Could you expand on your comment? My understanding is that if a party can't tie a wallet to an identity then it is anonymous. So if you can acquire bitcoins (eg. mining) and purchase something (eg. VPS) without giving up your identity then you are solid.
I've heard conflicting information as far as this goes.
Thinking this through- an adversary who's watching the block chain probably knows some inputs and some outputs. As in, these addresses belong to an exchange, these addresses belong to a hosting company.
Okay, fine. Now remember than any user can literally create wallets out of thin air, and in fact doing so is considered basic security hygiene. Let's say Joe User transfers one coin from one wallet to another wallet under their control. Let's say they do this 20 times, sometimes with the full amount, sometimes less.
How does the adversary attach an identity to those transactions?
You have to use your bitcoins someday. Either to buy real currency or real goods. Then you know where the money went TO. Tracing the transactions back (where the money came FROM) is then not a big deal - full history is in the blockchain.
So as long as you don't do a transaction that connects your identity to any bitcoin address, you are fine. but to use bitcoins you are almost always required to do it (its an electronic financial transaction, they are governed by law to have an identity, but of course you can find entities who do not follow these laws).
Only as you say if you convert them into a "real" currency. If they only used their Bitcoin to purchase goods (such as VPS) which was not tied to a physical address, then they could still remain anonymous.
As for where the Bitcoins came from, I'm sure the author of this document would have some digital assets they could sell on the darknet to acquire some Bitcoin. Where those Bitcoin originated then would not be their problem.
Nobody that I can remember has been able to identify the large bitcoin thefts over the years by tracking the coins, those people cashed out somehow. However the SEC filing on Pirateat40's ponzi scheme was remarkably detailed, they were able to track every single coin he received and prove he spent it on himself.
I would imagine others use JoinMarket to mix up the coins[1], use coin control[2] to exchange for other cryptocurrency p2p, or other obfuscation methods like buying up high demand items with bitcoin then selling them remotely for other bitcoins.
Just by following the flow of the money between wallets? Assuming that at least one of the wallets can be connected to an identity, guessing that the others belong to the same person shouldn't be too difficult, just by observing transaction patterns.
