anyway, here is the guy you are talking about
LocalMonero correct? weirdly, they also logged in today after being inactive for a long time.
Yup, that's us. We logged in today to respond to this thread.
If they have evidence that the accounts are connected, then they should be able to produce proof linking the accounts. Have they shown you any proof in the Telegram chats you had with them?
We never act without thoroughly investigating something and gathering evidence. We believe the owner of the banned account, and by extension the original poster of this thread, to be BuyCoinFast, who we've banned along with his Australian trading alt CryptodileDundee, among other alts, in May of 2021, and we believe that we are able to prove it beyond a reasonable doubt.
Correcting some of the inaccuracies in the OP:
1. His alt was banned with ~20.5 XMR, not 35 XMR. The figure is inflated by ~75%. 20.5 XMR = approx. 5000 USD;
2. There were no 10 XMR deposits to that account before the account was banned. The last deposit made to that account was around 2 days before it got banned;
3. The screenshot of the Telegram conversation with us omitted the message where we said that all further communications should be directed to our email. We require this because Telegram chats aren't as easily publicly verifiable as emails are, and with BuyCoinFast there's always a high risk that he'll delete the messages, as he did with all the message history between himself and our staff. We haven't received any emails from him.
The evidence (TLDR at the bottom):
1. Both accounts engaged in third-party payments in a similarly diverse geographical distribution.
BuyCoinFast's trading style constantly employed different payment methods and countries. If you take a look at his and Audy's offers, you'll see that they are quite diverse, both in terms of payment method and in terms of geography. This is because BuyCoinFast doesn't actually accept or send the payments himself, he uses third parties and himself acts as a middleman between them (brokering). See how both of their offers are rather diverse:
And here's some evidence of Audy engaging in third party payments, since the payment details he provides differ from trade to trade:
In some cases you're even going to be able to catch a direct match between the location advertised by BuyCoinFast and that by Audy, take, for example these two offers:
They're basically the same offer in the exact same place. What are the chances that two random unrelated people would have a cash-in-hands offer in such a specific location?
But it goes further than that:
2. Identical texts between the ad offers posted by Audy and those posted by BuyCoinFast, despite "Audy" claiming not to know who BuyCoinFast is.
There are multiple examples of similar/identical texts between Audy's and BuyCoinFast's offers. We invite the readers to compare the offer texts by themselves. As an example, let's take a look at
We have text blocks which are identical. You might explain this as Audy simply copying the trade terms from one of BuyCoinFast's ads, but BuyCoinFast's account has been banned since May of 2021, which means that their ads are not visible in public search results. The only way you'd be able to see the text of the offer is if you directly went to BuyCoinFast's user page and/or found a direct link to that ad. The cash by mail ad posted by Audy was posted in November, way after BuyCoinFast and his old alts were banned. Remember, "Audy" claims to not even know who BuyCoinFast is:
And this is despite the fact that "Audy"'s Telegram account, https://t.me/SpikeMilligan, being a member of the BuyCoinFast-run Telegram group https://t.me/MoneroUK and even having messaged BuyCoinFast in that group (we consider it to be a sock puppet):
3. BuyCoinFast speaks Russian, "Audy" seems not to understand Russian in Telegram, while at the same time forgetting to change his keyboard layout from Russian to English in the trade chat of one of his trades and speaking native Russian in other trades:
It's actually not just limited to a slip, there's whole conversations where he starts to employ Russian. The kind of Russian that can't be autotranslated, with slang and misspelled curse words:
All of this is already plenty of evidence, but we can go even further:
4. BuyCoinFast and his alts including CryptodileDundee all withdrew coins way back in May of 2021 to the exact same address as Audy is withdrawing to in November of 2021:
Withdrawing coins to the same address from different accounts in vastly different dates is already enough proof. But we can go even further:
5. CryptodileDundee and Audy both triggered our firewall, Imperva, to log security events when they were logging in, and the Imperva security event logs show that both accounts logged in from the same IP address within a day of each other:
For our DDoS protection and general WAF (Web Application Firewall) needs we use Imperva, because they're the best in the business.
Imperva doesn't store access logs of normal activity, but whenever their firewall detects patterns that it deems suspicious it will think that a certain client accessing the site may be a bot and issues additional challenges. Sometimes it's cookie challenges, sometimes it's JS challenges, sometimes it's a CAPTCHA challenge, sometimes they just block the request outright.
For whatever reason, BuyCoinFast's activity was deemed suspicious by Imperva (he is known for using weird combinations of browsers, VPNs, devices, and OS's, because he would contact our support staff to help him with some website bugs that appeared due to the edge cases caused by his weird setup). So Imperva logged two security events:
We were able to associate the Oct 5th security event with BuyCoinFast in the first place because the entry page is shown to contain the trade ID of a dispute that's still open in which BuyCoinFast is the buyer (as his alt CryptodileDundee, which is suspended from trading as opposed to banned completely, because we need to let him login to answer in the dispute that's still open with him). From there, we took the IP associated with that security event and searched for other security events with that IP. Fortunately, we came across the second login, on Oct 6th.
At the bottom of each of these images, we can see the data for the POST requests that were used to login. The response code was 200 (OK), meaning the logins were successful. These requests contain the username, password, and some other stuff that we use to process logins.
When Imperva logs security events with sensitive data, such as during logins, they use a salted hash to mask the data. It's not possible to unmask the data, because hashes are generated by a one-way function. This is why it says:
username=TSshzN7eYiVe/Cx3lD2RQgIJb6LHhUgoBOO32E54Az0=
However, if you know ahead of time what you're looking for, you can test whether a certain username does translate into a certain hash. In this case, we know exactly what we're looking for: CryptodileDundee and Audy.
The hashing algorithm that Imperva uses is SHA256. The salt that is used in the hashing process is "t6RwOaRilCUlSqZeXxYH1H8_CrCAi6uA", it is appended after the plaintext to be hashed. Finally, the 256-bit hex output of the hash function is converted to Base64.
So, for testing whether the masked username in the Oct 5th security event is actually CryptodileDundee, we do:
1. CryptodileDundee + SALT = CryptodileDundeet6RwOaRilCUlSqZeXxYH1H8_CrCAi6uA
2. SHA256(CryptodileDundeet6RwOaRilCUlSqZeXxYH1H8_CrCAi6uA) = 4d2b21ccdede62255efc2c77943d914202096fa2c785482804e3b7d84e78033d
3. Base64(4d2b21ccdede62255efc2c77943d914202096fa2c785482804e3b7d84e78033d) = TSshzN7eYiVe/Cx3lD2RQgIJb6LHhUgoBOO32E54Az0=
4. TSshzN7eYiVe/Cx3lD2RQgIJb6LHhUgoBOO32E54Az0= is equal to TSshzN7eYiVe/Cx3lD2RQgIJb6LHhUgoBOO32E54Az0=, therefore
5. username=CryptodileDundee
Same process for testing audy (he used lowercase to login, our login is case-insensitive) against the masked username value in the Oct 6th security event:
1. audy + SALT = audyt6RwOaRilCUlSqZeXxYH1H8_CrCAi6uA
2. SHA256(audyt6RwOaRilCUlSqZeXxYH1H8_CrCAi6uA) = 2f8a6a315eb831c369bbd57ac4bb1f13df325bc02741730bae9a8624c459f227
3. Base64(2f8a6a315eb831c369bbd57ac4bb1f13df325bc02741730bae9a8624c459f227) = L4pqMV64McNpu9V6xLsfE98yW8AnQXMLrpqGJMRZ8ic=
4. L4pqMV64McNpu9V6xLsfE98yW8AnQXMLrpqGJMRZ8ic= is equal to L4pqMV64McNpu9V6xLsfE98yW8AnQXMLrpqGJMRZ8ic=, therefore
5. username=audy
We've proven, with the help of our firewall provider's security event logs and a bit of math, that both CryptodileDundee and audy logged in from the same IP within a day of each other.
We rest our case.
...or do we?
BONUS EVIDENCE: BuyCoinFast self-incriminated by forgetting to wipe EXIF data from the screenshot that he uploaded in the original post of this very thread.
Notice that we've highlighted the user-agent in the Oct 5th Imperva security log:
User Agent :Mozilla/5.0 (Linux; Android 10; VOG-L09 Build/HUAWEIVOG-L09) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
Compare that to the EXIF data that's visible at the bottom of the page of his uploaded screenshot:
We have an exact match. The screenshot uploaded by the original poster in this thread was made from the same device as the one BuyCoinFast used to login to his alt CryptodileDundee on our platform on October 5th.
We rest our case.
TLDR:
1. Both accounts engaged in third-party payments in a similarly diverse geographical distribution;
2. Identical texts between the ad offers posted by Audy and those posted by BuyCoinFast, despite "Audy" claiming not to know who BuyCoinFast is;
3. BuyCoinFast speaks Russian, "Audy" seems not to understand Russian in Telegram, while at the same time forgetting to change his keyboard layout from Russian to English in the trade chat of one of his trades and speaking native Russian in other trades;
4. BuyCoinFast and his alts including CryptodileDundee all withdrew coins way back in May of 2021 to the exact same address as Audy is withdrawing to in November of 2021;
5. CryptodileDundee and Audy both triggered our firewall, Imperva, to log security events when they were logging in, and the Imperva security event logs show that both accounts logged in from the same IP address within a day of each other;
6. BONUS EVIDENCE: BuyCoinFast self-incriminated by forgetting to wipe EXIF data from the screenshot that he uploaded in the original post of this very thread.
We'll be petitioning the mods and admins of this board to remove this thread and ban OP's account.
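
The masked-username check walked through in the post above, written out as an added example (not part of the original post, and not LocalMonero's or Imperva's code) so a reader can rerun it against the quoted values. The salt, masked values and hex digests are copied from the post; the function names and the control candidate "someoneelse" are constructed for illustration, and the Base64 step is taken over the 32 raw digest bytes, which is what the quoted values are consistent with.

```python
import base64
import hashlib
from typing import Optional, Sequence

# Salt, masked usernames and hex digests exactly as quoted in the post.
SALT = "t6RwOaRilCUlSqZeXxYH1H8_CrCAi6uA"
MASKED_OCT5 = "TSshzN7eYiVe/Cx3lD2RQgIJb6LHhUgoBOO32E54Az0="
MASKED_OCT6 = "L4pqMV64McNpu9V6xLsfE98yW8AnQXMLrpqGJMRZ8ic="
HEX_OCT5 = "4d2b21ccdede62255efc2c77943d914202096fa2c785482804e3b7d84e78033d"
HEX_OCT6 = "2f8a6a315eb831c369bbd57ac4bb1f13df325bc02741730bae9a8624c459f227"


# Hypothetical helper names; none of them come from the post or a vendor API.
def encode_digest(hex_digest: str) -> str:
    """Step 3: Base64 over the raw digest bytes, not over the hex text."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def mask(value: str, salt: str = SALT) -> str:
    """Steps 1-3: SHA-256 of the value with the salt appended, then Base64."""
    digest = hashlib.sha256((value + salt).encode("utf-8")).hexdigest()
    return encode_digest(digest)


def identify(masked: str, candidates: Sequence[str]) -> Optional[str]:
    """Steps 4-5: return the candidate whose masked form equals `masked`."""
    for candidate in candidates:
        if mask(candidate) == masked:
            return candidate
    return None


if __name__ == "__main__":
    # The first two candidates are named in the post; the third is a
    # constructed control that should never be reported as a match.
    names = ["CryptodileDundee", "audy", "someoneelse"]
    for label, masked in (("Oct 5", MASKED_OCT5), ("Oct 6", MASKED_OCT6)):
        print(label, masked, "->", identify(masked, names))
```

The masking is case-sensitive even though the site's login is not, so a candidate has to be tested in the exact form that was typed, as the post does with lowercase "audy".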