Hello Privcoin,

I created this account for the sole purpose of posting on the forum for all to view in the future, rather than posting my questions in your support function. I'm apprehensive about a few points and I'd love for you to clarify for me and the rest of us who may be wondering.


Finally, can you tell us anything about how your service is hosted? I'm confused as to how you have a clearnet detached from the onion.

• Does this mean your clearnet has absolutely no link to your onion?
• Different hosting providers, different countries, and different server architectures to prevent fingerprinting and surely different TTPs to administrate them both?
• If they are hosted on different hosts, then how do you manage to link the databases securely?

Again and again in your postings and on your website you make statements about the disadvantages of doing business in the United States and yet the vast majority of your English is American dialect. This has me very concerned.

• How can your repeated use of Americanisms and American dialect English be explained despite your strong stance against business in the United States?

Not everyone celebrates Christmas. I'd argue that it's more likely it's NOT the most popular holiday.


Thankfully, you've stated that you're one of the founding members and you can answer technical questions. You stated also that Privcoin is created by security professionals, so it's with that hope that you'll be able to address my technical questions.

• Can you tell us a little bit about what sort of cryptographic solution you use to track every sincle coin and fraction of a coin that a user has originally owned so they will never receive it again?
• Can you tell us some statistics about what the maximum length of time a single coin, or fraction of a coin, has remained on the tumbler before finally being tumbled out?
• What about a coin that later returns to the tumbler, because another user has brought it back? Perhaps a bot who can register and manage hundreds of users and intentionally redeposits old funds to destroy the ability to successfully obfuscate funds, thus partially deanonymising your users funds.
• What would a database solution look like for tracking the entire life of a coin? This doesn't seem feasible.
• I'm assuming to increase security and privacy that your service is writing all the tumbling operations into the blockchain directly. How are you purging this metadata when you're producing these writes? Does this get included in the 24 hour logs?

This raises additional questions:

• Can you tell us anything about your reserves or volume of BTC, approximate or exact that you use for tumbling? Greater coin count means great obfuscation. Bitmixer.io historically had their coin count total freely listed.
• If you can't tell us, citing a security reason, can you tell us what the security issue would be? I've never consider how showing total volume is a concern.

This is an alarming statement.

• Why would a mixer want to limit itself? The very principle of a mixer is that more is better.
• What is the reason you can't disclose the reason why not? This is unacceptable and very alarming.

In a screenshot posted on this thread, you showed a preview of the investor panel, which looks great, but raises a couple questions for me.

• In the investor amount, the total amount of profit coins is listed, yet you declare you don't retain logs, so how is this possible?
• The footnote below the graph only mildly explains this perplex display. Can you clarify please?

• Can you discuss when this feature will be implimented? It's been over a year.

• And just on the next page, you recommend yet another mixer. Why do you continually recommend many different mixers?

Now this sounds absolutely fascinating! Would you mind open sourcing the tool you've led us to believe you've developed that has allowed you to anlayse injections to the degree you've caught their attack? This raises several questions:

• You state that you've detected 'tracking companies'. You're saying this is plural, as in more than one. How do you know there's more than one company attacking your mixer?
• How do you know it's not just one company trying different methods?
• Would you be willing to publish a list of their public addresses and any other relevant data?
• You say you've been purging logs, but it seems you're keeping at least some logs, such as in regards to these 'tracking companies'. Is this true?

Please tell us more about this incident and how you came to know about the incident.


Finally, will you be publishing some Bug Bounty programme with guidelines for reporting? If there is a vulnerability to report, but without financial motivation, it seems moot.

I asked many questions, some strange and seemingly unrelated, but all with a purpose. I hope you'll answer them all.[/list]

TheClarifier would like some clarification on this point.

• Does this mean that if I were to deposit 10 BTC today, and let them sit there for one year and then withdrawal them after a year, they will be more 'mixed'?
• Can you tell us a little bit about what sort of cryptographic solution you use to track every sincle coin and fraction of a coin that a user has originally owned so they will never receive it again?
• Can you tell us some statistics about what the maximum length of time a single coin, or fraction of a coin, has remained on the tumbler before finally being tumbled out?
• Do you mean to say that if User A deposits 1 BTC into Deposit Address A, that User B who withdrawals 0.5 BTC will receive half of the 1 BTC from Deposit Address A? Is this the minimum amount of tumbling?

This raises an additional question:

• Can you tell us anything about your reserves or volume of BTC, approximate or exact that you use for tumbling? Greater coin count means great obfuscation. Bitmixer.io historically had their coin count total freely listed.
• If you can't tell us, citing a security reason, can you tell us what the security issue would be? I've never consider how showing total volume is a concern.

I don't feel like my question was thoroughly answered, and forgive me if I'm mistaken.

• I asked about how often the 'QUICK MIX' withdrawals are made and at what times of day. You stated on your website that they happen 'four times a day'. Does this mean it's the same four times a day; i.e. 0636, 0911, 1758, 2325? And each day is the same time, or each day is a different time of day?

This references a question I asked above.

• Does this mean that the oldest coin, or fraction there of, in your tumbler is never more than a week old?
• Do you believe that depositing 10 BTC and waiting a very long time to initiate a withdrawal will improve the obfuscation?

My concern here is not how the coins are tracked while in the tumbler, but how they are tracked if returning to the tumbler.

• What about a coin that later returns to the tumbler, because another user has brought it back? Perhaps a bot who can register and manage hundreds of users and intentionally redeposits old funds to destroy the ability to successfully obfuscate funds, thus partially deanonymising your users funds.
• What would a database solution look like for tracking the entire life of a coin? This doesn't seem feasible. Is there a compromise somewhere to tracking it at least for a year?

Now below, you reference something that caters to my above two questions. However, it leaves me concerned. Are you saying that your tool is effective and your tumbler uses this tool? Would you be willing to open source this tool?

I suppose the limits you've discussed are the practical limits of the system and we're left with these limits.

I want to propose a final hypothetical to you: let's propose that I've fancied hacking myself an exchange or two and I've come across 100.000 BTC at the current market value. The BTCs are split between four wallets, unevenly. All four wallets are known to my adversaries. What method would you suggest to pass through 100.000 BTC through your tumbler, or other tumbler also?

Finally, can you tell us anything about how your service is hosted? I'm confused as to how you have a clearnet detached from the onion. Does this mean your clearnet has absolutely no link to your onion? Different hosting providers, different countries, and different server architectures to prevent fingerprinting and surely different TTPs to administrate them both?

Hello blender,

I created this account for the sole purpose of posting on the forum for all to view in the future, rather than posting my questions in your support function. I'm apprehensive about a few points and I'd love for you to clarify for me and the rest of us who may be wondering.


The purpose of a tumbler is privacy and anonymity. How can this be achieved if you are maintaining backups? You state that logs are deleted nightly which sounds good. However, you go on to state that hourly backups are made and stored in an encrypted Truecrypt container. Now, given that Truecrypt is obsolete, I hope you are using at least Veracrypt, and even better, dmcrypt, but it seems that you may be running this on a Windows box based on several statements you've made.

• How is this 'container' copied to another server? FTP?
  
• Is this secondary server bare-metal and do you have full control over the the so-called 'redundant discs'?
• How do you guarantee the purging of the hourly backups that get moved to 'redundant discs'?
• How is the container managed? Are you creating a new container every hour and sending this off, each with a unique key?
• You state that you destroy logs on your primary server, but do you destroy these containers?
• Could you please state officially each item that is in the log that is purged?

Moving along to your tumbler's functionality, I have a few more questions. Several statements are made on your website that are not clear and need additional clarification. The statements and subsequent questions are:


When logged in, under the 'WITHDRAW' tab:

I'd like some clarification on the context of this message. I understand that the tumbler is ready, but I don't understand what you mean to imply by stating that if the user is to withdrawal the 'entire' and 'full' amount at one time, the user will receive new coins. This is how I have interpreted this message and it's left me flabbergasted.

• What are 'new coins' in this context?
• Is receiving these 'new coins' solely dependent on withdrawing the entire amount at one time?

Under the same tab, but further down below 'Automatic Withdrawal':

Are these 'four times per day' at the exact same time each and every day, or are these four times randomised between days? I'm concerned that if they are not at randomised time, this could be a vulnerability in your 'QUICK MIX' feature that could lead to fingerprinting.


While NOT logged in and under the 'QUICK MIX' tab:

I scoured this entire thread and all the documentation available on your website, and no where is the function of the 'Quick Mix ID' explained anywhere.

• How does the 'Quick Mix ID' function? Does it ensure that I can continue to reuse the 'QUICK MIX' function without ever mixing in with previously mixed in coins?
• Does this ID function track previously tumbled in coins? If so, to what degree?
• Is the 'Quick Mix ID' used only for tracking the tumble function while in-progress and immediately after for support?

And finally just one more question. If a user were to create a single account and use your service over the course of a single year, making 100 deposits and 50 tumble operations to various wallet addresses, how can the user be sure that they will never have the unfortunate issue of receiving one of their previously entered coins from months earlier?

Let's say that the user deposited Coin A in January, Coin B in February, requested a withdrawal for the total value of Coin A and Coin B and receiving this withdrawal and now have an account balance of 0.0 BTC and then later Coins C and D are deposited in August and a subsequent withdrawal is made resulting in a part of the earlier Coin A being tumbled into the mix with Coins C and D.

Have you protected against this?

I am looking forward to viewing a substantial addressing of these points as I believe I'm not the only one curious. Thank you for the wonderful service and continued support.