This work addresses the privacy risks inherent in existing fiat-cryptocurrency exchange platforms, which often leak linkages between user identities and on-chain addresses, thereby compromising anonymity. To reconcile privacy protection with regulatory compliance, the paper proposes a novel exchange system that operates under a “default anonymity, auditable on demand” paradigm. By decoupling user identities from blockchain addresses while supporting lawful de-anonymization for KYC and tax auditing purposes, the system leverages verifiable credentials and zero-knowledge proofs to conceal users’ identities and fiat account details. Authorized entities can nevertheless audit suspicious or non-compliant activities when necessary. A functional prototype has been implemented on both desktop and mobile platforms, and experimental evaluation demonstrates the system’s practical feasibility in simultaneously achieving strong privacy guarantees and regulatory compliance.

With the rise of decentralized finance, fiat-to-cryptocurrency exchange platforms have become popular entry points into the cryptocurrency ecosystem. However, these platforms frequently fail to ensure adequate privacy protection, as evidenced by real-world breaches that exposed personally identifiable information (PII) and crypto addresses. Such leaks enable adversaries to link real-world identities to cryptocurrency transactions, undermining the presumed anonymity of cryptocurrency use. We propose FC-GUARD, a privacy-preserving exchange system designed to preserve user anonymity without compromising regulatory compliance in the exchange of fiat currency for cryptocurrencies. Leveraging verifiable credentials and zero-knowledge proof techniques, FC-GUARD enables fiat-to-cryptocurrency exchanges without revealing users'PII or fiat account details. This breaks the linkage between users'real-world identities and their cryptocurrency addresses, thereby upholding anonymity, a fundamental expectation in the cryptocurrency ecosystem. In addition, FC-GUARD complies with key regulations over cryptocurrency usage, such as know-your-customer requirements and auditability for tax reporting obligations by integrating a lawful de-anonymization mechanism that allows the auditing authority to identify misbehaving users. This ensures regulatory compliance while defaulting to privacy protection. We implement our system on both desktop and mobile platforms, and our evaluation shows its feasibility for practical deployment.