I see a common misconception relating to how blockchain analysis works on privacy coins that I want to clear up.
UTXOs (unspent transaction outputs) come from Bitcoin and are used by many cryptocoins. They are equivalent to having physical bills and coins in your pocket that can be spent. The structure of a UTXO relies on knowing the transaction which created the output. By spending a UTXO you are saying "there is an output X in transaction Y that is unspent and I would like to spend it now." This is public blockchain data and anybody can verify it. This is different from an account-based model, such as the one used in Ethereum, which has no UTXOs. ETH keeps track of how much funds exist in each address; there is no equivalent of having physical bills and coins in your pocket. In that sense ETH is more like a checking or savings account, with an account balance.
Many people apply the ideas above to shielded addresses (zaddrs) but zaddrs do not have UTXOs. I will take my part of the blame for this confusion, as I seem to be the first person to use the term "zutxo" to mean "shielded utxo". If you do an internet search for "zutxo" you will likely find this GitHub gist from 5 years ago where I use the term. It was born as slang to avoid having to type "shielded unspent output". The internals of Zcash Protocol as written by Zcash never use the term utxo for unspent zaddr funds; they have various other ambiguous names such as an "output" or "commitment" or "note" or "SaplingNote". This is for good reason, because when you spend zaddr funds you do not say where the funds came from! This means that when you spend zaddr funds, you do not specify the transaction where they were created. Instead, you create a zero knowledge proof which proves that you are indeed the owner of said funds and also that the amount you are attempting to spend is actually correct. This means that blockchain analysis cannot see the "flow of funds" via the transaction graph, which is one of the most powerful techniques used to study Bitcoin and all other UTXO-based cryptocoins. There is no way to tell which funds you are spending; it could be any currently existing unspent output, which is why the anonymity set of a shielded transaction is the entire set of unspent outputs on the entire blockchain.
Monero *does* use a UTXO based model, which is why the flow of funds can be studied if/when the real spend among the decoys is identified. This is precisely why Monero is migrating to a zero knowledge based system via FCMP++'s. UTXO-based models leak too much metadata via the transaction graph. You can see funds coming in and going out and you can follow their flow. That simply is not possible with zaddrs because zaddrs don't use UTXOs. If you want to learn more about how this kind of stuff works in various different privacy coins then I recommend these talk slides from MoneroKon 2025 by Aaron Feickert called Rings and Trees: How to prove coin ownership.
When zaddr funds are spent there is something called a "nullifier" created. A nullifier is a zero knowledge proof that funds have become spent, but because of zk goodness, no knowledge of where the funds came from is leaked. Nullifiers are used by the system to prevent double spends, since every node on the network knows the list of all nullifiers ever used. If a new transaction attempts to use an already existing nullifier, that is an attempted double spend of zaddr funds and nodes reject it. Only the owner of the private key of a zaddr is able to come up with a valid nullifier which is exactly why only the actual owner of zaddr funds can successfully spend them.
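The difference between the two models can be sketched as a toy. This is an added example, not code from the original post or from any Zcash Protocol implementation: the class names are hypothetical, and plain SHA-256 hashes stand in for the real commitment scheme and zero knowledge proof.

```python
import hashlib, os

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

class TransparentLedger:
    """UTXO model: every input publicly names the outpoint (txid, index) it spends."""
    def __init__(self):
        self.utxos = {}     # outpoint -> (owner, amount)
        self.spent_by = {}  # outpoint -> txid of the spending transaction

    def mint(self, owner, amount):
        outpoint = (h(os.urandom(16)).hex()[:8], 0)
        self.utxos[outpoint] = (owner, amount)
        return outpoint

    def spend(self, outpoint, new_owner):
        _, amount = self.utxos.pop(outpoint)  # KeyError here means double spend
        txid = h(repr(outpoint).encode(), new_owner.encode()).hex()[:8]
        self.utxos[(txid, 0)] = (new_owner, amount)
        self.spent_by[outpoint] = txid
        return (txid, 0)

    def trace(self, outpoint):
        """Walk the public transaction graph forward from one outpoint."""
        path = [outpoint]
        while path[-1] in self.spent_by:
            path.append((self.spent_by[path[-1]], 0))
        return path

class ShieldedPool:
    """Toy shielded pool: nodes store commitments and nullifiers, no outpoints."""
    def __init__(self):
        self.commitments, self.nullifiers = set(), set()

    def create_note(self, sk: bytes) -> bytes:
        rho = os.urandom(16)               # note randomness, known only to the owner
        self.commitments.add(h(b"cm", sk, rho))
        return rho

    def spend(self, sk: bytes, rho: bytes):
        # Stand-in for the zk proof: a real node never sees sk or rho, only nf and a proof.
        if h(b"cm", sk, rho) not in self.commitments:
            return None                    # no such note for this key
        nf = h(b"nf", sk, rho)
        if nf in self.nullifiers:
            return None                    # nullifier already seen: double spend rejected
        self.nullifiers.add(nf)
        return nf                          # the only value published for this spend
```

In the transparent ledger `trace` recovers the whole chain of spends from public data alone, while the shielded pool publishes a nullifier that matches no stored commitment, so an observer has nothing to link the spend back to.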
In conclusion, Bitcoin, Monero and all forks of Bitcoin and Monero use UTXOs to store value and blockchain analysis companies can use "UTXO analysis" to follow the flow of funds on chain. Things are slightly harder to follow on Monero but it becomes trivial once the real spend is identified. Zcash Protocol coins such as ZEC, HUSH, DRAGONX, ARRR and YEC are immune to UTXO analysis of zaddrs because zaddrs don't have UTXOs. But ZEC+YEC don't require the use of zaddrs and most funds *are* stored inside of transparent UTXOs. HUSH, DRAGONX and ARRR require the use of zaddrs to spend funds and avoid that problem completely.
-- Duke
June 25 2025