[Exit Scam] RoyalMix.io

[NotATether]

Thanks for the answer. RoyalMix just informed me that they have fixed the problem. Validation takes place on the server, and then all information is deleted, so everything is safe. Information on the site has been updated (FAQ).

The public IP address posted above is still accessible.

And also I have found that the IP belongs in Hostinger's namespace and ASN.

Hostinger is a very anti-mixer web hosting company (they banned my site from their platform), so this is another issue that needs to be rectified.

Ultimately, switching hosts and fixing the DDoS-Guard IP leakage should mitigate this.

Also it appears that there's an SSH server running on that port that is not properly firewalled - generally speaking it should only be accessible from IP addresses inside the developers' ISP. Please raise this issue with them too.

Mixer security is very very important because they are very attractive targets for hackers.

Edit: HOLY SH!T! It's worse than I initially thought.

Apparently, Censys has IP addresses for all mixers and many other sites, even the ones behind cloudflare.

You have definitely got to use the Tor mirrors, but it only works if it's on a different server.

[SamReomo]

Snip

+1 Those are some good suggestions for the mixer's security. I remember when your site faced issue because of Hostinger and that's why I also believe that any mixer or mixer related service should avoid hosts like Hostinger at any cost.

[dkbit98]

Also, mempool.space has its own api to check wallet address too but i don't think its okay to use it.

Mempool.space is open source and it's easy to run your own with bitcoin node, that can be done by anyone including RoyalMix.
This is much better option than using blockcypher.

Hostinger is a very anti-mixer web hosting company (they banned my site from their platform), so this is another issue that needs to be rectified.

Hostinger should not be used by anyone, especially not by a mixer.
There are many better hosting alternatives that user respect and they accept crypto payments.

You have definitely got to use the Tor mirrors, but it only works if it's on a different server.

That is obvious, we should always use onion links whenever possible.

[Yamane_Keto]

Thanks for the answer. RoyalMix just informed me that they have fixed the problem. Validation takes place on the server, and then all information is deleted, so everything is safe. Information on the site has been updated (FAQ).

Have they fixed submit-addresses.js and are still using the BlockCypher API or are they now running a full node?
Without full node the problem still exists.
I can confirm that I can still access the mixer using the public IP.
userID still 6 digit, so i think they only fix the Potential Privacy Issue

[examplens]

Access to the site via the royalmix.io domain is currently not possible, it is offline. Although it is still possible to access directly via IP address.
I assume that it is about maintenance and solving recognized issues

[icopress]

Friends, from time to time I will convey messages from the RoyalMix team.

Here is one of them (regarding recent events).

Dear users

Thank you for your concern about the safety of our mixer and for sharing your concerns. We greatly appreciate your feedback and have done our best to address the identified vulnerabilities. We would like to inform you about the improvements made 

The real server IP address is protected: We have implemented additional levels of protection, which eliminates the possibility of direct access bypassing DDoS proxy protection. Now our site is completely protected from such threats.

Apache HTTPD vulnerabilities fixed: We have updated Apache HTTPD to the latest version and applied all the necessary patches to address known vulnerabilities. This ensures your interaction with our site is secure.

Improved order security: We have redesigned the order generation system. Now instead of a random 6-digit number, a 9-digit number is used. This makes guessing someone's order nearly impossible. In fact, the probability of guessing is 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456.

Additionally, we have configured and strengthened our firewall to prevent any potential attacks and improve overall security. We constantly monitor new threats and use the latest security techniques to keep your data safe.

[PX-Z]

Mempool.space is open source and it's easy to run your own with bitcoin node, that can be done by anyone including RoyalMix.
This is much better option than using blockcypher.

Oh, right, they can self-host mempool.space instead since its open source, its better way or just like i mentioned about regex too for cheaper choice.

[Cantsay]

Access to the site via the royalmix.io domain is currently not possible, it is offline. Although it is still possible to access directly via IP address.
I assume that it is about maintenance and solving recognized issues

They are back online - this one was quite faster than the previous one, I believe this update (if that’s what they actually did) was not as difficult and  time consuming as the previous one that made them take their site down for more than 24 hours.

[Yamane_Keto]

Friends, from time to time I will convey messages from the RoyalMix team.

Here is one of them (regarding recent events).

I can confirm inaccessibility using public IP and improved order security, but RoyalMix needs a check-order page where you can search for the transaction using the order ID or search using the Bitcoin address or the transaction ID.

Royalmix page still contains Google fonts, which may collect some data such as log data (e.g. browser version) and IP address, so it is best to remove them. https://www.fontsquirrel.com is a good alternative.

[Roseline492]

Access to the site via the royalmix.io domain is currently not possible, it is offline. Although it is still possible to access directly via IP address.
I assume that it is about maintenance and solving recognized issues

Actually the site was conducting some maintenance and perhaps adding some more good features so that it will be very easy for the users and work very perfectly for them, however they have finished there maintenance and the site is working perfectly fine now because I just access it now and everything is good, though from the beginning I already know it will be site maintenance that was the caused, however I love the way it was resolved so fast.

[dkbit98]

RoyalMix is back online and they are claiming that all security issues are now fixed, but it is always better for others to confirm this if they can.
Now we are all waiting for Klq!@Gjqoqp./ to come back once again and post his report if everything is OK or maybe he found something else.
Since he is already here maybe he can check security of ALtcoinsTalks forum also

[AGM]

I decided to re-test RoyalMix, but this time in public.

As expected, the coins were received from the Exchange and have a very low AML (there is no point in publishing 7 pages of the report since virtually all the key information is displayed in this screenshot). 

Thanks for sharing that info. I am impressed with RoyalMix's transparency and transaction management efficiency. In particular, they have confirmed their commitment to minimal AML risk and from what I see, one can definitely trust and believe in them. This level of transparency will surely provide a strong evidence for others to follow this platform and RoyalMix team deserves praise for all this.

[Makus]

Confirming that Royalmix are back online, it thought as much that it be be a reason of maintenance that prompted the blackout however it's been resolved and they are as perfect as ever. Their response time is solving issue is top notch. What more can a user ask for than a quick response from the DevelopmentTeam .

[examplens]

Among other things, the Bitcoin community fights against the narrative of "dirty" and "clean" coins. I think that mixers should also stick in that direction.
"Does the mixer clean bitcoins" sounds like a call to AML fighters to fight against all mixers. I would suggest that this be rephrased in something more acceptable, for example, "Does the mixer anonymize bitcoins?"

[NotATether]

Among other things, the Bitcoin community fights against the narrative of "dirty" and "clean" coins. I think that mixers should also stick in that direction.
"Does the mixer clean bitcoins" sounds like a call to AML fighters to fight against all mixers. I would suggest that this be rephrased in something more acceptable, for example, "Does the mixer anonymize bitcoins?"

I don't think it is very important, because clean and anonymize have the same meaning in AML terminology, to the point where even "coinjoin" and "mixer" are bad words.

Besides, the service is actually in Russian language, and the English language is provided automatically by means of calling Google Translate dynamically. That means there's no way to actually change the text short of making an English version by hand.