# 0trace

Category: exchanges · Instant Swaps
Grade: B
KYC: anonymous_signup, no_kyc
Highlights: NO-KYC, XMR, BTC, TOR
Features: tor_mirror, api_available
Fees: Per-swap (rate set at quote) · own liquidity (not aggregator) · $5K early-access cap per transaction · BTC/USDT/XMR/ETH
Web: https://0trace.io
Tor: http://n55kxqrra37apxjlqirvgxcodeq7q5vp7kez6d2cngeo2ksfo6yzn5qd.onion/
Contact: Email: partners@0trace.io
Last verified: 2026-06-05
Operating since: 2026-05-03 (0y)
Also listed at: KYCnot.me, Monerica

> No-account instant crypto swap — no-KYC ToS (16 sections), own liquidity, per-order encrypted chat, $5K early-access caps.

## Review

No-KYC instant cryptocurrency exchange — swap BTC, USDT, XMR, ETH with no accounts, no registration, and per-order encrypted chat. Listed at **Grade B** because the published ToS is one of the strongest trust documents in the directory (16 structured sections, 76KB, quotable no-KYC/no-AML language, explicit 72h data retention), two peer directories confirm the listing, and a Tor mirror is advertised — but the service is self-described as early-stage with per-transaction caps ($5K max) and the exchange has not yet accumulated a review history.

**What it is.** No-account instant crypto exchange — no KYC, no registration, own-liquidity settlement with encrypted per-order chat. Listed at **Grade B** on the strength of an unusually complete ToS and published operational principles; held under A by early-access caps and thin review surface.

**Background.** The operator positions 0trace as an instant private cryptocurrency exchange in early-access development (operator-published, /about: 'The service is currently at an early stage of development. We are actively expanding execution paths, network coverage, and exchange scenarios.'). The exchange model is no-account — every order is identified solely by an order ID, and a built-in encrypted chat (AES-256-GCM) is tied to each order. No operator background, founding date, or jurisdiction is published — consistent with a privacy-first posture where the service is the surface and the operator stays absent. Contact channels include Jabber, SimpleX, email, encrypted in-app chat, and Twitter. A PGP key is published at /pgp for signed announcements. Community presence on Bitcointalk (EN) and Bits.Media (RU). Stage 2b grok not dispatched.

**What you trust.** No-KYC: Operator-published ToS §2: '0trace does not perform Know Your Customer (KYC) verification. The user is never asked to submit a passport, ID card, driver license, selfie, proof of address, or any identity document. There is no questionnaire about source of funds, employment, residence, or political exposure. There is no document upload form anywhere in the service.' (https://0trace.io/terms). This is the most exhaustive no-KYC clause in any exchange ToS in the directory. No-AML on the user: Operator-published ToS §3: '0trace will never request Anti-Money-Laundering (AML) documentation from the user. The team will not ask for invoices, contracts, screenshots, conversation logs, or any explanation of where the user's deposit came from. AML screening is performed by 0trace on its own payout liquidity — our funds, not yours — so that what the user receives is clean. It is not a screening of the user.' This is a critical architectural distinction: AML is performed internally on the exchange's own reserves, not demanded from the user. Data retention: Operator-published ToS §4: 'Order data — destination address, deposit address, amounts, status — is permanently deleted 72 hours after the order reaches a final state (completed, expired, or canceled). The user can delete a finalized order earlier from the order page itself.' Chat: 'In-app chat messages are encrypted at rest with AES-256-GCM and are removed after 24 hours of inactivity. The user can delete the entire conversation at any time.' No IP logging: '0trace does not store IP addresses tied to order data, does not log user-agent strings against orders, and does not retain access logs beyond what is required for short-term operational debugging.' Order ID as sole credential: Operator-published ToS §8: 'The order ID is the only credential. There is no recovery. If the user loses both the order ID and the browser session in which the order was opened, the order cannot be retrieved by the team.' This is a strong privacy signal — no back-end recovery path means no administrative override to correlate past orders to a user. Verification documents: Operator-published ToS §11: Every order issues a signed Guarantee (at creation) and Receipt (at completion). Both verify locally at https://0trace.io/verify — 'Verification runs locally in the user's browser. The document is not uploaded anywhere. If the signature is valid, 0trace stands by the contents of the document.' This is the strongest consumer-protection mechanism in any exchange listing: a cryptographically signed, locally verifiable commitment that doesn't phone home. Liquidity model: Operator-published ToS §6: orders settle via 'direct on-chain payout from 0trace's own liquidity, or by routing through integrated DEX liquidity.' The FAQ confirms: 'We use our own liquidity through two execution paths.' The /about page adds: 'We operate using our own liquidity — no third-party desk processes your order.' Post-exchange unlinkability: 'the connection between the user's original coins and the payout coins is severed.'

**Operational specs.** Fee structure: Operator-published ToS §5: Service fee + network fee included in the quoted Receive amount — no hidden surcharges. Two rate types: FIXED (locked at creation) and FLOAT (recalculated at payout). Minimum order: $1 USD equivalent. Early-access limits: min $30, max $5,000 per swap (homepage). The 1% service fee is visible in the live exchange widget (operator-published, homepage exchange interface). Asset coverage: BTC, USDT (TRC20), XMR, ETH — visible from live exchange widget, quick-swap presets, and page titles. TRON network used for USDT. Coin list is not exhaustive but covers the four core assets typical of instant-exchange use. Tor mirror: Advertised at `http://n55kxqrra37apxjlqirvgxcodeq7q5vp7kez6d2cngeo2ksfo6yzn5qd.onion/` (operator-published, FAQ and ToS §10). The clearnet `Onion-Location` header is NOT set — so the onion is manual-discovery only. ToS §10 notes: 'Tor traffic is routed only to the public surface — internal operator surfaces remain unreachable over the hidden service.' API documentation: Published at `/api` — a substantial API surface for programmatic exchange. Title: 'Private crypto exchange API | 0trace'. This is the largest API doc page by byte count in any directory listing. Partner program: A partner login exists at `/partner/login` — suggesting a B2B/affiliate tier for volume or integration partners. Contact channels: Encrypted in-app chat (per-order, AES-256-GCM), Jabber (0trace@exploit.im), SimpleX, email (hello@0trace.io), Twitter (@0trace_io). Four encrypted-capable channels. PGP key published at /pgp for signed operator announcements. Verification tool: Standalone page at /verify — paste a signed Guarantee or Receipt document, verification runs locally in the browser. A 'Guarantee confirms the deposit address and quoted order details before payment. A Receipt confirms the completed exchange after payout.' (operator-published, FAQ).

**Operator philosophy.** 0trace's published material reads as an engineer's privacy exchange — every claim in the ToS is falsifiable (72h deletion, no IP logging, AES-256-GCM chat, local document verification, own liquidity). The FAQ answers 'I lost my order ID. Can you help?' with a flat 'No' followed by the structural reason. The /about page states the architecture plainly: 'No unnecessary data collection, analytics, external metrics, or third-party monitoring systems. Privacy is ensured through the architecture of the service and its operating principles.' The absence of a jurisdiction claim, operator background, or founding date is not a gap — it's consistent with the service's premise that the exchange IS the surface. The use of `exploit.im` as the Jabber domain and the `.io` TLD are the only hints of operator identity, neither of which is identifying.

**Grade rationale.** Listed at **Grade B** because: (1) two independent peer directories confirm the listing (kycnot.me + monerica.com. Grade A is withheld because: (a) the service is self-described as early-stage with $5K per-swap caps (operator-published, /about: 'early stage of development' / homepage: 'early access limits'); (b) zero user reviews on any platform yet — the exchange has not accumulated a trust history; (c) the `Onion-Location` header is not set, making the Tor mirror manual-discovery only; (d) no privacy policy page exists independently (privacy/data-retention is embedded in ToS §4). Among instant exchanges, graduating from early-access caps, accumulating a review history, and publishing `Onion-Location` auto-discovery would justify A.

**Caveats.** The 'own liquidity' claim (ToS §6, /about, FAQ) is central to the trust model but cannot be independently verified by the probe. The exchange could route orders through a third-party desk without the user being able to detect it — the settlement path is opaque. This is true of all instant exchanges; 0trace at least publishes the claim in structured ToS language. An instant exchange that receives deposits, holds funds during swap execution, and routes payouts is custodial during the exchange window. 'Non-custodial' is inaccurate. The absence of a standalone privacy policy page is notable given the richness of the ToS. All privacy-relevant claims (data retention, encryption, logging) live in ToS §4 — integrated, quotable, but not a dedicated privacy document. The.legal_links.privacy: `/#/privacy`), suggesting a planned privacy page exists as a route but has no content. The `exploit.im` Jabber domain is an unusual choice — it carries a security/hacking connotation that may put off risk-averse users. It may be a personal or legacy domain of the operator. The functional email (hello@0trace.io) uses the primary domain and is the recommended contact method.

Source: https://xmr.club/exchanges/0trace