Tor is a powerful tool for online anonymity, but it's not foolproof. Several cases demonstrate how poor operational security (OPSEC) can lead to the unmasking of Tor users, even when engaging in illegal activities. Here are some notable examples of bad Tor OPSEC:
A high school student in Florida used Tor to access a dark web marketplace and purchase bomb threat services. His OPSEC failures included:
- Bragging about his actions to friends
- Repeating the offense multiple times
- Leaving evidence of dark web access on his phone
- Confessing to the police when confronted
Eldo Kim, a Harvard student, emailed bomb threats over Tor to avoid taking exams. His OPSEC mistakes were:
- Using the school network to access Tor
- Being the only Tor user on the network at the time of the threat
- Admitting to the crime when questioned by police
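The Harvard case turned on the network's own connection records: Tor relay addresses are public, so a campus security team can list which internal hosts reached a relay around the time the threat arrived, and if that list has one entry the "anonymity set" was one person. The script below is an added illustration of that check, not code from this post or from any named tool; the relay addresses, flow records and event time are constructed, and it goes slightly beyond the text by showing how the candidate set grows as the time window widens.

```python
from datetime import datetime, timedelta

# Constructed sample data. A real deployment would load relay addresses from the
# Tor consensus; these RFC 5737 documentation addresses stand in for them.
TOR_RELAY_IPS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}

# Constructed flow records from a campus network:
# (timestamp, internal source host, destination, destination port)
FLOW_LOG = [
    ("2024-01-15 08:05:12", "10.20.1.14", "192.0.2.50", 443),      # ordinary web traffic
    ("2024-01-15 08:18:40", "10.20.3.77", "198.51.100.10", 9001),  # default Tor ORPort
    ("2024-01-15 08:19:03", "10.20.3.77", "198.51.100.10", 9001),
    ("2024-01-15 08:41:55", "10.20.5.9", "203.0.113.5", 443),      # relay listening on 443
    ("2024-01-15 09:30:00", "10.20.1.14", "192.0.2.50", 443),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def tor_users_in_window(flows, relay_ips, event_time, window_minutes):
    """Return the sorted list of internal hosts that contacted a known Tor relay
    within +/- window_minutes of event_time. The length of that list is the
    anonymity set the Tor user actually had on this network."""
    lo = event_time - timedelta(minutes=window_minutes)
    hi = event_time + timedelta(minutes=window_minutes)
    hits = set()
    for ts, src, dst, _port in flows:
        t = parse_ts(ts)
        if dst in relay_ips and lo <= t <= hi:
            hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    event = parse_ts("2024-01-15 08:20:00")  # constructed: when the threat e-mail arrived
    for w in (10, 30):
        hosts = tor_users_in_window(FLOW_LOG, TOR_RELAY_IPS, event, w)
        print(f"+/-{w} min: {len(hosts)} Tor-connected host(s): {hosts}")
```

With a ten-minute window the constructed data yields a single host; widening it to thirty minutes adds a second, which is exactly why having other Tor users on the same network at the same time matters.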
Ross Ulbricht, alleged operator of the Silk Road dark web marketplace, made several OPSEC blunders:
- Using his real-name email ([email protected]) in forum posts seeking IT help
- Posting on Stack Overflow about Tor hidden services under a username later linked to Silk Road
- Mentioning Tor and Silk Road to customs officials when caught with fake IDs
- Failing to protect the real IP address of Silk Road servers
Members of the LulzSec hacking group made various OPSEC mistakes:
- Discussing operational activities in IRC channels
- Revealing personal information, allowing profiling
- Using stolen credit cards for purchases shipped to their own addresses
- Trusting individuals who were working with the FBI
Other examples of poor OPSEC when using Tor include:
- Contaminating identities by not maintaining compartmentalization
- Failing to keep sensitive information confidential
- Using predictable naming conventions for usernames, code, and passwords
- Maintaining consistent working hours that can be traced to a specific time zone
- Leaving command-and-control servers unsecured, exposing sensitive data
A few lists I found on GitHub:
https://github.com/jermanuts/bad-opsec
Another one I'd like to add is Mullvad and its features:
Mullvad VPN offers several features that prioritize user privacy and security:
- Anonymous account numbers: Mullvad generates random 16-digit account numbers, eliminating the need for personal information like email addresses or usernames.
- Strong encryption: Mullvad uses AES-256 encryption for OpenVPN and ChaCha20 for WireGuard connections.
- No-logs policy: Mullvad has a strict no-logs policy, verified by independent audits.
- Lockdown mode: This feature blocks internet connections not secured by Mullvad's servers.
- DNS content blockers: Users can restrict access to ads, adult content, malware, and more.
- Open-source software: Mullvad's commitment to transparency includes making their software open-source.
- Cryptocurrency such as Monero: Mullvad accepts Monero, a private cryptocurrency that can be mined on a person's own node; they also accept cash payments or deposits sent by mail.
However, I'd like to point out that even with services like Mullvad you'd still get caught in some circumstances, even with a no-log policy. Humans can deduce and figure stuff out on their own; machines cannot and have to be guided. None of these tools are foolproof, and the issue will exist between user and keyboard.