A VAT MOSS Victory!


I’d just like to take a moment to share a recent victory of mine. Before 2015, EU companies used to charge VAT at the rate of where the business was, leading to companies like Amazon setting up in low VAT jurisdictions and making sales from there to lower the overall cost of an item, irrespective of where the customer resided in the EU. On the 1st January 2015 however, the VAT MOSS system was introduced, which mandated that VAT for online sales should be charged in the country of the customer, with the stated aim of making the VAT system fair. However, this imposed a very problematic requirement: the company must know where the customer is located.

The VAT MOSS guidance added further headaches, especially to one of my upcoming business projects, by requiring “proofs” of customer location information, as detailed within the explanatory notes to the legislation. After hours of reading through the document, the main issue was that for an anonymous web hosting service, collecting any such information would not only breach the privacy of customers, but negate the entire point of the business. As the guidance offers no advice on how to handle anonymous online transactions, I consulted HMRC, the UK’s tax authority, where my company is registered.

Throughout a series of exchanges, HMRC repeated to me the need for 2 proofs to be in line with the VAT MOSS system. However, I have always rejected that, as I would rather close my business than break the promises I offer. I made various offers to the tax authority on how to reach a middle ground, such as assuming the UK rate is payable on global sales, and possibly switching to another VAT scheme even if it cost my business more money.

The deadlock has finally been broken! I received this email from HMRC recently which has now been verified by an accountant to be binding for my business. This means unless there is a law change or the EU courts come to a different conclusion, I may now process transactions anonymously without being required to know the address or any other information about a customer and still charge the required VAT on transactions. Hip hip hooray!


Dear Mr White

Thank you for your email and I apologise for the delay you have experienced in getting a reply to your question, which presents an unusual and difficult situation.

As you collect no information on where your customers belong, and therefore cannot evidence a different place of supply, we will expect you to charge and account for UK VAT on your supplies on the basis that the supply of services are made in the UK.

If a customer contacts you to say that they belong outside the UK, we will expect you to retain the evidence to support the non-application of UK VAT. A simple assertion that they do not belong in the UK will not suffice. If the customer does not provide you with a VAT number, you will be liable to register in the customer’s Member State. If the records presented by the customer enable you to meet the record keeping requirements you may be able to use MOSS to bring the VAT to account.

I hope this is helpful but if you have any further questions please do not hesitate to ask.

Yours sincerely
[HMRC Rep name redacted]


On the importance of decentralisation


As many of you have noticed, there was an FBI seizure page on some of my mirrors earlier tonight. Thankfully, these were fake, and I put them there, intending to ensure this message reaches as many people as possible and to draw attention to the problem that we face. Firstly, for verification though:

echo "You may have just seen the takedown notice on https://patreon.thecthulhu.com. This notice was put up by myself and was not a real takedown thankfully. It is, I hope, a reminder to everyone of the importance of decentralisation and that just because somebody like myself posts a resource, does not mean it will be there forever. I encourage everyone to repost the magnet URI on their sites or setup their own mirrors to prevent such a single point of failure in the future. I included the SHA1 and SHA256 sums of the file for a very good reason too if you wish to verify the integrity of data downloaded from other sources before executing or opening it." | sha1sum | awk '{print $1}'

Produces: 63300df2199f61822fef6c440014359f052ffe61

The hash should match here: https://twitter.com/CthulhuSec/status/650451139473862656

The problem we face is that since the Patreon leak, I have been the only known mirror out there offering the full file, as well as a magnet URI. Many people have been downloading and investigating the data, but no new mirrors have popped up, not even simple magnet URI reposts. This causes a dangerous centralisation problem if I become the only mirror, thus heightening the chance of law enforcement targeting me, but also means there are fewer sources for people to verify the integrity of the data.

Mirroring the data is not hard. The magnet link I provided on the page ensures that just linking to that data is sufficient to mirror it securely (magnets are a modern replacement for torrent files that minimize the need to host a file), but very few have done so. I would like to encourage everybody to make mirrors somewhere of the magnet URI at least, and if possible a full download available over TLS. This not only helps me but improves the security of everyone seeking the files.

I understand not everyone has the resources to put up a mirror, but for those that do and have downloaded the data, remember to give back to the cause in some way. Mirroring data, donations to organisations like Tor Project, or teaching others how to improve their security are all great ways we can make a positive impact on our societies, and I encourage everyone to get involved to do so.

Goodbye Jabber.ccc.de, Hello OpenXMPP.com


Hello all,

As you may have noticed, Jabber.ccc.de has been down for over 24 hours now for reasons that, at this time, are unknown. As a result of constant downtime over the past year on the service, and the rather sobering fact that so many of us in the tech community use Jabber.ccc.de, I have decided to launch my own XMPP server that anyone can sign up to and use.

OpenXMPP.com is now open for registrations. I will be making improvements over the coming weeks that would guarantee 99.99% to 100% uptime. It has upstream DDOS protection, fast connectivity and works perfectly in tandem with existing XMPP servers so you can add contacts who are using any federated service.

As with everything I do, maintaining privacy for users is very important, and, as a result, we will always be trimming back on the amount of data logged. Furthermore, we will regularly clear the system of all but the bare necessities to stay online. Even with this, I still recommend using OTR and Tor for your conversations to guarantee end-to-end encryption.

I foresee this server growing considerably in the coming 12 months and hope everyone uses the service responsibly!


Another Small Release – TCF V2


Another day, another release. This time, the Tor Carding Forum v2 which to my knowledge has now closed down and so this is another one, like yesterday, that will no longer be of much interest to law enforcement. The other possibility being they have quietly taken it down. Either way, I have no further responsibility to withhold this information and since there are still other major hidden services out there not taking basic security steps (such as forcing external data grabs to go through Tor), please remember I have many more sites to go through yet and nobody is untouchable from naming and shaming.

cthulhu@cthulhu:~$ echo -n "The Tor Carding Forum V2 at hidden service address ba6i2qxajcioadj4.onion and IP address will be seized by the British or Dutch police in the very near future. They have used no magic or special technical ability and Tor is not broken." | sha1sum | awk '{print $1}'


From 3rd February 2015: https://twitter.com/CthulhuSec/status/562549685802774528

Information was still correct up until the time of closure. This fuck-up was thanks to them not routing their external lookups through Tor. They also must not check the logs of their webserver given how often I performed this to validate it and it was never fixed.

A small, now benign release


As the following is now benign since it shut down earlier than expected, I feel no problem in releasing this. As far as I know they were a scam market and were being rounded up to tick up the numbers of onions that could be seized as part of the next bust. Ah well, one down, many more to go.

In relation to the following Tweet: https://twitter.com/CthulhuSec/status/572561507571142657

cthulhu@cthulhu:~$ echo -n "The Kiss Marketplace at hidden service address kissmpg5zave56f4.onion and IP address will be seized by the British or Latvian police in the very near future. They have used no magic or special technical ability and Tor is not broken. SALT VyKMK7mojPBlm1JpIGDtA5Zfc0x5ZOTLELqLxgupBpVq5mBnZzP4qcn" | sha1sum | awk '{print $1}'
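The sha1sum pipelines in this post and in the decentralisation post above are hash commitments: a digest is tweeted first and the message is revealed later. The following is an added example, not code from the original posts, that reproduces that check in Python. It covers the one detail that trips up verifiers (plain echo appends a newline before hashing, echo -n does not, so the two give different digests for the same text) and the reason the later commitments carry a SALT field: an unsalted digest of a short, predictable sentence can be confirmed by anyone who guesses the sentence, while a random salt revealed only with the message keeps the digest uninformative until then. Every message, salt and digest in the block is constructed for the demo; none is taken from the page, and the "<message> SALT <salt>" layout is assumed from the command above.

```python
"""Added example (not from the original posts): checking a revealed message
against a previously published digest, and building a salted commitment.
All messages, salts and digests here are constructed for illustration.
"""
import hashlib
import secrets


def digest(text: str, algo: str = "sha1", trailing_newline: bool = False) -> str:
    """Hex digest of text as the shell pipeline would hash it.

    Plain `echo` appends "\n" before piping into sha1sum; `echo -n` does not.
    The two conventions give different digests for the same message, so a
    verifier has to know, or try, both.
    """
    data = text.encode("utf-8")
    if trailing_newline:
        data += b"\n"
    return hashlib.new(algo, data).hexdigest()


def verify_commitment(text: str, published: str, algo: str = "sha1"):
    """Check a revealed message against a previously published digest.

    Returns "echo" or "echo -n" to say which convention reproduced the
    digest, or None if the message matches it under neither. A digest
    copied from a tweet may carry whitespace or upper-case hex, so it is
    normalised first.
    """
    published = published.strip().lower()
    if digest(text, algo, trailing_newline=True) == published:
        return "echo"
    if digest(text, algo, trailing_newline=False) == published:
        return "echo -n"
    return None


def make_commitment(message: str, salt: str = "", algo: str = "sha256"):
    """Build a salted commitment in the assumed "<message> SALT <salt>" layout.

    Without a salt, a guessable message leaks through the digest: hashing the
    guess confirms it. A random salt, kept secret until the reveal, removes
    that. Returns (text_to_reveal_later, digest_to_publish_now).
    """
    if not salt:
        salt = secrets.token_urlsafe(32)  # assumption: ~256 bits of randomness
    text = f"{message} SALT {salt}"
    return text, digest(text, algo)


if __name__ == "__main__":
    # Constructed message; its digest is computed here, not taken from the page.
    msg = "Example commitment: this sentence is constructed for the demo."
    published = digest(msg, "sha1", trailing_newline=True)  # as `echo ... | sha1sum`
    print(verify_commitment(msg, published))           # echo
    print(verify_commitment(msg + "!", published))     # None: one changed byte breaks it

    text1, commit1 = make_commitment("The same message", "salt-one")
    text2, commit2 = make_commitment("The same message", "salt-two")
    print(commit1 != commit2)                          # True: different salts, unrelated digests
    print(verify_commitment(text1, commit1, "sha256")) # echo -n
```

When checking a digest posted by someone else, run verify_commitment with the exact revealed text (including the trailing full stop and any SALT field) and let it report which echo convention was used; if neither matches, the text was altered or the digest belongs to a different message.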