[CLOSED]💰 Review MyCryptoMixer.com and receive 0.002 BTC 💰

[eXtremal]

This is my review :
Honestly here I am a new user in Bitcoin Mixer

Website display

- Look simple
- Easy to access, even though the connection is a bit poor
- Save data and I do not find that annoying like advertisements on the website display

In the case of a transaction

Honestly at this time I have not done any transactions in the bitcoin mixer, that's why I only saw a simple one

Feature addition
- Adding local languages in each country, this will make it easier for users and will be faster in understanding users who do not really understand in English.

Note: the review that I gave is quite simple and I'm talking improperly from what I see from the bitcoin mixer

[1714852923]

1714852923

[1714852923]

1714852923

[1714852923]

1714852923

[1714852923]

1714852923

[1714852923]

1714852923

[mocacinno]

Is this offer still open? If so, i'd like to review your mixer aswell... I'm always interested in new mixers entering the market

[lolxxxx]

Working fine here. It has all the functionalities and complete pages. You should try it again, Are you using tor on mobile?

How are your Tor security settings? I used Tor on my desktop.

Standard.

One more thing the source code won't get changed, It is the same for all levels of securities nothing gets changed. You probably not seeing anything because your security setting is set at a safer/safest level.

It automatically disables javascript, images, fonts, etc.

So set your tor to standard and then it will work perfectly I believe.

Regards

[LoyceV]

You probably not seeing anything because your security setting is set at a safer/safest level.

Correct. In my opinion a mixer should work in that setting.

[khaled0111]

...

It's because they use JavaScript. Even if you visit the clearnet link and disable JavaScript from your browser settings, you will get a blank page (Your Tor settings are probably set to disable JS).

will add my review later when I receive the mixed coins

[Csmiami]

It's because they use JavaScript. Even if you visit the clearnet link and disable JavaScript from your browser settings, you will get a blank page (Your Tor settings are probably set to disable JS).

So that means they are going against their own reccomendations on their "Step-by-step guide on how to mix your coins" article?

Assuming these coins are going to be sent to a darknet market… if you don’t already have your deposit address, sign in and get it while having JavaScript disabled. Never use any market that requires you to enable JS!

[lolxxxx]

It's because they use JavaScript. Even if you visit the clearnet link and disable JavaScript from your browser settings, you will get a blank page (Your Tor settings are probably set to disable JS).

So that means they are going against their own reccomendations on their "Step-by-step guide on how to mix your coins" article?

Assuming these coins are going to be sent to a darknet market… if you don’t already have your deposit address, sign in and get it while having JavaScript disabled. Never use any market that requires you to enable JS!

Well you are right I just disabled the JS on chrome and the site is just showing me the blank page.

[posi]

You probably not seeing anything because your security setting is set at a safer/safest level.

Correct. In my opinion a mixer should work in that setting.

I support that cause a mixing company thats up to the task ought to work in almost every angle because the purpose of using their services to keep ones fund save and clean.
I would have love to join the reviewer of the company but i have limited time to spend online these days and i dont like doing things half way.

[efialtis]

My 2 cents quick and dirty:

Before I start, the website and its contents remind me a lot of smartmixer, seriously... - I hope there is no affiliation... Its quite strange though that there are so many similarities when it comes to layout, contents, wording, "ETH soon" etc. - some titles are even exactly the same... Even if you are not affiliated - why would you "copy" from a service provider who rightfully earned himself a bad reputation?

Well, now lets get right into the mixing part. The service is easy to use and even newbies shouldnt face any problems when trying to mix coins for the first time. The website has a simple layout and is very clean - I like that. The necessary steps are explained well enough and I didnt face the slightest problem. The mixing worked fine and I have already received the mixed coins. As someone mentioned earlier, I would like you to be a little bit more transparent when it comes to fees - please present that information also on the respective pages and not just on homepage. Other than that, not much more I can say for now. Your service did exactly what it is supposed to do - mixing coins. No need to be a rocket scientist in order to use your service and thats cool.

I see the other guys are already analyzing your service "technically" - lets see what comes out of that.

[AdolfinWolf]

I don't want to get paid, please don't send me anything.

I just want to point out that your design makes me think of several other mixers, but that could just be a coincidence.

Just like those several other mixers, you also use Cloudflare on your clearnet address (bad practice!)
https://who.is/whois/mycryptomixer.com


That's not even the worst thing: You also embedded a google TAG MANAGER.
You basically let google track everything on your site. That's terrible. I don't see how you can tell you offer privacy when you have such intrusive tracking/analytical tools embedded on your site.

Unless i'm missing something, how exactly is this "Bringing privacy back to the users"

(Even for people who disabled javascript you added a GTM tag. That's just.. lol)

[mocacinno]

Disclaimer 0: this is a work-in-progress.... It'll be updated soon

Disclaimer 1: i only read the posts by the owner of the mixer, i did not read the posts of other testers in order not to be influenced.
   
Disclaimer 2: I have not actually used your mixer, i'll only test it out with my own funds AFTER i get the confirmation i'll be getting payed. I'm not going to throw my own money at this project, and lose mixing and miner's fees, if i'm not 100% sure i'll be getting refunded. If i get a confirmation of payment, i'll test out the mixer and update this review EDIT: received some testing funds and actually ran a mixing session

Disclaimer 3: i'm holding you to a higher standard than i hold myself... You are delivering a mixing service, you should be helt to the highest standards.

Disclaimer 4: there are many things i like... But i think you'll have more added value from the topics that need improvement

Security
There are several remarks i'd like to have fixed if i would ever have to consider using the mixer:

• You use cloudflare's SSL... Cloudflare acts as a MITM... They DECRYPT every package between the browser and their servers, then POTENTIALLY re-encrypt this data using your server's ssl cert. Cloudflare is a US based company, if a 3 letter agency requests data, they'll give all unencrypted data (no doubt in my mind). The sollution is as easy as ditching them and moving to a letsencrypt x3 certificate... They even have a certbot to make life easy for you
• You are not enforcing HSTS
• You are loading external javascript from googletagmanager.com, they'll be able to inject js on your page, and they'll be able to track your visitors. Google is a US based company... Same as cloudflare
• You are loading external javascript from google-analytics.com, they'll be able to inject js on your page, and they'll be able to track your visitors. Google is a US based company... Same as cloudflare
• You are not enabling DNSSEC
• HPKP is not enabled
• Your domain does not have clientUpdateProhibited set
• Your CSP header is not set
• X-Content-Type-Options header was not set
• XFO header was not set
• X-XSS-Protection header was not set
• X-Frame-Options header was not set
• You have a robots.txt file set, this is often used to crawl your site and find vulnerable scripts
• Referrer-Policy header was not set
• Feature-Policy header was not set
• Your server support TLS 1.0 and TLS 1.1., miminum is 1.2
• mymixerxtukle6mo.onion is a V2 address... It's as easy as setting HiddenServiceVersion 3 in your torrc. You can even run V2 next to V3 if you really want
• Access-Control-Allow-Origin header was not set
• Public-Key-Pins header was not set
• Public-Key-Pins-Report-Only header was not set
• What's with all these methods to either contact you or get push notifications... You're a mixer, don't offer to send sms's or phone calls, don't have so many contact options...Your presence on bitcointalk and an email address suffices EDIT: misclicked... I was looking at the wrong tab when i wrote this
• Limit your attack vectors... Why would you run a blog on the same tld? Why such a big help center? The more scripting, the more potential attack vectors. If you want a blog and a ticketing system: fine... Rent two extra dedicated servers from a different provider, add an a-record for blog.mycryptomixer.com and for tickets.mycryptomixer.com, link to these subdomains instead of your main domain. If your blog contains a vulerability, the hackers will only learn info about those visitors that visited your blog... If there is a sql injection, they only mess up your blog's db, if they succeed in elevating permissions they now have access to a completely isolated server running only your blog...

Design

• Don't use any techology that won't work on Lynx or w3m... To start: no javascript... Not all browsers support this, and (as noted above) you'll be tempted to link to external librarys
• I'm not a fan of scrolling... Your main page fills several screens, it contains starting mixing sessions, but also a salespitch, a faq, a bigger-than-need to be header and footer
• I get you can change the service fee between 0.5 and 5%, but why is it always set to high >4% by default? I'd either chose a lower range (1-2%) or set no default and let the user chose by himself
• Why wouldn't you go with a native segwit wallet? It makes you likeable in the community... Don't overload the first mb of those blocks if it's not necessary

Workflow/Usability

• I'd like a bit more emphasis on the button to start a mixing session... I mean, it's a big button with the bitcoin symbol on it, but it might not be 100% clear that this button starts a mixing session
• the slider for the time delay and the div where the time delay is actually shown are seperated by the button to add new addresses. This makes it a bit confusing
• I've verified the letter of guarntee, and it checks out (i realise i'm invalidating my own mixing session this way, since an exact timestamp is shown, but i used funds that could be tied to me anyways, and a lot of people know i speak dutch... So whatever) However, i'd like to have a message signed with an address. I already have my wallet open to send the to-be-mixed funds, so it's just easyer to verify a signed message using my already open wallet
• For me, it's clear what the order ID and mycryptocode means, but for others this might be confusing
• It's nice to push updates, however, i'd still urge you not to use technology that's not supported on all browsers... Maybe you can have a "simple" version where the user will need to refresh his order-page manually but where you cut out all non-essential code next to a "full featured" version where you use ajax, jquery,... Whatever floats your boat?
• The 0.25 mBtc fee per address was a bit harder to find... I chose a fee between 0.5 and 0.75 and mixed between 0.004 and 0.01, and ended up paying >5%. I know why these funds are asked, but some newbie might not know about fees, so he might feel scammed if you don't make it more obvious that on top of the 0.5-5%, the user is going to have to pay the miner's fee aswell...

Taint analysis
It's really hard to do a real taint analysis without using specialised algo's and parsing the whole blockchain and putting it in a relational database... However, i did do some manual checks (following the inputs/outputs chain) and without going in depth, everything seemed fine to me

[examplens]

I am received 0.0031 BTC from MyCryptoMixer to test his service. So here is how it's going

I agree with some previous feedback, you can't have google tag script or any analytics on your mix service.

First, about website interface. The design looks simple and easy to use, I don't think it will be difficult for a beginner to cope. Everything that happened during the transaction was clear to me. Nevertheless, I think some explanation would be desirable about: what is "Order ID" or "MyMixerCode"? Also, you need to give your user info what is important to know about mixing transaction if something goes wrong (it is useful for bitcoin mixing novice). Just edit FAQ.

the transaction process itself goes by the usual method. I sent 0.003 BTC, with 1-hour transfer delay and 1.5% service fee. Received exactly 0.00270500 BTC to the destination address, (first confirmation) after 1 hour and 5 minutes. There was a little delay, not sure why. the initial transaction was regularly confirmed.
So, I sent 0.003 (+ 0.0001 tx fee). Mixing service cost me 0.000295 (flat fee + 1.5% for mixing service). In this case, it is more than 10% (+ 0.0001 tx fee) which is a little tricky because I set service fee to 1.5%.
There is an option to send mixed coins to 5 different addresses where you can set transaction time for each address. Now I'm sorry I didn't try it, I hope some of the other testers will try it.

I did not see any technical problem during the transaction, but some things need to be implemented here.
- Service fee can be from 0.5-5%. It is a user decision, I guess 0.5% is acceptable as low fee service. I suggest changing to have a slider for a fee, something like the slider on transfer delay. rather than the form-input field.
- Also, in this case, the calculator where the user can see how much BTC they can expect on the destination address. (as far as I understand you have this in your plan)
- You have an additional flat fee of 0.25 mBTC per each destination address which is not clearly highlighted on mixing page, though it changes significantly mixing costs, especially in small transactions.
- "MyMixerCode" is a random generic string, so if I want to use them again, I need to remember them or write it somewhere... It is unnecessary to complicate, why not let the user type in a phrase on their own which he will remember.
- if you delete all logs 24 hours after successful mixing, where you keep user mixer code and details related to this code?
- Don't call them "MyMixerCode" and in another place "MyCryptoCode". it confuses.
- Maybe it can be added some more features what happens to the transaction, time remaining ... We have only this: https://ibb.co/gWVYTvD
- There is no live support! I think it is important. support only via email sound very slow and unreliable. Who would like to wait for a reply to the email to know "where is his money"

[khaled0111]

I just received the mixed coins and read all the above reviews. I'll try to avoid repeating what have already been  said and will focus on things which I believe should be improved.

• The first thing I noticed is that setting a precise value using "Funds distribution" and "Transfer delay" sliders is very hard. It gets harder whenever you add a new receiving address.
• You provide an order_id for each mixing operation but I can't find how to use it. Where to enter it in order to restore my session and check its status?
• JS, CloudFlare and all google's services aren't suitable for mixers. You should use more privacy-oriented alternatives
• According to your FAQ, the mixing order is vald for 24 hours only. What will happen if the depositing transaction doesn't confirm within those 24 hours
• There is nowhere where you explain how your mixer works so we can judge how reliable it is and to what degree it can be resistant to chain analysis

Other than that, everything went smoothly. I received the mixed coins exactly as I was expecting and have to say that the process was not complicated and didn't require any technical knowledge however transactions fees are a little bit too high.

[Danslip]

First, everything was smooth and easy for me and I doubt the new users will overthink about the process. I have tested the new service with sending the minimum required amount for mixing and I am impressed with the quality of the service. Instead of the BTC mixing, I strongly prefer to mix the Ethereum but this choice has been frozen due to unknown reasons.

Stay anonymous while making bitcoin transactions
Choose your coin and make it untrackable

For the header titles on the first page, I suggest to change the lines and use the better ones. Not untrackable, maybe untraceable and using more tempting motivational letters

There is only one way to contact and ask the questions which have not been answered in the help or FAQ section. Adding a Telegram, Twitter and other well-known social media sites will increase the awareness for the mixing services including Mycryptomixer.

There is no mixing calculator which can be useful for calculating the concrete input and output BTC amounts. Using the calculator will help the user to find the precise amount for mixing, I hope you will add this feature too in the future.

Letter of Guarantee and the visualization of the mixing process were prepared well and I didn't feel bad about the lack of any feature. After sending the BTC, the system shows it "unconfirmed input" and after first network confirmation, the output has sent to the stated BTC address instantly. Overall, as I said in the beginning, I am impressed and will continue to use the Mycryptomixer.

[MyCryptoMixer]

• You are loading external javascript from googletagmanager.com, they'll be able to inject js on your page, and they'll be able to track your visitors. Google is a US based company... Same as cloudflare
• You are loading external javascript from google-analytics.com, they'll be able to inject js on your page, and they'll be able to track your visitors. Google is a US based company... Same as cloudflare

Oh well, our GTM is ultra important because our SEO guys can not live without it.
You can avoid this by using the TOR mirror of the site. We did research and many other sites are also using this.

You use cloudflare's SSL... Cloudflare acts as a MITM... They DECRYPT every package between the browser and their servers, then POTENTIALLY re-encrypt this data using your server's ssl cert. Cloudflare is a US based company, if a 3 letter agency requests data, they'll give all unencrypted data (no doubt in my mind). The sollution is as easy as ditching them and moving to a letsencrypt x3 certificate... They even have a certbot to make life easy for you

The issue here is not the cretificate, it is the ease of putting load on our service through clearnet. We're present on tor network and you are advised to use it when accessing the service with highest privacy in mind. We're exploring the possibilities of making the service available without CloudFlare (or other public content delivery network), but since this takes time, for now we find it sufficient to offer tor alternative. I'm not pointing fingers here, but please note many other mixers also use CloudFlare or other doubtful provider for their clearnet service.

• Your server support TLS 1.0 and TLS 1.1., miminum is 1.2

The CloudFlare is set to support old TLS standards, on our end we accept 1.2 and 1.3 only. We'll consider disabling these on CloudFlare too.

• You are not enabling DNSSEC
• Your domain does not have clientUpdateProhibited set

We're going to investigate these options, though I can not guarantee either will be implemented due to the nature of our service.

• You are not enforcing HSTS
• Your CSP header is not set
• X-Content-Type-Options header was not set
• XFO header was not set
• X-XSS-Protection header was not set
• X-Frame-Options header was not set
• Referrer-Policy header was not set
• Feature-Policy header was not set
• Access-Control-Allow-Origin header was not set

We're going to investigate and put approperiate headers in place

• You have a robots.txt file set, this is often used to crawl your site and find vulnerable scripts

Our robots.txt is generic, there's absolutelly no restricted content on MyCryptoMixer.com website

• mymixerxtukle6mo.onion is a V2 address... It's as easy as setting HiddenServiceVersion 3 in your torrc. You can even run V2 next to V3 if you really want

We opted in to use V2 address as our default address for recognizability. We'll consider adding v3 address in the future.

• HPKP is not enabled
• Public-Key-Pins header was not set
• Public-Key-Pins-Report-Only header was not set

This is no longer a recommended practice. No other mixers are using it.

• What's with all these methods to either contact you or get push notifications... You're a mixer, don't offer to send sms's or phone calls, don't have so many contact options...Your presence on bitcointalk and an email address suffices

Last time I checked we didn't offer sending SMS, making phone calls nor push notifications. Our contact options are restricted to contact form, email and bitcointalk topics.

• Limit your attack vectors... Why would you run a blog on the same tld? Why such a big help center? The more scripting, the more potential attack vectors. If you want a blog and a ticketing system: fine... Rent two extra dedicated servers from a different provider, add an a-record for blog.mycryptomixer.com and for tickets.mycryptomixer.com, link to these subdomains instead of your main domain. If your blog contains a vulerability, the hackers will only learn info about those visitors that visited your blog... If there is a sql injection, they only mess up your blog's db, if they succeed in elevating permissions they now have access to a completely isolated server running only your blog...

As with the previous point. we do not have a big help center nor ticketing system. Our blog has no connection with the rest of the site.

• Why wouldn't you go with a native segwit wallet? It makes you likeable in the community... Don't overload the first mb of those blocks if it's not necessary

Sending to native segwit addresses (P2WPKH) is still not supported by many wallets out there, we had to opt for P2WPKH-in-P2SH for the best support across available wallets and services.

• Don't use any techology that won't work on Lynx or w3m... To start: no javascript... Not all browsers support this, and (as noted above) you'll be tempted to link to external librarys

We are considering opening an API for advanced users in the future. We are also working on a visuals stripped no js version of the service which will work on TOR strict security mode.

The first thing I noticed is that setting a precise value using "Funds distribution" and "Transfer delay" sliders is very hard. It gets harder whenever you add a new receiving address.

Setting precise value is not advised. Using random values is highly encouraged.

According to your FAQ, the mixing order is vald for 24 hours only. What will happen if the depositing transaction doesn't confirm within those 24 hours

Unfortunately you have to send us your LoG in this case. It is not possible to get around this without compromising security.

Really appreciate the feedback Mocacinno. Please message me your bitcoin address so you can start testing the mixing process!

[ice098]

This my insights/review in the page, assuming that I am very satisfied to the security and algorithm of this mixing website, I will put some points in other areas:

1. The first thing that I'd notice is the UI, it is actually a bit similar to a mixing website as well.
solution: You change your them in a different way, and create some unique palette.

2. Other coin should not be posted if it is not yet working.
solution: Just put the word  "soon" is enough, do not put the image on it, if the other option is not yet done, I think people will continuously ask you that question on when will you put that.

3. I don't know if you will put your contacts there, or just because it is only a preview?
suggestion: if you will going to put the contacts on it then I think it would be good, just a little glimpse like if you are in LA, Europe or what. I just want to know where does the company is based.

4. The design is quite dull for me I guess? no offense. Put some real-time clock as well, since time is very important in mixing.
suggestion: put some animation when you will click the buttons/options.

5. Make a company tagline , it will help the people know your difference in other companies in a phrase only. Make sure it will be a good one, because remember, first impression will last. Also , make some official accounts as well, and put it in the contacts.

This is about my review in the UI, and nothing else.

[LoyceV]

I received a 0.003 BTC to test the mixer, so I did
First, I had to adjust my Tor settings to "Safer" instead of "Safest":

This is unfortunate, it would be great if the site can work in the safest possible browsing mode.

The 0.003 BTC I received wasn't enough to pay for fees and still meet the minimum mixing amount (0.003 BTC), so I used other funds. That gave me a chance to use the QR-code, and scan it with a tablet. Note that it's always wise to check if the scanned address matches the one shown on the screen. This worked as expected.

Things I've noticed
Changing the mixing time isn't very intuitive: I can't click where it says "After 2 hrs", which is what I expected to do. I use a small screen for my Tor browser, so I had to scroll a bit to find where to change this. If I add a new address after adjusting the mixing time, everything resets again. The same happens when I remove an address. I can imagine this is annoying if a user sets many different receiving addresses.
I choose "Instantly", so I can complete my review tonight.

Maximum amount
Quoting the site:

Transfer between 0.0030 BTC and 1.0825 BTC to the following address:

The maximum is quite low, is that because you're still testing? I wouldn't recommend anyone to send a full Bitcoin to a new mixer (or any new website for that matter), but if you increase this amount in the future, can you provide proof of funds? This could be done by a signed message sent to a trusted person (note that Cloudflare can read every PM you send, who can then confirm it without publishing your addy.

Letter of Guarantee
I've seen other mixers with a PGP signed LoG, but it's much easier to check if you can sign a message from a Bitcoin address instead. Anyone who uses Bitcoin should already have a wallet that can check this, while PGP software is less standard for Bitcoin users. I for one downloaded the LoG, but didn't verify it. I do recommend anyone to confirm the LoG before depositing though, especially when sending larger amounts.
Can you stake your PGP key somewhere that shows you haven't edited it yet? You can for instance post it in this thread.

Contact
I contacted support to test their response time: 33 minutes. I can't tell if they're available at any hour of the day, but this is a pretty good start.

Finished
The funds were sent to my (native SegWit) addy after one confirmation. Everything worked as expected.

Miscellaneous
Overall, the site works just fine. I haven't tried to link the input and output addresses through the blockchain though.
The transaction fee used was pretty close to the fee I was charged (0.25 mBTC per output addy). If that's always the case, this could make it easier to link transactions to your mixer. The fee was also a bit higher than the highest fee Bitcoin Core currently recommends. That means you could be wasting more money on fees than necessary.

Oh well, our GTM is ultra important because our SEO guys can not live without it.

Your SEO guys should also man up and get rid of Google in the source code

please note many other mixers also use CloudFlare or other doubtful provider for their clearnet service.

Although it's true that there are other mixers that use Cloudflare, great mixers don't use it. Taking privacy to the absolute maximum achievable level is how a mixer can show they care about privacy.

[MyCryptoMixer]

Because of multiple requests we have now published a tutorial on how to use MyCryptoMixer - We also have an animated video tutorial that is work in progress.
The tutorial will also be visible on the main page with the next update.
https://mycryptomixer.com/blog/getting-started-with-mycryptomixer/

Changing the mixing time isn't very intuitive: I can't click where it says "After 2 hrs", which is what I expected to do.

Noted, input fields will be added.

The maximum is quite low, is that because you're still testing?

Yes, this is just for testing purposes, we have multiple pools ready to send into the site.

[PuertoLibre]

I will keep it short and will mention the general experience + some issues. The website was simple, self-explanatory and very easy to navigate. Decided to try the new mixing service and got my coins in one hour due to the network congestion. Site design is straight to business, no eye strain with fancy colors. Instructions are clear, even noobs can get a fresh BTC by clicking a few buttons after reading the help area. BTW, Segwit addresses are supported and this means low fees will be applied on the final amount.

I have several concerns about the liquidity because the deep liquidity pool is essential for cleaning the traces and no other questions will be asked if the random outputs are used in mixing. Actually I guess the received coins will be from the same day transactions which have been used by other authors here. Between 0.5% and 5% service fee range, the user can choose how anonymous he wants to see the new coins, honestly, 5% is high for larger turnovers. Adding a transaction ID is simple and straight but maybe a direct link to blockchain explorer will be useful for saving time and calculating the cost or loss which can be done at the first step if there was a mixing calculator.

Before clicking to the "continue" button, the max and min transaction limits warn the user who doesn't need to dig the FAQ for finding that info. Anyway, I doubt someone will ignore the gold rules and will try to mix 1.08 BTC on a new mixing service. My suggestion is about adding a small pop-up window for receiving feedback after each successful transaction, sending service quality review in the form of short answers to questions will be a win-win for both parties. You can add multiple languages too depending on the demand from regions.

Reason for edit: Reward received

[mocacinno]

@MyCryptoMixer: i've read your reply, and i'm happy you'll be looking into the issues i wrote down

There are some extra remarks i do want to give, and 2 small apologys i need to make:

The apology (1):
I'm a guy that has, at any given time, at least 20 open tabs on my browser. Next to MyCryptoMixer.com, there was a tab open with an exchange i sometimes use that uses the exact same color scheme as your site. The exchange had an option to get notified of deposits by mail, phone, sms, push notification, telegram bot,... They had contact options via mail, ticketing system, facebook, skype, whatsapp, telegram,... I accidentally clicked their tab instead of yours, that's why i wrote the part about not needing so many contact options. It was an honest mistake, and i'll remove this mistake from my review (i'll scratch it).

The apology (2):
After re-reading my initial post, i do come of as quite harsh. I forgot to clearly mention there are loads of good things about your site (layout, security, workflow design,...), but i figure you'll always have tons of people telling you the positive things because they want that payment. That's why i tend to bring up the "bad" things that are fixable instead of focussing on how nice feature "x" is, or how good it is you added header "y", or that you've cleaned up the server signature. Don't read my post as: "this guy thinks my mixer is all bad", but rather as "this guy is bringing up some things i might need to look into to make my service even better"

The extra remarks:
I get that your SEO guy needs those stats, but instead of giving your visitor's data to google, have you tought about Matomo? I've used it's predecessor (piwik) on privacy-centered sites for many times. They give you about the same info as google analytics, but they're just a free (open source) php/mysql script that runs on your own server, keeping all your visitor's info with you (and there even is an anonimizing function included).

About cloudflare: i do get why people use cloudflare. Don't get me wrong, they do a great job and for any site where privacy isn't so very important, i wouldn't mind seeing the use of cloudflare's cdn, ssl certificates, dns services,... I realise you're defenately not the only one using cloudflare for a mixer, but every time i see a mixer using cloudflare, i raise exactly this point. What people seem to miss is that, eventough it looks like you're using a secure connection, cloudflare actually acts like a MITM. This means the data is encrypted between your browser and cloudflare with cloudflare's cert, cloudflare DECRYPTS the data (they now know everything, including the deposit address, the letter of guarantee, the withdrawal address, the user's ip, browser fingerprint, timestamp,..). They have ALL tools in hand to completely de-anonimise the mixing session. Sure, they re-encrypt this data with your cert before they foreward the package to your server, but nothing is stopping them from sharing the complete de-anonimised mixing session with the CIA, FBI, ATF, DOD,...
I get you need a WAF, i get you need DDOS protection, i get that it's only the clearnet... But a lot of your users won't know what tor is, they just want privacy and they're looking at you to provide them with this privacy. The very least you should do (in my opinion) is print a very big, bold warning on the clearnet version telling your users that, eventough their coins will be safe from bad guys, their session *might* be monitored by law enforcement unless they use the tor version.

There are a couple of hosts that offer Ddos protected dedicated servers. If you combine this with a decent setup and a letsencrypt certificate, you're much safer than you are now (security wise).

Last but not least: i messed up some of the header recommandations. I have a couple of secure setups i'm involved with (but not that many) and i have a messy checklist to verify if everything is more or less correct. Sometimes this checklist is not up-to-date and headers that are no longer best practices are still on the list. You've given me something to think about, and if you are correct, i'll remove those headers both from the services i'm involved with and my checklist... Thanks

BTW, i'll send you a PM with an address, so i can review the rest of your setup