DEV Community: Luftie The Anonymous

Privacy and Security Setup to use in 2026 PART 3 (Payments)

Luftie The Anonymous — Sun, 26 Apr 2026 14:40:32 +0000

GM, Dear Readers !

In last 2 articles, I elaborated on things like OS, Browsers, Search Engines, Messengers and Mail Providers that we could use for increasing our level of privacy.

Now as we're going deeper and deeper into the digital privacy and digital freedom, let's ask another question.

What about private payments ? How about being able to pay privately for stuff irl 🏪 and online 🌐 ?

Before I start with the meaty 🥩 part, if you haven't read my previous articles, check those last 2 ones out. They have low visibility, but have real value and a lot of knowledge in them, so please share with friends and share your feedback.

Luftie The Anonymous

Apr 21

Privacy and Security Setup to use in 2026 (Messengers + Mail) PART 2

#programming #opensource #security #os

Comments

24 min read

Luftie The Anonymous

Apr 17

Privacy and Security Setup to use in 2026 PART 1 (OS, Browser, Search Engines)

#discuss #privacy #tooling #security

Comments 4

31 min read

Unfortunately my markdown skills are very limited 😆 and idk how to implement such list or series with interactive table with direct links to the article, just like @francistrdev does it 🧠 (to be honest I'm envious about his skills, shout out to you amigo, love your articles) !

In order not to digress however 😄, currently there is a lot of supervision and restriction when it comes to payments. Those restrictions are implemented by the governments and institutions around the world are implying as though everyone was a criminal, therefore requiring your ID, details on where you live, your picture and more.

That data and images are then stored in the companies cloud storage, which is prone to be hacked and exploited, thus your data might be obtained by an unwanted third-party like data-broker or hacker.

You cannot pay cash 💰 when the price exceeds some amount (legally you can't ⚖️, others said it's not for hoi polloi, we know it's possible though 🫣). Trust in banks is naive, banks algorithms are flawed and are able to block your account after you make e.g. Github Copilot purchase, you have then to call the bank to unlock your card, being at the same time honeypot for your financial data.

Meaning that banks 🏛️ are giving access to data to any law-enforcement 👮 without a single moment of hesitation 🫣.

All of your transactions in the bank 📃, all the details, all that can be passed to a spy-agencies 🕴 of the state.

Quick Disclaimer (one of many today :D ): I spent entire week, sleeping each day about 4 hours a day on average, working on this article. From it's style, fact checking, reviewing my cryptographic knowledge validity, listening to the podcasts with founders, investigation of compliance, asking questions for validation, waiting on the answers to edition, removing the providers that turnt out to be violating the privacy, while I already had a ready version of an article to push.

I don't write it to make you feel sorry to me or imposing my effort to trigger some of your feelings but rather to personally express my admiration 🫶 to journalists, especially independent ones, who do they work well and in a righteous way just like I tried to do (hopefully I managed to :) ).

Because I gone through a huge pile 🗄️ of articles with rankings/juxtapositions of cryptocurrencies without much details about their mechanism or non-kyc cards, that haven't been checked 🚫 by the authors, if they are fully non-kyc.

I did it the hard way and made thorough "investigation" aka. research 🕵 (I kind of like the word investigation, because for some crypto companies or projects, it might be useful to procedure one 🤣).

Long story short, If you enjoy my articles, I decided to open options for you to send donations 🫴🪙, the details are on the end of the article.

My articles always will be free, though I leave a free space for people that might want to appreciate my work and so helping me.
Thank you very much for your donations in advance 😄 !

These funds would be certainly used for:

purposes of newer articles e.g. test of some tool/device and giving a review on it.
for help to my mom 🧕 financially to keep the house on running 💸 smoothly (currently I'm before applying at the uni and well I'm jobless 📂, so I'm sort of parasite 🦠 some of you might think, but I help as much as I can to take the burden off of her 🫂).
purchase of new equipment 🖥️ to my lab 🧪 aka. room ⛺ for potential co-worker to have workplace and cool experience of working together and perhaps start working jointly 👥 on some project that could then turn into a start-up and potential business (I would never forget the people, who would put a trust in me and help me 🤧).

Perhaps in the future I will grow to a bigger brand 🕶️ and all of the sudden I will start selling hoodies, t-shirts 👕, caps 🧢 with some themes of mine, we will see 😁 On this moment on I want you to make qualitative articles, so we go slowly to the core part of the article now on.

Additionally, as you could see this article will be only about Payments and I excluded AI from the article. You could ask:

Luftie, wtf is going on ? Why can't you keep one plan and stick to it ?

Grasp you chair and hold it thightly.....

Because my articles are good and long, bitch ;D If I kept Payments and AI format, this article would so long like distance from 🌏 Earth to exit of our galaxy 🛸 ! Now I reduced it to a length similar to a distance from Hicksville in South-Portugal 🇵🇹 to Shenzhen 🇨🇳

So I guess you're fine with it and we can fasten ➰ our belts for this beautiful and thriving just like Rust 🦀 on your car journey !.... I mean article, I mean..... JUST SHUT UP and read it 😘

Shout out to Rustaceans 😅 !

Article Navigation Guide

This article will have multiple sections so you can skip to what interest you the most, so in order to e.g. just find a part of article that is interesting to you here's the overview:

Payments

-- Cash

-- Cryptocurrencies

--- Intro, Good Web3 Practices + SURPRISE 🤩

---- # Blockchain 101 explanation

---- # 1 Rule
----- Detailed Cryptographic Explanation of nuances

---- # 2 Rule + Surprise 🥳

---- # 3 Rule

---- # 4 Rule

---- # 5 Rule

---- # 6 Rule

---- # 7 Rule

---- # 8 Rule

---- # 9 Rules

--- Privacy Coins

--- Where to buy anonymously

--- Other Coins

-- Virtual, Prepaid and Physical Cards with no-kyc

-- Alternative forms of payment

DISCLAIMER ⚠️

The presented content does not encourage to commit any actions towards using such solutions, I do not take any responsibility if you use one of those tools and loose money. It's not a financial advice, the article has rather an informative and educational purpose.

The article has not been sponsored by any companies presented in the juxtaposition of card providers or the blockchain organisation.
All opinions on the products are personal, not influenced by any forms of incentive.

The article in some paragraphs comprises writers personal, subjective opinions, experiences, that can include curse-words, if you're sensitive to language used, please don't take things personally or don't read it at all.

Payments

First of all why might you want to commit transactions privately ? Well that's because:

you would not like to get questions from some financial institutions in your country where do you have the money from to commit the transaction ?
you would not like to have an blocked (bank) account all of the sudden and frozen funds on the account.
you want to diversify your risk when it comes to payments, because you are afraid that your bank-account can be suspended and funds frozen due to fake allegations or any other reasons.
you don't want your government or any entity besides you and the other party to know about the transaction.
you would like to make finally a utility tool out of crypto instead of just hodling it and waiting for moon time :D

There are yet other reasons why you might like to make transactions privately, I could make a whole article about, but it would be too longish. So now let's discuss the payment options !

1. Cash

I guess there will be no wonder at all if I say that the most private way of committing a transaction is apparently Cash !

It's of course not digital form of payment, however cash enables you to pay whenever and wherever you would like to and you have the certainty that those funds will not be stolen. Cash is untrackable, basically government does not track where each coin, banknote is, so paying cash is anonymous and you do not live any digital or trackable fingerprint afterwards.

You could use cash however in multiple cases for digital I will name later.

Tradeoffs: Large amount of cash can be tough to transport, you could not transport such large amount of cash in the airport and you would need to report it. But not only in the airport, if police would stop you and open the trunk they prolly detain you, even if it's not determined by the law of certain country that you're guilty. Also cash can be lost, so you need to take care of the banknotes so you don't loose them.

Cryptocurrencies

As I'm really deep into this industry and I know the standards and behaviors that are common for this industry (similiar to other indurstries) and because all of the ways to pay privately will be almost only rely on crypto-currency in terms of replenishment procedure, issuance fee payment and independent payment procedure (meaning you will not have to rely on another person).

At first I want to emphasize, that cryptocurrencies are still considered as high-risk assets due to their volatility, low capitalisation.

You might think how come, though Bitcoin was lately for 128k $ ?!

It all comes to math and the market cap, the maximal market cap of cryptocurrencies was about 4.28 Trillion Dollars (October 2025), now it's about 2.6 Trillion Dollars, so you see that the market cap gone severely down more than 30% in 6 months, which is fast in comparison to traditional markets.

Also to depict the size of cryptocurrencies in juxtaposition with other markets. At the time of writing the article, Global Real Estate Market is worth about 4 trillion Dollars, Total Gold value is about 33 trillion Dollars, Silver is 4.26 Trillion dollars. It's projected that cryptocurrencies have share of ~2% in Global GDP. So we talk about really microscopic market, compared to the other markets like Stocks or Real Estates.

My take is that cryptocurrencies always will be treated such more of speculative, more volatile than other advanced markets and lesser regulated asset than the others, it always will be such market (unless people understand not to purchase stupid flashy coins, without reading the details and investing in another 100 shitcoins).

One should educate themselves to know what they are doing, before taking any action related to this market whether it goes about first purchase or entering this market should be backed by education.

Here I will provide a guide for beginners with crypto, covering the security, not financial rules. So that regardless of who you are, this will fit everyone.

Because not every developer and especially not every person is acquainted with cryptocurrencies at all. Let's now jump into the details.

Intro, Good Web3 Practices + SURPRISE 🤩

What is Blockchain ?

Blockchain in a short description is a type of distributed system 🌐, a decentralized ledger 📄 of transactions, distributed over many computers that running a specific computer program, these computers are called nodes, maintained by variously named, depending on the consensus protocol the network operates on maintainers (people), for the most popular cryptocurrency (Bitcoin) it would be miners, for Ethereum it would be validators.

For the rest of the explanation I will stick to the word miners. The Miners are giving their computational power to the network to validate transactions on the network made by the networks participants.

Why do miners keep the network on going ?

Their incentive to keep validating the transaction and supplying the network with their computational power is trying to solve computational puzzle 🧩 for something called block, which is basically a stack of transactions, which is pushed ➡️ in certain intervals (e.g. In Bitcoin it's 10 minutes or in Ethereum 12 seconds) to the blockchain as a sealed registered, irreversible change of the balances of network users, if they are sound with previous block states.

What makes cryptocurrencies special 🤔 ?

It offers trustless transactions, and it's durability. Meaning that one Node (a miners devide) that has the last state enables the others to reclaim the state and restart the entire process of validating transactions and mining based on the last state. Also if one Node is down, it does not break the entire network, because as it's said it's decentralized, so there is no central entity governing the network, what complete opposite of current bank system that collapses after one bank's systems shut off.

How big is the reward ?

The reward depends on each blockchain, however in Bitcoin Network, for solving the puzzle correctly, currently the prize is 3.125 BTC + fees from the transactions per block. The prize is algorithmicaly determined to be slashed every 4 years on a halve (that pertains only Bitcoin Network, the more blockchains, the more approaches) which is also named halving. It's designed so because the amount of Bitcoins possible to exist is only 21 million of coins, currently the supply is near to 20 million, thus Bitcoin has the got the name of digital gold, at least so called in mainstream.

What is cryptocurrency ?

It's more trickier with cryptocurrency to explain, because they split on coins and tokens.

Coins, which are the native currency of the network for miners to get their reward in and for network participants to transfer the coins between each other.

And there are tokens, that just programs/code (in the industry called smart-contracts) deployed on the blockchain that should imitate a coin and should have feature just like a coin has. There are of course various types of tokens, but this goes beyond the frames of the article. For more knowledge, I advice doing personal searches.

Where to learn on Web3 ?

I could write about cryptocurrencies more, but for more knowledge about cryptocurrencies I highly encourage to read a book like:

or visit this website and watch the materials, I really enjoyed videos made by that guy (shout out again !)

For those who desire to start with web3 programming, here I can recommend checking out Cyfrin Updraft. They have a ton of courses on web3 programming from smart-contracts for beginners to more advanced topics like work of Uniswap etc.

I also highly advice to contact people or join a crypto community, who already have experience in the market and will help you go into the world step by step, if you're a freshman.

Other useful source of knowledge for new and intermediately advanced people who want to broaden their knowledge, would be to join events and conferences and get in touch with people you are interested in, whether a developer, investor, VC, don't hesitate, just talk to them. So have I got my first work as an ambassador in an RWA start-up I worked for 4 months long.

And of course, there will be as always conceited morons 🤵, who think that if they have a sport-car 🏎 or SUV car 🚙 in leasing and are earning 100k$+ annually, that they are rulers of the world 🫅, but to be honest although those people are indeed a significant fraction of web3, but you should not be discouraged to learn about Web3 only because of them.

So now, as I explained the basics of blockchain and cryptocurrencies, I can explain couple of good practices for the security and privacy of the funds you have. The advice will not contain the financial advice, rather how one should operate in this market in order not to loose their funds.

Rules in Web3 to follow

1 Rule

NEVER SHARE YOUR PRIVATE KEY / SEEDS / MNEMONIC

What it means is that you should not give the access to your crypto-wallet to anyone/anything (website, person), unless it's a verified software for a wallet like Metamask, Phantom. It's more of marketing slogan, because what they mean with keys is your seed phrase more known as mnemonic (12-24 words, that are giving you access to your wallet).

And now Mr. Anonymous 🥷 will come with his educational and technical explanation 🤓 of what is the difference between mnemonic and private-key, public key and address (I read Mastering Ethereum 5 times, somewhere I have to utilize this knolwedge). It's fully optional so if you want to go to next rule, skip it.

Detailed explanation of wallet related terms

All blockchains base on one type of cryptography Public-Key Cryptography (also known as asymmetric cryptography).

Essentially, it's feature is based on the fact that users do not have to share the same key for secure interactions with each other (like sending transaction) as in case of symmetric cryptographic algorithms like 3DES, ChaCha, Salsa20, Trivium, AES-256 and more gibberish names you won't probably understand (and you don't have to now). You actually might recall AES and ChaCha from last article mentioned.

I will explain to you how users can interact with each other on chain, because a lot of tutorials actually screw up explaining this and it's because of misunderstanding of how public key cryptography works.

In order to understand how public key cryptography works in blockchain properly, I need to explain 2 concepts. In blockchain mostly often 2 schemes of PKC are used:

Elliptic Curve Cryptography - for key generation
Diffie Hellman Key Exchange - for key-exchange as the name implies, but primarily it also manages the key generation

Now some of you might scratch your head and recall the previous lines that THE PKC WAS ABOUT NOT USING THE SAME KEY !

And you're quite right, nerdy boy/lady. For being alert, you won ticket to become a cricket 🦗🤣 (just kidding)

What is then the Diffie Hellman Key-Exchange ?

It's a mathematically defined scheme designed for key generation and exchange of them, without creation one asymmetric key for interactions. For public key cryptography protocols to allow participants to communicate, which security relies on Discrete Logarithm Problem.

Luftie, WTF IS DISCRETE LOGARITHM PROBLEM ?

Discrete Logarithm Problem - is a mathematical problem based on difficulty of inversion of exponentiation in finite cyclic groups, the main matter to understand that, for DHKE protocols it is easy to generate the keys, but if you want to invert them it is not feasible given current computer powers (I do not take quantum risk into account, there are of course risks of Shor Alogirthm, that poses the threat to Public Key Cryptography. I will not focus on it in this article).

DHKE Framework

Now in order DHKE to work, it needs 2 elements for set-up also
called domain parameters:

The large prime p - it will be a base for generation of every new key
The primitive element also called generator (I will define it as g) - to define the size of the finite cyclic group

The Key Generation and Key Exchange Framework

Setup:

2 parties willing to communicate with each other without third parties
The large prime number p as a base
The primitive element / finite cyclic group generator g for defining the size of the group

Now both party, I'll name them A and B have compute their private and then public keys.

Now what do both parties A and B do ?

For Party A:

The private key a is chosen, such that a belongs to {2, p-2} set of elements.
Then they calculate the public-key by performing action below

A = p^a mod g

You could ask why isn't the group {0, p} ? It's to avoid results zero values and to ensure there are non-trivial values. A private key of 0 would mean that an individual has no influence on the key exchange process, effectively providing no security. This approach helps prevent predictable outputs and potential attacks, ensuring the robustness of the key exchange.

The same action is performed for B party with only change of the variable names

The private key b is chosen, such that b belongs to {2, p-2} set of elements.
Then they calculate the public-key by performing action below

B = p^b mod g

Now, to allow both parties to interact with each other one party needs to send their public key to the other party and then the receiver party signs the received key with their private key and so has the common key been established without a need of chosen symmetric key, so improving the security of our .

If you're still confused, here a Screenshot from book "Understanding Cryptography From Established Symmetric and Asymmetric Ciphers to Post-Quantum Algorithms, Second Edition", written by Christof Paar, Jan Pelzl and Tim Güneysu.

It's a great introduction to cryptography and definitely worth buying. If you want to learn about cryptography however, but not want to spend money, Professor Christof Paar (that I personally wish that one day I met with him irl) and ignited my passion to cryptography even stronger, has a playlist with lectures on cryptography essentials, so click the link to check it out.

Elliptic Curve Explanation

Elliptic Curve Cryptography (for short ECC) - is a scheme of PKC and just like DHKE, it relies on DLP (Discrete Logarithm Problem).

An elliptic curve itself is a special type of polynomial equation that can be presented on Cartesian Plane just like circle can be, by equaltion of x^2 + y^2 = r^2 and it generates a certain group of solutions, elements that the solution has to be in.

The difference is for ECs that they are defined over a finite field and not real numbers, mostly it's prime field where all arithmetic is done modulo a prime p. The formula for elliptic curve looks as following

y^2 is equivalent to x^3 + a * x + b mod p

There are conditions yet to be fulfilled for a valid elliptic curve:

p > 3
4 * a^3 + 27 * b^2 != 0 mod p And it comes together with an imaginary point of infinity, which goes beyond the scope of the article.

How is the public key generated in ECC ?

The formula for generation of the key is much easier on the first glimpse than what was presented in DHKE. The formula is

pubK = G * privKey

Where G is a base point and the final public key is indeed also a point with coordinates of x and y.

However it's not as easy as it might seem to be calculated and it involves elliptic curve arithmetic and usage of add-double algorithm, which goes beyond the scope of this article.

** For those sneaky guys, who are alert, might say it's easily breakable, just divide The e.g. PubK x coordinate with base point's x and you got private key. And all might be cool, except the fact that ** there is no such operation as division in modular arithmetic** on which modular cryptography bases. There are only addition, substraction, multiplication, inversion.

ECC Arithmetics

Just for those who are curious and those who want to understand the workflow in a deeper level of how Elliptic Curve Cryptography Arithmetic works to generate a public key. There are actually 2 main actions that are performed on elliptic curves and it is adding (for 2 different points) and doubling (for the same points). Now how does is it performed on the curve ?

I allow my self to quote the explanations from the Professor Paar's Book:

Point Addition P+Q This is the case where we compute R = P + Q and P != Q. The construction works as follows: Draw a line through P and Q and obtain a
third point of intersection between the elliptic curve and the line. Mirror this third
intersection point in the x-axis. This mirrored point is, by definition, the point R.
Below you can see how the addition is performed on a curve:

Point Doubling P+P This is the case where we compute P+Q but P = Q. Hence, we can write R = P + P = 2P. We need a slightly different construction here. We draw the tangent line through P and obtain a second point of intersection between
this line and the elliptic curve. We mirror the point of the second intersection in
the x-axis. This mirrored point is the result R of the doubling.

Below I provide the depiction of how doubling is performed on a curve together with formulas to calculate the points.

Additionally, it's worth mentioning that ECC provides the same level of security as discrete logarithm systems with considerably shorter operands (approximately 256–512 bits vs. 2048–4096 bits).

It's on average twice as slow compared to symmetric cryptographic algorithms, but it provides convenience, independence and facilitated way to set-up a common secret key without relying on the protocol, because de facto we are responsible for this key generation, having our private key.

So to summarize: Blockchains use DHKE for key exchange only and ECC for key generation which they next exchange in order to set up and mutual key for communication. Below you can see mathematical notation from Professor Paar's Book:

Seed ? Private Key ? Public Key ? Mnemonic ? What is different about them ?

Now I hope you survived my technical, mathematical, gibberishy explanations and now I can tell you what are the differences according to the terms.

Seed phrase/Mnemonic - A seed phrase or mnemonic is a list of 12 to 24 words that is generated to grant access to a cryptocurrency wallet. The generation process involves taking a private key and adding a checksum to it, which effectively increases the bit length from 132 bits to 264 bits. The resulting data is hashed, and the output is split into segments, each with 11 bits. Since there are 2048 words in the mnemonic dictionary (typically derived from the English language), the segments can be mapped effectively to create meaningful words. Some cryptocurrencies, like Monero, use a longer mnemonic of 25 words for additional security.
Private Key - a cryptographic key used to sign transactions on a blockchain. It grants full control over the associated cryptocurrency funds and must be kept secret at all costs. If someone gains access to your private key, they can manipulate your wallet and transfer your assets without your permission. The private key is a long, random string of numbers and letters, and losing it means losing access to the funds tied to that key.
Seed - it's essentially a hash of the private key combined with a checksum. It serves as a master key that can be expanded into multiple private keys, facilitating the management of a wallet containing various cryptocurrencies. The seed is usually derived from or represented by the mnemonic phrase, allowing users to retrieve their wallet through the mnemonic if needed.
Public Key - derived from the private key through a cryptographic algorithm. While the private key must remain confidential, the public key can be shared openly with others. It acts as an identifier associated with a wallet on the blockchain. The public key is necessary for receiving funds, as it allows others to send cryptocurrency to your wallet.
Address - a short string derived from the public key, specifically taking the least significant 20 bits (at least for EVM chains) of it and hashing the result. This address serves as your wallet's public identifier on the blockchain, where others can send cryptocurrency. Because addresses are shorter and formatted for easier sharing, they provide a convenient way for users to send and receive funds without exposing the entire public key.

After this explanation you should no longer confuse address with public key. Once you make a transaction you pass an address to your wallet not public key.

Personal Story on the rule violation 🥲

It's the most important in my opinion and often forgotten about rule, and I actually also fell victim phishing attack, where I violated this rule.

It was back 2024 as I've been developing my start-up 🛠️

I regularly invested my money in stocks from 2022/23 in stocks and Bitcoin (only bitcoin back then), back then crypto were yet before hitting 100k and one evening as I've been seeking people who are working or are from Switzerland to connect with them, I joined a discord channel of an Swiss Cheese Exchange, where I fell a phishing scam attack because of an fake bot announcement about the exchange collaboration with Opensea 🌏. The website looked neatly at that time (I had no clue what Opensea is back then).

I wanted to see/test out how to mint an NFT, I clicked the button to connect my wallet with the website. However it turned out that the popup was coming from the website (it prolly was some shit of absolute position in css or so) and I passed there my seed because it has shown I had no connection of my ledger wallet with metamask.

I was then shown on their website that something went wrong with the wallet connection and I gave up (it was late night and I was exhausted checking out the internet after work on my project), at the next morning I noticed this:

I invested back then about 4k $, so if I were to sell it at the peak or a bit below like 120k $ / 1 BTC. I do not blame anyone, because it is my fault only I didn't fact-check.

I would have earnt about 210% + on the investment. Of course, now one can only contemplate, but apparently I don't regret I lost those funds. Of course it is a loss, but that also made me realise to set certain rules when it comes to my day to day behaviour.

Rule Number 2 + SURPRISE 🤩

This rule is namely to grab oneself a hardware wallet also known as cold wallet, why is cold wallet such a big deal ?

Let's REALLY shortly explain it. There are 2 types of wallets in web3, Software wallets like Metamask or Phantom that are so called hot wallets and are connected to the internet always. And there are cold wallets which are hardware devices that are needed to approve certain transaction ones you want to perform it in cold wallet's software and so noone can move funds from your wallet if they both don't know your mnemonic and do not have access to your hardware device to validate the transaction.

Cold wallet would be a perfect solution if you have funds that you would not like to loose, like personal investments, savings etc. Hot wallet's I'd rather use it for some daily transactions like below 500$ valued wallets to prevent from bigger losses.

Why to bother really about Cold Wallets ?

In case of software wallets like Metamask or Phantom, the vulnerability lies in the fact that it's always connected to the internet and there might be many cases where you could fell a victim of scam or your keys could be captured by a hacker. Also one never knows if metamask will not be hacked and so one.

The most known companies offering the wallets are
Ledger, Trezor, Keystone Wallet and for sure many more companies.

My personally first crypto wallet was Ledger. However due to many controversies with this wallet provider and uncertainties about security of my funds, and the kidnapping of CEO. I thought on buying a new wallet, but always lacked time to do it finally and there was always something more important to be done.

Here you can see what such wallet looks like (It is jus disasambled by me, no worries you will get a full one :D)

SURPRISE TIME !

Surprisingly, my posts got enough visibility, to get an email with an enquiry about partnership from OneKey company.

And after my research, answering of my questions and check of the company, I decided to take up the collaboration and I have a big pleasure to announce, that I have a partnership with OneKey and with my promo-code: Luftie, you got 10% discount.

They are open-source, so I appreaciate the transparency. They are based in Chin, backed by big names but independent and were not involved in any actions with governments like passing data or data breaches, in 2023 there was an vulnerability found that was actually a hardware bug than the firmware, here you can read on it.

The Model of the wallet, I received is OneKey Classic 1S and it looks as above. I have to confess that not the wallet triggered an impression on myself but rather the quality of the box and how well the wallet was packed with add-ons. Shammy leather inside, elegant box, security tapes to strip off to open up the box + cool stickers and equipment like sheets for your mnemonic 😁 and that's for 79$, they have shown care of every detail and took care of customer experience, whereas my Ledger Nano S Plus was bought for about 80$+ and was just a box with set-up but low quality e.g. stickers box.

The wallet has bluetooth support, so when I was about to confirm the transaction, the connection with e.g. PC is not necessary. This has it's convenience pros, but the one con is that there are cases already that via BLE there were malware spread over AI robots performed, so this is a thing to consider if you want to use it.

The things that only caused for me a bit of issues was that I could not connect my wallet with my Desktop PC directly, because it doesn't have USB-C gateway and when I used the adapter even with bluetooth on, it could not find the wallet and I had to import the wallet via transfering via QR-code.

The other things is the Flatpak-version, because it caused crashes on my Linux devices (at least Desktop) so it would be cool if they would have fixed it and also make dedicated versions for distributions specifically like .deb files, so that I could attach the wallet's software to my panel and access it easily.

They have support for all Operating Systems and what I appreciate an APK file, so that you can download the software from the website and it matters to me, due to google's psychopathic conquerence wet dreams to make u use only apps from official store. Again I recommend everyone to go to Keep Android Open Website !

And they have even extensions for chroemium based browsers, so you can use it in Brave, I would be more than happy however to see Firefox support as well.

The Wallet has also a far more advanced Defi activity-participation detection outside of the wallet's software. So it displays more balances and helps you track state of your defi activity and investments like staking, lending or liquidity. Which Ledger does not.

Overall

After using the wallet for a week, I can highly recommend this, it's far better than what I experienced with Ledger. As a side-note OneKey wallets support also Trezor-modes, if one would be curious about this. So if you search for a new wallet or you start with crypto and are about to purchase your first hardware wallet, OneKey is a very good option in my opinion, especially with my code 🥰

3 Rule, Be Wary of Phishing Scams

Scammers often create fake websites or emails that mimic legitimate platforms. Always double-check URLs and avoid clicking on links from unsolicited messages. Educating yourself about common phishing signs can significantly reduce risk.

The best solution would be to use Browser like Brave and Metamask extension that support scam detection on bigger scale.

4 Rule, Understand the Basics of Blockchain

Familiarize yourself with how blockchain works, including concepts like decentralization and consensus protocols. This foundational knowledge helps you make informed decisions about which projects to invest in and understand potential risks.

5 Rule, Research Projects Thoroughly

Before investing in any cryptocurrency, conduct thorough research regarding its technology, team, community support, and use case. Understanding fundamentals helps to identify potentially fraudulent projects. Be doubtful by default about the projects.

6 Rule, Be Aware of Market Volatility

The crypto market is highly volatile, with prices fluctuating significantly in short periods. Prepare for emotional reactions to market swings; consider setting stop-loss limits or using dollar-cost averaging when investing.

7 Rule, Beware of Fake or Scam Airdrops

Airdrops can seem appealing but may mask scams. Always validate the legitimacy of the project offering airdrops by checking their official channels. Never provide your private keys to claim an airdrop.

I myself have plenty of scams ERC-20 tokens and NFT-721, here an example of one pointed out in the red circle.

8 Rule, Understand Transaction Fees

Different blockchains have varying transaction fees based on network demand. Familiarizing yourself with these costs can help in choosing the right time to make transactions without losing excessive funds to fees.

9 Rule, Backup Your Wallets

Regularly backup your wallet data and store it in a safe place. This ensures that you can recover your funds if your device fails. Create multiple copies and consider encrypting sensitive information for added security.

NOW, enough of the stuff and into details of private payment options we go !

Privacy Coins

First option of private payments with cryptocurrencies are indeed those coins, whose base on blockchains with enhanced privacy algorithms. And this section will be about privacy coins indeed.

** Important ⚠️ : In 2027 European Union is about to implement a "ban" 🤣 for privacy coins. Meaning from all the exchanges operating in EU, the privacy coins like Monero (XMR), DASH or ZTrash 🗑... eh sorry, ZCash will be delisted from the exchanges.

That's why one would need a VPN, noone should decide about what one would should what should not purchase when it comes to assets in which one allocates their money. And next article from this series will be indeed on VPNs. But as you will discover later on you might not need VPN 😉

1. Monero

The golden standard for privacy coins, the most well known, the best privacy coin, the most adopted privacy coin. So could Monero be described and here is what is it's features and why it's so good.

In the service kycnot.me you can find the services that accept monero and you can pay monero with.

What is making Monero so private ?

Ring signatures - are the foundation. When you send Monero, your transaction is mixed with multiple other transactions from the blockchain—typically 16 decoys by default. To an observer, it's impossible to tell which transaction in the ring is actually yours. The ring signature proves you authorized the payment without revealing which of your past outputs funded it.

Stealth addresses - handle the receiving side. Instead of having one public address where everyone can see your incoming transactions, Monero generates a unique one-time address for each transaction.

*RingCT (Ring Confidential Transactions) * - hides the amounts. Without RingCT, ring signatures would still leak transaction values, allowing someone to statistically determine which transaction in the ring was real by process of elimination.

Privacy guarantee: All three layers are mandatory and automatic on every Monero transaction. No user choice required. The sender, receiver, and amount are all hidden from the blockchain.

HOWEVER ! Despite the strong cryptography, Monero is not perfectly anonymous in practice. The vulnerability is not the on-chain protocol, but metadata leaks: IP addresses, exchange deposit/withdrawal timing, wallet fingerprints, and behavioral patterns. Thus next article on VPNs will be adviced to read.

2. ZCash

This cryptocurrency seems to play as "the second best", but as already Micheal Sailor said: "THERE IS NO SECOND BEST !", this pertains privacy coins.

Personally I never owned ZTrash and never will do, because it's not genuine Privacy Coin as it does not enable privacy by default, last year it's been pushed with marketing everywhere and was backed by Grayscale VC in my opinion only to suck the wallets of investors dry and generate a narrative.

ZTrash..ekhm, sorry ZCash privacy layer relies on Zero Knowledge Proofs Cryptography, namely a scheme of SNARKs (zero-knowledge Succinct Non-Interactive Arguments of Knowledge, don't fucking worry idk myself yet what it exactly means 😁, but therefore I'm here to learn and educate)

A zk-SNARK is a mathematical proof that lets you prove a statement is true without revealing any information about the statement itself. The proof is "non-interactive"—you don't need back-and-forth communication to prove something is valid.

This is theoretically more sophisticated than Monero's ring signatures. The cryptography is stronger. However, ZCash has a fatal flaw: privacy is not mandatory.

Privacy guarantee: Only if you manually select shielded z-addresses. If you forget, your transaction is as traceable as Bitcoin. The cryptography is potentially stronger than Monero, but adoption is so weak that practical privacy is minimal.

Law enforcement reality: The privacy feature exists, but most people don't use it.

Thus for me it's ZTrash :D Imo, avoid if possible to use this spy-coin 😘

3. Canton - Privacy for Institutions

Canton is fundamentally different from traditional privacy coins because it's an institutional blockchain designed for enterprise use, not pseudonymous privacy. It employs a "need-to-know" privacy model built on the Daml smart contract language.

The key innovation is stakeholder-based privacy: only parties explicitly defined in a smart contract (signatories and observers) ever see the transaction data. The system separates "content" from "ordering"—your participant node stores and validates full, unencrypted contract data, but the sequencer (which orders transactions) only sees encrypted metadata and hashes.

How Private Are Payments ?

Payments on Canton are private from public observers and competitors, but not from regulators or law enforcement. Canton achieves sub-transaction privacy, meaning complex multi-party deals can be broken into smaller private pieces where only relevant parties see their portion.

For example, if Bank A and Bank B are swapping assets via a central bank, Bank A and Bank B can exchange private details that the Central Bank doesn't need to see. However, Canton is explicitly not anonymous-by-design.

Who Sees Your Payments ?

Only the parties you define in your smart contract see your transaction details. A regulator can be added as an "observer" at the contract level for real-time, read-only visibility without exposing data to the market.

The network uses techniques to mask metadata patterns to prevent traffic analysis. Since Canton requires institutional participation with identified entities (financial institutions, market infrastructure providers, etc.), there is no pseudonymity—your identity is known to the system.

Is Your Balance Publicly Visible ?

No. Your balance is private within your participant node. Canton uses Amulets (UTXO-style contracts) rather than account-based balances, and these follow the same privacy rules as any other asset on the network—only relevant parties can see them. Unlike public blockchains, there is no single global state visible to all.

Law Enforcement and Blockchain Analysis risks

Canton is highly traceable by design because it prioritizes regulatory compliance. The system includes built-in auditability and selective disclosure mechanisms. A law enforcement agency can be granted observer access to relevant contracts, providing complete visibility into those transactions.

Because Canton serves major financial institutions (Goldman Sachs, HSBC, BNP Paribas, DTCC, Deutsche Börse) that already maintain extensive AML/KYC compliance, the infrastructure for law enforcement investigation is inherent to the protocol. There have been no known cases of law enforcement struggling to identify Canton participants because the entire design assumes institutional identity and regulatory oversight.

4. MobileCoin - THE ACTUAL SECOND BEST !

If we were to estabilish some SECOND BEST PRIVACY COIN, Mobile Coin deserves it fully in my opinion, here is why.

MobileCoin combines technology from Monero and Stellar, using CryptoNote technology alongside zero-knowledge proofs to hide transaction details. The core cryptographic layers are:

Ring signatures (using MLSAG/CLSAG schemes) - hide which output is actually being spent, creating sender ambiguity

One-time addresses (similar to stealth addresses) - prevent linking outputs to a known recipient address

Ring Confidential Transactions (RingCT) - conceal amounts while preserving verifiability

Intel SGX - secure enclaves running on validator nodes to protect transaction processing.

Transactions are validated in SGX secure enclaves using a consensus protocol adapted from Stellar's Federated Byzantine Agreement. Everything is written in Rust, separating it technically from Monero while maintaining similar privacy principles.

How Private Are Payments?

Payments are cryptographically unlinkable on the blockchain—blockchain analysts cannot connect sender to receiver from transaction data alone. The transaction recipients are hidden through one-time addresses that cannot be linked back to the recipient's actual wallet address. Amounts are hidden using RingCT. However, Signal (the messaging app integrating MobileCoin) itself can see behavioral metadata: who you're sending to, when, and how frequently, though not the transaction content itself. This is a critical distinction between on-chain privacy (strong) and metadata privacy (limited).

Who Sees Your Payments?

On the blockchain level: nobody can identify the sender or receiver from transaction data alone. The recipient's identity is protected by one-time addresses, and the sender is obscured within a ring of possible signers. However, Signal knows the timing, frequency, and recipient patterns of your financial behavior, even though it cannot see the actual amounts or transaction content. This means Signal could provide this behavioral metadata to authorities if compelled.

Is Your Balance Publicly Visible?

No. Your balance is completely private. Only the blockchain contains UTXOs and key images; no addresses or balances are published. However, anyone with your private view key (which you can share for auditing purposes) can see your incoming transactions.

Law Enforcement and Blockchain Analysis

MobileCoin transactions themselves cannot be traced via blockchain analysis because of the cryptographic protections. However, law enforcement can compel Signal for transaction metadata (timing, patterns, recipient information).

The weakness is not the coin itself but the application layer: Signal's servers maintain records of who sends to whom and when. Unlike true decentralized systems, MobileCoin transactions on Signal go through Signal's infrastructure, creating a record even if the blockchain itself is private.

There have been no major publicized cases of law enforcement successfully de-anonymizing MobileCoin transactions on the blockchain itself, but this is largely because MobileCoin has limited adoption and is primarily used within Signal.

However when it comes to an risk of Signal revealing some information about your balance or wallet whatsoever, I guess (check it on your own) they will have everything encrypted and agencies will have troubles detecting detecting the person anyways and likely will not succeed.

My take on privacy and psuedo-privacy coins

For the privacy and security of yourself, stick to Monero and MobileCoin and avoid usage of pseudo-private protocols. In time of October 2025 - January 2026, there was a huge boom on privacy coins market, there were new protcols like GHOST or MIDNIGHT announced and the narrative was pushed strongly to drain people's wallets and it ended up as always with a huge dump.

One important thing we should understand is that, those assets will be volatile and we have to embrace it and have no remorse when e.g. we paid for something with XMR and the price of XMR raised, then such feeling of "Oh fuck, I could have waited to pay less" happens to everyone, but think of it as you would e.g. purchase the headphones for 100$ and after 2 months after purchase, then the price dropped to 85$, would you have remorse of having spent to much ? Well likely not, because you enjoy the headphones technology work and it was worth the price and you live further, no big deal.

Where to but crypto-anonymously ?

Of course if you would like to have cryptocurrencies and you have only fiat, you first need to purchase crypto obviously. But how can you purchase anonymously ? Here I have found approaches you could do.

P2P Exchanges

These types of exchanges are connect you directly with a person who wants to sell their assets or want to buy some assets, instead of automating it like Centralized Exchanges usually do, disabling you from direct contact. In order to make a trade however often a deposit is needed in some currency, in order to allow you to betray the seller.

And other one, that I found out about at the NBX event I was and it's prolly more focused sadly only on polish customers but Spot.Club seems to be interesting. It's not working yet, but it is about to be launched.

Also there was an CEX that offers privacy preserving solution namely Kanga, a polish exchange offers Kanga-Local, where you can meet in person with the local person and purchase/sell your crypto.

It has it's pros such as possibility to connect with the person and make a relationship, become friends and do something together, but the trade-off here would be the fees to be paid.

As it will turn out, PRIVACY COMES AT A PRICE ! Price in terms of finances, convenience, social-acceptance (normies might treat you as weirdo) and other layers of where you would need to pay the price of being different.

The other risk is that the person might be undercover agent or officer that could gather data on you and accuse you and all of the sudden ruin part of your life, it happens, it's not often but it's good to keep it mind.

I mention it because there are far more cases of innocent people, who try to keep themselves away from government or they are preaching their opinions that are not complimentary towards surrveilance-apparatus of governments.

To emphasize it: I'm not supporting criminal activities, I condemn and despise people performing any illegal action, but I condemn even more "legal" actions that violate freedom and privacy of regular people.

ATMs

On the time of writing there are yet places where there is a limit upto 1000 Euro value transaction to deposit/withdraw from the ATM, so checkout if it's available in your country and if there are any distributors of Crypto ATMs.

Exchange Points

In Exchange Points (ger. Wechselstube) you have the same opportunity in some countries in EU yet to make a deposit/withdrawal upto 1000$ value. But from June on it is about to be

Alternative Crypto

By design, cryptocurrencies were about to liberate people from banks and centralized institutions. By having an (pseudo)anonymous network, people were supposed to make transactions without a trust to the 3rd party and even the person we make the tx with.

And although the first one is partially achieved, the second one has been screwed up and currently if you go through KYC on an exchange in any form you can at most remain pseudo-anonymous, and if you do full KYC then it's just as though a woman (or man, coz people might squeek in the comments that I'm misogynist) would say they care about their privacy, but walks out in transparent clothes outside, hope you get the point.

However, as mentioned earlier. There STILL (26.04.2026) are in some places options available to remain private without identification requirement.

Most blockchains are transparent, therefore by chain-analysis law-enforcement can easily determine which wallets are yours together with CEXes support.

And here are suggestions how to preserve anonymity in public blockchains (use EVM-chains, Bitcoin or Solana for convenience):

Coin mixing services

Mixing or tumbling services pool transactions from multiple users, breaking the link between input and output addresses. Services like Tornado Cash (though now sanctioned in some jurisdictions) or CoinJoin for Bitcoin shuffle transactions together, making it harder to trace funds to their original source.

Address separation

Create new addresses for each transaction rather than reusing the same wallet address. This prevents someone from linking multiple transactions to a single entity, though sophisticated chain analysis can still correlate addresses with patterns.

Use multiple wallets

Maintain separate wallets for different purposes (trading, savings, donations) and avoid sending funds between them in traceable ways.

Non-custodial solutions

Self-custody with hardware wallets means no exchange holds your identity data, though KYC (Know Your Customer) requirements at on/off-ramps still create on-chain entry points traceable to you.

VPN and Tor

Route your blockchain activity through privacy tools like Tor or a VPN to hide your IP address from node operators and observers monitoring network traffic.

Non-KYC CEXes

If you have already some crypto and you want to trade it or purchase e.g. coins that are not available in P2P and you want to use CEX, there are CEXes that allow you to use it without going through KYC, email is enough (use aliases ;D for that)

Such exchanges are e.g. HTX or CoinEx

Virtual & Physical Cards

The most desired option to pay and acquire goods is to have a card with some fiat. And here is where Visa/Mastercard Prepaid Virtual or even Physical cards come into play. This comes with certain risks which I will describe, but for now I want to focus on the products specifically.

I just want to emphasize the fact that it took 4 days, with 4 days in a row sleeping on average 3/4 hours a day to make this ranking/list. A lot of other articles on the internet are outdated and most of the products turnt into KYC-required cards or were just non-KYC the same as ZEBEC is.

There are a lot of scammy non-kyc cards providers, that after linking you to the provider to activate the card, they require KYC there. One of such companies is ZEBEC (I still wait for my refund 10$ 😘), that does not require KYC from you on their side, but when you get your activation token with link to third-party, either pass the ID or you got rekt.

That of course is nicely inserted in terms/privacy policy in one of their points:

Third-Party Services & Wallet Control Independent Partners Some features rely on independent third parties such as: Wallet providers Card issuers Payment processors Blockchain networks Staking providers Banking partners These companies operate separately from Zebec and may have their own rules. We do not control their operations and cannot guarantee their performance or availability.

And it occured in 10+ cases with other providers/softwares. The inferrance is simple, READ FUCKING TERMS AND POLICIES ! If not all, then filter it out to check parts you are interested in by searching for keywords (CRTL + F) and discover what the app legally is.

Laso.Finance

First there will be Laso Finance, probably mostly known No-KYC card issuer.

And they offer only one time load cards, so the cards are not reloadable, basically the amount you will be willing to spend, so much only you will be able to spend. And you cannot top-up again.

Laso Finance supports a lot of tokens from 3 chains EVM, Solana and Stellar (Beta).

They offer 3 types of cards:

US Only card - Basically a one-time load card, that you can attach to your digital wallet and pay for products. Payments are possible only in US.
Push to Card - This solution is not a card, rather a tool to replenish your debit card e.g. of your bank or any other card provider with cryptocurrencies without KYC. And usefull for crypto-offramp without KYC, recurring payments, ATMs withdrawals, etc.
- International - This card has the same terms as the US one, with the difference that it has a 3.8% from the initial card load (min 100$ - max 1000$)
Canada Card - The same card type as US and international one, enables you to spend canadian dollars without a fee.

Feature Comparison

Feature	Wise (Multi-Currency Card)	Push to Card	Internationalp (USD)	Canada
Deposit Fee	None	4.8%	3.8%	None
Transaction Fee	None	N/A	None	None
Withdrawal Fee	14%, $10 min (if possible)	N/A	14%, $10 min (if possible)	14%, $10 min (if possible)
Minimum Order	$20	$10	$100	$20
Maximum Limit	$1,000	$9,541.98	$1,000	$1,000
Apple Pay	✓	✗	✓	✓
Google Pay	✓	✗	✓	✓
Reloadable	✗	✗	✗	✗
Automatic Balance/Transaction on Updates	✗	✗	✗	✗
FX Rate	N/A	N/A	-2%	N/A
3D Secure (3DS)	✗	✗	✗	✗
Daily Limit	N/A	N/A	N/A	N/A
Monthly Limit	N/A	N/A	N/A	N/A

As in other cases, there is a list of countries where the product is not available, thus I advice to familiarize yourself with the list before purchasing. The list on the picture is trimmed.

Privacy Gateway

This is non-kyc virtual card provider but besides that they also have their bridge for any coins/tokens to purchase or sell XMR for other crypto, they have plenty of available tokens/coins you can exchange on. I will focus however only on the card this time here are the features that the card offers:

The card it's self that they offer is re-loadable and they have chosen a different approach when it comes to business model compared to the previous options. So you can actually reload this card as much as you would like to and enjoy private payments.

Card Features

✓VISA virtual card

✓Instant card issuance

✓No KYC, just name and email

✓$10,000 monthly limit

✓Tap to pay worldwide

✓Add to Google Pay

✓Apple Pay (coming soon)

✓3DS support

✓0% fee on USD purchases

✓3.5% loading fee

✓24/7 support

No Samsung Wallet Support (checked personally :D)

And instead of some one-time payments they decided to run a subscription model, they charge 5$/mo (currently there is a discount from 10 $ dollars a month)

No other fees included.

How the Card Purchase Works — Step by Step

This explanation comes from official PrivacyGateway.io Support, after contacting them.

Choose your amount
Pick one of the fixed denominations: $250, $500, or $1,000.
Enter your details
• A name (this is what gets printed on the card — it doesn’t have to be your legal name)
• An email address
• Choose your payment method: XMR, BTC, LTC, SOL, USDT/USDC (POL) — and we keep adding more!
Send crypto to your payment address
You get a unique deposit address and an exact crypto amount to send. The amount already includes the 3.5% service fee.
Card is created after a few confirmations
Once your transaction gets enough blockchain confirmations, the system automatically creates your virtual Visa card. You receive a 32-character access hash — this is your only credential. There is no account, no password, no email login. Copy it and save it.
The swap happens automatically
The system automatically converts your crypto to load the card in USD. You do nothing.
Card goes active
Once the funds arrive, your card balance updates. You log into your dashboard with your access hash to see the balance.
Reveal card details
Click “Reveal Card Details” to see your full card number, expiry, and CVV — and you’re ready to use it!

I have to express my gratefulness to the Privacy Gateway Support, who has given me possibility to test out the card on my own and check, if the card will be supported by Samsung Wallet (as I decided to test my setup for private payments): Samsung + No SIM-CARD + dumb email + digital wallet (optionally VPN with thetered internet from my other one) as shown below (yes I glued over the cameras, lol):

And for that money as a genuine tech-jounalist I grabbed my free meal, so thanks Leo 🫡 for giving me the opportunity. So did my meal look like, absolute aristocracy 🙌

Btw do not allege me with being bribed, because if the product would not work or the support would not be so transparent about helpful, I would not put it on the list.

My Take : This is a very low-budget, reasonable option to get started private payments with and to use on a daily basis for expenditures. I personally will soon think about using their product.

Goblin Card

I have to confess at first, I was skeptical about this product because of the fact that it's the only PHYSICAL card that is non-kyc. And you might also have such an impression ? But therefore I gone and asked questions about the details of how the products work, I watch materials available and research the internet and not blindly copy paste from Gepetto-AI or any other Clueless Models (just kidding, lol).

I also faced a bit of behavior, words from people in the group, that I was not about to expect and they weren't nice experiences. However, with the support of Goblin Cards, we jointly clarified everything and all my doubts got resolved. Shortly describing the company, it is a company based in Mexico, with small team, originally being and OTC exchange transforming into an card provider, which as the founder said was natural move.

People might yet be skeptical about the location, but a lot of that has been explained in the podcast by the founder (check it out).

Really interesting stuff to learn about the financial system. The names of the systems like SPEI or Archus caught my interest and I will definitely read about it in my free time). The company attended Monerotopia event in Mexico and intend to be active in that space as well.

I must say that my suspicion was wrong, already after I watched the interview, I had an impression of being wrong. I mean the founder was too transparent and shared so many details about how their product works, that some stupid big-tech CEOs would not share. So I decided to ask directly and clarify it.

How is this legally compliant ?

It bases on physical reloadable PREPAID mastercard cards. The PREPAID adjective to this card makes the situation turn 180 degrees. Because if it was a regular card just like offered by Revolut or any other FinTech, then it would demand KYC/AML.

However, due to the fact that it bases on prepaid cards, just like those one can purchase in a mall, gas-station next to gift cards. It makes it fit completely different category of cards. That's how I understood the compliance.

And the fact that it's both reloadable and prepaid, makes it work and there are people who are actually satisfied with their products on SimpleX or Telegram chat and they offer a great support. Shout out to the Goblin Cards support for collaborating to make this article exist 😎

And to me, it makes sense and I really support such initiatives. If there is a grain yet of the free market and this approach is not forbidden, then it's allowed and noone should be treating them as criminals or shady guys.

In Europe the VISA or Mastercard prepaid cards are barely if at all visible or accessible and it sounds strange to a lot of people. Whereas in US or in countries in the south-america and mexico, those seem to be very popular and often used.

If you want to watch a video on the steps and see that the card works, there is an hindi guy with guideance and PoW of this card at ATM, you can turn on the automatic transalation (don't forget to like if you enjoy and write some shout-out from me 😁) !

How does the workflow from order to activation work ?

*Explanation provided by official Goblin Cards Support.

Purchase the card,
Send shipping address
Receive the card
Message support to activate
Receive login instructions
Proceed to deposit via bot and spend

That are six simple steps, that are allowing you to reclaim the control over your finances and keep it private, independent of banks.

Product Details

Card type: Mastercard Prepaid Reloadable (Physical)

∙ $5,000 USD daily spending limit
∙ $25,000 USD monthly spending limit
∙$500 daily ATM withdrawal limit
∙ Balance maintained in Mexican Pesos
∙ Chip + contactless (tap to pay)
∙ Shipped via UPS (3–5 days worldwide)
∙ Dedicated app for balances and transaction history

Pricing

∙ Card: $350 USD one-time
∙ Deposit fee: 3.5% (XMR: 4%)
∙ Renewal: $100 (after 3 years)

The coins they support for deposit and pay for the card is basic, but solid: BTC, SOL, ETH, USDT, XMR

My Take: I would be keen to buy this card after like 1/2 years of usage of the virtual card provided by PrivacyGateway.io

This solution looks very promising, but we never know what the future regulation might look like and if such solution would not be basically be banned either in EU or somewhere else. But definitely good for diversifying source of payments, if one gets blocked I can use the other.

Shout out to the Goblin Cards support, who answered all my questions and resolved doubts.

TroCador

A service that offers variety of private solutions for payments like cross-chain swaps, bridges, anon donations (to implement for devs), gift-cards to be purchased. However we will focus this time only on the visa cards and how can we pay anonymously.

Trocador offers up to $1000 prepaid visa cards. There is no limit on the number of cards you can buy. You can top-up this card with any cryptocurrency available in Trocador, they support Bitcoin, XMR, ZCash, MobileCoin, Ether, Solana, their tokens and many more (checkout their site)

Issuance fee: 3%, depending on the provider.

2-Monthly payment: 2.5 $

Tx fee: Instead of the usual 2% Currency Conversion Fee, they charge $0.75 for each non-USD transaction

Prepaid Card Providers

MyPrepaidCenter (US Only) (US Dollars) - as the owners of the service say, it might be also used anywhere else but they do not guarantee it will work (likely will not).
Prepaid Cards Provided by Reward (US Only) (US Dollars) - the same as previous option.
Prepaid Cards Provided by Swype (US Dollars) - Available internationally.

Trocador issues a card from 3 different card providers:

Transactions in different currencies than that of the card may incur a currency conversion fee by the card provider (usually 2% or $0.75).

The discomfort might come for VPN users as they will be blocked from redeeming their cards and you would have lost your funds (not worth it, buddy :( )).

Stealths

Stealths as their competitors besides offering visa/mastercard prepaid cards, it also has e-sim card plans and gift cards in their offer. But as said before, here I focus on payment cards only.

There are 4 types of Cards that they offer:

Visa Gift Card (Only US) with upload topup from 5 to 1000$ only one time
American Express Gift Card (Only US) topup from 5 to 3000$ only one time

Here are the details of those products:

This product is delivered automatically.
Card activation code and instructions will be added to order page.
American Express gift cards are issued by amexrewardcard.com
It's possible to view transaction history and balance details on card issuer's website.
Location to use: Only US
Cards are issued by U.S. bank and card currency is USD (Amex).
Support of Digital wallets (Google Pay, Apple Pay, etc.): Yes, But digital wallets checks your IP and trust scores, so we don't guarantee you can link it.
support 3D secure: No. Some merchants may decline the transaction for this reason.
ATMs or recurring billing: Not allowed
Online Acceptance: limited, you are advised to test the product with low amount at first.
Expiry time: 6 months (extension and reload not available) .
You should not redeem more than 2 gift cards from same device in 24 hours.

Fees

5% of the card top-up amount or minimal 5$ ## Reloadable Cards

Stealths also offers reloadable prepaid cards. One of the product is Rewarble Voucher

Rewarble Voucher

Fees: min 5$ or 7.5% of the amount topped up.

Details for the product:
Delivery: automatic, comes together with

Support for Problem: Rewarable (MasterCard) / Visa Support

You need to activate card after purchase. Card issuer will ask for email and address. It's not allowed to use VPN on redemption, you should provide a valid email address.

Issuance of first prepaid card on Rewarble is free, additional cards and reloads cost 4.5% + $1.99. For more details on pricing, check their website.

It's possible to view card balances and transactions on the issuer's website.

Rewarble offers multiple prepaid card options, we recommend "Suna Mastercard" product. Card availability and mobile wallet acceptance might be limited in your region. It's recommended to test with small amount first.

You can use Rewarble voucher code to reload existing card.

Cards are issued by U.S. bank and card currency is USD. Card supports foreign transactions, FX fee may be charged by card issuer.

Rewarble cards are valid for 7 days (+ another 7 days with free extension) initially, after validity period it costs $1.49/mo to keep card active.

Single-Use VCC (High Limit)

Intial topup: min 500$ - max 30k $
Fee: 8% or minimum 40$

Product Details

Delivery of this product is manual. Please do not create order without contacting us, delivery is possible in work hours.
This is a virtual card, not a prepaid card. Virtual cards have higher approval rates.
The card is not for long term use, you need to spend the balance in the same day you receive card details (up to 3 transactions allowed).
Card currency is USD. It can be used internationally with different currencies. The bank charges 2.5% fee for non-USD transactions, please keep that in mind.
The card supports 3D secure. It works on most online merchants; including PayPal, Amazon EU, Stripe checkouts. It does not support mobile wallets.

Terms of the card are available in this link for more info.

BitRefill

It's a marketplace with a variety of gift-cards and products (e.g. E-SIM cards, Phone-refills) you could purchase with crypto. They do not support Monero or from privacy coins, they support only DASH. They support as the name might suggest, Bitcoin, Ether, Solana, LTC, DOGE, TON, SUI and USDC and USDT

How their business model works, is that they apply a fee to your final checkout, when you are about to pay.

How do they earn money ?

From the example you can see they apply some fees to the final checkout. They have lower rate of ETH/EUR pair (at the time of writing it was 2049.65) and there it's 2031.30. So allegedly they charge ETH rate + about 1% fee (222.08 Euro in total), but they can sell it on the market for 224.10 Euro (just as an example, if they would have sold it after the payment would have arrived how the money would be made). So in total they earnt about 2%

The fee might vary depending on the selected coin/token to be paid with.

My take: This product would be used by me in case I would like to gift someone a b-day a gift card, or if I would like to pay for booking or AirBnb wihout attaching my card to their service.

LinkPay

It's a virtual visa/mastercard card provider, that issues cards for specfic usage like to spend for ChatGPT subscription, Netflix.

I messaged the support with request for clarification, what card can be purchased without KYC and here is the answer I got.

Without KYC verification, you can still use basic operations with Linkpay, but there are limitations. The monthly spending limit is $500, and only advertisement cards are available for issuance. Verification is required to increase limits and enable full card functionality.

Verification in Linkpay increases your limits and enables full card functionality. While basic operations are available without it, verification is required for higher limits and extra security. Here are the verification levels:

No Verification:
Monthly spend limit: $500
Only advertisement cards are available.

Basic Verification (Email and other details + ID Upload):

Monthly spend limit: $2000
All cards are available except Apple/Google Pay.
Requirements: Full name, address, and valid ID details.

Unlimited Verification:

No limits on spend or card types.
Requirements: Valid ID photo and passing a live check.

Other Cards (to personal verification)

Above were all card solution presented, that I accessed as legal, not shady, plausible. As I said before there were a lot of cards, who seemed to by non-kyc only, but there are solutions where I had issues to access them if they are scammy or not. Thus I list it here, so you can check it on your own.

BingCard
KardPay
Veil (this one really looks sketchy, similiarly to Privacy.com design, almost all scam opinions on trust pilot)
XHype
Solcard - Although it looks fully legit, their privacy policy and terms of usage didn't allow me to determine whether they their 3rd party does require KYC or not. About the product they offer, they offer a reloadable virtual card.

The offer of this card however is very limited, and if you have the virtual card without KYC, you are not able to attach it to your digital wallet. Here you have the details on the product they offer.

Below you got a screenshot, where they advertise themselves, having non-KYC card:

Again any action you take, you take it on your own, do not allege me afterwards if you loose money and don't come to me whining you lost money, I warned you.

Other Option to pay anonymously/pseudoanonymously

Other methods I thought about to preserve privacy are:

Pay someone cash to pay for the money transfer from their account

Solution that perhaps is the most ridiculous, but having a bank account would be a.....

LET ME FINISH, OK ? DON'T KILL ME YET 🫣.

Having a bank account in a countries without CRS, so that your financial activity stays in that country and is not reported to countries that request the data about you. Cambodia is one of such countries, that offers friendliness towards cryptocurrencies and are allowing people to pay and purchase goods with cryptocurrencies. It of course will demand you to provide your government-ID to open an account, however due to the fact that only you and your bank know about the transaction, some minimal privacy remained, but still not fully private.

Also an interesting fact, Cambodia's National Bank launched Bakong, a blockchain-based digital payment system, which represents one of the most prominent real-world implementations of blockchain technology in a national banking system.

The system was designed to achieve three key objectives: improve financial inclusion (Cambodia had ~78% unbanked population at launch), modernize digital payments infrastructure, and reduce reliance on the US dollar in everyday transactions.

I find it's bold and I find it banger-news ⚡

Again I mention Cambodia, because I reminded myself about the talk I had pleasure to have with people from Relocatify at NBX-event, shout out to them 🫡 !

Summary

Phew..., it's been quite a long ride, didn't it ? I hope you did enjoy the article and it was insightful to you, if so please leave a comment and a like. If you have suggestions what to change, please share it in the comments.

If you're about to purchase your first wallet or a new wallet, you remember to checkout OneKey product and with my promocode: Luftie, you get 10% discount on all products available in their shop, but also 10% off on fees on perpetuals and defi fees like staking etc.

Once again, I want to express my gratefulness to OneKey team, that they noticed me and believed in me. That means a lot to me, because such things do not happen to all of small creators and I got noticed and I'm happy about it, which only propels me to create better content for you.

Donations

As I promised above, here you have the addresses to my wallets for certain chains, if you want to send some coins/tokens to support me, feel free to do so. I'll be more than glad and you can send me the message on Signal (you can also use Telegram, but please avoid it, I prepare to remove my account from there. I'm fed up with it's flashiness, people that are running scams there and hoes with their channels)

Crypto Addresses:

Monero (XMR): 44mBpaeJSuxTSFTXRxAb289mNiPgHTk6tMaKXPjg2DNQMbmxP1dFA86Q9QnHoU8T62XhQputbGkESiQBD31QrtfN377wGD3

Bitcoin: bc1q5dxqaf2xva57rlac8gj5g3apmm0edvanvscyhw

Ether (ETH): 0x524C676f9e31b6a4CaE067c41d01E9878b7FF14B

Solana (SOL): DgsvUBEvQdQVk7bxQSA2cEjFuJRwMFokeGbMXtq6MY4X

Mobile Coin (MOB): 7xB623noRRqqMxbTwqvbJWfcpycYyWEvWQAALigKn4VrwhuHZxsFP4Xkexp5MyK53pE8mfomXzDPaLXuwuQPw8RNveTQDSEuDQcPopv6Foyfei6DCkzJJx1j68j4xuXRQ94Q4SoC22vRMWKA58eNmvG2Nx2sy6wY1pu7ZzZTozYqL1vEDzGK1ajGNB9VLxppXarkpw3kBjUVbtjYzWo2iENpBpfVQ4tXaetUiGrv7EvPDa

Once again. If you donated on one of those addresses, thank you very much for your support 💜

Privacy and Security Setup to use in 2026 (Messengers + Mail) PART 2

Luftie The Anonymous — Tue, 21 Apr 2026 22:00:00 +0000

Gm Hackers !

In recent post, I presented to you what Operating Systems to use, Browsers and search engine. This time we're going into something that also pertains every internet user and namely the communication 📞

Luftie The Anonymous

Apr 17

Privacy and Security Setup to use in 2026 PART 1 (OS, Browser, Search Engines)

#discuss #privacy #tooling #security

Comments 4

31 min read

If you did not read my last post, do it before reading that one, by clicking above 😁

Over what channels/apps should you actually communicate anonymously ? This post will cover the essentials to start using more private tech. But before..., I have something relevant to announce

IMPORTANT ANNOUNCEMENT ⚠️

In September 2026, Google plans to officially block any app that does not belong to a developer, who do not have an account in Google Play Developer Console, haven't uploaded their ID there and paid a fee.

From someone who is kind of a normie guy, does not care about the tech, surrounding world and their only worry is about to be right on time to watch their movie in TV, it might sound as a rational argument, they want to prevent android from having malware/spyware/scam-apps on their systems, thus they require their ID and pay the fee for app deployment and demand the apps to be deployed only via Play Store.

Whereas on the other hand, Android natively with google is the biggest malware and spyware together with Microslop OS (known by Normies as Windows).

By default your Google Play Services have access to all your accessories in the phone like camera, microphone and location. So if you do not turn them off, there is more chance your data is gathered, misused and sold. In such way, you are controlled by the technology and not conversely.

Why it matters ?

The opportunity to build, launch your apps on android without needing to pay fees, load your ID to the Third-party company that is prone to frequent breaches and is has the worst products that could be ever given is exactly the normality the user and developer wants to have.

Developers can independently deploy their apps without needing to have any financial commitments or needing to identify themselves to a third-party company.

Think about programmers, youngster coders from African Countries (I have many friends from Nigeria (shout out to all my Nigerian brothers 💚, you're phenomenal hard-workers. I love you all)). Do you think they will have enough money to purchase a subscription and simultaneously keep their life at the standard they have without any external support ?

I truly doubt it, of course for some it would be feasible, but I hear personally how those people are misused and paid slavery-salaries and try to handle somehow the money for another data packages (they do not have wi-fi, you white-trash morron 😘).

Another thing is that the app might not comply with often imaginary Google Play Requirements to push the app to be visible to the Store.
For now, indie mobile app devs simply can attach an .apk to their website/webapp and let users download from there, which is actually a common solution on the internet e.g. for games.

From the other perspective, it also is a violation of freedom of users of phones with custom ROMs like GrapheneOS or LineageOS, but also the average pure android user, that should decide themselves and take the risk on their own where they want to download their apps from, and it should not be estabilished by only-profit driven company, that is seeing the competition in solutions like FDroid and wants to have a monopoly.

When it comes to custom ROM users without default Google Play Services Support, this hits hard, because it basically disables them from using any apps at all, if the update from google comes irl.

Having done this, Google not only dictates you what is the source of your apps but also what OS you should have your mobile device. This is rudiculous and I will not be silent.

Internet should remain free and this is an attack on digital freedom. And this freedom is about to be violated by an enterprise for profit.

There for I gently request you

-- Go to the KeepAndroidOpen website and perform as many action from the site there as you can do.

E.g. Install F-Droid, message your local regulators and inform about the monopoly attempt, Provide feedback directly to Google using their Android developer verification requirements survey, sign the petition.

All action matters, and even if in the end it will be implemented, you should not have any remorse to yourself, because you did something towards stopping it and were not passive.

Therefore I'm requesting you, If you have the account on Google Developer Console, the best decision would be to remove it. Do not upload any IDs if you haven't yet.

Self-confession time

Me myself unfortunately committed back October/November 2024 a failure by uploading the sensitive data to Google, only because I was in a process of building my start-up and wanted to have a greater outreach with my app. That project has been terminated and failed, but the data remained. Thus I recently decided to remove my account from Google Play Developer Console:

Candidly speaking, when I look at how much spam I got to my gmail and how much I get to my private email addresses, 1 gmail outperforms 5 private mail addresses I have.

Spam/Scam mails quantities on my email addresses in one month:
1 Gmail: 257 mails
5 Private Mail: 0 mails

Announcement Summary

That's it from the announcement. Leave a comment down below what actions have you taken and what do you think about it, and now we can head over to the main part of the article !

Messengers

Ok, until now we only discussed the Operating Systems to be used, but this is not all. You would not like your messages to be spied, misused on or be breached, right ?

Thus we need a private communicators. Me myself on a daily basis use variety of communicators, which I really do not like being completely honest. I use:

Signal (my favorite one)
Telegram
SimpleX
Matrix/Element
Whatsapp

From those 5, only 3 are fully reliable when it comes to privacy respecting and that are:
Signal, SimpleX, Matrix

Before I discuss those 3 chat-apps, here is why I did not include Telegram and Whatsapp

Why not Telegram ?

E2EE is NOT default—standard chats are server-side encrypted, meaning Telegram can decrypt them
Custom encryption protocol (MTProto) instead of widely-audited standards like Signal Protocol
IP address leak vulnerability (MTProxy doesn't actually hide IPs as users think)
2024-2026: 200+ million records leaked via various breaches; 122GB credential archive (361M unique emails) distributed across Telegram channels in late 2023/early 2024
2024: Hackers leaked 31M+ Star Health insurance customers' medical data via Telegram bots
2025: 43.5M Telegram channels blocked for illegal activity, but actors just recreate channels within days (low cost to operate)

Why not Whatsapp ?

Meta collects metadata ruthlessly—who you message, when, how often, your contact lists
Meta monetizes this data for ad targeting
November 2025: Researchers at University of Vienna + SBA Research found 3.5 billion WhatsApp accounts via API scraping due to weak rate-limiting. They extracted profile pictures, "about" text, linked devices, OS info. One researcher: "This is a cybercriminal's dream working list."
June 2025: 16 billion credentials breach affecting Facebook/Instagram/WhatsApp (infostealer malware)
Early 2025: Graphite zero-click spyware (Paragon Solutions) targeted ~90 journalists/activists—gave attackers access to encrypted messages, microphone, location
2021: 533M Facebook accounts scraped; 58% still active on WhatsApp in 2025—leaked phone numbers have permanent value

Thus I really wish to move away from using Telegram. Unfortunately a lot of people from the crypto-industry prefer convenience and flashy effects over security and privacy.

Why the others ?

Signal 💙

Encryption: Signal Protocol (Double Ratchet)

ECDH: Curve25519

Message encryption: AES-256-GCM

HMAC: SHA-256

Perfect Forward Secrecy: Yes (every message has unique keys)

Post-Compromise Security: Yes (ratcheting)

Architecture: Centralized servers (Signal Messenger Inc.)

Minimal data collection: No message history, no contact lists stored server-side

Registration: Phone-number based

Multi-device: Supported but uses Sesame protocol

Metadata Protection: Reasonable—server doesn't see message content, but does see phone number, online status, contact discovery

End-to-end encryption is mandatory across all chats

Open-source, regularly audited, nonprofit model

Zero metadata collection unlike WhatsApp—doesn't store who you message or call logs

Post-quantum cryptography roadmap in progress.

Before I move to the next recommendation, I have to explain couple of terms that will actually repeat themselves throughout the article.

Ratcheting - A cryptographic algorithm for dynamical updates of encryption keys to ensure forward secrecy and post-compromise security. This means that even if a key is compromised, past messages remain secure, as new keys are generated for each message exchange.

Double Ratchet - It's an key-management algorithm designed by first Signal's CEO. The feature of this algorithm is that after the initial key-exchange, it handles the ongoing renewal and maintenance of short-lived session keys.

It combines a cryptographic so-called "ratchet" based on the Diffie–Hellman key exchange and a ratchet based on a key derivation function, such as a hash-function, and is therefore called a double ratchet.

Sesame Algorithm - It's an algorithm designed for message encryption sessions management in an asynchronous across multiple devices. It is however vulnerable due to the lack of cryptographic proof of ownership. Which means that if an attacker gains access or intercepts some messages of a victim, it allows the attacker to register their device and gain access to the victim's account.

Forward Secrecy - An encryption system has the property of forward secrecy if plain-text (decrypted) inspection of the data exchange that occurs during key agreement phase of session initiation does not reveal the key that was used to encrypt the remainder of the session.

All is more nicely described by researchers from University of Luebeck.

Now although there is no flaw in a protocol, meaning that it would leak some information, by falling a victim of social engineering, phishing attack or your device being compromised there are no prevention measurements to cease attacker from accessing the account.

SimpleX

Encryption: SimpleX protocol (custom, but well-designed)

Message encryption: ChaCha20-Poly1305 (AEAD)

Key encryption: XChaCha20-Poly1305 (extended nonce for random salt)

Key exchange: Curve448 ECDH

Forward Secrecy: Yes (ratcheting model similar to Signal)

Architecture: Fully decentralized—no central server required

Users run their own SMP (SimpleX Messaging Protocol) relays or use community-hosted ones

Zero-knowledge: SMP relays don't store messages; they're purely transient delivery points

No user accounts: Connections are queue-based, not identity-based—no UIDs linking users to the network

Metadata Protection: Exceptional—even relay operators can't see who's talking to whom

Tor Support: Built-in Tor integration (transport isolation per contact)

Audit: Trail of Bits security assessment (2022, 2024)

The Trade-off: SimpleX prioritizes privacy over convenience. No multi-device sync yet, no cloud backups, slower message delivery.
But this is intentional—they refuse the push-notification trap that other apps use.

Matrix/Element

Encryption: Olm + Megolm

1-to-1: Olm (Double Ratchet variant, similar to Signal Protocol)

ECDH: Curve25519

Message encryption: AES-256-CBC (non-standard; should be GCM or
ChaCha20-Poly1305)

HMAC: SHA-256

Group chats: Megolm (sender-key model)

Session key: AES-256

Ratcheting: Weaker than 1-to-1; Forward secrecy limited by key reuse

Architecture: Federated—users can run their own home-server

Protocol is open, but implementations vary in security

Default E2EE: Yes

Key Backup Vulnerability: Server-side encrypted key backups can be exploited if home-server is malicious

Metadata: Partially exposed (room names, user IDs, member lists visible to homeserver)

Other worth-mentioning messengers

There also other emerging private messengers that are worth to be paid attention to, namely NCrypt and also Sealed. Both are blockchain focused, and the messages are stored on blockchain at least in Sealed.

Here are some information about Sealed and NCrypt I could find in their privacy policy and on the internet.

Sealed

What Sealed Actually Is (The Honest Technical Take) ?

Sealed is a blockchain-based, end-to-end encrypted messaging app built on a three-tier data architecture. Unlike most messengers that centralize everything on company servers, Sealed explicitly separates data into three distinct realms, each with different controllers. This is the critical design choice that sets it apart.

The app is currently live on iOS and Android, operating on Algorand. The foundational principle is brutal: no single party—not even Sealed's operators—has full control over all your data. That's architecturally honest in a way Signal and Telegram aren't.

The Three Data Realms: How the Architecture Actually Works

Realm A: Your Device (You Alone Control This)

Everything that matters cryptographically stays on your device. Your BIP39 seed phrase, your Ed25519 wallet signing key, your X25519 encryption keypair, and all decrypted message content lives exclusively in your device's secure enclave—iOS Keychain or Android Keystore. There is no recovery mechanism. If you lose your device without a seed phrase backup, your account is gone permanently. Sealed cannot recover it, nor can any authority compel them to.

Your contact list (wallet addresses plus usernames) also stays local. The implication here is clear: Sealed has zero visibility into your social graph. They can't tell who you're talking to, how often, or in what pattern.

Realm B: The Public Blockchain (No One Controls This)

Every message you send goes onto a public blockchain as an immutable transaction. This is where the privacy model gets interesting.

Messages are stored as AES-256-GCM encrypted ciphertext—unreadable without your private key. But the blockchain stores more than just content. Each message includes an ephemeral sender public key (a one-time X25519 key per message, not your permanent identity), a 32-byte HMAC recipient tag used for "stealth addressing," the block-level timestamp, and your sender wallet public key (your pseudonymous identity).

Here's the friction: if you register a human-readable username, that gets written to the blockchain permanently. This is where anonymity breaks if you're not careful. Register as "john_crypto_banker" and link your Twitter, and the pseudonymity collapses. But if you stay wallet-address-only, the blockchain sees only a pubkey, not a name.

The critical point: blockchain data is permanent and immutable. No deletion rights apply. You cannot request removal. An observer can see that a message was sent to a particular wallet address at a particular time, and if encrypted properly, they cannot read it. But the metadata—that a message exists, when it was sent, and who the recipient pseudonymous identity is—that's forever.

Realm C: The Indexer Server (Sealed Controls This, With Guardrails)

This is where Sealed takes a calculated privacy trade-off. To deliver push notifications and enable efficient message sync, they operate an indexer server that stores limited data:

Your wallet public address (for identity and auth)
Your X25519 view key (this is the big one—see below)
SHA-256 hash of your view key
Firebase Cloud Messaging token (for push delivery)
Device platform identifier (iOS or Android)
Optional username
Message metadata pointers (blockchain transaction references for sync, not content)
Last seen timestamp
IP address (standard server logging)

The view key is the most significant privacy tradeoff and Sealed is honest about it. Your X25519 scan/view private key is shared with their indexer server. This allows the server to detect incoming messages addressed to you on-chain and trigger push notifications. The view key does not decrypt content—that's a separate key path. The view key only reveals that a message was sent to you, not what it says.

This is crucial: if Sealed's indexer is compromised, attackers learn who's messaging you. But they don't learn what was said. Content requires your full private key, which never leaves your device.

Retention is clear: indexer data expires after 90 days of inactivity. Message metadata expires after 30 days. IP logs rotate per standard practice (7–30 days). You can manually delete your account at any time with a signed deletion request, and they'll purge the view key and FCM token within 30 days.

Authentication: No Phone Number, No Email, No Password

Sealed uses pure wallet-based authentication. When you log in, your app signs a time-limited challenge string with your Ed25519 wallet private key. The signing key never leaves your device. This means there's no email-based password reset, no SIM-swap attack surface, no centralized identity store. You are your keys.

The tradeoff: if you lose both your device and your seed phrase, you're locked out forever. There's no "I forgot my password" recovery. This is hardcore, but it's the price of true key custody.

Encryption Details: Where Sealed Gets Technical

Message content uses AES-256-GCM with per-message ephemeral keys. The key derivation path is X25519 (ECDH) + HKDF, which is industry standard. Messages are padded to a uniform 1,024 bytes before encryption to prevent length-inference attacks—a sophisticated move that prevents attackers from guessing message type based on ciphertext size.

The ephemeral key per message is the Double Ratchet-adjacent concept: each message has a unique encryption key. This gives forward secrecy—if one key is compromised, only that one message is exposed, not past or future ones.

The roadmap includes ML-KEM-512 (Kyber-512) as a hybrid post-quantum layer on top of X25519. This is planned but not yet deployed. Currently Sealed is quantum-vulnerable, like all classical asymmetric crypto.

API communication to the indexer uses Ed25519 signature-based authentication with signed time-limited nonces, enforced over HTTPS/TLS. The server implements helmet security headers and rate limiting (100 requests/minute per IP).

What Sealed Does NOT Collect (The Important Negatives)

This is where Sealed differs sharply from WhatsApp, Telegram, and especially Messenger:

No real name
No email address
No phone number
No device contacts imported
No location data
No advertising identifiers (IDFA/GAID)
No biometric data
No analytics or behavioral tracking
No crash reports or telemetry beyond server-side operational logs

This is a stark contrast to Signal, which collects your phone number and uses it as your identity. Sealed's wallet-first model means they have no way to know who you are unless you tell them.

Third-Party Dependencies: Where Trust Matters

Sealed uses only two external services:

Google Firebase Cloud Messaging (FCM): For push notifications. Sealed sends Firebase only your FCM device token and a notification payload containing the sender's wallet address and a message reference—not the message content. This means Google sees that you received a message from a particular wallet, but not what was said. Google's privacy policy applies to this data.

AlgoNode (Algorand RPC): A third-party public Algorand node. Transactions you broadcast are globally visible by nature. No personal identifying data beyond your wallet address and encrypted message ciphertext is transmitted.

Sealed explicitly does not use advertising networks, analytics platforms, or data brokers. This is a hard line.

The Privacy Model: Honest About Tradeoffs

Sealed is architected for a specific threat model: you want encryption that no single entity can break, pseudonymity rather than anonymity, and no central server controlling your social graph.

If your threat is a government subpoena, Sealed has a clean answer: indexer data expires, blockchain data is public, and Sealed cannot hand over decrypted messages because they don't have your private key. The police would need your device or seed phrase.

If your threat is Sealed itself, you get a partial win: Sealed cannot read your messages, but they can see who's messaging you (via the view key). If you're concerned about this, you should assume the view key is compromised.

If your threat is length-based message inference, Sealed padded messages to 1,024 bytes, so attackers can't guess what you're saying based on ciphertext size.

If your threat is quantum computers, you're vulnerable until they deploy Kyber-512.

The Uncomfortable Realities

Realm B is permanent: Anything you write to the blockchain stays forever. If you message someone's wallet address, that metadata (sender, recipient, timestamp, message reference) is immutable. In a world of blockchain analysis and wallet clustering, this is a permanent link. Sealed can't delete it, and neither can you.

The view key is a vulnerability: It's the single point where Sealed can learn your incoming message graph. If the indexer is breached, attackers get a list of everyone messaging you. Sealed is transparent about this, but it's still the biggest attack surface in the architecture.

Usernames break pseudonymity: If you register a human-readable name, it's on-chain forever. Anyone can link your wallet to your identity. Sealed can't prevent this; it's a user error problem.

Firebase adds a Google dependency: FCM tokens reveal to Google that you're using Sealed, and when you receive messages. Google's privacy standards are better than most, but it's still a third party with visibility.

No audit: The privacy policy doesn't mention any independent security audit. The encryption primitives (AES-256-GCM, X25519, HKDF) are solid, but there's no third-party verification that the implementation is correct.

How This Compares to the earlier mentioned ones ?

Sealed is architecturally more honest than Signal or SimpleX about what data they hold and why. Signal doesn't explain its data architecture; they just say "we don't store messages." Sealed breaks it down into three realms and explains the controller for each.

Sealed is less mature than Signal (which has been battle-tested for a decade) and less audited than SimpleX (which had Trail of Bits assessment).

Sealed is more decentralized than Telegram (which holds all data server-side) but less decentralized than Element (which is federated) or SimpleX (which has no central relays—queues are ephemeral).

Sealed is more private than WhatsApp or Messenger because it doesn't collect phone numbers, emails, or contact graphs.

NCrypt (Gen6 Dapp)

NCrypt is a decentralized messaging app built as part of the Gen6 ecosystem. It's E2EE messaging integrated with Gen6's decentralized identity system (Gen6.Me). Messages are encrypted, transmitted through Gen6 validator nodes, and stored on the Gen6 blockchain.

The Technical Stack:

Blockchain: Gen6's own chain (Enhanced Proof-of-Authority consensus)

Validator Network: 100+ distributed validators securing the chain

Identity Layer: Gen6.Me (verified, pseudonymous, or fully private)

Encryption: Not explicitly stated, but likely AES-256 or ChaCha20-Poly1305 (industry standard)

Storage: Encrypted messages on Gen6 blockchain

Roadmap: Q4 2026 includes post-quantum security upgrade
Integration with Gen6 Ecosystem:

NCrypt isn't standalone—it's one dApp in a larger system:

RealSeal: On-chain cryptographic signing and timestamping
Gen6.Me: Verifiable identity (proof-of-attendance, credentials)
FONO: Event verification and community management
GSX Token: Utility token for transaction fees and ecosystem incentives

The Reality Check:

NCrypt is more honest but less audited than it claims:

No independent security audit — Gen6 was founded by security experts (David Pethes, Sergey Gerodes) but that's not a substitute for third-party audit.
Validator-dependent privacy — Your messages go through Gen6 validators. If a validator node is compromised, they see metadata (though not content if encryption is solid)
Identity is optional but integrated — You can be pseudonymous, but the whole ecosystem incentivizes verified identity (which is good for trust, bad for pure privacy)
Post-quantum still in roadmap — They're targeting Q4 2026; currently quantum-vulnerable like most messengers.
Smaller community — ~30,000 users vs millions for Signal. Smaller attack surface, but also less battle-testing.

Emails

Alright forwards we go ! We have now private OS, Private Browser, so we reduced successfully amount of spyware on our day-to-day activity on the internet. We keep our messages secure, by using Signal or SimpleX, but what if we want to receive mails and send mails in a more private way ? For that there is also a couple of solutions and for that I highly recommend checking out the Privacy Savvy article. I think this blog is a huge source of knowledge when it comes to privacy (So shout out to them :D):

ProtonMail
TutaMail
StartMail
MailFence
AtomicMail

Tuta (formerly Tutanota) – Most Privacy-Focused

Server Location: Germany 🇩🇪
Founded: 2011
Business Model: Private company, no outside investors, subscription-based
Free Tier: Yes (very limited)

Privacy Tech Stack
Tuta's doing it right here. They encrypt everything – emails, subject lines, calendar events, contacts. Most providers skip subject lines (that's a metadata vector), but Tuta's like "nah." They've implemented TutaCrypt, a proprietary hybrid system using:

CRYSTALS-Kyber (post-quantum key exchange) + X25519

AES encryption for content Zero-access architecture – they literally can't read your stuff, even if they wanted to.
They don't use PGP (which has known weaknesses), so no pulling of Google Play services like ProtonMail does.

Government Interventions & Data Compliance
No major data breaches on record.

Transparency Report (Jan-Dec 2025):

Received: 389 total requests from German courts

Complied: Only ~75 cases out of ~389 (they rejected 75% of requests)

Key insight: Tuta can only be compelled by German courts under German law. No backdoors, no FISA orders ever received. They publish a warrant canary confirming this.

What they CAN release: Metadata (sender/receiver emails, timestamps, IPs), NOT encrypted content

Notable incident (2019-2021): A German court tried to force Tuta to capture unencrypted incoming emails before they encrypted them – essentially creating a backdoor.

Tuta appealed, saying this violates German law. Court still ordered it, but Tuta refused to implement system-wide monitoring, only complying for specific cases. They appealed to German Federal Court and stood firm. No data was handed over that compromised encryption.

False Accusations (2023): A former Canadian RCMP officer claimed Tuta was a "storefront" for Five Eyes intel agencies. Completely false. Tuta denied it, published their entire codebase on GitHub for peer review, and pointed out they've zero FISA orders.

Availability 📲
They support mobile apps for android and IOS, they have also proton mail desktop app but this one is paid and is available for Linux, windows and IOS.

Free Tier Details
Storage: ~1 GB
Aliases: 15-30 depending on plan
Accounts deleted after 6 months inactivity (this is intentional for privacy – they don't want ghost data)
Support: Forum-only for free users
Custom domain: No
IMAP: Not supported (design choice, not a limitation)

ProtonMail

Server Location: Switzerland 🇨🇭
Founded: 2013
Business Model: NOT a non-profit – it's a for-profit company funded by investors. This matters because pressure to monetize is real.
Free Tier: Yes (extremely limited)

Privacy Tech Stack

End-to-end encryption for user-to-user emails (between ProtonMail accounts)

Zero-access encryption – they encrypt with your public key, can't decrypt

AES encryption for storage - Supports PGP for external recipients (standard, but not as comprehensive as Tuta's approach)

Does NOT encrypt subject lines – metadata leakage

Uses Google Play Services on Android (Tuta doesn't)
Government Interventions & Data Sharing – THIS IS CRITICAL
Confirmed data breaches to law enforcement:

2021 French Climate Activist Case:

French police obtained ProtonMail user's IP address via Swiss legal channels. Activist was identified and arrested.

ProtonMail did comply – they had no "legal possibility to appeal"
2022-2023 FBI Case:

FBI obtained recovery email address and phone number from ProtonMail
User in US harassment investigation was de-anonymized
Again, ProtonMail complied

Transparency Report (2022):

5,957 data requests received
Complied with significant portion – they don't break down exact numbers clearly.

They contest requests they can legally contest (~750 in 2022), but they will hand over metadata if Swiss courts order it

The Real Talk: ProtonMail markets itself with "Swiss privacy laws" but:

They can be legally compelled to enable real-time IP logging for specific users
They will share recovery emails, phone numbers, payment info, IP addresses
Swiss courts work with other governments – their "strict Swiss law" claim is marketing BS
They have secondary offices in the US, which complicates jurisdiction
No warrant canary. They don't publish a statement saying they've never received FISA orders (unlike Tuta).

Availability 📲
They support PWAs, mobile apps for android and IOS, they have also proton mail desktop app but this one is paid and is available for Linux, windows and IOS.

Free Tier Details
Storage: 500 MB (brutally limited)
1 email address only
No folders (can't organize)
Limited sending (cap per day)
Paid plans start at $4.99/month – one of the most expensive

To me proton is like "private google", as they are the most well known company and the most visible (advertised) one, that provides private mail services and generally cloud-services as well.

MailFence

Server Location: Belgium 🇧🇪
Founded: 2013
Business Model: Subscription-based
Free Tier: Yes (limited)

Privacy Tech Stack
OpenPGP encryption (industry standard, not proprietary)
Encrypts emails, calendar, contacts
Zero-knowledge architecture
IMAP/SMTP support (unlike Tuta, easier migration)
Belgian servers under GDPR
Government Interventions
No major breaches reported.

Mailfence doesn't publish as detailed a transparency report as Tuta or ProtonMail, but they're transparent about responding to valid Belgian court orders and cannot decrypt encrypted content.

Availability 📲
They support only PWAs and mobile apps for android and IOS.

Free Tier Details
Storage: 500 MB
1 email address
Limited folders
Paid plans start at €2.75/month (cheaper than Proton)

StartMail

Server Location: Netherlands 🇳🇱
Founded: 2013
Business Model: Subscription (no free plan)
Free Tier: No (7-day trial only)

Privacy Tech Stack
OpenPGP encryption (standard)
IMAP/SMTP support (great for external clients)
Dutch servers under GDPR
Unlimited aliases even on base plans
Government Interventions
Netherlands has reasonable privacy laws, but they can be compelled by Dutch courts. No major incidents reported.

Pricing
Starts at $5-7/month (no free option, disqualifying for your "free only" requirement)
Honorable Mentions (Active but Limited Free Tiers)
Atomic Mail – The New Kid on the Block
Founded: 2024
Server Location: Germany
Free Tier: Yes (generous – unlimited storage, rare for new providers)

Availability 📲
They have only a PWA support, so you can see the icon of them and it will bring you to your mail in browser, which I find cool and I really appreciate them to implement PWA.

Very new, so limited track record
Claims to have passed 1M users in <1 year
Offers unlimited storage free (vs. competitors' 500 MB-1 GB)
No security incidents yet (new service)
Cons: In beta, unproven long-term

Atomic Mail (The Underdog 🐶)

Location: Headquarters in Estonia 🇪🇪, Servers in Germany 🇩🇪

Founded: 2024 (launched by a team of privacy advocates and cybersecurity engineers)

Company Structure: AtomicMail Systems OÜ (private company, not a non-profit)

Current Status: Beta release (actively in development, iterating fast)

Growth Rate: Hit 1 million users in <1 year (straight up aggressive expansion)

Privacy & Encryption Tech Stack

Core Encryption Primitives:

ECIES (Elliptic Curve Integrated Encryption Scheme) – Asymmetric key exchange between Atomic users. Fast, modern, not some legacy PGP garbage.

AES-256 – Symmetric content encryption (industry standard, trusted by security researchers globally)

SHA-256 – Cryptographic hashing for data integrity verification

TLS 1.3 – In-transit encryption (TLS 1.2 is dated, they went for the newest standard)

BIP39 seed phrases – THIS IS THE CRYPTO TOUCH. Users recover accounts with a 12-word seed phrase (like a blockchain wallet), NOT a phone number or backup email. That's genuinely novel for email. No five-eyes backdoor through phone carriers.

Zero-Access Architecture (The Real Deal):

Here's the trick – Atomic Mail uses a client-side encryption model:

Client encrypts before upload – Your plaintext message is encrypted on YOUR device

Server only sees ciphertext – It gets transmitted and stored as meaningless scrambled data

Only recipient decrypts – Private keys never leave your device
Atomic Mail literally can't read encrypted messages – Even if hackers breach them, or a government issues a court order, the data is mathematically useless without your private key

This is fundamentally different from ProtonMail (which CAN decrypt if forced) because the architecture prevents them from having the keys in the first place.

Data-at-Rest + Data-in-Transit Protection:

All emails encrypted at rest (AES-256)

All communication encrypted in transit (TLS 1.3)

7-day log retention for IP addresses and SMTP metadata (troubleshooting + spam/phishing detection). Logs auto-delete after 7 days.

User vault storage – All messages sit in encrypted user vaults on secure servers.

Government Compliance & Legal Requests
Atomic Mail's Policy (From Official Privacy Policy, Last Updated: March 3, 2026):

"We will only comply with requests from Estonian judicial authorities and will not honor requests from other authorities. Atomic Mail does not cooperate with voluntary surveillance programs."

So only Estonian courts can force Atomic Mail to comply
No FBI, no GCHQ, no Five Eyes – They explicitly refuse non-Estonian requests. No secret surveillance programs – No FISA, no Tempora, no bulk metadata tapping.

Real-World Application:

If a US court demands data on an Atomic Mail user, Atomic Mail's legal stance is: "Get an Estonian court order or nothing happens." Since the US and Estonia don't have an automatic data-sharing treaty that works like that, this is effectively a firewall.

Third-Party Requests:

"We will not comply with requests for user information from private third parties unless we receive a valid court order from an Estonian court."

So even if Facebook or your ex's lawyer demands user data – no way. Only Estonian courts.

Data Breach History
As of April 2026: ZERO confirmed security incidents or data breaches on record.

Why does this matter?

They're new enough (founded 2024) that they haven't had time to accumulate the baggage of older providers.
Their encryption design means even if they were breached, attackers get useless ciphertext.
They practice extreme data minimization – less data = less to leak

Comparison: Tuta (been around since 2011) has no breaches. ProtonMail has complied with government data requests multiple times and handed over metadata. Atomic Mail's track record is clean, and the architecture prevents worst-case scenarios.

Unique Features (The Tech Deep Dive)

1. Seed Phrase Recovery (Borrowed from Crypto)
Instead of:

SMS OTP (SIM swap vulnerable)
Recovery email (metadata leakage)
Secret questions (brutalizable)
Atomic Mail uses BIP39-compliant seed phrases – a 12-word mnemonic that only you hold. Even Atomic Mail's admins can't reset your password. This is inspired by blockchain wallet design (think MetaMask, hardware wallets).

Why it matters: No phone carrier backdoor, no recovery email dependency, mathematically sound.

2. Multiple Encryption Options for External Recipients
Can't encrypt to Gmail users with ECIES (they're not on Atomic).

Solutions:
Password-Protected Email – Send encrypted message, recipient enters password
Encrypted as File – Send encrypted .zip file via any channel
TLS – Standard in-transit encryption (basic, but better than plaintext)

3. AI Suite (Privacy-First)
The Plus plan includes AI tools:

Writing assistant
Grammar checker
Summarizer
Translator
Security Helper (flags sensitive content in drafts, suggests encryption)
Text-to-voice
Critical: These AI tools can only process unencrypted drafts. They can't touch your encrypted emails. Zero training data on user messages.

4. Anonymous Email Aliases
Create up to 10 free unique email addresses from one account. Use them for:

Newsletter signups (throwaway)
Financial accounts (separate identity)
Work vs. personal (compartmentalization)
If one alias gets compromised in a data breach, you know exactly which service leaked it, and you can nuke that alias without affecting your main inbox.

5. Availability 📲
They have for now available apps for IOS, Android, MacOS and Windows. What actually surprised me that they do not have a linux version yet and I really would love to have one. What is yet disappointing to me is that they do not support PWA, so I can have an icon on my screen for quicker access.

To be honest I have the account on 3 of the mails provided Tuta, Atomic Mail and Proton and atomic mail appears to become my favorite mail from them all. Their UI is slick, they have nice privacy policy. Surely it's yet quite young but I root for them to have even a billion users.

Summary

This is 2/8 of our privacy journey, I hope you enjoyed it this time and I convinced you to switch over to any of either Messengers or Mail Providers.

Let me know down in the comments. In the next post there will be more info on AI and payments. I rearranged the order with Firewalls and VPNs, because I'm almost done with full research on this part.

So stay tuned because things might get much more interesting in the future than before and I will have surprise for you.

Don't forget to leave like 💜 and follow my account for more privacy-focused content. Also please share the article with your fellows (devs) or family to spread more awareness on privacy in the internet.

That's it for today, hope you'll have a great time and until next time.

Cheerio !

Privacy and Security Setup to use in 2026 PART 1 (OS, Browser, Search Engines)

Luftie The Anonymous — Fri, 17 Apr 2026 12:20:19 +0000

Hello Dev.to Community !

This time, I decided to write on tools/services/software etc. that have been designed and created to care about your privacy on the internet. I will present some tools that I use and/or can recommend and much more tools on which I made research on.

I've dedicated a huge amount of time, therefore at the very beginning, I request you to share ⤵️ this article with your fellows or someone that you think, that it would be useful to share this article with :D

Thank you in advance 💜 !

Introduction

I didn't want to make this just another brief article, that will list you down the tools to use, brief info on them and that's all, download, put your trust into a thing and fingers crossed. This article delved a bit deeper into internals of each tool presented.

While writing the article I quickly realized that, writing a one long article with all of those tools/services is pointless, because I lost often my minds while checking the cohesion. Secondly, noone would like to direct through one hour+ long article, that could actually be a book (lol).

I decided, I will split this into an article series posted one per week. The split will be looking as following:

First Post (This one)

Introduction

Online Privacy:

Operating Systems (OS)

-- Dekstop OS

-- Mobile OS

Browsers
Search-engine

Second Post:

Messengers
Email

Third Post:

VPN
Firewalls

Fourth Post (In this one there will be a special announcement with surprise for you all):

Payments
AI

Fifth Post:

Location Privacy
Productivity Apps

Sixth Post:

DNS Privacy

Seventh Post:

Device-Level Security & Authentication

Eight Post:

Offline Privacy:

Outfit
Everyday Items
Payment Methods
Events
Transport
Youtube Creators
Educational Resources

BUT before I go into the main details, I want to start with an introduction on privacy and why it matters to everyone, regardless of who you are.

Why actually bother with privacy ?

A lot of people, when they hear term privacy, in front of their eyes emerges a chap in anonymous-mask, who likely commits cybercrimes and lives in a basement or some other shady place.... Probably something like this 🙍 is the match for what they see:

Candidly speaking, I do not wonder why people have such imagination about people who "obsessively" care about their privacy. On the other hand, for me as an crypto-anarchist, it's really harmful, because it generalizes every privacy-focused dude is like the guy on the image above.

I guess it will never disappear as human-species likes very much to over-facilitate things instead of understanding the more complex puzzles behind one's decision.

Moreover, the image of privacy preserving people in press or (social) media is rather prone to shift towards calling them some party's extremists or try to assign them to political fraction of the politics' scene, whereas it's not always the case when it comes to individuals.

Important thing to understand on the very beginning is:
Not everyone will need the same level of privacy !

And that should be the nr. 1 thing, you should take out from this article.

There will be a different need of software-developer, who is politically repressed and hounded, and completely different need will be of an regular woman out there who just doesn't want the companies to know about her to many details.

Having said that, I can move straightly into examples of why privacy matters.

Number 1. Advertisement and personal-data trade

Have you ever wondered, where tha heck is your money gone ?
Well...... Ads of some flashy product you talked about and decided to buy it without a real need could be the answer 😅

I will tell you a story, recently I was by a family-gathering and one person had a talk about bike-roads, and what did they saw first ? You guessed it ! The add of bike-road. I checked their permissions for facebook and everything was set to allowed. And this is a case where big techs ambush a lot of people, who are not aware enough.

I like to recall words said in some video by ThePrimeagen (shout out to you, Micheal :D). Those words were something like:
If you want to be a head of leading silicon-valley company, you have to sell either ads or hardware.

And it's actually true, at least at some point, look at some of the big-techs and their revenue model:
Facebook - Ads
Nvidia - Hardware
Tiktok - Ads

Google - Well they do everything, lol (Ads, hardware, software services etc.)
Microsoft - software services + ads

And in order to specifically profile you, the data is needed, Huge amount of data. Which often is used by unethical methods e.g. wiretapping (as in my story).

Thus, given you have issues that you lack money on some essentials, it might be that you purchase things that you actually don't need and only talked about with friend and under impulse, you bought those things. If you see you have issue with it, guess what privacy is for you !

There is not always about rigid self-control, but also a tooling to it. Sure you can pound a metal-bolt in a wall with your hand, but using hammer makes more sense though, especially as it would be less painful (Lol).

Having said that, I hope I managed to keep you engaged.

Number 2. Banking and Financial Operations

This case pertains a lot of people, not only those who are repressed or alleged of some crime.

I had almost every f*cking time I made a transaction online not even for big amount of money, it were transactions like 5$ or 100$, my account got temporarily frozen, because bank accessed it as suspicious activity, meanwhile it were just regular purchases like Copilot or Brilliant Subscription or even purchase of something from services like Temu or Ebay.

And you really would not like to listen to words I spit out to the consultant and to the bank in emails 😅

And in the times of growing surveillance (especially in sucky europe), I think it's real threat to most of us, than you think.

Therefore, you might want to have more privacy when it comes to your financial affairs, but also not like to relinquish digital payments.

Number 3. Location Tracking and Stalking

People who experience stalking or being bewilderingly frequently followed by some track while they go outside from somewhere, they also might want to have more privacy, when it comes to their actual location. Regardless if stalking pertains their kids or themselves.

Number 4. Password/Data-leaks

It's very common that in big/middle-sized companies occur breaches, and all of the sudden details about your life, might actually not be the same as the breach might have released a lot of sensitive private messages or data.

Number 5. Remote work setups

Companies very often while video calls, require candidates to perform some task live or to perform some task at all e.g. Make some coding recruitment-task. I have again a perfect example of why you might want to prevent your PC's content private.

To give you more context from December 2025 until Mid January 2026, I was actively looking for a job in IT, especially blockchain industry given my background. And all of the sudden I got a message. Here I will reveal some screen shots from the conversation and there is some pattern I noticed (likely they used AI for it) the account seemed to be legit (thus I hate linkedin 🤬, imo they should pivot their name to TornApart, describes perfectly the faith in not being scammed there)

Here step 1, the message arrives to potential prey/victim:

Here, I honestly answered that this position is beyond my skills and expertise, but they kept insisting

I got offered that I can actually for practice purposes, I can try solving the task so I agreed.

Note, that the messages were poem-long to convince me to run their code on my machine, but when I agreed and wanted to chat a bit more and expected a bit longer answer, I just was ghosted with one word response. Meaning they achieved their goal, so I can piss off now.

Then I was required to solve the task, which I did but I haven't run it purely on my machine, I used DOCKER !, about which fact I informed the employer. Surprisingly the recruitment task was super easy, it was about to build a WETH-like token with accruing value for depositors and test it in hardhat (whereas my setup is foundry and never used it). It turned out that although my code was correct, the test was specially written wrongly in some places especially when it come to rounding-math for the values given as output.

In the end I got no response back from the company, but from the service where the job offer was hoisted.

I cannot say what was their irregular behaviour, but I can assume that there was indeed some malicious code to be run and potentially I could loose my all crypto-assets I have purchased for my money and I could get robbed from my PRIVATE information on my PC.

Thus people like this, could are also highly welcome to read this article.

Number 6. State Oppression

There are a lot of people, who are targeted by the state. You would not even have to commit a crime, being regular chap is enough for the state to have interest in you. But the most frequent targets are people with anti-government attitude (e.g. like me). There were a lot of journalists or other activists that were victims of state oppression and not even activists. But if being an journalist or activist is not enough for you, Nigel Farage could not open a bank account in England and was separated from his money !. All because the government decided to seperate him from the financial system.

Summary of the section

Privacy is not just for weirdos from basements, but considers every single person, because we never know, how the our data is used or how we ourselves are viewed by the company, government or other institution. If you're interested on what's more, let's finally go into the details !

Online Privacy

As I emphasized in the introduction, in this section, I will do my best to present you the privacy tools I use on a daily basis, explain nuances related to each element from the list I mention. And why I recommend them specifically.

I will start with the with the very core of our internet usage, namely Operating Systems !

Operating Systems

Here I have split it into 2 types

Desktop OS
Mobile OS

I'll present you first the Desktop Operating Systems.

Desktop Operating Systems 🖥️

There is no wonder that I will say I use LINUX !

Yes, Linux is the operating system I use on daily basis. Why this operating system specifically is chosen by people with privacy concerns ?

There are many reasons, but I will name most important of them:

Linux is open-source: This provides transparency and more certainty that the OS is not malware or spyware, due to contributors and people who are interested in technical details and further Linux development.
No telemetry: Linux does not have a built-in telemetry, thus the operating system does not send the information about your activity to third party. The core of Linux is that you are the lord of your OS. If you want more analytics or tracking, you install tools specifically for it :D
No Forced Updates: In Linux you decide if you want to update your operating system or not and you are not forced to do it under circumstance of not being able to use some features or something like that as it happened often to Windows or MacOS users.
Selective Permission Management: In Windows everyone is an admin, which makes it one of reasons why Windows is often a target for hackers. In Linux there is a split between what you can run as a regular user and what you can run as an administrator. Which averts from some successful hacks on your machine.
Customizability: In Linux unlike Windows, you can customize your operating system however you want. You want to compile custom Kernel ? You can do it. You can rebuild the whole OS. Whereas in Windows, Microsoft decides what goes in, what stays out.

Distributions I use

Personally, I'm yet a freshman into Linux (8 months passed since I started using Linux). I use(d) until now Debian as a distribution, so I have no clue about other distributions. And I can recommend Debian for start with Linux as Operating System, it has slick design, and is very intuitive Operating System. Also I noticed a significant increase of free space on how my PC works in comparison to what I experienced with Windows.

However as I mentioned in my latest From Zero to Crypto-Hero post, I said I started playing around with QuebesOS on Virtual Machine, however I did not have enough time to test it out properly. I would say the learning curve is quite steep and basic browser usage like firefox was quite of not understandable for me.

For now on my laptop, I wanted to try out something different than debian, so currently I'm playing around with CachyOS on my laptop. If you ever would like to hear a review on the operating system, feel free to mention it in a comment.

I will only list down here some alternatives, if you don't want to use debian specifically.

Recommnded by experts for beginners: Ubuntu, Mint OS, Zorin
Specified distros for privacy: QuebesOS, Whonix OS, Tails OS

BEAR IN MIND !
That distros like Quebes come up with tradeoffs when it comes to UX, so people that are comming directly from microslop OS aka. Windows or Apple, might not want to choose those particular distros as they require more knowledge on Linux

Mobile Operating System 📱

We all know how pure-android and AppleOS phones are filled with spyware. Eavesdropping is one of the most privacy violating action those phones do. However there is a solution for it, name use AOSP (Android Open Source Project) Operating systems that are privacy focused. My phone for daily usage is Pixel 6a with GrapheneOS on board.

Why GrapheneOS ?

There are multiple reasons, why I decided to use GrapheneOS instead of Samsung. But instead of more technical explanations let's start from the user POV.

No Google by default - This is the first principle of GrapheneOS. Liberation of an operating system from google by default. Currently every android phone is merged/synchronized together with google by default, using google services.
Your images are handled by google images, every service you use is basically bloated with google spyware (aka. personalization daemon-softwares).
For me also one of the most important features, that GrapheneOS offers is blocking phone-calls from unknown unsaved numbers avoiding phishing or scam calls to your phone. You have first save the number of someone, to be able to receive calls from them.

However you can use your google play in GrapheneOS and are not exposed on mass surveillance over your entire phone. That's because GrapheneOS sandboxes the app usage and does not grant permission to access anything on your device.

Though if you really want to liberate your self from big tech, you probably would like to use open-source app-stores like F-droid, Aurora Store or APK Pure.

Heavy protection against unknown (0 day) vulnerabilities - GrapheneOS uses measurements to prevent from security flaws in software or hardware that are unknown to the vendor and the public.

The measurements that used are following:

Attack surface reduction - Removing unnecessary code or exposed attack surface eliminates many vulnerabilities completely. GrapheneOS avoids removing any useful functionality for end users, but we can still disable lots of functionality by default and require that users opt-in to using it to eliminate it for most of them.
Containment through sandboxing at various levels - Fine-grained sandboxes around a specific context like per site browser renderers, sandboxes around a specific component like Android's media codec sandbox and app/workspace sandboxes like the Android app sandbox used to sandbox each app which is also the basis for user/work profiles.

GrapheneOS improves all of these sandboxes through fortifying the kernel and other base OS components along with improving the sandboxing policies.

What sandboxing really means is that e.g. if there is an app compromised, then because it's in sandbox, meaning isolated, no other app is compromised.

Preventing an attacker from persisting their control of a component or the OS/firmware through verified boot and avoiding trust in persistent state also helps to mitigate the damage after a compromise has occurred.

Attack surface reduction

Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary code.
Making more features optional and disabling optional features by default (NFC, Bluetooth, UWB, etc.), when the screen is locked (USB, USB-C, pogo pins, camera access)
Optionally after a timeout (Bluetooth, Wi-Fi)

USB-C port and pogo pins control

USB-C port and pogo pins setting protects against attacks through USB-C or pogo pins while the OS is booted. For the majority of devices without pogo pins, the setting is labelled USB-C port.

The default is Charging-only when locked, which significantly reduces attack surface when the device is locked.

After locking, it blocks any new USB connections immediately through either USB-C and pogo pins at both the hardware level via configuring the USB controller and also at the OS level in the kernel to provide a second layer of defense.

The highest security however is when our charging is set to Off mode.

Other privacy protections are following, about GrapheneOS there could be really created separate posts series:

Hardened kernel
Hardened app runtime
Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions. Or even there is a feature, that can send you alerts whenever an app will request for sensors.
LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of both legacy code (2G, 3G) and bleeding edge code (5G).

Wi-Fi privacy

MAC randomization per each connection unlike in standard android it's done per network. So regardless whether I've been connected to the network or not, if I reconnect, my device is treated as completely different one.

There is a whole much more when it comes to GrapheneOS and what they do, when it comes to privacy protection. If you're more tech savvy than me and you know the infrastructure of the internet from the ground up, you can check out the GrapheneOS website

Unfortunately, GrapheneOS is limited only to Pixel 6 and newer phones, however there was announced that arguably Motorola will have partnership with GrapheneOS

Now you might wonder, why tha heck is a private OS available only on Google's phones ? Let me explain.

The Technical Constraint

GrapheneOS needs direct control over the Titan M2 security chip, which only Pixels expose at the required level. This isn't arbitrary gatekeeping; it's a hardware reality. Other devices either don't provide the necessary low-level access or have weaker security foundations. You're not choosing Google—you're choosing the only viable hardware that can run proper security hardening.

Stripping Google Down

Here's what actually happens: GrapheneOS removes Google Play Services, GMS, and proprietary Google binaries by default. Your bootloader locks with your key, not Google's. No persistent telemetry pipeline. The OS doesn't phone home unless you explicitly enable Sandboxed Google Play for specific apps.

So yeah, you bought from Google. But the software surface they can exploit is drastically smaller than stock Android.

The Trust Question

Can Google backdoor you through the Titan chip? Technically yes. But realistically? It'd destroy their business model (which runs on advertising data, not targeted espionage) and burn every ounce of credibility they have.

What you can actually verify:

Audit the open-source code yourself
Run tcpdump to inspect network traffic
Enable reproducible builds to verify the binary matches the source
Confirm zero Google domains in your traffic

The Real Answer

You're not achieving perfect de-googling. You're reducing Google's attack surface from massive to moderate. It's not self-denial—it's accepting that perfect security doesn't exist and choosing the best available option given the constraints.

The alternative isn't "truly de-googled." It's either stock Android (guaranteed surveillance) or building your own phone from discrete components (impractical). GrapheneOS + Pixel is the pragmatic best-in-class solution for commodity mobile privacy.

Alternative Privacy Operating Systems: CalyxOS, IodeOS, LineageOS

Browsers

We've got private OS, private messengers, now it's time to talk about private browsers so that you're not screwed and spied by simply browsing through the internet.

There are couple of privacy options that are worth switching to. The Browsers are following:

Tor Browser
Brave
Firefox
LibreWolf
Mullvad Browser
DuckDuckGo

Tor Browser — The Gold Standard

Tor's the closest you get to truly untraceable. Here's what makes it beast-level:

Onion routing: Your traffic bounces through minimum 3 encrypted nodes. Even if someone sniffs the exit node, they can't connect it back to you because the previous relay is encrypted.

Letterboxing: Rounds your screen resolution to standard buckets (1000x1000, 1400x900, etc.) so sites can't fingerprint you via screen dimensions.

First-Party Isolation (FPI): Cookies are isolated per-domain. A tracker pixel from Facebook can't see what you did on Amazon because they're treated as completely separate contexts.

Standardized everything: User agent, fonts, extensions—everyone looks identical on the network, so statistically you're hidden in a crowd of thousands.

Tradeoff: Slower (routing overhead), some site breakage from hardened CSP/XSS protections.

Brave

Brave is the pragmatic choice for daily use. You get strong protections without sacrificing UX:

Shields: Built-in tracker blocking (uses multiple blocklists) + ad blocking at the rendering level. No extensions needed.

Script sandboxing: Third-party scripts execute in isolated contexts, limiting their ability to communicate across sites.

Cookie isolation: Tracks HTTPS/HTTP + domain separation so cross-site tracking is harder.

Fingerprint randomization: Changes some fingerprinting vectors (Canvas, WebGL) on reload.

Additionally when it comes to features that some people might search for, is actually ads-blocking so you can enjoy watching youtube without any ads and I think it's awesome, I remember how much I suffered because of stupid ads that were kind of targeted at me by youtube.

Brave supports extensions as it's based on chromium engine.

It supports also in-background running by default so you don't have to spend monthly on spotify subscription or something else. You can run youtube music on brave and you have the same effect.

Firefox

I was honestly shocked it is privacy browser, because as I was younger I always associated it with spyware. However Firefox turns out to be privacy respecting.

Firefox lets you actually own your privacy config:

Total Cookie Protection (ETP): Isolates cookies in a "cookie jar" per website. Cross-site tracking via cookies is blocked by default.

Container tabs: Firefox Multi-Account Containers segregate cookies/data per container, so different "identities" don't bleed together.

Advanced hardening via about:config: You can disable WebGL, limit canvas fingerprinting, disable plugins, tweak timing attacks, etc.

Catch: Requires manual tuning for maximum security. Stock Firefox is good, but paranoid Firefox requires config knowledge.

Furthermore, they added 50GB Free VPN recently for every user. And firefox is one of the only browsers that support extensions/add-ons in mobile browsers, so if you have something like blocking keywords or you basically want to add nsfw extensions to your phone it's a good solution to use firefox, while keeping you private.

Mullvad Browser

This is the Tor Project + Mullvad VPN collab. Basically:

Takes Tor's hardening tech (letterboxing, FPI, standardized fingerprints).

Removes the onion routing overhead.

Assumes you'll pair it with a external VPN for network-level privacy.

Key quirk: Zero persistent state. You log out when you close the browser. No bookmarks saved, no history. That's intentional—harder to track habits.

LibreWolf

LibreWolf's Firefox with Mozilla's telemetry ripped out + pre-baked security config:

No telemetry, no studies, no data sharing with Mozilla.

Ships with hardened about:config by default.

uBlock Origin pre-installed.

Minimal network calls back to Mozilla servers.

Perfect if: You like Firefox's ecosystem but want Mozilla's data collection gone.

DuckDuckGo Browser

I actually used to use Duckduckgo as a browser, but because it was annoying that they had no extensions support for mobile apps. I would rather treat it as quick-search browser and nothing else. However I do use DuckDuckgo products and I really appreciate them. Also they do not support the in-background running by default just as firefox, so you're prolly need an extension for it.

Core Privacy Tech Stack

Search Layer (No Tracking)
Zero search history storage: DuckDuckGo doesn't save or tie your searches to you. Compare that to Google storing everything linked to your account.

No user profiles: Unlike Google's ad-targeting, they literally can't build a profile because they don't collect the data in the first place.

Business model is honest: Makes money from context-based ads (ads based on what you're currently searching, not your history), not behavioral targeting. This is key—it removes the incentive to spy on you.

Third-Party Tracker Blocking (The Heavy Hitter)
This is where DDG flexes. They've built multiple overlapping protections:

3rd-Party Tracker Loading Protection — Blocks trackers before they even load

Uses Tracker Radar (their own open-source web crawler) to identify tracking domains

Prevents requests to known trackers (Google Analytics, Facebook pixels, etc.) from being sent at all
This is crucial: Stops your IP + other identifiers from being sent
to tracker endpoints

3rd-Party Cookie Protection — Isolates cookies per domain
A Facebook tracker pixel on Amazon can't see what you did there
1st-Party Cookie Protection — Protects against persistent cookies on individual sites

CNAME Cloaking Protection — Blocks sneaky tracker domains hidden under first-party CNAME records
Tech companies sometimes mask tracker domains to look like the site's own domain to bypass cookie protections

Fingerprinting Protection
Randomizes canvas/WebGL fingerprinting vectors
Limits what scripts can detect about your device

Google-Specific Protections (Because Google is Everywhere)

They literally have dedicated protections for Google's tracking schemes:

Google AMP Protection — Strips Google AMP wrappers that let Google track your clicks

Google Topics Protection — Blocks Google's Topics API (their creepy replacement for third-party cookies)

Google Protected Audience API Protection — Blocks FLEDGE (their new ad auction system that still tracks you)

Google Sign-In Pop-Up Protection — Removes those annoying "Sign in with Google" nags

Link Tracking Protection
Strips tracking parameters from URLs before you click
Example: amazon.com?utm_source=facebook&utm_medium=ad gets cleaned to just amazon.com

Referrer Tracking Protection
Blocks the HTTP Referer header from leaking where you came from
Encrypted Connections (Smarter HTTPS). Automatically upgrades to HTTPS when available. Prevents ISP/network-level snooping.

Email Protection
Generates unique @duck.com email aliases when signing up for services. Aliases forward to your real email but mask your identity
Strips email tracker pixels before forwarding
Example: You get unique-alias@duck.com, give it to a sketchy site, it forwards to your real inbox but without the tracking pixel

Duck Player (YouTube)
Strips YouTube's tracking and disables personalized recommendations
Reduces invasive ads. Your video views don't pollute your YouTube history.

Cookie Pop-Up Protection
Automatically clicks the most privacy-friendly option on GDPR/CCPA pop-ups. Then hides the pop-up so you don't see it again.

The Fire Button
One-click nuke of recent browsing data. Clears locally stored data instantly.

Global Privacy Control (GPC)
Sends a standard signal to websites telling them not to sell/share your data.Works via HTTP header + JavaScript signal (platform-dependent). On Windows, it sends both header + JS. On Mac, JS only for compatibility reasons.

Search Engines

Ok, now as we took care of the Operating System, Browser it's time for Search Engines. And in advance I say, no there will be no google in this list (lol).

That's because we would not like to be targeted for ads and having collected our data by company or companies that appear to be friendly to your privacy and data and apparently they see and store all our movements, conversations and more. We would do it for many reasons, either to prevent ourselves from unnecessary expenditures, prevent from trackers e.g. location trackers, profiling us etc.

Before we start yet, I have to mention that there are a ton more search engines, than I thought there are. Therefore I will not discuss each one but will discuss only 6 and for more knowledge I highly encourage to read this article.

Let's first understand the fundamentals of how these systems operate before we list the details on each search-engine. This knowledge is crucial for appreciating the technical differences between privacy-focused and traditional engines.

The Web Crawler: Your Digital Librarian

A web crawler (also called a bot or spider) is an autonomous software agent that systematically browses the web to discover and index content. Think of it like a tireless librarian that never sleeps. Here's how it works:

Discovery: The crawler starts with a list of known URLs, then follows hyperlinks to discover new pages
Fetching: It downloads the HTML, CSS, and other content from each page
Indexing: The content is analyzed and stored in a massive database (the search index)
Processing: Text is extracted, links are catalogued, and metadata is recorded
Updates: Crawlers continuously revisit pages to detect changes

The crawled data is stored in an inverted index — a data structure that maps every word on the web to the pages containing that word. This allows lightning-fast lookups when you search for a query.

The Search Algorithm & Ranking System

When you submit a query, the search engine doesn't re-crawl the web — it queries its pre-built index. The ranking algorithm determines which results appear first. Traditional engines like Google use factors like:

Relevance: How well the page matches your query keywords
Authority: Link count and quality (PageRank)
Personalization: Your search history, location, device, and browsing behavior (the privacy killer)
Click-through rates: Which results users click on
Freshness: How recently the page was updated

The Privacy Problem in Search

Here's where traditional search becomes invasive. When you search Google:

Your IP address is logged
Your search query is stored and linked to your account/device
Cookies track you across the web
Your behavior is profiled to personalize ads
This data is cross-referenced with your other Google services (Gmail, YouTube, Android)

This creates a detailed profile of your interests, location, health concerns, financial status, political beliefs, and more. That's the data economy that funds free search.

And in order to prevent companies or even governments from taking advantage of your searches, you should use private search engines.

1. DuckDuckGo

Location: Paoli, Pennsylvania, United States

Founded: September 25, 2008

CEO/Founder: Gabriel Weinberg

Market Share: ~2% (highest among privacy engines)

DuckDuckGo is the heavyweight of private search — and for good reason. It's been my personal choice because the entire ecosystem they've built goes beyond just search.

I personally use DDG as my search-engine together with other products offered by DDG, but more on that in next posts.

How DuckDuckGo Works

Unlike many competitors, DuckDuckGo doesn't rely on a single source. Its search results come from a hybrid of over 400+ sources:

Bing API: Primary source for general web results
DuckDuckBot: DDG's own web crawler that supplements Bing results
Wolfram Alpha: For computational queries
Yahoo! Search BOSS: Historical data
Yandex: International coverage
Wikipedia: Knowledge panels

This is crucial because it means DDG isn't fully dependent on Microsoft's infrastructure. They've invested in building their own crawler (DuckDuckBot) to create partial independence.

Privacy Architecture

DDG's privacy model is straightforward:

Zero Tracking: No IP address logging, no search history storage, no user profiling
No Search Leakage: Your search query isn't passed to the websites you click on (this alone is huge)
Encryption: All connections use HTTPS, preventing ISP snooping
No Cookies for Tracking: Only essential cookies for functionality
Global Privacy Control (GPC): Auto-signals opt-out preferences to websites

Pros

✅ Largest privacy search community — best network effects

✅ Actual independence — uses own crawler + multiple sources

✅ Clean interface — no bloated UI

✅ Respectable search quality — Bing's index is solid

✅ Full ecosystem — everything integrates

✅ Open source contributions — DuckDuckHack community

✅ Transparency — clear about what they don't collect

Cons

❌ Depends on Microsoft Bing — During 2024 Bing outages, DDG stopped working

❌ Less personalized results — No history means generic suggestions

❌ Limited independent index — DuckDuckBot is supplementary, not primary

❌ Ad-supported model — Non-personalized ads still shown

❌ Search quality inconsistency — Sometimes results lag behind Google

❌ Premium required for full privacy — Basic version still has limitations

The Real Talk

DDG is solid if you want the path of least resistance. The ecosystem approach means you get privacy across multiple touchpoints. But here's the thing — it's still fundamentally dependent on Bing's infrastructure. That 2024 outage proved it.

2. StartPage

Location: The Hague (Den Haag), Netherlands

Founded: 2006

Ownership: Dutch company, part of System1 (US-listed)

Market Share: ~0.06%

StartPage is the proxy-based privacy champion. If you want to understand sophisticated privacy architecture, this one's worth studying.

The Architecture: Proxy-Based Anonymization

Here's what makes StartPage different from DDG — it uses a middleman approach:

Your Query: You search on startpage.com
Premise Servers: Locked cabinets with non-US administrators
Your IP Removed: All identifying info stripped (full IP, not just last octet)
Query to Google: Startpage's servers ask Google for results (no user info attached)
Results Returned: Google sees Startpage, not you
You Get Results: Back to your browser without tracking

This is clean. Google literally doesn't know who's searching. The encryption uses:

SSL/TLS: Secure socket layer between you and Startpage
Perfect Forward Secrecy (PFS): Each session gets unique encryption keys
HTTPS Everywhere: All connections encrypted

Why Google Results Matter

StartPage literally serves Google's search results but anonymizes your query. This is a trade-off:

Pro: You get Google-quality results (often considered the best)

Con: You're still dependent on Google's index, just with privacy wrapping

Pros

✅ Google-quality results — Best-in-class search

✅ True anonymity — Full IP removal, not partial

✅ EU jurisdiction — GDPR protections, privacy-first legislation

✅ Transparent operations — Explains technical flow clearly

✅ Anonymous View feature — Proxy browsing for extra privacy

✅ No account required — Works anonymously out of the box

✅ Endorsed by privacy experts — Edward Snowden recommends it

Cons

❌ Completely dependent on Google — No independence if Google changes

❌ Tiny market share — Niche product, limited resources

❌ Slower than direct Google — Added proxy layer = latency

❌ Limited feature set — Minimal instant answers compared to DDG

❌ Less aggressive crawler — Supplementary indexing only

❌ Owned by System1 — US company owns the parent (though Dutch HQ adds protection)

Technical Depth

The premise server setup is where the magic happens. Unlike traditional architectures, the servers are:

Physically locked in cabinets
Managed only by non-US staff (avoiding US legal jurisdiction)
Isolated from cloud providers (avoids Patriot Act issues)
Running their own anonymization pipeline

This is more robust than DDG's approach because there's no direct connection between your query and Google's servers.

3. Brave Search

Location: San Francisco, California, USA

Founded: June 2022 (beta), fully released

Parent Company: Brave Software, Inc.

Current Status: Growing, recently hit 100% independence

Brave Search is the young gun with serious ambitions. This is what a true independent index looks like.

The Independence Factor

Here's what makes Brave radical: it's building its own web index from scratch.

Aspect	Brave	DuckDuckGo	StartPage
Search Index	Own independent index	Bing (80%+) + own crawler	Google
Dependence	Minimal Big Tech	High (Microsoft)	High (Google)
Index Size	93% of results from own index	Supplementary	0%
Crawling	Brave owns the crawler	DuckDuckBot supplement	No crawling

This is huge. Brave doesn't have to negotiate with Microsoft or Google. They built their own.

How It Works

Web Crawling: Brave's crawler indexes the entire web
Independent Storage: Results stored in Brave's servers
Community Feedback: Users can upvote/downvote to improve results
Goggles: Custom ranking filters users create
No Bing/Google: Zero reliance on Big Tech indexes

Privacy By Design

Brave Search doesn't track because it wasn't built to track:

No User Profiles: Engine designed from ground-up for privacy
No Cookies: Zero tracking cookies by default
No Browsing Data: Device info not collected
No IP Logging: IP addresses not stored
Optional Web Discovery Project: Users can opt-in to help improve results (anonymously)

Innovative Features

Goggles: This is brilliant. You create custom ranking rules:
Example Goggle:

Boost scientific papers
Hide social media
Prioritize academic sources
Downrank clickbait

Others share their Goggles, creating community-curated search experiences.

Discussions: See real discussions about topics (Reddit threads, forums) integrated into results.

AI Summarizer: Generates concise answers with cited sources (not hallucination-prone like competitors).

Pros

✅ True independence — Own index, no Big Tech dependencies

✅ Private by architecture — Not bolted on as afterthought

✅ Goggles feature — Community-driven ranking customization

✅ Growing rapidly — 100M+ monthly active users (Brave browser)

✅ Excellent privacy defaults — Zero tracking, zero profiling

✅ Web Discovery Project optional — Can contribute anonymously

✅ US-based but transparent — Open about design principles

✅ Premium option — Ad-free for supporters

Cons

❌ Young search engine — Still refining result quality

❌ Different results than Google — Learning curve for power users

❌ Smaller index — 93% own index still maturing

❌ Brave browser required for best integration — Works standalone but better with ecosystem

❌ US jurisdiction — No GDPR-level protection (though privacy-first design)

The Blockchain Angle

Brave is built by people who understand decentralization. Their philosophy of "no Big Tech dependency" aligns with blockchain thinking. They're even working on integrating Web3 concepts into search (cryptocurrency tipping, decentralized indexing discussions).

4. Swisscows

Location: Egnach, Switzerland

Founded: Originally as web directory in 2002, evolved to search engine

Data Center: Swiss Alps

Unique Selling Point: Family-friendly + Swiss data protection

Swisscows is the extreme privacy option. They don't mess around.

The Switzerland Advantage

Switzerland has:

Federal Data Protection Act — Stricter than GDPR in some ways
"Bunker" Data Center — Swiss Alps location, highest security
No US Jurisdiction — Patriot Act doesn't apply
Strong banking privacy traditions — Culture of secrecy

Swisscows headquarters is in Egnach, serving this exact jurisdiction.

Technical Stack

Own Servers: Swisscows has its own infrastructure (unlike most competitors):

Located in Switzerland only
Not using cloud providers (avoids Patriot Act)
Only Swiss staff can access servers
Queries anonymized after 7 days

Search Index: Originally powered by Bing, but recently partnered with Brave to develop independent European index. This is strategic.

Privacy Features (Standard)

No data collection on free version
IP address removal
No user profiling
No cookies for tracking
Semantic search (intelligent understanding)

Swisscows Pro (Premium)

For absolute paranoia (in the good way):

Feature	What It Does
Zero Data Storage	Literally no data saved about you, ever
100% Anonymous	Complete anonymity, even from Swisscows
Ad-Free	No advertising revenue model needed
Custom Results	You curate which sources appear
Swiss Servers Only	No data leaves Switzerland

Family-Friendly Feature

Swisscows filters pornographic and violent content by default:
This is useful for:

Schools wanting safe search
Parents protecting kids
Organizations with content policies

Some see this as censorship, others appreciate it.

Pros

✅ Strictest privacy jurisdiction — Swiss law is gold standard

✅ Own servers — No cloud, no Patriot Act risk

✅ Bunker data center — Physically secure infrastructure

✅ No US parent company — Completely independent

✅ Partner with Brave — Contributing to European index independence

✅ Family-friendly filtering — Good for institutions

✅ Very transparent — Clear about what they do/don't collect

✅ Semantic search — Intelligent query understanding

Cons

❌ Tiny market share — ~0.001% usage

❌ Limited result quality — Smaller index means gaps

❌ Expensive premium — Around €89/month or €899/year

❌ Content filtering controversial — Some see it as censorship

❌ Newer to independence — Recently partnered with Brave for index

❌ Language limitations — Better for European languages

❌ Poor search features — Minimal instant answers or tools

5. Qwant

Location: Paris, France

Founded: February 2013

Founders: Jean-Manuel Rozan, Éric Léandri, Patrick Constant

Government Support: Backed by French state investment

Market Share: ~0.5% (mostly in Europe)

Qwant is France's answer to Google dominance — and it's complicated.

The French National Project

Qwant received backing from French government and Caisse des dépôts (French investment bank) because of geopolitical concerns about US tech dominance. This is interesting from a sovereignty perspective.

How It Works

Qwant uses Microsoft Bing as primary index with its own improvements:

Fetches Google results for some queries
Has own index but it's supplementary
Uses Wikipedia for knowledge panels
Integrates APIs from TripAdvisor, DeepL, YouTube, Twitter, Facebook

The results are similar to Bing because that's the underlying technology.

Privacy Model (Mostly)

Here's where it gets murky:

What Qwant Claims:

No tracking cookies
No personalized ads
No user profiling
Queries anonymized

What Actually Happens:

Sends data to Microsoft Bing Ads for ad targeting
IP address is masked (last octet removed) but not fully anonymized
User-Agent and search keywords sent to Microsoft
Data retained up to 18 months (not "never stored")
This wasn't disclosed until mid-2021, causing privacy backlash

This is the fundamental weakness. They claim privacy but still feed Microsoft your behavioral data for ad targeting. It's better than Google, but not actually private.

Unique Features

Junior Mode: Filtered version for kids (similar to Swisscows)

Collections: Save and organize search results like Pinterest

Qwant News: Aggregated news with diverse sources (actually good feature)

Translation Integration: Built-in DeepL translator for results

Pros

✅ EU/France jurisdiction — GDPR protected

✅ Government investment — Funding stability

✅ No personalized ads — Ad model isn't behavior-targeted

✅ Decent search quality — Bing is solid index

✅ News aggregation — Good for current events

✅ Junior mode — Family-friendly filtering

✅ Fast interface — Minimalist design

Cons

❌ Misleading privacy claims — Says "private" but feeds Microsoft data

❌ Bing dependent — No independence from Microsoft

❌ Data retention — 18 months storage contradicts privacy narrative

❌ Limited features — Fewer tools than Google/DDG

❌ Tiny market share — Limited resources for improvement

❌ French government ties — Some see as political tool

❌ IP masking not anonymization — Last octet removed ≠ private

❌ Unreliable history — Financial struggles, multiple pivots

The Real Problem

Qwant markets itself as private but fundamentally isn't. The Bing Ads data sharing was buried in their privacy policy. For crypto people doing sensitive research, this is a no-go. You're still being profiled, just not visibly personalized.

6. Ecosia

Location: Berlin, Germany

Founded: December 2009

Founders: Christian Kroll, Achim Steiner (UN figure)

Business Model: Non-profit, B Corp certified

Market Share: ~0.04%

Ecosia is unique because it's not primarily about privacy — it's about environmental impact. But it's worth understanding because the trade-offs are interesting.

The Mission

Ecosia uses search revenue to plant trees. 50% of profit goes to reforestation projects:

45+ million trees planted (as of 2024)
Partnerships with The Nature Conservancy, IUCN
Multiple continents: Brazil, Indonesia, Ethiopia, Peru, India
Verified impact tracking

This is legitimate environmental work, not greenwashing.

How It Works (Technically)

Ecosia uses Bing index (like DuckDuckGo and Qwant):

Powered by Microsoft Bing results
Own supplementary crawler (Ecosiabot)
Generates revenue through Bing partner ads
Takes ~€0.50 per search to tree planting

The economics: You search → Bing shows ads → Ecosia gets commission → ~50% goes to trees

Privacy Features

Here's the reality check:

What Ecosia Does Right:

No persistent user tracking
No search history storage
HTTPS encryption
No third-party profiling cookies
GDPR compliant (EU based)

Where Privacy Falls Short:

IP address logging — Stored for debugging, cleared after 7 days
Bing data sharing — Microsoft sees your searches (anonymized but still shared)
Analytics cookies — Matomo analytics (privacy-focused but still collects)
Limited anonymization — Not like StartPage's full proxy approach

Ecosia is more private than Google but less private than DuckDuckGo/StartPage.

Environmental Breakdown

Initiative	Details
Tree Planting	45M+ trees in 70+ countries
Carbon Negative	Offsets more CO2 than servers emit
B Corp Certified	Independent third-party verified
Transparent Reporting	Monthly impact dashboard public
Partnership Model	Works with local organizations

The tree count is audited. They show exact locations, coordinates, photos. This is serious environmental work.

Pros

✅ Environmental impact verified — Real trees, real numbers

✅ Decent privacy — Better than Google, not as strict as DDG

✅ B Corp certified — Independent auditing of social mission

✅ Reasonable search quality — Bing index is solid

✅ Transparent financials — Public impact reports

✅ EU jurisdiction — GDPR protection

✅ Growing adoption — ~15M monthly active users

✅ Mission-driven team — Passionate about environment

Cons

❌ Privacy not primary focus — IP logging, Bing data sharing

❌ Bing dependent — No search independence

❌ Effectiveness questioned — Tree planting ROI debated

❌ Limited instant answers — Fewer tools than Google/DDG

❌ Smaller index — Result quality gaps on niche queries

❌ Free version slower — Premium for faster results (weird model)

❌ Can't verify tree quality — Planting numbers public, survival rates less so

❌ Ad-supported — Still needs advertising revenue

The Trade-Off Philosophy

Ecosia explicitly says: "Choose environmental impact over maximum privacy"

This is honest. If your primary concern is privacy, use DuckDuckGo or StartPage. If you want to offset carbon while searching reasonably privately, Ecosia makes sense.

Comparison Matrix

Engine	Privacy Tier	Independence	Speed	Search Quality	Jurisdiction	Best For
DuckDuckGo	Excellent	Medium (Bing+own)	Fast	Very Good	USA	General use, ecosystem
StartPage	Extreme	Low (Google proxy)	Medium	Excellent	Netherlands	Google quality + privacy
Brave	Excellent	High (own index)	Fast	Good/Improving	USA	Independence-focused
Swisscows	Extreme	High (own infra)	Fast	Fair	Switzerland	Absolute privacy, bunker
Qwant	Fair (misleading)	Low (Bing)	Fast	Good	France	EU users, news
Ecosia	Good	Low (Bing)	Medium	Good	Germany	Environmental impact

Summary

Online Privacy is not like a road from Point A to B. It's a rather a multi-layer process, that if taken seriously and applied correctly, can benefit you and your environment by liberating you from big-tech, government surveillance.

This is a way I would envision privacy. Btw, the Penguin is probably the Linux one :D

I hope you enjoyed this article and you learnt something from it. I honestly have spent hours on reading, fact checking, researching, comprehending and editing the text so that not only me but also you could understand it.

Be ready for Part 2 ! Where I will present couple of alternatives for Mail Providers and Messengers for you, so that you can switch from the big-tech ones to more private ones.

From Zero To Crypto Hero (Week 5) - BIG CHANGES !

Luftie The Anonymous — Sun, 05 Apr 2026 01:35:20 +0000

Hi Dev.to Community !

As a weekly habit I decided to post an update on what I actually did recently and there are actually some changes to be announced.

But before the main part, I would like to wish you all happy easter out there, hope you do not grind and touch grass in this time and you're afk, same as here me and other fellow dinos !

_Btw. There should be easter, not eastern. It's because of german word Ostern, I have primarily mismatched the words. And even after request to corrrect the text, it remained the same. 😅
_

I wish you that you charge your batteries and after easter, you'll be rested out and ready for challenges and difficulties. I know that it's easier said then done, but belief dies at last.

Introduction

This week I have been doing a lot of research for an article I write on privacy-tools and privacy in general. What I mean by tools is actually a set of a lot of digital-world/IT world elements like OS, VPNs, Marketplaces, almost everything, that I use and I prepare a list of tools, I recommend.

I decided that for reliable tech-journalism, I also have to test out one of the other most popular phone OS, that cares about privacy, besides the one I'm using, so it will take time to write.

How is PokeStake doing ?

As you could see there have been couple of changes committed, most of them were mostly minor, but I actually fixed one important bug that was inside my code. Namely it was about real-time updates on frontend, it was working fine, until some time and afterwards the page crashed i.e. both players were not able to utilize their turn.

Luckily I reminded myself on useEffectEvent-hook, which basically enables you to prevent useEffect from unnecessary calls, due to it's dependency. Here's a video I recommend to see if someone does not like reading docs 😂

Now after the change the battle is working greatly, the only things now to be implemented are handling reconnections, fixing frontend bugs, handling proper display of the winner state and looser state e.g. If user leaves when the battle started already, timeout of turn. Next up there are plans to implement the rewarding-system with implementation of ZKProofs by means of Noir language, so that the contract instead of getting the data of the battle and based on it verify and grant user the reward, user could pass a hash of the battle-data and verify soundness onchain, so that the minimal anonymity is reached (that are for now just plans, but I look forward to do it).

Not everything went as planed...

It might sound, that it's almost nothing however it's good to bear in mind that I have an allergy, which occurs in the time of end of March - April and I actually got the symptoms and literally I used 2 toilet-paper rolls (not to jerk off, perverts) to blow my nose basically. It feels tough to focus and code, but somehow I manage it. So may future bring better health condition soon.

Aside from coding

I participated recently also in Hashlock online networking-event, where I got acquainted with 2 cool devy mates, whom I reckon I can
learn a lot from.

For context, Hashlock is a comapany that offers to web3 projects the security-audits, while they also host events either online or offline around the world.

Shout out to Fletcher Roberts, who invited me on the meeting ❤️

What are the impending changes ?!

Now everyone might wonder, what are the changes about that I want to announce and and label them as BIG. Before I start, I have say that I really enjoy reading and writing technical articles, coz in such way I learn from others experience, what actually can decrease the occurance of the same situation in my case.

However, weekly updates are for me kind of tough to be handled I realised. I could just ChAd-jIpiDi everything given my description, but it would take the entire joy from the process of writing. Because you have to know, that every line, every word, letter, embedding, video, has been done by me personally. And writing it is really time consuming.

Thus I decided, to temporarily cease postage of the series "From Zero To Crypto Hero", and I will hopefully come back to it later, and restart it as I finally start with actual cryptography and blockchain development/architecture.

Another big change, that I wanted to announce is that I'd rather post less, but more valuable content, I guess bi-weekly or monthly posts would be manageable with what I want perform. I currently work on an extensive article that covers a lot about digital privacy-extending tools to use, and it's gonna be really long and reliable, but I need time to do it, and recently I fell like frog hopping from a lilly-pad onto another one and another one. Something like that:

So the announcement sounds, that this month it's likely not to be any posts because weekly updates turned out to be for me a bit of burden and too short period of time to do a significant change to my devy process for now and also the I will have a lot of private matters to be resolved this month.

Summary

Temporary cease of posting for a month and change of content and series of "From Zero To Crypto Hero". Switch from weekly updates, to bi-weekly or monthly mode. Less frequent posts, but more value in posts, more to infer and learn.

That's all from my side for today, wish you all the best and take care !

Cheerio, Luftie :D

From Zero to Crypto Hero (Week 4) - Week of Break from Coding and Big Regret

Luftie The Anonymous — Mon, 30 Mar 2026 21:39:02 +0000

Hello Dev.to Community

This time I'm writing the article one day later, as I usually kept to push the updates to appear regularly on sunday. Well today is monday, so I guess it's not a big deal 😅 (Especially coz mostly my posts do not make big outreach). Anyways, promise is a promise, thus I upload this tiny update on my work.

Are you ready ? Let's go !

Introduction

So if I said, that I took break from coding, it means I've been buggering around, doing nothing and I just post it to just keep the streak ? Well technically correct :D

Thanks for reading, I hope you enjoyed this part, don't forget to hit a like or some other cool emoji and till next time. See ya !

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

Ok, I was joking 🤣. If you're still here to read further, congrats your curiosity is out of space 🚀.

This week perhaps was not filled a lot of with coding/programming whatsoever. But for sure it was not boring or completely wasted time.

So what have I been doing throughout this week ?

Let's start with the fact, that I've been 3 days out and about in Warsaw on the conference Next Block Expo, specially devoted to cryptocurrencies but discussed from financial angle. I have shared more of my views on the event in that article (If you're interested go on and read it)

Luftie The Anonymous

Mar 27

My Experiences from NBX and Privacy Hell For Crypto....

#discuss #web3 #event #blockchain

Comments 1

5 min read

As I reached my home-town and woke-up the next day, I honestly felt as though someone would have completely stolen my batteries🪫

In general, I liked the event from the point of view, that there were more projects that were genuinely interesting me than on the last edition, however here are yet couple of inferences that came into my mind. Not only about

Inferences

I'm not a fan of big cities

I know in previous article I have written, that I do not like big cities, but that was very general statement. I've written in the article that I hate big cities, I forgot to add that at least in Poland, but more on that later.

Before I start let's define what is a big city (at least for me) ? A big city at least for me is a agglomeration in which live 500k+ people (incld. commute-workers + students).

Although I personally do not live in some hicksville, I used to say so about place where I live. Warsaw felt for me like rotten, toxic and fake. I felt more endangered than even in Berlin tbh, whereas Berlin got the most unliked city in my hierarchy.

And additionally the air-conditions in Warsaw seemed awful to me (However I'm kind of over-sensitive in this case, so I might be biased). I mean indeed, the centre, accompanied by skyscrapers is looking nice and the most popular places are impressive, but for me it was enough to see how the city looks like 2/4/6 km away from the highlight-spots, to realise that Warsaw's beauty is only marketing (as always lol).

It's actually quite common in Poland, but I guess every city has it's issues, regardless of the country. I remember back 2023, as I gone for my first ever solo-trip to Manchester, England. I've been there for about 4 days, back then I really didn't experience something that would be hideous in some way, except a hobo, who pissed on a wall while I've been walking through the city, seeking a place to purchase a ticket for public-transport.

I admire always England for their infrastructure and architecture, when it comes to metropolis like Greater Manchester. I always laughed that Manchester is smaller than my city, but then I realised that the cities fade between each other and I remember that I could not realise if I'm in Salford/Trafford or Manchester. So were my experiences at least.

The World is centralized, not by government, by technology:

Sorry, I had no clue how to name this inference lol. I want to tell about my experience in Warsaw that indeed, was very mixed because I had kind of emergency situation. I haven't taken the phone-charger to my phone, although before leaving the house I had been plugging in the power-bank to pack it into backpack.

Unfortunately both power-bank and charger have been left at home by the time of my departure. Unluckily, my phone's battery's level was decreasing rapidly, like never before.

And I was looking for place where to purchase a charger and I had impression that almost everything is against me. Suddenly some arab-guy and afterwards a hobo wanted to scrounge money from me and as I gone to the mall by bus, there was some shady-guy following me weirdly as though he wanted to pick-pocket me or something, he resigned after I have shown him a pepper-spray in my hand, not having even made an eye-contact with that guy.

I gone to a first mall and the charger cheapest charger was 100 PLN, it was Media-Markt shop. I asked the assistant, if can help me choose some cheap charger, and shockingly he advised me to go to the mall on the other side of the street to buy a charger in a supermarket.

The price there ? 18.50 PLN (for cable and the charger-cube) ! Whereas the cable at Media-Markt its-self was 79 PLN ! Can you comprehend it ? There is more 500% spread between price in special IT-RTV-AGD Shop and Super-market. It just blew my mind, honestly speaking and would never say it was reality.

I almost burst in tears when I have experienced the vibration of my phone going out of battery and me being not even with knowledge, where to purchase a charger.

What I meant by centralisation is that everything nowadays is heavily based on electronics and current/electricity. Perhaps that's another problem to be solved, huh ? I know it's my fault in the end of the days, that I hadn't taken the charger 😅. I do not seek for excuses.

Small events > Big events: I reckon smaller events that are highly technical or devoted specifically for specific topic, are better than big events, where there are a lot of people. Big events tend to be more general and kind of discombobulating, as there are so many people talking to each other one has an impression to be a weirdo, not having talked to anyone.

Big events have also a flaw, that there is very intrusive and pressure-full marketing done and on one day you can buy the same ticket for 65$ and the next day you can have 2 tickets in the same price, which is annoying. Smaller events often have stable price of the event-ticket, which I find a great solution, even if for someone it out of budget.

However for sure good things about big-events is bigger amount of projects and companies to be approached and talked to, to know what services are nowadays offered on the market.

And therefore, the amount of stickers is also greater :D Here's the new layout/design of my laptop. Hope you like it 😁

Whereas smaller events like for sure Monero Konferenco could be such event......

Unfortunately, I guess I will not be able to get to the event, due to the financial circumstances on my own. Now, I've an impression as though I wasted my money on NBX to be honest, although there are visible benefits from that event.

I really would love to visit Monero Konferenco this year's edition (even though it's in Warsaw). This event is going to be technical and specific, something I had dreamt about and could not find so specifically. It sounds it's not going to be sort of scattered gibberish about financial matters.

Don't get me wrong, finances are super-important field of human-life, but when it comes to such events, it ends up on artificially looking for me severe talks about the future, another 101 sessions instead of bringing some more medium-advanced/advanced knowledge so people can develop.

And unfortunately a lot of speakers in my eyes are just dreams-sellers and are excluded from reality, pushing from the stage some truisms about hard-work, persistence, everything everyone knows about. But in the end of the days, everyone has to deal with their own issues and do everything what they can in their scale to solve them, not in the speaker's scale.

Furthermore, I do not preach that big-events, are bad and you should not attend them. No I just present the trade-offs of both types of events. Both have pros and cons, that should be basically taken into a count and should be treated separately and not as a comparing-pair.

I have to confess, even though there were projects that interested me like Gen6, Relocatify or Sealed. Most of the projects were already about combining Tradfi with Defi. Speaking outspoken, that hurts. Cryptocurrencies were the hope, which were about to turn the way we understand finances and the way we pay. Unfortunately, it seems that cryptocurrencies become only an asset instead of what their real purpose was. It seems crypto became alternative and is not going to become a payment-system. At least not in next 5/10 years, I suppose.

That doesn't mean however that I stopped being engaged in cryptocurrencies and blockchain. No, I just know that I'm just likely to build a very niche product if I were to build a private-blockchain and it will not be something that institutions would put money into (Which I actually would not like them to do).

We saw how big pump was on ZTrash (ZCash) and even bigger dump occured, only to pump the narrative and take the money from naive people, who blindly believed in privacy-turn. Unless markets are controlled by big whales, that operate in fiat, psychotically indulge theirself in seeing wars and blood of other innocent people, and understand only money-language, no change in financial-system is about to occur, and people will exist, so long will the markets be manipulated.

Resign from my privacy standard was a failure - On NBX, I came to a conclusion, not to cover my face as I usually do in public and not only. I did it for common convenience and not to trigger controversies among people there (usually a covered face is associated mostly with criminals, than carrying about privacy). Also as I got to the venue, it turned out light was shit and the air was slightly humid for me, so I could suffocate in the mask and could basically fall on someone or cause damage while walking, if I had my glasses on.

Also I gone there with an attitude that, if I don't show my face in social media anywhere, so I will not be recognisable by anyone (Previously I used to post my images in a mask online).

Big events have their flaw also that there are basically cameras everywhere, everyone is recording something and I genuinely felt, when I was just resting after networking as though someone would basically put the camera right into my face. Whereas MoneroKonferenco seems to be a really private arrangement. They have even their Photo Policy, which sound like:

Ask before snapping, all persons in a photo/video must have explicitly given consent to be photographed/recorded. As such, please avoid taking photos/video of large crowds, audience, or workshop participants.

Don't get me wrong, I'm not saying those all fluffy stuff about that conference, trying to scrounge money from you guys or something, no.

Rather just express my genuine willingness to appear, there though given my financial situation I know it will be tough. I will not create a fund-raising for a trip to Warsaw specifically for Monero-Konferenco, if I cannot even give you anything in exchange.

One option would be to go and work there as an volunteer, as they get the ticket for free. Which sounds as an interesting experience in my opinion, we will see if the event will fit my schedule or not.

People on the big-events: I was surprised, when I saw people who have less knowledge about cryptocurrencies than I have, are younger than me, and make money in this industry, whereas I, not being fake-modest have a quite big knowledge on cryptocurrencies both from financial and technical point of view and haven't made a single penny.

I do not complain or say I'm worse, just assert the facts that some people make money faster.

Candidly, I'm more looking on events for connecting with devs and people who build and also people who worked on projects already, than financial or businessman connection.

I decided to resign from hackathon participation

Given the fact that my financial struggle nowadays and my experience from trips, I decided not to participate in ETHSilesia hackathon, that I intended to.

Apparently everything seemed to fit in time perfectly, but the budget doesn't lie and I cannot pump it somehow out of nowhere. My investments currently are 60% down, and I will not resolve the loss.

Hence, I decided to devote this time to implement solid gameplay feature with reward system based on ZKP (likely to be implemented with Noir).

Was there something technical, that I've done ?

Obviously !

I have tested for the first time Quebes OS in VirtualBox env.
I watched couple of youtube videos from a guy called Reject Convenience and his second channel where they show discrepancies in Proton narrative and their actual state. And that intrigued me even more to read privacy policies (spoiler Dev.to has no better pplcy than other social media platforms). They openly state to sell and share data with their business partners or sponsors. But, what can I do ?

And ofc, a Week without going is lost week though :D (Don't take it literally). On Sunday/Monday I started implementing the gameplay functionality with socket.io and was fixing the bugs with the actual frontend code in my Pokestake project, that I work on.

You can see above the mechanism, that the connection between two players, has been successfully estabilished.

If you have some suggestions, feel free to visit my repos and create an issue with your suggestion :D If you see some bug or see a way to make code more efficient, also feel free to post an issue

Frontend

LuftieTheAnonymous / PokeStake-Dapp

A Pokemon themed staking protocol with usage of Chainlink VRF

PokeStake 🎴⛓️

A decentralized staking protocol where you can lock Pokemon cards and draw random rewards daily. Built on-chain with verifiable randomness and IPFS storage.

Overview

PokeStake is a Web3 staking protocol that lets users stake Pokemon cards and participate in daily random draws. Each day, stakers can claim a random card from the pool—powered by Chainlink VRF for cryptographically secure randomness and Pinata for decentralized card metadata storage.

Tech Stack

Technology	Purpose	Version
Next.js	Frontend framework & API routes	Latest
TypeScript	Type-safe development	Latest
Solidity	Smart contract logic	^0.8.0
Foundry	Smart contract development & testing	Latest
RainbowKit	Wallet connection & UI	Latest
Wagmi	Ethereum hooks & contract interaction	Latest
TanStack Query	Server state management	Latest
Chainlink VRF	Verifiable randomness	v2
Pinata SDK	IPFS pinning & card metadata	Latest

Features

🎴 Stake Pokemon Cards - Lock your cards into the protocol
🎰 Daily Random Draws - Once per day, draw…

View on GitHub

Smart-Contracts

LuftieTheAnonymous / PokeStake_Protocol

A Staking protocol with usage of Chainlink VRF for drawing a random pokemon Card

Foundry

Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.

Foundry consists of:

Forge: Ethereum testing framework (like Truffle, Hardhat and DappTools).
Cast: Swiss army knife for interacting with EVM smart contracts, sending transactions and getting chain data.
Anvil: Local Ethereum node, akin to Ganache, Hardhat Network.
Chisel: Fast, utilitarian, and verbose solidity REPL.

Documentation

https://book.getfoundry.sh/

Usage

Build

$ forge build

Test

$ forge test

Format

$ forge fmt

Gas Snapshots

$ forge snapshot

Anvil

$ anvil

Deploy

$ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --private-key <your_private_key>

Cast

$ cast <subcommand>

Help

$ forge --help
$ anvil --help
$ cast --help

View on GitHub

Backend Code

LuftieTheAnonymous / pokestake-backend

Robust server-side gaming component powering the Pokestake web3 ecosystem

pokestake-backend

📑 Table of Contents

📝 Description

Pokestake-backend is the robust server-side engine powering the Pokestake web3 ecosystem. Leveraging the high performance of Express.js and the strict type safety of TypeScript, this project provides a scalable and secure infrastructure to handle core application logic and seamless API integrations. It is designed to offer a reliable and efficient backend solution for Pokémon-themed web3 project, ensuring a smooth experience for end-users.

✨ Features

🎮 Pokemon Battle Gameplay Handling
📡 Event Driven Blockchain State Mirroring

🛠️ Tech Stack

🚀 Express.js
📜 TypeScript
🔃 Socket.io
🏎️ Redis
Ether.js
Mongoose/MongoDB

⚡ Quick Start

# Clone the repository
git clone https://github.com/LuftieTheAnonymous/pokestake-backend.git

# Install dependencies
npm install

# Start development server
npm run dev

📦 Key Dependencies

@types/express: ^5.0.6
@types/socket.io: ^3.0.2
eiows: ^8.2.0
express: ^5.2.1
redis: ^5.11.0
socket.io: ^4.8.3
tsc: ^2.0.4
tsx:

…

View on GitHub

How have you been doing ?

What were you up to in recent week ? Some event attended ? Some side-project done ? Some wins ? Some failures ? Let me know down in the comments, hope you reading enjoyed the article (I have edited and written it about 7 hours).

Cheers for reaching until the end, Luftie

My Experiences from NBX and Privacy Hell For Crypto....

Luftie The Anonymous — Fri, 27 Mar 2026 19:21:00 +0000

Hello Dev.to Community !

It's been a while since my recent post on the platform. Today I would like to share with you my experience from NBX (Next Block Expo) event, that was organized in Warsaw, Poland. Although this post will not be filled so much with technical or programming knowledge, I just want to share my view on the conference, from my perspective and couple of thoughts that came into my mind.

Introduction

First, let's define what Next Block Expo is ? NBX or Next Block Expo is an cryptocurrency-focused event, where all sorts of people from blockchain-technology gather in one place, where there are lectures for newbies or also more advanced market-participants, projects present their product and many more. And by having said all sorts of people, I mean literally ALL SORTS OF PEOPLE, from investors, businessmen/women, CEOs, Journalists, and even politicians through software-devs, people that have no clue what blockchain actually is, scammers, moon-boiz, marketing guys to companies that had their stands at the event.

What companies/projects where at the event ?

It actually needs to be pointed out, that this NBX-edition was combined together with an AI-Summit event, although there were only a couple of companies, having their stands that were focused on AI particularly, and not being an "AI-company" only because they added an tranding OpenClaw-Bot to aid customer's portfolio.

A lot of the stands were either belonging to B2B-focused companies that help businesses to implement crypto-payments, offering immediate-conversion from crypto to fiat-transfers, off-ramp and on-ramp and this sort of stuff, or exchanges there were BingX, Bybit, ZondaCrypto, Kanga Exchange.

Besides that, what really has thrilled me, is that there were 4 companies or projects that I kept eye on, that were in some-sense delivering or willing to deliver privacy-extending product or they care about privacy.

I will list them out shortly:

Relocatify - A company that provides help while opening a bank account in Cambodia and purchase of an real-estate in Cambodia. Why Cambodia is somehow related to privacy ? It's because they do not have KYC once you want to purchase/sell crypto.

Their financial system is outside of the CRS-system, so they do not report your financial activity. Does it sound like a safe-heaven for criminals ? Well technically yes, but remember criminals were/are/and unfortunately will exist everywhere but will use different methods for their operation.

For me living in EU, where surveillance grows and privacy already seems as a luxury and one needs to fight for it, usually with miserable outcome.

Sealed - A private messenger, that is using Falcon as key-signature algorithm, that provides quantum-resistant. It's still developing and I had an opportunity to test-out the MVP.
For now it's going to be supporting only text-messages, but the founders say, that they work on implementing features that support images and documents. The messages will be safely stored on blockchain. The blockchain they are going to use is Algorand.
Gen6 - It's a blockchain that already has it's collective of Dapps like NCrypt, a private messenger (does not store messages on blockchain and is free to use). There is also RealSeal signs and timestamps your work on-chain. Gen6 Me Identity as an alternative to linktree, but on-chain. And many other products.
Neti - A company that is actually all into blockchain and privacy. They are those guys, who can manage everything from tokenization, ZK-Proofs, Privacy tools to Building a Blockchain from ground up. I asked if they have any intern-program and the lady I talked to, has said that it's limited but they are about to organize hackathons and blockchain-dev community.

My View on freedom and privacy in Europe and Cryptocurrencies in Europe

Although I talked to a lot of cool people from the industry, collected a lot of merch as you can see on the pictures:

Then one thing is certain for me. When it comes to Europe, privacy of your financial-matters, does not already exist in Europe. And there is no sign of hope to change this trend, as surveillance will only grow and grow in this region, together with stupid regulations taking away your freedom.

The privacy for cryptocurrencies in Europe is gone, because every for transaction even in ATM or in Exchange-Points, will require from you to go through KYC, which I personally hate and find it only as a part of mass-surveillance.

It's actually for me disastrous to see, how cryptocurrencies from technology that was about to threaten the entire monetary system and became only an assets or alternative form of payment.

I think this image explains everything, better than anyone would.

My Personal Experiences

To the event its-self, I'd say I'm disappointed, this time organizers have decided to care more about quantity and not quality of the event, although indeed there were cool projects, this event seemed as a ghost-town for me and the venue was for me not as intuitive as previous one.

The organizers indeed announce a big success, on the event there were more than 2500 people. But the venue for me was a shot in the foot, because of the amount of free space and the actual design of the halls.

I realized also, there is not so much to learn for me from the panels or lectures, but that's was obvious to me and tremendously outraged when one of the organizer in the interview said, that those speeches, panels are rather as an add-on and more it's focused for businesses to be a gateway for new connections and so on.

Is it good ? Is it bad ? I guess as always, depends on the personal perspective. I also did not really like the fact that there has been a separate event for people who speak Ukrainian or Russian.

Don't get me wrong, I do not have anything against any nation, I don't care where are you from and what is your skin color, though organizing an separated event solely for certain language-speaking people, this is for a cause that splits people and separates from each other.

Conclusion: I do not like big places e.g. halls and non-technical talks. It was my last NBX-event attended and will look definitely look for technical events or those that are within my field of interest. So cryptography, privacy, blockchain and cybersecurity.

What about you ?

What have you guys been up to recently ? Have you been building some project or have you been doing something else ? Let me know down in the comments and feel free to share your opinion on any part of my article.

Cheers for reading, till next one :D

From Zero To Crypto Hero (Week 3) - Further Work on Web3 Pokemon Project

Luftie The Anonymous — Sun, 22 Mar 2026 09:21:49 +0000

Hello Dev.to Community !

It's almost a month as I have started writing articles on Dev.to. Candidly speaking it's a mesmerising, how much fun and knowledge can writing and reading articles bring to ones life. And I want to express my gratefulness to all of my readers until now.

⚠️ WARNING: Next couple of paragraphs will not be related to coding and my week effort's specifically. If you want the gritty details, scroll down to Introduction section.

Ofc there is a jeopardy that I might be feeding a infinitely hungry dragon called "AI" with the data about my efforts and daily workflow and I might be targeted by the ads.

However...... SCREW THAT, coz as I mentioned in my post about AI (Although there were mentioned more topics from AI 🦾 to React and homo-sapiens species root of behaviour 🦍).

Luftie The Anonymous

Feb 27

My Take On AI and Technology (Besides the Pure Developer PoV)

#discuss #ai #future #machinelearning

Comments 6

7 min read

Humanity seems already to be at the verge of its existence, given the blazingly fast changes in the world, all of unsettling occurances, that it's tough to catch up with.

Tech CEOs (for me those are dumb assholes, not from the intellectual side, rather what they say publicly and how they influent others) and media spreading fear and uncertainty, willing you only to watch another clickbait video under label of "geopolitics", "development" across all of the people,only to get money for ads, simultaneously killing ambitions and eagerness to grow.

And in the end you've got linkedin posters (which are managed likely by an agent, given the quality of those posts) and triggering me to puke with rainbow on them all.

So, imo it's high-key better to have an attitude as though world would end up tomorrow, than caring about when will the next bomb blow in Iran and what causes will it bring to all of us at all.

Answering however finally why SCREW THAT, and isn't it self-hypocrisy, as I used to define myself as privacy first ? Well not really, I genuinely like the way it's been described in Cypherpunk Manifesto by Eric Hughes

Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.

And thus I do not expose it to the entire world per se, coz my post will likely have less than 25 views and 2 likes from people I met on dev.to, 5 likes from me and that's it.

Introduction

Ok, enough of general prattling and I hope you didn't leave me at this time (Thank you :D) and perhaps I managed to bring you laugh. Let's go into nitty-gritty details.

What have I been doing actually ?

As you might know I'm still working on my web3 pokemon-themed protocol or should I call it ecosystem, because it already has a mechanism for random card drawing ability 1 per day for each user, staking protocol for the cards, marketplace and yet in-build but there will be a pokemon battle mode, based on socket.io.

All of the sudden, getting rid of the most mundane part of coding for me throughout those years, which was designing and frontend UI-building, allowed my brain to fall back onto an idea to implement ZKP (Zero-Knowledge Proofs) to this project for Pokemon Trades, like e.g. users want to swap Pokemon with each other and there could be a proof that a user has the pokemon without a need to reveal it to the actual 3rd party.

Here you have links to particular parts of my project:

Smart-Contracts

LuftieTheAnonymous / PokeStake_Protocol

A Staking protocol with usage of Chainlink VRF for drawing a random pokemon Card

Foundry

Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.

Foundry consists of:

Forge: Ethereum testing framework (like Truffle, Hardhat and DappTools).
Cast: Swiss army knife for interacting with EVM smart contracts, sending transactions and getting chain data.
Anvil: Local Ethereum node, akin to Ganache, Hardhat Network.
Chisel: Fast, utilitarian, and verbose solidity REPL.

Documentation

https://book.getfoundry.sh/

Usage

Build

$ forge build

Test

$ forge test

Format

$ forge fmt

Gas Snapshots

$ forge snapshot

Anvil

$ anvil

Deploy

$ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --private-key <your_private_key>

Cast

$ cast <subcommand>

Help

$ forge --help
$ anvil --help
$ cast --help

View on GitHub

Web-app

LuftieTheAnonymous / PokeStake-Dapp

A Pokemon themed staking protocol with usage of Chainlink VRF

PokeStake 🎴⛓️

A decentralized staking protocol where you can lock Pokemon cards and draw random rewards daily. Built on-chain with verifiable randomness and IPFS storage.

Overview

Tech Stack

Technology	Purpose	Version
Next.js	Frontend framework & API routes	Latest
TypeScript	Type-safe development	Latest
Solidity	Smart contract logic	^0.8.0
Foundry	Smart contract development & testing	Latest
RainbowKit	Wallet connection & UI	Latest
Wagmi	Ethereum hooks & contract interaction	Latest
TanStack Query	Server state management	Latest
Chainlink VRF	Verifiable randomness	v2
Pinata SDK	IPFS pinning & card metadata	Latest

Features

🎴 Stake Pokemon Cards - Lock your cards into the protocol
🎰 Daily Random Draws - Once per day, draw…

View on GitHub

Backend

LuftieTheAnonymous / pokestake-backend

Robust server-side gaming component powering the Pokestake web3 ecosystem

pokestake-backend

📑 Table of Contents

📝 Description

✨ Features

🎮 Pokemon Battle Gameplay Handling
📡 Event Driven Blockchain State Mirroring

🛠️ Tech Stack

🚀 Express.js
📜 TypeScript
🔃 Socket.io
🏎️ Redis
Ether.js
Mongoose/MongoDB

⚡ Quick Start

# Clone the repository
git clone https://github.com/LuftieTheAnonymous/pokestake-backend.git

# Install dependencies
npm install

# Start development server
npm run dev

📦 Key Dependencies

@types/express: ^5.0.6
@types/socket.io: ^3.0.2
eiows: ^8.2.0
express: ^5.2.1
redis: ^5.11.0
socket.io: ^4.8.3
tsc: ^2.0.4
tsx:

…

View on GitHub

This week I focused on handling the UI display of the onchain data to the user, with error and loading states, improving the smart-contract tests and implementing the marketplace. The tests had to be conducted from scratch because there's been some issues with the initial code split I approached to build.

I also finally grasped how socket.io works, I had huge issue with understanding it and was having mind-fuck after mind-fuck, whenever I approached to learn it. But I guess many factors have impacted the fact I was not able to learn it, nevermind.

I visited this week also the university, that I'm likely to be a student of, here a link to the post with my impressions and a bit of linux-propaganda :D

Luftie The Anonymous

Mar 19

My Impressions on the Uni Open Day

#discuss #learning #programming #career

Comments

3 min read

I will not lie, that I would really like to integrate ZK into this project, however I also know that 17th of April is incoming with giant steps and I have to be ready to select a project I want to build and no theme has been announced yet. Thus I decided to build the project as long as the theme is not announced.

Current focus

Pokestake PVP mode implementation with socket.io with ability to win some SNORLIEs (in-app token)
Keeping an eye on the theme announcement for the ETHSilesia Hackathon and drafting a plan on what to build as a project on the hackathon.

Honestly I also have to say, that this project is by far the most engaging and perhaps not the most complex in terms of logic, but in case of tools you though. And it's weird that all of that happens, all of those experiences are emerging while I decided to leave web-dev and smart-contracts to delve into cryptography and so will it be.

How about your week ?

Feel free to share how has your week been going and share it in the comments ?

Cheerio, your Luftie !

[Boost]

Luftie The Anonymous — Sat, 21 Mar 2026 05:55:27 +0000

Daan Acohen

Mar 20

Windows Servers Are a Cryptographic Liability: Entire Countries Can Be Left Exposed to Quantum Attacks

#webdev #programming #security #openssl

Comments

4 min read

My Impressions on the Uni Open Day

Luftie The Anonymous — Thu, 19 Mar 2026 14:44:03 +0000

Hello Dev.to Community

Today I got a quite special article to you because I'm about to tell you what are my impressions on the university's open day I'd pleasure to attend.

You're ready ? Let's go !

This article is not an paid-article or advertisement for the university, it's just an expression of my own experiences after such event.

Introduction

Firstly let's establish where the heck have I been to ? So I've attended the open-day at the IT-Faculty of ZUT (pl. Zachodniopomorski Uniwersytet Technologiczny), in english West-Pomeranian Technological University, placed in Szczecin.

The open-day consisted of walk-around tour, where I and other visitors visited 3 Laboratories. One, where there was a car drive simulator and visitors got the opportunity to try driving a car simulator experiencing what's called immersion.

Then we headed over to the basement-part (No they haven't wanted to show us kittens), rather the embedded-systems lab and the studio where there can occur a voice manipulation and prove that IT is not only about strictly profit-maximalization focused software for analysis or other tasks. But also about things like voice manipulation, voice recognition ect.

Below you can see some from the labs mentioned:

Image 1: Car Simulator Lab

Image 2: Machine which prints elements on the board needed for a component's circuit

Image 3: PC with a special device to manipulate the sound (I cannot name)

As the labs we directed to the game-dev student research club lab, where we have been given the opportunity to play a game that students have done during their internal game-jam event.
And finally, the most awaited part of the entire open-day was about to start, the lecture about voice conversion, meaning how the voice is actually understood by the machine.

BUT UNEXPECTEDLY

The beautiful and flawless day had to be interrupted by shitty Microsoft SpywareOS by other called "Windows", which had either to debug or update, I don't remember already. And that's a great reasons for the uni-principals or heads of the university to start considering switching uni-PCs to Linux ;D (Half Joke, Half Truth).

Therefore the Lecture was shortened and fully conducted. However I did manage to catch the terminology and the overall grasp of how the voice is actually converted to numbers and also why sometimes PCs or electronical devices do not understand what we tell to them.

Image one with explanation and visualisation, what Sound pressure (Ciśnienie akustyczne) is.

Slide with defintion of Phoneme and visualisation.

It's been really interesting and I have written some of the key-words where I could expand my knowledge on voice manipulation and general voice-machine work.

After the lecture, there was also a possibility to get some university's merch or even win something, if a valid answer on drawn question was valid. I actually was successful with answering the question and I won a bag of the faculty, which really fits my office colours.

Summary

Overall, the event was a satisfying introduction to the student although it were only 2 hours. I'm high-key disappointed, that the lecture had to be sped up and some slides were just flashed over. In general, I give in US-grade-scale A- as an encouragement to switch to Linux and perhaps prepare and check the work of presentation before the lecture :D

I'm looking forward to become a student at the uni to learn as well as share knowledge I gained throughout my journey with IT.

Are you a real dev or just a coder ? Go and read this article.

Luftie The Anonymous — Sun, 15 Mar 2026 20:41:48 +0000

Konark Sharma

Mar 15

Are You Really a Developer? The Mindset That Matters More Than Code

#discuss #webdev #career #learning

Comments 9

5 min read

From Zero To Crypto-Hero - (Week 2) A Dream Came True...

Luftie The Anonymous — Sat, 14 Mar 2026 22:50:22 +0000

Hello Dev.to Community !

This week, I would like to share with you, what I've built throughout last 7 days, what I learned, discovered and what happened by me in general as well. There will be some project, some crypto-geekish teasers, perhaps something more 😉...

Interested ? Let's fucking go 💥

Introduction

As I announced in recent week, I decided to focus for now until the hackathon-time on web3, web-dev and building some small-projects to test myself for the farewell hackathon :D And build under time-pressure.

Well I didn't fit the time I expected to. But at least I built in a bit of cool features into the dapp, that I built.

But what have I built actually ?

I have been lately vibing a lot with pokemon and by a lot, I mean freaking out like berserk.

Fun fact: I got even 3 the same Gengar-hoodies in my cloth-wardrobe, lol 😆.

However as I said, before I had realized I'm fed-up with web-dev and smart-contracts, and now I do it solely because I want my farewell with this part of my programming journey and my life to be unique.

I had been planning to build a pokemon-themed web3 project (namely a multiplayer game with ZK implementation), but the designing part and not allowing to focus on actual logic, made me upset and frustrated.

Back then I had been conceptualising/brainstorming about the project infra and logic and all of the sudden I fell into thoughts like: Should my app on mobile be in landscape or in portait mode ?, in meanwhile designing the mock-up in Figma, that was a point were I really told myself, I need to departure from board called web-dev, design because it's an anchor for me and does not allow me for proper work.

Ok, but what have I been building finally ?

Now, as I feel no guilt, if I screw up the hackathon or not, henceforth I decided to build as a hackathon-training project a simple staking protocol with drawing a random card of a pokemon once a day.

The staker can gain coins for the staking, which then can be used in the in-app marketplace, where players can sell their cards in exchange for either Ether or specific amount of the in-game currency.

You can click here to see how cool effect I built for drawing the card, what made me really smile.

The Stack I used for the project

I decided that I will not build UI from scratch and will use an AI tool for it so that after elaborate specification of the imagination, I got the template, which was actually something I would need at least 1 month to build.

The colours ? Well selected. The files and folder split ? Far from ideal and had to tweak it, but it's ok. The actual code ? Sort of messy, because the pages have been by default turned into the "use client" and not being server-rendered.

But the actual tech-stack is following:

Frontend: Next.js + Typescript + V0 (AI generated base UI)
Smart-Contracts: Foundry + Solidity
Key SDKs, Libaries:

TRN-generation: Chainlink-VRF
Wallet-agnosticism: RainbowKit
Interactions with smart-contracts: Wagmi
Storage of NFT-data in IPFS: Pinata SDK
Data Fetching and display: Tanstack-Query

If you're interested what it looks like visit here !

If you're willing to see the code base, click here to see frontend-code and if you're more into smart-contract side click here !

WARNING ⚠️

By the time of article-release (Sunday 12 AM, GMT + 1), the project it yet not ready to use and still works on the marketplace implementations are conducted. I will make special post on the project, for now please star the repo on github, would be really thankful.

My Inferences on the project and take on AI usage

I only asserted that my choice of leaving web-dev is rational and well substantiated. If something what I really put effort into and forced myself to do things I didn't want to do throughout 3 years can be replaced with chat-bot prompting with just a tweak to display something, use appropriate libraries. It's a sign to leave imo.

I've really shun using AI in generating UI, because I really wanted to prove myself that I also can build beautiful UIs and also can build phenomenal website on my own, and I just need time.

I experienced how AI sped up my work with the UI, this peace, that I do not have to care about pixels on the screen, settled me down tremendously.

What I learned by building this project ?

Besides realizing the real aid of AI, I kind of avoided (if you want to know my previous usage of AI feel free to checkout this article)

I was slightly wondering that the transfer of my NFT from my account to my StakingProtocol-contract, was not successful. I figured out that contracts need a special function kind of fallback or receive for the NFTies. It really surprised me because I haven't found it even in Mastering Ethereum example with auctions. This function is derived from a special extension for the contracts, namely an interface of IERC721Receiver.

   function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external
        override
        returns (bytes4)
    {

   // Here place your logic what to do after the token has been
// successfully transferred to the contract     

        return IERC721Receiver.onERC721Received.selector;
    }

This function can be thought of as fallback() or receive() for NFTIes, as I've written before. For those who do not know, fallback() and receive() functions in soldity can execute code after an amount of ether has been transferred to the contract.

What does `fallback()` differ from `receive()` ?

receive() – takes only ether, no data. Executes when someone sends ETH to your contract with empty calldata.

fallback() – takes ether AND data. Executes when calldata doesn't match any function signature, or when someone sends ETH with non-empty calldata and there's no receive().

Another Surprise 🤩

I recently just checked my Luma account to see if there are any updates on the hackathon rules, terms or so. There was no update on it, however I got an invitation for Co-work Event organised by ETHWarsaw ! and I was really wondered and shocked seeing it.

Not only because the event is something I wanted to participate in something like that, whereas my city although it's almost 400k dwellers is rather treated as an no-go zone for any coding initiatives like co-work coding events, what really made me sob sometimes.

But also because it collides in time with my private family-event, so quite suspicious coincidence (I do not believe in such thing as coincidence).

And although I'm about to leave smart-contracts development and the EVM, then I'm looking forward to feel the spirit of that even there, meet brainy people in Ethereum-ecosystem circle and of course steal some stickers so I can glue over my entire laptop and some merch if possible (and even if not then cmon I'm polish though) :D

Summary

This week was absolutely challenging but at the same time, I've saw how easily my work can be sped-up without mundane effort. I've reminded myself and also learned crucial facts when it comes to Soldity and handling ERC721 in external contracts. I got an surprise I did not expect and look forward now only to the hackathon and can't wait to make the farewell and go cryptography all-in.

What about you ?

How was your week ? Have you been successful ? stuck ? Or completely derailed this week ? Let me know in the comments and let's connect :D

From Zero To Crypto-Hero - (Week 1)

Luftie The Anonymous — Sun, 08 Mar 2026 10:25:19 +0000

Hello Dev.to Community !

This time I will share with you what I did in a full week 1 of my transition from zero to crypto-hero ? And as I promised, every sunday I will post a weekly-summary of my effort.

Are you ready ?

Let's go !

1 Week Overview

Surprisingly, I haven't done much this week in terms of cryptography development. I had a bit of tiny errands this week, that took my time and energy. One of them you can see here: One of the Errand-video

I would not say that my efforts were low because of lack of time, but rather because of cognitive overload I would name it.

What have I done ?

I have practiced modular mathematics together with turning the binary into a polynomial and practiced modular reduction of an polynomial, that is actually needed for AES on the substitution-layer level, as in the substitution table in order to get the value we have 2 approaches.

To those who do not know in short AES is an symmetric block-cipher that is built in a following way.

input                      original-key
|                          |
|                          |
|                          |
v                          V
key addition    <---   nth round-key
|
|
|
v
substitution layer
|
|
v
shift-row layer
|
|
v
mix-column
|
|
v
add-round-key

Not comming much into details this process above of encryption is repeated depending on the key length in AES, which is:
For 128 bits: 10 rounds / 11 round-keys
For 192 bits: 12 rounds / 13 round-keys
For 256 bits: 14 rounds / 15 round-keys

Because key addition is done on the beginning before actual encryption and at the end as the last round is finished, thus there are round-quantity + 1 amount of keys.

And for the substitution-layer we get the value for the input either by turning the byte value to a position in a look-up table or we will turn the byte value to polynomial and find an inverse for this polynomial in GF(2^8), by usage of Extended Euclidian Algorithm with irreducible polynomial of the GF(2^8), such that:

input-polynomial * input-polynomial-inverse = 1 mod field-irreducible-polynomial.

I have been relearning DES and AES cipher, whereas I spent about 2 days on AES, because I could not understand fully it's key-schedule workflow.

I have explored the bit manipulation key-words in TS like left-shift, right-shift or that we can xor without turning into binary, what I actually did in my implementation for OTP 😅

I recapped all of my notes on cryptography from Christof Paar course.

I implemented decimal to hex value helper function, Euler's totient function and Extended Euclidian Algorithm to my crypto-library project in TS.

And here are couple things I inferred.

My notes were purely theoretical and were mostly math-focused and for understanding concept instead of ready to implement the cipher in code. For instance I wanted to implement RSA, because it's quite simple math, that is rather math-focused than about bit shifting etc.

What I realized was that in order to get an p and q value, that would be prime-values, that are at least 2^512 bit long, I need to implement primality test from Miller-Rabin Primality Test or Little Fermat's Theorem, whereas Miller-Rabin is more efficient for large numbers than Little Fermat's approach. And I actually run into headache to understand how miller-rabin primality test works 😬

I would need to recap the ciphers all from scratch by reading the book and focusing on implementation rather than understanding how it works.

Unexpected Approval and Plan Change

Additionally there came an unexpected surprise, I have written an article on this this week, however to recall it I got approved to participate in an ETHSilesia Hackathon. Where honestly I did not expected to approved.

And it kind of forced me to change my plans. Namely I decided to temporarily cease development of my crypto-library that I started and my plans to move all-in to cryptography and blockchain architecture. And focus purely on web3-focused matters together with the hackathon-preparation, sometimes such shit happens. And I will comeback to cryptography development all in, after the hackathon.

So that's it for this week, to every woman in programming and in the world, I wish you all the best, you're rocking !

Cheers and see you next week :D

Ps. if you found some mistake feel free to correct me in terms of AES explanation.