At the 2nd Ethereum Cypherpunk Congress on November 16, 2025, Vitalik Buterin used his talk “Kohaku: Wallet Privacy On Ethereum” to deliver a harsh verdict on the state of Ethereum privacy: the cryptography works, but the user experience fails.
He began by reminding the audience that Ethereum has spent a decade investing in privacy and security infrastructure. He highlighted the elliptic curve precompiles added in 2018 – “EC-add, EC-mul, EC-pairing” – as the basis for protocols such as Tornado Cash and Railgun, and cited the Privacy & Scaling Explorations team’s work on zkSNARK protocols, development tools and application-layer experiments.
On the security side, he called the 2016 DAO hack an event that “really catalyzed the ecosystem,” leading to stricter auditing, teams like SEALs, more secure Solidity and Vyper, and multisig wallets that were “mostly a dream in 2015” but are “very common today.”
Vitalik pushes Ethereum towards true wallet privacy
Despite this progress, Buterin argued that everyday users still struggle to access meaningful privacy and security. “When it comes to the actual privacy and security offered to users, we’re still behind where we could be,” he said. “And that’s the thing that could change, and that’s the thing that this year can change.”
Technically, he insisted, the core privacy stack is mature. “Base layer technology is great. You can generate a proof in less than a second on a laptop, in two seconds on a phone. It’s easy to develop. It’s very well understood. There are lots of well-tested circuits.” The breakdown occurs at the wallet level.
“Using a privacy protocol requires a separate seed phrase. There is no multi-signature option. So if you have your coins in a private pool, your coins must be controlled by a single key,” he explained. Users typically have to open a separate privacy wallet, and “it takes about five clicks to send and withdraw privately.” Even the infrastructure for distributing transactions is fragile. “Last week I had to fight against public channels. It took me about ten tries to finally figure out that it worked after enabling a VPN.”
“We are in this very last kilometer stage,” he concluded. “It’s exactly at this point in the last mile that we need to make a lot of really concerted effort to do better.”
Buterin framed Kohaku as part of a broader defense of privacy that he expanded on in an April essay. On stage, he summed it up in three lines: “Privacy is freedom…Privacy is order…And privacy is progress.” Privacy, he said, “gives us the space to live our lives in ways that meet our needs,” underpins basic social mechanisms that assume not everyone sees everything, and is essential for using data in fields like medicine and science without creating “a dystopian nightmare.” With modern cryptography, “it can be designed to prioritize privacy.” For users, “privacy is not an abstraction. It is a concrete benefit for users. We can show that we have it now.”
According to him, security is likewise dominated by extreme downside risk. Referencing a meme, he contrasted DeFi returns with catastrophic loss. Put assets into DeFi and “you get APY”. Do nothing and “you get 0% APY”. But if you lose your private keys, your APY is “minus 100”. The same applies “if Lazarus finds out your private keys” or “if the wrong people find out how much money you have, who you donate to, and where you live.”
Buterin argued that the Ethereum privacy conversation has focused too narrowly on “what can be protected against on-chain ZK.” He expanded the scope to UX (making it easier to separate wallet identities), read privacy (via better RPCs, “E3T, E+ORAM” or “the truly cryptographically pure approach, PIR”), network-level privacy via mixnets, and non-financial operations that also require protection.
Regarding security, he called for “risk-based access control”: “You should have to press more buttons and get more permissions to move $100,000 than to move $10.” He emphasized account recovery, UI-level security, and “on-chain version control…of software dependencies and user interfaces,” saying that “we should have a world where user interfaces live on-chain” so attackers can’t silently swap front-ends by hacking a server.
Summing up Ethereum in 2025, Buterin said it has “robust security and privacy research,” “strong security on L1,” and privacy tools that have “miles improved” since “the very first version of Zcash” where “it took two minutes to sign a transaction.” What remains, he insisted, is to “level up the last mile,” particularly “the application and wallet layer, the parts of this whole thing that are closest to the user.”
Kohaku was announced on October 9 by the Ethereum Foundation via
At press time, ETH was trading at $3,194.



