[Invite only] JokerMix review campaign Round#2 | bitmover and NotATether

[AB de Royse777]

Important Links

• ANN topic : Altcoinstalks Discussions
• Email : [email protected]
• PGP : Click to download
• Telegram : @jokermixbot
• Help Center : JokerMix Help
• Website Tor : JokerMix Onion Tor Official
• Website URL : JokerMix Official
• TOR URL : JokerMix Onion

About the campaign
This is an invite only campaign and continuation of the first review campaign. In the last conversation with me, the JokerMix team confirmed that the following updates were made which I posted already in their ANN thread.

-We removed the fee adjustment, we had a problem here, so we put 2% plus the additional fee.
-We fixed the flaw in the captcha.
-We removed all third-party communications.
-We changed the session deletion time from 6 days, we put 7 days for Bitcoin and 13 days for Dash.
-We added more details on the PGP guarantee letter: session ID, domain address, and the destination address.
-We added on the session the real-time session expiration time to indicate to the user.
-We changed the red button now, when the user clicks on delete session, a warning message opens to avoid accidental clicks.
-We also updated the help center to better clarify the user.
-If a problem occurs with the session or there are not enough participants now a message will be displayed on the session to contact support.

Job description
Test the system, mix coins, please save the Letter of Guarantee file. Do an extensive research of the platform functionality, find anything that needs to fix. Take note of anything that you think is require to make JokerMix your home for mixing your coins. This review will be conducted as discussion basis. I will invite the management to address your findings and join the discussion. The team will openly take your suggestions and work on the fixes if require. Continue the discussion until you and the team is satisfied to make the perfect mixer for bitcoin and crypto community.

Invited members and rewards
bitmover and NotATether.
Both of you will receive $90 each for the time and intellectual effort. I believe that you two are the best match and you will make me proud to achieve the goal and eventually satisfy the Jokermix team. If anyone else wants to volunteer the discussion then they are welcome too.

Good Luck!

General Disclaimer: We would like to make it clear that Royse777 Campaign Management, Signature & Bounty, managed by Bitcointalk member AB de Royse777, is an independent entity and is not directly affiliated with any of the crypto startups we advertise. While we strive to promote these startups in the best possible light, our views and opinions expressed in our advertising materials do not necessarily reflect those of the startups themselves. We work with various clients across the crypto industry, and our goal is to provide high-quality advertising services to help them achieve their marketing objectives.

[NotATether]

There seems to be an error when I make a mixing session now.

After passing the captcha, it is stuck on the home page:

Code: [Select]

fetch("https://jokermix.to/php-back/create_wallet.php", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-US,en;q=0.9",
    "cache-control": "no-cache",
    "content-type": "application/json",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Linux\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://jokermix.to/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "{\"userAddress\":\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\",\"feeRate\":\"2\"}",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Code: [Select]

{
    "error": "\u0418\u043c\u044f \u043a\u043e\u0448\u0435\u043b\u044c\u043a\u0430 \u0443\u0436\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f"
}
Which decodes to "Имя кошелька уже используется" or "The wallet name is already in use". I do not speak Russian, so this is probably not accurate.

Anyway, looking forward to posting my review once we get to the bottom of this.

[jokermix]

There seems to be an error when I make a mixing session now.

After passing the captcha, it is stuck on the home page:

Code: [Select]

fetch("https://jokermix.to/php-back/create_wallet.php", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-US,en;q=0.9",
    "cache-control": "no-cache",
    "content-type": "application/json",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Linux\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://jokermix.to/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "{\"userAddress\":\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\",\"feeRate\":\"2\"}",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Code: [Select]

{
    "error": "\u0418\u043c\u044f \u043a\u043e\u0448\u0435\u043b\u044c\u043a\u0430 \u0443\u0436\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f"
}
Which decodes to "Имя кошелька уже используется" or "The wallet name is already in use". I do not speak Russian, so this is probably not accurate.

Anyway, looking forward to posting my review once we get to the bottom of this.

We are currently in maintenance while we fix the problem on our side we have disabled mixing for Bitcoin.

[AB de Royse777]

Anyway, looking forward to posting my review once we get to the bottom of this.

Hello , We are currently in maintenance there is a problem with the code    it's hard.

This is what I received from the team just a few minutes ago. Please have patience if you face any issue.

[bitmover]

I  looking forward to start the review as well.

Thanks for the opportunity AB de Royse777 and jokermix

I wasn't able to bypass the captcha the same way as before, there were many improvements in the website already

[jokermix]

Anyway, looking forward to posting my review once we get to the bottom of this.

Hello, We are currently in maintenance.

This is what I received from the team just a few minutes ago. Please have patience if you face any issue.

Yes please be patient you will be able to test the service soon don't worry.

[AB de Royse777]

@bitmover, @NotATether

I was informed from the team that the maintenance work is over. Feel free to use it however please be cautious.

Cheers.

[bitmover]

Joker Mixer Review

Address validation

I don't see API requests to blockchain.com anymore, and this is very good. Fixed.

I know you don't support taproot addresses. However, I think the message is misleading. The error message should be "taproot addresses not supported".



By pass Captcha

The relies in 4 HTML elements: 3 input tags and 1 button.

programatically, it is quick to break it in the following steps:

Code: [Select]

function breakCaptcha(address) {
    // Add an address and click continue
    document.getElementById('input-adress').value = address;
    document.querySelector("#form-start > button").click();

    // Wait for CAPTCHA generation (3 seconds delay)
    setTimeout(() => {
        // Complete CAPTCHA
        document.querySelector("body > div.pop-up-wrap.dflex > div > div.pop-up-inputs-wrap > input:nth-child(5)").value =
            parseInt(document.querySelector("body > div.pop-up-wrap.dflex > div > div.pop-up-inputs-wrap > input:nth-child(3)").value) +
            parseInt(document.querySelector("body > div.pop-up-wrap.dflex > div > div.pop-up-inputs-wrap > input:nth-child(1)").value);

        // Click the button
        let button = document.querySelector("body > div.pop-up-wrap.dflex > div > button");
        button.removeAttribute("disabled");
        button.click();
    }, 3000); // 3000 milliseconds = 3 seconds
}

// run function

breakCaptcha('3FYAqaLMNyN5LBDtmN4Cx2ALQEPMKJCGkJ') //any address will work

Just open your Developer Tools (F12 in browser firefox/chrome/edge) and paste the above code to test it.

There are other techniques that are safer for  captcha. It is very common to use images that looks like numbers, and things like that (which i can't break). It took me about 15minutes to break the captcha, and I am not a professional.

Captcha should be handled in the backend imo.

PGP verification:

PGP verified successfully using https://pgptool.org/



Letter of guarantee

I miss important information in the letter of guarantee. I think the receiving address should be stated there, as a proof where the funds should go to.

I confees that I was a bit worried about sending my funds, because I created many sessions ID. Even sending my funds to the one I just created, I wish I saw a confirmation in the letter of guarantee that my receiving address is the one I expect.

Mixing

The first message I saw after sending my coins was this: waiting other participants



Is this real? Does this mixing process need other participants to get completed? I don't think so, specially because as far as I know nobody else is using the mixer right now (or very few people)

Maybe this is not the correct message, as this is not happening now. Probably "wait while we mix your coins" is better.


The mixing was completed in 20 minutes (4 blocks between sent/received).

I sent 0.0011 and received 0.00105

There was only 2 transactions between my original coins and the received coins from the mixer. Basically, I received the same coins which were mixed with other ones.



This transaction in the middle had about 250 inputs and 300 outputs.

suggestions about the mixing

I believe you are spending too much money in fees (about 50 usd in fees according to mempool.space).
There is really no need to use 250 inputs and 300 outputs to mix so few coins as I sent.

It would be much better if there was a separate transaction. I would prefer to receive totally uncorrelated coins from 2-5 different addresses at most. You would also save in fees, because each UTXO costs like one transaction (and you are using about 450 utxo)

[jokermix]

Joker Mixer Review (Work in progress..........)

Address validation

I don't see API requests to blockchain.com anymore, and this is very good. Fixed.

I know you don't support taproot addresses. However, I think the message is misleading. The error message should be "taproot addresses not supported".



By pass Captcha

The relies in 4 HTML elements: 3 input tags and 1 button.

programatically, it is quick to break it in the following steps:

Code: [Select]

function breakCaptcha(address) {
    // Add an address and click continue
    document.getElementById('input-adress').value = address;
    document.querySelector("#form-start > button").click();

    // Wait for CAPTCHA generation (3 seconds delay)
    setTimeout(() => {
        // Complete CAPTCHA
        document.querySelector("body > div.pop-up-wrap.dflex > div > div.pop-up-inputs-wrap > input:nth-child(5)").value =
            parseInt(document.querySelector("body > div.pop-up-wrap.dflex > div > div.pop-up-inputs-wrap > input:nth-child(3)").value) +
            parseInt(document.querySelector("body > div.pop-up-wrap.dflex > div > div.pop-up-inputs-wrap > input:nth-child(1)").value);

        // Click the button
        let button = document.querySelector("body > div.pop-up-wrap.dflex > div > button");
        button.removeAttribute("disabled");
        button.click();
    }, 3000); // 3000 milliseconds = 3 seconds
}

// run function

breakCaptcha('3FYAqaLMNyN5LBDtmN4Cx2ALQEPMKJCGkJ') //any address will work

Just open your Developer Tools (F12 in browser firefox/chrome/edge) and paste the above code to test it.

There are other techniques that are safer for  captcha. It is very common to use images that looks like numbers, and things like that (which i can't break). It took me about 15minutes to break the captcha, and I am not a professional.

Captcha should be handled in the backend imo.

PGP verification:

PGP verified successfully using https://pgptool.org/



......

mixing in process, I will edit this post soon.

We would like to put a message in 2 but this would require us to add additional code that would allow us to write an invalid address since the address is not in the right format otherwise.
For the captcha did he open an additional session without entering the destination address? or is an error message displayed?

However, do not share the ID publicly, anyone can delete the session.

[bitmover]

For the captcha did he open an additional session without entering the destination address? or is an error message displayed?

The address is added programmatically when the above function is called.

I am just pointing out that it is very easy to bypass the captcha. For some reason you added a captcha there (maybe to prevent bots from creating multiple useless sessions?). But, someone who wants to create a bot to do that can easily pass the captcha.

I will come back after the mixing to finish my review.

[AB de Royse777]

@bitmover @NotATether, can we wrap up the discussion and help the team to progress with the feedback. We have more marketing in the pipeline :-)

Cheers,

[NotATether]

I can confirm that the letter of guarantee is working now. I will test the rest of the mixer tomorrow or something.

[bitmover]

@bitmover @NotATether, can we wrap up the discussion and help the team to progress with the feedback. We have more marketing in the pipeline :-)

Cheers,

My review is completed @AB de Royse777 and @jokermix

I have edited my previous post with my experience.

Thanks for the opportunity.

This is my address:
bc1qdg8ddrl746gs78f4ayddcxs582dq2sjqnuec4z

[NotATether]

Review of the Jokermix mixer, take two

My previous draft was unfortunately wiped by my browser, so I had to start over again. So anyway, if you remember, I had started reviewing it one time before, but decided not to continue with the mixing session since the letter of guarantee verification was not working. Well now that is working, fortunately, and so here is a list of other things that have improved since the last time I used the mixer:

- The mixing fee is now fixed to 2%. I like this rate, it makes it very competitive.
- There seems to be automatic translation support for English now. I see a large list of strings in the Developer Tools console in a file called "i18n" that supports this thesis.
- It's much harder to accidentally destroy your session, and now in fact the session id is included in the letter of guarrantee.

One thing that hasn't changed, however, is the captcha. That is a bit unfortunate, because as I had demonstrated in the previous review, it's easy for a bot to crack it. As in the previous post, I strongly recommend loading an image captcha like this one: https://github.com/S1SYPHOS/php-simple-captcha (I did not make this tool). Image captchas can still be broken by really sophisticated bots but it is much slower to break them and/or more expensive.

So now that these preliminaries are out of the way, let's get to the actual mixing. Jokermix displays a status symbol that either says "not started", "in progress", or "finished". Pretty standard for a mixer. But also more importantly if you accidentially close the tab you can easily get back to your session by going to the history since the session ID is included in the URL.

But the more interesting thing is the fact that Jambler is using its own software and it's not relying on any third party on doing the mixing. That is inferred because the letter of guarantee is signed by a different public key identified from them.

I sent a non-round amount (you know, an amount with random digits at the end like 0.00157893 or similar) into the mixer for testing. Using only one transaction input and one transaction output to limit chain analysis.

It turns out that the mixing was completed fairly quickly, in 9 blocks actually. Or about 1 and a half hours roughly, assuming a block takes on average 10 minutes. I was a bit disappointed at this, unless I was extremely lucky to get a really fast mix, because I have the impression that a mixing session is most secure when it is done across several dozen blocks. That means more transactions for blockchain analysis to filter through, naturally. 9 blocks is not really enough IMO.

One thing that is very interesting to note is that the mixer's receiving address was spent in the same block as the one I received my coins in. the mixer's receiving address was inside a transaction with an extremely large set (120+) inputs and outputs each in what looks like a very efficient coinjoin. As for my receiving transaction, it was part of a payjoin - a smaller coinjoin with 2 inputs and 2 outputs each, both the inputs were the same size by the way. So this really works for anonymity.

All of the Jokermix UTXOs appear to be spent in very large coinjoins for moving them around between rounds (i.e. making outputs that have round amounts) and for sending coins to a person's walet they use payjoins so as to not raise any alarms in case custodial wallet software were to be the receiving address.

AML analysis

I am using Bestchange's address checker, since AMLbot's prices are a rip-off for a single address ($3 per address) and don't directly accept Bitcoin or even LN.

Unfortunately it appears the algorithm could use some work, since it successfully detected that a majority of the funds came from a mixer:

Risky
●Mixer76.80% (red)
●Dark market0.30% (red)
●Exchange unlicensed 10.60% (yellow)
●Exchange licensed 12.10% (green)

Since I am familiar with Bestchange's scoring method, let me explain how these roughly translate to percentages"

Generally speaking, a low AML score will have the red and yellow no greater than 1%. The red areas being mixer, dark market, gambling, sanctions, enforcement action, and similar. The yellow areas is basically just exchange unlicensed (any exchange not forcing KYC). Green being the licenced exchanges, payment processors, miners, and anything coming from a custodial wallet from the above providers. (government seized bitcoins are for some stupid reason marked green too.)

The AML score is divided into four sections, delimited by intervals of 25%. The customer starts getting problems when the AML score is more then 50%, getting asked for documents or whatnot. In my experience, anything more than 10% of the amount sourced from red sources will trigger this. The yellow activities - ie non-kyc exchanges - do not really affect this at all. It's just that if the blockchain analysis sees that a significant (i.e. non-negligible) percentage of the funds is from red sources, the customer could get into some hassle and be required to show proof of funds and such.

My suggestions for alleviating this:

- Implement a program where you reward people who supply you with "clean" bitcoins like from exchanges and miners. It worked really well for Jambler and their coins are squeaky clean.
- You need to spread the coinjoins across many, many rounds, like Wasabi Wallet used to do. A few rounds is not going to cut it. Sure, nobody knows currently where your mixed money comes from, but they know for sure it came from a mixer.

So these two things will really help your mixer become better. And also the captcha, don't forget that!

bc1q4djl6pxt90nfs8fufdul26ufxukxxrczsfjj0h

[jokermix]

Many thanks to NotATether, bitmover for your feedback, we will take note of it and improve the functionality of the mixer as well as the captcha issue.

✍🏻

We are delighted to have led this review campaign.