The History of Coinjoins

In the early years of bitcoin, users often thought that the system was anonymous. This couldn't have been further from the truth, as most used single address wallets before the introduction of HD (BIP32) wallets.

However, as early as 2011, some enthusiasts began to explore the idea of privacy on bitcoin. Or rather, the lack thereof. Custodial mixers made their appearance around this time, but the trust requirement made them an unviable solution.

On July 2nd 2011, the Bitcointalk user Hashcoin first described a coinjoin, a collaborative transaction to achieve privacy. Blockchain analysts could easily infer that each input to a transaction was owned by the same entity.

On January 28 2013, Gregory Maxwell (a renowned and now retired bitcoin developer) posted on Bitcointalk.org an idea on how to break this heuristic. He suggested that the forum community join him in what he described as 'raw transaction fun' to break taint analysis. On March 8, 2013, Killerstorm proposed the use of Chaum blind signatures to protect user’s privacy from the coordinator.

Later that year, Maxwell made the legendary post Coinjoin: Bitcoin privacy for the real world (Peter Todd coined the term), in which he introduces the foundations of the game-changing privacy technique. He mentions the need for same-denomination outputs, Tor or a similar anonymity network to obfuscate IP addresses, the use of coordinators and Chaum blind signatures, distributed coordinator markets, anonymity set, and DOS protection.

He simply laid out the ideas and set up a developer bounty to make them a reality. This was easier said than done.

It took only 4 days after Maxwell’s post for someone to try to claim the bounty with the first coinjoin coordinator implementation. In the months that followed, more projects were released with the goal of correctly implementing the coinjoin protocol: Bitprivacy, Sharedcoin, Coinmux, Darkwallet, CoinJumble and CoinShuffle.

They all had one thing in common: they failed to provide guaranteed privacy to the user. Different problems were identified: in some implementations it was difficult but possible to deanonymize coins, in others the incentive system wasn’t set up right and there was no liquidity, and finally in most of them the coordinators had full knowledge of the user's transaction data.

On that day, Chris Belcher announced Joinmarket to the world. It was the first non-broken implementation of a coinjoin protocol. The idea was simple: set the incentives right by creating a market of takers and makers, allowing the latter to earn a fee for providing liquidity. To learn more about how Joinmarket works, read our review here.

Joinmarket was a success. It attracted a lot of liquidity and users gained a lot of privacy from using it. However, it wasn't perfect: the inherent nature of the system made it difficult to use, created sybil attack risks (later solved by fidelity bonds), and also the lack of blind coordination made participants aware of their peers' input and output linkages.

On Tumblebit, introduced in late 2016, users create two fixed-amount payment channels to a Tumbler (coordinator) who can't steal their coins or deanonymize them. The coins get sent back to a user from payment channels of other users. It takes a total of 4 transactions to complete, but you get a very high anonymity rate. The wallets Breeze and Hidden Wallet (now Wasabi Wallet) were the main clients to use this privacy technique.

Compared to the original version of Joinmarket, Tumblebit was theoretically presented as superior because it allowed you to get a very high anonymity set, the user experience was better, and the coordinator couldn't deanonymize you. However, the high liquidity requirements and lack of incentives made it extremely long in practice (a few hours) and very high in fees. It had very few participants and as of 2023, every Tumbler service seems to have shut down.

The Zerolink paper was led by the Hidden Wallet (now Wasabi Wallet) teams. The research paper was authored by Adam Ficsor (Nopara73) with some support from TDev.

It provided a framework not only for a coinjoin protocol, but for privacy wallets in general. It included everything that Gregory Maxwell had originally envisioned, such as the Chaumian blind coordinator, Tor (with identity updates), and DOS protection.

In addition, a good user experience, block filtering as a network privacy solution, high anonymity gains, and the right coordinator fee incentive system were all part of this major innovation.

A new golden era of coinjoins had just begun.

Wasabi Wallet changed the game. It provided an efficient alternative to Joinmarket for less technical users and a full zero-link coinjoin implementation. Like Tumblebit, there was no need to trust the central coordinator. Unlike Tumblebit, you could get anonymity very quickly and for a low fee.

Although it took a few years of R&D for Adam Ficsor to release Wasabi, once it was done it was an overnight success and attracted a lot of liquidity. Now that many of the problems inherent in the initial implementations had been solved, it was time to solve the remaining inherent caveats of the Zerolink protocol. Wasabi Wallet transactions created far too many toxic non-private change coinjoin outputs due to the fact that the output amounts were fixed.

Another team had an idea to address this, but it wasn't a real fix.

From 2020, there were many open discussions on the development of a third-generation coinjoin protocol that would solve the predecessor issues. Finally, Ádám Ficsór, Yuval Kogman, Lucas Ontivero, and István András Seres published the academic paper WabiSabi: Centrally Coordinated Coinjoins with Variable Amounts. By introducing cryptographic methods, the fixed coinjoin output limit was removed and it was now possible to decompose the total bitcoin into variable output amounts.

This massively reduced the occurrence of toxic change and made WabiSabi the most efficient coinjoin protocol ever invented.

It was time to get this innovation into the hands of users.

Wasabi Wallet's initial user experience wasn't the best. You had to manually select your coins to mix and click on the queue for a coinjoin, and this had to be done for each coinjoin remix transaction. The Wasabi Wallet 2.0 release implemented the WabiSabi protocol and also improved the user experience by automating the coinjoin process.

Simply send bitcoin to your wallet and watch the magic happen without any effort. Once your anonymity score reaches your desired level of privacy, you can effortlessly spend your coins without the need for coin checks. The anonymity score of your UTXOs is so high that the privacy impact of consolidation doesn't destroy your privacy.

As of August 31st, 2023, we're now on version 2.0.4 with many new improvements such as faster loading times on wallet initialization, RBF and CPFP to speed up or cancel unconfirmed transactions, and better decomposition to further prevent the creation of toxic change outputs.

It should be noted that you can now use Joinmarket with an alternative GUI application called Jam, which significantly improves the usability with great design and the accessibility through its distribution on many bitcoin node projects like Umbrel.

In addition, the Trezor and BTCPay Server teams have implemented coinjoin features in their wallets, implementing the WabiSabi protocol and using the zkSNACKs coordinator, the default coordinator on Wasabi.

Also, the zkSNACKs coordinator for Wasabi Wallet 1.0 (Zerolink) has now been sunset (RIP).