TRUSTED A- L0 · trustless
Bisq

P2P multisig BTC exchange, no signup, AGPLv3, since 2014

BTC XMR SEPA CASH

Bisq has no servers to subpoena, no accounts to freeze, and a 2020 hack that still scars the ledger.

*A decade-old peer-to-peer Bitcoin exchange that survived a $250k exploit and still refuses to know your name.*

Jurisdiction: decentralised
Operating since: 2014
Category: Exchanges
Rubric: v2.7

How it works

Bisq is a desktop application that connects buyers and sellers of bitcoin without an order book hosted on a central server. Trades are flooded across a peer-to-peer network that is routed through Tor by default. When two users match, they fund a 2-of-2 multisig address on the Bitcoin base layer; the seller waits for the fiat or altcoin transfer, and the satoshis only move when both parties sign. A small security deposit, posted in BTC, gives both sides skin in the game and discourages walk-aways.

The classic protocol still settles most volume, but in March 2024 the network shipped Bisq 2 alongside it. The flagship Bisq 2 trade type, Bisq Easy, drops the multisig deposit in favour of a reputation score carried over from Bisq 1, lowering the on-ramp for users who do not yet hold any bitcoin. Both versions install side by side.

KYC & privacy

There is nothing to KYC. Bisq does not host an account database; the desktop client generates a local wallet and connects out over Tor. Counterparties exchange the bare minimum needed to settle their chosen rail — an IBAN for a SEPA leg, a Monero subaddress for an XMR swap, a cash drop for an in-person trade. The Bisq DAO and contributors never see any of it.

Funds are held in 2-of-2 multisig the moment a trade opens, so even the protocol cannot move bitcoin without the signatures of both the buyer and the seller. The Bisq team and the DAO have no key, no logs, and no kill switch — a posture confirmed by KYCnot.me, which scores Bisq 10/10 for KYC stance.

Strengths and limits

The strengths are structural rather than promotional. Bisq is licensed AGPLv3, the codebase is on GitHub, and funding flows through an on-chain DAO that pays contributors in BSQ rather than through a corporate balance sheet. Ten years on the network and roughly six years since its only major incident is unusual longevity for a non-custodial exchange.

The limits are real. Liquidity is thin compared to centralized desks, settlement on the classic protocol typically takes hours rather than minutes, and the Java desktop client feels its age. Bisq has never commissioned a public third-party audit; the code is reviewed in the open instead. And the April 2020 exploit that drained roughly 3 BTC and 4,000 XMR from seven traders is part of the project's history. The bug — a manipulated donation-address field — was patched in v1.3.0, but repayment to victims is funded out of future DAO trading revenue and is therefore inherently slow.

Verdict

Bisq remains the gold standard for trading bitcoin without telling anyone you did. Newer entrants offer slicker UX, but none replicate the architectural guarantee: there is no server, no operator key, and no compliance team to call. Patient, technical traders are the audience. Anyone wanting a one-tap mobile experience should wait for Bisq Easy Mobile, or look elsewhere.

What works
01 Pure 2-of-2 multisig escrow on Bitcoin base layer, AGPLv3 codebase since 2014
02 No signup, no email, no central account database — Tor by default
03 DAO-funded development with BSQ token, no corporate balance sheet to subpoena
04 Supports XMR/BTC, SEPA, cash, and in-person trades alongside on-chain BTC

What to know
01 April 2020 hack drained 3 BTC + 4,000 XMR; victim repayment via DAO is still ongoing
02 Java desktop client only; mobile is still in beta via Bisq Easy
03 Liquidity thinner than centralized exchanges; trades can take hours to settle
04 No public third-party security audit on record

Bisq's protocol-level privacy and ten-year track record are unmatched for traders who can stomach a desktop app and a learning curve. The unaudited codebase and unfinished 2020 victim repayment are real caveats, but they do not undo a decade of clean, non-custodial operation. Grade: A- (8.7/10). Trust: TRUSTED.