OpSec Manual

Security & OpSec Guide

Mandatory protocols to ensure absolute anonymity, asset protection, and safe traversal of encrypted networks. Any deviation from these practices risks exposure.

1. Identity Isolation

Complete separation of your clearnet (real world) identity and your Tor identity is the foundation of operational security. Any overlapping data serves as a critical point of failure.

  • Never mix identities: Do not use usernames, handles, or passwords associated with your clearnet email, banking, or social media accounts.
  • Password hygiene: Generate unique, complex passphrases (30+ characters) using a reliable offline generator. Do not reuse credentials across different hidden services.
  • Information leaks: Never provide identifying personal contact information, cleartext email addresses, or unencrypted data to any party. Assume all communications are continuously monitored by hostile entities.

2. Defense & Verification

Unverified connection gateways commonly execute "Man-in-the-Middle" (MitM) attacks. By silently intercepting your traffic, malicious mirrors can replace deposit addresses and capture credentials.

  • The ONLY Verification Method: Cryptographically verifying the platform's PGP signature is the only secure way to confirm that an address is authentic. Verify the signed message containing the onion address against the vendor's known public key.
  • Zero Trust Environment: Never trust link aggregators, public forums, chat groups, or wikis. Assume every unverified URL is hostile.
  • PGP 2FA: Always enable PGP two-factor authentication. Even if your credentials are intercepted, a login cannot be completed without your private key.
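
Once the signature on the message has been verified, the onion address inside it still has to be compared, in full, with the address actually loaded in the browser. The following is an added example, not part of the original guide: it validates the v3 onion checksum and compares the complete hostnames. The function names are hypothetical and the sample keys are constructed; the PGP verification itself is assumed to have been done beforehand with your PGP software.

```python
import base64
import hashlib

VERSION = b"\x03"  # version byte of v3 onion services


def _checksum(pubkey: bytes) -> bytes:
    # First 2 bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_onion(pubkey: bytes) -> str:
    """Build a v3 hostname from a 32-byte key (used only for sample data)."""
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def onion_label(hostname: str):
    """Return the validated 56-character label, or None if malformed."""
    parts = hostname.strip().lower().split(".")
    if len(parts) < 2 or parts[-1] != "onion" or len(parts[-2]) != 56:
        return None
    try:
        raw = base64.b32decode(parts[-2].upper())
    except ValueError:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != _checksum(pubkey):
        return None
    return parts[-2]


def check_visited(signed_host: str, visited_host: str) -> str:
    """Compare the signed hostname with the one in the address bar."""
    signed, visited = onion_label(signed_host), onion_label(visited_host)
    if signed is None or visited is None:
        return "invalid"      # typo or truncated copy: checksum/version fails
    return "match" if signed == visited else "mismatch"


# Constructed sample keys; they correspond to no real service.
GENUINE = encode_onion(bytes(range(32)))
LOOKALIKE = encode_onion(bytes(range(16)) + bytes(16))  # same leading characters
TYPO = GENUINE.replace("d.onion", "e.onion")            # last character altered

if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE, TYPO):
        print(host[:12] + "...", check_visited(GENUINE, host))
```

A valid checksum only shows that the address is well formed; the "mismatch" case is a well-formed address that is simply not the signed one, which is why the comparison must cover all 56 characters.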

3. Tor Browser Hardening

The standard installation of the Tor Browser provides a baseline of anonymity, but advanced fingerprinting techniques require further configuration adjustments.

  • Security Level: Always adjust the Tor Browser security slider to "Safer" or "Safest". This inherently disables dangerous scripts that can reveal your IP address.
  • NoScript: Disable JavaScript entirely when traversing hidden services (about:config -> javascript.enabled -> false). Active content execution is a leading cause of de-anonymization.
  • Window Size: Never maximize or manually resize the Tor Browser window. Custom dimensions create a unique fingerprint that can track you across separate sessions.

4. Financial Hygiene

Traceable ledger analytics can retroactively expose all transactions. Proper financial routing is necessary to maintain operational solvency.

  • No Direct Exchange Transfers: Never send cryptocurrency directly from a centralized, KYC-compliant exchange (like Coinbase, Kraken, or Binance) to a hidden service wallet.
  • Intermediary Wallets: Always route funds through a personal, non-custodial wallet (such as Electrum for BTC or the official Monero GUI wallet) over Tor.
  • Privacy Coins: Whenever supported, utilize Monero (XMR) instead of Bitcoin (BTC). Monero utilizes stealth addresses and ring signatures to obfuscate sender, receiver, and transaction amounts by default.

5. PGP Encryption

"If you don't encrypt, you don't care."

PGP (Pretty Good Privacy) is non-negotiable. It is the core cryptographic pillar protecting communications from server seizures, hostile administrators, and automated interception.

  • Client-Side Only: All sensitive communication and addresses MUST be encrypted on your own local machine using software like Kleopatra or Gpg4win before ever pasting them into a browser.
  • No Auto-Encryption: Never rely on a marketplace's "Auto-Encrypt" checkbox. Server-side encryption requires you to transmit plaintext over the network to the server, inherently exposing the data.
  • Key Management: Import verified vendor keys, verify the fingerprints, and never upload your own private key to any online service.