What Is a Stealth Address in Crypto? Monero Explained
What Is a Stealth Address in Crypto? Monero Explained
If you have ever pasted a Bitcoin address into a block explorer and watched your entire payment history light up on a public dashboard, you already understand the problem stealth addresses were invented to solve. By late 2025, on-chain analytics firms publicly tracked more than 1.2 billion clustered wallets, and exchanges routinely freeze deposits that pass within "two hops" of a flagged address. Stealth addresses break that chain by giving every incoming payment its own fresh, unlinkable destination on the blockchain — even when the sender only sees a single public identity for the receiver. This guide walks through how the mechanism actually works, where it shines, where it breaks, and why Monero made it a non-optional part of every transaction. We will use Monero as the running example because it is the only major chain that enforces stealth addresses by default, but the same primitives now appear in Ethereum's ERC-5564 draft, in Zcash's diversified payment addresses, and in privacy add-ons like Umbra. At the end you will see how MoneroSwapper uses stealth-address mechanics to keep no-KYC swaps unlinkable from start to finish.
Why Blockchain Addresses Leak So Much Information
Public blockchains were designed to be auditable. Every transaction is broadcast, every balance is computable, and every address is a permanent label that anyone — your employer, your landlord, a chain-analysis vendor, a hostile state — can crawl backward through time. When you share a single receiving address with five people, all five of them can see what the other four sent, what your running balance is, and where you spend the money next. That is not a bug in Bitcoin or Ethereum; it is the explicit design.
The privacy industry has spent a decade trying to bolt opacity onto this transparent foundation. Mixers, CoinJoin coordinators, layer-two rollups, and zero-knowledge "shielded pools" all attempt to break the deterministic link between sender, receiver, and amount. Stealth addresses take a different tack: instead of obscuring the link after the fact, they ensure that the on-chain address you see in the ledger was never the address the recipient advertised in the first place.
- Address clustering: Heuristics like common-input ownership and change-address detection let analysts merge thousands of UTXOs into a single behavioral profile within minutes of a transaction confirming.
- Cross-chain leakage: Bridges and centralized swap services log the pairing between a deposit address on chain A and a withdrawal address on chain B, creating dossier-grade evidence even when each chain is studied in isolation.
- Reused-address visibility: A donation address posted on a personal homepage, a Twitter bio, or a GitHub README becomes a permanent honeypot — every payment ever sent to it, plus every spend out of it, is forever attributable to that identity.
- Long memory: Unlike credit-card statements, which roll off after seven years, the blockchain remembers forever. A 2017 payment is just as readable in 2026 as it was the day it confirmed.
Stealth addresses do not erase any of these problems for legacy chains, but they neutralize the most damaging one: they make the receiving address itself a single-use, cryptographically unlinkable artifact that exists only inside a specific transaction.
How a Stealth Address Actually Works
The core idea was sketched out by Bytecoin developers in 2012, formalized by Nicolas van Saberhagen in the CryptoNote whitepaper, and refined in Monero from 2014 onward. Modern stealth addresses combine elliptic-curve cryptography with a clever use of the Diffie–Hellman key exchange so that the sender can compute a one-time public key the recipient — and nobody else — can claim.
The Three Keys You Never See
A Monero account does not have one private key; it has three. There is a private spend key that signs outgoing transactions, a private view key that scans the chain for incoming payments, and a public address that bundles the corresponding public spend key and public view key together. When you give someone your address, you are handing over two public points on the ed25519 curve, plus a network byte and a checksum, all base58-encoded into the familiar 95-character string starting with a "4" or "8".
The private spend key is the crown jewel — it authorizes every outgoing payment. The private view key is a deliberately weaker secret: it can see incoming funds but cannot spend them. This split lets you hand the view key to an accountant, an auditor, or your own watch-only wallet on a phone without exposing the spend authority. That asymmetry is what makes stealth addresses practical for everyday use rather than a purely academic construction.
What Happens Inside a Single Payment
When Alice wants to pay Bob, her wallet does not simply hash Bob's public address into the transaction. Instead, it generates a fresh random number, called the transaction private key, and uses it together with Bob's public view key to derive a shared secret via elliptic-curve Diffie–Hellman. That shared secret is then hashed and added to Bob's public spend key, producing a brand-new public key that exists only in this one transaction. Alice writes that one-time public key into the transaction as the output destination and broadcasts the corresponding transaction public key inside the transaction's extra field so Bob can reconstruct the secret on his end.
To the rest of the network, the output looks like a random elliptic-curve point with no obvious connection to Bob. Even if Alice pays Bob a hundred times from the same wallet on the same evening, every single output will land at a different, unlinkable on-chain address. The blockchain's history shows a stream of payments going to a long string of fresh keys, none of which can be clustered together by an outside observer.
How the Recipient Finds the Money
Here is the part that surprises people the first time they hear it: Bob's wallet has to scan every single transaction on the chain to find the ones meant for him. For each transaction, it grabs the broadcast transaction public key, multiplies it by Bob's private view key, hashes the result, and compares the derived point against the output destinations listed in the transaction. If anything matches, the wallet knows that output belongs to Bob and computes the matching one-time private key — which only Bob can do, because only he holds the private spend key needed to finish the derivation.
Stealth addresses turn the blockchain into a haystack where every needle is invisible to everyone except the one person who already knows the magnet's shape.
This scanning workload is the price of unlinkability. It is also why view-key servers, light-wallet daemons, and the upcoming FCMP++ proof system matter so much: they let mobile devices and embedded wallets check a chain that adds roughly 720 blocks a day without downloading the whole thing.
Stealth Addresses Versus Other Privacy Tools
Stealth addresses are one ingredient in a larger privacy stack. They hide the recipient, but on their own they do nothing to hide the sender or the amount. Real-world privacy systems pair stealth addresses with ring signatures (to hide the sender), with confidential transactions or Bulletproofs+ (to hide the amount), and with network-layer protections like Dandelion++ or Tor (to hide the IP). Comparing the major approaches helps clarify what each one actually buys you.
| Privacy approach | Hides recipient? | Hides sender? | Hides amount? | Default-on? |
|---|---|---|---|---|
| Bitcoin reused address | No | No | No | N/A |
| Bitcoin HD wallet (BIP-32) | Partially (per-payment address) | No | No | Yes, in modern wallets |
| CoinJoin (Wasabi, JoinMarket) | No | Set anonymity | No (equal-output design) | No, opt-in per round |
| Zcash shielded address | Yes (via zk-SNARK) | Yes | Yes | No, opt-in pool |
| Monero stealth address + RingCT | Yes | Yes (ring signature) | Yes (RingCT) | Yes, every transaction |
| Ethereum ERC-5564 (draft) | Yes | No | No | No, opt-in standard |
The "default-on" column is the one most people underestimate. Privacy that is optional becomes a flag in itself: when a Zcash transaction moves between transparent and shielded pools, that movement is publicly visible and chain-analysis firms specifically watch for it. Monero's choice to mandate stealth addresses, ring signatures, and RingCT for every transaction means there is no transparent baseline against which a "private" choice could stand out. That uniformity is what gives the system its fungibility.
Why HD Wallets Are Not Stealth Addresses
People sometimes assume that Bitcoin's hierarchical-deterministic (BIP-32) wallets already solve the problem because they generate a fresh address for every payment. They do not. With a BIP-32 wallet, the sender must request a new address from the recipient — or the recipient must publish a new one in advance — for every payment. If you put a static donation address on your blog, BIP-32 buys you nothing. Stealth addresses, in contrast, let the recipient publish a single permanent address and still receive an unlimited number of unlinkable payments without any further communication.
A Concrete Walk-Through Using Monero and MoneroSwapper
The easiest way to internalize how stealth addresses behave is to actually use them. Here is a realistic scenario: a freelance illustrator in Argentina wants to accept payment from a German client without exposing the full payment history attached to her Monero address. She uses MoneroSwapper to convert the incoming Monero to a different asset for a one-off purchase, and she wants the swap itself to leave no breadcrumb tying the original payment to the final withdrawal address.
- The illustrator generates a fresh Monero address inside Feather Wallet or the official GUI. Because Monero uses subaddresses by default, she creates one specifically for this client — the subaddress is itself a deterministic offset of her main address, so she can manage thousands of them without ever exporting a new private key.
- She shares the subaddress with the German client over Signal. The client opens his own Monero wallet, pastes the address into the "Send" field, and confirms the payment. His wallet derives a one-time public key from the subaddress and writes it into the transaction.
- Roughly two minutes later the transaction confirms on the Monero blockchain. The illustrator's wallet, scanning the chain in the background, recognizes the output as hers and updates the balance. To any outside observer, the output destination is a fresh elliptic-curve point with no visible connection to her address.
- She opens MoneroSwapper, picks the destination asset (say, Litecoin), and pastes a freshly generated Litecoin address from her hardware wallet. The swap engine quotes a rate, she sends the Monero from her wallet to the one-time address MoneroSwapper provides, and the Litecoin arrives at her hardware wallet a few blocks later.
- Because every step used a stealth address — the client's payment, MoneroSwapper's deposit address, and the freshly generated Litecoin receive address — there is no chain-analysis path that links the German client's wallet to the Argentine illustrator's hardware wallet without access to the private view keys involved.
This is the kind of workflow that stealth addresses make routine rather than exotic. The illustrator did not run a mixer, did not configure Tor manually, did not deal with timing analysis. The default cryptographic behavior of the system delivered the privacy guarantee for free.
Common Misconceptions and Real-World Limits
Stealth addresses are powerful, but they are not magic. Several persistent misconceptions deserve correcting before you rely on them for anything important.
First, stealth addresses do not hide transaction amounts on their own. On a chain like Bitcoin or Ethereum that lacks confidential transactions, a stealth address could still leak how much you received because the value is visible in the output. Monero solves this by pairing stealth addresses with RingCT, which encrypts the amount using a Pedersen commitment and proves with a Bulletproofs+ range proof that no money was created from nothing.
Second, stealth addresses do not hide the sender. The original public key that signed the transaction is still on chain in most designs. Monero hides the sender separately using ring signatures (now CLSAG, soon to be replaced by FCMP++), which mix the real spender's key image with decoys drawn from the chain's existing outputs. Without that companion mechanism, a stealth address would only obscure half the equation.
Third, stealth addresses do not protect against off-chain leakage. If you tell your friend "I just sent you the payment for the laptop" over WhatsApp, and law enforcement subpoenas WhatsApp, the cryptographic privacy of the on-chain hop is irrelevant. The same is true for IP-level leaks: a wallet that broadcasts a transaction over an unprotected internet connection leaks the originating IP to any node listening, regardless of how unlinkable the on-chain output is. Run your wallet over Tor or pair it with Dandelion++ to close that gap.
Fourth, view-key disclosure is irreversible. Once you hand a private view key to an exchange, an auditor, or a tax authority, they can scan every past and future incoming payment to that address. The view key cannot be rotated without rotating the underlying account, which is one reason Monero is working on the Jamtis address format — it splits the view capability into finer-grained roles so you can grant "saw this one payment" rights without granting "see everything I ever receive again" rights.
FAQ
Is a stealth address the same as a one-time address?
Effectively yes, from the chain's perspective. The recipient publishes a single long-term address, but the cryptographic destination written into each transaction is a freshly derived one-time public key. The term "stealth address" usually refers to the long-term, shareable identity, while "one-time public key" refers to the per-payment artifact that actually appears on chain.
Does Bitcoin have stealth addresses?
Not natively. There was a BIP-47 "reusable payment codes" proposal and an older "stealth address" draft by Peter Todd, but neither shipped in Bitcoin Core. Some wallets (Samourai, Sparrow) support PayNyms based on BIP-47, which give similar receiver-privacy properties at the cost of an initial on-chain notification transaction. It is a usable workaround, not a built-in feature.
Can the police trace a stealth address?
Not from the address alone. To link a stealth address back to an identity, an investigator typically needs either the private view key (handed over voluntarily, subpoenaed from a service, or extracted from a seized device), an off-chain correlation such as an exchange KYC record tied to a deposit, or a network-level leak such as an unprotected wallet broadcasting its first transaction over a logged IP. The cryptographic primitive itself is unbroken as of 2026.
Why does my Monero wallet take so long to sync?
Because of the scanning workload stealth addresses impose. Your wallet downloads every block and tests every output against your private view key. On a fresh phone install this can take hours. View-key servers and the upcoming FCMP++ proof system shorten this drastically by letting the wallet outsource the scan or verify a succinct proof instead of trial-and-error matching.
Can I use a stealth address on Ethereum?
Eventually, yes, but the standard is still in draft. ERC-5564 specifies a stealth-address scheme using secp256k1 keys, and ERC-6538 adds a public registry that maps regular Ethereum addresses to stealth meta-addresses so senders can look up the right key. Vitalik Buterin has advocated for the approach in several 2024 and 2025 posts, but adoption depends on wallet support and the willingness of users to pay slightly higher gas for the extra computation.
Are stealth addresses legal?
In every jurisdiction we are aware of as of 2026, yes. Using a privacy-preserving cryptographic primitive is not itself illegal anywhere; it is the underlying activity that may or may not be regulated. Several exchanges and custodial services in restrictive jurisdictions decline to support stealth-address-based coins, but that is a business choice, not a legal prohibition on the user side.
Putting It All Together
A stealth address is a deceptively simple idea: instead of writing the recipient's permanent address into the blockchain, write a fresh, single-use public key that only the recipient can recognize and claim. Layered with ring signatures, confidential amounts, and network-level protection, it forms the backbone of every modern fungible cryptocurrency and is the reason Monero outputs cannot be selectively frozen, blacklisted, or clustered the way Bitcoin outputs routinely are. Whether you are an illustrator accepting freelance payments, a journalist receiving tips, a small business that wants its supplier prices to stay confidential, or simply someone who believes financial privacy is a normal feature of money, stealth addresses are the primitive that makes the rest of the privacy stack believable. MoneroSwapper builds on that primitive end to end: every deposit address we generate is a one-time stealth output, every swap leaves no on-chain link between the input and the withdrawal, and no account is required to use the service. If you want to see the mechanism work in real time, send a small test swap through MoneroSwapper and watch how the deposit address never appears anywhere else on the chain — that is a stealth address doing its job.