Analysis of Nym VPN and its "guaranteed" privacy

I decided to create a new, more direct thread based on the following:
https://discuss.privacyguides.net/t/nymvpn-nym/25085/46

The point here is that I can’t find any real-world evidence backing up the company’s claims regarding their 5 nodes against high-level adversaries. I don’t want whitepapers or lab results; what I want is proof based on reality.

Does anyone in the community have this evidence so we can analyze it?

I left 5 questions for their support team on Telegram. No one has replied to my message, and I gave them a reasonable 5-day window so this wouldn’t drag on forever. If they don’t respond, it’s because they are hiding something.

A warning to those without experience: be careful with pretty words that lack any irrefutable backing.

ANALYZING NYM’S ARGUMENTS

A brief report citing public information.

1 - Basic patterns detected:

While our encryption standards are already extremely strong, we aim to make them post-quantum secure, staying ahead of emerging threats and ensuring digital privacy even in the face of evolving technology.
Source: https://nym.com/nymvpn-litepaper

-> The company trusts its encryption against new emerging threats, but forgets that high-level adversaries possess undisclosed, covert weapons.

c. not to engage in any actions aimed at manipulating network responses in a manner that could compromise the integrity and security of the Nym Mixnet or Nyx Blockchain.
Source: https://nym.com/operators-validators-terms

-> Asking node operators to comply with this is positive, but the NSA, for example, just laughs at Nym. Malicious actors (the NSA, the mafia, etc.) will ignore these rules and infiltrate the network, or are already infiltrated; each will operate according to their own agenda.

2 - Advanced patterns detected:

-> Not applicable. It is not fundamental to this service.

3 - Emerging dangers:

Two words - Privacy “guaranteed”.

-> There are high-level risks in placing blind trust in the Nym service without questioning it. People like me have absolute distrust toward Nym. What does this mean? The word “guaranteed” implies that privacy, in this context, is ensured 24/7, year-round, invisibly, just as Nym claims: “anonymous” based on 5 nodes. However, they forget that with even a single minor error, they will be held fully liable, directly contradicting their own Terms of Service.

Nodes run by “volunteers”.

-> Nym pays people for their work and for operating their nodes so that users can obtain privacy benefits. However, this is an open invitation to greater risks from veteran hackers, the mafia, etc., not only to get easy money but also to carry out operations of higher interest. Even if the network is difficult for attackers or unfamiliar to them at first, they will learn how it works if it’s something new, and will stealthily counterattack.

4 - Deep, multi-level reasoning:

-> Not applicable. It is not worth applying a higher level of analysis to this service.

---

I have not been able to find any real evidence backing up their use of the word “guaranteed” that proves the reality of their claims. Without actual, verifiable proof against high-level adversaries, such as those mentioned above, their arguments collapse under their own weight.

Warning: Any company that uses arguments like → “guaranteed privacy”, “guaranteed math”, “we guarantee you…”, etc., and similar phrases, is just using marketing with no basis in real-world facts.

So far, no one has replied to my message on Telegram, but they haven’t deleted it either. The CEO is right there answering basic messages from other people.

Am I the only one or do others feel this post is very passive-aggressive and that OP is writing this as saying (claiming) all that they are as if they’re the authority on the subject matter?

If you are the authority, then you’d have the maturity to even better and fully explain your claims and statements with how the tech works in simpler ways as one who is trying to educate and not one who is trying to “get” a company in a lie without proper and more detailed explanation.

There’s an etiquette involved here which I feel you’re ignoring willingly or unknowingly.

4 Likes

What “proof” are you even expecting?

Based on your comments in the other thread, you seem to be expecting some miracle solution that is both capable of providing anonymity while also being very fast. Like, transferring an 8 GB file over any network like this is gonna be slow.

Also, if this is how you wrote to their support, I’m not surprised they’re ignoring you.

1 Like

I came here expecting an exciting write-up about cryptography. I got a rant instead. I’m disappointed.

2 Likes

It reads like OP has made up their mind and is just looking for confirmation. I would call this ‘adversarial skepticism’. 😄

@CloakedNetizen :

Are you attacking me personally, or are you trying to figure out if Nym is lying or not?
If I were to explain it in deep, exhaustive detail, who would even read it? They’d ask for a summary, and I don’t do summaries.

@byesun :

So, you’re basically proving my point. If Nym can’t back it up when it’s a matter of life and death, their use of the word “guaranteed” is just hot air. Besides, it’s completely valid to ask tough questions, and they’re entirely justified because fear isn’t an option. And the fact that I was direct about it in public so everyone could see it isn’t something I just made up.

@Shampoo :

The one who has to prove it based on real-world facts is the company Nym, not me, since they’re the ones claiming it’s “guaranteed.”

1 Like

This isn’t a “tough question,” it’s a meaningless question. “What if I need to send 3 TB to someone in 5 seconds? I thought my privacy was GUARANTEED!!!”

In any case, the performance of the mixnet is poor. They’ve stated this themselves many times, and it’s something they’re working on improving. That does not mean it’s somehow not private. If you yourself choose to swap from the mixnet to the two-hop WireGuard setting, you are the one choosing to reduce your privacy in exchange for a faster transfer rate.

Whether there are enough nodes and whether they are decentralized enough is another story. Maybe they are, maybe they aren’t. But the way you’ve gone about this is ridiculous.

2 Likes

Burden of proof is on the accuser. Even more so in situations like this.

2 Likes

Well, in a sense, they guarantee that they use cutting-edge technologies: far more advanced than those listed in the Privacy Guides’ recommendations (for example, the Amnezia 2.0 protocol). The fact that the NSA can control most nodes doesn’t depend specifically on this provider; it affects all market participants. Don’t use nodes in jurisdictions that are easily controlled from the U.S.

1 Like

I think OP is looking for confirmation bias*

Glad I’m not the only one who noticed the tone and ignorance. I was going to explain the “questions” he had on the Nym thread but figured I’d just be losing time considering the mindset of OP here.