Private on-chain exposure scanning

See what your Bitcoin gives away. We see none of it.

BTC Medusa scans every coin in your wallet against 17 privacy heuristics, including address reuse, change leaks, exchange links and transaction entropy, then shows you exactly how exposed you are. The scan runs blind: we never learn which coins you hold, what you ask, or who you are. No node required.

Client-side & blind · Built on open-source privacy heuristics

  • 17 privacy heuristics
  • 5 risk categories
  • 0 queries we can read
  • Tor on by default

[Screenshot: BTC Medusa scanning UTXOs inside Sparrow Wallet; per-UTXO privacy report, server sees nothing]
The problem

Your transaction history is already being analyzed.

Bitcoin is public and permanent. Every payment leaves a trail. Surveillance firms use that trail to cluster your addresses, identify your change outputs, and connect your coins back to the exchanges that touched them. Most people have no idea how much of their financial history is already exposed.

  • Address reuse: The single biggest privacy killer. Every reuse merges your activity into one identity.
  • Common-input ownership (CIOH): Spending two coins together tells the world they belong to the same person.
  • Change detection: Address-type mismatches and round amounts quietly reveal which output is your change.
  • Exchange & entity links: Coins are flagged when their ancestry links to an exchange, a sanctioned entity, or a darknet market.
  • Transaction entropy: Boltzmann analysis measures how many interpretations of a transaction actually exist.
  • Wallet fingerprint: Version flags, input ordering and signature quirks can identify the software you use.


The scan

A privacy score for every coin you hold.

BTC Medusa runs the battle-tested privacy heuristics the open-source community has refined over years against your UTXOs, and returns a plain 0–100 score, a letter grade, and a list of exactly what's leaking and how to fix it.

Example wallet: grade D, 38 / 100 (scale: A+ 90+ · C 50–74 · F <25)

  • 01 Address reused 4 times (critical): Three of your receive addresses appear in more than one transaction, collapsing them into one cluster.
  • 02 Change linked to a KYC exchange (critical): A change output traces two hops back to a deposit address at a major exchange.
  • 03 Low transaction entropy (medium): The deterministic link between inputs and outputs is unambiguous. Entropy ≈ 0 bits.
  • 04 Round-amount change (medium): A round-number output makes the payment-vs-change split obvious to any observer.

17 heuristics. Transactions · addresses · xpubs · pre-broadcast PSBTs, all checked, all on your device.

  • 17 privacy heuristics, from reuse to transaction entropy
  • 5 risk categories, deterministic leaks to wallet fingerprint
  • A–F letter grade, with a concrete fix for every finding
  • 0 queries, coins or identities we can read

What we check

17 heuristics. Five ways your coins can talk.

Every UTXO is run through the same set of checks, grouped by how much they give away, from deterministic leaks that collapse your privacy outright down to subtle wallet fingerprints. Each finding comes with a plain explanation and a fix.

Group 01 · Deterministic leaks · Critical

  • 01 Address reuse: Change returned to an address that was also an input, merging your activity into one identity.
  • 02 Deterministic change leak: The input → output link is unambiguous, so the observer knows exactly which output is yours.
  • 03 Chain taint / toxic merge: Tainted coins merged into the ancestry, dragging their history onto your funds.

Group 02 · Clustering & linkage · High

  • 04 Common-input ownership: Multiple inputs spent together reveal that one entity controls them all.
  • 05 Peel chain: A consecutive single-hop payment chain, a classic signature of one wallet spending down.
  • 06 Consolidation pattern: Fan-in, fan-out and cross-wallet merging that ties separate stashes together.
  • 07 Multisig / escrow detection: Script structure that exposes a multi-party or escrow arrangement.

Group 03 · Entity & taint · High

  • 08 Sanctioned / OFAC match: Ancestry that links to a sanctioned entity, a serious compliance exposure.
  • 09 Darknet-market link: History that touches a known darknet market, a strong deanonymization vector.
  • 10 Exchange / service link: Coins that trace back to a known exchange or service, often a KYC chokepoint.
  • 11 Dust attack / co-spend: Flagged dust used to bait you into co-spending and revealing your wallet.

Group 04 · Structural & entropy · Medium

  • 12 Transaction entropy: Low, zero, or zero-sweep entropy (Boltzmann-style) where only one interpretation exists.
  • 13 OP_RETURN metadata: Arbitrary data attached to the transaction that can carry identifying breadcrumbs.
  • 14 Dust outputs present: Uneconomical outputs that linger and quietly link future spends together.

Group 05 · Wallet fingerprint · Low

  • 15 RBF signaling: nSequence flags that reveal fee-bumping behavior and narrow down your software.
  • 16 No anti-fee-sniping: nLockTime = 0 plus a legacy transaction version that shrinks the set of wallets you could be using.
  • 17 No anonymity set: All output amounts unique, with no equal-value ambiguity to hide behind.
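As an added illustration of the checks listed above (example code, not BTC Medusa's engine): a small scorer that runs eight of the heuristics over a constructed transaction and maps the result onto the page's grade scale. The penalty weights, the dust and round-amount thresholds, and the B band (75–89, which the page does not state) are this example's assumptions; the sample transaction is constructed.

```python
# Constructed sample transaction, not real chain data. Amounts are in sats; "type" is the output script type.
SAMPLE_TX = {
    "version": 2, "locktime": 800_000,
    "inputs": [  # the coins being spent, with the nSequence each input carries
        {"address": "bc1q-constructed-in-1", "amount": 900_000, "type": "p2wpkh", "sequence": 0xFFFFFFFD},
        {"address": "bc1q-constructed-in-2", "amount": 600_000, "type": "p2wpkh", "sequence": 0xFFFFFFFD},
    ],
    "outputs": [
        {"address": "bc1p-constructed-payee", "amount": 1_000_000, "type": "p2tr"},
        {"address": "bc1q-constructed-change", "amount": 483_210, "type": "p2wpkh"},
    ],
}
DUST_SATS = 546         # usual dust threshold (assumed for this demo)
ROUND_SATS = 100_000    # granularity treated as a "round amount" (assumed for this demo)
def run_heuristics(tx):
    """Return (finding, severity, penalty) tuples. The penalty weights are this demo's assumptions."""
    ins, outs, found = tx["inputs"], tx["outputs"], []
    in_addrs, in_types = {i["address"] for i in ins}, {i["type"] for i in ins}
    # Group 01, deterministic leaks
    if any(o["address"] in in_addrs for o in outs):
        found.append(("Address reuse", "critical", 30))
    same_type = [o for o in outs if o["type"] in in_types]
    if len(outs) > 1 and len(same_type) == 1:  # exactly one output matches the inputs' script type: that is the change
        found.append(("Deterministic change leak (script-type mismatch)", "critical", 20))
    # Group 02, clustering & linkage
    if len(ins) > 1:
        found.append(("Common-input ownership", "high", 15))
    # Group 04, structural & entropy
    if len(outs) > 1 and any(o["amount"] % ROUND_SATS == 0 for o in outs):
        found.append(("Round-amount change", "medium", 10))
    if any(o["amount"] < DUST_SATS for o in outs):
        found.append(("Dust outputs present", "medium", 10))
    # Group 05, wallet fingerprint
    if any(i["sequence"] < 0xFFFFFFFE for i in ins):
        found.append(("RBF signaling", "low", 5))
    if tx["locktime"] == 0 and tx["version"] == 1:
        found.append(("No anti-fee-sniping", "low", 5))
    if len(outs) > 1 and len({o["amount"] for o in outs}) == len(outs):
        found.append(("No anonymity set", "low", 5))
    return found
def grade(score):
    # Page bands: A+ 90+, C 50-74, F <25; D 25-49 follows from the page's 38 -> D example; B for 75-89 is assumed
    return "A+" if score >= 90 else "B" if score >= 75 else "C" if score >= 50 else "D" if score >= 25 else "F"
def score_tx(tx):  # 0-100 score, letter grade and the findings behind them
    found = run_heuristics(tx)
    score = max(0, 100 - sum(p for _, _, p in found))
    return score, grade(score), found
```

Running `score_tx(SAMPLE_TX)` gives 45 / D: the two-input spend, the lone p2wpkh output beside a p2tr payee, the round 0.01 BTC payment, unique amounts and RBF signaling each cost points, while the non-zero locktime keeps the anti-fee-sniping check quiet.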


The breakthrough

Private scanning used to require your own node.

The open-source engine is brilliant, but using it privately meant making a hard choice: leak every address you look up to a third-party API, or run a full node and self-host the stack. Most people can't, or won't, do that. BTC Medusa removes that requirement.

Scanning on your own

  • Every lookup tells a remote API which coins are yours.
  • Your IP is logged alongside the addresses you query.
  • True privacy means running and maintaining a full node.

Scanning with BTC Medusa

  • Heuristic results are encrypted into compact block filters.
  • Your wallet matches them locally, so the lookup never leaves your device in the clear.
  • Node-grade privacy, with no node to run.

We take the open-source heuristic data, encrypt it, and pack it into the block filters your wallet downloads. You get the full privacy analysis without ever broadcasting what you're looking at.


Trust model

Assume we're malicious. The math still protects you.

We don't ask you to trust our server. We designed the whole protocol around the strongest possible assumption: that the operator, us, is actively hostile, colluding, and trying to deanonymize you. Under that assumption, here's what an attacker is up against.

A malicious server

Full control of our own software, database and network, and it still can't see your coins or your queries.

Network observers

ISPs and state actors watching the wire see Tor traffic: no IP, no payload, no link to you.

Colluding parties

Even if we hand everything to an exchange or chain-analysis firm, there's nothing in our logs to hand over.

Timing correlation

A growing anonymity set plus per-request Tor circuits leave only a guess that decays as the user base grows.


How it stays private

The double-blind query.

You want to ask one question: "How exposed is this coin?" without anyone, including us, seeing what you asked. Your wallet blinds the query before sending it. We answer the blinded version without being able to read the original. Your wallet then unblinds the result and shows you the answer.

  1. Your wallet (on your device) takes the coin you're checking and multiplies it by a secret random value k that only your wallet knows.
  2. Your wallet sends us the result, α = k · H(input), which looks like pure noise.
  3. Our server (BTC Medusa) applies its secret key to the noise, β = v · α, without ever learning your input.
  4. Our server returns the result with a DLEQ proof that proves we used the real key and didn't cheat.
  5. Your wallet divides out the secret k and reads the answer. We never saw the question.

What our server sees: only a meaningless point. It cannot recover the coin, the query, or you.
This is a Verifiable Oblivious Pseudorandom Function (VOPRF). The server never sees x: it evaluates its keyed function on the blinded point, your wallet recovers f(x) by unblinding, and the DLEQ proof shows the evaluation used the real key.
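The blind, evaluate, verify and unblind steps above, carried through end to end, as an added worked example (not BTC Medusa's code). It assumes secp256k1 as the group and a try-and-increment hash-to-curve; the outpoint string and the server key v are constructed.

```python
import hashlib, secrets
# secp256k1 constants (well-known). Using this curve is the example's assumption, not the plugin's stated choice.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, Q):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def enc(Q): return Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")
def hash_to_curve(msg, ctr=0):  # H(input): try-and-increment; P % 4 == 3 so the square root is one exponentiation
    x = int.from_bytes(hashlib.sha256(b"H2C" + msg + bytes([ctr])).digest(), "big") % P
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    return (x, y) if y * y % P == (x**3 + 7) % P else hash_to_curve(msg, ctr + 1)
def challenge(*pts):  # Fiat-Shamir challenge binding every point of the DLEQ transcript
    return int.from_bytes(hashlib.sha256(b"DLEQ" + b"".join(map(enc, pts))).digest(), "big") % N
def blind(msg):  # wallet, steps 1-2: alpha = k * H(input) with a fresh secret k
    k = secrets.randbelow(N - 1) + 1
    return k, mul(k, hash_to_curve(msg))
def evaluate(v, alpha):  # server, steps 3-4: beta = v * alpha plus a DLEQ proof that log_G(vG) == log_alpha(beta)
    beta, r = mul(v, alpha), secrets.randbelow(N - 1) + 1
    c = challenge(G, mul(v, G), alpha, beta, mul(r, G), mul(r, alpha))
    return beta, (c, (r - c * v) % N)
def verify(pk, alpha, beta, proof):  # wallet checks the proof against the server's published key pk = vG
    c, s = proof
    a1, a2 = add(mul(s, G), mul(c, pk)), add(mul(s, alpha), mul(c, beta))
    return c == challenge(G, pk, alpha, beta, a1, a2)
def unblind(k, beta):  # wallet, step 5: divide out k, leaving v * H(input)
    return mul(pow(k, -1, N), beta)
def client_scan(msg, pk, server):  # the whole exchange; returns None if the server's proof does not check out
    k, alpha = blind(msg)
    beta, proof = server(alpha)
    return unblind(k, beta) if verify(pk, alpha, beta, proof) else None
```

Two scans of the same coin use different blinding factors, so the server sees two unrelated points, yet both unblind to the same v · H(input); a server that answers with a different key than the published pk fails verify() and the wallet discards the reply.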

Zero-knowledge by default

What our server actually learns.

After the blinding, the zero-knowledge proofs and the Tor transport, our entire view of you reduces to this. Almost every meaningful fact is simply never knowable to us.

About you | Can we see it? | Why not
Which coin you're scanning | No | blinded before it ever leaves your device
What the result says | No | unblinded only inside your wallet
How many coins you hold | No | tokens are spent without a counter we can read
Your IP address | No | Tor hidden service, traffic never exits the network
Your identity | No | no accounts, no email, no sign-up
Whether two scans came from you | No | each request is cryptographically unlinkable
That some valid scan happened | Yes | by design, it's all we need to keep the system running

Don't trust, verify

The code is the proof.

Every cryptographic primitive, every circuit constraint, every protocol flow is open and auditable. You don't have to take our word that we can't see your data. You can read exactly why we can't.

Get started

Download the Sparrow plugin.

Our launch release runs as a plugin for Sparrow Wallet on desktop. We chose Sparrow because it's one of the most popular and robust desktop wallets around; note that Sparrow's creator has not endorsed the plugin. In the future, we hope to have all wallets, including Sparrow, bundle our plugin natively, since a percentage of every subscription will go straight to the open-source development team.

Trial · sats (≈ $0.25 USD, live rate)
Run a single scan and pay with your favorite Lightning wallet. About the cost of a quarter, no account needed.
  • One private scan
  • Full 17-heuristic engine
  • Pay over Lightning

One-Time (most popular) · sats (≈ $10 USD, one-time, live rate)
A full bundle of scans to audit your whole wallet. Pay once, no subscription.
  • Bundle of private scans
  • Whole-wallet & xpub auditing
  • Pre-broadcast PSBT checks

Yearly / Monthly · sats / mo (≈ $8/mo, or sats yearly ≈ $80)
Ongoing access for power users who scan regularly. Cancel anytime.
  • Unlimited private scans
  • Everything in One-Time
  • Priority filter updates

Pay over Lightning or on-chain. No account, no email.

Get in touch

Questions about the protocol or integrating your wallet?

Send us a message below. We're happy to walk through the cryptography, the threat model, or wallet integration, and your note reaches both of us directly.