Being a cybercriminal is hard. Once you reach a level of notoriety, any number of well-funded agencies may be hot on your tail. Some people might think that the power of encryption and anonymity technology like Tor could be enough to hold the cops off. But they would be wrong.
The real "professionals" also rely on a high standard of operational security, or "OPSEC" for short. This is essentially the practice of keeping your sensitive work safe, and often boils down to having smarts and being disciplined, rather than anything specifically technological.
One alleged dark web veteran has laid out his own OPSEC advice for the hacker zine 2600.
The writer claims to be "Nachash," the screenname of the former administrator of Doxbin, a site where the personal details of tens, perhaps hundreds, of thousands of people were hosted. These included the Social Security numbers of celebrities, and the dox—slang for personally identifying documents—of hackers, gamers, and pretty much anyone who ever pissed off a member of 4chan, the infamous internet message board cum troll hub.
Doxbin was shut down as part of Operation Onymous, a law enforcement effort that targeted a few dozen dark web sites including the successor to the Silk Road drug market, whose alleged operator at the time was arrested.
"Because I managed to not get raided, I'm one of the few qualified to instruct others on hidden services and security, simply because I have more real-world experience operating hidden services [dark web sites] than the average tor user," Nachash writes.
Although I have interacted with Nachash previously, at the time of writing he hadn't responded to messages asking to confirm that he had indeed written this advice. A Twitter account that has previously been associated with Nachash tweeted the guide.
Nachash starts the OPSEC section of his guide with a stark warning. "This section is critical, especially when things start to break down. If everything else goes bad, following this section closely or not could be the difference between freedom and imprisonment," he writes.
"If you rely only on Tor to protect yourself, you're going to get owned and people like me are going to laugh at you."
The first tip is to not mix your dark web identity with your real one. You shouldn't work "from your mother's basement, or any location normally associated with you," and "don't talk about the same subjects across identities and take counter-measures to alter your writing style," Nachash writes.
This practice of keeping identities separate is known as "compartmentation" (or compartmentalization), and it is often where cybercriminals fail. The alleged Silk Road 2 creator arrested as part of Operation Onymous registered the server space for his site with his personal email address. This is similar to a mistake made by Ross Ulbricht, the recently convicted owner of the first Silk Road: posting under the same handle he had used to advertise the site, he signed off a message with a Gmail address that included his real name. One leak of that kind is enough to tie a pseudonym to a person, regardless of how well the rest of the infrastructure is hidden.
Next, Nachash writes, "Don't log any communications, ever. If you get busted and have logs of conversations, the feds will use them to bust other people." It's also likely that these logs, if incriminating, could be used against you in court. This is exactly what happened to Ulbricht: he had reams of chat logs between him and his associates stored on his laptop, and he also kept a diary of many of his illegal actions.
When chatting, try to give out snippets of disinformation, Nachash continues. "Make sure that if you're caught making small talk, you inject false details about yourself and your life." This is so that a profile of you cannot be pieced together from stray details and used to track you down.
This is advice that hacktivist Jeremy Hammond didn't follow: while talking to "Sabu," a member of the hacker group LulzSec who by that point was working as an FBI informant, Hammond gave away indications of his lifestyle, such as that he went dumpster diving. Court records suggest this information helped the FBI to track him down.
Even if you get this far, and happen to start actually making money on the dark web, you shouldn't then start flaunting your cash. "Living beyond your means is a key red flag that triggers financial and fraud investigations," Nachash writes.
In sum, as Nachash puts it: "If you rely only on Tor to protect yourself, you're going to get owned and people like me are going to laugh at you."
Or in other words, technology is not a fail-safe. If you want to remain pseudonymous online, you have to keep your separate lives entirely apart and follow some other, non-technical rules too. If you don't, you are going to get caught, no matter how much fancy encryption you layer on your communications.