{
  "version": "v1",
  "slug": "recover-from-privacy-mistake",
  "title": "How to recover from a privacy mistake",
  "description": "You logged into the wrong account on the wrong session, or sent funds from a labelled wallet, or shared a screenshot with extra context. Triage in priority order: which leaks are recoverable, which are permanent, and what damage-control actually works.",
  "intro": "Most privacy advice is preventive. Eventually, everybody makes a mistake — links a KYC'd identity to a no-KYC stack, sends from the wrong wallet, posts a screenshot with the URL bar visible. The question becomes: what do you do now? Below: triage by leak type, what's recoverable, what isn't, and the operational pattern that contains the blast radius.",
  "body_plain": "First — what type of leak?\n\nThe recovery strategy depends entirely on which axis you compromised. Identify the leak class before deciding action. Identity-to-wallet leak. Your real name + address now linked to a specific crypto wallet (via KYC at an exchange you used, a doxx, a screenshot). Wallet-to-wallet linkage. Two of your wallets that were supposed to be unlinked are now tied together (co-spent UTXO, common destination, common timing). Account-to-account linkage. Two services you used pseudonymously are now linked (reused email, same IP from same Tor circuit, shared username). Network-level leak. Your real IP was captured by a service you intended to access only over Tor (mis-configured browser, Tor escape, DNS leak). Behavioral leak. Public post / screenshot / unintentional disclosure linking your real identity to a stance, action, or holding.\n\nTriage: recoverable vs permanent\n\nRecoverable means future damage can be contained. Permanent means the leak itself can't be undone but you can prevent it from getting worse. Identity-to-wallet: partly permanent. The link is now in chain-analysis databases forever. Recovery is to use an XMR-detour rotation, then never use the leaked wallet again. Wallet-to-wallet linkage: permanent at the chain level. Recovery is to retire both wallets in favor of fresh ones, ideally bridged through XMR. Account-to-account linkage: recoverable. Stop using both. Create new accounts on new providers. Don't try to \"clean up\" the linked accounts; deletion requests draw attention. Network-level leak: partly recoverable. The service that captured your IP now knows it; nothing changes that. Stop using the service. Switch network position (new IP block, fresh Tor circuit). Behavioral leak: permanent. Streisand-effect is real; deletion attempts often expand the audience. Best move is usually no move, paired with not repeating the leak.\n\nThe 30-minute incident response\n\nStop the bleed. Close the offending session, log out of the service, disconnect the wallet from any UI it's currently connected to. Inventory. Write down (on paper, not on a synced note) what was leaked: which identifiers, to which services, what the service can now correlate. Pull the leaked identifier from active use. If a wallet is compromised, move balance to a fresh wallet via XMR detour. If an account is compromised, stop using it but don't delete — deletion-then-recreation patterns are correlatable too. Wait. Don't take corrective action on the leaked surfaces for at least 24 hours. Most damage-control actions create their own metadata trail. Rebuild the upstream. If the root cause was a config issue (Tor escape, DNS leak), fix it before reconnecting any related service. Audit downstream. What else does this leak touch? An exchange knowing your name now potentially links to every address you ever withdrew to from there.\n\nThe mistakes to NOT make during recovery\n\nDon't try to \"clean up\" by deleting old posts. Edit history exists. Archive sites have cached copies. Wayback Machine. Streisand-effect. Don't immediately rotate every wallet. Bulk action at one moment creates a pattern that correlates them more clearly than they were before. Don't email the service to ask them to forget you. The email itself creates a record. GDPR-style requests can work but expect them to extract residual data along the way. Don't tell anyone what happened in the same channels you use for unrelated identity. Don't post about your operational mistake from your real-name account. Don't blame the tool. Most leaks are user-side; the tool worked, the config or the habit didn't.\n\nSpecific recovery playbooks\n\nLogged into KYC'd account through Tor: the service now has your Tor circuit IP + your KYC. Recovery: stop using the service via Tor; consider whether to keep using it at all. Future Tor sessions need to never touch this provider. Posted a screenshot with a wallet address visible: the address is now public. Recovery: stop using it; receive future deposits at a fresh subaddress. Existing balance can be moved via XMR detour to a clean wallet. Used a no-KYC service with a KYC'd email: the no-KYC service now has the email; if it's breached or compelled, the linkage surfaces. Recovery: register a new no-KYC email + start fresh; don't tell the original service. Browser dropped Tor for an outbound request: the destination saw your real IP. Recovery: assume the destination logged it; check whether the destination is privacy-respecting (per methodology); decide based on what it can do with the IP.\n\nWhen to escalate\n\nThreat-to-physical-safety leak: address / location / family. Different problem — get off the affected platforms entirely + consider professional help (counter-surveillance, threat-monitoring). This guide isn't enough. Compromise of a wallet you can't migrate from in time: if attackers have the key, race to move funds. If they have only metadata, the migration can wait. Legal-process disclosure: talk to a lawyer before doing anything irreversible.\n\nTools for the post-leak rebuild",
  "body_html": "\n      <section>\n        <h2 class=\"section-h\">First — what type of leak?</h2>\n        <p>The recovery strategy depends entirely on which axis you compromised. Identify the leak class before deciding action.</p>\n        <ul class=\"bullet-list\">\n          <li><strong>Identity-to-wallet leak.</strong> Your real name + address now linked to a specific crypto wallet (via KYC at an exchange you used, a doxx, a screenshot).</li>\n          <li><strong>Wallet-to-wallet linkage.</strong> Two of your wallets that were supposed to be unlinked are now tied together (co-spent UTXO, common destination, common timing).</li>\n          <li><strong>Account-to-account linkage.</strong> Two services you used pseudonymously are now linked (reused email, same IP from same Tor circuit, shared username).</li>\n          <li><strong>Network-level leak.</strong> Your real IP was captured by a service you intended to access only over Tor (mis-configured browser, Tor escape, DNS leak).</li>\n          <li><strong>Behavioral leak.</strong> Public post / screenshot / unintentional disclosure linking your real identity to a stance, action, or holding.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Triage: recoverable vs permanent</h2>\n        <p class=\"dim small\">Recoverable means future damage can be contained. Permanent means the leak itself can't be undone but you can prevent it from getting worse.</p>\n        <ul class=\"bullet-list\">\n          <li><strong>Identity-to-wallet:</strong> <em>partly permanent</em>. The link is now in chain-analysis databases forever. Recovery is to use an <a href=\"/guides/break-chain-analysis-link\">XMR-detour</a> rotation, then never use the leaked wallet again.</li>\n          <li><strong>Wallet-to-wallet linkage:</strong> <em>permanent at the chain level</em>. Recovery is to retire both wallets in favor of fresh ones, ideally bridged through XMR.</li>\n          <li><strong>Account-to-account linkage:</strong> <em>recoverable</em>. Stop using both. Create new accounts on new providers. Don't try to \"clean up\" the linked accounts; deletion requests draw attention.</li>\n          <li><strong>Network-level leak:</strong> <em>partly recoverable</em>. The service that captured your IP now knows it; nothing changes that. Stop using the service. Switch network position (new IP block, fresh Tor circuit).</li>\n          <li><strong>Behavioral leak:</strong> <em>permanent</em>. Streisand-effect is real; deletion attempts often expand the audience. Best move is usually no move, paired with not repeating the leak.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">The 30-minute incident response</h2>\n        <ol class=\"bullet-list\">\n          <li><strong>Stop the bleed.</strong> Close the offending session, log out of the service, disconnect the wallet from any UI it's currently connected to.</li>\n          <li><strong>Inventory.</strong> Write down (on paper, not on a synced note) what was leaked: which identifiers, to which services, what the service can now correlate.</li>\n          <li><strong>Pull the leaked identifier from active use.</strong> If a wallet is compromised, move balance to a fresh wallet via XMR detour. If an account is compromised, stop using it but don't delete — deletion-then-recreation patterns are correlatable too.</li>\n          <li><strong>Wait.</strong> Don't take corrective action on the leaked surfaces for at least 24 hours. Most damage-control actions create their own metadata trail.</li>\n          <li><strong>Rebuild the upstream.</strong> If the root cause was a config issue (Tor escape, DNS leak), fix it before reconnecting any related service.</li>\n          <li><strong>Audit downstream.</strong> What else does this leak touch? An exchange knowing your name now potentially links to every address you ever withdrew to from there.</li>\n        </ol>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">The mistakes to NOT make during recovery</h2>\n        <ul class=\"bullet-list\">\n          <li><strong>Don't try to \"clean up\" by deleting old posts.</strong> Edit history exists. Archive sites have cached copies. Wayback Machine. Streisand-effect.</li>\n          <li><strong>Don't immediately rotate every wallet.</strong> Bulk action at one moment creates a pattern that correlates them more clearly than they were before.</li>\n          <li><strong>Don't email the service to ask them to forget you.</strong> The email itself creates a record. GDPR-style requests can work but expect them to extract residual data along the way.</li>\n          <li><strong>Don't tell anyone what happened in the same channels you use for unrelated identity.</strong> Don't post about your operational mistake from your real-name account.</li>\n          <li><strong>Don't blame the tool.</strong> Most leaks are user-side; the tool worked, the config or the habit didn't.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Specific recovery playbooks</h2>\n        <ul class=\"bullet-list\">\n          <li><strong>Logged into KYC'd account through Tor:</strong> the service now has your Tor circuit IP + your KYC. Recovery: stop using the service via Tor; consider whether to keep using it at all. Future Tor sessions need to never touch this provider.</li>\n          <li><strong>Posted a screenshot with a wallet address visible:</strong> the address is now public. Recovery: stop using it; receive future deposits at a fresh subaddress. Existing balance can be moved via XMR detour to a clean wallet.</li>\n          <li><strong>Used a no-KYC service with a KYC'd email:</strong> the no-KYC service now has the email; if it's breached or compelled, the linkage surfaces. Recovery: register a new no-KYC email + start fresh; don't tell the original service.</li>\n          <li><strong>Browser dropped Tor for an outbound request:</strong> the destination saw your real IP. Recovery: assume the destination logged it; check whether the destination is privacy-respecting (per <a href=\"/methodology\">methodology</a>); decide based on what it can do with the IP.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">When to escalate</h2>\n        <ul class=\"bullet-list\">\n          <li><strong>Threat-to-physical-safety leak:</strong> address / location / family. Different problem — get off the affected platforms entirely + consider professional help (counter-surveillance, threat-monitoring). This guide isn't enough.</li>\n          <li><strong>Compromise of a wallet you can't migrate from in time:</strong> if attackers have the key, race to move funds. If they have only metadata, the migration can wait.</li>\n          <li><strong>Legal-process disclosure:</strong> talk to a lawyer before doing anything irreversible.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Tools for the post-leak rebuild</h2>\n      </section>\n    ",
  "picks": [
    {
      "category": "exchanges",
      "id": "kyc-rip-ghost",
      "name": "kyc.rip / ghost",
      "url": "https://xmr.club/exchanges/kyc-rip-ghost",
      "markdown_twin": "https://xmr.club/llm/exchanges/kyc-rip-ghost.txt",
      "why": "Two-hop XMR detour for rotating funds out of a leaked wallet in one flow."
    },
    {
      "category": "wallets",
      "id": "feather",
      "name": "Feather",
      "url": "https://xmr.club/wallets/feather",
      "markdown_twin": "https://xmr.club/llm/wallets/feather.txt",
      "why": "Fresh wallet creation + offline signing for the rebuild."
    },
    {
      "category": "email",
      "id": "tutanota",
      "name": "Tuta Mail",
      "url": "https://xmr.club/email/tutanota",
      "markdown_twin": "https://xmr.club/llm/email/tutanota.txt",
      "why": "Spin up a new identity-clean email if signup leak is the root cause."
    },
    {
      "category": "tools",
      "id": "tor-browser",
      "name": "Tor Browser",
      "url": "https://xmr.club/tools/tor-browser",
      "markdown_twin": "https://xmr.club/llm/tools/tor-browser.txt",
      "why": "Compartmentalise the new identity in a separate Tor Browser instance."
    }
  ],
  "url": "https://xmr.club/guides/recover-from-privacy-mistake",
  "markdown_twin": "https://xmr.club/llm/guides/recover-from-privacy-mistake.txt"
}