I’ve got a question that's been bothering me.
Let’s say you’re using a non-custodial wallet like Trust Wallet or Exodus. They claim to be fully non-custodial, and they say your seed phrases are only stored locally. But here’s the thing: these "light" wallet apps still connect to specific or self-hosted nodes. So, can they still track your IP? And when you check your balance for a certain seed or wallet, can they see the amount linked to that address?
How private are these wallets if a surveillance company can trace a transaction back to the wallet provider because they’re using their own nodes?
Also, can the app or wallet provider connect different generated seed phrases on the same device back to the user? Or are those seeds completely separate, even if you used the same app for all of them on the same device?
What’s the best way for a mobile app to handle this?
Are Light Wallets Really Private?
19 replies 134 views
stack_2017Senior Member
Posts: 201 · Reputation: 1389
#2May 30, 2025, 11:27 AM
If you are worried about the nodes you're connected to, you should run your own and use a wallet that allows you to connect to it, preferably also an open source one. Electrum, or Bluewallet for example.
I would imagine they can tell that yes. Using the master public key which derives all of your addresses.
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#3May 30, 2025, 08:59 PM
I've seen far too many topics about frozen funds in that wallet to believe they're non-custodial.
If you want an SVP wallet, use Electrum.
If you don't want anyone to know your IP address, use a VPN or Tor. If you don't want anyone to know which addresses belong to the same wallet, don't use an SVP wallet.
If you're concerned about privacy, it's better to use Bitcoin Core (through Tor).
If you use those wallets from the same IP address, it's not that hard to link them together. But it's very easy to avoid all this: don't do it.
Mobile wallets are hot wallets, you shouldn't trust them with any amounts larger than what you can afford to lose in the first place. I'd go for Mycelium or BlueWallet on mobile, but much of this depends on personal preference. Phones are designed to spy on you, so if you want privacy, it's better to get a(n old) laptop (with Linux).
paul.stakeHero Member
Posts: 651 · Reputation: 3798
#4May 31, 2025, 02:06 AM
Most light wallets can see both your IP address and your list of Bitcoin addresses. Wasabi Wallet is the only one I know that has implemented a feature called "compact block filters", which hides the Bitcoin address list from the SPV server, and it also uses Tor by default on every activity, so it genuinely keeps you private. It also comes with built-in coinjoin, that can make your coins private on-chain.
From some very basic online search only core parts of Trust wallet are open-source but not its user interface of mobile apps. I don't like this and I wouldn't want to trust a wallet that has or needs "Trust" in its name.
And Exodus wallet isn't any better, definitely not fully open-source.
Do I want to use a non-fully open-source wallet? Not really, though I make an exception (only for small amounts) with Wallet of Satoshi as one of my Lightning wallets.
To maintain the privacy of my wallet's addresses I have an own full Bitcoin Core node and as Electrum server I use Fulcrum. My SPV (Simplified Payment Verification) wallets only connect to my own Fulcrum Electrum server. As blockchain explorers and if I want to use it privately, I use a local self-hosted copy of mempool.space. My Bitcoin node and wallets use a Tor proxy for communication outside my local network. Privacy doesn't come for free.
My mobile hot wallets, Electrum, Phoenix and Wallet of Satoshi, two of them are Lightning wallets, only hold pocket money amounts of coins. I don't consider a mobile phone a particularly safe environment. I prefer desktop wallets and I mostly operate my wallets on a dedicated Linux device which is not my daily driver. A hardware wallet secures my private keys.
If they intend to track you, they may send unique device ID, where changing IP or connection won't help.
Find ones that have privacy feature, such as only connect to your own Bitcoin node or server. Electrum is one wallet that have such feature. And if you take privacy very seriously, you would need to use modified Android OS/ROM that have good privacy feature and reputation.
These are some bad examples to use because they arent private at all. Trust wallet only gives you a single static receiving address for every transaction. Exodus website says that by default your receiving address is the same as your change address. It is the same as Trust, but at least there is an option to enable using multiple addresses.
Use a wallet with your own node. If thats not an option, wallets using compact block filters give you better privacy by not leaking your addresses and balance to third party observers. Theres only about four wallets implementing this on mobile.
If you have Android & about 13 GB of free space/the ability to pop in a MicroSD for adopted external storage, help us work on Mandacaru's development, which works with the stable Electrum Android app! Or wait a bit until they finally get Mandacaru's storage requirement way down.
As far as I know, neither the developers of Trust nor the developers of Exodus have ever stated anywhere that their wallets are privacy-focused. Trust Wallet has a security page on its website that mentions privacy issues as a top priority. But that page is the most horrifying thing I have seen on that website. Take a look for yourself and be horrified: https://trustwallet.com/security
It is immediately clear that this is far from a priority.
I did not make up the link, I took it from the Trust's homepage.
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#10Jun 2, 2025, 02:02 AM
If you can't create your personal server and you don't have a choice...
By using Electrum or other open-source light clients that can connect to Electrum servers,
You may choose from the two public Electrum servers that our two reputable members have created:
LoyceV's: [BACK ON NEW SERVER] LoyceV's 0.1 sat/vbyte Electrum Server AdventureDireWolfM14's: DireWolfM14's Electrum SPV Server
Loyce claimed that he's using the default settings but not accessing the logged IP in this post, but logging might have been disabled now (needs confirmation)
On the other hand, DireWolf disabled logging right off the bat as you can see in his thread.
Of course, there's no way to verify it, so it involves trust.
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#11Jun 2, 2025, 07:27 AM
I haven't changed anything:
I just checked: it still writes logs to disk, but a quick check doesn't show IP addresses. I'm not sure what it's logging, so I don't want to change the default. I just know the IPs it spits out on console disappear into the void the moment I exit that console.
I get these logs:
It would be great if you tell us list of such wallets, because it's not trivial to find with google search. I probably simply forget it, but i remember Blixt wallet that support compact block filter.
I don't remember where i read it, but Sparrow wallet also list few public electrum server that may be trustable/reputable enough. OP and other reader can check it on https://github.com/sparrowwallet/sparrow/blob/2.5.2/src/main/java/com/sparrowwallet/sparrow/net/PublicElectrumServer.java. I don't vouch any of those, but it can be considered as alternative.
The ones I know of are Blixt, Zeus, Breez, and BitKit.
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#14Jun 2, 2025, 09:21 PM
Oh, at least you're not using the displayed IP for anything.
But if you want to get rid of that, you can uncomment and enable "anon_logs = true" in your fulcrum config.
Those lines will change from (client connection and broadcast containing IP and TXID):
To (anonymous connection and broadcast message):
Seems to be logs of its databases since the debug log is disabled by default.
Light wallets for bitcoin have their place but I would suggest using them together with Tor.
Some wallet already have Tor option available in settings and users can enable or disable it manually.
That way you are not going to reveal your real IP address for bitcoin transactions, but it's still better to run your own node.
john.cobraHero Member
Posts: 408 · Reputation: 2145
#16Jun 3, 2025, 02:10 AM
I've been meaning to try that wallet for a long time, and now I've read that for the wallet to function, it needs to download block filters from block 481824, which they say can take more than 1 hour. Does anyone know how much data is actually involved here?
2GBs
diamond365Full Member
Posts: 136 · Reputation: 744
#18Jun 3, 2025, 08:07 AM
You can not simply trust what wallet softwares advertise about themselves.
Verify, don't trust. It's a very important principle.
Both Trust wallet and Exodus wallet are not open source, and they're close source wallets.
You don't have to trust me, you have to verify these wallets with http://walletscrutiny.com/
Trust wallet
https://walletscrutiny.com/?platform=allPlatforms&page=0&query-string=trust
Exodus wallet
https://walletscrutiny.com/?platform=allPlatforms&page=0&query-string=Exodus
A small advice. Stop relying on their statements and at least look up whether they are fully Open Source or not. If they are not then any statement can be real or it can be complete bogus as no one can verify whether they are telling the truth. Considering you are storing and using a valuable Asset, it would be safer to assume that any statement offered by a non fully Open Source project is complete bogus.
silentchainHero Member
Posts: 473 · Reputation: 2317
#20Jun 3, 2025, 04:45 PM
According to "Prometheus" release Wasabi has to connect directly to your own node which supports BIP 158 filters to retrieve them. In contrast, when obtaining them from indexer (backend) server, the filters are Wasabi-specific (optimized and lightweight) and are not standard BIP 158 filters".
By above, I just want to highlight thatbitcoin-safe wallet discussed here is probably the better example of true BIP 157/158 wallet, as it is genuinely P2P, not centralized, meaning wallet is capable to fetch relevant blockchain data privately from multiple Bitcoin nodes providing they allow to without relying on specific server
Related topics
- Are outgoing connections to clearnet peers via Tor really less secure? 5
- Where to trade BTC and XMR for cash in person in the USA? 14
- Bitcoin and Monero Privacy in a Dystopian World 19
- Questions about signature mixers 19
- Understanding anonymous transactions in Europe 7
- Is it possible to trace Coinjoin transactions? Debunking Bitcoin privacy misconceptions 19