Techleaks24 🇵🇸
For the patient and well researched investor.
Now that everyone is familiar with the power of ElGamal ciphertexts, it's time to re-evaluate the evidence for the inflation bug exploit. I've written an in-depth article to make sure this whole story remains googleable in the future, whichever way it ends.

Article: How the Dero community independently and cryptographically proved an inflation bug exploit in Dero just by querying the blockchain with a ChatGPT script

Here is the gist of it: Once you understand ElGamal, we can finally prove that both flagged addresses had the same ciphertext at the exploit transaction as in the registration transaction, and that that ciphertext was an encryption of 0.

This is because for ciphertexts to be re-randomized they must be included in some transaction first, but those addresses were never included in any transactions between the exploit transaction and the registration. Therefore they had the same ciphertext as in the registration transaction, which is an encryption of 0. This proves they entered the exploit transaction with a 0 balance and therefore couldn't have been spending anything, so an inflation exploit took place.
πŸ‘4🀯2πŸ’©2❀1🀑1
Justin Ehrenhofer filed a patent to trace Monero and similar cryptocurrencies in 2023. The patent was published in December 2024. The patent boils down to this: compile sets of related outputs > check the provided target TXOs against known sets to find affiliations or downstream transactions where they were spent > create a report.

In reality, any privacy coin using PCs as a cryptographic primitive, and rings, is easily traceable because of patterns leaked onchain. The reason is that PCs force you to use UTXO with single-use outputs (notes) that are nullified with receipts (key images, nullifiers).

I explained this process in 2 articles in September-November 2024, one month before the patent application was published, and I was much more specific than Justin's patent filing, which doesn't explain how they group related TXOs. I explained how we can compile SUS sets for outputs related to the same entity & find their KIs when they form clusters, and how that's used to create sets of burnt TXOs to expose real spends.
🀣9πŸ‘3πŸ”₯2😁1πŸ’©1
Is Neptune Cash a gem? NPT uses Poseidon as a cryptographic primitive because it is more quantum resistant (but not quantum resistant).

Poseidon commitments, like Pedersen Commitments, force the UTXO accounting model & single use outputs.

Privacy-wise, Neptune is in the same league as UTXO chains where QC isn't even required to break privacy because it is bypassable, like in XMR & ARRR, by exploiting patterns leaked onchain by the UTXO accounting model & by using transport-layer heuristics.

Any privacy coin built on single-use outputs leaks behavioral metadata through transaction structure, regardless of cryptographic soundness. Only coins with updatable encrypted state (e.g., Dero & only Dero today) eliminate this issue.

When you build a TX in NPT you create new additions (outputs) and removal records (inputs) for the commitments you are spending. The number of additions & removal records exposes the UTXO structure being broadcast from a specific wallet/user. NPT also uses TCP for its p2p communication protocol.

Pass.
🤣3 🔥2 👎1 👍1 🤯1 💩1
Tic toc Christmas alpha time.

I don't know what coin you hold, but I do know that 99% of the crypto people out there hold old, obsolete tech that is either a fork of BTC, ETH or Cryptonote, and are waiting for a 10x pump to break even. You were late to the party and that's why you were left behind holding a bag for years praying for a pump to break even.

The next frontier for digital cash DLT tech is privacy, and privacy will be fought on tech and tech alone. If you want to be early in privacy you must study the difference between Pedersen Commitments (old tech everyone has been using to hide amounts) and El Gamal (the future tech nobody uses). Just like those who had mastered blockchains & smart contracts in 2010-2014 got in BTC and ETH early, those who master/understand these primitives well will become the crypto royalty of the next 10-20 years.

But aspiring cypherpunk princesses and princes today are running out of time.

So let me help you save time, one more time.

Pedersen Commitments have 2 huge weaknesses that the big guys (those that have been in crypto since 2010) don't want you to know about (yet). In their defense, they could have received gag orders from 3-letter agencies to STFU & are not at liberty to speak about this (because how else do you explain that there are NO public posts on this topic by any reputable devs?!):

1. PCs, contrary to El Gamal, are not public key updatable
2. PCs, contrary to El Gamal, are not public key re-randomizable

This means any privacy chain that uses Pedersen Commitments will always have to opt for UTXO, which means wallet balances will be split among many single-use notes created in incoming transactions. For this reason they will always be traceable, because to spend your money you will have to combine different notes, forming a UTXO transaction type which, when triangulated with your behavioral metadata, exposes all your onchain transaction history.

That’s why the deep state loves Pedersen Commitments, because anything using them is fragile and can be traced in one way or another. Monero uses PCs to hide balances. Zcash uses PCs to hide balances. Aztec uses PCs to hide balances. MimbleWimble uses PCs to hide balances. ARRR uses PCs to hide balances. Same for Zano, Aleo and any privacy coin you can think of.

El Gamal closes this attack surface completely. When you think of ElGamal you probably think of Dero, but Dero had an inflation exploit as documented here, which is why I sold most of it. Yet not all of it because Dero and only Dero implements ElGamal correctly today. So I’m confused.

But I’m sure about ElGamal vs PCs. Study the tech, and be ready for what’s coming. Once word spreads about this we will see a whole new generation of coins built on ElGamal and only those who know the tech will be able to capture the upside.

Study the tech, and make up your own mind. But study the tech. That's the alpha.

Merry Christmas, fellow plebs!
☃8 🔥8 ❤6 🫡2 🎄2 👍1 👏1 💩1
Since Monero is pumping, I suspect 2026 will be a bullish year for altcoins. Because if a privacy shitcoin turned honeypot by Palantir to arrest DNM criminals keeps trying to catch a pump, then alt season imo is coming.

A lot of people still don't understand how Monero is traced and how bad it is. Recently, trying to explain to another friend, I realized that the idea of "decoy" is hard to grasp for some normies. A strawman is used to scare birds because from far away it looks like a person, but when you look up close you realize it's fake.

That's exactly what happens with Monero transactions. In every transaction you have the real spender's address mixed with 15 stealth addresses. From afar they may look indistinguishable (you can't trace me bruh!), but upon close inspection it's very easy to filter out "decoys" from the real spend. Just like distinguishing a strawman from the real guy.

Repeat this over and over for every transaction and you get the transaction graph (how money goes from A to B to C).
πŸ‘14🀯3πŸ‘Ž1🀑1
Techleaks24 🇵🇸
🚨Important message for all Dero holders: I managed to do this with ChatGPT myself, I created a Python script that uses the local explorer to go through all block contents, from block 1059301 to block 1081893. It pains me to say this but the address dero1…
🚨The Fallacy in My Dero Inflation Exploit Proof. Today I regret I wrote that post (quoted here) because I realize I overlooked something important.

My query of the Dero blockchain in October fooled me into believing that there was proof of an inflation bug in Dero because I couldn't find any transactions where the spending accounts appeared in rings. Since they never appeared in any receiver rings, then they couldn't have a non-zero balance, and as a result there had to be an inflation exploit. My mistake was that I was applying UTXO logic to account model logic.

Dero uses the account model with El Gamal. Contrary to UTXO systems, where a full node can always identify the transaction that created a given output (output creation traceability), in an account model like Dero's, transactions are state transitions: they update the blockchain state. The transaction bodies themselves do not need to be stored indefinitely to preserve consensus on chain integrity thereafter. Consensus is based on the "state root". The new global blockchain state is cryptographically committed after every set of transactions, and miners mine on top of that state "root".

When I send you money, I simply tell the protocol to update your account by X amount. The protocol reads the proof I provide and updates your ciphertext in encrypted state by adding +X to it. The new state is engraved onchain in the state root, and miners then mine on top of it. The transaction, although required at the time when the update occurs, doesn't need to be maintained to prove validity of state in the future.

The bottom line here is this: in Dero, just because we couldn't find a transaction where any of those spenders appeared as receivers doesn't prove an inflation bug. We do know, however, that Dero's proofs never changed since Stargate genesis, so if the transaction suspected of being the exploit really is an exploit transaction then it should not pass verification.

So that proof is just not proof. To prove an inflation bug in Dero today means finding a bug in the verification code, which is what Marcel has been looking for. If no bug is found in Dero's proofs (which have been the same since genesis), then most likely the account in question did have the coins to spend in those transactions. And the bad optics are due to the fact that the transaction has been pruned/lost.

This would also explain why Captain "stopped using account A" and suddenly started using the apparent "inflation account B" for swaps. Most likely what happened is that Captain conducted a transaction from A to B, and that transaction record was simply pruned/lost.
πŸ‘8🀑2😁1🀯1
The Gold-Safe Analogy for PCs vs El Gamal: Imagine a world that goes by Monero's standard: gold is stored in safes that are single use (=Pedersen Commitments) and:

1) the only way to open a safe once you lock it is through dynamite (loud bang)
2) Gold is gold, also sold in different sizes (coins, bars, bullion, etc.)

Now this will help you visualize how bad Pedersen Commitments are for privacy. First and foremost, if the safes where gold is stored worked this way then being single use would force a lot of "behavioral" patterns on gold buyers. For example, people would probably not buy a new safe for a single coin. They'd wait some time to accumulate more gold to make it worth putting in a safe or destroying the current safe.

Secondly, safes blow up with a bang that can be heard by neighbors. You can think of bangs and the loudness of bangs as "network metadata" in Monero today.

Now someone (Chainalysis) who can cross-reference gold vendor records, safe vendor records, and bang reports can easily track the flow of gold in the real world:

1) If a bang was heard at an address where gold was also delivered around the same date then most likely that entity is accumulating more gold

2) If a big bang was heard at address A and someone sold a lot of gold in a shop around the same time then that gold must have come from the address A where the big bang was heard (regardless of the path it took to get there)

3) If an address B that buys gold periodically also suddenly ordered a big safe today then we know all the gold they received was probably accumulated and is now stored in a safe at that address

As you can see, a simple constraint of making safes single use would make the flow of gold very easy to track, even after it has left KYCed choke points. Any privacy coin that uses PCs operates in this paradigm. Which is very, very bad for privacy.

In contrast to PCs, El Gamal safes can be opened and closed with a code. No bangs or new safes are required to add more stuff into your safe. You buy the safe once, you never blow it up. You just open it, add stuff and close it again. Open, take out stuff, close it again. You update it at your discretion and nobody knows it but you.

If safe vendors start cross-referencing data with gold vendors, timing analysis is possible but much weaker. Because contrary to single-use safes, where new gold is always ordered together with a new safe, with multi-use safes you've no idea if the gold is going into a safe at that address, or is being picked up there to go yet to another address. Because there are no "bangs" (key images) to confirm that gold is being moved and/or accumulated and/or spent in a specific location.
πŸ‘6❀3πŸ‘2🀯2
By the way, derod.org seems like the new and up-to-date Dero documentation site. Until today I thought it was just another one of those half-baked community sites, but this seems done by people that have a very deep understanding of the protocol, most likely core devs or people who learnt straight from core devs.

The official Dero.io website has also been replaced with the Dero Foundation site: derofoundation.org (useful for downloading official wallets)
❀9πŸ‘7🀯1
1 Kaspa = 3 cents. Remember when I warned you that "Don't trust, verify" actually matters and that Kaspa is doomed because it violates that principle? I wrote a long article documenting Kaspa's issue, i.e., in Kaspa some early transaction signature data are permanently lost and you cannot permissionlessly verify, for many of the early transactions, that the actual owners signed them.

Kaspa's standard is: Trust Yoni because he studied at Harvard.

It will become even more obvious with time that all insiders have sold. But Kaspa's shills told you that I'm a FUDder. That nobody cares about verification. Shai told you that Kaspa will even do smart contracts right, just wait for it (while dumping his bag on your head). Other idiots started calling Kaspa digital silver bro. Sure bro.

Well, listen up. Sooner or later markets hold you accountable. Big money rotates out of shitcoins with corrupt ledgers (no full node), useless tech (no privacy), broken tokenomics (see Alephium back under 10c lol).

So to all the retards angrily lurking from the shadows: Tech matters. Permissionlessness matters. Trustlessness matters. Decentralization matters. Privacy matters.

No amount of good marketing can fix broken tech.

"Don't trust, verify" matters.

Get it through your thick skull. Learn what it means, and act accordingly. Otherwise you will just go from round trip to round trip.
❤7 🤯1 🤡1 💯1 🤣1 🤝1
Forwarded from Bull Case
🚨2026 IS THE YEAR OF THE BULL (exclusive analysis by @bullcase)

Yes, we were wrong on Q4 2025, but for a good reason. There was no way to know Xi would launch a purge of top generals not aligned with the 2027 readiness deadline. That move materially altered both the probabilities and the timing around Taiwan, as well as the parabolic phase of the bull market.

With the purge that began in October 2025, the internal balance within the CCP has shifted decisively. The 2027 camp is now prevailing, materially increasing geopolitical risk, as Xi sidelined the long-horizon 2035 faction. This stretched the cycle and slowed everything down, sending metals vertical as China and Asia began positioning for conflict risk.

The explosive move in gold and silver didn't end the bull market, it extended it.

A credible war scenario requires the Fed to retain room for aggressive hikes in 2027 to enforce dollar strength and preserve weaponization optionality, as seen with Russia in 2022. For that leverage to exist, policy must be looser beforehand, which is why easing into 2026 is coming, and Warsh's pick confirms it. In Iran and Venezuela (China's sanctioned energy anchors), the US is already weaponizing energy to make a 2027 Taiwan intervention economically and logistically unaffordable for Beijing.

2026 is the global reflation trade.

To prepare for a potential 2027 escalation, the Fed needs dry powder. Rates must be cut aggressively in 2026 to create a buffer that can later be used via tightening to weaponize the dollar during a conflict, a 2021-2022 style setup, but on steroids.

BTFD and chill, everything will rip soon!
πŸ‘3πŸ€”2🀯1πŸ’©1
Forwarded from Bull Case
🚨Chairman of the House Select Committee on the CCP John Moolenaar on 2026 & Taiwan:

• Xi's 2027 readiness deadline makes 2026 an important year where we will prepare for all scenarios using all available tools of our national power to ensure Beijing never decides an aggression against Taiwan will be fast, cheap or successful

[Translation: we will run it hot so we can weaponize the USD in 2027. BTFD!]
🀣2πŸ‘1🀯1πŸ‘€1
Bull Case
🚨Chairman of the House Select Committee on the CCP John Moolenaar on 2026 & Taiwan: β€’ Xi's 2027 readiness deadline makes 2026 an important year where we will prepare for all scenarios using all available tools of our national power to ensure Beijing never…
Dero is the only true privacy coin left today. It's the only coin that uses El Gamal as a primitive, while everything else is stuck in the PC paradigm of privacy through obfuscation of single-use outputs. This tech makes Dero a formidable financial weapon against despots' capital-control systems.

Monero is a good coin for as long as privacy is a honeypot play to catch a few criminals here and there. But in case of a major geopolitical rift, privacy becomes a matter of life or death and Monero is unusable. If I could trace it, an entity like the CCP can do it systemically either by bribing Palantir or through a Chinese version of Palantir or just by analyzing onchain data.

I think, because of these implications, Western regulators will have to embrace privacy and the most advanced privacy coin out there, Dero, will eventually be declared unregulatable.
🤯7 🔥5 🤡4 👍1 🥱1 😡1
Techleaks24 🇵🇸
Are you ready for crypto's Snowden moment? In early 2013 the consensus was that encryption was pointless for the average Joe and mostly something for activists, journalists and criminals. Nobody cares about your messages, Billy. They do those things only…
Since 2020, when I first started taking privacy seriously and stopped seeing it as a niche for criminals, this is the first time I finally see where that Snowden moment will come from. If you followed me from the beginning, I've always said that for privacy to eventually break through and stop being a niche it needs to become a political issue. Covid helped expand it by waking up a few people (like me) who were caught up in the crossfire of the draconian Covid laws. And a few high-profile crises, like that of the Canadian truckers, inspired many. But privacy still never really became a political issue.

Those of us who got involved relatively early, or late from the perspective of OG cypherpunks, have witnessed a fractured community of sorts. There are the criminals (e.g., DNM admins caught with honeypots like Monero), the mercenaries (e.g., Cake wallet/Chainalysis employees/PR agents), the tourists (moonboys who got rekt by the likes of Haven, Xelis etc), the OG cypherpunks (who lurk in the shadows), useful idiots (Monero maxis who have no clue about the tech) and a few purists (who try to understand how things work).

For a purist like me the question has always been, how do we break out of here? The West's political compass has been dead set to fight and abolish privacy on every occasion. So where will the masses required to hold the line come from? Because if they don't come, then the few of us holding the line will eventually be rolled over and liquidated as collateral damage at best.

Personally, I stuck around because of principled opportunity: as a matter of principle because I think privacy is a key prerequisite to freedom, but also because of opportunity when considering the low valuation of something as advanced as Dero compared to honeypots like Monero that are symbols of an era where privacy's main use case wasn't freedom but that of being a trap to catch those looking for impunity.

Anyway, now I finally see an angle for that mass adoption to happen. I think the air support those like me have been waiting for should finally come if the tensions over Taiwan, which seem to be escalating under the surface, boil over in 2027. That will probably be the perfect shit-hits-the-fan scenario that wakes everyone up.
πŸ‘7πŸ”₯3🀯1🌭1
🚨Chainalysis Alternatives for Monero Tracing. Probably as a result of the many crime marketing campaigns and their promise of impunity, another bunch of criminals was encouraged to double down on a crime and request a ransom in Monero to get away with it. The victim this time is 84-year-old Nancy Guthrie; her kidnappers are now reportedly requesting a $6m ransom in Monero (after requesting a ransom in BTC first 3 weeks ago).

I hope LE doesn't hire Chainalysis/Palantir (whose shills do crime marketing 24/7) but opts for other firms that can trace XMR for cheaper. Because for every grant that goes to Chainalysis, we will probably see crime rate increase 10 fold when a fraction of that money flows back into crime marketing campaigns encouraging people to commit crimes. And more crime marketing means more victims.

What alternatives are there? Well, for example, Bezalel Eithan Raviv, CEO of Lionsgate Network, seems to be well-versed when it comes to Monero tracing. In this Newsweek article he gives a statement carefully putting out plenty of cues that demonstrate he has a deep understanding of the tech. To quote a few:

1) "Behavioral patterns (i.e., UTXO structure, clusters, churning transactions, fees), timing analysis (recency heuristic) and specialized forensic tools (e.g., OSPEAD or other algorithms to detect related outputs when they form clusters) can still reveal who is behind a wallet once investigators obtain an address"

2) "Monero presents a harder path, not an impossible one, with the right intelligence, we can follow the money and expose the entity behind the scenes."

Please spread the word about alternatives like Lionsgate Network. Tracing Monero is easy and therefore, it shouldn't be a monopoly of Chainalysis/Palantir sister companies.
πŸ‘2πŸ”₯2πŸ‘2❀1😁1πŸ’―1
Please open Telegram to view this post
VIEW IN TELEGRAM
So you must be familiar with the 2026 bull thesis by now; apparently 2027 is an important year for China and Xi. Xi dreams of being the Chinese leader who brings Taiwan home, but of course that's most likely not going to happen peacefully. And since Taiwan is where 90% of the world's chips are produced, a war there also means a lot of trouble for the rest of the world.

Question: what happens to Bitcoin in case of a Taiwan crisis in 2027 that leads to a blockade? Maxis may consider it a tail risk but the tail is getting quite fat.

OTOH, this seems a SHTF scenario that DERO was designed to resist from its inception thanks to AstroBWT, which can be mined on old CPUs and for which ASICs & GPUs cannot be created. So in case of a Taiwan crisis Dero mining would remain unaffected, as it can always rely on old CPUs & devices as well as on chips that don't require TSMC.

An interesting big picture is emerging here. I mean... imagine, just imagine if SHTF in 2027, push comes to shove, the market starts looking for a real fit.
🤯8 🔥1 🥱1 😴1