CT-008: Mitigating dusting attacks in Monero CLI

Posted Mon, 05 Dec 2022, from Monero Observer

Source Article Link: https://monero.observer/cypherpunk-transmission-008-mitigating-dusting-attacks-monero-cli/

This is the 8th report in the Cypherpunk Transmission series.


Monero addresses are not publicly recorded on the blockchain and ring signatures do provide plausible deniability, but they aren’t perfect.

Although Monero is less vulnerable than public chains, rings can still be targeted and weakened by dusting attacks, which could lead to indirect linkage of outputs and user deanonymization.

This guide suggests a few simple ways to deal with poisoned outputs from dusting/EAE attacks.


  • Monero CLI installed (CT-0021)’2
  • ~5 mins free time (+sync time)

1. Identifying dusting attacks

To determine if you are under attack, simply check for suspicious incoming transactions that are small (usually under 0.01 XMR) and which are being periodically transferred to your addresses.

The show_transfers incoming command in your Monero CLI lists all incoming transactions.

Use unspent_outputs and unspent_outputs index=1 to confirm which addresses are being targeted by the dusting attack.

Note: replace index number to see unspent outputs in other addresses; type in address all to list all addresses and associated index numbers.

You should be able to identify something similar to this, with a high number of keys:

Amount: 0.001, number of keys: 24

Let’s assume we spot 24 x 0.001 XMR transactions hitting index 1. Now we are fully aware of the attack.

2. Mitigations

You might want to consider your own theat model (CT-0013) when deciding on the best course of action.

2.1 Manage

We could try combining only the poisoned outputs (not churning the entire balance with sweep_all).

Let’s grab all unlocked poisoned outputs with sweep_below and send them to a new subaddress:

sweep_below 0.002 index=1 <address>

Note: replace amount, index number and address accordingly; repeat the process as needed; generate a new subaddress with address new.

2.2 Ignore

Alternatively, we could simply choose not to touch/spend those poisoned outputs.

Let’s ignore outputs below a certain threshold with:

set ignore-outputs-below 0.002

Note: replace amount accordingly; if there are other ‘safe’ outputs on that index, they could be linked with the poisoned ones.


  • if you need help with any command, use help <command> and help all
  • not all dusting attack victims are directly targeted
  • churning can increase user privacy, but it is not easy to provide an optimal churn frequency recommendation
  • successful EAE attacks require colluding adversaries on both sides with access to external correlating metadata (ie. IP addresses, KYC data, timing)
  • Seraphis should bring an increase in the ring size, which could reduce dusting attacks efficiency
  • watch Breaking Monero’s Poisoned Outputs (EAE Attack) video4 to learn more about these types of attacks

That’s it. Nothing is perfect, not even Monero, but I do believe we are moving in the right direction. If you are under attack, don’t panic: sweep / ignore and take that as a compliment instead.


Let me know if you find this helpful and, depending on interest, I will do my best to post a new Cypherpunk Transmission report every (other?) Monday.

Questions, edits and suggestions are always appreciated @ /about/.


Credit goes to gnuteardrops from monero.graphics for the amazing xkcd graphic. Work and xkcd Script font licensed under CC BY-NC 3.0.

License: CC BY 4.0, no changes were made to the article.