(This is a duplicate of post #8318 because we want to cross-link to it and the direct link to it didn't work.)Here are our thoughts about the whole debacle with MEGA terminating our account (and the accounts of many other miner developers), and NiceHash's "overreaction", which
we now believe was a deliberate smear campaign, and perhaps something even more malicious.
We will post here some relevant private messages between us and representatives of NiceHash over the past several months. There was some internal debate if this is the right thing to do, but after some thought we decided that we can not stay silent when someone is trying to tarnish our reputation. The only changes in the messages bellow were to remove any personally identifiable information (names, etc.).
TimelineThe story begins last November, when a NiceHash representative tried to persuade us to sign our binaries with code singing certificate:
NiceHash representative on Fri, Nov 27, 2020, 11:20 AM
Hello!
We would request that you code sign your releases of the binaries (*.exe's and *.dll's) you own. If possible please choose a globally accepted CA authority of your choice. If this is something you are not inclined to do please inform us why and what your concerns might be?
Code signing would reduce AV detection and would increase users' confidence in the software and of course, would increase our confidence that we are shipping correct binaries.
Note, that we will prefer and primarily use the miners who are signed.
Regards,
The signing of our files would involve revealing our identities, which is something we are reluctant to do because of the reasons outlined in our response to their message:
PhoenixMiner on Sun, Nov 29, 2020, 9:19 AM
Hello!
Unfortunately, we can't do this for the following reasons:
* We want to keep our anonymity as well as possible, and this is at odds with getting a valid certificate from major CA. Part of our reasoning is that this is an integral part of the cryptocurrency ideology - you don't need to know, or have explicit trust in others in order to do business with them. However, much more important are a few high profile "accidents" with sudden unexplained disappearances of prominent software developers and pool owners (e.g. Claymore, the sudden closure of Dwarfpool, etc.). Some may call us paranoid but we are just cautious.
* Ulike the exchanges, pools, or services like yours, we don't hold any amount of user's cryptocurrency, nor do we have any server infrastructure that is publicly accessible, so there is no inherent risk that we will be hacked, or steal the funds of the users in any significant way. If our software does something malicious, it will be quickly detected and we will lose our reputation without much financial gain for it.
* As far as the AV detection goes - ever since the first release of our miner, various AV scanners "discovered" a lot of threats in an absolutely clean executable (built from entirely our source, without any external "blobs", so we knew it was totally clean). For a while we tried to argue with them, and several of the major ones made exceptions in their databases. However we soon discovered that we will need to go through this with each new release, which is a totally unproductive use of our time. We don't even use full executable encryption like some of our competitors - just some (admittedly advanced) anti-tampering code to protect our IP and detect attempts to reverse-engineer parts of our software. So, our choice is to either bow to the AV makers and make our software easy to reverse and lose our competitive advantage, or ignore them and provide the end users with the necessary tools (e.g. checksums) to check the authenticity of our software.
Our "chain of trust" starts with bitcointalk.com, which may seem absurd at first but it has proven to be reliable and impartial over the years, and never bowed to any outside pressure, which is more than can be said for most CAs.
Best regards!
We will only add that
the sudden disappearance of Clyamore some time ago had really spooked us (
"are we next?"), especially given that the one of the last versions of his miner contained digitally signed Windows driver, which implies that he had to reveal his identity to the signing authority. This may be coincidence, but we are not willing to gamble with our lives, and the safety of our families by ignoring the risks. In the end, we decided to continue developing PhoenixMiner but with strict measures to keep our identities private.
March 7thNow let's jump to the present. Some time last weekend
MEGA decided to delete our account, as well as accounts of many other miner developers. We don't know the reasons but our best guess is that probably someone complained, or even threatened them with lawsuits. Whatever the reason, there are alternatives, and it seems that they didn't do anything evil like replacing the binaries with something malicious, so while inconvenient, this was not a big deal. Unfortunately, we were offline at the time and couldn't react fast enough.
When we found out about the situation, we checked our messages. Among all well wishes, anxious questions, some death threats (yep, we got some of those), there was this quite normal and reasonable message from Nicehash:
NiceHash representative on Sun, Mar 7, 10:20 AM
Hello!
Can you explain what happened with your account at MEGA.cz?
Regards
We didn't know that much about the situation yet but we already established that none of our accounts were compromised, so we reassured them that while our MEGA account was deleted, we are not hacked in any way:
PhoenixMiner on Mar 8, 2021, 5:56 AM
Hello!
We don't know the reason either but MEGA just terminated our account without any explanation besides "you violated our TOS". As the same has happened to Clyamore's account and some other miners, it is obvious that there is a cryptomining software "purge" on MEGA. We are looking for a new hosting solution for our software and it will be up and running very soon.
We still have full control of our bitcointalk.org account and we are busy making the next version of PhoenixMiner.
Best regards!
Our first task was to remove the MEGA link in the first post in our thread, and post a message clarifying the situation, and providing checksums of the individual executable files in PhoenixMiner 5.5c archive, in case someone was trying to check if his copy of the miner is genuine. Then we created a github account and uploaded the latest version of PhoenixMiner there.
In the meantime we received this message from one of higher-ups of Nicehash (apologies, if we get his title incorrect but he did not find it necessary to introduce himself, probably assuming that everyone should know who he is):
djeZo on March 8th, 2021, 05:09:07 AM
First, let me tell you that we are very sorry for the damages caused to you. We will make public apology.
I hope you agree that this was now very bad for us and for you - and all because of a simple misunderstanding! This should not happen in the future anymore.
Is there any way that you reveal your identity at least to us? Because if we know your identity, then we don't have this issue anymore and would publish all of your updates asap. We could perhaps even work out some deal to get your bins signed for NHM.
Ideally for us would be if you already provided signed bins - we could use them to go mainstream, to make every gamer also a miner and for miners to have a choice among mining tools is never a bad thing. I hope you did not see our action as a way of pushing our new QuickMiner by killing your product, because QuickMiner cannot be replacement, far from that - it has no AMD support and it works only on Windows thus is targeted towards different audience. It was just very convenient for a lot of people to start pouring all the hate they usually have against us - we gave them a perfect chance and reasons.
Our intentions were completely legit - to protect our customers and to throw off any possible responsibility if in fact there was an evil plan behind your product - this is something we are very much scared of and there is only one reason why - because your identity is not known. We do have 3rd party EULA users have to agree to, but this could only protect us in court, our reputation would be ruined badly. I hope you understand our point of view and why we did actions that we did.
So, beneath some genuine sounding apologies, we find another attempt to find out our real identities. Despite the polite tone of the message, its contents can be translated to: "
We asked you nicely before and you refused, so if you want us to retract our FUD post about your miner, you must reveal your identity to me." Well, we don't react well to threats, even polite ones, so our response was:
PhoenixMiner on March 08, 2021, 06:12:59 AM
Regardless of your intentions, this wasn't the best way to react to this not-so-dramatic event - none of our accounts have been hacked, and none of our customers that follow the simple procedure of downloading from the official MEGA link, or at least comparing the checksums, were at risk at any time. Please note that there were much more serious security incidents in your company's past.
We find it hard to believe in your sincerity, so let's see your retraction post first, and then we can talk about what kind of identity proof we can give you. Otherwise we will be rewarding your damaging over-reaction, which is not a good thing in our book.
We are moving to github as a first (probably temporary) solution, and then will set up a few backup hosts in case github also caves under pressure.
After that we checked out more closely the NiceHash website, and their Reddit page, and we found that
rather than a mere FUD post, they have created a full-blown smear campaign, with some gems like a "spontaneous"
post (with nearly 5000 words!) sanctioned by NiceHash themselves, which warns you not only against the dangers of using PhoenixMiner but why you shouldn't use any other miner, besides the official miner of Nicehash. Frankly, we were half-expecting to find warnings that prolonged use of PhoenixMiner can lead to Covid-19, balding, or erectile dysfunction. At the end of this "work of art", there was this "promise":
Would you apologize to PhoenixMiner if it turns out that there was trully just a misunderstanding and some third force made him unable to fix issue with download location?
Yes, we would make public apology to PhoenixMiner if this ever happens and turns out that there was indeed no evil plan behind. But at this moment in time, we had to warn our customers about potential dangers.
Still waiting for that apology. Not holding our breaths though.
Our next order of business was to find some way to prove to all concerned miners that our bitcointalk.org account is not compromised. This was a bit tricky but we finally settled on making a big ETH transaction out of our main devfee wallet, and announcing the exact amount of the ETH to be transferred beforehand in our bitcointalk.org thread. As we all keep only parts of the keys for the devfee accounts, and we don't live at the same place, this took some time. In the meantime, we received another message, with quite different tone:
djeZo on March 8th, 2021, 07:58:33 AM
Everything will be established back as it was. But I am really curious, why are you so anonymous? I got another hint from someone that you are collecting fees from botnets. Is that true? Because then this is really not good for our business - we cannot afford to be linked with a crime of such proportions. And we would have to make greater distance between.
Also what I dont understand is, even if you are connected with a crime somehow and this is the reason to stay anonymous, why not create a second miner, as a legal business - a miner that you could sign and distribute without any worries for end users?
So, going from apologizing, to practically accusing us of being criminals almost mid-sentence? Mind you, we are not angels, but the worst things we are guilty of include a number of speeding tickets, and one citation for disorderly conduct after a night of heavy drinking
Another curious thing is that there is a well-known and publicized association of some high-caliber NiceHash employee (perhaps former?) with ... botnet creation! At least have the decency to fabricate some other crime, instead of accusing us of your own past wrongdoings.
The last part of this message however is rather interesting - "
even if you are connected with a crime somehow and this is the reason to stay anonymous, why not create a second miner, as a legal business - a miner that you could sign and distribute without any worries for end users?" So, our imaginary criminal activity wouldn't be a problem for them as long as we create another, properly signed miner?!
At this point we were frankly fed up, and we decided that any further communication with NiceHash is pointless. After that there were several exchanges with wild allegations and counter-allegations between djeZo and (apparently) former member of NiceHash. Hopefully none of what was written there was true but the bad taste remains. Thankfully most of the messages were deleted by their authors, but not before destroying their credibility even further. A couple of hours after that we received this final message:
djeZo on March 08, 2021, 09:47:19 AM
I have just talked to our lawayers and they suggested to take over from here. They are being very cautions because you could actually make serious damage to us, so it seems that we will be stuck in this deadlock until this is cleared out with your KYC or smth like that. Also KYC will be mandatory for all other 3rd party miners. We may lose some customers if you wouldn't be interested to perform this action, but it is less risky than continuous red button that you could press any time to destroy us.
Perhaps you should have consulted your lawyers before making unfounded allegations?
Some time after that we have finally got our private keys together, and performed the "verifying" transaction of 123.456 ETH out of our main devfee wallet as detailed here:
https://bitcointalk.org/index.php?topic=2647654.msg56518728#msg56518728So, what exactly happened?This is
pure speculation at this point but given all the information before, we can think of two scenarios: best and worst. The truth is probably somewhere between them.
Best case scenario: NiceHash were not especially concerned when our MEGA accounts were deleted, but instead saw this as an opportunity to start smear campaign against us, hoping that their users will stop using our miner, and switch to theirs instead. They were probably encouraged by the fact that we weren't online for more than a month, and hoped that we would just disappear like Claymore before, and they would be able to spew whatever BS they want without any opposition from us. When we surfaced online, they first panicked that we may somehow prevent our users from mining on NiceHash as retaliation. A couple hours later, when they saw no such retaliation, the tone of djeZo messages quickly switched from apologetic to confrontational. At that point, they probably decided to just go all in, and continue spewing BS "because we can't be sure about PhoenixMiner's identity".
Worst case scenario: The whole MEGA mining software purge was initiated by complains and take down notices from NiceHash themselves. After that, this scenario is pretty much identical to the one above. However, the burning desire of NiceHash to reveal our identities, even if it is only to them, is quite disturbing. Maybe they just want to dug up some dirt on us (good luck with that!), but maybe they want to do something much more sinister.
Ok, but how can we trust PhoenixMiner?We can't give you indisputable "proof of trust" because there is no such thing. However there are other things that you can consider:
- We have developed PhoenixMiner for more that three years, and we have thousands of users
- There never was any security incident with our miner, as long as it was downloaded from the official download location (MEGA link before, now moved to github).
- We provide checksums in our thread here, so you can check the integrity of your miner even you have downloaded from somewhere else. Making sure that the checksums match should be done by everybody, even if you download the miner from the official link
- We don't hold any amount of user's cryptocurrency, nor do we have any server infrastructure that is publicly accessible, so there is no inherent risk that we will be hacked, or steal the funds of the users in any significant way
- We are group of old school developers with real passion about computing, and programming
- We believe in the crypto, and we are fully invested in its future (yes, it is easy to say this now when the profits are at ATH, but during the first few years the profits weren't that great compared to our day jobs at the time)
- Over the years our market share grew substantially, so it would be extremely foolish to jeopardize our legitimate income by doing something malicious. If you can't trust our integrity, you can at least trust our rationality.
Final thoughtsThe whole thing is quite extraordinary because due to the nature of our business, we had some dealings with all major pools. In every single case,
we found them to be totally reasonable, professional, and reliable (even when we were newbies and messed up in the beginning). Even when we had some disagreements, everything was solved in respectful and constructive manner. We never promoted, or badmouthed any pool because we feel that we must be impartial in order to develop good mining software.
However, after only a couple of months that we had contact with NiceHash, we are frankly just fed up with them.Still,
we won't tell you to stop using NiceHash - it's not our place to do so, and everyone can decide for themselves. However, we personally wouldn't want to be associated with them in any way. Our advice is to
be very cautious when dealing with them, withdraw your earnings as soon as possible, monitor your miner performance, and so on. We wouldn't put it beside them to start banning you, or creating some fake issues when you mine on their pool with PhoenixMiner.
After this colossal waste of everyone's time, we hope that this issue is behind us.
Edited for spelling and clarity
