Private on-chain exposure scanning

See what your Bitcoin gives away.We see none of it.

BTC Medusa scans every coin in your wallet against 31 open-source privacy heuristics, including address reuse, change leaks, exchange links and transaction entropy, then shows you exactly how exposed you are. The scan runs blind: we never learn which coins you hold, what you ask, or who you are. No node required.

Download for Sparrow See how it stays private
client-side & blind Heuristics powered by the open-source am-i.exposed engine
31privacy heuristics
30M+labelled entity addresses
0queries we can read
Toron by default
BTC Medusa scanning UTXOs inside Sparrow Wallet
Per-UTXO privacy report
scanning · server sees nothing
The problem

Your transaction history is already being read.

Bitcoin is public and permanent. Every payment leaves structure behind, and surveillance firms have spent a decade learning to read it. They cluster your addresses, spot your change outputs, and tie your coins back to the exchange that touched them. Most people have no idea what their wallet is already saying about them out loud.

reuse

Address reuse

The single biggest privacy killer. Every reuse merges your activity into one identity.

CIOH

Common-input ownership

Spending two coins together tells the world they belong to the same person.

change

Change detection

Address-type mismatches and round amounts quietly reveal which output is your change.

entity

Exchange & entity links

Coins are matched against 364 known services and 30M+ labelled addresses.

entropy

Transaction entropy

Boltzmann analysis measures how many interpretations of a transaction actually exist.

fingerprint

Wallet fingerprint

Version flags, input ordering and signature quirks can identify the software you use.

The scan

A privacy score for every coin you hold.

BTC Medusa runs the same battle-tested heuristics behind am-i.exposed against your UTXOs and returns a plain 0–100 score, a letter grade, and a list of exactly what's leaking, and how to fix it.

D
38 / 100
example wallet
A+ 90+C 50–74F <25
01

Address reused 4 times

Three of your receive addresses appear in more than one transaction, collapsing them into one cluster.

critical
02

Change linked to a KYC exchange

A change output traces two hops back to a deposit address at a major exchange.

critical
03

Low transaction entropy

The deterministic link between inputs and outputs is unambiguous. Entropy ≈ 0 bits.

medium
04

Round-amount change

A round-number output makes the payment-vs-change split obvious to any observer.

medium
31 heuristics Transactions · addresses · xpubs · pre-broadcast PSBTs, all checked, all on your device.
31
privacy heuristics, from reuse to Boltzmann entropy
364
known entities: exchanges, mixers, darknet, gambling
30M+
labelled addresses for entity matching
0–100
a score anyone can read, with fixes for each finding
The breakthrough

Private scanning used to require your own node.

The open-source engine is brilliant, but to use it privately you had a hard choice: leak every address you look up to a third-party API, or run a full node and self-host the whole stack. Most people can't, or won't. BTC Medusa removes the choice.

Scanning on your own

  • Every lookup tells a remote API which coins are yours.
  • Your IP is logged alongside the addresses you query.
  • True privacy means running and maintaining a full node.

Scanning with BTC Medusa

  • Heuristic results are encrypted into compact block filters.
  • Your wallet matches them locally, so the lookup never leaves your device in the clear.
  • Node-grade privacy, with no node to run.

We take the open-source heuristic data, encrypt it, and pack it into the block filters your wallet downloads. You get the full privacy analysis without ever broadcasting what you're looking at.

Trust model

Assume we're malicious. The math still protects you.

We don't ask you to trust our server. We designed the whole protocol around the strongest possible assumption: that the operator, us, is actively hostile, colluding, and trying to deanonymize you. Under that assumption, here's what an attacker is up against.

A malicious server

Full control of our own software, database and network, and it still can't see your coins or your queries.

Network observers

ISPs and state actors watching the wire see Tor traffic: no IP, no payload, no link to you.

Colluding parties

Even if we hand everything to an exchange or chain-analysis firm, there's nothing in our logs to hand over.

Timing correlation

A growing anonymity set plus per-request Tor circuits leave only a guess that decays as the user base grows.

How it stays private

The double-blind query.

You want to ask one question: "how exposed is this coin?" without anyone, including us, seeing what you asked. So your wallet scrambles the question before sending it. We answer the scrambled version without ever being able to unscramble it. Your wallet then removes the scramble and reads the answer.

on your device

Your wallet

1Takes the coin you're checking and multiplies it by a secret random value only your wallet knows.
2Sends us the result, α = k · H(input), which looks like pure noise.
5Divides out the secret k and reads the answer. We never saw the question.
our server

BTC Medusa

3Applies its secret key to the noise, β = v · α, without ever learning your input.
4Returns the result with a DLEQ proof that proves we used the real key and didn't cheat.
·Sees only a meaningless point. Cannot recover the coin, the query, or you.
This is a Verifiable Oblivious Pseudorandom Function (VOPRF). The server computes f(x) without ever seeing x, and proves it did so honestly.
Zero-knowledge by default

What our server actually learns.

After the blinding, the zero-knowledge proofs and the Tor transport, our entire view of you reduces to this. Almost every meaningful fact is simply never knowable to us.

About youCan we see it?Why not
Which coin you're scanningNoblinded before it ever leaves your device
What the result saysNounblinded only inside your wallet
How many coins you holdNotokens are spent without a counter we can read
Your IP addressNoTor hidden service, traffic never exits the network
Your identityNono accounts, no email, no sign-up
Whether two scans came from youNoeach request is cryptographically unlinkable
That some valid scan happenedYesby design, it's all we need to keep the system running
The elephant in the room

But didn't a zero-knowledge bug just cause an infinite inflation bug in Zcash?

It's the first thing a careful Bitcoiner is thinking right now, and it's a fair question. Just days ago a soundness flaw in Zcash's Orchard shielded pool, hidden for nearly four years, could have allowed the undetectable creation of unlimited counterfeit ZEC, forcing an emergency hard fork. But notice what it put at risk: the money supply, not anyone's privacy. So it's worth being precise about what zero-knowledge proofs actually do here, because in BTC Medusa they are not what protects you.

What guards your privacy

The VOPRF, not a proof

Your query is blinded on your device before it leaves, and unblinded only after it returns. That blinding is plain, well-understood elliptic-curve math: k · H(x). A completely broken proof system could not reverse it. Tor hides your network identity on a separate layer. Your privacy never rests on a circuit being bug-free.

What the ZK proof does

It runs the meter

Our zero-knowledge proofs do one mundane job: prove a query was paid for and hasn't already been spent, so customers can't cheat the meter or replay tokens. It's a billing and anti-fraud tool. Its worst-case failure is an accounting headache for us.

Zcash put zero-knowledge proofs in charge of money. We put them in charge of billing. Your privacy is guarded by math that doesn't depend on them.

Don't trust, verify

The code is the proof.

Every cryptographic primitive, every circuit constraint, every protocol flow is open and auditable. You don't have to take our word that we can't see your data. You can read exactly why we can't.

Read the technical specs View the open-source engine
Get started

Download the Sparrow plugin.

Our launch release runs as a plugin for Sparrow Wallet on desktop. We choose Sparrow since it's one of the most popular and robust desktop wallets around. However, it has not been endorsed by its creator. In the future, we hope to have all wallets, including Sparrow, bundle our plugin natively, since a percentage of every subscription will go straight to the open-source development team.

Trial
sats
≈ $0.25 USD · live rate
Run a single scan and pay with your favorite Lightning wallet. About the cost of a quarter, no account needed.
  • One private scan
  • Full 31-heuristic engine
  • Pay over Lightning
One-Time · most popular
sats
≈ $10 USD · one-time, live rate
A full bundle of scans to audit your whole wallet. Pay once, no subscription.
  • Bundle of private scans
  • Whole-wallet & xpub auditing
  • Pre-broadcast PSBT checks
Yearly / Monthly
sats / mo
≈ $8/mo · or sats yearly (≈ $80)
Ongoing access for power users who scan regularly. Cancel anytime.
  • Unlimited private scans
  • Everything in One-Time
  • Priority filter updates
Pay over Lightning or on-chain. No account, no email. Download the plugin
Get in touch

Questions about the protocol or integrating your wallet?

Send us a message below. We're happy to walk through the cryptography, the threat model, or wallet integration, and your note reaches both of us directly.