Profile: 894c61fd...

LocalMonero.co is now gone for good, logins disabled

LocalMonero disabled logins on July 27, 2025. Attempts to access public profiles via direct links now result in a blank page. Consequently, our crawler is unable to verify import keys. However, you can still verify your reputation at http://openmonero.com/guides/import#cachedUserList, as the top profiles have been cached on OpenMonero and can be verified through alternative methods such as Telegram, Session, XMPP/Jabber, email, PGP, and others.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

How bad actors try to track Monero

Depending on your operational security, a combination of the attack types in this article may significantly reduce your privacy and let an adversary identify the real spend in a ring signature.

These methods have been used to arrest the Incognito Market admin, the operators of Archetyp, a Colombian drug dealer, a Finnish blackmailer, the Bitfinex hacker and 18 Japanese fraudsters.

---

# Eve-Alice-Eve attack

This one’s like a sneaky collusion trick. Two parties (both called Eve) team up to figure out who’s behind a transaction with Alice. Eve1 sends Monero to Alice in one transaction; Eve2 receives Monero from Alice in another.

They compare their transaction records: if Eve1’s address shows up in Eve2’s ring signature, or if amounts and times match up, they can pretty confidently say Alice was involved. Repeating this over and over makes their case even stronger.

---

# Poisoned output attack

Think of this like "marked bills" in the physical world. The attacker "poisons" some Monero outputs, either with a unique amount or a specific pubkey, and then watches to see whether those outputs are sent to a colluder: someone who knows the identity of the people who send them Monero and who has agreed to share data with the attacker to help identify the target.

If the target sends that marked Monero to a known colluder, the attacker can identify who sent it. Repeated use helps build a stronger case.

---

# Timing analysis attack

Sometimes, targets try to dodge the poisoned output trap by splitting amounts or churning (sending to new addresses repeatedly). But if they’re doing this on a regular schedule, attackers can catch on by watching the timing between transactions.

For example, if an attacker notices that every Tuesday, a certain person receives Monero and then quickly sends it out again, that pattern can reveal who they are, even if they try to hide it.

Anti-privacy adversaries can leverage timing information to increase the probability of guessing the real spend in a ring signature to approximately 1-in-4.2 instead of 1-in-16.

---

# Decoy elimination attack

This trick is handy if someone has a list of transaction IDs and thinks their target sent Monero in those transactions. They might get this list by scanning the blockchain for transactions that include a special kind of public key known to belong to the target, or from someone who’s interacted with the target a few times, like an exchange or a store.

Once they have the list, they can look up those transactions and check the signatures inside them. These signatures include a bunch of public keys used to hide who actually sent the money. The attacker checks if any of those keys are theirs or someone they know. If they find a match, they can ask the owner if they made that transaction. If not, then that key was just a decoy, not the real sender.

This method helps the attacker narrow down the possible real sender. In the worst case, they can remove all the fake keys and figure out exactly who sent the Monero. From there, they might trace the transaction back or forward, using the same or different techniques, to follow the money’s trail.

---

# Spy node attack

Monero transactions are broadcast through nodes; some are run by honest users, others by malicious actors (spy nodes). If your wallet sends transactions through a spy node, it might log your IP address, which can then be linked to your transaction and real identity.

Full nodes try to protect you with protocols like Dandelion++, but they’re not perfect. Attackers can exploit this by seeing if a transaction is still in its "stem" phase, which can leak your IP.

---

# Tx history lookup attack

If an attacker manages to get hold of your private keys (say, during a raid or if you accidentally share them), they can look up your entire transaction history on the blockchain. This helps them see all the Monero you’ve received and sent.

References:

https://www.getmonero.org/2025/04/05/ospead-optimal-ring-signature-research.html

http://openmonero.com/knowledge/how-bad-actors-try-to-track-monero

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

Centralization of XMR market and tracking every transaction

Recent research conducted by the Weizenbaum Institute, TRM Labs (San Francisco) and TU Berlin indicates that Retoswap, formerly known as Haveno-Reto, does not provide the privacy protections it advertises. Despite its marketing claims, this platform functions as a sophisticated decoy. The narrative of being non-custodial and decentralized is a carefully crafted illusion designed to attract unsuspecting users and foster a false sense of security.

https://xcancel.com/noosphere888x2/status/1922044150716715102#m

Darknet operators who assume Retoswap is suitable for laundering should reconsider. Their activities are under constant surveillance. The supposed privacy offered by Retoswap is an illusion.

Retoswap Trades Are Fully Traceable

> To test our findings, we logged Haveno trades for two weeks and executed five test trades within the observation period. For all five transactions, we successfully identified all XMR transactions.

Additionally, we demonstrate that Haveno trades leave detectable on-chain footprints, allowing cross-chain transaction linking.

Source: https://arxiv.org/pdf/2505.02392

> Haveno has been discussed in greater detail as it evolved to one of the most prominent exchanges in the context of Monero. While strong promises claim privacy with every transaction and independence from any central authority, the current implementation raises uncertainty. Our analysis showed detectable on-chain patterns and weaknesses in the platform that can be exploited to match transactions across chains.

It is noteworthy that some of the most active dark web exchanges, administrators, vendors, and key figures may have already utilized Retoswap to launder illicit gains or transfer substantial amounts of BTC and XMR. These individuals often believe their anonymity is safeguarded due to the platform’s purported decentralization. However, all Retoswap crypto-to-crypto transactions are inherently traceable.

Retoswap has apparently handled over 50 million dollars in transactions, which is pretty impressive considering it’s been around for less than a year. It looks like big players like hackers, darknet admins, and other underground groups are already using it to move big amounts of money.

Source: https://xcancel.com/RetoSwap/status/1930953817228481022#m

While speculative, there are reasons to suspect that recent LE actions may not be coincidental. Authorities have tracked down major operators, likely due to the on-chain trail left by Retoswap activities. According to haveno.markets, approximately 90% of liquidity involves BTC-XMR swaps, transactions that are fully traceable. Every transaction is publicly recorded on-chain with exact timestamps, amounts, and payment methods, leaving a permanent digital footprint.

> While trade statistics provide valuable metrics for users, their network propagation should be obfuscated to preserve trade privacy.

Source: https://arxiv.org/pdf/2505.02392

In summary, admins of coin-swap services can easily monitor BTC to XMR trades. But usually, it’s not a big deal because users trust these providers not to share details like timestamps, amounts, or other info. On the flip side, with platforms like Retoswap, anyone can potentially track transactions, not just the admins. That’s because haveno.markets openly shares trade stats, making it easier for third parties to analyze and follow the transactions.

May freeze or seize funds

Retoswap runs on Haveno, which is a decentralized, non-custodial multi-sig exchange. That’s true because your private key is generated locally, so only you have access to your funds in the Haveno wallet.

However, to publish a sell offer, a vendor must lock up coins (15% security deposit and the trade amount). These funds can potentially be frozen or seized because the admin can easily hold the two keys required to sign a transaction. The Haveno FAQ suggests that the admin/arbiter only has one key, but in practice anyone can become a taker, so there is practically nothing preventing the admin from possessing two keys.

Some users have spoken out about this openly on platforms like Nostr, Reddit, and others, raising concerns about potential exit scams in how the system is set up. So, it’s worth being aware of these issues before jumping in.

https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/

https://archive.ph/gSRVs#25%

Centralization of XMR market and tracking every transaction

Retoswap's objective appears to be the centralization of XMR liquidity through their unique setup with pre-funded offers. Furthermore, Woodser (developer associated with Haveno) has not addressed the rugpuller bot issue that I initially identified six months ago. This is not due to incompetence but rather suggests a lack of independence, as the Reto guy has accepted donations from questionable sources. Such actions raise concerns about the integrity of the Haveno development process.

Source: link to shortwavesurfer about donations

Quote mister_monster:

> So, Reto has basically no fees right now. They don’t really benefit financially from being the only haveno network with liquidity. Yet, it does seem that they do want to have a monopoly position within our community.

Source: https://monero.town/post/5172146

Amazon used the same tactic to take over the market, operating at a loss and funded by questionable sources until competitors were pushed out. Now, this new platform is promising decentralization, non-custodial transactions, and privacy. But the reality is, none of that seems to hold up. It's all about crushing the competition and cornering the XMR market, and tracking every transaction? That's not exactly a recipe for trust. It might not be a honeypot, but it sure smells a lot like one. Proceed with extreme caution.

Discuss on dread: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/be82f1a0c5e0f79f6dbb

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

openmonero.markets VS. haveno.markets

I still can't get over how haveno.markets shows both the time and amount (XMR) for each trade, which could allow timing attacks and hurt user privacy. On the other hand, openmonero.markets doesn’t show any trade times or amounts.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

We are pleased to announce the launch of a dedicated statistics and market data page, offering comprehensive information for users.

URL: https://openmonero.com/markets

DONE: xmr/usd, liquidity, top markets, daily volume, sell offers, buy offers, registered users, active vendors, top payment methods, latest trades, total trades, total volume, trades last 30d/24h/yesterday/today, volume last 30d/24h/yesterday/today

COMING SOON: average trade finalization time, top vendors

If you're worried about timing attacks, I've taken out the timestamp, username and amount details from the latest trades table to help protect your privacy.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

It is easy to fix the rug pull issue if they just disable pre-funded offers and allow each maker to fund the trade after a taker request instead. However, they aren't interested in doing so, since it would significantly decrease liquidity.

Quote shortwavesurfer2009:

The way it would work would be that an arbitrator would create a bot to take the offers and then use the key from the taker bot and their arbitrator key to steal the escrow which contains the seller's Monero plus their security deposit.

Source: nevent1qqs0h2fvwvcsg58l6xw9hwpav4kk3vry933rrm6pparrf0s7p9rel6gpz4mhxue69uhkg6t5w3hjuur4vghhyetvv9uszyrhwden5te0v5hxummn9ekx7mp0qythwumn8ghj7en9v4j8xtnwdaehgu3wvfskuep0mvpr6f

How can anyone honestly think that locked Haveno coins are truly in self-custody? In reality, bad Haveno arbiters could easily pretend to be legit takers and get the 2/3 majority needed to approve a transaction, which could lead to theft. Even worse, admin bots could just wipe out the whole Haveno order book with ease. This issue has been confirmed by official dread mods and some reddit users.

Quote SaberhagenTheNameless:

...afaict Haveno/Retoswap, in its current state, has more at risk from rugpulls than necessary - currently over a million USD at stake.

Sell offers are sitting there waiting to be automatically locked into a 2/3 multisig once taken (from potentially malicious admins controlling arbitrator/taker bots meaning they would have enough keys to steal)

Right now nothing is really preventing admins from sweeping the entire orderbook on the sell side.

Source: https://primal.net/e/nevent1qqsy7hmx9n2ws94x92ftvc44ylkejyg8ygw9z9pt4eswj44yqewp3jcpzamhxue69uhkvet9v3ejumn0wd68ytnzv9hxgtcppemhxue69uhkummn9ekx7mp0qy08wumn8ghj7mn0wd68yttsw43zuam9d3kx7unyv4ezumn9wshs0gztdf

Cached: https://archive.ph/JOqDC#25%

Quote shortwavesurfer2009:

The way it would work would be that an arbitrator would create a bot to take the offers and then use the key from the taker bot and their arbitrator key to steal the escrow which contains the seller's Monero plus their security deposit.

Source: https://primal.net/e/nevent1qqs0h2fvwvcsg58l6xw9hwpav4kk3vry933rrm6pparrf0s7p9rel6gpz4mhxue69uhkg6t5w3hjuur4vghhyetvv9uszyrhwden5te0v5hxummn9ekx7mp0qythwumn8ghj7en9v4j8xtnwdaehgu3wvfskuep0mvpr6f

Cached: https://archive.ph/gSRVs#25%

Quote /u/WoodenInformation730:

The arbitrators could rug the whole orderbook (all sell offers and security deposits) by taking all the offers at once.

Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwp7yhn/?context=3#mwp7yhn

Cached: https://archive.ph/icuxp#65%

Quote: /u/monero_desk_support:

After some thoughts, I think you are right and that the arbitration system in Haveno doesn't prevent arbitrators from pulling the funds. They would need to create a bot that takes all the offers and automatically unlock the funds with the key of the taker and arbitrator

Source: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42

Quote /u/geonic_ (Monero Outreach Producer):

Reto has been around for a few milliseconds basically and nothing stops the network operators from creating fake orders if the pot gets big enough. A network would have to be operating successfully for a few years before I trust it with any significant amounts.

Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/m0ae3rk/?context=3#m0ae3rk

Cached: https://archive.ph/bB1VN#84%

Quote /u/WoodenInformation730: To post an offer, you have to deposit the amount + security deposit. If an arbitrator acts maliciously, they could take an offer and essentially steal the funds by signing the 2/3 multisig transaction, since they'd have two keys.

Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwj10k3/?context=3#mwj10k3

Cached: https://archive.ph/icuxp#45%

Quote /u/jossfun:

Haveno relies upon arbitration by the network you’re operating on. In a case where the arbitrators act maliciously they can create trades where they control 2/3 keys to seize funds.

Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/

Cached: https://archive.ph/bB1VN

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

The haveno rugpull amount according to my calc is USD 2.5 million

NOTE: the security deposits from haveno market makers are part of the pot as well

XMR/USD according to haveno.markets

$283.10

Liquidity according to haveno.markets

7,474.47 XMR

15% security deposits = liquidity x 15/100

1,121.17 XMR

rugpull amount = liquidity + 15% security deposits

rugpull amount = 7,474.47 XMR + 1,121.17 XMR

rugpull amount = 8,595.64 XMR = 2,433,425.68 USD

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

OpenMonero re-opening!

Regarding the recent security issue on June 6, 2025, there’s no sign that the main backend has been hacked. The breach led to about USD 20,000 (or 62 XMR) being stolen, mainly due to some bad configuration with ufw and wallet rpc. It’s worth mentioning that trade chats and MongoDB are hosted on different servers from the monero-wallet-rpc, so the core infrastructure is still secure. We’ll refund all affected users once the platform has collected enough arbiter fees.

Read more here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/59e5b924658bac9124d0

------SECURITY UPDATES------

- new monero wallet on a different hosting provider

- all passwords and keys have been updated

- monero-wallet-rpc is now bound to 127.0.0.1 to prevent remote access

- arbiter address switched to cold wallet to protect refunds

- DEX API fully isolated from openmonero.com to minimize security issues

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju
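
The loopback-binding fix in the security updates above can be checked mechanically. The following is an added example, not OpenMonero's code: it audits a monero-wallet-rpc command line or config file, plus `ss -ltnp` output, for a wallet RPC reachable from other hosts. The port 18083, the wallet path, the login placeholder and the sample `ss` output are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed samples (not taken from the incident): a weak and a hardened launch line.
EXPOSED_CMDLINE = (
    "monero-wallet-rpc --wallet-file /srv/wallet/main --rpc-bind-ip 0.0.0.0 "
    "--rpc-bind-port 18083 --confirm-external-bind --disable-rpc-login"
)
HARDENED_CMDLINE = (
    "monero-wallet-rpc --wallet-file /srv/wallet/main --rpc-bind-ip 127.0.0.1 "
    "--rpc-bind-port 18083 --rpc-login svc:CHANGE_ME"
)
# Constructed `ss -ltnp` output; ss shows the kernel's 15-character process name.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      128    0.0.0.0:18083      0.0.0.0:*         users:(("monero-wallet-r",pid=902,fd=9))
LISTEN 0      128    [::1]:18083        [::]:*            users:(("monero-wallet-r",pid=902,fd=10))
"""


def parse_settings(cmdline="", config_text=""):
    """Merge key=value config lines with --flag[=value] arguments (CLI wins)."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip() or "1"
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            if not sep:
                # "--flag value" form, or a bare boolean flag
                if i + 1 < len(args) and not args[i + 1].startswith("--"):
                    value = args[i + 1]
                    i += 1
                else:
                    value = "1"
            settings[key] = value
        i += 1
    return settings


def is_loopback(addr):
    """True only for loopback addresses; wildcards and unparsable values are not."""
    addr = addr.split("%")[0].strip("[]")
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" and anything unknown is treated as exposed


def audit_settings(settings):
    """Return findings for settings that make the wallet RPC remotely usable."""
    findings = []
    bind_ip = settings.get("rpc-bind-ip", "127.0.0.1")  # loopback is the default
    if not is_loopback(bind_ip):
        findings.append(f"rpc-bind-ip={bind_ip} is reachable from other hosts")
    if "confirm-external-bind" in settings:
        findings.append("confirm-external-bind overrides the refusal to bind off-loopback")
    if "disable-rpc-login" in settings:
        findings.append("disable-rpc-login removes authentication from the wallet RPC")
    return findings


def exposed_listeners(ss_output, port, comm="monero-wallet-r"):
    """Return local address:port pairs where the wallet RPC listens off-loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        owner = " ".join(fields[5:])
        if (local_port == str(port) or comm in owner) and not is_loopback(host):
            exposed.append(fields[3])
    return exposed


if __name__ == "__main__":
    for name, cmd in (("exposed", EXPOSED_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(name, audit_settings(parse_settings(cmd)))
    print("listeners", exposed_listeners(SAMPLE_SS, 18083))
```

Capture the `ss -ltnp` output as root so the process column is populated; the configured bind address and the actual listener are checked separately because a firewall rule or a stale process can make them disagree.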

Haveno’s multi-sig trading only protects trades that have already been accepted, which is about 1% of all the liquidity. The rest, like open offers, aren’t protected and could potentially be taken or misused by the admins. So, it’s confusing why some people still see Haveno as a fully self-custodial exchange, when in reality, it’s more like a centralized liquidity platform.

For a more detailed understanding, please read the section about self-custodial trade funding:

https://openmonero.com/faq#self-custodial-trading-funding

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

You may find this surprising, but just two days after the hack, I successfully open sourced the first decentralized peer-to-peer platform fully operational on NOSTR. This new repository represents the pioneering P2P Monero exchange featuring a decentralized reputation system and a federated order book. It incorporates all the functionalities typically found on openmonero.com, excluding self-destructing messages. Importantly, anyone can run their own instance, as the backend code is entirely open-source. The implementation is straightforward to audit, lightweight (only 4,500 lines of code) and genuinely decentralized, leveraging an open protocol like NOSTR that requires no additional software.

Frontend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex

Backend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex-api

Demo: http://ek72x7tysgkrr754ce4np4e6ce5rtwtxphxibzmesnsbuyco5onlc5id.onion/

Regarding the recent security incident, there is no evidence to suggest that openmonero.com has been completely compromised. Only funds have been stolen; trade chats and MongoDB are hosted on separate servers from the monero-wallet-rpc, indicating that the core infrastructure remains intact.

The primary objective is not to achieve absolute prevention of hacks, since no system can be 100% secure, but to minimize potential damage from the outset, similar to the principles of Qubes OS. This incident demonstrates that openmonero.com remains one of the most secure platforms available, capable of handling significant volume while maintaining minimal funds at risk, thus limiting potential losses in the event of a breach.

To date, approximately USD 20,000 worth of user funds have been stolen, along with USD 3,000 in arbiter funds, despite a monthly trading volume approaching half a million dollars. Had I employed a setup similar to Haveno, I estimate that losses could have exceeded USD 2 million making recovery efforts challenging.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr

NOTE: The haveno arbitrators could rug the whole orderbook (2,000,000 USD) despite multi-sig trades.

Additionally, since offers on openmonero.com don’t require any pre-funding, the potential damage remains quite limited (similar to a single McDonald's salary). A quick note: multi-signature setups typically require JavaScript, and possibly Java, which limits scalability and compatibility, especially with browsers like Tor.

Moreover, multi-sig only secures about 1% of the total liquidity (trades in escrow or accepted), making it largely ineffective. On haveno, if a malicious arbiter manages to take all maker offers, they could potentially wipe out the entire order book (despite multi-sig trades). And having a security deposit doesn’t offer much protection either, since an attacker only needs to hold an amount of XMR equal to the lowest security deposit to take all maker offers. This pattern becomes clear when observing how each taker bot balance grows by a ton (logarithmic growth) after each transaction. More here: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

This principle has been validated both by my own analysis and confirmed by the official moderator of the dread sub and some reddit users.

http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42

https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwj10k3/?context=3#mwj10k3

https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwp7yhn/?context=3#mwp7yhn

openmonero.com may actually be one of the most secure platforms out there, thanks to its use of non-custodial trade settlements, non-custodial funding, and relatively quick trade finalization (one hour). To date, only about 20k USD of user funds have been stolen (plus 3k arbiter funds), despite a monthly trade volume of roughly half a million dollars. Had I implemented a setup like haveno, I’d probably have seen at least 2 million USD stolen (good luck trying to refund that).

You can read more about the hack here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/59e5b924658bac9124d0

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull

I've just open sourced the first p2p monero platform that is completely based on NOSTR, with a decentralized reputation system (PGP canaries), a federated orderbook, non-custodial trade funding, non-custodial trade settlements and anyone can set up his own instance since the backend is open source as well. I am telling you once again, haveno is a centralized liquidity exchange, since the admin can take all offers. All that is required for such an exploit is access to the admin key, two bots (taker and arbiter bot), and an amount of XMR equivalent to the lowest security deposit (a mechanism evident from the logarithmic balance growth of each taker bot following each transaction). More here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-779f1c27e12e98e6af

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk

Check out the new decentralized exchange based on Nostr and OpenMonero/LocalMonero frontend. The code is production ready but I can't set up a fully working instance right now, since 2 of my servers have been hacked on 6/6/2025. You can check out the demo below or clone the code and set up your own instance. The backend has just 4.5k lines of code in a single file and is very easy to audit.

New powerful updates:

Decentralized, new reputation system not locked to any specific location or instance.

Federated and decentralized order book model allows for a combined order book across multiple instances.

All data, including the order book, reputation, profiles, trades, wallet information, and chat, is stored on NOSTR.

Admins do not have access to chat history unless a trade dispute arises (E2EE with NIP-04).

Wallet protection with two-factor authentication (2FA) instead of a traditional password.

Websockets facilitate real-time event updates without requiring a page refresh.

Frontend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex

Backend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex-api

Demo: http://ek72x7tysgkrr754ce4np4e6ce5rtwtxphxibzmesnsbuyco5onlc5id.onion/

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk

Tor Browser ended OS "spoofing"

The new update stops lying that your operating system was Windows, when it's really Linux.

Ultimately to sum up their move in a single sentence,

They are trying to avoid bots hazing users for clearweb use, at the expense of no-JS darknet buyers.

IF you had Javascript ENABLED, then websites could have figured it out before. So this is NOT a big change. Because as I've been shouting from the rooftops, user-agent spoofing doesn't fool sophisticated scripts. And if you don't believe me, then Privacy-net has an analyzer to quickly prove OS spoofing doesn't work to you.

Going forward, IF you DISABLE Javascript, then darknet sites will now be able to see you're on Linux. This is probably not that big a deal, but a minor point. As it reduces your anonymity set, but among Windows, Mac, and Linux.

The official Tor team said quote:

"Asymmetric user agent spoofing triggered anti-fraud and bot-detection scripts breaking websites without added privacy benefits"

In the end though,

"Anti-Fraud and Bot-detection scripts" are STILL going to give Tor Browser users a hard time, since their IP address is known to be Tor, and they are blocking all kinds of other scripts in safer mode. But it shows the official team is slightly less interested in protecting darknet buyers.

All of these anti-bot anti-fraud reasons are exactly what our fingerprint VPN system is designed to help you evade. Once again, I'm repeating that Tor Browser is a crappy daily driver for most services where you log in. If it's just looking at text, okay. But if you're signing up, logging in, and using Javascript, then that's where Simplified Privacy's app shines. In hopefully under 2 weeks, we'll be doing a big upgrade fixing many things. Stay tuned.

I am looking for a browser that has the following features:

- same anonymity as tor browser

- built-in i2p

- adblocker addon pre-installed to prevent fingerprinting

- option to add whitelist for js and persist after restart