Mirror/stealth
1
0
Fork 0
mirror of https://github.com/LORDBABUINO/stealth.git synced 2026-05-03 02:49:59 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
cf07b9452032b38351aacc60a4e8980f6eb3ae2a
stealth/README.md
Renato Britto 7700cfcbb1 feat(docs): update README to reflect rust refactor
2026-03-30 23:12:08 -03:00

254 lines
9.1 KiB
Markdown
Raw Blame History

# Stealth
A privacy auditing tool for Bitcoin wallets.
Stealth analyzes wallet behavior using real-world blockchain heuristics and surfaces privacy risks that are often invisible to users.
## Why this matters
Bitcoin users often unknowingly leak sensitive information through common transaction patterns such as address reuse, input clustering, and change detection.
These leaks can:
- Expose wallet balances
- Link identities across transactions
- Reveal behavioral patterns over time
- Compromise the privacy of activists, journalists, and everyday users
While these heuristics are widely used in blockchain analysis, they are rarely accessible to the users themselves.
**Stealth makes these risks visible.**
Stealth aims to become a foundational privacy auditing layer for Bitcoin wallets and tools. By making privacy risks understandable and actionable, it helps users take control of their on-chain footprint before those leaks become irreversible.
## Status
Stealth is currently transitioning from a controlled regtest environment to real-world mainnet support.
The immediate focus is enabling analysis of real wallet data using a local Bitcoin node.
Stealth ships a Rust workspace with:
- `stealth-engine` (analysis engine)
- `stealth-model` (domain model types and interfaces)
- `stealth-bitcoincore` (Bitcoin Core RPC gateway adapter)
## Project Direction
Stealth is evolving into a modular privacy heuristics engine for Bitcoin.
The long-term goal is to:
- Provide a reusable analysis engine for wallet developers
- Integrate with tools like Bitcoin wallets and node-based clients
- Enable privacy-preserving analysis using a local Bitcoin node
The project is also moving towards a Rust-based core for performance and portability.
## What it does
Stealth takes a Bitcoin wallet descriptor as input and analyzes its transaction history (initially in controlled environments, moving towards full mainnet support).
The report includes:
- `findings`: confirmed privacy leaks
- `warnings`: potential risks or patterns
- Severity levels (`LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
- Structured evidence for each issue
Stealth is designed to work with real wallet data and highlight privacy risks based on observed on-chain behavior.
## Example risks detected
Stealth identifies real-world privacy issues such as:
- **Address reuse** → links transactions and balances
- **Common Input Ownership (CIOH)** → links multiple addresses to the same entity
- **Change detection** → reveals wallet structure
- **Dust attacks and spending patterns** → cluster linking
- **Script type mixing** → strong wallet fingerprinting
- **UTXO consolidation** → merges previously separate histories
- **Behavioral fingerprinting** → consistent transaction patterns over time
## Detection taxonomy
Stealth's source-of-truth detector is:
```
engine/src/detect.rs
```
The report model and type names are defined in:
```
model/src/types.rs
```
### Severity levels
| Level | Meaning |
| ---------- | ----------------------------------------------------------------- |
| `LOW` | Weak or contextual signal; monitor behavior |
| `MEDIUM` | Meaningful privacy leakage under common heuristics |
| `HIGH` | Strong linkage/fingerprinting risk |
| `CRITICAL` | Very strong deanonymization signal requiring immediate mitigation |
## Vulnerabilities detected
Stealth currently runs **12 detectors** in `stealth-engine`.
| # | Type | Default severity | What it indicates |
| --- | ------------------------ | ---------------- | ------------------------------------------------------ |
| 1 | `ADDRESS_REUSE` | HIGH | Same receive address used across multiple transactions |
| 2 | `CIOH` | HIGH - CRITICAL | Multi-input ownership linkage |
| 3 | `DUST` | MEDIUM - HIGH | Dust outputs received/spent |
| 4 | `DUST_SPENDING` | HIGH | Dust merged with normal inputs |
| 5 | `CHANGE_DETECTION` | MEDIUM | Identifiable change output patterns |
| 6 | `CONSOLIDATION` | MEDIUM | Consolidation transactions linking clusters |
| 7 | `SCRIPT_TYPE_MIXING` | HIGH | Mixed script types that fingerprint wallet behavior |
| 8 | `CLUSTER_MERGE` | HIGH | Previously separate clusters merged on-chain |
| 9 | `UTXO_AGE_SPREAD` | LOW | Broad age spread revealing timing behavior |
| 10 | `EXCHANGE_ORIGIN` | MEDIUM | Signals typical of exchange batch withdrawals |
| 11 | `TAINTED_UTXO_MERGE` | HIGH | Tainted and clean inputs merged |
| 12 | `BEHAVIORAL_FINGERPRINT` | MEDIUM | Repeating transaction patterns |
### Warning types
| Type | Typical severity | Meaning |
| --------------- | ---------------- | ----------------------------------------------- |
| `DORMANT_UTXOS` | LOW | Dormant/hoarded UTXO behavior |
| `DIRECT_TAINT` | HIGH | Funds directly received from known risky source |
## How to use the frontend
1. Run and open the application
2. Paste a wallet descriptor (`wpkh(...)`, `tr(...)`, etc.)
3. Click **Analyze**
4. Review:
- Findings and warnings
- Severity levels
- Structured explanations
## Roadmap
### Short term
- [ ] Rewrite the analysis engine in Rust, replacing the current multi-language implementation
- [ ] Add support for analyzing real wallet data using a local Bitcoin node (mainnet)
### Medium term
- [ ] Enable integration with wallet ecosystems (e.g. BDK-based wallets)
- [ ] Expose the analysis engine as a reusable library
### Long term
- [ ] Enable external clients (e.g. wallets, tools like am-i-exposed)
- [ ] Integrate with Floresta
## Installation
### Prerequisites
| Dependency | Version | Purpose |
| -------------- | ------- | --------------- |
| Bitcoin Core | ≥ 26 | Local node |
| Python | ≥ 3.10 | Analysis engine |
| Java | 21 | Backend |
| Node.js + yarn | ≥ 18 | Frontend |
### 1. Clone the repository
```bash
git clone https://github.com/stealth-bitcoin/stealth.git
cd stealth
```
### 2. Configure blockchain connection
Edit:
```
backend/script/config.ini
```
### 3. Development setup (regtest)
A regtest environment is provided for development and reproducible testing of heuristics.
```bash
cd backend/script
./setup.sh
```
### 4. Generate sample transactions
```bash
python3 reproduce.py
```
### 5. Start backend
```bash
cd backend/src/StealthBackend
./mvnw quarkus:dev
```
### 6. Start frontend
```bash
cd frontend
yarn install
yarn dev
```
## Project structure
```
stealth/
├── Cargo.toml # Rust workspace definition
├── engine/ # stealth-engine (detectors + graph + report model)
│ ├── src/
│ │ ├── detect.rs # privacy detectors
│ │ ├── engine.rs # AnalysisEngine entry point
│ │ ├── graph.rs # Transaction graph builder
│ │ └── lib.rs # Crate root and re-exports
│ └── tests/
│ └── integration.rs # Regtest integration tests
├── model/ # stealth-model (domain model types and interfaces)
├── bitcoincore/ # Bitcoin Core gateway implementation crate
├── frontend/ # React + Vite UI
│ └── src/
│ ├── components/ # FindingCard, VulnerabilityBadge
│ ├── screens/ # InputScreen, LoadingScreen, ReportScreen
│ └── services/ # walletService.js (API client)
├── backend/
│ ├── script/ # Python scripts + regtest data
│ │ ├── setup.sh # Bootstrap bitcoind regtest
│ │ ├── reproduce.py # Create 12 vulnerability scenarios
│ │ ├── detect.py # Privacy vulnerability detector
│ │ ├── bitcoin_rpc.py # bitcoin-cli wrapper
│ │ ├── config.ini # Connection config (datadir, network)
│ │ └── bitcoin-data/ # Regtest chain data (gitignored)
│ └── src/StealthBackend/ # Quarkus Java REST API (single /api/wallet/scan endpoint)
└── slides/ # Slidev pitch presentation
```
### Test Coverage
Stealth test coverage includes end-to-end api tests, integration tests using bitcoind regtest in core/ and additional unit tests.
You may run tests with:
```bash
cargo test
```
## Privacy notice
Stealth follows a local-first approach.
It is designed to run on top of a user's own Bitcoin node, avoiding the need to share sensitive wallet data with third-party services or external APIs.
This ensures that wallet analysis can be performed without leaking addresses, descriptors, or behavioral patterns.
Reference in New Issue View Git Blame Copy Permalink