ART Graphs in Privacy Cryptocurrencies

Updated 27 November 2025

ART graphs are formal models that capture relationships among stealth addresses, cryptographic rings, and transactions in privacy-focused cryptocurrencies.
They extract structural and temporal features such as degree metrics, hop distances, and inter-transaction intervals to reveal patterns in illicit activity.
The methodology supports machine learning pipelines for anomaly detection and deanonymization, offering practical insights for blockchain forensic analysis.

Address-Ring-Transaction (ART) graphs are a formalism for modeling the intricate input and output relationships in privacy-based cryptocurrencies, especially those leveraging ring signatures such as Monero. These graphs capture the structural and temporal interplay among stealth addresses, cryptographic rings, and transactions, enabling advanced forensic analysis—even in the context of protocols designed to resist traditional transaction tracing. ART graphs serve both as a basis for machine-learning-based illicit activity detection and as a vehicle for formal anonymity guarantees and adversarial analysis.

1. Formal Definition of ART Graphs

Let $A = \{a_1, a_2, \ldots, a_{|A|}\}$ denote the set of one-time Monero stealth addresses, $R = \{r_1, r_2, \ldots, r_{|R|}\}$ the set of input rings (each representing a set of mixins plus the real input), and $T = \{t_1, t_2, \ldots, t_{|T|}\}$ the set of transactions.

Two edge sets define the ART graph:

$E_1 \subseteq A \times R$ : $(a, r) \in E_1$ iff address $a$ is a member (real or mixin) of ring $r$ .
$E_2 \subseteq R \times T$ : $(r, t) \in E_2$ iff ring $r$ appears as an input in transaction $t$ .

The complete ART graph is $G = (A \cup R \cup T, E = E_1 \cup E_2)$ (Venturi et al., 20 Nov 2025).

Incidence mappings:

$\iota_1: R \to 2^A,\, \iota_1(r) = \{a \in A \mid (a, r) \in E_1\}$ (addresses in ring $r$ )
$\iota_2: T \to 2^R,\, \iota_2(t) = \{r \in R \mid (r, t) \in E_2\}$ (rings used in transaction $t$ )

Distinct from classical transaction graphs on UTXO-based or account-based blockchains, ART graphs explicitly model the ring-incidence (a privacy primitive) and facilitate structural as well as statistical feature extraction at varying topological depths.

2. Graph Construction and n-Hop Neighborhoods

The procedure for assembling an $n$ -hop ART subgraph $G_n(t_0)$ is centered around a "seed" transaction $t_0$ . Iterative graph expansion alternates between including:

All input rings to each transaction on the current frontier,
All stealth addresses (as members) to each ring,
Additional transactions sharing addresses with the growing subgraph.

Pseudocode (as specified in (Venturi et al., 20 Nov 2025)):

procedure Build_ART_Graph(t0, n):
    Initialize G = (V = ∅, E = ∅)
    frontier = {t0}
    for hop in 0..n:
        next_frontier = ∅
        for each tx in frontier:
            add tx to V
            for each input ring r of tx:
                add r to V
                add edge (r, tx) to E
                mixins = fetchRingMembers(r)
                for each address a in mixins:
                    add a to V
                    add edge (a, r) to E
        frontier = set of transactions that share any address in V \ previous V
    return G

This approach can be extended to include output modeling, higher-hop expansions, and bidirectional traversals depending on the forensic objective.

3. Feature Engineering for Behavioral Modeling

Feature extraction from ART graphs exploits both structural and temporal dimensions:

Structural features:
- Degree statistics for all node types; for rings, degree yields ring size.
- Path-length metrics from $t_0$ (min/max hop distances).
- Centralities: betweenness ( $b(v)$ ), closeness ( $c(v)$ ).
- Clustering coefficients within induced subgraphs.
Temporal features:
- Time differences $Δτ(t, t') = |\tau(t) - \tau(t')|$ for pairs of transactions.
- Summary statistics (mean $\mu$ , standard deviation $\sigma$ , min, max, median) of $Δτ(\cdot, t_0)$ across i-hop neighbors.
Hop-based aggregation:
- 0-hop: attributes of $t_0$ .
- i-hop: analogous metrics for all transactions at hop $i$ .

All extracted features collectively form a high-dimensional vector $x(t_0)$ to be used in downstream classification tasks (Venturi et al., 20 Nov 2025).

4. ART Graphs and Deanonymization: Adversarial and Theoretical Perspective

The theoretical foundations for the ART (or more generally, bipartite address-ring-transaction) graph's anonymity properties derive from formal modeling of ring samplers and adversarial graph analysis.

Let $U = \{u_1, ..., u_n\}$ be user addresses and $T = \{t_1, ..., t_T\}$ transactions. The graph $G = (U \cup T, E)$ is bipartite, with $(u, t) \in E$ if $u$ appears in the ring for $t$ . A ring-sampler $S$ specifies the distribution $p_S(R|u)$ for $u$ 's ring $R$ ; the canonical "partitioning sampler" randomly partitions $U$ into disjoint blocks of size $m$ , outputting the block containing $u$ as $R$ .

The adversary's probability of deanonymizing the signer (beyond random guessing) is tightly bounded:

For partitioning (or more generally, $m$ -symmetric) samplers with $m \geq c \ln n$ , any graph-analysing adversary achieves success at most $2/m$. Thus, structural analysis beyond ring membership yields negligible advantage (Egger et al., 28 Feb 2024).

Empirical studies over simulated data (e.g., $n=10^5$ , $m\in\{10,20,50,100\}$ ) using maximum-degree, PageRank, and other heuristics confirm the theoretical anonymity bound: as $m$ increases, adversarial success converges to $1/m$.

5. Machine Learning Pipeline and Empirical Evaluation

Behavioral detection is formulated as a supervised classification problem over feature vectors extracted from ART subgraphs. Notable aspects include:

Modeling choices:
- Random Forests (RF, 500 trees, unrestricted depth, $min\_samples\_leaf=1$ )
- Optional XGBoost (200 estimators, $max\_depth=6$ , $\eta=0.1$ )
- Data balancing via SMOTE on positive (illicit) samples
Input representation:
- Feature vector aggregates all hop-based structural/temporal signatures: $x(t_0) \in \mathbb{R}^d$ .
Evaluation protocol:
- 80/20 train/test split
- Metrics: Precision, Recall, F1-score: $F1 = 2 \cdot Precision \cdot Recall / (Precision + Recall)$

Empirical results (WannaCry 2.0 Monero case paper, $n_{pos}=19$ , $n_{neg}=150$ , 2-hop subgraphs with $d \approx 60$ features) indicate:

Metric	Value
Precision	1.000
Recall	0.750
F1-score	0.857

Detected positive neighborhoods show tight batch consolidation temporal patterns (inter-transaction delay $\mu_{Δτ} < 10$ min), large ring sizes ( $\geq 8$ ), and denser 2-hop subgraphs (Venturi et al., 20 Nov 2025).

6. Key Signatures, Limitations, and Design Implications

Key Observed Patterns:

Regular use of large ring sizes in illicit transfers.
Clustered and brief inter-transaction intervals among ring members.
Increased local ART graph density indicating fund consolidation behavior.

Limitations:

Scarcity of labeled positive data increases overfitting risk.
Synthetic data balancing (SMOTE) may distort minority class distributions.
The framework's efficacy is primarily limited to flagged or partially deanonymized cases; completely unlinked flows remain challenging.

Theoretical safeguards:

Formal anonymity is only preserved when decoy selection achieves (near-)perfect symmetry. Any deviation facilitates potential graph-based attacks.
The ring size $m$ must be scaled as $\Omega(\log n)$ , balancing anonymity strength and on-chain resource usage (Egger et al., 28 Feb 2024).

Future Directions:

Incorporation of spectral features and unsupervised anomaly detection into ART graph analysis.
Exploration of larger $n$ -hop neighborhoods through optimized traversal algorithms.
Extension of ART methodologies to protocols with different privacy or transaction structures.

7. ART Graphs in Broader Blockchain Forensics

ART graphs fundamentally differ from account-based transaction graph models such as those in TRacer (Wu et al., 2022), which unify all asset transfers (including DeFi operations) in a directed, weighted, temporal, multi-relationship graph for scalable, PageRank-based tracing. In contrast, ART graphs—owing to Monero's privacy architectures—oblige bipartite/tri-partite address–ring–transaction modeling and specifically encode input ring composition and anonymity structure, challenging but enabling forensic analytics even in privacy-centric environments.

Investigative use-cases demonstrate that ART-graph-based ML can surface behavioral traces suggestive of illicit activity, although these techniques are constrained by the underlying privacy-preserving protocol's design. This highlights the dual imperative: forensic strategies must continuously adapt to privacy protocol innovations, and privacy protocols must evolve to maintain their provable resistance to advanced structural graph analysis.