xmr.club

How to evaluate a privacy service yourself

Most people pick privacy services by reputation or marketing. Reputations can be paid for; marketing always lies a little. The curator team grades every entry in this directory against a published rubric (/methodology), but new services launch weekly and you will sometimes have to evaluate one yourself. This is the same checklist we use, distilled into something you can run in about 45 minutes (the per-step budgets below add up to that).

The pre-flight question

Before any testing: does this service even need to exist for me? Half the privacy purchases people make solve a problem they don't actually have. Match the service to your threat model first: if a no-KYC VPN only hides traffic from an ISP you don't consider a threat, it buys you nothing and you can stop here.

Step 1 — Operator transparency (5 minutes)

  • Who runs it? Find at least one named person, company registration, or pseudonymous account with a multi-year track record. Anonymous-but-active is fine; anonymous-and-fresh is a red flag.
  • How long has the domain existed? WHOIS + Wayback Machine. Domains less than 6 months old that already sell paid plans deserve extra scrutiny. Compare the WHOIS creation date with the earliest Wayback capture: years of archived history behind a fresh creation date means the domain was dropped and re-registered, and that history isn't this operator's.
  • Is the codebase public? Open-source isn't required but the absence has to be justified by some other trust anchor.
  • Any prior incidents? Search "{service} hacked", "{service} exit-scam", "{service} freezes funds". Read the threads.
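A small checker for the domain-age step, added here as an example rather than anything from the xmr.club toolkit. It parses `whois` output for the creation date, reads the earliest Wayback capture from a CDX API line, and flags the two cases the WHOIS date alone hides: a young domain, and an old archive behind a fresh creation date (dropped and re-registered). The domain, WHOIS record, CDX line and the list of registry label variants are constructed assumptions; the 180-day threshold mirrors the six-month rule above.

```python
from datetime import date, datetime

# Constructed WHOIS output and CDX line for a fictitious domain. A real run pipes
# `whois <domain>` into this script and fetches the CDX line from
# https://web.archive.org/cdx/search/cdx?url=<domain>&limit=1
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PRIVACY.NET
Registrar: Example Registrar, LLC
Creation Date: 2024-11-03T09:12:44Z
Updated Date: 2025-01-15T00:00:00Z
Registry Expiry Date: 2025-11-03T09:12:44Z
"""
SAMPLE_CDX = ("net,example-privacy)/ 20250120113025 https://example-privacy.net/ "
              "text/html 200 H4SH 1234")

# Label and date-format variants seen across registries (assumed, non-exhaustive).
CREATION_KEYS = ("creation date", "created", "created on", "registered on",
                 "registration date", "domain registration date")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d",
                "%d-%b-%Y", "%Y.%m.%d")


def parse_creation_date(whois_text):
    """Return the creation date, or None when the record lacks one
    (redacted registry or a TLD that does not publish it)."""
    for line in whois_text.splitlines():
        key, sep, val = line.partition(":")   # split on the first colon only; times contain colons
        if not sep or key.strip().lower() not in CREATION_KEYS:
            continue
        val = val.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(val, fmt).date()
            except ValueError:
                continue
    return None


def first_capture_date(cdx_line):
    """CDX field 2 is a 14-digit YYYYMMDDhhmmss timestamp of the earliest capture."""
    ts = cdx_line.split()[1]
    return datetime.strptime(ts[:8], "%Y%m%d").date()


def domain_age_verdict(whois_text, cdx_line=None, today=None, young_days=180):
    """Return (age_in_days or None, list of flag strings)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    flags = []
    age = None
    created = parse_creation_date(whois_text)
    if created is None:
        flags.append("no creation date in WHOIS; establish age another way")
    else:
        age = (today - created).days
        if age < young_days:
            flags.append(f"domain registered {age} days ago (<{young_days}); "
                         "extra scrutiny if it already sells paid plans")
    if cdx_line and created is not None:
        first = first_capture_date(cdx_line)
        if first < created:
            flags.append("Wayback captures predate WHOIS creation: domain was dropped and "
                         "re-registered, so the archived history is not this operator's")
        elif (first - created).days > 365:
            flags.append("earliest Wayback capture is over a year after registration: "
                         "domain may have been parked, so WHOIS age overstates the track record")
    return age, flags


if __name__ == "__main__":
    import sys
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE_WHOIS
    age, flags = domain_age_verdict(text, None if piped else SAMPLE_CDX,
                                    today=None if piped else "2025-03-01")
    print(f"age: {age} days")
    for f in flags:
        print("FLAG:", f)
```

Run it as `whois example.net | python3 domain_age.py` for the WHOIS half; paste the CDX line in by hand for the archive check. The label list is the weak point: registries under GDPR redact or rename fields, so a `None` result means "look at the registrar's web WHOIS", not "the domain is fresh".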

Step 2 — Privacy policy (5 minutes)

  • What's collected? Look for "IP addresses", "device fingerprints", "browser identifiers". A no-logs claim that contradicts the privacy policy = lie.
  • How long is it kept? "Retained indefinitely" or "as required by law" is broader than it sounds: retention mandates vary by jurisdiction and the policy doesn't say which one applies, so in practice it usually means everything, forever.
  • Who has access? Subcontractors, payment processors, "law-enforcement requests".
  • Jurisdiction. Where is the company incorporated? Five-Eyes / Fourteen-Eyes operators face data-sharing pressure most non-aligned jurisdictions don't.

Step 3 — Signup test (10 minutes)

Use a clean Tor session + a throwaway email. Capture screenshots at every step.

  1. Does signup require email? Phone? ID? Anything beyond username + password reduces the privacy ceiling.
  2. Try a fake / disposable email. Is it accepted? Some services silently fingerprint disposable-email domains.
  3. Note any captcha provider (Cloudflare / Google / hCaptcha): they all see your IP at signup, and several throttle or block Tor exits outright.
  4. Does the account-creation page run third-party JS? Open Dev Tools → Network → look for analytics, Stripe.js fingerprinting (m.stripe.com), FB Pixel. Save the capture as a HAR alongside your screenshots.
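To keep the third-party JS check reproducible, export the signup page's Network tab as a HAR and run it through something like the following. This is an added example, not a tool from this page or from xmr.club; the HAR fragment, the fictitious first-party domain, the host labels and the naive eTLD+1 logic are all assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR fragment standing in for DevTools → Network → "Save all as HAR".
# The first-party domain is fictitious; the third-party hosts are the ones the guide names.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://example-privacy.net/signup"},
     "response": {"content": {"mimeType": "text/html"}}},
    {"request": {"url": "https://cdn.example-privacy.net/app.js"},
     "response": {"content": {"mimeType": "application/javascript"}}},
    {"request": {"url": "https://www.googletagmanager.com/gtag/js?id=G-XXXX"},
     "response": {"content": {"mimeType": "application/javascript"}}},
    {"request": {"url": "https://m.stripe.com/6"},
     "response": {"content": {"mimeType": "text/html"}}},
    {"request": {"url": "https://connect.facebook.net/en_US/fbevents.js"},
     "response": {"content": {"mimeType": "application/javascript"}}},
    {"request": {"url": "https://challenges.cloudflare.com/turnstile/v0/api.js"},
     "response": {"content": {"mimeType": "application/javascript"}}},
    {"request": {"url": "https://m.stripe.com/6"},
     "response": {"content": {"mimeType": "text/html"}}},
]}}

# Assumed, non-exhaustive labels for hosts worth calling out. Matched by exact host
# or parent-domain suffix, so www.googletagmanager.com hits googletagmanager.com.
KNOWN_HOSTS = {
    "googletagmanager.com": "Google Tag Manager / Analytics",
    "google-analytics.com": "Google Analytics",
    "m.stripe.com": "Stripe fingerprinting beacon",
    "js.stripe.com": "Stripe.js",
    "connect.facebook.net": "Facebook Pixel",
    "challenges.cloudflare.com": "Cloudflare Turnstile captcha",
    "hcaptcha.com": "hCaptcha",
    "recaptcha.net": "reCAPTCHA",
}


def registrable(host):
    """Naive eTLD+1 (last two labels). Fine for a triage pass; use a
    public-suffix list for ccTLDs such as .co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def label_for(host):
    for known, label in KNOWN_HOSTS.items():
        if host == known or host.endswith("." + known):
            return label
    return "unknown third party"


def third_parties(har, first_party=None):
    """Map each third-party host to its label, request count and whether it served JS.
    first_party defaults to the host of the first entry, which is normally the page itself."""
    entries = har["log"]["entries"]
    if first_party is None:
        first_party = urlsplit(entries[0]["request"]["url"]).hostname
    site = registrable(first_party)
    seen = {}
    for e in entries:
        url = e["request"]["url"]
        host = urlsplit(url).hostname or ""
        if registrable(host) == site:          # subdomains of the site are first-party
            continue
        mime = e.get("response", {}).get("content", {}).get("mimeType", "")
        rec = seen.setdefault(host, {"label": label_for(host), "requests": 0, "script": False})
        rec["requests"] += 1
        if "javascript" in mime or url.split("?")[0].endswith(".js"):
            rec["script"] = True
    return seen


def report(har, first_party=None):
    rows = third_parties(har, first_party)
    lines = []
    for host in sorted(rows):
        r = rows[host]
        kind = "JS " if r["script"] else "req"
        lines.append(f"{kind} x{r['requests']:<2} {host:32} {r['label']}")
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    print("\n".join(report(har)) or "no third-party requests")
```

Run `python3 har_audit.py signup.har`; pass the signup host explicitly to `third_parties` if the HAR's first entry is a redirect rather than the page. Anything labelled "unknown third party" that served JS is the thing to chase down by hand, since the label list only covers the usual suspects.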

Step 4 — Deposit test (5 minutes)

  • Send a small amount (under $20). XMR if accepted; BTC otherwise.
  • Check: does the wallet UI prompt for additional KYC after deposit? (Common anti-pattern at exchanges.)
  • Confirm the funds land at the address the service displayed, not at a different address swapped in along the way: compare the destination in your own wallet's outgoing transaction with the deposit the service credits.
  • Note the actual settlement: is it native, wrapped, or IOU? "We send you XMR" sometimes means "we credit your account, redeemable for XMR".

Step 5 — Withdrawal test (10 minutes)

Most critical step. The privacy posture is whatever survives this:

  1. Withdraw to a fresh address (one the service has never seen).
  2. Does withdrawal require additional KYC? "Verify your identity to withdraw" = retroactive KYC = downgrade.
  3. Is the withdrawal held? Beyond ~24h for a small amount is a yellow flag; beyond 72h without explanation is red.
  4. Does the email confirmation leak information (deposit history, balance, originating IP)?
  5. Try a second withdrawal a few days later. Hidden-tier KYC triggers sometimes appear after volume thresholds.

Step 6 — Audit + license review (5 minutes)

  • Any third-party audit? Read the report, not just the marketing. Audits expire — anything older than 18 months is stale.
  • Compliance posture. Does the operator publish a transparency report? Subpoena count? Warrant canaries?
  • Code license. AGPL > GPL > MIT > closed-source for trust signaling.
  • For exchanges/custody: Proof-of-reserves cadence. Self-reported is weaker than third-party-attested.

Step 7 — Reputation cross-check (5 minutes)

  • Search Reddit r/privacy, r/Monero, r/PrivacyToolsIO for the past 12 months.
  • Search Trustpilot / BBB / Sitejabber for fund-loss complaints, with skepticism for review-farming patterns.
  • Check existing privacy directories: KYCnot.me, PrivacyGuides, Monerica. If multiple disagree with a service's self-claim, weight their consensus.
  • Check us: search the xmr.club audit log and archive for the operator name.

Grade yourself

Map your findings to the xmr.club rubric:

  • Passed all 7 steps cleanly? Likely A-tier. Re-test in 12 months.
  • One trade-off (email at signup, or smaller operator, or fresh domain)? B-tier. Acceptable for matching threat models.
  • KYC creep at withdrawal, or audit gap, or unresolved fund complaints? C-tier. Use cautiously, never for high-value.
  • Active fund-loss reports or hostile legal jurisdiction? Don't use. Tell us — we'll list it as a warning.

When you've done the work, submit it

If you've evaluated something we don't list, share the findings via /submit. We re-run the checklist before publishing, but pre-tested submissions land faster and your notes are credited in the curator notes.

Reference picks for each step

  • Tor Browser → /tools/tor-browser

    Step 3 signup test — clean session, padded fingerprint. Mandatory.

  • Tuta Mail → /email/tutanota

    Step 3 throwaway email source. Accepted at most no-KYC signups.

  • Feather → /wallets/feather

    Step 4 + 5 deposit/withdrawal testing. Native XMR + Tor.

  • kyc.rip aggregator → /exchanges/kyc-rip-aggregator

    Step 4 small-amount test deposits. Multi-engine, no markup.

Spotted a gap? submit a listing · @xmr_club · @xbtoshi.