Because they log everything you do. It's a closed source wallet which communicates exclusively through their servers. They know exactly how many users they have, and exactly which addresses belong to whom.

Sell all the shitcoins for BTC and then store the BTC in either an open source hardware wallet such as Passport or on an airgapped cold storage device using Electrum.

If you want to keep holding shitcoins for some reason, then you are going to be stuck using insecure or closed source wallets. Your best bet will be some multi-coin hardware wallet.

I think this scenario is somewhat different if the user can indeed provide the correct letter of guarantee.

In the previous scenario, the only thing the user could provide was a signed message from the address he used to deposit. He was unable to provide a private key or a letter of guarantee. This is insufficient for Whirlwind to draw any conclusions, and I was in complete agreement that this could not be the basis for a refund.

In this scenario, the user has stated he can provide a letter of guarantee. Assuming this letter of guarantee is indeed the correct one, it will have a deposit address inside it. If the user can also sign a message from the address(es) which sent funds to the address contained within the letter of guarantee, I would say that's pretty compelling evidence that the user is telling the truth and does indeed own those funds.

Happy to be corrected if I've misunderstood anything, though.

Absolutely not.

Absolutely.

The derivation path tells your software how to turn a seed phrase in to an extended private key and extended public key. So if you use m/49/0/3, this tells the wallet to derive the extended key at the 50th index, then use that to derive the extended key at the 1st index, then use that to derive the extended key at the 4th index. This final extended key is the xprv/xpub used in your multi-sig wallet.

It doesn't matter if every seed phrase in your multi-sig uses a different derivation path - each one will end up with an xprv/xpub which are combined to create your multi-sig. In fact, the wallet does not even need to know the derivation paths at all. Indeed, there doesn't even need to be a seed phrase in the first place. You could just generate an xprv directly from some entropy source.

As long as you feed it it the same xprvs/xpubs, it will always generate the same addresses, regardless of where these xprvs/xpubs came from.

If you have the letter of guarantee from the address you deposited you, then you should have no issues getting your money refunded. This is proof you generated that address, even if you neglected to save the private key.

In terms of your scam accusation, as I pointed out to another user above, you just have to check the multi-sig escrow address: https://mempool.space/address/bc1qf8h5k6sash8007vpesymxkw2xsg5d0r3j4l5vmcrwpz2pqu66fjstzgd3r

There have been dozens of withdrawals processed since you first posted here, the most recent one just over an hour ago. Everything is running normally.

It depends on the hardware wallet. If you are using a permanently airgapped device like a Passport, then maybe. If you are using a device which connects to an internet enabled computer like a Trezor or a Ledger, then no.

It also depends on your threat model. Against remote electronic attacks, the security might be similar. Against physical attacks, an airapped laptop is superior. There have been multiple attacks against multiple hardware wallets which have demonstrated seed extraction. I'm not aware of a single successful attack at extracting data from a drive running full disk encryption done properly. If an attacker sees a hardware wallet, they know you have coins worth stealing. If they see an encrypted laptop, they have no idea what is on it. I can even use hidden volumes to decrypt it to decoy "sensitive" data.

I'd contest that. Sparrow is even easier to use privately than Electrum is. There is no need to run additional server software for an Electrum server and go through the hassle of getting your server to talk to your node and your Electrum client to talk to your server, which from experience is rarely a completely straightforward task and usually throws up one or two issues. These issues are maybe easily solved for you or I, but for a newbie with no experience of such things they can completely derail the process and cause them to abandon it altogether.

With Sparrow, on the other hand, it's a simple as adding server=1 to your bitcoin.conf and then clicking the "Bitcoin Core" button in Sparrow. I was amazed the first time I used it at just how easy it was to set up.

There is a lack of demand for alternative coordinators because anyone with a shred of sense is not using Wasabi at all.

As I've mentioned before, why would anyone waste their time, money, and resources to set up their own coordinator, spend weeks or months advertising it and enticing people to use it, all so they can run flawed coinjoins, when they can just set up and use JoinMarket in a fraction of the time.

Their amounts are fixed and therefore easily identifiable: https://docs.wasabiwallet.io/FAQ/FAQ-UseWasabi.html#what-are-the-equal-denominations-created-in-a-coinjoin-round

Yes, it is possible to generate truly random numbers. Whether or not your seed phrase was generated using a truly random number or a pseudorandom number depends on the method in which you generated it.

https://en.wikipedia.org/wiki/Hardware_random_number_generator

You should certainly transfer everything to a new wallet if you have any concerns about your seed phrase being leaked or the security of your back ups, but such a transfer is meaningless when it comes to brute forcing, which does not need to be protected against in the first place.

Two devices. Both formatted, clean install of good Linux distro of choice, full disk encryption. All software verified prior to installation. Both devices used for nothing else and kept physically and digitally secured.

Device 1, internet connected:
Your own node running over Tor.
Your own Electrum server of choice.
Your watch only Electrum wallet connecting exclusively to your own server.

Device 2, permanently airgapped at a hardware level:
Your Electrum wallet containing seed phrase/private keys.

That's the basics of it for maximum security/privacy while still being fairly easily usable. I could write a guide spelling out each step in detail, but what if I use Debian and someone else chooses to use Mint? What I choose Electrs and someone else wants to use EPS? How can I possibly write a guide for how to remove the WiFi card from every model of laptop in existence? What if someone's threat model is different to mine? Maybe they place more emphasis on $5 wrench attacks, so want to use passphrases for decoy wallets. Or perhaps they want to delete their watch only wallet when not in use. Maybe they want to run mempool.space or JoinMarket on Device 1 as well. And so on.

As Loyce says, people need to understand why they are doing things and what those things achieve, not just blindly follow a list of instructions.

All the more reason not to recommend wallets which actively spy on their users, since newbies won't have the requisite knowledge to evaluate this information or act accordingly by choosing a different wallet.

Once your privacy is lost, it is extremely hard to recover it. There are plenty of users I've spoken to over the years who wished they knew more about privacy when they first started out, as they now find themselves in situations where they cannot get back that which was lost. By recommending newbies' first wallet to be one which actively funds blockchain analysis to spy on their UTXOs, you set them down a path they may never be able to recover from.

I use a combination.

I have small amounts of coins in hot wallets on both mobile and desktop. I used to use a number of different hardware wallets, but given the number of hardware wallets over the last few years that have been shown to have critical vulnerabilities, data leaksm horrendous privacy features such as implementing KYC exchanges or supporting AOPP, horrendous security features such as online back up, and so on, I've pretty much abandoned them all. The vast majority of my coins are stored in permanently airgapped devices using full disk encryption.

In generally, users would be far better setting up their own 2-of-3 multi-sig rather than relying on a third party, sacrificing all their privacy, and paying the excessive fees charged by TrustedCoin.

The only safe Electrum server is your own one.

Don't reuse addresses when you can. If you must, such as in recurring payments from a third party, use it for that one purpose and one purpose only - never reuse the same address for different purposes. And then as mentioned above, mix the coins you have received to prevent other tracking where they are going and what you are doing with them.

I appreciate that completely, but we both know people store large amounts of money on mobile wallets when they shouldn't.

Again, should be, but we both know lots of people don't use 2FA, use weak passwords, reuse passwords, have had passwords leaked in various databases such as haveibeenpwned, and so forth. In an ideal world an encrypted back up stored in the cloud secured by a long and random password and hardware 2FA key is very secure, but very few people actually use this set up, and the people who do use a secure set up like this will likely be using seed phrases and not cloud back up in the first place. As I mentioned above, I suspect the subset of users who would back up their seed phrase to the cloud overlaps pretty heavily with the subset of users who have substandard account security or general security practices.

Maybe it will be deleted from your account, but I doubt very much Google actually ever delete anything. Data makes them money. Google have been fined in multiple jurisdictions for collecting data they weren't meant to or not deleting data they were meant to. Not to mention it could have been leaked, hacked, stolen, shared, or whatever from the many servers around the world it is likely duplicated on. Once your back up has been exposed to the cloud, you should assume it is there permanently. The only safe course of action here is to move all your coins to new wallet.

I appreciate this is optional, and I appreciate it is only for the hot mobile wallet, but I am of the opinion that cloud storage is never secure.

So if the third party coordinators are not publicly accessible, how is the average Joe going to use them? It would also be trivial for Wasabi to answer this question - just pull every Wasabi coinjoin from the blockchain, and then subtract their own ones. The fact that they don't tells you everything you need to know.

He can't tout "Use a third party coordinator" as the ultimately solution for every problem Wasabi has, when he knows fine well there are very few third party coordinators and the ones that exist have almost no volume.

And none of that does anything to solve the rampant address reuse, some coinjoin participants receiving zero privacy, or Wasabi grinding outputs in to dust as has been discussed elsewhere.

Essentially, yes. P2WSH (pay to witness script hash) is the address type for any segwit address which is based on a script (such as a multi-sig script) rather than based on an individual public key (as is the case with standard single sig addresses).

However, you could also nest a segwit multi-sig inside a legacy P2SH address, just as you can nest a regular segwit address inside a P2SH address.

There is no difference. Every P2SH output starts with a 3, regardless of what the script inside is. The script could be a legacy multi-sig, it could be a segwit pubkey, it could be a multi-sig segwit script as I've explained above, it could be a timelock, or it could be hundreds of other things. It is impossible to say what the script is until the address has been spent from, at which point the locking script must be revealed. Prior to being spent from, all we know is the hash of the script, not the script itself.

P2WSH addresses start with bc1q.

P2WPKH-P2SH, which are standard segwit addresses nested in a P2SH script (so called nested segwit), start with 3, as do all P2SH addresses.

P2WSH addresses, on the other hand, are native segwit scripts and are not nested in anything else. These start with bc1q, the same as standard segwit P2WPKH addresses.

A P2WPKH address is 42 characters long, which contains a 20 byte witness program - RIPEMD160(SHA256(pubkey)). Here's an example transaction spending from such an address: https://mempool.space/tx/bebb7ccaaf9141340a803df0b21d0296ce6c103dc2bac69b2771a8a5703564e9
A P2WSH address is 62 characters long, which contains a 32 byte witness program - SHA256(script). Here's an example transaction spending from such an address: https://mempool.space/tx/de85fa66ea73d6e280e2bd077399b1027bc0832856c77f9114a4dda568baad2e

Completely agree it should be removed, or at the very least have its privacy rating downgraded from "Good" to "Caution". Under the Wasabi page (https://bitcoin.org/en/wallets/desktop/linux/wasabi/?step=5&platform=linux) it currently says "Prevents spying on your payments" which is just categorically not true - they pay Coinfirm to actively spy on your payments.

Maybe worth pointing out that Wasabi now apparently automatically starts coinjoining everything, charging you a fee to be spied on, whether you want it to or not: https://nitter.net/DiracDel/status/1672294717193859074

Fun fact: BSV has already implemented this! It allows CSW and his buddies to freeze or seize any coins from any wallet at any time for any reason! Super fun! https://blog.bitmex.com/bitcoin-sv-hardfork-significant-security-risks/

The fact that BSV has just recently hit an all time low against bitcoin of 0.1% of the bitcoin price should tell you all you need to know about what people think of this kind of "feature".

Except you absolutely can't. If your coin is rejected, even if you think it is private you have no idea if you are being Sybil attacked or if Coinfirm have deemed your coins too naughty. Given that we have no idea what criteria Coinfirm use (you won't even confirm that it is Coinfirm that you are partnered with!) then it is impossible for users to make a judgement. Coinfirm could very well simply reject all coins coming from mixers or from other coinjoin protocols, in just the same way as many centralized exchanges who similarly partner with blockchain analysis firms. User have no idea if this is happening, and you won't tell them.

At least we agree on one thing. The solution to Wasabi's many flaws is "Get your privacy elsewhere." Lol.

---

All the points he is making have already been addressed multiple times. He just ignores everything he can't answer (which is most of it) and endlessly repeats the same bullshit.

Regarding setting up your own coordinator:

He never did answer the question about how much volume there is on third party coordinators. I wonder why...