It's certain that some exchanges are lying about how much they have in reserve, but you are right - they still hold millions of bitcoin. But if you look at some independent data such as the Glassnode graphs presented in OP's article, or this from Glassnode, it does show huge outflows from exchanges and the total balance being held on exchanges to be the lowest it's been in over 4 years.

As long as centralized exchanges exist there will be people who are dumb enough to leave their coins on them, but we should be happy to see that number reducing.

I don't have an account so I can't try to log in, but the link you have provided loads normally for me on Tor.

Isn't it amazing that centralized exchanges have managed to convince people that writing down 12 words is outside of their capacity, and they need to give all their coins to complete strangers instead.

Pretty much every centralized exchange has lost coins in a hack at some point, so such an opinion is just provably wrong. Or take a look at FTX as a shining example - one of the biggest crypto exchange in existence, and court documents show that they were storing private keys on an unsecured group email account. This is the kind of "security" you get with centralized exchanges.

Such a system is not that safe. By using a seed phrase which was generated in a hot wallet on an online machine, and stored for an unknown amount of time on the same online machine, then the seed phrase has still been exposed to the internet and any malware on OP's device, even if he now deletes it from his device and sets up a watch only wallet instead. And indeed, simply deleting the wallet file does not completely scrub it from the hard drive, and it could still be recovered. Not to mention that without an airgapped computer he can't make any transactions without importing his seed phrase back on to his online machine and again risking exposing it.

If you want a secure watch only wallet, then the corresponding seed phrase needs to be generated on a permanently airgapped machine and kept permanently airgapped itself.

I don't see it that way. Rather, it is a good sign that more and more people are finally waking up to the mistake that is centralized exchanges and are pulling their money off said exchanges.

Afraid I can't. As you say, I'm not a trader, and my point is that bitcoin was designed to be a currency, not to be a tool used to simply increase the amount of fiat you own. If less people used centralized exchanges for trading and more people simply bought and used bitcoin peer to peer as a currency, we wouldn't be in this mess to begin with. The decentralized exchanges I would recommend, such as Bisq or RoboSats, do not lend themselves to daily trading.

We can absolutely live without them. I have never once used a centralized exchange in my entire life, and yet I would wager that I am more involved in the bitcoin ecosystem than 99% of other bitcoin users given that I use and spend bitcoin as a currency almost daily. Yes, we might not see the same fiat denominated prices without centralized exchanges, but bitcoin itself does just fine (better, in fact) without them.

It means nothing. Every exchange is as risky as every other exchange. The only safe place for your coins is your own wallet.

"Blockchain" isn't a single entity. Bitcoin is decentralized. Centralized exchanges are not. Most altcoins are not. If your money is in altcoins or on centralized exchanges, then you are liable for large losses. If your money is in bitcoin and in your own wallet, then you are quite safe.

I still find this highly surprising, given that it was 100% proven in court documents and filings that Tether is fractional reserve and do not hold nearly enough assets to cover all outstanding USDT. And yet for some reason they continue to attract new users.

It's worth noting that this method of mixing is only used by ChipMixer. All other mixers simply consolidate all their deposits and send them around a bit before paying out. Only ChipMixer uses pre-funded addresses which helps to further break the link between deposit and withdrawal.

Unfortunately, it is outdated. When theymos wrote that post, Wasabi was indeed a decent wallet and a decent coinjoin provider. However, since then they have began cooperating with blockchain analysis companies, sharing data with these companies, spying on their users, and censoring their users, so are now a very poor choice for anyone interested in privacy.

Then your wallet is empty. Coins which disappear after a rescan have been spent at some point since the wallet was last fully synced.

Since you are struggling with syncing your wallets properly, the simplest thing to do is probably just going to be to look up individual addresses on a block explorer such as https://mempool.space/. If you happen to find an address which still has coins in it, then you can rescan that wallet and spend those coins. But it does seem like all your coins have been spent years ago.

Feel free to at least try and keep the discussion civil.

That's not what their website says, but as I said above, I am more than willing to admit that I am wrong. Nothing in the link you have provided makes it clear that you can see other user balances in plain text, only that you can see each user's Merkle leaf, which as per the code I linked to above, contains a hashed representation of their balances. If someone with a Binance account could download and then share the Merkle tree, that would be very helpful.

But regardless, even in such a case the Merkle root does not prove solvency. Binance could quite easily look for every account which hasn't been active in (for example) 6 months, and set their balance to zero or just exclude them entirely, being relatively sure that these inactive users are not going to check and expose their fraud. And given that Binance already show on their screenshots that accounts can have a negative balance due to things like leverage, margins, loans, etc., then again nothing stopping Binance from padding the books with several thousand negative balance accounts which don't really exist.

One way or the other, the only thing the Merkle tree proves is that you have an entry on their spreadsheet. It does not prove they are solvent.

It's not that Electrum is unsafe - it's that your entire set up is unsafe.

The current version of Electrum has no critical bugs or vulnerabilities which could directly lead to your coins being stolen. In that sense, it is a very safe piece of software. However, it cannot protect you against malicious parties attacking your computer, stealing your wallet file, planting clipboard malware, keyloggers, or other malware, and so on. You are storing funds in a hot wallet and so no wallet software, regardless of how good it is, can possibly mitigate against all potential threats.

I must say that downloading pirated software on the same computer that stores a bitcoin hot wallet is a particularly dangerous move. As is using anything Google related.

A hardware wallet, or a cold airgapped wallet.

Yup, done all that. Here's the page I've read directly from Binance which explains their process: https://www.binance.com/en/proof-of-reserves#proof-of-reserves

Each user uses their unique account code, a salt, and the audit ID, concatenates all this, and then SHA256s it to create their "record ID". The record ID is then concatenated with all their balances, hashed again, and the first 16 characters (8 bytes) taken as that user's individual Merkle leaf.

Great. So I can verify that my balances are accurately hashed in to my Merkle leaf, and I can verify that my Merkle leaf is contained with the Merkle tree. Now, here is the bit you seem to be missing, I can verify absolutely nothing about any one else's balances or leaves. I have no idea if your balances are accurately reflected in your leaf. I don't even know if your leaf is even included. I don't know if CZ has included a fake account with -10,000 BTC to balance the books. The screenshot on the page I linked above even shows "Balance" and "Debt" at the time of the audit with a final negative equity in the account in question, so the process to have negative accounts already exists.

Here's an example to illustrate. I'll take you as an example customer with 50 BTC on your account. Your hash input will be "franky1,BTC:50". For the sake of simplicity of this example, everything is single hashed as simple text.
User 1 - 828ab4dea3944c2aae12c2e4faa3cc7d7c79d2f1903323c0d1110cc233d02855
franky1 - bdf65086e0f247c9fd0a14368833b65530750fcb79128a5e7186de313589c25c
User 3 - dccf02131c89244750fffc1bc647c5e1cd8bb536b98700d6f002066497e73893
User 4 - ad3d8ae71b24929d1eb84fd10f25c1ea2e159dc1ddf453d3832c78899a08b419

User 1 + franky1 = 38fd94e48ec804a3616fe20a4c2bc4f9a3d9c0b0812d5c421bc49ce9784a4b95
User 3 + User 4 = 6a712e021ef304ae0c8226602ffe934e1ea8868771ef429d43d73029e3205b5d

Merkle root = fa45368d13a36054cca1db862adfde5ae1c6f0bf6c479ad54c799fee47e3fdd1

Now, you have this Merkle tree, and you see Binance have posted a wallet with 200 BTC in it. Are they backed up 1:1? You have absolutely no idea. Is that 4 users with 50 BTC each? Or are there 2 users with 100 BTC and one fake account with -50 BTC? Who knows. Only Binance. You have verified that your balances are within the Merkle tree, but the Merkle tree itself tells you absolutely nothing about whether or not Binance are solvent. The whole thing is a sham.

Each word encodes 11 bits of data. As hosseinimr93 has pointed out, for a 24 word seed phrase the checksum is 8 bits. This means the final word has 3 bits which are not checksum, which gives 2³ = 8 possible combinations. For each of these 8 combinations, there will be exactly one correct checksum, meaning there will be 8 valid final words for any given 23 words.

For a 12 word phrase which has 4 bits of checksum, there will be 2⁷ = 128 possible valid final words.

And of course, I have to ask, why are you manually picking words to create a seed phrase? Such a process leaves you with a very insecure seed phrase and liable to have all your coins stolen.

I have previously frequently used zero confirmation transactions when transacting in person. This change is not ideal for me either, but I understand why it needs to happen. Moving forward I suspect I will continue to use them at a few merchants with whom I have built sufficient trust, and at other merchants I'll be looking at using Lightning instead.

Because 24.0 with the mempoolfullrbf setting has already been released and it isn't going to be reversed. Like it or not, I'm afraid that point is now.

I never said that. In fact, I argued to delay this until 25.0 to allow such companies to address it. But arguing about it now, when it has already been released, is pointless.

Still possible, just more risky than before.

There are many very legitimate reasons, with one of them being that it is necessary for certain Lightning developments. This isn't just being introduced for the fun of it. I would suggest you read the links I provided previously.

Well, maybe I'm massively mistaken since I don't own a Binance account to check, but everything I have read on their website, blog, Twitter, etc., says that you can only see that data for yourself and not for the several million other Binance users (and the screenshots they have shared seems to confirm that too). It would be a massive privacy breach for Binance to start sharing the account balance of every user with every other user. Yes, I can check that my balance is correctly included in the Merkle tree, but I cannot verify that anyone else's balance is included correctly or indeed included at all.

And knowing the Merkle root or indeed the entire Merkle tree tells me exactly nothing about the value of the other transactions in that Merkle tree. All I know is that my transaction is included in it.

Except they can't see all the balances which add up to the total. They can see the hashes in the Merkle tree, and the balance on their own individual leaf. That's it. They don't know if the 100 other hashes they are looking at represent 1 BTC each, or if 99 of the hashes represent 2 BTC each and 1 represents negative 98 BTC. In one case the exchange is solvent; in the other they aren't.

Jesse Powell of Kraken at least understands this: https://nitter.it/jespow/status/1596227031637045248#m

Except CZ could just leave that account out of the Merkle tree entirely and no one would know. He's not exactly about to expose himself, and you as a user have absolutely no way to verify that all accounts are included in the Merkle tree.

And no exchange will ever release data which shows the Merkle tree does not tally with their claimed liabilities. They will just fudge the numbers until it shows you what they want it to show you (which as we've just discussed is trivially done), rendering the entire thing meaningless.

Except people don't do this. Case in point: Binance flooded the mempool last week moving a ton of funds in to their proof of reserve addresses, and also moved $2.7 billion worth of crypto out of their proof of reserves addresses the day after publishing them. And yet we see this forum/Reddit/Twitter flooded with people thinking that Binance are somehow now safe.

That's exactly the point I'm making. You don't know, not can you verify. By using any centralized exchange, you are trusting.

But they can't see who else is or is not accounted for within that total. If an exchange publishes proof of reserves of 10,000 BTC, and no customer has more than 10 BTC, then they will all be falsely reassured. But turns out the exchange is hiding the fact they have 100,000 customers all with 1 BTC and are massively fractional reserve.

First place to start would be here: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki. This BIP explains how you can use the information at one level of the derivation path to derive the necessary information at the next level.
If you find that too technical, then you could try here instead: https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc#private-child-key-derivation

Once you understand how child key derivation works, then the next thing to read is this: https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki. This BIP explains the standard for generating derivation paths.

Here's another less technical resource: https://learnmeabitcoin.com/technical/derivation-paths

The same false equivalence as above. Just because I personally have no desire to spend my time with the limited tools and information available to me to try to locate your stash, does not mean that a nation state which spends hundreds of millions of dollars on surveilling the blockchain and gathering data from a multitude of resources hasn't already located it.

It was also significantly easier for the majority of users to maintain anonymity in 2012 when they could, as you've just pointed out, GPU mine from their own computer, than it is for the same majority of users today, most of whom will be buying bitcoin through fully KYCed accounts at centralized exchanges. Now I know your next argument and I agree that that isn't bitcoin's fault, but that doesn't mean people can't use tools like mixers or coinjoins to regain that lost privacy.

No? You aren't worried about your insurance companies looking at your incoming and thinking "Well, we can jack his prices a bit, he can afford it." You aren't worried about your boss seeing that you donated to a specific political party or candidate, and deciding to let you go because of it? You aren't even worried if the dodgy characters in your neighborhood know that you are secretly quite wealthy? Nobody ever posts their bank statements on social media. Why would you be fine with your bank statements being shared among data brokers?

A false equivalence. Asking a random internet user, who probably at most has access to some posts you made on here and a blockchain explorer, is not the same as the global surveillance committed by nation states who have access to all that, to the best blockchain analysis companies and software, to IP addresses, browser fingerprints, and other information gathered and sold by your OS, browser, installed software, and so on, information from your ISP, etc., etc.

If you asked a random person on the street to break in to your laptop, they would struggle. If you asked the FBI to do it, they would likely have no problem.

It cannot be done. You will always be left trusting the exchange, and as I said above, an exchange will never release information or data which shows they are insolvent or shows you anything other than exactly what they want you to see.

They can sign messages from addresses holding coins to prove they own these coins. Great. How do we know those coins aren't a loan? How do we know those coins aren't some outstanding investment they've pulled back in just for the sake of proof of reserves and will immediately be moved out again? How do we know that those coins aren't going to be moved tomorrow to some other address? (Binance have already done this.) You can't even be sure Binance didn't just bribe someone to sign a message saying their coins belong to Binance. CZ could be doing this with his own personal stash. Impossible to verify.

Even putting all that aside, and assuming you trust this unverifiable proof of reserves, once again, it means nothing without a proof of liabilities, which cannot be provided in a trustless manner. How do you verify the data they used to create the Merkle tree? How do you know they haven't created a fake account with a balance of negative ten thousand bitcoin in order to balance the books? If they ever actually involve a third party auditor, how do you know Binance aren't hiding some information from them. How do you verify the work of this auditor?

Trust upon trust upon trust. You cannot verify anything, with or without this "proof of reserves" illusion.

You want full transparency? Run a full node and keep your coins in your own wallet. That's the only solution.

That doesn't solve the problem though. The ATM owner would still need to wait for one confirmation on their CPFP transaction so as to prevent the attacker just upping the fee even more and double spending the parent back to themselves. It doesn't matter if you are waiting for one confirmation on the attacker's transaction or on your own CPFP transaction - you are still waiting for one confirmation.