Compliance & Regulation

This page reflects our current understanding of the regulatory landscape as of mid-2026. It is not legal advice. If you are operating in a regulated jurisdiction, consult a qualified attorney.

Our honest position

Stealth Pay is a privacy protocol. Privacy and compliance are not opposites, but we will not pretend the tension doesn't exist. This page explains what we have built in, what we have not, and why.

What is built into the protocol

Permissioned token list

Only tokens explicitly whitelisted by the OPERATOR_ROLE can be shielded. The operator can delist a token at any time. This means if a token is associated with a sanctioned issuer or flagged by regulators, it can be removed from the pool without a contract upgrade.

Shield and unshield are visible on-chain

When you shield tokens, the chain records the depositor address, token, and amount. When you unshield, the chain records the recipient address, token, and amount. Only the link between a specific shield and a specific unshield is hidden. Blockchain analytics firms can and do apply heuristics to privacy pools — we do not claim otherwise.

Admin emergency controls

The contract has a pause() function and an emergencyWithdraw() function restricted to admin roles. In the event of a regulatory order or exploit, the protocol can be frozen and funds can be returned. This is a deliberate design choice that introduces admin trust — documented honestly in the Security Report.

Upgradeable contracts

The PrivacyPool proxy is UUPS upgradeable. If regulators require compliance changes — for example, mandatory on-chain screening or modified withdrawal flows — we can respond without redeploying. This is a trade-off: upgradeability means users must trust the upgrade key holder.

What is not built in

OFAC screening

There is no on-chain OFAC or sanctions list check at the smart contract level. The contract does not block deposits or withdrawals from specific addresses. Implementing this on-chain is technically complex, privacy-reducing, and not yet a settled legal requirement for non-custodial protocols. We are watching how courts and regulators rule on this.

Travel Rule compliance

Private transfers between spending keys do not record the sender or receiver on-chain. The Travel Rule (FATF Recommendation 16) applies to virtual asset service providers, not to self-custodied protocol use. If you are a VASP integrating Stealth Pay, you are responsible for your own Travel Rule obligations at the application layer.

KYC / identity

The protocol has no identity layer. Anyone with a wallet and whitelisted tokens can use it. We do not think a KYC layer belongs at the base protocol level — that is an application concern.

Regulatory landscape

As of 2026, there is no settled global framework for on-chain privacy protocols. The most relevant precedent is the OFAC sanctioning of Tornado Cash smart contract addresses in August 2022 and the subsequent criminal prosecution of its developers. Key points from that case that inform our design:

1. OFAC sanctioned specific immutable contract addresses, not the concept of privacy. The legal theory was that the contracts themselves were "property" of a sanctioned entity (Lazarus Group) because North Korean hackers had used them extensively.
2. The Fifth Circuit partially overturned the immutable pool sanctions in November 2024, ruling that immutable smart contracts are not "property" under IEEPA. The mutable contracts and the Tornado Cash DAO token remained sanctioned.
3. The developer prosecutions proceeded separately under money transmission and sanctions violation charges, not purely for writing privacy software.

How we differ from Tornado Cash

This is the question most people actually want answered. Here is a direct comparison.

Comparison: Tornado Cash vs. Stealth Pay

Model
  Tornado Cash: Fixed-denomination mixer. Deposits are fungible — 1 ETH from any depositor is indistinguishable from any other.
  Stealth Pay: UTXO note model. Private transfers create individual note paths. Not a mixer.

Token list
  Tornado Cash: Any ERC-20, no restrictions.
  Stealth Pay: Operator-controlled whitelist. Tokens can be delisted.

Admin controls
  Tornado Cash: Immutable contracts. No admin. No pause. No emergency withdraw.
  Stealth Pay: Upgradeable (UUPS). Admin can pause and emergency-withdraw.

Chain
  Tornado Cash: Ethereum mainnet — directly subject to US regulatory jurisdiction.
  Stealth Pay: 0G Chain — a separate EVM L1. Different regulatory exposure.

Sanctioned use
  Tornado Cash: Lazarus Group (North Korea) laundered ~$455M through it, making every pool deposit commingled with sanctioned funds.
  Stealth Pay: Not sanctioned. No known use by sanctioned entities.

Developer posture
  Tornado Cash: Developers operated anonymously, marketed it as a censorship-resistant mixer.
  Stealth Pay: Open team, open source, this compliance page exists.

Regulatory response capability
  Tornado Cash: None — immutable.
  Stealth Pay: Can pause, delist tokens, upgrade logic, or comply with a court order.

Fifth Circuit ruling
  Tornado Cash: Partially applies — immutable pool contracts ruled not "property".
  Stealth Pay: Not subject to the Tornado Cash sanctions.

The core privacy mechanism (ZK proofs hiding the shield-to-unshield link) is the same class of technology used by Zcash, which has operated without sanctions since 2016. The UTXO note model is closer to Zcash Sapling than to Tornado Cash.

What we cannot promise

We cannot guarantee that regulators in any jurisdiction will not take action against this protocol or its users. Privacy technology is under active legal scrutiny worldwide. If you are transacting in large amounts or in jurisdictions with strict crypto regulation, you should take legal advice specific to your situation.

What we can say: we have built a protocol that can respond to regulatory requirements, we have not designed it to be ungovernable, and we are not trying to help anyone launder money.