Operational Security (OPSEC) Guide
Master operational security practices to protect your identity and activities. OPSEC is about controlling information that could be used against you.
What is OPSEC?
Operational Security (OPSEC) is a risk management process that prevents adversaries from accessing critical information. Originally developed by the U.S. military, OPSEC principles apply to anyone seeking to maintain privacy and anonymity online.
Core OPSEC Principles
1. Compartmentalization
- Separate Identities: Never link your marketplace activities with personal accounts or real identity
- Use Different Devices: Consider dedicated hardware for sensitive activities
- Isolate Communications: Use separate email addresses, usernames, and passwords for each identity
- Physical Separation: Store sensitive materials in secure, separate locations
2. Threat Modeling
Understand who might target you and what they're capable of:
- Adversaries: Identify potential threats (law enforcement, hackers, scammers, competitors)
- Capabilities: What technical resources and legal powers do they have?
- Motivations: What would they gain by compromising you?
- Attack Vectors: How might they attempt to identify or locate you?
3. Principle of Least Privilege
- Only share information on a need-to-know basis
- Minimize personal details in communications
- Never volunteer identifying information
- Question every data request - is it truly necessary?
4. Behavior Patterns
Avoid creating identifiable patterns:
- Timing: Don't access at predictable times that match your timezone or schedule
- Language: Avoid unique phrases, grammar patterns, or native language tells
- Technical: Change your operational patterns regularly
- Metadata: Be aware that how you do something reveals as much as what you do
Critical OPSEC Mistakes to Avoid
⚠️ Common Failures
- Reusing Usernames: Never use the same username across different platforms
- Personal Photos: Images contain EXIF metadata (GPS, device info, timestamps)
- Browser Fingerprinting: Default browser settings create unique identifiers
- Time Zone Leaks: System clocks and posting patterns reveal location
- Writing Style: Linguistic analysis can link anonymous accounts
- Public WiFi Without VPN: Network admins can see Tor usage
- Phone Numbers: Never provide real phone numbers for 2FA or verification
- Email Addresses: Use anonymous, encrypted email services only
Technical OPSEC Practices
Network Security
- Always connect through Tor for marketplace access
- Consider using a VPN before Tor (Tor over VPN) to hide Tor usage from your ISP
- Use public WiFi or a dedicated connection that can't be traced to you
- Disable WebRTC, JavaScript, and plugins that can leak your real IP address
Device Security
- Full Disk Encryption: Encrypt all storage devices (VeraCrypt, LUKS, BitLocker)
- Secure Boot: Use Tails OS or Whonix for temporary, amnesic sessions
- Physical Security: Never leave devices unattended or accessible
- Anti-Forensics: Understand data recovery risks; use secure deletion tools
Communication Security
- Use PGP encryption for all sensitive communications
- Verify PGP signatures before trusting messages
- Use Signal or Jabber+OTR for real-time encrypted chat
- Never discuss sensitive topics over unencrypted channels
OPSEC Checklist for Marketplace Users
✓ Before Each Session
- Verify Tor Browser is up to date
- Check for security software updates
- Clear any previous session data
- Confirm you're using the correct identity/persona
- Verify current .onion mirror is authentic
- Check that JavaScript is disabled for the site
Information Security Hygiene
What NOT to Share
- Real name, age, gender, or physical characteristics
- Location details (city, country, timezone, landmarks)
- Occupation, education, or professional background
- Family information or relationship details
- Device specifications or software versions
- Internet service provider or connection type
- Other online accounts or activities
Metadata Awareness
Metadata is information about information. Common metadata leaks include:
- Documents: Author name, creation date, editing history, software version
- Images: GPS coordinates, camera model, editing software, original filename
- Communications: Timestamps, IP addresses, routing information, device identifiers
- Behavior: Login patterns, purchasing habits, response times, language preferences
Advanced OPSEC: Deniability
Plausible Deniability Strategies
- Hidden Volumes: Use VeraCrypt hidden volumes within encrypted containers
- Duress Passwords: Create decoy accounts with believable but false content
- Dead Man's Switch: Automated data deletion if you don't check in regularly
- Cover Stories: Prepare explanations for legitimate Tor/encryption usage
Incident Response
If You Suspect Compromise
- Stop All Activity: Immediately cease using compromised accounts or devices
- Assess Damage: Determine what information may have been exposed
- Burn Identity: Abandon compromised personas completely
- Secure Evidence: Securely delete sensitive data
- Create New Identity: Start fresh with improved OPSEC practices
- Learn From Mistakes: Identify how compromise occurred to prevent repetition
Continuous Improvement
OPSEC is not a one-time setup but an ongoing practice. Regularly review and update your security measures:
- Stay informed about new threats and vulnerabilities
- Periodically audit your operational procedures
- Test your security measures against realistic scenarios
- Assume adversaries evolve - your defenses must too
Understanding Your Adversaries
Threat Modeling in Practice
Effective OPSEC requires understanding who might target you and what capabilities they possess. Different adversaries require different defenses. A scammer looking for easy targets requires different countermeasures than a well-resourced organization with legal authority and technical expertise.
Ask yourself: Who would want to identify me? What resources do they have? What information would they need? How might they obtain it? Your answers shape which OPSEC measures are essential versus optional for your situation.
Common Adversary Categories
Opportunistic attackers: Scammers, phishers, and hackers looking for easy targets. They cast wide nets and move on when they encounter resistance. Basic security practices defeat most opportunistic attacks.
Targeted attackers: Individuals with personal motivation - competitors, grudge-holders, or those you've interacted with. They may have some information about you already and specifically want to identify or harm you.
Sophisticated attackers: Organizations with significant resources - technical capabilities, legal authority, time, and funding. They can correlate information across multiple sources and persist in investigations over extended periods.
Physical Security Considerations
Device Access Control
Physical security often receives less attention than technical security, but it's equally important. Someone with physical access to your device can potentially extract data, install monitoring software, or simply observe your activities.
Secure your devices when not in use. Enable screen locks with strong passwords. Consider the risks of device seizure - full disk encryption helps, but only if the device is powered off. A running device with an unlocked screen provides complete access to everything.
Environmental Awareness
Be aware of your physical environment when accessing sensitive platforms. Shoulder surfing is a real threat - someone looking over your shoulder can observe passwords, addresses, and transaction details. Use privacy screens on laptops. Position monitors away from windows and doorways.
Consider where you access platforms. Public WiFi networks may log connection metadata. Home networks link your activity to your physical address. Each location has different risks and benefits for your threat model.
Long-term OPSEC Maintenance
Discipline Over Time
The biggest OPSEC failures often come from complacency. Initial security practices gradually erode as users become comfortable. "Just this once" exceptions accumulate into patterns. Information shared across years of activity creates comprehensive profiles even if individual disclosures seem harmless.
Maintain discipline through routine: security checklists before each session, regular practice verifying signatures and encrypting messages, and periodic reviews of your operational patterns. When security becomes habit, maintaining it requires less conscious effort.
Learning and Adapting
The security landscape evolves constantly. New attack techniques emerge, tools improve, and adversary capabilities grow. Yesterday's best practices may be insufficient today. Allocate time to stay informed about developments in privacy and security.
When you learn about new threats or vulnerabilities, assess how they affect your practices. When major incidents become public, study what went wrong. The failures of others provide valuable lessons without personal cost.
Documentation and Memory
OPSEC creates tension between security and usability. You need to remember passwords, procedures, and protocols while avoiding documentation that could be discovered. Finding the right balance requires thought.
Use password managers for credential storage - offline, encrypted, on dedicated devices. Develop mental models and procedures rather than written checklists when possible. What must be written should be encrypted and stored carefully. Consider what documentation would reveal if discovered and whether that risk is acceptable.
Social Engineering Defense
Recognizing Manipulation Attempts
Technical security measures mean nothing if you can be manipulated into bypassing them. Social engineering attacks target the human element - the weakest link in any security chain. Understanding these attacks helps you recognize and resist them.
Urgency pressure: Attackers create artificial time pressure to prevent careful thinking. Messages claiming "your account will be deleted in 24 hours" or "respond immediately to avoid losing funds" aim to trigger panic responses that bypass rational evaluation. Legitimate platforms rarely impose such sudden deadlines.
Authority claims: Impersonating administrators, moderators, or established community members lends false credibility. Anyone can claim to be staff in a message. Verify through official channels - check the platform's verified staff list, look for cryptographic signatures, and never trust authority claims without verification.
Reciprocity exploitation: Offering something free or helpful creates social obligation to reciprocate. "I'll share this insider information, just need your login to verify your account first." Legitimate help never requires your credentials or private information.
Consistency manipulation: Getting you to agree to small requests builds toward larger ones. "Just confirm your username" leads to "now confirm your email" leads to "now confirm your password." Each step seems reasonable in isolation while the overall pattern is clearly malicious.
Information Gathering Awareness
Sophisticated attackers don't ask directly for what they want. Instead, they gather fragments from multiple interactions that together reveal critical information.
Casual questions about your timezone, sleep schedule, or posting patterns help narrow your location. Questions about your technical setup, software preferences, or device types help build your fingerprint. Discussions about your background, interests, or expertise help identify you across platforms.
Every piece of information you share potentially contributes to a profile. Ask yourself: why does this person need to know this? What could they do with this information combined with other things they might learn?
Recovery and Resilience
Preparing for Compromise
Despite best efforts, compromise happens. Accounts get breached, devices get stolen, and mistakes occur. Preparation determines whether an incident becomes a minor setback or a catastrophe.
Maintain backup identities with established reputation before you need them. Having an alternative ready means you can continue operating immediately rather than starting from zero with no credibility.
Keep funds distributed across multiple wallets and platforms. A single compromise shouldn't threaten everything you have. Consider what you could afford to lose and structure accordingly.
Practice your recovery procedures periodically. Can you restore your encrypted backups? Do you remember all your passwords? Is your recovery documentation current? Finding problems during practice is far better than discovering them during an actual emergency.
Post-Incident Analysis
After any security incident, conduct thorough analysis. What happened? How did it happen? What allowed it to happen? What will you change to prevent recurrence?
Be honest in this analysis. The temptation to blame external factors or bad luck obscures the real lessons. Most incidents involve some OPSEC failure - understanding exactly what failed is essential for improvement.
Document your analysis securely for future reference. The same mistakes tend to recur if lessons aren't remembered and applied. Building a personal knowledge base of security incidents and their causes improves your practices over time.
OPSEC Culture and Mindset
Thinking Like Your Adversary
Effective OPSEC requires understanding your adversaries' perspective. What information would they want? How would they try to obtain it? What would they do with it?
Periodically audit your own activities from an adversarial viewpoint. Look at your post history, your transaction patterns, your communication style. What could an analyst learn? What correlations could they make? The answer often surprises even security-conscious individuals.
Sustainable Security
Perfect security that burns you out after a month provides less protection than good security maintained consistently for years. Design your OPSEC practices for long-term sustainability.
Automate what you can. Use tools that handle routine security tasks without requiring constant attention. Build habits that don't feel burdensome. The practices you'll maintain are the ones that matter - not the ones you'll abandon after initial enthusiasm fades.
Remember that security is a journey, not a destination. Threats evolve, technologies change, and your own circumstances shift. What worked last year may be inadequate today. Stay curious, keep learning, and adapt your practices as needed. The goal isn't perfection - it's continuous improvement toward better protection of what matters to you.