Topic: [ANN] Anonymixer - the Anonymous Bitcoin Mixer (Read 2523 times)

OK, thanks for answering. You can close the transaction and keep the BTC as a donation. Fees high at the moment.

We have responded to your e-mail.

The trade was created 4th December. You sent a single small deposit and miscalculated on transaction fees and want it returned.

Transactions fees have been so high recently, at one point going above 400 sat/vb, that it would cost us the same amount in Transaction Fees, just to send this back to you.

As a good will gesture, we have extended and extended this trade for you. It remains open, if you send the remaining balance, it will complete as expected.

Thanks for info. Gonna try that.

You could try using Block explorers to check the inputs of your received Bitcoin transactions. You will probably notice that your pre-mixing transaction has been delinked from your post mixing transaction.

First, do it with small amounts if you are not sure. One thing I like about them is that they are probably the only mixer here that do not use a third party service against DDoS attacks, eliminating the possibilities of the MITM vulnerabilities.

Anyone can answer this, or is it too stupid a question xD?

Hi Jerome,

Thanks for noticing, you're probably aware it's to prevent outside observers correlating amounts going in, with amounts going out. Had your trade included more than one output address, you'd be presented with one initial deposit address.

The clearnet site is now pretty much up all of the time and will be going forward, despite being under intense DDoS attack (even as we speak).

Since ChipMixer left, we were obliterated from so many types of attacks; DDoS, some kind of ping/icmp style attack causing CPU to overload and freeze including on boot, false "abuse" reports of the server IP performing port scans then getting canned by hosting provider, getting mail bombed with spam, it just goes on. We got kicked off so many hosts trying to deal with it all but never gave up - we'll never use Cloudflare, DDoS-Guard or any other service that can eavesdrop on traffic.

If the total outgoing BTC is higher than the Hot maximum, then it's a Cold Trade. Hot Trades are automatic, Cold Trades are signed off from a hardware wallet.

🎉🎉 Anonymixer is now 3 years old!!! 🎉🎉

In a market where mixers come and go (and exit scam), we're still here and we treat people the way we would like to be treated!

I love how the mixer automatically generates two deposit addresses. Most mixers don't do this. This is also probably the first time i find the clearnet site on, it must be a lucky day 
In regard to the trade maximums, Hot Trade Maximum = Automatic sending off of bitcoins and Cold Trade Maximum = manual sending off of Bitcoins?

If Hot Trade Maximum is 0.1 BTC and I have 0.3 BTC, I send 0.09 BTC on address 1 and 0.21 BTC on address 2. Will both addresses have a cold trade mix via the output addresses?

After 3 years, we're still here and committed to protecting your privacy.

Just to remind,

• Anonymixer is the only mixer that does not rely on CloudFlare, DDoS-Cloud or any other "man in the middle" traffic logging service
  
• Anonymixer is the only mixer with a SSL / TLS Grade A+ rating, the strongest encryption
  
• Anonymixer does not charge additional fees per Output Address. Just a low 1 - 2% fee + network fee, so no hidden surprises
  

It looks like a typo:
That block hash was mined on May 25, and the block hash can't be faked ahead of time. The signing address is still the same. That means month "04" should have been "05".
It's sloppy, but whoever signed this has access to the private key.

Hi!
I've been working with this mixer for a couple of years but this May it suddenly stopped working for a few weeks with a warning sign (something about maintenance).
Now the sign has disappeared from the site but the canary is outdated. I'm wondering, is the mixer in working condition now? I'm afraid that it can be "stolen" or faked.
I'm talking about onion version

thanks _) I'll go to sleep well _)

---

I work with Eim Mixer everything is different! Hung my mobile wallet did not display the score! I will advise the guys quick feedback! In general, everything is fine!

correctly i poned if I want to get fast i should throw Hot Trade Maximum 0.2731?

Nah, you didn't lose 0.72 BTC.
It will be mixed manually, like I said with the "cold trade" and sent to your adress.
Just wait a bit

see https://[banned mixer]/help/faq

edit:


Yes 0.27 BTC max but you can then wait a bit and start to mix again, once they have refilled their "hot trade wallet".

i threw 0.72btc

I want to hope that everything will be fine (i wrote support@[banned mixer] waiting for an answer ! As a result, I'll let you know

Perhaps because of the current limits?

 (displayed on the bottom of the page)
Hot Trade: everything is automated and outputs are send directly after 1 confirmation.
Cold Trade: manual mode: outgoing transactions are signed off by a person

Hi guys! I made a large amount on the mixer waiting for more than 3 hours so the coins and did not fall on my address. Done up to this point the deal was all right! I am waiting for a response from the admins! 

sanctioned wallet address whats happening

hi, just a simple question, how do I know the service has worked, is there any way to check if my coins have been mixed and untraceable? thank you

Thanks for pointing this out, LeGaulois! The anonymixer.org website is indeed a scam.

Be careful guys with the following domain names

Someone posted a phishing URL on one of my topics. Looking around I found 3 other domain names. The last three are not used (yet) but it will for sure and should be avoided as well. Unless @anonymixer owns them but I very highly doubt it. Better safe than sorry, use only the links posted on the 1st post

Scam bitcoin mixers:
anonymixer.org
btcmixqkqe6b6fiq2kqsicdazl46kxfnacl7iv722jigq33fewz7zuad.onion
anonymixer.xyz
anonymixer.io
anonymixer.biz

Edit 1: to add a Tor link
Edit 2: for reference to newcomers Scams Bitcoin Mixers List and Services closed

Thanks a lot for the prompt answer, that's good customer service/care, I was just asking as the paradigm of declaring what you send is completely different to other mixers where you can just send whatever coins you want.

It's considered a tip and the trade goes through, as is. This can actually be a great way of avoiding change coming back to you from your deposits.

However, if you've made a mistake or sent way too much, we can arrange to get the excess deposit(s) returned to you - just send us an email.

What happens if you deposit more than what you declared on the initial screen ?

The self-signed certificate which can be used to verify the authenticity of PDF Letters of Guarantee, expired yesterday.

For those who rely on this, please update and trust the New Certificate in the same way you did before,

Please see https://no-js.[banned mixer]/help/trade/trusting-pdf-signing-certificate

The new (Self Signed) Certificate is:

-----BEGIN CERTIFICATE-----
MIIB9TCCAZmgAwIBAgIEGR+vSjAMBggqhkjOPQQDAgUAMG8xEDAOBgNVBAYTB1Vu
a25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNV
BAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEzARBgNVBAMTCkFub255bWl4
ZXIwHhcNMjIwNzE0MTQyODQ4WhcNMjUwNzEzMTQyODQ4WjBvMRAwDgYDVQQGEwdV
bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD
VQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRMwEQYDVQQDEwpBbm9ueW1p
eGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEISAOfDq4demVEDYb7d0LwjNZ
AF+PF7zzhmTRa52EsS3vKRJWpI+K2X6rGcX6M4NXb6FMlo9eWglyoXBrEDz7XqMh
MB8wHQYDVR0OBBYEFBd9YtbAIn2ptTvddxbtg4VKy7y7MAwGCCqGSM49BAMCBQAD
SAAwRQIhANEQqDh2S6yIQBNeR6b3Gb4++ALv1cBzD53Xg8otlP49AiBg8lf062S8
ywP6zX1XImTHqPd7oPjzDpck8mIDaeGQRQ==
-----END CERTIFICATE-----

Signed By: 1AnonyMix35XkzRusC7FAzwi9KKggnyg5b
Signature: H74RXq3+umK72KCFEvs9HcF9lgyCTXCvYjHAa55ZZi24Kxum1NbvKpywCulncyNX2zExKezqlgLUIMaKxtQDhig=

Hi you all,

Regarding what I sent  0.1914734 btc  to   bc1qlrh69pa07qmn5e7k907xsn3yh9eed6yw5c2yaa

I wasn't aware of the hot wallet cap and the need for a human to process the transaction that would take far longer than the guarenteed times of deposits generated by the mixing process.  I was spooked and on edge for 12 hours+ but extremely relieved when the clean coin showed up in my deposit wallets. I appologize if my post caused concern for anybody out there. I'd never experienced hours delay past the alotted time for deposits.

Anonymixer is 100% legitimate and continuing it's excellent service which I will continue to use.

/]The website currently shows this:
If that was the case when you made the transaction, 6 hours might not be enough for a human to complete the transaction.

Is it signed from 1AnonyMix35XkzRusC7FAzwi9KKggnyg5b? If so, are you willing to share it to be verified? Note that sending it by PM (or unencrypted email) compromises the privacy of your transaction.

I've used Anonymixer service a few times before and it always worked well, depositing
bitcoin to the outgoing addresses in the time expected. I just mixed about
$7450 btc and it hasn't shown up in my 3 wallets. It's now over 6 hours
since the mixed bitcoin confirmed being received at the staggered
payment scheduled. I checked the blockchain and
there's zero activity involved with all three of the fresh wallets
expecting payment. Of course I'm concerned and hoping this is a
glitch they'll quickly remedy. I've emailed them.

Has anyone experienced a lack of
follow through with Anonymer's service right now?
I wonder if they're exit scamming.

I sent  0.1914734 btc  to   bc1qlrh69pa07qmn5e7k907xsn3yh9eed6yw5c2yaa

I have the digital letter of guarentee to provide the service representative
so they can sort it out.

A short review from a previous Wasabi user:

Clean and easy website to use, very straight forward

Tried it twice with a small sum, and everything seems have gone great

Let's hope it works with ten times as much in a short while

And is it possible to add a line to the letter of guarantee that sums up all the split deposits? 
Maybe something like: "the above addresses will be sent exactly a total of X BTC"

Just a thought, makes it easier to check at a glance.

Yes the attack is over, the vulnerabilities are fixed and no it's unlikely to happen again.

It was an attack on the V3 network as a whole and was patched by the Tor devs.

If the same (or similar) attack did happen to come back and the V3 network was destroyed - our infrastructure would still be standing and operating.
We spent 2 weeks re-developing our internal architecture assuming that the attack on the Tor V3 network would persist indefinitely.

Is the attack on V3 completely over? Are the vulnerabilities fixed or this might happen again?

Tor is removing support for legacy V2 addresses. Tor V3 addresses provide better encryption algorithms and anonymity.

Anonymixer's primary Tor V3 Onion address is:
][banned mixer]

Please update any bookmarks which reference the old Tor V2 Address (anonymixerpolbpy.onion).

Also, Anonymixer will support Taproot addresses when the soft fork fully activates in November.

Some updates:

• Anonymixer now supports Native SegWit deposits
• We still provide legacy P2PKH and P2SH deposit addresses, just in case
• We now provide 10 unique deposit addresses per trade/mix
• Paying multiple deposit addresses in the same transaction didn't always register properly. That's been fixed

When Transaction fees are high, it's not a bad idea to send 1 transaction to Anonymixer, where by you batch-pay multiple Deposit Addresses in that transaction, for instance:

Your Input Address	|	Amount (BTC)	|	Output Address	|	Amount (BTC)
bc1qech0svc0u3rvjmmqnnssf0wg76tvldqygq92ha	|	0.02	|	bc1qkwqwzklpr5az9qm80xnzxpjspxpyjftmqdzyvy (Anonymixer Deposit)	|	0.00306244
	|		|	bc1qasuwtlyge8wczt0aum63e84a6fs3jjh887cm8c (Anonymixer Deposit)	|	0.00714568
	|		|	bc1qecdxvhh2za26pm92jr25zee3eu520vvnqdd7f9 (your change)	|	0.00970988

Another note: when you spend from multiple inputs and deposit to multiple Anonymixer addresses all in the same Transaction, for all intents and purposes that is considered to be a CoinJoin or an Exchange depositing into Anonymixer, certainly Blockchair appears to think so, so you could get really creative here with both depositing into as well as payments coming out of Anonymixer.

Our PDF letter of guarantee (Digitally Signed), now looks like this:

Hello,

I'm just dropping in to express my gratitude for this excellent service.

Just a short post detailing my positive experience with Anonymixer and its staff.
The mixing service itself is quite impressive, quick, slick, well built and with helpful tutorials.

However, since I was in a hurry when using it, I made a large overpayment with my mix.
Upon contacting the Anonymixer staff they promptly sorted everything out for me, even though the blunder was on my side.

I was stupid, but these nice dudes saved my ass. A lesson learned and a heads up for anybody else.

Many thanks for that.

Some persons think the attack is done by a state, some others think it's done by market owners, yet there is no evidence found. Perhaps none of them are the cause, do you remember last year?
https://gitlab.torproject.org/tpo/core/tor/-/issues/33018

Something interesting, what about TorPy
https://lists.torproject.org/pipermail/tor-dev/2021-January/014505.html
https://lists.torproject.org/pipermail/tor-dev/2021-January/014510.html

The Tor V3 network is being attacked again, perhaps by a State Actor?, specifically the consensus nodes are receiving the brunt of it.

The Anonymixer Service is 100% up! The V2 onion works fine, with some perseverance the V3 onion will work. Most crucially, the status light will stay green / on and we're able to Trade, even under this attack.

The Tor guys did release a patch for the consensus nodes, well enough for it to be workable, but I suspect the attackers have since tweaked their code to get around that.

Not that it's anything to do with us, but for those concerned about upgrading their Bitcoin nodes to Bitcoin 0.21.0 with the network shifting over to Onion V3 addresses, in my personal opinion, don't be concerned.

From what I understand, unlike HTTP, where streams / sockets can close and Tor circuits forgotten, the Bitcoin Protocol is binary based and establishes a relatively permanent stream / socket over a constant circuit. Further it establishes streams / sockets with many remote peers. When one peer disconnects, the client will persistently retry to build circuits and streams with others. So, in our opinion, have no fear in upgrading to Bitcoin 0.21.0 - it will be resilient in the face of this attack.

Bitcoin 0.21.0 also includes a very, very important privacy feature:

To improve wallet privacy, the frequency of wallet rebroadcast attempts is reduced from approximately once every 15 minutes to once every 12-36 hours. To maintain a similar level of guarantee for initial broadcast of wallet transactions, the mempool tracks these transactions as a part of the newly introduced unbroadcast set. See Pull #18038.

Anonymixer Service is 100% now online and available. Major development has taken place behind the scenes, to improve OP-SEC, which was already very good, but is now even better.

• You may find everything to be a lot faster / snappier, i.e. Deposit transactions and confirmations are picked up even quicker than before
• Service light being red, hopefully, touch wood, is a thing of the past, everything should be a lot more stable

The powers that be can attempt to destroy the Tor V3 network to their heart's content and hopefully, we will still be standing - and still very much anonymous.

We may be over-cautious, but we do not know what the future holds.

Hope to trade with you soon.

Anonymixer Service is Temporarily Suspended!

• On January 10th, the Tor Network started to suffer from a major DOS attack affecting all V3 Onion Services, to the point where it became unusable. We use Tor V3 Services internally.
• On January 11th, some service was restored briefly, but intermittently. However, various Onion services have been seized, during this time.
• It's possible that this may be due to the attack itself.

We are not a DarkNet Market and we only focus on people's financial privacy, however, we have decided to temporarily pause trading whilst we re-architect and re-develop internal parts of our system, to improve OP-SEC prior to re-opening the Service.

We estimate this software development to take approximately 1 week. Hopefully we will be back up and running up by 19th January.

We can assure you that we are safe and well, we have /canary]updated our Canary and we hope to trade with you again soon!

We are sorry for any inconvenience caused.

Anonymixer Service is Down.

The entire Tor V3 network is being DOS attacked, which we use internally. Sorry for the inconvenience, we are trying to find a work around.

No in-flight trades are impacted and will go through as normal.

No worries Brother. The transaction completed a few minutes after I posted that.

Its a good feeling to have wallets full of clean satoshi's.

Thanks again for a well run and affordable service.

Hi Gary,

Thanks for your kind comments.

I have written some custom local software which allows me to view / manage the state of Anonymixer as well as digitally sign cold transactions prepared by the system.

Unfortunately, A bug in this hardware interface / signature code presented itself the other day and will continue to happen if an unsigned transaction has certain properties. Until I've fixed this bug, I'm not comfortable with Cold Trades so I've turned them off for the moment. This fix is currently Priority #1 and I am working on this, even now, I will re-enable cold trades once this code has been fixed. UPDATE: now fixed

I initially set the Cold Limit down to 0.2 BTC, then to 0 BTC, where really I need to set a config flag, similar to Issue #1, where by there's a nice message explaining that the Admin is currently unable to accept Cold Trades and/or is away at the moment.

Regarding other (Hot) trades and speed, this is down to the Mempool. Once a Trade has been fulfilled by the user (i.e. all deposits have at least 1 conf) and they want their outgoing transactions to be sent absolutely immediately, that's totally fine and they'll go out immediately, with a good fee and get confirmed quickly.

The Bitcoin mempool right now is quite congested. Some transaction deposits sent without enough of a fee on them will take longer to confirm. However, if you've sent a Transaction with "Replace-By-Fee" enabled, you could re-send that Transaction with a higher fee and hopefully it'll confirm faster.

I hope you are enjoying the Bitcoin Price rise that has come hand in hand with the Mempool being busy, Gary

UPDATE 2020-12-19: Cold Digital Signing code is working, all unit tests passing, have to perform end-to-end testing and then will re-enable cold trades later today. Thank you for your patience.
UPDATE 2020-12-19: Cold Trades have been re-enabled.

I'm happy to report several successful mixes using this service. I do have a couple of questions though.

I am in a mix right now that limited me to .2 BTC and I think I know why, but the WARNING! message that pops up is unhelpful in explaining why and is a bit disconcerting.

Also the first few mixes I did were done very quickly but then it seems like they got progressively slower until the present mix I am in has been over 12 hours.

Nice service... just wondering...

nah, i didn't... I phrased it wrong... I meant to say something more in the lines of :"It's been a while since I last posted in this topic, and because i didn't want any bias, i didn't re-read everything before i made my review".


Agreed, so far i see a lot of green lights for this one... It is indeed refreshing to see a mixer that doesn't fall for the obvious pitfalls so many others have fallen for lately. I still won't give up chipmixer and coinjoining using my wasabi wallet, but i'll defenately keep this one on the shortlist after the OP makes the changes to allow me to specify the amount i want to deposit instead of the amount i want to withdraw (he seems to be working on this feature), and i'll defenately use him to mix unspent outputs that are not ideal for chipmixer or coinjoin (unspent outputs with values that make them less suitable for their algo).

Did you forget you posted here before?

I've seen many mixers that claim to own 200 or more Bitcoin, and claim you can mix 50 or more Bitcoin at once. And I've seen some of them disappear the moment someone deposited a large amount.
It's refreshing to see a mixer that doesn't make large claims about owning funds, and doesn't seem to be hoping for a large deposit to run away with.

full disclosure: i'm payed the equivalent of ~$15 as an incentive to do a small writeup of anonymixer.com

preface: by sharing screenshots of the mixing process i went trough, i basically voided my mixing session. I also made other "bad" choices opsec-wise (like chosing a short interval and only creating 1 deposit and 1 withdrawal addy). The point is that i'm trying to review this mixer, not mix my unspent outputs . You're free to lookup these addresses on any block explorer and see if the mix was actually succesfull

preface 2: i'm also a big fan of using tor to initiate a mixing session, aswell as using a non-js mixer (this function is available in this mixer), however, i decided to use the clearnet, js-enabled version from my normal browser, since this is the way i suppose most normal non-tech users would use a mixer

preface 3: i did not read the other posts in this topic, so i wouldn't be prejudiced.

preface 4: i use wasabi to hold some pre-mixed change before i move my funds to my hw wallet... I'm not here to start a discussion about this... Wasabi is fine for holding smaller amounts, as is electrum... Desktop wallets are not ok for long term storage.

Here we go:
Walktrough
1) I created a new address where i liked to receive my mixed funds:


2) I opened anonymixer, pasted the address i created in the first step and chose the amount i wanted to receive post-mix


3) I was redirected to a page where i had a nice overview of the costs, and where i was able to adjust the timeout


4) I was redirected to a page where i saw 2 deposit addresses and a proposition on how to divide my funds over these 2 deposit addresses. I removed one of these addresses for the purpose of this walktrough, but it's better opsec not to do this. The page also allowed me to download the letter of guarantee both in txt as pdf format


5) I deposited the necessary funds


successfully


6) The unconfirmed tx was picked up really fast by anonymixer's gui


7) I waited for 1 confirmation, at this time my 4 minute timeout started counting down




After the 4 minute timeout, i received my mixed funds


Discussion/remarks:
1) I've already contacted anonymixer after completing this mixing session because i tought it would be better if they allowed me to specify how much funds i was going to deposit instead of having to specify how much funds i wanted to receive post-mix... I usually start with an unspent output i want to anonymise. Because of the random fee, it's impossible to calculate how much i have to enter as post-mix value in order to spend the complete value of the unspent output. Underestimation leads to tainted unspent outputs funding my change address, overestimation leads to having to use an extra unspent output.
Apparently the owner was already aware of this, and had already opened a ticket in his git repo about this issue aswell

2) I tought anti-csrf tokens were missing, but apparently they are not... my bad

3) I was missing some security headers, i have sent them to the OP. Nothing dramatic tough, just small tweaks... Not all headers are necessary, but it's wise to consider them on a case-by-case basis. I guess this mixer would be fine even without these headers, but i was in a mood to nitpick

4) The session cookie missed the secure flag

5) native segwit deposit addresses would have been nice...

6) the canary function is a nice touch, eventough 2 weeks time between 2 updates might be a tad bit on the long side... But at least we'll know in 2 weeks or less if the OP ever goes AFK for a longer period of time.

Conclusion:
From my point of view, the OP did his homework... I'm 99,9% sure my own site has a lot more vulnerability's and is missing a lot more security headers than OP's.
I'm glad to see a new mixer that doesn't include external js, doesn't use a CDN, doesn't created a MITM by using cloudflare,...

From a technical point of view, I can say that anonymixer looks really promising. There might be some bugs here or there, or some enhancements,... but nothing to serious, and AFAIK nothing that exposes this mixer's clients.

I waited a couple of days after being contacted by the OP, there is no way he knows I was starting my walktrough, and everything went exactly as i presumed it would go... So, i'm confident in saying the OP at very least has the infrastructure to do what he's claiming to be doing.
Offcourse, mixers need to stick around for a while to build some trust, trust is something i cannot review... But in this case, at least i'm hopefull... This is a mixer i would actually use myself from time to time. I think this one of complementary to chipmixer since these mixer's have a completely different mode of operations

PS: Since i voided my own mixing session, i'm also willing to share the letter of guarantee i got, so people are able to verify everything for themselfs: https://www.mocacinno.com/hotlinkimages/anonymixer/1e2289b0-a4c7-427d-87a0-84bf58983dac.txt
I went ahead, and verified the signature, it's valid... But you're free to try it for yourself

Thank you very much LoyceV for reviewing Anonymixer. it's really appreciated!


I've created Issue #1: Add "System Maintenance" flag mechanism which means no-one will face that in the future once completed.
Unfortunately, despite the tx creation/coin-selection code working just fine for weeks, After noticing odd things in the logs, to be on the safe side I decided to stop accepting new trades by setting the maximum limits to 0 whilst I had a closer inspection.


Totally agree about that not being intuitive, I created Issue #2: Clicking Confirm "tab" destroys user's entered data. Now fixed.


Agreed. The maximum limit should be more prominent. I'm going to have a think about showing users the maximum limit, closer to output addresses. These limits were previously visible on the Outputs Screen prior to adding in the marketing material.


You want to avoid sending change to yourself, which is very understandable. This would require a bit of deep surgery on my part, which can done. I've created Issue #4: Ability to update Output Amounts on Confirm screen in-case you would like to track that feature's progress.


As things stand, the trade would expire - which is bad. However, providing we have a Letter of Guarantee, any trades can and will be completed manually. I've created Issue #5: Extend the life of trades with low-priority unconfirmed transactions which should help even if incoming deposits are coming in with 1 sat/byte during a high fee season.


Quotes last for a maximum of 30 minutes before they time-out and where you would be presented with an updated grand total / set of fees. However, I agree this is odd to look at and a user should be given exactly 72 hours from the moment they press the Confirm button. I've created Issue #6: Trade Timestamps on Confirmation of Trade.


Let's see how things go, things can change. At the moment, I'm personally in favor of a variety of UTXOs both large and small. More UTXOs to choose from is better for the coin-selection / transaction creation code in terms of both getting lucky with change avoidance as well as when we do have to create change, doing so in such a way that makes it very difficult or impossible to spot which are the change outputs(s).


We also believe transaction fees should be as low as possible, but bear in mind that trades wait for deposits within a 72 hour time window. The mempool may be relatively empty at the point-in-time they create the trade, but it may be busy when their final deposit confirms and/or their scheduled outgoing transactions are due to go out (say 40 hours later). So we must be conservative, but not overly conservative if that makes sense.

On the plus side of being conservative like this, it means that even during times of high fees, users who want to get funds mixed, can do so quickly.

I have created Issue #7: Add ability to adjust Bitcoin Network/Mining Fees on Confirm Screen, in-case you wish to track this feature.

Just a note, Outgoing Transactions which are due to go out at the same scheduled time do in-fact go out in the same batched transaction, which reduces network/mining fees.


I will get that sorted. I've created Issue #8: FAQ: Maximum Fees should show actual real-time fees, not just a picture.

• Many wallets
• Many UTXOs in each wallet, e.g. 100+ per wallet
• It is Wallets, but not UTXOs are cycled in chronological order

The code tries it's best to not combine UTXOs in outgoing transactions, however that can happen, of which it would be unlikely to pick another deposit UTXO from the same trade due to the amount of UTXOs available within a Wallet.

For the moment, one could ensure that UTXOs can not be co-spent if they happen to both originate from the same deposit input transaction, but we could not follow the same logic across multiple input transactions as that would mean keeping a permanent record of which UTXOs were linked to which trades, which goes against the 100% no-logs policy. We could however try to influence it so that UTXOs in the same Wallet with more disparate block heights are preferred as potential partners as opposed to those confirmed closer to each other. We will continue to have a think about this.

What we can do and actually do manually, from time to time, is shift coins around internally, not co-spending any of them in a variety of ways.

For internal UTXOs "at rest" not associated with any users or trades, we were previously thinking about writing code to participate in JoinMarket CoinJoins as a Maker or connecting to a Wasabi co-ordinator node and joining in with their CoinJoins, but for the moment have decided against this because of the possibility of exchanges then flagging-up coins that have come from Anonymixer as being suspected of participating in CoinJoins, because they would've been. So internally shifting stuff around for the moment is the weapon of choice.


We know you like the Lightning Network and in this case you were sending some funds to your Pheonix Wallet, presumably to open a new channel. It may or may not interest you to know that we've been working on adding Lightning into Anonymixer.

The suggestion is, in the future you could give Anonymixer a Lightning Invoice on the Outputs Screen and then send a regular on-chain deposit to Anonymixer which would then pay your Lightning Invoice(s), re-balancing and re-populating your existing open channel(s).

Likewise, the reverse: say you have received many payments via Lightning and can no longer accept funds into these channels and wish to on-chain some of those funds without closing your channels, you could deposit funds to an Anonymixer Deposit Lightning Invoice(s), which would result in your chosen on-chain Output Addresses getting regular Bitcoin payments.

I was asked to test Anonymixer, and received 0.001BTC to use for this.

My review
I used the Tor site.
After I entered 3 Output addresses (all Bech32), I clicked the gray Confirm tab. This emptied my Output addresses and I tried to enter them again. It showed red: "Warning: Your maximum limit right now is 0 BTC. Please reduce the total Bitcoin."
This error didn't go away, even after reloading or trying in a private Tor window. It turns out something went wrong on the site. After anonymixer fixed the problem, they said they've added a "maintenance mode" so it becomes more obvious when the mixer is taken down in the future.

Trying again, the same thing happened when I clicked the gray Confirm tab: this emptied my Output addresses again. I think this should be fixed, I get now that I have to click "Continue", but I intuitively assumed going back and forth through the tabs would work.

It took me a while to notice the Maximum amount that can be mixed in the bottom-left corner. It's a lot of scrolling to get there, maybe this can be placed closer to where you enter the Output Addresses.

I don't like that I can't change the amounts sent to each address on the Confirm tab. I want to spend a certain total amount, but I have to go back to get to the Outputs tab to adjust for the Bitcoin Network Fee and Anonymixer fee. It would be better to show the Total amount including fees on the Outputs tab. Now it's difficult to get to the right amount, because everytime I go back, the Bitcoin Network Fee changes. I'm probably not the only user who wants to send an exact amount so I don't receive a small change amount.

I've deposited funds to 2 different deposit addresses with a low fee (7 sat/byte). I'm requesting it to be send to 2 different addresses (straight into my BlueWallet and Phoenix Bitcoin Lightning Network wallets).
Hypothetical question: what would happen if my transactions don't confirm within 72 hours?

I didn't change the default delay between output transactions, and the first transaction arrived as scheduled already. The next transaction was scheduled 31 minutes later. Eventually they both confirmed in the same block, despite a delay of 31 minutes in between (the default). Blocks are sometimes slower, so a larger default delay might be better.

Letter of Guarantee
I confirm this checks out. A question though:
I guess the 72 hour started when I started entering data on the site. It's a small difference now, but if someone takes 2 days making changes, this shouldn't be taken from his 72 hours. So I suggest to add exactly 72 hours from the moment the Letter of Guarantee is created.

Other comments
For your business model: you're currently not charging any additional fee when someone funds 20 different addresses, while the cost for you will be higher. As an example: CoinPlaza.it (a small exchange) used to charge no mining fees on Bitcoin, but they've changed that. For several of my past transactions with them they earned less from me than they paid on network fees alone. So I wonder if this will be sustainable, especially when transaction fees rise a lot.

Sending individual output transactions also increases fees a lot, and I think you're overpaying miners. Especially if you target small amounts, transaction fees should be as low as possible. One third of the fee would still have been enough for a fairly fast confirmation, and in most cases I prefer lower fees over faster confirmation.

In the faq, it shows a screenshot of the maximum mixing size. This is an "Example", but I'd suggest adding real-time values instead of a picture. Make it show the actual values. People usually don't read, so the images is the first thing they'll see.

Also from the faq:

Hi everyone,

Just to let you know that on Saturday 28th November at 23:00 UTC
our front-facing web server will be down for scheduled maintenance.

Estimated downtime is likely to be 1 hour, but could take longer
and may not be up until some time on Sunday.

No existing in-flight Trades will be affected and will go through as normal
regardless of whether or not the front-facing web server is up.

It is likely that the two two Onion URLs will be up and accessible
first before the Clearnet URL, just a reminder, these are:

V2 Onion: anonymixerpolbpy.onion
V3 Onion: btcmixer2e3pkn64eb5m65un5nypat4mje27er4ymltzshkmujmxlmyd.onion

Regards,

Anonymixer

Message written at Bitcoin Block:
0000000000000000000bfbf9d885a9bfbd55267bd10767488f2b210248b25340

---

Signature: IHhF3yZiFm0mpfAPzpaYLKWr1P5qoTsinwSX6yITFP9BY9nzbMAXbM3KwDIMCIfgAnyzaFpguZMMYRF Tn9a7gsw=
Signed By: 1AnonyMix35XkzRusC7FAzwi9KKggnyg5b

Hi Everyone,

We've been updating our site and fixing bugs.

• The site works better and smoother than ever without JavaScript
• We have added an Onion V3 Address
• We have added Russian and Dutch Language Translations - (Big thanks to Royse777 for the Russian Translation!)

A reminder of all of our URLs,

Clearnet: https://anonymixer.com/
Tor Onion V2: http://anonymixerpolbpy.onion
Tor Onion V3: http://btcmixer2e3pkn64eb5m65un5nypat4mje27er4ymltzshkmujmxlmyd.onion

Interesting comment anonymixer. As of today I got almost 95% of my coins under strict coin control. Nonetheless I am studying what could be the best options to keep my privacy and avoid blockchain analysis as I believe in the not so distant future LN and such will be more ready to be used on a daily basis. Either way, what can be done with your service looks good and I will try it eventually.
I'm glad you will be adding references not only for Wasabi, as there are more ways of producing toxic waste. 
I'll see you around (sorry can't merit, I am out, will keep some for you)

Hi Karartma1,

Yes, the same applies to Doxxic Change produced from Samourai Wallet CoinJoins. Thanks for letting me know about this, as I'll update the site regarding that!

This actually applies to any small coins/outputs you have, where you consider them to be dangerous from a privacy perspective.

• Small coins/outputs can be too small to practically spend on their own in one go, yet when combined can add up to a very significant amount of money.
• If you co-spend any of these outputs at the same time, you destroy your privacy as Common-Input-Ownership Heuristic analysis will let any outside observer know that you in-fact own those outputs.

Because Anonymixer provides you with 20 unique deposit addresses per trade, you can spend each of your low value coins in their entirety (seperately), sending each in separate transactions to respective unique Anonymixer Deposit Addresses with no change.

As far as outside observers are concerned, each of these individual transactions is considered to be a straight "internal transfer" from one Address to another. i.e. sending them to yourself.

Once you've sent your deposits to Anonymixer, you will then get a consolidated coin back that is entirely unconnected from any of the coins you sent Anonymixer in the first place.

No matter how much Blockchain Analysis companies try to piece models of clusters (wallets) together by using common input ownership heuristics / peel chains / change address identification etc, they will never be able to determine that you either sent your coins to a mixer or received a consolidated coin back from a mixer - They can't identify any of our clusters or addresses!

All transactions look like regular transactions between users.

Let's say you have 5 low value coins/outputs:

• 0.00014642 BTC
• 0.00053470 BTC
• 0.00023380 BTC
• 0.00051851 BTC
• 0.00051346 BTC

You create a trade and send 5 payments to Anonymixer, to 5 unique deposit addresses. Spending each individual coin in it's entirety with no change.

Anonymixer will then send you back 1 coin = 0.00194689 BTC (minus fees).

Don't throw money away to Bitcoin Eater Addresses.
Every Satoshi is Sacred!

More information can be found at: https://anonymixer.com/help/wasabi-change-coins

Please specifically look at the area: There is a Solution - with Anonymixer

I guess the things I like the most are no JS, being mobile friendly, no CDN, no HTTP and of course TOR Support. I have a question regarding Wasabi toxic waste: could the same be done with the doxxic change coming from Whirlpool (Samourai Wallet)?

Hi Everyone,

It's been a while since the last post.

The Anonymixer website front page has been revamped, bells and whistles have been added. Any feedback is most welcome.

Plenty of bugs have been fixed. Thank you to everyone who has used Anonymixer so far!

We try hard to make sure that you don't get your coins from a previous mix, but it can happen. We will continue to develop the software further to try to ensure that this doesn't happen.

Aside from the fact that we have many individual coins/UTXOs, two approaches we currently take are;

1. Conf-Guard

Any coin that comes into the Mixer, must have at least 18 confirmations and be suitably thawed prior to leaving the mixer in any subsequent trade.

This caters for a user that makes multiple mixes in quick succession. If a user sends a coin to the mixer, there is absolutely no way that coin is coming back out of the mixer for at least 3 hours.

2. Most recent coins go out last

We have many Wallets. The Wallet which received coins into it last has the least likelihood and priority of being used to send out coins in subsequent mixes.

This caters for a user performing another trade on the same day or the next.

Hi LoveUJack,

For what it's worth and without going into too much detail, the software architecture of Anonymixer assumes that such entities have infiltrated the public facing server and have had 100% root access from the very first minute.

The public facing server writes nothing to disk, with anything of importance temporarily stored in memory on a need to know basis.
To my current knowledge, even with root access, a third party would be unable to eavesdrop on HTTPS network traffic.

All Anonymixer source code, both server side and client side is compiled, obfuscated and mangled.

Even with this software design in place, we have taken great care in securing the public facing server from outside attackers, for instance the server only exposes port 443 (HTTPS) and has an SSL Labs Grade A Rating. All keys are encrypted and buried away within very large binary files.

In the event of a suspected security breach, or if we just lost the server completely - we could setup an alternative server from an alternative provider very quickly.

One thing to note, albeit highly unlikely, even with this security in place, these "entities" do what they like, legally or illegally, when and how they please. There is nothing stopping these entities changing NameServer entries of the WHOIS records or altering your chosen DNS server's records so that on trying to resolve Anonymixer.com, you are actually pointed to their own server, which in-effect could act as a MITM. Or, they could simply confiscate the domain entirely.

We recommend using Tor, our Onion address is http://anonymixerpolbpy.onion.

@LoveUJack: that's actually a very good question.

There are a couple of scenarios tough:

• the mixer owner can hire a dedicated server. In this setup he can encrypt the necessary filesystems . If his host decides to cooperate with a 3 letter agency, they'll have to boot the server from a boot image to reset the root password, and at this point they'll be faced with the encryption. So the mixers clients are safe-ish (I do believe 3 letter agencys have more resources to break the encryption and ways to track down the owner to force him to decrypt any encrypted filesystems.. but still..)
• if the owner of the mixer is renting a vps, there is some isolation, but the host can still access the container
• if the mixer is using shared hosting and his host cooperates with a 3 letter agency, the clients are royally screwed
• it's also possible the host isn't a us based company (best case scenario it's a bulletproof host in a safe country)

So, in the end: yes, the mixer can make other not-do-smart choices hosting-wise. However, we know (for a fact) that cloudflare hosts content in the us, so no matter which choised about hosting the mixer operator makes: cloudflare is unwise.
Yes, the hosting can be an attack vector, but it's not because you already have one attack vector it's ok to add an other one you can easily avoid....

I do need to clear something up: I'm not against cloudflare per se! Cloudflare is easy, cloudflare protects sites that have nothing to hide, cloudflare speeds up your site, cloudflare reduces bandwidth.
Cloudflare is great for blogs, small stores, forums,... But cloudflare is bad for mixers.

PS: I suspect cloudflare of nothing... I have never seen any proof they're leaking anything to le... However the mere fact they *could* leak data as sensitive as this makes me think that any mixer using cloudflare is bad at opsec

EDIT: After writing this post, i suddenly realised i forgot to add a major point: IF the mixer is legit, he should NOT be keeping logs... If the host would work together with LE and they seized the server (or VPS, or shared hosting), the only thing they *should* get are the currently running sessions... IF cloudflare would leak info, they would be able to give the complete content of every package ever exchanged between the mixer and their clients.

I have some question regarding this paranoia about Cloudflare. If you suspect Cloudflare for monitoring a mixer and leaking data to FBI/CIA/DOD, why would not you suspect the web hosting companies for the same?

For example, it is no secret that Anonymixer.com is hosted on Hostkey.com and Chipmixer.com is hosted by Choopa.com. So, how difficult is it for FBI/CIA/DOD to get data from these web hosts, if they can do the same for Cloudflare?

@Bill Gates... I'll try to answer your questions one by one... Maybe not in the correct order...

1) I looked into it, and you are right, cloudflare started offering unmetered ddos protection in their free plans in september 2017. Before that, I have heared interviews with (what i think was) their founder... At this point he clearly stated that people on free plans got free DDos protection as long as they didn't stress their network. If a member on a free plan caused a nuisense for them, said member would be kicked from their service... I still had this in the back of my mind, but apparently they changed their business practices ~3 years ago. I couldn't find any articles about their previous busines practices, i don't think they're proud about it right now either... And i don't even know if there were public statements about this in the past, they probably didn't want to advertise this "feature".
Paying cloudflare members always got DDos protection... at least AFAIK...
Cloudflare still kicks regularly DDos'ed services from their network from time to time, look at 8chan.

2) i'm clearly talking about people that use cloudflare's SSL certificate. But even if you have your own certificate AND want to use cloudflare as a CDN, you have to upload your private key (no password): https://support.cloudflare.com/hc/en-us/articles/200170466-Managing-Custom-SSL-certificates.
Why? Because if you want to use cloudflare as a CDN, your traffic passes cloudflare's servers, cloudflare decrypts said traffic and caches it. There is just no way around this. It's impossible for cloudflare to work as a CDN the way they do by caching replies without them decrypting your traffic (it would be possible for them if they chose a different approach to being a CDN).
You can use cloudflare to maintain your DNS records without using their proxy and use your own certificate tough... Or proxy certain subdomains (for example, move your static content to subdomain and cache it while not proxying your main site and using your own ssl certificate for the unproxyd subdomain)/ But that's not the same as their implementation of a CDN

3) thank you for meriting my thread... I spent a lot of time writing it

4) same answer as 2). You can use your own certificate, but you have to give them your key...
I'm aware that they have Keyless SSL, where you keep your private key on your own keyserver, but cloudflare still knows each session's symmetric key... They have to, otherwise they wouldn't have anything to cache. It's a moot point... The difference between giving them your private key and helping them get their hands on the session's symetric key is small... at least from the enduser's privacy point of view.

6)
https://www.google.com/search?q=ddos+mitigation+hardware
My server is behind DDos mitigation hardware. I work for a very big company and all our external servers are behind our own hardware... I wouldn't dream off going to my boss and telling him to use cloudflare. I'd probably be fired on the spot.

BTW: there are ways to get the ip of servers behind cloudflare... This is a reply to your previous post, not the one i'm writing answers for...
https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin-server-ip-address/
https://securitytrails.com/blog/ip-address-behind-cloudflare
not 100% foolproof, but still..

Wrong. Cloudflare is a CDN and it does mitigate DDOS attacks. Read more about it here: https://www.cloudflare.com/ddos/. In fact, BitcoinTalk also uses Cloudflare for DDOS protection.


This depends on implementation. If the website owner is using HTTP then MITM is definitely possible. If HTTPS is used, where SSL is provided by CLoudflare, then also MITM is possible. But, if, HTTPS is used, but SSL is provided by hosting provider, then CLoudflare has no way to intercept. This helps to protect from DDOS as well as mitigate the risk of MITM.


Was not aware of this thread. It is a fantastic thread to be honest. I have merited whatever I had to this thread.


Wrong. Part 2: A https site using it's own certificate (aka, best case scenario) - this is the best case scenario when used in conjunction with Cloudflare, because Cloudflare mitigates the DDOS problem as well as hides the hosting IP from public eye.


Please enlighten the community with those superior ways to mitigate DDOS. BitcoinTalk may adopt those to get rid of Cloudflare as well.

It's the other way around...
A CDN is just a content delivery network. It won't protect you against DDOS attacks.

I do know one CDN that's giving away proxy functionality for free... And because they act as a proxy, they also mitigate DDOS attacks to a certain point (eventough their primary function is being a caching proxy). However, this CDN DOES act like a MITM. I stay away from any mixer that uses this CDN, since they'll decrypt any data exchanged between me and the mixer and they'll be able to store the unencrypted data in a US based server farm.

I've actually written a complete thread about this in the past:
https://bitcointalksearch.org/topic/mixers-using-cloudflares-ssl-certificates-5247838
please read and educate yourself before you push anybody towards cloudflare in the future... Cloudflare is fine for any service that isn't privacy-focussed... But not if you think your clients don't want their details in an FBI/CIA/DOD/... database. I, for  one, wouldn't care if the FBI knew i was buying new lightbulbs, so a lightbulbstore could use cloudflare.
On the other hand, i WOULD mind if the FBI knew i was mixing coins, or buying a subscription to a porn site, or if i bought a new hunting knife. So if one of these businesses would use cloudflare, i wouldn't touch them with a 20 foot pole.

What the OP is doing is the best possible scenario...

BTW: there are other, better, more superior ways of dealing with a DDOS attack. If you're running an online service, and you need privacy for your users, you should stay away from cloudflare...

How do you ensure that coins sent to you in a previous mixing will not return to the user at a later mixing?

Also, as you are providing letter of guarantee, use of CDN would not allow MITM. Without using CDN, you are just exposing your IP, i.e. 46.17.96.4, open for DDOS.

Hi all,

Just noticing some Trades are going through.

If you have any queries about a transaction or any suggestions, please let us know by emailing us at [email protected] and we will resolve any issues you have.

Please do not be afraid to put stuff through via Cold Trades, we are here and ready to sign Cold Transactions, the vast majority of our coins live in Cold Storage.

We are also on Twitter with the handle of @anonymixer

Our PGP Key is at: http://anonymixerpolbpy.onion/pgp-and-bitcoin OR https://anonymixer.com/pgp-and-bitcoin

Thanks very much LoyceV for taking the time to setup up a ProtonMail account and validate those addresses and funds.

I'm OK with upping the decimal place

---

I've just managed to create a Twitter account: https://twitter.com/anonymixer

Fingers crossed, that stays up. If anyone is on Twitter, please give me a follow

Click to verify (although you should never rely on third parties to verify a signature).
Address staked here.

Feel free to send me anything to prove ownership of funds:
This is what I'll do with the information:

• Verify the signature(s) using either Bitcoin Core or Electrum
• Verify the balance using my latest data dump on my local PC (so I don't have to enter the address in a Block explorer)
  This means the balance I confirm might be outdated by several hours
• Post the sum of all balances in this topic, rounded to Bitcoins dot One Two Decimals
• Delete your email
• Remove the addresses from the search history on my PC

---

---

Update: I can confirm the sum of the addresses signed by Anonymixer have a combined balance of 0.14 BTC, based on today's address snapshot (at least 14 hours old, possibly a bit more), spread out.
I've deleted all data already. I said I'd post only one decimal, but if OP is okay with it, I can add one more decimal (from memory) to make the balance more accurate. Done!

LeGaulois

Thanks very much for trying Anonymixer and leaving feedback! I'm pleased the trade went through all fine.

The two issues you encountered:

1. On the Clearnet version, my hyperlink to the "no-js" subdomain had a URI scheme of "http" instead of "https". I don't open the HTTP port, so your browser couldn't connect.

I've fixed that.

2. After confirming the trade, you clicked browser back button, through to the Outputs screen and attempted to add another Output Address and it went "bang". It should never go bang.

I've fixed that too. Doing the same thing now simply gives a nice message stating that the Trade has been confirmed and that you can't add or alter the Outputs at that stage.


If you turn JavaScript off via the NoScript plugin, then the behaviour of Anonymixer is the same, regardless of whether you're on https://anonymixer.com or https://no-js.anonymixer.com.

The only difference is that the "no-js" domain does not send the