Privacy and Cryptocurrency, Part V: Bisq, RuneScape and stories from buying bitcoin anonymously

Eric Wall
Human Rights Foundation (HRF)
16 min readMar 19, 2020

This is the fifth part in an article series by the Human Rights Foundation (HRF) on privacy and cryptocurrency, funded by the Zcash Foundation. To read about the purpose of this article series, see our introductory piece “Privacy and Cryptocurrency, Part I: How Private is Bitcoin?”. This series is written by Eric Wall, Privacy Technology Fellow at the HRF.

Buying bitcoin anonymously

Previously in this series, we’ve tried to uncover the privacy characteristics of cryptocurrencies and the tools available for reclaiming your financial privacy from snooping governments. Then again, if you are living under the threat of surveillance from an authoritarian country, your first question might be how to privately acquire bitcoin in the first place. In this final piece of the series, the author — Eric — will use everything he knows about bitcoin and privacy to try to buy bitcoin anonymously.

Step 1: Catching shrimp

I’m running around aimlessly on a green hill. A woman instructs me how to catch shrimp from a nearby pond.

I look around in my bags and find a net. I toss it over the shrimp.

My attempt is successful.

Wait, what? Wasn’t this supposed to be an article about how to buy bitcoin anonymously?

Well, it is. It starts with an exploration of all the obvious venues you would expect a bitcoin buyer to explore, but after over a month of very limited (none) success in the cashless alleys of Sweden, I ended up having to killing rats, cook shrimp and a bunch of other things I never expected having to do, in the 19-year-old computer game RuneScape.

But let’s rewind a bit and start from the beginning.

Mentioned in this piece

  • Decentralized exchanges: Bisq
  • P2P marketplaces (custodial): LocalBitcoins, LocalCoinSwap
  • P2P marketplaces (non-custodial): Hodl Hodl, Bitcoin.com Local
  • ATMs
  • Online bulletin boards: Mycelium Marketplace
  • Mining
  • Public groups (Facebook Groups)
  • Meetups (Meetup.com)
  • Tinder
  • RuneScape

Preparation

In preparation for this exercise, I fired up a Tor browser and made sure to only use this from here on out.

Tip: If using Wasabi Wallet and a Tor browser simultaneously; you’ll most likely have to change the Wasabi Tor port.

You’ll probably also want a burner SIM card (easy to get in convenience stores for cash) since they’re pretty much a requirement if you want to be able to set up a new Telegram, Facebook, WhatsApp, Gmail or Discord account in 2020.

Bisq: a fiat-to-bitcoin decentralized exchange

The first thing that came to mind when buying bitcoin without KYC was Bisq, a decentralized exchange used to coordinate and resolve bitcoin-to-fiat trades without any centralized party taking custody over users’ funds or storing user information in a central database. To trade on Bisq, you don’t even access a website; instead you run the Bisq decentralized software.

Each Bisq client consists of two components — a P2P communication network that routes trading information between participants (via Tor hidden services) and a Tor-connected Bitcoin wallet (SPV or full node).

When you buy bitcoin using Bisq, you’ll first need to find a seller supporting a fiat payment method you can use. The money is then sent directly from you to the seller. At the time of my visit, there were 170 offers in the Bisq orderbook.

However, before we get too deep in to the weeds with Bisq, here’s why this bitcoin purchasing option did not work for me:

The fact that Bisq requires you to place a security deposit (in bitcoin) was a bit of a catch-22 situation for me since I had no bitcoin, so I decided to perhaps revisit this option later.

ATMs

Given that I had some recent success using a bitcoin ATM in Berlin, I decided to take a shot at finding one in Stockholm. I know there used to be one, but it appears to not be around anymore, so I’m out of luck.

Bitcoin ATMs will sometimes allow you to buy bitcoin without providing identifying information. Oh well.

Gift cards

In an excellent piece by Matt Ahlborg, I recently learned that there’s a growing market for buying bitcoin with gift cards.

I was only able to find offers with >70% markups when purchasing bitcoin with gift cards (e.g. Steam Wallet, Google Play and iTunes).

While this is hefty price to pay, it would at least anonymously provide me with the bitcoin I need for the security bond in order to trade at Bisq (which offers a 2 -4% markup) since I can buy the gift cards with cash.

LocalBitcoins

LocalBitcoins used to be a good place for anonymous bitcoin trades, but they have since then stepped up their compliance and KYC measures considerably, and they now collaborate extensively with governments worldwide. The markups on LocalBitcoins are reasonable though, with rates as low as 2% in my area.

I thought I’d stop by there to see how exactly the KYC checks are enforced, and whether there were any loopholes I could exploit.

When browsing ads on LocalBitcoin, I discovered that it’s not entirely uncommon that ads contain link to websites, WhatsApp numbers, Telegram usernames other pieces of info that allow you to reach out to sellers directly.

I tried to find someone locally in Sweden by filtering for the Sweden-specific payment option Swish. Out of the five sellers I found, one had his Wickr username on display. While he engaged with me initially, I was ultimately unable to close a cash deal with him. Was worth a shot though!

Buying online from a fictional LocalBitcoins account

The HRF has received reports where some users claim to be able to make LocalBitcoins purchases up to €1,000 using fictional accounts. However, fictional names are against LocalBitcoin’s terms of service and could result in account shutdown and loss of funds.

Mycelium Marketplace

The Bitcoin wallet Mycelium has a special tab where you can find people locally who are often up for cash trades. It used to be a relatively vibrant place once. This is what it looks like when you navigate to marketplace tab:

Tip: Although just browsing ads on Mycelium on your phone is unlikely to get you in trouble, you can use apps Orbot if you have Android to get Tor on your phone. There are also VPNs you can use on iOS (PIA allows you to pay with cash-bought gift cards). You could also use a public wifi.

I set up a new Telegram account and I open a secret end-to-end encrypted chat with the seller from the ad above.

Unfortunately, I didn’t have a representative in Barcelona or Nice, so I was unable to close a deal here as well. So I continue the search.

Hodl Hodl

Hodl Hodl is similar to LocalBitcoins with the exception that they don’t hold customer funds. This puts them in a different regulatory bucket from LocalBitcoins and supposedly relieves them from having to log user information. They still act as an arbitrator between bitcoin-to-fiat trades in case of a dispute though.

I was able to find a bitcoin offer for a 5% markup via Revolut on Hodl Hodl.

Security notice: Hodl Hodl is non-custodial, but if they both act as the seller and arbitrator in a disputed trade, they could still steal your money. This is different from Bisq where arbitrators have to post a security bond, which could be slashed if the arbitrator is found guilty of fraud by a community vote.

You can think of Hodl Hodl like LocalBitcoins except you don’t break the terms of service by not providing your real name or email address. If all goes well with your trade, Hodl Hodl should have no idea who you are (however, you will still have to share your details with Hodl Hodl support staff in an arbitration case where the seller refuses to release the coins and you want a chance to dispute it).

My first successful trade

Hodl Hodl displays how many successful trades a trader has completed in the past as part of a reputation system. Reputation systems can seem quite vulnerable to manipulation, but they often work quite well in practice, especially if you’re trading in small chunks.

This seller released my bitcoins from escrow immediately as I sent him a payment over Revolut.

But you used Revolut. That’s not very anonymous?

Correct. I used a Tor browser and only a dummy name and email address on Hodl Hodl to conduct this trade, so Hodl Hodl should have no idea it was me. But the person who I bought the bitcoins from should know my real name because Revolut displays this information in the app. The transaction is also stored in Revolut servers, although Revolut themselves won’t necessarily know this transaction was a part of a bitcoin trade. It’s completely possible that the seller, who for me was in Finland based on his phone number country code, shares the information of this trade with authorities (e.g. tax agencies) and other third parties.

It’s also completely possible for authorities to conduct bitcoin purchases just like this in order to identify sellers, and request that Revolut provide them with full lists of those sellers’ transaction partners in order to map out potential bitcoin users in their country. I therefore don’t think it’s wise to call this trade “anonymous”, and the same goes for e.g. Bisq, if you use this kind of online payment option.

Hunting cash deals

Ideally, I want to find someone to make a cash trade with, to avoid leaving any digital traces at all. My back-up plan is to buy some mining equipment and convert my electricity to cryptocurrency that way, but let’s hope it doesn’t have to come to that.

Paxful: I check Paxful for bitcoin-to-cash trades in Stockholm. Nothing.

LocalCoinSwap: I check LocalCoinSwap. The search function appears broken at the moment, but scrolling through the pages and CTRL+F-ing “Sweden” works decently well since there are only ~300 offers. I actually find one lead this way.

Bitcoin.com Local: I check Bitcoin.com Local. If I can buy “Bitcoin Cash” (BCH) for cash there, I can swap it for bitcoins (BTC) using Sideshift.ai. I find a few offers.

LocalCryptos: No leads.

Meetups: I contemplate showing up to Stockholm Satoshi Square wearing a disguise (needed since most people there know who I am), but eventually I decide to scrap this plan in order to not scare people up.

Facing failure

The two ads I found were rather old. I was able to reach one guy who was selling BTC for a 10% markup on LocalCoinSwap by contacting him through his Wickr username which he displayed in the ad. The other was selling BCH for a 11% markup in Stockholm on Bitcoin.com. However, despite countless attempts to meet, my efforts are unsuccessful and I’m left with no further obvious options.

Eric starts to get desperate

I devised two additional strategies in my attempts to acquire bitcoin with cash anonymously, both of which failed. However, I’ve still decided to share what these plans were in case they should work for someone else.

Desperate strategy #1 — Fake Facebook account

The idea with this strategy was that I would create a fake Facebook account and join any Swedish Bitcoin groups I could find (e.g. Bitcoin Sverige has 8000+ members) and ask around. In order to do that I needed to sign up on Facebook with Tor and a burner SIM.

I wasn’t going to get accepted into any groups without having a profile picture, so my best idea was to pick up an AI-generated image from ThisPersonDoesNotExist.com. I didn’t want to use a picture of my own face, not only because it would link my face to the trade, but because facial recognition engines have gotten so good that any picture of myself would probably be as un-anonymous as using my real Facebook account.

Unfortunately, I did not get very far with this plan. I spent a few hours having my applications to join Facebook groups rejected and getting harassed by Google’s bot detection algorithms (probably related to Tor usage). Eventually, my account was banned from Facebook.

I got pretty good at identifying cars, crosswalks, traffic lights and fire hydrants through this experiment.

Desperate strategy #2 — Tinder

At this point the situation had gotten pretty hopeless and I was really running out of ideas. I’m not proud of the strategy I’m about to mention and I wouldn’t recommend it to anyone. But desperate times called for desperate measures.

It’s not super-uncommon that people in my area use dating apps such as Tinder to find people for non-dating-related activities, such as finding a gym friend or someone to go to a specific concert with. I asked my significant other to set up a Tinder profile looking for a “bitcoin trade counterparty” to execute an anonymous cash deal with (being a guy, I simply don’t receive sufficient attention on dating apps for this strategy to be viable on my own).

This attempt was unfortunately ultimately also a complete failure, as we relatively quickly got banned from Tinder before any trade could be arranged.

The strategy that ended up working — RuneScape!

This strategy was not my own idea, but was instead half-jokingly suggested to me by Alex Gladstein, CSO of the Human Rights Foundation, which he learned about through a Twitter comment.

RuneScape is one of the largest free MMORPG games of all time, and the 2007-version of this game still has over 60,000 users playing on any given day. What makes RuneScape so interesting for this experiment is that there’s a surprisingly liquid OTC market for its in-game currency, “OSRS” gold (Old School RuneScape gold).

There are also no KYC requirements to play RuneScape. Anyone from anywhere in the world can create an account and trade its currency. Interestingly enough, people who specialize in trading RuneScape gold are also often large fans of cryptocurrency because traditional payments usually suffer from serious chargeback risks.

Traders selling bitcoin in exchange for RuneScape gold on Sythe.org.

This is what a typical RuneScape gold ad will look like, catered for irresistibility to the average RuneScape adventurer:

On the Sythe.org forums, you’ll find that these vendors support nearly every digital payment option imaginable (PayPal, Western Union, Zelle, Alipay, Wechat, Skrill, Revolut, SEPA, TransferWise, local bank payments, cryptocurrencies). Currently, there are more than 50 people browsing these subforums at any given time and the trades are generally coordinated over Discord. Buy threads are here and sell threads are here.

Warning: Real-world trading is against RuneScape rules, and could result in your account getting banned.

Buying RuneScape gold

Step 1
So the first thing you’ll need to do is to find a RuneScape gold seller who offers a payment option you can use. The next step is to convince the seller to accept a payment from you. This might be a bit tricky, as the seller is going to worry about you issuing a chargeback once the gold has been transferred.

Discord conversation that took place right after I added a a random seller’s user name from one of the advertisement on Sythe (important guide to avoid getting scammed via Discord username spoofing).

Sellers usually want some kind of assurance such that incase you try to rip them off, you’ll lose something valuable to you (like your high-reputation accounts that allow you to find trade partners easily). The seller here is probably right that Twitter won’t delete my account if he reports me for engaging in RuneScape gold chargeback scams, so it’s no use to him.

So what to do as a brand new RuneScaper? After speaking to a different seller, I found out that there exists people who are okay with weaker (or perhaps different) guarantees.

My next seller, a RuneScape power-leveler (a person who quickly levels up other users’ characters for gold payments) was fine with accepting a PayPal payment from me, with the condition that I send him an email from my PayPal email confirming that I received the good I was buying and that I would have no reason or right to dispute the transaction.

Step 2
It’s time to prepare yourself to receive the gold in-game. Actually, you’ll want to prepare most of this step before you complete Step 1. You download the game here (Old school version! It’s actually the more popular RuneScape game, with the most liquid OTC market for gold).

In order to get to the part of the RuneScape world where you can meet up with other people, you’re going to have to complete what’s known as “Tutorial Island” (RuneScape starting zone).

I am buying the gold for someone else as a gift. But this seller doesn’t need to know that this someone is one of my other anonymous RuneScape characters.

As you may have guessed by now, completing Tutorial Island is how I ended up having to cook shrimp, cut wood, forge weapons and kill human-sized rats in this virtual game.

After killing the rats, cooking the shrimp and finishing the tutorial you get teleported to Lumbridge, the starting town in RuneScape, where your seller can meet up with you to complete the trade.

It should be noted that this transaction was completely trust-based. I needed to trust my vendor to fulfill his end of the trade (transferring me the gold). That is why I chose to buy in relatively small chunks at a time ($174 here). Luckily, this seller honored his part of the deal without any complications.

Selling RuneScape gold

The next steps should be relatively straightforward here (go to the Sythe OSRS sell forum and find someone who is buying gold for bitcoin, which should be almost all of them). I will just point out a few good things to remember when selling the gold you acquired.

In order to break the link between your previous RuneScape character, you need to set up a completely new set of accounts (RuneScape, Discord, Email, new burner SIM card — the lot!) while using a new IP address (e.g. via a public wifi or VPN). Doing this, you’re probably going to have your traffic light identification skills extensively tested by Google again. You’ll then have to catch some more RuneScape shrimp since you’ll need to run a new character through Tutorial Island.

My two RuneScape characters meeting up to transfer the gold I previously purchased. Both characters only have links to completely different accounts, associated with completely different IP addresses.

This is because when you’re going to sell the gold to buy bitcoin, you’ll want to do it from a new character with no definitive link to the previous character you bought the gold with.

What’s interesting about this manoeuvre is that the only entity that could easily link you and your new character to the previous character is Jagex (RuneScape creator). But even then, if you’ve done everything right, Jagex does not know that these characters were both controlled by you, only that they transacted once. In my case, it would also require the combined knowledge of Jagex and Discord (or help from my PayPal seller) just to link my previous character to my real identity. But they wouldn’t be able to prove who was behind my second character. All things considered, we appeared to have constructed a sufficiently contrived paper trail for deanonymization attacks to seem unlikely at this point.

The final step is to once again coordinate a trade with someone using their advertisement on Sythe, but this time you’ll simply provide them with your Bitcoin address and there should be no further hassle, as there are no chargeback risks either of you will have to worry about in this instance.

Copying a Bitcoin address from Wasabi Wallet.

After meeting up with the person who is buying your RuneScape gold in the game world and transferring them the gold, you will finally have successfully purchased bitcoin anonymously 2020-style.

Conclusion

One of the original premises of bitcoin was that it should be possible to use it without revealing information about your identity. In Part I and Part II of this series, we went over the how one should treat the Bitcoin system in order to not create links between one’s transactions and one’s identity, but that’s perhaps of little help if all your initial bitcoin purchases can be surveilled. It’s important that users are aware of this risk and understand how one could work to route around it.

Joining this piece together with the previous pieces in this series, it does raise the question whether it is achievable for the average person to anonymously acquire and use cryptocurrency today without facing major hurdles. There is currently no smooth one-stop shop for privacy in bitcoin, but rather an amalgamation of different tools and systems one must learn to navigate depending on the exact use case one is looking to manoeuvre.

That said, many privacy-enhancing technology developments are continuously in the pipeline for bitcoin. It will most likely be an ongoing task for groups and local communities to create networks, and to educate themselves on how to best approach these tools with some recommended practices for how to acquire, store and transfer cryptocurrencies moving forward.

With respect to the challenge of privately acquiring bitcoin specifically, there are other options not explored in this article, such as using the help of a relative or a friend living in a different part of the world where the threat of surveillance is less dramatic, or earning it through a bitcoin-paying employer, or even by mining it. The HRF notes that while Bitcoin privacy is still a bit tricky, there is still no other type of asset one can store in one’s mind and transport across countries without the fear of having it confiscated by a government or seized at a border. That freedom alone is worth fighting for.

*The essays in this series will form the basis for a report to be published by Coin Center, the leading cryptocurrency policy research and advocacy group based in Washington, DC.

**The Zcash Foundation contributed funding for the project. The Zcash Foundation exists to build and support tools that enable privacy and autonomy, particularly with respect to people’s transactions and financial information. Privacy is important for numerous reasons — personal, medical, political, and more. For this reason, Zcash pioneers the use of zk-SNARKs, a novel form of zero-knowledge cryptography with strong privacy guarantees. Ultimately, the Zcash Foundation’s impact will come from serving the needs and workflows of real people, including those from many backgrounds and locations.

--

--

Human Rights Foundation (HRF)
Human Rights Foundation (HRF)

Published in Human Rights Foundation (HRF)

Human Rights Foundation (HRF) is a nonprofit that promotes freedom where it is most at risk. We produce the Oslo Freedom Forum (@OsloFF)