♻️ Tomboi.io - no KYC/AML exchange with XMR, Tor support | $10,000 escrow

[tomboi]

Hi everyone!

I’d like to introduce Tomboi.io here and share our service with the forum.

Tomboi.io is a privacy-focused crypto exchange built for users who value simplicity, speed, and privacy.


🔒 What Tomboi is about:

• Privacy-focused crypto swaps
• No KYC
• No AML checks
• XMR is one of the main assets for us
• Tor-friendly access
• Orders are executed from our own liquidity pool
• Simple exchange flow without accounts and unnecessary friction

🌐 Website:
• Clearnet
• Tor / Onion

✉ Contact:
• tomboi_exch@proton.me


💬 We’d be glad to hear from the forum:

• Your overall impression of the service
• What you like or what stands out positively
• Suggestions on how we can improve trust, presentation, or usability
• What features or additions you would personally like to see

We’re always open to useful suggestions and constructive feedback, and of course we’d be happy to hear your general impressions as well

Thanks for your time!

[Potato Chips]

Welcome to bitcointalk! Good to see another privacy leaning exchange.

I don't see any letter of guarantee. This would be nice to have
It appears the exchange is low on reserves of some crypto right now. When do refills usually happen?
Honestly, I would like to see another no-kyc exchange with a pretty low minimum trade amounts like in e x c h.

Good to hear you plan to depo funds in a trusted escrow. As a new exchange in the forum, this does help improve credibility. I could get behind the idea of splitting the $10k into multiple trusted escrow like a "don't put all your eggs in one basket" famous quote. Though I think you could still achieve this even with 2-3 people which would be less complicated than 5.

I would like to suggest Little Mouse as one of the escrows, see his thread: https://bitcointalk.org/index.php?topic=5180747.0

[tomboi]

Welcome to bitcointalk! Good to see another privacy leaning exchange.

I don't see any letter of guarantee. This would be nice to have
It appears the exchange is low on reserves of some crypto right now. When do refills usually happen?
Honestly, I would like to see another no-kyc exchange with a pretty low minimum trade amounts like in e x c h.

Good to hear you plan to depo funds in a trusted escrow. As a new exchange in the forum, this does help improve credibility. I could get behind the idea of splitting the $10k into multiple trusted escrow like a "don't put all your eggs in one basket" famous quote. Though I think you could still achieve this even with 2-3 people which would be less complicated than 5.

I would like to suggest Little Mouse as one of the escrows, see his thread: https://bitcointalk.org/index.php?topic=5180747.0

Thanks, I’ve already sent Little Mouse a private message.

We have a larger amount of reserves, but for now we’ve decided to keep some of the funds in the pool. We’ll replenish the reserves a little later, but since we’ve just launched the exchange and conducted our own testing, we want to wait for the first trades from clients and see how everything works in practice.

Regarding the letter of guarantee, that’s a valid point, and we’ll be implementing this feature shortly.

Regarding the low minimum trade amounts, I think we’ll lower it to $10 for certain types of exchanges in the coming days, but this will only apply to certain coins with fast networks and low fees.

Thank you so much for your feedback.

[tomboi]

Deposited $5,000 into the ‘Little Mouse’ escrow account.

[goldkingcoiner]

From a first look the exchange looks a bit simplistic. But I have not tried it because it seems like an unregistered centralized and custodial exchange to me.

So how does this work? A server functions as the exchange engine? Is it not still rated as an unregistered centralized exchange? Can transactions be re-routed? Frozen? Onion servers get taken down easily and an exchange could get DDOSed out of existance.

The entire anonymous and custodial aspect is a red flag. I am guessing that is why you are doing the escrow PR. But there is no guarantee that a large enough amount could not get rugpulled. How do you ensure that user funds do not get stolen/hacked?

[cLoazyL]

Code: (https://tomboi.io/en/terms)

Suspicious or invalid requests may be rejected.

What exactly does that mean? Are you talking about transactions? Give an example.

No information on refunds, no information on jurisdiction, no information on what data is collected.

[tomboi]

From a first look the exchange looks a bit simplistic. But I have not tried it because it seems like an unregistered centralized and custodial exchange to me.
So how does this work? A server functions as the exchange engine? Is it not still rated as an unregistered centralized exchange? Can transactions be re-routed? Frozen? Onion servers get taken down easily and an exchange could get DDOSed out of existance.

The entire anonymous and custodial aspect is a red flag. I am guessing that is why you are doing the escrow PR. But there is no guarantee that a large enough amount could not get rugpulled. How do you ensure that user funds do not get stolen/hacked?

What exactly does that mean? Are you talking about transactions? Give an example.

No information on refunds, no information on jurisdiction, no information on what data is collected.

Thanks for the questions — they are fair questions, especially for a new exchange thread.

To answer the general point first: yes, this is a centralized exchange service, not a decentralized protocol. We do not present it as a DEX. The exchange engine runs on our side, and the purpose of the service is to provide simple privacy-focused swaps without KYC/AML friction. At the same time, we understand very well that this model requires trust, which is exactly why we started adding public trust signals such as the escrow deposit. As already mentioned in the thread, $5,000 has already been deposited with Little Mouse escrow.

Regarding security and custody: user funds are not meant to sit on the service as balances or accounts. A swap request is created, processed, and completed within that request flow. We are not operating a wallet-balance platform where users keep long-term deposits on the site. That does not remove trust requirements, of course, but it does reduce the exposure model compared with a classic custodial account-based exchange.

We also pay special attention to security architecture. The public website and the server environment where exchange operations and fund storage are handled are separated and do not run on the same server. This separation is intentional and is part of our effort to reduce risk and add an extra layer of protection. In general, infrastructure protection and operational security are areas we take very seriously.

As for the question about freezing, rerouting, or rejecting transactions: we do not collect personal identity information, and we do not perform KYC or AML checks. The phrase in our Terms, "Suspicious or invalid requests may be rejected," was poorly worded and I agree it can be misunderstood. What it was intended to refer to was not a normal paid order or a successful deposit, but abnormal or malformed request creation attempts — for example, clearly invalid request parameters, broken input, or non-standard request patterns that look like probing, abuse, or an attempt to attack the service during the order creation stage. It was not meant as a vague excuse to reject a legitimate user’s already created and paid exchange. Because that wording can mislead users, we are going to remove or rewrite that point in the Terms so it is clearer. Thanks for pointing that out.

On data collection: we do not collect KYC data or personal identity documents. In practice, the data we currently keep is limited to normal technical cookies and the exchange request data that is created as part of the order flow and stored in the database so the swap can function correctly. We agree this should be stated more explicitly, and we will add that clarification to the Terms / rules as well.

There is no section on refunds, as we do not carry out AML checks and every request is processed.

So in short:
- yes, this is a centralized privacy-focused exchange service;
- no, we do not collect KYC data;
- the website and the exchange/funds infrastructure are separated for additional protection;
- security is something we take very seriously;
- the "Suspicious or invalid requests" line referred to malformed / abusive request creation attempts, not normal paid swaps;
- we will revise that wording now so it does not create confusion;
- and we will also expand the Terms to clarify data collection and other operational points.

Thanks again for the feedback — this is exactly the kind of thing that helps us improve the service and present it more clearly.

[Little Mouse]

Deposited $5,000 into the ‘Little Mouse’ escrow account.

Message

Code:

I confirm that I have received $5000 USDT (BEP20). For privacy, I'm keeping the escrow address private.

This fund will be used for refunding swap in case tomboi don't fulfill the obligation. Refunds to the accuser will be processed as "first come first serve".

If tomboi requests for a refund of this escrow fund, they must wait for at least 1 week to 1 month after requesting the refund, provided there will be no open scam accusation against them.

In the future, if escrow funds increased, please make surer to check and verify another signed message from this address- bc1q4ytcr43xq6xjpj6z0s76r4x4rx2g4fe5qvv9yc

Signature

Code:

IFzuyObsa9wt8FgWNg/sI93N3/2OHY6pzBm/Krl/iwj4P9vnWKu/M1jKXwbWijalTIRENI1OVQ6kXGR6B6epThw=

Signed by address- bc1q4ytcr43xq6xjpj6z0s76r4x4rx2g4fe5qvv9yc posted here

[hugeblack]

Was this account purchased?   You haven't been active since 2019, so can you sign a message from this address?

#JOIN

Bitcointalk username: tomboi
Forum rank: Sr. Member
Posts count:  (253)
ETH address: 0xB08E8f22e6eA3A6b60821c8D5C898dEc96aE1dF9

Do you speak Indonesian?

If the account was purchased, it's best to start from scratch, as trust isn't based on account rank.

The service is generally good, it lacks several features. For example, when making a deposit, there's no QR code for the deposit address, and there's no guarantee letter.

[tomboi]

Was this account purchased?   You haven't been active since 2019, so can you sign a message from this address?

#JOIN

Bitcointalk username: tomboi
Forum rank: Sr. Member
Posts count:  (253)
ETH address: 0xB08E8f22e6eA3A6b60821c8D5C898dEc96aE1dF9

Do you speak Indonesian?

If the account was purchased, it's best to start from scratch, as trust isn't based on account rank.

The service is generally good, it lacks several features. For example, when making a deposit, there's no QR code for the deposit address, and there's no guarantee letter.

Thank you for raising the concern.

I understand why this question may come up, and I respect the caution of forum members when reviewing a new service thread. That said, I would prefer not to turn this topic into a discussion of private or historical account matters.

I believe it is more useful and fair for the thread to stay focused on the service itself, how we operate, and what public guarantees we are prepared to provide.

For that reason, we are trying to build trust through actions, not just statements. A $5,000 escrow deposit has already been made and confirmed in this thread, and we are currently adding another $5,000 into escrow as well. We also plan to place additional escrow deposits on other platforms/resources to further strengthen public trust.

We also appreciate your product feedback. The missing QR code for deposit addresses and the missing guarantee letter are fair points, and we are already working on improving those parts.

We respect the scrutiny and welcome service-related questions, but I would prefer to keep this thread centered on the platform, its operation, and the guarantees behind it.

[tomboi]

I transferred another $5,000 to the “Little Mouse” escrow account.

The total deposit made to the “Little Mouse” escrow account is $10,000.

[Little Mouse]

I transferred another $5,000 to the “Little Mouse” escrow account.

The total deposit made to the “Little Mouse” escrow account is $10,000.

Message

Code:

I confirm that I have received aditional $5000 USDT (BEP20) and now holding a total of $10000 USDT. For privacy, I'm keeping the escrow address private.

This fund will be used for refunding swap in case tomboi don't fulfill the obligation. Refunds to the accuser will be processed as "first come first serve".

If tomboi requests for a refund of this escrow fund, they must wait for at least 1 week to 1 month after requesting the refund, provided there will be no open scam accusation against them.

In the future, if escrow funds increased, please make surer to check and verify another signed message from this address- bc1q4ytcr43xq6xjpj6z0s76r4x4rx2g4fe5qvv9yc

Signature

Code:

Hxo3DE1ab7sGXoJRMbfiDXgNVO9f/T6mJG1pJxCuLw+nMB0nW3/VIHTBZiA+Ei/grqvr98uIPMON5kwjWsYcN4k=

Signed by address- bc1q4ytcr43xq6xjpj6z0s76r4x4rx2g4fe5qvv9yc posted here

[Y3shot]

Welcome to the forum.

I have gone through the exchange; it is simple for anyone to have access to it. But I tried to see if I could find the license number, and I couldn't locate it.

I also want to know how active the support system works?

[tomboi]

Welcome to the forum.

I have gone through the exchange; it is simple for anyone to have access to it. But I tried to see if I could find the license number, and I couldn't locate it.

We specialize in ensuring privacy and do not require users to undergo KYC/AML procedures. As a result, we do not hold a license; however, we have deposited a security deposit in escrow on this forum to ensure that users do not lose trust in us due to our lack of a license.

I also want to know how active the support system works?

Technical support is available 24/7
It’s very simple: just send a message to
https://tomboi.io/en/chat
and immediately after sending your first message, you’ll receive a code that you can use to resume the conversation at any time. Feel free to test it out and contact our technical support team.

[examplens]

Was this account purchased?   You haven't been active since 2019, so can you sign a message from this address?

Thank you for raising the concern.

I understand why this question may come up, and I respect the caution of forum members when reviewing a new service thread. That said, I would prefer not to turn this topic into a discussion of private or historical account matters.

I believe it is more useful and fair for the thread to stay focused on the service itself, how we operate, and what public guarantees we are prepared to provide.

I think what hugeblack asked is completely understandable and not a deviation from the topic. An honest answer to this is part of the discussion process about your "service itself, how we operate,". Only a direct and honest answer can close the discussion on this.
Now you are focused on building trust, and in the near future, the previous owner of the account may show up, or someone may accuse you of anything related to your account in the past.
All your efforts may become worthless because you have not cleared up the unclear history today.

[tomboi]

I think what hugeblack asked is completely understandable and not a deviation from the topic. An honest answer to this is part of the discussion process about your "service itself, how we operate,". Only a direct and honest answer can close the discussion on this.
Now you are focused on building trust, and in the near future, the previous owner of the account may show up, or someone may accuse you of anything related to your account in the past.
All your efforts may become worthless because you have not cleared up the unclear history today.

I understand the concern, and I’ll clarify this directly.

Yes, I am the current owner of this account.

The reason I chose to use an existing account was mainly practical — to be able to properly present the service (including signature and formatting), since new accounts have strict limitations in that regard.

At the same time, I fully understand that account history alone should not be used as a basis for trust, especially in the context of a service like this.

That’s exactly why I am not relying on the account itself for credibility and instead focusing on verifiable guarantees:
– $10,000 escrow has been publicly deposited and confirmed
– the service is actively maintained and improved
– we are working on increasing transparency (guarantee letter, clearer terms, etc.)

I agree that trust should come from actions, not from account age or rank, and I’m prepared to build that trust over time through consistent operation.

I’m open to any service-related questions.

[examplens]

I understand the concern, and I’ll clarify this directly.

Yes, I am the current owner of this account.

OK, although it may not be the most direct answer, because more questions were asked about the history of the account and who the initial owner is.
Otherwise, even if you created an account from scratch, with the copper membership, you would have all the privileges, and if the service shows itself with good manners, it will easily reach a higher rank.

As for the escrow deposit, I don't know what prompted you to add another $5k, but maybe they rushed you with it. As far as I can see, the current reserves are $22k, so practically over 50% is in your escrow reserves. I think that it would be better if you have larger reserves at this moment, because practically the swap of any coin (except XMR) cannot exceed the escrow reserves. This is good for users, but it limits your offer quite a bit.
It limits you and limits potential growth. Add to that the problem of 3/4 of your reserves being in one currency (XMR).
Honestly, both KycNotList and AntiKYC are still quite minor, so the decision to deposit with them in escrow is a bit surprising.