When Satoshi Nakamoto created Bitcoin, he flaunted the digital currency's potential as “digital, electronic cash.” But in the early days following Bitcoin's launch, one immediate real-world use case surfaced: buying illegal goods on the internet.
Of course, it turns out that Bitcoin isn't actually anonymous. While your name and location may not be attached to your Bitczoin wallet, every transaction sent over the Bitcoin network is tied to a public address. If you bought your Bitcoin from a service like Coinbase that's attached to your real name, your transactions can be linked back to your identity.
This possibility has led to the creation of a number of privacy coins that focus on secure and anonymous transactions. But a coin self-advertising as “private” doesn't necessarily mean that it actually is. The best privacy coins rely on real innovations in cryptography, such as ring signatures and zero-knowledge proofs for confidential transactions. The worst privacy coins advertise as “private” but are functionally vaporware.
In this article, we'll walk you through our recommendations for the best privacy coins and how to use them securely to help you separate the wheat from the chaff.
Table of Contents
🥇 The Best Privacy Coin: Monero
Monero is our top pick for best privacy coin because it has the best mix of cryptographic guarantees and ease of use as well as widespread adoption on the darknet.
|Wall Street Market||✅||✅||❌||❌||❌|
The chart above shows which currencies are accepted by the six top darknet markets.
Early Coinbase team member and 1confirmation Founder Nick Tomaino says:
Monero (symbol XMR) is the current leader of the privacy-focused digital currencies.
With Bitcoin, every transaction on the network is public. That means you can check the balance of a public address and its entire transaction history. With Monero, you can check to see that a public address exists, but you can't see its balance or history without a corresponding private key.
There are two core cryptographic elements that make this work:
- Stealth addresses: Unlike Bitcoin, where coins are sent from one address to another, with Monero each transaction creates a stealth address. The sender deposits funds into the secret address, which can only be accessed by the recipient. This address is visible only to the participants in the transaction.
- Ring signatures: With only stealth addresses, the sender of a transaction would be able to see when the recipient retrieves their Monero. This is where Monero's ring signatures come into play. Ring signatures basically mix together transactions on the Monero network. Each transaction randomly selects funds from other transactions in the same block. That way, no one on the network can determine the original source of a transaction.
If you're having a hard time following this, don't worry! This Stack Exchange thread provides a helpful analogy for understanding how it all works. Here's another good low-level explanation of how Monero works compared to Bitcoin.
Privacy is great, but it also has to be easy for the layperson to use to actually be useful. Monero gets high marks on this front. For starters, Monero is the only coin on our list where all transactions are private by default. Every other coin requires enabling a specific feature or undergoing a specific process for private transactions.
It also has a lively ecosystem, with a lot of different wallets and tools to make it easy to send, receive, and exchange Monero.
In the image above, Monero's GUI wallet is synchronizing with a remote node. The ring size setting is set to seven, which is the default for Monero. It means that for this transaction a single input will come from the wallet shown, and the other 6 will come from the Monero blockchain.
There are a number of different wallet options for managing your Monero:
- Monero Wallet with full node: The most secure way to run Monero is by running a full node on your computer and using Monero's own wallet. The Monero blockchain is currently over 60 gigabytes, so this isn't the most convenient option. Here's a helpful guide to running the Monero GUI wallet with a full Monero node.
- Monero Wallet with remote node: If you have limited hard drive space or don't want to run your own full node, you can use the Monero Wallet with a remote node. That means that you're syncing your wallet to someone else's copy of the blockchain. The primary risk here is that the remote-node operator can associate a transaction with an IP address. It's recommended that you use a VPN if you're relying on a remote node. Here's a list of remote Monero nodes you can connect to.
- My Monero Wallet: If you're sending and receiving small amounts of Monero and you value convenience over security, consider the web-based My Monero Wallet, which is operated by Monero lead maintainer Riccardo Spagni.
Monero also enjoys a lot of support from exchanges and is listed on 98 different ones. Meanwhile, tools like XMR.to and ShapeShift make it easy to anonymously exchange your Monero for other cryptocurrencies without having to log into an exchange.
While Monero is our number one recommended option for privacy coins, it's important to remember that perfect privacy doesn't exist. As Monero lead maintatiner Riccardo Spagni said in a Wired interview, “Privacy isn’t a thing you achieve, it’s a constant cat-and-mouse battle.”
It's possible that there are undiscovered bugs in the Monero codebase that can be exploited to deanonymize the network. Further, as a proof-of-work chain, Monero is susceptible to a 51% attack. The estimated cost of this would be around $1.51 billion—which isn't out of the reach of state-level actors.
Despite these flaws, Monero is the best privacy option for most users.
🥈 Runner-Up: Bitcoin
While Bitcoin isn't completely anonymous, there are ways that you can safely privatize your transactions on the network with a bit of extra work. It's also the most widely accepted cryptocurrency on our list, making it our number two pick for privacy coins.
As angel investor Naval Ravikant writes:
Bitcoin takes powers from the central actors and returns it to merchants and consumers, savers and borrowers. Bitcoin brings back some pseudonymity in the transactions, and can be irrevocably traded like cash. And finally, it points a way towards a single currency – it is a bug, not a feature, that we have multiple global currencies with exchangers and transaction fees in between.
Bitcoin is often called a pseudonymous cryptocurrency. That means that, while Bitcoin addresses are not linked to a real identity, transactions on Bitcoin are public on the entire blockchain. If someone can link your identity to your Bitcoin address, they can see every historical transaction you've made on the network—and every future transaction that you will make.
If you want to use Bitcoin as a privacy coin, you basically have two different options.
The first is to buy bitcoin anonymously. Most people will buy Bitcoin through a centralized exchange like Coinbase. These exchanges require users to provide their real names and addresses, which in practice is like writing your name on your Bitcoin address with a Sharpie.
Buying Bitcoin locally in the UK with the GBP.
Fortunately, there are a bunch of peer-to-peer services, such as Paxful, BitQuick, and LocalBitcoins, that allow you to buy Bitcoin without your real name. These services match buyers and sellers of Bitcoin and often include anonymous payment options, such as Amazon gift cards or even cash in person.
Be mindful that this approach isn't bulletproof. A centralized service can store your IP address and enable law enforcement to connect your address to you.
The second option is to buy your Bitcoin from a centralized exchange, and then use a Bitcoin mixing service to sever the connection between the address that you bought Bitcoin from and the one you're sending it to.
If you send Bitcoin from a Coinbase wallet to a darknet market, the transaction isn't private because anyone who has your Coinbase address can see that you sent funds to the darknet on the public ledger. The way that mixers work is pretty simple: Instead of sending your Bitcoin to the destination address, you send your Bitcoin from a wallet to the mixing service. Your Bitcoin is deposited into a stash of bitcoins that the service holds. The amount that you sent—minus a 1–3% fee—is substituted with the same number of bitcoins from different sources and sent to the destination address.
Because the destination address isn't actually receiving any bitcoin associated with the origin address, the link between the two is severed.
The graphic above visualizes how Bitcoin mixing works between four different participants. Unless the mixer is compromised, observers of the blockchain can't link transaction inputs to outputs. [image source: ACM]
If you want to use a Bitcoin mixer, it's important to do your own research and carefully audit the mixer you select. Bitblender has the most helpful guide we've found online on Bitcoin mixers, and they also offer their own mixing service.
Unlike using Monero, our top pick for privacy coins, using Bitcoin anonymously typically involves relying on a trusted third party to help secure your transactions. While this isn't ideal, it's a functional option for those willing to compromise on security for convenience.
🥉 For the Cryptography Nerd: Zcash
We don't recommend Zcash for most people looking for a privacy coin. That's because although Zcash may have the strongest cryptography of the coins on our list, limited tooling makes it hard for the average user to actually send private transactions. The privacy feature of Zcash also isn't heavily used, and Zcash wasn't accepted by any of the seven top darknet markets we researched.
If you want to participate in the bleeding edge of cryptography, though, Zcash may be the perfect coin for you.
As Vitalik Buterin says:
If I was doing anything seriously privacy-demanding I'd probably go for Zcash first.
The first thing you should be aware of is that not all Zcash transactions are private by default. Private transactions need to be sent from a special “z address” and they cost higher transaction fees.
As of September 19, 86.6% of transactions on Zcash were sent publicly. [image source: Blockspur]
Z-addresses designed for private transactions are encrypted so that they're functionally invisible to the blockchain. The balances associated with the z-addresses are also encrypted, which means that the only way to check a balance for a z-address is if you control its private key.
If both the address and the balances are hidden from the network, then there has to be some way for the protocol to verify that a sender has enough Zcash to actually settle a transaction as well as verify on the other end that the funds were received. It has to accomplish this without revealing any information attached to an address to the sender or receiver.
Zcash solves this through zk-SNARKs (or “zero-knowledge succinct non-interactive argument of knowledge”). Zk-SNARKs were developed by academic cryptographers, and while the math behind them is complicated, the way they work in Zcash is pretty simple. Typically, the way that you would prove that you have the funds to settle a transaction is to reveal your balance, either on a public blockchain or a centralized server. With zk-SNARks, instead of showing your hand, you provide cryptographic proof that shows that you have the available funds, without revealing anything else.
When you send a private transaction through Zcash, zk-SNARks establish that the addresses exist and that the sender has enough funds to settle a transaction. The funds are then “burned” and exchanged for a metaphorical IOU, which then creates new coins for the recipient. There's no way to trace the coins that were burned to the coins created.
While the cryptography behind Zcash is really cool, the biggest downside of Zcash is that there are limited options for actually using private transactions.
For example, while there are a number of third-party wallets available to Zcash, only two of the wallets listed on ZCash's website support private transactions:
- Zcashd: A Linux-based command-line interface for creating and managing a Zcash wallet via a terminal shell.
- WinZec: A Windows-based GUI wallet.
If you're using a Mac, your options are severely limited. You can either install Linux on your computer, or you can rely on an unofficial community tool like Zcash-Apple—which isn't audited and may have security holes.
For now, limited adoption of Zcash and lack of easy access to applications and wallets make it difficult for everyday use, which is why we recommend Monero and Bitcoin over Zcash.
🤡 Buyer Beware: Dash
We don't recommend Dash as a privacy coin because it has weak privacy features and hasn't achieved meaningful adoption.
The core privacy feature of Dash is called Private Send. Private Send is basically a simpler version of tumbling than the services we discussed earlier. With a Private Send transaction, three users combine their coins into a single transaction, which then randomly distributes coins to new addresses generated for each user. You can repeat this up to eight times. Theoretically, the more you mix your coins, the more private your transaction, because the Dash in your destination address can't be traced back to a single source.
The problem is that Private Send is completely undermined by Dash's network architecture. Dash is powered by “masternodes.” These are like Bitcoin nodes, except they're designed to reward node operators. Masternodes secure and validate transactions on the network. As a reward, they receive 45% of newly created Dash.
When you send a transaction through Private Send, masternodes validate the transactions and send them between addresses. That means that the random masternode processing your transaction can see the source and destination of your “private” transactions. It only takes 1,000 Dash to run a masternode, which means that a government, a law enforcement agency, or a malicious actor can easily set one up.
As Riccardo Spagni, Lead Maintainer at Monero puts it:
Most countries have bank secrecy laws, and access to your account even within a bank is privileged and logged. Dash, on the other hand, exposes information publicly to anyone running a node.
If you want to send transactions anonymously, don't use Dash.
💩 Avoid At All Costs: Verge
While Verge advertises itself as a “secure and anonymous” cryptocurrency, it fails to offer meaningful privacy. Steer clear.
Verge began as “Dogecoin Dark” in 2014 and rebranded as Verge in 2016. It was a fork of Dogecoin, which forked Litecoin, which in turn forked Bitcoin. Verge's claim to privacy comes from the fact that it uses Tor to hide users' IP addresses.
The biggest flaw with this is the fact that all transactions and addresses are publicly indexed on the blockchain. If you buy your Verge from a centralized exchange, your Verge address is still connected to your real identity. Second, research shows that running cryptocurrency over Tor isn't a good idea in a first place.
Verge also uses what's called the “Wraith protocol” to implement stealth addresses. Basically, the way this works is that when you send Verge, you can generate an address from which the receiver can control the funds. The problem is that it doesn't actually provide any privacy for the sender.
As Facebook engineer Noah Ruderman writes:
Verge is not private. It never was. This is not subjective. It fails to provide privacy in any meaningful way that would protect you from the people trying to violate it who could compromise your freedom or safety.
Finally, the Verge blockchain has been hit by multiple 51% attacks, which were made possible by exploiting bugs in Verge's codebase. Not only is Verge not private, but it's also much easier to attack than coins like Bitcoin and Monero. We don't recommend using Verge for any purpose.
🙇 A Practical Guide to Using Private Coins
So far we've covered all the different options you have for privacy coins. But while picking the right privacy coin is important, how you use it is equally important. A number of missteps and mistakes can deanonymize your transactions.
That's why we put together this simple guide for how to use private coins, organized according to the type of coin accepted by the vendor.
1. Vendor Accepts Monero
Because all transactions on Monero are private by default, if a vendor accepts Monero there's very little you have to do secure your transaction.
The main thing to keep in mind is that if you buy Monero from a centralized exchange with your real name, you should not send it directly from the exchange to your destination.
That's because while the transaction itself is private, the exchange has information on the transaction size and withdrawal address that the Monero was sent to—as well as your name and address. If the recipient address is say, tied to a darknet market that is busted by law enforcement, this lapse can come back to haunt you.
The popular darknet market Wall St. Market accepts Bitcoin and Monero on all orders.
To send Monero to a Monero address privately:
- Send the Monero from a centralized exchange to a private wallet that you control. We lay out some of the best options in the earlier section on Monero.
- In your Monero wallet, make sure that the “ring size” setting is set to at least 7, which is the minimum recommended by Monero. The higher the ring size, the more secure the transaction. This option is enabled by default on most Monero wallets.
- Send Monero to your destination address.
2. Vendor Accepts Bitcoin: Exchange Monero for Bitcoin
If the vendor or market you're sending funds accepts Bitcoin, you can still privatize your transactions with Monero!
A service like XMR.to allows you to privately exchange Monero for Bitcoin. Even though XMR.to is a third-party service, since you're sending Monero to a Monero address, your privacy remains secure.
The web interface for XMR.to
- Send the Monero from a centralized exchange to a private wallet that you control.
- Go to XMR.to. For additional security, access the service via Tor.
- Type in the amount of Bitcoin you want to receive and the address you want to receive it at. (For additional security we highly recommend that this wallet is on a secure operating system like Tails.)
- Click the “Create” button to create the transaction.
- From there, XMR.to will provide you with a Monero destination address and the amount of Monero you need to settle the transaction.
- Send the exact amount displayed to the address within fifteen minutes.
- You'll receive your Bitcoin in 30 minutes or less.
3. Vendor Accepts Bitcoin: Use a Bitcoin Mixer
If a vendor accepts Bitcoin, and you don't want to clean your Bitcoin through the process outlined above, you can use a Bitcoin mixer to privatize your transaction.
The web interface for Bitcoin Blender. You simply input an address into the blender, set a randomized delay, and send Bitcoin to the address that the blender provides you.
Using a mixer securely requires several steps:
- Buy Bitcoin from a centralized exchange.
- Send the Bitcoin to a wallet that you control.
- Send Bitcoin from the wallet to a tumbling service like Bitcoin Blender (Onion Address) or Bitcoin Fog (Onion Address). Expect to pay a 1-3% per transaction for using a tumbling service.
- Enter the address of a second Bitcoin wallet. For maximum security, this second wallet will be located on a secure operating system such as Tails .
Keep in mind that there are always hazards when relying on centralized services to protect your privacy. You're relying on the tumbling service to work as advertised.
Privacy is a Cat and Mouse Race
It's important to remember Monero Lead Maintainer Riccardo Spagni's point that privacy isn't a static, fixed, thing. Privacy is a moving target—it's a constant battle between cryptographers and hackers. Absolute privacy doesn't exist.
While we recommend Monero as the #1 privacy coin for most people, that can change in the future. Developments like Mimbelwimble for and Beam and Grin or Schnorr signatures for Bitcoin in the future may render monero obsolete. Or gaps in Monero's protocol may be uncovered that compromise the privacy of Monero users.
While users should recognize these concerns, we live in the present. Based on the underlying technology, adoption, and ease-of-use, Monero is the best fit for folks looking for a privacy coin today.
We'll continually update this guide with the latest developments in privacy coins, so check back here for more!