noKYCme

Case file · Exchange

Bisq

A decentralized exchange that is software, not a company. No account, no KYC, funds in 2-of-2 multisig you control.

Never KYC
Based
No company — the Bisq DAO (BSQ token governance)
Price
Trading fees paid in BTC/BSQ; Bisq Easy has zero trade fees
Reviewed
2026-07-15
Audited by
The noKYCme Bureau

The systematized overview

The bureau vs the internet.

What the bureau found

7.5/10 · Guaranteed no-KYC

On identity, Bisq is close to flawless: no account, no email, no KYC, funds held in multisig you co-control. The serious asterisk is security - the Bisq 1 trade protocol has a repeated pattern of logic exploits, including 11.59 BTC stolen in May 2026, and as of our review Bisq 1 trading remains halted for security remediation with critical audit findings outstanding. Past victims were reimbursed via the DAO, but the risk is real and current - treat this as a live, provisional verdict.

What the internet says

3 recurring praises · 3 recurring gripes

Most praised: genuinely non-custodial and no-kyc, with strong privacy. Most cited downside: app is sluggish with a steep learning curve.

We track our editorial score and community sentiment separately — neither moves the other. Read together, they're the systematized overview.


The facts

Custody & jurisdiction.

Jurisdiction
No legal entity; the Bisq DAO (BSQ token governance)
Custody
Non-custodial - 2-of-2 multisig controlled by the two traders
Escrow
2-of-2 multisig + refundable 15%-50% security deposit (Bisq 1)
Traded
BTC + fiat, plus altcoins incl. XMR/BTC (Bisq 1)
Fiat rails
No - fiat moves directly between traders
Payment methods
Many; full list on the Bisq payment-methods wiki
Payment privacy
Tor by default; XMR/BTC market exists; payment details shared peer-to-peer only
Disputes
Chat, then mediation, then arbitration - agents hold no multisig key
KYC trigger
None - no account and no identity requirement exists
Open source
Yes - AGPLv3, github.com/bisq-network
Audited
A 2026 audit surfaced critical findings (remediation ongoing); no earlier named report found
Operating since
2016 (Bisq 1); Bisq 2 / Bisq Easy newer

The full read

Our analysis, in plain words.

Bisq answers the "what if the exchange itself is the threat" question by removing the company entirely. It is open-source software run by a DAO, with no signup, no email and no KYC, and funds held in a 2-of-2 multisig that only you and your trading partner can move - not Bisq, not a mediator. On privacy and custody design it is about as strong as this category gets, and a specialist no-KYC directory (kycnot.me) scores its privacy 99/100.

The problem is not identity or custody betrayal - it is code. The Bisq 1 trade protocol has been exploited more than once through logic bugs: the 2020 donation-address attack (~3 BTC + 4,000 XMR) and, more seriously, a May 2026 negative-miner-fee bug that let an attacker drain 11.59 BTC from ten users. Following a mid-2026 security audit, Bisq 1 trading was halted for remediation, which remained the live status as we reviewed it.

Two things keep Bisq respectable despite that: the DAO moved to make victims whole rather than disappearing (fully reimbursing the 2026 losses, and proposing repayment for 2020), and the newer Bisq 2 / Bisq Easy path avoids the vulnerable v1 protocol (at the cost of small trade limits and a seller-reputation system). Our verdict reflects the split honestly - privacy near the top of the category, reliability near the bottom because the core product is halted mid-remediation - which is exactly the kind of trade-off a buyer deserves to see before trusting a platform with a transfer. Treat the Bisq score as provisional until trading resumes and the critical findings are patched.


The score, broken down

How the 7.5 is built.

Privacy 4.6Trust 2.2Reliability 0.7 Headroom 2.5

Privacy

weight 50%

What identity, data and metadata the service can demand or collect.

92/100

92 × 50% = 4.6 of 10

Trust

weight 30%

Whether it can technically deliver what it claims — code, audits, age.

74/100

74 × 30% = 2.2 of 10

Reliability

weight 20%

Whether the no-KYC claim holds under real-world pressure.

35/100

35 × 20% = 0.7 of 10

Weighted total 7.5 / 10 · no reliability rule triggered, so the score stands. See the rubric →


Every point, sourced

What earned the score.

Privacy

  • +10No registration, no email, no account of any kind
  • +6All P2P traffic over Tor; payment data stored locally
  • +4Specialist no-KYC directory (kycnot.me) rates it 10/10, Privacy 99/100

Trust

  • +6Fully open source (AGPLv3), transparent DAO governance
  • +4Reimbursed exploit victims via DAO both times
  • +2No company/CEO — stakeholders own the project

The fine print, read for you

The clause they bury.

Verbatim — the honest version
“Bisq requires no registration or KYC, protecting your privacy.”

What it meansThere is no signup step at all - no email, no account. Combined with 2-of-2 multisig that even Bisq mediators cannot unilaterally move, the no-KYC posture is structural, not a revocable promise.

Read the source →
Verbatim — the trapdoor
“The taker defines the miner fee for the trade transactions and passes that value to the maker. This value was not validated against negative numbers, allowing the attacker to cause the maker to calculate an incorrect output value for the multisig output.”

What it meansThis is the May 2026 exploit in Bisq’s own words - a logic bug in the Bisq 1 trade protocol that let an attacker drain 11.59 BTC from 10 users. It was not a KYC or custody betrayal, but it shows the v1 protocol is the risky surface. Prefer Bisq 2 / Bisq Easy for smaller trades.

Read the source →
KYC trigger threshold

None. Bisq never asks for identity - there is no account, no email, and fiat moves directly between traders. The constraints are economic (a refundable 15%-50% security deposit on Bisq 1) and, on Bisq 2 / Bisq Easy, a seller reputation score - not identity verification.

Policy review — point by point

  • No identity clause anywhere

    There is no account and no terms surface that reserves a right to demand ID; the FAQ confirms no registration or KYC.

  • Mediators cannot seize funds

    Since v1.2, trade funds sit in 2-of-2 multisig controlled only by the two traders; dispute agents hold no key.

  • Repeated trade-protocol exploits

    The v1 protocol was exploited in 2020 and again in May 2026 (11.59 BTC), with a 2026 audit-driven trading halt following.

Jurisdiction analysis

Bisq is explicitly "not a company or legal entity of any kind" - it is governed by the Bisq DAO through the BSQ token. That makes it extremely resistant to being shut down or compelled, but it also means there is no incorporated entity, no stated jurisdiction, and your recourse after an incident is a DAO reimbursement vote rather than a legal claim.


We keep watching

Incident & policy timeline.

  1. Apr 2020

    Donation-address exploit: ~3 BTC + 4,000 XMR stolen

    An attacker abused the v1 fallback "donation address" mechanism in the XMR/BTC market, taking roughly 3 BTC and 4,000 XMR from 7 victims. Trading was disabled via the alert key and fixed in v1.3.0; the DAO proposed to repay the 7 victims from future trading revenue.

    source ↗
  2. May 2026

    Negative-miner-fee exploit: 11.59 BTC stolen

    A second Bisq 1 protocol logic bug (an unvalidated negative miner fee) let an attacker drain 11.59 BTC from 10 users on altcoin trades. Bisq noted the vulnerability was found using AI-assisted analysis. Affected users were fully reimbursed in BTC (completed June 2026) via "Refund Angels" advancing funds subject to a DAO vote.

    source ↗
  3. Jun–Jul 2026

    Precautionary Bisq 1 trading halt after audit

    Following a security audit that surfaced critical findings, Bisq 1 trading was halted to remediate and, as of our review, remains paused. Existing trades could complete; Bisq 2 and the Haveno fork were reported unaffected. Re-check current status before trading.

    source ↗

The verdict

Where it stands.

Strengths

  • No account, no email, no KYC - among the strongest privacy profiles anywhere
  • Non-custodial: funds sit in 2-of-2 multisig you co-control, not with Bisq
  • Fully open source (AGPLv3) with transparent DAO governance
  • Reimbursed exploit victims through the DAO rather than walking away

Trade-offs

  • The Bisq 1 trade protocol has a repeated pattern of logic exploits (2020, 2026)
  • Bisq 1 trading remained halted for security remediation as of our review
  • No named independent audit report exists prior to 2026
  • Sluggish app, steep learning curve, and thin liquidity in many markets
  • High security deposits (15%-50%) to open a Bisq 1 trade
Visit Bisq No affiliate relationship. We link to the official site directly.

Across the internet

What reviewers report.

Consistently praised

  • Genuinely non-custodial and no-KYC, with strong privacy
  • DAO reimbursed exploit victims rather than vanishing
  • Reliable core P2P functionality for patient users

Recurring complaints

  • App is sluggish with a steep learning curve
  • Thin liquidity in many markets; high security deposits
  • Repeated Bisq 1 security incidents shake confidence

Sentiment is a mix of deep respect for the privacy model and frustration with UX, liquidity and - increasingly - security incidents. Reddit threads were not directly reachable during research; this synthesis leans on the independent kycnot.me listing and Bisq’s own post-mortems and should be refreshed with a manual forum pass.


Ask the bureau

Bisq, common questions.

Does Bisq require KYC or an account?

No. Bisq is software, not a company - there is no registration, no email, and no identity check. Funds are held in a 2-of-2 multisig that only you and your counterparty can move, which is why we rate it KYC level 0.

Is my money safe on Bisq?

Custodially, yes - Bisq cannot touch your funds. But the Bisq 1 trade protocol has suffered repeated logic exploits (11.59 BTC was stolen in May 2026), and trading was halted for audit remediation during our review. Victims have been reimbursed by the DAO, but treat Bisq 1 as higher-risk and prefer Bisq 2 / Bisq Easy for small trades.

What is the difference between Bisq 1 and Bisq 2?

Bisq 1 is the classic 2-of-2 multisig protocol - flexible and higher-limit, but the surface that suffered every exploit. Bisq 2 / Bisq Easy is newer, reputation-based, has zero trade fees and no security deposit, but caps trades small (roughly $6-$600).

Why is reliability scored so low if it is non-custodial?

Because reliability measures whether the service holds up under real-world pressure, and Bisq 1 has been exploited more than once with a live trading halt during our review. Non-custodial protects you from Bisq stealing funds; it does not protect you from a protocol bug an attacker can exploit.

Your exact case not covered? The live Ask the bureau answers it and turns it into a public FAQ.