CoinJoin

What Is CoinJoin?

CoinJoin is a trustless protocol for combining Bitcoin transactions from multiple independent users into a single transaction. By mixing inputs from different owners and producing outputs of equal denomination, CoinJoin makes it difficult for outside observers to determine which input funded which output. The technique preserves privacy without requiring any custodial service or trusted intermediary.

The concept was formally proposed by Gregory Maxwell on August 22, 2013, in a bitcointalk post titled "CoinJoin: Bitcoin privacy for the real world." The term itself was coined by Peter Todd. Maxwell recognized that Bitcoin's transparent blockchain allowed chain analysis firms to track funds across transactions by exploiting a simple assumption: all inputs in a transaction belong to the same person. CoinJoin directly breaks this "common-input-ownership heuristic" by making it false.

Unlike mixing services that take custody of funds, CoinJoin participants retain control of their keys throughout the process. Every participant verifies that their output appears in the final transaction before signing. No single party can steal funds or learn the mapping between inputs and outputs.

How It Works

A standard Bitcoin transaction has inputs (coins being spent) and outputs (new coins being created). Blockchain analysts assume all inputs belong to the same wallet. CoinJoin exploits the fact that a Bitcoin transaction is simply a list of inputs and outputs with no inherent link between them.

The basic CoinJoin process involves multiple participants collaborating to build a single transaction:

1. Each participant selects UTXOs they want to mix and connects to a coordinator (or peers in a decentralized model)
2. Participants register their inputs and provide a destination address for their output, using cryptographic blinding so the coordinator cannot link the two
3. The coordinator assembles a transaction with all inputs and all outputs, each output being the same denomination (for example, exactly 0.01 BTC)
4. Each participant verifies the transaction contains their output for the correct amount, then signs only their inputs
5. The coordinator collects all signatures and broadcasts the complete transaction to the Bitcoin network

Because all outputs are identical in value, an observer cannot determine which input produced which output. If 50 participants each produce one output of 0.01 BTC, each output has a 1-in-50 chance of belonging to any particular input. This ratio defines the "anonymity set."

Breaking the Common-Input-Ownership Heuristic

Standard Bitcoin transactions typically have inputs from one wallet and outputs to one or two destinations. Chain analysis companies cluster addresses by assuming shared input ownership, building profiles across millions of transactions. Research has shown error rates exceeding 63% when this heuristic is applied to CoinJoin transactions, rendering cluster-based surveillance unreliable.

The Change Output Problem

When a participant's input exceeds the standard CoinJoin denomination, the excess must be returned as a change output. This "toxic change" has a high deterministic link back to the original input, creating a privacy vulnerability. Different implementations handle this differently:

• Change inclusion: change stays within the CoinJoin transaction (JoinMarket, Wasabi 1.0). Efficient but risky if later consolidated with mixed outputs
• Change isolation: a preparatory transaction separates change before mixing (Whirlpool's Tx0). Prevents contamination but the isolated change has no cover traffic
• Multi-denomination mixing: eliminates toxic change entirely by allowing arbitrary output amounts using cryptographic credentials (WabiSabi). Amounts decompose into standard denominations that match other participants

Chaumian CoinJoin Protocol

Most coordinator-based implementations use a Chaumian blind signature scheme to prevent the coordinator from learning the input-to-output mapping. The protocol works in distinct phases:

Phase 1: Input Registration
  - Participant connects via Tor circuit A
  - Registers input UTXO + proof of ownership
  - Provides blinded output address
  - Coordinator signs the blinded address

Phase 2: Output Registration
  - Participant connects via NEW Tor circuit B
  - Unblinds the signed output address
  - Registers output (coordinator verifies signature)
  - Coordinator cannot link this to Phase 1 identity

Phase 3: Signing
  - Coordinator constructs transaction with all inputs/outputs
  - Each participant verifies their output is present
  - Each participant signs their input(s)
  - Coordinator broadcasts the fully signed transaction

The coordinator facilitates the protocol but is cryptographically prevented from learning which outputs belong to which inputs. Participants verify the transaction before signing, ensuring the coordinator cannot steal funds.

Implementations

Wasabi Wallet (WabiSabi)

Wasabi Wallet launched in October 2018 with a Chaumian CoinJoin implementation using fixed-denomination outputs. In June 2022, Wasabi 2.0 introduced the WabiSabi protocol, which uses keyed-verification anonymous credentials (KVACs) and homomorphic value commitments. This allows arbitrary output amounts and eliminates toxic change by decomposing values into standard denominations that achieve k-anonymity across participants.

In June 2024, zkSNACKs (the company behind Wasabi) permanently shut down its CoinJoin coordinator, citing increasing regulatory hostility following the Samourai Wallet arrests. The wallet remains open-source and functional with third-party coordinators. Community-run coordinators like OpenCoordinator (which completed over 5,000 CoinJoins in its first year at zero fees) and others listed on wabisator.com have filled the gap.

JoinMarket

Launched in January 2015, JoinMarket is the oldest working CoinJoin implementation and the only fully decentralized option. It uses a maker/taker economic model with no central coordinator:

• Makers keep their wallet online, advertising available liquidity on a peer-to-peer orderbook. They earn fees for providing CoinJoin liquidity
• Takers initiate CoinJoins on demand, selecting makers from the orderbook and paying them small fees. The taker constructs the transaction, collects signatures, and broadcasts

JoinMarket uses fidelity bonds as a reputation mechanism to prevent Sybil attacks: makers lock Bitcoin in time-locked outputs to prove trustworthiness. However, the taker/maker distinction creates identifiable transaction patterns, as fee payments can reveal which participant is the taker.

Whirlpool

Introduced in June 2019 by Samourai Wallet, Whirlpool used a preparatory Tx0 transaction to separate change before mixing. Each round involved exactly five participants with fixed pool denominations (0.001, 0.01, 0.05, and 0.5 BTC). New entrants (premixers) paid miner fees while existing participants (remixers) could remix for free indefinitely, achieving 100% entropy per mix with no toxic change.

The original Whirlpool coordinator was seized when Samourai's founders were arrested in April 2024. An independent group called Ashigaru forked the code and revived the service with a new coordinator, operating two pools (0.025 and 0.25 BTC) with a 5% coordinator fee. All connections route through Tor.

CoinJoin vs. Other Privacy Techniques

CoinJoin is one of several Bitcoin privacy techniques. Understanding the differences helps users choose the right approach for their coin control strategy:

CoinJoin provides the strongest anonymity set among collaborative techniques but leaves a detectable on-chain footprint. PayJoin transactions are indistinguishable from regular payments but only involve two parties. Silent payments eliminate address reuse without requiring interaction. In practice, these techniques are complementary: a user might CoinJoin their UTXOs for anonymity, then use PayJoin for individual payments.

Chain Analysis and Detection

CoinJoin transactions have distinctive on-chain fingerprints: multiple inputs from different addresses and multiple equal-denomination outputs. Chain analysis firms can identify CoinJoin transactions with high accuracy based on these structural patterns.

Demixing (linking specific inputs to outputs) is more difficult but not impossible. Known techniques include:

• Change address analysis: tracking toxic change outputs as they are spent and consolidated
• Post-mix clustering: identifying when multiple CoinJoin outputs are later merged into a single transaction, revealing common ownership
• Timing analysis: correlating when inputs enter and outputs leave mixing rounds
• Amount correlation: subset-sum analysis on non-equal outputs to find matching amounts

Research suggests that the majority of privacy leakage comes from user behavior after mixing rather than cryptographic weaknesses. Consolidating mixed outputs, spending them alongside unmixed coins, or reusing addresses can undo the privacy gains of a CoinJoin.

Regulatory Landscape

CoinJoin has faced significant regulatory scrutiny. The most consequential enforcement action came in April 2024, when the U.S. Department of Justice arrested the founders of Samourai Wallet, charging them with conspiracy to commit money laundering and operating an unlicensed money transmitting business. Both founders pleaded guilty in July 2025 and were sentenced to four and five years in prison respectively.

The case created a notable contradiction: during proceedings, FinCEN confirmed that non-custodial software providers are not money transmitters under their 2019 guidance. Despite this, the DOJ pursued charges. In September 2024, FinCEN formally withdrew a proposed 2020 rule that would have imposed KYC requirements on non-custodial wallets.

The regulatory uncertainty prompted zkSNACKs to preemptively shut down Wasabi's coordinator. However, the open-source nature of these protocols means community-run coordinators continue to operate, and JoinMarket's decentralized model has no coordinator to shut down.

Why It Matters

Bitcoin's public blockchain means every transaction is permanently visible. Without privacy tools, any merchant, employer, or counterparty who learns a user's address can trace their entire financial history. CoinJoin provides a practical way to break this surveillance chain while remaining fully on-chain and self-custodial.

For the broader Bitcoin ecosystem, privacy is a fungibility requirement. If individual coins can be traced and blacklisted based on their history, Bitcoin loses a key property of sound money. CoinJoin helps preserve fungibility by making transaction histories ambiguous. Layer 2 protocols like Spark and the Lightning Network offer complementary privacy benefits: transactions happen off-chain, reducing the on-chain footprint that chain analysis depends on.

Risks and Considerations

Post-Mix Behavior

The privacy gained from CoinJoin can be entirely undone by careless spending. Consolidating multiple mixed outputs into a single transaction reveals common ownership. Spending mixed coins alongside unmixed ones links them. Effective coin control after mixing is essential to preserve the anonymity set.

Coordinator Trust

While coordinators cannot steal funds or link inputs to outputs (cryptographically enforced), they can censor participants, perform Sybil attacks by flooding rounds with their own inputs, or be compelled by authorities to do so. The Samourai seizure demonstrated that centralized coordinators are vulnerable to shutdown. Decentralized alternatives like JoinMarket avoid this risk but come with usability and privacy trade-offs.

Transaction Fees

CoinJoin transactions are larger than standard transactions because they contain many inputs and outputs. Participants share the mining fee, but during periods of high fee estimation, the cost can be significant. Some implementations charge additional coordinator fees on top of miner fees.

Legal Risk

The Samourai case established a precedent that operating a CoinJoin coordinator can result in criminal charges under U.S. law. Users should be aware of their jurisdiction's regulations regarding transaction privacy tools. The legal landscape remains uncertain, with conflicting positions between FinCEN guidance and DOJ enforcement actions.

Anonymity Set Limitations

A CoinJoin round provides a finite anonymity set: typically 5 to 150 participants depending on the implementation. This is significantly smaller than the anonymity sets claimed by some non-Bitcoin privacy systems. Multiple rounds of mixing increase the effective anonymity set, but each round costs time and fees.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.