OPSEC is all about keeping control of your information: making sure you only reveal what you intend to, how you act online, and where your data goes. This isn't a secret guide to vanishing; it's more of a chat about how to stay off the radar without going overboard.
In short, it's about:
- Spotting the things that give you away, and understanding how small leaks add up to big exposures.
- Keeping your life clean by managing your habits, using encryption wisely, and blending in with the everyday joe.
The goal isn't to be invisible; it's to be unremarkable. By keeping your routine normal and your online actions regular, you avoid drawing attention. Essentially, if you act like everyone else, there's less reason for anyone to zero in on you.
Let's go over a few key intel disciplines. These are the core methods used to gather and analyze intelligence, and I'll be referring to them throughout. If you want to stay off the radar, you need to understand the tools the hunters use.
HUMINT
Human Intelligence. The oldest game in the book. People think HUMINT is all spies in the shadows, covert drops, and dead-letter boxes, but the reality? Most of it happens in broad daylight. Diplomats, military attachés, defectors, interrogations: this is where the bulk of HUMINT plays out.
Long before SIGINT and electronic surveillance took over, HUMINT was the foundation of intelligence work. Even now, for nation-states and agencies, human sources remain a critical asset. Why? Because at the end of the day, all intelligence comes back to people, and people leak.
Which brings us to SIGINT.
SIGINT
Now, switching gears to SIGINT: Signals Intelligence. While HUMINT gathers insights from people, SIGINT deals with signals and data. It's about intercepting communications, whether they're voice transmissions, encrypted radio signals, emails, instant messages, Morse code, or even legacy systems like fax and teleprinter signals. SIGINT isn't some mysterious art; it's a practice grounded in recognizing patterns, such as repeated logins from new IPs or metadata that links your "anonymous" presence back to your real identity. If you're curious, the branches COMINT (communications), ELINT (electronic emissions such as radar) and FISINT (foreign instrumentation signals) offer even more nuance, but the key takeaway is that SIGINT is all about the digital trails we leave behind.
And then there’s the one everyone knows…
OSINT
Open Source Intelligence.
OSINT is about pulling intel from publicly available sources. Mapping targets, identifying vulnerabilities, tracking individual operators - all without touching a classified system.
People love to post all kinds of shit online. It's the lazy goldmine.
Social media, research papers, forums, public databases: all of it is a goldmine for those who know where to look. In today's digital age, data is everywhere, and adversaries know how to weaponize it.
Done right, OSINT can:
- Uncover sensitive R&D projects
- Map out infrastructure
- Track movement in real time
- Predict future operations based on leaked data, job postings, and research papers.
OSINT kills OPSEC when:
- Your “burner” Twitter likes match your personal account’s niche hobbies.
- A Strava run maps to a “secure” facility.
- A whitepaper you wrote cites internal project codenames.
The beauty of OSINT? Cheap, low-risk, and often the first layer of intelligence gathering in any operation.
The downside? Misinformation, deception campaigns, and censorship muddy the waters. Not everything in the open-source world is reality.
Passive Exposure
Threat Mapping
- Who’s paying attention — governments, corporations, bored researchers
- What are they after — personal data, habits, location, maybe just building profiles
- What’s the real risk — getting doxxed, facing legal trouble, burning your op
- What’s your goal — staying anonymous, protecting privacy from certain players, or just not landing on anyone’s radar
What level of adversary are you dealing with: random script kiddies, or someone sitting in a SIGINT unit upstream? Identify your exposure points across every layer: physical access, network traffic, your devices, your infrastructure.
OPSEC is tricky because it's not a one-size-fits-all checklist; it's a process. It adapts to whatever operation you're running and is built to protect what matters most. Everyone's working with a specific threat model, so the approach shifts. But generally, it boils down to five steps:
- Identify critical information (the CALI model: Capabilities, Activities, Limitations, Intentions). You need a crystal-clear understanding of what absolutely needs protecting to keep the op in play. What gets burned if it leaks? Is it your source IP, your tools, your C2 infrastructure, or your physical location? No guesswork. Define it, and define it sharp.
- Threat analysis. Map out who's out there and what they want. This is where threat intel and your red team mentality collide. What actors are in your environment? If you're running malware collection or exploitation for intel, exposing your source IP or fingerprint can kill the whole operation. One slip, and you've just tipped off a target or exposed your entire network.
- Vulnerability analysis. Threats are mapped; now look for your weak spots. Where's the real exposure? What's the easiest target for the adversary to exploit? Maybe your automated sample collection is leaking metadata. Maybe someone inexperienced detonates malware from an unprotected sandbox. This is where you list out every flaw that could be exploited to compromise your operation.
- Risk assessment. Take everything you've gathered and build out your risk matrix. How likely is each of these vulnerabilities to be exploited, and what's the impact if it is? What happens if an adversary compromises your C2 infrastructure or traces your source IP? Identify what breaks if something goes wrong.
- Apply OPSEC measures. Now it's time to plug the holes, but do it realistically. Implement what makes sense for the op. Don't get caught up in generic OPSEC advice from random forums; this isn't one-size-fits-all. The goal is to mitigate your specific risks and protect what matters. Keep it targeted. Keep it effective.
Where the Hunt Begins
So you connect to the internet.
From that moment, your device starts bleeding identifiers: quiet, passive, constant. Not because you've made a mistake, but because that's how the internet was designed to work. Open protocols, efficiency over privacy, everything built to connect, not to protect.
Most people think tossing a VPN into the mix or firing up Tor turns them invisible. But all that really happens is the attack surface shifts. Instead of your ISP seeing the traffic, it’s now your VPN provider or the Tor entry node watching the door. Someone always has a vantage point.
The moment your device makes that first outbound connection, layers of metadata start leaking before encryption even kicks in. It’s not just what you send, it’s how you reach out.
- Your ISP logs the connection itself: timestamps, destination, volume.
- Your DNS resolver tracks every domain request: what you're querying and when.
- The TLS handshake leaks a fingerprint: the cipher suites, extensions and their ordering that your client offers (what JA3-style hashes summarize) identify the client software, and a mismatch between that and the browser you claim to be stands out.
- Your browser bleeds system-level identifiers: screen size, plugins, fonts, OS version.
- Even packet timing, retransmissions, and TCP quirks form a unique network signature.
It's a full stack of exposure points, none of it reliant on content, all of it metadata.
[foo's Device]
|
|--- DNS Request ---> [ISP DNS]
| |
|<-- IP Address ---------|
|
|--- TCP Connection ---> [Web Server]
| |
|<-- Response ------------
Then there's DNS, the quiet backend translator turning example.com into an IP address. Most people never think about it, but DNS is one of the loudest leaks in your entire stack. By default, your ISP controls your resolver. That means every domain you hit, every search, every link: it's logged, profiled, stored.
And worse? Traditional DNS queries move in plaintext on UDP port 53. A VPN hides your IP from the sites you visit, but if your DNS queries escape the tunnel (a common misconfiguration, and the default behaviour of plenty of clients) they're still whispering your entire browsing history to whoever's upstream. Tor Browser resolves names through the exit relay, so on Tor the leak comes from applications that bypass the Tor proxy and ask the system resolver directly.
So, how do you choke off that leak?
- Route DNS through encrypted channels: DNS over HTTPS (DoH) or DNS over TLS (DoT).
- Use hardened services like NextDNS or 1.1.1.1 that minimize logging and support encryption. You are still trusting the resolver operator; you have only chosen who that is.
- Better yet? Run your own DNS resolver, containerized, isolated, under your control. Stack it behind your VPN or inside your lab environment. Keep in mind that a recursive resolver talks to the authoritative servers in plaintext from its own IP, so it belongs behind the tunnel, not beside it.
- Whatever you pick, verify it. A VPN client that leaves the system resolver pointed at your ISP, or an application that ships its own resolver, will leak around the tunnel no matter what the settings page says.
- https://www.cloudflare.com/learning/dns/what-is-dns/
- IP Address - Wikipedia
Alright, now that we've got a solid grip on the fundamentals, let's dig into something you've probably heard tossed around: VPN over Tor.
This isn't beginner territory, so I'm gonna assume you've got some baseline knowledge if you're here reading this. You didn't just stumble into this by accident. But if this is all new to you or you wanna brush up, I'm dropping a couple of solid sources below. Start there:
Sources:
Let’s Clear a Few Things About VPNs
All your traffic is exposed — Wrong. Most of the internet runs on HTTPS now. Unless you’re on sketchy sites still using HTTP, your data’s already encrypted.
VPNs don’t give up your data — Cap. If law enforcement knocks, most VPNs will fold fast. More on that later.
No logs, we swear — Marketing fluff. Nearly all VPNs log something, even if it’s connection timestamps or bandwidth. You’re just shifting trust from your ISP to the VPN.
Military-grade encryption — Meaningless buzzword. It’s the same encryption your browser uses (TLS), not some black-budget cipher. Strong? Yes. Special? No.
So What Does a VPN Actually _Do_?
It changes your apparent location — This is the real purpose of a commercial VPN today, even though the technology was built to reach internal networks remotely, not to make you "anonymous."
It masks your IP — Websites see the VPN’s IP, not yours. That’s the main privacy gain.
Networks know you’re on a VPN — They can’t see inside your traffic, but they know you’re tunneling. VPN traffic is obvious to anyone monitoring.
It encrypts traffic? kinda — Yes, but mostly useful on sketchy public Wi-Fi or if you’re hitting sites without HTTPS. Otherwise, you’re double-wrapping encryption for no reason.
Alright, back to it
So you're running a Tor ➔ VPN chain. That means your connection hits the Tor network first, bouncing through multiple relays. From inside that circuit, usually isolated in something like a Whonix-Workstation, you fire up a VPN tunnel. Now your traffic exits the Tor network wrapped in VPN encryption, and the VPN server, not the Tor exit, is what the destination sees.
Whonix, by the way, is an OS designed to route all traffic through Tor by default. It's split into two VMs: Whonix-Gateway, which runs Tor and is the only one with a network path out, and Whonix-Workstation, where you actually work.
What’s the gain?
- Your exit node never sees your traffic in the clear, because the VPN tunnel is established inside the circuit and the exit only relays VPN-encrypted packets. That exit node? Useless without context.
- You scrape some usability back when hitting services that aggressively block Tor exits, because the destination sees the VPN's address.
But here's the trade-off:
- Speed tanks. Tor's already slow, and now you're adding another encrypted tunnel.
- The VPN provider still sees your exit traffic, and it becomes a fixed, persistent endpoint for everything you do, which undoes the circuit rotation Tor gives you. If you picked wrong, you're screwed. "No-logs" is marketing until proven otherwise.
- The VPN's jurisdiction and logging policies? That's your new attack surface.
The flip side people mention, VPN ➔ Tor, is a whole different game. You hit the VPN first, then the Tor network. That hides Tor usage from your ISP and shows the VPN's address to your guard relay, but the VPN provider becomes a permanent first hop that knows who you are and when you use Tor. Whonix wasn't built around this route either; it means configuring the tunnel on the Gateway. Useful for niche threat models (an ISP that flags Tor connections, for instance), but not general use.
Now let's get real about VPNs. Yeah, I clown on commercial VPNs for a reason: they're glorified proxies half the time. But sometimes you need one. Not for trust, for compartmentalization.
Best case? Roll your own. Spin up a VPS in a random jurisdiction, control the stack, log nothing. ProPrivacy and this guide break that down. Just remember that a single-user VPS is an IP address only you use: it compartmentalizes an op, it does not anonymize you, and the provider holds a payment trail. There are ops where that's not clean; maybe you need zero financial trace. That's where cash-paid VPNs come into play. Bought in person, never from your real connection. Not because you trust them, but because they're a disposable tool.
Golden rule:
- That VPN never sees your real IP.
- You run it inside a fully isolated VM or container.
- You break the chain of identity no overlap between personal and opsec environments.
Why? Because your ISP is definitely logging, and your VPN is probably lying about not doing the same.
Tor traffic? Still “fingerprintable”. Even wrapped in a VPN tunnel, bad timing analysis or packet behavior will give you away if someone’s really watching.
The endgame here?
- Stack the layers smart.
- Compartmentalize.
- Accept that no tool is perfect what matters is how you use it in your threat model.
I know this might sound extreme and yeah, it is. But if you’re a journalist, a whistleblower, or operating in a high-risk environment, it’s worth understanding.
That said, Tor alone is still a solid tool. Just be careful and move smart. I usually tell people to keep it simple Tor by itself is enough to maintain privacy if you use it correctly.
- Avoid logging into personal accounts. Even on Tor, signing into something tied to your real identity defeats the purpose.
- Watch your browsing habits. If you use the same patterns, same bookmarks, same times of activity, you’re leaving a fingerprint.
- Beware of exit nodes. Tor encrypts your traffic inside the network, but once it hits an exit node, it’s in the open. Assume exits can be hostile.
- Don't download files through Tor and open them outside of a secure environment. PDFs, DOCs, anything that can make external requests when opened is high risk, because that request goes out over your real connection.
Tor works, but it’s not magic. The biggest mistakes aren’t technical they’re operational. If you’re using Tor but making the same moves you always do, you’re still trackable.
Sources:
- Electronic Frontier Foundation (EFF) - SSD
- Attending Protests: A Guide for Journalists - EFF
- Security in a Box
- SecureDrop
- Guardian Project
- Anonymous Planet Guide
Fingerprint
Before we dive into the hardware side of things, let's talk about something that often flies under the radar but plays a huge role in your privacy: fingerprints.
"Fingerprinting" isn't just about metadata; it's the combination of many individually weak identifying elements into something that traces back to you, even if you're hiding behind encryption or a VPN. We're talking about things like your OS fingerprint, your browser fingerprint, and even how you type or interact with websites.
Your OS fingerprint is what your network stack gives away without you sending any content: TTL values, TCP window sizes and option ordering, and similar quirks let passive tools (p0f is the classic) name the operating system, often the version, and sometimes hint at the hardware. This is a giveaway because those quirks stay constant over time, so they can be matched across sessions.
Then there's your browser fingerprint: the way your browser behaves, what extensions are installed, the fonts you have, your screen resolution, your canvas and WebGL rendering, and even the language settings. No single one of these is rare. Combine them, and the result is near-unique for your system.
Even your writing style can be a clue. Think about how you phrase things, the rhythm of your typing, or the vocabulary you use. All of this is part of your "digital fingerprint."
And let's not forget things like device identifiers, or even the way you move your mouse. These all contribute to a unique profile that can track your behavior across different sites or activities.
So, before we get into the hardware mechanics, understand that fingerprints, whether through your browser, device, or even writing, are constantly being created and can easily betray your anonymity. The practical counter is the one Tor Browser takes: don't try to be unique in a clever way, try to look exactly like everyone else using the same tool.
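To make the "combine all this" point concrete, here is the arithmetic behind Panopticlick-style fingerprint reports, as an added example and not code from the original post. The population is a constructed sample of twelve browsers (an assumption; real studies use hundreds of thousands). It computes how many bits each attribute carries on its own and how quickly the anonymity set shrinks as attributes are combined.

```python
"""Panopticlick-style fingerprint arithmetic: bits per attribute, and how the
anonymity set collapses as attributes are combined.

Added example, not code from the original post. POPULATION is a constructed
sample of twelve browsers; real measurements use far more, the maths is identical.
"""
import math
from collections import Counter
from typing import Iterable, List, Tuple

ATTRIBUTES = ("user_agent", "screen", "timezone", "fonts", "canvas")

# Constructed visitors. Every single value is shared with several others.
POPULATION = [
    ("Firefox/115 Linux",  "1920x1080", "UTC+1", "dejavu",             "a1"),
    ("Firefox/115 Linux",  "1920x1080", "UTC+1", "dejavu",             "a1"),
    ("Firefox/115 Linux",  "1920x1080", "UTC+1", "dejavu",             "a1"),
    ("Chrome/120 Windows", "1920x1080", "UTC+1", "win-default",        "b7"),
    ("Chrome/120 Windows", "1920x1080", "UTC+1", "win-default",        "b7"),
    ("Chrome/120 Windows", "1920x1080", "UTC-5", "win-default",        "b7"),
    ("Chrome/120 Windows", "2560x1440", "UTC-5", "win-default",        "b7"),
    ("Chrome/120 Windows", "2560x1440", "UTC-5", "win-default+office", "b7"),
    ("Safari/17 macOS",    "2560x1440", "UTC-5", "mac-default",        "c3"),
    ("Safari/17 macOS",    "2560x1440", "UTC+1", "mac-default",        "c3"),
    ("Safari/17 macOS",    "1920x1080", "UTC+1", "mac-default",        "c3"),
    ("Firefox/115 Linux",  "2560x1440", "UTC+1", "dejavu+noto",        "a1"),
]


def attribute_entropy(attr: str) -> float:
    """Shannon entropy in bits of one attribute over the population:
    how much a single value tells an observer on average."""
    col = ATTRIBUTES.index(attr)
    n = len(POPULATION)
    counts = Counter(fp[col] for fp in POPULATION)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def rank_attributes() -> List[Tuple[str, float]]:
    """Attributes ordered from most to least identifying."""
    return sorted(((a, attribute_entropy(a)) for a in ATTRIBUTES), key=lambda x: -x[1])


def anonymity_set(fingerprint, attrs: Iterable[str]) -> int:
    """How many visitors share this fingerprint's values for the given attributes."""
    cols = [ATTRIBUTES.index(a) for a in attrs]
    return sum(1 for fp in POPULATION if all(fp[c] == fingerprint[c] for c in cols))


def bits_leaked(fingerprint, attrs: Iterable[str]) -> float:
    """Surprisal of the combination: log2(population / anonymity set).
    log2(N) bits means the visitor is unique within this population."""
    return math.log2(len(POPULATION) / anonymity_set(fingerprint, tuple(attrs)))


if __name__ == "__main__":
    for attr, bits in rank_attributes():
        print(f"{attr:<11} {bits:.2f} bits on its own")
    victim = POPULATION[7]
    for k in range(1, len(ATTRIBUTES) + 1):
        used = ATTRIBUTES[:k]
        print(f"{k} attribute(s): anonymity set {anonymity_set(victim, used)}, "
              f"{bits_leaked(victim, used):.2f} bits")
```

The output for POPULATION[7] shows the shape of the problem: the user agent alone puts that visitor in a group of five, screen size halves it, and the font list makes them unique, even though each of those values is shared with somebody. The same arithmetic is why a "hardened" browser with an unusual configuration can be worse than a stock one: rarity is bits.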
Sources :
- Electronic Frontier Foundation (EFF) - Panopticlick
- Acar, G., et al. - “The Web Never Forgets: Persistent Tracking Mechanisms in the Wild”
- Tor Project - Fingerprinting and Anonymity
- Nielsen, J., & Raghavan, P. - “Behavioral Biometrics: A Survey and Classification”
- ArXiv - “Cross-Device Tracking: Measurement and Disclosures”
- Privacy International - “What is Browser Fingerprinting?”
- National Institute of Standards and Technology (NIST) - “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”
The MAC
Every network-enabled device has a Media Access Control (MAC) address, a unique identifier assigned to its network interface. This address is used to communicate with routers, switches and other devices on a local network. However, it also serves as a hardware fingerprint that can be used to track you.
Your MAC address goes out in the clear in every Wi-Fi frame you send, and even before you connect: a device looking for known networks sends probe requests that carry its MAC (and, on older or badly configured systems, the names of the networks it remembers). Routers and access points use the address to identify your device, but anyone passively sniffing the channel can log it too. This technique is often used in:
- Wardriving: attackers drive around with Wi-Fi scanners to collect access point and client MAC addresses from nearby devices.
- Surveillance operations: governments, retailers and other corporations use MAC address tracking to monitor movements in public spaces.
For example, as you move between Wi-Fi hotspots, your consistent MAC address allows network operators to trace your path. Over time this data can be used to build a detailed profile of your habits and locations.
Lucky for us, there's an easy solution. Linux users can use tools like macchanger to randomize their MAC address. The interface has to be down while the address is changed, and if NetworkManager manages the interface it may put its own address back when it brings the link up; the cleaner option there is the per-connection setting wifi.cloned-mac-address=random.
sudo apt install macchanger          # Install macchanger
sudo ip link set wlan0 down          # The address can only be changed while the link is down
sudo macchanger -r wlan0             # Set a fully random MAC on wlan0
sudo ip link set wlan0 up            # Bring the interface back up
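The same change without macchanger, as an added example rather than the post's own commands: generate a random locally administered unicast address, check the bit that tells a randomized address from a burned-in one, and apply it with ip(8). The interface name wlan0 is an assumption, and apply_mac() only runs the commands when called with dry_run=False.

```python
"""Randomised MAC without macchanger: generate a locally administered unicast
address, tell a randomised address from a burned-in one, and apply it with ip(8).

Added example, not commands from the original post. The interface name wlan0
is an assumption; apply_mac() only runs `ip` when called with dry_run=False.
"""
import secrets
import subprocess
from typing import List, Optional, Tuple


def generate_laa_mac() -> str:
    """Six random bytes; in the first octet set bit 1 (locally administered)
    and clear bit 0 (unicast), which is what every OS-level randomiser does."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def classify_mac(mac: str) -> str:
    """'multicast', 'locally-administered' (randomised or overridden) or
    'universal' (burned-in, vendor OUI: the kind that follows you around)."""
    first = int(mac.split(":")[0], 16)
    if first & 0x01:
        return "multicast"
    return "locally-administered" if first & 0x02 else "universal"


def ip_link_commands(iface: str, mac: str) -> List[List[str]]:
    """The link has to be down while the address is changed."""
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def apply_mac(iface: str, mac: Optional[str] = None,
              dry_run: bool = True) -> Tuple[str, List[List[str]]]:
    """Pick (or validate) a locally administered address and apply it.
    Refuses universal and multicast addresses so you never set a MAC that
    collides with real hardware or gets rejected by the driver."""
    mac = mac or generate_laa_mac()
    if classify_mac(mac) != "locally-administered":
        raise ValueError(f"{mac} is not a locally administered unicast address")
    cmds = ip_link_commands(iface, mac)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(["sudo", *cmd], check=True)   # needs root
    return mac, cmds


if __name__ == "__main__":
    chosen, cmds = apply_mac("wlan0")        # dry run: show what would be executed
    for cmd in cmds:
        print(" ".join(cmd))
    print("class of the new address:", classify_mac(chosen))
```

classify_mac() is also the check to run on the contents of /sys/class/net/wlan0/address after reconnecting: if it still says universal, something (typically NetworkManager) put the burned-in address back, and the fix is nmcli connection modify <name> wifi.cloned-mac-address random (and wifi.scan-rand-mac-address yes for the probe requests) rather than fighting it from the command line.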
Windows users can turn on "Random hardware addresses" in the Wi-Fi settings (globally or per network) or set a locally administered address through the adapter's Advanced properties (the "Network Address" value); simply disabling and re-enabling the adapter does not change the burned-in address. Two caveats apply everywhere: a randomized MAC only helps if it changes per network and per session, and your device still reveals itself through the Wi-Fi probe requests it sends while looking for remembered networks.
Bluetooth is another hardware-level tracking vector. Like MAC addresses, Bluetooth devices have unique identifiers that can be logged and tracked. These identifiers are often tied to purchase records and user accounts, making them a valuable tool for corporations and attackers alike.
- Disable Bluetooth in BIOS/UEFI settings: this prevents Bluetooth from being enabled at the hardware level, where the firmware exposes the option.
- Shut down the Bluetooth stack: disable Bluetooth in your operating system, or physically remove the module if possible. bluetoothctl power off is a quick toggle, but to keep the stack dead across reboots on Linux, soft-block the radio and stop the service so nothing re-enables it:
sudo rfkill block bluetooth           # Software kill switch for the Bluetooth radio
sudo systemctl stop bluetooth         # Stop the BlueZ daemon
sudo systemctl disable bluetooth      # Keep it from starting at boot
IMEI and IMSI Tracking?
The IMEI is your phone's unique hardware fingerprint, embedded in the baseband, and it's logged by the carrier every time your device registers with a tower. Can you change it? Sure, but it requires baseband-level tooling or custom firmware, and it's a crime in many jurisdictions. Most people, though, think they're off-grid when they grab a burner from a random store. The moment you power it on near your usual spots or, worse, with your personal phone in your pocket, boom: your usual IMEI and the new burner's IMEI are now co-located in the carrier logs, and repeated co-location is all an analyst needs to link them.
Then there's the IMSI, which is tied to your SIM card. Whether it's a prepaid or cash-purchased SIM, it doesn't matter. The network knows which tower you're connected to, who's nearby, and where and when that SIM was activated. In some countries there are databases that directly link your IMSI to your IMEI, and SIM registration laws that link both to an ID. Even in places where this isn't standard, tower triangulation and metadata analysis will cook you anyway.
Here's the real kicker: IMSI catchers. Law enforcement and intelligence agencies deploy these devices to trick your phone into connecting to a fake cell tower. They log your IMSI, can force a downgrade to 2G where encryption is weak or absent, and the more capable versions intercept calls and texts or serve as a delivery point for exploits. Basic models like the Stingray family do the active part, but more sophisticated adversaries also use passive interceptors that gather everything quietly in the background, no fake tower required.
And then there's Bluetooth Low Energy (BLE) tracking. You might think turning off GPS and switching to airplane mode makes you invisible. Nope. On most phones airplane mode leaves Bluetooth on, and recent iPhones (and some Android devices) keep broadcasting Find My style beacons even when powered off. Apple and Google maintain global databases of Wi-Fi access points and Bluetooth beacons, your phone constantly scans for them to fix its position, and nearby phones in turn report the beacons they hear. Even if you're avoiding cell towers, nearby devices and routers are still giving away your position. For law enforcement, this is a goldmine: they can request these logs or deploy sniffers in public to track you in near real time.
Here's where most operators mess up: they grab a burner, slap in a SIM, and turn it on in their apartment or at Starbucks. Instant exposure. The network logs that tower interaction and the Wi-Fi data is captured too. Or they install Signal or Telegram, thinking they're safe. Signal retains very little, but it still binds the device to a phone number; Telegram stores non-secret chats server-side; and with either, the moment your burner number lands in someone's contacts, or a real contact's number lands in the burner, the link is made. Even with a clean number, contact graph analysis will give you up faster than you can blink.
So, how do you avoid this?
- Buy the burner in a dead zone: no nearby towers or cameras. Cash only, with no phone in sight.
- Power it on miles away from any known locations, and keep it off the grid.
- Don't tie it to a Google or Apple account, and don't load messengers that need a phone number (Signal, Telegram) unless that number is itself burner-only.
- Use raw SMS or encrypted XMPP over Tor bridges, remembering that the carrier sees every SMS in plaintext.
- Rotate SIMs and devices like clockwork, and never reuse infrastructure.
- Physically remove the BLE module, or at least keep the phone in a Faraday bag when not in use.
For the truly paranoid? Just remember, you’re delaying the inevitable, but you can make it a little harder.
Sources:
- The Intercept - “How Cops Can Secretly Track Your Phone”
- Ars Technica - “Stingray Use by Local Police Raises Serious Constitutional Questions”
- Electronic Frontier Foundation (EFF) - “Stingrays: The Biggest Little Surveillance Tool You’ve Never Heard Of”
- The Guardian - “Revealed: How Police Use Secret Technology to Track Mobile Phones”
- Wired - “The Secretive World of IMSI Catchers”
- Privacy International - “IMSI Catchers Explained”
- The New York Times - “How Bluetooth and Wi-Fi Tracking Are Changing the Game”
- Motherboard - “How a $17 Device Can Be Used to Track Your Phone”
- IEEE - “IMSI Catchers: A Threat to Mobile Privacy”
- The Verge - “How Law Enforcement Uses Fake Cell Towers to Track Phones”
Now that we've covered the passive stuff, those everyday actions you may or may not be aware of but that can still burn you or your organization, let's shift gears. We've touched on a few points, but we haven't even scratched the surface of everything that can get you into trouble, like habits and routines. I'm 27,500 characters deep so far, and we've only tackled passive exposure. Now, let's dive into the operational side: the stuff you intentionally do, the actions that can directly compromise your security if not done right.
These are the decisions you make on purpose: the tools you use, the services you trust, the information you share, and the methods you employ to execute your operations. Whether it’s how you communicate with others, the kind of infrastructure you deploy, or the way you handle sensitive data, every operational move you make has the potential to expose you.
So, let’s break this down and explore what you actually do that can blow your cover, starting with the bigger, intentional mistakes that most overlook when they’re focused solely on passive threats.
Sources:
- EFF - “What is Metadata?”
- ArXiv - “Mouse Tracking: A Behavioral Biometric for Continuous Authentication”
- The Guardian - “Metadata and Privacy: What You Need to Know”
- ArXiv - “Writing Style and Author Identification”
- IEEE - “Device Fingerprinting for IoT Security”
- EFF - “How to Avoid Fingerprinting”
- Explaining DrawnApart, a remote GPU fingerprinting technique
Intel in Action
Imagine you're chatting online, sharing your thoughts, or interacting on forums. Over time, you may leak small, seemingly insignificant details about your personal life: your location, your routines, your interests. These are all HUMINT data points, human intelligence gathered through your behavior and what you choose to share. While each piece of data might seem harmless, skilled adversaries can collect and analyze these fragments, connecting the dots to create a profile that leads right back to you.
The bottom line: never share personal experiences or real-life details when operating under an anonymous identity. What might seem like an innocent comment is often just another data point for someone collecting HUMINT.
The same applies offline. Walk through a crowded area, and you're likely in someone's selfie within minutes. That image is uploaded to platforms like Instagram or Google Photos, where face recognition algorithms run, often without your consent. This becomes OSINT: these platforms collect the data for their own purposes, but it can be easily repurposed by adversaries for surveillance.
These photos carry metadata: timestamp, GPS location, and even unique camera details. Even if that metadata is stripped, AI systems can still pinpoint your location based on landmarks in the background. Remember metadata? That's the kind of data that gets parsed and cross-referenced in OSINT operations.
The Adversary's View
We haven’t even touched on one of the most common ways people get exposed: data breaches. These breaches give attackers access to everything from your email and passwords to your real IP address. And these leaks don’t just go away they get indexed, scraped, and used for OSINT and HUMINT profiling.
Consider these major breaches:
- The Yahoo breach in 2013-2014, which exposed 3 billion accounts.
- The Adobe breach in 2013, which leaked 153 million accounts.
- The LinkedIn breach in 2012, exposing 167 million passwords.
- The Facebook leak in 2021, which affected 533 million phone numbers and emails.
Once these details are exposed, adversaries use OSINT tools like Have I Been Pwned, Dehashed, and IntelX to gather more information. Your username, email, and even your IP address can be easily cross-referenced across various platforms and forums. In other words, your alias, say “Ph00,” starts appearing in multiple places, revealing more about your true identity over time.
Let’s consider an example where you’re using an alias, like Ph00. One day, the platform you use gets hacked. It happens all the time, right? When threat actors scrape this data, it becomes available for further OSINT analysis. They cross-reference your username, email, and IP address with other public databases and platforms, often scraping personal details like your location or associated accounts. These threads link together, giving them insights into your activities and affiliations.
Your alias now appears in multiple places:
- On a Bitcoin forum (same burner email used)
- On a dark web marketplace (same password hash used)
- In an old GitHub repo (same handle on an old project)
By gathering all this OSINT, an adversary can map out your digital presence, your habits, and, over time, connect it back to your real identity.
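The pivoting described above, as an added example and not code from the original post. Records from several dumps are linked whenever they share an email, password hash, handle, or registration IP, and a union-find merges the resulting clusters. The records, addresses and hashes are constructed placeholders, not data from any real breach.

```python
"""Pivoting across breach dumps: link records that share an identifier into
identity clusters. Added example, not code from the original post; every
record below is a constructed placeholder (RFC 5737 addresses, fake hashes).
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PIVOT_FIELDS = ("email", "password_hash", "handle", "reg_ip")

RECORDS: List[Dict[str, Optional[str]]] = [
    {"source": "bitcoin-forum", "handle": "Ph00", "email": "ph00@burner.example",
     "password_hash": "5f4dcc3b", "reg_ip": "198.51.100.7"},
    {"source": "market-dump", "handle": "phantom_00", "email": "x7@burner.example",
     "password_hash": "5f4dcc3b", "reg_ip": "203.0.113.9"},          # same unsalted hash
    {"source": "github", "handle": "Ph00", "email": "john.doe@personal.example",
     "password_hash": None, "reg_ip": None},                         # same handle, real email
    {"source": "social-leak", "handle": "jdoe1991", "email": "john.doe@personal.example",
     "password_hash": "e99a18c4", "reg_ip": "192.0.2.44"},           # real email again
    {"source": "gaming-forum", "handle": "xXslayerXx", "email": "slayer@other.example",
     "password_hash": "ab56b4d9", "reg_ip": "192.0.2.250"},          # unrelated
]


class UnionFind:
    """Disjoint sets over record indices."""
    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        self.parent[self.find(a)] = self.find(b)


def link_records(records, fields=PIVOT_FIELDS):
    """Merge records that share any pivot value (case-insensitive).
    Returns (clusters of record indices, edges explaining each merge)."""
    uf = UnionFind(len(records))
    first_seen: Dict[Tuple[str, str], int] = {}
    edges: List[Tuple[int, int, str, str]] = []
    for i, rec in enumerate(records):
        for field in fields:
            value = rec.get(field)
            if not value:
                continue
            key = (field, value.lower())
            if key in first_seen:
                edges.append((first_seen[key], i, field, value))
                uf.union(first_seen[key], i)
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i in range(len(records)):
        groups[uf.find(i)].append(i)
    clusters = sorted(groups.values(), key=lambda g: (-len(g), g))
    return clusters, edges


def sources_linked_to(records, handle: str) -> List[str]:
    """Every dump that ends up in the same cluster as the given handle."""
    clusters, _ = link_records(records)
    wanted = {i for i, r in enumerate(records)
              if (r.get("handle") or "").lower() == handle.lower()}
    for cluster in clusters:
        if wanted & set(cluster):
            return sorted({records[i]["source"] for i in cluster})
    return []


if __name__ == "__main__":
    clusters, edges = link_records(RECORDS)
    for a, b, field, value in edges:
        print(f"{RECORDS[a]['source']} <-> {RECORDS[b]['source']} via {field}={value}")
    print("Ph00 is reachable from:", sources_linked_to(RECORDS, "Ph00"))
```

Note how the chain works: the burner email never touches the real one, yet the handle bridges the burner forum to GitHub, and GitHub's email bridges to the social-media leak with the real name. The password-hash pivot only holds for unsalted hashes of the same algorithm (in practice analysts pivot on the cracked plaintext), and IP pivots are weak behind CGNAT or a shared VPN exit, but the graph shape is the same however the edges are found.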
The takeaway: These exposures aren’t just theoretical they happen constantly. Each leak adds to your adversary’s HUMINT and OSINT profile, and once your data is out there, it’s like trying to put toothpaste back in the tube. Everything you share, every vulnerability you expose, is a piece of information that can be linked together through OSINT, SIGINT, or HUMINT.
What You Can Do About It?
Use a password manager to generate and store unique, strong passwords for every account, and turn on 2FA wherever it's offered. Separate your digital identities by using different email addresses and passwords for different services, and regularly check whether your information has been compromised using tools like Have I Been Pwned, Dehashed, or IntelX. One rule matters more than the rest: an identity is only separate if nothing is shared with the others, not an email, not a password, not a recovery phone, not a handle.
Not “good”. Never “good”. After all, I’m only human.
Tradecraft | The Adversary’s Playbook
And this isn't where you start. If you're here, the game's already active. You don't build counter-intel after you're targeted; by then, it's too late. The play is simple: start early or don't play at all.
At this level, you’re not dodging randoms on Telegram. You’re evading SIGINT collectors, OSINT profilers, and targeted infrastructure tracking ops.
The adversary doesn’t care about your VPN or your burner phone. They’re past tools.
They’re tracking human patterns, infrastructure chains, behavioral anomalies—at scale, globally.
Many operators make the mistake of thinking that OPSEC is all about tools VPN chains, Tor, burner VMs, and proxies. That’s only half the picture.
Remember the three core intelligence disciplines:
Discipline | Focus |
---|---|
HUMINT | Human sources: insiders, informants, sock puppets that earn your trust, and the personal details you let slip in conversation. |
SIGINT (COMINT) | Intercepts communications (VoIP, encrypted chats, burner SIM activity). Profiles your encrypted traffic and device signatures. |
OSINT | Your public footprint: breach dumps, reused handles, writing style, posting times, and the metadata in whatever you publish. |
The only way to counter this level of surveillance is to disrupt the collection cycle, and that starts with understanding how SIGINT works at scale. For example, the NSA's passive collection programs (Special Source Operations, not the hacking-focused Tailored Access Operations) tap traffic at the fiber-optic level, at Tier-1 ISPs and at satellite uplinks. An adversary with that kind of visibility can correlate traffic flows between your entry and exit points by:
- Monitoring TLS handshake patterns and packet timing
- Tracking latency between VPN nodes
- Building a unique traffic fingerprint across multiple hops
Given a vantage point on both ends of the path, this kind of correlation can tie an exit flow back to your origin IP even when you stack multiple VPN layers over Tor. Stacking raises the cost for the adversary; it does not defeat one who can already see both ends.
Sources:
When operating on darknet forums, you're not just avoiding law enforcement takedowns; you're dealing with undercover federal investigators who work those forums full time. They use sock puppet accounts and OSINT to profile your writing patterns, posting habits, and time zones. They monitor:
- Forum handles and writing styles
- Leaked data from past breaches
- Honeypot vendor accounts to track threat actor infrastructure
They link your forum handle to your real identity through these patterns. For instance, the Empire Market admin was exposed through simple time zone analysis and forum posting behavior.
DOJ Press Release
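Time zone analysis from posting timestamps, as an added example and not code from the original post. The heuristic assumes the poster's quietest eight hours are sleep, centred at about 04:00 local, and derives the UTC offset from where that window falls in UTC. Both the heuristic and the generated post times are assumptions; on real data you need many posts, weekday/weekend splitting and awareness of DST before the estimate means anything, but the mechanics are the same.

```python
"""Infer a poster's UTC offset from post timestamps: find the quietest 8-hour
window in UTC and treat it as sleep. Added example, not code from the original
post; the sleep heuristic and constructed_posts() are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

SLEEP_WINDOW_HOURS = 8
ASSUMED_SLEEP_MIDPOINT = 4.0   # assumed local clock hour at the middle of the quiet period


def hourly_histogram(timestamps) -> List[int]:
    """Count posts per UTC hour (0..23)."""
    counts = [0] * 24
    for ts in timestamps:
        counts[ts.astimezone(timezone.utc).hour] += 1
    return counts


def quietest_window(counts: List[int], width: int = SLEEP_WINDOW_HOURS) -> Tuple[int, int]:
    """Start hour and post count of the circular window with the fewest posts."""
    best_start, best_total = 0, None
    for start in range(24):
        total = sum(counts[(start + k) % 24] for k in range(width))
        if best_total is None or total < best_total:
            best_start, best_total = start, total
    return best_start, best_total


def infer_utc_offset(timestamps) -> float:
    """Offset (hours east of UTC) that puts the quiet window's midpoint at
    ASSUMED_SLEEP_MIDPOINT local time, normalised into (-12, 12]."""
    start, _ = quietest_window(hourly_histogram(timestamps))
    midpoint_utc = (start + SLEEP_WINDOW_HOURS / 2) % 24
    offset = ASSUMED_SLEEP_MIDPOINT - midpoint_utc
    if offset <= -12:
        offset += 24
    if offset > 12:
        offset -= 24
    return offset


def constructed_posts(local_offset_hours: int, days: int = 30):
    """Constructed activity: one post per hour from 08:00 to 23:59 local time,
    every day, stored the way a forum would store it (in UTC)."""
    tz = timezone(timedelta(hours=local_offset_hours))
    first_day = datetime(2024, 3, 1, tzinfo=tz)
    posts = []
    for day in range(days):
        for hour in range(8, 24):
            posts.append((first_day + timedelta(days=day)).replace(hour=hour, minute=15))
    return [p.astimezone(timezone.utc) for p in posts]


if __name__ == "__main__":
    posts = constructed_posts(3)                 # someone living at UTC+3
    counts = hourly_histogram(posts)
    print("posts per UTC hour:", counts)
    print("quietest window starts at UTC hour", quietest_window(counts)[0])
    print("inferred offset: UTC%+g" % infer_utc_offset(posts))
```

Against this constructed poster the quiet window runs from 21:00 to 05:00 UTC and the inferred offset is +3, which is exactly the kind of result that gets cross-referenced with SIM registration regions, language, and holiday gaps in posting. The counter is equally mechanical: post at scheduled times that don't reflect when you're awake, or accept that your "anonymous" handle has a longitude.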
What do we learn from this?
- Infiltration: Adversaries use sock puppets to gain trust in closed forums.
- Insider Flips: They flip insiders within underground communities to gather intel.
- Psychological Exploitation: They exploit personal biases or grudges to make you slip.
Common pitfalls include:
- Reusing handles across forums
- Leaving OPSEC gaps in your online persona (e.g., consistent time zone patterns, writing styles, or coding fingerprints)
- Getting emotionally involved or chasing clout
Scenario | What Went Wrong | How They Got Burned | Vector |
---|---|---|---|
Silk Road admin "Dread Pirate Roberts" (Ross Ulbricht) promoted the site under an older handle | Early posts as "altoid" on public forums advertised Silk Road, and a later "altoid" post looking for a developer gave his real Gmail address | An investigator found the posts with ordinary web searches and tied the address to Ulbricht | OSINT |
Hansa Market Seizure - Dutch Police took over | Vendors kept using the same PGP keys across dark markets | Law enforcement scraped PGP fingerprints and linked profiles | OSINT / SIGINT |
Twitter user “bhabha” bragged about exploits while reusing the same username elsewhere | Reused the alias on personal and hacking forums | OSINT linked his GitHub, StackOverflow, and personal accounts to his blackhat activity | OSINT |
Narcotics trafficker used the same burner phone for multiple deals | Lazy OPSEC, same phone number touched several ops | Encrypted phone cracked, and cell tower triangulation placed him at every major drop | SIGINT / HUMINT |
Operation Bayonet (AlphaBay takedown) | Admin's personal email pimp_alex_91@hotmail.com appeared in the headers of AlphaBay's welcome and password-reset emails | The address was tied to Alexandre Cazes' real identity through his public online profiles | OSINT |
Boogaloo Boi - Telegram to Facebook Slip | Radical Telegram chatter posted similar content under real identity on Facebook | FBI cross-matched timestamps and language | OSINT / HUMINT |
LulzSec (Hector Monsegur / Sabu) connected to IRC once without Tor in front | One bare connection, reportedly only minutes long, exposed his home IP | FBI matched the IP to his apartment | SIGINT |
Bitcoin fog mixing service—admin used re-used blockchain wallet addresses | Same wallet was linked to personal BTC purchases on Coinbase | Blockchain analysis by Chainalysis exposed him | SIGINT / OSINT |
Marriott breach (500M guests exposed) | Starwood's reservation systems had been compromised since 2014 and the intrusion survived Marriott's acquisition, unnoticed until 2018 | Long-dwell access to an inherited network; press reporting attributed the intrusion to Chinese state actors | Intrusion / M&A due diligence |
Gab.com Data Dump | Users used real emails, even work ones, to register accounts | Hackers dumped full user data—emails, hashed passwords, DMs—exposing alt accounts of journalists, police, politicians | OSINT / HUMINT |
Additional risks:
- Unique coding patterns in GitHub commits
- Exposing your email in commit histories
- Posting on forums in your native language
- Reusing the same VM configuration, PGP key, or VPN chain across operations
Pulling the three disciplines together:
- HUMINT isn't always spies; it's lazy employees, vendors, or random humans watching.
- OSINT builds your entire profile from public mistakes: PGP reuse, aliases, writing patterns, weak social media OPSEC.
- SIGINT tracks your RF, your IP slip-ups, your metadata trail. One break is enough.
The reality is simple: to operate against advanced adversaries, you must assume every action you take is being observed. Build your threat model, tighten your OPSEC, and remember the adversary is always one step ahead if you let your guard down.
Alright, here’s the simple truth perfect OPSEC doesn’t exist. No matter what you do, there’s always a risk. You can’t avoid it completely, but what you can do is make it harder for anyone to track you.
It all comes down to how much effort and discipline you’re willing to put in. The more careful you are, the less likely you’ll get exposed. What I’ll do next is break down everything we’ve talked about so far and show you how to build your own threat model and OPSEC plan.
This isn't some high-level guide for hacking government agencies; it's for everyday privacy. Stuff that helps you stay low, protect yourself, and avoid dumb mistakes. It won't stop a nation-state if they're really after you (nothing will), but it will make you a much harder target.
Category | Rule / Action |
---|---|
Identity Management | - Never mix identities or reuse handles. - Don’t repeat OPSEC patterns across platforms. |
Device Handling | - Never power a burner near home or work. - Keep devices in sight at all times. - Never leave systems unattended (hotel rooms, etc.). - Never plug unknown media (USB, SD) into your system. - Power off and remove the battery after use. |
Network & IP Hygiene | - Never register accounts with your real IP. - Use Tails + Tor bridge + VPN hop for accounts. - Disable Wi-Fi; avoid public Wi-Fi unless auto-connecting to a VPN. - Keep Bluetooth off; no need to increase your attack surface. |
SIM & Phone Hygiene | - Rotate SIMs every 2-3 weeks. - Never use the same SIM across platforms. - Use burner phones for OTPs only. |
Communication | - Use Session or Briar (Briar runs over Tor) for encrypted chats. - For darknet, use Tails with bridge relays. - For general browsing, use Whonix inside Qubes OS with isolated VMs. |
System Maintenance | - Wipe burner machines and re-image regularly. - Assume compromise — always. |
Behavioral Discipline | - Stay focused — avoid drama or clout-chasing. - Mix coins or use privacy-focused cryptocurrencies. - Assume every post is logged and analyzed — obfuscate patterns. |
Some of these DO NOTs fit directly into an OPSEC framework, while others can be adapted to protect your privacy in everyday life.
It might seem simple on paper, but reality is different. Most of us can’t just walk away from jobs, contacts, or social circles and vanish completely that’s not realistic. What we can do is understand the techniques used against us, recognize the patterns, and adapt our actions based on our personal threat model and OPSEC strategy.
That's it for now. There's a lot more to this intel game, but I kept it focused on what matters to us right now. The truth is we can use the same tradecraft and counter-intel tactics in our own ops to design a tailored threat model and build a solid OPSEC process.