Hacker News

That works for a while - when it's an obscure new thing that the government doesn't know to look for. Afterwards, it becomes a public unchangeable ledger of the entire network of illegal trading.


The IRS currently has a $600k bounty on the ability to de-anonymize Monero transactions, which has so far gone unclaimed. Most crypto drug sales are transacted in Monero nowadays. Not every crypto has public and traceable transactions.


You're still betting your future on this privacy holding. If they do find a way to attack it, they will likely still be able to reconstruct the whole history, unlike with cash.

Also, the bounty was awarded to a company who is theoretically developing a solution. I'm not holding my breath, and anyway I hope for the sake of everyone guilty of harmless "crimes" (buying recreational drugs) that the anonymity holds.


I actually don't believe it's possible to retroactively reconstruct Monero history, in an information-theoretic sense. The data just isn't there, because it gets thrown out along the way after each ring-signature is completed. It's on a similar playing field as cash in that regard.

To track cash, you need to surveil each point at which the cash changes hands, otherwise that information is lost forever. To track XMR, you likewise need to surveil each point at which XMR changes hands. In some ways, the process is similar to reconstructing TOR traffic - you can't passively observe and deanonymize the entire network, you have to actively target a specific actor. I believe that's what the IRS is talking about when they offer their bounty.


I've tried to read the white paper, but I'm not confident I understood enough, and it seems Monero does some extra things as well besides the protocol described in the paper. It didn't seem to me that the information is destroyed in any way, but it did seem true that many pieces that are absolutely required to de-anonymize were never part of the network, so they can't be gleaned.

It did seem though that some targeted attacks where you obtain the private keys of separate individuals could allow you to confirm that they transacted via Monero in the past by inspecting the block chain with these keys.


I believe that's true - if you can get ahold of someone's private keys, you have free access not only to their money but also to their money's transaction history. The security and anonymity of the system is predicated on the person wanting to be anonymous being able to keep their private keys private.

However, private keys are easy to strongly encrypt, typically don't leave your own machine, and can be safeguarded in many other ways. So in practice, they are impossible to lift from a sophisticated user without performing an equally sophisticated attack of deception, for example an evil maid attack with specialized hardware/software.


600k is peanuts compared to how much that ability would be worth.

A real bounty would be close to 100x that number.


You're forgetting that the IRS is basically perpetually handicapped by people who are protecting their friends who do sketchy tax-based things to make more money that they then feed back to the people that kneecap the IRS.



