The pain of encryption and privacy: everyone thinks it is important, but actually doesn't care as much.

Privacy, in any system, is not a problem that can be solved once and for all; it is a continuous game.

Written by: Fortune

Origin

At the beginning of June 2026, two events collided, like a live demonstration prepared by the crypto community specifically for the topic of "privacy."

One was the revelation that Zcash's (ZEC) Orchard shielded pool had carried a zero-knowledge proof circuit vulnerability for nearly four years, one that in theory allowed an attacker to double-spend shielded ZEC without limit. The most damaging aspect was not the vulnerability itself but that no one could prove whether anyone had quietly exploited it during those four years. An emergency patch (NU6.2) shipped within 48 hours, and on-chain analysis found no sign of actual exploitation, but "unable to prove it did not happen" was already enough to wreck the narrative. Once the news broke, Arthur Hayes publicly liquidated his holdings, and ZEC fell by about fifty percent within 48 hours. Every public move this person makes has most likely been preceded by whatever it needed to accomplish.

The other was Circle's freezing of the Zama protocol's cUSDC contract on the basis of a temporary restraining order (TRO) from a U.S. federal court, involving roughly 12.6 million dollars. The starting point was a governance dispute at another project, Overnight Finance: the disputed funds were moved into Zama's confidential wrapper contract to evade tracking, and on receiving the order Circle simply blacklisted the entire contract address. Zama received no prior notice, and innocent users' funds were locked along with the rest, because cUSDC is a pooled structure in which everyone's money sits at the same address. Zama's core technology is fully homomorphic encryption (FHE), which allows computation on ciphertext without ever decrypting it, one of the most cutting-edge privacy technologies available today. It was frozen outright by a court order all the same. Cryptography can outwit mathematics, but the law does not need to decrypt anything.

These two events point to a larger issue. This article begins with Bitcoin's original privacy design, traces the rise and fall of the three major legacy privacy coins, moves on to the flourishing of a new generation of privacy protocols, and finally ends somewhere rarely discussed openly: how privacy is wielded as a weapon in practice, and how it is countered.

Bitcoin is Actually a Love Letter to Privacy

In 2008, Satoshi Nakamoto released a white paper that addressed two intertwined problems from the start: financial independence and privacy, in the sense of anonymity.

Financial independence is straightforward: no reliance on banks, no reliance on governments; value is transferred directly between two people. In the tenth section of the white paper he specifically discussed privacy, offering a design that was clever at the time: public key anonymity. A Bitcoin address is the hash of a public key and carries no real-world identity information. Anyone can see "how much moved from one address to another," but not who stands behind those addresses. He also suggested using a brand-new address for every transaction and discarding the old one after use. The UTXO model itself adds a little natural privacy: a change output looks exactly like a payment output on-chain, so in theory an outsider cannot tell which output went to someone else and which was change returned to the sender.

This design has a core implicit logic: protecting the individual by expanding the anonymity set. The larger the anonymity set, the higher the cost of tracking an individual address. The early Bitcoin community was infused with a hacker romance: using digital identities instead of real ones, cryptography replacing trust, and peer-to-peer networks standing in for banks. People believed that Bitcoin was "untraceable."

Then, in 2013, this belief was punctured by a paper. Sarah Meiklejohn of UC San Diego published "A Fistful of Bitcoins," combining two heuristics: the multi-input heuristic (all addresses used as inputs to a single transaction belong to the same owner) and the change-address heuristic (change amounts are rarely round numbers, and change addresses are usually addresses that have never appeared before). With these she tagged more than 1000 address clusters belonging to known entities, proving that even strict adherence to "a new address for every transaction" still allows on-chain activity to be fully reconstructed: the anonymity set collapsed in the face of statistical techniques. This paper directly gave rise to Chainalysis and Elliptic, and it later won the Test of Time Award at the 2024 ACM Internet Measurement Conference, recognized as foundational work in blockchain forensics.
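As an added illustration of those two heuristics (this is example code, not the paper's tooling or anything from the article), here is a small Python clustering pass over a constructed toy ledger in which "Alice" (the A* addresses) dutifully uses a fresh address for every transaction; every address, amount and transaction id is made up.

```python
"""Address clustering with the multi-input and change-address heuristics.
Added example over a constructed toy ledger; not real chain data."""
from collections import defaultdict

SATS = 100_000_000  # satoshis per BTC

# Constructed sample ledger.  A* = Alice, who uses a new address per tx;
# M* = merchants; B* = Bob.  Each entry is
# (txid, input addresses, [(output address, amount in satoshis)]).
TXS = [
    ("tx1", ["A1", "A2"], [("M1", 1 * SATS), ("A3", 37_291_000)]),
    ("tx2", ["A3"],       [("M2", 20_000_000), ("A4", 16_934_000)]),
    ("tx3", ["A4", "A5"], [("M1", 50_000_000), ("A6", 2_171_000)]),
    ("tx4", ["B1"],       [("A7", 2 * SATS), ("B2", 41_312_000)]),
]


class UnionFind:
    """Disjoint-set forest used to merge addresses into owner clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def is_round(sats):
    """Treat multiples of 0.1 BTC as 'round' payment amounts."""
    return sats % 10_000_000 == 0


def guess_change(outputs, seen):
    """Change heuristic: the single output paid to a never-seen address with a
    non-round amount.  Returns None when there is no unique candidate."""
    cands = [a for a, amt in outputs if a not in seen and not is_round(amt)]
    return cands[0] if len(cands) == 1 else None


def cluster(txs, use_change=True):
    """Return the set of address clusters (frozensets) implied by the ledger."""
    uf, seen = UnionFind(), set()
    for _, inputs, outputs in txs:
        # Multi-input heuristic: every input of one tx was signed by one owner.
        for addr in inputs:
            uf.union(inputs[0], addr)
        if use_change:
            change = guess_change(outputs, seen)
            if change is not None:
                uf.union(inputs[0], change)  # fold the change back to the spender
        for addr, _ in outputs:
            uf.find(addr)  # register so unlinked outputs show up as singletons
        seen.update(inputs)
        seen.update(a for a, _ in outputs)
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}


if __name__ == "__main__":
    for label, clusters in (("both heuristics", cluster(TXS)),
                            ("multi-input only", cluster(TXS, use_change=False))):
        print(label, sorted(sorted(c) for c in clusters))
```

With both heuristics Alice's six spending addresses collapse into one cluster despite never being reused; only A7, a receiving address she has not spent yet, stays unlinked until she spends it together with another of her coins.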

Bitcoin has never been anonymous; it is pseudonymous. The difference between these two terms is like the difference between someone wearing a mask and someone without a face at all.

The Golden Era and Twilight of the Three Old Giants

After the myth of Bitcoin's privacy was punctured, the market needed true privacy coins. Around 2017, three projects took the stage with different approaches.

Monero (XMR), the privacy fundamentalist. Launched in 2014, it relies on a three-part toolkit: ring signatures to conceal the sender, stealth addresses to hide the receiver, and RingCT to hide amounts. Most importantly, Monero has no "transparent mode": every transaction is fully hidden by default, with no options and no compromises. This also means its anonymity set is the entire user base rather than the minority who opt into privacy features. It peaked close to 480 dollars during the 2017 bull market.

Zcash (ZEC), the academic pioneer of compliance. Launched by the Zcash Foundation in 2016, it uses zk-SNARK zero-knowledge proofs, in theory the most sophisticated privacy design of its day. It offers both transparent addresses and shielded addresses (z-addresses) so users can choose, and it provides viewing keys with which transactions can be disclosed to auditors. ZEC had extremely thin liquidity when it first went live in 2016 and briefly spiked to an unrealistic 5900 dollars or so; in the proper 2017 bull market it reached a high of about 744 dollars.

Dash, a project that started blurring its identity from its name. Initially called XCoin, later renamed Darkcoin, and in 2015 renamed Dash, which stands for "digital cash." Its privacy feature, PrivateSend, is essentially an on-chain mixer, the weakest among the three, taking a utilitarian approach to payments.

After the massive surge in 2017, the regulatory winter came swiftly, though not overnight. Japan acted first: in 2018 the Japanese exchange Coincheck suffered the largest hack in history, and the authorities responded by asking every exchange in the country to delist privacy coins under the banner of AML. South Korea followed, with OKEx Korea delisting XMR, DASH and ZEC in 2019. Australia joined in 2020. But the true global wave of delistings did not peak until the EU's MiCA regulation began to advance: by 2024 nearly 60 exchanges worldwide had delisted privacy coins, the most in history. Binance announced a global delisting of XMR in February 2024, OKX did the same in January 2024, and Kraken delisted in Ireland and Belgium in April 2024 before extending the ban to the entire European Economic Area that October. From 2018 to 2024, this was a net that took six years to close.

Then, in the second half of 2025, the story took a turn.

The narrative for privacy returned, institutional funds entered the game, and the entire sector rebounded collectively. Monero set a historical high on January 14, 2026, nearing 800 dollars. ZEC surged from a low of 16 dollars to a peak of about 744 dollars, an increase of over four thousand five hundred percent. Binance re-listed the ZEC/USDC perpetual contract, Grayscale submitted an application for a ZEC ETF, and the SEC officially announced in January 2026 that it would take no enforcement action against the Zcash Foundation. What had been collectively delisted a year ago was now collectively welcomed back.

There are a few details worth noting about this round of ZEC's return. The actual use ratio of shielded transactions did not rise in parallel with prices, and the institutional disclosure actions were highly correlated with price points; the narrative for institutional entry was "compliant privacy" rather than a true demand for privacy. One might argue it's a positive development, but it can also be considered simply a performance.

As for Dash, it is still selling coffee in Latin America and is occasionally used as a case of a "regulation-friendly privacy coin," but in essence, it has already become a payment project, with privacy merely a label in its history.

New Generation: Privacy has Shifted from Coin to Protocol (Infrastructure)

The logic of the old privacy coins was to embed privacy into the currency itself. The new generation's thinking has flipped this: making privacy a pluggable protocol layer that the entire Web3 can utilize.

This shift is backed by the large-scale engineering of zero-knowledge proofs (ZK-SNARKs / ZK-STARKs) around 2020: the maturity of Ethereum's ZK Rollup ecosystem has compressed proof generation speeds from minutes to seconds, reducing costs by several orders of magnitude. Fully homomorphic encryption (FHE) also began its transition from pure theory to deployable stages. The commercialization of these technologies has made "privacy as a service" possible.

Aztec Network is a representative of Ethereum's privacy L2, utilizing its self-developed Noir privacy programming language and efficient PLONK proof system, allowing developers to write privacy lending, privacy DAOs, and privacy NFTs, not just privacy transfers.

Railgun has taken another path: it adds a privacy layer directly to existing ERC-20 and NFT assets on Ethereum without needing to migrate assets. In 2025, it began introducing mechanisms to restrict sanctioned addresses from entering the privacy pool, which can be considered a proactive compliance stance.

Namada and Penumbra each build cross-chain privacy layers in the Cosmos ecosystem; the former supports shielded transfers of any type of asset, while the latter has created a cross-chain DEX with default privacy across the entire chain. Namada launched its mainnet's first phase in May 2026.

Midnight Network, a project incubated by the Cardano team, went live on the mainnet in March 2026, with Google Cloud and MoneyGram already developing on it. Its design philosophy is "programmable selective disclosure," transforming privacy from a binary switch into finely controlled infrastructure, making it far more friendly to enterprises and institutions than Monero.

Then there is Zama, the project frozen by Circle's order earlier in this article. Its technical route is fully homomorphic encryption (TFHE), which allows computation directly on encrypted data with no decryption anywhere in the process. The technology is sound; the problem is that it depends on a centralized stablecoin contract issued by Circle, and that dependency is exactly what the court order reached.

There is also a project called Interfold, which focuses on anti-coercion voting protocols (CRISP), layering ZK-SNARKs, FHE, and distributed threshold cryptography. Launched in May 2026, it received public endorsement from Vitalik Buterin.

The overall trend of the new generation of privacy protocols is moving from "absolute anonymity" to "programmable selective privacy." Regulatory friendliness is increasing, but the proportion of users genuinely employing privacy features has not proportionately risen.

The Dilemma of Anonymity Sets

2013 was a peculiar year: in the same year, a paper proved that Bitcoin's privacy was an illusion, while Snowden revealed the scale of surveillance was far greater than anyone had imagined. Together, these two events form the core foundation of the privacy narrative in Web3 (post-Snowden network).

Web2's privacy relies on platform self-regulation—you trust Google not to sell your search history to your employer, trust WeChat not to hand over chat records to third parties, even if they could at any time. This is a form of contractual privacy, built on service agreements and regulatory deterrents, essentially an outsourcing of trust in institutions. Proponents of Web3 put forth a different claim: replacing trust with cryptography, using verifiable mathematical commitments to substitute for the moral promises of platforms. An on-chain encrypted transaction is not "the bank said it wouldn't leak," but "mathematically it cannot be read." This represents a difference at the architectural level, not merely at the product design level.

However, what cryptography protects is only the portion that has chosen to be protected.

Here lies a counterintuitive dilemma, the anonymity set paradox. The actual strength of privacy protection does not depend on the quality of the encryption algorithm but on how many people are using the feature at the same time. ZEC's shielded addresses are used by only a minority of users; even at the 2026 price peak, shielded transactions had not reached a majority. This means that on-chain, "I chose to use a shielded address" is itself a visible signal: the content is encrypted, but the intent is exposed. One masked person in a crowd is far more conspicuous than an ordinary member of a crowd in which everyone is masked. Monero solved this with enforced privacy: every transaction is hidden, so no one can narrow the field of candidates from the fact that "he used a privacy feature." This is XMR's most thorough design decision in terms of privacy philosophy, and precisely the reason it was delisted by exchanges worldwide: regulators cannot tolerate an asset that inherently lacks a transparent mode.

The new generation's "programmable selective privacy" attempts to walk a middle path: hidden most of the time, able to be proven when needed, with user-controlled granularity of disclosure. This is clever from an engineering standpoint and practical in regulatory games. However, it consistently faces the same structural contradiction: flexibility and anonymity sets are inversely proportional. The more people choose "transparent mode," the fewer are in the "privacy pool," which makes those remaining in the privacy pool increasingly conspicuous. Selective privacy might degrade into a signal in extreme cases—"I turned on the privacy feature, so I have something worth hiding." This is not a failure of cryptography, but the logic of human behavior.

The Paradox of Scenarios

First, a fact that is rarely taken seriously: a blockchain is inherently a public ledger. Every transaction record is permanently on-chain, globally traceable, and technically impossible to delete. For anyone holding a wallet address, every expense and every receipt, including amounts, times and counterparties, can be fully traced by anyone with a block explorer. If an ordinary user buys a cup of coffee from an on-chain address and that address is ever linked to a real identity, their entire financial trajectory over the preceding years becomes public. For addresses holding considerable funds this is a continuous security threat: whale positions are visible in real time, and every significant inflow or outflow invites tracking and front-running. Maxim Ermilov of Overnight Finance said in an interview that he moved funds into Zama's confidential contracts to "prevent the public from seeing the balance and reduce personal security risk," because kidnappings in the crypto sphere are not rare. This is not an extreme reason; it reflects the reality faced by anyone holding on-chain assets in 2026.

However, once it is implemented, this demand for privacy often drifts in another direction and turns out to matter less than expected.

Governance Voting: The original intention of introducing anonymous voting in DAOs is good: to prevent bribery and pressure from whales. But there is a scale paradox here: in large DAOs, governance representatives actively disclose their voting intentions to accumulate influence, which can be directly exchanged for money—transparency is an asset for them, not a burden. Even more interestingly, large holders may express their stance before voting to guide sentiment and then engage in various trades in the market after retail investors follow suit. In small-scale DAOs or internal voting within organizations, the situation flips again—voting at this magnitude does not require the use of on-chain privacy protocols at all; a credible TEE black box or off-chain multi-party computation can solve it, and there’s no economic justification to deploy an FHE contract for this. Interfold’s anti-coercion voting protocol (CRISP) attempts to mathematically sever the possibility of voting results leaking beforehand—but can it prevent someone from tweeting, "I intend to vote against" before voting? Privacy protects the ciphertext, not the mouth.

Dark Pool Trading: The ideal of on-chain dark pools is to ensure large orders aren’t front-run and strategies are not exposed. However, entirely transparent on-chain perpetual DEXs like Hyperliquid create a radically different effect through their all-transparent design: all positions, entry prices, leverage, and unrealized gains/losses are visible in real-time, forming a natural social layer—top traders' positions become anchors of market sentiment; large long and short positions are publicly disclosed, triggering follow-ups and discussions, with traffic and narrative reinforcing their influence. Here, transparency is not a weakness; it is advertisement. What dark pools protect is what one does not want seen; however, the public ledger can sometimes be a more potent weapon.

Wallet as Resume and Proof: Many Web3 job opportunities now recommend using on-chain records for background checks—participation in various projects, any history of rug pulls, and governance voting participation rate. Increasingly, protocols require users to provide wallet addresses to substantiate transaction histories, making this public and traceable on-chain history a substitute for credit. However, by providing a wallet address, one is giving up not only their professional resume but their complete financial life: asset scale, entry times, failed trades, and daily operation patterns and emotional fluctuations. An ENS domain permanently binds on-chain history to off-chain identity, and this binding is irrevocable. Meanwhile, zero-knowledge proofs theoretically allow for proving "I have more than X in assets without disclosing how much or where they came from"—but financial institutions' AML/KYC requires not just that you have money, but that the source of your money is traceable. ZK proofs cannot satisfy this because "untraceable" is precisely its design goal. The contradiction between the two has no technical solution in the short term.

Anonymous Attacks: This is the aspect least talked about in a positive light. MEV bots use anonymous contracts to capture price differences, hackers use mixers to launder funds, and the dark web settles in Monero. Tornado Cash developer Roman Storm was prosecuted by the U.S. Department of Justice not because he stole funds but because he wrote code that let others move money anonymously. Regulators have never accepted that "tools are innocent." There is also a more covert method: Sybil attacks. Attackers create a large number of wallet addresses early in a project's life, each kept at normal interaction frequencies and cash flows, cultivating a group of "historically normal" accounts on-chain, and then harvest airdrop snapshots en masse. Even though these addresses are not anonymous, they can hardly be distinguished from real users, because simulating real users was their purpose from the start. Here the pseudonymity of the blockchain is not privacy protection; it is attack infrastructure.

These paradoxes share a common structure: people call for privacy protection when they need to protect themselves, while endorsing transparency when they can use it to attack others. Privacy and transparency have never been two philosophical stances; rather, they are two strategic tools that switch according to the scenario.

What Technology Can and Cannot Do

The crypto community often discusses privacy as a technical issue: cryptography isn’t strong enough, protocol design isn’t good enough, the anonymity set is too small, and on-chain data is too transparent. This diagnosis isn't wrong, but it only tells half the story.

The new generation of protocols is seriously addressing the question of "what technology can do," offering answers that are far more pragmatic than those from the 2017 projects.

Confidential Settlements and Corporate Payments are currently the most viable direction for deployment. Companies do not want competitors reading their supplier relationships, fund sizes and settlement rhythms off an on-chain record. SWIFT messages and bank accounts in traditional finance have always been confidential; if on-chain settlement is to replace them, it must offer equivalent confidentiality. FHE and ZK payment layers are moving into this scenario. Zama's incident only shows that the direction is not wrong; what is still lacking is an underlying infrastructure that does not rely on centralized stablecoins.

Institutional-Level Auditable Privacy is another direction with genuine buyers. Traditional financial institutions do not need complete opacity; they need "only allow the right people to see"—auditors check accounts via viewing keys, and regulators gain decryption rights only under legal proceedings while remaining encrypted to the outside. Projects such as Canton Network, Aztec, and Midnight are heading in this direction, with enterprise adoption rates far exceeding those of systems that are entirely opaque. The ultimate logic of this is to transform "compliance" from the opposite of privacy into an internal feature of privacy protocols.

On-chain Identity and Credentials are the most direct application for selective disclosure. Using ZK proofs to show "I am a qualified investor" without disclosing net assets, proving "I passed KYC" without submitting a passport copy, and showing "my funds do not come from sanction lists" without publicizing complete transaction histories. This is the path regulators are most willing to accept and currently the battleground for Web3 identity protocols.

Mixed Privacy Architectures are the pragmatic choice at the engineering level. No single technology satisfies speed, trust minimization and flexibility at once: ZK proof generation is still far from free, FHE's computation costs remain high in general-purpose scenarios, and TEE security assumptions rest on the trustworthiness of the hardware vendor. After 2025, mixed solutions such as ZK+TEE or ZK+MPC began to become mainstream: the TEE handles real-time computation, ZK supplies verifiable proof, and MPC distributes keys to avoid a single point of failure. Projects such as Mind Network and Nillion are pushing this combination into production; it is an engineering compromise rather than a cryptographic holy grail.

However, the Zama incident illustrates another point: no matter how powerful fully homomorphic encryption is, contracts dependent on centralized stablecoins being frozen by temporary court orders have nothing to do with cryptography. The Orchard vulnerability of Zcash revealed another point: a critical flaw in the zero-knowledge proof circuit for nearly four years, which could not be proven to have been exploited through any on-chain analysis—this is precisely the side effect brought about by the characteristic of "privacy." You protected honest users while also protecting potential attackers who may have already committed crimes.

The real problem with privacy is never just a technical problem, but rather who demands privacy from whom, when, and why.

Bitcoin originally set out to let two people transfer value without relying on a third party and without being monitored in the process. That goal is not problematic in itself. But it collides with things in real society such as AML, KYC, tax declarations, jurisdiction and asset freezes. No amount of cryptography will let you hold a "compliance" card while remaining anonymous.

"Selective disclosure" and "programmable compliance" are currently the most pragmatic directions—but they imply that the limits of "privacy rights" in the real world depend on how much your jurisdiction is willing to recognize. Cryptography gives you a lock, but which door it is installed on and what country the door opens onto is determined by law.

The crypto community harbors a unique belief: code is law. But the day code is frozen by the court, law remains law, and code is just code.

Conclusion

In 2009, Satoshi Nakamoto created a tool aimed at allowing people to transfer value without being monitored.

In 2013, a paper proved that the privacy of this tool was an illusion. In the same year, Snowden revealed to the world that the scale of surveillance was far greater than anyone had imagined.

In 2017, a batch of projects took the stage, promoting "true privacy." In 2018, Japan took the lead in delisting, and the regulatory net began its spread from Asia to the entire globe over six years.

In 2025, the same batch of projects re-emerged under the new narrative of "compliant privacy," with prices soaring many times over.

In June 2026, a privacy protocol that employed fully homomorphic encryption saw all its users' assets frozen by a court order; a privacy coin using zero-knowledge proofs discovered that its privacy pool might harbor an unproven crime.

This is not failure; this is a textbook case. Privacy, in any system, is not a problem that can be solved once and for all. It is a continual game: between technology and power, between individuals and institutions, between "I don’t want you to see" and "I must let you see."

The crypto community now has sufficiently good cryptographic tools, increasingly mature engineering implementations, and regulatory response strategies that are much smarter than those in 2017.

What is lacking is simply a bit more honesty regarding the question of "why privacy is needed."
