Why Operational Security Matters
Operational security (OPSEC) is the discipline of protecting sensitive information and behaviour patterns from adversaries who would use them against you. In the context of darknet marketplace access, OPSEC failures — not cryptographic weaknesses in Tor — are the primary documented cause of user identification and arrest.
Law enforcement investigations documented in court filings consistently reveal the same pattern: users correctly deployed Tor and encryption, but disclosed identifying information through behaviour — real email addresses, shipping to home addresses, discussing activity online, or making purchases from KYC-linked bank accounts.
The core principle of OPSEC is compartmentalisation: keeping all darknet-related activity completely separated from your real identity, devices, accounts, and purchasing patterns.
Threat Model: Who Are You Protecting Against?
Before implementing security measures, understand your threat model:
- Passive network surveillance: ISPs, backbone operators observing traffic patterns. Addressed by Tor's onion routing.
- Active network attacks: Traffic correlation attacks requiring observation of both ends of the circuit. Addressed by using Tails/Whonix and avoiding predictable usage patterns.
- Platform-level compromise: Marketplace servers seized or compromised. Addressed by never providing real information to any platform.
- Endpoint compromise: Malware on your device. Addressed by using amnesic OS (Tails) and disabling JavaScript.
- Physical surveillance: Package delivery, in-person observation. Addressed by not shipping to home addresses and maintaining strict operational separation.
Essential Tools
1. Tails OS — Recommended Primary Environment
Tails (The Amnesic Incognito Live System) is a security-focused operating system that boots from a USB drive and routes all traffic through Tor. When shut down, Tails leaves no trace of your session on the host computer's hard drive.
- Download only from tails.boum.org — verify the PGP signature before use
- Use a dedicated USB drive (at least 8GB) for Tails — never use a drive for other purposes
- Enable the Persistent Storage only for items you need between sessions (Tor Browser bookmarks, PGP keys)
- Use a computer you control physically — avoid using workplace or public computers
2. Whonix — VM-Based Alternative
Whonix is a Tor-based OS running as two virtual machines: a Gateway VM that connects to Tor, and a Workstation VM that routes all traffic through the Gateway. Even if the Workstation is compromised by malware, the attacker cannot bypass Tor to learn your real IP.
- Download from whonix.org
- Requires VirtualBox or KVM on a host OS
- Unlike Tails, Whonix is not amnesic — files persist between sessions unless configured otherwise
3. Tor Browser — Minimum Requirement
If Tails or Whonix is not available, use only the official Tor Browser from torproject.org. Always set security level to "Safest".
- Never install extensions — they can break anonymity through additional fingerprinting
- Never maximise the browser window — window size is a fingerprinting vector
- Never open files downloaded through Tor with external applications — they can call out to the network, bypassing Tor
4. GnuPG (GPG) — Message Encryption
GPG is the standard implementation of PGP encryption. Use it to encrypt all marketplace communications containing sensitive content. Generate a new key pair that contains no identifying information.
- Key generation: gpg --gen-key (use a pseudonymous name and never a real email)
- Encrypt message: gpg --encrypt --recipient [key_id] message.txt
- Sign message: gpg --sign message.txt
Procedural Best Practices
Identity Compartmentalisation
- Use unique usernames for every platform — never reuse names from clearnet accounts
- Use a unique writing style — avoid distinctive vocabulary, phrases, or punctuation patterns you use in real life
- Never reference real-world events, locations, or personal details in any messages
- Maintain strict separation between all pseudonymous identities — never let them interact
Device Hygiene
- Use a dedicated device for sensitive browsing if possible — not a family or work computer
- Disable Bluetooth, Wi-Fi (when not needed), and any unnecessary hardware
- Keep the operating system and all software fully updated to patch known vulnerabilities
- Use full-disk encryption (LUKS on Linux, BitLocker on Windows, FileVault on macOS)
Network Hygiene
- Avoid using Tor from your home internet connection if you have reason to believe your ISP reports Tor usage
- Public Wi-Fi can be used with Tails/Tor for additional separation but introduces physical exposure risks
- Never use a VPN in combination with Tor unless you have a specific, well-understood reason — it can reduce rather than increase anonymity in many configurations
Red Flags: What Gets People Caught
The following are documented failure patterns from publicly available court records and security research:
- Using the same username across darknet markets and clearnet forums
- Shipping to a home address or a location linkable to identity
- Withdrawing cryptocurrency to an exchange with KYC verification
- Discussing specific transactions or marketplace activity on social media
- Making operational security mistakes while under time pressure or intoxicated
- Accessing darknet platforms from clearnet without Tor (IP logging)
- Storing unencrypted operational information on internet-connected devices
- Using real email addresses for marketplace account recovery
- Posting photos from deliveries or packages on any platform
What Doesn't Work (Common Misconceptions)
- VPN alone: VPNs do not provide anonymity — they move trust from your ISP to the VPN provider. Many VPN providers log and comply with law enforcement requests.
- Incognito mode: Incognito prevents local browser history but does not hide your IP address or traffic from your ISP or network observers.
- Tor + VPN without understanding: Adding a VPN to Tor can create a fixed entry or exit point that simplifies correlation attacks rather than preventing them.
- I2P instead of Tor for clearnet markets: I2P is designed for internal network services — it does not anonymise access to regular internet sites.
Advanced Topics
Traffic Analysis Resistance
Tor resists traffic analysis by routing each connection through three relays with layered encryption, so no single relay sees both the source and the destination. However, a global passive adversary observing both the Tor entry and exit can potentially correlate timing patterns. Practical mitigations include: using Tor bridges, varying usage times, and using onion services (v3), which eliminate the exit relay and make traffic analysis much harder.
Metadata Leakage
File metadata (EXIF data in photos, document properties in PDFs) can reveal device information, location, and creation time. Before sharing any files, strip metadata using tools like ExifTool or Tails' built-in metadata cleaner.