PrivacyImportant
Newbie
 Offline
Activity: 9
Merit: 1
|
 |
February 17, 2018, 12:26:24 PM |
|
I am using your service for a long time now and I am very satisfied with it. But lately I have been investigating possibilities to track transactions which were send over mixing services and I found two possible attack vectors to cluster transactions which were mixed with your service.
The first one is less effective but there is still a decent risk. The transaction fees of your service are constant when the transaction has the same size. For example three transactions with one input and two output addresses had the same size of 42.598 sat/B. Obviously the fees vary when there are more input addresses but most of the time I received transactions with one input two output and the fees were constant.
The second is more severe. Let's say we have a setup of x-forward addresses and all of them are differently delayed in time. Normally you should think that this setup is bullet proof but it isn't. As the delay steps in your service are hour based and your service is sending the transactions at exactly the same time just hourly shifted (for example: 01-01 21:10:21, 01-01 14:12:20, 01-01 03:12:18) it is easy to cluster all transactions which are connected to one mixing step. With the help of the first attack vector the analysis becomes even more effective.
With the help of those information it should be no big deal for future blockchain analysis techniques to track down the source of mixed coins. This is a big risk for a mixing service which should offer a high grade of privacy.
My advice to improve the privacy of your service would be:
First attack vector: Add a small randomly chosen amount to your transaction fee. This hides the fact that a transaction is send by the same service/wallet.
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
"The nature of Bitcoin is such that once version 0.1 was released, the
core design was set in stone for the rest of its lifetime." -- Satoshi
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
CryptoMixer.io (OP)
Full Member
Offline
Activity: 312
Merit: 127
Ever used CryptoMixer? Leave your feedback ↓
|
|
February 20, 2018, 07:44:51 PM |
|
My advice to improve the privacy of your service would be:
First attack vector: Add a small randomly chosen amount to your transaction fee. This hides the fact that a transaction is send by the same service/wallet.
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time.
These improvements sound reasonable. We are constantly improving our algorithms and believe there is never too many measures when you deal with security and privacy. Thank you for your feedback! |
|
|
|
|
Reatim
Sr. Member
Offline
Activity: 2814
Merit: 357
Eloncoin.org - Mars, here we come!
|
|
February 20, 2018, 07:51:06 PM |
|
I am using your service for a long time now and I am very satisfied with it. But lately I have been investigating possibilities to track transactions which were send over mixing services and I found two possible attack vectors to cluster transactions which were mixed with your service.
The first one is less effective but there is still a decent risk. The transaction fees of your service are constant when the transaction has the same size. For example three transactions with one input and two output addresses had the same size of 42.598 sat/B. Obviously the fees vary when there are more input addresses but most of the time I received transactions with one input two output and the fees were constant.
The second is more severe. Let's say we have a setup of x-forward addresses and all of them are differently delayed in time. Normally you should think that this setup is bullet proof but it isn't. As the delay steps in your service are hour based and your service is sending the transactions at exactly the same time just hourly shifted (for example: 01-01 21:10:21, 01-01 14:12:20, 01-01 03:12:18) it is easy to cluster all transactions which are connected to one mixing step. With the help of the first attack vector the analysis becomes even more effective.
With the help of those information it should be no big deal for future blockchain analysis techniques to track down the source of mixed coins. This is a big risk for a mixing service which should offer a high grade of privacy.
My advice to improve the privacy of your service would be:
First attack vector: Add a small randomly chosen amount to your transaction fee. This hides the fact that a transaction is send by the same service/wallet.
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time.
I have given merit to your account since I'm been also using cryptomixer for a long time and I have notice the same specially the second attack vector. I would love to see it being implement a delay of -/+ 10 minutes will be OK I guess on my end. My advice to improve the privacy of your service would be:
First attack vector: Add a small randomly chosen amount to your transaction fee. This hides the fact that a transaction is send by the same service/wallet.
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time.
These improvements sound reasonable. We are constantly improving our algorithms and believe there is never too many measures when you deal with security and privacy. Thank you for your feedback! Thank you for your fast reply. I hope that we can see this implemented in the future release of cryptomixer and more power to you guys. |
▄▄████████▄▄
▄▄████████████████▄▄
▄██████████████████████▄
▄█████████████████████████▄
▄███████████████████████████▄
| ███████████████████▄████▄
█████████████████▄███████
████████████████▄███████▀
██████████▄▄███▄██████▀
████████▄████▄█████▀▀
██████▄██████████▀
███▄▄████████████▄
██▄███████████████
░▄██████████████▀
▄█████████████▀
█████████████
███████████▀
███████▀▀ | | | Mars,
here we come! | ▄▄███████▄▄
▄███████████████▄
▄███████████████████▄
▄█████████████████████▄
▄███████████████████████▄
█████████████████████████
█████████████████████████
█████████████████████████
▀███████████████████████▀
▀█████████████████████▀
▀███████████████████▀
▀███████████████▀
▀▀███████▀▀ | ElonCoin.org | │ | | .
| │ | ████████▄▄███████▄▄
███████▄████████████▌
██████▐██▀███████▀▀██
███████████████████▐█▌
████▄▄▄▄▄▄▄▄▄▄██▄▄▄▄▄
███▀░▐███▀▄█▄█▀▀█▄█▄▀
██████████████▄██████▌
█████▐██▄██████▄████▐
█████████▀░▄▄▄▄▄
███████▄█▄░▀█▄▄░▀
███▄██▄▀███▄█████▄▀
▄██████▄▀███████▀
████████▄▀████▀█████▄▄ | .
"I could either watch it
happen or be a part of it"
▬▬▬▬▬ |
|
|
|
PrivacyImportant
Newbie
Offline
Activity: 9
Merit: 1
|
|
February 21, 2018, 12:16:15 PM |
|
My advice to improve the privacy of your service would be:
First attack vector: Add a small randomly chosen amount to your transaction fee. This hides the fact that a transaction is send by the same service/wallet.
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time.
These improvements sound reasonable. We are constantly improving our algorithms and believe there is never too many measures when you deal with security and privacy. Thank you for your feedback! It would be nice to see these improvements implemented as fast as possible so that anybody using your service receives a far better privacy. Can I somehow speed up this process by helping to implement those changes or send you some financial support? PS: Sadly I can't send you private messages because of my Newbie status. If you are interested then leave me a private message with some contact information. Thank you! |
|
|
|
|
PrivacyImportant
Newbie
Offline
Activity: 9
Merit: 1
|
|
March 10, 2018, 12:00:54 PM |
|
Sad to see that still nothing has changed. I don't want to overexagerate but as long as this hasn't been fixed the whole mixing is useless and easily traceable even with open source blockchain analysis tools like BlockSci. And I am sure there exist even more powerful proprietary tools of services like Chainalysis and Elliptic which are already used to trace transactions of mixing services. When a service which pretends to offer privacy is shown that their privacy model is utterly broken one should at least hope that this problem is fixed asap.
|
|
|
|
|
CryptoMixer.io (OP)
Full Member
Offline
Activity: 312
Merit: 127
Ever used CryptoMixer? Leave your feedback ↓
|
|
March 11, 2018, 11:40:11 AM |
|
Sad to see that still nothing has changed. I don't want to overexagerate but as long as this hasn't been fixed
Sorry for the late response. I was sure, I have answered your last message. |
|
|
|
|
CryptoMixer.io (OP)
Full Member
Offline
Activity: 312
Merit: 127
Ever used CryptoMixer? Leave your feedback ↓
|
|
March 11, 2018, 11:41:25 AM |
|
My advice to improve the privacy of your service would be:
First attack vector: Add a small randomly chosen amount to your transaction fee. This hides the fact that a transaction is send by the same service/wallet.
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time.
These improvements sound reasonable. We are constantly improving our algorithms and believe there is never too many measures when you deal with security and privacy. Thank you for your feedback! It would be nice to see these improvements implemented as fast as possible so that anybody using your service receives a far better privacy. Can I somehow speed up this process by helping to implement those changes or send you some financial support? We are working on improvements that will cover your risk cases. We will roll out this update together with SegWit support. Your help will be highly appreciated during the production tests. I'll contact you directly as soon as we would be ready. Thank you |
|
|
|
|
PrivacyImportant
Newbie
Offline
Activity: 9
Merit: 1
|
|
March 11, 2018, 11:51:28 AM |
|
Sounds great, especially the SegWit support, but could you already estimate when this update will roll out (days, weeks, months)?
|
|
|
|
|
CryptoMixer.io (OP)
Full Member
Offline
Activity: 312
Merit: 127
Ever used CryptoMixer? Leave your feedback ↓
|
|
March 13, 2018, 12:02:55 PM |
|
Sounds great, especially the SegWit support, but could you already estimate when this update will roll out (days, weeks, months)?
We expect to deliver this update before Apr, 3. |
|
|
|
|
Backo
Newbie
Offline
Activity: 98
Merit: 0
|
|
March 18, 2018, 09:29:20 PM |
|
Hello! I am available for franch and Arabic translation .Whether you need it please contact me on telegram @backobtc thank you I'm waiting for your response
|
|
|
|
|
NowYouAreSee
Jr. Member
Offline
Activity: 65
Merit: 1
|
|
March 19, 2018, 01:09:27 PM |
|
I am using your service for a long time now and I am very satisfied with it. But lately I have been investigating possibilities to track transactions which were send over mixing services and I found two possible attack vectors to cluster transactions which were mixed with your service.
The first one is less effective but there is still a decent risk. The transaction fees of your service are constant when the transaction has the same size. For example three transactions with one input and two output addresses had the same size of 42.598 sat/B. Obviously the fees vary when there are more input addresses but most of the time I received transactions with one input two output and the fees were constant.
The second is more severe. Let's say we have a setup of x-forward addresses and all of them are differently delayed in time. Normally you should think that this setup is bullet proof but it isn't. As the delay steps in your service are hour based and your service is sending the transactions at exactly the same time just hourly shifted (for example: 01-01 21:10:21, 01-01 14:12:20, 01-01 03:12:18) it is easy to cluster all transactions which are connected to one mixing step. With the help of the first attack vector the analysis becomes even more effective.
With the help of those information it should be no big deal for future blockchain analysis techniques to track down the source of mixed coins. This is a big risk for a mixing service which should offer a high grade of privacy.
My advice to improve the privacy of your service would be:
First attack vector: Add a small randomly chosen amount to your transaction fee. This hides the fact that a transaction is send by the same service/wallet.
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time.
You raised an important topic. All services provided by a cryptomixer were not anonymous all this time. I think that the cryptomixer is compromised. All this time they did not make the transaction anonymous, but just took a commission for false anonymity! |
|
|
|
|
CryptoMixer.io (OP)
Full Member
Offline
Activity: 312
Merit: 127
Ever used CryptoMixer? Leave your feedback ↓
|
|
March 20, 2018, 07:06:48 PM |
|
You raised an important topic. All services provided by a cryptomixer were not anonymous all this time. I think that the cryptomixer is compromised. All this time they did not make the transaction anonymous, but just took a commission for false anonymity!
Don't let the fact, that we are implementing the proposed measures confuse you. Cryptomixer offers ones the most advanced and secure mixing algorithms. As I already said we are constantly improving our algorithms and believe there is never too many measures when you deal with security and privacy. We are building the Cryptomixer with inputs from the forum community to make transactions safer and untraceable while contributing towards privacy over internet transactions. The improvements proposed by "PivacyImportant" member will really bring even more security to Cryptomixer in certain cases. |
|
|
|
|
NowYouAreSee
Jr. Member
Offline
Activity: 65
Merit: 1
|
|
March 21, 2018, 07:24:07 AM |
|
You raised an important topic. All services provided by a cryptomixer were not anonymous all this time. I think that the cryptomixer is compromised. All this time they did not make the transaction anonymous, but just took a commission for false anonymity!
Don't let the fact, that we are implementing the proposed measures confuse you. Cryptomixer offers ones the most advanced and secure mixing algorithms. As I already said we are constantly improving our algorithms and believe there is never too many measures when you deal with security and privacy. We are building the Cryptomixer with inputs from the forum community to make transactions safer and untraceable while contributing towards privacy over internet transactions. The improvements proposed by "PivacyImportant" member will really bring even more security to Cryptomixer in certain cases. You have to admit that at the moment your mixer does not meet the high requirements for anonymity. |
|
|
|
|
cryptomixerscam
Newbie
Offline
Activity: 1
Merit: 0
|
 |
March 21, 2018, 11:51:06 AM
Last edit: March 21, 2018, 12:03:16 PM by cryptomixerscam |
|
CRYPTOMIXER - UNRELIABLE! STOP USING IT! SERVICE COMPROMISED!
LIST OF ALL OUTCOMING ADDRESSES FOR THE LAST MONTH:
https://justpaste.it/1ik93
|
|
|
|
|
CryptoMixer.io (OP)
Full Member
Offline
Activity: 312
Merit: 127
Ever used CryptoMixer? Leave your feedback ↓
|
|
March 21, 2018, 06:43:31 PM
Last edit: March 21, 2018, 07:40:28 PM by CryptoMixer.io |
|
CRYPTOMIXER - UNRELIABLE! STOP USING IT! SERVICE COMPROMISED!
LIST OF ALL OUTCOMING ADDRESSES FOR THE LAST MONTH:
https://...
What is this?  We do respect our competitors and ask for the same. Don't confuse forum members with this Anyway, we used to treat security issues with all respect. If you believe that you have any security-related issue, kindly contact support. Thank you |
|
|
|
|
Feqlizer
Newbie
Offline
Activity: 5
Merit: 0
|
|
March 25, 2018, 05:15:36 AM |
|
What is this? Hello! It seems to be real list of outgoing addresses of your service. I did use your services last month and found my addresses in this list. If last poster tried to confuse some of your customers he succeed at least in my case. Do you use single key for all your outgoing addresses permanently? How did he found them all? I find all this case disturbing. |
|
|
|
|
Feqlizer
Newbie
Offline
Activity: 5
Merit: 0
|
|
March 25, 2018, 05:35:09 AM |
|
Second attack vector: Offer the functionality of choosing the delay on minute basis OR add a randomly chosen delay (for example +- 10 minutes from the chosen hourly delay) to your transaction time. I do not think this will resolve issue. Does it matter that repayment delay step is hour or minute or second? It does not. Every repayment delay should be modified with absolutely random "time noise" which would be hard to quantize. |
|
|
|
|
CryptoMixer.io (OP)
Full Member
Offline
Activity: 312
Merit: 127
Ever used CryptoMixer? Leave your feedback ↓
|
|
March 26, 2018, 05:33:49 AM |
|
Do you use single key for all your outgoing addresses permanently? How did he found them all? I find all this case disturbing.
No we do not use single key. It seems to be some random list of addresses. We still haven't got any confirmation on this list as we do not have the ability to check it and the author hasn't contacted us. As you seems to be the real cryptomixer customer who follow the tread, kindly contact me directly with you real account (not this alt) to confirm some details. This will help us to to dig into this issue. |
|
|
|
|
Feqlizer
Newbie
Offline
Activity: 5
Merit: 0
|
|
March 31, 2018, 08:47:27 AM |
|
This is not my alt account. I have registered specially for this case. I may suggest better way of confirmation. I keeped your signed letters of guarantee. I will PM one of it to you shortly so you can ascertain everything yourself.
|
|
|
|
|
motherhacker
Newbie
Offline
Activity: 5
Merit: 1
|
I registered this account to share my findings.
Once a lot people mention some weak points of your service I tried to code a little.
I wrote a simple js script sending random cryptomixer codes to server. The server responds with a discount for each code. Running script for about two hours I succeeded to found the code with 0.1% discount: 34ntw. Anyone can check it, though they likely delete the code soon after posting.
My message to cryptomixer: please guys, improve your server responses. You can restrict the rate per IP, for example. Turns out that 5 letters code does not give you good level of security.
|
|
|
|
|
|
