Monero Dandelion++ Network Privacy Explained
Monero Dandelion++ Network Privacy Explained
Most people who buy Monero assume the protocol hides everything the moment a transaction leaves their wallet. On the blockchain itself, that is largely true — RingCT conceals amounts, the ring signature obscures which output is being spent, and the stealth address breaks the link to the recipient. But there is a quieter layer that has nothing to do with the ledger: the peer-to-peer network that carries your transaction from your node to a miner. When you click "send," your transaction first appears at one IP address before it spreads. A network observer who spots that origin can sometimes tie a perfectly private on-chain transaction back to a real-world internet connection.
This is the gap Dandelion++ was built to close. It is the propagation protocol Monero uses to scramble the path a transaction takes through the network so that the node where it surfaces is almost never the node that created it. When you swap into Monero through a service like MoneroSwapper, your coins inherit this protection automatically — but understanding how it works tells you where its limits are and what you should add on top. This guide walks through the stem-and-fluff design, the parameters Monero actually ships, the realistic threat model, and how to harden your setup in 2026.
Why network-level privacy is a separate problem
Privacy coins are usually discussed in terms of what lands on the chain. That framing misses a whole category of leakage. The blockchain is a public record, but the act of broadcasting a transaction is a live event happening at a specific place and time, and that metadata can be just as identifying as a transparent ledger.
Three distinct surfaces are at play whenever you transact, and Dandelion++ only addresses the third one:
- On-chain content: the amount, sender, and receiver. Monero protects this with RingCT, ring signatures, stealth addresses, and the key image that prevents double-spends without revealing which coin moved.
- Chain-level linkability: whether two transactions can be tied together by reused data. Subaddress generation and one-time stealth addresses keep these unlinkable, which is what underpins Monero's fungibility.
- Network metadata: the IP address that first announces a transaction, the timing of the announcement, and the node that holds it in its mempool first. None of the cryptographic tools above touch this — it lives below the protocol, in the gossip layer.
An adversary running a fleet of well-connected listening nodes does not need to break any cryptography to attack the third surface. They simply record which IP they first heard each transaction from. In a naive flood-broadcast network, the first node to relay a transaction is very likely the one that authored it. That single observation can collapse the anonymity of an otherwise flawless private payment. Bitcoin's early network was repeatedly shown to be vulnerable to exactly this style of "first-spy" deanonymization, and the research that produced Dandelion grew directly out of those findings.
How Dandelion++ actually works
Dandelion++ is an academic protocol introduced in 2018 by Fanti and co-authors, refining the original 2017 Dandelion proposal. Monero shipped its implementation in the v0.15 "Carbon Chameleon" release in late 2019, and it has guarded transaction propagation on the network ever since. The core idea is to split propagation into two phases with very different behavior: a private routing phase and a public flooding phase.
The stem phase
When your node creates a transaction, it does not shout it to every peer. Instead it enters the stem phase. The transaction is forwarded to a single, pseudo-randomly chosen peer. That peer then makes a probabilistic decision: with a small per-hop probability (Monero uses a low fluff probability, on the order of ten percent), it switches the transaction into the public phase. Otherwise it forwards the transaction onward to its own single stem peer.
The result is that the transaction travels along an unpredictable line of nodes — a "stem" — before it ever goes public. By the time it surfaces to the whole network, it may be many hops away from the originator. An observer who first hears the transaction sees an innocent relay node, not the author, and has no reliable way to walk the chain backward.
The fluff phase
Once a node decides to transition, the transaction enters the fluff phase. Here it behaves like ordinary gossip: the node broadcasts it to all of its peers, who broadcast it to all of theirs, and it floods across the network to reach miners and land in everyone's mempool. The fluff phase is fast and reliable — its job is delivery, not concealment. All the concealment work happened upstream in the stem.
Epochs and the four-regular graph
The improvement that earned the "++" comes from how stem routes are chosen. The original Dandelion routed each transaction along a simple line, which a persistent adversary could gradually map. Dandelion++ instead uses a four-regular graph: each node connects its stem to a small fixed set of outbound relays, and selections are re-randomized every epoch — a window on the order of minutes. Because the routing topology constantly reshuffles and intermingles many users' stems, correlating successive transactions to one source becomes far harder, even for an adversary that controls a fraction of the network.
Dandelion++ does not make deanonymization impossible — it makes it probabilistic and expensive. A patient, well-funded Sybil adversary can still degrade it, which is exactly why it should be layered with anonymity networks rather than trusted alone.
The embargo timer
A clever attacker might try a "black hole" attack: sit on the stem path, swallow a transaction, and never let it reach the fluff phase, hoping to either censor it or fingerprint the sender who eventually retries. Monero defends against this with an embargo timer. When a node hands a transaction into the stem, it starts a randomized countdown of tens of seconds. If it does not observe that transaction entering the public fluff phase before the timer expires, it assumes something went wrong and broadcasts the transaction itself. This guarantees liveness — your payment will go through — while keeping the timing jittered so the fallback itself is hard to exploit.
Dandelion++ versus the full network-privacy stack
Dandelion++ is necessary but not sufficient. It hides the origin within the clearnet P2P graph, yet your node is still talking to peers over your real IP address. A network-level adversary positioned at your ISP, or one that operates a very large share of nodes, can still gather signal. The strongest setups combine Dandelion++ with an anonymity network underneath. Here is how the common options compare:
| Configuration | What it hides | Trade-offs |
|---|---|---|
| Clearnet, no Dandelion++ (legacy) | Nothing at the network layer; first-relay = likely origin | Fastest, but trivially deanonymizable by listening nodes |
| Clearnet + Dandelion++ (default today) | Obscures origin node inside the P2P graph | Your IP is still visible to peers; vulnerable to large Sybil fleets |
| Dandelion++ + Tor (tx proxy) | Origin node and your real IP from peers | Higher latency; exit/guard considerations; easy to enable |
| Dandelion++ + I2P | Origin and IP, with garlic-routed inbound and outbound | Smaller network, more setup; strong for always-on nodes |
The key takeaway: Dandelion++ raises the cost of the cheapest attacks for free and by default. Tor or I2P then closes the door on the adversary who can see your raw connection. They solve overlapping but distinct problems, and serious users run them together.
How to harden your Monero network privacy
If you run your own node — and self-custody is increasingly the only durable option after exchange delistings across the EU and elsewhere — a few concrete steps put you near the top of the realistic privacy curve. Dandelion++ is already on; these add the layers it cannot provide alone.
- Route outbound transactions over Tor. Start your daemon with a transaction proxy (the
--tx-proxy torstyle option) so that broadcasts leave through Tor. Your peers never see your real IP for the transactions you originate. - Add an anonymous inbound address. Configure
--anonymous-inboundwith a Tor hidden service or I2P destination so your node can also receive connections without exposing its location, which improves your stem connectivity. - Run your own node instead of a remote one. A remote node sees every transaction you submit and your IP. Running your own daemon — or pairing your wallet with a node you control — removes that trusted middleman entirely.
- Keep your node online and current. A node that stays connected participates in more epochs and blends into more stems. Always run a release that includes the latest propagation and consensus fixes ahead of scheduled network upgrades.
- Avoid leaking metadata elsewhere. Network privacy is wasted if you reuse the same address publicly or tie a swap to a KYC identity. Generate fresh Subaddresses and acquire coins privately in the first place.
A real-world threat model
Consider how this plays out against the kind of adversary that actually exists. Blockchain-analysis firms such as Chainalysis market network-monitoring capabilities to law enforcement, and one well-publicized leak described a "module" aimed at Monero that relied heavily on running malicious nodes and harvesting timing and IP data — not on breaking RingCT. That is the precise attack surface Dandelion++ targets.
Picture a user who swaps Bitcoin into Monero through MoneroSwapper, then sends the XMR to a long-term savings wallet. On-chain, the destination is shielded by the stealth address and the amount by RingCT. Without network privacy, an analyst running listening nodes could still note "the first IP to announce this transaction was 203.0.113.x at 14:02 UTC" and combine it with other records. With Dandelion++, the transaction surfaces several anonymous hops away, at a node the user has never controlled; with Tor underneath, even that surfacing point cannot be tied back to the user's connection. The analyst is left with a relay, a timestamp, and nothing to anchor them to.
This is also why network privacy will stay relevant even as Monero's on-chain cryptography advances. The upcoming FCMP++ (Full-Chain Membership Proofs) upgrade replaces fixed-size ring signatures with a proof drawn from the entire output set, and next-generation addressing work like Seraphis and Jamtis is on the roadmap. All of that strengthens the ledger — none of it changes the fact that a transaction has to be announced from somewhere. Dandelion++ remains the protocol guarding that announcement.
FAQ
Does Dandelion++ replace Tor for Monero?
No. Dandelion++ hides which node inside the peer-to-peer network originated a transaction, but your node still connects to peers over its real IP address. Tor or I2P hides that IP. They are complementary: Dandelion++ defeats cheap first-relay deanonymization for free, while an anonymity network protects against an observer who can see your raw connection.
Is Dandelion++ enabled by default in Monero?
Yes. Since the v0.15 "Carbon Chameleon" release in late 2019, every standard Monero node propagates transactions using Dandelion++ automatically. You do not need to configure anything to benefit from the stem-and-fluff routing — it is part of normal transaction relay.
Can a powerful adversary still deanonymize Dandelion++ traffic?
Partially, under the right conditions. Dandelion++ provides probabilistic, not absolute, protection. An adversary that controls a large fraction of network nodes (a Sybil attack) can degrade its guarantees by observing many stems at once. This is the central reason the Monero community recommends layering Tor or I2P on top rather than relying on Dandelion++ in isolation.
What is the difference between the stem and fluff phases?
The stem phase is the private routing stage: a transaction is passed quietly along a line of single peers, each of which decides with a small probability whether to make it public. The fluff phase is the ordinary flooding stage, where a node broadcasts the transaction to all its peers so it reaches the whole network and miners. Anonymity comes from the stem; delivery comes from the fluff.
Does using a remote node weaken Dandelion++?
It can. A remote node you connect to sees the transactions you submit and the IP you submit them from, so it can bypass the protection Dandelion++ offers other observers. Running your own node, or one you trust and reach over Tor, keeps that origin information out of a third party's hands.
Conclusion
Monero's reputation rests on the cryptography written into its ledger, but real privacy is only as strong as its weakest layer — and for years that weak layer was the network. Dandelion++ closes the gap by ensuring the node that announces your transaction is almost never the node that made it, and the embargo timer keeps that protection from being weaponized to censor you. Combined with Tor or I2P and your own node, it places you well beyond the reach of the cheap, scalable attacks that adversaries actually deploy. If you want coins that arrive already inside this protection, you can buy Monero anonymously through MoneroSwapper and keep your privacy intact from the swap all the way to your wallet.
🌍 Read in