Monero Stealth Addresses Explained: How They Work
If you paste your Monero wallet address into a block explorer, you will not see your incoming transactions. That is not a bug or a missing index — the explorer genuinely cannot link the address to the outputs that belong to you. Behind this counter-intuitive behavior sits one of the most elegant pieces of applied cryptography in any cryptocurrency: the stealth address. In 2026, with chain-surveillance firms like Chainalysis and TRM Labs publicly admitting they still cannot consistently trace Monero receivers, stealth addresses remain the silent workhorse that protects every XMR user, from a retail buyer using MoneroSwapper to a journalist receiving donations. This article unpacks exactly what stealth addresses are, how they are derived, why each transaction generates a unique one-time output, and what they do and do not protect against.
Why Receiver Privacy Is the Hardest Problem in Crypto
Bitcoin solved the problem of decentralized consensus, but it left receiver privacy almost entirely unsolved. When Alice sends Bob 0.1 BTC, the entire world sees Bob's address gaining 0.1 BTC. If Bob ever reuses that address, every past and future payment is linked. Heuristics like common-input-ownership and address clustering have made Bitcoin one of the most surveillable financial systems ever built — a 2025 paper from the IMDEA Networks Institute showed that more than 71% of mainstream Bitcoin wallets can be deanonymized through public on-chain data alone, without any KYC leak.
Monero takes the opposite stance: every output must be unlinkable to the public address that received it. Three pillars enforce this:
- Stealth addresses hide the receiver — no observer can tell which output belongs to which public address.
- Ring signatures and CLSAG hide the sender — the true spender is buried among 15 decoys.
- RingCT and Bulletproofs+ hide the amount — only sender and receiver know how much moved.
Stealth addresses are the receiver-side leg of this tripod. Without them, ring signatures alone would still leak the destination, and the privacy guarantee would collapse. They are also the reason your Monero public address can be safely posted on a website, printed on a business card, or shared with thousands of donors: no matter how many payments land on it, each one creates a fresh, mathematically unrelated output on the blockchain.
The Math: How a Stealth Address Is Generated
A Monero public address is not a hash like in Bitcoin. It is the concatenation of two elliptic-curve public keys on the Ed25519 curve: a public spend key (capital B) and a public view key (capital A). The corresponding private keys are little-b and little-a. When someone wants to send you XMR, their wallet does not put your address into the transaction — that would defeat the whole point. Instead it performs the following computation.
Step 1: The sender generates a random transaction key
The sending wallet picks a fresh random scalar r for every transaction. From it, it derives the transaction public key R = r·G, where G is the Ed25519 base point. R is published in plaintext in the transaction's extra field, but on its own it reveals nothing about the recipient.
Step 2: The sender computes a shared secret
Using your public view key A from your wallet address, the sender calculates the shared secret r·A. This is a classic Diffie-Hellman exchange on the curve. Because of the symmetry of the operation, you — and only you — can recompute the same value as a·R using your private view key. Nobody else on the network can, because nobody else holds a.
Step 3: The sender derives a one-time output key
The one-time public key P that actually appears on the blockchain is computed as:
P = Hs(r·A || i)·G + B
Here Hs is a keccak-based scalar hash, i is the output index inside the transaction (so multi-output transactions still produce unique keys), and B is your public spend key. The output P is what gets recorded on-chain as the destination. It looks like a perfectly ordinary 32-byte key, indistinguishable from any other output in any other transaction. Crucially, P is a fresh, never-before-seen point on the curve — even if the same sender pays the same recipient a thousand times, every single output will be different.
Step 4: The receiver scans and detects ownership
Your wallet downloads every block and, for each output, computes Hs(a·R || i)·G + B and checks whether the result equals the on-chain P. If yes, the output belongs to you. This is why Monero wallet sync can feel slow on mobile devices: the wallet has to test every recent output against your view key. It is also why the view key alone is sufficient to detect incoming transactions without granting any spending power — it can compute the shared secret but cannot derive the one-time private key needed to spend.
To actually spend the output, you combine your private spend key b with the same hash to produce the one-time private key x = Hs(a·R || i) + b, which corresponds to P. Without b, no amount of view-key data lets anyone move the funds. This clean separation is what allows auditors, accountants, or tax software to be granted read-only access to a Monero wallet without any spending risk.
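The four steps above, as an added Python example (not Monero's code and not wire-compatible with it). It follows the formula P = Hs(r·A || i)·G + B exactly as written on this page; as assumptions, SHA3-256 stands in for Monero's Keccak-based hash, i is encoded as a single byte, the wallet keys are constructed at random, and all function names are hypothetical.

```python
import hashlib, secrets

# Ed25519: -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p); base point G has prime order l.
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, p) % p)

def add(P, Q):
    """Complete affine point addition (also valid for doubling)."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = (0, 1)                      # neutral element
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def Hs(S, i):
    """Hash-to-scalar over (compressed point || i). Stand-in hash, an assumption."""
    data = (S[1] | ((S[0] & 1) << 255)).to_bytes(32, "little") + bytes([i])
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % l

def keygen():
    """Constructed wallet: private keys (a, b) and public address keys (A, B)."""
    a, b = (1 + secrets.randbelow(l - 1) for _ in range(2))
    return a, b, mul(a, G), mul(b, G)

def send(A, B, i):
    """Steps 1-3, sender side: fresh r, returns tx public key R and one-time key P."""
    r = 1 + secrets.randbelow(l - 1)
    return mul(r, G), add(mul(Hs(mul(r, A), i), G), B)

def owns(a, B, R, i, P):
    """Step 4, receiver scan: uses only the private view key a and public B."""
    return add(mul(Hs(mul(a, R), i), G), B) == P

def one_time_private_key(a, b, R, i):
    """x = Hs(a*R || i) + b; cannot be computed without the private spend key b."""
    return (Hs(mul(a, R), i) + b) % l

if __name__ == "__main__":
    a, b, A, B = keygen()
    R, P = send(A, B, 0)
    print("detected by view key:", owns(a, B, R, 0, P))
    print("x*G == P:", mul(one_time_private_key(a, b, R, 0), G) == P)
```

Because `owns` takes only `a` and `B`, it models a watch-only wallet: it can detect the output but has no way to produce `x`.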
Stealth Addresses vs Subaddresses vs Integrated Addresses
Monero actually ships three related receiver-side constructs. They are often confused, even by experienced users, so it helps to put them side by side.
| Construct | What it is | When to use | Privacy trade-off |
|---|---|---|---|
| Stealth address (one-time output) | Auto-generated per transaction; cannot be reused | Every transaction — invisible to the user | None — this is the baseline |
| Subaddress | Deterministic child of your main address; lets one wallet hold many independent receiving labels | Per-customer invoicing, donation tracking, exchange deposits | Each subaddress is unlinkable to others and to the main address by external observers |
| Integrated address | Main address plus an encrypted 64-bit payment ID | Legacy — most services replaced these with subaddresses in 2018–2019 | Payment ID is encrypted on-chain but still adds metadata; deprecated for new integrations |
| View key | Private key that can scan but not spend | Audits, tax reporting, watch-only wallets | Hands the holder full receive visibility — share carefully |
The important point: stealth address generation happens at the protocol level, automatically, for every output, regardless of whether the destination was a main address, a subaddress, or an integrated address. You never type a stealth address by hand because you never see one — the wallet derives it from whatever address the sender pasted in.
Step-by-Step: A Real Payment From Sender to Receiver
Suppose you are buying privacy-respecting hosting from a vendor that accepts XMR. Here is exactly what happens between the moment you hit "send" and the moment the merchant sees the balance.
- You paste the merchant's main address or subaddress (the long string starting with 4 or 8) into your wallet's send dialog and enter the amount.
- Your wallet generates a random transaction private key r and computes R = r·G. R is the transaction public key that will accompany the transaction.
- For each recipient output, the wallet derives the one-time stealth address P = Hs(r·A || i)·G + B using the recipient's view and spend public keys. A change output back to yourself is generated the same way using your own keys.
- The wallet selects 15 decoy outputs of the same denomination class from previous blocks and constructs a CLSAG ring signature so that any one of the 16 candidates could be the true spender.
- Amounts are encrypted with the Diffie-Hellman shared secret, and Bulletproofs+ range proofs prove that all amounts are positive without revealing them.
- The transaction is broadcast through Dandelion++ to obscure its origin IP from network observers.
- Once mined, the merchant's wallet scans the block, computes the shared secret a·R for every transaction's R value, tests whether any of the derived P values match outputs in that transaction, and credits the balance silently.
The whole cycle takes roughly 20 seconds of computation plus the 2-minute average block time. From the outside, the transaction looks identical to every other Monero transaction on the chain: same size class, same ring size, same proof structure. There is no way for a third party — exchange, ISP, blockchain analyst — to look at the chain and determine that the merchant received funds, let alone how much.
The merchant can publish the same Monero address on every page of their website for ten years and never compromise their privacy — every payment lands on a fresh, unlinkable one-time output that the blockchain does not associate with the public address.
What Stealth Addresses Do Not Protect
Cryptographic privacy is necessary but not sufficient. Stealth addresses protect on-chain linkability, but they cannot protect against mistakes or out-of-band leaks. Knowing the limits is part of using the tool correctly.
- KYC at the on-ramp: If you buy XMR from a centralized exchange that performed identity verification, the exchange knows your withdrawal transaction's R value. They cannot see where you sent the coins next, but they have a strong starting point. Using a no-KYC swap service like MoneroSwapper avoids planting that root in the first place.
- Address reuse off-chain: Stealth addresses prevent on-chain linkage, but if you publish the same main address on Twitter, your GitHub, and a forum post, anyone can correlate your real-world identities even if they cannot correlate your transactions.
- View-key leaks: If you share a view key for auditing and that auditor's machine is later compromised, every past and future incoming transaction to that wallet becomes visible to the attacker. Use a dedicated wallet for any view-key audit.
- Timing and amount inference: A surveillance entity that controls both an exchange and a merchant cannot link the on-chain output, but they can correlate the timing and approximate amount of a withdrawal with a subsequent payment. This is why Monero recommends waiting at least 10 confirmations (about 20 minutes) before treating funds as final, and why payment amounts should not be unique fingerprints (avoid sending 0.12345678 XMR if the merchant invoice was 0.12345678 EUR).
- IP-level metadata: Stealth addresses live at the cryptographic layer. Network-level privacy is provided by Dandelion++ and is strongly improved by running your own node over Tor or I2P. A wallet that defaults to a remote node operated by a third party leaks your IP-to-wallet linkage to that node operator.
Practical Example: Receiving Donations Anonymously
Consider an independent journalist publishing on a leak-disclosure blog in late 2025. She wants to accept reader donations without doxxing her donors or herself. Her workflow:
She publishes a single Monero main address in her website footer, in her PGP-signed bio, and at the bottom of each article. Over six months she receives 412 donations ranging from 0.001 to 4.3 XMR. On the blockchain, none of these payments is linkable to her published address. None is linkable to each other. Block explorers like xmrchain.net show 412 transactions to 412 distinct one-time outputs scattered across thousands of blocks, with no clustering possible.
When she wants to convert a portion to fiat for living expenses, she does not send the coins to a KYC exchange — that would create a paper trail linking her wallet activity to her identity. Instead she uses a no-KYC swap to convert XMR to a privacy-respecting stablecoin or to BTC that she then spends through a non-custodial channel. From start to finish, no centralized intermediary holds a record of the relationship between her published address and her real-world identity. This is the threat model stealth addresses were designed for, and it is the threat model that MoneroSwapper's no-account-required swap flow is designed to extend, by ensuring that the entry and exit points to Monero do not themselves become deanonymization vectors.
The Future: FCMP++ and What Changes for Stealth Addresses
Stealth address derivation has been part of Monero since CryptoNote's original 2014 paper and has not fundamentally changed in over a decade. What is changing in 2026 and beyond is the sender-side privacy layer. Full-Chain Membership Proofs (FCMP++), expected to activate in a hard fork during 2026, will replace the current 16-member ring signature with a zero-knowledge proof that the spent output is one of every eligible output ever created on the chain — effectively an anonymity set of tens of millions rather than 16.
For stealth addresses, the math stays the same. A one-time output is still derived as P = Hs(r·A || i)·G + B. The receiver still scans by computing a·R. What changes is that when the receiver later spends that output, the proof that they own it no longer needs to point to 15 specific decoys. Combined with Seraphis and the Jamtis address format on the longer roadmap, stealth addresses will become even more flexible: Jamtis introduces address tags that let lightweight wallets scan more efficiently without weakening the unlinkability guarantee. The pattern of mathematical research turning into deployed privacy is one of the reasons Monero remains the reference implementation for receiver privacy in 2026.
FAQ
Can someone see how much XMR my address has received?
No. Unlike Bitcoin, where any address's balance is publicly visible, a Monero main address has no on-chain balance at all. Balances are computed by the owner's wallet scanning for outputs that match the stealth address derivation. A third party with only your public address cannot determine how many transactions you have received, how much, or when.
Is it safe to reuse the same Monero address?
Yes, technically. Every payment to the same address still produces a unique on-chain stealth address, so transactions are not linkable. That said, for accounting and operational privacy, it is good practice to generate a subaddress per counterparty so that, if you ever share a view key or one counterparty is compromised, the exposure is limited to that subaddress.
What is the difference between a view key and a stealth address?
A view key is a private key that belongs to your wallet and lets the holder detect incoming payments by recomputing stealth address derivations. A stealth address is the on-chain one-time output that the view key helps you find. The view key reads them; it does not generate them.
Do stealth addresses make Monero quantum-resistant?
No. Stealth addresses rely on the discrete-log assumption on the Ed25519 curve, which a sufficiently large quantum computer could break with Shor's algorithm. Monero's research lab has multiple post-quantum proposals on the long-term roadmap, including lattice-based replacements for the current scheme, but none are deployed in 2026. For threat models that include credible quantum adversaries, stealth addresses do not help.
If I send myself XMR, does my own wallet generate a stealth address?
Yes. Every output — even change going back to the sender — is a stealth address derived from your own view and spend keys. This is why your change outputs are also unlinkable to your main address, and why a fresh wallet that has only ever made one self-send still looks like two independent recipients on the blockchain.
Can a court or subpoena force a stealth address to reveal its owner?
No party in possession of only on-chain data can map a stealth address back to a public address without the view key. A subpoena could compel the owner of a wallet (if known) to disclose their view key, but it cannot compel the network or any third party to perform the reverse derivation, because mathematically no such derivation exists.
Conclusion
Stealth addresses are the quiet half of Monero's privacy. Ring signatures and RingCT get most of the press because they protect the sender and the amount, but without per-transaction one-time output keys, those defenses would be hollow — the destination would still leak, and chain analysis would still cluster receivers. What CryptoNote got right in 2014, and what Monero has carried forward through ten years of upgrades, is the recognition that receiver privacy is structural, not optional: it has to be baked into every single transaction, automatically, without requiring users to opt in. That structural choice is why posting an XMR donation address is safe in a way that posting a BTC donation address simply is not.
If you are coming from Bitcoin and want to put this property to work, the cleanest first step is to acquire some XMR without creating an identity-linked entry point. MoneroSwapper lets you swap BTC, ETH, LTC, USDT, and a dozen other assets to Monero without an account, without KYC, and without storing logs that would later defeat the very privacy guarantees described above. Once your coins land in your own wallet, stealth addresses do the rest of the work automatically — every payment you ever receive will be unlinkable to every other, and the only person who can prove ownership of any of them is you.