How Satoshi Tests Expose Your Transfers Before They Happen

With the Travel Rule, many jurisdictions have included self-hosted wallets within their scope and with this comes the task of proving self-hosted wallet ownership. 

One popular method throughout the industry is the Satoshi Test. However, it is far from flawless, it unintentionally exposes delicate information during its process. 

In this blog, find out what a Satoshi Test is, understand its limitations and privacy implications and learn about the alternative that solves these challenges. 

What Is a Satoshi Test?

A Satoshi Test is a process used to confirm ownership of a self-hosted wallet address linked to a VASP customer. 

Using the image below as a guide, the process begins with the goal of verifying ownership of a self-hosted wallet. When a customer initiates a withdrawal, their virtual asset service provider (VASP) will first require them to complete a Satoshi Test to prove they control the wallet address they intend to use.

Because self-hosted wallets are not tied to regulated entities, the customer’s address will typically appear as an unknown address in blockchain analytics tools, while the VASP’s address will be identified as belonging to a VASP.

The Satoshi Test itself involves sending a very small amount, usually around 1 USD. For the verification to be deemed successful, the transaction must be sent from the customer’s self-hosted wallet address, which needs to be validated, and sent to the specific address provided by the VASP for the test.

Once the test transaction is confirmed and the VASP is satisfied that the customer controls the address, the VASP will release the actual withdrawal amount to the same self-hosted address used in the test. Despite this verification, blockchain analytics tools will still generally classify the self-hosted wallet as unknown.

It is also important to note that the VASP may send the final withdrawal from any one of its addresses, not necessarily the same address that received the Satoshi Test transaction

Limitations of the Satoshi Test

The Satoshi Test introduces several issues that make it far from ideal for both customers and VASPs. From a user-experience perspective, requiring a customer to first send a pre-defined amount of Bitcoin from a specific wallet to another specific wallet before being allowed to withdraw their funds feels counterintuitive and illogical. 

It also adds unnecessary cost and effort, since every blockchain transaction incurs a fee and demands extra time and work from the user. 

Regarding the time issue, users relying on a Satoshi Test can expect to wait between 10 and 30 minutes for the confirmation, and during congested periods, this confirmation can stretch even longer. 

Moreover, if the user does not complete the test in the allotted time or with the exact amount, the process will need to be repeated.

Beyond usability and cost, there is a significant privacy concern: because each Satoshi Test takes place on-chain, it publicly reveals information about a user’s actions, intentions, and wallet relationships to anyone monitoring the blockchain. 

While this may not seem like a significant issue, over time, it reveals a user’s spending habits and financial patterns, allowing observers to anticipate future transfers, and it becomes easier to monitor and anticipate high-value movements. 

Satoshi Tests Increase Risks Through Transparency  

The requirement to perform a proof transaction ahead of the actual transaction unintentionally reveals that the parties involved are preparing to move additional assets thereafter. 

This is because a Satoshi Test transaction has a particular design that can be more easily spotted among normal transactions:

1. It has only one sender (one input);

2. The value of the crypto amount is around USD 1 at the moment it is sent;

3. It is sent to an address owned by a VASP (which might be known by a Blockchain Analytics company);

4. It is usually sent by a self-hosted wallet (therefore, Blockchain Analytics companies don’t have the sending address tagged as a VASP).

Why Transparency on the Blockchain Is an Issue

One of the key selling points of public blockchains is their transparency; transactions can’t be altered or hidden. However, this transparency comes at a cost when performing a Satoshi Test. 

When performing a Satoshi Test, privacy is reduced and sensitive information can be unintentionally exposed. By placing activity on-chain, it reveals that one address most likely belongs to a VASP and that the other is a self-hosted wallet, making it easier for observers to map ownership and link identities. 

In fact, crafty observers quickly learn that after every Satoshi Test, a larger amount will follow from the same wallet address. This can enable front-running: third parties can anticipate that users will soon move assets and potentially exploit that knowledge before the actual transaction takes place. 

What Is the Alternative?

21 Analytics developed AOPP as a solution to the issues presented to VASPs and their customers when using pre-existing wallet ownership proof methods, like the Satoshi Test. 

The goal of AOPP is to be easy to perform for VASP customers and act as a reliable and automated wallet proof for compliance teams. 

Proving wallet ownership with AOPP is incredibly simple, a self-hosted wallet owner will initiate a withdrawal from their VASP. A link is automatically generated for the AOPP Portal. Within the Portal, users will select their wallet type, for example, Ledger or Trezor. Thereafter, they will be prompted to complete the signing process within their wallet. 

Once the process is completed, this proof is automatically sent to their VASP. This is all within a matter of seconds. 

On the VASP’s side, the verification process runs fully in the background. Once completed, the proof will automatically appear in their 21 Travel Rule software, requiring no manual intervention.

“When Switzerland first enforced the Travel Rule, we realised that proving wallet ownership would become a major usability challenge for both CASPs and customers. We built AOPP to make this process as seamless and privacy-preserving as possible, staying true to Bitcoin’s values while ensuring compliance.”
Lucas Betschart, COO & Co-Founder, 21 Analytics.

Now, AOPP is cited by regulators, trusted by compliance teams, and favoured by their customers.

Learn how you can implement AOPP - request a demo today.