🔐 Security & OPSEC Guide

Reading time: 20-25 minutes. Updated: November 2025

Complete security guide covering Tor setup, VPN usage, operational security best practices, and privacy protection for DrugHub Market users.

🎯 Introduction to Operational Security (OPSEC)

OPSEC (Operational Security) is the practice of protecting your identity, location, and activities from adversaries. In the context of darknet markets, proper OPSEC is the difference between anonymity and exposure.

⚠️ Critical Understanding: Law enforcement, hackers, and malicious actors actively target darknet market users. One mistake can compromise years of careful operation. This guide will help you avoid those mistakes.

Threat Model

Understand who you're protecting yourself against:

🚔 Law Enforcement

  • Traffic analysis
  • Endpoint surveillance
  • Supply chain attacks
  • Undercover operations

🏴‍☠️ Hackers & Scammers

  • Phishing attacks
  • Man-in-the-middle
  • Malware distribution
  • Social engineering

🕵️ ISP & Network Admins

  • Traffic monitoring
  • DNS queries logging
  • Connection patterns
  • Metadata collection

👥 Exit Scammers

  • Fake markets
  • Compromised vendors
  • Fund theft
  • Information leaks

🌐 Tor Browser: Your Gateway to Anonymity

Rule #1: NEVER access darknet markets without Tor Browser. This is non-negotiable.

Installing Tor Browser (Proper Method)

1. Download from Official Source ONLY

Visit: torproject.org (clearnet official site)

  • Verify HTTPS certificate
  • Check domain spelling carefully
  • Never download from third-party sites
  • Verify PGP signature after download

🚨 Phishing Warning: Fake "Tor Browser" sites distribute malware. Always verify you're on the real torproject.org.

2. Verify Download Integrity

Advanced users: Verify the GPG signature

# Import Tor signing key
gpg --keyserver keys.openpgp.org --recv-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

# Verify signature
gpg --verify tor-browser-*.asc tor-browser-*.exe

3. Install and Configure

  • Install to a standard location (don't hide it)
  • Launch Tor Browser
  • Wait for connection to establish
  • Test at check.torproject.org
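
An added example, not part of the original guide: `gpg --verify` in step 2 succeeds for a good signature from any key in the keyring, so this sketch reads gpg's machine-readable status output and accepts only the fingerprint listed above. The function names `check_validsig` and `verify_release` are hypothetical.

```shell
#!/bin/sh
# Added example: pin the signer instead of trusting any key in the keyring.
# Fingerprint of the Tor Browser signing key, as given in step 2 of the guide.
PINNED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Reads gpg "--status-fd" output on stdin and succeeds only if a VALIDSIG
# line names PINNED_FPR and the key is not reported as revoked.
# VALIDSIG arguments: signing-key fpr, date, timestamp, expiry, version,
# reserved, pubkey algo, hash algo, sig class, primary-key fpr.
check_validsig() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Releases are normally signed with a subkey, so compare the
            # primary-key fingerprint (field 12); fall back to the signing
            # key fingerprint if gpg did not print the primary one.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1
        }
        # gpg emits VALIDSIG even for a revoked key or a bad-state signature,
        # together with one of these lines; treat them as failure.
        $1 == "[GNUPG:]" && ($2 == "REVKEYSIG" || $2 == "BADSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release SIGNATURE FILE
# Runs gpg on a detached signature and applies the pinned-fingerprint check.
verify_release() {
    sig=$1
    file=$2
    [ -f "$sig" ] && [ -f "$file" ] || { echo "missing file" >&2; return 2; }
    if gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null | check_validsig; then
        echo "OK: $file is signed by $PINNED_FPR"
    else
        echo "FAIL: no valid signature from the pinned key on $file" >&2
        return 1
    fi
}
```

Call it with explicit file names rather than globs, so that a second matching file in the download directory cannot change which file is checked.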

Tor Browser Security Settings

Security Level: Standard → Safest

Click the shield icon → Change to "Safest"

What this does:

  • Disables JavaScript on all sites
  • Disables automatic media playback
  • Disables fonts and icons
  • Reduces fingerprinting vectors

💡 Note: Some market features may not work with the "Safest" setting. Use "Safer" as the minimum acceptable level.

Tor Browser Best Practices

✅ DO

  • Use Tor Browser ONLY for darknet activity
  • Keep Tor Browser updated
  • Use "New Identity" between sessions
  • Close all tabs before exiting
  • Use built-in search engines
  • Bookmark verified .onion addresses

❌ DON'T

  • Login to personal accounts
  • Download files directly
  • Resize browser window
  • Install extensions or plugins
  • Enable location services
  • Max/minimize browser (use default size)

🔒 VPN + Tor: The Debate

The combination of VPN and Tor is controversial. Here's what you need to know:

VPN → Tor (Recommended for Most Users)

Setup: VPN Connection → Tor Browser → DrugHub

Advantages:

  • Hides Tor usage from ISP
  • Adds extra encryption layer
  • Protects if Tor entry node is compromised
  • Useful in countries that block Tor

Disadvantages:

  • VPN provider sees you're using Tor
  • Must trust VPN provider
  • Slower connection speed
  • VPN keeps logs (choose no-logs provider)

Tor → VPN (Advanced Users Only)

Setup: Tor Connection → VPN → DrugHub

Advantages:

  • Hides Tor exit node from destination
  • Can access clearnet sites that block Tor

Disadvantages:

  • Complex setup (requires Whonix or custom config)
  • VPN sees your real traffic
  • ISP still sees Tor usage
  • Single point of failure (VPN)

⚠️ Not Recommended: This setup is complex and provides minimal additional security for marketplace use. Stick with VPN → Tor.

Recommended VPN Providers

Mullvad VPN

  • ✅ No logs policy (audited)
  • ✅ Anonymous account creation
  • ✅ Accepts Monero/Bitcoin
  • ✅ No email required
  • ✅ Open source clients

ProtonVPN

  • ✅ Strong privacy laws (Switzerland)
  • ✅ No logs policy
  • ✅ Secure Core servers
  • ✅ Accepts Bitcoin
  • ⚠️ Email required

IVPN

  • ✅ No logs (audited)
  • ✅ Anonymous accounts
  • ✅ Accepts Monero
  • ✅ Multi-hop connections
  • ✅ Open source

❌ NEVER Use These VPNs:

  • Free VPNs (sell your data)
  • VPNs based in Five/Nine/Fourteen Eyes countries without strong privacy stance
  • VPNs that require personal information
  • VPNs owned by data-mining companies

💻 Device Security & Compartmentalization

Operating System Recommendations

🥇 Best: Tails OS

Tails (The Amnesic Incognito Live System)

  • Live OS - runs from USB, leaves no trace
  • Routes all traffic through Tor automatically
  • Includes PGP, Bitcoin wallet, and security tools
  • Amnesia feature - wipes RAM on shutdown
  • Persistent storage option for encrypted data

✅ Ideal for: Maximum security, highest-risk activities, paranoid users

🥈 Good: Whonix

Whonix (VM-based isolated environment)

  • Two VMs: Gateway (Tor) + Workstation (isolated)
  • IP leaks are impossible by design
  • Can run inside VirtualBox/KVM
  • Persistent system with encryption

💡 Ideal for: Daily use, advanced users, multi-account management

🥉 Acceptable: Hardened Linux

QubesOS, Debian, or Arch with full disk encryption

  • Full disk encryption mandatory
  • Dedicated user account for darknet activity
  • Firewall rules to block non-Tor traffic
  • Regular security updates

⚠️ Risky: Windows/macOS

  • Telemetry sends data to Microsoft/Apple
  • Closed source - unknown backdoors
  • More vulnerable to malware
  • If you must use: Disable all telemetry, use full disk encryption

Minimum Requirements for Windows/Mac:

  • Full disk encryption (BitLocker/FileVault)
  • All telemetry disabled
  • Dedicated account for darknet
  • Antivirus disabled when using Tor

Hardware Security

🖥️ Dedicated Device (Recommended)

Use a separate laptop/PC exclusively for darknet activity:

  • Bought with cash (no paper trail)
  • Never used for personal activities
  • Never connected to home network with real identity
  • Full disk encryption enabled
  • Camera and microphone physically disabled

📱 Mobile Devices

❌ DO NOT use smartphones for marketplace access:
  • Constant GPS tracking
  • IMEI/device identifiers
  • Biometric data
  • Carrier surveillance
  • App store tracking

🎭 Operational Security Practices

Identity Compartmentalization

Separate Your Identities

Never mix your real identity with darknet activities:

Activity      | Real Identity         | Darknet Identity
Email         | yourname@gmail.com    | Never use email (PGP only)
Username      | JohnDoe1985           | RandomUser7392 (unique)
Timezone      | Your real timezone    | Random timezone in posting patterns
Writing Style | Your natural style    | Altered (different punctuation, grammar)
Device        | Personal laptop/phone | Dedicated device ONLY
Network       | Home WiFi             | Public WiFi (with VPN+Tor)

Communication Security

Secure Communication Rules

1. PGP Encryption Always
  • Encrypt all addresses and sensitive information
  • Verify vendor PGP keys
  • Never send unencrypted personal data
2. No Personal Information
  • Never mention: real name, location, workplace, school
  • Avoid unique identifiers (rare medical conditions, specific events)
  • Don't discuss local news or weather
  • Never post photos or media from personal devices
3. Timing Analysis Protection
  • Vary your login times randomly
  • Don't establish patterns (e.g., "always online at 8 PM")
  • Use different timezones in forum posts
  • Delay messages instead of instant replies
4. Writing Style Obfuscation
  • Alter your natural writing patterns
  • Use different vocabulary than normal
  • Change punctuation habits
  • Avoid phrases you commonly use

Financial OPSEC

Cryptocurrency Best Practices

✅ Use Monero (XMR) Exclusively

DrugHub only accepts Monero for good reason:

  • Untraceable transactions by default
  • Hidden amounts
  • Ring signatures obscure sender
  • Stealth addresses protect receiver

🔄 Transaction Hygiene

  • Never send XMR directly from exchange to market
  • Use intermediary wallet (your own Monero wallet)
  • Wait 10+ confirmations before spending
  • Use subaddresses for different vendors/orders

🏦 Acquisition Methods

  • Best: Cash → Bitcoin ATM → Exchange to XMR
  • Good: P2P exchanges (LocalMonero/Bisq)
  • Acceptable: No-KYC exchanges
  • Risky: KYC exchanges (Coinbase, Kraken, Binance)

🛠️ Essential Privacy Tools

🔐 Kleopatra / GPG Suite

PGP Encryption

  • Essential for DrugHub login
  • Encrypt addresses and messages
  • Verify vendor signatures

🗝️ KeePassXC

Password Manager

  • Offline, open source
  • Store all credentials securely
  • Generate strong passwords
  • AES-256 encryption

💎 Monero GUI Wallet

Official Monero Wallet

  • Full node or remote node
  • Complete transaction privacy
  • Subaddress support
  • Open source and audited

🔥 BleachBit

Secure File Deletion

  • Shred files securely
  • Clean system traces
  • Wipe free space
  • Delete temporary files

📦 VeraCrypt

Disk Encryption

  • Create encrypted volumes
  • Hidden volumes (plausible deniability)
  • Full disk encryption
  • Multiple encryption algorithms

🖼️ ExifTool / MAT2

Metadata Removal

  • Strip EXIF data from photos
  • Remove GPS coordinates
  • Clean document metadata
  • Prevent information leakage

⚠️ Common OPSEC Mistakes to Avoid

🔴 CRITICAL MISTAKES (Will Get You Caught)

  • Accessing market without Tor
  • Using real name/address unencrypted
  • Logging into personal accounts via Tor
  • Taking photos of products with phone (EXIF GPS data)
  • Discussing orders on clearnet social media
  • Using Bitcoin instead of Monero
  • Reusing usernames from clearnet

🟠 SERIOUS MISTAKES (High Risk)

  • Not using VPN with Tor
  • Accessing market from home WiFi only
  • Keeping plaintext records of orders
  • Not verifying .onion addresses
  • Using Windows without proper hardening
  • Downloading files over Tor
  • Not rotating Tor circuits regularly

🟡 MODERATE MISTAKES (Should Fix)

  • Not using full disk encryption
  • Predictable login patterns
  • Using same writing style everywhere
  • Not clearing browser data between sessions
  • Keeping Tor Browser open with personal browsing
  • Not backing up PGP keys securely

🚨 Emergency Procedures

If You Suspect Compromise

Step 1: STOP ALL ACTIVITY
  • Immediately stop using the compromised account/device
  • Don't try to "clean up" - you may make it worse
  • Don't login to check status
Step 2: Secure Offline Backups
  • If safe to do so, copy critical data to encrypted USB
  • PGP private keys
  • Cryptocurrency wallet seeds
  • Important contacts (encrypted)
Step 3: Burn the Bridge
  • Withdraw all funds from market
  • Delete account if possible
  • Destroy compromised device (physically)
  • Never use those credentials again
Step 4: Legal Preparation
  • Consult with lawyer (use encrypted communication)
  • Know your rights
  • Never talk to law enforcement without lawyer present
  • Exercise your right to remain silent

⚖️ Legal Reminder: This guide is for educational purposes. Understand the laws in your jurisdiction. If law enforcement contacts you, invoke your right to silence and immediately contact a lawyer specialized in cyber law.

✅ OPSEC Checklist