I’d just like to take a moment to share a recent victory of mine. Before 2015, EU companies used to charge VAT at the rate of where the business was, leading to companies like Amazon setting up in in low VAT jurisdictions and making sales from there to lower the overall cost of an item, irrespective of where the customer resided in the EU. On the 1st January 2015 however, the VAT MOSS system was introduced which mandated VAT for online sales should be charged in the country of the customer, in an alleged reasoning to make the VAT system fair. However, this imposed a very problematic situation: a requirement for the company to know where the customer is located.

The VAT MOSS guidance added further headaches, especially to one of my upcoming business projects by requiring “proofs” of customer location information, as detailed within the explanatory notes to the legislation. After hours of reading through the document, the main issues arising were that for an anonymous web hosting service, any information being collection would not only breach the breach the privacy of customers, but negates the entire point of the business. As the guidance offers no advice as to how to handle anonymous online transactions, I consulted with HMRC, the UK’s tax authority which is where my company is registered.

Throughout a series of exchanges, HMRC repeated to me the need for 2 proofs to be in line with the VAT MOSS system. However, I have always rejected that happening as I would rather close my business than break the promises I offer. I made various offers to the tax authority on how to reach a middle ground, such as assuming the UK rate is payable on global sales, and to also possibly switch to another VAT scheme even if it costed my business more money.

The deadlock has finally been broken! I received this email from HMRC recently which has now been verified by an accountant to be binding for my business. This means unless there is a law change or the EU courts come to a different conclusion, I may now process transactions anonymously without being required to know the address or any other information about a customer and still charge the required VAT on transactions. Hip hip hooray!

———————————————

Dear Mr White

Thank you for your email and I apologise for the delay you have experienced in getting a reply to your question, which presents an unusual and difficult situation.

As you collect no information on where your customers belong, and therefore cannot evidence a different place of supply, we will expect you to charge and account for UK VAT on your supplies on the basis that the supply of services are made in the UK.

If a customer contacts you to say that they belong outside the UK, we will expect you to retain the evidence to support the non-application of UK VAT. A simple assertion that they do not belong in the UK will not suffice. If the customer does not provide you with a VAT number, you will be liable to register in the customer’s Member State. If the records presented by the customer enable you to meet the record keeping requirements you may be able to use MOSS to bring the VAT to account.

I hope this is helpful but if you have any further questions please do not hesitate to ask.

Yours sincerely
[HMRC Rep name redacted]

———————————————

Hello all,

As you may have noticed, Jabber.ccc.de has been down for over 24 hours now for reasons at this time, are unknown. As a result of constant downtime over the past year on the service, and the rather sobering fact so many of us in the tech community use Jabber.ccc.de, I have decided to launch my own XMPP server that anyone can sign up to and use.

OpenXMPP.com is now open for registrations. I will be making improvements over the coming weeks that would guarantee 99.99% to 100% uptime. It has upstream DDOS protection, fast connectivity and works perfectly in tandem with existing XMPP servers so you can add contacts who are using any federated service.

As with everything I do, maintaining privacy for users is very important, and, as a result, we will always be trimming back on the amount of data logged. Furthermore, we will regularly clear the system of all but the bare necessities to stay online. Even with this, I still recommend using OTR and Tor for your conversations to guarantee end-to-end encryption.

I foresee this server growing considerably in the coming 12 months and hope everyone uses the service responsibly!

-Cthulhu

Another day, another release. This time, the Tor Carding Forum v2 which to my knowledge has now closed down and so this is another one, like yesterday, that will no longer be of much interest to law enforcement. The other possibility being they have quietly taken it down. Either way, I have no further responsibility to withhold this information and since there are still other major hidden services out there not taking basic security steps (such as forcing external data grabs to go through Tor), please remember I have many more sites to go through yet and nobody is untouchable from naming and shaming.

cthulhu@cthulhu:~$ echo -n “The Tor Carding Forum V2 at hidden service address ba6i2qxajcioadj4.onion and IP address 185.10.57.138 will be seized by the British or Dutch police in the very near future. They have used no magic or special technical ability and Tor is not broken.” | sha1sum | awk ‘{print $1}’
ba993b4a132df12537aab9fde4b297197b92a45a

From 3rd February 2015: https://twitter.com/CthulhuSec/status/562549685802774528

Information was still correct up until the time of closure. This fuck-up was thanks to them not routing their external lookups through Tor. They also must not check the logs of their webserver given how often I performed this to validate it and it was never fixed.

As the following is now benign since it shut down earlier than expected, I feel no problem in releasing this. As far as I know they were a scam market and were being rounded up to tick up the numbers of onions that could be seized as part of the next bust. Ah well, one down, many more to go.

In relation to the following Tweet: https://twitter.com/CthulhuSec/status/572561507571142657

cthulhu@cthulhu:~$ echo -n “The Kiss Marketplace at hidden service address kissmpg5zave56f4.onion and IP address 185.61.148.62 will be seized by the British or Latvian police in the very near future. They have used no magic or special technical ability and Tor is not broken. SALT VyKMK7mojPBlm1JpIGDtA5Zfc0x5ZOTLELqLxgupBpVq5mBnZzP4qcn” | sha1sum | awk ‘{print $1}’
713922b8fffeb764c482e0e0c3f3efcbd0930d92