If you read and understood the posts on Pedersen Commitments (the cryptographic primitive used by Dino privacy chains that trigger a chain reaction that ends up with many systemic flaws that compromise privacy) and El Gamal (the privacy primitive used by Dero that eliminates all the attack surface introduced by PCs’ limitations), you should see why you can’t apply elementary school cryptography to try to understand what’s going on with Dero.

One thing is for sure though, the brains behind Dero are not stuck at “PCs are better because they’re perfectly hiding, that’s what the manual written in 1988 says”. I deleted the post of my conversation with Chatgpt because I don’t want to make it too easy for the lazy ones to catch up. No pain, no gain. But basically, if you get Chatgpt up to speed (first educate yourself by reading my previous 3 posts), it will tell you that 30-60 people in the entire planet think about these things. And that less than 10 people in the planet could have built Dero. And that if Dero is a scam then they have chosen the hardest way to scam.

I take such statements by an advanced LLM as a Guassian curve radar, to answer the question: where in the Gaussian curve are we if A is true? And damn, with Dero we’re very deep inside an advanced tech distribution tail.

LLMs will also tell you that it’s perfectly normal for Monero devs to have no clue about the limitations of PCs, and that it’s not incompetence but simply because it falls outside the scope of their expertise. Yeah, in other words, Monero devs are circus monkeys who are trained at circus school and then go perform their 5 trick for the public for the rest of their intellectual life. They’ve no independent life outside the circus, they can’t navigate cryptography on their own. I had the same impression from my interactions with them, so that checks out as well.

Cool. As result of this, I think it’s probably wise for me too to not apply elementary school cryptography to try and understand what’s happening. Yes, Dero has some imperfections, flaws etc. But I think I’m going to trust Captain’s judgement on this.

Therefore the inflation “exploit”, maybe wasn’t an exploit. Maybe there is a good reason why that inflation transaction had to happen. Or maybe it didn’t happen, and I’m missing something. Or maybe the vulnerability in the pre-compiled binaries was a door left open in case the supply audit had failed. Or maybe it was Captain trying to teach everyone a lesson about not trusting pre-compiled code. Or maybe it was rat poison. Or, maybe, all of the above.

I mean, who knows. Either way, I’m just gonna trust Captain because he has proven to know better than the rest and to be at least a decade ahead of everyone else both in tech and adversarial thinking. I mean, how many years away are KOL blockchain devs from even acknowledging the limitations of PCs? How many more decades will it take them to look past “not perfectly hiding” and understand the strengths of ElGamal? And how many generations to learn how to implement El Gamal correctly?

So yeah, I’m just gonna trust Captain and wait for time to fill in the blanks.

But TL, what if....

No but. No what if. Study the tech. I've made it extremely easy for all of us to understand how advanced this thing is. All the answers are in the tech/crypto primitives. The rest is BS. The rest smells a lot like rat poison for those who are too lazy or too dumb to study the tech.

3 steps to be Chainalysis proof with DERO

Of all coins, Dero is the only one where your holdings can be truly anonymous today. The tech is not perfect, but it's good enough if you leverage its strengths.

Why not Monero: Because in Monero it depends on what decoys the algo picks, and even after several hops your final output can still be identified with time even if you got lucky in some hop. Because eventually decoys are always unmasked (because PCs cannot be updated and TXOs are single use) from the other transactions where they are spent. There is nothing you can do as a user to be Chainalysis proof with Monero. And if Dandelion is used against you, then it's even more trivial.

Why not Zcash: In Zcash you need to get lucky with transaction volume, but how are you supposed to know if you’re going to be the only shielding transaction in a block or not? And if there is a system built-in ZEC wallets to aggregate IP addresses from which a set of actions was first broadcast, tracing becomes trivial. Because of PCs in ZEC new "actions" are created after each transaction, and actions belonging to the same entity originate from the same source. And even if you run your own node, other nodes will detect the transaction came from your node and tie it to your node metadata. There is nothing you can do as a user to be Chainalysis proof with Zcash.

Dero’s current weakness are rings, so the tech is not where it’s supposed to be. But Dero is by far the only coin with the tech where you can already make your holdings anonymous so nobody knows exactly how much you hold or sold or bought (even assuming CEXes leak your data). This is how:

1. Register new accounts for yourself periodically and don’t top up these accounts right after registration or that will be a strong indicator that they're yours. Remember most of these accounts should be throwaway accounts, just to create noise for you and others.

2. Run a script (I did one with Chatgpt even though I can't code) to detect new accounts only

3. Periodically send some dust to new accounts that join the network. Again, not right after they joined, wait some time (at your discretion). And occasionally you can include one of your own new accounts in these dust transactions. To your own address you can send dust or the entire balance, that’s entirely up to you. These transactions reach peak unlinkability, because an outsider will have no clue which wallet is yours and what fractions of your balance you sent.

And as other accounts to which you sent dust become active and start sending and receiving you will have gone truly dark. Because again, adversaries won’t know whether you sent dust or 1000 DEROs.

If you follow these 3 steps, and you can of course make this better on your own depending on your usage patterns, then you will be truly anonymous and will have reached max unlinkability between your origin wallet (indexed and watched by the likes of Derolytics) and your present state. At some point (only you will know when) your OG Derolytics wallet will be empty and your balance will be sitting in a completely different wallet or sets of wallets that will be impossible to link, even heuristically, to your original wallet.

In other words, nobody will be able to map/monitor your holdings/actions or frontrun your actions or anything like that.

For this to work you must run your own DERO node (compiled from source or it's worthless), because you’ve to assume any other remote node is probably selling data to some entity that indexes transaction metadata. And that any pre-compiled binary could have some small difference in code that leaks something it's not supposed to leak.

Also study Dero's tech on your own to fully understand its strengths and how to use it best to achieve unlinkability/anonymity. Remember, the core strength of Dero is the crypto primitive it uses: El Gamal. Versus Pedersen Commitments in the other chains which is what makes them easy to crack.

🚨🚨😭CRYPTOGRAPHIC PROOF THAT XELIS IDIOTS ARE ACTUALLY IDIOTS AND A SEPARATE ENTITY FROM CAPTAIN

Finally we can understand what really happened inside their mind! Wow. Ok let's start.

Like I’ve been repeating for days now, the El Gamal encryption scheme is a huge paradigm shift forward for privacy blockchains for the following reasons:

1. It is public key re-randomizable
2. It is public key updatable

Nobody knows this except of Captain. And as we've seen from their interactions with Captain, you can't even try to teach them or they will attack you! Anyway, these important properties are missing in Pedersen Commitments which is what all other privacy coins use, and what breaks them because like previously discussed they all have to rely on UTXO and single use notes.

Now it turns out, contrary to what even I initially thought, Xelis devs completely missed the point of this too.

HOW XELIS DEVS BROKE PRIVACY TO IMPROVE UX

As a prelude to the creation of Xelis, the devs behind it (pieswap and Slixe) complained for years about address registration in Dero, completely missing the point of address registration. I was there so I know it, you can go to Dero’s Discord and find evidence of this yourself.

Dero uses ElGamal and with ElGamal, you need to prove key soundness but not ciphertext soundness. To prove key soundness you prove you have the private key of an address when you register it. Once you prove that, you can use the address forever. The ciphertext is self validating (you don't need proof that's valid).

So Xelis devs complained about this registration and finally got to launch their own copy. Number one priority from day one was to fix address registration (because address registration is a PITA, amirite?) to make their idea of “Dero” user friendly. To fix this pain point, they launched a copy of Dero in rust with RISTRETTO ELGAMAL.

But you know what? RISTRETTO ELGAMAL IS NOT PUBLIC KEY RERANDOMIZABLE HAHAHAHAHAHA!!!

As result, contrary to Dero where the protocol can rerandomize the ciphertexts of other accounts to give the sender and receiver deniability, in Xelis this cannot be done because to re-randomize the ciphertext of a Ristretto El Gamal you need the private key to generate ciphertext soundness proof for the new ciphertext!

This is why Xelis has no sender/receiver privacy, because Xelis cannot have decoys because with ristretto elgamal you must prove ciphertext soundness in every transaction, whenever the ciphertext is updated!

And if you try to update the ciphertext of another account you end up bricking those accounts by producing an invalid ciphertext for which nobody can produce soundness proof.

Take a good idea, break it, and add a tax on top. If you want to see how dumb and dumber short circuit when they interact with Dero because they still don't understand what's happening, Xelis is the perfect example!

Here is another brainlet dev from the car wash school of cryptography, completely out of depth but trying to act like he knows why Dero didn't opt for twisted ElGamal. Or even worse, trying to make it look like not opting for it was a bad idea. "Goldman Sachs paper, eh?"

Who needs pk rerandomization, amirite? Oh wait, he doesn't even know what that is!

Here is an interesting 2021 paper on pk rerandomizability that covers also El Gamal. Here is another one from 2023 that discusses this topic. Since some friends are telling me they can't find anything on this topic using google, I'm sharing these as a reference. Also have a look in case your favorite KOL dev (probably an idiot who should be flipping burgers at Burger King, not critiquing privacy tech) is telling you what I'm saying is "AI hallucination".

By the way, LLMs say it's normal for most blockchain devs to have no clue about these topics. They say it's not incompetence.

As a user I disagree.

99.999% of blockchain devs are adventurers, they're so out of depth that they don't even know they're out of depth. I think they should be purged and declared grifters/surveillance scammers/useful idiots.

Bring back Satoshi! I mean Captain.

Please and thank you.

Now that everyone is familiar with the power of ElGamal ciphertexts, it's time to re-evaluate the evidence for the inflation bug exploit. I've written an in-depth article to make sure this whole story remains googleable in the future, whichever way it ends.

Article: How the Dero community independently and cryptographically proved an inflation bug exploit in Dero just by querying the blockchain with a Chatgpt script

Here is the gist of it: Once you understand ElGamal, we can finally prove that both flagged addresses had the same ciphertext at the exploit transaction as in the registration transaction, and that that ciphertext was an encryption of 0.

This because for ciphertexts to be re-randomized they must be included in some transaction first, but those addresses were never included in any transactions between the exploit transaction and the registration. Therefore they had the same ciphertext as in the registration transaction, which is an encryption of 0. This proves they entered the exploit transaction with 0 balance and therefore couldn't be spending anything and inflation exploit took place.

Justin Ehrenhrofer filed a patent to trace Monero and similar cryptocurrencies in 2023. The patent was published in December 2024. The patent boils down to this: compile sets of related outputs > check the provided target TXOs against known sets to find affiliations or transactions downstream where they were spent > create report.

In reality, any privacy coin using PCs as cryptographic primitive, and rings is easily traceable bc of patterns leaked onchain. The reason is bc PCs force you to use UTXO w/ single use outputs (notes) that are nullified with receipts (key images, nullifiers).

I explained this process in 2 articles in September-November 2024, one month before the patent application was published, and I was much more specific than Justin’s patent filing which doesn’t explain how they group related TXOs. I explained how we can compile SUS sets for outputs related to the same entity & find their KIs when they form clusters. And how that's used to create sets of burnt TXOs to expose real spends.

Is Neptune Cash a gem? NPT uses Poseidon as cryptographic primitive bc more quantum resistant (but not quantum resistant).

Poseidon commitments, like Pedersen Commitments, force the UTXO accounting model & single use outputs.

Privacy wise Neptune is in the same league as UTXO chains where QC isn’t even required to break privacy bc bypassable, like in XMR & ARRR, by exploiting patterns leaked onchain by the UTXO accounting model & by using transport layer heuristics.

Any privacy coin built on single use outputs leaks behavioral metadata through transaction structure, regardless of cryptographic soundness. Only coins w/ updatable encrypted state (e.g., Dero & only Dero today) eliminate this issue.

When you build a TX in NPT you create new additions (outputs) and removal records (inputs) for the commitments you are spending. The # of additions & removal records exposes the utxo structure being broadcast from a specific wallet/user. NPT also uses TCP for its p2p communication protocol.

Pass.

Tic toc Christmas alpha time.

I don’t know what coin you hold, but I do know that 99% of the crypto people out there hold old, obsolete tech that is either a fork of BTC, Eth or Cryptonote, and are waiting for a 10x pump to break even. You were late to the party and that’s why you were left behind holding a bag for years praying for a pump to break even.

The next frontier for digital cash DLT tech is privacy, and privacy will be fought on tech and tech alone. If you want to be early in privacy you must study the difference between Pedersen Commitments (old tech everyone has been using to hide amounts) and El Gamal (the future tech nobody uses). Just like those who had mastered blockchains & smart contracts in 2010-2014 got in BTC and ETH early, those who master/understand these primitives well will become the crypto royalty of the next 10-20 years.

But aspiring cypherpunk princesses and princes today are running out of time.

So let me help you save time, one more time.

Pedersen Commitments have 2 huge weaknesses that the big guys (those that have been in crypto since 2010) don’t want you to know about (yet). In their defense, they could have received gag orders from 3 letter agencies to STFU & are not at liberty to speak about this (because how else do you explain that there are NO public posts on this topic by any reputable devs?!):

1. PCs, contrary to El Gamal, are not public key updatable
2. PCs, contrary to El Gamal, are not public key re-randomizable

This means any privacy chain that uses Pedersen Commitments will always have to opt for UTXO, which means wallet balances will be split among many single-use notes created in incoming transactions. For this reason they will always be traceable because to spend your money you will have to combine different notes forming a UTXO transaction type which when triangulated with your behavioral metadata exposes all your onchain transaction history.

That’s why the deep state loves Pedersen Commitments, because anything using them is fragile and can be traced in one way or another. Monero uses PCs to hide balances. Zcash uses PCs to hide balances. Aztec uses PCs to hide balances. MimbleWimble uses PCs to hide balances. ARRR uses PCs to hide balances. Same for Zano, Aleo and any privacy coin you can think of.

El Gamal closes this attack surface completely. When you think of ElGamal you probably think of Dero, but Dero had an inflation exploit as documented here, which is why I sold most of it. Yet not all of it because Dero and only Dero implements ElGamal correctly today. So I’m confused.

But I’m sure about ElGamal vs PCs. Study the tech, and be ready for what’s coming. Once word spreads about this we will see a whole new generation of coins built on ElGamal and only those who know the tech will be able to capture the upside.

Study the tech, and make up your own mind. But study the tech. That's the alpha.

Merry Christmas, fellow plebs!

Since Monero is pumping, I suspect 2026 will be a bullish year for altcoins. Because if a privacy shitcoin turned honeypot by Palantir to arrest DNM criminals keeps trying to catch a pump, then alt season imo is coming.

A lot of people still don't understand how Monero is traced and how bad it is. Recently trying to explain to another friend I realized that the idea of "decoy" is hard to grasp for some normies. A strawman is used to scare birds because from far away it looks like a person, but when you look up close you realize it's fake.

That's exactly what happens with Monero transactions. In every transaction you have the real spender's address mixed with 15 stealth addresses. From far they may look indistinguishable (you can't trace me bruh!), but upon close inspection it's very easy to filter out "decoys" from the real spend. Just like distinguishing a strawman from the real guy.

Repeat this over and over for every transaction and you get the transaction graph (how money goes from A to B to C).

🚨The Fallacy in My Dero Inflation Exploit Proof. Today I regret I wrote that post (quoted here) because I realize I overlooked something important.

My query of the Dero blockchain in October fooled me into believing that there was proof of an inflation bug in Dero because I couldn't find any transactions where the spending accounts appeared in rings. Since they never appeared in any receiver rings, then they couldn't have a non zero balance, and as result there had to be an inflation exploit. My mistake was that I was applying UTXO logic to account model logic.

Dero uses the account model with El Gamal. Contrary to UTXO systems, where a full node can always identify the transaction that created a given output (output creation traceability), in an account model like Dero transactions are state transitions: they update the blockchain state. The transaction bodies themselves do not need to be stored indefinitely to preserve chain integrity consensus thereafter. Consensus is based on the "state root". The new global blockchain state is cryptographically committed, after every set of transactions, and miners mine on top of that state "root".

When I send you money, I simply tell the protocol to update your account by X amount. The protocol reads the proof I provide and updates your ciphertext in encrypted state by adding +X to it. The new state is engraved onchain in the state root, and miners then mine on top of it. The transaction, although required at the time when the update occurs, doesn't need to be maintained to prove validity of state in the future.

The bottomline here is this: in Dero, just because we couldn't find a transaction where any of those spenders appeared as receivers doesn't prove an inflation bug. We do know however that Dero's proofs never changed since Stargate genesis, so if the transaction suspicious of the exploit really is an exploit transaction then it should not pass verification.

So that proof is just not proof. To prove an inflation bug in Dero today means finding a bug in the verification code, which is what Marcel has been looking for. If no bug is found in Dero's proofs (which have been the same since genesis), then most likely the account in question did have the coins to spend in those transactions. And the bad optics are due to the fact that the transaction has been pruned/lost.

This would also explain why Captain "stopped using account A" and suddenly started using the apparent "inflation account B" for swaps. Most likely what happened is that Captain conducted a transaction from A to B, and that transaction record was simply pruned/lost.

The Gold-Safe Analogy for PCs vs El Gamal: Imagine a world that goes by Monero's standard, gold is stored in safes that are single use (=Pedersen Commitments) and:

1) the only way to open a safe once you lock it is through dynamite (loud bang)
2) Gold is gold, also sold in different sizes (coins, bars, bullions etc)

Now this will help you visualize how bad Pedersen Commitments are for privacy. First and foremost, if the safes where gold is stored worked this way then being single use would force a lot of "behavioral" patterns on gold buyers. For example, people would probably not buy a new safe for a single coin. They'd wait some time to accumulate more gold to make it worth putting in a safe or destroying the current safe.

Secondly, since safes blow up with a bang, that can be heard by neighbors. You can think of bangs and the loudness of bangs as "network metadata" in Monero today.

Now someone (chainalysis) who can cross reference Gold vendor records, Safe vendor records, and bang reports, can easily track the flow of gold in the real world:

1) If a bang was heard at an address where gold was also delivered around the same date then most likely that entity is accumulating more gold

2) If a big bang was heard at address A and someone sold a lot of gold in a shop around the same time then that gold must have come from the address A where the big bang was heard (regardless of the path it took to get there)

3) If an address B that buys gold periodically suddenly ordered also a big safe today then we know all the gold they received was probably accumulated and now stored in a safe in that address

As you can see, a simple constraint of making safes single use would make the flow of gold very easy to track, even after it has left KYCed choke points. Any privacy coin that uses PCs operates in this paradigm. Which is very, very bad for privacy.

In contrast to PCs, El Gamal are safes that you can open and close with a code. No bangs and new safes required to add more stuff into your safe. You buy the safe once, you never blow it up. You just open, add stuff and close it again. Open, take out stuff, close it again. You update it at your discretion and nobody knows it but you.

If safe vendors start cross referencing data with gold vendors timing analysis is possible but much weaker. Because contrary to single use safes, where new gold is always ordered together with a new safe, with multi use safes you've no idea if the gold is going into a safe in that address, or is being picked up there to go yet to another address. Because there are no "bangs" (key images) to confirm that gold is being moved and/or accumulated and/or spent in a specific location.

By the way derod.org seems like the new and up-to-date Dero documentation site. Until today I thought it was just another one of those half baked community sites but this seems done by people that have a very deep understanding of the protocol, most likely core devs or people who learnt straight from core devs.

Official Dero.io website has also been replaced with the Dero Foundation site: derofoundation.org (useful to download official wallets)

1 Kaspa = 3 cents. Remember when I warned you that Don't trust, verify actually matters and that Kaspa is doomed because it violates that principle? I wrote a long article documenting Kaspa's issue, ie: in Kaspa some early transaction signature data are permanently lost and you cannot permissionlessly verify for many of the early transactions that the actual owners signed them.

Kaspa's standard is: Trust Yoni because he studied at Harvard.

It will become even more obvious with time that all insiders have sold. But Kaspa's shills told you that I'm a FUDder. That nobody cares about verification. Shai told you that Kaspa will even do smart contracts right, just wait for it (while dumping his bag on your head). Other idiots started calling Kaspa digital silver bro. Sure bro.

Well, listen up. Sooner or later markets hold you accountable. Big money rotates out of shitcoins with corrupt ledgers (no full node), useless tech (no privacy), broken tokenomics (see Alephium back under 10c lol).

So to all the retards angrily lurking from the shadows: Tech matters. Permissionlessness matters. Trustlessness matters. Decentralization matters. Privacy matters.

No amount of good marketing can fix broken tech.

Don't trust verify matters.

Get it through your thick skull. Learn what it means, and act accordingly. Otherwise you will just go from roundtrip, to roundtrip.

🚨2026 IS THE YEAR OF THE BULL (exclusive analysis by @bullcase)

Yes, we were wrong on Q4 2025, but for a good reason. There was no way to know Xi would launch a purge of top generals not aligned with the 2027 readiness deadline. That move materially altered both the probabilities and the timing around Taiwan, as well as the parabolic phase of the bull market.

With the purge that began in October 2025, the internal balance within the CCP has shifted decisively. The 2027 camp is now prevailing, materially increasing geopolitical risk, as Xi sidelined the long-horizon 2035 faction. This stretched the cycle and slowed everything down, sending metals vertical as China and Asia began positioning for conflict risk.

The explosive move in gold and silver didn't end the bull market, it extended it.

A credible war scenario requires the Fed to retain room for aggressive hikes in 2027 to enforce dollar strength and preserve weaponization optionality, as seen with Russia in 2022. For that leverage to exist, policy must be looser beforehand, which is why easing into 2026 is coming, and Warsh's pick confirms it. In Iran and Venezuela (China's sanctioned energy anchors), the US is already weaponizing energy to make a 2027 Taiwan intervention economically and logistically unaffordable for Beijing.

2026 is the global reflation trade.

To prepare for a potential 2027 escalation, the Fed needs dry powder. Rates must be cut aggressively in 2026 to create a buffer that can later be used via tightening to weaponize the dollar during a conflict, a 2021-2022 style setup, but on steroids.

BTFD and chill, everything will rip soon!

Interesting analysis by some og whales in my circle. Aligns with my expectations of a bullish 2026, but the geopolitical angle is what really peaked my interest.

🚨Chairman of the House Select Committee on the CCP John Moolenaar on 2026 & Taiwan:

• Xi's 2027 readiness deadline makes 2026 an important year where we will prepare for all scenarios using all available tools of our national power to ensure Beijing never decides an aggression against Taiwan will be fast, cheap or successful

[Translation: we will run it hot so we can weaponize the USD in 2027. BTFD!]

Dero is the only true privacy coin left today. It's the only coin that uses El Gamal as primitive, while everything else is stuck in the PC paradigm of privacy through obfuscation of single use outputs. This tech makes Dero a formidable financial weapon against despots' capital controls systems.

Monero is a good coin for as long as privacy is a honeypot play to catch a few criminals here and there. But in case of a major geopolitical rift, privacy becomes a matter of life or death and Monero is unusable. If I could trace it, an entity like the CCP can do it systemically either by bribing Palantir or through a Chinese version of Palantir or just by analyzing onchain data.

I think, because of these implications, Western regulators will have to embrace privacy and the most advanced privacy coin out there, Dero, will eventually be declared unregulatable.