Attacking Zcash

Anonymity Sets in Zcash Protocol Cryptocoins

TLDR

Zcash Privacy in 5 Acts

What is an anonymity set?

An anonymity set, also called a “shielded pool” in Zcash Protocol, is the set of potential funds that could be part of a transaction. The anonymity set is exactly the feature which adds privacy to a privacy coin. When a Zcash Protocol transaction is made, and shielded funds are spent from a shielded address (zaddr), zero-knowledge mathematics is used to spend the funds without leaking the metadata of which funds are being spent or where they came from.

Cryptocoins with very small anonymity sets seem like they have privacy, but in practice, they are like a football stadium with only a few dozen people in the seats. All of them are very easy to identify because there is no “crowd to hide in”. After four years, Zcash mainnet has a very small anonymity set, and they neither publish correct statistics about it nor provide tools to measure it in real time.

Anonymity sets of various coins

According to the latest data which can be seen on explorer.hush.land or verified by running a Hush full node with -zindex=1 ...

HUSH Has The Largest Anonset Of Any Privacy Coin!

We are very proud of this fact, and worked hard to get here. Here are the exact stats:

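| Rank | Coin   | Block Height | Anonset Size |
|------|--------|--------------|--------------|
| 1    | Hush   | 784370       | 876786       |
| 2    | Pirate | 1748743      | 674749       |
| 3    | Zcash  | 1404593      | 193593       |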

NOTE: The above stats only track Sapling anonset data. Pirate has two anonsets (Sprout and Sapling) and Zcash currently has three anonsets (Sprout, Sapling, Orchard), which hurts each coin, since its anonset stats are split across different sets. The latest Pirate anonset stats can be seen on anonset.dexstats.info, which Duke Leto helped design while he still worked on Pirate. Unfortunately this website provides no source code for 3rd parties to verify the numbers, so you must trust it on faith.

In the past this place was held by Pirate (ARRR) but Hush quickly surpassed them because of our Sietch technology. This is because Sietch gives z2z transactions 8 outputs on average, which means our anonset velocity is much larger. Hush adds to its anonset at a much greater speed than Pirate adds to its anonset. This can also be seen from the fact that the current HUSH mainnet is much younger than Pirate mainnet, but our anonset is 29% larger than the Pirate anonset!!! Another way to look at this is per block. Hush has added, on average, 0.8945 to its anonset per block, while Pirate has added only 0.3858 to its anonset per block, on average. Pirate's low number is also related to the fact that all early transactions were in the Sprout anonset, which is currently locked, unspendable, and trivially distinguishable to a blockchain analyst from their Sapling anonset data. Zcash added just 0.1378 to its anonset per block, on average, which is directly related to it spreading out across three anonsets, and possibly a fourth soon.

Since no other coins can measure theirs in real-time, we implore Zcash, Pirate, Arrow and all Zcash Protocol coins to port the Hush Shielded Index -zindex so that we can have industry-wide comparison of our privacy, in real-time. If we cannot give our users and investors real-time detailed data about our privacy metrics, what kind of technology are we really creating?

Zcash + Hush Anonymity Sets

The anonymity set is a set, not a count! Josh Swihart, Head of Growth at Zcash Company, does not seem to understand the difference between a daily count of transactions and the current set of privacy. They are completely different, yet he talks as if they are the same. All graphics from Swihart and Zcash Company related to transaction counts are NOT anonymity set counts. They are transaction counts, which are not directly related to anonsets at all. It’s possible to have very high transaction counts and very small anonset sizes.

Zcash Company does not seem to understand that the anonset can change with every block, and go up and down. For instance, if Alice uses 10 shielded spends but creates 2 shielded outputs (the default transaction with change), that transaction will reduce the size of the anonset by 9, since 10 - 1 = 9. This is what happens on both Zcash and Pirate. But on Hush, we have Sietch, which gives the default transaction 8 outputs, and so the same transaction would only reduce the Hush anonset size by 1. This is one of the reasons why Hush has the largest anonset size: We add more outputs than any other coin in an average transaction and we subtract the least from the anonset in transactions that reduce the anonset size.

They show graphs of counts monotonically going up, attempting to lie (badly) with statistics. Additionally, Zcash Company is running test scripts behind the scenes to massage their incorrectly-defined data. For about 17 months, the blue bars of Sprout shielded transactions have not increased or decreased noticeably but stay under 0.5% deviation month to month. This is almost certainly automated software by Zcash Sprout fund owners to increase shielded statistics.

In the 30 days leading up to July 19th 2020, Hush had 40,180 Sapling shielded transactions, just over the amount Zcash claims, of 38,016. We remind users that Hush was the very first Zcash Protocol coin to remove the old Sprout addresses, which had a severe inflation bug, CVE-2019-7167. Hush has no Sprout transactions in its history and in fact almost all Sprout code has been deleted from the Hush codebase, to reduce potential attack surface of future bugs. It is the only coin which is able to claim these feats.

Anonymity Set Size

The size of the anonset is a count, and we can measure it at every block with a very simple equation:

    size(anonset) = size(outputs) - size(spends)

at a given block height H. It’s good to remember, anonsets are functions of block height! They go up and down with time. They go up when more outputs are created than inputs spent. The opposite also happens: the anonymity set goes down when more spends are consumed and sent to a smaller number of outputs. Both of these types of shielded transactions happen normally in plain Zcash Protocol.

At every block, the Hush full node keeps track of all shielded spends and outputs, so it can calculate the size of the anonset at any block height. To our knowledge, Hush is the first cryptocoin to ever have this ability. Additionally, the custom Sietch technology by Hush Developers ensures that no Hush transaction can reduce the size of the anonset. On Hush mainnet, the size of our anonset can only stay the same, or increase.

Hush details

When the -zindex CLI argument is enabled, the Shielded Index keeps track of many statistics, two of which are shielded_spends and shielded_outputs. This data can be retrieved via:

    hush-cli getchaintxstats

This will return a large amount of JSON data where the current anonset size will be returned as shielded_pool_size and can be verified as the difference between shielded_outputs and shielded_spends.
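The check described above, together with the per-block equation from the "Anonymity Set Size" section, as an added example that is not code from the Hush project. It assumes the three field names given on this page appear at the top level of the JSON; the sample JSON, the per-block counts and all function names are constructed for illustration.

```python
import json

# Constructed sample using the field names this page gives for
# `hush-cli getchaintxstats` (node started with -zindex=1). Values are made up.
SAMPLE_STATS = ('{"shielded_spends": 1200, "shielded_outputs": 9300, '
                '"shielded_pool_size": 8100}')

# Constructed per-block counts: (height, shielded spends, shielded outputs).
SAMPLE_BLOCKS = [(100, 0, 8), (101, 2, 8), (102, 5, 2), (103, 1, 1), (104, 3, 16)]


def check_pool_size(stats_json):
    """Recompute the anonset size and compare it with the reported value.

    Returns (reported, recomputed, consistent).
    """
    stats = json.loads(stats_json)
    for key in ("shielded_spends", "shielded_outputs", "shielded_pool_size"):
        if key not in stats:
            raise KeyError(f"{key} missing: was the node started with -zindex=1?")
    recomputed = stats["shielded_outputs"] - stats["shielded_spends"]
    reported = stats["shielded_pool_size"]
    return reported, recomputed, reported == recomputed


def anonset_series(blocks, start=0):
    """Anonset size after each block: size(outputs) - size(spends), cumulative."""
    size, series = start, []
    for height, spends, outputs in sorted(blocks):
        if spends < 0 or outputs < 0:
            raise ValueError(f"negative count at height {height}")
        size += outputs - spends
        series.append((height, size))
    return series


def shrinking_blocks(blocks):
    """Heights at which the anonset went down (more spends than outputs)."""
    return [height for height, spends, outputs in sorted(blocks) if spends > outputs]


if __name__ == "__main__":
    print(check_pool_size(SAMPLE_STATS))
    for height, size in anonset_series(SAMPLE_BLOCKS):
        print(height, size)
    print("blocks that shrank the anonset:", shrinking_blocks(SAMPLE_BLOCKS))
```

To audit a live node, pass the output of `hush-cli getchaintxstats` to `check_pool_size` in place of the constructed sample.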

Historical Stats

As of Hush Block Height 263573 on 19th July 2020:

What this means is that every time you do a shielded Hush transaction, it’s “hiding” in the “anonymity set” of about 100,000 others, which gives us privacy. The larger the anonset, the more privacy. If our anonset were just a small number, most privacy properties would be lost. It's like "Where's Waldo?". The larger the group he is hiding in, the better his privacy.

Comparing to Monero/CryptoNote coins

The way privacy works in Monero/CryptoNote coins is different and the way anonymity set is defined is different. With Monero, about 10 or so “mixins” are added to each transaction, so that it’s unclear exactly which funds are being spent. So the anonymity set of every Monero transaction is a different small set of about 10, which constantly changes.

The author believes that Zcash Protocol anonymity sets are stronger, but concedes that Monero has a much stronger dedication to privacy than Zcash and has better GUI wallets with great UI/UX.

For these reasons, Hush considers Monero to be its main competition, as Zcash mainnet is now supported by Chainalysis, Elliptic and most likely Ciphertrace.

Questions

The author proposes they realize it would be bad for marketing to broadcast how small their anonset is, after four years. This is why Josh Swihart lies with statistics and tells investors whatever they want to hear, including only showing some statistics which put Zcash in a positive light.

The author believes Electric Coin Company is purposefully misrepresenting numbers, grossly inept, or both.

Conclusions

Zcash investors are being grossly lied to, with cooked statistics that border on outright lies, as well as lies of omission about how the surveillance tech of Chainalysis, Elliptic and Ciphertrace actually works.

Electric Coin Company is part of the Military-Industrial-Surveillance complex, which involves all blockchain analysis companies and the Law Enforcement/Government entities which pay them like an IT department. If the agency has an acronym, it is involved.

As proof of this, we have documented a video which was deleted from YouTube and describes how Zcash Company works with these organizations. It is a presentation from Chainalysis and Ciphertrace to Law Enforcement agencies, describing their technology for de-anonymizing privacy coins.