[ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented

[jackg]

Still think members should be on alert that the mixer may be currently broken.

Based on the volume of deposits, it's probably reasonable to expect chipmixer would face these problems every now and then.

It might take a few days but they're past record is normally pretty good at resolving these issues yes.

@chipmixer, is there any way you could encode some sort of catch-all that sweeps through the database of sessions (either after 12 hours or at a random time when load is low) to see if there are any deposits that have been missed this way?

[LoyceV]

Tor Browser 9.5.4 (Based on Mozilla Firefox 68.12.0ESR) (32-bit)

I have a hundred years old. For months through this mixer changed, there were no problems.

After the output nodes stands VPN - as an extension in the browser - HOXX VPN, Setup VPN, Hotspot Shield VPN

Changed through the white site chipmixer.com (in my old tor browser the onion v3 is not supported, only v2)

In addition to expansion: Adblock Plus, Blockchair. Cookie Quick Manager, Free Adroid Online Emulator APKONLINE, HTTP Header Live, Https Everywhere, Metamask, Noscript, Google Translate, Webrtc Leak Shield

They stood and stand (did not add anything) months, if not years. The browser itself also does not update for certain reasons.

I don't know what caused your problem, but I see several risks in your setup. First: an outdated browser is bad in general, the same goes for using an outdated Tor browser. Adding a VPN takes away the biggest benefit of using Tor: the .onion sites, while adding the risk of them being a compromised exit node.
I don't trust addons in general, and for sure wouldn't use them on Tor. Better safe than sorry.

[dkbit98]

You can't blame anyone if you are using old Tor Browser with bunch of extensions like android emulator and google translation... but wait for Chipmixer support to reply.
Latest Tor browser is 10.5.6, that means you are more than a year behind with many security updates, and we all said many times that Tor V3 is suggested and recommended much more than a clearnet version.
Note that it is possible in some cases for scammers to use exact same website and domain but just change receiving address.
One thing I am not sure, how or if Tor works in China, and if they are using vpn because they have to.

[Chikito]

today, I Just successfully mixed using a new site; http://chipmixorflykuxu56uxy7gf5o6ggig7xru7dnihc4fm4cxqsc63e6id.onion , with a fee rate of 1 satoshi, which I received in a few minutes.

Just a bit surprised when importing a private key into Electrum, I got 0 balance. when rechecking again, I'm forgotten to add the bech32 colon on the front private key (p2wpkh:) ( I remembered using an old chipmixer with legacy address without colon on the front).

This is just for attention, don't be panic, maybe you didn't correct put the private key.

[yokelveit]

Reading up in the thread there was a previous incident with an SSL certificate change. I just checked and the SSL certificate was different than the one I was issued for my transaction.

I took these screenshots a while ago
https://i.imgur.com/Uj5smma.png
https://i.imgur.com/eO7oKbv.png

Go check the site now, the expiration dates and signatures are different

Not sure why they would be flipping between valid SSL certificates and selectively scamming on one cert.

[jackg]

Reading up in the thread there was a previous incident with an SSL certificate change. I just checked and the SSL certificate was different than the one I was issued for my transaction.

Using clearnet with nothing else this probably shouldn't happen? If it's tor then I think I clarified on the last page what might've happened.

[LoyceV]

Metamask steals your money with chipmixer.

Everyone who has a Metamask extension in any of the browser.

Check.

Go to the white site chipmixer.com

Create a session.

You must be extruded.

On the session page and the 1st step, where you are invited to send a deposit, press one of the 2nd session recovery links: https://chipmixer.com/session/restore/#your_session ("Restore Your Session" Top or "Link" DOWN).

Voila, the page reboots, no cappip, the deposit address is different.

I've tested this, and I can't reproduce this problem: I installed Metamask in Firefox and Chrome (in a VM), and restored my session on chipmixer.com. In all instances the deposit address was the same.

[dkbit98]

I've tested this, and I can't reproduce this problem: I installed Metamask in Firefox and Chrome (in a VM), and restored my session on chipmixer.com. In all instances the deposit address was the same.

Are you sure you followed all ''instructions'' ?  


EDIT:
I tested myself in two browsers Brave and Firefox with installed Metamask extension, and I was not able to reproduce this problem.
All restored sessions had the same addresses.

[yokelveit]

SSL Certificate is changing on the clearnet website.....

https://i.imgur.com/Uj5smma.png
https://i.imgur.com/eO7oKbv.png

Why would the expiration date / signature change? There is no way that a faulty browser extension could fake an SSL certificate. I validated both certificates with letsencrypt and both are good.

[yokelveit]

Important announcement

There has been successful attack on ChipMixer communication integrity. Small part of traffic to/from ChipMixer.com website has been compromised. Please read on to decide what to do next.

If you are using Tor and .onion to access ChipMixer - you are not affected.

If you are not using Tor and visit .com to access ChipMixer - there is a chance you have been affected. Sweep all chips you have received in last 7 days and treat them as linked with your deposit.

If you are using Tor and .com to access ChipMixer - please stop it and start using Tor with .onion. This is very bad for your privacy and your funds safety. Please read second part of this message. Also there is a chance you have been affected. Sweep all chips you have received in last 7 days and treat them as linked with your deposit.

Details of attack

Over last few days IP address of .com server have been switched to another server for about 30 minutes about 3 times per day. Attacker used it to create valid SSL certificate and then served their own version of service with minor cosmetic changes.
There were four effects:
1. If your session already started - your browser sent your cookies (session token) to attacker and they withdrawn and sweeped your chips.
2. If you created new session - attacker displayed their deposit address and you have never received your chips.
3. If you accessed .com only to get .onion address - attacker displayed their .onion address.
4. If you tried to redeem voucher - it was not redeemed instantly - you should redeem it as soon as possible.
This affected small part of customers and we assume it was motivated to steal Bitcoins not privacy - if you were using .com and were not affected - you should still assume your privacy has been affected.

None of the servers were compromised. Mitigations are in place.

If you are using Tor to access .com - you may be affected by different attack made with Tor Exit Node. At least one of them proxies .com using forged SSL certificate and replaces all bitcoin addresses to theirs.

Looks like a repeat of this, not sure what "mitigations" were in place but they clearly didnt work because there was an SSL certificate issued yesterday for Chipmixer. My funds are still lost and no reply from admin.

[yokelveit]

my coins got moved out of the deposit wallet address in this transaction

https://live.blockcypher.com/btc/tx/d2c6417b2fd81d93fad5f7ca32be7f260b6520ca5b1d5956f5c62bcd7e207f74/

@note-message is your tx in here? i see other coins on the merge transaction but I only deposited to one of them

[ChipMixer]

Important announcement

There has been successful attack on ChipMixer communication integrity. Some part of traffic to/from ChipMixer.com website has been compromised. Please read on to decide what to do next.

If you are using Tor and .onion to access ChipMixer - you are not affected.

If you are not using Tor and visit .com to access ChipMixer - there is a chance you have been affected. Sweep all chips you have received in last 7 days and treat them as linked with your deposit.


Details of attack
We are not sure yet but it is similar to January attack:

Over last few days IP address of .com server have been switched to another server for about 30 minutes about 3 times per day. Attacker used it to create valid SSL certificate and then served their own version of service with minor cosmetic changes.

Attacker gained access to our .com server IP at 2021-09-23. They used it to create two SSL certificate - one with Cloudflare (https://crt.sh/?id=5270080144) - second with Lets Encrypt (https://crt.sh/?id=5281011754).

What next?
Do not use .com version. Use .onion version.
If you were affected - contact us at support email.

[ChipMixer]

(removed)

Still think members should be on alert that the mixer may be currently broken.

This is correct.

@chipmixer, is there any way you could encode some sort of catch-all that sweeps through the database of sessions (either after 12 hours or at a random time when load is low) to see if there are any deposits that have been missed this way?

This issue (not recognizing some of deposits) has been solved around same time as Segwit update.

[dkbit98]

Do not use .com version. Use .onion version.

I think it's time to totally switch to Chipmixer .onion version and use clearnet version only as an entry point that is redirecting to .onion version (I think someone suggested this few months ago).

[LoyceV]

I think it's time to totally switch to Chipmixer .onion version and use clearnet version only as an entry point that is redirecting to .onion version (I think someone suggested this few months ago).

That suggestion was to prevent DDOS, but still included a landing page on clearnet.
It's a serious worry on the internet if you can't trust clearnet domain names anymore.

[Husna QA]

-snip-
Just a bit surprised when importing a private key into Electrum, I got 0 balance. when rechecking again, I'm forgotten to add the bech32 colon on the front private key (p2wpkh:) ( I remembered using an old chipmixer with legacy address without colon on the front).

This is just for attention, don't be panic, maybe you didn't correct put the private key.

Now Chipmixer uses Segwit deposit addresses.
I also had a similar mistake when testing the onion v3 service in a closed beta while importing the private key into Electrum.
https://bitcointalk.org/index.php?topic=1935098.msg57505076#msg57505076

If you carefully read the instructions listed, this mistake does not need to occur.

[malevolent]

Do not use .com version. Use .onion version.

I think it's time to totally switch to Chipmixer .onion version and use clearnet version only as an entry point that is redirecting to .onion version (I think someone suggested this few months ago).

Neither the FAQ, nor the articles make any mention of using the onion site and the advantages of doing so, maybe now would be a good time to update them.

[james3441]

Attacker gained access to our .com server IP at 2021-09-23. They used it to create two SSL certificate - one with Cloudflare (https://crt.sh/?id=5270080144) - second with Lets Encrypt (https://crt.sh/?id=5281011754).

How is this even possible? Do you host this on VPS or in some sort of shared environment? Was server's content accessed?
Consider changing the host

Buy a dedicated server with access to KVM (dell idrac/HP ilo) then do system installation with full disk encryption. Change all default passwords/keys
There's literally 0 ways how you can get access to server contents this way, assuming all applications running on server and your own administrative credentials are secure.

Even if they somehow social engineer hosting company to get access to dedicated server, they won't be able to access the server's content

All they can do is just format the server and put phishing/proxy version via mounting some iso in rescue mode.

Finding a hosting company which deals with social engineering attempts in decent way is another story

[pitchbend]

So what's the status? is it safe to use again? should we avoid the clearnet version?

[altcoinstradR]

@Chipmixer I sent you an email hours ago, and I have gotten no response.
Return my 0.00095897 btc value to my session token
I made a deposit some hours ago, left and came back and decided to restore my session, only to find this message:
You have donated 0.952 mBTC which is 100.0% of your deposit. Thank you!
As stated earlier, no one else uses my PC, I live a lone and the PC was on put on sleep mode, also I am certain I used the correct .TOR address, because I copied it from the first page. I did not donate a penny, PLEASE RESTORE MY coins!
This is crazy, how do you decided to take my funds as a donation on your own?