I have spoken about this matter on the roundtable already, but that information stays on the vendor roundtable for now. For the claims of Prof, if he believes I simply bought the information from a third party then he is gravely mistaken, as we still have the logs sending requests to the site and I stated several days before release we held a lot of data. It is however nice to see Prof's statement in deteriorating English come through when he is under stress; that would perhaps explain where the coding from his shopping cart comes from. Don't poke the bear, it will bite, and the only person being dishonest in this situation has already been shown.

If anyone doubts anything about this exploit, nationchemz has already repeated it himself after figuring out just how basic this attack is. The story about another person asking for a bounty could be true, but it wasn't us for sure, and if anything it only highlights that Prof has been aware of the exploit for some time now, and since nationchemz managed to replicate it, it is clear the "fix" of it is not true.

Protip to all other hidden services - if you are going to hardcode some guard nodes into your server then actually change them once in a while, because once we know your guard nodes then it is trivial to find your IP under a DOS attack. This applies because even if you are in a virtual environment while we cannot retrieve the server IP, simply watching the guard nodes and correlating the traffic is simple work.