Allowlist flashmixer.io — false positive #1825
Requesting allowlist review because this legitimate domain is being incorrectly flagged by Phantom as malicious/scam, while it does not appear in the public blocklist.
📝 Walkthrough
Changes: Whitelist Domain Additions
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Actionable comments posted: 1
🧹 Nitpick comments (1)
whitelist.yaml (1)
37-37: 🧹 Nitpick | 🔵 Trivial | 💤 Low value
Remove trailing whitespace on line 37.
🧹 Proposed fix
- url: flashmixer.co - +
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@whitelist.yaml` at line 37, Line 37 in whitelist.yaml contains trailing
whitespace that needs to be removed. Navigate to line 37 and delete any trailing
spaces or tabs at the end of that line, ensuring the line ends immediately after
any non-whitespace content.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: `30d424d6-7085-4abf-bdee-e325e323e7fb`
📥 Commits
Reviewing files that changed from the base of the PR and between 5030186d0671f173eefc8a0be696d64b7b30ecbc and e149a868b90e4552896b84521c338cdebb51b2b6.
📒 Files selected for processing (1)
* `whitelist.yaml`
| - url: nftplus.io | ||
| - url: flashmixer.io | ||
| - url: flashmixer.to | ||
| - url: flashmixer.co |
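Review bot: three of the four entries added here (nftplus.io, flashmixer.to, flashmixer.co) are not covered by the PR title or description, which ask for review of flashmixer.io only. Either drop them from this change or state in the description who operates each domain and why it belongs in the allowlist. nftplus.io in particular would be easier to review in its own PR.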
🧩 Analysis chain
🏁 Script executed:
```
# First, let's look at the whitelist.yaml file and surrounding context
fd -t f whitelist.yaml
```
Repository: phantom/blocklist
Length of output: 76
🏁 Script executed:
```
# Check if there are any vetting guidelines or documentation in the repo
fd -t f -e md -e txt | head -20
git ls-files | grep -i "vetting\|guideline\|whitelist" | head -20
```
Repository: phantom/blocklist
Length of output: 86
🏁 Script executed:
```
# Look for any PR-related or domain verification documentation
find . -type f \( -name "*.md" -o -name "*.yaml" -o -name "*.yml" \) | xargs grep -l "flashmixer\|nftplus\|vetting\|allowlist" 2>/dev/null | head -10
```
Repository: phantom/blocklist
Length of output: 99
🌐 Web query:
flashmixer.io cryptocurrency mixing service legitimacy security
💡 Result:
Flashmixer.io is a custodial cryptocurrency mixing service that provides Bitcoin obfuscation by pooling funds and processing delayed payouts to specified addresses [1][2].
Legitimacy and Operational Context: Cryptocurrency mixers operate in a complex regulatory environment [3]. While using a mixer for privacy is not inherently illegal in many jurisdictions, regulatory bodies like the U.S. Financial Crimes Enforcement Network (FinCEN) classify custodial mixing services as money transmitters [4]. Consequently, such services are required to comply with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations [4][3]. Flashmixer.io explicitly states it requires no registration or identity verification [2], which places it in direct conflict with the compliance expectations of major financial regulators [4][3]. Furthermore, history shows that authorities frequently target custodial mixers for facilitating money laundering, often resulting in service shutdowns and asset seizures [4][3].
Security and Risks: Users should treat Flashmixer.io—and all similar custodial mixing services—with significant caution due to several inherent risks:
1. Custodial Risk: As a custodial service, the operator maintains control of the funds during the mixing process [2][3]. There is no guarantee against the service operator turning rogue, ceasing operations, or stealing deposited funds [3].
2. Regulatory Risk: Because these services are often scrutinized or sanctioned, there is a risk that the service may be shut down by law enforcement, potentially resulting in the permanent loss of funds [4][3].
3. Forensic Traceability: Blockchain analysis firms continue to develop sophisticated techniques to deanonymize transactions passed through mixers [5]. Using a mixer does not guarantee total anonymity, as certain transaction patterns can remain detectable [5].
4. Verification Features: The service provides a PGP-signed warranty letter to verify order details [6]. While this is a common feature among such services to provide accountability [3], it does not mitigate the fundamental custodial risks associated with the platform [3].
Due to these factors, security best practices for using any mixer include mixing only small amounts that you are prepared to lose and verifying the service's PGP signature to ensure you are interacting with the authentic platform rather than a malicious clone [3][6].
Citations:
- 1: https://flashmixer.io/?lang=en
- 2: https://flashmixer.io/faq
- 3: https://torwiki.org/guides/crypto-mixers/
- 4: https://www.chainalysis.com/blog/crypto-mixers/
- 5: https://www.sciencedirect.com/science/article/pii/S2666281725000150
- 6: https://flashmixer.io/verify
🌐 Web query:
nftplus.io domain project official
💡 Result:
The domain nftplus.io is associated with NFTPlus, an enterprise blockchain solution and NFT platform developed and operated by the Japanese company double jump.tokyo Inc [1][2][3]. Key details regarding this project include:
- Role and Function: NFTPlus serves as an end-to-end service provided by double jump.tokyo to assist content holders, gaming companies, and brands in developing, managing, and selling NFT projects [2][3]. It provides strategic planning, product and UX design, and technical development for NFT collectibles and blockchain gaming ecosystems [2][3].
- Relationship to double jump.tokyo: The platform is a core business offering from double jump.tokyo, a company known for its work in blockchain gaming and digital assets [2][3]. Various specific NFT projects have utilized subdomains under nftplus.io (e.g., tezuka-art.nftplus.io for Tezuka Osamu digital art projects and eren.nftplus.io for specific artist collaborations) [1][4][5][6][7].
- Official Status: The domain and its associated sub-projects are official initiatives of double jump.tokyo Inc. [1][2][5][8]. Legal notices and terms of service hosted on these subdomains explicitly identify double jump.tokyo as the operator and provider of the services [1][5][9][8].
In addition to the enterprise service, double jump.tokyo has also publicly released a generic NFT logo for use in the industry, which is distinct from the NFTPlus service platform [2].
Citations:
- 1: https://eren.nftplus.io/en/scta
- 2: https://www.doublejump.tokyo/nftplus
- 3: https://knowtechie.com/nfts-and-blockchain-driven-features-in-video-games/
- 4: https://eren.nftplus.io/en
- 5: https://tezuka-art.nftplus.io/scta
- 6: https://eth.nftscan.com/0x320c1ca2bdda1375174a98bfd06ed7c2d60e9842/30262
- 7: https://www.moshimoshi-nippon.jp/527321
- 8: https://samuraicryptos.io/scta
- 9: https://tezuka-art.nftplus.io/termsofservice
🌐 Web query:
flashmixer domain hopping scam crypto mixing money laundering
💡 Result:
Flashmixer is a platform operating as a cryptocurrency mixing service that provides Bitcoin anonymization by pooling funds to sever on-chain links between deposit and withdrawal addresses [1][2][3]. While the service presents itself as a legitimate privacy tool with advanced features, such as native integration with AI agents via a Model Context Protocol (MCP) server [4][3], users should exercise extreme caution. Crypto mixing platforms are frequent targets for impersonation, phishing, and "domain hopping" scams, where malicious actors create look-alike domains to steal funds or credentials [5][6].
"Domain hopping" in the context of scams refers to the tactic where operators of fraudulent platforms frequently switch, rotate, or mirror their web infrastructure across multiple domains [1][5][7]. This strategy is used to:
1. Avoid detection and blocklisting by security vendors and law enforcement [5][6].
2. Maintain operational continuity if a primary domain is taken down or flagged as malicious [1][5].
3. Lure users who are searching for the service to fraudulent "mirror" or phishing sites that mimic the legitimate interface to facilitate theft [6][7].
While legitimate services may use official mirrors (e.g., .onion addresses or secondary domains) to ensure availability [1][2], scam operators exploit this behavior to deceive users [6]. Users should be aware that many platforms advertising themselves as mixers are outright scams designed to drain user wallets [8][6].
Money laundering concerns are inherent to the function of all mixers, as they are intentionally designed to obscure the origins of cryptocurrency [9][10][11]. Law enforcement agencies frequently investigate these services because they are used to facilitate illicit activities, such as ransomware payments and the laundering of stolen funds [7][12]. The use of such services carries significant risk, including potential legal implications and the high likelihood of losing funds to the service operator itself [6][10].
Always verify the legitimacy of a platform through independent security resources, avoid entering personal or financial details into unverified sites, and be aware that interacting with mixers can trigger automated security alerts on exchanges and custodial platforms [6][9][11].
Citations:
- 1: https://flashmixer.io/
- 2: https://flashmixer.io/?lang=en
- 3: https://nyflashnews.com/flashmixer-becomes-the-first-bitcoin-mixer-built-for-the-age-of-ai-agents/
- 4: https://flashmixer.io/faq
- 5: https://dti.domaintools.com/research/inside-a-crypto-scam-nexus
- 6: https://phishdestroy.io/domain/yomix.ac/
- 7: https://www.justice.gov/d9/press-releases/attachments/2023/03/15/filed_complaint_0.pdf
- 8: https://gist.github.com/ZenulAbidin/511d531980c44051cfafd11b2e3c9dda
- 9: https://www.chainalysis.com/glossary/crypto-mixer/
- 10: https://www.elliptic.co/blockchain-basics/what-is-a-crypto-mixer
- 11: https://www.elliptic.co/blog/obfuscation-on-the-blockchain-how-to-detect-and-mitigate-the-risks
- 12: https://www.sciencedirect.com/science/article/pii/S2666281725000150
Allowlisting these domains requires documented due diligence; current evidence is insufficient.
The four added domains—particularly flashmixer.io, flashmixer.to, and flashmixer.co—are being allowlisted to suppress existing Phantom warnings (per PR objectives), yet the justification relies solely on informal forum discussion and an unverified claim of legitimacy.
Security and regulatory concerns:
- `flashmixer.io` is a legitimate custodial cryptocurrency mixer service, which by design pools and obfuscates Bitcoin transaction origins to sever on-chain links between deposits and withdrawals. This functionality is inherently intended to facilitate money laundering and other financial crimes.
- The U.S. Financial Crimes Enforcement Network (FinCEN) classifies custodial mixing services as money transmitters subject to Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance. Flashmixer explicitly states it requires no registration or identity verification, placing it in direct violation of regulatory expectations.
- Law enforcement agencies frequently investigate and shut down such services due to their use in facilitating ransomware payments, stolen fund laundering, and other illicit activities.
- Multiple TLDs (io/to/co) mirror patterns used by both scammers and legitimate services, but without documented evidence that flashmixer officially operates these domains, the use of multiple TLDs raises suspicion and suggests either domain-hopping evasion or exposure to phishing mirrors.
- `nftplus.io` is a separate, legitimate NFT platform by double jump.tokyo Inc with no apparent connection to flashmixer. Its presence in this PR is unexplained and appears bundled without justification.
Recommendation:
Before merging, provide documented evidence of legitimacy and regulatory compliance:
- Official disclosure from Phantom explaining why a custodial cryptocurrency mixer warrants allowlisting despite its regulatory and money-laundering facilitation risks
- Clarification of whether `flashmixer.io`, `flashmixer.to`, and `flashmixer.co` are officially operated by the same entity or if multiple TLDs indicate evasion tactics
- Explanation of why `nftplus.io` is included and how it relates to flashmixer
- Formal vetting decision acknowledging the security and compliance trade-offs of allowlisting a mixing service
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@whitelist.yaml` around lines 33 - 36, Remove the four domain entries
(nftplus.io, flashmixer.io, flashmixer.to, flashmixer.co) from the
whitelist.yaml file until proper security and regulatory due diligence can be
completed. Before re-adding these domains, obtain and document official evidence
from Phantom confirming the legitimacy and regulatory compliance of these
services, clarify whether the three flashmixer domains are operated by the same
entity or represent evasion tactics, explain the security justification for
allowlisting a cryptocurrency mixing service, and provide clear explanation for
why nftplus.io is included and its relationship to the flashmixer domains.
Hi Phantom team,
My legitimate website `flashmixer.io` is being incorrectly flagged by Phantom as malicious/scam. I checked the public blocklist and could not find this domain listed.
Please review and allowlist the domain as a false positive.
Domain: flashmixer.io
Project: Flash Mixer
Evidence / references: We have an active public thread on a reputable/authoritative forum confirming the legitimacy of this project: https://www.altcoinstalks.com/index.php?topic=344618.30
Contact: flashmixer@proton.me
Thank you.