Topic: ➡️➡️ [ANN] | [banned mixer] | BITCOIN MIXER ⬅️⬅️ - page 4. (Read 2298 times)

After reading some observations, I had a doubt:
If the user chooses the Security level Premium option, does this mean that all their coins come from an exchange? If yes, which one?

Now, DDOS-Guard or any other service providing DDoS protection won't be able to intercept our clients' data.

Here's how it works:

- When placing an order in the browser environment, a pair of 2048-bit RSA keys is generated (ClientPublicKey and ClientPrivateKey).
- Inside our JavaScript, there is our system's public key (SystemPublicKey).
- When placing an order, the client's browser encrypts the transmitted data using our public key (SystemPublicKey). Only we can decrypt this data because only we have the private key (SystemPrivateKey).
- In response from the server, the client also receives encrypted data, which was encrypted using the client's public key (ClientPublicKey). Only the client can decrypt the received data because only they have the private key (ClientPrivateKey).
- In addition, it is impossible to intercept order addresses by inspecting HTTP requests. OrderID is simply absent in the requests.

Encryption has been implemented for all critical parts of the project, namely:

- Order creation
- Order page
- Downloading a Letter of Guarantee
- Using the tumbler code
- Support

We would appreciate any feedback related to this update (primarily of a technical nature).

I was doing a review for the current campaign, and I was almost sure that I had forgotten to write something. This KingsDen's case reminded me of one thing and I will write it here, rather than edit my review.
Your website lacks some kind of notification, where you would emphasize which are the only official channels of communication with support. I think that in your case it is certainly important because you do not have an official Telegram channel, which is quite unusual. Ideal for impersonators to trick new users who won't recognize the fake channel.

[/list]

Yes, there is. Don't use services which discriminate their clients if they use privacy protecting tools.

Shouldn't you clarify in your main page which exchanges are tested? As I already told you, we frequently notice coins being treated as tainted by one exchange while being acceptable by another. For example, your mixed coins might be acceptable by Binance, but not by Coinbase.

You should also clarify that; "Our anonymizing meter is based on Blockchair's software".

If you're going to follow that route, you need to be transparent with your clients. "We base our work on this", "We have tested this", etc. Otherwise once a client gets their coins rejected sometime (i.e., because of an AML bot update), you will be called a bad service.

And, to my great regret, there's nothing that can be done about it. Such systems will continue to operate, and over time, their numbers will grow. I'm afraid to predict, but it seems to me that the next step is mandatory verification of transactions by miners before adding them to blocks


We tested a vast number of transactions in the AML bot. In reality, their system is quite simple. It's all based on the concept of good and bad. For instance, if you have 1 BTC with a 100% risk after CoinJoin, it's enough to mix this address with another 1 BTC from a verified exchange to reduce the risk to 50%.

In our system, we eliminated the most obvious patterns for identifying bad coins and configured payout logic based on Blockchair patterns. The result is a very effective system that, with a large pool of coins and a growing customer base, will become the best of its kind.

No problem.
I would like to give another try in testing Tumbler with a second review, and I hope to see some improvements this time.

Because some people coins gets confiscated on centralized exchange that is related with this bad score.

You cannot simultaneously protect your privacy and use Coinbase. You have to pick either your privacy or Coinbase.

We've talked about this in another thread. You cannot hide the fact that you protect your privacy, and nor should you. Coinbase has made it abundantly clear that mixed coins are unacceptable, because they treat every coin they cannot track as morally incorrect. Why are you trying to deceive Coinbase into thinking your coins are not mixed, and not skip it altogether and move to an environment that respects your privacy?

Centralized entities are not so powerful anymore, because we have developed decentralized solutions that work.

If you find it so difficult to use Bisq, then just select an exchange which doesn't treat its users as shit. There's a variety of non-KYC: https://kycnot.me/. As I've said before, the only excuse to using a popular, regulated CEX over non-KYC, is shitcoins.

@BlackHatCoiner
What you say is true, I understand this, the whole purpose of bitcoin mixer is to make your coins untraceable. You, the person who uses decentralized exchanges, has nothing to worry about but there are people who use centralized exchanges because of many reasons, some of them I already listed in my previous post.
Let's say that despite the fact that I use centralized exchange, I don't want to be totally tracked and want to have my private space. So, I have a bitcoin wallet that is not associated with me and I protect my privacy there but now I need to cash some of my coins and I have to deposit them on Coinbase but I don't want to reveal myself. What do I do in this case? I mix coins on a mixer that offers me coins that will pass AML bots, that's all. When I withdraw from Coinbase, I don't care about that problem, that only arises when I have to deposit on Coinbase. Coinbase is just an example in this case and nothing more or less.

Man, there is a huge problem in crypto world right now. I respect the fundamentals of bitcoin and use it to gain its advantage but centralized entities are taking it over and people prefer easy and comfortable service instead of slightly more complex one. Bitcoin, that was decentralized, is getting centralized. Mining is already centralized, you can't mine it at home, only huge corporations can mine bitcoin. Exchanges are getting regulated, casinos ask your for KYC documents, Ledger implements paid backup subscription for self-custody wallets. You see, this is not decentralization, this is taking over. It looks like centralized entity controlling decentralized coin, totally has it in its territory. So, at this time, demand and supply changes and now, like you said, privacy-focused service tries to adapt with anti-privacy organizations because of high demand, that's all.

I know, because the point of coinjoin is to create fungible coins which follow the exact same pattern. X inputs which are owned by several entities are consolidated, creating Y outputs. This process provably obfuscates the ownership. The fact that AML bots treat these as "100% tainted" tells a lot about the mixing effectiveness. They cannot tell who's who, and thus, treat the entire set of outputs as "tainted", which is beyond insane.

Until when is the question. You're a privacy-focused service which tries to adapt with anti-privacy organization that rely on utter guesswork, which I find fundamentally erroneous. You say that you want to adapt, I'm genuinely curious with what estimations you base your work since anything can be treated as "tainted" by these people with no justification given.

To me, it seems that you've observed which techniques are considered "red flags" by their software, and you try to mitigate to alternative privacy methods. Is that it?

We have already answered this question above.


We are sure (through testing) that using CoinJoin "completely" is not possible because it becomes a 100% pattern in systems like AML bot and Chainalysis. After today's update, our system uses a hybrid approach, but it will take time for you to notice the difference as new transaction chains are formed.

We're not trying to achieve a favorable AML score by giving up full CoinJoin. We're adapting to the current situation. Everyone has learned to detect it and label those transactions negatively. Why bother with that? We can take a different approach.

To which update are you referring to?

Let's ignore for a moment that buying "taint" is harmful for Bitcoin, and that we should opt out using services which treat the currency in such an unfair manner. How do you adapt into something completely non-transparent?

That is a question for [banned mixer]. How do you make sure that your "AML scoring" is acceptable? From the link I mentioned above, the chairmen of chain analysis companies have clarified they won't let anyone audit their software code. You practically have no manner to confirm that they won't be flagged by the chain analysis software, as you don't even know which software is used in the first place. Binance might be using software X, Huobi software Y, Kraken Z etc. We frequently notice coins being deemed as "tainted" from one exchange, and at the same time "clean" by another.

It's clear that AML scores are made up bullshit but that is how it is. When you play their game, you have to follow their rules. I think there are too many people that use centralized exchanges because they are fast, easy to use and offer many services that you can't find on DEX.
So, in the end, many people prefer their coins to be clean without tag that it was mixed, because, mixing sounds bad.

It doesn't hurt your anonymity but it hurts you when you want to use centralized exchange. I know, solution is to use DEX but here we talk about people, tons of people who use CEX. You can't force people to use DEX, right? So you have to adapt your service.

To some extent, we've implemented what you need. In reality, please test our service in one month, and you'll see that previous transactions will no longer have the same obvious 1-2 pattern. It takes time to create pools and make transactions less conspicuous. Notice that in your review, you mentioned transactions that occurred before the update. We cannot modify the blockchain.

I don't know the number. What I do know is that it's our responsibility to educate newbies about these solutions, and to not give up everything on their naivety. We should not be endorsing the usage of a service which is treating the currency as non-fungible with evidently inaccurate data.

You don't agree when you're running a business which is based under the premise that taint exists. You're supporting it.

I won't derail this further. It's just sad how some people don't appreciate the censorship resistance this network provides in such efficient and effective manner.

In the current reality, it's no longer easy to just rely on CoinJoin. You use decentralized exchanges without KYC, which makes CoinJoin a suitable option for you. But how many share your situation? Maybe just 0.01%?


I agree, but that's the situation right now. Sadly, we might eventually see miners being mandated to include transactions only from verified sources in blocks

CoinJoin doesn't sever the link between your old and new coins.

For example, you have 1 BTC, and it's publicly known to belong to you. I also have 1 BTC, publicly known to be mine. After a CoinJoin transaction to 10 addresses (0.2 coins each), all 10 addresses receive the marker "Yours and Mine" (50/50), but this doesn't mean the marker disappears.
This is why CoinJoin services function without a hitch; it's just too easy to monitor them.

In our case, the connection is entirely severed.

We're having a disagreement in a fundamental level; you're buying the notion that coins are tainted. Every action of your service is done under the premise that the mixed coins must be treated as "non-tainted" by blockchain analysis companies. I don't buy that notion, and don't interact with services that will deem my coins as that. Usually, they're just centralized exchanges, which I avoid as I trade decentrally.

To me, the point of a mixer is to make it as hard as possible for a third party to tell which outputs correspond to which inputs. Period. "AML scores", "tainted coins" and the like, are all inaccurate, made-up nonsense that undermine Bitcoin as currency and attack our privacy.

Revealing which addresses belong to a mixer doesn't hurt its clients anonymization, just as revealing which inputs are coinjoined doesn't make the outputs de-anonymized. It's just making it apparent that the clients used a mixer / coinjoined, which in the eyes of chain analysis that is deemed as "tainting". Otherwise, I strongly recommend you to get rid of a competitor with just $20 in expenses.

Analyzing blockchain transactions becomes significantly easier once it's known that you've used a mixer . Naturally, this grants access to scrutinize past transactions. However, in most cases, after just the second iteration, it becomes challenging to distinguish between the recipient and the change.

Purely mathematically, for a more paranoid approach, using CoinJoin after each payout is tempting to ensure there's no chance of reviewing clients' past transactions.

But here, two immediate issues arise:

1. In this operation, you're immediately exposing not one client of the mixer but hundreds (Example Tx).
2. Your coins will receive a 100% risk rating in AML bots and similar systems, making them unacceptable to any verified exchange or trading platform.

An effective mixer's goal is to disconnect your old and new coins, and we achieve this fully.

First off, we're not a CoinJoin mixer.
We operate on a client-to-client basis.
When a user opts for the "premium" level, investor coins are added to the pool.
Let's make a note of that!

Next, I'm not quite following your suggestions regarding improving anonymity.

Our current mixer setup completely severs the connection between your coins.
You might see past transactions from the payout address, but those aren't your coins, right?

Let me let you in on a "secret": when using the Tumbler code, you're guaranteed not to receive your own coins back, even after a thousand "payout-change" iterations.
Even if your coins were partially transferred to another client, using the Tumbler code ensures you'll never get back the coins that remained in the service as change. To me, that sounds pretty fantastic, not "not strong anonymity".

You're deeply mistaken if you think you can achieve the same level of anonymity just using your own wallet. Mathematically, it's just not possible.

First off, our current mixer pool already contains hundreds of addresses with various balances. After testing, that number will soar into the thousands. Try mixing any amount different from your last transaction, and you'll see entirely different addresses. Of course, when testing with amounts like 0.001 BTC, the service won't pay you from an address with a 1 BTC balance. It adjusts according to your amount. In this context, it's plausible that without using the Tumbler code, you might come across your old address someday.

The solution is in place; for maximum anonymity, use the Tumbler code.

THE ESSENCE OF A GOOD MIXER IS TO HAVE A LARGE COIN POOL AND A SYSTEM THAT PROPERLY DISTRIBUTES COINS AMONG CLIENTS.

At present, we only use 10 BTC, but after testing, we'll SIGNIFICANTLY expand the pool. As for the system, it's fully implemented.

From what I gather, you suggest a "payout -> coinjoin -> payout" scheme? That's a pretty bad idea. Not a single verified exchange will accept your coins. The UniJoin mixer already operates on this scheme: after mixing with them, your coins will instantly be flagged with a 97% risk on the AML bot and similar systems, marked as "COINJOIN". CoinJoin schemes are easily detected, and such coins will attract undue attention. Tx.

You've got the MixTum mixer in your signature. I assume nobody forced you to promote that particular mixer, so it's a conscious choice, right? Did you test it before showcasing it in your signature? That mixer sources its payouts from the Huobi exchange, and what's more, all client payouts come from a single address with a "large balance", until it's depleted. Test it for yourself – due to the significant initial balance, you can track their payout history for several weeks! Is that what you call anonymity?

And with that, I'm directly addressing your question about the 0.0002 BTC fee for each receiving address.

In our case, to get a list of all our current addresses (to stage an attack on our pool), one would need to make hundreds of orders with different amounts, paying roughly $5+ for each payout, plus the service fee (and that wouldn't even scratch a tenth of our pool post-testing). Given that different security levels have separate coin pools, such an attack becomes extremely costly. No analytics-type organization will bother with that.
Using your mixer as an example: to de-anonymize all its users in recent weeks, it would take $10-20, right?

Trust us, we've explored all possible operational methods, scrutinized "every competitor" out there.
Our current system is the only one that truly works without any harmful side effects, and most importantly,
it's a real thorn in the side for analytic companies.

You certainly can for the transactions that had these 3 small inputs, in other words, you revealed the recipient address of my first mix.

more details:

This was my first mix

https://blockchair.com/bitcoin/transaction/29cecb7abf2b2455ac842f0f2ca20bc64eeafa650244f100dc2ec248549de845

this was my address


and this was the change address owned by you


up to this point, it's very difficult to tell which address was the change address.


And then there is this mix (not mine)

https://blockchair.com/bitcoin/transaction/6d08da9665e39843ffd02d67d544e030f8ca3e4f82910a74299debbe13bab0ae

and this (not mine)

https://blockchair.com/bitcoin/transaction/4b376658c9932523c06055facd620cfe243042bfc51e6697249467fbaf194f9f


All the way before the last transaction, we had no way of telling what the change address was for all of these 3 mixes, but now after this transaction

https://blockchair.com/bitcoin/transaction/c9a3b09f602b02c433f11fed1e5cc5c1e1207c8c71b34539b0e01445eb04f2db

We know that these 3 inputs belong to the same person, and thus in all of the 3 previous transactions the other 3 addresses were not the change addresses.

So now I know this address

bc1qpweug4vt3pqxfyrl48huppeuhy0xl59c235jxh

and this address

bc1qscpqkpclc6vrucwfmznfzpak4r8942xhvcc2w4

were the recipients of those two transactions, you revealed this piece of info to me for no apparent good reason (or at least one which I don't see).

had you not consolidate those 3 inputs in a mixed transaction that I received, I wouldn't be able to tell the change address of the other 2 addresses (which I don't own)

Obviously, I don't know of other ways to consolidate those small inputs on-chain without revealing the same thing, eventually, when they are consolidated you would reveal the change address of all the other transactions in the same manner, it would just be harder to analyze this information had you waited a little longer before consolidating.

Furthermore, the transaction behavior itself looks suspicious, a normal transaction from a normal wallet would have only included the large input which was larger than the desired output, and the 3 smaller outputs were not even enough to match that anyway.

I do understand that most mixing isn't done so that nobody can tell it's a mixer transaction, the goal is to break the connection between the coins you send and the coins you receive, which you did manage to achieve based on my analysis, I just think that if someone is digging deeper to find out all of this info, it would be wiser to make things more difficult for them even by a small degree.