Bitcoin Privacy Best Practices: A Practical Guide

Privacy is not a feature of Bitcoin — it is a prerequisite for Bitcoin to function as money. Without privacy, Bitcoin cannot achieve fungibility: the property that every bitcoin is interchangeable with every other bitcoin. If specific bitcoins can be traced, flagged, and rejected based on their transaction history, then some bitcoins become worth less than others. A non-fungible money is a broken money.

The Bitcoin blockchain is a public ledger. Every transaction ever made is permanently recorded and visible to anyone with an internet connection. This radical transparency was a deliberate design choice — it enables trustless verification without intermediaries. But it also means that without deliberate countermeasures, your entire financial history can be reconstructed by anyone motivated enough to look.

This guide presents practical steps for improving your Bitcoin privacy, ordered from foundational habits that everyone should adopt to advanced techniques for users who require stronger guarantees. Each step builds on the previous ones.

Why Privacy Matters: Beyond “Nothing to Hide”

The argument that privacy is only for criminals is comprehensively refuted by the daily behavior of everyone who makes it. People close the bathroom door. People seal envelopes. People do not post their bank statements on social media. Privacy is a normal human need, not evidence of wrongdoing.

For Bitcoin specifically, privacy matters for concrete, practical reasons:

Fungibility and censorship resistance. If chain analysis firms can trace the history of every bitcoin, then miners, exchanges, and merchants can discriminate based on that history. Bitcoin that has passed through a sanctioned address, a mixing service, or even certain geographic regions can be “tainted” and refused. This creates a two-tier system where “clean” bitcoin trades at a premium and “dirty” bitcoin at a discount — destroying the uniform value that defines money.

Personal security. If your Bitcoin holdings are known, you become a target. Physical attacks on known Bitcoin holders have occurred in multiple countries. The $5 wrench attack — where someone forces you to transfer bitcoin at physical gunpoint — is mitigated primarily by privacy: attackers cannot target what they do not know exists.

Commercial confidentiality. If a business’s Bitcoin addresses are known, competitors can see their revenue, supplier payments, and cash reserves in real time. No business can operate effectively under total financial transparency to competitors.

Protection from state overreach. Governments have a history of financial surveillance escalation. What starts as anti-money-laundering measures expands to social credit systems, political donation tracking, and economic controls. Financial privacy provides a buffer against authoritarian overreach — not theoretical, but actively occurring in numerous jurisdictions worldwide.

Level 1: Foundational Habits (Everyone Should Do These)

Never Reuse Addresses

Address reuse is the single most damaging privacy mistake in Bitcoin. When you receive multiple payments to the same address, all those payments are publicly linked on the blockchain. Anyone who knows one of your addresses can see all transactions associated with it.

What to do: Use a wallet that automatically generates a new address for each transaction. All modern HD (Hierarchical Deterministic) wallets do this. If you publish an address for donations (on a website, for example), use a payment server like BTCPay Server that generates a unique address for each visitor.

Why it matters: Consider this scenario: you give your employer a Bitcoin address for salary payments. You also use that same address to purchase something from an online store. Now your employer can see that purchase. The store can see your salary. And anyone who knows either address can trace both.

Use a Wallet with Coin Control

Coin control is the ability to select which specific UTXOs (Unspent Transaction Outputs) are used as inputs when you make a payment. Without coin control, your wallet automatically selects UTXOs, potentially combining coins from different sources and revealing connections between them.

What to do: Use a wallet that supports manual coin control. Sparrow Wallet (desktop), Bitcoin Core, Electrum, and Wasabi Wallet all support this feature. When making a payment, consciously select which UTXOs to spend.

Why it matters: Suppose you have two UTXOs — one received from a KYC exchange (linked to your identity) and one received from a peer-to-peer sale (not linked). If your wallet combines both as inputs in a single transaction, a chain analysis firm can now link your identity (from the exchange UTXO) to the previously unlinked UTXO. This is the Common Input Ownership Heuristic (CIOH) in action.

Label Your UTXOs

UTXO labeling is the practice of annotating each UTXO with information about its origin: where it came from, whether it is KYC-linked, and any privacy-relevant context.

What to do: In Sparrow Wallet or Bitcoin Core, add labels to each receiving address and each UTXO. Example labels: “Bisq purchase 2024-03-15, no KYC,” “Coinbase withdrawal 2024-01, KYC-linked,” “CoinJoin output round 5.”

Why it matters: Without labels, you cannot make informed coin control decisions. You need to know which UTXOs are privacy-sensitive and which are not, so you can avoid accidentally combining them.

Use Separate Wallets for Separate Purposes

Maintaining a single wallet for all Bitcoin activity means that a privacy breach in one context can cascade to all others.

What to do: Maintain at least three separate wallets:

1. KYC wallet — for withdrawals from exchanges that have your identity
2. Non-KYC wallet — for bitcoin acquired without identity verification (peer-to-peer, mining, etc.)
3. Spending wallet — a small-balance wallet for daily transactions

Never send funds directly between these wallets. If you must move funds from KYC to non-KYC, use CoinJoin or other mixing techniques first.

Level 2: Network-Level Privacy

Run Your Own Node

When you use a third-party node (including a wallet’s default connection), you are leaking your transaction queries to that node operator. They can see which addresses you are checking, which transactions you are broadcasting, and your IP address. Light wallets that use SPV (Simplified Payment Verification) or Electrum servers are particularly vulnerable — they query specific addresses, allowing the server operator to build a profile of your wallet.

What to do: Run Bitcoin Core on a dedicated device (a Raspberry Pi running Umbrel, MyNode, or RaspiBlitz is sufficient). Connect your wallet to your own node. Sparrow Wallet, Electrum, and most hardware wallet software support connecting to your own Electrum server or Bitcoin Core node.

Why it matters: Your own node validates all transactions locally. No third party learns which addresses belong to you. This is the most fundamental privacy improvement at the network level.

Use Tor

Even if you run your own node, your ISP can see that you are running Bitcoin software and broadcasting transactions. Using Tor routes your Bitcoin network traffic through multiple relays, hiding your IP address from peers and your ISP.

What to do: Configure Bitcoin Core to run over Tor (add proxy=127.0.0.1:9050 to your bitcoin.conf). Most node-in-a-box solutions (Umbrel, MyNode) configure Tor by default. For wallet software, Sparrow Wallet has built-in Tor support.

Why it matters: Without Tor, the first node that receives your transaction can log your IP address. Network-level surveillance can correlate IP addresses with transaction broadcasts to deanonymize users.

Avoid Blockchain Explorers with Your Real IP

When you look up a transaction or address on a blockchain explorer website (blockchain.com, mempool.space, blockstream.info), you are revealing your interest in that specific transaction or address to the website operator and potentially to their analytics partners.

What to do: Run your own block explorer (Mempool, BTC RPC Explorer) connected to your own node. If you must use a public explorer, access it through Tor Browser.

Level 3: Transaction-Level Privacy

CoinJoin

CoinJoin is the most established technique for breaking the link between transaction inputs and outputs. Multiple users combine their transactions into a single transaction with equal-value outputs, making it impossible for observers to determine which input corresponds to which output.

How it works: In a CoinJoin with five participants, each contributing 0.1 BTC, the transaction has five inputs (from different owners) and five outputs (each 0.1 BTC to different addresses). An observer sees a transaction with five identical outputs but cannot determine which input funded which output — there are 5! = 120 possible mappings.

Implementations:

Wasabi Wallet uses the WabiSabi protocol for automated CoinJoin. Users deposit bitcoin, and the wallet automatically participates in CoinJoin rounds. The coordinator cannot see the mapping between inputs and outputs (the protocol uses cryptographic blinding). Wasabi enforces a minimum denomination and charges a coordinator fee.

JoinMarket is a decentralized CoinJoin implementation with a maker-taker model. “Makers” offer their bitcoin for CoinJoin and earn fees; “takers” initiate CoinJoin and pay fees. JoinMarket has no central coordinator — makers and takers find each other through a decentralized messaging protocol. This makes it more censorship-resistant but less user-friendly than Wasabi.

Practical advice: Perform multiple rounds of CoinJoin for stronger privacy. A single round provides plausible deniability; multiple rounds make analysis exponentially harder. After CoinJoin, do not consolidate outputs — this can undo the privacy gains by linking the outputs through common spending.

PayJoin (P2EP)

PayJoin (also called Pay-to-EndPoint or P2EP) is a privacy technique where the sender and receiver both contribute inputs to a payment transaction. This breaks the Common Input Ownership Heuristic in a way that looks like a normal transaction.

How it works: Instead of Alice sending Bob a payment from her UTXOs only, both Alice and Bob contribute UTXOs as inputs, and the transaction has outputs going to both parties. To an outside observer, this looks like a normal transaction where one person is spending multiple UTXOs. The observer cannot tell which inputs belong to the sender versus the receiver, and cannot determine the actual payment amount.

Why it matters: PayJoin is steganographic — it is indistinguishable from a normal transaction. Unlike CoinJoin (which creates distinctive equal-output transactions), PayJoin leaves no fingerprint. If PayJoin adoption reaches critical mass, it undermines the fundamental assumptions of chain analysis for all Bitcoin transactions, not just those using PayJoin.

Implementation: BTCPay Server supports PayJoin for merchants. Sparrow Wallet supports sending PayJoin transactions.

Avoid Unnecessary Change Outputs

When you spend a UTXO, any value not sent to the recipient becomes a change output returned to your wallet. This change output is linked to the transaction and can be used by analysts to track your future spending.

What to do:

• When possible, spend exact amounts to avoid change outputs entirely
• Use coin selection to choose UTXOs that closely match the payment amount
• If you must create change, send it to a CoinJoin wallet for mixing before reuse

Level 4: Acquisition Privacy

Acquire Bitcoin Without KYC

KYC (Know Your Customer) requirements at exchanges create the most direct link between your identity and your Bitcoin holdings. Once an exchange has your passport and your withdrawal address, that address — and all addresses that can be linked to it through chain analysis — is permanently associated with your legal identity.

Methods for non-KYC acquisition:

Peer-to-peer exchanges. Bisq is a decentralized exchange that requires no identity verification. HodlHodl and RoboSats (on Lightning) also facilitate non-KYC trades. Trades typically carry a premium (3-10% above market price), which is the cost of privacy.

Bitcoin ATMs. Many Bitcoin ATMs allow purchases below certain thresholds ($250-$900 depending on jurisdiction) without identity verification. Be aware that most ATMs have cameras, and some operators share data with chain analysis firms.

Mining. Mining bitcoin produces “virgin” coins with no prior transaction history. For individual miners, joining a mining pool means the pool knows your payout address, so solo mining (where practical) is superior for privacy.

Earning bitcoin. Accepting bitcoin as payment for goods or services creates no KYC link, especially if you provide a unique address for each payment.

Break the KYC-to-Non-KYC Link

If you have already purchased bitcoin through a KYC exchange, the link between your identity and those coins exists in the exchange’s records (and likely in chain analysis databases). To prevent future transactions from being traced back to your identity:

1. Withdraw from the exchange to your own node-connected wallet
2. CoinJoin the withdrawn funds (multiple rounds)
3. After CoinJoin, send to a fresh wallet that has never been connected to your KYC identity

This process does not erase the exchange’s records of your initial purchase, but it breaks the on-chain trail that connects your KYC identity to your current holdings.

Level 5: Advanced Techniques

BIP-47 Reusable Payment Codes

BIP-47 solves a fundamental UX problem: how do you receive Bitcoin payments from someone repeatedly without address reuse and without requiring interactive address exchange each time?

How it works: You publish a single “payment code” (which looks like a Bitcoin address but is not directly used for payments). When someone wants to pay you, their wallet uses this payment code to derive a unique, never-before-used Bitcoin address for each payment. Only the sender and receiver can connect the payment code to the derived addresses.

The notification transaction: The first payment from a new sender includes a special “notification transaction” that establishes a shared secret between sender and receiver using ECDH (Elliptic Curve Diffie-Hellman). This notification transaction is the main privacy weakness of BIP-47 — it links the sender’s wallet to the receiver’s payment code on-chain. Subsequent payments leave no such link.

Implementation: Sparrow Wallet and Samourai Wallet (before its seizure) supported BIP-47. PayNym is the most well-known BIP-47 implementation.

Silent Payments (BIP-352)

Silent Payments are an evolution of BIP-47 that eliminates the notification transaction, solving BIP-47’s main privacy weakness.

How it works: The receiver publishes a single static address (their Silent Payment address). The sender uses this address plus the private key of their transaction inputs to derive a unique output address that only the receiver can detect and spend. There is no on-chain link between the Silent Payment address and the derived output addresses — not even a notification transaction.

The trade-off: Receiving wallets must scan every transaction on the blockchain to detect payments addressed to them (specifically, they must perform an ECDH computation for each transaction’s inputs). This increases the computational cost of wallet operation significantly, though it can be optimized with light client protocols.

Status: BIP-352 is in development with growing wallet support. It represents the current state of the art in Bitcoin payment privacy.

Coin Control with Privacy Scores

Advanced privacy practitioners assign privacy scores to each UTXO based on:

• Source: KYC (low score), non-KYC (high score), CoinJoin output (high score)
• Mixing rounds: More rounds = higher score
• Age: Older UTXOs that have been dormant are slightly harder to analyze
• Amount: Round amounts (0.1 BTC, 1.0 BTC) are more common in CoinJoin outputs and less distinctive

When making a payment, choose UTXOs with appropriate privacy scores for the context. A purchase that will be linked to your real identity (shipping an item to your address) does not require high-privacy UTXOs. A donation to a controversial cause does.

Practical Privacy Workflow

Here is a concrete workflow that implements most of the techniques above:

Setup (One-Time)

1. Set up a Bitcoin node on a dedicated device (Umbrel on Raspberry Pi or old laptop)
2. Install Sparrow Wallet on your desktop, connected to your own node over Tor
3. Create three wallets in Sparrow: “KYC,” “Mixing,” and “Private”
4. Set up a Bisq or RoboSats account for non-KYC purchases

Acquiring Bitcoin

• From exchanges: Withdraw to KYC wallet. CoinJoin in Mixing wallet. Move to Private wallet.
• From peer-to-peer: Receive directly in Private wallet.
• From earning: Provide a unique address from Private wallet for each payment.

Spending Bitcoin

• For purchases linked to your identity: Spend from KYC wallet (privacy is already broken for these)
• For private purchases: Spend from Private wallet using coin control to select appropriate UTXOs
• For donations or sensitive payments: Spend CoinJoined UTXOs from Private wallet

Ongoing Maintenance

• Label every UTXO as you receive it
• Periodically CoinJoin accumulated UTXOs in the Mixing wallet
• Never consolidate CoinJoin outputs
• Never send directly between KYC and Private wallets
• Keep your node running 24/7 for maximum privacy and to support the network

Common Privacy Mistakes

Consolidating small UTXOs. When you combine many small UTXOs into one transaction, you reveal that all those UTXOs belong to the same person. If even one of them is linked to your identity, all are now linked.

Using the same wallet for Lightning and on-chain. Lightning channel opens and closes are on-chain transactions. If your Lightning node is publicly identifiable (through its node ID), linking your on-chain wallet to it compromises the privacy of both.

Posting addresses on social media. An address posted publicly can be monitored indefinitely. Even if you used it only once, the transaction history of all connected addresses can be traced.

Trusting “privacy coins” as a substitute. Monero and Zcash offer stronger default privacy than Bitcoin, but they have significantly less liquidity, less infrastructure, and face greater regulatory hostility. For most users, Bitcoin with proper privacy practices is a more robust long-term solution.

Ignoring timing analysis. If you withdraw from an exchange and immediately deposit to another address, the timing correlation alone can link those transactions even through CoinJoin. Add random delays between related transactions.

The Austrian Case for Privacy

From the perspective of Austrian Economics, financial privacy is not merely a personal preference — it is an economic necessity. Friedrich Hayek argued that the price system functions as a distributed information-processing mechanism, coordinating the actions of millions of individuals through price signals. For this system to work, market participants must be free to transact without fear of surveillance or punishment.

When every transaction is monitored, market participants alter their behavior — not to optimize economic value, but to avoid scrutiny. This distortion of economic calculation leads to what Mises called a breakdown in rational economic planning. Just as central planning fails because planners lack the distributed knowledge embodied in market prices, financial surveillance fails because it replaces genuine market behavior with performance for the surveillance apparatus.

Privacy-preserving money — whether physical cash or properly used Bitcoin — enables honest price discovery and genuine economic calculation. It is not a luxury for the paranoid. It is infrastructure for a functioning market economy.

For more on Bitcoin’s privacy properties, see Bitcoin and Financial Privacy and CoinJoin. For self-custody practices that complement privacy, see our dedicated guide.