Threat model

How the Whir mixer keeps you safe.

A close look at what the Whir Bitcoin mixer protects against, how its custody window is structured, and where the limits of any privacy tool inevitably lie.

Layered security: short custody, zero logs, Tor-only access.

Three security pillars

Any Bitcoin mixer is only as private as its weakest layer. The Whir BTC mixer reduces risk along three independent axes: how long it holds your money, what it writes down about you, and how easy it is to observe the connection between you and the service.

Short custody window

Funds remain under operator control only for the few minutes between receiving the deposit and broadcasting the payout. There is no long-term pool of user balances waiting to be cycled. A short window limits both the impact of any operator incident and the legal-liability surface that has historically hurt centralized BTC tumblers.

No-log policy

The session identifier exists in memory for the lifetime of a single mix. When the payout transaction is broadcast, the session record is dropped. There is no historical database of past mixes, deposit addresses, or payout addresses for an adversary or a subpoena to reach.

Tor-only access

The Whir BTC mixer is reachable through a Tor hidden service. As a Tor Bitcoin mixer, it removes the network-layer link between your IP address and your session, even from the operator's vantage point.

Session records exist only for the mix lifetime.

What this is not. No Bitcoin anonymizer, the Whir mixer included, can retroactively clean coins that were already deanonymized off-chain — for example, coins linked to your identity at a regulated exchange that retains records. Privacy starts at the deposit.

What the mixer protects against

  • On-chain clustering. The deposit and payout transactions share no input ancestry, so heuristic clustering breaks down.
  • Amount matching. Payout amounts include a small randomized component, frustrating naive value-matching heuristics.
  • Operator-side seizure of historical data. Logs that do not exist cannot be seized.
  • IP-layer exposure to the operator. Tor access keeps the network identity off the operator's records.

Tor hidden service: no IP-layer link to the operator.

What it does not protect against

Honest security pages name the limits. The Whir Bitcoin mixer cannot remove information you have already published — KYC documents, social-media posts that announce your wallet, or behavioral patterns that match a unique fingerprint. It also cannot help if you reuse a payout address with a wallet that is already known to be yours.

Best practice

  1. Generate the payout address in a wallet that has never held identity-linked coins.
  2. Wait for some confirmations before spending the payout, then spend it like any other UTXO.
  3. Avoid linking the payout wallet to KYC services in the same session.
  4. Always access the no-KYC BTC mixer interface over Tor when possible.