(no title)

Clearly, it's not. This is a pervasive misconception. Bitcoin is not, and is not even meant to be, private. Even with obfuscation attempts, nearly every ransomware gang has their bitcoin payments fully tracked, as this one did. There is a robust industry of blockchain analytics that pulls in many many millions each year surveilling the bitcoin blockchain. Virtually all exchanges (fiat on and off ramps) collaborate with those analytics companies and require full KYC/AML of their customers, and can thus apply their KYC label data to blockchain metadata.

Bitcoin is not account based: it is based on unspent transaction output sets. UTXOs can be combined with many other UTXOs, combined into one, or split into many. This leaves a large amount of potential for obfuscation strategies such as CoinJoin[^1]. Nearly all of these gangs attempt to use CoinJoin or similar but make small mistakes such as being representative of a large amount of the volume, leaking information through timing, combining their outputs into one, or countless other potential errors, and often a simple "FIFO" strategy can trace flows. Obfuscation is not a robust anonymity strategy, and pseudonymity is not anonymity. To quote Vitalik Buterin, "If your privacy model has a medium anonymity set, it really has a small anonymity set. If your privacy model has a small anonymity set, it has an anonymity set of 1. Only global anonymity sets (eg. as done with ZK-SNARKs) are truly robustly secure."[^2]

[^1]: https://en.bitcoin.it/wiki/CoinJoin [^2]: https://twitter.com/vitalikbuterin/status/119646811199575654...