Bitcoin Privacy Tools Compared: CoinJoin, PayJoin, Silent Payments

Bitcoin Privacy Tools Overview

Bitcoin transactions are pseudonymous, not anonymous. Every payment is recorded on a public ledger, and chain analysis firms routinely link addresses to real-world identities. Privacy tools exist to break these links, but they vary widely in approach, cost, usability, and the strength of their guarantees.

This guide compares the major Bitcoin privacy techniques available today: CoinJoin (via Wasabi Wallet and JoinMarket), PayJoin (BIP78 and the newer BIP77), silent payments (BIP352), and Lightning Network onion routing. Each tool solves a different privacy problem, and understanding the distinctions is critical for choosing the right approach.

CoinJoin: Breaking the Transaction Graph

CoinJoin is the oldest and most studied Bitcoin privacy technique. The concept, first described by Gregory Maxwell in 2013, is simple: multiple users combine their inputs and outputs into a single transaction, creating ambiguity about which input funded which output. When done correctly, an observer cannot determine the connection between any specific input and output.

Wasabi Wallet (WabiSabi Protocol)

Wasabi Wallet uses the WabiSabi protocol, which employs keyed verification anonymous credentials and homomorphic value commitments to enable CoinJoin rounds with arbitrary output amounts. Unlike earlier equal-output CoinJoin designs, WabiSabi allows participants to register outputs of different sizes without revealing which inputs they own.

In June 2024, Wasabi discontinued its built-in zkSNACKs coordinator service following the arrest and prosecution of the Samourai Wallet founders. Users now connect to third-party WabiSabi coordinators discovered via Nostr. The Wasabi client defaults to 0% coordinator fee, though third-party coordinators may set their own rates. Mining fees are shared proportionally among participants based on the block space each consumes.

WabiSabi rounds can include hundreds of inputs and outputs, and the protocol ensures that remixing (re-entering a CoinJoin with previously mixed outputs) is free of coordinator fees. The minimum balance for automatic CoinJoin in Wasabi is 0.01 BTC, below which the mining fee overhead makes mixing uneconomical.

JoinMarket (Maker/Taker Model)

JoinMarket takes a fundamentally different approach: it operates as a decentralized market where "makers" offer their UTXOs for CoinJoin and earn fees, while "takers" initiate CoinJoins and pay for the service. The taker acts as the coordinator, selecting which makers to include. This eliminates the need for a centralized coordinator entirely.

Maker fees are typically 0.01% to 0.03% of the mixed amount, set competitively by each maker. The taker also pays the full mining fee for the transaction. JoinMarket has been running on mainnet since 2015 and remains the most decentralized CoinJoin implementation available.

The Jam web interface (currently at v0.4.1) makes JoinMarket accessible to non-technical users and runs on node platforms like Umbrel, Start9, and RaspiBlitz. However, JoinMarket requires a Bitcoin Core full node, and Jam is not yet compatible with Bitcoin Core v30 or later versions that removed legacy BDB wallet support.

Samourai Whirlpool (Discontinued)

Samourai Wallet's Whirlpool was a popular CoinJoin implementation that used fixed-denomination pools (0.001, 0.01, 0.05, and 0.5 BTC). In April 2024, the US Department of Justice arrested Samourai's founders, charging them with operating an unlicensed money transmitting business and conspiracy to commit money laundering. Both founders pleaded guilty in August 2025. The Whirlpool service is no longer operational, and Sparrow Wallet removed its Whirlpool integration in response to the legal proceedings.

PayJoin: Privacy During Payments

PayJoin (also called P2EP, or Pay-to-Endpoint) breaks a different heuristic than CoinJoin. Chain analysis relies heavily on the "common input ownership" assumption: if a transaction has multiple inputs, they likely belong to the same wallet. PayJoin defeats this by having both the sender and receiver contribute inputs to a payment transaction. For a deeper technical explanation, see our PayJoin research article.

The original PayJoin protocol (BIP78) required the receiver to run a server and be online at the moment of payment. This limited adoption to merchants running BTCPay Server and technically advanced users. BIP77 (PayJoin v2), designed by Dan Gould, solves this by introducing an untrusted relay server called the Payjoin Directory. Communication is encrypted and routed through an Oblivious HTTP proxy, so the relay cannot inspect the transaction data.

BIP77 also enables asynchronous PayJoin: the receiver's wallet can be offline when the sender initiates payment, and the protocol completes when both parties are available. Bull Bitcoin became the first commercially available mobile wallet to ship BIP77 support, followed by Cake Wallet in 2025.

A key advantage of PayJoin is cost: the resulting transaction looks like a normal payment and costs the same as a standard Bitcoin transaction. There is no additional fee overhead, no mixing pool, and no coordinator. The privacy benefit scales with adoption: the more wallets that support PayJoin, the less reliable the common-input-ownership heuristic becomes for all Bitcoin transactions.

Silent Payments: Reusable Addresses Without Address Reuse

Silent payments (BIP352), authored by Josie Baker and Ruben Somsen, solve the address reuse problem. Today, sharing a single Bitcoin address publicly (for donations or in a bio) means every payment to that address is trivially linkable on-chain. Silent payments allow a recipient to publish a single static address from which senders derive a unique Taproot output address for each payment. The recipient can detect and spend these payments, but no on-chain observer can link them to the published address or to each other.

BIP352 was merged in May 2024 and is supported in Bitcoin Core 28.0+ for both sending and receiving. Wallet adoption is growing: Cake Wallet, Silentium (a dedicated silent payments wallet), and Nunchuk have added support. Hardware wallet compatibility works for signing, but address derivation must happen in the software wallet before passing the PSBT to the signing device.

Silent payment addresses are approximately 117 characters (compared to ~62 for standard bech32m addresses), making them impractical to type manually. In practice, they are shared via QR codes or copy-paste. A related proposal, BIP375, specifies how to send silent payments using PSBTs, enabling compatibility with existing transaction workflows.

The main tradeoff is receiver-side scanning cost: the recipient must scan every transaction in every block to detect payments addressed to them. Light clients cannot efficiently receive silent payments without additional infrastructure, though an Electrum-compatible server for silent payments is in development.

Lightning Network Privacy

The Lightning Network provides privacy through a fundamentally different mechanism: payments happen off-chain and are routed through multiple hops using onion routing (the SPHINX protocol). Each routing node only knows its immediate predecessor and successor in the payment path. It cannot determine the original sender, the final recipient, or how many hops remain. For a detailed analysis, see our Lightning privacy research article.

Lightning payments leave no trace on the base-layer blockchain (beyond the channel open and close transactions). This makes them inherently more private than on-chain techniques for day-to-day payments. However, Lightning has its own privacy challenges:

• HTLC payment hash correlation: the same hash is used across all hops, allowing a node that controls multiple routing positions to correlate payments
• Timing analysis: intermediate nodes can infer the sender or receiver based on response latency patterns
• Channel graph analysis: public channel balances and capacity data can reveal information about payment flows
• Payment probing: adversaries can probe channel balances to track funds across the network

Upgrades to PTLCs (Point Time-Locked Contracts) would eliminate hash correlation by using unique adaptor signatures per hop. Blinded paths allow receivers to hide their identity in BOLT12 invoices. Trampoline routing lets mobile wallets outsource pathfinding without revealing the final destination, using nested onion layers that preserve sender and receiver privacy.

Privacy Guarantees Compared

Each tool addresses a different aspect of Bitcoin privacy. The following table maps specific privacy threats to the tools that mitigate them.

Costs and Practical Tradeoffs

Privacy is not free. Each technique imposes costs in fees, time, complexity, or usability. CoinJoin transactions are larger than standard transactions because they combine many inputs and outputs, so mining fees are higher. During low-fee periods (1-2 sat/vB, common in 2025), a CoinJoin round might cost each participant a few hundred to a few thousand sats in mining fees. During fee spikes, costs increase proportionally.

PayJoin adds zero fee overhead: the resulting transaction is the same size as a normal payment (or slightly larger if the receiver adds an input). Silent payments also cost the same as a standard transaction for the sender, though the receiver bears a computational cost for scanning. Lightning routing fees are typically 0-50 sats per payment plus a small percentage (commonly 0.01-0.1%) of the routed amount.

From a usability standpoint, Lightning provides the best experience: privacy is automatic and invisible to the user. Silent payments require only that the sender's wallet supports BIP352. PayJoin requires both sender and receiver wallets to support the protocol. CoinJoin requires the most active participation: the user must run a compatible wallet, wait for rounds to form, and manage their UTXO set carefully to avoid undoing the privacy gains.

How to Choose a Privacy Strategy

The right approach depends on your threat model and use case. These tools are not mutually exclusive: combining multiple techniques provides layered privacy.

For receiving donations or public payments without linking them: use silent payments. Publish a BIP352 address and each sender creates a unique on-chain output that cannot be linked to your public address.

For breaking the history of existing UTXOs: use CoinJoin. JoinMarket is the most decentralized option, while Wasabi with third-party coordinators offers a more automated experience.

For everyday payments with built-in privacy: use Lightning. Payments are off-chain, routed through onion-encrypted paths, and leave no public transaction record. Layer 2 protocols like Spark further reduce on-chain footprint by enabling fast Bitcoin and stablecoin transfers without individual channel management.

For privacy during on-chain payments between two parties: use PayJoin. It costs nothing extra and breaks the most common chain analysis heuristic. Enable it in any wallet that supports BIP77 or BIP78.

For maximum privacy, combine techniques: CoinJoin your UTXOs first, then spend via PayJoin or move funds to Lightning. Use silent payments for any address you share publicly. Inspect your transaction details with the transaction decoder to verify what information is visible on-chain.

Frequently Asked Questions

Is CoinJoin legal?

CoinJoin itself is a Bitcoin transaction format, not a regulated activity. However, operating a CoinJoin coordination service may carry legal risk. The Samourai Wallet founders were convicted in 2025 for operating an unlicensed money transmitting business, though prosecutors acknowledged that FinCEN stated CoinJoin and non-custodial wallets do not constitute money transmission. The legal landscape varies by jurisdiction and is evolving. Users should understand their local regulations.

What is the difference between CoinJoin and PayJoin?

CoinJoin combines inputs and outputs from many unrelated users into one large transaction, creating ambiguity about ownership. PayJoin involves only two parties (sender and receiver) and makes a payment transaction look normal while breaking the assumption that all inputs belong to the sender. CoinJoin is used to mix existing UTXOs; PayJoin is used during an actual payment.

How do silent payments differ from stealth addresses?

Silent payments (BIP352) and earlier stealth address proposals share the goal of deriving unique addresses from a static public key. The key difference is that BIP352 uses Taproot outputs and Schnorr signatures, producing standard-looking P2TR outputs that are indistinguishable from regular Taproot payments on-chain. Earlier stealth address schemes required OP_RETURN outputs or non-standard scripts that were easily identifiable.

Are Lightning payments truly private?

Lightning provides strong but not perfect privacy. Onion routing prevents intermediate nodes from knowing the sender or receiver, and payments are not recorded on-chain. However, HTLC hash correlation allows a node controlling multiple routing hops to link payment segments. Timing analysis and channel probing can also leak information. Upcoming upgrades like PTLCs and blinded paths address these weaknesses.

Which Bitcoin wallets support privacy features in 2026?

Wasabi Wallet supports WabiSabi CoinJoin via third-party coordinators. JoinMarket (via the Jam UI) supports decentralized CoinJoin. BTCPay Server supports PayJoin (BIP78). Bull Bitcoin and Cake Wallet support PayJoin v2 (BIP77). Bitcoin Core 28+, Cake Wallet, Silentium, and Nunchuk support silent payments (BIP352). All major Lightning wallets provide onion-routed payment privacy by default. Check the Bitcoin wallet ecosystem map for a broader overview of wallet capabilities.

Can I combine multiple privacy techniques?

Yes, and this is recommended. A common strategy is to CoinJoin on-chain UTXOs to break their transaction history, then move funds to Lightning for everyday spending. Silent payments can be used alongside any on-chain technique. PayJoin can be used whenever making a direct payment to a compatible wallet. Layering techniques compounds privacy because an analyst must defeat every layer independently.

What are the risks of using Bitcoin privacy tools?

Technical risks include connecting to malicious CoinJoin coordinators, accidentally merging mixed and unmixed UTXOs (which undoes CoinJoin privacy), and wallet bugs that leak metadata. Operational risks include network-level surveillance (IP address correlation) if Tor is not used. Legal risks vary by jurisdiction: some countries have restricted or proposed restrictions on privacy-enhancing tools. Always use self-custodial wallets and understand the regulatory environment in your jurisdiction.

This tool is for informational purposes only and does not constitute financial or legal advice. Privacy tool availability, wallet support, and legal status change frequently. Data reflects publicly available information as of early 2026. Always verify current capabilities and legal requirements before using privacy tools.