The Traceless Web3 PlexiMail

All Phishing Attacks Are Social Engineering in Origin

Many of us have some experience with internet scams. It is hard to collect statistics on scams inflicted on ordinary consumers, as the reporting mechanism is generally lacking. In the business environment the statistics are much easier to come by, as the financial losses due to ransomware and business interruptions are so damaging to the bottom line that dedicated IT professionals are carefully keeping tabs. Most of the attacks start when a victim clicks on a phishing email while their guard is down. More than 50% of IT decision makers state that phishing attacks represent a top security concern. Weaknesses in security policies, processes and infrastructure enable phishing threats to reach end users, along with ineffectual training intended to instill cyber security awareness in employees. Let’s look at some of the appalling statistics: Roughly 15 billion spam emails make their way across the internet every day. In 2021, 83% of organizations reported experiencing phishing attacks. In 2022, an additional six billion attacks are expected to occur. Last year, roughly 214,345 unique phishing websites were identified, and the number of recent phishing attacks has doubled since early 2020. Thirty percent of phishing emails are opened. This increases the probability of an individual unintentionally clicking on a malicious link or downloading a compelling-looking document that’s laced with malware. Forty-two percent of workers self-reported having taken a dangerous action (clicked on an unknown link, downloaded a file, or exposed personal data) while online, failing to follow phishing prevention best practices. Roughly 90% of data breaches occur on account of phishing. According to the FBI, phishing attacks may increase by as much as 400% year-over-year. IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organizations an average of $4.65 million.
I am running out of time to continue this list of miserable statistics.

It is difficult to know where and how those bad actors operate and exactly how much they know about us, but we all were shocked to learn the amount and details of information they have on us. The so-called attack surface probably includes the usual suspects like Facebook, Instagram, TikTok, Amazon, emails, gaming sites, etc. Since we are not able to pin down the source of the attack, it stands to reason that we are still continually feeding our life stories to those nefarious actors as we carry on living our lives on the internet. Living without those “attack surfaces” is simply unimaginable. Living off grid is even less likely. Now, in addition to the nagging dread of constantly being watched, we are upset at ourselves for literally keeping our profile regularly updated for all to see from the dark side of the internet by simply staying online. We must start reducing our internet exposure in order to cut future losses.

Most IT professionals blame “Weaknesses in security policies, processes and infrastructure enable phishing threats to reach end users, along with ineffectual training intended to instill cyber security awareness in employees.” With this attitude, we might as well throw in the towel in this fight. It is the moral equivalent of asking teenagers not to play video games or watch TikTok. Phishing is an attack through social engineering, which is so rooted in our culture and human nature that fighting it is futile. The root cause stems from the fact that it is difficult to separate what is invited from what is not. The line between public and private contacts is difficult to draw. We at PlexiMail are advocating a new paradigm so we can shift our focus and target our efforts in a more effective way to avert this losing battle.

PlexiMail aims to offer a truly secure email such that everyone can click on anything presented through PlexiMail without much anxiety or drama. The email medium is chosen due to its ubiquity, offline delivery and easy targeting. We will be able to build up, or more accurately, rebuild our private email contacts from the ground up. Phishing may become a thing of the past as our newly crafted contact list would eliminate spam in a protective sphere which individuals build around themselves. There will be no bad actors watching over our shoulder while we write pleximail to our friends and family. will be everyone’s go-to email “When it absolutely, positively has to be there privately”. Spam and phishing will continue to flood our “public” email accounts, but PlexiMail offers everyone a safe haven so we don’t have to agonize over whether to click or not within this new shield. Businesses may also have much leeway to enforce policies on what is public and what is private.

If Something Is Free, You Are the Product

During the discussion of privacy protection, the elephant in the room is clearly those service providers which conduct surveillance on us behind their free offers. Worse yet, their databases are the most alluring low-hanging fruit for hackers. Big tech service providers frequently lose their amassed data to hackers without much consequence. They are also honeypots for search warrants, justified or not. Those big techs are too big to fail even under GDPR, which is simply an attempt to close the barn door after the horse has bolted.

The Serverless Web3 Transformation

Along came the Web3 transformation based on the blockchain technology, which is reinventing many public services by breaking them down into elements built into the blockchain. The blockchain can be pictured as a universal computer shared by all humanity with virtual instances replicated over a large number of hosts across the globe. Any data in any one of the hosts lives in a block embedded on a super long ever growing chain. Compromising a block on the chain requires alteration on the majority of the hosts. The last count of active hosts for Ethereum blockchain is over 8000, which is so spread out over just about all the sovereign countries that it is believed to be impossible to compromise by any dark powers, including those 3-letter agencies.

Blockchain is based on the Public Key Cryptography (PKC), a type of cryptography that uses a self-generated pair of keys, one public and one private, to encrypt and decrypt messages. The public key can be freely shared with anyone as your PlexiMail address, while the private key must be kept secret and protected by individual holders. However, in order to be transparent to all participants, the universal blockchain computer can’t keep any secrets except those private keys kept by individual users for authentication purposes. To remedy this lack of privacy, PlexiMail implements its security in a so-called Smart Contract to extend the narrow blockchain function for privacy protection. It also keeps many identity and encryption keys in the same safe or wallet containing their private keys. PlexiMail adopts the blockchain technology not to speculate on the cryptocurrencies or NFT, but only to take advantage of its decentralized and trustless properties.

Blockchain and Smart Contract Are Not Free

A user needs to make a one-time direct payment to the Ethereum blockchain for establishing their new PlexiMail identities of total obfuscation and zero trackability. To register your new PlexiMail identities would cost you some real money, which is around 2 to 3 US$ per Ethereum account as of the beginning of 2023. We’d consider this a bargain for a defense that stops us from perpetually leaking metadata to the underworld. “Security is relative, privacy is absolute”. Be leery of any free services making non-recoverable damages to your identities. Other than that, the PlexiMail software and all non-blockchain components are offered for free. Hopefully, the rest of the maintenance cost can be met by donations.

However, before you pay for registering your accounts on the Ethereum blockchain, you may test the waters by first setting up and sending/receiving PlexiMail on a trial environment, commonly referred to as a “testnet”. Currently PlexiMail recommends “Goerli” for testing. Depending on the wallet you adopted originally, all your PlexiMail contacts, activities and transactions are relative to your chosen network. You can’t reach anyone outside of this Goerli testnet once configured as such. Note that these testnets are for practice only. The various PlexiMail datasets on the testnet are not guaranteed to stay forever. A testnet does not have the protection and permanency of a real blockchain. To get the real protection promised by the blockchain you must be working through the Ethereum Mainnet, which costs real money. Other than the cost, all available networks behave pretty much the same.

The Learning Curve

So, what’s the catch?  To start, there is a small learning curve to wade through. This ought to be expected as PlexiMail is implemented with the latest blockchain-based Web3 technology, which is all the rage these days but yet to be widely adopted.

To take advantage of this latest technology, you must be versed in the following:

  1. Adopting a new set of identities: Make a new start and desist from all past identities contaminated by uninvited surveillance in the past. Expect no badges assigned by any third parties; create your own based on the blockchain addresses and keep them in a wallet. Re-establish your circle of trust one partner at a time the old-fashioned way through the TOFU (Trust On First Use) process.
  2. Acquiring your own web3 storage space: To be provider-less and trust-less, you must be self-reliant. There are plenty of Web3 resources for your assistance. Web3Storage is our choice.

Those terms in bold above are the only hurdles to clear. They are a mouthful but not difficult to grasp, just unfamiliar to most of us who are utterly steeped in the Surveillance Capitalism.

PlexiMail claims to be trustless in the sense that it involves no big tech such as Gmail and Outlook or any third parties. It is provider-less and therefore account-less. So, instead of signing up for an account with a service provider looking over your shoulder, you are in charge of your own PlexiMail identities and answer to no one.

To benefit from this new architecture, first, you need to supply a set of new PlexiMail identities, which are void of any PII. You will hear this term PII many more times as we go along. It stands for Personally Identifiable Information, or put differently, it is what is necessary to track us. Examples of our PII include our phone number, driver license number, passport ID, credit card numbers, email addresses, Twitter account or @handle, Google ID, etc., any of which can lead directly to who you are. Your new PlexiMail identities look like the following:

Don’t be bothered by how unwieldy this address looks. We provide a couple of tools for you to easily pass it around. Notice that your new PlexiMail identities have not been contaminated by the dark forces, and PlexiMail takes pains to make sure it stays that way. Those new PlexiMail identities are freshly minted by taking the public key part of the self-created PKI key pairs, which are managed through a crypto wallet. Second, you register your new identities to the blockchain to prove that you are in possession of the private key of the key pair. Once your ownership of the address is established, you then announce your contact information through the same blockchain address to those personally admitted into your circle of friends. This registration process involves no PII, without which PlexiMail can gain no surveillance capabilities. Similarly, no one can spam you without knowing what and who you are.

With this provider-less paradigm comes a new set of responsibilities. Your new PlexiMail identities are protected on a blockchain in a way technically similar to an NFT. To work with the blockchain, you safekeep all your PlexiMail identities in a Wallet, just like what we normally do in carrying our cash and driver license in a wallet. Similarly, you need to somehow provide your own storage space to store your emails, for there are no more service providers to supply it. Getting your own cloud storage space was normally a hassle in the past, but the recent advances of Web3 and the NFT craze have ushered in a new age of decentralized storage services. This cloud storage requirement of PlexiMail is easily met with the Web3.Storage offering. PlexiMail incorporates both the wallet function and the cloud storage from various external sources but still allows the flexibility to mix and match with new solutions as they come along in the future. Before we can start adopting PlexiMail, we need to understand how the wallet, and the Ethereum blockchain all fit together, with Ethereum as the trustless counterpart of the “servers” in the traditional service-provider-centric architecture. On the user side, there is a web-based “fat” client that pieces all the decentralized cloud elements together, allowing us to pass emails around effortlessly in the brave new world of PlexiMail.

The best way to shorten the learning curve is to understand the foundational elements of PlexiMail. The first part of this presentation is mostly conceptual.

So You Want a Thing Done Well

Being trustless, supplying no storage and operating without a provider, PlexiMail sounds more like a simple self-service delivery scheme than a service. It turns out that this is not too far off what PlexiMail actually offers. PlexiMail lives by the motto “If you want a thing done well, do it yourself.” This is particularly cogent when privacy is at issue. As a matter of definition, privacy and so-called third party services don’t mix. For privacy protection, there isn’t much option other than engaging ourselves more in managing our own private affairs. There ain’t no such thing as a free lunch. You need to be self-sufficient and independent in order to construct a protected sphere around your identities.

Many are pleasantly surprised that there isn’t that much more work than with traditional emails as far as the daily PlexiMail operations go. If anything, you actually save time by not having to attend to any junk mails. And the peace of mind is priceless while working within the private and safe PlexiMail community personally built up by you to fend off undesired intrusions.

Even so, the initial configuration setup is a bit overwhelming when we are faced for the first time with unfamiliar concepts like blockchain, the provider-less infrastructure, the wallet, Web3 and the “tokenized” cloud storage. Once we get over those conceptual hurdles, everything falls out naturally. Actually, it’s not just all work and no play. A pleasant upside is that there is no upper limit on the size of our pleximails as long as there is room in your self-funded storage, as you are the master of your own private storage. This feature is highly valued by those who frequently send large emails.

Now, a bit of historical background I’ve gathered from using PlexiMail.

Misnomers, Misnomers and More Misnomers

Most of us don’t pay for the E-Postcard service, as the E-Postcard service providers like Gmail, Outlook, Yahoo Mail, AOL, etc., have totally figured out how to monetize the service. It is an open secret that they constantly keep our operations under surveillance, package what they find and peddle our private data to advertisers on the open market. It is the economic backbone of Surveillance Capitalism. This kind of “free” email service offers zero privacy, which is clearly stated in the Terms of Service and “accepted” by us at the time of account sign-up. We are very clear-eyed about this bargain, but with very limited understanding of what’s behind the curtain.

It took the Internet 30 years to catch up with the post office in offering the “Secure EMail”, with the content enclosed in an envelope sealed through encryption. This is again another misnomer. The more accurate description of it is actually simply the “EMail”, a digital equivalent of the traditional letter services. Notably, the increasingly popular “Secure EMail” vendors almost always charge for their services, as it is more difficult for them to spy on their subscribers for financial gains, due to either designed-in technological hurdles or contractual restraints that make it difficult to engage in surveillance capitalism. It is just more difficult for them to conduct surveillance.

Are those popular “Secure Email” services the last word in the secure delivery of emails? The answer is emphatically a no. The time of sending, the communicating parties, the route of the delivery and the destination are all openly displayed on the envelope, based on which the service providers and snooping hackers can compile a clear picture of the contact map and the frequency of interactions of those involved in the communication. Emails are a critical source of inputs to this spider’s web of social graphs, the bread and butter of surveillance capitalism, which every single one of us is snared by.

Luckily Edward Snowden does not show up on my social graph (not directly at least) and there is no one in Iran I correspond with. However, even without the capability of peeping into your messages, knowing your circle of email friends collected over an extended time tells a lot about you. This "relationship map" is part of the metadata, which describes all your social footprints and digital associations through emails collected over an extended period of surveillance. Obviously you don't want any "third party" to learn of your visiting a psychiatric clinic, dropping by a battered women's shelter, booking a hotel room next to a Las Vegas casino, or contacting your counterpart at the other company in a merger negotiation. If Edward Snowden were among your correspondents, you would be on NSA's radar screen instantly.

Nothing to Hide, but Everything to Lose

This gradual loss of privacy brings about the crisis of losing our relationship map, which becomes increasingly exposed to all kinds of bad actors. Around 65% of cybercriminals have leveraged spear phishing emails as their primary attack vector of late. Social engineering attacks are the most prevalent and dangerous types of cybercrime that organizations around the world are currently facing. According to Verizon’s 2022 Data Breach Investigations Report, the majority of social engineering attacks are delivered by email. Our continued loss of privacy through emails feeds squarely into this worrisome trend. Our social graph in the parallel world of the dark net increasingly gains accuracy and precision as most of us merrily help update the map voluntarily daily without fully realizing the consequences. Without protecting our metadata we are rapidly losing “our right to act free”.

Most of us have nothing to hide, but everything to lose. We all harbor the same wishful thinking in expecting our providers to shield us from leaking any metadata in order to protect our innocence. Clearly that can only be achieved over their dead bodies, literally, since they subsist almost entirely on our metadata. We need to have a safe harbor for our private virtual lives, far from the madding crowd around the big techs. This is a binary proposition, to coexist with the big techs. We don’t want to throw the baby out with the bathwater. We are advocating to render unto Caesar only the things that are Caesar's., the sponsor of PlexiMail, offers just such a parallel metaverse for us to roam freely. It protects your email metadata, the materials that your social graph is made of. PlexiMail is a new breed of email. The traditional service-provider-centric email providers simply are not capable of providing the protection for our metadata for reasons already explained. We have tried to explain how critical the protection of your metadata is. We also want to recommend a YouTube channel “Rob Braxman Tech” that is dedicated to exposing the cyber threats to our privacy and to offering practical advice to counter them. In the PlexiMail website you will find a link to one of its representative programs about metadata. It is quite insightful and informative.

Technically, the number one value of email providers to us is the cloud storage offered to us for “free”. Equally valuable is the “federated” infrastructure jointly maintained by all the traditional email providers. We can email anybody as long as they have a valid public email address, including all our friends and partners regardless of the email domain they belong to. Our email addresses have become an important part of our PII (Personally Identifiable Information). We delegate their preservation and protection to our chosen service providers. This reason alone will continue to keep us attached to the traditional email infrastructure, even when the blockchain is rapidly gaining momentum and the cost of cloud storage continues its downward trend. The traditional email community is here to stay for the foreseeable future as being part of a deeply ingrained social fabric for netizens. It is neither realistic nor correct to contort those public services into something they are not as far as our privacy is concerned. What we need is a secured and separate infrastructure designed to work where we don’t want our PII revealed and our metadata exposed, which clearly must not overlap with the traditional email services.

OK, enough of the background stuff.

Re-Construct Your Social Map thru TOFU

So, a PlexiMail sent from 0x… to 0x… really doesn’t reveal the real identities or the PII of either the sender or the recipient(s). The critical issue is how to inform your friends and partners that that long unintelligible hex string is actually you. Well, you do this one friend at a time through the TOFU protocol, MANUALLY. TOFU (or Trust On First Use) is simply a private exchange of contact information between you and your partners without relying on any third parties. The more “manual”, the more private. It is suggested to conduct this manual person-to-person TOFU protocol “out of band”, namely through a messaging application other than PlexiMail itself, such as phone calls, instant messenger, traditional email, etc. This “out of band” exchange of pleximail addresses may sometimes become a hassle and an attack surface if not done correctly. PlexiMail offers an encrypted “Address Token” for assisting in this process, which encodes the long address string into a QR code with an optional passcode so that it can be openly passed around between pleximail correspondents. You can even send a PlexiMail through our bridging function (by simply specifying a traditional email address) with your address embedded, in which case you trade off some metadata for convenience.

Privacy is the state of being free from public attention. Once the PlexiMail addresses are set up, you are in the driver’s seat in demarcating your social network constructed through PlexiMail from unwanted public attention.

As far as PlexiMail goes, it serves only as a simple monitoring agent for TOFU, displaying the warning message as in the above reminder screen whenever the correspondents contact each other for the first time. A similar warning is triggered again if a change in the “signatures” is detected, which usually occurs when the other party has changed their phone. In the PlexiMail ecosystem, you are the puppet master, the phantom of the pleximail opera and the wizard behind the curtain. This property also makes it easy for you to obtain multiple identities, one for each application scenario. PlexiMail has no idea who you are, by design. It is not possible to extract any of your PII from the PlexiMail environs, full stop.

Lastly, you need to acquire the so-called Web3Storage from the website The Web3 storages are frequently described as “tokenized”, with FileCoin as the leading provider. Mediated by services like FileCoin, the tokenization technology allows individuals to acquire their needed cloud storage from any number of sources. Once acquired, the allocated storage may be accessed through a standard interface without worrying about its location, connectivity, hardware characteristics, persistency (file backup and redundancy specification), etc.

The PlexiMail WorkFlow

Now a bit of gory details about how PlexiMail operates.

Before being able to send and receive pleximails, both Alice and Bob need to register their PlexiMail addresses to the PlexiMail Root Registry to establish their PlexiMail identities and supply the relevant contact info. This registration is carried out through the Smart Contract, which is labeled simply as “Ethereum” in the diagram. The Root Registry is where the PlexiMail addresses are managed and all dynamic session logic and keys are stored. The Root Registry is an extension of the Smart Contract and maintained “off chain” due to its size and allowance for flexible deployment. The adoption of the Ethereum Smart Contract makes the Root Registry logic completely transparent and eliminates any Cloak & Dagger attacks or Invisible Grid vulnerability on the server side.

In this example workflow of the PlexiMail, Bob is the sender and Alice is the recipient. Before they can correspond with each other, both must have established their PlexiMail addresses and declared their contact information on the Root Registry through the Ethereum Smart Contract, as already noted. The Root Registry works like an address authenticator and session directory but positively contains no PII (or Personally Identifiable Information). Most importantly, the association of Alice and Bob the persons with their respective pleximail addresses is considered PII and NOT managed through PlexiMail. For Bob to find out Alice’s PlexiMail address, he must personally contact Alice in order to establish the TOFU. This TOFU protocol is carried out in 3. Note that TOFU is conducted outside of the PlexiMail workflow. As far as the Root Registry is concerned, all addresses are anonymous and/or pseudonymous.

In 4, prior to Bob’s sending an email to Alice for the first time, he retrieves all relevant data required to contact Alice from the Ethereum data store and the Registry. He then asynchronously negotiates an end-to-end Signal encryption session with Alice, who need not be online. In 5, Bob places his mail content in his own private Web3Storage and pushes his notification to Alice, with the decryption key authorized only to Alice. Finally in 6, on notice, Alice retrieves the content from Bob’s private storage. She decrypts the content only after verifying the various TOFU parameters.
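
The TOFU monitoring described earlier (a warning on first contact and again when a correspondent's "signature" changes) and Alice's verify-before-decrypt step in 6, shown as an added JavaScript example; it is not PlexiMail's code. The class and method names, the 32-byte hex identity key, and the rule that a pin must be confirmed out of band before decryption is allowed are assumptions, and the address and keys are constructed sample values.

```javascript
// TOFU (Trust On First Use) monitor for contact identity keys.
// Added illustration: TofuMonitor and its methods are hypothetical names,
// not PlexiMail's API.

const ADDRESS_RE = /^0x[0-9a-f]{40}$/; // Ethereum-style address: 20 bytes of hex
const KEY_RE = /^[0-9a-f]{64}$/;       // assumption: 32-byte identity key, hex

// Lower-case and validate a hex value so that mixed-case copies of the
// same address or key cannot create a second, unpinned entry.
function normalize(value, pattern, label) {
  const v = String(value).trim().toLowerCase();
  if (!pattern.test(v)) throw new Error(`malformed ${label}`);
  return v;
}

class TofuMonitor {
  constructor() {
    this.pins = new Map(); // address -> { key, verified, pendingKey }
  }

  // Classify an (address, identity key) pair. An existing pin is never
  // overwritten here: a changed key is only parked as pendingKey.
  check(address, identityKey) {
    const addr = normalize(address, ADDRESS_RE, 'address');
    const key = normalize(identityKey, KEY_RE, 'identity key');
    const pin = this.pins.get(addr);
    if (!pin) {
      this.pins.set(addr, { key, verified: false, pendingKey: null });
      return { status: 'first-use', warn: true };
    }
    if (pin.key !== key) {
      pin.pendingKey = key;
      return { status: 'changed', warn: true };
    }
    return pin.verified
      ? { status: 'trusted', warn: false }
      : { status: 'unverified', warn: true };
  }

  // Called only after the user has compared the key with the contact over
  // a separate channel. Accepts the pinned key or the parked replacement;
  // any other key is refused.
  confirm(address, identityKey) {
    const addr = normalize(address, ADDRESS_RE, 'address');
    const key = normalize(identityKey, KEY_RE, 'identity key');
    const pin = this.pins.get(addr);
    if (!pin || (key !== pin.key && key !== pin.pendingKey)) return false;
    this.pins.set(addr, { key, verified: true, pendingKey: null });
    return true;
  }

  // Gate for decryption: only a confirmed, matching pin passes.
  mayDecrypt(address, identityKey) {
    return this.check(address, identityKey).status === 'trusted';
  }
}

// Constructed sample values (not real addresses or keys).
const ALICE = '0x' + 'a1'.repeat(20);
const KEY_OLD = '11'.repeat(32);
const KEY_NEW = '22'.repeat(32); // e.g. the contact moved to a new phone

// Run a batch of incoming notifications through the monitor.
function screenInbox(monitor, notifications) {
  return notifications.map((n) => monitor.check(n.from, n.identityKey).status);
}

function demo() {
  const monitor = new TofuMonitor();
  const first = screenInbox(monitor, [{ from: ALICE, identityKey: KEY_OLD }]);
  monitor.confirm(ALICE, KEY_OLD); // user verified the key out of band
  const later = screenInbox(monitor, [
    { from: ALICE.toUpperCase(), identityKey: KEY_OLD }, // same pin, other case
    { from: ALICE, identityKey: KEY_NEW },               // key changed: warn
    { from: ALICE, identityKey: KEY_OLD },               // old pin still intact
  ]);
  return first.concat(later);
}

console.log(demo());
```

The changed key stays parked until `confirm` is called with it, so a substituted key alone can never replace the pin or unlock decryption.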

The Full Circle

In summary, your PII identity and your contacts are hidden, the content is stored and protected in your own private Web3Storage and the recipients are notified privately by you through an opaque channel. This is how all the metadata is kept out of sight and recognizable only among your friends and partners. We believe we can all agree this is pretty close to what we understood as privacy from the beginning of human society.

Note that the “From:” part is displayed symbolically based on the privately maintained Contacts list. The menu list is expanded here to show the “Settings”.

PlexiMail takes advantage of our familiarity with the email services in designing its user interfaces. The homepage or “connect page” or PlexiMail Application page looks familiar, just like a standard no-frills email client. The site is actually just a download site. Once downloaded, there is no service provider behind the curtain to handhold you through your operations. The Ethereum Smart Contract and the downloaded script on your browser are the only components involved in the PlexiMail operations.

On the upper rightmost corner, the subtitle “Goerli” indicates the network you are running from currently. In this case it is a testnet for Ethereum blockchain. Depending on the wallet you adopted originally, all your PlexiMail contacts, activities and transactions are relative to this selected network. You can’t reach anyone outside of this Goerli testnet once configured for it. Again, as previously explained, any testnets are for practice only.

The drop-down menu will take you to a list of runtime options. The hex text string displayed above the selected network is the PlexiMail account address. The “Contacts” icon manages the addresses and symbolic names/ids of all your PlexiMail contacts. It is pulled out of the “Settings” as one of its most used functions.

Since the pleximail address is represented by a long hex string, which is unwieldy, and a hassle to pass around, it can be turned into an “Address Token”, that is a generated file containing the PlexiMail address encoded into a QR code. An Address Token may be scrambled with a passcode to protect its transmission. It can be entered into the Contacts list by scanning it in.

To send someone a PlexiMail, you click on the “Compose” button to get to the New Message screen. To specify the recipients, you can enter either the straight pleximail addresses in hex format, a name from the Contacts or a QR code or Address Token for scanning it in. The QR code scanning function works in both this Compose screen and that in the Contacts.

As previously mentioned, there is no upper limit on how much data you can send. Its size is constrained only by the amount of Web3Storage you own. This is a side benefit for owning your own storage space.

The Bridge

In addition to emailing your PlexiMail contacts, you may take advantage of the “bridging” function to send emails outside of the domain by entering a public address as the “To:” data. However, sending emails outside of the domain potentially may expose your PlexiMail address and/or the metadata, even if they are through a VPN or the Tor network before reaching the forwarding server. This is why there are many restrictions on bridged delivery. Use the bridging function only to suggest to your friends and family to also adopt PlexiMail in order to extend your circle of PlexiMail Contacts.

The PlexiMail Live on USB

(Coming Soon)

Absolute security is a false narrative, but frequent running of virus scanners, judicious use of Incognito mode, segregating your accounts as per applications, adopting Tor, accepting platform updates promptly, changing passwords, etc., would drastically reduce your exposure to cyber attacks. The PlexiMail, once downloaded, runs within the bounds of the browser sandbox. The is just a download site protected by TLS. For those PlexiMail users not comfortable with only the browser sandboxing or questioning the authenticity of the downloaded software, they may go to the site directly to download or verify the code checksum, which is also available at the open source site for PlexiMail on github.

As an open source project, it also offers a “Live PlexiMail” on a USB stick that is based on the Tails Linux, bootable from any WinTel platforms. Tails is a portable operating system that protects against surveillance and censorship. It is highly recommended by Edward Snowden. It is stateless and therefore immune to theft and physical damages. The content on the USB is only the downloaded PlexiMail software, which is activated only after entering the application password that authorizes the access to the session data backed up previously. The PlexiMail application package is completely buildable from the ground up based on its open sources in Github. It is originally offered in preparation for security audit and for full auditability. Building your own PlexiMail helps eliminate the “supply chain attacks” and can also be configured with its own Wallet technologies or PlexiWallet which is considered more secure than most hardware crypto wallets by taking advantage of hardware redundancy. You may find more details about this magical wallet at the website under the blog heading “Counterseal Wallet”. By the way, in the above picture the USB live version of PlexiMail is designed to inject into the Secondary Seal position.

Traceless PlexiMail Payments

(Coming Soon)

Another tricky issue PlexiMail has solved for you is how to anonymously fund your PlexiMail accounts/addresses. Most crypto exchanges enforce KYC, which throws away the anonymity of your addresses if you fund your crypto account with credit card or other payments with PII attached. You may work around this issue by using cash or a cash card, which is a hassle if the amount is small. To eliminate this trackability of your credit cards or other payment methods, PlexiMail offers a refill service in two steps: first it converts your PII-contaminated payment into PlexiMail tokens, which is basically a modified e-cash scheme generating a set of non-trackable PlexiMail tokens. Once you have received the PlexiMail tokens, you can take your time to spend those tokens to fund your PlexiMail addresses/accounts anonymously through the Ethereum blockchain. The tokens you have received are minted just like cash and cannot be linked to your PII. Note that this is assuming that you don’t use these addresses as transaction accounts on Ethereum, which immediately loses their anonymity.

This anonymizing service is described in more detail under the heading of “Tokens” on the portal page of

Recovery and Account Ownership Monitoring

A PlexiMail user can present themselves with multiple “identities”, each of which originates from an Ethereum blockchain address usually meant to serve a particular application scenario. Each self-managed PlexiMail identity is internally maintained by its configuration database accessible through a lock involving two parameters:

  1. The PlexiMail address and its corresponding key-pair
  2. The Password

This configuration records all the sessions and all the emails exchanged with the underlying identity. All historical emails and their associated session descriptors are recorded in the identified configuration database. This track of historical email data will go on indefinitely until its configuration database becomes inaccessible, usually due to a hijack attempt, loss of devices or the loss of the password.

Item 1 must not be lost. Losing the private key is the same as losing the ownership of your PlexiMail address. Item 2 coupled with item 1 defines your PlexiMail identities and other related channel data. Two identities with the same address but different Passwords are handled as a hijacking event. The person with the original first Password would discover this hijacking incident and need to react to it accordingly.


We have reached the end of this introduction to PlexiMail. If you’ve managed to follow along, you should be sufficiently equipped to complete the configuration process on your own without much difficulty. There is a demo screencast at for those who want to configure their own for trying out the app. Enjoy.