Re: [OPEN 11 left] UniJoin.io Premium Review and Suggestion Campaign
by
DarkStar_
on 09/04/2022, 06:10:31 UTC
Merited by LoyceV (6), NeuroticFish (3), khaled0111 (1)
Premium review and suggestion spreadsheet#14

First impressions: I don't like that the site loads external fonts from Google, as it means that Google will know when I visit your website. You should be able to move to hosting the fonts locally fairly easily, preventing this privacy leak. I also don't like that the site loads scripts from hCaptcha for the same reason, but it's marginally more acceptable as there is no very simple alternative - hopefully the JavaScript-free website fixes this.

I tried using a random string of characters for my UniCode, and was surprised to see that the UniCode that shows up at the mixing step was not what I entered. After some experimentation, it seems like the site will give you another random UniCode if the code you entered isn't 6 characters long. This is very very minor, but it would be better if the site gave you an error message instead of replacing your UniCode.



I'd like to echo LoyceV's suggestion to add verification instructions to the website, as I had no idea how to verify my letter of guarantee without seeing their post.

Quote:
But 8gwifi.org's verification didn't work offline, so chances are the 8gwifi.org server now knows the details of my transaction.

I can confirm that the 8gwifi.org website makes requests to their server in order to verify messages. That site also seems to use Cloudflare, so even if the site owner doesn't log, there's a good chance that Cloudflare will have your mixing transaction info. I did a quick search to find other sites that verify SHA256withRSA messages in hopes of finding one that does it locally, but I surprisingly didn't find anything that just worked - it was a mix of language/library documentation, Stack Overflow posts and GitHub scripts. I feel like it will be very difficult for any non-technical user to verify their letter of guarantee in a way that doesn't leak their info to a third party.

I would suggest swapping to using a Bitcoin signed message instead - users would likely be way more familiar with the format, and there are many ways of verifying a Bitcoin signed message, including verification websites that run fully client side. I'd also recommend adding a timestamp to the letter of guarantee, since deposit addresses expire after 24 hours. With the current setup, if an issue occurs, neither you nor the user can prove with 100% certainty that they were correct, as you can claim that the deposit was received past the 24 hour period, and they can claim that the deposit was received before.



After I mixed my coins and waited out the mixing process, I was redirected to the finish screen. I noticed that this screen showed the last UniCode I entered into the website (since I experimented with different UniCodes after sending my funds in a separate tab), rather than the actual UniCode of my mixing transaction. Not a huge issue but I think it is a bug nonetheless.

The transaction to my destination address was also a 1 input + 2 output transaction, meaning that it was also a fake "CoinJoin". I'm surprised more people didn't call them out on this, since it's advertised as one of their major selling points. Following the input chain, I also ended up with a transaction that looks like a CoinJoin after a few jumps, so I guess that might be what they actually mean by "using CoinJoin technology". The website definitely does not make that clear though, and seems to make an effort to mislead the user into thinking that their specific mixing transaction is CoinJoin. For example, they say this when referring specifically to "your" crypto funds:

Quote:
We make this possible by ensuring that the output amounts are exactly the same.

This is just objectively false. However, the website seems to make a decent attempt at never explicitly stating that your transaction will be CoinJoin - just that they are powered by CoinJoin technology, so this might just be an oversight or an interpretation issue. All other mentions of CoinJoin that I saw on the site never explicitly stated that your transaction would be CoinJoin, and it actually took a bit of effort and careful reading to find this specific instance.

Quote:
I followed my withdrawal up the blockchain, until I got to March 29, 2022. This is the first transaction that looks like a coinjoin. But if I follow it a bit further, I get to many parent transactions that look the same, which makes me think the same funds are being used for several coinjoins in a row. This one is from February 10, 2022 for instance.

I think it's likely that these are real CoinJoins, rather than transactions back and forth from addresses all controlled by one person. Some of the inputs ended up being from renBTC and various exchanges, so the varied inputs make me suspect that these belong to different users. It's not uncommon for users to participate in multiple CoinJoins in a row to increase their anonymity.



Overall, I'm not a big fan of the mixer's current state. The letter of guarantee isn't worth very much, as users can't use it to prove that they were scammed without any doubt in a worst case scenario due to the lack of a timestamp. The website seems like it's designed to try to mislead users into thinking that their specific mixing transaction will be a CoinJoin, while (almost) never explicitly stating that it will be so they're technically not lying. As a normal mixer, it does seem to work. However, compared to other mixers, it's less safe, and attempts to mislead you.
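The two letter-of-guarantee points above (verifying a SHA256withRSA signature without sending it to a third-party website, and including a timestamp so the 24-hour deposit window is provable) as an added Go example; this is not UniJoin's code or letter format, and the letter layout, field names and the deposit address are constructed assumptions:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Letter is a constructed letter-of-guarantee layout (not UniJoin's own format);
// it carries the issue time the post asks for, so the 24h deposit deadline is provable.
type Letter struct {
	Deposit  string    // deposit address, constructed sample value in main()
	IssuedAt time.Time // when the mixer issued the letter
}

// Bytes is the canonical text that gets signed; the deadline is derived from IssuedAt.
func (l Letter) Bytes() []byte {
	return []byte(fmt.Sprintf("deposit=%s\nissued=%s\nexpires=%s\n", l.Deposit,
		l.IssuedAt.UTC().Format(time.RFC3339),
		l.IssuedAt.Add(24*time.Hour).UTC().Format(time.RFC3339)))
}

// Sign produces a SHA256withRSA (PKCS#1 v1.5) signature, the scheme the post names.
func Sign(priv *rsa.PrivateKey, l Letter) ([]byte, error) {
	h := sha256.Sum256(l.Bytes())
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifyOffline needs only the mixer's public key: no request leaves the machine.
func VerifyOffline(pub *rsa.PublicKey, l Letter, sig []byte) bool {
	h := sha256.Sum256(l.Bytes())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// DepositOnTime settles the dispute the post describes: with a signed issue time,
// whether a deposit confirmed at depositTime fell inside the 24h window is checkable.
func DepositOnTime(l Letter, depositTime time.Time) bool {
	return !depositTime.Before(l.IssuedAt) && depositTime.Before(l.IssuedAt.Add(24*time.Hour))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the mixer's key pair
	l := Letter{Deposit: "bc1q-constructed-deposit", IssuedAt: time.Date(2022, 4, 9, 6, 0, 0, 0, time.UTC)}
	sig, _ := Sign(priv, l)
	fmt.Println("signature valid:", VerifyOffline(&priv.PublicKey, l, sig))
}
```

A user only needs the mixer's published public key and the letter text to run VerifyOffline; the deposit address never leaves their machine.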
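The structural check the post applies by hand (a 1-input, 2-output payout cannot be a CoinJoin, while a real one has several inputs and equal-valued outputs) as an added Go example; the transactions and amounts are constructed samples, not the post's actual transactions:

```go
package main

import "fmt"

// Tx is a minimal view of a transaction: input and output amounts in satoshis.
// Values here are constructed; real ones would come from a node or block explorer.
type Tx struct {
	Inputs  []int64
	Outputs []int64
}

// Verdict records what the transaction's shape supports.
type Verdict struct {
	LooksLikeCoinJoin bool
	EqualOutputs      int   // size of the largest group of identical output amounts
	EqualAmount       int64 // that amount (0 when there are no outputs)
}

// Classify applies the structural test the post applies by hand: a CoinJoin needs
// inputs from several participants and a set of equal-valued outputs, which is the
// property the site claims for "your" transaction. A 1-input, 2-output payout can
// never satisfy it, whatever the page says about "CoinJoin technology".
func Classify(tx Tx) Verdict {
	counts := map[int64]int{}
	for _, o := range tx.Outputs {
		counts[o]++
	}
	var v Verdict
	for amt, n := range counts { // largest group wins; ties go to the larger amount
		if n > v.EqualOutputs || (n == v.EqualOutputs && amt > v.EqualAmount) {
			v.EqualOutputs, v.EqualAmount = n, amt
		}
	}
	v.LooksLikeCoinJoin = len(tx.Inputs) >= 2 && v.EqualOutputs >= 2
	return v
}

func main() {
	// Shape of the withdrawal the post received: one input, two outputs.
	payout := Tx{Inputs: []int64{5_000_000}, Outputs: []int64{4_950_000, 40_000}}
	// Shape of a real CoinJoin: several inputs, equal outputs plus per-user change.
	cj := Tx{
		Inputs:  []int64{1_200_000, 3_000_000, 2_050_000, 1_010_000},
		Outputs: []int64{1_000_000, 1_000_000, 1_000_000, 1_000_000, 195_000, 1_995_000, 1_045_000},
	}
	fmt.Println("payout:", Classify(payout).LooksLikeCoinJoin, "coinjoin:", Classify(cj).LooksLikeCoinJoin)
}
```

The test is a necessary condition only: a transaction that passes it may still be one party paying itself, which is the doubt the thread raises and resolves by looking at where the inputs came from.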