Operational Security

Mandatory protocols for safe navigation of encrypted platforms. Mistakes in operational security directly result in compromised identities and loss of funds. Read and implement these directives before proceeding.

1. Identity Isolation

Complete segregation between your real-life identity (clearnet) and your Tor identity is the foundation of operational security. Cross-contamination is the primary vector for deanonymization.

  • Zero Reuse: Never reuse usernames, passwords, or PGP keys from clearnet sites, forums, or previous darknet accounts.
  • Information Blackout: Never share personal contact info, real names, geographical hints, or social media handles.
  • Dedicated Environment: Conduct all research and platform interaction strictly within the Tor Browser or a dedicated TailsOS environment. Never open downloaded files while connected to the internet.

2. PGP Encryption (The Golden Rule)

"If you don't encrypt, you don't care."

PGP (Pretty Good Privacy) is non-negotiable. It ensures that only the intended recipient can read your communications.

  • Client-Side Only: All sensitive data (such as shipping addresses) MUST be encrypted client-side (on your own local computer using Kleopatra or similar software) BEFORE pasting into any website.
  • Never Use Auto-Encrypt: Do not use the "Auto-Encrypt" checkbox provided by any marketplace interface. Server-side encryption requires you to trust the server with plain-text data, defeating the purpose of PGP.
  • Key Management: Back up your private key securely. Treat your private key passphrase as highly sensitive material.

3. MitM Defense & URL Verification

Man-in-the-Middle (MitM) attacks occur when an attacker intercepts your connection by providing a deceptive URL that mirrors the target platform. The deceptive site acts as a malicious proxy to capture your credentials and funds.

  • Signature Verification: Verifying the PGP signature of the `.onion` link against the platform's known public key is the ONLY secure method to confirm authenticity.
  • Zero Trust Policy: Do not trust links sourced from unverified wikis, public forums, chat groups, or Reddit communities.
  • 2FA Requirement: Always enable PGP Two-Factor Authentication (2FA) for your account. This prevents an attacker from logging in even if they capture your password.

Example Verifiable Link Format:

nexusacbesqtn3yorsycg27ivjn37qu7laqgkzutd3m5njqmaxpdiqid.onion

Always cross-reference the URL in your address bar with your verified local records.
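
One way to automate that cross-reference, as an added example that is not part of the original guide: it checks that the address-bar host is a well-formed v3 onion name and that it matches a locally pinned record exactly, character for character. The function names, the 8-character lookalike prefix and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def onion_host(url_or_host: str) -> str:
    """Lower-cased hostname from a URL or bare host, as copied from the address bar."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()

def v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname (Tor rend-spec-v3)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def is_well_formed_v3(host: str) -> bool:
    """True if host is exactly <56 base32 chars>.onion with a valid checksum and version."""
    label, _, tld = host.rpartition(".")
    if tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    return v3_address(raw[:32]) == host

def check(address_bar: str, pinned: set) -> str:
    """Classify the address-bar host against locally pinned, signature-verified hosts."""
    host = onion_host(address_bar)
    if not is_well_formed_v3(host):
        return "malformed"
    if host in pinned:
        return "match"  # the full 56-character name is identical
    # Assumption: same first 8 characters but a different remainder is a lookalike,
    # since a glance at the start of the address would not tell the two apart.
    if any(host[:8] == p[:8] for p in pinned):
        return "lookalike"
    return "unknown"

# Constructed sample record; a real one comes from a link whose PGP signature you verified.
PINNED = {v3_address(bytes(range(32)))}

if __name__ == "__main__":
    lookalike = v3_address(bytes(range(5)) + bytes(27))  # constructed, shares the prefix
    for candidate in (*PINNED, lookalike, "example.com"):
        print(candidate, "->", check(candidate, PINNED))
```

A well-formed address says nothing about who controls it, since every onion service has a valid checksum; only the exact match against a signature-verified record counts.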