xmr.club
EN 中文 ES RU
← all guides
guide · long-form explainer

How to use Bitcoin Lightning anonymously

Lightning fixed Bitcoin's UX. It did not fix the privacy story by default — most users today are on Wallet of Satoshi or Strike, both of which KYC. The non-custodial path is a real privacy upgrade, but it requires a couple of decisions most onboarding flows don't surface. This is the playbook.

The default is worse than people think

  • Custodial wallets (Wallet of Satoshi, Strike, Cash App) — your sats sit on their books. They see every payment, can freeze the account, and most KYC at signup or before first withdrawal. Convenient, not private.
  • Non-custodial mobile (Phoenix, Breez, Mutiny, Zeus) — you hold the keys; the LSP routes for you. Some metadata leaks to the LSP, but you can swap LSPs or run your own.
  • Self-hosted node (LND / Core Lightning) — full sovereignty. Highest privacy ceiling, real ongoing operational cost.

Mobile wallets that actually preserve privacy

  • Phoenix: the gold standard for non-custodial mobile LN. Splicing means you don't open/close channels manually. ACINQ acts as LSP — they see your channel partner, not your full payment graph. Open-source.
  • Mutiny: browser-first, non-custodial, Nostr-integrated. Pluggable LSP. Open-source.
  • Zeus: mobile front-end for a remote LND/CLN node you control. Best privacy + flexibility, requires running the backend.
  • Breez: non-custodial with native lightning + Liquid + boltz swaps built in. Open-source.

LSP choice matters

Your Lightning Service Provider sees every channel-open with you. Some LSPs additionally sniff payment patterns. Defenses:

  • Rotate LSPs. Don't open every channel against the same operator.
  • Splice rather than open new channels. Reuses existing UTXOs and avoids new onchain fingerprints. Phoenix does this by default.
  • Wallet-of-Satoshi → non-custodial migration: move sats to a non-custodial wallet via a swap-out, not a direct withdrawal — direct withdrawals leave a clear LN audit trail.

Onboarding without KYC

Getting sats into a non-custodial Lightning wallet without going through a KYC'd exchange:

  1. XMR → LN swap. Use a no-KYC swap engine (SideShift, kyc.rip) to send XMR and receive Lightning to your invoice. Cleanest non-onchain-fingerprint path. If your input is USDT/USDC or onchain BTC and you want a single-flow XMR-detour into LN, kyc.rip / ghost handles both legs in one submission.
  2. P2P at a meetup. Trade cash for sats with a real person; have them pay your LN invoice. RoboSats supports this for arbitrary counterparties.
  3. RoboSats / Bisq Lightning. P2P fiat→LN. Some account-friction; counterparties are pseudonymous.
  4. Earned sats. Get paid in LN for work / content. Avoids the onboarding problem entirely.

Receiving sats without exposing yourself

  • LN invoices are one-shot. Generate a fresh invoice per payment; never reuse.
  • Lightning Address (user@domain) is a fixed identifier. Convenient for tips, but reveals a relationship to the domain operator. Use a privacy-respecting host (e.g. zeusln.app, your own).
  • LNURL-Pay behaves like a Lightning Address — same caveat. Run your own LNURL endpoint for full privacy.
  • Bolt12 offers — newer protocol, supports onion-routed responses. Better privacy than LNURL once your wallet supports it.

Sending sats — what leaks

  1. Sender: your routing nodes see (route prefix, amount, payment hash). Sphinx routing hides the destination from intermediate hops.
  2. Receiver: their routing nodes see the same backwards. They learn the amount and hash but not the sender.
  3. Probing attacks: well-funded analysts probe channels to deanonymize routes. Larger channels + more hops = better privacy.
  4. JIT (just-in-time) channel opens reveal you to the LSP at open time. Splice over open whenever possible.

When Lightning is wrong

Lightning is excellent for small, frequent payments. It's a poor savings vehicle (channel risk, online keys). Treat it as a checking account, native Monero or onchain BTC as savings. Bridge between them via the XMR↔LN swap engines listed below.

Picks

  • SideShift — No-KYC XMR ↔ LN. Best on-ramp to non-custodial Lightning from native Monero.
  • kyc.rip aggregator — Best-quote routing across no-KYC engines including XMR ↔ LN pairs.
  • RoboSats — P2P fiat ↔ LN, pseudonymous, Tor-friendly. The cash-to-Lightning path.
  • Bisq Easy — P2P fiat ↔ BTC/LN with reputation. No central operator.