Security & OpSec Guide

Mandatory technical protocols for maintaining anonymity and operational security on the Tor network. Failure to adhere to these principles may result in catastrophic compromise of identity and digital assets.

01 Identity Isolation

The foundation of operational security resides in maintaining an absolute firewall between your real-life identity (clearnet) and your network identity (Tor). Overlap is the primary vector for exposure.

  • No Reuse: Never reuse usernames, passwords, or handles that you have previously utilized on clearnet websites, forums, or social media.
  • Strict Compartmentalization: Do not access personal clearnet accounts (email, banking) while simultaneously utilizing the Tor browser for darknet research.
  • Zero Disclosure: Under no circumstances should you distribute personal contact information, location data, or clearnet connection nodes to any entity.

02 Connection Verification

Man-in-the-Middle (MitM) attacks present a substantial threat to network integrity. Third-party actors frequently attempt to intercept credentials and hijack sessions by deploying spoofed routing nodes.

  • The PGP Mandate: Verifying the PGP signature of an .onion link against the platform's known public key is the ONLY definitive method to ensure host authenticity.
  • Untrusted Vectors: Never trust routing links acquired from unprotected wikis, social media platforms (like Reddit), or unverified forums.
  • 2FA Enforcement: Utilizing PGP-based 2-Factor Authentication renders credential interception useless to third parties.
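An added example (not part of the original guide) of the check behind the PGP mandate: a "Good signature" result only means some key in the local keyring signed the message, so the signer's primary-key fingerprint must also match the pinned one. `PINNED_FPR`, `SAMPLE_STATUS` and both function names are assumptions made for illustration, and the fingerprint values are constructed placeholders.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder, not a real key:
# use the full primary-key fingerprint you obtained out of band.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd` output for a signature made by a
# signing subkey: field 3 is the subkey, the last field is the primary key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Signer
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 22 10 01 0123456789ABCDEF0123456789ABCDEF01234567'

# Read status lines on stdin. Succeed only if at least one VALIDSIG line is
# present and every VALIDSIG line names the pinned primary-key fingerprint.
signer_is_pinned() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Verify a clearsigned file, then enforce the pin. A "Good signature" from
# any other key in the keyring is rejected.
verify_signed_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_is_pinned "$PINNED_FPR"
}
```

Compare the full fingerprint rather than a short key ID, since short IDs can collide between unrelated keys.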

03 Tor Browser Hardening

Security Slider

Navigate to Tor Browser settings and elevate the security slider to "Safer" or "Safest". This inherently disables high-risk features and restricts exploitable protocols.

JavaScript Execution

Ensure JavaScript is permanently disabled (via NoScript configuration) on untrusted hidden services. JS engines are the primary vector for zero-day de-anonymization exploits.

Window Fingerprinting

Never maximize or manually resize the Tor Browser window. Retaining the default window size prevents sites from profiling your exact screen dimensions.

04 Financial Hygiene

Cryptocurrency ledgers are permanently public (with specific exceptions). Direct transmission of funds from regulated entities establishes a permanent mathematical link to your identity.

Protocol Directives:
  • Never initiate a transfer directly from centralized exchanges (e.g., Coinbase, Binance, Kraken) to a hidden service.
  • Establish an isolated intermediary wallet (e.g., Electrum for BTC, Monero GUI for XMR) to break direct transmission tracking.
  • XMR Superiority: The utilization of Monero (XMR) over Bitcoin (BTC) is strictly advised. Monero's native ring signatures and stealth addresses provide default cryptographic obfuscation.

05 PGP Encryption (The Golden Rule)

"If you don't encrypt, you don't care."

Client-side encryption is the absolute last line of defense against database seizures and data retention policies.

  • Client-Side Only: All sensitive instructions and addresses must be encrypted locally on your machine before pasting them into any web interface.
  • Never Auto-Encrypt: Utilizing a marketplace's "Auto-Encrypt" feature requires transmitting raw, plaintext data to remote servers. This is a critical operational failure.
