Blog
The Art Of Opsec
Â
Dark Web Opsec guide is an essential resource for anyone interested in exploring the dark web safely and securely. In this article, we provide a comprehensive guide to opsec (operations security) on the dark web, including the best practices and tools for protecting your identity and privacy.
Â
Â
Table of Contents
Â
1.1 - Who Am I?
Â
"I'm just another echo in the void."
Â
1.2 - Definition Of Operational Security
Â
By definition operational security was derived from military term procedural security, originated as a term that described strategies to prevent potential adversaries from discovering critical operations-related data. Which is an analytical process that classifies information assets and determines the control required to provide these assets.
You might wonder why I choose to write about both physical and digital operational security? Simplest answer is that they are intertwined and cant be separated in my opinion. If you have one but not the other it's just like you don't have any.
Â
2 - Misinformation Warfare
Â
2.1 - Ancient Misinformation
Â
Since the dawn of men, misinformation has been used as a weapon and the most effective at that. If you are a bookworm like me I suggest you read The Art of War by Sun Tzu, that book even after thousands of years since it was written has theories and practices that can be applied in the modern world. Why am I telling you this? Because we will kick this off with one of his quotes.
Â
Quote: Sun Tzu
Â
"All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near."
One of the most egregious examples of this takes us back to ancient Rome and to the very end of the Republic, when almost a century of civil war, chaos and political assassinations had led the Roman government to the brink of collapse. It was the time of the so-called Second Triumvirate. Around 2000 years ago, the Roman Republic was facing a civil war between Octavian, the adopted son of the great general Julius Caesar, and Mark Anthony, one of Caesar's most trusted commanders. To win the war, Octavian knew he had to have the public on his side, winning important battles helped, but if the people didn't like him, he would not be a successful ruler.
To get public backing, Octavian launched a fake news war against Mark Anthony. He claimed Anthony, who was having an affair with Cleopatra, the Egyptian Queen, did not respect traditional Roman values like faithfulness and respect. Octavian also said he was unfit to hold office because he was always drunk. Octavian got his message to the public through poetry and short, snappy slogans printed on to coins. Octavian eventually won the war and became the first Emperor of Rome, ruling for over 50 years. But, I digress so let's get back to what you came here for.
Today it's much easier to conduct misinformation warfare than 2000 years ago, obviously. Now, to skip history lessons and move to the modern era here is an example of misinformation. Markets that want to conduct exit-scam will usually disable withdrawals due to some technical problems on their end meanwhile keeping deposits working while they siphon funds to some off-site wallet.
Â
2.2 - How Are You Being Tracked
Â
In the dystopian society we live today, surveillance is a major part of how governments keep the common folk in line. To understand how we can use misinformation against them we first must understand how we are being tracked.
Entities that track us (government agencies, tech conglomerates and data mining companies) rely on you to leak little pieces of data which they use to profile you online and match the user-name to the actual user. It's a simple matter to match content in databases if there is some sort of index to the content. Most common pieces of data used to track you on clear-net and dark-net are:
- Names (both real and user-names)
- IP addresses
- Browser fingerprint
- E-mail address
- Location (exact or approximate)
- Phone numbers
- Date of birth (or any other PII)
- Stylometry
- Facial recognition
Â
It's important to understand that just by using two elements out of all of these is enough for them to track you. So your job is to deny them from getting two pieces of real data if you wish to stay anonymous.
Â
2.3 - How To Use Misinformation In Your Favor
Â
Okay, we know how we're being tracked. Let's briefly talk about how we can use misinformation to make it much harder for these entities to track you.
Â
- Names: Don't use your real name anywhere on the internet and avoid websites that require one. Relying on aliases, pseudo anonymous is better than being caught with your pants down.
Â
- IP Address: Mask your IP address by using Tor, VPN, VPS, RDP or proxies. Depending on what you're actually doing you might want to combine some of these. The point being use what's at your disposal to make their lives harder.
Â
- Browser fingerprint: This one is probably hardest to conceal if you are not a tech-wizard. But, you can always use several browsers with different plug-ins to make it appear as if you are several people.
Â
- Phone Numbers: Stop linking your personal phone number to services such as instant messengers, social media applications and two-factor authentication on services. Either go ahead and purchase a VOIP number with Crypto or use things such as YubiKey for-two factor authentication.
Â
- E-mail Addresses: Probably the easiest, use several emails under different names for different purposes. Keep things separate!
Â
- Stylometry: Is the application of the study of linguistic style. For example I can say 10% or 10 percent or ten percent. Each of these are different and can be used to mask your true identity. Also, when I wrote this post, I could have easily gone to some translation service and done this. Translate from English to Russian, Russian to Spanish, Spanish to Finnish, Finnish to English. This will tumble the text and make it very different (Stylometry wise) from what you originally wrote, you just have to spell-check it.
Â
- Deception and lies: Not the kind you're expecting. So let's say you're a Dread user and you want to mention a pet you have for making some point in a discussion. Now, it considered bad OPSEC to say Hey, I have a black cat!, instead say you have a white dog. That way you can still say my pet has done X, Y or Z. But without divulging actual Intel about you. Making such subtle changes to details is crucial if you want to stay hidden.
Â
Quote: Sun Tzu
Â
"Engage people with what they expect; it is what they are able to discern and confirm their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment that which they cannot anticipate."
Â
Everything I said here is a type of misinformation in one way or another. Using these techniques makes you appear as several individuals instead of just one. But all of these won’t help you if you don't make proper use of compartmentalization.
Â
2.4 Compartmentalization
Â
Why is Qubes OS considered one of the most secure operating systems available today? Because it makes use of compartmentalization. Keeping things separate is probably the best way to avoid anyone from tracking you.
What do I mean by that? Let's say you bought a burner phone and a SIM card, with cash, at a location with no security cameras and you plan to use it as a trap-phone. You can safely assume that the phone is anonymous as far as you're concerned. But, if you called your mother, spouse or child with that phone it instantly burnt. There is a log somewhere out there about that call and you can rest assured that it's going to be found by law enforcement.
Doesn't matter if you're a hacker, market admin, forum admin, regular user or just a privacy conscious individual, because this goes for everyone. Same way you dont tell your family you're selling cocaine online, apply that to every aspect of your digital life.
Â
Quote: Sun Tzu
Â
"If your enemy is secure at all points, be prepared for him. If he is in superior strength, evade him. If your opponent is temperamental, seek to irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. If sovereign and subject are in accord, put division between them. Attack him where he is unprepared, appear where you are not expected."
Â
Another example of compartmentalization is this. We all know all kinds of people, from junkies to guys with PhDs and even everything in-between. Everyone has a friend who they smoke weed with, friends they go out drinking with, friends who they can bring home to meet your parents, etc. This is how it's done. Some things in life simply don't mix. So don't mix your online identities, because if you do, sooner or later they will be tied together and back to you.
Â
2.5 Security Is Not Convenient
Â
As you could have deducted from everything I wrote, security is not convenient and you can't have it both ways. But applying these or similar patterns to your digital life will exponentially improve your operational security.
Keep in mind I haven't even scratched the surface, but said enough to get you thinking on your own OPSEC. Evade single point of failure, enforce the usage of PGP when transmitting important information, use full-disk encryption, change your passwords on regular basis, dont mix crime and personal life, use open-source software opposed to closed-source and most important thing keep your fucking mouth shut!
Nobody needs to know what you have done, what are you going to do, where your stash-house is, how much money or drugs you have and so on. A wise man once said, A fish with its mouth closed never gets caught.
Â
Â
3. D.U.M.B.
Â
This part is about physical operational security and you might wonder what D.U.M.B. stand for? It's quite simple, Deep Underground Military Bases. I used the as a reference of impenetrable building that your OPSEC should be. Because, it doesn't matter how good your digital OPSEC is if you physically are horrendous and vice versa.
Before I dive into this section anyone who has love for safe-cracking and lock-picking like me should definitely check out books written by Jayson Street called Dissecting the Hack: F0rb1dd3n Network and Dissecting the Hack: STARS (Security Threats Are Real) he does quite good job of explaining the importance of both digital and physical security and consequences disregarding any of the carries. Also, The Complete Book of Locks and Locksmithing, Seventh Edition and Master Locksmithing: An Experts Guide are fun reads filled with troves of information.
What is physical OPSEC (commonly referred to as analog) and why is it so important? Well, analog OPSEC is like when you're using markets to order some drugs, you don't leave that device logged in, and unattended, you don't leave your doors unlocked when you leave the house, all of that is analog OPSEC. People usually tend to disregard it as less important, but make no mistake it's as important as digital one.
Just like in digital, I can only give you suggestions and make you think, as every situation and threat model is different.
Let's make an assumption you're a dealer, you don't do markets, prefer the old fashioned way. Ill list some advices you might find usable:
Â
- Don't talk too much where your safe-house is, how much weight you have, are you armed or not, etc. All of these things can be a reason why you'll be abducted, tortured or killed.
Â
- Don't shit where you eat, don't slang dope in your own hood. That's just bad practice overall, move your business across town.
Â
- Don't be friends with clients, you can't be friends with addicts. They can be one or another, not both. Because addicts will roll over and sing if they are caught. Having an addict as a friend is a great way to ensure a long vacation at any correctional facility worldwide.
Â
- Knowing when to give up this is probably the most important, if something feels wrong, that's because it probably is. Trust your gut, know that stepping back isn't always a bad thing. As Frank Lucas was told by his supplier; Giving up and giving up while you're ahead is not the same Frank.
Â
- Don't work with a friend of a friend of a friend, they're probably undercover cops.
Â
- Think ahead Always, and I mean always have an exit plan. Whether it's a forged passport, 50k in cash and a ticket to some South African island that doesn't have an extradition treaty with anyone. Or a down-payment of a couple hundred thousands to the most expensive lawyer in the city. Just make sure you have a plan.
Â
These are just several things, to keep an eye out for. There is literally tons of more advice for various professions, but if I keep this up, I wont get to post it in time. Just keep in mind that anything can be broken into, hacked, lock-picked or exploited.
Â
3.1 Prime Examples Of OPSEC Fails
Â
Let's talk about some OPSEC failures. Because smart people learn from others' mistakes, not their own. Due to the fact that in lines of work on dark-net that might be your first and last one.
Â
3.1.1 DreadPirateRoberts (Ross Ulbricht) was a revolutionary, extremely intelligent but not necessarily smart at all. Among many stupid things he did are; using a miss configured CAPTCHA server extensive period of time, shipping contraband to his home address, advertising Silk Road on Shroomery using his own gmail address, befriending former undercover (corrupt) DEA agent (who later extorted him for money), keeping logs of all of his conversations and down to detail diary of this Silk Road adventures. But, the most fatal one was him not being aware of his surroundings. For the most part he operated Silk Road from the comfort of San Forensics Public Library, where he went wrong, sitting at a table with his back turned to the room. While two FBI agents staged a couple fighting, their colleagues swooped in from behind and grabbed the laptop before he could shut it off and trigger the encryption process. He basically documented all of his crimes among others so don't be DPR.
Â
3.1.2 Shiny Flakes (German Vendor) 20 years old who created one of the biggest cocaine trafficking operations in Germany at the time. Police confiscated more than half a million in various currencies and an ungodly amount of drugs, all stored in his bedroom. And his biggest OPSEC failure was he sent all his shipments from the same DHL outpost. He also stored everything in plain-text (orders, customers, financials, login credentials, etc.) on an unencrypted drive.
Â
3.1.3 Sabu (Hector Xavier Monsegur) LulzSEC forgot to use TOR to connect to an IRC server monitored by the FBI. They got his IP address from his ISP, one correlation attack later he was cuffed and gave up his friends in exchange for a plea deal. Dont be a snitch, own up to your fuck-ups.
Â
3.1.4 nCux / BulbaCC / Track2 (Roman Seleznev, Russian Carder) among many stupid things he did, was renting servers with e-mail addresses he used to open PayPal accounts, then used that PayPal to pay for his wifes flowers. But, that's not all. He traveled with his work laptop which contained hundreds of thousands credit cards, but that's not bad since he had encryption. Unfortunately, his password Ochko123 was guessed by law enforcement as it was the same on his e-mail I believe. So, dont carry your work when you travel, dont mix crime and love life, dont fucking re-use passwords. Dont be BulbaCC.
Â
3.1.5 Willy Clock (Ryan Gustefson, Ugandan Counterfeiter) reused personal email he used to apply for a US citizenship for a Face-book account he used to sell fake notes from. Also, uploaded his own picture to that account. I don't even have anything to say for this one.
Â
3.1.6 FrecnhMaid aka nob (DEA Agent from DRP case) used his work laptop to extort Ross Ulbricht, you can guess how that went. Among other things he moved that money to bank accounts under his own name, in countries with non-strict banking secrecy laws. He got what was coming to him.
Â
3.1.7 Alexandre Cazes (AlphaBay Admin) used a personal email address for AlphaBay password reset emails, kept all data stored in un-encrypted format on his device, and hosted Alphabay servers in Quebec, Canada under his own name.
Â
3.2 - Inevitable Fuck Up, Aftermath And Clean-Up
Â
This is the last chapter of this post touching the inevitable fuck up and what to do after. We are all human, which means sooner or later you will make a mistake. Will it be the end of you? It depends, but the main thing is knowing how to clean up your own mess.
Here is a recurring example of fuck up and how you may proceed afterwards, but keep in mind this is speculated situation and you must know I cant predict every possible outcome.
Controlled Delivery - is the situation when law enforcement seizes your order, but allows the post to go ahead with delivering your parcel in order to catch you in the act. Usually, to try and force you to flip. There are usually two outcomes to such a situation, if you have a couple of orders under your belt, it's taking suspiciously long for the parcel to be delivered and it was stationed for days at the same place.
You can either not know, sign for the package and get busted within seconds. Or you can deny receiving the package in which case they have nothing. Now, if you think it's a controlled delivery the best course of action is to remove any evidence of such activity from your devices and your home. Because, you can be certain that address is burnt and so are you.
What do I mean by purging evidence? Good old data shredders are always the way to go, but if you have some critical information that must never fall in enemy hands, the best course of action is always getting rid of the SSD/HDD in question. First, shred the data (recommended is at least 7 passes), then shred the disk. Usually, burning it crisp will do the job. It's always best to destroy devices so nobody can do forensics and dig up the data. Because no new shiny device (laptop, computer, hdd, ssd, etc.) is worth more than your freedom.
The point being, if something feels wrong it's because it probably is! Be vigilant, don't order to your home address, play the game don't let the game play you.
Published at : 03/04/2023