In the ever-evolving realm of blockchain technology, payment channels have become crucial for achieving competitive throughput. Payment channel network (PCN) was the ini-tial attempt to ease blockchain congestion by enabling off-chain transactions through a network of payment channels. However, routing paths can become long, causing high fees and delays. Payment Channel Hubs (PCHs) solve this by using a central entity (aka tumbler) for faster, cheaper transactions; without revealing sender, receiver, or amount details. Thus, PCHs aim to enhance privacy through promising relationship anonymity and concealed transaction amounts, which go beyond base layer where all transaction details are public. Despite these benefits, PCHs are vulnerable to balance discovery attacks (BDAs) due to channel capacity-driven transaction processing, which is fundamental to any system utilizing payment channels. In this work, we propose xPOZ-HUB, a novel attack technique designed to expose transactions occurring within the PCH system. Our approach involves a set of collaborative probers that exploit information leaks in PCH response messages to infer sensitive user information (i.e., balance) in an economic and stealthy way. The attackers further collude with the tumbler to access user interaction data, which is leveraged to formulate a constraint satisfaction problem (CSP). By solving this CSP, aided by deep learning (DL)-based transaction pattern identification and incorporating insights from BDA reconnaissance, the attackers uncover PCH transactions with high accuracy. The attack demonstrates that the privacy guar-antees advertised by PCHs are not absolute: the unlinkability and value confidentiality can be systematically undermined. We assessed the attack impact by extending the TumbleBit protocol to create a PCH simulator and experimented with PCH mainnet snapshots to illustrate real-world effects. While the attack works in real time on open channels; it cannot deanonymize settled transactions.
