xmr.club
EN 中文 ES RU
★ FRONT-PAGEAEl Capo— Monero-first private exchange · no KYC, no logs · no records after 30 days. Tor-native with published onion mirror.
/exchanges · verified 2026-05-24

OpenMonero

C

Agoradesk fork — P2P marketplace for buying/selling XMR with self-custodial trade settlement. Tor + I2P mirrors. Recent (May 2026) exploit; operator refunding affected users.

Incident timeline

  1. 2026-05-21 Prior exploit (~40 XMR); operator later claimed all affected users were fully refunded.
  2. 2026-06-08 Operator posted an "OpenMonero is Back" announcement following the May incident.
  3. 2026-06-10 OrangeFren publicly reported "hacked again, 200 XMR stolen" (citing an OpenMonero Telegram screenshot). Downgraded to D.
  4. 2026-06-11 Operator has not confirmed the 06-08 incident. Some claim a negative-trade-amount input bug, others call it a rug — unverified. Treat funds as at-risk pending a verifiable post-mortem.
  5. 2026-06-25auto Within the last 7 days, OpenMonero's operator issued a post-breach remediation notice (tracked by kycnot.me ~10h before this scan, source: openmonero.com): all user 2FA tokens were reset, users were told to change passwords and settlement wallet addresses, April 12-May 22 registrants were asked to file support ticke…
  6. 2026-06-28 Operator recovery post: "OpenMonero is back after 2 weeks of downtime." Security posture rebuilt — servers switched, new onion address generated, env vars and backup codes reset, full wallet isolation from the frontend, backend IP hidden. 90 XMR were refunded to affected users on 2026-06-24 (partial recovery vs. the ~200 XMR reported stolen by OrangeFren; not the full loss). No independent audit disclosed.
  7. 2026-07-07 Curator re-verified: clearnet homepage carries an alert banner directing users registered Apr 12 – May 22 to open a support ticket, passwords in that window to be reset, OTP codes reset platform-wide (users must reactivate 2FA), and the new onion pinned. xmr.club rotated the tor field to the new onion address. Grade held at D — the 2026-06-28 recovery post reports 90 XMR refunded of a claimed ~200 XMR loss (partial, not full), and no public post-mortem or independent audit has been published. This is a resumption of service, not a rehabilitation of the trust track.

At a glance

Grade
C ()
KYC posture
no kyc · anonymous signup
Fees
Platform fee structure inherited from Agoradesk fork — per-trade fee on buyer side (small). Sellers list freely. Optional listing-promotion not aggressive.
Last verified
2026-05-24
Operating since
2024 · 2y — WHOIS 2024 predates archive.org first snapshot 2018; treated as current-entity year (domain may have been re-registered)
Tor mirror
http://3lhctkho2dj6vm2vikklkoeoszksqdg67ztvjky565itm47nhfc3aeid.onion
I2P mirror
http://sex2vkgaeigmgk5dou4pw4uegokxnc3k3vksotlmyldmual5guyq.b32.i2p
Incident
⚠ Active since 2026-06-08 — /incidents
C Why grade C?

Acceptable with reservations. Posture intact but evidence is older, lighter, or the provider sits on a known weakness (custody risk, history of customer-fund freezes resolved, etc.).

Full rubric + 7-step verification walkthrough at /methodology.

Review

Agoradesk fork with self-custodial trade settlements for sellers and several privacy upgrades over the original (session notifications, self-destructable chat history, etc.). P2P marketplace pattern: buyers and sellers post offers, on-site chat handles negotiation, payment + delivery is arranged peer-to-peer. Funded payment methods include PayPal, credit/debit, bank transfer, gift cards, cash by mail, BTC, Venmo, etc.

Mirrors: clearnet at openmonero.com, Tor onion (`fgssv2btn4…njev6sjbyd.onion`), I2P (`sex2vkgaei…ual5guyq.b32.i2p`). Reach matters for users in restricted networks.

Anonymous signup. No KYC, no government ID. Account creation is username + password. Per-seller reputation accrues across trades and is the trust mechanism.

May 2026 incident (acknowledged). Reported by OrangeFren on 2026-05-21: "OpenMonero hit by another exploit only a day after RetoSwap users lost nearly $3M to an exploit on their platform. Losses for OpenMonero users unknown." OpenMonero replied: "This is now fixed, everything is back to normal, all victims will be refunded by next week." A KYCnot writeup independently cites ~40 XMR but the operator hasn't published a confirmed loss figure. Curator-side verification of refund completion is pending. The directory takes this kind of incident seriously — non-custodial design is a buffer, but exploits against the platform itself still surface real risk; the response (acknowledgement + refund commitment) is what moves the grade.

Grade B (post-incident). Held at B rather than A because of the open refund cycle + 18 user ratings averaging 3.2/5 on KYCnot (some operational friction reported). The Agoradesk lineage + Tor + I2P + self-custody design + transparent incident response keep it a serious option for P2P XMR trading. Pairs with XMRBazaar — both are non-custodial, both are XMR-native, both are part of foundational Monero peer-to-peer infrastructure.

Useful when:

  • You want to buy XMR with cash / fiat / unusual payment rails (PayPal, gift cards, Venmo)
  • You want a Tor- or I2P-reachable trading surface
  • You're willing to do small-first-trade vendor validation before scaling up

Caveats:

  • Recent platform-level exploit (May 2026). Operator response is the right shape; full refund completion not yet verified by curator.
  • 18 user ratings on KYCnot average 3.2/5 — meaningful operational friction
  • P2P self-defense applies: small first trade, verify seller reputation + comms quality, escalate via on-site dispute channel if needed

Fees

Platform fee structure inherited from Agoradesk fork — per-trade fee on buyer side (small). Sellers list freely. Optional listing-promotion not aggressive.

Live ops data

kyc.rip hasn't routed swaps through OpenMonero yet, so we have no first-party settlement data (typical XMR settlement, slow-tail, confirmations) for it.

Operator? Request integration: @kyc_rip_bot

Integration status does not affect this provider’s grade or review.

Links

Audit trail — receipts for the editorial claim

  • UPSTREAM Up · HTTP 200 · 34ms · checked 3h ago
  • ONION Matches operator-published 3lhctkho2dj6vm2vikklkoeoszksqdg67ztvjky565itm47nhfc3aeid.onion
  • MANUAL Last manual verification 2026-05-24 (<90d)

Reviews — moderated · rules

No community reviews yet. Be the first below.

Add a review

Honest, brand-neutral feedback welcome. A curator approves before it appears here. No JS required.

Required: review body. Honest, descriptive reviews get approved within a day. Marketing copy, slurs, or invective get rejected. Per-day cap of 5 submissions per IP.