don't advertise a single bitcoin address
Right now we advertise a single Bitcoin address on the donate page:
(Well, technically, there are many: one per altcoin, but it's always the same, per altcoin.)
Because of this, we can tell how much money was paid to that address. For example, looking at that page:
https://www.blockchain.com/btc/address/bc1qtt04zfgjxg7lpqhk9vk8hnmnwf88ucwww5arsd
... we can tell that account received 10.87363514 BTC ($457,737.41), and has a current balance of 0.00025257 BTC ($10.64).
I don't think we want those numbers to be that public. Maybe we don't care, because those end up in our annual reports anyways. But I think there are other, more serious issues at play here. Take the last transaction for example:
https://www.blockchain.com/btc/tx/e99d13972e0ee51575222e09f86aceeb2cd868951cc676e60ef683cffc765b56
"At the time of this transaction, 0.00653778 BTC was sent with a value of $278.10. The current value of this transaction is now $275.38."
So someone sent us $300, great! (You should also appreciate how the actual value of that transfer fluctuated in the one hour since it was made, but that's not the point.)
That was paid from this wallet:
https://www.blockchain.com/btc/address/bc1q8zrxl2lk66llzrhduqjg7qkpwlxjcyhr9em7yn
That is an ... interesting wallet:
"This address has transacted 12,052 times on the Bitcoin blockchain. It has received a total of 92,529.64257253 BTC ($3,898,153,553.05) and has sent a total of 91,069.01833338 BTC ($3,836,619,352.66). The current value of this address is 1,460.62423915 BTC ($61,534,200.38)."
You read that right: that wallet currently holds more than a THOUSAND bitcoin, for a value of more than sixty million dollars!
If I were that person, the last thing I'd want is someone being able to tell who I'm transferring money to and why.
And this is just scratching the surface. There are many more things we can do from here: people have been able to deanonymize transactions and wallets like this pretty effectively by doing all sorts of tricks, which I'm less familiar with.
The blockchain is public, that's the whole thing here. I understand that. But we don't have to deanonymize people that way: we can (and should) generate bitcoin addresses on the fly. This is what BTCPay Server does, and I don't quite get why we have those addresses there.
It seems like a huge honeypot to me.
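One way to generate a fresh receiving key per donation without keeping any private key on the web server is BIP32 non-hardened public derivation, sketched below as an added example (not code from this issue or from BTCPay Server). `DEMO_K` and `DEMO_CHAIN` are constructed values, the helper names are hypothetical, and encoding the child public key into an address is left out.

```python
import hashlib, hmac

# secp256k1 parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt=G):  # double-and-add; not constant time, demo only
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def ser(pt):  # compressed SEC1 encoding of a public key
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def _tweak(K, chain, i):
    if not 0 <= i < 2**31: raise ValueError("non-hardened indexes only")
    I = hmac.new(chain, ser(K) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    t = int.from_bytes(I[:32], "big")
    if t >= N: raise ValueError("invalid index, skip to the next one")
    return t, I[32:]

def ckd_pub(K, chain, i):  # donation server: public parent -> public child i
    t, child_chain = _tweak(K, chain, i)
    return add(mul(t), K), child_chain

def ckd_priv(k, chain, i):  # offline wallet: private parent -> private child i
    t, child_chain = _tweak(mul(k), chain, i)
    return (t + k) % N, child_chain

# Constructed demo parent key and chain code; never use for real funds.
DEMO_K = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
DEMO_CHAIN = hashlib.sha256(b"constructed demo chain code").digest()
```

The server would call `ckd_pub(mul(DEMO_K), DEMO_CHAIN, n)` with a new `n` per donation; only the offline wallet ever needs `ckd_priv` to spend.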