Extended public keys (xpubs) are one of Bitcoin’s most useful features—and one of its most misunderstood.
Can someone steal your Bitcoin with just an xpub? No.
Can they see your entire financial history? Yes.
This distinction matters. Whether you’re considering sharing your xpub for proof of reserves, connecting to a portfolio tracker, or setting up a watch-only wallet, understanding the trade-offs is essential.
What is an Extended Public Key (xpub)?
An extended public key is part of the BIP32 hierarchical deterministic (HD) wallet standard, introduced in 2012. It allows a single “master” key to derive an unlimited number of child public keys and addresses.
Think of your xpub as a “read-only master key” to your wallet. It can:
- Generate all your receiving addresses
- Track all incoming and outgoing transactions
- Calculate your total balance across all addresses
What it cannot do is sign transactions. Only your private key (or seed phrase) can do that.
The xpub format looks like this:
xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhe...
Different address types use different prefixes: xpub for legacy, ypub for SegWit-compatible, and zpub for native SegWit.
The Short Answer: Your Funds Are Safe, Your Privacy Is Not
Let’s be clear about the security model:
Your funds are safe. An xpub cannot derive private keys. Even with your xpub, an attacker cannot move your Bitcoin. The mathematics of elliptic curve cryptography make this computationally impossible.
Your privacy is compromised. Anyone with your xpub can derive every address your wallet has ever used or will ever use. They can see:
- Every transaction you’ve ever made
- Your current balance
- All future transactions
- Who you’ve transacted with (if those addresses are identified)
This isn’t a theoretical concern. If you share your xpub with a service that gets hacked, or with a company that sells data, or even with a friend who gets curious—they have permanent visibility into your financial life.
The Privacy Risks of Sharing Your xpub
Understanding the specific privacy implications helps you make informed decisions:
Complete Transaction History Exposure
Unlike sharing a single address (which only reveals that one address’s activity), an xpub reveals your entire wallet. Past transactions from five years ago, transactions you make next week—all visible.
Total Balance Visibility
Your net worth in Bitcoin becomes known. Combined with your real-world identity, this creates significant risks:
- Social engineering attacks — Scammers know exactly how much you hold
- Physical threats — Wealthy targets attract attention
- Legal exposure — In some jurisdictions, visible holdings may attract unwanted scrutiny
Address Clustering
Chain analysis companies already work to cluster addresses to single entities. An xpub hands them the answer on a silver platter. All your addresses are instantly and permanently linked.
Counterparty Exposure
If you pay someone from an xpub-derived address, and someone else knows both your xpub and that person’s identity, they can deduce your relationship and transaction details.
The Critical Security Edge Case: xpub + Child Private Key
There’s one scenario where fund security actually is at risk, and it’s worth understanding even though it’s unlikely to affect most users.
The BIP32 specification has a known property: if an attacker has your xpub AND a single child private key, they can derive your master private key and steal all funds.
Here’s why this exists: In non-hardened derivation, child keys are derived by combining the parent public key with a chain code. If you know both the parent public key (from the xpub) and a child private key, you can reverse-engineer the parent private key.
Why this usually doesn’t matter:
BIP44 (the standard derivation path) uses hardened derivation at the first three levels: m/44'/0'/0'. The apostrophe (‘) indicates hardened derivation, which cannot be reversed even with a child private key.
The vulnerability only applies if: 1. Someone has your xpub 2. AND they obtain a child private key from a non-hardened path
In practice, this means: keep your private keys secure, and this isn’t a concern.
Legitimate Use Cases for Sharing xpubs
Despite the privacy trade-offs, there are valid reasons to share your xpub:
Watch-Only Wallets
Monitor your cold storage balance from a hot device without exposing private keys. This is one of the most common and valuable uses of xpubs.
Proof of Reserves
Companies demonstrating Bitcoin holdings—like those on Bitcoin Companies—use xpubs to prove their reserves are real and on-chain. Transparency requires some privacy sacrifice.
Payment Processors
Services like BTCPay Server use xpubs to generate fresh addresses for each customer payment. This improves privacy for the merchant while enabling non-custodial payment processing.
Accounting and Tax Software
Tools like CoinTracker or Koinly need xpubs to automatically track your complete transaction history for tax reporting.
Multisig Coordination
When setting up a 2-of-3 multisig wallet, each participant shares their xpub so all parties can generate the same receiving addresses.
Advanced: Blind xpubs for Enhanced Privacy
For sophisticated users who need to share xpubs while preserving privacy, Michael Flaxman proposed the “blind xpub” technique.
The problem: In a multisig setup where you’re one of three key holders (like using Unchained or Casa), each party needs your xpub. But you might not want your collaborative custody provider to know your total Bitcoin holdings.
The solution: Instead of sharing your root xpub, derive a child xpub at a random BIP32 path and share that instead.
For example, instead of sharing m/48'/0'/0'/2' (a standard multisig path), you might share m/48'/0'/0'/2'/random'/random'. The recipient can still derive all the addresses needed for your shared multisig, but they can’t see any other addresses from your wallet.
This technique is particularly valuable in the “Uncle Jim” scenario—where one person holds hardware wallets for multiple family members or clients. Each person can have a derived xpub that reveals only their portion of holdings.
Best Practices for xpub Security
Given the trade-offs, here’s how to handle xpubs responsibly:
For Individuals
Treat your xpub as sensitive information. It’s not as critical as your seed phrase, but it’s not something to share casually.
Never post your xpub publicly. This includes forums, social media, or support tickets (even with “trusted” companies).
Use separate wallets for different privacy levels. A wallet connected to KYC exchanges might be acceptable to share with a tax tool. Your private savings wallet should stay private.
Verify privacy policies before sharing with any service. Understand who has access to your data and under what circumstances they might share it.
Consider using single addresses for one-time uses instead of full xpubs when possible.
For Companies
Proof of reserves is valuable. Publicly verifiable Bitcoin holdings build trust with customers and stakeholders.
Document what’s shared. Maintain clear records of which xpubs are public and for what purpose.
Use dedicated treasury addresses. Separate corporate holdings from operational wallets.
Consider attestation services. Combine xpub transparency with third-party auditing for maximum credibility.
FAQ
Can someone steal my Bitcoin with my xpub?
No. An xpub can only derive public keys and addresses—never private keys. Your funds remain secure even if your xpub is leaked.
Can someone see all my transactions with my xpub?
Yes. Anyone with your xpub can derive every address your wallet uses and track all associated transactions—past, present, and future.
Is an xpub the same as a public address?
No. A public address is a single receiving location. An xpub can generate unlimited addresses. Sharing an address reveals only that address’s activity; sharing an xpub reveals your entire wallet.
Should I share my xpub for proof of reserves?
If you’re a company seeking transparency, yes. This is one of the most legitimate uses of xpub sharing. The privacy trade-off is acceptable when the goal is public accountability.
What’s the difference between xpub, ypub, and zpub?
They all serve the same function but for different address types. xpub generates legacy addresses starting with “1”. ypub generates SegWit-compatible (wrapped SegWit) addresses starting with “3”. zpub generates native SegWit/bech32 addresses starting with “bc1”.
Modern wallets typically use zpub for lower transaction fees.
How do I check if my xpub has been leaked?
You can’t easily know if someone has your xpub unless they reveal themselves. However, if you notice unexpected chain analysis accuracy about your holdings, assume your xpub may be compromised.
Should I use a different wallet if my xpub is leaked?
For privacy reasons, yes. If your xpub becomes public and you want to restore privacy, you’ll need to generate a new wallet and transfer funds—incurring transaction fees and potentially revealing the link between old and new wallets.
Further Reading
For those wanting to dive deeper into xpub security and Bitcoin privacy:
Technical Resources - Learn Me a Bitcoin: Extended Keys — Comprehensive technical explanation of how extended keys work - Unchained: The Ticket to Understanding Extended Public Keys — Practical guide from a collaborative custody provider - Michael Flaxman’s Blind xpub Proposal — GitHub repository for the blind xpub privacy technique - BitBox: What is an Extended Public Key? — Hardware wallet manufacturer’s explanation
Security Guides - Jameson Lopp’s Bitcoin Security Guide — Comprehensive security resources from Casa’s CTO - Stephan Livera Podcast: 10x Your Bitcoin Security With Multisig — Deep dive into multisig with Michael Flaxman
Want to see which companies demonstrate Bitcoin treasury transparency? Check our Bitcoin Companies Leaderboard to see verified on-chain proof of reserves.