Why OPSEC Matters

Tor hides your IP address. PGP encrypts your messages. Monero obscures your transactions. But technology is only as strong as the human using it. The most common cause of darknet user identification is not a technical exploit — it is an OPSEC mistake made by the user themselves.

Historical law enforcement operations (Silk Road, Hansa, Wall Street Market) succeeded not by breaking cryptography but by exploiting OPSEC failures: vendors reusing usernames from clearnet accounts, buyers using real postal addresses, administrators connecting from identifiable IP addresses, and cryptocurrency that was traced back to KYC exchanges.

Understanding OPSEC is about understanding how you can be identified — then systematically eliminating each vector. Your threat model depends on your activities, but the principles below apply to anyone who values online privacy.

Essential OPSEC Tools

Tor Browser

The foundation of darknet anonymity. Tor routes your traffic through three relays, masking your real IP. Always use Tor Browser at Safest security level — this disables JavaScript, preventing the most dangerous browser-based attacks.

torproject.org/download

PGP Encryption

GNU Privacy Guard (GPG) is the tool for generating PGP keys, encrypting messages, and verifying signatures. All sensitive communications (shipping addresses, sensitive discussions) must be PGP-encrypted — never send plaintext.

gnupg.org

Monero (XMR)

Use Monero for all financial transactions. It provides mandatory privacy at the protocol level — no configuration required. Every XMR transaction hides sender, recipient, and amount from chain analysis.

Tails OS

Tails is a live operating system on a USB drive that routes all traffic through Tor, leaves no trace on the host computer, and has no persistent storage by default. Ideal for maximum compartmentalisation.

tails.boum.org

Whonix / Qubes OS

Whonix provides a two-VM setup: a Gateway VM that handles all Tor connections and a Workstation VM for user activity. The Workstation has no network path except through the Gateway and is never told the real IP, so even a compromised Workstation has no IP to leak. Qubes OS adds hardware-level isolation.

whonix.org · qubes-os.org

VPN (Supplementary)

A VPN before Tor (VPN → Tor) hides Tor usage from your ISP and provides an additional IP layer. Use a reputable, no-log VPN paid with Monero. Remember: a VPN does not replace Tor — it is a supplement. Recommended research: privacyguides.org/vpn

How to Remain Anonymous

Compartmentalisation

Keep all darknet activity completely separate from your real identity. Use dedicated hardware or virtual machines. Never access darknet resources from the same device you use for personal accounts, banking, or social media. The two worlds must never overlap.

Username Hygiene

Use unique usernames on every platform — never reuse a name you've used on Reddit, gaming platforms, forums, or any clearnet service. Law enforcement regularly cross-references darknet usernames against clearnet databases. A single match can unravel an entire OPSEC setup.

Metadata Awareness

Metadata reveals more than content. File metadata (EXIF data in photos) can embed GPS coordinates, device information, and timestamps. Always strip metadata from files before sending. Use tools like MAT2 or ExifTool to clean files.
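To make the point concrete, here is a small added example (not part of this guide, and not the MAT2 or ExifTool code) that parses a JPEG's marker segments, reports whether an Exif APP1 segment is present, and writes out a copy without it. The sample image bytes are constructed inline: a JFIF header plus an Exif block whose only IFD entry is a GPSInfo pointer.

```python
import struct

SOI, SOS, APP0, APP1 = 0xFFD8, 0xFFDA, 0xFFE0, 0xFFE1

def iter_segments(data):
    """Yield (marker, start, end) per JPEG marker segment. The SOS segment is
    yielded extended to end-of-file: everything after it is scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def is_exif(data, start):
    """True if the segment starting at `start` is an APP1 segment carrying Exif."""
    return data[start + 4:start + 10] == b"Exif\x00\x00"

def find_exif(data):
    """(start, end) of every Exif APP1 segment: where GPS and device tags live."""
    return [(s, e) for m, s, e in iter_segments(data) if m == APP1 and is_exif(data, s)]

def strip_exif(data):
    """Return a copy of the JPEG with all Exif APP1 segments dropped."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and is_exif(data, start)):
            out += data[start:end]
    return bytes(out)

def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample (not a real photo): SOI, JFIF header, an Exif block whose
# single IFD entry is a GPSInfo pointer (tag 0x8825), a minimal SOS, then EOI.
JFIF_SEG = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF_SEG = _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
                    b"\x00\x01\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a"
                    b"\x00\x00\x00\x00")
SAMPLE_JPEG = (b"\xff\xd8" + JFIF_SEG + EXIF_SEG
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\xff\xd9")
```

Run `find_exif` on a file before sending it; an empty list is the state you want, and on a real photo the JFIF and quantisation tables survive the strip while the GPS block does not.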

Writing Style

Stylometric analysis — comparing writing patterns — is a real forensic technique. Unique turns of phrase, punctuation habits, and vocabulary can be matched across pseudonymous accounts. Be aware of distinctive writing patterns in sensitive communications.

Time Zones and Activity Patterns

Your online activity patterns can reveal your time zone and therefore narrow your geographic location. Consistent activity during a specific timezone's waking hours is a data point. Using randomised activity windows or accessing through Tails reduces this vector.
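How much a plain log of post times gives away is easy to show. The added example below (not code from this guide) builds a UTC hour-of-day histogram from ISO 8601 timestamps, finds the quietest eight-hour window, and reads it as the account's night to estimate a whole-hour UTC offset. The sample timestamps are constructed from an assumed set of local posting hours; the bedtime and sleep length are assumptions, so real estimates are only good to a couple of hours, which is still a narrow geographic band.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

SLEEP_HOURS = 8      # assumed length of the nightly quiet period
LOCAL_BEDTIME = 23   # assumed local hour at which that period starts

def utc_hour_histogram(timestamps):
    """Count events per UTC hour-of-day. Input: ISO 8601 strings with offsets."""
    hist = Counter()
    for ts in timestamps:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        hist[dt.astimezone(timezone.utc).hour] += 1
    return hist

def quietest_window(hist):
    """UTC hour at which the least active SLEEP_HOURS-long window begins."""
    totals = {s: sum(hist[(s + i) % 24] for i in range(SLEEP_HOURS)) for s in range(24)}
    return min(totals, key=totals.get)

def estimate_utc_offset(timestamps):
    """Whole-hour UTC offset that places the quiet window at LOCAL_BEDTIME.
    Returns a value in -12..+12."""
    start = quietest_window(utc_hour_histogram(timestamps))
    offset = (LOCAL_BEDTIME - start) % 24
    return offset - 24 if offset > 12 else offset

def make_sample(offset_hours, days=7, local_hours=(7, 9, 12, 13, 18, 20, 21, 22)):
    """Constructed sample: one account posting at typical local hours in
    UTC+offset_hours, exported as the UTC timestamps a forum scrape would hold."""
    tz = timezone(timedelta(hours=offset_hours))
    stamps = []
    for day in range(days):
        for hour in local_hours:
            local = datetime(2024, 3, 1 + day, hour, 15, tzinfo=tz)
            stamps.append(local.astimezone(timezone.utc).isoformat())
    return stamps

if __name__ == "__main__":
    for tz_off in (-5, 0, 9):
        print("true offset", tz_off, "-> estimated", estimate_utc_offset(make_sample(tz_off)))
```

Feed it an account's real posting log and the histogram itself is the lesson: a consistent empty band is a location signal, and only activity spread across the clock (or batched through a schedule that ignores your own day) removes it.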

Physical Security

Digital security means nothing if someone can physically access your device. Use full-disk encryption (LUKS on Linux, VeraCrypt on Windows). Use strong unique passwords. Never leave devices unlocked and unattended. Consider using Tails OS, which leaves nothing on disk.

Red Flags — What to Avoid

Platform Red Flags

  • Requesting JavaScript to be enabled — Legitimate darknet platforms work without JS. If a site demands JavaScript, leave immediately.
  • Unusual login requests — Unexpected requests for additional verification outside the PGP/2FA system may indicate a phishing page or a compromised platform.
  • HTTP instead of HTTPS on clearnet-facing resources — Any platform encouraging unencrypted connections should be treated with extreme suspicion.
  • New admin announcements not signed with PGP — Important notices from market admins are always PGP-signed. Unsigned notices claiming administrative authority are a red flag.
  • Unusual withdrawal delays without explanation — Prolonged unexplained withdrawal holds may precede an exit scam. Move funds once delays become suspicious.

Counterparty Red Flags

  • Vendors pushing to finalise early (FE) — especially from accounts with few reviews
  • Unusually low prices compared to market average — a classic honeypot/scam indicator
  • Requests to communicate outside the encrypted platform messaging system
  • Vendors claiming to need your full name for a "package label" — professional vendors never need this
  • Pressure or urgency tactics around payment or finalisation

Personal OPSEC Mistakes

  • Browsing .onion sites without Tor (using a clearnet proxy or VPN alone)
  • Using a residential IP address — even through VPN — for any darknet activity
  • Reusing email addresses, usernames, or passwords across contexts
  • Storing marketplace logins, keys, or credentials in a cloud service (Dropbox, Google Drive, iCloud)
  • Discussing darknet activity with anyone in person or over unencrypted channels
  • Using KYC-linked cryptocurrency for marketplace deposits
  • Sending unencrypted shipping addresses in plaintext messages
  • Accessing the marketplace from a work or school network

Advanced OPSEC Practices

Air-Gapped Systems

For PGP key generation and storage of highly sensitive information, an air-gapped computer (one that has never been connected to the internet) provides the highest security level. Generate keys on the air-gapped machine, transfer public keys via a USB drive used in one direction only (outward from the air-gapped machine), and never allow the private key to touch a networked system.

Tor Bridge Nodes

In jurisdictions where Tor is blocked or monitored, bridge nodes (unlisted relays) allow Tor access. Pluggable transports like obfs4 and Snowflake disguise Tor traffic to look like regular HTTPS. Get bridges at: bridges.torproject.org

Secure Drop Addresses

When receiving physical deliveries, use a drop address not linked to your real identity: a PO Box, mail forwarding service, or a trusted intermediary address. The address should have no connection to your legal identity, billing history, or regular activity patterns.
