Well it is the escrow's job to ensure the trade goes smoothly, and if it doesn't to see that the scammer does not end up with the money. That is what they are getting paid to do. If the escrow is not willing to do basic due diligence before releasing the money, I don't see the point of using them.

The amount in question in this case is $50k. I don't think it is unreasonable to use a little bit of care when dealing with that much of other people's money.

Lightning Network protocol has measures in place that specifically prevent the theft of bitcoin by your channel partners. As far as I can tell, there are no similar measures in place with Mercury protocol.

I don't think it is accurate to say that you have full custody of your coins at all times, or at least this would not be true if you were to say "sole custody". This is according to my understanding of how Mercury works.

Every centralized service that holds custody of your bitcoin says that you can withdraw at any time. So did most ponzis before they imploded.

I don't think it is safe to entrust your money with Mercury until the issue of an malicious SE stealing your money is addressed.

That website appears to be intended to get people to want to get vaccinated. Certainly an interesting way of trying to achieve that adjective.

IMO, the best way of getting people to use smoke detectors is to explain the benefits of using smoke detectors. Simply providing the data as to why smoke detectors are going to prevent fire-related deaths is going to get almost everyone to want to use a smoke detector.

Similarly with vaccines, giving the data as to why getting the vaccine will benefit them is going to get most people to want to get vaccinated. If you try to force people into doing something, many people are going to reflexively try to resist.  

PS - if you are the one behind this website, can you PLEASE make the font more readable? The 24 pt font is ridiculous. Granted it does give more space for more ads.

According to what appears to be the escrow agreement, the coins were to be shipped to the buyer.

This was not long after eseayan's password was changed, and should have set off red flags.

I am interested to see what MJ plans to do about the situation.

I think wanting to wait for a study to confirm a drug is efficient in treating covid is reasonable. Although if potential side effects are minimal, and the risk of taking the drug is low, there is an argument to allow people to take the drug (ivermectin today, or HCQ mid last year) as long as patients understand the risks, and studies are ongoing.

The opposition to ivermectin today is not that there needs to be a study confirming that ivermectin is effective against covid. When studies on HCQ were ongoing, many on the left were actively hoping that HCQ would not show to be effective, as is the case for ivermectin today. 

Thanks. The documentation at https://docs.mercurywallet.com/docs/ should be updated with their clarification.

I think the other issues are probably more important to be addressed before anyone should consider trusting their money with this type of service.

Minerjones has a history of playing fast and lose with what he is willing to do for his own (potential) profit. He is willing to auction off items on behalf of third parties without being in possession of said items, and does not take responsibility when he cannot deliver the items (no disclaimer is made that he is not the seller, that the auction is subject to any additional terms, or that he is not the one actually shipping the items).

It is not unusual for an escrow provider to have the seller ship directly to the seller -- as an escrow provider, I engaged in this practice, and would give terms to this effect, I would say that in the event of a dispute the respective parties would need to provide evidence to support if they lived up to the terms of the agreement.

It is best to confirm all the terms of the trade before a funding address is provided, and that does not appear to have occurred in this case. MJ said it is safe to "ship" the physical coin once the escrow address is funded, but MJ later posted that he was told via PM that delivery would be done in person. IMO this should have set off red flags, and he should have either asked for additional verification from the buyer to confirm he is speaking to the correct person, or delayed releasing the funds to see if someone shows up claiming to be the buyer whose account was hacked.

There seems to be a lot of forum members who were last active in the 300-500 days ago range on this list. I can't help but wonder if these people were somehow negatively affected by covid. My guess is that at least some of them were.

Some of these people had moved on from the forum before the advent of the merit system, but received merit because of their prior contributions. Some of these people likely abandoned their old forum accounts in favor of new accounts in order to improve their anonymity -- this is something that has always happened, but the merit system brings attention to when a good forum member stops using their account.

Some people on this list have moved on from using the forum for a variety of reasons. Years ago, I remember reading posts about people writing that they had to look for jobs after suffering a theft or loss, with those posts being one of their last posts.

It appears there are some studies that are ongoing regarding ivermectin currently.

There is opposition to using ivermectin even on an experimental, or compassionate use basis. There was similar fierce opposition to hydroxychloroquine even while studies were ongoing. The reason for this is that if there was an efficient treatment for covid, the lockdowns and other means of control under the guise of "protection" from covid could no longer be justified.

I read the documentation, and it appears there might be some missing information.

The second paragraph in the "overview" section starts talking about the "SE" but this term is never defined. It is unclear what this is.

At the end of the first paragraph of the "statechains" section, it says that any collusion between the "SE" and an old owner of a UTXO that results in theft of a UTXO can be trivially proven. This does not explain any consequences of this collusion. If someone were to buy up all the 0.0001 BTC UTXOs one at a time, and sell each UTXO before buying the next one, if they are colluding with the "SE" what would prevent them from being able to have a tx confirmed to an arbitrary address? I don't see anything in the documentation that would.

The "fraud proof" paragraph again says that it can be trivially proven if the "SE" is corrupt, and alludes that the ability to prove a "SE" is corrupt is an incentive to be "honest". Again, the documentation does not explain the actual consequences for the "SE" for being corrupt. The LN protocol for example, has concrete consequences for publishing an old channel state to close the channel -- the other party is able to recover the entire channel balance of both parties. There does not appear to be any financial consequences for a corrupt "SE" that I can see.

I am curious if you are in any way associated with this project.

This is according to Joe Rogan, and may or may not be true.

The opposition to Ivermectin is not about Ivermectin, nor is it about the vaccine. It is about control. The opposition to Ivermectin is about control. Democrats want to mandate (aka force) people into doing something they know they will receive pushback to, and force as many people to do what they don’t want to do as possible. This will lead to Democrats being able to get even more people to do what Democrats want them to do.

I don’t think the day of the week new videos are released is particularly important, as long as it is consistent. You should set this according to your schedule so that you can reliably release videos that day. If your release schedule doesn’t match when viewers are able to watch new videos, viewers will watch new videos later. If you say you will post new videos on Tuesday, and someone can view new videos on Thursday, if they check your channel on Thursday to not find a new video, they might not come back to look for additional videos.

I think this is an escrow address. It was posted as being the address to watch for payments last year. It is certainly not a new address.

If LL said he would find escrow two weeks ago, he should do so.

I don't understand the potential benefit to the end user. If someone doesn't want to spend their own bitcoin, they can simply not broadcast a valid transaction spending their bitcoin. nLockTime is a means to allow a transaction to be prevented from confirming in the event of some kind of dispute between parties conducting business, so the other party can broadcast a conflicting transaction in the interim.

There is no "proper" way to try to bruteforce something.

While this is a bad security practice, many people reuse passwords, or reuse passwords while appending something to the end of a password each time a new one is created. If this is the case, there is a decent change the OP's friend knows her passphrase is one of a dozen or so potential passphrases, but isn't sure which one, and she can check them all in a few minutes.
There are setup costs associated with using a program/script such as btcrecover such as reading the documentation to figure out how to use it. Spending 30 minutes "manually" checking potential passphrases before using a tool to systematically trying to bruteforce the passphase is not going to hurt anyone.

The input from this could be replicated by "just attach a standing miniature fan next to your box and then place a sensor in front of it to measure its turbulence".

When generating private keys of any sort, you should not try to reinvent the wheel. If you are using something as a means to generate entropy in addition to using entropy from a known secure way of generating entropy, at best, you are going to have the same amount of entropy, but you may end up with less entropy.

You either trust your computer to generate a random number or you don't. Using additional input is not going to change this trust. If you don't trust your computer to generate a random number, you should use something that you know will produce a random output, such as a coin toss or a dice roll.

Some people use a passphrase as an additional security measure to prevent theft in the event their hardware wallet is stolen. I think it is fairly common for people to be more lax with their hardware wallets with regards to security, while backups are almost always kept under some kind of lock and key. Some people may also use a passphrase to prevent a $5 wrench attack while spending your coin. It really depends on your security model and assumptions.

If the OP's friend knows their passphrase is one of a dozen or so possibilities, the setup/reading the documentation for something like btcrecover may take longer than using iancoleman's tool.

It is too late now for your friend, however it is a good practice to have backups of everything needed in order to recover your bitcoin. This would include any 25'th word passphrase. If it makes you more comfortable, you can store your passphrase separately from the rest of your seed.

If your friend is able to figure out her passphrase, it would be a good idea to add her passphrase to her backups.

---

As mocacinno said, your friend can change the derivation path to BIP84 on the tool you are using. By default, this will change the path to m/84'/0'/0'/0 -- I am not sure what path ledger uses by default, but if this is not the path that ledger uses, you will have to update the account and internal/external fields accordingly. Otherwise, you will generate different addresses, even if you have the correct passphrase.

Well I do think it would be strange for only email addresses to leak. There is typically more information that leaks when a database is compromised. I would have expected for at least IP addresses and some data about the accounts to leak.

There is a very narrow set of circumstances in which only email addresses would leak from CMC.

Email addresses (and other non-password data) is normally stored in a database. The database itself will usually have permissions restrictions prevent an arbitrary person from accessing the database. The reason this information is stored in a database is so the business, in this case CMC can query this information to complete various tasks, such as emailing their customers.

A password on the other hand is typically stored in a "hashed" format. This means the actual is not actually stored, but rather the result of the password being passed into a hash function is stored. This means that someone querying the database cannot actually get the actual password, but if the correct password is entered into a query, it is trivial to confirm the correct password was entered. The reason passwords are stored this way is because there is no valid business reason for someone to query someone's password. Also, the number of people who can access even the hashed passwords is generally more restricted than other parts of the database.

There have been a lot of hacks of various crypto services over the years. It is not inconceivable to believe that the leaked list is actually a compilation of email addresses used by crypto users.