The History of Coinjoins

Coinjoins make Bitcoin truly fungible. When were coinjoins first invented? With whom? What were the first coinjoin protocols like in the early days? Let's go down memory lane.
Hashcoin invents the Coinjoin technique
July 2nd 2011
In the early years of bitcoin, users often thought that the system was anonymous. This couldn't have been further from the truth, as most used single-address wallets before the introduction of HD (BIP32) wallets.

However, as early as 2011, some enthusiasts began to explore the idea of privacy on bitcoin. Or rather, the lack thereof. Custodial mixers made their appearance around this time, but the trust requirement made them an unviable solution.

On July 2nd 2011, the Bitcointalk user Hashcoin first described a coinjoin, a collaborative transaction to achieve privacy. At the time, blockchain analysts could easily infer that all inputs to a transaction were owned by the same entity.
Coinjoin Foundations Set by Gregory Maxwell
August 22 2013
On January 28 2013, Gregory Maxwell (a renowned and now retired bitcoin developer) posted on Bitcointalk.org an idea on how to break this heuristic. He suggested that the forum community join him in what he described as 'raw transaction fun' to break taint analysis. On March 8, 2013, Killerstorm proposed the use of Chaum blind signatures to protect users' privacy from the coordinator.

Later that year, Maxwell made the legendary post Coinjoin: Bitcoin privacy for the real world (Peter Todd coined the term), in which he introduced the foundations of the game-changing privacy technique. He mentions the need for same-denomination outputs, Tor or a similar anonymity network to obfuscate IP addresses, the use of coordinators and Chaum blind signatures, distributed coordinator markets, anonymity sets, and DoS protection.

He simply laid out the ideas and set up a developer bounty to make them a reality. This was easier said than done.
First Efforts and Why They Failed
2013-2014
It took only 4 days after Maxwell’s post for someone to try to claim the bounty with the first coinjoin coordinator implementation. In the months that followed, more projects were released with the goal of correctly implementing the coinjoin protocol: Bitprivacy, Sharedcoin, Coinmux, Darkwallet, CoinJumble and CoinShuffle.

They all had one thing in common: they failed to provide guaranteed privacy to the user. Different problems were identified: in some implementations it was difficult but possible to deanonymize coins, in others the incentive system wasn’t set up right and there was no liquidity, and finally in most of them the coordinators had full knowledge of the user's transaction data.
Joinmarket Launch
January 9th 2015
On that day, Chris Belcher announced Joinmarket to the world. It was the first non-broken implementation of a coinjoin protocol. The idea was simple: set the incentives right by creating a market of takers and makers, allowing the latter to earn a fee for providing liquidity. To learn more about how Joinmarket works, read our review here.

Joinmarket was a success. It attracted a lot of liquidity and users gained a lot of privacy from using it. However, it wasn't perfect: the inherent nature of the system made it difficult to use and created sybil attack risks (later solved by fidelity bonds), and the lack of blind coordination made participants aware of their peers' input and output linkages.
An Alternative To Coinjoins: Tumblebit
November 2016
In Tumblebit, introduced in late 2016, users create two fixed-amount payment channels to a Tumbler (coordinator) who can't steal their coins or deanonymize them. The coins are sent back to a user from the payment channels of other users. It takes a total of 4 transactions to complete, but you get a very high anonymity rate. The wallets Breeze and Hidden Wallet (now Wasabi Wallet) were the main clients to use this privacy technique.

Compared to the original version of Joinmarket, Tumblebit was theoretically presented as superior because it allowed you to get a very high anonymity set, the user experience was better, and the coordinator couldn't deanonymize you. However, the high liquidity requirements and lack of incentives made it extremely slow in practice (a few hours) and very expensive in fees. It had very few participants and as of 2023, every Tumbler service seems to have shut down.
Wasabi Wallet 1.0 Official Release
October 31st 2018
Wasabi Wallet changed the game. It provided an efficient alternative to Joinmarket for less technical users and a full zero-link coinjoin implementation. Like Tumblebit, there was no need to trust the central coordinator. Unlike Tumblebit, you could get anonymity very quickly and for a low fee.

Although it took a few years of R&D for Adam Ficsor to release Wasabi, once it was done it was an overnight success and attracted a lot of liquidity. Now that many of the problems inherent in the initial implementations had been solved, it was time to solve the remaining inherent caveats of the Zerolink protocol. Wasabi Wallet transactions created far too many toxic, non-private change outputs because the coinjoin output amounts were fixed.

Another team had an idea to address this, but it wasn't a real fix.
Whirlpool Release: Attempts to Address Toxic Change
June 25th 2019
On that day, the Samourai Wallet team added a coinjoin feature called Whirlpool, which implements the Zerolink protocol with one major change.

Instead of registering your non-private UTXOs as inputs in a coinjoin transaction and getting the excess change as a non-private output, a premixing transaction takes place beforehand. In it, you separate your excess change from the UTXOs to mix and from the coordinator fee. Subsequently, your UTXOs to mix form a coinjoin transaction that produces no toxic change outputs.

This alternative mechanism gives the impression that coinjoin transactions are fully efficient, but one must consider the entire experience from premixing to final mix to properly compare it to Wasabi. In the end, the non-private toxic change stays in your wallet, it's just segregated into a separate account.
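The two change-handling schemes compared above, as an added example that is not code from Wasabi, Samourai, or this page: a simplified model showing why change in a fixed-denomination round traces back to its input, and where that change ends up after a premix step. The denomination, fee values, sample UTXOs, and function names are all constructed assumptions, not real pool parameters.

```python
from collections import Counter

DENOM = 10_000_000  # assumed pool denomination in satoshis (constructed)
FEE = 1_000         # assumed mining-fee share per mixed output (constructed)

def fixed_denomination_join(inputs):
    """Every participant gets one DENOM output and the remainder as change,
    both inside the coinjoin transaction itself."""
    outputs = []
    for value in inputs:
        outputs += [DENOM, value - DENOM - FEE]
    return outputs

def linkable_change(inputs, outputs):
    """Map each non-DENOM output to the single input that explains it via
    input - DENOM - FEE; such an output has an anonymity set of one."""
    links = {}
    for out in outputs:
        owners = [i for i in inputs if out != DENOM and i - DENOM - FEE == out]
        if len(owners) == 1:
            links[out] = owners[0]
    return links

def premix(value, coordinator_fee):
    """Split one UTXO, before any coinjoin, into equal mixable outputs, the
    coordinator fee and the leftover change. Returns (mix_outputs, change)."""
    per_mix = DENOM + FEE  # each premix output pre-pays its own mix fee
    spendable = value - coordinator_fee - FEE  # FEE here pays for the premix tx
    if spendable < per_mix:
        raise ValueError("UTXO too small for this pool")
    count = spendable // per_mix
    return [per_mix] * count, spendable - count * per_mix

def mix_round(premix_outputs):
    """A round fed only by premix outputs: equal inputs, equal outputs."""
    return [v - FEE for v in premix_outputs]

# Constructed sample UTXOs from three participants, in satoshis.
INPUTS = [35_000_000, 52_000_000, 17_000_000]

if __name__ == "__main__":
    joined = fixed_denomination_join(INPUTS)
    print("outputs sharing each value:", dict(Counter(joined)))
    print("change traced to its input:", linkable_change(INPUTS, joined))
    mixes, change = premix(INPUTS[0], coordinator_fee=500_000)
    print("mix round outputs:", mix_round(mixes))
    print("change left in the premix transaction:", change)
```

In the model, the premix change never enters a coinjoin, but it is an output of a single-owner transaction and so remains tied to the original UTXO, which is the segregation the paragraph above describes.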

How does the WabiSabi protocol solve the problem of toxic change?
WabiSabi To The Rescue (Paper Release)
February 2021
From 2020, there were many open discussions on the development of a third-generation coinjoin protocol that would solve its predecessors' issues. Finally, Ádám Ficsór, Yuval Kogman, Lucas Ontivero, and István András Seres published the academic paper WabiSabi: Centrally Coordinated Coinjoins with Variable Amounts. By introducing cryptographic methods, the fixed coinjoin output limit was removed and it was now possible to decompose the total bitcoin into variable output amounts.

This massively reduced the occurrence of toxic change and made WabiSabi the most efficient coinjoin protocol ever invented.

It was time to get this innovation into the hands of users.
Wasabi Wallet 2.0 Released
June 15th 2022
Wasabi Wallet's initial user experience wasn't the best. You had to manually select your coins to mix and click on the queue for a coinjoin, and this had to be done for each coinjoin remix transaction. The Wasabi Wallet 2.0 release implemented the WabiSabi protocol and also improved the user experience by automating the coinjoin process.

Simply send bitcoin to your wallet and watch the magic happen without any effort. Once your anonymity score reaches your desired level of privacy, you can effortlessly spend your coins without the need for coin checks. The anonymity score of your UTXOs is so high that the privacy impact of consolidation doesn't destroy your privacy.

As of August 31st, 2023, we're now on version 2.0.4 with many new improvements such as faster loading times on wallet initialization, RBF and CPFP to speed up or cancel unconfirmed transactions, and better decomposition to further prevent the creation of toxic change outputs.
Additional Wallets implement coinjoin
Recently
It should be noted that you can now use Joinmarket with an alternative GUI application called Jam, which significantly improves usability through its design and accessibility through its distribution on many bitcoin node projects like Umbrel.

In addition, the Trezor and BTCPay Server teams have implemented coinjoin features in their wallets, implementing the WabiSabi protocol and using the zkSNACKs coordinator, the default coordinator on Wasabi. On the other hand, wallets like Sparrow and Bitcoin Keeper have decided to implement the Whirlpool protocol and use the Samourai Wallet coordinator.

Also, the zkSNACKs coordinator for Wasabi Wallet 1.0 (Zerolink) has now been sunset (RIP).

Who knows what's next...
In the Future
It's unknown what the future of coinjoins holds, but some believe that it will include interoperability with the Lightning network. If you want to take a closer look at how this might happen in some implementations, you can read Gustavo's article on the topic.

Bitcoin privacy is constantly evolving, and coinjoin implementations are an essential part of its past, present, and future.

Have More Questions?

If you have any comments or suggestions, please reach out to coinjoins@protonmail.com or open an issue on the GitHub repository. Thank you!
