When Satoshi Nakamoto created Bitcoin, he flaunted the digital currency's potential as “digital, electronic cash.” But in the early days following Bitcoin's launch, one immediate real-world use case surfaced: buying illegal goods on the internet.
Of course, it turns out that Bitcoin isn't actually anonymous. While your name and location may not be attached to your Bitcoin wallet, every transaction sent over the Bitcoin network is tied to a public address. If you bought your Bitcoin from a service like Coinbase that's attached to your real name, your transactions can be linked back to your identity.
This possibility has led to the creation of a number of privacy coins that focus on secure and anonymous transactions. But a coin self-advertising as “private” doesn't necessarily mean that it actually is. The best privacy coins rely on real innovations in cryptography, such as ring signatures and zero-knowledge proofs for confidential transactions. The worst privacy coins advertise as “private” but are functionally vaporware.
In this article, we'll walk you through our recommendations for the best privacy coins and how to use them securely to help you separate the wheat from the chaff.
Table of Contents
🥇 The Best Privacy Coin: Monero
🥈 Runner-Up: Bitcoin
🥉 For the Cryptography Nerd: Zcash
🏘 Community-Developed MimbleWimble: Grin
🏦 Venture-Funded MimbleWimble: Beam
🤡 Buyer Beware: Dash
💩 Avoid At All Costs: Verge
🙇 A Practical Guide to Using Private Coins
🥇 The Best Privacy Coin: Monero
Monero is our top pick for best privacy coin because it has the best mix of cryptographic guarantees and ease of use as well as widespread adoption on the darknet.
|White House Market||❌||✅||❌||❌||❌||❌||❌|
The chart above shows which currencies are accepted by the six top darknet markets.
Monero (symbol XMR) is the current leader of the privacy-focused digital currencies.
With Bitcoin, every transaction on the network is public. That means you can check the balance of a public address and its entire transaction history. With Monero, you can check to see that a public address exists, but you can't see its balance or history without a corresponding private key.
There are two core cryptographic elements that make this work:
- Stealth addresses: Unlike Bitcoin, where coins are sent from one address to another, with Monero each transaction creates a stealth address. The sender deposits funds into the secret address, which can only be accessed by the recipient. This address is visible only to the participants in the transaction.
- Ring signatures: With only stealth addresses, the sender of a transaction would be able to see when the recipient retrieves their Monero. This is where Monero's ring signatures come into play. Ring signatures basically mix together transactions on the Monero network. Each transaction randomly selects funds from other transactions in the same block. That way, no one on the network can determine the original source of a transaction.
If you're having a hard time following this, don't worry! This Stack Exchange thread provides a helpful analogy for understanding how it all works. Here's another good low-level explanation of how Monero works compared to Bitcoin.
Privacy is great, but it also has to be easy for the layperson to use to actually be useful. Monero gets high marks on this front. For starters, Monero is the only coin on our list where all transactions are private by default. Every other coin requires enabling a specific feature or undergoing a specific process for private transactions.
It also has a lively ecosystem, with a lot of different wallets and tools to make it easy to send, receive, and exchange Monero.
In the image above, Monero's GUI wallet is synchronizing with a remote node. The ring size setting is set to seven, which is the default for Monero. It means that for this transaction a single input will come from the wallet shown, and the other 6 will come from the Monero blockchain.
There are a number of different wallet options for managing your Monero:
- Monero Wallet with full node: The most secure way to run Monero is by running a full node on your computer and using Monero's own wallet. The Monero blockchain is currently over 60 gigabytes, so this isn't the most convenient option. Here's a helpful guide to running the Monero GUI wallet with a full Monero node.
- Monero Wallet with remote node: If you have limited hard drive space or don't want to run your own full node, you can use the Monero Wallet with a remote node. That means that you're syncing your wallet to someone else's copy of the blockchain. The primary risk here is that the remote-node operator can associate a transaction with an IP address. It's recommended that you use a VPN if you're relying on a remote node. Here's a list of remote Monero nodes you can connect to.
- My Monero Wallet: If you're sending and receiving small amounts of Monero and you value convenience over security, consider the web-based My Monero Wallet, which is operated by Monero lead maintainer Riccardo Spagni.
For more options, we wrote a detailed guide to the best wallets on Monero.
Monero also enjoys a lot of support from exchanges and is listed on 98 different ones. Meanwhile, tools like XMR.to and ShapeShift make it easy to anonymously exchange your Monero for other cryptocurrencies without having to log into an exchange.
While Monero is our number one recommended option for privacy coins, it's important to remember that perfect privacy doesn't exist. As Monero lead maintatiner Riccardo Spagni said in a Wired interview, “Privacy isn’t a thing you achieve, it’s a constant cat-and-mouse battle.”
It's possible that there are undiscovered bugs in the Monero codebase that can be exploited to deanonymize the network. Further, as a proof-of-work chain, Monero is susceptible to a 51% attack. The estimated cost of this would be around $1.51 billion—which isn't out of the reach of state-level actors.
Despite these flaws, Monero is the best privacy option for most users.
🥈 Runner-Up: Bitcoin
While Bitcoin isn't anonymous, there are ways that you can privatize your transactions on the network with a bit of extra work. It makes number two on our list because it's the most widly-accepted cryptocurrency on our list.
Bitcoin takes powers from the central actors and returns it to merchants and consumers, savers and borrowers. Bitcoin brings back some pseudonymity in the transactions, and can be irrevocably traded like cash. And finally, it points a way towards a single currency – it is a bug, not a feature, that we have multiple global currencies with exchangers and transaction fees in between.
Bitcoin is often called a pseudonymous cryptocurrency. That means that, while Bitcoin addresses are not linked to a real identity, transactions on Bitcoin are public on the entire blockchain. If someone can link your identity to your Bitcoin address, they can see every historical transaction you've made on the network—and every future transaction that you will make.
If you want to use Bitcoin as a privacy coin, you basically have two different options.
The first is to buy bitcoin anonymously. Most people will buy Bitcoin through a centralized exchange like Coinbase. These exchanges require users to provide their real names and addresses, which in practice is like writing your name on your Bitcoin address with a Sharpie.
Buying Bitcoin locally in the UK with the GBP.
Fortunately, there are a bunch of peer-to-peer services, such as Paxful, BitQuick, and LocalBitcoins, that allow you to buy Bitcoin without your real name. These services match buyers and sellers of Bitcoin and often include anonymous payment options, such as Amazon gift cards or even cash in person.
Be mindful that this approach isn't bulletproof. A centralized service can store your IP address and enable law enforcement to connect your address to you.
The second option is to buy your Bitcoin from a centralized exchange, and then use a service that employs Coinjoin to help sever the connection between the address that you bought Bitcoin from and the one that you’re sending it to.
If you send Bitcoin from a Coinbase wallet to a darknet market, the transaction isn't private because anyone who has your Coinbase address can see that you sent funds to the darknet on the public ledger. The way that CoinJoin works is pretty simple. Instead of sending your Bitcoin directly to your destination, a Coinjoin service will mix your transaction with combine your transaction with another transaction— or several other transactions. A snoop on the blockchain thus has a harder time tying back which outputs belong to you.
The graphic above visualizes how CoinJoin works. [image source: Bitcoin Wiki]
If you want to use CoinJoin, it's important to do your own research and carefully audit the mixer you select. We recommend only using open-source services where the code can be independently audited.Research shows that online mixing services that use three rounds of mixing or fewer can be linked back to the sender with a high degree of accuracy.
The CoinJoin panel of open-source privacy wallet Wasabi.
We recommend using a tool like Wasabi Wallet if you want to anonymize your Bitcoin transactions. Wasabi Wallet is completely open-source, which means that the code can be independently audited. Many mixing services, such as Bitcoin Laundry or Blender are centralized services, which means relying on a trusted third party to help mix your transactions. You send your Bitcoin to the service, and you get mixed Bitcoin in return— which means that you run the risk of the service stealing your coins, or holding onto transaction logs that can deanonymize you.
The way that Wasabi Wallet works is by essentially coordinating a CoinJoin between a group of peers. Each user who wants to participate queues Bitcoin that they want to mix within the wallet. The default anonymity set on Wasabi is 50, which means that a minimum number of 50 users have to register a minimum amount of ~ 0.1 BTC each for the round to proceed. Each user sends their BTC to a CoinJoin transaction.
While it can take one to two hours to mix coins with Wasabi from start to finish, it provides a safer and more user-friendly approach than finding a centralized mixer on the darknet. An added bonus is that Wasabi Wallet is cross-platform across Windows, Mac, and Linux. If you’re using an Android phone, Samourai Wallet is another wallet with Coinjoin that we recommend.
While the privacy guarantees around CoinJoin are less strong than with our top pick, Monero, it’s a functional option for those willing to compromise on security for convenience.
🥉 For the Cryptography Nerd: Zcash
We don't recommend Zcash for most people looking for a privacy coin. That's because although Zcash may have the strongest cryptography of the coins on our list, limited tooling makes it hard for the average user to actually send private transactions. The privacy feature of Zcash also isn't heavily used, and Zcash wasn't accepted by any of the seven top darknet markets we researched.
If you want to participate in the bleeding edge of cryptography, though, Zcash may be the perfect coin for you.
If I was doing anything seriously privacy-demanding I'd probably go for Zcash first.
The first thing you should be aware of is that not all Zcash transactions are private by default. Private transactions need to be sent from a special “z address” and they cost higher transaction fees.
As of September 19, 86.6% of transactions on Zcash were sent publicly. [image source: Blockspur]
Z-addresses designed for private transactions are encrypted so that they're functionally invisible to the blockchain. The balances associated with the z-addresses are also encrypted, which means that the only way to check a balance for a z-address is if you control its private key.
If both the address and the balances are hidden from the network, then there has to be some way for the protocol to verify that a sender has enough Zcash to actually settle a transaction as well as verify on the other end that the funds were received. It has to accomplish this without revealing any information attached to an address to the sender or receiver.
Zcash solves this through zk-SNARKs (or “zero-knowledge succinct non-interactive argument of knowledge”). Zk-SNARKs were developed by academic cryptographers, and while the math behind them is complicated, the way they work in Zcash is pretty simple. Typically, the way that you would prove that you have the funds to settle a transaction is to reveal your balance, either on a public blockchain or a centralized server. With zk-SNARks, instead of showing your hand, you provide cryptographic proof that shows that you have the available funds, without revealing anything else.
When you send a private transaction through Zcash, zk-SNARks establish that the addresses exist and that the sender has enough funds to settle a transaction. The funds are then “burned” and exchanged for a metaphorical IOU, which then creates new coins for the recipient. There's no way to trace the coins that were burned to the coins created.
While the cryptography behind Zcash is really cool, the biggest downside of Zcash is that there are limited options for actually using private transactions.
For example, while there are a number of third-party wallets available to Zcash, only two of the wallets listed on Zcash's website support private transactions:
- Zcashd: A Linux-based command-line interface for creating and managing a Zcash wallet via a terminal shell.
- WinZec: A Windows-based GUI wallet.
If you're using a Mac, your options are severely limited. You can either install Linux on your computer, or you can rely on an unofficial community tool like Zcash-Apple—which isn't audited and may have security holes.
For now, limited adoption of Zcash and lack of easy access to applications and wallets make it difficult for everyday use, which is why we recommend Monero and Bitcoin over Zcash.
🏘 Community-developed MimbleWimble: Grin
If you're interested in the new generation of privacy coins, keep an eye on Grin. We don't currently recommend using it for private transactions today, because, as a newer coin, there aren't many places it's accepted and there are a lot of UX kinks still being worked out.
If Grin is successful, it will be linearly inflationary and disempowered in a few key aspects. Imagine: Monero = crypto Swiss bank; Grin = confidential emailable cash transactions.
The name “MimbleWimble” comes from a tongue-tying spell in Harry Potter and was initially proposed in the #bitcoin-dev IRC channel. The way that Bitcoin works is it essentially that all transactions visible on a public ledger, which allow nodes on the network to verify transactions. With MimbleWimble, Grin doesn’t actually use a system of public addresses, and it is able to hide the amount of transactions on the network, as well as the identity of users. It does so in two key ways: Confidential transactions, and CoinJoin.
With Confidential Transactions, the amounts involved in a transaction on Grin are blinded, or hidden, so that the amount being sent or received can equal out—without revealing how much actual money was involved. MimbleWimble, as implemented by Grin, also enables CoinJoin by default, which means that individual transactions are combined into a larger transaction, helping to hide where transactions are coming from and where they’re going.
One of the downsides to Grin’s implementation of MimbleWimble is that both the sender and recipient of a transaction have to be online for the transaction to go through. That makes it less convenient than our top pick Monero, which permits asynchronous transactions. Another is that there isn’t currently a large ecosystem of tools or users around Grin, which can make it difficult to use.
Sending a transaction from Niffler, an open-source GUI wallet for Grin [image source: Grin Forum]
- Grin Wallet: The official wallet for Grin, accessible by command line.
- Niffler Wallet: A community-developed Grin wallet with a graphical interface.
Grin is still a new coin, and we recommend that users wait for it to become battle-tested before relying on its privacy guarantees. Further, it’s not widely adopted, so it’s currently difficult to use in the wild. It’s not currently accepted on any of the darknet markets we list above.
🏦 Venture-funded MimbleWimble: Beam
Beam is a competing MimbleWimble implementation to Grin. The key difference is that while Grin is developed and funded by volunteers—similar to Bitcoin or Monero—Beam is developed by the Beam foundation and is venture-funded. Like Grin, Beam implements exciting new privacy tech, but it isn’t widely adopted, which is why we don’t recommend it to users today.
As Casa's Jameson Lopp writes:
If you're interested in cutting edge cypherpunk protocols you should be keeping an eye on Grin and Beam. . . If the tech works then it ought to be a pretty good way to make private payments.
Beam, like Grin, also uses Confidential Transactions and CoinJoin to anonymize transactions. Plus, it adds in an extra step of creating decoy unspent transaction outputs to each phase of CoinJoin. Beam has also developed a system of decentralized addresses, which is intended to prevent users from leaking IP addresses.
From a usability perspective, Beam may prove superior to Grin—although for now, the biggest hurdle for both coins is the lack of adoption. That’s because Beam has created a way that transactions can be sent asynchronously. Unlike Grin, Beam has also developed its owngraphical-interface wallet (https://beam.mw/wallet-instructions) that operates across iOS, Android, Mac, Windows, and Linux devices.
🤡 Buyer Beware: Dash
We don't recommend Dash as a privacy coin because it has weak privacy features and hasn't achieved meaningful adoption.
The core privacy feature of Dash is called Private Send. Private Send is basically a simpler version of tumbling than the services we discussed earlier. With a Private Send transaction, three users combine their coins into a single transaction, which then randomly distributes coins to new addresses generated for each user. You can repeat this up to eight times. Theoretically, the more you mix your coins, the more private your transaction, because the Dash in your destination address can't be traced back to a single source.
The problem is that Private Send is completely undermined by Dash's network architecture. Dash is powered by “masternodes.” These are like Bitcoin nodes, except they're designed to reward node operators. Masternodes secure and validate transactions on the network. As a reward, they receive 45% of newly created Dash.
When you send a transaction through Private Send, masternodes validate the transactions and send them between addresses. That means that the random masternode processing your transaction can see the source and destination of your “private” transactions. It only takes 1,000 Dash to run a masternode, which means that a government, a law enforcement agency, or a malicious actor can easily set one up.
As Riccardo Spagni, Lead Maintainer at Monero puts it:
Most countries have bank secrecy laws, and access to your account even within a bank is privileged and logged. Dash, on the other hand, exposes information publicly to anyone running a node.
If you want to send transactions anonymously, don't use Dash.
💩 Avoid At All Costs: Verge
While Verge advertises itself as a “secure and anonymous” cryptocurrency, it fails to offer meaningful privacy. Steer clear.
Verge began as “Dogecoin Dark” in 2014 and rebranded as Verge in 2016. It was a fork of Dogecoin, which forked Litecoin, which in turn forked Bitcoin. Verge's claim to privacy comes from the fact that it uses Tor to hide users' IP addresses.
The biggest flaw with this is the fact that all transactions and addresses are publicly indexed on the blockchain. If you buy your Verge from a centralized exchange, your Verge address is still connected to your real identity. Second, research shows that running cryptocurrency over Tor isn't a good idea in a first place.
Verge also uses what's called the “Wraith protocol” to implement stealth addresses. Basically, the way this works is that when you send Verge, you can generate an address from which the receiver can control the funds. The problem is that it doesn't actually provide any privacy for the sender.
Verge is not private. It never was. This is not subjective. It fails to provide privacy in any meaningful way that would protect you from the people trying to violate it who could compromise your freedom or safety.
Finally, the Verge blockchain has been hit by multiple 51% attacks, which were made possible by exploiting bugs in Verge's codebase. Not only is Verge not private, but it's also much easier to attack than coins like Bitcoin and Monero. We don't recommend using Verge for any purpose.
🙇 A Practical Guide to Using Private Coins
So far we've covered all the different options you have for privacy coins. But while picking the right privacy coin is important, how you use it is equally important. A number of missteps and mistakes can deanonymize your transactions.
That's why we put together this simple guide for how to use private coins, organized according to the type of coin accepted by the vendor.
1. Vendor Accepts Monero
Because all transactions on Monero are private by default, if a vendor accepts Monero there's very little you have to do secure your transaction.
The main thing to keep in mind is that if you buy Monero from a centralized exchange with your real name, you should not send it directly from the exchange to your destination.
That's because while the transaction itself is private, the exchange has information on the transaction size and withdrawal address that the Monero was sent to—as well as your name and address. If the recipient address is say, tied to a darknet market that is busted by law enforcement, this lapse can come back to haunt you.
The popular darknet market Wall St. Market accepts Bitcoin and Monero on all orders.
To send Monero to a Monero address privately:
- Send the Monero from a centralized exchange to a private wallet that you control. We lay out some of the best options in the earlier section on Monero.
- In your Monero wallet, make sure that the “ring size” setting is set to at least 7, which is the minimum recommended by Monero. The higher the ring size, the more secure the transaction. This option is enabled by default on most Monero wallets.
- Send Monero to your destination address.
2. Vendor Accepts Bitcoin: Exchange Monero for Bitcoin
If the vendor or market you're sending funds accepts Bitcoin, you can still privatize your transactions with Monero!
A service like XMR.to allows you to privately exchange Monero for Bitcoin. Even though XMR.to is a third-party service, since you're sending Monero to a Monero address, your privacy remains secure.
The web interface for XMR.to
- Send the Monero from a centralized exchange to a private wallet that you control.
- Go to XMR.to. For additional security, access the service via Tor.
- Type in the amount of Bitcoin you want to receive and the address you want to receive it at. (For additional security we highly recommend that this wallet is on a secure operating system like Tails.)
- Click the “Create” button to create the transaction.
- From there, XMR.to will provide you with a Monero destination address and the amount of Monero you need to settle the transaction.
- Send the exact amount displayed to the address within fifteen minutes.
- You'll receive your Bitcoin in 30 minutes or less.
3. Vendor Accepts Bitcoin: Use a Bitcoin Mixer
If a vendor accepts Bitcoin, and you don't want to clean your Bitcoin through the process outlined above, you can use a Bitcoin mixer to privatize your transaction.
The web interface for Bitcoin Blender. You simply input an address into the blender, set a randomized delay, and send Bitcoin to the address that the blender provides you.
Using a mixer securely requires several steps:
- Buy Bitcoin from a centralized exchange.
- Send the Bitcoin to a wallet that you control.
- Send Bitcoin from the wallet to a tumbling service like Bitcoin Blender (Onion Address) or Bitcoin Fog (Onion Address). Expect to pay a 1-3% per transaction for using a tumbling service.
- Enter the address of a second Bitcoin wallet. For maximum security, this second wallet will be located on a secure operating system such as Tails .
Keep in mind that there are always hazards when relying on centralized services to protect your privacy. You're relying on the tumbling service to work as advertised.
Privacy is a Cat and Mouse Race
It's important to remember Monero Lead Maintainer Riccardo Spagni's point that privacy isn't a static, fixed, thing. Privacy is a moving target—it's a constant battle between cryptographers and hackers. Absolute privacy doesn't exist.
While we recommend Monero as the #1 privacy coin for most people, that can change in the future. Developments like Mimbelwimble for and Beam and Grin or Schnorr signatures for Bitcoin in the future may render monero obsolete. Or gaps in Monero's protocol may be uncovered that compromise the privacy of Monero users.
While users should recognize these concerns, we live in the present. Based on the underlying technology, adoption, and ease-of-use, Monero is the best fit for folks looking for a privacy coin today.
We'll continually update this guide with the latest developments in privacy coins, so check back here for more!