Topic: Scammer lead developer resigns from honeypot Wasabi Wallet (Read 1437 times)

jr. member
Activity: 35
Merit: 35
besides, whatever you suggested could be applied to all other Coinjoins that use a centralized coordinator, which is why I said "let's keep criticism" fair.


If Wasabi sybils you, your coordinator fee pays for their transaction fees and so sybil is free for them.
If Samourai sybils you, you pay nothing after 1 round and they pay the transaction fee for every round, so sybil is very expensive for them.

Not the same at all. And Wasabi devs ADMITTED to self sybilling!
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Still, however, the worst coinjoin is probably better than the best centralized exchange when privacy is at stake.
Equally bad, in my opinion. Privacy enhancing services are reputation-based. If you have a bad reputation, I won't trust you. Judging by the (not so recent anymore) events in Wasabi, I would put it in the same rack with centralized exchanges. Honestly, even if the former is a mixing service, I cannot trust it with my privacy in the slightest; if used, I'd consider it invaded, just as with centralized exchanges.
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
If you want to hide your transactions from friends and you're willing to go through a centralized company anyway, it's cheaper to use a regular exchange.

You can but there is a huge difference, centralized exchanges are custodial and KYCed whereby coinjoins are not, besides most coinjoin services are somewhat centralized anyway given that they use a centralized coordinator, which is why joinmarket is a superior option since they use orderbook over internet relay chat without a centralized coordinator.

Still, however, the worst coinjoin is probably better than the best centralized exchange when privacy is at stake.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Think about it this way: someone who wants to coinjoin to maintain a good level of privacy against friends, co-workers, customers paying them in BTC, or any other reason where the privacy you know isn't the center of it. To that someone, using Wasabi is probably a better option. They could think that since this service goes through a government filter, what comes out of it is going to be "clean" coins, making them safe for future cash-out.
If you want to hide your transactions from friends and you're willing to go through a centralized company anyway, it's cheaper to use a regular exchange.
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U

Your theory is valid. I have also questioned the volume after the censorship action, but I believe privacy is subjective. It's like your window curtains; they keep your neighbor away, but then someone could have access to your CCTVs or phone camera and watch while you sleep, I believe many people coinjoin their coins just to "hide" from other people, not to hide from chain analysis/governments. Thus, using a government-friendly privacy (or lack thereof) service like Wasabi coinjoin might be an even better option.

Think about it this way: someone who wants to coinjoin to maintain a good level of privacy against friends, co-workers, customers paying them in BTC, or any other reason where the privacy you know isn't the center of it. To that someone, using Wasabi is probably a better option. They could think that since this service goes through a government filter, what comes out of it is going to be "clean" coins, making them safe for future cash-out.

On the other hand, if they use a non-government-friendly service, they could be "accidentally" or "intentionally" mistakenly identified as a scammer/terrorist or whatever. This is always a possibility as long as criminals use coinjoin, and many people believe in tainted BTC. Many people want to steer clear from anything gray—let alone black—so they may choose to use a government-approved service.

When I define privacy to myself, I take it as a whole package. It's myself against the whole world. I treat everyone else looking from the outside as an intruder. I believe you and many other privacy-oriented people define privacy the same way, but we can't assume that everyone thinks of their privacy the way we do. Many people are willing to KYC themselves to some random exchanges just to get an airdrop of some worthless coins. And the KYC process isn't just "write your full name" and off you go; they now take selfies, write some information on a piece of paper. Many of them won't mind sending their naked pictures to those CEXs but still might want to hide their coins from their wives, employers, or God knows whom.

Personally, I believe that eventually, the entire crypto space will be heavily KYCed. I don't have much hope in the crypto community to fight for their privacy. The majority of people invest in crypto to make a profit, and most of them don't appreciate all the beautiful things BTC has to offer them except to make them rich. So, I won't be surprised if all that volume comes from real users who believe it's completely normal for the government to spy on them. Mind you, these aren't all just regular users; even people like Peter Todd advocate for Wasabi, calling the Samourai team scammers and being fine with chain analysis spying on them, so go figure.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
it seems like you are making an even wilder assumption thinking that everyone using Wasabi is a newbie jerk who doesn't care if their not-so-private coins become 100% KYCed.
Doesn't seem that wild to me. If you still believe Wasabi is a good option after the numerous lies, the incidents where their software was caught to be flawed, the blacklisting update and their cooperation with a mass surveillance firm, then you're naive to think it's a superior solution. If you are tricked into believing that funding blockchain analysis for the sake of your coinjoins is a clever choice, then you surely can be tricked into believing some sort of other nonsense for the sybil attack as well.

I personally hated the fact that they took this path, but the chainanalysis/censorship isn't a concern to many people
If chain analysis in a privacy-protecting software doesn't ring a bell to you, then I'm pretty confident that a silent sybil attack won't either.
hero member
Activity: 882
Merit: 1873
Crypto Swap Exchange
I do understand the anger and hate against Wasabi, I personally hated the fact that they took this path, but the chainanalysis/censorship isn't a concern to many people, in fact, their volume over the last year is higher than it was before the censorship, could it be fake? of course, but are there a dozen people out there who don't care about Bitcoin fungibility? indeed, is everyone using Wasabi stupid? I'd say no, should anyone use Wasabi? NO, are there better options? Yes.
And this is very mind blowing to me.

How do you explain this?  More than half of us who were using Wasabi before hate what they did and are not using their Wallet any more.  But the Volume is higher than before we stopped using it?

Makes me think about a few things, which are very broad assumptions but it is still a concern to me.  I am worried about things like Could the Blockchain Analysis partner of theirs be including a lot of their own Inputs so they could artificially rise the Volume to attract more people while also rising the chance of linking the rest of the users to their Coin Joined Bitcoin?

Back when they decided to do this Chainalysis thing the first thought I had was Politics.  I thought big names would come with big time money to drop into Wasabi and launder it all in a legal way.

In consequence I am still worried about a few things such as the above.  It makes no sense to see almost everybody hating on Wasabi while their business prospers.  You would expect the opposite to happen to their business.
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
That's quite a big assumption to make.

It would have been an assumption if I said "only me and you trying to coinjoin this round", which I did not, it was merely an example to explain how user X could detect that user Y is being targeted in Sybil attack.

Quote
A sybil attack is obviously not an exclusive perk of Wasabi;

Great then, it shouldn't be used against Wasabi, unless there exists a valid proof that they are doing it themselves, which nobody has come up with yet as far as I am concerned.


Quote
You're also making the wild assumption that the remaining clients will be concerned about experiencing a sybil attack. Anyone choosing to use Wasabi after the extensive list of red flags would be the least likely to worry about being sybil attacked.

If the "remaining clients" are not concerned about their privacy then why use a coinjoin in the first place? it seems like you are making an even wilder assumption thinking that everyone using Wasabi is a newbie jerk who doesn't care if their not-so-private coins become 100% KYCed.

Also, all the research and money spent by competitors isn't enough? Have you seen how hard the Samourai team is trying to find the smallest flaw in Wasabi? It would cost them less to monitor Wasabi than it would cost Wasabi to launch continuous Sybil attacks.

I do understand the anger and hate against Wasabi, I personally hated the fact that they took this path, but the chainanalysis/censorship isn't a concern to many people, in fact, their volume over the last year is higher than it was before the censorship, could it be fake? of course, but are there a dozen people out there who don't care about Bitcoin fungibility? indeed, is everyone using Wasabi stupid? I'd say no, should anyone use Wasabi? NO, are there better options? Yes.

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Up to this point, you have only provided input and a blinded output (no Sybil attack is possible)
The sybil attack is an on-going process. If the coordinator forbids you from joining the round, with the excuse that you're "naughty", it gains the advantage to replace your potentially untraceable coins with traceable, to de-anonymize certain inputs; which are the victims of the attack. Then, it can repeat, with other victims.

So let's just assume it's only me and you trying to coinjoin this round
That's quite a big assumption to make. In reality, you don't know anything about the people you coinjoin your coins with. That's the reason we're discussing sybil attacks in the first place. If I knew whom the round consisted of, I wouldn't have to worry.

Note that I am talking about the possibility of the coordinator using the power that other attackers don't have to perform sybil attack, what you described in your previous post could be achieved by anyone, I know the maximum number of inputs in each round is x, I can register x inputs and perform the same attack, in other words, this could probably be applied to all coinjoin coordinators not just ZKsnacks, so not sure why is this an exclusive criticism for Wasabi?
A sybil attack is obviously not an exclusive perk of Wasabi; it can potentially be executed on every peer-to-peer network. However, compared to e.g. JoinMarket, which has implemented resisting measures such as fidelity bonds, there is clearly an orders-of-magnitude difference. Not only does Wasabi not resist in the same way, but it requires approval from an entity that is incentivized to execute such an attack.

You're also making the wild assumption that the remaining clients will be concerned about experiencing a sybil attack. Anyone choosing to use Wasabi after the extensive list of red flags would be the least likely to worry about being sybil attacked.
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
And what's a "valid" input? Is there such a terminology in their repository?

Yes, anything that passes the input registration phase is valid.

Code:
private async Task MoveToConnectionConfirmationAsync()
{
    using (BenchmarkLogger.Measure(LogLevel.Info, nameof(RemoveAlicesIfAnInputRefusedByMempoolNoLockAsync)))
    {
        await RemoveAlicesIfAnInputRefusedByMempoolNoLockAsync().ConfigureAwait(false);
    }
    using (BenchmarkLogger.Measure(LogLevel.Info, nameof(RemoveAliceIfCoinsAreNaughtyAsync)))
    {
        await RemoveAliceIfCoinsAreNaughtyAsync().ConfigureAwait(false);
    }
    Phase = RoundPhase.ConnectionConfirmation;
}

It's probably worth explaining a bit of the logic of how the coordinator operates. ZKsnacks operates a Chaumian coinjoin structure; it runs through five main phases, which are:

Input Registration
Connection Confirmation
Output registration
Signing
Broadcasting

This could be further understood in the CoordinatorRound class

Input Registration: in this phase, the client would send an input and a blinded output, this is where the "banning" is done.

You can see the old code was

Code:
var round = new CoordinatorRound(RpcClient, UtxoReferee, RoundConfig, confirmationTarget, RoundConfig.ConfirmationTarget, RoundConfig.ConfirmationTargetReductionRate, TimeSpan.FromSeconds(RoundConfig.InputRegistrationTimeout));

changed to

Code:
var round = new CoordinatorRound(RpcClient, UtxoReferee, RoundConfig, confirmationTarget, RoundConfig.ConfirmationTarget, RoundConfig.ConfirmationTargetReductionRate, TimeSpan.FromSeconds(RoundConfig.InputRegistrationTimeout), CoinVerifier);

They added a new dependency called "CoinVerifier" which is called by the "naughty" method you mentioned above, basically the CoinVerifier class interacts with ApiResponseItem that gets the ban/approve from an HTTP response.

Now if you check the private asynchronous method called  Task MoveToConnectionConfirmationAsync()


Code:
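private async Task MoveToConnectionConfirmationAsync()
{
    // Drop registered participants ("Alices") whose inputs the mempool refuses.
    using (BenchmarkLogger.Measure(LogLevel.Info, nameof(RemoveAlicesIfAnInputRefusedByMempoolNoLockAsync)))
    {
        await RemoveAlicesIfAnInputRefusedByMempoolNoLockAsync().ConfigureAwait(false);
    }
    // Drop participants whose coins are flagged as "naughty" (the CoinVerifier ban/approve check).
    using (BenchmarkLogger.Measure(LogLevel.Info, nameof(RemoveAliceIfCoinsAreNaughtyAsync)))
    {
        await RemoveAliceIfCoinsAreNaughtyAsync().ConfigureAwait(false);
    }
    // Only after both filters does the round leave Input Registration.
    Phase = RoundPhase.ConnectionConfirmation;
}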

so before moving to the second phase of Connection Confirmation, all the filtering is done, your coins become invalid either due to them being "naughty"  or "Invalid",  let's just assume the input registration is invalidated for no valid reason.

Up to this point, you have only provided input and a blinded output (no Sybil attack is possible) since the coordinator did not receive an output from you, and you are not yet enrolled in a coinjoin, so if they want to Sybil attack you, they would need to sign the blinded output and send it back to you

If you pass this phase, the coordinator will now need to sign the blinded output and send it back to you with a new identity/UniqueId(still no Sybil attack or its detection is possible yet)

So let's just assume it's only me and you trying to coinjoin this round, you got your inputs registered and I got mine, we both got our blinded outputs signed and received our unique-Ids, we would now enter the Connection Confirmation phase, and whereby we both send our uniqueIds to the coordinator and we both know they are valid and the coordinator MUST accept them.

If the coordinator were to reject my connection confirmation it would be safe to assume that they are launching a Sybil attack against you (of course I don't know whom they are launching the attack against but having refused my connection while I have a valid unique id that proves that I have registered x input means they are doing the attack), there is no VALID reason for them to refuse my conn-conf, it should be accepted and after the timeout we need to move to the OutputRegistration phase, you can check the code to find that Phase = RoundPhase.OutputRegistration; doesn't have any valid conditions of which they can reject you for "no reason".

This applies to the rest of the phases, if the coordinator accepted your input registration -- there is no valid reason for them to stop you from going forward, I am not saying they "can't" of course they can reject your connection confirmation or even claim that your output registration was invalid, they can even claim that you did not register your input to start with, but given that the code is open-source it MUST act as it says it does, otherwise, people/observers would see that they are being refused for no reason which means the code which is run by the coordinator isn't exactly what they say it is and/or, they are trying out some attacks.


If Wasabi is going to sybil one input they put all other inputs in a different round. Very easy for them. And undetectable.

Round ID, Input count, current phase, time to next phase are all publicly available, your claim would be valid if you register two inputs to the same round and they end up in different rounds, otherwise, how do you suggest doing that without anyone noticing? obviously, most users don't check all this info and just use the next GUI and set their auto-coinjoin, but don't you think there are enough people (Wasabi rivals for example) logging every round detail to showcase how Wasabi is doing all of these claims? besides, whatever you suggested could be applied to all other Coinjoins that use a centralized coordinator, which is why I said "let's keep criticism" fair.

My main issue with Wasabi is the fact that their default coordinator and funding firm ZKsnacks censors transactions for no valid reasons.
Okay, but if they wanted to target individual UTXOs every now and then, that might be feasible, right?

It's always doable, I am just not sure about how feasible if enough people are observing these rounds and actually are spending time and money to detect such attacks (mainly their competitors), if you see all the research Samourai Wallet team does on Wasabi, you would probably guess that there are enough people watching them, of course tho, just because nobody caught them -- doesn't mean they have never done it.

hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
[...]
Obviously, if they have a targeted input (or a few of them) to which they want to link -- then that would make sense, and they could be doing that already and manage to hide it but a full-scale Sybil attack is just not feasible IMO.
Okay, but if they wanted to target individual UTXOs every now and then, that might be feasible, right?

With that said, I am not claiming Wasabi don't/won't do any of that, I am just stating that it would be very difficult to hide a sybil attack, besides, Wasabi doesn't need any more criticism, you make chain analysis scums richer every time you use it.
From what I've heard so far, it seems to me that sybil-attacking from the coordinator side is still feasible, as long as it's not done on a massive scale.

That's a good last point, though; even if they weren't doing anything fishy, every Wasabi CoinJoin puts some extra money in blockchain analysis pockets. They might use that to fund more blockchain analysis research and development for new ways to deanonymize us.
jr. member
Activity: 35
Merit: 35

Just to keep fair criticism here, sybil attacks in coinjoins are easily detectable, in order for the attack to work efficiently in deanonymizing a certain input -- the coordinator needs to refuse connection confirmations from all other participants, so if your input has not been spent before and the coordinator rejects your connection it's safe to assume that it's preparing for a Sybil attack on an input it identified earlier in the current round.


If Wasabi is going to sybil one input they put all other inputs in a different round. Very easy for them. And undetectable.

And no need to sybil every input. Every input is examined by BC analysis first. BC analysis say 'we don't care about this input, fully KYCed, user is tracked by other methods, whatever' then coinjoin as normal. BC analysis say 'gov want more info on this input' then they get sybilled.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
If you are indeed the coordinator then you have got an edge, you could simply reject all other users in the round I am joining and the attack will work, but again, doing that would be obvious because other users who have valid inputs will be rejected for no good reason and that would indicate the coordinator is attempting the attack.
And what's a "valid" input? Is there such a terminology in their repository? The coordinator can start rejecting certain inputs as "naughty" (which is part of their terminology btw), and the users are required to accept this with no questioning. Their blacklisting does not indicate sybil attack attempt, as far as they've put it.

Quoting myself from the past:
You register 10 (non-private) inputs, and 1 of them gets rejected, what is your conclusion? To me, absolutely none. Coinfirm might have deemed this one input as inappropriate, or it might be trying to get rid of some coinjoin inputs, so they can use theirs instead and de-anonymize the remaining registered inputs. Who knows. For instance, a 150-input long coinjoin can have its 75 inputs rejected, and replaced with 75 Coinfirm inputs. That leaves the firm with 50% less output set to account for.



Sybil attacks on the p2p network are different, since other nodes won't care if your node is rejecting them or has gone offline, since there is no central coordinator the whole thing is different. 
I agree that it is more effective and less costly to execute in coinjoin. The victim of a sybil attack in Bitcoin Core is the client which connects with malicious nodes exclusively, which possess significant computational power. The victim of a sybil attack in Wasabi coinjoin is to connect with just one malicious entity.
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
Couldn't the coordinator just use own inputs and 'prioritize' them over real user inputs whenever they need to do a sybil attack? How would that be obvious to other users? It could easily be that those are not coordinator inputs but that it's real user demand that's simply higher than usual for a brief period of time, no?

if the number of inputs exceeds the maximum number set by the coordinator which I think is 400 for their new protocol, the coordinator would automatically arrange another round.

But then we really need to reach some ground on defining the purpose of sybil attacks, be it those done by outside attackers or the coordinator itself, the point of sybil attacks in a coinjoin is to bring the anonymity set for the victim to 1, it's the only possible way to link x input to y output -- otherwise, the attack would only reduce the anonymity set/score.

The coordinator could certainly force you into a coinjoin that has 399 inputs it owns and 1 is yours, but that means, there will be a coinjoin for every "real" participant, while that is doable in theory, it would certainly raise the flag (you can register 2 different inputs and see if they end up in different rounds every time you do that).


Also, round status is publicly available through Wasabi API, you can acquire the current input count, if the current round is at the input registering phase and has 50 registered inputs, and then you try to register 2 different valid inputs and they end up in a different round, you know they are doing something fishy.

Obviously, if they have a targeted input (or a few of them) to which they want to link -- then that would make sense, and they could be doing that already and manage to hide it but a full-scale Sybil attack is just not feasible IMO.


Quote
I don't think users get something like a timestamped proof that they submitted inputs to a CoinJoin at a certain point in time (could be used to show that they entered the CoinJoin before the coordinator started to attack), right?

timestamped proof? not sure,  A proof, yes, the coordinator creates Tor identity at input registration, obviously the person who receives it knows the time at which they received the credential, I don't think they can prove it to someone else.

With that said, I am not claiming Wasabi don't/won't do any of that, I am just stating that it would be very difficult to hide a sybil attack, besides, Wasabi doesn't need any more criticism, you make chain analysis scums richer every time you use it.
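
The two checks argued for in this thread (a participant refused after its input registration was accepted, and two of one's own inputs landing in different rounds while the first round still had room), written out as an added example that is not part of any post and not Wasabi code. The record schemas, field names and sample data are constructed assumptions; the 400-input cap is the figure recalled in the post above.

```python
"""Audit of a coinjoin coordinator from one participant's own records."""
from dataclasses import dataclass

# Phase names as listed in the thread; the cap is the poster's recollection,
# so it is a parameter here rather than a statement about the protocol.
PHASES = ("InputRegistration", "ConnectionConfirmation",
          "OutputRegistration", "Signing", "Broadcasting")
MAX_INPUTS = 400


@dataclass(frozen=True)
class Event:
    """One coordinator answer to one of OUR registrations (hypothetical schema)."""
    t: int          # seconds since observation started
    identity: str   # local label for the registration
    round_id: int   # round the coordinator placed it in
    phase: str      # phase in which the answer arrived
    accepted: bool


@dataclass(frozen=True)
class Snapshot:
    """One poll of the public round status (hypothetical schema)."""
    t: int
    round_id: int
    phase: str
    input_count: int


def rejected_after_registration(events):
    """Flag identities accepted at input registration and refused later in the same round."""
    registered, findings = set(), []
    for e in sorted(events, key=lambda e: e.t):
        if e.phase not in PHASES:
            raise ValueError(f"unknown phase {e.phase!r}")
        key = (e.identity, e.round_id)
        if e.phase == "InputRegistration":
            if e.accepted:          # a refusal here is the documented filter, not flagged
                registered.add(key)
        elif not e.accepted and key in registered:
            findings.append((e.identity, e.round_id, e.phase))
    return findings


def latest_snapshot(snapshots, round_id, t):
    """Most recent public status of round_id at or before time t, or None."""
    seen = [s for s in snapshots if s.round_id == round_id and s.t <= t]
    return max(seen, key=lambda s: s.t) if seen else None


def split_registrations(events, snapshots, max_inputs=MAX_INPUTS):
    """Flag pairs of our inputs put in different rounds while the first round was open and not full."""
    regs = sorted((e for e in events
                   if e.phase == "InputRegistration" and e.accepted),
                  key=lambda e: e.t)
    findings = []
    for i, first in enumerate(regs):
        for second in regs[i + 1:]:
            if first.identity == second.identity or first.round_id == second.round_id:
                continue
            snap = latest_snapshot(snapshots, first.round_id, second.t)
            # Without a snapshot there is no evidence either way, so nothing is flagged.
            if (snap and snap.phase == "InputRegistration"
                    and snap.input_count < max_inputs):
                findings.append((first.identity, second.identity,
                                 first.round_id, second.round_id))
    return findings


# Constructed sample records, not taken from any real round.
SAMPLE_EVENTS = [
    Event(0, "id-A", 101, "InputRegistration", True),
    Event(5, "id-B", 102, "InputRegistration", True),        # round 101 still open at 52 inputs
    Event(600, "id-A", 101, "ConnectionConfirmation", False),  # refused after acceptance
    Event(610, "id-B", 102, "ConnectionConfirmation", True),
    Event(3000, "id-C", 103, "InputRegistration", True),
    Event(3100, "id-D", 104, "InputRegistration", True),     # benign: round 103 had moved on
    Event(4000, "id-E", 105, "InputRegistration", False),    # refused at registration
]
SAMPLE_SNAPSHOTS = [
    Snapshot(0, 101, "InputRegistration", 50),
    Snapshot(4, 101, "InputRegistration", 52),
    Snapshot(590, 101, "ConnectionConfirmation", 120),
    Snapshot(3000, 103, "InputRegistration", 399),
    Snapshot(3090, 103, "ConnectionConfirmation", 400),
]

if __name__ == "__main__":
    print(rejected_after_registration(SAMPLE_EVENTS))
    print(split_registrations(SAMPLE_EVENTS, SAMPLE_SNAPSHOTS))
```

A finding is an anomaly worth logging and comparing with other observers' records; on its own it does not identify who was targeted.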

hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
If you are indeed the coordinator then you have got an edge, you could simply reject all other users in the round I am joining and the attack will work, but again, doing that would be obvious because other users who have valid inputs will be rejected for no good reason and that would indicate the coordinator is attempting the attack.
Couldn't the coordinator just use own inputs and 'prioritize' them over real user inputs whenever they need to do a sybil attack? How would that be obvious to other users? It could easily be that those are not coordinator inputs but that it's real user demand that's simply higher than usual for a brief period of time, no?

I don't think users get something like a timestamped proof that they submitted inputs to a CoinJoin at a certain point in time (could be used to show that they entered the CoinJoin before the coordinator started to attack), right?
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
They are easily detectable if the developers have dedicated a part of their software to defending the user from such attacks. Bitcoin Core has worked on it, for example. The user cannot be expected to use all sorts of coins, from different devices, for the sake of confirming they aren't under sybil attack. I haven't found anything substantial in their client's repository.

I feel like we are talking about different things, sybil attacks in Coinjoins are pretty useless if you are not the coordinator, if you want to attack me you need to guess the exact round that I would be joining + stop others from joining the same round or in other words make every other participant (you) which I can't think how would it be possible.

If you are indeed the coordinator then you have got an edge, you could simply reject all other users in the round I am joining and the attack will work, but again, doing that would be obvious because other users who have valid inputs will be rejected for no good reason and that would indicate the coordinator is attempting the attack.

Sybil attacks on the p2p network are different, since other nodes won't care if your node is rejecting them or has gone offline, since there is no central coordinator the whole thing is different.  
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Just to keep fair criticism here, sybil attacks in coinjoins are easily detectable
They are easily detectable if the developers have dedicated a part of their software to defending the user from such attacks. Bitcoin Core has worked on it, for example. The user cannot be expected to use all sorts of coins, from different devices, for the sake of confirming they aren't under sybil attack. I haven't found anything substantial in their client's repository.

But you are still passing information to hidden services in clear text.
I still don't get it, though. What does it matter? Alice and Bob are two separate Tor identities. Their messages are different.
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U

In *theory* couldn't all their transactions be sybil attacks? All inputs except 1 for each mix come from them / known source. Every time the coordinator sees something coming in it has local wallets fill the rest of the space so to speak.


That would also be detectable, the minimum number of participants is 100 in a single round, and the timeout IIRC is 60 mins, unless the max figure is reached, I can't recall all the details but to make a long story short; the number of coinjoin rounds are guessable, a scenario like the one you described would make the number of successful rounds exponentially large.

Furthermore, you could use two identities at the same time and see if they end up in the same round or a different one, it would be pretty obvious for anyone observing wasabi to spot such an attack.

Besides, depending on your anonymity set target (they changed the name and the math behind the score but logic still applies) the coordinator would need to prepare all kinds of different input sizes to attack everyone, it is not feasible.

One way they might attack you is by signing the blinded outputs using a different private key, of which then they can brute force the number of unblinded outputs to figure out which input belongs to what output, I am not sure how Wasabi/GovSnacks prevents such attacks.
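
The client-side checks relevant to the "different private key" scenario raised at the end of the post above, shown with textbook RSA blinding as an added example; it is not from the thread and is not Wasabi's code or signature scheme. The toy keys, the constructed output bytes and every function name are assumptions made for illustration.

```python
"""Textbook RSA blind signature with the checks that expose a per-user signing key."""
import hashlib
import secrets
from math import gcd

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Build a toy RSA key pair from two primes (far too small for real use)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


# Constructed toy keys made from Mersenne primes.
ROUND_KEY = make_key(2**61 - 1, 2**89 - 1)    # key announced for the whole round
TAG_KEY = make_key(2**107 - 1, 2**127 - 1)    # a second key used for one participant only


def digest(output: bytes, n: int) -> int:
    """Hash the output to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(output).digest(), "big") % n


def random_blinding(n: int) -> int:
    """Pick a blinding factor that is invertible modulo n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def blind(m: int, r: int, n: int) -> int:
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible modulo n")
    return (m * pow(r, E, n)) % n


def sign_blinded(blinded: int, key: dict) -> int:
    """Signer side: it only ever sees the blinded value."""
    return pow(blinded % key["n"], key["d"], key["n"])


def unblind(signed: int, r: int, n: int) -> int:
    return (signed * pow(r, -1, n)) % n


def verify(m: int, s: int, n: int) -> bool:
    return pow(s, E, n) == m


def client_round_trip(output: bytes, r: int, announced_n: int, signer_key: dict) -> bool:
    """Blind, obtain a signature, unblind, then verify against the key the client was told."""
    m = digest(output, announced_n)
    signed = sign_blinded(blind(m, r, announced_n), signer_key)
    return verify(m, unblind(signed, r, announced_n), announced_n)


def keys_agree(views: dict) -> bool:
    """True only if every vantage point (e.g. separate identities) saw the same round key."""
    return len(set(views.values())) == 1


# Constructed sample values.
OUTPUT = b"constructed-output-script"
R = 2**70 + 1  # fixed blinding factor so the demo is reproducible; use random_blinding() otherwise

if __name__ == "__main__":
    # Honest signer: the unblinded signature verifies under the announced key.
    print(client_round_trip(OUTPUT, R, ROUND_KEY["n"], ROUND_KEY))
    # Signer answers with another key: verification under the announced key fails.
    print(client_round_trip(OUTPUT, R, ROUND_KEY["n"], TAG_KEY))
    # If the client itself was handed the other key, local verification passes,
    # so the key must also be compared across independent vantage points.
    print(client_round_trip(OUTPUT, R, TAG_KEY["n"], TAG_KEY))
    print(keys_agree({"identity-1": TAG_KEY["n"], "identity-2": ROUND_KEY["n"]}))
```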
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
They self sybil and fill Wasabi with fake volume. Very easy for them to link inputs and outputs.

Just to keep fair criticism here, sybil attacks in coinjoins are easily detectable, in order for the attack to work efficiently in deanonymizing a certain input -- the coordinator needs to refuse connection confirmations from all other participants, so if your input has not been spent before and the coordinator rejects your connection it's safe to assume that it's preparing for a Sybil attack on an input it identified earlier in the current round.

Obviously, at this stage, it's hard to tell if enough adequate users still use Wasabi to spot sybil attacks.

In *theory* couldn't all their transactions be sybil attacks? All inputs except 1 for each mix come from them / known source. Every time the coordinator sees something coming in it has local wallets fill the rest of the space so to speak.

Yes there is a large cost and complexity. But we are talking millions of dollars at most, not an unobtainable amount of money for a business.

-Dave
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
They self sybil and fill Wasabi with fake volume. Very easy for them to link inputs and outputs.

Just to keep fair criticism here, sybil attacks in coinjoins are easily detectable, in order for the attack to work efficiently in deanonymizing a certain input -- the coordinator needs to refuse connection confirmations from all other participants, so if your input has not been spent before and the coordinator rejects your connection it's safe to assume that it's preparing for a Sybil attack on an input it identified earlier in the current round.

Obviously, at this stage, it's hard to tell if enough adequate users still use Wasabi to spot sybil attacks.
jr. member
Activity: 35
Merit: 35

That's going to be expensive on transaction fees, but sounds plausible.

Very cheap actually. Or even free. Coordinator fee for self sybilling inputs goes back to them so this costs nothing. Coordinator fee from the target can cover sybil inputs transaction fee. Target pays for the sybilling, Wasabi pays nothing.

Or government says to BC analysis buddies 'we pay you to track this input' and so Wasabi can make a profit by self sybilling.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
I think you've misread something. First things first, the links you've mentioned talk about the exit nodes (which are your "way out" to the clearnet). Wasabi utilizes hidden services, that means, no exit nodes intervene.

Yes, I grabbed the wrong links I'm mobile / remote at the moment.

But you are still passing information to hidden services in clear text. The links I wanted to grab discussed that sending things in the clear was now creating a need to trust the person getting the data (in this case wasabi but they were discussing ahem...other things) and the person running the last hop that service was connecting to which 99% of the time was the service itself.

Might not be making myself 100% clear here but the best way to say it is that since the wasabi coordinator itself is getting the info in cleartext unless they are running their onion services on the same server then somewhere even if it's just between Virtual Machine 1 and Virtual Machine 2 on the same physical hardware blade there is still unencrypted data being passed. Is it a 'real' threat? Depends on how they are doing things.

In the end, probably not important since you are trusting them to do things the way they say they are doing them anyway.

-Dave
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
They self sybil and fill Wasabi with fake volume. Very easy for them to link inputs and outputs.
Even if they do not sybil attack themselves, their back-end unit tests reveal that they request input approval from a chain analysis company (probably Coinfirm). A company which has a great incentive, I'll say, to execute a sybil attack.

I don't want to engage in Wasabi discussions since I think we've covered that arc and there isn't anything more to say, but even if Wasabi is not a honeypot and we ignore all the evidence of Wasabi being flawed software, it's just naive to put trust in people with principles that do not align with Bitcoin's.

[...]
I think you've misread something. First things first, the links you've mentioned talk about the exit nodes (which are your "way out" to the clearnet). Wasabi utilizes hidden services, that means, no exit nodes intervene.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
They self sybil and fill Wasabi with fake volume. Very easy for them to link inputs and outputs.

And beyond that from here:
https://docs.wasabiwallet.io/using-wasabi/CoinJoin.html#wabisabi-protocol-step-by-step

Quote
It is very important that the coordinator cannot link Alice to Bob. Because Alice has sent the cleartext input, and Bob sends the cleartext output. So, if the two were to be linked, then the coordinator can specifically link the input to the output, meaning that the anonymity set is 1. Because Alice received a credential from the coordinator, and because Bob is a new Tor identity not linked to Alice, the coordinator can verify that nobody is cheating, but it cannot deanonymize the peers.

because of this:
https://www.makeuseof.com/tor-exit-nodes-spying/
and this:
https://www.reddit.com/r/TOR/comments/mkd1s5/79_of_all_tor_nodes_are_hosted_within_14_eyes/
and this:
https://nusenu.medium.com/tracking-one-year-of-malicious-tor-exit-relay-activities-part-ii-85c80875c5df

Thinking that sending in cleartext is a good idea or that it provides any anonymity is a joke at best.

-Dave
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Thanks for this link. So they did actually think it through. But this sounds easy enough to do:
They self sybil and fill Wasabi with fake volume. Very easy for them to link inputs and outputs.
That's going to be expensive on transaction fees, but sounds plausible.
jr. member
Activity: 35
Merit: 35
They self sybil and fill Wasabi with fake volume. Very easy for them to link inputs and outputs.
newbie
Activity: 22
Merit: 12
zkSNACKs already successfully convinced their remaining user base that the current collaboration with blockchain analysis is not a privacy issue, so I think they'll market it successfully, again.
One thing still isn't clear to me: does the coinjoin coordinator see which input belongs to which output? If so, they know everything. If not, I'm curious how it works on a technical level (but don't really want to spend time on it since I'll never use them anyway).

Nobody in this thread seems to know anything about how it works yet they make all these nonsense claims.

No, they cannot see which input belongs to which output. https://docs.wasabiwallet.io/using-wasabi/CoinJoin.html#wabisabi-protocol-step-by-step
jr. member
Activity: 35
Merit: 35
Wasabi team members pump lots of fake volume in to Wasabi. Probably funded by BC analysis. Support their failing wallet and make fake volume. Makes self sybilling very easy and unmixing Wasabi coinjoins very easy. Wasabi team members have admitted this. Evidence in my first post!
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Tor is pointless, no you can't steal funds with this attack using Tor but to think it provides privacy is weak at best.

https://therecord.media/thousands-of-tor-exit-nodes-attacked-cryptocurrency-users-over-the-past-year
Isn't it the other way around: SSL stripping doesn't reduce your privacy, but it makes you send Bitcoin to the wrong address.

The point I was making is that if you are either a motivated criminal or a business or a government, spinning up a ton of exit nodes and other services is not difficult.
And it makes people using 'many different exit nodes' for privacy lose a lot of it.

The 'Tor cannot be tracked' idea is bogus considering the number of Tor sites that have been traced / seized over the years.

-Dave
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Tor is pointless, no you can't steal funds with this attack using Tor but to think it provides privacy is weak at best.

https://therecord.media/thousands-of-tor-exit-nodes-attacked-cryptocurrency-users-over-the-past-year
Isn't it the other way around: SSL stripping doesn't reduce your privacy, but it makes you send Bitcoin to the wrong address.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.
The "privacy minded users" are not their target. Instead their target is the majority who don't really understand how to improve their privacy and are too lazy to do any research so they end up in a honeypot like Wasabi wallet.....

I posted it earlier someplace but we are not their target audience for the most part. It's businesses that want 'privacy theater' so you can have people's coins and put on a nice show that due to the fact that they are using this wallet with this feature that people can have privacy. And look we will never send you 'tainted' coins because these nice people are checking them for you.

Much like people buying bitcoin ETFs instead of just buying coin.

...Tor ...
Tor is pointless, no you can't steal funds with this attack using Tor but to think it provides privacy is weak at best.

https://therecord.media/thousands-of-tor-exit-nodes-attacked-cryptocurrency-users-over-the-past-year


-Dave

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
zkSNACKs already successfully convinced their remaining user base that the current collaboration with blockchain analysis is not a privacy issue, so I think they'll market it successfully, again.
One thing still isn't clear to me: does the coinjoin coordinator see which input belongs to which output? If so, they know everything. If not, I'm curious how it works on a technical level (but don't really want to spend time on it since I'll never use them anyway).
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Another reason why it would be a great acquisition for them is that it would give them a huge competitive advantage over other blockchain analysis firms. They'd be the only ones able to provide data on Wasabi CoinJoin'ed transactions.
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.
Bought by a blockchain analysis company?
Besides self-sabotage, why would one of them try to buy out Wasabi Wallet (and zksnacks). Would that not be counter-intuitive since they would lose money buying something to destroy?
I highly doubt that such a move would destroy the wallet; zkSNACKs already successfully convinced their remaining user base that the current collaboration with blockchain analysis is not a privacy issue, so I think they'll market it successfully, again.
newbie
Activity: 22
Merit: 12
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.
The "privacy minded users" are not their target. Instead their target is the majority who don't really understand how to improve their privacy and are too lazy to do any research so they end up in a honeypot like Wasabi wallet.
That's more than enough for a blockchain analysis company to get ahead in the competition and make a ton of money selling its services to bitcoin businesses who are forced by the authorities to subscribe to such malicious services.

In my opinion the danger Wasabi poses which needs to be emphasized is not to its own users, it is to other privacy oriented projects and also to privacy in general.

Think of this scenario: a user who mixes their coin using anything but Wasabi (like centralized mixers, other CoinJoin implementations, etc.) has their transaction rejected and their account restricted by a centralized service they're using (like a CEX). But users who use Wasabi don't face the same problem since the blockchain analysis company knows their coins' origin and has the "link" which they provide to authorities.
They start complaining on the internet and start being advised to use Wasabi (the honeypot) because they didn't have their coins seized when using Wasabi.

Before you know it, the number of users of real privacy improving tools falls, and their volume falls too, making CoinJoin and mixing harder while making banning them a lot easier and less costly for centralized services, making those services comply more willingly.

A mixed output can’t be linked to its origin. That’s why the protocol Wasabi was originally based on is called ZeroLink. Chain analysis companies wouldn’t know anything besides what’s already publicly visible on the blockchain. The coordinator is blind to which outputs were funded by which inputs. Tor and block filters also ensure additional privacy from the coordinator which is in contrast to Whirlpool, where by default you’re connecting over your clear IP and revealing your XPUBs. It’s also different than Jambler based mixers, which many in this forum seem so fond of. Jambler, which also blacklists tainted coins, is custodial and knows the direct link between deposits and withdrawals.
legendary
Activity: 3472
Merit: 10611
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.
The "privacy minded users" are not their target. Instead their target is the majority who don't really understand how to improve their privacy and are too lazy to do any research so they end up in a honeypot like Wasabi wallet.
That's more than enough for a blockchain analysis company to get ahead in the competition and make a ton of money selling its services to bitcoin businesses who are forced by the authorities to subscribe to such malicious services.

In my opinion the danger Wasabi poses which needs to be emphasized is not to its own users, it is to other privacy oriented projects and also to privacy in general.

Think of this scenario: a user who mixes their coin using anything but Wasabi (like centralized mixers, other CoinJoin implementations, etc.) has their transaction rejected and their account restricted by a centralized service they're using (like a CEX). But users who use Wasabi don't face the same problem since the blockchain analysis company knows their coins' origin and has the "link" which they provide to authorities.
They start complaining on the internet and start being advised to use Wasabi (the honeypot) because they didn't have their coins seized when using Wasabi.

Before you know it, the number of users of real privacy improving tools falls, and their volume falls too, making CoinJoin and mixing harder while making banning them a lot easier and less costly for centralized services, making those services comply more willingly.
sr. member
Activity: 364
Merit: 298
Besides self-sabotage, why would one of them try to buy out Wasabi Wallet (and zksnacks). Would that not be counter-intuitive since they would lose money buying something to destroy?

It makes as much sense as if a privacy proclaiming service hired a blockchain surveillance firm to spy on their clients. Oh wait!
jr. member
Activity: 35
Merit: 35
Another reason why it would be a great acquisition for them is that it would give them a huge competitive advantage over other blockchain analysis firms. They'd be the only ones able to provide data on Wasabi CoinJoin'ed transactions.
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.

All privacy minded users already abandoned Wasabi. Only used by newbies who don't know better or who are tricked by scammers' adverts. And Wasabi already might have been bought by BC analysis company! They will never admit it.

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Another reason why it would be a great acquisition for them is that it would give them a huge competitive advantage over other blockchain analysis firms. They'd be the only ones able to provide data on Wasabi CoinJoin'ed transactions.
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.

Bought by a blockchain analysis company?

Besides self-sabotage, why would one of them try to buy out Wasabi Wallet (and zksnacks). Would that not be counter-intuitive since they would lose money buying something to destroy?

I've always imagined if a blockchain analysis company wanted to create a wallet, they'd load it full of spyware and other kinds of tracking. Like Coinbase.

EDIT: silly me, I completely missed the news that Wasabi wallet are trying to sell out (literally this time).
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Another reason why it would be a great acquisition for them is that it would give them a huge competitive advantage over other blockchain analysis firms. They'd be the only ones able to provide data on Wasabi CoinJoin'ed transactions.
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.
I like to think that everyone who really understands privacy has already left Wasabi; being acquired by a blockchain analysis firm may not matter all that much to current users. zkSNACKs would also just continue to claim users are fully private due to their open-source client code and zero-knowledge components of the system, just like they did when the 'Blacklisting Update' came out.

Also consider how many companies have some (sometimes shady) parent company that simply nobody knows about; this could maybe be done in a low-key way that doesn't pull too much attention.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Another reason why it would be a great acquisition for them is that it would give them a huge competitive advantage over other blockchain analysis firms. They'd be the only ones able to provide data on Wasabi CoinJoin'ed transactions.
Wouldn't it be more likely for all privacy minded users to abandon Wasabi entirely? Even if the current bad reputation isn't enough, that will end the moment it's bought by a blockchain analysis company.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Why on earth would you use a web interface and expose your HTTP port in order to do a coinjoin?
That's a good point. While I don't plan to try Jam for now, it could be prevented by using a firewall with advanced rules.
In fact, any decent firewall should block all ports by default. On my own full node, everything is only accessible locally from the machine itself, by default.

If you open a port on the local firewall, it becomes available on your LAN, but it's still going to be safe from anyone not on this network. Only by opening a port on the device's firewall and port-forwarding it on your router, it would actually be 'exposed'.

Web GUIs allow you to e.g. run JoinMarket on a headless server in your LAN and access it from your various PCs and laptops, and they do tend to look more modern than something built on QT. Although personally, as a long-term Bitcoin-Qt user, I prefer the JoinMarket-Qt interface.
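The distinction drawn in the post above (reachable only from the machine itself, reachable on the LAN, or actually exposed) also depends on which address a service binds to, and that can be checked on the host. The following is an added example, not part of the thread and not JoinMarket or Jam code: it classifies listening TCP sockets from `ss -Htln` output by bind address. The sample output, addresses, ports and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -Htln` output (Linux). Addresses and ports are
# made up for this example and do not describe any particular software.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  127.0.0.1:8332      0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 128  192.168.1.20:8080   0.0.0.0:*
LISTEN 0 128  0.0.0.0:28183       0.0.0.0:*
LISTEN 0 128  [::1]:27183         [::]:*
LISTEN 0 4096 *:9050              *:*
"""


def split_host_port(local):
    """Split the 'Local Address:Port' column into (host, port).

    Handles bracketed IPv6 ("[::1]:80"), interface suffixes
    ("127.0.0.53%lo:53") and the "*" wildcard.
    """
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def bind_scope(host):
    """Classify a bind address by who can reach it at the socket level."""
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "public"


def audit_listeners(ss_output):
    """Return sorted (port, host, scope) tuples for every LISTEN line."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_host_port(fields[3])
        findings.append((port, host, bind_scope(host)))
    return sorted(findings)


def ports_relying_on_firewall(ss_output):
    """Ports not bound to loopback: only the firewall keeps these off the LAN."""
    return [port for port, _, scope in audit_listeners(ss_output)
            if scope != "loopback"]


if __name__ == "__main__":
    for port, host, scope in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{port:>5}  {host:<15} {scope}")
    print("firewall-dependent:", ports_relying_on_firewall(SAMPLE_SS_OUTPUT))
```

Sockets reported as `loopback` are unreachable from other machines regardless of firewall state; everything else is kept off the LAN only by the host firewall, and off the internet only by the absence of a port-forward on the router.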
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
That project uses a different GitHub account, so no wonder I didn't know about it. While the UI application seems to be user-friendly, the installation process[1] would filter out many Bitcoiners.

[1] https://jamdocs.org/software/installation/
Why on earth would you use a web interface and expose your HTTP port in order to do a coinjoin?

Not only does it come with the usual risks of bots infiltrating your network with malicious packets and spam, but it also allows them to potentially use a vulnerability to steal crypto located inside the JoinMarket wallet.

That's a good point. While I don't plan to try Jam for now, it could be prevented by using a firewall with advanced rules.

There is nothing wrong with the Qt interface of JoinMarket.

It depends on what we count as wrong. Although it can't be denied the UI doesn't look as good as many modern applications or websites.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
AFAIK there's still no user-friendly interface which can rival Wasabi or Samourai wallet.

It comes with a fancy UI: Jam.

Here is the installation guide for multiple node implementations: https://jamdocs.org/software/installation/

If you think about it from a technical perspective, JoinMarket needs a backend implementation which is here: https://github.com/JoinMarket-Org/joinmarket-clientserver and a UI implementation which is here: https://github.com/joinmarket-webui/jam

Yes, it's not the easiest approach. Yes, it requires manual work. But it is worth it.

That project uses a different GitHub account, so no wonder I didn't know about it. While the UI application seems to be user-friendly, the installation process[1] would filter out many Bitcoiners.

[1] https://jamdocs.org/software/installation/

Why on earth would you use a web interface and expose your HTTP port in order to do a coinjoin?

Not only does it come with the usual risks of bots infiltrating your network with malicious packets and spam, but it also allows them to potentially use a vulnerability to steal crypto located inside the JoinMarket wallet.

There is nothing wrong with the Qt interface of JoinMarket.
hero member
Activity: 560
Merit: 1060
It is the most decentralized, but honestly, I prefer Whirlpool over Joinmarket. In the former, you get infinite remixes for free. In the latter, not only don't you get free remixes, but you pay for every maker's input. It has also presented some issues with the fee selection, like this one for instance.

Correct. I agree, but it has worked perfectly for me thus far. I guess you pay these issues to gain in decentralisation.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
After trying literally every service for this purpose (except the wasabi ones), I can safely agree that JoinMarket is my favorite one. I use others too, of course, but JoinMarket is the most decentralised one.
It is the most decentralized, but honestly, I prefer Whirlpool over Joinmarket. In the former, you get infinite remixes for free. In the latter, not only don't you get free remixes, but you pay for every maker's input. It has also presented some issues with the fee selection, like this one for instance.

If you think about it from a technical perspective, JoinMarket needs a backend implementation which is here: https://github.com/JoinMarket-Org/joinmarket-clientserver and a UI implementation which is here: https://github.com/joinmarket-webui/jam
JoinMarket does come with a UI, Joinmarket-Qt. Also, note that Jam is unofficial.
hero member
Activity: 560
Merit: 1060
That project uses a different GitHub account, so no wonder I didn't know about it. While the UI application seems to be user-friendly, the installation process[1] would filter out many Bitcoiners.

[1] https://jamdocs.org/software/installation/

Certainly. There is also a very good guide for installing both of these in Raspibolt's webpage:

1. https://raspibolt.org/guide/bonus/bitcoin/joinmarket.html
2. https://raspibolt.org/guide/bonus/bitcoin/Jam.html

I plan to install it this weekend! I will let you know.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
AFAIK there's still no user-friendly interface which can rival Wasabi or Samourai wallet.

It comes with a fancy UI: Jam.

Here is the installation guide for multiple node implementations: https://jamdocs.org/software/installation/

If you think about it from a technical perspective, JoinMarket needs a backend implementation which is here: https://github.com/JoinMarket-Org/joinmarket-clientserver and a UI implementation which is here: https://github.com/joinmarket-webui/jam

Yes, it's not the easiest approach. Yes, it requires manual work. But it is worth it.

That project uses a different GitHub account, so no wonder I didn't know about it. While the UI application seems to be user-friendly, the installation process[1] would filter out many Bitcoiners.

[1] https://jamdocs.org/software/installation/
hero member
Activity: 560
Merit: 1060
One solution would be to switch to decentralized approaches, such as JoinMarket.

After trying literally every service for this purpose (except the wasabi ones), I can safely agree that JoinMarket is my favorite one. I use others too, of course, but JoinMarket is the most decentralised one.

AFAIK there's still no user-friendly interface which can rival Wasabi or Samourai wallet.

It comes with a fancy UI: Jam.

Here is the installation guide for multiple node implementations: https://jamdocs.org/software/installation/

If you think about it from a technical perspective, JoinMarket needs a backend implementation which is here: https://github.com/JoinMarket-Org/joinmarket-clientserver and a UI implementation which is here: https://github.com/joinmarket-webui/jam

Yes, it's not the easiest approach. Yes, it requires manual work. But it is worth it.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
What exactly is needed to run such a service? honestly if both wallets are completely open source, then there is no need to point fingers and have such dramas, one could simply fork the wallet and start a new service, a better one.
At bare minimum, a server and the ability to follow a guide about setting up either coinjoin software. But gaining people's trust and liquidity to perform CoinJoin isn't simple.
In any of these 2 cases though, you'll still be running a centralized service. As a coordinator, authorities will be able to pressure you into shutting down, implementing privacy-breaking changes and helping them deanonymize users through blockchain analysis. Maybe they'll force you to partner with a blockchain analysis firm, even. Does some of this sound familiar?

That's true, although authorities would have a harder time pressuring an anonymous person/group.

One solution would be to switch to decentralized approaches, such as JoinMarket.

That's a valid solution, although it remains less popular since it requires you to run a full node[1] and AFAIK there's still no user-friendly interface which can rival Wasabi or Samourai wallet.

[1] https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/JOINMARKET-QT-GUIDE.md
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
What exactly is needed to run such a service? honestly if both wallets are completely open source, then there is no need to point fingers and have such dramas, one could simply fork the wallet and start a new service, a better one.
At bare minimum, a server and the ability to follow a guide about setting up either coinjoin software. But gaining people's trust and liquidity to perform CoinJoin isn't simple.
In any of these 2 cases though, you'll still be running a centralized service. As a coordinator, authorities will be able to pressure you into shutting down, implementing privacy-breaking changes and helping them deanonymize users through blockchain analysis. Maybe they'll force you to partner with a blockchain analysis firm, even. Does some of this sound familiar?

One solution would be to switch to decentralized approaches, such as JoinMarket.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Now on topic, I wonder if samurai and watnotsabi use the same technology?

They use different technology. Samourai uses Whirlpool/ZeroLink[1] while Wasabi uses WabiSabi[2].

What exactly is needed to run such a service? honestly if both wallets are completely open source, then there is no need to point fingers and have such dramas, one could simply fork the wallet and start a new service, a better one.

At bare minimum, a server and the ability to follow a guide about setting up either coinjoin software. But gaining people's trust and liquidity to perform CoinJoin isn't simple.

[1] https://docs.samourai.io/en/wallet/features/whirlpool
[2] https://github.com/zkSNACKs/WabiSabi
hero member
Activity: 1442
Merit: 775
In terms of whatever Peter Todd thinks of Wasabi, I tend not to care what one person's opinion is, regardless of who that person is. Gavin Andresen was a reputable contributor to bitcoin, and people blindly listening to his opinion has caused untold damage in this space. The opinion of one person is irrelevant, especially when that opinion can be bought. I care about the facts.
Bitcoin is a decentralized project, and the more years it has been here, the more decentralized it has become.

As part of Bitcoin history, we cannot deny the fact that in the early months it was not a decentralized project, with so much centralization on Satoshi Nakamoto, Gavin Andresen, sirius and some early programmers.

Things are very different now: the Bitcoin protocol allows developers to join, and a big upgrade must be voted on in a decentralized way by many nodes. A single developer nowadays cannot change the Bitcoin protocol.

The power of the community is decentralization, so if one person, even one who made big contributions in the past, now starts to mislead the project, they will not be supported by the majority of the Bitcoin community.
legendary
Activity: 2268
Merit: 18711
It seems like Peter Todd is / was a reputable contributor to Bitcoin for a very long time even though I did not hear of him until weeks ago. I find it strange that Kruw is consistently reminding everybody about Todd almost every time he posts a reply to a Thread.

What is your personal opinion of Todd ever since the Wasabi Censorship drama?
I've had Kruw on ignore for a long time so I've not been keeping up with his latest copy and paste nonsense.

In terms of whatever Peter Todd thinks of Wasabi, I tend not to care what one person's opinion is, regardless of who that person is. Gavin Andresen was a reputable contributor to bitcoin, and people blindly listening to his opinion has caused untold damage in this space. The opinion of one person is irrelevant, especially when that opinion can be bought. I care about the facts. And the facts of the matter are that Wasabi directly funds the enemies of privacy, and that Wasabi coinjoins are deeply flawed: https://bitcointalksearch.org/topic/m.63334000.
legendary
Activity: 1456
Merit: 5874
light_warrior ... 🕯️
3 months later and nopara sells up and quits
Now Wasabi get magic funds from somewhere to do signature adverts on forum??? Grin Grin Grin
To be honest, this is quite funny to read. Especially since he was the guy I was chatting with about restarting the campaign.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
The one category of entities who would desperately pay any price to have Wasabi on to their hands is the one we hate the most.  Blockchain Analysis companies.  They are in a collaboration already so one foot is in their boat already anyway.
And it's a great acquisition for a blockchain analysis company.
[...]
Another reason why it would be a great acquisition for them is that it would give them a huge competitive advantage over other blockchain analysis firms. They'd be the only ones able to provide data on Wasabi CoinJoin'ed transactions.

What is your personal opinion of Todd ever since the Wasabi Censorship drama?
No authorities, no heroes, and all that. There's a reason satoshi did what he did. Don't trust or care about people too much, no matter if they're Bitcoin developers, former privacy advocates or whatever else.
hero member
Activity: 882
Merit: 1873
Crypto Swap Exchange
And it's a great acquisition for a blockchain analysis company.
Blockchain Analysis companies would drool over this opportunity for sure.  Not only would it remove a large cost of running Wasabi but there would be no more need for the input of the Bitcoin community and they could simply diminish or abolish the Wasabi Commissions too in order to attract more people, collect more information, apply more Censorship and so on and so forth.

The writing has been on the wall for Wasabi since the day they announced they will start cooperating with and directly funding blockchain analysis. Anyone who has chosen to support them from that day onward has no excuse.
I am very intrigued although either the last time I asked this it was pure coincidence or it is a very sensitive subject for the moderators.

It seems like Peter Todd is / was a reputable contributor to Bitcoin for a very long time even though I did not hear of him until weeks ago. I find it strange that Kruw is consistently reminding everybody about Todd almost every time he posts a reply to a Thread.

What is your personal opinion of Todd ever since the Wasabi Censorship drama?

I've been poking around the Dread forum after seeing the links shared by OP; the distrust of Wasabi there is pretty widespread (for good reason), and I would think people regularly using Tor and Darknet Markets know a thing or two about privacy. The most privacy orientated people on this forum do not recommend Wasabi. The most privacy orientated people on Twitter do not recommend Wasabi. It would seem the people who do recommend Wasabi largely either work for Wasabi or are being paid by Wasabi. It's pretty telling.
Fortunately Wasabi was well known to the Privacy community way before they turned the blade against us. I really believe it would have been much worse had they turned against us before their strong reputation. Much easier to fool. Considering most of us were up to date with them and highly supportive however, they hit a big nail into their own fingers by deciding to turn their back and present support to Blockchain Analysis. All of us found out quickly, and most of us decided to stay away and question their behavior.
legendary
Activity: 2268
Merit: 18711
The one category of entities who would desperately pay any price to have Wasabi on to their hands is the one we hate the most.  Blockchain Analysis companies.  They are in a collaboration already so one foot is in their boat already anyway.
And it's a great acquisition for a blockchain analysis company. Simultaneously remove a large cost of running Wasabi since they can obviously supply their mass surveillance tools to themselves for free, while also gaining more information about every output which is even attempted to be coinjoined through Wasabi (even if they ultimately censor it), giving them more information to further their blockchain analysis capabilities. Plus it further opens up the possibility of self Sybil attacks (as OP has linked to) to further deanonymize Wasabi users. (On another note, some of the Twitter links OP has provided are now dead, but can be found on The Wayback Machine.)


It will taint their names too late however, because the big damage will already be done.
The writing has been on the wall for Wasabi since the day they announced they will start cooperating with and directly funding blockchain analysis. Anyone who has chosen to support them from that day onward has no excuse.

Think about it.  You are being told it is fine to work with Blockchain Analysis as long as Privacy is still the number one priority.  It is a very contradictory and creepy way of deceiving users into believing it is completely fine for our Privacy to collaborate with the enemies of Privacy.
I've been poking around the Dread forum after seeing the links shared by OP; the distrust of Wasabi there is pretty widespread (for good reason), and I would think people regularly using Tor and Darknet Markets know a thing or two about privacy. The most privacy orientated people on this forum do not recommend Wasabi. The most privacy orientated people on Twitter do not recommend Wasabi. It would seem the people who do recommend Wasabi largely either work for Wasabi or are being paid by Wasabi. It's pretty telling.
hero member
Activity: 882
Merit: 1873
Crypto Swap Exchange
Wasabi messed up tremendously already.  If o_e_l_e_o is right then offering to sell Shares or their entire company only means one thing is bound to happen at some point in the future and we all know what that is.  The one category of entities who would desperately pay any price to have Wasabi on to their hands is the one we hate the most.  Blockchain Analysis companies.  They are in a collaboration already so one foot is in their boat already anyway.

Unfortunately this Wasabi product will end up tainting the names of many reputable persons of the Bitcoin community.  Not necessarily the members who joined their Signature Campaign but the much more important people who are keen on publicly supporting Wasabi as the best option for Privacy.  It will taint their names too late however, because the big damage will already be done.

The signs are all there and stronger than ever.  From now on it is a matter of whether or not we want to support Wasabi and their likely honey pot and seemingly innocent strategy against Privacy.

There is an even larger red flag than ever before now.  Crack downs happen strongly on Mixers but not on Wasabi Coin Joins.  Kruw already has a very suspect yet interesting way of behaving and deceiving, it all speaks volumes.

Think about it.  You are being told it is fine to work with Blockchain Analysis as long as Privacy is still the number one priority.  It is a very contradictory and creepy way of deceiving users into believing it is completely fine for our Privacy to collaborate with the enemies of Privacy.  This while committing even further creepy actions such as exposing real identities, pushing false accusations and so on.  They tell you they are offering Privacy while exposing any public information they have about their competition and working with and funding who Privacy oriented people hate using the money you pay them for offering you 'Privacy'.

If somebody bigger with even more malicious intentions gets to own Wasabi then expect the worst. Betrayals from some of our most beloved members of the Bitcoin community. Even more crack downs on what truly offers Privacy. More restrictive laws and so on.

I wish I am wrong but time keeps telling me my gut feeling is right.  I keep hearing worse and worse news.  Wasabi is not to be trusted.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
This is some big news, but I've got to say: Bitcointalk always had its doubts.

'Bitcointalk Wasabi saga' timeline (did I miss something?):
| Date | Topic | URL |
|---|---|---|
| March 14, 2022 | The default Wasabi Wallet coordinator will start censoring "illegal" UTXOs | https://bitcointalksearch.org/topic/the-default-wasabi-wallet-coordinator-will-start-censoring-illegal-utxos-5389567 |
| July 06, 2022 | Wasabi blacklisting update - open letter / 24 questions discussion thread | https://bitcointalksearch.org/topic/wasabi-blacklisting-update-open-letter-24-questions-discussion-thread-5405325 |
| July 24, 2022 | 'Wasabigeddon' article discussion (it supposedly solves fungibility) | https://bitcointalksearch.org/topic/wasabigeddon-article-discussion-it-supposedly-solves-fungibility-5407473 |
| June 25, 2023 | Petition to remove Wasabi from recommendations of bitcoin.org | https://bitcointalksearch.org/topic/petition-to-remove-wasabi-from-recommendations-of-bitcoinorg-5457560 |
| January 04, 2024 | Scammer lead developer resigns from honeypot Wasabi Wallet | https://bitcointalksearch.org/topic/scammer-lead-developer-resigns-from-honeypot-wasabi-wallet-5480440 |
jr. member
Activity: 35
Merit: 35
BC analysis helping to put innocent privacy devs in jail.

Code audit not needed. Anyone can go find code that ask BC analysis to spy on your coins!
copper member
Activity: 1330
Merit: 899
🖤😏
How are the people you mentioned "innocent" people? To me it looks like they arrested a bunch of hackers and scammers, why would that be wrong, and if all the claims are facts and true, then they are indeed a honeypot, but what would be a good move is to pay at least 2 reputable experts to audit their code in secret and when their report was ready to publish, they could publish it themselves, however they won't lie to damage their reps, also they won't simply do the audit for free, so there is that.

But if there were no "software" related flaws, and the leaks were server or user related, then you'll have nothing to complain about.
jr. member
Activity: 35
Merit: 35
Dread uses POW protection for DDOS. Update Tor and it works.

Wasabi never denies leak. Probably true... they only care about money.

Wasabi is a honeypot and works with BC analysis. BC analysis give evidence to put innocent people in jail. Everyone working with Wasabi is guilty collaborator.
copper member
Activity: 2114
Merit: 1814
฿itcoin for all, All for ฿itcoin.
Can anyone access any of those links using Tor Browser? The estimated waiting time is <3 minutes, but i already wait for over 15 minutes with no change.
I waited for less than a minute to access what is in the links, though they have some very hard captcha challenge

The profile that made the quoted posts in the dread forum (MoneroHead) seems to be a long time critic of Wasabi wallet. This perhaps explains why they went out so hard by calling Nopara73 a scammer. I don't know if he scammed anyone.

But here is part of the post history. Perhaps OP is MoneroHead?


sr. member
Activity: 364
Merit: 298
Can anyone access any of those links using Tor Browser? The estimated waiting time is <3 minutes, but i already wait for over 15 minutes with no change

I cannot access Dread either.

But can we trust that leak, especially when it comes from Samourai Wallet who also has some controversy and few questionable behavior on social media?

Very questionable.  I cannot find these documents in samourai's tweet anywhere.  Maybe someone else can. 
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Can anyone access any of those links using Tor Browser? The estimated waiting time is <3 minutes, but i already wait for over 15 minutes with no change.

I can confirm that I waited less than 3 minutes, and that after some strange captcha I was able to see the content. The home page that opens contains exactly what is in the OP. Maybe the problem was only temporary, or you should try changing the Tor Circuit (if you haven't already).
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange

Can anyone access any of those links using Tor Browser? The estimated waiting time is <3 minutes, but i already wait for over 15 minutes with no change.

A few months ago it was leaked on Twitter that the Wasabi team were trying to sell shares or even sell the company entirely, and were "open to the idea of merger and acquisition": https://nitter.cz/SamouraiWallet/status/1708068554208117028#m

Does this mean they found some institutional buyer and so some of the devs are selling out and leaving?

But can we trust that leak, especially when it comes from Samourai Wallet who also has some controversy and few questionable behavior on social media?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Wasabi have been bought by bigger company with advert budget. But who? Exchange? BC analysis? Law enforcement? What a scam!

I think you mean zksnacks. Wasabi is not the company, it's just the name of the wallet. The full-time wasabi devs work for zksnacks.
jr. member
Activity: 35
Merit: 35
So

Wasabi volume dying.... https://i.postimg.cc/wj12bP0t/image.png
Wasabi then want to sell company
3 months later and nopara sells up and quits

Now Wasabi get magic funds from some where to do signature adverts on forum??? Grin Grin Grin


Wasabi have been bought by bigger company with advert budget. But who? Exchange? BC analysis? Law enforcement? What a scam!
sr. member
Activity: 364
Merit: 298
Everyone should use Wasabi above all else.

Everyone except:

  • People who do not want to risk their privacy with faulty software.
  • People who would rather not pay a blockchain analysis firm to spy on their inputs.
  • And people who do not like treating their bitcoin as non-fungible.
legendary
Activity: 2730
Merit: 7065
I wonder what our Wasabi Wallet forum fan and shill Kruw will say about all of this? History tends to repeat itself, so I expect he will point the finger and call other implementations faulty, highlighting the open-source nature of Wasabi.

I don't support or like anything related to Wasabi, but it's important to keep in mind that if a user has a problem on a CEX because their coins come from a mixer or coinjoin implementation, it isn't a fault of the privacy tool they used. It's the CEXs hating on anything privacy-related or privacy-improving.
legendary
Activity: 2268
Merit: 18711
A few months ago it was leaked on Twitter that the Wasabi team were trying to sell shares or even sell the company entirely, and were "open to the idea of merger and acquisition": https://nitter.cz/SamouraiWallet/status/1708068554208117028#m

Does this mean they found some institutional buyer and so some of the devs are selling out and leaving?
jr. member
Activity: 35
Merit: 35
From Dread.

http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/post/461a84a003112589e347

Quote
Nopara73, the lead developer at failed bitcoin wallet Wasabi, has decided to leave the project. In his wake he leaves behind over 132 arrests of users who were scammed into believing that Wasabi provided any kind of transactional privacy whatsoever.

Both Wasabi 1.0 and its later 2.0 incarnation were demonstrably broken.

In early 2022 Wasabi admitted to working with chain analysis companies in order to identify and filter bitcoins entering their system. These are the same chain analysis companies that are providing information and "evidence" to be used for the government prosecution of privacy developers like Roman Sterlingov and Alexey Pertsev. In effect, Wasabi has been operating as a law enforcement honeypot.

See earlier posts from this Dread with regards to Wasabi misdeeds.

https://www.nobsbitcoin.com/wasabi-wallets-cto-leaves-to-focus-on-next-gen-bitcoin-privacy/



http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/post/b1f32ddd71f9b14c6245

Quote
Questions keep arising concerning Wasabi Wallet mixing. Wasabi bugs, user arrests, user accounts flagged and so forth are becoming too numerous to keep track of.

I will try to keep this list up-to-date as new elements become available and are documented.

UPDATE: As Wasabi Wallet flaws continue to be ignored this list is also kept up-to-date at http://scam7kwuwdjksshy6ocig5k34zuxigvhjbdy2hkvqbqsylt6eey2fmyd.onion/

    Wasabi user account is flagged at BitFinex and this is pointed out by anonymous tweets thus causing Wasabi Lead Dev Nopara73 to dox competitor who he suspects is spreading the (true) facts about Wasabi's poor implementation. https://web.archive.org/web/20200128233910/https://old.reddit.com/r/WasabiWallet/comments/beqj8r/bitfinex_lock_account/ https://twitter.com/sthenc/status/1251655851443515393

    There have been 5 documented cases of coinjoins being flagged by exchanges and brokers. All have concerned Wasabi. Rather than fix recurring issues with their implementation, Wasabi claimed that the problem was due to an anti-coinjoin campaign by KYC actors despite the fact that only Wasabi coinjoins have ever been targeted https://6102bitcoin.com/coinjoin-flagging/ (Update: now 6 documented cases. See below.)

    6 arrests each from PlusToken and WoToken scams. See OXT Research links below.

    Bitcoin address bc1q3zr88h3czss85xxp4lyyhes2xcgu7cg8vhcnzy is tagged as being BitClub. 700 btc into Wasabi via transaction 9a9cb20635db66de837685d01e7d00de9cc13c9bc80f7bcd1fe4f4173a4c503c. 3 arrests soon followed.

    Wasabi hires known scammer Cedric Dahl as paid shill. Dahl peddles bogus DNM stats and falsely claims to have subjected Wasabi to a battery of tests. https://www.whatbitcoindid.com/podcast/dark-markets-and-bitcoin-adoption-with-cedric-dahl

    Wasabi staff member doxes Wasabi corporate account via his own use of Wasabi wallet https://twitter.com/keonne/status/1151437292730560512

    Respected developer confirms that Wasabi ZeroLink is incorrectly implemented https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-December/017542.html

    PlusToken uses Wasabi, mixes unwound https://research.oxt.me/special-situation-report

    China & North Korea entities use Wasabi, mixes unwound https://research.oxt.me/china-and-north-korea

    Nopara73, Wasabi lead developer, "donated" a Wasabi mixed output (almost 0.1 BTC) to a scammer who was stealing funds from Wasabi users in the Wasabi Telegram chat. The "donation" took place in transaction 683aba09e87f02611842c698bad49f48734247358c673b48941f8075416a3d49 and the amount was thereafter sent to an address controlled by Huobi. This can be confirmed in the Wasabi Telegram chat logs.

    Wasabi lead developer publishing misleading usage statistics https://twitter.com/6102bitcoin/status/1263464894323658757

    Wasabi staff member admits providing liquidity to Wasabi via multiple wallets (Wasabi is self-sybilling) https://twitter.com/6102bitcoin/status/1267449330975244290

    Serious red flag about Europol report and Wasabi collaborating with law enforcement https://twitter.com/6102bitcoin/status/1269243083314659328

    Explanation of how Lazarus Group mixes were unwound https://stephanlivera.com/episode/179/

    More about the purported Europol report: closer examination of the PDF file reveals many major differences with other Europol EC3 reports available to the public via their website. As opposed to being a PDF-exported report with selectable text like all the others, the Wasabi report is a document made up of scanned images. In addition, the page template used for the Wasabi report is not used in any other EC3 report available which all use identical page layout and style templates.

    Wasabi Wallet caught using fraudulent data against a competitor http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/bb22f5e261bbeb24e157

    114 new arrests of individuals associated with the PlusToken scam https://twitter.com/molllliy/status/1288771023437852677

    3 arrests following use of Wasabi wallet mixing by the #TwitterHack scammers http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/325349fd8c53d0a7320f

    OXT Research identifies vulnerabilities in Wasabi Wallet mixing http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/dadd01b95a8f0586109f/

    6th instance of user account blocked due to proximity to Wasabi Wallet http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/c6220de5b865e09d4c8c

    Upon Wasabi's refusal to acknowledge reported vulnerabilities, OXT Research publishes report which confirms that a modified Wasabi client can be used to observe the anonymity set without taking part in any actual mixes. Chain analysis companies and law enforcement have probably been doing the same thing for quite some time which would certainly explain the 132 arrests and the 6 blocked/flagged accounts https://twitter.com/anwfr/status/1297068327165026304

    Wasabi Wallet linked to demise of Empire Market. Addresses "peeled back" https://twitter.com/nixops/status/1299013819210096643

    Wasabi Wallet developer "NothingMuch" warns users to not use Wasabi Wallet for DNM purchases http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/2e822260eb74f8b85496 It should be noted that "NothingMuch" is the same developer who teamed up with a business associate of Wasabi Lead Dev in order to provide a list of faked data in an attempt to make a security disclosure against a competitor.

    Security researcher 6102Bitcoin releases data on Wasabi symmetric address reuse. Symmetric address reuse occurs when the same address is used as both an input and an output in the same mix transaction. This is a huge flaw that degrades the anonymity set. https://twitter.com/6102bitcoin/status/1318583039006511104 After contacting Wasabi Lead Dev in order to disclose findings, he is banned from Wasabi chat rooms https://twitter.com/6102bitcoin/status/1313447816379981827

    After repeated reports on Dread submitted by many different users, Wasabi’s coinjoin implementation is classified as a scam by Hades Onion Directory http://hades3nre5yvwmoy5h4tgitvqu56e5j4euaatvyp62regy3ivwhwjwad.onion/

    KuCoin hackers use Wasabi, mixes unwound https://research.oxt.me/china-and-north-korea

    User ‘DominicG’ in Wasabi Telegram group reports ( https://t.me/WasabiWallet/54236 ) that Voyager exchange ( https://www.investvoyager.com/ ) is telling users not to deposit outputs from Wasabi or to use Wasabi after withdrawal.

Mod note: consecutive posts merged