Financial anonymity narrowed sharply between 2024 and 2026. The EU’s Anti-Money Laundering Regulation (AMLR) sets a hard 2027 deadline ending privacy-coin support and anonymous crypto accounts at regulated service providers. The U.S. IRS Form 1099-DA reporting regime came into force for the 2025 tax year, pulling broker-side crypto activity into the same surveillance frame as brokerage accounts. Monero alone weathered roughly 73 exchange delistings in 2025 and still cleared an $8 billion market cap by early 2026 — a survival story that says more about determined users than about regulator tolerance.
Three paths still exist for a person who wants to pay without leaving a name attached: Monero, cash through the mail, and the dwindling category of prepaid cards sold without identity verification. Each works under sharply different threat models, fails in different ways, and has a different shelf life. This piece walks through what each one actually buys you in 2026, where the seams are, and what someone serious about payment privacy should expect over the next eighteen months.
Why Anonymous Payment Got Harder
Two regulatory shifts collapsed most of the easy options. In Europe, the Markets in Crypto-Assets Regulation (MiCA) — the EU’s unified crypto rulebook — combined with AMLR to require crypto-asset service providers to identify counterparties on every transfer above €1,000 and to phase out support for any asset that resists the Travel Rule. MiCA does not explicitly ban privacy coins, but its requirements for asset traceability and identity verification in transactions over €1,000 effectively marginalize them. Coupled with AMLR, MiCA prohibits CASPs from handling privacy coins by mid-2027. Kraken pulled Monero from the European Economic Area in late 2024. Binance dropped XMR globally in February 2024 on similar compliance grounds.
In the United States, the IRS Form 1099-DA rolled out for the 2025 tax year, requiring brokers to report crypto proceeds the way equity brokers report stock sales. The Office of Foreign Assets Control (OFAC) sanctions on tools like Tornado Cash in 2022 — and follow-on enforcement against mixer operators — pushed risk-averse exchanges to delist anything that complicates compliance, even where federal law permits the asset. Crypto exchange OKX announced a delisting of XMR and other privacy-focused tokens including dash and ZCash at the end of 2023, and the trend continued steadily.
The pattern is consistent: regulators are not banning private payment for individuals. They are removing the on-ramps and off-ramps used by regulated intermediaries. The result is the same in practice — the average person has fewer ways to pay anonymously than they did three years ago — but the legal framing matters when assessing what is still viable.
Monero: The Strongest On-Chain Privacy, the Weakest Liquidity
Monero (XMR) remains the only major cryptocurrency with privacy enabled by default at the protocol layer. Three primitives do the work: stealth addresses (which generate a new one-time destination for every payment so balances cannot be aggregated by address), Ring Confidential Transactions (RingCT) (which hide the amount sent), and ring signatures (which mix the real spender among decoys so the source input is ambiguous). The forthcoming FCMP++ (Full-Chain Membership Proofs) upgrade is intended to replace the current ring-signature approach with a membership proof spanning the entire chain, eliminating the residual statistical attacks that researchers have used to narrow down likely true spenders in small ring sets.
The U.S. Commodity Futures Trading Commission (CFTC) would likely classify XMR as a commodity, and indeed, regulators have not treated Monero transactions (aside from illicit uses) as securities offerings. No enforcement actions against Monero for securities law violations are known. Holding and transacting XMR remains legal in the U.S., the U.K., and most of the EU. The constraint is access. XMR crypto survived 73 exchange delistings in 2025 and was still trading at $447 with an $8.2 billion market cap in early 2026, but that survival happened on decentralized rails, not at Coinbase.
The practical workflow for a 2026 user looks like this:
- Acquire XMR through an atomic swap (BTC→XMR via BasicSwap, Haveno, or similar non-custodial venues), a no-KYC instant swapper, or peer-to-peer.
- Hold in a self-custodial wallet — the official Monero GUI, Cake Wallet, or Feather Wallet for desktop.
- Spend directly to merchants who accept XMR, or convert back to fiat through a non-KYC swap when needed.
The privacy is real on-chain. There is no public evidence that Monero’s core privacy mechanisms have been compromised, despite years of contracts and bounties from chain-analytics firms and the IRS. But on-chain privacy is not the whole privacy story. If you withdraw from a KYC exchange directly to your XMR wallet, you’ve created an identifiable entry point. If you cash out the same way, you’ve created an identifiable exit point. The chain itself is opaque; the edges are not.
What XMR Costs in Convenience
Acquisition is the bottleneck. Major centralized exchanges in the U.S. either don’t list Monero (Coinbase has refused on policy grounds) or have delisted it. Kraken still serves U.S. customers but pulled XMR from the EEA. That leaves atomic swaps and instant-swap services. Atomic swaps now allow users to exchange BTC or ETH for XMR directly from their wallets, without intermediaries or custody risk, but liquidity is thinner and spreads wider than centralized order books.
Off-ramping back to fiat is the harder direction. Selling XMR for dollars typically means routing through BTC or USDT first, which means picking up the chain-analysis surface those assets carry. Fiat off-ramps become scarce, complicating cash-outs. Users who care about end-to-end privacy increasingly spend Monero directly — through gift-card brokers like Bitrefill or merchant integrations — rather than converting back.
Volatility is the other tax. XMR ran above $700 in mid-January 2026 before correcting hard, then settled near $315–$352 through Q1. If you’re holding privacy-coin balances as a savings vehicle rather than passing through them, you’re absorbing currency risk that fiat-denominated alternatives don’t impose.
Cash by Mail: Legal, but Less Anonymous Than People Think
Mailing currency is legal in the United States. Sending cash via the United States Postal Service may not be advisable, but no law prohibits that activity. The cash itself carries no identifier — Federal Reserve notes are bearer instruments and tracking serial numbers across consumer transactions is impractical at scale. As a payment medium between two parties who trust each other and don’t need a paper trail, currency in an envelope is unmatched.
The envelope, however, is heavily instrumented. The USPS operates two relevant programs:
Mail Isolation Control and Tracking (MICT) photographs the exterior of every piece of mail processed in the United States. It was created in the aftermath of the 2001 anthrax attacks that killed five people, including two postal workers. The Postmaster General has stated that the system is primarily used for mail sorting, though it also enables the USPS to retroactively track mail correspondence at the request of law enforcement. Retention varies — the USPS has stated images are kept for roughly a week to 30 days, though investigators have used archived images well beyond that window in specific cases.
Mail covers are a separate, targeted program. The Postal Service grants mail cover surveillance requests for about 30 days and may extend them for up to 120 days. Mail covers can be requested to investigate criminal activity or to protect national security. The 2014 USPS audit revealed roughly 50,000 approved requests in a single year, and the program has continued to expand. Mail covers do not require a warrant — only an internal Postal Inspection Service approval — because the exterior of mail has long been treated as non-private metadata under existing case law.
Then there is iCOP (Internet Covert Operations Program), the USPIS unit that monitors online activity tied to mail-facilitated commerce. iCOP has used a suite of surveillance tools, including facial recognition and social media monitoring services, to monitor individuals and produce intelligence products distributed across the federal government. Its mandate explicitly covers black-market and illicit-trade investigations that touch the postal system.
The practical implication: cash in an envelope is anonymous. The envelope is photographed, the addresses are recorded, and the metadata can be pulled retroactively. If both ends of a correspondence are addresses an investigator can already associate with a person of interest, the cash inside doesn’t restore privacy — it just makes the value invisible while the relationship stays visible.
There’s also the recovery problem. Cash sent through regular mail is insured for only $15, with Registered Mail raising the cap to $50,000 but requiring identification at the counter and creating a stronger paper trail than standard First-Class. The choice is asymmetric: cheap and untraceable but unrecoverable if it goes missing, or recoverable but identified.
Cash-by-mail makes sense for irregular, low-stakes payments between people who already know each other and prefer no electronic record — paying back a friend, anonymous donations, settling small debts. It is poor infrastructure for ongoing commercial activity, and treating it as such draws attention.
Prepaid Cards: A Narrowing Window
The prepaid-card category sits in the middle of three regulatory regimes: AML rules, payment-network rules, and state-level retail laws. Each layer has tightened.
In the U.S., FinCEN classifies reloadable prepaid cards as prepaid accounts subject to KYC. Under FinCEN rules, reloadable prepaid cards are classified as prepaid accounts. That means KYC requirements apply. Non-reloadable, fixed-balance Visa or Mastercard gift cards still fall below regulatory thresholds in many states and can be purchased with cash without ID — but with low load limits, no ATM access, and typically blocked from online use until the card is registered with a name and address.
In the EU, the Fifth Anti-Money Laundering Directive (AMLD5) capped anonymous prepaid card balances at €150 monthly, with stricter limits for online or remote use. In Poland, for instance, our legal framework permits the issuance of anonymous cards under strict conditions: The total value of monthly transactions cannot exceed €150. The maximum value stored on the card is capped at €150. AMLR will tighten this further by 2027.
The card networks themselves enforce identity rules independent of jurisdiction. Visa and Mastercard do not allow anonymous card issuance in regulated markets. Issuers who want their products to clear the network must implement KYC — even if local law would technically permit lighter checks. This is why offshore “no-KYC crypto cards” routinely appear, get traction, then disappear: they survive only as long as a sponsor bank tolerates the network risk, which is rarely long.
What still works for low-value, in-person anonymous spending in the United States in 2026:
- A fixed-balance Visa or Mastercard gift card, bought with cash at retail, kept under the $500 threshold per purchase, used in physical stores without registration.
- Closed-loop merchant gift cards (Amazon, Starbucks, etc.) bought with cash, used only at the issuing merchant.
What does not work the way users often assume:
- Online use without registering a name and address. Most issuers block AVS-required transactions until the card is registered.
- Stacking multiple low-value cards to reach a higher purchase amount. The system is built to detect evasion patterns. Not just large transactions. Structuring is itself a flagged behavior.
- ATM withdrawal. General-purpose reloadable cards require identity verification before cash access is enabled.
The category is best understood as pseudonymous, not anonymous. The card itself doesn’t have your name on it, but every swipe creates a transaction record tied to a card number that an investigator can associate with a person if any registered touchpoint exists. If a card becomes part of an investigation, tracing is procedural: The card number is identified.
The “No-KYC Crypto Card” Problem
A parallel category — crypto-funded prepaid cards advertised as no-KYC — proliferated through 2024–2025 and has thinned out significantly by 2026. Most so-called no-KYC crypto cards are not fully anonymous, and most do not stay no-KYC for long. A provider may offer a lighter entry while signing up, then ask for ID when you want higher limits, mobile wallet support, refunds, or help releasing a stuck balance.
The pattern is consistent: a virtual card with low limits issues without verification, but every meaningful upgrade (higher caps, physical card, mobile-wallet provisioning, dispute resolution) triggers full KYC. Users who load significant balances expecting anonymity often discover the verification requirement only when trying to retrieve frozen funds. Treat any product in this category as a short-term tool for narrowly scoped transactions, not a banking replacement.
Choosing Among the Three
These methods aren’t interchangeable. They serve different threat models and pair badly when forced into the wrong job.
Monero is the right tool when the privacy goal is concealing the existence, amount, and counterparty of a digital payment between two parties who can both transact in XMR. It is the wrong tool for casual fiat-denominated commerce where the recipient doesn’t accept it and the user has no efficient off-ramp.
Cash by mail is the right tool when both parties are physical people, the amount is small enough to risk losing, and the relationship doesn’t need to be hidden — only the amount and the timing. It fails when the metadata of who-mails-whom is itself the sensitive information.
Prepaid cards are the right tool when the goal is preventing a specific merchant from learning your real identity or banking information for a one-off purchase. They fail as a general-purpose privacy substitute because the network logs every transaction and the issuer’s compliance flow is a single subpoena away from de-anonymization.
A practical observation: most people who say they want anonymous payment actually want unlinkable payment — they want this transaction not to be tied to that one, or to their identity, in a database that follows them. That’s a different and more achievable goal. Compartmentalization (a different card per merchant, a different XMR wallet per use case, a different mailing address per relationship) handles unlinkability better than chasing pure anonymity, which is increasingly only available at significant cost in convenience and legal complexity.
Frequently Asked Questions
Is Monero illegal in the United States in 2026? No. Monero is legal to own, buy, sell, and use. There is no federal ban. Tax obligations apply normally. The constraint is that most major U.S. exchanges have voluntarily delisted it.
Can the IRS or law enforcement break Monero’s privacy? There is no public evidence that they can break the cryptography. They can, however, link a Monero wallet to a person if that person used a KYC service to acquire or dispose of XMR, or if they leaked metadata through their own behavior (reusing addresses across pseudonymous services, synchronizing without Tor, etc.).
Is mailing cash actually traceable? The cash itself isn’t. The envelope is photographed under MICT, and the sender and recipient addresses are queryable through mail covers. If anonymity of the sender-recipient relationship matters, plain mail does not provide it.
What’s the highest-value prepaid card I can buy without ID in the U.S.? This varies by state and retailer. Fixed-balance Visa and Mastercard gift cards up to $500 are commonly available without ID, but registration is typically required for online use, and structuring multiple cards to evade thresholds is itself flagged.
Are there any payment methods that combine the anonymity of cash with the convenience of digital? Not really, in 2026. Every approach involves a tradeoff: protocol-level anonymity (Monero) costs liquidity; physical anonymity (cash) costs convenience and recovery; pseudonymous instruments (prepaid cards) cost online utility. The combinations that briefly approximated all three — anonymous reloadable cards, mixers — have been the primary targets of recent enforcement.
Where This Goes Next
The 2026–2027 transition is the inflection point. AMLR’s full effect, the FATF Travel Rule’s continued global rollout, and CBDC pilots in major economies all push in the same direction: more identity, less anonymity, fewer regulatory exemptions. Privacy coins have been the best-performing crypto sector since the last quarter of 2025, which suggests demand is rising even as supply of compliant on-ramps shrinks. That gap gets filled by decentralized exchanges, atomic swaps, and peer-to-peer liquidity — all functional, all friction-heavy compared with what existed in 2022.
For most readers, the realistic plan in 2026 is not “achieve anonymity” but “decide which signals you actually need to hide and pick the smallest, simplest tool that hides them.” A privacy practice built on three or four narrow, well-understood tools beats one built on the assumption that any single method gives you full coverage. None of them does.
