Security & OpSec Guide

The foundation of operational security begins with absolute separation. You must never mix your real-life identity (clearnet presence) with your Tor identity.

• Zero Reuse: Do not reuse usernames, passwords, or aliases from clearnet websites across darknet services.
• Data Sanitization: Never transmit personal contact information, cleartext emails, or identifiers through internal market messages.
• Dedicated Environment: Using dedicated operating systems such as Tails or Whonix is recommended. Isolation prevents local malware from establishing a bridge to your real identity.

The darknet is replete with "Man-in-the-Middle" (MITM) instances designed to intercept credentials and cryptocurrency deposits.

• PGP Verification is Mandatory: Verifying the PGP signature of the onion link against the market's master public key is the ONLY way to be absolutely certain you are communicating with the authentic infrastructure.
• Source Diligence: Do not trust links sourced from random clearnet wikis, unverified forums, or Reddit threads. Always cross-reference multiple independent verifiable archives.
• Credential Interception: A MITM attack silently proxies your connection, altering deposit addresses to point to an attacker's wallet. Without offline cryptographic verification, detection is improbable.

Default configurations are insufficient for elevated threat models. Modifying software parameters correctly prevents advanced fingerprinting.

• Security Level: Adjust the Tor Browser security slider to "Safer" or "Safest". This inherently disables features commonly exploited via 0-day vulnerabilities.
• JavaScript Execution: Rely on extensions like NoScript to disable JavaScript globally. If a market heavily relies on client-side scripts, weigh the risk carefully before enabling execution temporarily.
• Viewport Fingerprinting: Never resize your browser window. Maximizing the Tor Browser exposes your precise screen resolution, generating a unique hardware identifier.

Blockchain ledgers represent a permanent record. Tracing techniques are advanced and automated.

• Exchange Isolation: Never send cryptocurrency directly from a KYC-compliant exchange (e.g., Coinbase, Binance, Kraken) to a hidden service address.
• Intermediary Wallets: Always route funds through a personal, self-custodied wallet (such as Electrum for BTC or Monero GUI/Feather) before further disbursement.
• Asset Selection: The recommended standard protocol uses Monero (XMR) over Bitcoin (BTC). Monero's ring signatures and stealth addresses provide privacy by default, whereas Bitcoin is a transparent surveillance ledger.

"If you don't encrypt, you don't care."

Trustless infrastructure means assuming the server itself is compromised, monitored, or actively logging cleartext data.

• Client-Side Mandatory: All sensitive instructions, such as shipping addresses or personal notes, must be encrypted offline on your local machine using a trusted GPG application before ever pasting the ciphertext into the browser.
• Never Auto-Encrypt: Do not rely on server-side "Auto-Encrypt" checkboxes provided by basic market platforms. Using this feature transmits your data in plaintext across the network to the server, invalidating the purpose of asymmetric encryption.
• Key Rotation: Regularly rotate your own public PGP keys and routinely verify the vendor's key signatures independent of the marketplace interface.