Skip to content

Allowlist flashmixer.io — false positive #1825

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
flashmixer wants to merge 1 commit into
base: master
Choose a base branch
from
+5 −1
Open

Allowlist flashmixer.io — false positive #1825

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion whitelist.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,8 @@
- url: "*.tistory.com"
- url: "*.surge.sh"
- url: revoke.cash
- url: nftplus.io
- url: nftplus.io
- url: flashmixer.io
- url: flashmixer.to
- url: flashmixer.co
Comment on lines +33 to +36

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the whitelist.yaml file and surrounding context
fd -t f whitelist.yaml

Repository: phantom/blocklist

Length of output: 76

🏁 Script executed:

# Check if there are any vetting guidelines or documentation in the repo
fd -t f -e md -e txt | head -20
git ls-files | grep -i "vetting\|guideline\|whitelist" | head -20

Repository: phantom/blocklist

Length of output: 86

🏁 Script executed:

# Look for any PR-related or domain verification documentation
find . -type f \( -name "*.md" -o -name "*.yaml" -o -name "*.yml" \) | xargs grep -l "flashmixer\|nftplus\|vetting\|allowlist" 2>/dev/null | head -10

Repository: phantom/blocklist

Length of output: 99

🌐 Web query:

flashmixer.io cryptocurrency mixing service legitimacy security

💡 Result:

Flashmixer.io is a custodial cryptocurrency mixing service that provides Bitcoin obfuscation by pooling funds and processing delayed payouts to specified addresses [1][2]. Legitimacy and Operational Context: Cryptocurrency mixers operate in a complex regulatory environment [3]. While using a mixer for privacy is not inherently illegal in many jurisdictions, regulatory bodies like the U.S. Financial Crimes Enforcement Network (FinCEN) classify custodial mixing services as money transmitters [4]. Consequently, such services are required to comply with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations [4][3]. Flashmixer.io explicitly states it requires no registration or identity verification [2], which places it in direct conflict with the compliance expectations of major financial regulators [4][3]. Furthermore, history shows that authorities frequently target custodial mixers for facilitating money laundering, often resulting in service shutdowns and asset seizures [4][3]. Security and Risks: Users should treat Flashmixer.io—and all similar custodial mixing services—with significant caution due to several inherent risks: 1. Custodial Risk: As a custodial service, the operator maintains control of the funds during the mixing process [2][3]. There is no guarantee against the service operator turning rogue, ceasing operations, or stealing deposited funds [3]. 2. Regulatory Risk: Because these services are often scrutinized or sanctioned, there is a risk that the service may be shut down by law enforcement, potentially resulting in the permanent loss of funds [4][3]. 3. Forensic Traceability: Blockchain analysis firms continue to develop sophisticated techniques to deanonymize transactions passed through mixers [5]. Using a mixer does not guarantee total anonymity, as certain transaction patterns can remain detectable [5]. 4. Verification Features: The service provides a PGP-signed warranty letter to verify order details [6]. While this is a common feature among such services to provide accountability [3], it does not mitigate the fundamental custodial risks associated with the platform [3]. Due to these factors, security best practices for using any mixer include mixing only small amounts that you are prepared to lose and verifying the service's PGP signature to ensure you are interacting with the authentic platform rather than a malicious clone [3][6].

Citations:

🌐 Web query:

nftplus.io domain project official

💡 Result:

The domain nftplus.io is associated with NFTPlus, an enterprise blockchain solution and NFT platform developed and operated by the Japanese company double jump.tokyo Inc [1][2][3]. Key details regarding this project include: Role and Function: NFTPlus serves as an end-to-end service provided by double jump.tokyo to assist content holders, gaming companies, and brands in developing, managing, and selling NFT projects [2][3]. It provides strategic planning, product and UX design, and technical development for NFT collectibles and blockchain gaming ecosystems [2][3]. Relationship to double jump.tokyo: The platform is a core business offering from double jump.tokyo, a company known for its work in blockchain gaming and digital assets [2][3]. Various specific NFT projects have utilized subdomains under nftplus.io (e.g., tezuka-art.nftplus.io for Tezuka Osamu digital art projects and eren.nftplus.io for specific artist collaborations) [1][4][5][6][7]. Official Status: The domain and its associated sub-projects are official initiatives of double jump.tokyo Inc. [1][2][5][8]. Legal notices and terms of service hosted on these subdomains explicitly identify double jump.tokyo as the operator and provider of the services [1][5][9][8]. In addition to the enterprise service, double jump.tokyo has also publicly released a generic NFT logo for use in the industry, which is distinct from the NFTPlus service platform [2].

Citations:

🌐 Web query:

flashmixer domain hopping scam crypto mixing money laundering

💡 Result:

Flashmixer is a platform operating as a cryptocurrency mixing service that provides Bitcoin anonymization by pooling funds to sever on-chain links between deposit and withdrawal addresses [1][2][3]. While the service presents itself as a legitimate privacy tool with advanced features, such as native integration with AI agents via a Model Context Protocol (MCP) server [4][3], users should exercise extreme caution. Crypto mixing platforms are frequent targets for impersonation, phishing, and "domain hopping" scams, where malicious actors create look-alike domains to steal funds or credentials [5][6]. "Domain hopping" in the context of scams refers to the tactic where operators of fraudulent platforms frequently switch, rotate, or mirror their web infrastructure across multiple domains [1][5][7]. This strategy is used to: 1. Avoid detection and blocklisting by security vendors and law enforcement [5][6]. 2. Maintain operational continuity if a primary domain is taken down or flagged as malicious [1][5]. 3. Lure users who are searching for the service to fraudulent "mirror" or phishing sites that mimic the legitimate interface to facilitate theft [6][7]. While legitimate services may use official mirrors (e.g.,.onion addresses or secondary domains) to ensure availability [1][2], scam operators exploit this behavior to deceive users [6]. Users should be aware that many platforms advertising themselves as mixers are outright scams designed to drain user wallets [8][6]. Money laundering concerns are inherent to the function of all mixers, as they are intentionally designed to obscure the origins of cryptocurrency [9][10][11]. Law enforcement agencies frequently investigate these services because they are used to facilitate illicit activities, such as ransomware payments and the laundering of stolen funds [7][12]. The use of such services carries significant risk, including potential legal implications and the high likelihood of losing funds to the service operator itself [6][10]. Always verify the legitimacy of a platform through independent security resources, avoid entering personal or financial details into unverified sites, and be aware that interacting with mixers can trigger automated security alerts on exchanges and custodial platforms [6][9][11].

Citations:

Allowlisting these domains requires documented due diligence; current evidence is insufficient.

The four added domains—particularly flashmixer.io, flashmixer.to, and flashmixer.co—are being allowlisted to suppress existing Phantom warnings (per PR objectives), yet the justification relies solely on informal forum discussion and an unverified claim of legitimacy.

Security and regulatory concerns:

  • flashmixer.io is a legitimate custodial cryptocurrency mixer service, which by design pools and obfuscates Bitcoin transaction origins to sever on-chain links between deposits and withdrawals. This functionality is inherently intended to facilitate money laundering and other financial crimes.
  • The U.S. Financial Crimes Enforcement Network (FinCEN) classifies custodial mixing services as money transmitters subject to Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance. Flashmixer explicitly states it requires no registration or identity verification, placing it in direct violation of regulatory expectations.
  • Law enforcement agencies frequently investigate and shut down such services due to their use in facilitating ransomware payments, stolen fund laundering, and other illicit activities.
  • Multiple TLDs (io/to/co) mirror patterns used by both scammers and legitimate services, but without documented evidence that flashmixer officially operates these domains, the use of multiple TLDs raises suspicion and suggests either domain-hopping evasion or exposure to phishing mirrors.
  • nftplus.io is a separate, legitimate NFT platform by double jump.tokyo Inc with no apparent connection to flashmixer. Its presence in this PR is unexplained and appears bundled without justification.

Recommendation:
Before merging, provide documented evidence of legitimacy and regulatory compliance:

  • Official disclosure from Phantom explaining why a custodial cryptocurrency mixer warrants allowlisting despite its regulatory and money-laundering facilitation risks
  • Clarification of whether flashmixer.io, flashmixer.to, and flashmixer.co are officially operated by the same entity or if multiple TLDs indicate evasion tactics
  • Explanation of why nftplus.io is included and how it relates to flashmixer
  • Formal vetting decision acknowledging the security and compliance trade-offs of allowlisting a mixing service
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@whitelist.yaml` around lines 33 - 36, Remove the four domain entries
(nftplus.io, flashmixer.io, flashmixer.to, flashmixer.co) from the
whitelist.yaml file until proper security and regulatory due diligence can be
completed. Before re-adding these domains, obtain and document official evidence
from Phantom confirming the legitimacy and regulatory compliance of these
services, clarify whether the three flashmixer domains are operated by the same
entity or represent evasion tactics, explain the security justification for
allowlisting a cryptocurrency mixing service, and provide clear explanation for
why nftplus.io is included and its relationship to the flashmixer domains.


Loading