[END-review campaign]🤡 JokerMix.to | Reward upto $100

[jokermix]

We are delighted to receive your feedback and suggestions; we take note of them and consider implementing some of them .

[Mate2237]

Username: Mate2237
BTC SegWit Address: bc1qw0xsgmegzpr8v54mv60ry62p7d5n3n72vndqsa

My Honest Review

JokerMix.to is a very good and simple mixing company but there are some things to fix. In the process of mixing i encounter many things and I will state them one after the other.in any review work, it is the ability of the person to use the service and detect the weak points and strong areas. And it is in turn for the company to improve on the weak points. Therefore I will want you to look into those area as soon as possible.

The Destination Address:

From my Electrum wallet, there are two ways to get public address and that is there are two public addresses and I copied the URL address from my Electrum wallet address and pasted in the JokerMix.to mixing destination address but it didn't work and it shows RED cycle to indicate that it was not accepted. And you can see it in the image below.


When I copied the address from above image highlighted place, this how it shows.


But when I copied the address from the place written "Address" and insert it in the destination address, the red line didn't show again and that indicated that, it has been accepted that address to receive the coins. And I don't know if the mixing can be configured or set in a way that the two addresses can work. If the url is used let it work because they are from the same bitcoin wallet.
This is the one that worked and not the url.

The Minimum Deposit

As mixing service company, you need more people to use the service and people can use the service when the minimum mixing amount is affordable. The minimum mixing amount is 0.001 which equivalent to $65 at the time of my mixing but currently it is $63. And it is good to reduce it to $30 and that should be 0.00048 BTC.

Deposit/Mixing in Progress

After the deposit/payment and once the mempool confirmed the transaction, the mixer automatically detect the payment. And with a bold writing " Mixing in Progress"  it is recommendable.

Then the status shows* Awaiting Other Participants". Now my question on this "Phrase" is if other are not mixing at the moment, what will happen to the person that have initiated his, though there is a time frame to send out the coins which is 1 hour to 120 hours. But if only one person has initiated, will the person still wait? Because nif the person want to use the coins to do something immediately, it might affect him. Though mine was very fast and I used the 2% transaction fee yet it didn't take much longer when the mixed coins arrived at the destination address. It is one of the fastest mixer, I have ever seen.

Destroy My Session

This is the danger zone I saw in the mixer and it is the most dangerous section in the mixing process because if the person mistakenly touched or clicked that danger link, the mixing process would be terminated and your coins would be done. Therefore I suggest that, "Destroy My Session" link should be faded out when the transaction is in progress so that someone will not mistakenly click on it and lost his coins. And when the transaction has been completed then it should appear for the person to click if he wants to.

Conclusion

And finally my mixing was concluded and the coins we received.

I also downloaded the letter of guarantee as instructed and the mixing was smoothly concluded so i didn't use it but it is good to download it if yiu face any issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Payment Address:

ONLY 1 TRANSACTION ALLOWED!
-----BEGIN PGP SIGNATURE-----

I have made some suggestions above but I will still emphasize on some of them.
1. The URL and Address should work in the destination address box because they are going to the same wallet.
2. The Basic Mathematics of captcha should be removed because it has no reasonable function there. This is coin mixing and not to identify humans.
3. The 2% transaction and the amount the mixer deducted from my deposit is not really clear. I deposited 0.001074 and Electrum transaction fee was $0.99 which was equivalent with 0.00001525 deposited 0.00105875. And I received 0.00100295 and that means the mixer deducted 0.0000558 which is equivalent to $4 as of the time.of the mixing or transaction. Meaning the transaction fee is even more higher than the mempool transaction fee. I suggest you show reduce the mixing fee.
4.  "Awaiting Other Participants" should be reviewed.
5. "Destroy My Session". It is a good feature if it displayed after the mixing process and not when the mixing is going on. Someone might lost coins through that link.
6. The customer Support in Telegram is very slow in responding. Therefore they should improve on that because communication in such services is very important. And they should be live chat service in the mixer.

Finally, I had a good mixing time with JokerMix.to. But they should look into those suggestions and other people reviews for good mixing process.

[notblox1]

username: notblox1
BTC SegWit Address: bc1q97lnvzlf9m550c8y2s4a78tj4ek4sswkth6y6v

Let me add first that JokerMix website is supporting English and French language, this should be expanded to more languages in my opinion.



Another thing I noticed from start when I click on JokerMix logo in Tor browser I am getting new page opened with clear net JokerMix domain.
This should not be happening, logo should open Tor link or no link at all.

I decided to test JokerMix to see how it is working but right from the start I was facing some issues with this website.
It was impossible to mix any Bitcoin and I tried entering different address but I could not pass main screen after clicking Continue button.
Website was always showing me red lines around the address field like I made some mistake, but I checked everything and tried many times with same negative result.
You can see second screenshot posted below:





Than I decided to give a try to other altcoin that is available DASH.
This time everything worked fine in this segment, and I was able to solve a math problem and send my coins.
So there must be some issue with Bitcoin system on JokerMix that needs to be fixed.



Minimum amount for Bitcoin mixing is 0.001 BTC and I think this should be lower for next mixer like JokerMix.
For DASH minimum amount is 1 DASH and I think that is fine.
I sent my coins and I received a message that Mixing is in process and I have to wait for other participants.
I downloaded and saved letter of guarantee and my Session ID, this is important to say for later.





Now this is where the real problems start.
I waited for many hours and nothing was happening, but I was thinking this was normal because in Help Center they explained that waiting can sometimes be longer than 120 hours
http://ryhyp4yrlaydw2rs7znzwr7ovkx7cxnhkzumfihll4jurtbcwxdlvtid.onion/help-center

After waiting several hours I decided to check the link again for JokerMix website and see if there is any change of status for my coins.
I receive bad greeting with 404 error page, and this error page is showing for me!


http://ryhyp4yrlaydw2rs7znzwr7ovkx7cxnhkzumfihll4jurtbcwxdlvtid.onion/crypto-mixer.php?id=d_669a28f1e4c25

Than I decided to open a new page and enter my Session ID code in the bottom of the page.
There I saw another bad greeting showing me that this is invalid session ID!!!
I am totally sure this is correctly save Session ID and I have letter of guarantee to prove it.
I tried repeating the same procedure many times but it was always showing the same error.



Result from my testing is that I lost my coins to JokerMix and this website is telling me I did something wrong.
I expect this problem to be resolved, issue should be detected, fixed and I should receive a refund and explanation.
Mixing services that are not ready should not be released in public.

[jokermix]

username: notblox1
BTC SegWit Address: bc1q97lnvzlf9m550c8y2s4a78tj4ek4sswkth6y6v

After waiting several hours I decided to check the link again for JokerMix website and see if there is any change of status for my coins.
I receive bad greeting with 404 error page, and this error page is showing for me!


http://ryhyp4yrlaydw2rs7znzwr7ovkx7cxnhkzumfihll4jurtbcwxdlvtid.onion/crypto-mixer.php?id=d_669a28f1e4c25

Than I decided to open a new page and enter my Session ID code in the bottom of the page.
There I saw another bad greeting showing me that this is invalid session ID!!!
I am totally sure this is correctly save Session ID and I have letter of guarantee to prove it.
I tried repeating the same procedure many times but it was always showing the same error.



Result from my testing is that I lost my coins to JokerMix and this website is telling me I did something wrong.
I expect this problem to be resolved, issue should be detected, fixed and I should receive a refund and explanation.
Mixing services that are not ready should not be released in public.

We added the language (Russian), we think that when we reset the site = the session must have been confused.
Sorry for the inconvenience , we are in beta, please write to us for a refund. As described, Dash does not have many participants.

[notblox1]

We added the language (Russian), we think that when we reset the site = the session must have been confused.
Sorry for the inconvenience , we are in beta, please write to us for a refund. As described, Dash does not have many participants.

You cant allow something like this to happen or letter of guarantee and session ID are worthless.
Not many participants for DASH coin is not the reason for erasing any session from your service, and you should remove coins if they are not used enough.

[jokermix]

We added the language (Russian), we think that when we reset the site = the session must have been confused.
Sorry for the inconvenience , we are in beta, please write to us for a refund. As described, Dash does not have many participants.

You cant allow something like this to happen or letter of guarantee and session ID are worthless.
Not many participants for DASH coin is not the reason for erasing any session from your service, and you should remove coins if they are not used enough.

We acknowledge the error on our part during the site update with the addition of the Russian language, which caused confusion during downloading, resulting in blank pages and unavailable ID.
In the future, during site updates and maintenance, we will notify users on the forum before taking any corrective action to prevent issues.

--
Precautionary measures have been implemented, including warnings on the site and during the session.
--

Your feedback is appreciated, and we apologize for any inconvenience caused.
This is why we have launched the review and improvement campaign.

[PX-Z]

bech32 address: bc1qxjzwdwc4atxjmh5dsmspp3gk2x6zm5zx7u3q49

Here's my review.

Before doing this i'm previously testing blockchain info api's for my current side project, then later tested the jokermix's site. I got an error eventually after hitting the "Continue" button. That red border shows too when i added characters on the address which is not valid address so it won't proceed. So emphasize the error message to avoid confusion too.


Well, upon checking the developer's tool tab errors, i checked that it using the blockchain.info's api on to check addresses' info e.g.transactions, total received, total sent, current balance etc.

Code: [Select]

https://blockchain.info/rawaddr/{address}




Well, i refer this incident just like the Royalmix for using third party (BlockCypher API) to verify the validity of destination addresses. But on this case it's Blockchain.info, there's no wrong using it, since it's open to all, but upon using it before, they limit their users to use the api, that's why i received such error shows in the developers tool tab. Plus, i believe no ones here trust and uses blockchain.info/com's services anymore so i don't think using them is better than using other service.

Mempool.space has api for this, checking their docs i found this, it is a good alternative for free uses. 

Code: [Select]

https://mempool.space/api/address/{address}The balance cannot be seen on the api response but you can get that after with a math like this

Code: [Select]

balance = funded_txo_sum - spent_txo_sum
While checking the code on checking the validity of the address on main.js below..

Code: [Select]

function StartCheck() {
        const isValidAddress = (address, coinType) => {
            const patterns = {
                btc: /^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$/,
                dash: /^X[1-9A-HJ-NP-Za-km-z]{33}$/
            };
            return patterns[coinType] ? patterns[coinType].test(address) : false;
        };
   
        const checkAddressInBlockchain = (address, coinType) => {
            const urls = {
                btc: `https://blockchain.info/rawaddr/${address}`,
                dash: `https://api.blockcypher.com/v1/dash/main/addrs/${address}`
            };
         }       
    }

I saw this line for isValidAddress on regex

On this btc: /^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$/
You see, this is for validity of the address more on the characters, length, uses to check the address. The (bc1|[13]) is to check that the address start with which is the native segwit, legacy and nested segwit. The [a-zA-HJ-NP-Z0-9] are the  allowed characters. The {25,39} should be the address length in characters which the legacy address has length of 26-36, nested segwit is 34 and the native segwit address is 42-62 (even more in the future). But the code only check it for til 39 which will show probably an error.

About the UI, this color bright red with a background of purple/violet is too much for my eye, it hurts actually. It would be better to use a lighter colors or just remove the red color, then put "Error" word with color white text (or anything light) instead so it will be "Error: Invalid session ID"


I hope this helps.

[NotATether]

Username: NotATether
Bech32 Address: bc1qlgjlpx2rnzvnavrf6gj55hudwlfye0n60me82t

Review of the JokerMix mixer

If you follow what I do, you will know that mixing is very important for your privacy, and I have a list of resources to that end. Generally speaking, a mixer:

- should have a reasonable fee for each mix, so that the operation is useful for both customer and provider
- should give users coins sourced from exchanges (to achieve 0 - 25% AML)
- should not take too long to perform
- and most importantly should give you a letter of guarantee.

The last one is especially important because the letter of guarantee is the only way you can recover your bitcoins if they get lost or if some other mishap happens. Mixing is a very trustless industry (you only have to make sure the mixer is not a scam), in that this widely agreed-upon system insures your deposit.

Today I am going to look at a new mixer called JokerMix. In recent months, authorities have been cracking down hard on mixers, so it's always good to see a few brave faces come out and make a new one.

The interface

The interface is wonderful. It is like The Dark Knight Rises. In fact, there are only three things I'd like to comment about.

The first, is the background - case must be taken to avoid the white starts overlapping the text, in order to prevent it from becoming unreadable. This can currently be simulated by running the website using a 1920x1080 resolution. For those who don't have such a montirr, the Chrome Devtools device tolbar (ctrl - shift - m) can simulate that.

The solution is to make the starts in this SVG image: https://jokermix.to/img/background.svg slightly more grey, same brightness as the cards, so that they don't get in the way of the text.

Second issue is that the PGP fingerprint at the bottom is too small and is not easily readible.

The solution is to open the CSC and in the .pgp class, replace 'font-size: 14px;' with 'font-size; 14pt' to make the size in points instead of pixels.

The last issue is that the destination address field appers to have a beginning of a bitcoin address in it. While I'm aware that it is an example address, the font used for it implies that people might think that it it already has an address inside the destination field which is not desireable. The solution I can provide for this is to either use a more generic placeholder like <insert address here> or to change the placeholder color to grey instead of white.

The mixing process

This is the meat of the sandwich and at first glance it looks like JokerMix has a variety of tools to fight chain analysis:

- Variable mixing fees to make your amount a nice round number
- Random return time from an hour to 5 days
- sessions which you can delete yourself

The interface seems to offer 3 different mixing modes: Basic from 2-4%, Standard from 4-6%, and Premium from 6-8%. At first glance, it is unclear exactly what these are referring to, but perhaps they are referring to different kinds of methods used for mixing. Coinjoin processes can beam your transaction through many rounds, which enables you to have more privacy, since the more round outputs there are in each step, the harder it will be for chain analysis to discern which is which, as long as you *do not make change outputs when sending to the mixer* as these can be linked back to you.

The higher fees appear to incentivize the mixer to give you better protection but this is not true for all mixers, so choose carefully.

I have decied to open a sample mix, using a sample output which can be linked back to me (caveat emptor - I don't believe in 'taint', but AML analysis does), so we will see if it can make a anonymized output. I used a 6% fee for this session.

After solving the captcha (see below), I proceeded to the section where you send a transaction to start the mix. JokerMix allows you to send only one transaction to the specified address. They also give you the session ID, which you can type back into the website if you close the browser by accident, and you also get a letter of guarantee to download. I had imported the PGP key of JokerMix successfully, and then downloaded the letter of guarantee. But when I attempted to verify the letter of guarantee, I got this message from gpg:

Code: [Select]

$ gpg --verify pgp-signature.txt
gpg: invalid clearsig header
gpg: invalid armor header: ZmFzZjMyNGprSiMkSmtmajo6MDU0MTA0NTlmZmJkMWVkZWZmMzMzNGU0NWY3M2IwODFjYTIwN2ZiNWRmMGRiZGI0NmU3NDJkNWZjZmJjNTMzMg==
The signature in question was:

Code: [Select]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Payment Address:
bc1q3qju0lellrrhy87vy5ec5w5vmrav6kmcq62svs
ONLY 1 TRANSACTION ALLOWED!
-----BEGIN PGP SIGNATURE-----
ZmFzZjMyNGprSiMkSmtmajo6MDU0MTA0NTlmZmJkMWVkZWZmMzMzNGU0NWY3M2IwODFjYTIwN2ZiNWRmMGRiZGI0NmU3NDJkNWZjZmJjNTMzMg==
Something is wrong with the signature that was being provided, maybe it is cut off because I don't see an "end PGP message" at the end. This is both in the clipboard and the downloaded file.

I am not sure why it was doing that, but since I could not verify the letter of guarantee then I aborted the mix out of caution.

By the way - why is there no expiration date? I think that for the client's security, and also to free resources at your end, you should make unused sessions expire automatically after a time period like 7 days, if they have sent no transaction.

The captcha

The captcha unfortunately is very weak and it can be broken by a script that uses the developer tools console. For example, it is provided in headless browser environments like Selenium. It asks you to add two numbers, and at a first glance these numebrs are not available in the DOM. However, they can be trivially retrieved using jQuery and thus I was able to break the captcha like so:

Code: [Select]

var value1 = $('.pop-up-inputs-wrap .capcha').first().val();
var value2 = $('.pop-up-inputs-wrap .capcha').eq(1).val();
$('.pop-up-inputs-wrap .capcha').last().val(parseInt(value1) + parseInt(value2))
Screenshot of the flaw:



I suggest that an image-based captcha is served from the PHP backend instead. These are harder to mitigate and require external resources as opposed to just the local computer.


Summary:

- The letter of guarantee is not verifying successfully. It needs to be fixed.
- The captcha needs to be enhanced.
- Various enhancements can be made to the visual design of the website as well for usability purposes.

I hope especially the first issue is fixed because I also want to do an AML analysis on the result.

[Gladitorcomeback]

So here is review of Jokermix.to Mixer. I will try my best to check out all functions and feature. I will try to find out any limitations which could be challeng to compete with other mixer such as Anonymity,Fee ,User friendly dashboard and Security .

Domain:
I don't know why Jokers Team decided to take .to domain which is not trusted like other top quality domains such as .com  an  .org.  The only benefit I researched is short to remember.

DASHBOARD:
Looking every thing fine and user friendly. I double checked spelling and grammar mistake but couldn't found any which is appreciated.


Support:
There is no live chat support in the website and user have to install telegram or mail for help. There should be live chat service. Suppose if someone hasn't created telegram account then he has to go for long process to get help from customer support 🤔🤔

I open telegram support bot to check support service . I leaved help message and got reply after 5 minutes. Telegram support is ok for me as normally reply under 30 minutes are usually marked as fast service.

Mixing:
As I already mentioned that I am trying to use mixer from Android phone. I tried 3-4 times to mix btc but I think we cannot mix through mobile phone. Below is screenshot where site giving error for btc address (red marked). I used different address but faced same problem.

Customer Support told me that taproot address are not available yet but I haven't used any taproot address. I used Sample Electrum wallet and Safepal wallet Segwit address but still facing same. I will wait for update and then will review further




Note: I will update once problem solve

[FinneysTrueVision]

Bech32 Address: bc1qsyexcqgdgv530ekwxmcf7rsdzzr9uula7ca9c9

Based on the information another user shared in their review, I was able to find their deposit to JokerMix on the blockchain and analyze the effectiveness of their mixing. What I found is that JokerMix is not actually using their own algorithm but are instead just charging a fee to act as a middleman for wabisabi coinjoins. I wanted to get more confirmation for my hypothesis but when I tried to do a mix using my own funds the JokerMix website was not really functional. When I entered an address and did the math equation nothing happened when I pressed the “continue” button.

In its current state I would not advise anybody to use this mixer. The website is too buggy and there are some red flags. You can get the same level of privacy for lower fees by using any of the available trustless coinjoin methods and cutting out any intermediaries.

I did not include transaction hashes because the user whose deposit I analyzed might not want sensitive information exposed but I can share it privately or users can just use information from the screenshots in this thread to figure it out themselves.

[jokermix]

Bech32 Address: bc1qsyexcqgdgv530ekwxmcf7rsdzzr9uula7ca9c9

Based on the information another user shared in their review, I was able to find their deposit to JokerMix on the blockchain and analyze the effectiveness of their mixing. What I found is that JokerMix is not actually using their own algorithm but are instead just charging a fee to act as a middleman for wabisabi coinjoins. I wanted to get more confirmation for my hypothesis but when I tried to do a mix using my own funds the JokerMix website was not really functional. When I entered an address and did the math equation nothing happened when I pressed the “continue” button.

In its current state I would not advise anybody to use this mixer. The website is too buggy and there are some red flags. You can get the same level of privacy for lower fees by using any of the available trustless coinjoin methods and cutting out any intermediaries.

I did not include transaction hashes because the user whose deposit I analyzed might not want sensitive information exposed but I can share it privately or users can just use information from the screenshots in this thread to figure it out themselves.

That’s why we launched a review campaign. This is not to criticize, but only to point out problems.
If you can't read: The site is in beta = unstable the bugs here are only reported at the end so that we can correct them correctly we gradually update the fixes and bugs.
The review campaign ends on July 25 and we have already started fixing some bugs.

We are currently experiencing an issue when users enter their Electrum address.

We are not the only ones to use methods somewhat similar to coinjoin: anonymixer.com, mixero.io

Also other cryptomixers use third-party services and external intermediaries such as ( Jambler.io ).

[bitmover]

My address: bc1qdg8ddrl746gs78f4ayddcxs582dq2sjqnuec4z


I took a closer look at the captcha problem (already mentioned by NotATether), and I found out that the captcha is being logged into the console with console.log. Making it even easier for attackers to abuse and bypass the captcha.



many functions in the frontend are defined globally, which isn't a good practice and could lead to some security problems (such as StartCheck() which you can see in the screenshot).

For example, as all functions are globally defined, I can just bypass the captcha entirely and add any address I want to my session:

Just click F12, open console e write this. You will bypass captcha and go straight to the session.

Code: [Select]

document.getElementById('input-adress').value = '111111'   //any address here
sendAjaxRequest()




I tried to many times to destroy my session, but it doesn't work... Need to take a closer look at this as well. My data is still there even after destroying the session


As mentioned earlier by PX-Z, exposing the client IP (i.e. the customer IP) to blockchain.info to validate the address is a bad privacy practice. And there is absolutely no need for that. Address verification should be done locally or in the backend.

The root of the problem lies here:

Code: [Select]

https://jokermix.to/js/submit-adress.js

function isValidBitcoinAddress(address) {
    var re = /^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$/;
    return re.test(address);
}

This is not the correct way to validate a bitcoin address on client side. You cannot use regex for that, because there are some checksum which the address must pass.

The best way to validate a bitcoin address is using a proper bitcoin or cryptography library, such as bitcoinjs.

This is a simple code of validating bitcoin addresses using bitcoinjs (this method does not works for taproot, however, you don't support it, so it is even better). This is how I do in my domain, bitcoindata.science

Code: [Select]

import * as bitcoinjs from "bitcoinjs-lib";
const value = "3CrySAp8G1PfvjrYT4HPQhE8MouBKWd9WB";

const isBitcoin = !!bitcoinjs.address.toOutputScript(value, bitcoinjs.networks.bitcoin);
source: https://bitcoin.stackexchange.com/questions/52740/how-do-you-validate-a-bitcoin-address-using-bitcoinjs-library-in-javascript

[jokermix]

My address: bc1qdg8ddrl746gs78f4ayddcxs582dq2sjqnuec4z


I took a closer look at the captcha problem (already mentioned by NotATether), and I found out that the captcha is being logged into the console with console.log. Making it even easier for attackers to abuse and bypass the captcha.



All many functions in the frontend are defined globally, which isn't a good practice at all and could lead to some security problems (such as StartCheck() which you can see in the screenshot).

For example, as all functions are globally defined, I can just bypass the captcha entirely and captcha entirely and add any address I want to my session:

Just click F12, open console e write this. You will bypass captcha and go straight to the session.

Code: [Select]

document.getElementById('input-adress').value = '111111'   //any address here
sendAjaxRequest()




I tried to many times to destroy my session, but it doesn't work... Need to take a closer look at this as well. My data is still there even after destroying the session


As mentioned earlier by PX-Z, exposing the client IP (i.e. the customer IP) to blockchain.info to validate the address is a bad privacy practice. And there is absolutely no need for that. Address verification should be done locally or in the backend.

The root of the problem lies here:

Code: [Select]

https://jokermix.to/js/submit-adress.js

function isValidBitcoinAddress(address) {
    var re = /^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$/;
    return re.test(address);
}

This is not the correct way to validate a bitcoin address on client side. You cannot use regex for that, because there are some checksum which the address must pass.

The best way to validate a bitcoin address is using a proper bitcoin or cryptography library, such as bitcoinjs.

This is a simple code of validating bitcoin addresses using bitcoinjs (this method does not works for taproot, however, you don't support it, so it is even better). This is how I do in my domain, bitcoindata.science

Code: [Select]

import * as bitcoinjs from "bitcoinjs-lib";
const value = "3CrySAp8G1PfvjrYT4HPQhE8MouBKWd9WB";

const isBitcoin = !!bitcoinjs.address.toOutputScript(value, bitcoinjs.networks.bitcoin);
source: https://bitcoin.stackexchange.com/questions/52740/how-do-you-validate-a-bitcoin-address-using-bitcoinjs-library-in-javascript

Thank you very much for the feedback, this is an important defect, it is a real sharing of a major correction.
We will fix this flaw.
We will put the site under maintenance while we carefully consider repairing this flaw.

[Yamane_Keto]

BTC address: bc1qgt35kdx373y6f7ng4dc0awctwgygc7nch9w38z


Since the majority have tested the service, I will test the mixing and the strength of the mixing algorithm.

1) Mixing address:

I tried using two different addresses for Bitcoin and DASH, but when using Pay-to-Taproot (P2TR) or DASH addresses, it starts with 7.

2) Destination addresses: The mixer gives one receiving address. It is better to have several addresses and to have the option of dividing the Bitcoin among them or even merging the DASH addresses with the Bitcoin addresses in the destination addresses.

3) Network fees: One of the ways to track down mixers is by tracking transaction fees. If the fee code always gives fees higher than the average, then jokermix.to transactions may be easily detected. I suggest that you give the user the option to specify the withdrawal fees, provided that the minimum is mandatory.

4) Delay time: jokermix mixer does not allow the use or modification of the delay time, and if the mixing is instantaneous, the transactions can easily be tracked.

Things that need quick updates:

1) Run full node: mixer relies on API.blockcypher.com and it is better to run a full node as you can verify addresses without relying on a third party.
2) add more server IP address:
I encountered difficulties accessing the site and a lot of Error 1016 messages. Adding more IP addresses would be useful.
3) Add the fees calculator to the deposit page.

Security attacks:
Hackers can easily add an invalid address mix-up, claim that the transaction is confirmed to drain your balance and track customer transactions.
For those who want to use mixer please read privacy-policy for blockcypher https://www.blockcypher.com/privacy-policy.html

May add more but site is slowly loading.....

[bitmover]

Thank you very much for the feedback, this is an important defect, it is a real sharing of a major correction.
We will fix this flaw.
We will put the site under maintenance while we carefully consider repairing this flaw.

Thanks. I am happy to participate in this campaign.

I will be glad to join  a next round after the your team have implemented the improvements suggested by the users in this thread.

Good luck in your project!!