Author: Fugui
In early June 2026, two events collided, as if the crypto world had staged a live lesson on the subject of "privacy".
The first: Zcash's (ZEC) Orchard shielded pool was found to carry a zero-knowledge proof circuit vulnerability that had existed for nearly four years. In theory an attacker could double-spend shielded ZEC inside the pool without limit. The most damaging part was not the bug itself but this: nobody can prove whether anyone quietly exploited it during those four years. An emergency patch (NU6.2) shipped within 48 hours, and on-chain analysis found no sign of actual exploitation, yet "it cannot be proven that it did not happen" is enough on its own to wreck the narrative. As soon as the news broke, Arthur Hayes publicly liquidated his position, and ZEC fell roughly 50% within 48 hours. Whenever this man does something "publicly", there is a good chance he has already done whatever he needed to do beforehand.
The second: the Zama protocol's cUSDC contract was frozen by Circle under a temporary restraining order (TRO) from a U.S. federal court, with about $12.6 million involved. It began with a governance dispute at a different project, Overnight Finance: the disputed funds were moved into Zama's confidential wrapper contract to evade tracking, and on receiving the order Circle blacklisted the entire contract address. Zama received no advance notice, and uninvolved users' funds were locked as well, because cUSDC is a pooled contract in which everyone's money sits behind the same address. Zama's core technology is fully homomorphic encryption (FHE), which in theory lets even the computation itself run on ciphertext, one of the most advanced privacy technologies available today. It was frozen outright by a court order anyway. Cryptography can beat mathematics; the law never has to decrypt anything.
These two incidents hint at a larger problem. This article starts from Bitcoin's original privacy design, passes through the rise and fall of three old privacy coins and the flourishing of a new generation of privacy protocols, and ends at a place rarely discussed head-on: how privacy is used as a weapon in practice, and how it is used against those weapons.
In 2008 Satoshi Nakamoto published the white paper. He wanted to solve two problems, and they were bound together from the start: financial independence, and privacy and anonymity.
Financial independence is easy to grasp: no reliance on banks or government; value moves directly between two people. In section 10 of the white paper he addressed privacy specifically and offered a design that was clever for its time: public-key anonymity. A Bitcoin address is a hash of a public key and carries no real-world identity. Anyone can see "this much moved from address X to address Y", but not who stands behind either address. He also recommended using a fresh address for every transaction and discarding each address after use. The UTXO model adds a little natural privacy of its own: the change output and the payment output look identical on chain, so in theory an outsider cannot tell which one went to the counterparty and which one came back to the spender.
The core implicit logic of this design is to protect the individual by enlarging the anonymity set: the larger the set, the more expensive it is to track any one address. The early Bitcoin community was steeped in hacker romance: identity replaced by numbers, trust by cryptography, banks by a peer-to-peer network. Everyone believed Bitcoin was "untraceable".
Then in 2013 a paper broke that belief. Sarah Meiklejohn of the University of California, San Diego, and her co-authors published "A Fistful of Bitcoins", which stacked two heuristics on top of each other: the multi-input rule (addresses used together as inputs to one transaction belong to the same owner) and the change-address rule (the change output is usually the non-round amount, paid to an address that has never appeared on chain before). By tagging the address clusters of more than a thousand known entities, they showed that even someone who strictly follows "a new address for every transaction" leaves on-chain activity that can be largely reconstructed: the anonymity set collapses under statistics. The same techniques underpin the blockchain forensics firms Chainalysis and Elliptic; the paper later received the Test of Time Award at the 2024 ACM Internet Measurement Conference and is recognized as foundational work in blockchain forensics.
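To make the two heuristics concrete, here is an added example written for this article (it is not the paper's code, nor any forensics vendor's). It clusters addresses from a small hand-constructed UTXO ledger in which "Alice" does everything the white paper recommends: a fresh address for every payment and fresh change addresses. The "round amount" threshold and the union-find clustering are my simplifications of the paper's rules; every address and amount is made up.

```python
"""Address clustering with the two heuristics from 'A Fistful of Bitcoins'.

Added example written for this article; it is not the paper's code and
not any forensics vendor's. The ledger is constructed by hand and every
address and amount in it is made up.
"""
from collections import defaultdict

# Constructed UTXO-style ledger. Alice (A*) follows the white paper's advice:
# every payment is made from a fresh address and change returns to a fresh
# address. M* are merchants, B* is an unrelated user Bob. A7 is a coin Alice
# received earlier, outside this excerpt.
LEDGER = [
    {"inputs": ["A1"],       "outputs": [("M1", 0.30), ("A2", 0.6993)]},
    {"inputs": ["A2", "A7"], "outputs": [("M2", 1.00), ("A3", 0.1486)]},
    {"inputs": ["A3"],       "outputs": [("M1", 0.10), ("A4", 0.0479)]},
    {"inputs": ["B1"],       "outputs": [("M2", 0.25), ("B2", 0.2493)]},
    {"inputs": ["M2"],       "outputs": [("M3", 1.25)]},
]


def is_round(amount: float) -> bool:
    """A human-typed payment (0.30, 1.00, 1.25) has at most two decimals;
    leftover change almost never does. Assumed threshold, not the paper's exact rule."""
    scaled = amount * 100
    return abs(scaled - round(scaled)) < 1e-9


class UnionFind:
    """Minimal disjoint-set structure for merging addresses into one owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster(ledger):
    """Return {address: set of addresses believed to share its owner}."""
    uf = UnionFind()
    seen = set()                      # addresses that have appeared so far
    for tx in ledger:
        ins, outs = tx["inputs"], tx["outputs"]
        for addr in ins + [a for a, _ in outs]:
            uf.find(addr)             # register even addresses never merged
        # Heuristic 1, multi-input: all inputs of one tx are spent by one key holder.
        for addr in ins[1:]:
            uf.union(ins[0], addr)
        # Heuristic 2, change: a never-seen address receiving a non-round
        # amount is the spender's change output, so it joins the spender.
        fresh = [a for a, amt in outs if a not in seen and not is_round(amt)]
        if len(fresh) == 1:
            uf.union(ins[0], fresh[0])
        seen.update(ins)
        seen.update(a for a, _ in outs)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: groups[uf.find(addr)] for addr in list(uf.parent)}


if __name__ == "__main__":
    for members in {frozenset(v) for v in cluster(LEDGER).values()}:
        print(sorted(members))
```

Five of Alice's addresses (A1, A2, A3, A4 and the older coin A7) fall into one cluster even though no address was ever reused; the merchants stay unlinked because their outputs are round amounts and their sweep transaction produces no change.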
Bitcoin was never anonymous; it is pseudonymous. The difference between those two words is the difference between a person wearing a mask and a person with no face at all.
Once Bitcoin's privacy myth was exposed, the market wanted real privacy coins. Around 2017 three projects took the stage, each with a different face.
Monero (XMR), the privacy fundamentalist. Born in 2014, it uses a technical trio: ring signatures to obscure the sender, stealth addresses to hide the receiver, and Ring Confidential Transactions (RingCT) to conceal the amount. Most importantly, Monero has no "transparent mode": every transaction is hidden by default, with no option and no compromise. That also means its anonymity set is every user, not the few who opt into a privacy feature. In the 2017 bull market it peaked near $480.
Zcash (ZEC), the academic compliance pioneer. Launched in 2016 by the Zcash company (today's Electric Coin Company), it uses zk-SNARK zero-knowledge proofs, then the most sophisticated privacy construction in cryptography. It offers both transparent addresses and shielded addresses (z-addresses) for users to choose between, and provides viewing keys so that an auditor can be shown transactions. Liquidity was extremely thin at launch in 2016, and the price was briefly distorted to roughly $5,900; in the proper 2017 bull market it topped out around $744.
Dash, a project whose very name has been scrubbed of its identity. It started as XCoin, became Darkcoin, and in 2015 became Dash, short for "digital cash". Its privacy feature, PrivateSend, is essentially on-chain coin mixing (CoinJoin). It is the weakest of the three and takes the payments-pragmatism route.
After the 2017 surge the regulatory winter came fast, though not overnight. Japan moved first: in January 2018 the Japanese exchange Coincheck suffered what was then the largest exchange hack in history, and the authorities promptly required exchanges nationwide to delist privacy coins on AML grounds. South Korea followed, and in 2019 OKEx Korea delisted XMR, DASH and ZEC. Australia joined in 2020. But the truly global wave of delistings only peaked after the EU's MiCA regulation advanced. In 2024 nearly 60 exchanges worldwide delisted privacy coins, the most ever. OKX delisted XMR in January 2024, Binance announced a global delisting in February 2024, and Kraken removed it for Ireland and Belgium in April 2024, extending that to the whole European Economic Area in October of the same year. From 2018 to 2024, it took six years to close the net.
Then in the second half of 2025, the story took a turn.
The privacy narrative came back, institutional money entered, and the whole sector rallied together. Monero hit an all-time high approaching $800 on January 14, 2026. ZEC surged from a low of $16 to a high of about $744, a gain of more than 4,500%. Binance relaunched the ZEC/USDC perpetual, Grayscale filed for a ZEC ETF, and in January 2026 the SEC formally announced that it would take no enforcement action against the Zcash Foundation. Assets delisted en masse a year earlier were now welcomed back en masse.
Several details of this ZEC comeback deserve a second look. The actual share of shielded transactions did not rise with the price. Institutional disclosures lined up closely with price inflection points. The narrative behind institutional entry was "compliant privacy", not real demand for privacy. Call it a good thing and it is still a good thing; call it a performance and it is still a performance.
As for Dash, it still sells coffee in Latin America and occasionally serves as an example of a "regulator-friendly privacy coin". It is essentially a payments project; privacy is just a label from its history.
The old privacy coins built privacy into the currency itself. The new generation flipped the idea: make privacy a pluggable protocol layer that all of Web3 can use.
Behind this shift is the large-scale engineering of zero-knowledge proofs (zk-SNARKs/zk-STARKs) from around 2020 on: Ethereum's ZK-rollup ecosystem matured, proof generation went from minutes to seconds, and costs fell by several orders of magnitude. Fully homomorphic encryption (FHE) also began to move from pure theory toward deployability. Commercializing these technologies is what makes "privacy as a service" possible.
Aztec Network is the representative Ethereum privacy L2. With its own Noir privacy programming language and an efficient PLONK-based proof system, developers can write private lending, private DAOs and private NFTs on it, not just private transfers.
Railgun goes the other way: it adds a privacy layer to existing ERC-20s and NFTs directly on Ethereum, with no asset migration. In 2025 it introduced a mechanism to keep sanctioned addresses out of its privacy pool, which can be read as a proactive compliance gesture.
Namada and Penumbra each build a cross-chain privacy layer in the Cosmos ecosystem. The former supports shielded transfers of any asset type; the latter has built a cross-chain DEX that is private by default. Namada launched the first phase of its mainnet only in May 2026.
Midnight Network, incubated by the Cardano team, launched its mainnet in March 2026. Google Cloud and MoneyGram have already built on it. Its design philosophy is "programmable selective disclosure": privacy turns from a switch into finely controlled infrastructure, far friendlier to businesses and institutions than Monero.
Then there is Zama, the project whose contract was frozen by Circle in the incident that opened this article. Its technical route is fully homomorphic encryption (TFHE), which lets computation run directly on encrypted data with no decryption at any step. The technology is not the problem. The problem is that it applied that technology to a contract wrapping a centralized stablecoin that depends on Circle, and then got a lesson from a court order.
There is also Interfold, a coercion-resistant voting protocol (CRISP) that combines zk-SNARKs, FHE and distributed threshold cryptography. It launched in May 2026 and has been publicly recommended by Vitalik Buterin.
The overall trend in the new generation of privacy protocols is a move from "absolute anonymity" to "programmable selective privacy". Regulators are growing friendlier, but the share of users who actually use the privacy features has not grown in step.
2013 was a strange year: the same year a paper showed that Bitcoin's privacy was an illusion, Snowden showed that surveillance was far larger than anyone had imagined. Together these two events form the foundation of Web3's privacy narrative (the post-Snowden internet).
Web2 privacy rests on platform self-restraint: you trust Google not to sell your search history to your employer and trust WeChat not to hand chat logs to third parties, even though technically they could at any moment. This is contractual privacy, built on terms of service and regulatory deterrence; in essence, trust outsourced to institutions. Web3 proponents offer a different proposition: replace trust with cryptography, and the platform's ethical commitments with verifiable mathematical ones. An encrypted on-chain transaction is not "the bank says it won't leak"; it is "mathematically unreadable". That is a difference at the architectural level, not the product-design level.
But cryptography only protects the part that is chosen to be protected.
There is a counter-intuitive dilemma here, the anonymity-set paradox. The real strength of privacy protection does not depend on how good the encryption algorithm is, but on how many people use the feature at the same time. ZEC's shielded addresses are used by only a minority of users; even at the price peak in 2026 the share of shielded transactions was nowhere near a majority. So on chain, "I chose to use a shielded address" is itself a visible signal: the content is encrypted, the intention is exposed. A single masked person in a crowd stands out far more than anyone in a crowd where everyone is masked. Monero solves this with mandatory privacy: every transaction is hidden, so nobody can narrow the candidates by the fact that "he used the privacy feature". This is XMR's most thorough design decision in privacy philosophy, and it is precisely why exchanges worldwide delisted it together: regulators cannot tolerate an asset that has no transparent mode at all.
The new generation's "programmable selective privacy" tries a middle path: hidden by default, proven when needed, with the user controlling the granularity of disclosure. This is smart engineering and pragmatic regulatory gamesmanship. But it faces the same structural contradiction: flexibility and anonymity sets trade off against each other. The more people choose "transparent mode" and the fewer remain in the "privacy pool", the more conspicuous those who remain become. In the extreme, selective privacy degenerates into a signal: "I have the privacy feature on, so I have something worth hiding." That is not a failure of cryptography; it is the logic of human behaviour.
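The anonymity-set point can be made quantitative at the edges of an opt-in pool. Below is an added example written for this article (not code from Zcash or any other protocol named here) that models a generic shielded pool with transparent deposits and withdrawals: the observer sees nothing inside the pool, but matches each withdrawal to the deposits of the same amount net of fee within a lookback window. The fee, the window and all transactions are constructed assumptions. The sparse pool, where each user brings a distinctive amount, links every withdrawal to exactly one depositor; the dense pool, where users all move the same denomination, leaves six candidates per withdrawal, except for the one user who insisted on an odd amount.

```python
"""Amount and timing correlation at the edges of an opt-in shielded pool.

Added example written for this article, not code from Zcash or any other
protocol mentioned here. Model: a user moves coins from a transparent
address into the pool, then withdraws to a fresh transparent address.
Inside the pool the observer sees nothing; at the edges it sees every
deposit and withdrawal. All transactions below are constructed.
"""

FEE = 0.0001      # assumed flat withdrawal fee
WINDOW = 3600     # assumed lookback, in seconds, for matching a deposit


def link_withdrawals(deposits, withdrawals, fee=FEE, window=WINDOW):
    """For each withdrawal, the deposits that could have funded it: same
    amount net of fee, made within `window` seconds before. The size of
    that set is the withdrawal's effective anonymity set."""
    links = {}
    for w in withdrawals:
        links[w["addr"]] = {
            d["addr"] for d in deposits
            if abs(d["amount"] - fee - w["amount"]) < 1e-9
            and 0 < w["t"] - d["t"] <= window
        }
    return links


def anonymity_sets(deposits, withdrawals):
    """Withdrawal address -> number of deposits it could be linked to."""
    return {addr: len(c) for addr, c in link_withdrawals(deposits, withdrawals).items()}


# Sparse pool: three users, each with a distinctive amount (constructed).
SPARSE_DEPOSITS = [
    {"addr": "t_alice", "amount": 1.2345, "t": 0},
    {"addr": "t_bob",   "amount": 0.5000, "t": 120},
    {"addr": "t_carol", "amount": 7.0000, "t": 300},
]
SPARSE_WITHDRAWALS = [
    {"addr": "t_x1", "amount": 1.2344, "t": 900},
    {"addr": "t_x2", "amount": 0.4999, "t": 1500},
    {"addr": "t_x3", "amount": 6.9999, "t": 2000},
]

# Dense pool: six users all deposit the same denomination within minutes,
# plus one user (dave) who insists on an odd amount (constructed).
DENSE_DEPOSITS = [{"addr": f"t_u{i}", "amount": 1.0, "t": 60 * i} for i in range(6)] + [
    {"addr": "t_dave", "amount": 2.75, "t": 400}
]
DENSE_WITHDRAWALS = [{"addr": f"t_y{i}", "amount": 0.9999, "t": 1000 + 100 * i} for i in range(6)] + [
    {"addr": "t_y_dave", "amount": 2.7499, "t": 1800}
]

if __name__ == "__main__":
    print("sparse:", anonymity_sets(SPARSE_DEPOSITS, SPARSE_WITHDRAWALS))
    print("dense: ", anonymity_sets(DENSE_DEPOSITS, DENSE_WITHDRAWALS))
```

The cryptography is identical in both pools; only the number of people using it the same way changes. Note also that a fixed denomination is what makes the dense pool work, and an unusual amount is a fingerprint regardless of how many others are in the pool.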
Let me begin with a fact that is rarely taken seriously: a blockchain is inherently a public ledger. Every transaction is permanently on chain, globally searchable and technically undeletable. Holding a wallet address means every one of its receipts and payments (amount, time, counterparty) can be traced in full by anyone with a block explorer. An ordinary user buys a coffee from an on-chain address; the moment that address is linked to a real identity, years of financial history become public. For well-funded addresses this is a standing security threat: whale positions are visible in real time, and every large inflow or outflow triggers tracking and copy-trading. Maxim Ermilov of Overnight Finance said in an interview that he moved funds into Zama's confidential contract in order to "keep the public from seeing the balance and reduce personal security risk", because kidnappings are common in the crypto community. That is not an extreme reason; it is the reality of holding on-chain assets in 2026.
Yet when this demand for privacy is put into practice it often goes in another direction, and turns into not caring very much at all.
Governance voting. The original intent of anonymous voting in DAOs is sound: prevent vote buying and whale pressure. But there is a paradox of scale. In large DAOs, delegates actively disclose their voting intentions to build influence, and influence converts directly into money; for them transparency is an asset, not a burden. More interesting still, large holders publicly stake out positions before a vote to steer sentiment, wait for retail to follow, and then run their plays in the market. In small DAOs or internal organizational votes the situation reverses: votes at that scale do not need an on-chain privacy protocol at all and can be handled by a trusted TEE black box or off-chain multi-party computation. There is no economic case for deploying FHE contracts for that. Interfold's coercion-resistant voting protocol (CRISP) tries to cryptographically rule out early leaks of the result, but will it stop someone from tweeting "I'm voting no" before the vote is cast? Privacy is protected by ciphertext, not by mouths.
Dark pool trading. The ideal of an on-chain dark pool is to keep large orders from being front-run and strategies from being exposed. Yet the fully transparent design of an open on-chain perpetuals DEX such as Hyperliquid has an entirely different effect: every position, entry price, leverage level and unrealized P&L can be checked in real time, forming a natural social layer in which top traders' positions become anchors of market sentiment. Disclosing a large long or short triggers copy-trades and discussion, and the traffic and narrative in turn amplify the trader's influence. Transparency here is not a weakness; it is advertising. Dark pools protect the side that does not want to be seen, but an open ledger is sometimes the more powerful weapon.
Wallet as resume and credential. Many Web3 recruiters now suggest on-chain records for background checks: which projects you took part in, whether you have rug-pulled or been rug-pulled, and your governance voting record. More and more protocols ask for a wallet address as proof of transaction history when inviting users. This public on-chain history has become a substitute for credit. But when you hand over a wallet address you hand over not just a professional resume but your whole financial life: asset size, entry timing, failed trades, even what hours you operate each day and how your mood swings. An ENS name binds on-chain history to off-chain identity, and that binding is permanent and irrevocable. Zero-knowledge proofs can in theory express "I prove that I have more than …" without exposing anything else, but that is exactly what a background check cannot use, because "untraceability" is ZK's design goal. There is no short-term technical resolution of this contradiction.
Anonymous attacks. This is the aspect least often discussed head-on. MEV bots use anonymous contracts to eat price differences, hackers launder loot through mixers, and darknet markets settle in Monero. Roman Storm, the Tornado Cash developer, was prosecuted by the U.S. Department of Justice not for stealing money but for writing code that let others move money anonymously. Regulators have never believed that "the tool is not guilty". There is a subtler method too: the Sybil attack. An attacker creates a large number of wallets early in a project's life, keeps each one's interaction frequency and fund flows looking normal, cultivates a batch of accounts with a "normal history" on chain, and harvests them in bulk at the airdrop snapshot. Even though these addresses are not anonymous, they are nearly indistinguishable from real users, because they are built to imitate real users. Here the blockchain's pseudonymity is not privacy protection; it is attack infrastructure.
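What "nearly indistinguishable" means in practice, and where it breaks down, is worth seeing in code. The following is an added example written for this article (not any project's Sybil filter); every wallet and event in it is constructed. Each farm wallet looks like an ordinary user on its own. Grouping by first funder alone flags them, but also flags three genuine users who happen to have been funded by the same exchange hot wallet. Grouping by funder plus a behavioural fingerprint (the ordered action sequence and the coarsened gaps between actions) isolates the farm, because five accounts running the same script on a 600-second timer is something real users do not do.

```python
"""Separating an airdrop Sybil farm from real users by behaviour.

Added example written for this article; it is not any project's Sybil
filter and every wallet and event below is constructed. The farm wallets
each look ordinary on their own. What gives them away is the combination
of a shared funding source and an identical interaction script run on a
fixed timer.
"""
from collections import defaultdict

# wallet -> (address that first funded it, [(timestamp, action), ...]); constructed
WALLETS = {
    # five farm wallets: same funder, same four actions 600 s apart, staggered by a few seconds
    **{f"0xfa0{i}": ("0xfund", [(t + 7 * i, a) for t, a in
                                ((100, "swap"), (700, "stake"), (1300, "vote"), (1900, "swap"))])
       for i in range(1, 6)},
    # three genuine users who also share a funder (an exchange hot wallet)
    "0xreal1": ("0xcexhot", [(50, "swap"), (4000, "vote"), (9000, "swap")]),
    "0xreal2": ("0xcexhot", [(3000, "stake"), (3100, "swap"), (20000, "vote"), (21000, "swap")]),
    "0xreal3": ("0xcexhot", [(200, "swap"), (8000, "swap")]),
}


def fingerprint(events, bucket=60):
    """Behavioural fingerprint: the ordered action sequence plus the gaps
    between actions, coarsened to `bucket` seconds so that small jitter
    does not break the match. Bucket size is an assumed tuning parameter."""
    times = [t for t, _ in events]
    actions = tuple(a for _, a in events)
    gaps = tuple(round((b - a) / bucket) for a, b in zip(times, times[1:]))
    return actions, gaps


def funder_groups(wallets, min_size=3):
    """Naive filter: wallets sharing a first funder. Flags exchange customers too."""
    groups = defaultdict(list)
    for w, (funder, _) in wallets.items():
        groups[funder].append(w)
    return {f: sorted(ws) for f, ws in groups.items() if len(ws) >= min_size}


def sybil_clusters(wallets, min_size=3):
    """Flag groups that share BOTH a funder and a behavioural fingerprint."""
    groups = defaultdict(list)
    for w, (funder, events) in wallets.items():
        groups[(funder, fingerprint(events))].append(w)
    return [sorted(ws) for ws in groups.values() if len(ws) >= min_size]


if __name__ == "__main__":
    print("by funder only:", funder_groups(WALLETS))
    print("funder + behaviour:", sybil_clusters(WALLETS))
```

The lesson cuts both ways: the farm is caught by correlation across accounts, not by anything visible in one account, and the same correlation is what a real user cannot opt out of when they share an on-ramp with strangers.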
These paradoxes have a common structure: people call for privacy when they need privacy to protect themselves, and embrace transparency when they can use transparency to attack others. Privacy and transparency are never two philosophical positions, but two strategic tools, switched according to scenarios.
Privacy is often discussed in the crypto community as a technical issue: the cryptography is not strong enough, the protocol design is not good enough, the anonymity set is too small, and the data on the chain is too transparent. This diagnosis is not wrong, but it only tells half the story.
The new generation of protocols is already seriously answering the question "What can technology do?" and the answer given is much more pragmatic than the 2017 batch of projects.
Private settlement and enterprise payments are the direction closest to deployment. Companies do not want competitors reading their supplier relationships, funding scale and settlement rhythm off on-chain records. SWIFT messages and bank accounts in traditional finance are confidential by default; if on-chain settlement wants to replace them, it must offer the same confidentiality. FHE and ZK payment layers are pushing into this space. Zama's accident shows that the direction is right, but the underlying rails still rest on centralized stablecoins.
Institution-grade auditable privacy is another direction with real buyers. Traditional financial institutions do not need total opacity; they need "visible only to those who should see": the auditor checks the books through a viewing key, the supervisor obtains decryption rights only under judicial process, and everything stays encrypted to the outside world. Canton Network, Aztec, Midnight and others are all heading this way, with far higher enterprise adoption than fully opaque systems. The end point of this logic is to turn "compliance" from the opposite of privacy into a built-in feature of privacy protocols.
On-chain identity and credentials are the most direct outlet for selective disclosure: use ZK to prove "I am an accredited investor" without revealing net worth, prove "I passed KYC" without submitting the passport scan, and prove "my funds are not from a sanctions list" without disclosing full transaction history. This is the path regulators are most willing to accept, and it is currently the most crowded battlefield among Web3 identity protocols.
Hybrid privacy architecture is the realistic engineering choice. No single technology satisfies speed, trust minimization and flexibility at once: ZK proof generation is still costly, FHE remains expensive for general computation, and TEE security rests on trusting the hardware vendor. After 2025, ZK+TEE and ZK+MPC hybrids began to go mainstream: the TEE handles real-time computation, ZK supplies verifiable proofs, and MPC splits keys to avoid single points of failure. Projects such as Mind Network and Nillion are pushing this combination into production; it is more a product of engineering compromise than cryptography's holy grail.
But the Zama incident shows one more thing: however powerful fully homomorphic encryption is, a contract that depends on a centralized stablecoin gets frozen by a court's temporary restraining order, and cryptography has nothing to say about it. Zcash's Orchard vulnerability shows another: a zero-knowledge circuit carried a fatal flaw for nearly four years, and no on-chain analysis can establish whether it was exploited. That is precisely a side effect of the "privacy" feature: you protect honest users and also protect attackers who may already have committed crimes.
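The mechanics of "reveal one claim, keep the rest sealed" do not require a SNARK to see. Below is an added example written for this article (not code from any credential or identity protocol named here) using the simpler commitment-based construction: the issuer salts and commits to each attribute separately, signs only the Merkle root, and the holder opens just the leaves a verifier asks for. The issuer "signature" is an HMAC under a key the verifier is assumed to share, standing in for a public-key signature; the credential contents are constructed. Note how the "accredited" predicate is attested by the issuer as its own attribute, so the holder never opens "net worth" at all; proving a numeric threshold directly over the hidden value is the part that does need a zero-knowledge range proof, which this scheme does not provide.

```python
"""Selective disclosure with per-attribute commitments and a signed root.

Added example written for this article, not code from any credential or
identity protocol mentioned in it. It is the commitment-based stand-in
for the zk-SNARK flow the text describes: the issuer commits to each
attribute separately under its own salt and signs only the Merkle root,
and the holder reveals just the leaves a verifier needs. The issuer
'signature' is an HMAC with a key the verifier is assumed to share; a
real deployment would use a public-key signature. Credential data below
is constructed.
"""
import hashlib
import hmac
import json
import os

ISSUER_KEY = b"demo-issuer-key"      # assumed shared key standing in for a signing key


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def commit(name: str, value, salt: bytes) -> bytes:
    """Hiding commitment to one attribute; without the salt a verifier
    cannot brute-force small value spaces such as booleans."""
    return h(salt, name.encode(), json.dumps(value, sort_keys=True).encode())


def build_tree(leaves):
    """All levels of a binary Merkle tree, duplicating the last node of odd levels."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def merkle_proof(levels, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    proof = []
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        sibling = index ^ 1
        proof.append((lvl[sibling], sibling < index))   # (hash, sibling_is_left)
        index //= 2
    return proof


def verify_proof(leaf, proof, root):
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    return node == root


def issue(attributes: dict) -> dict:
    """Issuer side: salt and commit every attribute, sign the root."""
    names = sorted(attributes)
    salts = {n: os.urandom(16) for n in names}
    root = build_tree([commit(n, attributes[n], salts[n]) for n in names])[-1][0]
    sig = hmac.new(ISSUER_KEY, root, "sha256").digest()
    return {"names": names, "attributes": attributes, "salts": salts, "root": root, "sig": sig}


def present(cred: dict, reveal) -> dict:
    """Holder side: open only the requested attributes, with their Merkle paths."""
    levels = build_tree([commit(n, cred["attributes"][n], cred["salts"][n]) for n in cred["names"]])
    disclosed = {}
    for n in reveal:
        i = cred["names"].index(n)
        disclosed[n] = {"value": cred["attributes"][n], "salt": cred["salts"][n],
                        "proof": merkle_proof(levels, i)}
    return {"root": cred["root"], "sig": cred["sig"], "disclosed": disclosed}


def verify(presentation: dict):
    """Verifier side: check the issuer's signature on the root, then each opened leaf.
    Returns the disclosed attributes, or None if anything fails."""
    root, sig = presentation["root"], presentation["sig"]
    expected = hmac.new(ISSUER_KEY, root, "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return None
    out = {}
    for n, d in presentation["disclosed"].items():
        if not verify_proof(commit(n, d["value"], d["salt"]), d["proof"], root):
            return None
        out[n] = d["value"]
    return out


# Constructed credential: the issuer attests to the predicate "accredited"
# as its own attribute, so the holder never has to reveal net worth.
CREDENTIAL = issue({"kyc_passed": True, "accredited": True,
                    "full_name": "Jane Example", "net_worth_usd": 3_200_000})

if __name__ == "__main__":
    print(verify(present(CREDENTIAL, ["kyc_passed", "accredited"])))
```

The verifier learns two booleans and nothing about the name or the balance, and any edit to an opened value or to the signed root fails verification. The anonymity-set caveat from earlier still applies: the act of presenting a credential is itself visible to whoever receives it.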
The real issue of privacy is never just a technical issue, but who demands privacy from whom, when, and why.
What Bitcoin originally set out to do was let two people transfer value without relying on a third party, and without the process being watched. There is nothing wrong with the goal itself. But once that goal meets real society, it inevitably collides with AML, KYC, tax reporting, jurisdiction and asset freezes. No amount of cryptography lets you stay anonymous while also holding the "compliance" card.
"Selective disclosure" and "programmable compliance" are currently the most pragmatic directions, but they mean that the ceiling on "privacy rights" in the real world depends on how much your jurisdiction is willing to concede. Cryptography gives you a lock; the law has the final say on whose door the lock goes on, and in which country that door opens.
The crypto community has a peculiar creed: Code is Law. But on the day the code is frozen by a court, the law is still the law, and the code is just code.
In 2009, Satoshi Nakamoto created a tool that let people transfer value without being watched.
In 2013, a paper showed that this tool's privacy was an illusion. The same year, Snowden told the world that surveillance was far greater than anyone had imagined.
In 2017, a batch of projects took the stage selling "true privacy". In 2018, Japan was the first to pull them from exchanges; the regulatory tightening started in Asia and took six years to spread worldwide.
In 2025, the same batch of projects reappeared under the new narrative of "compliant privacy", with prices up dozens of times.
In June 2026, a privacy protocol built on fully homomorphic encryption had all of its users' assets frozen by court order, and a privacy coin built on zero-knowledge proofs discovered that its privacy pool might hide a crime that can never be verified.
This is not failure; this is teaching material. Privacy, in any system, is not a problem that gets solved once and for all. It is an ongoing game: between technology and power, between individuals and institutions, between "I don't want you to see it" and "I have to let you see it".
The crypto community now has good enough cryptographic tools, increasingly mature engineering, and far smarter regulatory strategies than it had in 2017.
What is missing is just a little more honesty about the question "Why do we need privacy?"