I'm seeing a lot of FUD about the recent AlphaBay and Hansa takedowns, so I thought I should write this. Law enforcement hasn't compromised Tor, nor PGP encryption algorithms, nor cryptocurrency mixing services (AFAIK). The usual opsec advice will still keep you safe should you decide to use alternative DNMs. That being said, here are some obvious things you should already be doing:
- don't reuse usernames and passwords, especially if you use them on clearnet services (that includes Reddit)
- don't use personal e-mails on the darknet (actually, avoid using any e-mail on the darknet whenever possible) <- this is how Silk Road and AlphaBay were compromised
- use 2FA tied to your private PGP key (even if your account info is compromised, as long as you are the only one in possession of your private key, no one will be able to access your account)
- access the hidden services through Tails, not a Tor add-on on your regular browser on Windows, or some ridiculous shit like that (even if the connection between browser and Tor is sound, there's still room for human error or a software bug. Tails was specifically designed to keep you as anonymous as possible)
- mix your bitcoins. It may seem like a waste of resources, but it will at the very least give you the peace of mind that, should LE decide to track them back, they won't lead to your name (assuming you trust mixing services. Alternatively, you could use Monero to buy stuff, or to manually mix your coins)
- when buying "things" on DNMs, take the extra fucking 10 seconds and manually PGP encrypt your address (i.e. don't use the autoencrypt option some markets have) <- this is probably how the Dutch LE managed to capture encrypted info, by bypassing the autoencrypt function or simply by switching the vendor's PGP with their own, which brings me to the next item:
- double-check the vendor's PGP key and compare it with the keys available on Grams search (assuming you trust the vendor hasn't been compromised, but a good rule of thumb is to see whether recent purchases are reaching their buyers or not. LE most likely won't keep selling you drugs just to gather info)
By following these extremely simple tips, even if a market is clearly compromised by LE, as long as the vendor is still active you will get your stuff and avoid being v&. Feel free to suggest further opsec, I'll edit them in.
Edit: I forgot to include something: learn how to use multisig and never fear losing your coins due to vendor or market scams, or LE shutdown. Also included a bit about 2FA to log into your account. Using 2FA to confirm purchases wouldn't hurt either.
Tell that to all those that lost money on Hansa despite using multisig...