Ethereum Pivots To Privacy: Buterin Unleashes Kohaku At ECC2

At Ethereum Cypherpunk Congress 2 on November 16, 2025, Vitalik Buterin used his keynote “Kohaku: Wallet Privacy On Ethereum” to deliver a sharp verdict on the state of Ethereum privacy: the cryptography works, but the user experience is failing.

He began by reminding the audience that Ethereum has spent a decade investing in privacy and security infrastructure. He pointed to the elliptic-curve precompiles added in 2018—“EC-add, EC-mul, EC-pairing”—as the foundation for protocols such as Tornado Cash and Railgun, and cited the Privacy & Scaling Explorations team’s work on zkSNARK protocols, developer tooling and application-layer experiments.

On the security side, he called the 2016 DAO hack an event that “really catalyzed the ecosystem,” leading to stronger auditing, teams like SEAL, safer Solidity and Vyper, and multisig wallets that were “mostly a dream back in 2015” but are “very mainstream today.”

Vitalik Pushes Ethereum Toward True Wallet Privacy

Despite that progress, Buterin argued that everyday users still struggle to access meaningful privacy and safety. “On real-world privacy and security delivered to users, we’re still behind where we could be,” he said. “And that is the thing that could change, and that is the thing that this year can change.”

Technically, he insisted, the core privacy stack is mature. “The base layer technology, it’s all great. You can generate a proof within less than one second on a laptop, two seconds on a phone. It’s easy to develop. It’s very well understood. There’s a lot of well-tested circuits.” The breakdown happens at the wallet layer.

“Using a privacy protocol requires a separate seed phrase. There’s no multi-sig option. So, if you have your coins in a private pool, your coins have to be controlled by one single key,” he explained. Users generally must open a separate privacy wallet, and “it takes like five clicks to do a private send and withdraw.” Even the infrastructure for broadcasting transactions is fragile. “Last week, I had to fight against public broadcasters. It took about ten tries until eventually I figured out that it works after you turn on a VPN.”

“We’re in this very last mile stage,” he concluded. “It’s exactly at that last mile stage where we need to put a lot of really concerted effort into doing better.”

Buterin framed Kohaku within a broader defense of privacy that he developed in an April essay. On stage he summarized it in three lines: “Privacy is freedom… Privacy is order… And privacy is progress.” Privacy, he said, “gives us space to live our lives in the ways that meet our needs,” underpins basic social mechanisms that assume not everyone sees everything, and is essential for using data in fields like medicine and science without creating “a dystopian nightmare.” With modern cryptography, “it can be designed to be privacy first.” For users, “privacy is not an abstraction. It is a concrete benefit to users. We can show that we have now.”

Security, in his view, is similarly dominated by tail risk. Referencing a meme, he contrasted DeFi yields with catastrophic loss. Put assets into DeFi and “you get some APY.” Do nothing and “you get 0% APY.” But if you lose your private keys, your APY is “minus 100.” The same applies “if Lazarus discovers your private keys” or “if the wrong people discover how much money you have, who you donate to, and where you live.”

Buterin argued that Ethereum’s privacy conversation has focused too narrowly on “what can you ZK-proof on-chain.” He expanded the scope to UX (making it easy to keep wallet identities separate), privacy of reads (via better RPCs, “E3T, E+ORAM,” or “the really cryptographically pure approach, PIR”), network-level privacy through mixnets, and non-financial operations that also need protection.

On security, he called for “risk-based access control”: “You should have to press more buttons and get more authorization to move $100,000 than to move $10.” He emphasized account recovery, UI-level security, and “on-chain version control… of software dependencies and of UIs,” arguing “we should have a world where UIs live on-chain” so attackers cannot silently swap front-ends by hacking a server.

Summing up Ethereum in 2025, Buterin said it has “strong security and privacy research,” “strong security on the L1,” and privacy tooling that has “improved by miles” since “the very first version of Zcash” where “it took two minutes to sign a transaction.” What remains, he insisted, is to “level up the last mile,” especially “the application and wallet layer, the parts of this whole problem that are closest to the user.”

Kohaku was announced on October 9 by the Ethereum Foundation via X: “The Ethereum Foundation is proud to build Kohaku, a set of primitives that enables wallets to be secure and to process private transactions while minimizing dependencies on trusted third parties. Privacy is normal. Privacy is for everyone.”

At press time, ETH traded at $3,194.