Most Bitcoin privacy content focuses on the sending side. How to spend privately. How to mix. How to break the transaction graph before moving funds. Almost nobody talks about the receiving side — which is odd, because every privacy leak in Bitcoin starts with an address that somebody, somewhere, can associate with you. If your receiving setup is careless, everything downstream is compromised before you even touch it.
This walkthrough fixes that. It’s a practical, step-by-step procedure for receiving Bitcoin in a way that doesn’t quietly destroy your privacy the moment the first transaction lands. Follow it literally the first time. After a few weeks, the steps become habit and you stop needing the checklist.
Before You Start: What You’ll Need
A wallet that generates fresh addresses automatically. This rules out older wallet software and anything that shows you “your Bitcoin address” as a single persistent string. Good options as of 2026: Sparrow (desktop), BlueWallet (mobile), Electrum (desktop, with Tor configured), or a hardware wallet paired with Sparrow or Electrum.
A Bitcoin node, ideally. Running your own node eliminates a class of privacy leaks where your wallet software queries public servers for balance information. If you can’t run one, the next-best option is connecting your wallet to a trusted node over Tor. The default “light wallet” configuration where your software queries random public servers is the weakest choice.
Tor configured on the device where your wallet runs. Most modern wallets support this as a single toggle in settings.
A password manager or secure notes system. You’ll be tracking which address was used for which purpose, and keeping this organized is non-optional.
Step 1 — Set Up Your Receiving Structure
Open your wallet and create at least two separate accounts from your seed. Most modern wallets let you do this without creating a new seed phrase — they derive multiple accounts from one backup.
Account A — High-sensitivity receiving. This is for payments where privacy matters most. Client payments, business revenue, income you don’t want mapped to your broader financial life.
Account B — Low-sensitivity receiving. For payments where privacy matters less. Gifts from friends, trivial amounts, coins you’re willing to leave exposed.
The point of the split is that the two accounts should never appear together in any transaction. Never. If you maintain this discipline, a leak in Account B does not propagate to Account A.
Checkpoint: Verify that your wallet software treats these as separate accounts with separate address trees. Derive a test address from each and confirm they’re different.
Step 2 — Generate a Fresh Address for Every Single Payment
This is the most important habit. Every time someone is going to pay you, generate a brand new receiving address from the appropriate account. Never reuse an address. Never give out “your Bitcoin address” as a standing string.
Your wallet has a function for this, usually labeled “Receive” or “Generate new address.” Click it. Copy the address. That’s the address you give to the payer. That address is now used up — even if the payment is small, even if you think reuse would be harmless, even if the payer seems trustworthy.
Why this matters so much: Every reuse creates a public connection between two or more parties who paid you. Every non-reuse keeps those payers invisible to each other on the blockchain. This one habit, applied consistently, prevents roughly 80% of casual privacy leaks.
Checkpoint: Before sending an address to anyone, ask yourself: “Have I used this address before, for any purpose, with any person?” If the answer is yes — or if you’re unsure — generate a new one.
Step 3 — Deliver the Address Through a Private Channel
The address you just generated is only as private as the channel you send it through. A few rules:
Never paste a Bitcoin address into a public place. Not a tweet. Not a public Slack channel. Not a forum post. Not a screenshot. Not a website. Not an email signature. Anywhere the address can be scraped, indexed, or forwarded, it should not appear.
Use end-to-end encrypted channels where possible. Signal. A direct email where both sides use proper encryption. A private DM on a platform you trust not to log or leak.
If you must communicate the address through a less-private channel (SMS, unencrypted email), accept that the address is now semi-public and treat the resulting UTXO accordingly — as lower-sensitivity, regardless of which account it lives in.
The screenshot trap: Screenshots are the most common accidental leak. Someone takes a screenshot of their wallet to confirm an address with a client, and the screenshot ends up on a shared drive, in an email thread that gets forwarded, in a cloud backup. Assume any screenshot containing an address will eventually be seen by someone you didn’t intend.
Step 4 — Track What Each Address Was For
This sounds bureaucratic but it’s essential. For every address you generate, record: the date, the purpose, and the expected sender. Keep this in your password manager, a private encrypted note, or your wallet’s built-in labeling feature if it has one.
Why? Because six months from now, you’ll be looking at a UTXO in your wallet and need to remember what its history is before deciding how to spend it. Without labels, every UTXO becomes indistinguishable, and you lose the ability to make informed decisions about which ones can safely touch which others.
Example labeling: “2026-04-15 — client invoice — Acme Corp — 0.04 BTC expected.” A few months later, when you’re consolidating, you know immediately that this UTXO is from client work and belongs only with other client work UTXOs — not with exchange withdrawals or P2P trades.
Step 5 — Receive the Payment, Then Stop
Once the payment lands in the fresh address, your active involvement is done for now. Resist the urge to immediately move the funds elsewhere. Resist the urge to “organize” by sweeping small incoming payments into a single consolidated address. Every movement you make is a new on-chain event, and every such event is a new opportunity to leak information.
Leave the UTXO where it is. It’s safe. It’s in a fresh address that nobody except the specific payer has any reason to know about. The privacy is intact as long as you don’t do something to break it.
When to move it: When you actually need to spend it, or when you’re doing a planned, deliberate consolidation that has been thought through (see Step 7). Not before.
Step 6 — Handle Change Outputs Carefully
When you do eventually spend a UTXO, your wallet creates a change output — leftover coins returned to a new address you control. This change output inherits the history of the UTXO that produced it. A fresh-looking address does not reset that history.
Treat change outputs as belonging to the same sensitivity category as the spent UTXO. A change output from a high-sensitivity spend is itself high-sensitivity, and needs to be handled with the same care. Your wallet should send change to a fresh address automatically — verify that this is configured, because a few wallets have options that can send change back to the sending address (a serious privacy bug).
Checkpoint: Send a small test transaction and check where the change landed. If it went to a new unused address in your wallet, good. If it went back to the original sending address, find the setting and fix it before doing anything real.
Step 7 — Plan Consolidation Deliberately
Eventually you’ll want to combine multiple small UTXOs into larger ones — either for fee efficiency on future spends, or to move funds to cold storage. This is the step where most of the careful privacy work from the previous steps gets either preserved or destroyed.
The common-input ownership heuristic means that every UTXO spent together in one transaction gets clustered as belonging to one entity. If you consolidate UTXOs from different senders, different months, different purposes — all into one transaction — you’ve just created a single public graph linking every one of those payments to every other one. Everything you worked to keep separate is now visibly connected forever.
The correct approach:
Option A — Consolidate only UTXOs that are already linked. If multiple UTXOs all came from the same client, across multiple invoices, they’re already connected from that client’s perspective. Combining them doesn’t leak new information. Safe to consolidate together.
Option B — Break the history before consolidating unrelated UTXOs. If you want to combine UTXOs from different sources, run them through a graph-breaking step first. This means either CoinJoin rounds or a centralized mixing service like a transparent option that generates unique deposit addresses per transaction, so the output coins have no on-chain relationship to the original inputs. Once the histories are broken, combining the mixed outputs doesn’t expose the original sources. This is the step that most users skip, and it’s the most common reason careful address hygiene gets undone.
Option C — Don’t consolidate. If you can afford slightly higher fees on future spends, leaving UTXOs separate is always an option. The “inefficiency” of unconsolidated UTXOs is minor compared to the privacy cost of consolidating wrong.
Step 8 — Audit Yourself Quarterly
Every few months, spend an hour looking at your wallet the way an outsider might. Open a block explorer. Plug in a recent address from your receiving account. See what’s visible. Trace a few transactions forward. Check whether any of your consolidations ended up connecting things you intended to keep separate.
This audit is uncomfortable the first few times. You’ll almost certainly find mistakes. That’s the point — finding them now lets you correct course before they compound.
Common findings in first audits:
- Reused addresses you forgot about.
- Consolidations that linked unrelated senders.
- A UTXO that can be traced back to a KYC’d exchange deposit you’d forgotten.
- Change outputs that went to addresses you’d used for something else.
Each finding is a lesson for how to do better next quarter. Privacy is a practice, not a setup.
The Checklist, Compressed
If you want the whole thing in one paragraph to tape to your monitor: Generate a fresh address for every single payment, from the appropriate sensitivity account. Deliver the address through a private channel only. Label what it was for. Leave the incoming UTXO alone until you actually need to spend it. Handle change outputs as carrying the history of their inputs. Never combine UTXOs from different sources without breaking their histories first. Audit your setup quarterly to catch mistakes before they compound.
That’s the entire receiving-side discipline. None of it is difficult individually. All of it has to happen, every time, or the chain breaks at whichever step you skipped.
One Last Observation
The reason this guide is longer than most is that the receiving side is where privacy is built. Everything downstream — mixing, spending, consolidation — is either preserving or undoing the work that happened at receipt. A careless receiving setup can’t be rescued by sophisticated spending discipline later. A careful receiving setup, on the other hand, gives you a clean foundation that makes every subsequent step easier.
Start at the beginning. The rest of your Bitcoin privacy depends on it.