Using tor is of little use when they can mark you in the premix and then put you together with previously marked transactions of other users.
Discussion
The main problem is not that they can get your ip, it is that if they want, they could know for example where 100 btc that were mixed up went, once you have this information it is easier to get the ip or more information.
Whether they do or not, we don't know, and that's why from my point of view it's not a good solution.
It's like if you have to trust a third party for the crypto to be valid, what would the crypto be good for then? what reliability would it have?
But let everyone use what they see fit, I just show information, I don't like wasabi, I don't like whirpool, and I'm not convinced by joinmarket.
Coinjoin has a serious fungibility problem, it is not the solution.
Bills shit claim. First of all SW coordinator is blinded run over tor and CoinJoin coordinators are simply message passers. They simply pass data packets to connected clients. Clients never surrender custody to any 3rd party. Clients collaborate w/ each other, and for equal outputs to exist there will be doxxic change and coordinator is blinded (soon decentralized in SW) It doesn't know the links between a coinjoin's inputs and outputs. That was one of the major goals of the zerolink framework. Also doxxic change is completely unaffected by mixes since it has never been mixed. And it sits in the separate derivation path (sparrow wallet)
Every SW user knows exactly what to do with that doxxic change so there is no combining with other doxxic change that didn’t come from the same source. Software freezes these change utxo so one cannot accidentally spend or combine them.
The Tx0 makes all your UTXO's share a tx hash, which prevents them from mixing with each other, preventing an "accidental" Sybil attack from entering a large amount of BTC, Samourai wallet software separates the coordinator fee in the Tx0 no fee flagging in the fee addresses. Every communication between Alice and the coordinator is made with a different Tor identity. It's transparent for the coordinator if one of the messages is actually sent by Bob, so when Alice sends her clear output to the coordinator it's made with a Tor identity different from the Tor identity used to submit the input and the blinded ouput. Who is using this Tor identity is transparent for the coordinator. It’s two separate Tor identities. This was even in the original zerolink docs.
So once coins are mixed, they are segregated and can't "accidentally" make their way back to unmixed section of wallet. You have to manually generate a receive address and send from postmix to get utxos back there, which obviously you shouldn't do. This is the only way to have true ZeroLink, where a user can't spend mixed and unmixed together. This is not happening in wasabi or joinmarket.
SW doing ZeroLink original spec, which is simultaneous denominated pools, max entropy mixes for the number of inputs/outputs, never 2 or more same previous tx in a same mix, and unequal amount coinjoined spends post-mix if the user chooses.
Let's play through your scenario and assume they are a bad actor.
- I initiate a mix of 2M sats in the 1M sat pool
- My random Tor IP is tagged on both premix outputs
- As a result, each one of those two mixed outputs are tagged as one user with the originating Tor IP
- After each one of those outputs are mixed, they now have a 1 in 5 chance of knowing which output I am.
- To demix me here, they'd need to know who the other 4 outputs belong to. Even only knowing 3 of the 5 outputs means that they have a 1 in 2 chance of knowing which output belongs to me.
- This becomes exponentially difficult to follow f I remix 2, 3, 4 or more times.
- Whirlpool's design makes it extremely difficult to sibyl attack it, by charging fees for all new incoming liquidity.
Do you see how ridiculous your claim is, given how many Whirlpool users run their own node?
The promise of Whirlpool is on-chain privacy. It's verifiably the most private way of using bitcoin today. There is no second best alternative. From a privacy perspective, the one thing you rightfully point out is that the coordinator is currently centralized, so you have to trust they're running the same code that they've published.
In a few months, you will be able to run your own coordinator and gain access to the same liquidity pool as everyone else, thus eliminating this as a concern.