Guide to Monero Churning: Best Practices 2026
Guide to Monero Churning: Best Practices 2026
If you withdrew XMR from a centralized exchange last week, that exchange knows exactly which output it sent you — and so does anyone who later subpoenas its records. Churning is the practice of spending Monero back to yourself one or more times to bury that known output under fresh rings of decoys, breaking the clean line between "this exchange paid this address" and "this address later paid a merchant." It is not magic, and done carelessly it can actually make you easier to track.
This guide covers how churning works in 2026, how many times you should realistically do it, the timing and amount mistakes that leak metadata, and why the upcoming FCMP++ upgrade is about to change the calculus entirely. Throughout, we assume you control your own wallet keys — if you bought your XMR through a no-KYC service like MoneroSwapper, you already skipped the worst linkability problem, but on-chain hygiene still matters once coins are moving.
What Churning Actually Does
Every Monero transaction hides the real spent output inside a ring of 16 outputs (1 real, 15 decoys) using CLSAG ring signatures, conceals amounts with RingCT and Bulletproofs+, and sends funds to a one-time stealth address. A passive observer cannot tell which ring member was actually spent — but they can build a probability graph, and known starting points (like an exchange withdrawal) anchor that graph.
Churning means sending coins from your wallet back to your own wallet. Each self-spend creates a brand-new output with a brand-new ring, so the link to your original "tainted" output now has to survive being one of 16 candidates, then one of 16 again, and so on. The point is to maximize uncertainty for the most damaging heuristics.
- Defeats the EAE attack: the "exchange-address-exchange" pattern, where analysts link a withdrawal from Exchange A to a later deposit at Exchange B, gets far weaker when self-spends sit in between.
- Grows your anonymity set over time: nominally each churn multiplies your candidate set by 16, so two churns puts your real output among roughly 256 plausible histories before timing analysis even begins.
- Dilutes poisoned or dust outputs: if someone sends you a tiny tracking output, churning it together with other funds frustrates attempts to flag where it lands.
- Resets the spend timer cleanly: fresh outputs age normally and get selected as decoys for other users, which is good for the whole network's fungibility — and yours.
How Many Times Should You Churn?
The honest answer is: fewer times than the forums imply. There is a strong diminishing return, because the decoy selection algorithm already does most of the privacy work, and every extra hop adds timing metadata and another fee.
The diminishing-returns math
With a ring size of 16, one churn already puts the real link at roughly 1-in-16 odds for a naive observer. A second churn compounds that toward 1-in-256. A third pushes nominal uncertainty past 1-in-4000. Beyond two or three hops, the marginal anonymity gain is tiny, while the chance you introduce a recognizable pattern keeps rising. For the overwhelming majority of users, two churns is the sweet spot, and three is the practical ceiling.
The black-marble caveat
Those clean "16, 256, 4096" numbers assume your 15 decoys are all innocent strangers. The black-marble (or "flooding") attack — heavily discussed across 2024 and 2025 — describes an adversary who creates a large fraction of recent outputs themselves. They can statistically subtract their own known decoys, shrinking your effective ring. Churning more does not fix this; if anything, more hops give a well-resourced flooder more junctions to analyze. Quality of timing beats quantity of hops.
The 10-block lock
Newly received outputs are locked for 10 confirmations — about 20 minutes at Monero's 2-minute block target — before they can be spent again. This sets a hard floor on how fast you can churn, and it is also a reason not to chain churns back-to-back the instant each one unlocks: that "spend exactly 20 minutes later, every time" rhythm is itself a fingerprint.
Churning Strategy Comparison
Not every situation calls for the same approach. The table below maps common scenarios to a sensible number of churns and the dominant risk to watch.
| Scenario | Recommended churns | Main risk to manage |
|---|---|---|
| KYC exchange withdrawal you want to spend privately | 2 | EAE linkage; randomize timing before spending |
| Coins already acquired no-KYC (e.g. via MoneroSwapper) | 0–1 | Usually unnecessary; churn only if consolidating |
| Suspected dust / poisoned output received | 1–2 | Mix the dust with other funds, never spend it alone |
| Long-term cold storage with no spend planned | 0 | Idle outputs leak nothing; don't manufacture activity |
| Consolidating many small outputs before a large payment | 1 | Output-count fingerprinting; avoid 1-input-1-output txs |
Notice the pattern: churning is a tool for tainted or about-to-be-spent coins, not a ritual you perform on everything. Idle XMR sitting in your wallet reveals nothing on-chain, so generating extra transactions only burns fees and adds timing data points for no benefit.
How to Churn Monero Safely, Step by Step
The mechanics are simple; the discipline is in the timing and the network layer. Here is a clean procedure for the most common case — laundering the metadata trail of an exchange withdrawal before you actually spend.
- Route your wallet over Tor or I2P. Run your own node if you can, or point your wallet at a remote node through Tor. Dandelion++ already obscures which node first broadcast a transaction, but hiding your IP at the connection layer closes the most obvious gap.
- Send the full balance to your own address. Use a fresh subaddress in the same wallet. This first hop sweeps the exchange output into a new stealth address with a new ring.
- Wait a randomized interval. Let the output age well past the 10-block lock — anything from a few hours to a couple of days, chosen unevenly. The decoy selection algorithm uses a gamma distribution that favors recent outputs, so a little aging makes your output a more natural decoy candidate and your spend less conspicuous.
- Perform the second churn. Send to your own wallet again. Two hops is enough for almost everyone; stop here unless you have a specific threat model that justifies a third.
- Wait again, then make your real payment. Never churn and immediately spend in the same minute — the back-to-back timing reattaches the very link you spent two transactions breaking.
The single biggest churning mistake is predictable timing: an adversary who can't break your rings can still spot a metronome. Randomize the gaps, and never let "withdraw, churn, churn, pay" happen inside one tight window.
A Real-World Example: Cleaning an Exchange Withdrawal
Say you bought 5 XMR on a KYC exchange in March 2026 and want to pay a privacy-respecting VPS host without that host's payment being trivially tied back to your verified identity. The exchange's compliance team has a record: "user #48213 withdrew output X to address Y." Output X is your anchor, and it is the one thing on-chain that an investigator starts from.
You send all 5 XMR to a fresh subaddress in your own wallet over Tor. That output is now spent into a ring of 16; the exchange's record points at a transaction whose real destination is one of sixteen stealth addresses. The next evening, you churn again. Two days later — not two hours, not a round number — you pay the VPS host from the resulting output.
An analyst tracing forward from output X now faces a branching tree: 16 candidates at the first hop, 256 by the second, with timing gaps that don't form a tidy chain. Combine that with the fact that your real payment amount is hidden by RingCT, and the link from "verified exchange account" to "VPS payment" has gone from a straight line to a statistical guess. That is exactly the fungibility property churning is meant to reinforce. Had you instead acquired the coins through a no-KYC swap on MoneroSwapper, output X would never have carried your identity in the first place — which is why source matters more than any amount of after-the-fact churning.
What Churning Does Not Hide
Churning operates only at the on-chain ring level, so it is easy to overestimate. Knowing its blind spots keeps you from a false sense of security.
- Network metadata: if you broadcast from your home IP without Tor or I2P, an observer can tie the transaction's origin to you regardless of how many rings sit in front of it.
- The KYC anchor itself: churning obscures the path forward, but the exchange still recorded that it paid you. It raises the cost of tracing, it does not erase the starting record.
- Wallet-level correlation: if you reuse the same view key with a third-party service or expose your transaction history, churning on-chain does nothing to undo that voluntary disclosure.
- Spending behavior: paying a unique, identifying amount or always transacting at the same hour reintroduces patterns the rings can't cover.
FAQ
Does churning cost a lot in fees?
No. Monero fees are dynamic but tiny — typically a fraction of a US cent per transaction even at normal priority, thanks to Bulletproofs+ keeping transaction size and verification cost low. Two churns will cost you well under a cent in 2026 conditions, so fees are essentially never the limiting factor.
Will FCMP++ make churning obsolete?
Largely, yes, for anonymity-set purposes. Full-Chain Membership Proofs (FCMP++) replace the 16-member ring with a zero-knowledge proof against every eligible output on the chain — an anonymity set of tens of millions rather than fifteen decoys. Once it activates on mainnet, expected around 2026 alongside the Carrot/Jamtis addressing work, the black-marble attack and decoy-quality concerns mostly evaporate, and routine multi-hop churning for ring expansion stops being necessary. Self-spends to break timing or consolidate may still have niche value.
Can churning ever make my privacy worse?
It can. Excessive hops, perfectly regular timing, or churning then spending within the same short window all create patterns an analyst can latch onto. There is also the black-marble risk, where extra junctions give a chain-flooding adversary more to work with. More transactions are not automatically more private — disciplined, randomized, minimal churning beats compulsive churning.
Should I churn coins I bought without KYC?
Usually not. If there is no identity-linked anchor on your original output — for example, you acquired the XMR through a no-KYC swap — there is little for churning to obscure. Churn in that situation only when you have a concrete reason, such as consolidating many small outputs or diluting a suspicious received output.
How long should I wait between churns?
At minimum, past the 10-block lock (~20 minutes), but in practice you want hours to a few days, chosen irregularly. The goal is to avoid a uniform rhythm and to let outputs age into the range the gamma-based decoy selector favors. Round, repeated intervals are a fingerprint; uneven gaps are not.
Conclusion
Churning is a precision tool, not a cleansing ritual. Used on genuinely tainted coins — an exchange withdrawal, a suspicious dust output — two well-timed self-spends over Tor meaningfully break the heuristics that anchor your funds to a known identity. Used compulsively on everything, with metronomic timing, it wastes fees and hands analysts extra metadata. And with FCMP++ on the horizon, the whole technique is about to become a footnote rather than a daily chore.
The most reliable privacy gain still comes earlier in the pipeline: never let your coins carry an identity in the first place. Acquiring XMR through a no-KYC swap on MoneroSwapper removes the very anchor that churning exists to bury — and that is a much cheaper line of defense than any number of on-chain hops.
🌍 Read in