
Operations Security (OPSEC) is the serious act of hiding the details of your operation and avoiding links between identities. Here are Cybertoolbank's best general OPSEC rules, split into eight zones. Remember that, in most cases, good OPSEC means using common sense. We always encourage you to do your own research instead of only relying on our advice and recommendations. Do not use this information for illegal purposes! We support freedom, not immoral activities!

Social OPSEC

Stop using social media and delete all of your remaining accounts. Data collected on social media can be used to identify and even dox you. Even your typing speed can be tracked across different social media platforms. In the future, any active social media user could be deanonymized instantly through behavior analysis! So, at all costs, avoid social media!

Do not use email for important communication. If you must communicate using email, remember to use PGP encryption. We recommend using a trustworthy email provider for account activations only. We do not recommend that you use any of the onion email providers for account verifications. Check out our recommended email provider list here!

We recommend that you only use communication tools that support end-to-end encryption (E2EE). Do not use services such as Discord, Snapchat, Instagram, or Twitter for communication. All communication on these platforms is basically public and stored as plain text. Three-letter agencies have access to all of it using their various programs exposed by Edward Snowden, like XKeyscore and PRISM, for example. Check out the communication tools we recommend here!

It is not recommended to register anywhere online with your real phone number. Use sms-activate.ru to verify your accounts; it is cheap and reliable! However, remember that temporary SMS and emails can be malicious sometimes and try to access your accounts. This is why enabling 2FA is very important when temp solutions are used!

Turn on 2FA everywhere where it's possible. We recommend FreeOTP+ for Android. We do not recommend Google Authenticator. Also, never use SMS 2-Factor Authentication! SMS 2FA will link your real identity to your accounts, and it is very insecure.

Your voice is a very easy way to identify you. Never use your real voice anywhere online. We recommend using voice changers! Your voice can be turned into something called a "voice fingerprint," which is a unique hash generated from your voice. It is known that the police use voice comparison technology.

Visit haveibeenpwned.com to see if your personal information has been compromised as a result of a database breach. But keep in mind that you don't want to contaminate your identities by searching for both your personal and hacker emails during the same session! You can also use our free leakcheck to see what exactly is leaked (your passwords in plain text). As a side note, keep in mind that websites might log every letter you type, even if you do not press search/submit.

Avoid being unique in any way! Experiment with various writing styles—your writing style can be used to identify you online! This is part of behavioral analysis, which is a massive OPSEC concern that could link your dark web activities to your clear web activities in the future. We recommend translating your text through translators to avoid the analysis of your writing style. You could translate your text to Arabic, then translate it to some other language, and finally back to English. As a side note, even your typing speed could be tracked. You can prevent the tracking of your typing speed by typing offline and then pasting your text online.

Never reuse a password, email address, profile picture, or username. Also, do not link old aliases with new ones in any way. If someone is tracking you, they will notice that you have changed your alias.

Use simple aliases/handles, such as the names of colors (red or blue, for example). The more complicated your alias is, the easier it is to track your doings on the internet, and, as said, do not reuse aliases. Grinding online ego on an alias is one of the easiest ways to get caught. We also recommend changing your alias very frequently. The more you change it, the harder it is to track your doings on the internet.

Do not contaminate identities. For example, by sharing videos, music, opinions, or social media posts with your real contacts that are similar to those you share with other people on the internet! Do not connect your aliases to each other in any way!

You can generate and use fake identities online. It's very important to act like a totally different person online than you are in real life. Different hobbies, different interests, different nationality, different age, different political opinions, etc., the list goes on.

Never, ever, ever reveal your operational details to anyone, such as whether or not you use Tor. Never tell anyone anything they don't need to know! Be paranoid, trust no one, and shut the fuck up! We cannot encourage this enough.

Lie about yourself online. When it comes to OPSEC, disinformation is your best friend! Distract people after you, fake dox yourself, "accidentally" leak disinformation like your "address", but do not make it obvious.

Never brag about or discuss your online activities with anyone! Bragging is one of the easiest ways to get caught.

We highly recommend that you follow the most recent cybersecurity and privacy news. Your OPSEC could easily be compromised by recently found exploits or services found to be malicious. You can also check out our media category for good news sources and education.

Remove all the metadata from photos before sending them anywhere online. We recommend the Scrambled EXIF app for Android. EXIF data can be used to get your exact location and many more identifying metadata, like your exact device model. Check out the metadata OPSEC category on Cybertoolbank for more information!

Look through pictures very carefully before sending them anywhere online. Even a random car registration plate in a picture that is not related to you in any way could be used to identify you, based on the car's movements compared to the time you sent the picture! Also, never post pictures of your pets on the internet; unique pets can be traced back to you!

Mobile Device OPSEC

Make sure that your mobile phone is up-to-date and using the latest security patch available. We do not recommend using old mobile phones that do not get security updates anymore. The minimum version of Android that should still be used is Android 10. Anything below this Android version can be easily hacked by governments, and spyware like NSO Pegasus can be installed on your device without your knowledge or physical access. Also, avoid using Chinese mobile phones; they have been found with spyware preinstalled and are usually more vulnerable to firmware exploits.

We recommend buying your mobile devices with cash locally without providing any of your personal information. Supply chain attacks are a major risk. Phones bought online have been found with malware preinstalled. In some cases, police have noticed that a suspect has ordered a phone and, in customs, tampered with the phone and installed malware on it.

Use a privacy-friendly phone. Your phone knows the most about you. We recommend a Google Pixel with a de-googled custom ROM called Graphene OS. Graphene OS is one of the most secure and private Android OSes currently available. But remember, if your phone has a sim card and it connects to the internet, it can still be tracked and hacked by the government!

Do not discuss sensitive topics in phone calls or SMS! The police are experienced with spying on these simple protocols. They could even log into your personal accounts by stealing the SMS verification codes from your SMS. This is one of the reasons why we do not recommend using SMS 2FA. Police can also easily forward your calls and listen to them. 

Google collects a lot of data that could be used to identify you based on other data that connects you to your Google data. This is why you should use Google alternatives. For example, use the Aurora Store instead of the Google Play Store. And use NewPipe instead of YouTube! For the whole Google alternative list, check out our FOSS apps category.

Turn off your phone's Wi-Fi and Bluetooth scanning, as these can be used to track you and drain your battery. Also, always turn off Bluetooth, location, and Wi-Fi when not in use. Also, never share the internet of your mobile phone using Bluetooth; it is extremely insecure!

Consider removing your phone's microphone and camera. The feds have busted people with extreme OPSEC by using honeypot websites that would send beep sounds that your mobile phone would catch and then link your computer identity with your phone identity. This is one of the reasons why we recommend using a custom ROM like Graphene OS on your phone. Attacks like this are not possible when using a hardened mobile phone setup with the microphone disabled.

Make sure your phone is encrypted and uses a strong password or passphrase, not a PIN code or anything else! There is a company based in Israel called Cellebrite. They crack phones. Cellebrite's software, UFED, is widely used by governments and police across the world. There are not as many exploits for phones in the BFU (before first unlock) state as there are for phones in the AFU (after first unlock) state. This is why shutting down your phone for the night is important (the phone is in a BFU state when it has not been unlocked after restart).

Another thing to consider is making your phone auto-reboot after a certain time. Graphene OS has a feature for this. This will make sure your phone is in a BFU state when it is obtained by an unwanted party.

Track changes in your phone's battery usage, data usage, storage usage, heat, and RAM usage to find out if your phone is being spied on. However, advanced spyware like NSO Pegasus manages to hide itself very well and even masks its traffic as normal unsuspicious traffic.

Never give apps unnecessary permissions. If you are using Android, we recommend that you also go through the special access permission settings and disable all unused special access permissions for apps. Uninstall any unused apps or software from your phone and computer; these collect and sell your data and may be exploited!

Do not use the Tor Browser on your phone. If you do, disable JavaScript and make sure that your phone is de-googled!

Do not allow any software or applications to run in the background! These waste your resources and can spy on you without your knowledge.

Network OPSEC

We do not recommend making your own VPN. There are more cons than pros to making your own VPN. For example, bad security, bad host, wrong configuration, and one IP address. If you really want to build your own VPN, you need to be a cybersecurity expert and really know what you are doing. Check out the VPN services we recommend here! Even though VPNs are a good tool for privacy, Tor is always a better choice for anonymity. Check out Orbot for Android. Also, do not use free VPN services.

We recommend the use of Tor for more anonymity, but even with Tor, do not get a false sense of security. There are many attacks against the Tor network, and many people have been caught because of their own mistakes, or sometimes even because of malicious guard and exit nodes. We do not recommend the use of VPNs or other tunnels with Tor! Always keep JavaScript disabled when using the Tor Browser!

Always use HTTPS when possible; this is critical! For example, the Tor exit node, which could be owned by the NSA (many nodes are), sees all your traffic in plaintext if no encryption is used.

Never choose wireless over wired! Wired solutions are almost always more secure and private than wireless solutions. However, keep in mind that malicious USB cables exist that could be spying on you. This is why it is important to purchase your USB cables from official stores, not just some random cables from China.

Never purchase any Internet of Things (IoT) devices. If you do, keep them on their own network, separate from other devices. Also avoid devices like Alexa or any other smart device, like a Samsung smart fridge. Also avoid Chinese products, software, and technology; it's usually spyware. The more you go digital, the more vulnerable you will become.

Browser OPSEC

To avoid browser fingerprinting, use separate browsers for personal, work, and private matters. Isolate your browsers. Browsers inside virtual machines are a good choice when it comes to avoiding browser fingerprinting. Be aware that your browser could be fingerprinted even if JavaScript is disabled!

On your main operating system, we do not recommend opening file attachments or clicking links. Open new links in disposable virtual machines instead. For example, NSO Pegasus is spread via malicious links sent through SMS! However, there is a lot of misinformation spread about clicking links. Most malware that comes through links is manually installed by the user. Exploits that do not require any user action are very rare.

Never make your browser save browser history. Your browser history is probably the best evidence against you. Make your browser delete all saved cookies, browser history, and cache when the browser is closed. Cookies saved in your browser could easily deanonymize you, even if VPNs or Tor are used. Also, never save passwords in your browser or any other auto-fill information. These can be stolen by simple exploits and log stealers.

Use tracker and ad blockers to reduce your footprint online. We recommend uBlock Origin. Do not use too many extensions; they make your browser's fingerprint more unique!

Use a trustworthy browser instead of Chrome with your personal Google account logged in. Also, never full screen your browsers! Your screen size can be used to identify you! We recommend the use of the Tor browser on Qubes OS disposable Whonix VM for maximum security. Check out the browsers and search engines we recommended here!

Avoid downloading anything using the Tor browser! Downloaded apps and software can be used to deanonymize you. There are known cases where Tor exit nodes were able to change the downloaded contents to infect Tor users. This is one of the multiple reasons why verifying software signatures is so important.

When planning your threat model, check if your browser fingerprint is unique at amiunique.org. If it's unique, bad for you. If it's not unique, good for you. However, it is very likely that your browser fingerprint is unique. To defeat this, use the Tor Browser and disable JavaScript. JavaScript is one of the most dangerous identifiers on the internet. Be aware that even when you are using the Tor Browser, you could be deanonymized by JavaScript. This is why we recommend using the Tor Browser with the strictest settings, which will disable JavaScript.

System OPSEC

Overwrite all the deleted data. When a file is deleted from a device, it does not actually get deleted; the device just forgets where the file is stored and frees space on the disk. This is why overwriting all deleted files and data is extremely important. We recommend Bleachbit on your computer and Extirpater on Android devices for easily overwriting deleted data. For full disk wipes, we recommend the DBAN tool provided by dban.org. Check out the Cybertoolbank forensic tools and disk wiping tools categories for more information on the subject!

Keep your operating system up-to-date. Linux operating systems usually get security patches every week. We recommend that you update your operating system as soon as possible after a new update is released. If you are not using Qubes OS, which we highly recommend you use, it is a good idea to harden your Linux distro using Lynis.

Use different VMs and devices for everything you can to ensure maximum security and privacy. This is very easy with our favorite OS, Qubes OS! Use your password manager only within an isolated virtual machine that is fully encrypted and does not have internet access. We recommend using KeePassXC as a password manager.

It goes without saying that you should encrypt your hard drives and mobile devices fully. But remember that the encryption is useless if your devices are open when someone blasts through your door. Always close your phone for the night, keep your phone with you, and never leave your PC open when you leave the room where it is located. Do not use your laptop that has sensitive data on it in public places! Check out the encryption category on Cybertoolbank for the best FDE software!

Do not store anything illegal on your PC. It is very likely that in the future, most encryption algorithms currently used will be cracked by quantum computers. Imagine a case where the police save a clone of your SSDs and archive them, pulling them out of their ass many years later and cracking the encryption with a quantum computer when you just thought you could retire peacefully, but you end up spending the rest of your life in jail!

Removing logs can be a crime sometimes, so the best practice is to stop all logging before there are even any logs. No logs, no crimes. For example, configure your browser to stop saving search history (it's easy)! Keep in mind that cookies and cache in your browser could deanonymize you even if you are using a VPN or Tor and you have logged into your personal accounts during the same session.

We recommend formatting all your devices at least once a year and overwriting the data on them with zeroes using a tool like DBAN. This is a very good security and privacy practice to protect you from malware and digital forensics! However, we do not recommend reselling your SSDs or HDDs because the data on them may be recoverable.

Do not store any personal files like pictures on your PC. Always store your personal files offline, not even in your phone gallery. If you have to store images on your phone, store them encrypted away from other apps, we recommend Photok for this purpose. Consider buying and encrypting an external hard drive for your photos and important files and always having it unplugged from your computer when not in use.

We recommend running system cleanup software on your PC once in a while. This will make sure all browsing data and system files like thumbnails are deleted in case someone is going to forensically inspect your device. Bleachbit is a good open-source system cleaning tool, which we recommend. This tool can also overwrite deleted system files after deletion to ensure permanent deletion.

It is important that you know that if you are being targeted by a government entity, the best thing to do is destroy all your device storage units. Do not ever underestimate them. This is why it's better to stay low-key online. We cannot encourage you enough to not brag about things you have done.

Crypto OPSEC

Don't use Bitcoin if you don't have to. If you do not know how to use Bitcoin correctly, it is not private and not anonymous. We recommend converting your Bitcoin to the anonymous and more private cryptocurrency Monero (XMR). Monero also has lower fees than BTC and is easily the best cryptocurrency for anonymity and OPSEC.

Learn how to safely use your cryptocurrencies. A Twitter hacker got caught because he didn't know how to. More about cryptocurrencies in the cryptocurrencies category!

Software OPSEC

Do not use antivirus software. Antiviruses waste your resources, sell your data, and may even spy on you; antivirus software can even create new attack surfaces on you! For older people who do not understand anything about cybersecurity, we recommend Malwarebytes antivirus.

Do not use crappy operating systems. If you must use Windows, debloat it. OOSU10 is a good and reliable program for debloating Windows, and other similar programs can be found on GitHub. However, we highly recommend against using Windows. There are so many alternatives to Windows that are way better for your OPSEC. Check out the Operating Systems category! If you actually care about your security, privacy, and OPSEC, you should be using something like Qubes OS.

Discord should not be installed on your device; instead, it should only be used in a trusted browser! Discord can see all your messages and does not have E2EE (end-to-end encryption). Discord is the FBI's honeypot! Discord is known to work with law enforcement but protects child groomers and furries. Stay away from Discord at all costs. Nothing good comes out of Discord. It's full of degenerate people and skids. The same goes for Reddit!

Keep your software and applications up-to-date. There are unlimited amounts of exploits for software that is not up to date. You will leave yourself extremely vulnerable if you do not update your applications. For example, an outdated version of the Tor Browser could easily be exploited and used to deanonymize you!

Avoid using closed-source software. If you cannot find open-source alternatives, try to find clients for closed-source software. For example, if you must use Discord, we recommend using it only in your browser.

Never install cracked software or cheats. These contain malware in most cases. Also, do not run random GitHub projects just because they are open-source. Learn to read the code and check that it does not connect to random servers or URLs. Open-source does not mean not malicious!

Do not grant UAC or SUDO (admin) permissions to your default user; doing so leaves you extremely vulnerable. The default user on Windows usually has UAC permissions, which is why you should create an admin user and a normal user for daily use. The admin user should not be touched, and you will need to enter its password when using UAC permissions (for example, when installing software). Also use a good and strong firewall like UFW on Linux (simplifies iptables).

Always verify software signatures. This way, you will know if your download has been tampered with or if the website is hosting a malicious version of its software. Decent websites usually have one website dedicated exclusively to software hashes, so if the main website is hacked and hosting a malicious version of a program, the hash of the download won't match the hash published on the separate hash list website.
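The hash comparison described above, as an added example (not Cybertoolbank's code): it parses a checksum list in the format `sha256sum` writes, hashes the downloaded file in chunks, and reports whether the two agree. The file name `tool-1.0.tar.gz` and its contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_list(text: str) -> dict:
    """Parse lines of the form '<sha256 hex>  <name>' or '<sha256 hex> *<name>'."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name[1:] if name[:1] in (" ", "*") else name
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {number}: not a SHA-256 digest")
        if not name:
            raise ValueError(f"line {number}: missing file name")
        if entries.get(name, digest) != digest:
            raise ValueError(f"line {number}: conflicting digests for {name}")
        entries[name] = digest
    return entries


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: str, checksum_text: str) -> str:
    """Return 'ok', 'mismatch', or 'not-listed' for the file at `path`."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"


def demo() -> tuple:
    """Constructed scenario: a clean file, a modified file, an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"constructed release contents")
        listing = f"{sha256_file(path)}  tool-1.0.tar.gz\n"
        clean = verify_download(path, listing)
        with open(path, "ab") as f:
            f.write(b"tampered")  # simulate a download altered in transit
        modified = verify_download(path, listing)
        other = os.path.join(d, "other.bin")
        with open(other, "wb") as f:
            f.write(b"")
        unlisted = verify_download(other, listing)
    return clean, modified, unlisted


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the list: it must come from a different origin than the download itself, and a list that carries a verified cryptographic signature from the developer is stronger than a bare hash.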

Physical OPSEC

Always turn off your PC fully and never put your PC into sleep mode, or you might be vulnerable to cold boot attacks. Police have recovered critical data such as images and passwords from RAM using cold boot attacks. To turn off your computer fully, you need to either take the laptop battery out if possible, or turn off your PC power supply using the on/off button behind it. The best and most reliable way is to fully unplug your PC from its power source after shutting it down. As long as power is supplied to the RAM, the RAM will retain the contents of whatever was last in it. A Wikipedia article about cold boot attacks can be found here. Also disable your FireWire port; it can be used to directly access the contents of your RAM when your computer is on!

Always keep your microphone hardware muted if not in use. You could build your own microphone hardware mute button if your microphone does not have one. You could also block your microphones with tape, like Mark Zuckerberg does. Block all your cameras with tape if you cannot remove them! Also, turn off your computer speakers. This is extremely important because the police use beep sounds to catch freedom advocates. These sounds are sent by a malicious honeypot website and then caught by your mobile phone or other devices with microphones.

Make sure that the security of the people around you and the people you talk to is good, or you could compromise yourself! For example, do not let anyone save you by your real name in their contact book (contact tracing). Their apps fetch and sell this information! This data can then be used to track who you talk to.

Do not have your address publicly listed. Mad skids might try to dox you and harass you, maybe even do their skid actions like swatting and sending pizzas to your house. These people are very depressed and seek online attention for their stupid actions. Check out the avoid getting doxed category on Cybertoolbank!

If you do not want to lose your freedom forever, we HIGHLY recommend against traveling to the USA. Usually, when FBI agents find you guilty of something, they will wait for you to travel to the USA and then arrest you there. You will end up facing the United States court, which could lead to decades of jail time!

Use a face mask and sunglasses in public places to avoid facial recognition. Even this might not be enough to protect your face from facial recognition.

Use privacy screens to keep people and cameras in your vicinity from seeing what you're doing on your device!

Keep your keyboard clean. Any fingerprints on key caps could be used to guess your passwords or passphrases.

Do not take a DNA test. DNA testing companies will sell your data. Police find this data very useful and many people have been caught because of it. For example, the Golden State Killer!

Be prepared to run. Make a survival kit, have a backpack with all your survival gear ready to go, and be ready to leave your house within 10 minutes if needed.

Do not leave your house for too long. The police love to install all kinds of spy equipment in your house while you are away.

Do not do anything secret in public, such as chatting in your hacking telegram group while at school! Also be aware of the surrounding cameras! Cameras are always watching!

Do not use your real keyboard layout on your PC or phone; instead, search for a keyboard layout that is similar to yours and use that.