
How to buy a domain name anonymously

Domains are the most KYC-prone layer of running a site. ICANN requires accurate registrant data; most TLD registries enforce it; most registrars KYC payment + identity at signup. Below: the registrars that work around this, the TLDs that help, and the operational steps that prevent the domain from being trivially de-anonymized later.

Why domains are different

  • ICANN policy requires registrants to provide accurate name, email, address, phone. Registries enforce via the registrar.
  • WHOIS was historically a public lookup; GDPR redaction applies in EU + a few jurisdictions; outside that, registrant data is sometimes searchable.
  • Privacy services (the registrar's own "WHOIS privacy") proxy the public record but the registrar still holds the underlying identity.
  • Payment is often the strongest deanon vector — the registrar saw your card or wallet; that record persists even if WHOIS is private.
  • A court order can compel the registrar to disclose the underlying registrant data.

The three privacy levers

  1. Registrar choice. Pick one that doesn't KYC payment + accepts crypto and explicitly markets privacy-respecting service.
  2. TLD choice. Some TLDs are more privacy-tolerant. .is, .ch, .li, and .com at Iceland-friendly registrars are better than .uk, .de, .us for sensitive use.
  3. Payment. XMR > cash by mail > BTC > prepaid card > regular credit card.

Privacy-respecting registrars

  • Njalla: Sweden-based, registers the domain in their name on your behalf, hands over operational control. Accepts XMR. The reference no-KYC registrar.
  • 1984 Hosting: Iceland. Accepts crypto. Long-running, privacy-friendly jurisdiction.
  • Orangewebsite: Iceland reseller. Crypto-accepted.
  • Caveat: Njalla owns the domain. If they go out of business or revoke service, you lose the domain. That is the trade-off for the privacy.

The operational checklist

  1. Buy from a Tor session using a fresh wallet. Pay in XMR.
  2. Use a throwaway email dedicated to the registration. Never link it to your real identity.
  3. Set DNS to a privacy-respecting nameserver (e.g. 1984 or a self-hosted authoritative server). Cloudflare's nameservers are convenient but Cloudflare sees every query going through them.
  4. Don't host content that links to your real identity from this domain. Email handles, X usernames, GitHub repos under your real name all link back trivially.
  5. Don't pay your hosting provider with the same wallet you used for the registrar. Chain analysis joins them.
  6. Renew on time, ideally a year ahead. Lapsed domains get auctioned or sniped; a privacy-respecting domain in someone else's hands is worse than no domain.

Common de-anonymization mistakes

  1. Reusing your real-name email anywhere on the domain. Even a "Contact us" page leaks if the mailto is your real address.
  2. Setting Cloudflare in front. The TLS termination + cache + analytics surface = Cloudflare sees your traffic + can be compelled to disclose. (Yes, we use Cloudflare for this directory; we accept the trade because we're not hiding the operator. If you are, route differently.)
  3. Letting WHOIS leak through DNS. Some registries publish nameserver assignment publicly even when WHOIS is private. Use generic nameservers.
  4. Domain age vs. account age. A 1-month-old domain registered to a 1-month-old account at a privacy registrar is a thin alibi if pressed.
  5. Reverse-image / favicon cross-correlation. Tools index favicons across the web; an identical favicon between your "anonymous" domain and your real-name domain links them.
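
A pre-publish self-check for mistakes 1 and 5 and checklist step 4, as an added example that is not part of the original guide: it scans a page you are about to deploy for your real-name email, profile links carrying your real handle, and a favicon file reused from a real-name site. All addresses, handles, markup and favicon bytes are constructed placeholders.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample values for illustration; substitute your own.
REAL_EMAILS = {"jane.doe@example.com"}
REAL_HANDLES = {"janedoe"}                        # X / GitHub names tied to you
REAL_FAVICON = b"\x00\x00\x01\x00real-site-icon"  # icon served by a real-name site
SITE_FAVICON = b"\x00\x00\x01\x00real-site-icon"  # same file reused: a leak
SAMPLE_HTML = """
<html><head><link rel="icon" href="/favicon.ico"></head><body>
<a href="mailto:Jane.Doe@example.com?subject=hi">Contact us</a>
<a href="https://github.com/janedoe/project">Source</a>
<a href="https://github.com/janedoes-cousin">Unrelated</a>
<p>Or write to drop-7f3@example.org</p>
</body></html>
"""
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class HrefCollector(HTMLParser):
    """Collects every href/src attribute value in the document."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def audit(html, site_favicon, real_emails, real_handles, real_favicon):
    """Return a sorted list of (kind, evidence) linkage findings."""
    findings = set()
    # Mistake 1: a real-name address anywhere in the markup, mailto included.
    for addr in EMAIL_RE.findall(html):
        if addr.lower() in real_emails:
            findings.add(("email", addr.lower()))
    # Checklist step 4: links whose path contains a real handle as a segment.
    collector = HrefCollector()
    collector.feed(html)
    for url in collector.urls:
        segments = urlsplit(url).path.lower().strip("/").split("/")
        if real_handles & set(segments):
            findings.add(("handle", url))
    # Mistake 5: favicon byte-identical to one served by a real-name site.
    digest = hashlib.sha256(site_favicon).hexdigest()
    if digest == hashlib.sha256(real_favicon).hexdigest():
        findings.add(("favicon", digest[:16]))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_HTML, SITE_FAVICON, REAL_EMAILS, REAL_HANDLES, REAL_FAVICON), sep="\n")
```

A byte-level hash only catches an identical file; a resized or re-encoded copy of the same image passes this check and can still be matched visually, so use a distinct icon rather than a modified one.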

When you actually want a hidden service instead

If the domain's only purpose is to host a service that's already privacy-sensitive, skip the clearnet domain entirely and run a Tor hidden service. No registrar to subpoena, no WHOIS, no payment trail. Trade-off: most users won't reach a .onion casually.

Recommended stack

  • Njalla (domains) → /email/njalla-domains

    Reference no-KYC registrar. Domain held in Njalla's name, operational control to you. Accepts XMR.

  • Njalla (VPS) → /hosting/njalla-vps

    Pair the domain with VPS from the same operator — single trust boundary.

  • 1984 Hosting → /hosting/1984-hosting

    Icelandic alternative + free-speech jurisdiction. Crypto-accepted.

  • Incognet → /hosting/incognet

    No-KYC hosting if you want to split registrar + host across operators.
