Topic: ✰ [ANN] BITMIXER.IO ✰ High Volume Bitcoin Mixer ✰ - page 7. (Read 49099 times)

Thank you for appreciating our service. We are trying to improve mixing algorithms every time.

This service works like a charm.

It is an amazing system and all the logic behind it. Congrats to everyone who is involved with it.

 

I'm sorry, it is not our wallets you've sent coins too. May be you've mistaken while copy/pasting, may be you have malware replacing wallets or websites. But I'm sure its not our wallet, our server never generated those addresses.

bitmixer2whesjgj.onion

Yes im wondering too, the coins are lying on the wallets ! i doubt any fishing site would store the coins on the generated wallets, some coins are even there for a month.

please dont tell me my money is lost now ill go nuts i saved so long for it

i always use DIRECTLINKS and i never had any problems ever with your service!

What the onion address you have used? You are probably a victim of a phishing site. We do not use old addresses, we generate the new address for every new mix. So it couldn't be our service.

Please never send coins if you can't download and verify the Letter of Guarantee!

(im not saying that its bitmixers fault neither i call a scam! not saving the letter is my fault obviously but the money is stored and i hope i can get it)


Hello Community,
i registred cause im in the seek of help since im having a problem with bitmixer.io and i saw that they are active on this board.
id be more than thankfull to receive some support here! I will even pay for it.


My english is not the best so please excuse for mistakes, i try to explain the situation as good as possible.
I mix my coins alot on bitmixer.io and never had any problems until yesterday.


So Ysterday i sent 2 Payments threw their onion site, one with about 1600$ and one with 500$ +- and added 3 forward adresses.
Its 14+ hours now and i still didnt receive any BTC on my wallets.
The wallets i payed too also show NO OUTGOING PAYMENTS and they are stored payments from 1 month ago or so.

MY PC TURNED OFF FOR WHATEVER REASON; AND IT DIDNT SAVE MY TXT WITH THE LETTERS OF GUARANTEE!
I can however verify that im the owner of the wallet the coins are coming from, and everybody can also see that the coins are stored at the wallet.

Hashs:
https://blockchain.info/address/1NVMDXDHNjmNSGznYucgariU8ARoTC2dfM
https://blockchain.info/address/15eAcj7JMgS3be2txTHXBsW4RLsdGhLDpL

i dont know what to do, support isnt answering and im really in need the money! cant be true that 2,1k or even a bit more are lost in space...
since it didnt go anywhere there should be a chance for me to receive them right?

I will even pay a huge fee if someone can help me with that!
please respond asap id be really really thankfull!

(im not a victing of a phishing site, the money is lying on the wallet and i always doublecheck domains, i just got the directlink saved for your onion site anyways)

Thank you for considering it, and for the advice about using the API for long delays.  BTW if you arrive on your site with javascript disabled, it's not obvious how to proceed.

Thanks for the advice.
We are thinking about fractional percentage. Long time delays allowed if you use api. You may use it right in your browser. It is also javascript-free method. Example:

[Don't use bitmixer.io clearnet address with TOR]

Thanks for the reply. 

Adequate security is defined in terms of your threat model.  I'm talking about users who expect that significant compute power (thousands of dollars worth) will be applied to the blockchain in order to follow their transactions.  A few simple optional adjustments to your service could increase the cost of following the transactions significantly, or even make it actually impossible (given absence of other security mistakes by the user).

I mentioned electrum because your customers might use it or a block explorer to watch the address they sent coin to, and also at the same time all of their receiving addresses.  If the threat model assumes those servers might be compromised, then the action of watching all addresses at once links the addresses.  Thus, customers should be warned that their coin could be followed by sufficiently powerful adversaries unless they run their own full bitcoin node to watch the addresses.

One point is pretty unacceptable:  if you specify the same percentage for two outputs, then both outputs are exactly the same.  There aren't enough transactions per day on the blockchain to hide this.  Also, once the duplicate amounts are noticed, the other output transactions will be identifiable because there is no randomness applied after the fee is deducted, and because there are no fractional percents allowed.

But using random assignments of the per output fee is unnecessary.  All you need is to let the users specify parts per ten thousand instead of parts per hundred.  (That is, allow two decimals in the percentage:  x.yz%)

And while you are at it, you should allow one decimal in the hour, which is to say, delays are specified in units of six minutes instead of sixty minutes.  And delays up to 48 hours.

The default percentages and delays should be assigned randomly.  You should have text boxes to enter exact percentages or delays, and a checkbox to lock the value.

To make it easier to make specific payment amounts, you could provide a text box for the expected input total, and display output amounts beside the percentage.

Finally, you should support browers with disabled javascript.  There have been zero-day vulnerabilities in javascript.  This page would just have text boxes to type in the desired percents and delays, and a "proceed" button that displays a confirmation page, with any errors pointed out.

We don't use electrum We use custom (full node) software making all efforts to isolate every transaction. You usually receive a small part from a big source or exact sum from several inputs, or you may receive two transactions, or... several another ways. Anyway there are no links to you original coins. We are improving mixing algorithm everytime.
We can't use random fee for several outputs just because some users need very exact sum for every output (pay bills, automated services using our API etc). I think a custom fee 0.5%-3.5% and time delay is enough to make transaction untraceable.

When you transfer coins to bitmixer there are no way to detect that you did it. Attacker don't know that you transferred coins to our server and received coins from another sources. Unlike other services.
For example when you transfer coins to bitcoinfog, after 1-2 days you may find your transaction here: https://www.walletexplorer.com/wallet/BitcoinFog and then trace another sources up to all their reserve from begin.

Time delay as you pointed out is not fixed, you may receive coins during one full hour after.

For one thing, the electrum wallet software sends all of the addresses in a wallet to the same server.  Some servers try or claim to not keep logs.  Others don't even say.  Tails comes with electrum.  :-(  So if your threat model calls for disconnection of output addresses, you better be careful where you get balance information.

And if you put the input and output bitmixer addresses into the same wallet (or even separate wallet files), your friendly electrum server, or block explorer, can associate the input and output addresses.

I'd say the only safe way to follow balances of addresses you want to keep completely isolated from one another is to run your own full bitcoin node and keep your watching wallet there.  But that's not very easy to do while using tails.

A second way that output addresses can be associated is by searching for other transactions where the amount of satoshis have common factors.  This happens because bitmixer first subtracts the random fee, and only afterward divides the outputs, and because the division coefficients have to be multiples of 0.01 (1%).

So I sent in 1**,***,*** satoshis, with fee 0.****% + 0.0005 BTC / output * 8 outputs, and  received  1**,***,***.  So the fee totaled 1,***,***, or 1,***,***+400,000, as it should have.  Each output of x% was exactly (input - fee) * x% - 50,000.

Two outputs were specified as 10%, and both received exactly 12,***,*** satoshis.  I seriously doubt there were many other transactions that day with that exact amount.  Another pair were 11%, and both received exactly 14,***,***.

When multiple output addresses are given, the 50,000 satoshi per address fee should be randomly divided among them, instead of deducting exactly 50,000 from each total.

The transactions did not all arrive at the same number of minutes after the hour, but they all arrived in the same half hour (5 minutes after the hour to 38 after, and six of them arrived between 11 after and 23 after).

Avoid unnecessary trust.  You don't need to derive other private keys from the ...Eiyyp... key, making all of your private keys vulnerable to a single leak.  If I were you, I'd make fixing that a top priority.

I found it was not easy to find out how to verify signatures using a bitcoin wallet.  The documentation is much less widespread.  And it involves three separate copy and paste steps.

Regarding gpg, using tails (the amnesic incognito live system, tails.boum.org), booted from USB stick with encrypted persistent storage (so you import keys once), checking a gpg signature is done by copying the document to clipboard, clicking on the icon in the upper right that looks like a good old brown masonite and steel clipboard and selecting "Decrypt/Verify clipboard".  (When the clipboard contains a signed or encrypted document, the clipboard icon has a red hexagon in the center).  A dialog comes up with results.  It gives the key ID that is needed (or was used) to verify the document.

If the key is missing, select "manage keys" from that clipboard icon menu.  A window comes up titled Passwords and Keys.  Select "Find remote keys" from the "Remote" menu, and paste the key ID into the dialog. Or, if the keys are available on the https website, you can download them from there and select Import from the File menu of the Passwords and Keys window.

We know. The leaking of private key of 1BitmixerEiyyp3eTLaCpgBbhYERs48qza means leaking of all our private keys (currently 2,000 BTC in reserve). Moreover thief will be able to sign tons of Letters of Guarantee to claim huge sum. That is why our servers are very very secured. Don't worry, we'll change signing address in case of compromising.

gpg? most of our users can't even verify Letter of Guarantee using bitcoin client. gpg is still too complicated for most of people.

How do you know the private key of address 1BitmixerEiyyp3eTLaCpgBbhYERs48qza has not leaked?  Hint:  you don't.  You obviously have to keep it online to sign letters of guarantee.  The more days it remains online, the more likely it has somehow leaked.

I can see it's not all that important to users (a thief could forge a letter of guarantee and embarass you here), but it just gives the impression of sloppiness.

You would probably want to keep the current bitmixer API and webpages unchanged, but add a link to a new version which fixes this and maybe other problems.

You should generate a new 1BitmixerNew... address on an offline machine, certify it as unexpiring with the old key, use it to sign a large quantity of keys (each document specifying the date(s) the key is valid), and immediately destroy the 1BitmixerNew... private key.  The signed keys should be placed on some physical medium and stored in a safe deposit box.

Then you bring out say a week's worth of keys at a time, and import the next key to the server as needed.

The revised letter of guarantee includes the certificate giving the 1BitmixerNew... key signed by the 1BitmixerEiyyp... key, the currently valid guarantee signing key signed by the 1BitmixerNew... key, and the guarantee signed by the guarantee signing key.

And maybe you could consider using gpg keys instead or in addition?  This stuff is fairly well automated in gpg.
You could just run the letter of guarantee through gpg, appending a signature made with the currently valid signing key.  Also, you could provide a gpg keyring text document giving say a year's worth of document signing keys and the keysigning gpg key.  This document could be signed by the 1BitmixerEiyyp... and the 1BitmixerNew... bitcoin keys.

We don't have any errors or uncompleted orders, so I guess he was at the wrong site. We accept many request like "I didn't receive my coins" - most of them are victim of phishing sites. That is why we suggest to download the Letter of Guarantee. That is why before mixing you have to accept term "I understand I must save and verify the Letter of Guarantee before I send coins to bitmixer.io". Nobody can forge the Letter of Guarantee. Also it is provable guarantee of our obligations.

From his post it seems that he just does not want to download the letter, not that he can't.

You are probably a victim of tor hacker redirect or phishing site. If you can't download and verify the Letter of Guarantee, you are on the phishing site. If you are using TOR, please do not use clearnet bitmixer address, always use only http://bitmixer2whesjgj.onion.

And THAT is very decent of bitmixer, and why I am in their campaign.  I messed up once, and they took care of me.

Even if posts here on this thread do not count in their campaign... 

Sorry for the delay, we've sent back all coins and compensation.

There is no sign of a lack of integrity in the actual mixer operation, just one isolated incident of which someone sent coins to a donation address where the owner decided not to give it back.

This doesn't damage their reputation in their main program, but just their community-based support. Oh well.