Mistex

What it is. A no-KYC, non-custodial instant swap service supporting 1000+ cryptocurrency pairs with float and fixed-rate modes. Listed at Grade B- because the privacy architecture is genuinely well-documented — no IP logs, no analytics, no user profiles, swap data discarded after completion — but the anonymous operator and thin external trust footprint (one monerica listing, zero community reviews) keep this in the experimental tier.

Background. Mistex is operated by an anonymous team described as ‘cryptography engineers and privacy advocates’ (operator-published, `/about`). The about page explicitly states: ‘We don’t show our faces because we practice what we preach. In a world of surveillance, anonymity isn’t suspicious — it’s responsible.’ No founding date, jurisdiction, or parent entity is published. The privacy policy and terms of service are effective April 23, 2026. The service is listed on monerica.com ( — direct hit at monerica.com/site/mistex) but not on kycnot.me (404). Contact channels: support@mistex.io, X / `@mistex_io`, Telegram / `@mistex_bot`. The site supports English only. No community sentiment was found in web/forum/X searches — the service appears to have zero independent reviews or discussion threads as of a public audit date.

What you trust.

• No KYC — verbatim. The homepage states: ‘No registration. No KYC. No logs.’ The privacy policy reinforces: ‘No name, no email, no phone, no date of birth. No ID documents, no selfies, no proof of address. No social login, no OAuth, no third-party identity broker. No mandatory account.’ (operator-published, `/privacy`). Swaps work without any identity disclosure — accounts are optional and only needed for cashback/referrals/API access.
• No-logs policy — specific, not aspirational. The privacy policy states: ‘We don’t run request logs with client IPs. The reverse proxy strips identifying headers before they reach our application. The application itself writes only operational diagnostics — things like “rate fetch failed, retrying” — which never include addresses or amounts you’d need to link a person to a swap.’ (operator-published, `/privacy`). This is unusually specific: it names the reverse-proxy mechanism and describes exactly what IS logged (operational errors without PII).
• No user profiles, no retained swap data. The terms state: ‘Funds only live in the system for the duration of a single swap. There are no user balances, no “accounts with money” on our side.’ (operator-published, `/terms`). The privacy policy adds: ‘Once a swap terminates this working state is no longer needed. We don’t build histories keyed to anyone — no “user profile”, no behavioural graph, no ad IDs.’ This is a meaningful structural commitment: swap data is ephemeral by design, not just ‘not shared.’
• Own liquidity — reduced third-party exposure. The service claims ‘own liquidity pools’ (operator-published, `/about`, homepage ‘◈ Own Liquidity’ badge). The about page contrasts this with typical exchanges that ‘depend on third-party liquidity’. If true, this means swap execution does not route through external exchange APIs — reducing the number of parties that see the transaction. Notable caveat: the privacy policy acknowledges ‘upstream liquidity provider outages’ as a possible cause of delay, suggesting not ALL pairs are self-liquidity.
• Tor v3 mirror with proper Onion-Location header. The onion `hyktea5pdx57p3qgzg4fpvtydlre24jlmzh5oiv2gwh3pirtgfu7hryd.onion` is advertised on the homepage and footer. The clearnet `Onion-Location` header matches ( — populates the same onion). The privacy policy explicitly addresses cookie scoping: ‘Cookie and login state on the onion mirror are scoped to the onion origin — a login on clearnet does not propagate there, and vice versa. That’s deliberate.’
• Monero-address sign-in. Users can register and log in ‘by signing a challenge with your XMR primary address’ (operator-published, homepage) — no email required. Compatible with Cake Wallet, Feather, and Monero GUI. This is the strongest identity model in the directory — wallet-address-based auth without any personal identifier.
• No analytics, no third-party tracking. The privacy policy states: ‘We don’t run analytics, pixels, session recording, A/B experiments keyed to individuals, or any third-party tracking scripts. There is nothing in the page that phones home about you.’ (operator-published, `/privacy`). The cookie policy is specific: ‘session cookies needed to keep you logged in... and one short-lived attribution cookie if you arrived via a referral link. They are HttpOnly, SameSite=Strict, and scoped to the origin.’

Operational specs.

• Site. https://mistex.io — conventional multi-page web app (not an SPA). Published pages: `/` (home + embedded FAQ), `/about`, `/terms`, `/privacy`, `/contact`, `/affiliate`.
• Tor mirror. `http://hyktea5pdx57p3qgzg4fpvtydlre24jlmzh5oiv2gwh3pirtgfu7hryd.onion/` — v3 hidden service, advertised on the homepage and footer. `Onion-Location` header on clearnet matches. Proper origin-scoped cookie behaviour across clearnet and onion.
• Pricing. Fee structure not publicly documented on a standalone page. The FAQ on the homepage states: ‘Float rate follows the live market price... Fixed rate locks the exchange rate for 20 minutes... Fixed rates include a premium to cover market risk.’ (operator-published, homepage FAQ). No fee schedule, no commission tiers, and no `/fees` page discovered. The terms note ‘Rates and fees are displayed before you initiate a swap.’
• Payment surface. 1000+ cryptocurrency pairs across multiple networks (operator-published, homepage FAQ). XMR is prominently featured as both source and destination — the homepage highlights BTC→XMR, ETH→XMR, USD→XMR, USDT→XMR, LTC→XMR, SOL→XMR pairs plus reverse routes. Monero-native swap support is a first-class feature, not an afterthought.
• Swap modes. Float rate (market-following, 0.8% service fee) and Fixed rate (locked for 20 minutes, 2% premium over float). The FAQ explains: ‘Float rate follows the live market price — the amount you receive may slightly change... usually works in your favor. Fixed rate locks the exchange rate for 20 minutes, guaranteeing you receive exactly the quoted amount.’
• Account model. No-account swaps are the default. Optional cabinet account (email+password or Monero-address challenge sign-in) unlocks cashback, referral commissions, and API access. The terms state: ‘If you don’t create one, nothing changes about the swap itself.’
• Partner / referral program. 0.3–0.5% lifetime commission on referred swaps (operator-published, homepage Partner section). Registration requires only an XMR payout address. Dashboard shows earnings in BTC and XMR, withdrawable anytime.
• Support channels. support@mistex.io, X / `@mistex_io`, Telegram / `@mistex_bot`. The homepage FAQ mentions ‘24/7 support via Telegram, email, or the on-site chat.’ No Matrix, Simplex, Signal, or PGP key published.
• **FAQ is embedded on the homepage. an extensive FAQ section is embedded directly on the homepage, covering account requirements, data collection, Tor/VPN usage, swap duration, rate types, minimum/maximum amounts, stuck transactions, wrong-address recovery, memo/tag requirements, cancellation, and API access.
• No AML page. The site does not publish a standalone AML/KYC policy. The privacy-by-architecture model (no data collected, no identities held) is the functional equivalent, but it is not stated as an AML posture.
• No reserves transparency. No proof-of-reserves page, balance attestation, or audit report is published. Own liquidity is claimed but not verifiable from outside.
• API surface. Documented REST API at `https://mistex.io/api-docs`. Base URL `https://mistex.io/api/v1`. Public endpoints `/currencies` and `/partner/rates` require no authentication; order endpoints (`/partner/orders`) authenticate with a Bearer-token API key (`key_id.secret` format, no request signing). Default rate limit 60 req/min on unauthenticated calls; higher quotas for partners. The operator-published positioning: *"suitable for bots, payment integrations, and partner platforms."*
• Contact channels. Support (24/7, <5 min average): Telegram bot `@mistex_bot`, Telegram channel `@mistexio`, support email `support@mistex.io`, on-site live chat at `https://mistex.io/contact`, plus an anonymous-allowed contact form (the email field is optional — leave blank for unattributed reports). X / Twitter: `@mistex_io`. The support flow does not require an account; supplying a Transaction ID is the only continuity hook.
• Domain. `mistex.io` — the `.io` TLD is a British Indian Ocean Territory ccTLD widely used by tech startups. It has no history of mass seizures but is not a privacy-community standard like `.org`.

Operator philosophy. Mistex is overtly ideological — the about page positions the project as ‘Built by privacy advocates. For privacy advocates.’ and frames financial privacy as ‘a right, not a privilege.’ The team explicitly embraces anonymity: ‘We are anonymous. By design. We don’t show our faces because we practice what we preach. In a world of surveillance, anonymity isn’t suspicious — it’s responsible.’ (operator-published, `/about`). The policies are unusual in their specificity and plain-language confidence — the privacy policy opens with ‘Most privacy policies exist to explain how a service collects and monetizes your data. Ours exists to explain how we don’t’ and the terms are a concise 11 sections with no dense legalese. The project presents a clear contrast table on the about page (Mistex vs ‘typical exchange’) covering KYC, data storage, IP logging, fund-freezing, data-sharing, and liquidity sourcing. The ‘Three pillars. Zero compromise’ framing (Privacy first, Speed matters, Radical transparency) is more manifesto than marketing.

Grade rationale. Listed at Grade B- — the half-step *"B-shape positive signals at tenure-zero"* tier. The privacy posture is genuinely strong: the privacy policy names its mechanism (reverse-proxy header stripping before the application sees the request), the no-log claim is specific rather than hand-wavy, the Tor mirror is properly configured with a matching `Onion-Location` header, the Monero-address sign-in model is the strongest identity approach we list, the REST API is documented at `/api-docs` with a concrete auth model. Grade B is withheld because: (a) only one peer-directory match (monerica) with zero independent community reviews; (b) anonymous operator team, no individual names, no jurisdiction, no fallback if the project dissolves; (c) own-liquidity is claimed but no proof-of-reserves, no audit report, no balance attestation — the reserves claim is unverifiable; (d) no incident history yet, so operator response under stress is untested; (e) under Tor Browser's *Safest* security setting (which blocks JavaScript) the swap-creation flow does not function — the site requires JavaScript end-to-end despite the multi-page legal surface. Path to B: publish reserves attestation (view-key or signed wallet address), accumulate 6+ months of post-2026-06 operating-since without a withheld-funds incident, and earn a second peer-directory listing.

Useful when:

• You need to swap between cryptocurrencies without creating an account, providing an email, or disclosing any personal identifier — the no-account default swap flow requires only a destination address.
• You want maximum privacy for a swap and prefer a service with a native Tor v3 mirror, origin-scoped cookies, and a documented no-IP-logging reverse-proxy configuration.
• You’re a Monero user who wants to log in or register by signing a challenge with your XMR primary address instead of providing an email — Mistex supports Cake Wallet, Feather, and Monero GUI for this flow.
• You want a swap service with claimed own-liquidity pools (reducing the number of external exchanges that see your transaction) rather than one that routes everything through third-party aggregators.
• You run a blog, Telegram group, or community and want to earn referral commissions (0.3–0.5%) on swaps without KYC — the partner program requires only an XMR payout address to join.

Caveats.

• Pair-selector dropdowns sometimes render empty. The currency selectors next to the YOU SEND / YOU GET amount fields can show as blank chevrons depending on render state — refresh the page or click the selector if you don't see the chosen pair label. Affects the visual feedback of *what am I swapping*; the underlying swap is still going to the pair you picked, but verify the rate-line confirmation (`1 BTC ≈ X XMR`) before clicking EXCHANGE NOW.
• Long deposit lock — 32 confirmations. Mistex requires 32 confirmations on the deposit side before releasing the output coin. That is materially longer than the 1–10 confirmations most instant-swap competitors use. For BTC deposits this is several hours of waiting; for XMR deposits, roughly an hour. Plan around the wait if you have a price-sensitive swap; the *float-rate* protection means the displayed rate is not locked across that window.
• Reserves are claimed but unverifiable. Mistex claims its own liquidity pools but publishes no proof-of-reserves, no view-key, no signed wallet address, and no third-party audit. You are trusting the operator's word that the liquidity exists. If they vanish mid-swap, there is no on-chain artefact you can point to that says "the funds were ever there."
• Tor Browser Safest mode breaks the swap flow. The site requires JavaScript end-to-end for swap creation. Tor Browser's *Safest* security setting (which disables JavaScript globally) renders the site readable but the swap form non-functional. Use *Standard* or *Safer* for the actual trade; bookmark the onion (`hyktea5...hryd.onion`) so you don't browse to it via clearnet first.
• Anonymous operator team — no recourse channel. No founder names, no jurisdiction, no legal entity disclosed. The only recourse if a swap goes wrong is the support ticket form on-site. No regulator, no chargeback, no legal recourse. Standard for the no-KYC swap category, but worth acknowledging.
• Anonymous team — zero accountability surface. The about page describes the team as ‘cryptography engineers and privacy advocates’ with no names, no pseudonyms, no individual identities, no jurisdiction, and no legal entity. ‘Anonymous by design’ is philosophically coherent but at the operational level it means there is no person to hold accountable if the service disappears with deposits. Every trust signal in this listing is self-published — the policies, the claims, the comparison table — with no external verification beyond one monerica listing.
• ‘Own liquidity’ is claimed but unverifiable. The homepage and about page prominently feature ‘own liquidity pools’ as a differentiator. However, the privacy policy also references ‘upstream liquidity provider outages’ as a potential cause of delays, suggesting own-liquidity coverage may not be complete. No reserve proof, balance attestation, or liquidity-verification mechanism is published.
• Fee structure is discoverable only at swap time. The homepage and FAQ mention float/fixed rate mechanics and a premium for fixed rates (the swap form shows 2% on fixed vs 0.8% float) for fixed rates, but there is no published fee schedule, no fee-comparison page, and no way to compare Mistex’s rates against competitors without initiating a swap. ‘Rates and fees are displayed before you initiate a swap’ (operator-published, `/terms`) is true but insufficient for comparison shopping.
• Only one peer-directory listing. mistex.io is listed on monerica but not on kycnot (404), orangefren, web3privacy, monero.fail, or privacyguides. The external trust footprint is a single match with no community reviews.
• Zero community sentiment found. No reddit threads, no bitcointalk discussions, no monero.town posts, no X reviews, and no independent blog coverage mention Mistex in any context — positive, negative, or neutral. The service appears to have zero user-generated discussion anywhere on the indexed web.