AlfaCash A++: Monero Exchange Assessment Pt. 2

Monero Exchange Jan 13, 2021

Following through to the next part of our series, we're going to be taking a look at another vendor called 'AlfaCash' (they're listed under 'exchanges' for Monero).

Checking Out the Main Website

The main site is pretty straightforward (yes, it works how one would intuitively expect it to work based on the graphical interface of the site itself).

In the interest of not wasting any time, we figured that we'd have Litecoin converted and then sent to some arbitrary Monero address we created.

The address in question (Monero) = 41trUf8HbXUYw3evRmgJBNW5rynzUHDibGCZGmcGZzPxgf5Kmc5rNFFQfWAxJWoCDK9VVq57YaM5eUmWHQhn9vtyS8zVB6v

Let's see what happens when we hit 'exchange' (expecting for there to be no holdups / KYC demands).

Awesome. Appears as though all systems are a go.

Now we just send some bread to this Litecoin address and see whether the exchange takes place (we're picking Litecoin because the fees are cheap and we want to expedite the time it takes for this trade to go through).

Things Looking Good So Far

Sure enough, after sending the funds to the stipulated address, the screen had changed (without any interference from us), showing that the Litecoin was detected on the blockchain and it was simply waiting for the LTC to confirm (6 times) before releasing the Monero (hopefully).

The only thing left to do now is to simply wait until there have been 6 confirmations on the Litecoin blockchain.

fast-forward a few hours later

This didn't take a few hours, but the tab was left open and distractions arose.

But when the page was revisited, we were greeted with the following message:

This appears to be mission success - let's see if we can check that Monero address (since it was just a bullshit throwaway address that we created).

What's dope about this is that it gives us the TX link to 'xmrchain.net' with the TX appended to the end of the URL (here is the specific URL that we received): https://xmrchain.net/tx/c43ab352aaabe2002c16d87536b76a0255f8b576c7b20ca01915d4fa08dfce06

If you visit the raw URL from above, then you'll wind up at the following site:

Notice how only the stealth addresses are present and the total amounts that were sent to each have a question mark.

If we want to see the amount that we received (in order to confirm that it was actually sent to our Monero address), then we need to input our regular Monero address (public address) + the private view key.

Neither of these alphanumeric 'codes' puts us in jeopardy of having our funds stolen: the private view key only lets someone see outputs sent to the address, it cannot spend them (and it was only $20 in LTC we sent, so the stakes aren't too high here).

If we scroll down the page slightly, we can see the section where it allows us to 'decode outputs':

In the two sections (respectively), we're going to enter:

  1. 41trUf8HbXUYw3evRmgJBNW5rynzUHDibGCZGmcGZzPxgf5Kmc5rNFFQfWAxJWoCDK9VVq57YaM5eUmWHQhn9vtyS8zVB6v (Monero address / subaddress)
  2. c250e2699d9433b500cf99964ba088fb61eea8b2698290587d1ffe7f7f7a2b06 (Private View Key)

See Below:

Now our only remaining step is to press 'decode output', and we should be able to decode the respective output that belongs to us on the blockchain.

Let's see what it shows us:

Boom, we got a match for the amount 0.165230050000 $XMR.
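As an added illustration (not code from the original post, AlfaCash or xmrchain.net), the Python below splits the address used above into its two public keys and checks whether the published private view key is the secret behind the view half only. The function names are this example's own, and it assumes a standard address rather than a subaddress.

```python
# Added example. Standard (non-subaddress) Monero address layout:
#   1 network byte | 32-byte public spend key | 32-byte public view key | 4-byte checksum
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P = 2**255 - 19                          # ed25519 field prime
D = -121665 * pow(121666, -1, P) % P     # curve constant d
# Both values below are the ones published in the post.
ADDRESS = "41trUf8HbXUYw3evRmgJBNW5rynzUHDibGCZGmcGZzPxgf5Kmc5rNFFQfWAxJWoCDK9VVq57YaM5eUmWHQhn9vtyS8zVB6v"
VIEW_KEY = "c250e2699d9433b500cf99964ba088fb61eea8b2698290587d1ffe7f7f7a2b06"

def decode_address(addr):
    """Monero base58: 11-char blocks -> 8 bytes, final 7-char block -> 5 bytes."""
    raw = b""
    for i in range(0, len(addr), 11):
        chunk, n = addr[i:i + 11], 0
        for ch in chunk:
            n = n * 58 + ALPHABET.index(ch)
        raw += n.to_bytes({11: 8, 7: 5}[len(chunk)], "big")
    if len(raw) != 69:
        raise ValueError("expected a 95-character address")
    # The checksum uses Keccak-256 (not in the stdlib); it is returned, not verified.
    return {"network": raw[0], "spend_pub": raw[1:33],
            "view_pub": raw[33:65], "checksum": raw[65:]}

def base_point():
    """ed25519 base point G: y = 4/5, x is the even square root."""
    y = 4 * pow(5, -1, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (P - x if x & 1 else x), y

def point_add(a, b):
    """Complete twisted-Edwards addition in affine coordinates."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def public_key(secret):
    """Compressed point secret*G for a 32-byte little-endian scalar."""
    k, acc, q = int.from_bytes(secret, "little"), (0, 1), base_point()
    while k:
        if k & 1:
            acc = point_add(acc, q)
        q, k = point_add(q, q), k >> 1
    return (acc[1] | (acc[0] & 1) << 255).to_bytes(32, "little")

def view_key_matches(addr, view_key_hex):
    """True if the private view key is the secret behind the address's view half."""
    return public_key(bytes.fromhex(view_key_hex)) == decode_address(addr)["view_pub"]
```

Calling `view_key_matches(ADDRESS, VIEW_KEY)` runs the check on the post's values; the spend half of the address is never touched, which is why handing over the view key exposes incoming amounts but not the ability to move funds.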

Let's check back with the AlfaCash app to ensure that this is the correct amount:

Yup! Turns out that the swap worked flawlessly.

And we were not required to:

  1. Be in a certain jurisdiction
  2. Log in or create an account of sorts
  3. Provide information about why we were making the transaction
  4. Tweak any of our browser's protective settings (i.e., UBlock, Adblock, 3rd-party script blocking, purging tracking cookies, etc.)

Assessing the Website Itself

This is the final part where we make sure that the website passes the 'sniff test' (i.e., there are no creepy crawly viruses / sniffers / listeners on the page that may have the ability to compromise our browser and/or XMR swapping sesh).

VirusTotal

Let's start with the classic first pass check: VirusTotal

This part is as simple as visiting virustotal.com and throwing the URL in the search bar (as depicted above).

The virus scanner will run the website through 70+ known virus scanners to see if any one of them has detected nefarious activity (or anything else of that nature).

Below are the results:

Came back clean. You can check for yourself here.

HybridAnalysis Check

One of the best online tools to use to double check whether a site passes the sniff test or not is the HybridAnalysis tool (by CrowdStrike).

Essentially, this tool spins up a virtual sandboxed instance (which runs on its own servers) to visit the site in question and record all of the different activity that takes place from then on.

This makes this virus / malware detection tool best for capturing dynamic malware & viruses.

Those are basically the bad guys that are able to evade virus scanner detection because they usually do not manifest the ugly stuff until after the program is started. And, contrary to popular belief, virus scanners only scan a program at one given point in time, then let it slide through if it has passed that one-time, static check.

Think of this as a transformer or something like that...maybe it looks like an innocuous sedan, but once the scan is finished it'll transform into a minivan!! (just joking, maybe something like a jit compiled payload designed to completely escape your sandbox, memory overflow your kernel, escalate to root and own your machine forever).

Setting the Scene

Similar to what we did with the other site (VirusTotal), we're going to visit https://www.hybrid-analysis.com first, then follow the requisite steps to fill in the URL.

From here, we hit analyze and then zoom through a few options (such as the e-mail address you want to receive your report at - if you even want it to go to one).

And then you pick your other customizable parameters for the analysis as seen below before clicking, 'Generate Public Report':

Once the 'Generate Public Report' button has been hit, there's nothing to do but just wait until the report is complete (it'll usually take approx. 10 minutes on a relatively busy day).

The wait time may seem a bit excessive, but you can trust that you're going to receive an extremely thorough report detailing all of the things that you wish for it to contain.

Analyzing the HybridAnalysis Results

After a little bit of time, the results finally came in.

See below:

That means clean as a whistle - but that also does not mean that we're done here.

It's worth at least looking at the report to see if there was anything worthy of note / interest contained within.

If you're interested in taking a look for yourself, the full report can be accessed here: https://www.hybrid-analysis.com/sample/13b6e17f5069ccdd73ad7529d10cff9a11d3bbd85415fa609bb25ed8cc44954f/5ffe497e9a819d31f3484bb4

Think this tool is cool? Well, enjoy it - because that's about the only free thing that CrowdStrike feels that they need to give to any person walking on the planet currently.

Overall Rating For AlfaCash = A+

This tool checks all of the boxes for what we would want out of a Monero swap tool.

Below is a brief list that covers everything:

  1. The technology that the site runs on is open source = https://github.com/ALFAcashier/alfacashier-api-php (entirely)
  2. It operates in a very transparent manner (no witchcraft or trickery going on here - what you see is really what you get)
  3. You get all of the money that it said you would get
  4. The design of the site and the tool was done in such a way to where the creator has some plausible deniability (in fact, they have all of the plausible deniability that one could ever ask for because this is an open source tool... meaning that anyone could come behind them & create the exact same website)
  5. There is no grandiose marketing! This is a huge one. We've been trying to stay away from websites that have marketing material on them such as, "Hide your information from the government here !!!! Beat the NSA!", because they're usually full of shit and by advertising such things, it now appears as though the only reason you're using the tool is to evade the law in some capacity - and as we saw in the DOJ release to the FBI re: darkweb efforts, the United States government has no problem then there are going to be some major hits to blockchain if they're able to blow the roof off of Monero (somehow) or make it virtually untenable to use as they have with the Tor Network (via various, hard-planned subversive attempts to throw the network).
  6. The logic for how this tool functions is consistent. It is not exactly clear how the matching occurs, but you do get the feeling that most of the process is automated. Obviously, the site itself acts as the third-party mediating these transactions, but if this is occurring strictly through API over TLS 1.3, and the other things I've been really anal about, then this is an 'L' that we can deal with for the time being.

Author's Opinion

In my opinion, if someone would like to obtain Monero or exchange Monero already in their possession for another cryptocurrency, then this website is one of the best resources out for doing so.

Trustpilot Reviews

They've even gone as far as to provide TrustPilot links for those that want to review their service on that site (and that's a highly reputable, legitimate review site for online business).

And the reviews that they have on there (from what I was able to see), are pretty positive thus far.

Alfacash is rated “Excellent” with 4.6 / 5 on Trustpilot
Bar chart review and ratings distribution for Alfacash, provided by Trustpilot.

For those unfamiliar with TrustPilot, this is the general format of the website.

Their rating is mad fucking high (4.5+). Usually if a crypto project / tool is full of shit, you'll see that very clearly in the reviews. And the fake reviews will look really obvious because they'll look so jarring next to all of the negative feedback.

In my experience, this is one of the more legitimate places to go to review a company / online business of any sort (perhaps even better than BBB, although BBB is probably seen as more impactful on a legal / financial services level).

cryptomedication

Happy to serve and help wherever I'm needed in the blockchain space. #Education #EthicalContent #BringingLibretotheForefront
