Bitcoin Privacy Tooling — Final Ranking & Scoring

A locked-in scoring model and ranking for a curated set of privacy tools that already passed two filters: (1) strict Bitcoin/FOSS/privacy maximalism, and (2) sovereign, anti-capture, anti-synthetic-stack telos alignment.

Model: 0–100 per criterion Composite: Σ(score × weight) / 100 Last audited: 2026-02-27

Method (What the numbers mean)

Scores reflect a synthesis of protocol design, deployment reality, ecosystem maturity, and adversarial history. “Privacy” includes effective anonymity (liquidity, sybil-resistance in practice) and stealth (fingerprintability on-chain).

Scope
JoinMarket, JAM, BTCPay Server Payjoin, JoinStr, Whirlpool (Ashigaru), Wasabi/WabiSabi ecosystem
Primary sources
Official documentation, repos, and protocol specs: JoinMarket, JoinMarket docs, JoinMarket code; JAM docs, JAM code; BTCPay Server, BTCPay Payjoin guide; Payjoin.org, BIP78, BIP77; JoinStr, JoinStr FAQ, JoinStr code; Ashigaru, Whirlpool release notes; Wasabi Wallet, Wasabi docs, WalletWasabi code, WabiSabi paper, OpenCoordinator, Wabisator.
Adversarial history inputs
Enforcement and policy pressure data points are explicitly included where directly relevant: Samourai arrest (DOJ), Samourai sentencing (DOJ), Wasabi blacklisting coverage, Wasabi censorship discussion, zkSNACKs coordinator shutdown.
Interpretation discipline: numbers represent “risk-adjusted sovereign utility,” not marketing claims. Centralized coordinators receive structural penalties. “Stealth” transactions (e.g., payjoin) receive explicit credit.

Criteria & Weights (Final)

Each criterion is scored 0–100. Composite score uses the weighted average: Σ(score × weight) / 100.

1) Sovereign Architecture & Decentralization
22% — P2P vs coordinator; chokepoints; self-hostability; substrate risk (IRC/Nostr). JoinMarket, JoinStr
2) FOSS Purity & Independence
13% — licensing, forkability, independence from surveillance/AML capture. JM code, Wasabi code
3) On-chain Privacy & Heuristic Resistance
22% — anonymity sets, sybil resistance, heuristic breaks, and fingerprintability. BIP78, WabiSabi
4) Censorship & Regulatory Resistance
15% — seizure/pressure susceptibility; behavioral response under pressure; ability to route around bans. DOJ Samourai
5) Operational Resilience & Maturity
12% — production stability, liquidity, integrations, docs, maintainership. JAM releases, BTCPay code
6) UX & Adoption Potential
8% — usability for competent sovereign operators; friction and correctness. JAM docs, BTCPay Payjoin
7) Telos Alignment
8% — structural opposition to capture; refusal of “acceptable privacy”; composability with Bitcoin-only, FOSS stacks. Wasabi censorship
Composite = Σ(score×weight)/100 Scale = 0–100 per criterion Penalty for coordinator chokepoints Credit for stealth (indistinguishable) transactions

Final Ranking (Definitive)

Ordering is by composite score. Tool names are linked to primary upstream sources and live documentation.

1
JoinMarket
P2P CoinJoin market; no coordinator; fidelity bonds; deep sovereign architecture.
90.2
2
JAM (JoinMarket Web UI)
JoinMarket front-end: major UX gains; small ops/attack-surface tradeoff (beta note).
89.5
3
BTCPay Server — Payjoin
Stealth privacy embedded in payments; BIP78/BIP77; self-hosted merchant infrastructure.
86.0
4
JoinStr
Nostr-routed coordination; no dedicated coordinator; strong telos, early-stage maturity.
81.5
5
Whirlpool (Ashigaru ecosystem)
Coordinator-centric; Tor-only hardening; strong UX; high regulatory salience from legacy precedent.
69.8
6
Wasabi / WabiSabi ecosystem
Strong protocol + UX; multi-coordinator reality now exists; telos penalty persists from blacklisting & shutdown era.
63.5
Note: “Whirlpool” here references the current Ashigaru-maintained deployment ecosystem and the Whirlpool design lineage, not a single legacy operator.

Scoreboard (All Criteria)

Weights: Arch 22%, FOSS 13%, Privacy 22%, Censor 15%, Ops 12%, UX 8%, Telos 8%.
Composite = Σ(score×weight)/100
Tool Arch FOSS Priv Censor Ops UX Telos Composite
JoinMarket 93958897906098 90.2
JAM 89928895828695 89.5
BTCPay — Payjoin 88858093907888 86.0
JoinStr 92938693454096 81.5
Whirlpool (Ashigaru) 58887650828460 69.8
Wasabi / WabiSabi 62558555608225 63.5
Abbreviations: Arch = Sovereign Architecture & Decentralization; Priv = On-chain Privacy & Heuristic Resistance; Ops = Operational Resilience & Maturity.

Tool Profiles (Full Detail)

Each profile contains: score breakdown, composite, and the decisive considerations with embedded primary links (no link-dump appendix).

1) JoinMarket

P2P maker–taker CoinJoin market with an incentive structure; no central coordinator. Primary sources: site, docs, code.
90.2/100 composite
Core idea: P2P market, not a service coordinator Sybil cost: fidelity bonds + market economics Substrate note: IRC messaging is a non-zero pressure point
Architecture (22%)
93
FOSS (13%)
95
Privacy (22%)
88
Censor/Reg (15%)
97
Ops (12%)
90
UX (8%)
60
Telos (8%)
98

Decisive considerations

  • Coordinator elimination: JoinMarket uses a marketplace orderbook; takers choose makers rather than trusting a coordinator. Background: JoinMarket vs ZeroLink.
  • High censorship resistance: no single operator to subpoena, seize, or force into blocklists; P2P structure reduces “kill-switch” risk. Reference: JoinMarket docs.
  • Sybil mitigation: fidelity bonds raise the cost of dominating maker liquidity over time; maker economics disincentivize cheap flooding. (Implementation and ongoing discussions visible via upstream maintenance activity: JM discussions.)
  • Substrate risk (penalty driver): IRC-based coordination and messaging layers remain a soft pressure point (availability / metadata / DoS surface), keeping architecture below a perfect score. Example operational friction: onion directory issue.
  • UX constraint: operational overhead (node, config, coin control discipline) remains high without a mature front-end. GUI-layer mitigation exists via JAM.

2) JAM (JoinMarket Web UI)

Local web interface for JoinMarket with sensible defaults and a smoother operational workflow. Primary sources: docs, code, releases (beta note).
89.5/100 composite
Inheritance: JoinMarket protocol strength UX leap: web UI, flows, defaults Ops caveat: explicitly beta in releases
Architecture (22%)
89
FOSS (13%)
92
Privacy (22%)
88
Censor/Reg (15%)
95
Ops (12%)
82
UX (8%)
86
Telos (8%)
95

Decisive considerations

  • Protocol unchanged: JAM does not introduce a new coordinator; it drives JoinMarket locally via UI/API. See: project README.
  • UX improvement: coin control, flow visibility, and operational ergonomics are dramatically improved relative to raw JoinMarket usage. Installation pathways include RaspiBlitz integration.
  • Ops/attack surface tradeoff: web stack adds complexity and expands the bug surface; upstream explicitly flags beta status. Reference: release notes.
  • Telos alignment remains high: still self-hosted, no trusted third party coordinator, and explicitly privacy-first. Reference: About JAM.

3) BTCPay Server — Payjoin (BIP78 / BIP77)

Self-hosted payment processor with Payjoin support (two-party CoinJoin during payment). Primary sources: BTCPay, Payjoin guide, protocol: BIP78, BIP77, ecosystem: payjoin.org, overview: Bitcoin Optech.
86.0/100 composite
Stealth: looks like normal payments Heuristics: breaks common-input-ownership Infra: self-hosted merchant endpoint / directory models
Architecture (22%)
88
FOSS (13%)
85
Privacy (22%)
80
Censor/Reg (15%)
93
Ops (12%)
90
UX (8%)
78
Telos (8%)
88

Decisive considerations

  • Stealth advantage: Payjoin transactions are intentionally “ordinary-looking,” avoiding the obvious on-chain fingerprint of equal-output CoinJoin. Reference: Payjoin v1.
  • Protocol basis: BIP78 defines synchronous payjoin negotiation; BIP77 defines async payjoin using a directory + OHTTP relay. References: BIP78, BIP77, Payjoin v2 explainer.
  • Operational maturity: BTCPay is a long-running production system; Payjoin is integrated and documented for merchant deployments. References: BTCPay site, BTCPay docs.
  • Ecosystem visibility: active adoption cataloging exists (wallets/processors). Reference: PayJoin adoption list.
  • Privacy tradeoff (explicit penalty): anonymity set per transaction is inherently small (two-party); privacy comes from heuristic breakage + blending into the global payment graph rather than classic large-set mixing. Technical overview: Bitcoin Optech Payjoin.

4) JoinStr

CoinJoin coordination over Nostr relays (decentralized messaging substrate). Primary sources: site, FAQ, code.
81.5/100 composite
Architecture: no dedicated coordinator server Substrate: Nostr relays Maturity: early and still stabilizing
Architecture (22%)
92
FOSS (13%)
93
Privacy (22%)
86
Censor/Reg (15%)
93
Ops (12%)
45
UX (8%)
40
Telos (8%)
96

Decisive considerations

  • Mainnet usability claims (mixed signals): the public FAQ states mainnet usage is supported, while the GitHub README contains a cautionary note about bugs. References: JoinStr FAQ, JoinStr README.
  • Censorship resistance: coordination via generic Nostr relays reduces the classic “single coordinator server” pressure point. Entry point: joinstr.xyz.
  • Operational penalty driver: limited long-term track record and smaller current liquidity relative to decade-class tooling. Codebase and integrations are still consolidating: repository.
  • Privacy dependency note: electrum-plugin usage can reduce privacy if paired with untrusted servers (explicitly acknowledged). Reference: FAQ on Electrum servers.

5) Whirlpool (Ashigaru ecosystem)

Whirlpool (ZeroLink-style equal-output CoinJoin) operated via Ashigaru’s Tor-only coordinator infrastructure and clients. Primary sources: Ashigaru, Whirlpool/Terminal v1.0.0 notes, background enforcement salience: DOJ 2024, DOJ 2025.
69.8/100 composite
Model: coordinator-centric CoinJoin Hardening: Tor-only deployments (GPLv3) Reg risk: high salience due to legacy precedent
Architecture (22%)
58
FOSS (13%)
88
Privacy (22%)
76
Censor/Reg (15%)
50
Ops (12%)
82
UX (8%)
84
Telos (8%)
60

Decisive considerations

  • Structural penalty: central coordinator remains an unavoidable chokepoint and metadata sink (even with Tor-only deployment). Operational hardening overview: nobsbitcoin release notes.
  • Strong UX and practical workflows: Ashigaru clients and terminal tooling are optimized for operational mixing flows. High-level overview: Ashigaru Whirlpool walkthrough.
  • Regulatory salience (major penalty driver): the “mixer” framing and enforcement precedent materially increases long-run pressure and targeting risk. References: DOJ arrest announcement, DOJ sentencing.
  • Privacy profile: equal-output CoinJoin and remixes provide meaningful on-chain ambiguity, but the pattern is more fingerprintable than stealth approaches. Comparative context: JoinMarket vs ZeroLink.
  • FOSS credit: Ashigaru explicitly publishes code under GPLv3 and aims to reduce centralized dependencies. Reference: Ashigaru FOSS statement.

6) Wasabi / WabiSabi ecosystem

WabiSabi (credential-based CoinJoin with a centralized coordinator per round) implemented in Wasabi and an emerging multi-coordinator landscape. Primary sources: Wasabi, docs, code, WabiSabi paper, coordinator discovery: Wabisator, independent coordinator example: OpenCoordinator.
63.5/100 composite
Protocol: WabiSabi credentials (paper) UX: polished desktop wallet Telos penalty: blacklist + shutdown legacy
Architecture (22%)
62
FOSS (13%)
55
Privacy (22%)
85
Censor/Reg (15%)
55
Ops (12%)
60
UX (8%)
82
Telos (8%)
25

Decisive considerations

  • Cryptographic strength (credit driver): WabiSabi’s credential scheme improves flexibility vs fixed-denomination equal-output CoinJoin. References: WabiSabi paper, protocol explainer.
  • Multi-coordinator reality (partial recovery): independent coordinators exist and are discoverable (e.g., via Nostr-indexed listings). References: Wabisator, OpenCoordinator, context: Delving Bitcoin thread.
  • Historical censorship behavior (major telos penalty): the zkSNACKs coordinator implemented UTXO blacklisting and later suspended coordination under regulatory pressure. References: blacklisting coverage, censorship discussion, shutdown report.
  • Operational nuance: Wasabi remains a usable wallet and CoinJoin is possible via non-default coordinators, but the post-shutdown ecosystem is less unified than a single default path. References: Wasabi FAQ, Wasabi docs.

Export Notes

This file is self-contained (single HTML with embedded CSS). All external references are embedded inline throughout the document as live links.

Jump: Top Jump: Final Ranking Jump: Scoreboard Jump: Tool Profiles
Keep in mind: some upstream materials include marketing phrasing; scoring decisions rely on structural properties, protocol specs, and documented behavior under pressure.