![Aeon Flex, Elriel Assoc. 2133 [NEON MAXIMA]](https://miro.medium.com/v2/resize:fill:88:88/1*ewo3-1c0qY57bCDWa3tdUA.png)
The truth is boring. Tor works. Your OpSec does not. The FBI does not have a magic "unmask Tor" button. What they do have is a highlight reel of your own mistakes, lovingly packaged by you, timestamped, and left in three different jurisdictions.
I have watched good hackers, activists, and paranoid nerds burn because they thought "running Tor Browser" was a personality. It is not. It is a tool. You can use a hammer to build a house or to smash your thumb. Most people choose the thumb.
This is the field guide I wish someone had shoved in my face before I learned things the hard way. Read it. Get mad. Then fix your setup.
1. Tor is not your invisibility cloak
Let's kill the main fantasy first. Tor does not make you invisible. It makes you one of 2 million people per day. That is its power. You are not hidden. You are hidden in a crowd.
The second you act different from the crowd, you stand out. Use Tor Browser at its default window size and you are one dot among millions. Resize it to your weird ultrawide and you are now the only person on the network with that exact canvas fingerprint.
Congrats. You played yourself.
Rule: If Tor Browser yells at you for changing something, believe it. Those warnings were written in the blood of people who clicked "don't show this again."
2. Your biggest threat has a first name
It is you.
Not the NSA. Not some zero day. You.
Every major Tor bust I have studied in the last ten years came down to correlation. Not crypto breaks. Not magic. Just someone doing something dumb outside Tor that matched something they did inside Tor.
The pattern is always the same. People treat Tor like a switch they flip. "I am anonymous now" click. Then they flip it off and go back to posting on Reddit with the same writing style, same interests, same 3am sleep schedule.
Rule: OpSec is not a tool. It is a lifestyle. If your anonymous self and your real self can be linked by behavior, you have already failed. Tor just delays the inevitable.
3. The browser is the easy part
Download Tor Browser. Use it. Done. That was the easy 5 percent.
The other 95 percent is everything you do around it. Your habits. Your hygiene. Your unwillingness to admit that convenience is the mind killer.
Here is the threat model nobody wants to hear:
…you are probably not fighting a nation state.
You are fighting your own laziness, your hosting provider's billing department, and a detective who has 200 open cases and really wants to close yours before lunch.
They win by waiting for you to slip. You will.
The Core Sins
I see these constantly. If you do any of these, you are cosplaying as private, not practicing it.
Sin 1: Mixing identities You check your personal Gmail. Then you open Tor to do your "secret thing."
On the same machine. On the same network….Within ten minutes of each other.
Congrats. You just gave an analyst a timing correlation gift. Your ISP, the VPN company, and Google all know when you are awake. Now they know when your "anon self" is awake too.
Fix: Airgap your lives. Different hardware for sensitive work. If you cannot afford that, use Tails or Whonix on a USB. Qubes if you like pain. Never mix streams. Your meme account and your revolution account should not share a keyboard.
Sin 2: DNS leaks and time leaks Tor handles your TCP traffic. It does not fix your OS blurting out DNS requests because your Discord client auto updated. It does not fix your system clock being 3 hours off because you dual boot and Windows is drunk.
Tor exit nodes see your traffic. If your clock is skewed, your TLS handshakes look weird. Weird is identifiable.
Fix: Use Tor Browser in Tails or Whonix. They force all traffic, including DNS and UDP, through Tor. They also sync your clock safely. If you raw dog Tor on Windows, you are asking for a correlation attack.
Sin 3: Browser fingerprinting You installed three extensions. You set a custom theme. You run at 144Hz so you turned off letterboxing. You are now a snowflake.
Tor Browser ships with a specific fingerprint that millions share. Every change you make reduces that anonymity set. JavaScript is the worst offender, but even CSS can rat on you.
Fix: Default settings. Default window size. No extensions. No extra fonts. If you need to read something, copy the text into a local editor. If a site breaks with NoScript, decide if you need that site more than you need freedom.
Sin 4: The exit node problem Exit nodes can see your traffic. If you send http:// instead of https://, the exit can read everything. Even with https, the exit knows what domain you visited.
Malicious exits are real. They inject ads, steal passwords, and run sslstrip attacks. In 2020, one actor ran 23 percent of exits.
Fix: Onion services. When a site has a .onion, use it. Traffic never leaves the Tor network. No exit node involved. No DNS. No TLS CA nonsense. End to end encryption by default.
Also, HTTPS Everywhere is dead because browsers do it now, but the principle stands.
If a site does not have HTTPS in 2026, do not log into it. Ever.
Sin 5: You talk too much Your writing style is a fingerprint. Your vocabulary, your emoji choices, your line breaks. Stylometry tools are scary good now.
Fix:If you need serious compartmentation, change how you type. Use different slang. Different punctuation. Or better, do not post publicly on both accounts. The best OpSec is shutting up.
4. Bridges, VPNs, and other religious wars
"Should I use a VPN with Tor?" This question starts fistfights at DEF CON. Here is the boring answer: it depends on your threat.
Tor only Your ISP sees you are using Tor. In most countries, that is legal and not interesting. The Tor guard sees your IP but not your destination. The exit sees your destination but not your IP. This is the default and it works.
VPN then Tor
You → VPN → Tor.
Your ISP sees VPN traffic. The VPN sees your IP. Tor guard sees VPN IP. This hides Tor use from your ISP, which matters if you live somewhere that arrests people for Tor. Downside: you just added a permanent "please subpoena me" company to your path. Pick a VPN that actually fights warrants. Most do not.
Tor then VPN
You → Tor → VPN.
Terrible for anonymity. The VPN now sees your traffic and you paid them with your credit card. The exit node still exists, you just changed who runs it. Do not do this unless you deeply understand why.
Bridges If Tor is blocked, use a bridge. Obfs4 or snowflake make your traffic look like something else.
Request bridges from https://bridges.torproject.org and do not share them. If you reuse the same bridge for years, it becomes a fingerprint.
Rule: Do not stack tools because a YouTube video told you to. Every hop adds latency and complexity. Complexity breaks. Draw your threat model. If you cannot explain why each hop exists, delete it.
5. Your phone is a narc
You installed Tor Browser on Android. You feel safe. Then Google Play Services uploads your location, your WiFi names, and your app list to Mountain View.
Mobile OSes are hostile to privacy. They have radios you cannot turn off. They have baseband chips with proprietary blobs. They back up your clipboard to the cloud.
Rule: Sensitive work happens on a laptop running Tails. Period. Your phone is for calling your mom and ordering pizza. If you must use mobile, use GrapheneOS with Orbot and never log into anything that touches your real identity. Even then, assume it leaks.
6. Money is the death of OpSec
Bitcoin is not anonymous. It is a public ledger with your crimes written in permanent ink. Chainalysis exists because of this.
Every "anonymous marketplace" bust worked the same way. They followed the money. DPR reused addresses. AlphaBay's admin reused a personal email for the welcome messages and cashed out to a bank account.
If your OpSec plan involves crypto, you need to understand UTXOs, coin control, and why exchanges do KYC.
If you do not, you are just pre filing your evidence.
Rule: Monero is better but not magic. If you convert BTC to XMR on a KYC exchange, you are still linked. If you need to handle money anonymously, that is a whole separate field guide. Assume you will mess it up.
7. The physical world wins
You can have perfect digital OpSec and still get vanned because your camera has EXIF GPS. Or because you logged into your secret XMPP account from the airport WiFi and the camera caught your face.
Ross Ulbricht was arrested on October 1, 2013 at the Glen Park branch of the San Francisco Public Library while he was logged into Silk Road as "Dread Pirate Roberts". FBI agents staged a distraction with two agents pretending to argue, then grabbed his open laptop before he could close it or encrypt it.
Rule: Look around you. Cameras are everywhere. Microphones are everywhere. Your laptop has a serial number and that serial number was on your Amazon receipt. Buy used, with cash, from a person who does not know you. Or accept that your hardware is dirty and act accordingly.
8. A realistic threat model for 2026
You are not Snowden.
Your adversaries are:
1. Corporate ad tech: They want to link your Tor session to your real identity to sell you shoes. They use cookies, fingerprinting, and data brokers. Defense: Tor Browser defaults, uBlock in normal browsing, separate devices. 2. Local law enforcement: They want to close cases. They use subpoenas, IP logs, and your mistakes. Defense: compartmentation, no mixing, no talking, no logs. 3. Random criminals: Exit node operators, malware, phishing. Defense: onion services, HTTPS, verify signatures, Qubes or Tails.
Nation states are in the mix, but if the NSA is personally targeting you, you already lost. Sorry. Go read the Grugq and prepare for a long vacation somewhere without extradition.
9. The actual field checklist
Stop reading guides. Start doing this. Tonight.
Hardware - Buy a used ThinkPad. Old T480s are fine. - Pull the battery and SSD. Flash a new os/firmware if you are paranoid. - Never connect it to your home WiFi.
Software - Install Tails on a USB. Verify the GPG signature on a clean machine. - Boot Tails. Set a strong admin passphrase and write it down physically. - Use Tor Browser at default settings. Never maximize.
Network - Use public WiFi you have no link to. Libraries. Coffee shops without cameras. - Never use the same place twice. - Wear a mask and a hat if your country is like that. I am not joking.
Behavior - One identity per machine. - Write your posts in a text editor first. Check for slang. - Never check personal accounts. Never check the weather. - Set time zones to UTC. Speak in UTC. Sleep schedule should be random. - Pay for nothing. If you must, use prebought cash vouchers and Monero, and accept the risk.
Exit plan - Have a way to nuke the USB in 2 seconds. - Memorize nothing. Write passwords on paper and eat them if needed. - Assume every op is burned. Rotate identities every few months.
If that list sounds exhausting, good. OpSec is. That is why people fail at it. It is not a script you run.
It is a second job.
10. Tor is fine. You are the problem.
Tor had issues.
V3 onion services fixed a lot of them.
The network is faster. The DDoS attacks got mitigated. The 2021 deanonymization paper required an adversary who controlled huge chunks of the network and a user who made mistakes.
The tools are not what they were in 2013. But the users are.
We still reuse passwords. We still log into Facebook to "just check one thing." We still think we are smarter than the detectives who do this for a living.
You do not beat a surveillance state with software. You beat it by being boring. By being consistent. By being so disciplined that watching you is a waste of their budget.
Most people cannot do that. That is fine. Not everyone needs to. But if you are going to play this game, play it for real.
Because Tor isn't dead.
It is just tired of getting blamed for your OpSec.
Get your house in order. Or get a lawyer on retainer. Your call. ❤
-::- Further reading for people who actually want to learn:
- Tails documentation. Read it all. Twice. - Whonix wiki. Especially the "Do Not" list. - The Grugq's OpSec posts. Old but gold. ❤ - EFF's Surveillance Self Defense. - The Tor Project blog. Real updates, not drama.
And if you ignored everything else: never mix identities. That one rule would prevent 80 percent of burns.
If you made it this far, then check these out. My latest guides on… Well, you'll just have to see for yourself. This week's release has quite a few… Questionable… *mumble mumble*… *grumble grumble*……
…..Stay safe. Or at least… stay interesting.
