Privacy and security: why anonymity matters in crypto

Most crypto is not anonymous

One of the most persistent misconceptions about cryptocurrency is that it provides anonymity. For the vast majority of cryptocurrencies — Bitcoin, Ethereum, Solana, and most others — it does not. These networks are pseudonymous: your wallet address acts as a pseudonym, but every transaction you make is permanently recorded on a public blockchain, visible to anyone, forever.

Think of it this way: your wallet address is like a transparent bank account with no name on it. Anyone can look inside and see every deposit, withdrawal, transfer, and balance. The only protection is that the account does not have your name attached to it — yet.

There are exceptions — cryptocurrencies and tools specifically designed for true anonymity — but they come with significant trade-offs. We cover them below.

How your identity gets linked to your address

Once your real identity is connected to a wallet address, your entire financial history on that address becomes public knowledge. This connection can happen in many ways:

• Exchange KYC -- When you buy crypto on a regulated exchange (Coinbase, Binance, Kraken), you verify your identity. The exchange knows which addresses you withdraw to.
• ENS and SNS names -- Registering "john.eth" or a similar name service links a human-readable identity to an on-chain address. If that address holds $500,000, anyone who knows John can see his exact holdings.
• Social media posts -- Sharing your wallet address for donations, tips, or to show off a transaction permanently connects it to your public identity.
• Payments -- Receiving or sending a payment to someone who knows you creates a link between your identity and your address.
• Blockchain analytics -- Companies like Chainalysis and Elliptic specialize in tracing transactions across addresses, clustering wallets, and de-anonymizing users. Law enforcement uses these tools routinely.

The exceptions: crypto that IS anonymous

There are exceptions. Some cryptocurrencies and tools are specifically designed to provide true anonymity or break the traceability chain:

The regulatory cost of privacy

Here's the difficult reality: privacy tools work, but they face serious regulatory pressure.

• Tornado Cash was sanctioned by the U.S. Treasury (OFAC) in August 2022. Using it became illegal for U.S. persons. Its developer was arrested and convicted in the Netherlands. The smart contracts still function on-chain, but interacting with them can flag your address on exchanges and potentially expose you to legal action.
• Monero has been delisted from most major exchanges in many jurisdictions (EU, UK, Japan, Australia). While you can still use it, buying and selling through regulated on-ramps is increasingly difficult. Some jurisdictions are considering outright bans.
• Privacy wallets and services face increased scrutiny. Regulators view them through the lens of anti-money laundering (AML) compliance, and several have been shut down or forced to add KYC.
• Travel Rule — Regulations like the FATF Travel Rule require exchanges to share sender and recipient information for transactions above certain thresholds. This directly conflicts with privacy-preserving tools.

The transparency trap

For the vast majority of crypto users — those using Bitcoin, Ethereum, Solana, and other major networks without privacy tools — blockchain transparency is total. It's a design feature: it allows anyone to verify that the system is working honestly, that balances are correct, and that rules are being followed. But this same transparency means that your financial life is more exposed on a blockchain than in any traditional banking system.

Your bank balance is private. Your credit card transactions are private. Your investment portfolio is private. On a blockchain, once your address is known, none of this is private. Not your balance, not your transaction history, not the services you use, not the people you transact with.

The physical danger -- why this matters for your safety

This is not a theoretical concern. The lack of privacy in crypto has led to real, documented cases of violence, kidnapping, and extortion. When criminals can see exactly how much crypto someone holds, that person becomes a target.

The $5 wrench attack

The "$5 wrench attack" is a widely referenced concept in the crypto community. The idea is simple and sobering: it is far easier to threaten someone physically than to hack their wallet cryptographically. A wallet protected by the most advanced encryption in the world can be emptied if someone holds a weapon to the owner and says "send me your crypto."

Unlike bank transfers, crypto transactions are irreversible. There is no fraud department to call, no chargeback to initiate, no way to reverse the transaction. Once the crypto is sent, it is gone.

Real-world cases

These are not hypothetical scenarios. Documented incidents include:

• Home invasions -- Crypto executives and known holders have been targeted for home invasions specifically because their holdings were publicly known or inferable.
• Kidnapping for ransom -- Individuals have been kidnapped and held until they transferred crypto to their captors' wallets.
• Family threats -- Family members have been threatened or harmed to force wallet owners to give up access to their funds.
• Social engineering from social media -- Posts showing large gains, expensive NFT purchases, or screenshots of portfolio balances have directly attracted criminal attention.
• In-person robbery -- People arranging to buy or sell crypto in person have been robbed at the point of exchange.

Why crypto is different from traditional finance

In traditional finance, your wealth is largely invisible to the public. Your bank does not publish your balance. Your brokerage account is private. Even extremely wealthy individuals can maintain a degree of financial privacy.

In crypto, once the link between your identity and your address is established:

• Your exact balance is visible in real time
• Every transaction you make is visible
• Anyone can monitor your address for changes
• The information is permanent -- it cannot be removed or hidden after the fact

This is why privacy in crypto is not just a preference -- it is a safety issue.

What is a zero-knowledge proof?

A zero-knowledge proof (ZK proof) is a cryptographic technique that allows one party (the "prover") to prove to another party (the "verifier") that a statement is true -- without revealing any information beyond the truth of the statement itself.

Simple analogies

Zero-knowledge proofs are easier to understand through examples:

• Age verification -- Proving you are over 18 without revealing your date of birth, your name, or any other personal information. The verifier learns only that you meet the age requirement -- nothing else.
• Balance check -- Proving you have more than $10,000 in your account without revealing your actual balance. The verifier learns that you meet the threshold, but not whether you have $10,001 or $10,000,000.
• Membership -- Proving you belong to a group (e.g., citizens of a particular country) without revealing which specific member you are.

How it works conceptually

You do not need to understand the underlying mathematics to understand what ZK proofs enable. The process works like this:

1. The prover has some private information (e.g., their account balance is $50,000).
2. The prover wants to demonstrate a statement about that information (e.g., "my balance is greater than $10,000") without revealing the actual value.
3. Using cryptographic techniques, the prover generates a proof -- a small piece of data that mathematically guarantees the statement is true.
4. The verifier checks the proof. If the proof is valid, the verifier is convinced the statement is true -- without ever learning the underlying data.

The key property: the proof reveals nothing except that the statement is true. It cannot be faked, and it does not leak any additional information.

Types of zero-knowledge proofs

You do not need to understand the cryptographic details of either system. What matters is what they enable: proving things without revealing things.

ZK in practice -- real applications

Zero-knowledge proofs are not just theoretical. They are being used in production systems today, primarily in two areas: scaling and privacy.

ZK Rollups (scaling)

The most prominent current use of ZK proofs is in Layer 2 scaling solutions for Ethereum. These systems batch many transactions together off-chain, then submit a single ZK proof to Ethereum that verifies all the transactions are valid -- without Ethereum having to re-execute every one of them.

Important distinction: ZK rollups use zero-knowledge proofs primarily for scaling, not for privacy. The transactions on most ZK rollups are still publicly visible. The "zero knowledge" part refers to how Ethereum verifies the batch -- it does not need to "know" every transaction to be convinced they are all valid.

Private transactions

Some protocols use ZK proofs specifically for transaction privacy:

• Zcash -- Pioneered the use of ZK-SNARKs for shielded transactions. Users can choose to send transactions that hide the sender, recipient, and amount from public view while still being verified by the network.
• Aztec Network -- A privacy-first Layer 2 on Ethereum, designed to enable private DeFi transactions using ZK proofs.
• Tornado Cash -- A mixing protocol that used ZK proofs to break the link between deposit and withdrawal addresses. It was sanctioned by the U.S. Treasury in 2022, illustrating the tension between privacy technology and regulation.

Identity and compliance

ZK proofs have powerful applications beyond financial transactions:

• Proof of personhood -- Proving you are a unique real person without revealing your identity.
• Proof of citizenship -- Proving you are from a specific country without revealing your passport details.
• Proof of compliance -- Proving you have completed KYC verification or paid your taxes without revealing personal financial data.

These applications represent a potential future where privacy and regulatory compliance are not in conflict -- where you can satisfy legal requirements without exposing yourself to the risks described above.

Practical privacy measures

You do not need to wait for perfect privacy technology to reduce your exposure. Here are concrete steps you can take today:

Address management

• Use different addresses for different purposes. Do not consolidate all your holdings into a single address. Separate your long-term holdings, your trading activity, and your everyday transactions.
• Do not link your real identity to your main holding address. If you need a public address (for receiving payments or donations), use a separate address that holds only minimal funds.
• Be careful with ENS and SNS names. These are convenient, but they are also permanent, public identity links. A name like "yourname.eth" turns your address into a searchable, identifiable record of your wealth.

Information discipline

• Never post wallet addresses on social media. Even a single post creates a permanent, searchable connection between your identity and your on-chain activity.
• Do not discuss specific holdings publicly. Saying "I bought 10 ETH" or sharing portfolio screenshots gives criminals actionable intelligence.
• Be skeptical of portfolio-sharing features. Social platforms that encourage sharing your gains are incentivizing you to make yourself a target.

Technical measures

• Use a hardware wallet. Physically secure your keys so they cannot be extracted remotely. Devices like Ledger and Trezor keep your private keys offline.
• Use a VPN when accessing crypto services. Your IP address can reveal your location and be linked to your wallet activity.
• Consider privacy-preserving tools -- but be aware of the legal implications in your jurisdiction. Some privacy tools have been sanctioned or restricted by regulators.

Privacy vs. regulation

There is a genuine tension between two legitimate interests: regulators want transparency to prevent money laundering, tax evasion, and terrorism financing. Users want privacy for personal safety and financial freedom. These interests are not inherently opposed, but finding the right balance is one of the most important challenges in crypto.

The current state

• KYC requirements at exchanges already link identity to addresses. If you have ever used a centralized exchange, the connection between your identity and at least some of your addresses exists in a database.
• Blockchain analytics firms like Chainalysis and Elliptic can trace transactions across addresses, cluster wallets, and de-anonymize users. These firms work with law enforcement agencies worldwide.
• Regulatory actions -- The sanctioning of Tornado Cash demonstrated that privacy tools themselves can become targets of regulation, even when they have legitimate uses.

The future: ZK proofs as a bridge

Zero-knowledge proofs may offer a path forward that satisfies both sides:

• Prove you paid taxes without showing your balance or transaction history.
• Prove you passed KYC without revealing your personal data to every service you use.
• Prove your funds are not from sanctioned sources without exposing your entire financial history.

This vision -- compliance without surveillance -- is still being developed. But it represents a future where privacy and regulation can coexist, rather than being forced into opposition.

For a deeper look at the regulatory landscape, see our guide on privacy, taxes, and regulation.

CleanSky's privacy approach

CleanSky was built with the understanding that privacy is not a feature -- it is a requirement. Our architecture reflects this: