bitcoin sign
Bitcoin's famed anonymity can be breached with website cookie data Reuters

Using the bitcoin cryptocurrency to buy goods and services online can lead to the currency's famed anonymity being overturned and user identity exposed, a team of researchers has warned.

It was found that cookies used by websites to track visitors around the internet make it possible for the anonymity treasured by bitcoin users to be stripped away, linking bitcoin wallets with the real-world identity of their owners.

The researchers also found the use of privacy-protecting services like CoinJar, designed to add a further layer of anonymity to bitcoin transactions, does not stop customers from being identified by third-party web trackers used by online merchants.

The report, compiled by privacy researcher Dillon Reisman and Princeton University's Steven Goldfeder, Harry Kalodner and Arvind Narayanan, claims of 130 merchants that accept bitcoin, they found 53 leaked payment information to 40 different third parties, who could then link bitcoins with their owners. Most of these leaks came from the shopping basket pages of retail sites, and were done on purpose for advertising and analytical purposes.

Worse than these deliberate leaks, the researchers say, were the "many merchant websites [with] far more serious (and likely unintentional) information leaks that directly reveal the exact transaction on the blockchain to dozens of trackers." Linking a blockchain transaction with the once-anonymous owner of the bitcoins is then trivial.

Bitcoin anonymity lost through web cookies
Diagram shows how a bitcoin user can be identified through website cookie data Princeton University research paper

Even if customers used software to protect them from being tracked, the researchers claim many sites still helped themselves to personal information, which could in turn lead to bitcoins being linked to their owners.

The researchers explained: "We show that, if the user pays using cryptocurrency, trackers typically possess enough information about the purchase to uniquely identify the transaction on the blockchain, link it to the user's cookie, and further to the user's real identity."

Worse still, they found that if a tracker is able to spot two purchases made by the same user and link them to the blockchain, a public record of all (anonymised) bitcoin transactions, the tracker data can be used to identify a person's entire bitcoin transaction history.

Lastly, the researchers warn how this identification technique is passive and "can be retroactively applied to past purchases".

There isn't a great deal consumers can do to fully protect themselves from such attacks, the report says, as "most of the privacy-breaching data flows we identify are intentional and not accidental".