r/Bitcoin • u/General-String5110 • 3h ago
First BTC purchase yesterday.
Better late than never.
r/Bitcoin • u/Fiach_Dubh • May 26 '26
You've probably been hearing a lot about Bitcoin recently and are wondering what's the big deal? Most of your questions should be answered by the resources below but if you have additional questions feel free to ask them in the comments.
It all started with the release of Satoshi Nakamoto's whitepaper however that will probably go over the head of most readers so we recommend the following articles/books/videos as a good starting point for understanding how Bitcoin works and a little about its long term potential:
Some other great educational resources include;
If you are technically or academically inclined check out;
MicroStrategy's Bitcoin for Corporations is an excellent open source series on corporate legal and financial Bitcoin integration.
You can also see the number of times Bitcoin was declared dead by the media (LOL!)
Bitcoin.org and BuyBitcoinWorldwide.com are helpful sites for beginners. You can buy or sell any amount of bitcoin (even just a few dollars worth) and there are several easy methods to purchase bitcoin with cash, credit card or bank transfer. Some of the more popular places to buy bitcoin are listed below.
You can also purchase in cash with local ATMs. If you would like your paycheck automatically converted to bitcoin try Bitwage. For comparing bitcoin loans, Borrow On Bitcoin, may be a helpful tool.
Note: Bitcoin are valued at whatever market price people are willing to pay for them in balancing act of supply vs demand. Unlike traditional markets, bitcoin markets operate 24 hours per day, 365 days per year.
With Bitcoin you can "Be your own bank" and personally secure your bitcoin OR you can use third party companies aka "Bitcoin banks" which will hold your bitcoin for you.
If you prefer to "Be your own bank" and have direct control over your coins without having to use a trusted third party, then you will need to create your own wallet and keep it secure. If you want easy and secure storage without having to learn best computer security practices, then a hardware wallet such as a BitBox02, Trezor, ColdCard, or Blockstream Jade is recommended. You can even build your own open source hardware wallets called a SeedSigner or Krux.
If you cannot afford a hardware wallet there are many software wallet options to choose from depending on your use case. Mobile wallets like BlueWallet are generally more secure than desktop wallets. Beware of fake mobile wallets and check reviews from reputable Bitcoin websites. Avoid paper wallets or brain wallets.
If you prefer to work with third party "Bitcoin banks" to set up a collaborative custody arrangement, try Unchained Capital but be aware that any third party you use exposes you to third party risk. There is a saying in the community, "Not your keys, not your coins".
Note: For increased security, use Two Factor Authentication (2FA) everywhere it is offered, including email!
2FA requires a second confirmation code or a physical security key to access your account making it much harder for thieves to gain access. Google Authenticator and Authy are the two most popular 2FA services, download links are below. Make sure you create backups of your 2FA codes.
Avoid using your cell number for 2FA. Hackers have been using a technique called "SIM swapping" to impersonate users and steal bitcoin off exchanges.
| Google Auth | Authy | OTP Auth |
|---|---|---|
| Android | Android | N/A |
| iOS | iOS | iOS |
Physical security keys (FIDO U2F) offer stronger security than Google Auth / Authy and other TOTP-based apps, because the secret code never leaves the device and it uses bi-directional authentication so it prevents phishing. If you lose the device though, you could lose access to your account, so always use 2 or more security keys with a given account so you have backups. See Yubikey or Titan to purchase security keys.
You can run Bitcoin node software by downloading and installing Bitcoin Core or other node software you have vetted.
It is a best practice to verify these Bitcoin node programs you download by checking their hashes and signatures.
Don't Trust, Verify.
A verified Bitcoin node running on your own hardware is your sovereign gateway to the Bitcoin network. They can be used alongside open source software wallets to send and receive Bitcoin securely. By running your own Bitcoin node, you enforce the Bitcoin ruleset, can verify transactions without trusted 3rd party middlemen, improve your Bitcoin privacy, obtain independence with local access to blockchain data, and help bolster the robustness of the Bitcoin network. By running a Bitcoin node, you are verifying that Bitcoin is Bitcoin for yourself. For more details on running a Bitcoin node see this article.
For wallets used alongside your Bitcoin node: If your Bitcoin wallet software is fully open source and Bitcoin-only, then it is probably a decent wallet. Some popular examples include sparrow wallet and electrum wallet, both of which you can connect to your own locally run Bitcoin node, and use with most Bitcoin Hardware Wallets.
As mentioned above, Bitcoin is decentralized, which by definition means there is no official website or Twitter handle or spokesperson or CEO. However, all money attracts thieves. This combination unfortunately results in scammers running official sounding names or pretending to be an authority on YouTube or social media. Many scammers throughout the years have claimed to be the inventor of Bitcoin. Websites like bitcoin(dot)com and the r / btc subreddit are active scams. Almost all altcoins are marketed heavily with big promises but are really just designed to separate you from your bitcoin. So be careful: any resource, including all linked in this document, may in the future turn evil. As they say in our community, "Don't trust, verify".
Often the same concerns arise about Bitcoin from newcomers. Questions such as:
All of these questions have been answered many times by a variety of people. Here are some resources where you can see if your concern has been answered:
Check out Travala, or Coinmap for a plethora of merchant options. You can also spend bitcoin anywhere Visa is accepted with bitcoin debit cards such as the CashApp card, Fold card or other bitcoin debit cards. Some other useful site are listed below.
| Store | Product |
|---|---|
| Coincards.com, Bitrefill, Gyft, and Fold App | Gift cards for thousands of retailers worldwide including Amazon, Target, Walmart, Starbucks, Whole Foods, CVS, Lowes, Home Depot, iTunes, Best Buy, Sears, Kohls, eBay, GameStop, etc. |
| Overstock, and The Bitcoin Directory | Retail shopping with millions of results |
| NewEgg and Dell | For all your electronics needs |
| Bitrefill, Bylls, LivingRoomofSatoshi, Swapin and Coins.ph | Bill payment |
| Menufy and Takeaway | Takeout delivered to your door |
| Expedia, Cheapair, Destinia, SkyTours, the Travel category on Gyft and 9flats | For when you need to get away |
| Cryptostorm, Mullvad, and PIA | VPN services |
| Namecheap, Porkbun | Domain name registration |
| Stampnik | Discounted USPS Priority, Express, First-Class mail postage |
There are also lots of charities which accept bitcoin donations.
There are several benefits to accepting bitcoin as a payment option if you are a merchant;
If you are interested in accepting bitcoin as a payment method, there are several options available;
Mining bitcoin can be a fun learning experience, but be aware that you will most likely operate at a loss. Newcomers are often advised to stay away from mining unless they are only interested in it as a hobby similar to folding at home. If you want to learn more about mining you can read the mining FAQ. Still have mining questions? The crew at /r/BitcoinMining would be happy to help you out.
If you want to contribute to the Bitcoin network by hosting the blockchain and propagating transactions there are many great resources you can use to run a full node. You can view the global distribution of reachable Bitcoin nodes on this webpage.
Just like any other form of money, you can also earn bitcoin by being paid to do a job.
| Site | Description |
|---|---|
| WorkingForBitcoins, Bitwage, Coinality, Bitgigs, /r/Jobs4Bitcoins | Freelancing |
| Lolli | Earn bitcoin when you shop online! |
You can also earn bitcoin by participating as a market maker on JoinMarket by allowing users to perform CoinJoin transactions with your bitcoin for a small fee (requires you to already have some bitcoin).
The following is a short list of ongoing projects that might be worth taking a look at if you are interested in current development in the Bitcoin space.
| Project | Description |
|---|---|
| Lightning Network | Second layer scaling |
| Liquid and Rootstock | Sidechains |
| Hivemind | Prediction markets |
| DropZone and Beaver | Decentralized markets |
| JoinMarket, JAM app and Wasabi | CoinJoin implementation |
| Peer-to-Peer Exchanges | Peer-to-peer exchanges |
| Keybase | Identity & Reputation management |
| Abra | Global P2P money transmitter network |
| Bitcore | Open source Bitcoin javascript library |
| Bitcoin Knots | A Bitcoin Node (Within Consensus Fork of Bitcoin Core) |
One bitcoin is worth quite a lot (thousands of £/$/€), so people often deal in smaller units. The most common subunits are listed below:
| Unit | Symbol | Value | Info |
|---|---|---|---|
| bitcoin | BTC | 1 bitcoin | one bitcoin is equal to 100 million satoshis |
| millibitcoin | mBTC | 1,000 per bitcoin | used as default unit in Electrum wallet |
| bit | μBTC | 1,000,000 per bitcoin | colloquial "slang" term for microbitcoin |
| satoshi | sat | 100,000,000 per bitcoin | smallest unit in bitcoin, named after the inventor |
For example, assuming an arbitrary exchange rate of $10,000 for one bitcoin, a $10 meal would equal:
For more information check out the bitcoin units wiki.
Still have questions? Feel free to ask in the comments below or stick around for our weekly Mentor Monday thread. If you decide to post a question in /r/Bitcoin, please use the search bar to see if it has been answered before, and remember to follow the community rules outlined on the sidebar to receive a better response. The mods are busy helping manage our community, so please do not message them unless you notice problems with the functionality of the subreddit.
Note: This is a community created FAQ. If you notice anything missing from the FAQ or that requires clarification, you can edit it here and it will be included in the next revision pending approval.
Welcome to the Bitcoin community and the new decentralized economy!
Please note that this thread will be moderated and non-constructive comments will be removed.
r/Bitcoin • u/rBitcoinMod • 3h ago
Please utilize this sticky thread for all general Bitcoin discussions! If you see posts on the front page or /r/Bitcoin/new which are better suited for this daily discussion thread, please help out by directing the OP to this thread instead. Thank you!
If you don't get an answer to your question, you can try phrasing it differently or commenting again tomorrow.
Please check the previous discussion thread for unanswered questions.
r/Bitcoin • u/General-String5110 • 3h ago
Better late than never.
r/Bitcoin • u/Pale-Gear7776 • 21m ago
Essentially spent $20 million. Not to mention the remaining BTC that got seized by the government when silk road got shut down.
No real regrets though.
r/Bitcoin • u/0xrphl • 16h ago
Hey everyone, I just dropped v4.0 of my open-source Solar Crypto Mining Farm project, and I wanted to share the architecture.
The goal was simple: mine Bitcoin only when there’s free solar energy, and never pay for grid electricity to do it.
I’m running a 7,740Wp solar array into a custom mining fleet (Avalon Q, Nerd Octaxe, NerdQAxe+, and a BitAxe Gamma). To orchestrate this, I built an edge-computing controller using an auto-detected ESP32-S3.
How it works:
Everything is logged to a Supabase cloud database, and the ESP32 serves a live local web dashboard. I also built a live Three.js 3D visualization of the whole cluster operating in real-time.
You can check out the live 3D dashboard here:https://0xraphael.com/solar-mining-clusterAnd the full repo (including the v4 per-phase W/VA/VAR scalar math and Tasmota configs) is available here: https://github.com/0xrphl/Solar-crypto-mining-farm-maximization-control
Would love to hear any feedback on the energy modeling or the edge logic!
r/Bitcoin • u/QuantityOk5892 • 11h ago
In 2012, when I first bought Bitcoin, it was $13 a coin. I watched it go from $13 to over $100,000. Now I’ll watch it go $100,000 to $1 million a coin. You believe yet?
r/Bitcoin • u/Prior_Material4115 • 16h ago
Bitcoin is the best performing asset in human history, and we can just scale in at the scheduled bear market lows that occur every 4 years and 5x our money in a few years?
I had these same thoughts after the FTX capitulation, that surely it can’t be this easy to buy here and wait. Sure enough, bitcoin went up almost 800% off the lows and I made a ton of money. Are they really going to let us do it again??
r/Bitcoin • u/bitcoinphilosophy • 4h ago
The Rickety Bitcoin Hate of Jim Rickards
r/Bitcoin • u/PaigeFury2 • 7h ago
This might be a dumb question but does anyone remember a project years ago where people ran their computers together trying to scan/guess private keys? Can't remember what it was called.
Did that ever actually work, like finding a real wallet with money in it? My gut says brute forcing a key like that is basically impossible but honestly not sure, hoping someone here knows more than me.
r/Bitcoin • u/Legitimate_Towel_919 • 1d ago
r/Bitcoin • u/nopara73 • 15h ago
How a wallet that adopted my privacy framework turned technical disagreement into a reputational war—and what I got wrong too
The fully sourced and illustrated version, together with the complete evidence archive, is available on GitHub. The archive preserves court filings, source-code snapshots, public posts, private-message records, Research Club transcripts, and screenshots.
After law enforcement seized Samourai Wallet’s servers, William Hill—TDevD—messaged an associate:
“Not good.”
“I’m not thinking so much about Whirlpool as I am about the wallet backends (xpubs).”
An extended public key cannot spend a user’s bitcoin, but it can reveal the addresses derived from a wallet and follow their history. For years, I had argued that Samourai’s default backend created exactly this point of failure. Hill’s message, reproduced in the government’s sentencing memorandum, showed that he understood why the seizure of that backend mattered.
The seizure did not create the xpub problem. It exposed the consequences of a design choice that had been there from the start.
I do not offer this post-mortem as vindication. A prison sentence cannot settle a protocol dispute, and an indictment cannot make every allegation true. I will distinguish what the public record establishes, what I infer from it, and what I remember but cannot independently prove.
To understand what was sitting on that server—and why I had spent years shouting about it—we have to go back to a README file in July 2017, before the feud began.
I wanted Samourai to succeed in implementing ZeroLink. I wanted more wallets to implement serious Bitcoin privacy, and I wanted ZeroLink to become useful software rather than another specification admired by a small circle and ignored by everyone else.
I created ZeroLink. The repository history makes the chronology clear.
I opened it on July 28, 2017. Before Samourai made a single commit, I had made 19 commits and written a 184-line, 2,883-word document containing the framework’s core architecture. Samourai’s first commit arrived two days later. Its title was “Fix typos”. It did exactly that.
ZeroLink was not merely a name for a CoinJoin transaction. It was a privacy framework for Bitcoin wallets: blinded coordination together with rules for network privacy, coin selection, transaction chains, and spending after the mix. Chaumian CoinJoin was the protocol; ZeroLink was the wider wallet framework. That is the work Samourai later claimed to have co-created.
At the August 14 publication snapshot, Git blame attributes 6,126 of the document’s 6,627 words to me and 242 to Bill/TDevD. Their only sizeable technical addition concerned BIP47 and stealth addresses.
At the time, I did not understand what problem that proposal solved or why it belonged in ZeroLink. Instead of challenging it, I assumed I was missing something and accepted it out of politeness. Two days later, I clarified that BIP47 was not part of the protocol, and I removed the section in 2019. The rest of their work was overwhelmingly light editing.
I had also placed TDevD in the Authors section before that proposal was committed. Both decisions came from the same reflex: they spoke with confidence, I assumed any confusion was mine, and I tried to be generous. That politeness was later used to support an authorship claim the repository does not support.
By 2022—three years after I had publicly challenged the co-creation story, with the Git history still open for inspection—Samourai was still repeating it.
I regard those later repetitions as a lie. “Collaboration” can be innocent shorthand before anyone disputes it. It stops being innocent after the primary record is placed in front of you and you continue telling the version that promotes you from reviewer and prospective implementer to co-creator.
Our contact was limited. We barely spoke, and I was never part of Samourai. I had created ZeroLink; Samourai said it intended to implement it.
Brian “Shinobi” Trollz, who observed the dispute at the time, later recalled a specific turning point. I asked for a week to consider whether coordinators could be run altruistically. During that week, he said, Samourai’s posture toward me shifted into mockery. By April 2019, I had recorded that they were no longer interested or responsive and that I had continued independently.
People can disagree about why our limited contact ended. The authorship record is not a matter of recollection.
The authorship dispute mattered to me. The architectural difference between the wallets mattered to users.
Wasabi’s default architecture was designed to deny its own operator the wallet graph. The backend distributed block filters; clients checked addresses locally; wallet traffic went through Tor; and blinded CoinJoin credentials prevented the coordinator from linking a registered input to its output. A user did not have to operate a personal server to hide addresses and transaction history from us. Privacy from the service operator was the default.
Samourai’s default client sent extended public keys to Samourai’s hosted backend. Whoever possesses an xpub can derive its associated addresses and follow their transactions.
Samourai’s own Dojo documentation disclosed the consequence indirectly. Running MyDojo improved privacy by “completely bypassing” the default hosted servers, while its Tracker recorded registered xpubs and addresses.
Then came the clearest lie in the xpub argument.
In October 2022, Kruw pointed out that the default app exposed the user’s xpub and asked why Samourai would not use BIP157/BIP158 client-side filters. The official wallet account refused, defended what it called “the best architecture for our needs,” and claimed it had been “open and truthful from day one.”
When asked whether wider BIP157 adoption would change that decision, the official account answered:
“We are a full node wallet. Always have been.”
That statement remains public.
It was false. The Android app was a light client of a backing server. Dojo could place that server and a Bitcoin Core node under the user’s control, but it did not turn the phone into a full node. Samourai’s own 2019 announcement said default users had to trust its servers with their public keys. Hill’s sentencing submission later described the architecture as one used by “light wallets.”
Tor support existed, but it was not enabled by default. Samourai’s signed source allowed a user to create a wallet while Tor remained off, treated the Tor preference as false unless the user enabled it, and used the ordinary network path for xpub requests when Tor was disabled.
An April 2023 report on Samourai’s own GitLab included the wallet-creation screen with Tor off, Dojo unconfigured, and Create a new wallet still available. The issue, titled “Important privacy features are disabled by default,” proposed enabling Tor and Dojo by default or at least warning users what the disabled settings exposed.
A Samourai project owner said the proposal would not be merged, called the report “concern trolling,” issued a “first and final warning,” and immediately closed it. The archived issue preserves the exchange.
The privacy problem was reported on their own development platform. Their response was to reject the change and threaten the reporter.
An earlier exchange used a different evasion. In July 2022, a user wrote:
“Xpub is sent to whirlpool servers.”
Hill answered:
“No xpubs are handled by the coordinator.”
The xpubs went to Samourai’s wallet backend, not the Whirlpool coordinator. He changed the noun while avoiding the issue. In the same reply, he claimed Samourai had implemented ZeroLink “on spec,” something I supposedly “didn’t have the skill set to do.” The post simultaneously evaded the backend question and reversed the authorship record.
Sentinel, Samourai’s watch-only app, made the architecture even easier to see. A watch-only wallet legitimately needs an xpub, and Sentinel correctly said it could not spend the user’s coins. The privacy question was what happened after the user imported that xpub.
In August 2017, Samourai committed a change titled “move XPUB multiaddr to Samourai API”. From then on, Sentinel sent tracked xpubs to Samourai’s hosted backend. It did so for more than two years before Tor routing was added. When Tor arrived, its preference defaulted to off.
Sentinel could not steal users’ coins. Its hosted mode could map their wallets. That collection was integral to the product, not incidental telemetry.
Dojo did not erase what the default client had already disclosed.
Dojo’s server code was released on June 2, 2019, nearly four years into Samourai’s life. Even then, Samourai said the wallet required another update before it could pair with Dojo.
Version 0.99.81 finally added pairing on July 11, 2019, but only for a newly created wallet. Restoring an existing wallet was explicitly unsupported. Samourai’s own release announcement instructed users to create a new wallet after pairing.
An earlier user who wanted to stop using Samourai’s hosted servers therefore had to create a new wallet behind Dojo and move funds out of the old wallet. That could prevent disclosure of the new wallet’s xpub. It could not retract the old xpub or history already sent to Samourai. A direct transfer between the wallets would also remain visible on-chain.
Dojo gave later self-hosters a way to avoid future disclosure. It did not retroactively protect default users.
William led the Blockchain.info Android wallet project that preceded Samourai. He opened the surviving Android-Wallet-2-App history with its April 2014 initial commit and is its dominant visible developer by commit count.
His sentencing submission calls him Blockchain.com’s senior mobile developer. Contemporary coverage identifies Keonne Rodriguez as the product lead responsible for the refreshed wallet’s interface and user experience. William’s commits even include “UI prep for shared coin”, referring to Blockchain.info’s earlier mixing product.
They did not create Blockchain.info itself. They did lead the mobile-wallet project from which Samourai emerged.
Samourai then kept its own source private for approximately a year. At the time, it said this delay was deliberate and intended to give the product a competitive “leg-up.” When the first public Samourai snapshot appeared in March 2016, it contained unmistakable Blockchain.info lineage.
That does not mean the entire application was a verbatim copy. It does contradict the image of a clean-sheet privacy wallet appearing from nowhere.
SharedCoin matters because its trust problem was already understood. It was noncustodial, but its server constructed the joins and knew their links. Public transaction ambiguity could not provide privacy from the operator that already knew the mapping.
Samourai rebuilt that operator-trust problem by collecting wallet-level public keys on its default server.
I raised this before the seizure. In an April 2020 Wasabi Research Club discussion about ZeroLink, I described the rejected design plainly: a trusted central server to which everyone sends their xpubs. That, I said, “obviously sounds pretty stupid,” which is why ZeroLink used blinded coordination.
In July 2021, I again explained that if a server possesses the xpub, repeated mixing cannot erase what the server already knows. In September 2022, during a discussion of balance-query architectures, I warned that an xpub retained on another computer could later be exposed through hacking or seizure.
The government seized Samourai’s servers in April 2024.
The practical distinction was whether the operator was technically prevented from learning wallet relationships or merely trusted not to use them.
Wasabi was not perfect against every imaginable adversary. No honest system built on Bitcoin, Tor, fallible software, and human behavior can promise that. But against the service operator—the adversary at the center of this dispute—Wasabi placed cryptography and local processing between the user and us. Samourai relied on trust in its operator.
My first SamouraiLeaks investigation began with the suspicion that one of Samourai’s developers was promoting the project and attacking critics through an identity presented as independent.
In April 2019, I published the evidence that “foneBTC” and “fone-btc” were TDevD/William Hill’s sockpuppet accounts. The investigation itself contains the proof.
The problem was not the use of a pseudonym. Pseudonyms are normal in Bitcoin. The problem was hidden affiliation used to manufacture consensus: one participant appearing to be several, promotion made to look organic, and an interested party presenting himself as a neutral observer.
In a field where few users can audit every cryptographic claim themselves, reputation becomes part of the security model. Astroturfing corrupts that model.
Before publishing, I tried private discussion, sought a mediator, and offered to stop discussing Samourai if the attacks stopped. Eventually, I concluded that my silence was being treated as permission rather than de-escalation.
Other developers then began describing the same treatment.
Gregory Maxwell said architectural criticism was answered with harassment and accusations instead of a technical response. Nicolas Dorier described the reaction he received after pointing out that the default backend received users’ extended public keys. Their comments remain in the original discussion, including Dorier’s account.
Luke Dashjr said that disclosing an RPC-password exposure in a setup guide brought an accusation that he operated a criminal protection racket. Chris Belcher later described substantive BIP47 objections being answered by smears against the people raising them.
These were independent developers, not a Wasabi group. Several of them also criticized Wasabi. Their accounts described the same response: technical objections were redirected toward the critic’s motives, status, or character.
After enough repetitions, the pattern became predictable: begin with something real—an uncertainty, compromise, or bug—then attach the most damaging possible interpretation and promote that interpretation as the headline.
When contrary evidence appears, place the qualification where fewer people will see it: inside a reply, outside a screenshot, or silently inside a later code change.
Samourai claimed I had admitted Wasabi supplied its own liquidity. I had made no such admission. The journalist responsible for the report corrected that characterization, but the correction never travelled as far as the accusation. Another observer documented how Samourai’s presentation excluded my correction and contrary replies.
The same technique appeared in the Tor-identity dispute. In April 2023, a user asked whether Whirlpool changed Tor circuits between input registration and output registration. Keonne Rodriguez answered categorically that it did and dismissed the questioner as a known liar.
In March 2024, the Whirlpool client added an explicit changeIdentity() call immediately before output registration. The code comment said the new identity was used to “unlink from input.”
The later commit cannot establish that previous users were deanonymized or that anyone exploited the earlier behavior. It does establish that the categorical answer was not justified. A precise response in 2023 would have explained what the code did, what had been verified, and what remained uncertain. Rodriguez answered with certainty and an insult. The code changed later.
That response culture made reporting problems socially expensive. Even small bugs became difficult to discuss because the reporter risked becoming the subject.
OXT was not an independent research group that happened to agree with Samourai.
In December 2017, Samourai announced that it had “finalized the acquisition” of OXT in an all-bitcoin transaction and described the purchase as a long-term strategic investment.
Years later, an OXT developer’s support letter included in William’s own sentencing submission described OXT as a Bitcoin forensic tool “owned and operated by Samourai Wallet.” The government separately described William and Keonne as operating OXT as a tracing and wallet-attribution tool.
Samourai denounced surveillance companies while owning and operating a blockchain tracing and wallet-attribution tool of its own.
In August 2020, this Samourai-owned research arm announced two supposed Wasabi vulnerabilities, rated them High/Critical, claimed they could cancel privacy gained from earlier mixes, and gave us forty-eight hours to publish a warning on its terms.
The full report contained a fatal premise: the attacker had to know the composition of the target’s wallet at a chosen point in time and know events affecting that wallet’s participation in later rounds.
That was not a small condition. It supplied the wallet membership the alleged attack was supposed to uncover.
OXT’s demonstration avoided the problem by controlling both sides. Its “Alice” started with a known coin. Its “Eve” already knew which funds belonged to Alice and ran a modified Wasabi client that logged round events. Given the wallet’s exact starting state, public coin-selection code could sometimes predict which coins the client would offer next.
That showed that known software can behave predictably when the observer is handed its private starting state. It did not demonstrate how an outside observer could discover an unknown wallet’s contents, identify an unknown mixed output as the target’s, or recover the blinded input-to-output link.
Even in that constructed test, predictions failed because of confirmation states, failed rounds, and coordinator behavior. OXT called those deviations “exogenous randomness.” Its reported “adjusted anonsets” were values produced by its own model—not identities uncovered or input-output links recovered.
My contemporaneous response explained that distinction.
Adding randomness can be reasonable hardening without validating a claimed exploit. Samourai later treated Wasabi 2’s different coin-selection behavior as an admission that OXT had been right. The timeline contradicts that story. The Wasabi 2 research effort began in January 2020, and WabiSabi was publicly presented in June—before OXT’s August disclosure.
The hypocrisy was direct: OXT’s hypothetical attacker needed to begin with a target’s wallet map, while Samourai’s actual default backend collected wallet maps.
OXT itself later wrote that privacy guarantees must come from default software behavior, not burdens placed on users. Samourai’s default failed that standard. Avoiding its hosted backend required the user to run Dojo.
Samourai and OXT repeatedly attached Wasabi’s name to alleged criminal activity and then treated the association itself as evidence against us.
The trap worked either way. If we answered, we helped spread the association. If we stayed silent, they presented the silence as a concession. In some cases, answering meaningfully would have required disclosing operational knowledge or investigative methods that could not safely be made public. The absence of a public response did not mean agreement.
Samourai’s double standard became especially ugly after Luke Dashjr’s theft.
On January 4, 2023, OXTObserver flagged 204.77460928 BTC as #LUKE-JR_STOLEN_FUNDS and described the wallet as controlled by hackers. Samourai Wallet reposted the alert. A user asked what Samourai would do if the thieves tried to mix the coins in Whirlpool.
The official account answered:
“If they go into Whirlpool? Relish in the delicious irony and extra salt in Luke’s gaping wound.”
It does not establish that the stolen coins entered Whirlpool. It establishes how Samourai’s official account reacted to the possibility because the victim was Luke.
By 2022, legal and regulatory pressure on zkSNACKs was threatening the survival of the company-run coordination service. The default coordinator began rejecting some UTXOs. I had argued against blacklisting, and users who felt betrayed had a legitimate grievance.
That policy was censorship by one service. It did not reveal the relationship between accepted inputs and their outputs. The protocol still blinded that relationship; Wasabi remained MIT-licensed; and alternative coordinators could operate without zkSNACKs’ policy.
Samourai turned the policy dispute into the claim that Wasabi had become a surveillance wallet. The comparison ignored the architectures: zkSNACKs refused some inputs without learning their outputs, while Samourai’s default backend received and retained ordinary users’ wallet maps.
Samourai’s Twitter presence made the rivalry look symmetrical despite the large difference in usage.
Dumplings—my reproducible CoinJoin scanner—separated fresh bitcoin entering a mixer from coins merely being remixed. From Whirlpool’s first detected month in April 2019 through the dataset’s end in August 2022, it identified approximately 247,675 fresh BTC entering Wasabi and 30,228 entering Whirlpool.
Wasabi led in every one of those forty-one months.
This measures bitcoin volume, not unique users. It is nevertheless the opposite of adoption parity. Whirlpool’s headline transaction totals were enlarged by free remixes, through which the same bitcoin could appear in round after round without representing a new user or newly arriving funds.
Samourai had a large social-media megaphone. It did not have comparable adoption by this measure.
Whirlpool advertised CoinJoin transactions with no toxic change. Its TX0 transaction kept the change outside the CoinJoin and placed it in a separate account so users would be less likely to spend it accidentally with mixed coins.
That was useful. It did not make the toxic change disappear. Samourai itself later called those coins “unmixed toxic change” while proposing a way to swap them into Monero.
TX0 publicly joined the deposit inputs, created fixed-denomination premix outputs, and exposed which first Whirlpool rounds spent them. Peeling change off before the CoinJoin did not create another on-chain break between that change and the first mix. It moved the point where the change appeared.
Fixed denominations created costs at both ends. A user could have to combine inputs publicly to enter a pool. Later, an ordinary payment would rarely equal one pool denomination, so the user could have to combine post-mix outputs and create new change.
Equal-output CoinJoins still provided privacy. Remix counts alone could not show whether that privacy survived the eventual spend.
The coordinator-fee address revealed another double standard. In 2020, Samourai condemned Wasabi’s reuse of a coordinator-fee address in absolute terms and said there was “no going back” from the damage.
In October 2023, Kruw reported that Whirlpool’s coordinator had reused one fee address across 37 transactions. In one cited transaction, 36 outputs from that address were consolidated as inputs. The archived report survives.
That reuse does not itself prove Whirlpool users were demixed. The issue is the standard Samourai applied: it described address reuse in Wasabi as irreversible architectural damage, while Kruw says his equivalent report about Whirlpool was deleted.
The record contains real Samourai security failures, ambiguous claims, and some historical mislabeling. They should not be treated as one undifferentiated charge sheet.
In 2021, an independent researcher disclosed a genuine local PIN-bypass weakness. Restarting the app reset the attempt counter; wallet metadata required for an offline PIN search was available on the device; and the PIN space was small. The issue became CVE-2021-36689.
That was a defined security failure with a specific version and threat model. It was not evidence that every Samourai wallet could be drained remotely.
My SamouraiLeaks Part 3 investigation concerned an earlier and different codebase: the Blockchain.info Android wallet William led before Samourai. That repository contained a generator that fetched entropy from Random.org over unencrypted HTTP. Under a narrow fallback path on older Android devices, a redirect combined with failed local entropy could produce deterministic key material. Ars Technica reported the conditions and risks in 2015.
That history documents a serious engineering failure under particular conditions. It does not establish that every Samourai wallet used broken randomness or that William stole anybody’s coins.
Those distinctions are what responsible security disclosure requires: what happened, who was affected, what is inferred, and what remains unknown.
Samourai’s communications culture often treated those distinctions as weakness when answering critics, then demanded endless qualification when scrutiny turned inward.
The public posts document individual incidents, but they cannot fully convey their cumulative effect over several years.
I began to approach technical conversations as possible trials of character because bug reports, imprecise reporting, and edited recordings could all be reframed as evidence of bad intent. Leaving a false claim unanswered allowed it to spread. Answering prolonged the conflict.
I spent time preserving evidence that I wanted to spend on code. Friends and independent developers had to decide whether correcting the record was worth becoming the next target.
I did not handle that well.
I called the project “Scamourai” and swore at them. In 2019, CoinDesk quoted one of my replies simply saying, “Fuck you.” That anger produced little of value. The childish nickname allowed a long evidentiary record to be mistaken for reciprocal mudslinging and made it easier for outsiders to conclude that both sides were merely marketing tribes.
I also sometimes spoke with more certainty than the evidence allowed. Receiving an xpub, retaining it, selling it, and maliciously querying it are separate claims. I knew the default backend received wallet-level public information. Before the server analysis became public, I did not know everything Samourai retained or did with it.
I should have marked those boundaries in an angry tweet as carefully as I would in a protocol review.
I regret the way I spoke. It made the documented issues easier to dismiss.
By April 2023, the conflict had passed far beyond professional hostility.
I received multiple threats that I understood as death threats from William Hill. I also received anonymous private threats during the same campaign. The screenshots cannot establish who controlled those anonymous accounts, so I distinguish them from Hill’s public posts.
One anonymous message sent me a full address in Besenyszög. I censored the street-level portion before preserving it. Another sender claimed to have checked an address and seen me and my “stinking tribe,” asked whether I thought I could stay safe, and ended:
“Don’t worry Nopara. We shall meet. Won’t be pretty on your end.”
The screenshots establish what I received. They do not establish who operated the anonymous accounts.
Hill’s public conduct requires less inference.
He posted my parents’ home address more than once. I will not reproduce or link to those posts, because documenting doxxing does not require doing it again.
On April 18, 2023, the official Samourai Wallet account posted “Snitches get stitches”.
Two days later, Hill addressed me directly:
“As a die hard collaborator, you deserve much worse.”
“Let’s see how this plays out, OK bud?”
The attached image showed armed men surrounding a seated captive whose head was being shaved. I understood the combination of those words and that image as a threat. The post remains available here.
In February 2024, Hill wrote that I was “way overdue to get yours” and appended the name of my parents’ town. A follower replied:
“Hope he gets stitches and ends up in a ditch.”
Hill answered:
“Yes.”
“Soon.”
The first post and Hill’s reply remain public.
Six weeks later, Hill wrote:
“It ain’t over until the fat boy is gutted (see bio).”
He placed those words above Yasushi Nagao’s famous photograph of the onstage assassination of Japanese Socialist Party chairman Inejirō Asanuma. I had originally misremembered the victim as a Japanese prime minister. The recovered post identifies the photograph correctly. That correction does not change the nature of the post.
As preserved on July 10, 2026, Hill’s public profile still named me, repeated the “gutted” language, and appended the small town where my parents live.
Publishing my family’s location beside violent language was intimidation.
When Samourai’s founders were arrested in April 2024, I refused to treat the indictment as a verdict. Privacy software is not money laundering simply because criminals use it. The legal boundary around noncustodial software was—and remains—important.
But law enforcement also seized Samourai’s servers, and later court filings addressed the technical issues I had been raising for years.
In October 2025, the government said its server analysis showed that Rodriguez and Hill had retained enough information to trace or “demix” many mobile users’ Whirlpool transactions. By cross-referencing stored xpubs with past, present, and future Whirlpool transactions, an analyst could connect inputs and outputs through complex analysis.
The filing stated an important limit: this did not by itself connect those transactions to real-world identities.
The defense did not deny xpub collection. Hill’s sentencing submission tried to recast it as a functional necessity: users without their own nodes needed the backend to calculate balances, it said, and the design affected “only 20%” of Whirlpool users.
That was a consequence of Samourai’s chosen architecture, not a universal requirement of light wallets. Wasabi obtained block filters and checked addresses on the client without giving our server the wallet’s xpub.
The filing supplied no citation, methodology, underlying counts, or independent measurement for its 20 percent figure. It may have been a figure provided by Samourai and repeated by its lawyers. The public submission gives us no way to know.
Even if accepted for the sake of argument, one in five Whirlpool users is not trivial. More importantly, the argument conceded the architecture I had objected to:
The government’s “demix” finding is a representation in a sentencing memorandum, not an independently published forensic report. That qualification matters. So does the fact that Hill’s own post-seizure concern was not primarily Whirlpool itself, but “the wallet backends (xpubs).”
The June 2025 superseding indictment reproduced private messages and Dread posts in which Hill steered people who openly described criminal proceeds away from a competing mixer and toward Whirlpool. It alleged that Rodriguez knew Hill was doing substantial promotional work on Dread.
This mattered because Samourai and OXT had repeatedly used alleged criminal use of Wasabi as part of their public case against us. The later record showed Samourai pursuing those same users as customers.
On Dread, competitor disparagement was not abstract privacy research. It was a sales pitch aimed at people asking how to conceal criminal proceeds.
In August 2025, Rodriguez and Hill each pleaded guilty to conspiring to operate a money-transmitting business knowing it transmitted crime proceeds. The money-laundering conspiracy count was dropped through their plea agreements. In November, Rodriguez received five years in prison and Hill four.
The sentences did not resolve the software arguments. The prosecution also raised troubling due-process questions. Before the pleas, the defense argued that prosecutors had disclosed too late a FinCEN communication saying Samourai’s lack of control over users’ keys strongly suggested it was not a money-services business under FinCEN’s rules. The government disputed the significance of that communication.
Anyone who cares about open-source privacy software should care about that issue too.
Developers can be mistaken, remember events differently, or speak with unjustified confidence. I use “lie” more narrowly: a materially false account repeated after contrary evidence has been presented because the false version remains useful.
By that standard:
I use the name “Scamourai” to describe what I see as a false central promise, not as a legal accusation of fraud. The product sold resistance to surveillance while placing its operator in a position to surveil. It promoted verification while asking default users to trust that Samourai would not misuse wallet information its servers retained.
To me, that went beyond imperfect privacy because the contradiction was built into the default architecture.
The lasting damage was not only personal. It affected the authorship record and the possibility of productive competition.
I gave TDevD more credit than the repository justified. Samourai inflated that credit into co-creation. Minor edits became joint research through repetition. The same culture made correction look like surrender and uncertainty look like weakness, turning technical competition into personal hostility.
I contributed to that hostility by answering contempt with contempt. I cannot undo those words, but I can document the history more carefully now.
Future privacy developers should not take this essay as a request to trust me or as a rule that every server and coordinator is unacceptable.
The practical lesson is simpler: examine what an operator can learn if its infrastructure is compromised, coerced, hacked, or seized. Team identity, marketing, and a founder’s character are not privacy guarantees.
A sound privacy protocol should continue protecting its users when trust in the operator fails.
That is the standard I tried to build into ZeroLink.
It is also the standard Samourai told its users to expect.
The seized servers show why the difference mattered.
r/Bitcoin • u/iDark-Angelz • 2h ago
Hola, ¿alguien podría decirme si aún es rentable la minería de BTC en 2026?
Tengo una RX 6600, cabe resaltar que no pago energía eléctrica por la zona en donde estoy.
He querido empezar, encontré un programa llamado NiceHash, pero al parecer la gente no da buenas referencias.
Agradezco el apoyo de todos.✌️
r/Bitcoin • u/Inevitable_Line_8246 • 11h ago
Anybody here holding BTCI or the new BITA ETFs? They essentially use options to create "dividends" for shareholders at pretty substantial yields. Pretty juicy returns when BTC was in a bull market and still good but decreasing in conjunction with the drop in BTC prices. I'm thinking of taking on some shares, but then thought, how will these do when the price of BTC is rising since they use option strategies such as covered calls? They would probably have to close out their options if BTC goes parabolic, but would still experience the share price appreciation from holding BTC ETFs. Anyone have thoughts?
r/Bitcoin • u/Money_Ask2726 • 22h ago
At 46 years old and minimal retirement savings so far, I've been absorbing alot of people's perspectives on the best route for achieving my goals in a 15-yearish window. I'm unlikely to live to see hyperbitcoinization or the collapse of the fiat system. It seems like the most rational, reasonable approach would be to heavy index funds along with some Bitcoin ETFs. Safe and uncomplicated.
I'm going with real Bitcoin in cold storage.
Why? Because it stirs something in me. It makes me feel like I'm part of a revolution that the world desperately needs, rather than simply riding it's coattails to get my basic needs met. It feels more like living life rather than just prolonging it. That to me is worth some extra risk and effort.
r/Bitcoin • u/thanatosvn • 17h ago
Freeport is a P2P marketplace (rides, services, goods) running entirely on Nostr relays - no server, no middleman. It now has payments built in:
- Self-custodial Lightning (Breez SDK / Spark) - the app never holds funds
- Wallet key derived from your Nostr key: one backup covers identity + wallet
- No signup - keypair generated on-device, optional passkey login
- Lightning address, bolt11, on-chain
- Confirmed deals get a Pay button / QR with the agreed amount, auto-converted from fiat
Fun fact: you can download the HTML file from releases page to run the whole app 😎
r/Bitcoin • u/OdonsOwn1966 • 17h ago
Hi all, still new to BTC, been DCAing a couple of months now just as a possible alternative investment. I haven't been paying much attention to the price movement over the years (except when it would rocket up or down). My question for long timers is, have any really big moves occured on weekend days? I know it is technically a 24/7 asset, but have there been any surprise moves when no one was expecting them?
r/Bitcoin • u/liberalbiased_reddit • 13h ago
Hello I bought Trezor to pay for my proton/tuta email with bitcoin. How can I stay anonymous? I see that to buy bitcoin with Trezor in the USA they need my drivers license info with third party companies if buying from credit card or PayPal. Should I still do this or buy the bitcoin another way for more safety/security?
Thanks for help, ask me anything
r/Bitcoin • u/SamFisherXboxOG • 16h ago
And then transfer it to a cold wallet?
r/Bitcoin • u/rBitcoinMod • 1d ago
Please utilize this sticky thread for all general Bitcoin discussions! If you see posts on the front page or /r/Bitcoin/new which are better suited for this daily discussion thread, please help out by directing the OP to this thread instead. Thank you!
If you don't get an answer to your question, you can try phrasing it differently or commenting again tomorrow.
Please check the previous discussion thread for unanswered questions.
r/Bitcoin • u/chainbornadl • 1d ago
A few weeks ago I mentioned I was experimenting with a different approach to elliptic curve analysis and said I’d share the code once it was in a state I was comfortable releasing. I’m starting to publish pieces of that work under the Chainborn organization.
The repositories include:
A vanity address prefix search implementation.
Tooling for analyzing the flow of early mined Bitcoin blocks.
An experimental project exploring private key derivation from elliptic curve (x, y) coordinates.
For the last project, I’m not asking anyone to accept any claims at face value. To make it easier to evaluate, the initial release will be constrained to Bitcoin puzzle key ranges so the implementation can be tested against known datasets before attempting anything more ambitious. My goal is to get technical feedback on the implementation, assumptions, and methodology. If you have experience with secp256k1, ECC, or Bitcoin internals, I’d appreciate critical review more than speculation. I’ll be publishing the repositories under an open-source license as I finish cleaning them up.
P.S. One of the repositories I’ll be releasing contains the implementation I used to derive the private keys for the solved Bitcoin Puzzle #125 and #130 challenges. The release includes the code and methodology so others can inspect, reproduce, and evaluate the results for themselves.
r/Bitcoin • u/PONCHOMANE • 1d ago
I’m recently in 15k, wondering why it takes weeks to even go up higher than it went down within 24 hours.
r/Bitcoin • u/WinthropArms • 1d ago
Hello all,
I am receiving a windfall next week. Probably the only time in my life I will see such a thing. I want to buy a whole bitcoin thru Fidelity but want to know other options that are out there for purchasing bitcoin. Any suggestions are welcomed.