Plain-English explainers. Each guide funnels into the directory so you can act on it. Grouped by topic — start with whichever matches what you're trying to do.
KYC explained, why it matters for privacy, and what "no-KYC" actually means in practice for crypto services in 2026.
The 80/20 of crypto privacy for ordinary users. Three habits and four installs that defend against the threats most people actually face, without the operational cost of full opsec.
Quick tour of the surfaces a returning user actually wants: /ask, /stack, /picks, /tag/<slug>, /compare, /freshness, /audit, the JSON + markdown twins. The shortcuts that make the directory useful in 30 seconds.
Six common threat models from "casual ISP / employer" to "state-level adversary", and which xmr.club stack actually addresses each. Avoid the most common mistake: over-buying for a problem you don't have, or under-buying for one you do.
Operational privacy stack for people whose adversary may include state actors, employer pressure, or coordinated harassment. Identity-protective email, money flow, source contact, and hosting — the four pillars where most leaks happen.
You don't need a paid VPN, paid email, paid VPS, and a hardware wallet to be private. The directory's no-cost picks per slot — what works for free, what costs marginally, and where paying actually buys you something.
Comparing the three rails most people choose between for privacy-respecting daily spending. Different threat models, different trade-offs — pick by what you actually need, not by ideology.
Not every transaction needs to be private. Honest breakdown: which KYC services are operationally fine for which use cases, and the few where KYC compounds into real risk.
Step-by-step: swap any coin into native Monero without ID, email or signup. No-KYC routes vetted against the xmr.club rubric.
The seven-step checklist xmr.club curators run on every listing — privacy posture, operator track record, KYC flow tests, withdrawal tests, audit + license review. Apply it to anything we don't cover yet.
Twelve patterns that show up in 80% of scam exits in the privacy-tool space. The chain of questions to run on any "new no-KYC service" before you fund the account.
Browser hardening, onion vs clearnet trade-offs, wallet+Tor configuration, and the pitfalls (JS, fingerprinting, exit-node bias) that break the privacy you came for.
Short list of VPNs that take crypto, accept anonymous signup, and don't make you flash ID. Picks from the xmr.club rubric.
Three independent ways to confirm an onion address actually belongs to the operator — Onion-Location header, signed key fingerprint, and direct PGP-attested links.
Mobile, desktop, or hardware? Hot vs cold, view-key vs full custody. The decision tree + xmr.club picks for each path.
Email is the universal signup credential. The five things that actually matter (signup KYC, payment privacy, encryption, lawful-access posture, longevity) and the providers that score on each.
GPG signature check, hash verification, reproducible builds — the standard procedures for confirming a wallet download is what the project signed, not what an attacker swapped in.
Subaddresses per payee, view-key disclosure trade-offs, integrated addresses, and the receive-side mistakes that link your payments together on chain.
Paper wallets, view-only wallets, hardware wallets, multisig. Which is right for which threat model + amount, and the mistakes that quietly drain you a year later.
Why a personal node is the upgrade most XMR users skip, what hardware/bandwidth it needs, and the bootstrap, sync, and remote-access setup — including a Tor hidden service.
Set up a .onion address for your website, wiki, or app — torrc config, hostname rotation, vanity addresses, and the operational pitfalls (clock skew, leaking real-IP via headers, descriptor uptime) that quietly de-anonymize hidden services.
Registrar choice, WHOIS privacy, payment privacy, TLD politics, and the operational mistakes that link a "private" domain back to your identity anyway.
When running your own infrastructure beats using somebody else's, and when it doesn't. The cost-benefit math, the failure modes, and the middle path most users actually want.
You logged into the wrong account on the wrong session, or sent funds from a labelled wallet, or shared a screenshot with extra context. Triage in priority order: which leaks are recoverable, which are permanent, and what damage-control actually works.
Cluster, taint, and dust attacks rely on a continuous chain from your address to a known cluster. Five techniques to break that — XMR detour, coin-control, CoinJoin, swap-engine isolation, hop-spacing — with the operational caveats most guides skip.
Coffee, groceries, subscriptions, online purchases. The four rails (cash, prepaid card, Lightning, USDT) that handle 95% of daily spending without leaking your crypto wallet history at every point of sale.
Stablecoins (USDT, USDC, DAI) are convenient but every issuer can freeze your address. The privacy-respecting swap routes, the freeze-risk profile per coin, and when an XMR detour makes sense.
Three privacy-respecting paths out of USDT: native XMR exit, fiat P2P, and prepaid-card spend. The freeze-risk profile, the chain-link breaks, and the operational order that survives the most-common analysis patterns.
Buying a Visa/Mastercard prepaid card without ID, paying in XMR/BTC. Single-use virtual vs reloadable physical, what each one costs, and the picks.
Most account signups demand a phone number. The legal grey zone of rentable SMS, eSIM, and VoIP — what works for which use case, and the trade-offs.
Lightning is fast and cheap but defaults route through KYC custodians. The no-KYC stack: non-custodial wallet, LSP choice, channel hygiene, and the XMR↔LN bridges that keep onchain identity off your route.
Surge / Shadowrocket / Stash / Quantumult X / Loon / Clash / sing-box — when each makes sense. Mobile + cross-platform proxy clients compared.
Honest comparison of the tunneling protocols modern proxy clients support. Threat-model fit, performance, detectability, when each makes sense.
Get a no-KYC VPS, install sing-box, terminate TLS on a real domain, run VLESS+Reality, and harden the box. Step-by-step.
Stacking a custom proxy (sing-box, V2Ray) on top of Tor: what it gets you, what it costs, when it makes sense.
In late May 2026 an auditor — with help from an AI — found a four-year-old soundness bug in Zcash's Orchard circuit that could mint undetectable shielded ZEC. No funds were stolen and total supply held. Here is exactly what happened, why the turnstile contained it, and the honest lesson for every privacy coin, Monero included.
Privacy Pools (0xbow) and Monero both promise privacy. They make fundamentally different bargains. Walk through who decides you get to be private, what happens when the gatekeeper says no, and which threat models each model actually defends.
When a government can order an AI cut off overnight, the answer is open weights on your own hardware. Pick a runtime, pick a model, quantize it to fit, and run it offline — no account, no logs, no kill switch.
Self-custody fails dead silent: when you die, the XMR doesn't transfer, it just stops existing. The patterns that solve this without forcing your heirs to publish their identity to the chain — or yours — covered honestly.
Telegram is where the privacy community actually congregates, and it's also a productivity app that holds every message you ever sent in plaintext on its servers. The leaks ranked by how often they catch people — and the fixes ranked by how much effort they cost.
Plain-language explainer of FCMP++ (Full-Chain Membership Proofs Plus Plus): the proposed Monero protocol upgrade that retires the 16-decoy ring and replaces it with a zero-knowledge proof over every spendable output on chain.
Practical pre-fork checklist for the FCMP++ + Carrot Monero hard fork. Which wallets to track, what to do with published view keys, subaddress hygiene, migration timing. No urgency yet — but a few things to line up.
Side-by-side: FCMP++ (Monero) vs zk-SNARKs (Zcash), CoinJoin (Bitcoin), Mimblewimble (Beam/Grin), Lelantus-Spark (Firo). Threat models, trust assumptions, anonymity sets, default-on vs opt-in, and where each makes sense.
How border agents actually inspect phones and laptops, what a cold travel device looks like, the backup-then-wipe pattern, eSIM vs physical SIM, what "lawful refusal to unlock" actually buys you, hotel-WiFi and airport-charger threat models, and the post-trip reset.
xmr.club