Operational Security
Operational security (OPSEC) is the practice of identifying and protecting sensitive information from adversaries. This guide covers everything from basic Tor usage to advanced threat modelling — the tools, the red flags, and the mistakes that get people caught.
Every digital action generates metadata. Your Internet Service Provider (ISP) logs every connection you make. Your browser fingerprint — a combination of your screen resolution, installed fonts, language settings, and hardware specs — is often unique enough to identify you across sessions, even without cookies. Payment systems create permanent financial trails. Mobile phones broadcast your location continuously.
Tor provides network anonymity, but Tor alone is insufficient if you make mistakes at the application layer. The vast majority of darknet market arrests have not been the result of Tor being "cracked" — they were the result of operational security failures: reusing usernames, shipping to home addresses, posting on clearnet forums, using personal crypto wallets, or making careless purchases traceable to real identities.
Strong OPSEC is not one big secure decision — it is a consistent practice of many small secure decisions. Every shortcut is a potential attack surface. The adversary does not need to defeat your entire security posture; they only need to find one mistake.
Before applying any OPSEC measure, understand who you are protecting against:
Tier 1 — ISP & Passive Surveillance
Mitigated by: Tor Browser, VPN, Tails OS
Tier 2 — Marketplace Operators
Mitigated by: PGP encryption, unique identities, XMR payments
Tier 3 — Law Enforcement
Mitigated by: Full anonymity stack, no physical connection to orders
Tor Browser
The foundation of darknet anonymity. Routes traffic through three encrypted relays, hiding your IP address and location. Download only from torproject.org. Never lower the Security Level below "Safest" for darknet activity. Never install browser extensions.
Tails OS
A live operating system that runs from a USB drive and leaves no trace on the host computer. Routes ALL traffic through Tor by default, including DNS. Amnesic by design: everything is wiped on shutdown. Recommended for all darknet activity. Download from tails.boum.org.
GnuPG (PGP)
GNU Privacy Guard (GPG) is the free, open-source implementation of the OpenPGP standard. Use it to encrypt all sensitive communications, verify vendor identities, and sign your own messages. Download from gnupg.org. Kleopatra (Windows/Mac) provides a GUI frontend. Never send unencrypted delivery addresses.
Monero (XMR)
Private-by-default cryptocurrency. Every transaction uses ring signatures, stealth addresses, and RingCT to hide the sender, receiver, and amount. XMR is the only cryptocurrency that provides genuine privacy by default without additional mixing steps. See our XMR guide.
VPN
A VPN adds an additional layer between your ISP and Tor. Choose a provider with a verified no-logs policy, ideally based outside the 14-Eyes surveillance-sharing agreements. Mullvad VPN (mullvad.net) accepts XMR and requires no email address or personal details to open an account, and is widely considered the gold standard for privacy. ProtonVPN and IVPN are also reputable.
Password Manager
Bitwarden (open-source, free) or KeePassXC (offline, local) for generating and storing strong, unique passwords. Never reuse passwords across any platforms. Use a passphrase-derived master password that you can memorise; never write it down in plaintext. Enable 2FA on the password manager itself.
These are the most common OPSEC failures that lead to identification. Avoid all of them without exception:
Digital security is only half the picture. Physical OPSEC covers how you handle orders, packages, and the physical environment in which you conduct activities.
Package Handling
Never sign for suspicious packages. Controlled delivery is a real law enforcement technique. If in doubt, deny knowledge ("not for me, wrong address"). Packages can be opened outside your home. Do not photograph packages or post them online.
Device Encryption
Use full-disk encryption on all devices (BitLocker for Windows, FileVault for Mac, LUKS for Linux). Use strong passphrases, not PINs. Power off completely, not just sleep, when not in use. Full-disk encryption only protects data at rest: once a device is powered on and unlocked, the keys are held in memory and the data is accessible.
Identity Separation
Maintain strict separation between your darknet identity and your clearnet identity. Use a dedicated device (even a cheap second-hand laptop) exclusively for darknet activity. Never cross the streams: no clearnet activity on the darknet device, ever.