The pre-flight question
Before any testing: does this service even need to exist for me? Half the privacy purchases people make solve a problem they don't actually have. Match the service to your threat model first. If a no-KYC VPN buys you nothing because your ISP isn't a threat, stop here.
Step 1 — Operator transparency (5 minutes)
- Who runs it? Find at least one named person, company registration, or pseudonymous account with a multi-year track record. Anonymous-but-active is fine; anonymous-and-fresh is a red flag.
- How long has the domain existed? WHOIS + Wayback Machine. Domains less than 6 months old that already sell paid plans deserve extra scrutiny.
- Is the codebase public? Open source isn't required, but its absence has to be justified by some other trust anchor.
- Any prior incidents? Search "{service} hacked", "{service} exit-scam", "{service} freezes funds". Read the threads.
Step 2 — Privacy policy (5 minutes)
- What's collected? Look for "IP addresses", "device fingerprints", "browser identifiers". A no-logs claim that contradicts the privacy policy = lie.
- How long is it kept? "Retained indefinitely" or "as required by law" is broader than it sounds — in practice it usually means everything, forever.
- Who has access? Subcontractors, payment processors, "law-enforcement requests".
- Jurisdiction. Where is the company incorporated? Five-Eyes / Fourteen-Eyes operators face data-sharing pressure most non-aligned jurisdictions don't.
Step 3 — Signup test (10 minutes)
Use a clean Tor session + a throwaway email. Capture screenshots at every step.
- Does signup require email? Phone? ID? Anything beyond username + password reduces the privacy ceiling.
- Try a fake / disposable email. Is it accepted? Some services silently fingerprint disposable-email domains.
- Note any captcha provider (Cloudflare / Google / hCaptcha) — they all see your IP at signup.
- Does the account-creation page run third-party JS? Open Dev Tools → Network → look for analytics, Stripe-fingerprint, FB Pixel.
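An added example, not part of the xmr.club checklist: a Python script that reads a DevTools HAR export ("Save all as HAR" in the Network tab) of the signup page and lists every host outside the first-party domain, labelling the trackers and captcha providers the step above names. The provider list and the embedded sample HAR are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample HAR (DevTools "Save all as HAR" export), trimmed to the
# fields this check reads. Hosts are illustrative, not a real capture.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://signup.example-service.test/register"}},
    {"request": {"url": "https://signup.example-service.test/static/app.js"}},
    {"request": {"url": "https://m.stripe.network/inner.html"}},
    {"request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
    {"request": {"url": "https://www.google-analytics.com/collect?v=1"}},
    {"request": {"url": "https://challenges.cloudflare.com/turnstile/v0/api.js"}},
]}})

# Hostname suffixes for the trackers and captcha providers the step names.
# Assumption: an illustrative starting list, not an exhaustive blocklist.
KNOWN_THIRD_PARTIES = {
    "stripe.network": "Stripe fingerprinting",
    "stripe.com": "Stripe",
    "facebook.net": "Facebook Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "challenges.cloudflare.com": "Cloudflare captcha (Turnstile)",
    "google.com": "Google (reCAPTCHA)",
    "hcaptcha.com": "hCaptcha",
}

def registrable(host):
    # Naive eTLD+1 (last two labels); fine for the hosts above, a real tool
    # would consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def classify(host):
    for suffix, label in KNOWN_THIRD_PARTIES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return "unknown third party"

def third_party_hosts(har_text, first_party):
    """Map every request host outside the first-party domain to a label."""
    found = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname
        if host and registrable(host) != registrable(first_party):
            found[host] = classify(host)
    return found

if __name__ == "__main__":
    for host, label in sorted(third_party_hosts(SAMPLE_HAR, "signup.example-service.test").items()):
        print(f"{host:30} {label}")
```

Any host that comes back as "unknown third party" still saw your IP at signup; look it up before deciding it is harmless.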
Step 4 — Deposit test (5 minutes)
- Send a small amount (under $20). XMR if accepted; BTC otherwise.
- Check: does the wallet UI prompt for additional KYC after deposit? (Common anti-pattern at exchanges.)
- Confirm funds arrive at the published address — not via a re-routed proxy address.
- Note the actual settlement: is it native, wrapped, or IOU? "We send you XMR" sometimes means "we credit your account, redeemable for XMR".
Step 5 — Withdrawal test (10 minutes)
Most critical step. The privacy posture is whatever survives this:
- Withdraw to a fresh address (one the service has never seen).
- Does withdrawal require additional KYC? "Verify your identity to withdraw" = retroactive KYC = downgrade.
- Is the withdrawal held? Beyond ~24h for a small amount is a yellow flag; beyond 72h without explanation is red.
- Does the email confirmation leak information (deposit history, balance, originating IP)?
- Try a second withdrawal a few days later. Hidden-tier KYC triggers sometimes appear after volume thresholds.
Step 6 — Audit + license review (5 minutes)
- Any third-party audit? Read the report, not just the marketing. Audits expire — anything older than 18 months is stale.
- Compliance posture. Does the operator publish a transparency report? Subpoena count? Warrant canaries?
- Code license. AGPL > GPL > MIT > closed-source for trust signaling.
- For exchanges/custody: Proof-of-reserves cadence. Self-reported is weaker than third-party-attested.
Step 7 — Reputation cross-check (5 minutes)
- Search Reddit r/privacy, r/Monero, r/PrivacyToolsIO for the past 12 months.
- Search Trustpilot / BBB / Sitejabber for fund-loss complaints, while watching for review-farming patterns.
- Check existing privacy directories: KYCnot.me, PrivacyGuides, Monerica. If multiple disagree with a service's self-claim, weight their consensus.
- Check us: search the xmr.club audit log and archive for the operator name.
Grade yourself
Map your findings to the xmr.club rubric:
- Passed all 7 steps cleanly? Likely A-tier. Re-test in 12 months.
- One trade-off (email at signup, or smaller operator, or fresh domain)? B-tier. Acceptable for matching threat models.
- KYC creep at withdrawal, or audit gap, or unresolved fund complaints? C-tier. Use cautiously, never for high-value.
- Active fund-loss reports or hostile legal jurisdiction? Don't use. Tell us — we'll list it as a warning.
When you've done the work, submit it
If you've evaluated something we don't list, share the findings via /submit. We re-run the checklist before publishing, but pre-tested submissions land faster + the curator notes get credit.