Take this with a grain of salt. I'm not a DNM scholar like /u/gwern.
But based upon what I have seen, this is the list of things people are worried about:
- OS security, using TAILS
- IP address masking / VPN / TOR
- Potential blockchain analysis
- Handwriting/printed text on packages
- Drops/houses/PO boxes
- Use of real/fake names
- Stealth / decoys
- Vendors being LE
- Markets being LE
- Encrypting addresses
- Rotation of return addresses
- Whether you go to a counter or not
- Ordering domestic vs international
(and maybe a few more I have missed)
I can see how all of these things COULD be important.
However, as far as I can tell, these are the things that have been confirmed to lead to arrests:
- People selling DNM drugs on the street and having buyers inform on them
- People buying to their house and having roommates inform on them
- Kids buying to their house and having their mom inform on them
Am I missing a lot of arrests due to failures in the "non-talking" OPSEC factors? I don't really put too much stock into the arrest reports that have no confirming factors at all. But it seems like we are worrying about a bunch of stuff that doesn't matter much, and 99% of OPSEC is just keeping your mouth shut.
Edit1: /u/gwern has a great summary on this:
"No single theme emerges reading through the many arrests."
- many buyers go down to CDs and the subsequent searches turning up additional illegal goods, suggesting 2 major mitigations: never signing, and cleaning house to the extent possible when expecting a new delivery
- international deliveries are highly risky for both the seller and the buyer, and Australia/NZ more so
- sellers should be assumed to keep records & addresses; many have turned out to do so, but simple addresses seem minimally useful to LE as there are few known busts despite the many thousands of captured transaction records with addresses - with a few exceptions:
  - if the address is from an account which is itself a seller (an argument for single-role accounts)
  - the seller has been infiltrated but not yet busted, and there are orders 'in flight' which can be turned into quick & easy CDs
  - the products being sold are guns or poisons, in which case, retrospective arrests may be tried
- Bitcoin works as a payment method: sellers using any other method (Paypal, bank deposits, Western Union) invariably come to grief, and attempted use of such methods may be a red flag for a LE-controlled account
- guns and poisons seem to bring grief to everyone around them: despite being the minutest of categories (sometimes with zero sellers on the markets which permit them), busts of buyers & sellers are well-represented.
Most of what people on /r/darknetmarkets call "OpSec" is really Security Theatre. It gives them a sense of control and makes them feel safer but that's about it. The guy buying a quarter-ounce of bud every month can get away with a 1024-bit PGP key and a Windows machine: if history is any indication so can the guy selling quarter-ounces of bud. Personal use buyers (and arguably small sellers) don't have to worry about tumblers, VPN-to-TOR-to-Cracked Wireless Connection schemes or any of the other schemes you see waved around on Reddit like somebody's penis substitute.
Unfortunately, a lot of our Rusty Shacklefords will make 256k PGP keys and keep all their computer stuff stored on a well-lubed flash drive ready to be keistered at the first sign of a policeman -- then tell their friends all about their adventures in great detail. Or they'll take the drugs they bought using Sooper OpSec and sell them out of their college dorm, or send them to their parents' house. And those are the cases when Security Theatre stops being a joke and starts being a real problem.
The last three points you highlighted are the ones that matter for just about everybody reading this. Real OpSec begins at home -- and that starts with not dealing out of your home and extends to "don't share your felonies with your friends."