Fixxx
Moder
In this article I will consider specific levels of danger and implement different approaches depending on your level of paranoia and your work device.
Technical Part
What do we have in terms of various software and hardware solutions? There's a great variety. I will briefly mention them now and then we will put together different usage scenarios like Lego blocks. Let's look at the pros and cons of technology combinations.
Operating Systems:
Regular - Ubuntu, Kali, Windows, Kodachi
Basic anonymous - Tails, Subgraph OS, GrapheneOS
Secure - Whonix, Qubes OS
Hardware: Purism Librem, Pixel, Alfa AWUS network adapter, simple laptops and phones
Specific software: GPG, VirtualBox, KVM, Xen, Jabber, Matrix, Session, VeraCrypt, LUKS, Remmina, MAT, Signal, Telegram, Tox, Bitmessage, Juggernaut, Conversations, Tor Browser, Firefox, rdesktop, Linphone
Tunneling Protocols: OpenVPN, WireGuard, Shadowsocks, V2Ray, VLESS, VMess, Trojan, Cloak, IKEv2, SSH
Anonymous Networks: Tor, I2P, Zeronet, Freenet
Cryptocurrencies:
Basic - Bitcoin, Litecoin, Ethereum, USDT (TRC-20), Solana
Partially anonymous - Zcash, Verge, Dash
Anonymous - Monero
Encryption Types: AES-256, ChaCha20, Twofish, Serpent, ZRTP (VoIP)
Let's consider setups from the most dangerous to the safest.
Setup 1
Windows with BitLocker encryption and Tor, and an iOS phone with a Tor browser. This setup is suitable only for office workers who have a curiosity about the darknet. Windows leaks tons of data about user activity, as does iOS. Using these systems in parallel with your main activities compromises your overall security.
Verdict: Not recommended for general use. Only suitable for elderly individuals exploring the darknet.
Setup 2
Windows with VeraCrypt + VirtualBox with Whonix in encrypted containers, and an Android device without Google services with full-system Torification or obfuscated protocols like Shadowsocks. If you are simply planning to purchase something illegal or explore certain activities, this setup may be acceptable at a basic level. However, relying on anonymity in Windows, even in a virtual environment, is quite challenging. The host OS itself, along with the constant compromises users suffer, poses a threat. The phone should only be used for messaging apps and for browsing sites in the Tor Browser without opening files, mainly for quick connections. The primary work should be done in the virtual machines on the PC.
Verdict: Not recommended.
Setup 3
Using Tails from a flash drive + Bitcoin + Telegram/Jabber
Verdict: This setup is acceptable for basic tasks. Remember that Bitcoin is a traceable cryptocurrency, so always launder any received funds.
Setup 4
Ubuntu Linux encrypted via LUKS + VirtualBox with Whonix in VeraCrypt containers + Monero. A VPN is configured on the host system via WireGuard, with V2Ray for obfuscation. Tor is used in the virtual machines. Within the Workstation virtual machine, an additional separate VPN or clean proxies are set up for browsers.
Verdict: This setup is suitable for maintaining anonymity. You can engage in risky activities and have a relatively clean IP address for websites. Just remember that the second VPN within Whonix is necessary to protect against dangerous Tor exit nodes. Therefore, choose a highly anonymous provider. Use torsocks to route specific applications through Tor streams if you need to separate activities.
Setup 5
Encrypted Linux (or Qubes OS) + Whonix on KVM (or Xen) + I2P, and Monero for cryptocurrencies. This setup is detailed in the Whonix guide on their wiki, especially the part involving I2P. You can run one anonymous network inside another and also work with Monero through onion domains.
Verdict: A very secure setup if you need to establish a closed communication network among members of a risky organization. With built-in services within I2P, such as email, messengers and torrents, you can remain completely anonymous.
Setup 6
A fully encrypted Linux system (or Qubes OS) running Whonix virtual machines connected via VPN+Tor; inside them you install Remmina or Remote Viewer and connect to a Whonix system on your server through SSH tunneled over Tor. The main work happens there.
Verdict: It might be slow but extremely effective. No system breaches or traffic analysis will compromise your anonymity. Even after a compromise, an attacker will only have access to the Tor virtual machine on the server.
Attack Vectors
In this chapter, we will discuss where attacks may come from and how they can de-anonymize you.
Knowing the potential sources can help determine the methods needed to maintain anonymity.
Firstly, let me briefly mention the tools available for identifying you:
Vulnerabilities: In the operating system, messenger apps, devices, protocol implementations, websites, browsers, encryption.
Social Engineering: Calls, messages, fake websites, colleagues, customers.
Embedded Backdoors: In the OS, hardware, applications.
Personal Connections: Your colleagues, employees, friends, acquaintances.
Identifiers and Fingerprints: MAC address, IMEI, phone number, IP address, browser fingerprint, canvas fingerprint, voice print.
Global Technologies: Facial recognition using neural networks, traffic and delay analysis, the "14 Eyes" countries and their mass surveillance.
Human Factor: Errors leading to de-anonymization.
Financial Trail: Cards, transfers, cryptocurrencies with public blockchains, taxation.
Examples of Attacks:
Attack 1
A colleague from the networking team contacts you, sending a link to important information. You open the link and are prompted to download a document. After downloading and opening it on your system, your information is leaked or a backdoor is installed. The document may appear legitimate and antivirus software may not detect anything.
Precautionary Measures:
Open any files or links in a virtual machine, especially if the sender is associated with risky activities, even if they are familiar to you.
Attack 2
You are involved in an anonymous illegal project. However, you also use popular banking apps in your daily life and consent to their collection of voice prints. While communicating with clients, you occasionally use voice messages. Later, when someone tries to identify you, they download your voice messages and, using administrative access to such resources, match them against your voice print.
Precautionary Measures:
Never engage in voice communication in risky network activities.
Attack 3
You admire a particular singer and create nicknames based on their name and a few numbers. Your competitor decides to expose you and hires a professional online detective. The detective uncovers publicly available information about you and runs it through various lookup bots. They find your old nickname on a music streaming service and gradually trace the chain back to your real name.
Precautionary Measures:
Avoid any overlap between email addresses, names and titles with your real interests.
Attack 4
A new vulnerability is discovered in the Jabber client you use. You believed you were very clever and were using an excellent encrypted messenger. However, you were hacked, and your system was compromised.
Precautionary Measures:
Always update your software as frequently as possible. Additionally, use risky programs related to your activities only through a virtual machine. This way, at least you are not risking de-anonymization.
Attack 5
You bought yourself a new VPN server for risky activities. The provider seems reputable, and payment was made with cryptocurrency. However, the police unexpectedly show up at your door. Where did you go wrong?
Precautionary Measures:
Verify the location of the server, who owns it and in which jurisdiction it operates before relying on it; in this scenario, that is what you failed to do.