Stuff like this is the reason I gave up on reporting spam and only report things like malware and illegal activities now. Why bother when we refuse to take action against even the worst of the worst spammers?

Correct, but those are only for paid accounts. A paid account only costs 0.00076 BTC for a year though, and that gives you 5 different addresses.

Sure you will, but at least you can have one "disposable" email which you use to sign up for things like CoinMarketCap where you know just to ignore all the emails it receives, and have a separate "important" email which you use for sensitive financial accounts.

You could receive phishing emails inviting you to enter your seed phrase to claim an airdrop or altcoin giveaway. You could receive fake emails from exchanges, services, and other platforms, containing links to fake websites which will prompt you for your username and password. You could receive emails with attached clipboard malware, keyloggers, or other malware which they will try to make you download. You could receive emails threatening you with release of some private information unless you pay a ransom. The possibilities are endless, but they all still require you to mess up to fall victim to them.

Doesn't even need to be an employee of Binance or CMC. If you look at their Privacy Policy, they share your information with any number of third parties "to contact you about our programs, products, features or services" and "to tailor content, advertisements, and offers for you". When you make an account at CMC, this is what you sign up for - Binance to share you information with any third parties which will pay them.

--nodupchecks isn't a valid argument. It needs to be --no-dupchecks.

The --no-eta option will skip this whole counting process and go straight to the brute forcing.

Up to you if you just leave it running since you are already at 10 billion, but if this is the command which crashed before because you ran out of memory then chances are the same will happen again since you haven't changed anything.

What command did you use? Can you calculate a rough idea of how many passwords your token list is going to generate?

The reason I ask is that screenshot is not actually trying to brute force anything yet - it is simply figuring out all the different passwords it is going to try. ("Counting passwords") In some cases this makes btcrecover much faster, but if you are working with billions of possibilities then it will make things much slower. You might want to restart and use the arguments --no-eta and --no-dupchecks, which should speed things up.

You can read more here: https://btcrecover.readthedocs.io/en/latest/Limitations_and_Caveats/#memory

Emails can be hacked and compromised. All services should allow you to change your registered email address for safety reasons.

I like ProtonMail, and they certainly have a good reputation for privacy, but you should be aware of under what situations they may be forced to break some of that privacy, since there was a recent case which they were forced to comply with Swiss law and hand over IP addresses (but all actual email contents remained encrypted and inaccessible). You'll find other privacy conscious email providers here:
https://www.privacytools.io/#email
https://prxbx.com/email/

ProtonMail Terms and Conditions limit you to a single free account, so if you want more than one account, you'll need to pay for it. I prefer to use different providers though - if I have an email for personal stuff, an email for banking, an email for social media, and an email for crypto, all with the same provider and I consistently access them all simultaneously or in succession from the same IP address, then it becomes fairly obvious to that provider that they are linked.

You initially said the 24 word seed phrase did not recover anything:

But now you are saying the 24 word seed phrase does recover their accounts:

Is this the same 24 word seed phrase? Have you use any additional passphrases? Did you recover it differently on both these occasions?

It won't. Private keys are not transferable between addresses like that.

Have you had a chance to put this seed phrase in to Ian Coleman and cycle through multiple derivation paths?

Exactly. The sites which they own rank themselves as number one. What a surprise! Which exchange is the number one for privacy? Not Binance. What about security of your coins? Also not Binance. Security of your data? Definitely not Binance.

All email accounts are replaceable. What service have you signed up for which doesn't let you replace your email account?

If you have an email account which you really feel is not replaceable, then don't use it for anything else except the bare minimum you must use it for and don't share it with anyone or any service unnecessarily in order to keep it clean and spam-free. Create additional email addresses for everything else.

Sure, but here's the difference: Let's say the US government makes Tor illegal. I can hide the fact that I am using Tor altogether using pluggable transports and Tor bridges and all the rest of it, and continue to fully use Tor to access any and every website I want to. Now, let's say the US government makes Monero illegal. I can hide the fact that I am using Monero by running my own node over Tor and not linking it to my real life identity and all the rest of it, but what can I do with my Monero? No merchant accepts it. I can't use it to buy goods or services. I can maybe trade it peer to peer for bitcoin or fiat, but I can't use it as a currency.

As I said above, the vast majority do not retain their privacy. Even on here, a bitcoin forum which is supposed to be built on the principles of not trusting third parties, we frequently see people more than happy to send their private information to complete strangers to claim some scam airdrop, and we frequently see people (even some senior members) state something along the lines of anyone that is trying to mix or otherwise obfuscate their transaction history is obviously trying to hide something illegal and should instead just let the government stick their noses in and monitor their entire bitcoin history. If that is the general feeling of bitcoin enthusiasts, then what do you think the general feeling would be among the wider population?

As I said above, the government don't ban Tor because so few people use it that their mass surveillance programs still give them the data they want. They don't need to ban bitcoin because so few people use it privately that their blockchain analysis still gives them the data they want.

I mean, that's the route we are going. Pretty much every major government will introduce their own CBDC in the coming years.

So lets say I buy $10k of BTC on Coinbase, send it to Binance to trade some shitcoins, and then instead of cashing out from Binance, I just sell my shitcoins to BTC, transfer the BTC to Coinbase, and cash out from Coinbase. My fiat bank sees money leave to Coinbase and come back in from Coinbase.

Seems a trivial work around for this particular issue, although if you are using centralized exchanges then the IRS have all your details anyway, so the whole process is pretty irrelevant at the end of the day.

People constantly ask not to go bankrupt from healthcare bills or for a wage they can actually live on. The government don't care.

Some governments have banned bitcoin, and most of the ones which haven't are trying to regulate it to oblivion. The same and worse is happening to Monero, for example the IRS offering a bounty of $1.25 million (initially $625,000, but they doubled it when no one could claim it) to anyone who can track and de-anonymize Monero transactions.

Look, if the whole world decided to adopt Bitcoin and Monero as global currencies, I couldn't be happier, and I will continue to use both in the most private possible ways. But I am not naive enough to think governments like those of the US or China are going to let their citizens use a currency which they absolutely cannot trace. The need for privacy is only going to grow over time, as is the government's desire to invade it.

There's the distinction. If you know what you are doing you can make a good effort to hide your traces, but even then it might not be enough for blockchain analysis companies.

Mass surveillance isn't about stopping terrorism or catching criminals, and indeed, there is no good evidence that mass surveillance has ever been the thing which thwarted a terrorist plot. Mass surveillance is about control of the population. If >99% of people don't mix or coinjoin their bitcoin or otherwise try to maintain their privacy, and of the 1% who do the majority do it poorly or incompletely or slip up or make a mistake, etc., then that's good enough for the government. Just as mass surveillance can't track everyone who uses Tails and Tor and PGP and disposable email address and so on, but that's OK because it can track the vast majority of people.

If Chrome, Firefox, Safari, Opera, Edge, etc., all came out in unison and said they would all implement mandatory Tor routing which you couldn't turn off, you can guarantee the government would start screaming about terrorism and "Won't someone think of the children!" For the same reason, they would never accept global use of XMR.

There is a difference between me using Monero and the government accepting everyone in the country using Monero.

Compensating people for coins which are lost is one thing. Compensating people for information which is stolen is impossible. Are Binance going to pay your legal fees when you have to defend yourself in court for insurance fraud you didn't commit because someone stole your identity? Are Binance going to pay your bank for the $50,000 in loans someone else took out against your name? Are Binance going make things right when you are turned down for a mortgage or a car because your credit score is shot because of a bunch of credit cards you never opened? I don't think so.

We have seen time and again that being large, reputable, well known, having large numbers of customers, having large trading volumes, having a wide selection of coins, etc., all means next to nothing when it comes to security. Pretty much every large exchange has leaked or sold customer data on more than one occasion. The only safe KYC is no KYC at all, and yet most people are more than happy to send all the information needed to steal their identity to a variety of complete strangers.

This is a good point. Almost everyone new to this space does not appreciate the privacy implications of their actions until well down the line, and it is significantly harder to regain lost privacy than it is to not lose it in the first place. There comes a point once you've KYCed on multiple exchanges and revealed your wallet addresses to multiple blockchain analysis companies, that nothing short of sending all your coins back to the exchanges you bought them from, selling them, withdrawing the fiat, closing all your accounts, and then starting again from scratch with DEXs, will be enough to claw back some of your privacy. Almost every newbie guide or "How to buy bitcoin for beginners" encourages people to go straight to Coinbase or some other privacy invading CEX and send all their documents immediately, without so much as a second thought. Only individuals who are already very privacy conscious are likely to search for and find other methods to get involved in bitcoin.

Does this happen in practice? Having never used centralized exchanges, I'm out of the loop on this one. If you deposited $10k (or £10k since I think you are UK based?) to Coinbase, and then next month transferred the same amount from Binance back to the same bank account, would you be flagged up as money laundering and get threatening letters from tax agencies and law enforcement? I've never heard of that happening.

Or, use Signal and you can just download the desktop app. No phone needed. Also, WhatsApp is closed source and owned by Facebook - the antithesis of privacy.

These two opinions are mutually exclusive. As soon as you complete KYC, you are no longer anonymous.

Your trust is misplaced, since Binance (and companies they own such as CoinMarketCap) have been hacked on multiple occasions for user information.

Mixing coins does not mean you are money laundering, nor is mixing coins a crime (unless there is some UK law of which I am unaware).

If we ever reach a stage where BTC is globally adopted, then governments will likely only permit its use precisely because it is an open ledger, despite some users taking steps to obfuscate their transaction and history. No government would ever accept widespread use of a completely untraceable coin like XMR.

No, you don't verify Electrum or its signatures against your own key. The only reason you would need to interact with your own key is if you wanted to sign ThomasV's or SomberNight's key with your own to tell your GPG software that these keys are trusted. This step is not necessary. If you don't do this step, then when you verify the Electrum download against ThomasV's or SomberNight's key using GPG Keychain, it will simply tell you "undefined trust", because your GPG software does not know if you trust ThomasV's key. It will still return a valid signature check.

You don't want to download their keys in to your downloads folder - you want to download the signatures they produced using their keys. The keys should be imported in to GPG Keychain, but it sounds like you've already achieved that step. Download the appropriate signature files (.asc files) from here - https://electrum.org/#download - and try again.

In my opinion, your set up should be designed so that one mistake cannot compromise the entire thing, be that for security, privacy, etc.

When it comes to securing coins, most of us will use multiple wallets with multiple different seed phrases. Some of us will go a step further and use one or more passphrases on one or more of those wallets. Some of us will go a step further still and have multi-sig set ups. In my case, the only thing which someone could steal by me making a single mistake would be my mobile hot wallet, which holds trivial amounts of coins. I would have to make multiple mistakes to reveal multiple seed phrases and passphrases for someone to compromise one of my main wallets, and even then, my other wallet would still be protected.

A similar thing applies to privacy. I keep coins from different sources in different wallets which I access on different devices. I mix, coinjoin, and swap all my coins. I am meticulous about where my change ends up. If I was to accidentally consolidate some change outputs together that I didn't mean to, then worst case scenario the guy I buy coffee from will also see that I bought something from the farmers' market. I would have to make multiple mistakes of creating and transferring a PSBT between wallets to accidentally link coins together which would significantly compromise my privacy.

You should design your set up so you that a single accidental click on the "Send all" or "Max" button will not compromise everything.

XMR uses subaddresses for this very reason.

The two are in completely different leagues. If I withdraw coins from a centralized exchange, then the exchange knows my real name and address and has copies of my ID, knows my bitcoin address I am withdrawing to, will use blockchain analysis to track that withdrawal to make sure I don't do anything illegal with it, and will share all that information with third parties and governments. If I buy bitcoin on a DEX, then a single person knows my bitcoin address, and might know my name depending on the fiat method we use. A DEX is far more private, and even has the potential to be anonymous depending on how you use it. A CEX is neither.

The best DEXs don't require accounts.

It is incredibly easy given the current situation to almost completely cover your face and not appear at all out of place. Or if you really need to be anonymous you could use an anonymous money order, cash in the mail to a PO box, cash drop off, etc.

Governments are already intervening because they are scared of what bitcoin could achieve. China banning it eight times.* The US government passing draconian and impossible-to-comply-with reporting laws.

A blockchain is only efficient when you need a distributed database. If you are going to have control centralized to a single party, such as a commercial bank's individual ledger of customer balances, or a central bank's balance sheet, or a government's accounts, then you don't need a blockchain. A standard centralized database is far more efficient in these cases.

*Is it eight? Is it more? How can you ban something eight times? All you are doing when you ban something multiple times is proving that every time you've tried to ban it you have failed. Such is the censorship resistance of bitcoin.

They also have 3.1 million email addresses of people who are definitely involved in crypto, and almost all of which will have a couple of exchange accounts using the same email address. Now they cross reference those email addresses against database leaks from other services in which passwords were also leaked, and start trying to break in to these emails since far too many people reuse passwords across several (or even all) of their accounts.

You answered your own question. Most people either won't even know their details have been hacked, or are too clueless to care. Binance have been hacked multiple times in the past as you point out, and yet people continue to flock to them.

Concur with the above. There are a couple of websites I know which will spit out segwit addresses if you feed them private keys, but I've not examined the code thoroughly enough on any of them to feel comfortable recommending them. Easier and safer to use Electrum.