Threat Modeling¶
A threat model is a simple plan for thinking about privacy. It helps you answer three questions:
- What am I trying to protect?
- Who am I trying to protect it from?
- What trade-offs am I willing to make?
You do not need to hide from everyone in the world. You need to understand your own situation and choose tools that match it.
Privacy Is Personal
A journalist, a shop owner, a teenager saving sats, a public donation project, and a long-term holder all have different privacy needs.
The right privacy setup is the one that fits your real life, not the one that looks most extreme.
Why Threat Modeling Matters¶
Bitcoin privacy can feel overwhelming because there are many tools: CoinJoin, PayJoin, Stonewall, Lightning, Tor, BIP47, and Silent Payments.
A threat model helps you avoid two common mistakes:
- Doing too little because you do not know where to start
- Trying to do everything and making mistakes because the setup is too complex
Good privacy is built in layers. Start with the biggest risks first.
Step 1: What Are You Protecting?¶
First, decide what information you want to keep private.
-
Your Balance
You may not want others to know how much bitcoin you own.
-
Your Identity
You may not want your real name linked to your addresses or transactions.
-
Your Payments
You may not want others to know who you pay or who pays you.
-
Your Location
You may not want your IP address or physical location connected to your Bitcoin activity.
-
Your Business Activity
If you accept payments publicly, you may not want competitors or strangers to see your income.
-
Your Safety
If people know you own a lot of bitcoin, you may become a target for theft or coercion.
Step 2: Who Are You Protecting Against?¶
Different adversaries have different powers. You do not defend against all of them in the same way.
| Adversary | What they may see | Main defenses |
|---|---|---|
| A stranger using a block explorer | Public addresses and transactions | Avoid address reuse, use fresh addresses, use public receiving tools |
| A KYC exchange | Your identity, withdrawals, deposits | Avoid unnecessary KYC, separate KYC and non-KYC funds |
| A wallet server | Your IP address and queried addresses | Run your own node, use Tor |
| Chain analysis companies | Transaction graph patterns and heuristics | Use coin control, CoinJoin, PayJoin |
| A payment recipient | The UTXO you spent and sometimes your change | Use good coin control, PayJoin, Stonewall, or Lightning |
| A public observer of your donation page | All payments to a reused address | Use BIP47, Silent Payments, BOLT12, or fresh invoices |
You Cannot Defend Against What You Do Not Notice
Most Bitcoin privacy leaks happen quietly. You may not feel like anything went wrong when you reuse an address, consolidate UTXOs, or query your wallet through a third-party server.
The damage appears later when those links are combined.
Step 3: Choose Your Privacy Level¶
Most people fit into one of these levels.
This is for people who want better privacy without making Bitcoin difficult to use.
Do this:
- Use a non-custodial wallet like sparrow
- Never reuse addresses
- Label your UTXOs
- Do not mix KYC and non-KYC funds
- Ideally run your own node
- Use coin control before spending
This is for people who want stronger privacy and are willing to learn more.
Add this:
- Run your own node
- Use Tor for wallet connections
- Use BIP47 or Silent Payments for public receiving
- Use PayJoin when available
- Use CoinJoin before privacy-sensitive spending
- Learn post-mix best practices
This is for people with higher-risk situations or strong privacy requirements.
Add this only after understanding the basics:
- Separate wallets by identity and purpose
- Use dedicated privacy wallets
- Self-host more infrastructure
- Use CoinJoin with strict post-mix discipline
- Use collaborative spending tools when possible
- Avoid linking public identities, IP addresses, and on-chain activity
Step 4: Match Tools to Problems¶
Use the simplest tool that solves the problem you actually have.
| Problem | Tool to consider |
|---|---|
| You need to receive publicly | Public Receiving |
| You keep accidentally linking UTXOs | Coin Control |
| You want to break historical links | CoinJoin |
| You are spending to a competent business | PayJoin |
| You are spending post-mix | Post-Mix Best Practices |
| You need small payments | Lightning |
| You need help choosing | Privacy Tools Decision Tree |
Step 5: Think About Trade-Offs¶
Every privacy tool has trade-offs.
| Trade-off | What it means |
|---|---|
| Privacy vs convenience | Stronger privacy often requires more steps |
| Privacy vs fees | Some tools create larger or extra transactions |
| Privacy vs speed | Waiting can improve privacy, but slows you down |
| Privacy vs complexity | Complex setups can cause mistakes if you do not understand them |
| Privacy vs liquidity | Some tools need other users or available routing capacity |
Do Not Let Perfect Stop Good
You do not need perfect privacy to improve. Never reusing addresses, using coin control, and keeping funds separated already puts you ahead of most users.
Example Threat Models¶
Main risks:
- KYC exchange knows purchases
- Wallet leaks addresses to third-party servers
- Accidental UTXO consolidation
Good first steps:
- Move funds to a wallet you control
- Label UTXOs
- Avoid address reuse
- Connect to your own node when ready
Main risks:
- Reused donation address reveals all income
- Public funds get linked to private savings
- Donor activity becomes visible
Good first steps:
- Use BIP47, Silent Payments, BOLT12, or fresh invoices
- Keep donation funds in a separate wallet
- Label incoming payments
- Avoid sweeping everything into personal savings
Main risks:
- Recipient sees too much wallet history
- Change output is identified
- Post-mix UTXOs get consolidated
Good first steps:
- Use coin control
- Use PayJoin when available
- Use Stonewall if PayJoin is not available
- Spend post-mix UTXOs independently
Key Takeaways¶
- A threat model helps you choose the right privacy tools
- Start by deciding what you want to protect
- Identify who you are protecting it from
- Use the simplest tool that solves your real problem
- Strong privacy is built slowly, with good habits
What Comes Next¶
Now that you understand how to think about your own privacy needs, the next step is to understand UTXOs - the individual pieces of bitcoin your wallet spends.