CryptoRoad.it

Privacy in crypto: tools, compliance, and legitimate use

Information guide. Updated February 15, 2026.

Privacy is not anonymity, and anonymity is not evasion. This distinction is crucial to understanding the privacy debate in crypto — and to understanding which tools are legitimate, which are risky, and which have been sanctioned. The blockchain is pseudonymous by default, not anonymous: every transaction is permanently visible to anyone.

Why privacy is relevant even for those who have nothing to hide

A fully transparent blockchain exposes information that in any other financial context would be private. If your on-chain address is known, anyone can see every transaction, every balance, every protocol you’ve used — today and in the past. This transparency can be exploited for targeting (personalized scams based on visible on-chain assets), for competitive pressure (a company revealing its treasury movements) or simply as a violation of personal confidentiality.

Financial privacy — the right to transact without every detail being public — is considered a fundamental right in many jurisdictions. The European GDPR applies to personal data; even if blockchain addresses are pseudonymous, when they can be associated with real identities they become personal data. The tension between blockchain transparency and user privacy is one of the most important open questions in the industry.

On-chain privacy tools: overview

Monero (XMR): privacy by design

Monero is the cryptocurrency with the most robust set of privacy features among those with real adoption. By default, each transaction uses RingCT (hides the amounts), ring signatures (hide the sender among a set of decoys), and stealth addresses (hide the recipient). The result is that, even with full access to the blockchain, it is computationally very difficult to trace the sender, recipient or amount of a transaction.

The cost of privacy: Monero transactions are larger in bytes (higher fees), do not support complex smart contracts, and have less liquidity on exchanges than Bitcoin and Ethereum. Several exchanges (Coinbase, Kraken) have delisted XMR due to regulatory pressure. As of February 2026, XMR remains available on P2P exchanges and some non-KYC exchanges.

Zcash (ZEC): selective disclosure

Zcash uses zk-SNARKs to enable shielded transactions with full cryptographic privacy. The mechanism is technically more advanced than Monero: zero-knowledge proofs mathematically prove the validity of a transaction without revealing the data. The distinctive feature is selective disclosure: the user can choose to reveal a specific transaction to a counterparty (e.g. a tax auditor) without revealing the others.

The practical limitation: most Zcash transactions occur in “transparent” mode (similar to Bitcoin), not shielded. Adoption of cryptographically strong privacy remains low for reasons of usability and computational weight.

Tornado Cash and the regulatory consequences

Tornado Cash was a mixer on Ethereum that allowed you to break the link between sending and receiving addresses by depositing and withdrawing ETH/ERC-20 from an anonymous pool. In August 2022, OFAC (Office of Foreign Assets Control, USA) sanctioned Tornado Cash smart contracts — a historic precedent because for the first time, immutable contracts, not people or entities, were sanctioned.

Co-founders Alexey Pertsev and Roman Storm were arrested. Pertsev was sentenced in the Netherlands to 5 years and 4 months in prison in May 2024 for money laundering. Use of Tornado Cash by US users has been illegal since 2022. Use by European users remains in a complex legal gray area.

Privacy Pools: the post-sanctions attempt

Privacy Pools is a protocol proposed by Vitalik Buterin and other researchers in 2023 that seeks to separate privacy from compliance. The idea: A user can cryptographically prove that they are part of an “association set” that excludes sanctioned addresses, without revealing their specific identity. It is an attempt to build privacy that is demonstrably not used for illegal activity. As of February 2026 it is still in development and has no mainstream adoption.

Off-chain privacy: metadata and connections

On-chain privacy is only half the problem. When you connect to an Ethereum or Bitcoin node, your IP address is visible to the nodes you communicate with. An ISP or an attacker listening on your network can potentially correlate your IP with the transactions you transmit.

Light node vs full node

Lightweight mobile and desktop wallets (light clients) connect to third-party servers to obtain blockchain data. This means that the server operator knows which addresses you are tracking. Using a local full node eliminates this dependency and improves privacy: queries go directly from your machine to the P2P network.

VPN and Tor for nodes

Connecting your node via Tor hides your real IP address from the nodes you communicate with. Bitcoin Core supports Tor natively. Ethereum can be connected via Tor with additional configuration. A VPN offers partial protection (the IP is hidden from other nodes, but the VPN provider sees the traffic) — Tor is more robust for this specific use.

Compliance and regulatory framework

Travel Rule and FATF

The Financial Action Task Force (FATF) requires Virtual Asset Service Providers (VASPs) to collect and transmit sender and recipient information for transactions above certain thresholds (typically €1,000 in the EU). In practice, when you withdraw from a KYC exchange to a self-custody wallet, the exchange may request information about the destination wallet for compliance with the Travel Rule.

The MiCA (Markets in Crypto-Assets) regulation, in force in the EU from 2024-2025, strengthens these requirements. European VASPs must increasingly apply the Travel Rule.

Legitimate use of privacy

Financial privacy has widely recognized legitimate uses: protection from theft (not making your assets public), corporate confidentiality, donations to controversial associations in repressive countries, protection from financial stalking. None of these uses are illegal. The regulatory challenge is to separate legitimate use from tax evasion and money laundering — a problem that has no perfect technical solution.

What to avoid: real legal risks

  • Tornado Cash: use by US residents is illegal (OFAC sanctions). For European residents, use extreme caution and consult a lawyer before any use.
  • Mixing without KYC: Centralized mixing services without KYC have been shut down and their operators arrested in multiple jurisdictions (Chipmixer, BestMixer).
  • Purchasing XMR with the stated intent to evade: the currency is legal, the intent to evade is not.
  • Using privacy tools to hide assets from tax authorities: it is tax evasion, regardless of the tool used.

On-chain analysis and de-anonymization: how it works

Understanding how on-chain analysis happens is necessary to understand why privacy in crypto is harder to achieve than it seems. Public blockchains are, by definition, open ledgers: every transaction is visible to anyone, forever.

Clustering heuristics

Blockchain analytics companies (Chainalysis, Elliptic, TRM Labs) use heuristics to group addresses that likely belong to the same user. The best known is the “common input ownership heuristic”: in Bitcoin, if a transaction uses multiple UTXOs as input, it is assumed that they belong to the same wallet. This is correct in ~95% of cases (the exception being CoinJoin transactions).

Other heuristics: change output (the leftover amount of a transaction returns to a change address that belongs to the same wallet), temporal patterns (transactions that always occur at the same time suggest automation and often the same user), and the dust attack (sending small amounts of BTC to an address and then tracking where that dust is “spent” together with other funds).
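To see what a wallet leaks when it spends several UTXOs together, the following added example (not part of the original guide) applies the common input ownership heuristic to a handful of constructed transactions and shows how a CoinJoin-style transaction produces a false merge. The transaction ids, address labels and the `cluster` helper are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: (txid, input addresses). Outputs are irrelevant here.
TXS = [
    ("tx1", ["A1", "A2"]),         # wallet A spends two of its UTXOs together
    ("tx2", ["A2", "A3"]),         # A2 reused with A3: links A1, A2, A3 transitively
    ("tx3", ["B1", "B2"]),         # wallet B
    ("tx4", ["A3", "B2", "C1"]),   # CoinJoin-style: inputs from three different users
]

class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster(txs, skip=()):
    """Group addresses that appear together as inputs of one transaction.

    `skip` lists txids the analyst has flagged as CoinJoin and excludes.
    """
    ds = DisjointSet()
    for txid, inputs in txs:
        for addr in inputs:
            ds.find(addr)              # register every address, even if unlinked
        if txid in skip:
            continue
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)  # all inputs assumed to share one owner
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())
```

Applied naively, the heuristic collapses all three users into one cluster through `tx4`; with `tx4` excluded the three wallets separate again, which is why the heuristic's accuracy depends on recognising CoinJoin transactions.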

How exchanges link addresses to identities

When you withdraw from an exchange with KYC, the exchange records the destination address and associates it with your identity. This data may be shared with authorities upon legal request. Anyone with access to Chainalysis databases (authorities in many countries, regulated exchanges) can take that address and track all subsequent movements — even if those movements occur between non-KYC addresses.

“Taint analysis” — tracing funds across multiple transactions — is standard in investigating illegal activity. It is also used for compliance: an exchange can reject deposits from addresses associated with sanctioned activities, even if there are multiple intermediate transactions.

Privacy on Ethereum: the challenge of the account model

Ethereum is structurally more difficult to make private than Bitcoin. The account model means that all funds are visible in a single address — balance, complete history, interactions with each contract. There is no natural equivalent of Bitcoin’s “change address”.

Stealth addresses on Ethereum

ERC-5564 introduces stealth addresses to Ethereum: a sender can send funds to a “stealth” address that only the recipient can derive from their private key, without the address being publicly linked to the recipient. It is a “sender-pays” privacy mechanism still in the process of adoption as of February 2026, supported by a few wallets but with growing potential.

Account abstraction and privacy

Account abstraction (ERC-4337) could theoretically facilitate some privacy features — such as paying fees in tokens instead of ETH, hiding the connection between the address that has ETH and the one that uses the services. In practice, implementing robust privacy via AA still requires significant development.

Privacy and taxes: the risk of inconsistency

One of the most important practical consequences of the crypto privacy landscape concerns taxation. Using privacy tools — Monero, CoinJoin, mixers — does not eliminate your tax obligation. Transactions remain fiscally relevant even if not traceable on the chain. The risk of tax inconsistency — having untraceable flows on-chain but movements of real value emerging in bank accounts — is a major vector of tax investigations.

The rule of thumb: If you use privacy tools for legitimate reasons, still maintain an internal record of transactions for tax reporting. A private ledger (offline, not shared) with date, amount, reason and fiat value at the time of the transaction is sufficient for most jurisdictions. This does not require you to make your on-chain history public — it only requires that you can prove the correctness of your tax filing if requested.

The future of privacy in crypto

The industry is moving toward a balance between privacy and compliance that seemed impossible just a few years ago. Privacy Pools (proposed by Vitalik Buterin), ZK proofs of compliance (proving that you are not on a sanctioned list without revealing your identity), and selective disclosure systems are maturing. The goal is to enable legitimate financial privacy while maintaining the ability of authorities to prosecute illegal activities — a difficult but technically achievable balance.

Regulation is moving in the same direction, at a slower pace: the FATF Travel Rule, MiCA, and OFAC guidelines are creating a framework where compliance-friendly privacy could become the standard. For end users, the distinction between privacy as a right and privacy as a criminal tool will become increasingly important to understand and communicate.

Privacy for developers: Building with privacy by design

If you are building a crypto application, user privacy is a design responsibility. The architectural choices made at the outset determine how easily user data can be exposed.

Don’t collect unnecessary data: If your application doesn’t need to know what other addresses a user has used, don’t query this data. If you don’t need the IP address, don’t log it. Privacy by default — collecting only the minimum necessary — is both a good ethical practice and a legal protection.

Use RPC providers with clear privacy policies: Infura and Alchemy log the addresses that are queried. For applications where user privacy is relevant, consider non-logging RPC providers (Ankr with privacy option, own nodes) or implement an RPC proxy that removes identifying metadata before passing the query.

ZK proofs as a scalable privacy tool: zero-knowledge proofs allow you to prove properties (“this user is an adult”, “this user has more than $1000 in their wallet”) without revealing the specific data. Protocols like Semaphore and Zupass are building infrastructure for ZK identity and ZK attestations that could become standards in the ecosystem in the coming years.

User privacy isn’t just a value — it’s a competitive advantage. Users who care about digital autonomy (often those with the biggest wallets) choose apps that don’t track them unnecessarily. Building with privacy by design attracts this segment of users and reduces GDPR regulatory risk in the European ecosystem.
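For the RPC proxy suggested above, the core is a function that rebuilds each request instead of forwarding it. The following is an added example, not code from the original guide or from any RPC provider: the header allowlist, the method allowlist and the function names are assumptions chosen for illustration.

```python
import json

# Hypothetical policy for this example: headers and methods the proxy lets through.
FORWARD_HEADERS = {"content-type", "accept"}
ALLOWED_METHODS = {"eth_chainId", "eth_blockNumber", "eth_call",
                   "eth_getBalance", "eth_sendRawTransaction"}

def sanitize(headers, body):
    """Rebuild a client JSON-RPC request for the upstream provider.

    Returns (upstream_headers, upstream_body, id_map); id_map restores the
    client's original ids when the response comes back.
    """
    # Allowlist, not blocklist: Cookie, User-Agent, Origin, Referer,
    # X-Forwarded-For and anything unknown are dropped.
    upstream_headers = {k: v for k, v in headers.items()
                        if k.lower() in FORWARD_HEADERS}
    payload = json.loads(body)
    calls = payload if isinstance(payload, list) else [payload]
    id_map, rebuilt = {}, []
    for new_id, call in enumerate(calls, start=1):
        method = call.get("method") if isinstance(call, dict) else None
        if method not in ALLOWED_METHODS:
            raise ValueError(f"method not allowed: {method!r}")
        id_map[new_id] = call.get("id")
        # Copy only the fields JSON-RPC defines; extra client fields and
        # client-chosen ids (a fingerprinting surface) never leave the proxy.
        rebuilt.append({"jsonrpc": "2.0", "id": new_id, "method": method,
                        "params": call.get("params", [])})
    upstream = rebuilt if isinstance(payload, list) else rebuilt[0]
    return upstream_headers, json.dumps(upstream), id_map

def restore_ids(response_body, id_map):
    """Put the client's ids back on the provider's response."""
    payload = json.loads(response_body)
    for item in payload if isinstance(payload, list) else [payload]:
        item["id"] = id_map.get(item.get("id"))
    return json.dumps(payload)
```

The provider still sees the addresses carried in `params` and the proxy's own IP: the proxy hides who asked, not what was asked, and it must itself avoid logging requests.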

Privacy by design: choose tools that protect by default

The distinction between optional privacy and privacy by default is crucial in the choice of tools. A tool that offers privacy as an opt-in feature — like Zcash’s optional shielded transactions — has a much smaller anonymity set than one that makes it mandatory, like Monero. The smaller the anonymity set, the easier it is for an outside observer to isolate private transactions from public ones.

In practice, this means preferring protocols where privacy is the norm and not the exception. A wallet that uses CoinJoin automatically offers more protection than one that makes it available as a manual option, because the majority of users never activate the optional features.

Conclusion

Privacy in crypto is a legitimate right with legitimate tools — and a regulatory minefield. The line isn’t between “privacy = bad” and “transparency = good”: it’s between use to protect legitimate personal information and use to hide illegal activity. Those who want financial privacy have tools available that do not violate the law; those who want to evade taxes will find that the available tools offer less protection than they seem, and that the legal risks are real and growing.