Zachxbt (Chainalysis) traced a WHITE marketing wallet to the Zkasino scam. Zkasino raised 10k ETH & team went MIA.
It's highly likely that Chainalysis (Zachxbt) traced Monero transactions to get to the bottom of the WHITE scam. Quote:
I noticed a number of transactions in late Feb to early Mar 2025 where Zkasino funds were sent to an instant exchange and WhiteRock wallets received similar quantities from other instant exchanges via XMR.
The flow chart has no evidence of Zkasino funds that were sent to swap services to buy XMR. If that's how he traced them, then show us the ~60ETH TXs from Zkasino to instant exchanges that preceded the funding of the WHITE wallet so we can verify timing and amounts, no? No, bc that's probably not how he traced them.
WHITE is the same type of scam as EOS. EOS raised $4.1bn (2018), delivered 0, but is going public today as Bullish ("Peter Thiel backed"). Zach won't look into EOS/Bullish, despite being 100x bigger. But he'll trace XMR for WHITE. Paypal mafia, innit?
It's highly likely that Chainalysis (Zachxbt) traced Monero transactions to get to the bottom of the WHITE scam. Quote:
I noticed a number of transactions in late Feb to early Mar 2025 where Zkasino funds were sent to an instant exchange and WhiteRock wallets received similar quantities from other instant exchanges via XMR.
The flow chart has no evidence of Zkasino funds that were sent to swap services to buy XMR. If that's how he traced them, then show us the ~60ETH TXs from Zkasino to instant exchanges that preceded the funding of the WHITE wallet so we can verify timing and amounts, no? No, bc that's probably not how he traced them.
WHITE is the same type of scam as EOS. EOS raised $4.1bn (2018), delivered 0, but is going public today as Bullish ("Peter Thiel backed"). Zach won't look into EOS/Bullish, despite being 100x bigger. But he'll trace XMR for WHITE. Paypal mafia, innit?
π€3π€―2π€‘2π2π1
A quick ICYMI'd update on the only protocol that is not chain analyzable today:
1. In April, Civilware released new Dero binaries that contain new seed nodes and some other updates. Link to Civilware's most recent Dero binaries (141): https://github.com/civilware/derohe/releases/tag/Release141
2. In May, Civilware released a wallet version that patches the wallet payload randomness re-use bug. If you want to review/test the patched wallet and provide feedback you can download it here: https://github.com/civilware/derohe/commit/f5b765417b949f62e19f043d370993db9b837f31
SixofClubs, Dank, Azylem and other community contributors are part of Civilware. If you're new to Dero and want to get started running a node and/or mining, you should be using Civilware's binaries as they are the most recent ones.
UTXO chains (XMR, Zano, ARRR, ZEC) are old tech, both onchain (because of UTXO and single use outputs generated with each transaction) as well as at the network level, which is always TCP based. Their p2p protocols were not designed to resist state actors or well funded actors like Chainalysis/Palantir.
DERO combines homomorphic encryption with the account model for onchain privacy-through-encryption, and UDP (connectionless, no handshake metadata) with erasure coding in its p2p communication protocol. This obfuscates transaction origin and reduces traceable patterns.
1. In April, Civilware released new Dero binaries that contain new seed nodes and some other updates. Link to Civilware's most recent Dero binaries (141): https://github.com/civilware/derohe/releases/tag/Release141
2. In May, Civilware released a wallet version that patches the wallet payload randomness re-use bug. If you want to review/test the patched wallet and provide feedback you can download it here: https://github.com/civilware/derohe/commit/f5b765417b949f62e19f043d370993db9b837f31
SixofClubs, Dank, Azylem and other community contributors are part of Civilware. If you're new to Dero and want to get started running a node and/or mining, you should be using Civilware's binaries as they are the most recent ones.
UTXO chains (XMR, Zano, ARRR, ZEC) are old tech, both onchain (because of UTXO and single use outputs generated with each transaction) as well as at the network level, which is always TCP based. Their p2p protocols were not designed to resist state actors or well funded actors like Chainalysis/Palantir.
DERO combines homomorphic encryption with the account model for onchain privacy-through-encryption, and UDP (connectionless, no handshake metadata) with erasure coding in its p2p communication protocol. This obfuscates transaction origin and reduces traceable patterns.
π₯18π5π€‘3β€1π1π€―1
Another XMR-only hacker goes down, with at least 3 huge hacks attributed to him whose ransoms were collected in XMR. Guy's name is Kai West and he went by the monicker 'IntelBroker'.
In the Palantir controlled press they are saying he got caught because of a $250 BTC transaction in February 2023, before any of the 3 huge hacks between March 2023 and November 2024 had happened. Seriously dudes, so they knew who he was and let him on the loose for 2 years despite that $250 BTC transaction tied to a Ramp account with his driving license being 'how they caught him'?
I read the complaint, and here is what the complaint actually says. Forum user IntelBroker, which was part of a digital ransomware gang, accepted $250 in BTC once in February 2023, and this transaction is used to prove that the identity of Kai West and that of the IntelBroker forum user are connected. That's it. The bulk of his criminal activity however occurred much later. According to the DOJ complaint, there have been at least 4 more high profile victims spanning from March 2023 until December 2024 whose ransoms were collected in XMR.
Since in all the successive breaches he sold the data for XMR, the only way to prove that these ransoms went to Kai West is to be able to trace Monero and see where the money goes. You know, to make sure that ransoms don't go to someone else that has stolen Kai West's identity or that is using Kai West as a front. So either Monero was traced, or it was traced. There is no other way you can attribute those hacks to Kai West without tracing Monero for confirmation that it's actually him and not someone impersonating him. Or someone else inside the gang.
As recently as 2 months ago, Intelbroker gave an interview to Palantir Crime Marketing shill Sam Bent (Bent is the guy that encourages people on social media to commit crimes with XMR). At some point Sam Bent does his favorite crime marketing question. What is your favorite privacy coin, IntelBroker? 'XMR, for the flawless privacy tech' he answers. Woah! Palantir you saw that? Give Sam Bent a raise please.
In the Palantir controlled press they are saying he got caught because of a $250 BTC transaction in February 2023, before any of the 3 huge hacks between March 2023 and November 2024 had happened. Seriously dudes, so they knew who he was and let him on the loose for 2 years despite that $250 BTC transaction tied to a Ramp account with his driving license being 'how they caught him'?
I read the complaint, and here is what the complaint actually says. Forum user IntelBroker, which was part of a digital ransomware gang, accepted $250 in BTC once in February 2023, and this transaction is used to prove that the identity of Kai West and that of the IntelBroker forum user are connected. That's it. The bulk of his criminal activity however occurred much later. According to the DOJ complaint, there have been at least 4 more high profile victims spanning from March 2023 until December 2024 whose ransoms were collected in XMR.
Since in all the successive breaches he sold the data for XMR, the only way to prove that these ransoms went to Kai West is to be able to trace Monero and see where the money goes. You know, to make sure that ransoms don't go to someone else that has stolen Kai West's identity or that is using Kai West as a front. So either Monero was traced, or it was traced. There is no other way you can attribute those hacks to Kai West without tracing Monero for confirmation that it's actually him and not someone impersonating him. Or someone else inside the gang.
As recently as 2 months ago, Intelbroker gave an interview to Palantir Crime Marketing shill Sam Bent (Bent is the guy that encourages people on social media to commit crimes with XMR). At some point Sam Bent does his favorite crime marketing question. What is your favorite privacy coin, IntelBroker? 'XMR, for the flawless privacy tech' he answers. Woah! Palantir you saw that? Give Sam Bent a raise please.
π€£13π¨βπ»3β€2π€‘2π2π©1
Deanonymizing a XMR transaction from X using simple onchain heuristics. Someone forwarded this tweet to me, so I had a look at it. Let's start with what we know:
1. Real spends are recent TXOs (we eliminate super old TXOs)
2. this is a retail transaction, real spends are fragments from the same retail wallet (rest TXOs) and therefore should share transaction heuristics (structure, fees)
3. since it's the same user, they should share other behavioral patterns (day, time zone)
4. the target transaction happened in August 6th, 15:19 UTC, with a fee of 0.000044360000 XMR, with 2 inputs and 2 outputs (retail structure)
With these heuristics I went through the decoys in the TX and added next to each their onchain metadata. Siblings refer to other outputs that were created with that specific output. KIs (key images) refers to the number of inputs in the TX that created that output. The fee is the fee paid in the TX that created the output. In my next post I'll explain how to identify the highly likely real spends.
1. Real spends are recent TXOs (we eliminate super old TXOs)
2. this is a retail transaction, real spends are fragments from the same retail wallet (rest TXOs) and therefore should share transaction heuristics (structure, fees)
3. since it's the same user, they should share other behavioral patterns (day, time zone)
4. the target transaction happened in August 6th, 15:19 UTC, with a fee of 0.000044360000 XMR, with 2 inputs and 2 outputs (retail structure)
With these heuristics I went through the decoys in the TX and added next to each their onchain metadata. Siblings refer to other outputs that were created with that specific output. KIs (key images) refers to the number of inputs in the TX that created that output. The fee is the fee paid in the TX that created the output. In my next post I'll explain how to identify the highly likely real spends.
π₯10π4π€―2π€‘2β€1
Since we know our real spends come from a retail wallet then we rule out all TXOs created in many-to-many or one-to-many transactions. These are the TXOs that have more than one sibling (marked with asterisk). The reason is that the transactions where these TXOs were created are not compatible with normal users because normal user transactions have 2 outputs (receiver and rest). By doing this we eliminate 8 decoys in the first ring and 10 decoys in the second input ring (among which also the oldest).
Next we start looking for TXOs that share a fee with our target transaction. By comparing fees there is only 1 TXO in the first ring that matches our fee, and 2 TXOs in the second ring. We have most likely found the real spend of the first ring. If we look at the time when this candidate TXO was created, it's 13:32 UTC, which is UTC afternoon time of the same day of our target transaction (2h prior). This TXO (from block 3209243) is the first highly likely real spend because it is recent (created 2h earlier), is generated by a user (not program), and uses the same fee structure.
When we look at the 2 candidate TXOs that are left in the second ring (on the right), we notice that one of them was created at 10AM UTC (5h earleir), while the other was created at 14:26 UTC (1h earlier). By following the recency heuristic the most recent TXO is the second real input of the transaction (from block 3209273).
Therefore based on onchain data and what we know from X, the highly likely real spends of this 2 input XMR transaction are the one from block 3209243 and block 3209273.
To find the receiver we need to identify the rest TXO (that stays in user's wallet). One way of doing so would be to monitor the blockchain for when one of those TXOs is included in another transaction in afternoon UTC time that shares the same fee size (or some other pattern). By exclusion, once the rest is found we can get the highly likely receiver.
Ok, so this is what I can do with a simple explorer by applying simple heuristics. Something like Chainalysis can cross reference with other Monero databases and get hits with 100% certainty. Therefore, like I've said for a while, Monero is 100% traceable just like Bitcoin. And by the way, this kind of analysis is not possible on Dero because Dero uses the account model where balances are simply updated (homomorphically), we don't have new outputs created with every transaction. Therefore there is no "recency" heuristic or heuristics like "retail/non retail" that are made possible by the UTXO accounting model such as in the one/many-to-many structure in this case.
Next we start looking for TXOs that share a fee with our target transaction. By comparing fees there is only 1 TXO in the first ring that matches our fee, and 2 TXOs in the second ring. We have most likely found the real spend of the first ring. If we look at the time when this candidate TXO was created, it's 13:32 UTC, which is UTC afternoon time of the same day of our target transaction (2h prior). This TXO (from block 3209243) is the first highly likely real spend because it is recent (created 2h earlier), is generated by a user (not program), and uses the same fee structure.
When we look at the 2 candidate TXOs that are left in the second ring (on the right), we notice that one of them was created at 10AM UTC (5h earleir), while the other was created at 14:26 UTC (1h earlier). By following the recency heuristic the most recent TXO is the second real input of the transaction (from block 3209273).
Therefore based on onchain data and what we know from X, the highly likely real spends of this 2 input XMR transaction are the one from block 3209243 and block 3209273.
To find the receiver we need to identify the rest TXO (that stays in user's wallet). One way of doing so would be to monitor the blockchain for when one of those TXOs is included in another transaction in afternoon UTC time that shares the same fee size (or some other pattern). By exclusion, once the rest is found we can get the highly likely receiver.
Ok, so this is what I can do with a simple explorer by applying simple heuristics. Something like Chainalysis can cross reference with other Monero databases and get hits with 100% certainty. Therefore, like I've said for a while, Monero is 100% traceable just like Bitcoin. And by the way, this kind of analysis is not possible on Dero because Dero uses the account model where balances are simply updated (homomorphically), we don't have new outputs created with every transaction. Therefore there is no "recency" heuristic or heuristics like "retail/non retail" that are made possible by the UTXO accounting model such as in the one/many-to-many structure in this case.
π₯13π€‘5π«‘5π3π©3π€―2
Here is a recap of the top privacy coin tracing heuristics, and how vulnerable different privacy coins are to each method. As you can see, none of the top heuristics works on DERO because of its choice to use the account model with homomorphic encryption, and on the transport layer to resort to UDP over TLS and erasure coding.
The weakest privacy coin where an attacker can employ the biggest number of heuristics, Monero, has the highest market cap. Almost as if some companies (Palantir? Chainalysis? TRM Labs?) are inflating its valuation, and promoting it with crime marketing, exactly because it can be traced.
The weakest privacy coin where an attacker can employ the biggest number of heuristics, Monero, has the highest market cap. Almost as if some companies (Palantir? Chainalysis? TRM Labs?) are inflating its valuation, and promoting it with crime marketing, exactly because it can be traced.
π₯16π€‘7π€―3π€1π1π―1
π¨The privacy community has a right to know that a core developer of Pirate Chain doesn't know that his own chain is a UTXO chain.
That's not a minor misunderstanding so I can't help but wonder, how can he not know? One explanation I've heard, which sounds plausible, is that Forge simply forked the ARRR codebase from Zcash so he has no deep understanding of it.
The UTXO heuristic with respect to ARRR stands and is not weak. Even though links between inputs and outputs are broken onchain with ZK proofs, these can be unmasked by applying transport layer heuristics. When a user creates a transaction, the wallet generates new outputs (notes) and zk-SNARK proofs. It then broadcasts everything: the nullifiers of the spent inputs, the new notes, and the zk-SNARKs to the network.
By checking for the node/IP that first broadcasts a group of nullifiers and new notes, we can correlate nullifiers to new outputs created and learn if the outputs come from a consolidation, one to many, or many to many transaction.
That's not a minor misunderstanding so I can't help but wonder, how can he not know? One explanation I've heard, which sounds plausible, is that Forge simply forked the ARRR codebase from Zcash so he has no deep understanding of it.
The UTXO heuristic with respect to ARRR stands and is not weak. Even though links between inputs and outputs are broken onchain with ZK proofs, these can be unmasked by applying transport layer heuristics. When a user creates a transaction, the wallet generates new outputs (notes) and zk-SNARK proofs. It then broadcasts everything: the nullifiers of the spent inputs, the new notes, and the zk-SNARKs to the network.
By checking for the node/IP that first broadcasts a group of nullifiers and new notes, we can correlate nullifiers to new outputs created and learn if the outputs come from a consolidation, one to many, or many to many transaction.
π13π6π€―5π€‘3π₯±3π2π€ͺ1
After reading this reply, I'm now really concerned about the expertise of the people working on Pirate Chain. Despite my explanation, their team still completely misses the vulnerability of UTXO heuristics when applied to their chain.
In my next post I will publish an ordered rebuttal of Pirate Chain teams's latest response...
In my next post I will publish an ordered rebuttal of Pirate Chain teams's latest response...
π€£6π6π
2π1π€―1π€‘1
Techleaks24 π΅πΈ
After reading this reply, I'm now really concerned about the expertise of the people working on Pirate Chain. Despite my explanation, their team still completely misses the vulnerability of UTXO heuristics when applied to their chain. In my next post I willβ¦
1. I'm glad they acknowledge ARRR is technically a UTXO chain.
2. Because ARRR is UTXO, in each transaction new shielded notes (outputs) are created locally, together with the zk-SNARK proof. Then the nullifiers of the spent inputs, the zk-SNARK proof and the newly created notes are broadcast together from the sender's wallet to the wider network.
3. While the linkage between shielded notes and nullifiers created with each transaction is broken once they are published onchain, links can be revealed by spying who broadcast them first (through network layer heuristics).
4. "Transport layer applies to every other chain" - Not true. Not all chains have a transport layer that allows tracking who broadcast a transaction first. VPN, TOR are not a solution as they are easy to compromise for a state actor. The only privacy coin I know that eliminates transport layer heuristics is Dero. Dero does it not by telling users to use a VPN or Tor, but by using UDP over TLS with erasure coding. On Dero, even if the user doesn't use a VPN/TOR, other nodes can't tell which node a transaction originated from.
5. If the accounting model wasn't UTXO, then there would be nothing to leak. Since Pirate is UTXO a user/entity has to broadcast different amounts of nullifiers and new notes depending on the transaction type.
6. By exploiting transport layer heuristics, and monitoring the amount of nullifiers and new notes published by a wallet/user node, we get not only the transaction's origin but also behavioral information on the sender (from the transaction structure, such as consolidation transaction, one to many or many to many).
7. Even when it comes to UTXO, I'd happily mention another coin but the only coin to have eliminated UTXO heuristics is Dero which does it by using the account model. So even if Dero was using Pirate Chain's weak p2p communication protocol, you still wouldn't be able to glean behavioral information such as those provided by one to many or many to many transactions because Dero's accounting model is not UTXO.
To conclude, like explained in my infographic (check pinned), UTXO heuristics apply to ARRR and reveal a lot of information on senders. Stating the contrary would be malicious towards all those naΓ―ve users that rely on ARRR for privacy.
2. Because ARRR is UTXO, in each transaction new shielded notes (outputs) are created locally, together with the zk-SNARK proof. Then the nullifiers of the spent inputs, the zk-SNARK proof and the newly created notes are broadcast together from the sender's wallet to the wider network.
3. While the linkage between shielded notes and nullifiers created with each transaction is broken once they are published onchain, links can be revealed by spying who broadcast them first (through network layer heuristics).
4. "Transport layer applies to every other chain" - Not true. Not all chains have a transport layer that allows tracking who broadcast a transaction first. VPN, TOR are not a solution as they are easy to compromise for a state actor. The only privacy coin I know that eliminates transport layer heuristics is Dero. Dero does it not by telling users to use a VPN or Tor, but by using UDP over TLS with erasure coding. On Dero, even if the user doesn't use a VPN/TOR, other nodes can't tell which node a transaction originated from.
5. If the accounting model wasn't UTXO, then there would be nothing to leak. Since Pirate is UTXO a user/entity has to broadcast different amounts of nullifiers and new notes depending on the transaction type.
6. By exploiting transport layer heuristics, and monitoring the amount of nullifiers and new notes published by a wallet/user node, we get not only the transaction's origin but also behavioral information on the sender (from the transaction structure, such as consolidation transaction, one to many or many to many).
7. Even when it comes to UTXO, I'd happily mention another coin but the only coin to have eliminated UTXO heuristics is Dero which does it by using the account model. So even if Dero was using Pirate Chain's weak p2p communication protocol, you still wouldn't be able to glean behavioral information such as those provided by one to many or many to many transactions because Dero's accounting model is not UTXO.
To conclude, like explained in my infographic (check pinned), UTXO heuristics apply to ARRR and reveal a lot of information on senders. Stating the contrary would be malicious towards all those naΓ―ve users that rely on ARRR for privacy.
π―10π€£3π₯2π€―2π2β€1π1π€‘1
Three researchers from the Technische UniversitΓ€t of Berlin and TRM Labs, released a paper in May explaining why Haveno crosschain swaps are not private.
By using UTXO, timing and transaction fee heuristics, and combining these with Haveno's public trade history, they were able to create a system to completely deanonymize Haveno XMR-BTC crosschain trades. Here is a quick breakdown of how these heuristics are used:
1. Fee heuristic: Haveno uses an unusually high fee for its transactions, such as when initiating security deposits (whenever a trade is taken).
2. UTXO heuristic 1 (2->2 high fee transaction): Since security deposits happen in pairs, using the fee heuristic to look for pairs of transactions where outputs are mined in the same block creates leads of potential Haveno trades.
3. UTXO heuristic 2 (cluster analysis): Once a trade is completed successfully, Haveno releases the security deposits in a single high fee transaction, where one of the outputs goes to the taker and one to the maker. So next they look for 2 of the outputs from the previous transactions to appear together as inputs in a new transaction.
4. Timing heuristic 1: Since Haveno trades (offchain wrt XMR) must be completed within 24h, the second transaction (UTXO heuristic 2) must happen in less than 24h
5. Timing heuristic 2: Haveno publishes its trade history by obfuscating amounts by +-5%, therefore by looking up the transaction history and time, and analysing the BTC chain for transactions in the same amount in the obfuscation window, they expose the BTC transaction involved in a specific trade.
Not much else to say, just that when they tell you buy XMR on Haveno to go dark, you're not really going dark. Any KYC data (home address, photo of you holding your ID) tied to your BTC address is now transferred to your XMR outputs.
This attack combines many heuristics (UTXO, fee, timing) with information exposed by relying on a semi-centralized third party Haveno, such as trade amounts and time, to deanonymize all cross chain swaps.
By using UTXO, timing and transaction fee heuristics, and combining these with Haveno's public trade history, they were able to create a system to completely deanonymize Haveno XMR-BTC crosschain trades. Here is a quick breakdown of how these heuristics are used:
1. Fee heuristic: Haveno uses an unusually high fee for its transactions, such as when initiating security deposits (whenever a trade is taken).
2. UTXO heuristic 1 (2->2 high fee transaction): Since security deposits happen in pairs, using the fee heuristic to look for pairs of transactions where outputs are mined in the same block creates leads of potential Haveno trades.
3. UTXO heuristic 2 (cluster analysis): Once a trade is completed successfully, Haveno releases the security deposits in a single high fee transaction, where one of the outputs goes to the taker and one to the maker. So next they look for 2 of the outputs from the previous transactions to appear together as inputs in a new transaction.
4. Timing heuristic 1: Since Haveno trades (offchain wrt XMR) must be completed within 24h, the second transaction (UTXO heuristic 2) must happen in less than 24h
5. Timing heuristic 2: Haveno publishes its trade history by obfuscating amounts by +-5%, therefore by looking up the transaction history and time, and analysing the BTC chain for transactions in the same amount in the obfuscation window, they expose the BTC transaction involved in a specific trade.
Not much else to say, just that when they tell you buy XMR on Haveno to go dark, you're not really going dark. Any KYC data (home address, photo of you holding your ID) tied to your BTC address is now transferred to your XMR outputs.
This attack combines many heuristics (UTXO, fee, timing) with information exposed by relying on a semi-centralized third party Haveno, such as trade amounts and time, to deanonymize all cross chain swaps.
π₯6π€£4π€―1π€‘1π1
Privacy activist Derolytics has just released a Dero explorer for all transactions between January 2022 and July 2025. By exploiting the randomness reuse bug, Derolytics has brute forced amounts, sender and receiver (where possible) of all Dero transactions conducted with the first generation Dero wallets.
Did this reveal an inflation bug? No.
Derolytics findings prove Dero's bulletproofs, the most critical component of any privacy coin, work as intended and have no known or unknown vulnerabilities.
Is there a protocol privacy flaw? No.
His work exploits a wallet bug. Transactions were deanonymized through bruteforce bc all Dero wallets to date re-use randomness. These transactions were NOT deanonymized
bc of a protocol weakness or flaw.
Will future transactions with new wallets be affected? No.
All transactions with new wallets that don't reuse
randomness will be immune against all the heuristics used to trace Monero & other UTXO privacy chains (ie the most private in crypto today).
Did this reveal an inflation bug? No.
Derolytics findings prove Dero's bulletproofs, the most critical component of any privacy coin, work as intended and have no known or unknown vulnerabilities.
Is there a protocol privacy flaw? No.
His work exploits a wallet bug. Transactions were deanonymized through bruteforce bc all Dero wallets to date re-use randomness. These transactions were NOT deanonymized
bc of a protocol weakness or flaw.
Will future transactions with new wallets be affected? No.
All transactions with new wallets that don't reuse
randomness will be immune against all the heuristics used to trace Monero & other UTXO privacy chains (ie the most private in crypto today).
π13π±4π4π―4π€£4π€‘3π€―1π1
Bulletproofs verify (without seeing balances, "zero knowledge" proofs) that Alice, with a balance of 10, cannot send Bob 10M coins. In privacy coins they are extremely important because they make sure the tokenomics are respected and the supply isn't inflated by minting illegal coins.
We've seen bulletproof exploits in the following projects:
1. Haven, where the amount of illegal coins in circulation turned out to be over 400M. This was more than 10 times the official circulating supply based on the emissions schedule. Haven was forced to shut down
2. Zephyr (16M minted)
3. Salvium (10M minted)
4. Xelis (team refuses to do a supply audit so we don't know the amount minted)
A bug in bulletproofs is fatal because exploits are very difficult to detect since balances are hidden and as result network participants can't detect the extra coins just by inspecting the blockchain (like they can do with Bitcoin and other transparent chains).
Dero's rocket bulletproofs are tailored to Dero's account based model and its integration with smart contracts. Rocket bulletproofs are undocumented anywhere in literature, they are first of their kind and released for the first time on Dero in 2022.
Considering how advanced Dero's bulletproofs are, and the risks of a bug in anything that is new and cutting edge, it makes sense that Captain released them in 2022 with a mechanism in place to detect a potential bulletproof exploit. To be clear, this is my opinion. Captain himself has not commented on the bug so far.
A counterargument I've heard is that this still makes him incompetent because someone could have built a custom wallet without randomness reuse to exploit BPs in case of a bug. Yes, they could have, but that would have also been detectable. Yet nobody had created such wallet until at least May 2024.
Derolytics' explorer exploits RR to deanonymize, among others, transaction amounts. It has done this for all transactions from genesis to date, and nothing indicative of a BP exploit has been found. Dero's rocket bulletproofs are, therefore, proven to be safe and bug free as of today.
Can randomness reuse (RR) be considered a backdoor by Captain? No, because RR was placed in Dero's wallet and the wallet has a warning stating that it is to be used for testing purposes only. Anyone who used Dero's CLI wallet even once saw the warning.
The reason we refer to RR as a bug is that those outside Captain who found and publicised it decided to disclose RR as a bug. This most likely because they couldn't comprehend the rationale behind RR.
Does RR tarnish Dero's reputation? RR cements Captain as someone that cares not only about innovation but also security. Releasing such advanced bulletproofs without an auditing mechanism on a chain that already had 12M coins in circulation would have been reckless from a security point of view.
To this day, Dero's protocol is the most advanced privacy protocol in existence because it is immune to all the key image, UTXO, transport layer and recency heuristics that are used to successfully deanonymize Monero and other UTXO privacy coins. The combination of the account model with homomorphic encryption, and UDP with TLS and erasure coding in the transport layer, eliminates all those heuristics at once.
We've seen bulletproof exploits in the following projects:
1. Haven, where the amount of illegal coins in circulation turned out to be over 400M. This was more than 10 times the official circulating supply based on the emissions schedule. Haven was forced to shut down
2. Zephyr (16M minted)
3. Salvium (10M minted)
4. Xelis (team refuses to do a supply audit so we don't know the amount minted)
A bug in bulletproofs is fatal because exploits are very difficult to detect since balances are hidden and as result network participants can't detect the extra coins just by inspecting the blockchain (like they can do with Bitcoin and other transparent chains).
Dero's rocket bulletproofs are tailored to Dero's account based model and its integration with smart contracts. Rocket bulletproofs are undocumented anywhere in literature, they are first of their kind and released for the first time on Dero in 2022.
Considering how advanced Dero's bulletproofs are, and the risks of a bug in anything that is new and cutting edge, it makes sense that Captain released them in 2022 with a mechanism in place to detect a potential bulletproof exploit. To be clear, this is my opinion. Captain himself has not commented on the bug so far.
A counterargument I've heard is that this still makes him incompetent because someone could have built a custom wallet without randomness reuse to exploit BPs in case of a bug. Yes, they could have, but that would have also been detectable. Yet nobody had created such wallet until at least May 2024.
Derolytics' explorer exploits RR to deanonymize, among others, transaction amounts. It has done this for all transactions from genesis to date, and nothing indicative of a BP exploit has been found. Dero's rocket bulletproofs are, therefore, proven to be safe and bug free as of today.
Can randomness reuse (RR) be considered a backdoor by Captain? No, because RR was placed in Dero's wallet and the wallet has a warning stating that it is to be used for testing purposes only. Anyone who used Dero's CLI wallet even once saw the warning.
The reason we refer to RR as a bug is that those outside Captain who found and publicised it decided to disclose RR as a bug. This most likely because they couldn't comprehend the rationale behind RR.
Does RR tarnish Dero's reputation? RR cements Captain as someone that cares not only about innovation but also security. Releasing such advanced bulletproofs without an auditing mechanism on a chain that already had 12M coins in circulation would have been reckless from a security point of view.
To this day, Dero's protocol is the most advanced privacy protocol in existence because it is immune to all the key image, UTXO, transport layer and recency heuristics that are used to successfully deanonymize Monero and other UTXO privacy coins. The combination of the account model with homomorphic encryption, and UDP with TLS and erasure coding in the transport layer, eliminates all those heuristics at once.
β€13π4π€2π€‘2π―1π¨βπ»1
How do DNM admins launder their profits with Monero? I will tell you in the next paragraph, but first let me announce that another Darknet Market has shut down, this time it's Abacus market. Abacus used both BTC and XMR.
Per TRM Labs: Faced with the decision between profit-seeking and self-preservation, Abacus's admins likely chose the latter.
Monero, despite being the weakest privacy coin, has been promoted for years by influencers bribed by unknown sources as the "most private cryptocurrency out there today" (a good example).
This led XMR to take market share from BTC and become (for a while) the favorite money laundering cryptocurrency of DNM admins. The Abacus voluntary shutdown suggests that DNM admins may have finally figured out there is no way out of the hole they've dug themselves in, even for a Monero chan.
Here is how DNM admins laundered profits with XMR:
1. Receive payments in BTC or LTC (for sales or ransoms in BTC or LTC).
2. Take this money and swap it for XMR through a non KYC swap service like FixedFloat.
3. To be safe bro, don't send this XMR straight to Binance but use an intermediary wallet first.
4. Then send it to Binance and cash out because Monero is untraceable. cough cough
They still got caught because Monero is not untraceable.
I will refer to any admin that has been exposed to use this scheme to launder profits as "Chan" because they're obviously a product of the Monero Chan gets away with it narrative.
Now let's see what has come out since February 2024 alone:
π¨March 2024: Incognito Chan arrested (who btw has pled guilty since)
πbut muh heuristics are probabilistic, they don't hold up in court!!
π¨April 2024: Vestaanmo Chan arrest
πbut it was bad opsec, he had to send to yet another address before Binance!!
π¨September 2024: Chainalysis video pitching XMR tracing to the IRS leaked on the web showing how they traced the XMR of a Colombian Chan after 4 hops without ever depositing to a CEX.
πbut bad opsec, he had to use his own node!!
π¨July 2025: Yours only traces a XMR transaction using a simple XMR explorer regardless of any user OpSec
πWait for FCMP++!!
π¨October 2024: Dutch Police takes down Cannabia/Bohemia and posts banner with names of 58 users that were arrested (probably all Monero Chans)
πThe image is AI generated, they're not real!! (yes they are)
π¨October 2024: Yuta Kobayashi Chan arrested by the Japanese police.
π¨June 2025: Intelbroker Monero only hacker (Chan?) arrested
π¨June 2025: Archetyp DNM taken down
π¨July 2025: Abacus DNM shuts down (or maybe it's been taken down? Time will tell).
Per TRM Labs: Faced with the decision between profit-seeking and self-preservation, Abacus's admins likely chose the latter.
Monero, despite being the weakest privacy coin, has been promoted for years by influencers bribed by unknown sources as the "most private cryptocurrency out there today" (a good example).
This led XMR to take market share from BTC and become (for a while) the favorite money laundering cryptocurrency of DNM admins. The Abacus voluntary shutdown suggests that DNM admins may have finally figured out there is no way out of the hole they've dug themselves in, even for a Monero chan.
Here is how DNM admins laundered profits with XMR:
1. Receive payments in BTC or LTC (for sales or ransoms in BTC or LTC).
2. Take this money and swap it for XMR through a non KYC swap service like FixedFloat.
3. To be safe bro, don't send this XMR straight to Binance but use an intermediary wallet first.
4. Then send it to Binance and cash out because Monero is untraceable. cough cough
They still got caught because Monero is not untraceable.
I will refer to any admin that has been exposed to use this scheme to launder profits as "Chan" because they're obviously a product of the Monero Chan gets away with it narrative.
Now let's see what has come out since February 2024 alone:
π¨March 2024: Incognito Chan arrested (who btw has pled guilty since)
πbut muh heuristics are probabilistic, they don't hold up in court!!
π¨April 2024: Vestaanmo Chan arrest
πbut it was bad opsec, he had to send to yet another address before Binance!!
π¨September 2024: Chainalysis video pitching XMR tracing to the IRS leaked on the web showing how they traced the XMR of a Colombian Chan after 4 hops without ever depositing to a CEX.
πbut bad opsec, he had to use his own node!!
π¨July 2025: Yours only traces a XMR transaction using a simple XMR explorer regardless of any user OpSec
πWait for FCMP++!!
π¨October 2024: Dutch Police takes down Cannabia/Bohemia and posts banner with names of 58 users that were arrested (probably all Monero Chans)
πThe image is AI generated, they're not real!! (yes they are)
π¨October 2024: Yuta Kobayashi Chan arrested by the Japanese police.
π¨June 2025: Intelbroker Monero only hacker (Chan?) arrested
π¨June 2025: Archetyp DNM taken down
π¨July 2025: Abacus DNM shuts down (or maybe it's been taken down? Time will tell).
π₯10β€2π€£2π1π€―1
Techleaks24 π΅πΈ
Xelis is officially an inflation bug scam. This is not a small scam. Today, after a 90% correction, Xelis has a FDV of $61M. Evidence strongly suggest the Xelis team itself exploited the bug, meaning that they're well funded having sold minted coins at $610Mβ¦
π¨Derolytics is promoting Xelis. In the past I've shared full evidence that Xelis is a fraud (inflation scam, unlimited supply attack like Haven): post 1, post 2. Supporting Xelis makes Derolytics a proven malicious actor.
I advise against using or visiting derolytics[.]com. Here are some risks:
1οΈβ£ log your searches, and if your IP is associated to a DERO node he could try to correlate your DERO node to your onchain address for when you broadcast transactions (something otherwise impossible on DERO because of UDP over TLS and erasure coding)
2οΈβ£ planning to use the site to spread malware in the future (once trust builds up)
3οΈβ£ he could be farming data for another type of attack vector we're not even aware of
The best defense is to not interact with the website at all.
Anyone who spent so much time building such explorer cannot pretend to not know that Xelis is an inflation scam. If they do, that proves they're 100% a malicious actor themselves.
The website is also quite pointless. We've known for a long time that the bug allows bruteforcing of transactions and Dero should be considered fully traceable until new wallets that don't have randomness reuse are released.
I advise against using or visiting derolytics[.]com. Here are some risks:
1οΈβ£ log your searches, and if your IP is associated to a DERO node he could try to correlate your DERO node to your onchain address for when you broadcast transactions (something otherwise impossible on DERO because of UDP over TLS and erasure coding)
2οΈβ£ planning to use the site to spread malware in the future (once trust builds up)
3οΈβ£ he could be farming data for another type of attack vector we're not even aware of
The best defense is to not interact with the website at all.
Anyone who spent so much time building such explorer cannot pretend to not know that Xelis is an inflation scam. If they do, that proves they're 100% a malicious actor themselves.
The website is also quite pointless. We've known for a long time that the bug allows bruteforcing of transactions and Dero should be considered fully traceable until new wallets that don't have randomness reuse are released.
π9π₯4π©1π€1
Techleaks24 π΅πΈ
If privacy is a niche, then why does almost everyone use a pseudonym online? Why do people share fake countries, fake names, fake ages, and fake professions when chatting online? Privacy is an instinct, just like sex. We don't need Naomi Campbell to promoteβ¦
Are you ready for crypto's Snowden moment? In early 2013 the consensus was that encryption was pointless for the average Joe and mostly something for activists, journalists and criminals.
Nobody cares about your messages, Billy. They do those things only to criminals and terrorists, not people like you
But then when Snowden happened and his NSA leaks were dropped, everyone realised that global mass surveillance was real.
That single event created, overnight, the multi-billion dollar encrypted messaging app market. The shift was lightning fast and that's when Signal started gaining momentum and when Telegram was created.
If when Snowden informed the world of PRISM and xKeyscore someone came to you offering an encrypted but compliant messaging app where encryption can be revoked only by law enforcement, would that have qualmed your surveillance worries? I don't think so.
In 2013, "only law enforcement with a warrant can access your messages" stopped working for messaging apps, everyone realized that was code for mass surveillance. As result people started flocking into encrypted messaging apps like Signal and Telegram. The momentum was so strong that even established messaging apps, like Whatsapp, had to eventually give up and offer end to end encryption to be able to compete and survive.
I think we will see the same in crypto although the whistleblower here will most likely involve something like Palantir's Foundery of Crypto and will reveal how everyone that ever completed KYC in a CEX has their entire financially history recorded in a Palantir (or competitor) database.
Everyone will find out that the KYC documentation, such as a photo of the user holding their driving license, and their entire transaction history from chain to chain and even passing through so called "non KYC exchanges", is contained and updated in a Palantir database.
The whistleblower may also reveal how Foundry of Crypto can reverse dox social media users from addresses they shared on social media (to participate in an airdrop or to receive a tip). This allows profiling based on political views or other information shared on social media. Said information is then used to determine police response time in case of emergency at their address, or to profile them for employment, scholarships, visas etc.
When that Snowden moment comes, which I think is going to be soon, a trillion dollar market for a private-through-encryption cryptocurrency will be created overnight. That's why you should not sleep on privacy and on trying to hunt down the strongest privacy tech out there today (spoiler: it's not XMR, ARRR, or ZEC, or any of the VC-funded compliant L2s).
Contrary to what they tell you on MSM, people care a lot about privacy. Privacy is an instinct that no amount of money, psychological manipulation or delusional billionaires shouting I-don't-think-so can take away from human nature.
P.S.: Kryptoid has released a pre-compiled beta of the DERO CLI wallet with fixed randomness reuse. It is a pre-release but much more accessible for anyone wanting to test the beta since it's pre-compiled. This also means we're getting really close to a beta release that would allow anyone to leverage the full capabilities of the most advanced privacy protocol out there today.
Nobody cares about your messages, Billy. They do those things only to criminals and terrorists, not people like you
But then when Snowden happened and his NSA leaks were dropped, everyone realised that global mass surveillance was real.
That single event created, overnight, the multi-billion dollar encrypted messaging app market. The shift was lightning fast and that's when Signal started gaining momentum and when Telegram was created.
If when Snowden informed the world of PRISM and xKeyscore someone came to you offering an encrypted but compliant messaging app where encryption can be revoked only by law enforcement, would that have qualmed your surveillance worries? I don't think so.
In 2013, "only law enforcement with a warrant can access your messages" stopped working for messaging apps, everyone realized that was code for mass surveillance. As result people started flocking into encrypted messaging apps like Signal and Telegram. The momentum was so strong that even established messaging apps, like Whatsapp, had to eventually give up and offer end to end encryption to be able to compete and survive.
I think we will see the same in crypto although the whistleblower here will most likely involve something like Palantir's Foundery of Crypto and will reveal how everyone that ever completed KYC in a CEX has their entire financially history recorded in a Palantir (or competitor) database.
Everyone will find out that the KYC documentation, such as a photo of the user holding their driving license, and their entire transaction history from chain to chain and even passing through so called "non KYC exchanges", is contained and updated in a Palantir database.
The whistleblower may also reveal how Foundry of Crypto can reverse dox social media users from addresses they shared on social media (to participate in an airdrop or to receive a tip). This allows profiling based on political views or other information shared on social media. Said information is then used to determine police response time in case of emergency at their address, or to profile them for employment, scholarships, visas etc.
When that Snowden moment comes, which I think is going to be soon, a trillion dollar market for a private-through-encryption cryptocurrency will be created overnight. That's why you should not sleep on privacy and on trying to hunt down the strongest privacy tech out there today (spoiler: it's not XMR, ARRR, or ZEC, or any of the VC-funded compliant L2s).
Contrary to what they tell you on MSM, people care a lot about privacy. Privacy is an instinct that no amount of money, psychological manipulation or delusional billionaires shouting I-don't-think-so can take away from human nature.
P.S.: Kryptoid has released a pre-compiled beta of the DERO CLI wallet with fixed randomness reuse. It is a pre-release but much more accessible for anyone wanting to test the beta since it's pre-compiled. This also means we're getting really close to a beta release that would allow anyone to leverage the full capabilities of the most advanced privacy protocol out there today.
π₯17π―7π€―2π€£2π1π©1
What if Dandelion was introduced to compromise Monero's p2p network, not to make it more private? The official explanation is that Dandelion++ makes it more difficult for surveillance actors to identify the node that broadcast a transaction first.
This is achieved by opting for a sequence where the node that first creates a transaction chooses a single node to broadcasts it to (stem phase), instead of sending it to all nodes it's connected to. That second node that receives the stem transaction can also broadcast it to another single node or can move to the fluff phase where it broadcasts it to all connected nodes. Each node in the stem phase makes a probabilistic decision about whether to continue the stem phase by picking another single node or to just fluff it (ending the stem phase).
The process through which that first node is picked is crucial. The narrative is that Dandelion picks a random node, but in practice that's not the case. Stem phase peers come from a subset of healthy and connected nodes. Healthy here is defined through parameters such as good historical uptime and low latency.
Which nodes are more likely to be healthy, user nodes or industrial surveillance nodes? Which nodes are more likely to have low latency, user nodes or industrial surveillance nodes? Which nodes are more likely to have a good uptime, user nodes or industrial surveillance nodes?
Industrial surveillance nodes.
Chainalysis and its partners could therefore set up a network of high performing nodes, with low latency and high uptime, ensuring they have very high odds of being picked as first nodes by Monero. This would give them all relevant onchain metadata even for transactions of users running their own node.
Because of Dandelion, a strong (sub)network of well connected nodes could compromise the entire p2p network by skewing first hop odds in their favor through manipulated performance metrics. Dandelion would feed all first hops to the compromised nodes, due to their high reliability from a technical point of view.
So was Dandelion really an upgrade, or a successfully implemented attack on network layer privacy?
This is achieved by opting for a sequence where the node that first creates a transaction chooses a single node to broadcasts it to (stem phase), instead of sending it to all nodes it's connected to. That second node that receives the stem transaction can also broadcast it to another single node or can move to the fluff phase where it broadcasts it to all connected nodes. Each node in the stem phase makes a probabilistic decision about whether to continue the stem phase by picking another single node or to just fluff it (ending the stem phase).
The process through which that first node is picked is crucial. The narrative is that Dandelion picks a random node, but in practice that's not the case. Stem phase peers come from a subset of healthy and connected nodes. Healthy here is defined through parameters such as good historical uptime and low latency.
Which nodes are more likely to be healthy, user nodes or industrial surveillance nodes? Which nodes are more likely to have low latency, user nodes or industrial surveillance nodes? Which nodes are more likely to have a good uptime, user nodes or industrial surveillance nodes?
Industrial surveillance nodes.
Chainalysis and its partners could therefore set up a network of high performing nodes, with low latency and high uptime, ensuring they have very high odds of being picked as first nodes by Monero. This would give them all relevant onchain metadata even for transactions of users running their own node.
Because of Dandelion, a strong (sub)network of well connected nodes could compromise the entire p2p network by skewing first hop odds in their favor through manipulated performance metrics. Dandelion would feed all first hops to the compromised nodes, due to their high reliability from a technical point of view.
So was Dandelion really an upgrade, or a successfully implemented attack on network layer privacy?
π₯17π€―2π1π€1
It has never been easier and cheaper to start mining Dero. If you want to mine some coins (you can mine dero with anything because it has the most egalitarian CPU algo in crypto) here's how to get started in less than 4h:
STEP 1: Download Civilware Dero binaries for your OS
STEP 2: Launch daemon (the node) with --fastsync. Fastsync takes 2-3h to complete and works for solo mining. Commands to launch with fastsync for Windows and Mac:
- Windows: ./derod-windows-amd64.exe --fastsync
- Mac: ./derod-darwin --fastsync
NB: Fastsync must be done from scratch, so if you already started a full sync delete the mainnet folder and start fastsync from scratch
STEP 3: Launch the CLI wallet and register an address (1 time process, should take 20-30 minutes)
STEP 4: Save your address and launch the miner with the following commands (Mac & Windows):
- Windows: ./dero-miner-windows-amd64 --wallet-address=<insert your address> --daemon-rpc-address=127.0.0.1:10100 --mining-threads=<number of threads>
- Mac: ./dero-miner-darwin --wallet-address=<insert your address> --daemon-rpc-address=127.0.0.1:10100 --mining-threads=<number of threads>
That's it, you're done and officially mining the most advanced privacy protocol out there. Btw for number of threads I put 3 (mining on my laptop), the more you put the more CPU it uses so increase/decrease based on what you're comfortable with.
We're still in the Satoshi era of Dero (1st halving in January 2026), so happy mining to all who jump in!
PS: If you want to optimize your hashrate further then use Tritonn's Dero miner, which you can find here.
STEP 1: Download Civilware Dero binaries for your OS
STEP 2: Launch daemon (the node) with --fastsync. Fastsync takes 2-3h to complete and works for solo mining. Commands to launch with fastsync for Windows and Mac:
- Windows: ./derod-windows-amd64.exe --fastsync
- Mac: ./derod-darwin --fastsync
NB: Fastsync must be done from scratch, so if you already started a full sync delete the mainnet folder and start fastsync from scratch
STEP 3: Launch the CLI wallet and register an address (1 time process, should take 20-30 minutes)
STEP 4: Save your address and launch the miner with the following commands (Mac & Windows):
- Windows: ./dero-miner-windows-amd64 --wallet-address=<insert your address> --daemon-rpc-address=127.0.0.1:10100 --mining-threads=<number of threads>
- Mac: ./dero-miner-darwin --wallet-address=<insert your address> --daemon-rpc-address=127.0.0.1:10100 --mining-threads=<number of threads>
That's it, you're done and officially mining the most advanced privacy protocol out there. Btw for number of threads I put 3 (mining on my laptop), the more you put the more CPU it uses so increase/decrease based on what you're comfortable with.
We're still in the Satoshi era of Dero (1st halving in January 2026), so happy mining to all who jump in!
PS: If you want to optimize your hashrate further then use Tritonn's Dero miner, which you can find here.
β8π―6π4π«‘3β€1π1