Since the inception of blockchain technology, decentralization and transparency have been its foundational principles. However, this same transparency has sparked controversy. Because every on-chain transaction is publicly traceable, users’ financial activities are fully exposed—raising concerns about the right to individual privacy. To address this tension, protocols like Tornado Cash emerged, enabling transaction anonymity through fund mixing. But in 2022, the U.S. Treasury sanctioned Tornado Cash, marking a major shift as regulators began taking a hard stance against blockchain-based privacy solutions. This event propelled the ongoing debate between privacy and regulatory compliance to the forefront of the crypto conversation.

The U.S. Treasury Adds Tornado Cash to Sanctions List. Source: OFAC website, 08.22.2022
In response, Vitalik Buterin and others proposed a new approach: Privacy Pools—a mechanism designed to protect user privacy while leveraging cryptographic methods to distinguish between lawful and illicit funds, potentially paving the way for more regulatory-friendly privacy solutions.

Privacy Pools is a smart contract protocol combining zero-knowledge proofs with compliance-friendly filtering to give users finer control over their privacy. Vitalik Buterin and a team of researchers and engineers proposed it in 2023, after which the 0xbow team developed and launched it on Ethereum mainnet in April 2025.
In contrast to Tornado Cash’s “black-box” anonymity approach, Privacy Pools introduces [1] two key innovations: Association Sets and Association Set Providers (ASPs).
Vitalik calls this design a “Separating Equilibrium”: honest users can prove their funds are unlinked to illicit activity, while bad actors cannot produce the same proof.
In 2023, Vitalik Buterin, along with Jacob Illum (Chief Scientist at Chainalysis) and Professor Fabian Schär from the University of Basel, co-authored a research paper titled Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium. The paper explored how Association Set Providers (ASPs) can help guide on-chain privacy toward a compliance-friendly model.
The authors argued that privacy protocols don’t inherently conflict with regulation. On the contrary, cryptographic tools can enable privacy while limiting the scope for illegal activity. The key takeaways from the paper include:
This research laid the academic foundation for the design and development of Privacy Pools.
The real-world deployment of Privacy Pools has been led by the team at 0xbow, a pioneering group focused on building privacy technologies that align with regulatory standards. The team includes experienced developers, researchers, and community coordinators—such as Zak Cole (author of EIP-6968 and co-founder of the corn project) and Ameen Soleimani (co-founder of Reflexer Finance). Advisors and supporters of the project include Vitalik Buterin, Number Group, BanklessVC, and Public Works.

From the start, the team has emphasized open-source development and community involvement. All code is fully available on GitHub, allowing anyone to review it, suggest improvements, or even launch their own front-end integrations. Unlike traditional closed development models, this transparent approach fosters collaboration and drives ongoing innovation—both technically and in terms of compliance.

Privacy Pools operates through three key stages — Deposit, Verification, and Withdrawal — each designed to balance privacy with regulatory compliance:

Privacy Pools Workflow diagram. Source: Gate Learn contributor Max
The architecture [2] of Privacy Pools is built on three core layers:
Key functions: Asset custody, state recording, transaction execution
This is the foundational layer of the system, deployed on the Ethereum mainnet. It handles all logic related to asset interactions and can be seen as the “ledger and executor” of Privacy Pools.
Its main responsibilities include:
Example:
When User A deposits 0.5 ETH, the contract logs the transaction and generates a unique “anonymous token ID” that joins the anonymity set. When A initiates a withdrawal, they generate a zero-knowledge proof and submit it to the contract. After verification, the contract releases the funds. This layer doesn’t evaluate whether funds are “clean” or “dirty”; it simply executes rules, much like a bank’s back-office system that follows procedures without making judgments.
Key functions: Privacy protection, unlinkability, self-proving compliance
This layer serves as the privacy engine of the system. It uses zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) technology, enabling users to prove their membership in a legitimate deposit group without revealing their identity or transaction history.
In simple terms, it’s a cryptographic tool that lets you prove a statement is true without revealing any underlying data.
In the context of Privacy Pools, zk-SNARKs allow a user to say:
“I’m withdrawing funds from this pool, and the money I’m withdrawing comes from a legitimate deposit group… But I won’t tell you who I am, how much I deposited, or who I’m connected to.”
The ZKP process works like this:
A real-world analogy: Imagine Employee A wants to enter an office building but doesn’t want to reveal who they are. Instead of showing an ID, they present a cryptographic proof that says: “I’m a verified employee.” The receptionist accepts the proof, lets them in, but never sees their name, badge number, or department.

How ASPs Operate. Source: 0xbow.io
Key functions: Compliance assessment, group definition, risk filtering
This layer is the core component that enables Privacy Pools to offer regulator-friendly privacy.
Association Set Providers (ASPs) act as neutral, on-chain reputation systems. They do not control user funds or access personal identities—instead, they provide trusted sets of deposit addresses based on behavior analysis and compliance criteria.
Think of ASPs like airport security checkpoints. They don’t need to know a passenger’s identity, but they can determine who to let through based on whether someone carries prohibited items or displays suspicious behavior.
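The membership statement from the zero-knowledge layer, combined with an ASP-published association set, is sketched below as an added example; it is not code from the original article or from the 0xbow code base. It checks the relation in the clear, with SHA-256 standing in for a zk-SNARK circuit, so it shows what a withdrawal proof attests to rather than how the witness stays hidden. The function names, the note layout and the sample deposits are all assumptions.

```python
import hashlib

def h(tag: bytes, *parts: bytes) -> bytes:
    # SHA-256 with a domain tag stands in for the circuit's hash (assumption).
    return hashlib.sha256(tag + b"".join(parts)).digest()

def build_levels(leaves):
    """All levels of a binary Merkle tree; an odd level repeats its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels[-1] = cur
        levels.append([h(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_path(leaves, index):
    """Siblings from leaf `index` up to the root, each flagged if it sits on the left."""
    path = []
    for level in build_levels(leaves)[:-1]:
        path.append((level[index ^ 1], index & 1 == 1))
        index //= 2
    return path

def root_from_path(node, path):
    for sibling, sibling_is_left in path:
        node = h(b"node", sibling, node) if sibling_is_left else h(b"node", node, sibling)
    return node

def withdrawal_relation(pool_root, asp_root, nullifier_hash, spent, witness):
    """What the proof attests to; a real verifier never sees `witness`."""
    secret, nullifier, pool_path, asp_path = witness
    commitment = h(b"note", secret, nullifier)
    return (h(b"nul", nullifier) == nullifier_hash
            and nullifier_hash not in spent                          # no double withdrawal
            and root_from_path(commitment, pool_path) == pool_root   # was deposited
            and root_from_path(commitment, asp_path) == asp_root)    # in the ASP set

def demo():
    """Constructed data: three deposits; the ASP set omits the third."""
    notes = [(h(b"s", n), h(b"n", n)) for n in (b"alice", b"bob", b"flagged")]
    pool = [h(b"note", s, nf) for s, nf in notes]
    asp = pool[:2]
    roots = tuple(build_levels(t)[-1][0] for t in (pool, asp))
    def attempt(i, asp_index, spent=()):
        s, nf = notes[i]
        wit = (s, nf, merkle_path(pool, i), merkle_path(asp, asp_index))
        return withdrawal_relation(*roots, h(b"nul", nf), set(spent), wit)
    replay = attempt(0, 0, spent=[h(b"nul", notes[0][1])])
    return attempt(0, 0), attempt(2, 0), replay
```

`demo()` returns the outcome for an approved deposit, for a deposit the ASP left out of its set, and for a replay of an already-spent nullifier. The public inputs are only the two roots and the nullifier hash, which is why the contract layer can enforce the rule without learning which deposit is being withdrawn.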

Three-Layer Architecture Builds a Bridge Between Privacy and Compliance. Source: Gate Learn Contributor Max
While Privacy Pools introduces a framework for regulatory compliance, several risks remain from a regulatory standpoint:
As a result, future governance models for privacy protocols must consider a hybrid approach that emphasizes decentralization, auditability, and accountability.

Regulatory Perspective Flowchart. Source: Gate Learn Contributor Max
The launch of Privacy Pools is widely seen as marking the beginning of “Privacy Protocols 2.0.” Its significance lies not only in technical innovation but also in reshaping the stereotype that “privacy equals illegality.”

Privacy Protocol Comparison. Source: Gate Learn contributor Max
Among existing solutions, Privacy Pools is currently the only protocol that explicitly integrates a compliance module at the design level. Its positioning is closer to an on-chain privacy middleware, rather than a traditional coin mixer.
Short-term challenges:
Long-term challenges:
Privacy Pools represents a revolutionary reimagining of blockchain privacy philosophy. Rather than emphasizing “absolute anonymity,” it builds upon the principle of “controllable privacy + self-proving compliance.” Vitalik Buterin’s investment in this project is no coincidence; it aligns with his vision for Web3’s long-term evolution [3]: Without privacy, everything becomes a constant battle of “what will other people (and bots) think of what I’m doing”.
If Tornado Cash was the stronghold for privacy purists, Privacy Pools is the proving ground for realists. While it’s not a perfect solution, it offers a pragmatic path forward, which may help privacy protocols finally emerge from regulatory limbo and take a step toward mainstream adoption.





