xmr.club
EN 中文 ES RU
← all guides
guide · long-form explainer

Privacy for journalists and activists

Journalists, activists, and dissidents face a different threat model from the average user. The adversary may be well-funded, persistent, and willing to pivot from one identifier to another. The defense isn't a single magic tool — it's compartmentalisation across four pillars: identity-protective email, untraceable funding, source-side contact, and hosting that can't be unmasked under subpoena. Below: a concrete stack with picks from the directory and the operational habits that hold it together.

Threat model assumptions

This guide assumes you face one or more of:

  • State or quasi-state actors with legal-process access to centralised providers (your bank, your domain registrar, your email host).
  • Persistent harassment networks capable of pivoting from one identifier to the next — your email gets your wallet gets your IP gets your address.
  • Employer or institutional pressure on the platforms hosting your work (Twitter ban, Stripe deplatform, Substack pressure).

If your threat model is gentler — just nosy advertisers, casual ISP logging — see privacy without paranoia instead. This guide deliberately over-provisions for actors who don't give up.

Pillar 1 — identity-protective email

Every workflow ties back to email. If your email provider can be served a subpoena and your messages aren't end-to-end encrypted at rest, your entire investigation is on a timer. The rule:

  • No-KYC signup. Don't hand your real-name phone number to your work email host. See pick a no-KYC email for the criteria.
  • E2E-encrypted at rest. The host can't decrypt your inbox even if compelled. Tuta and Proton both meet this bar with caveats; Mailfence + Disroot fall short on encryption posture but win on jurisdiction.
  • Aliases for source contact. Anonaddy / SimpleLogin / addy.io. One alias per investigation. Burn the alias when the story closes.
  • Separate identity for source intake. Public-facing tip address (PGP keyed) must be different from your day-to-day mail.

Pillar 2 — money flow

Following the money is the most reliable de-anonymisation method. The pillars:

  • Monero for source payments + sensitive purchases. If you ever need to pay a source, a domain registrar, a VPS provider, or anything else where the trail matters — XMR is the only chain where unrelated transactions don't link. See how to buy Monero without KYC.
  • Two-hop swaps when going from KYC fiat → on-chain spend. Buy XMR with a no-KYC P2P (RoboSats / Bisq / Haveno), use kyc.rip/ghost for the XMR-detour rotation when you need to land in USDT/USDC for a vendor that doesn't accept XMR. The two hops break chain-analysis link reliably.
  • Cash for the easy ones. Not everything needs crypto. If you can pay in cash for a USB stick, do.
  • Prepaid card from XMR for online purchases that need a "card". See no-KYC prepaid card.

Pillar 3 — source-side contact

Your sources may be more at risk than you are. Build the stack from their side, not yours:

  • SecureDrop or Hush Line for source-side anonymous tips. Standard journalism tooling; runs as a hidden service.
  • Signal-with-username for ongoing contact once a source has chosen to identify (no phone number required since 2024).
  • OnionShare for file transfer that doesn't touch a cloud — peer-to-peer over Tor hidden service. Both sides keep deniability.
  • Burn the channel when the story publishes. Aliases retired, Signal username rotated, SecureDrop landing page taken down.

Pillar 4 — hosting that can't be unmasked

Where you publish matters as much as how. The rule: assume your hosting provider receives a subpoena and acts on it.

  • No-KYC VPS for any infrastructure you control. See /hosting — A-grade picks accept XMR + don't require a name.
  • Domain registered anonymously. See buy a domain anonymously. Pick a registrar that supports WHOIS privacy + accepts XMR.
  • Tor hidden service mirror. Both for reader-side circumvention and as a fallback if your clearnet domain gets pulled. See host a Tor hidden service.
  • Backups outside your jurisdiction. Encrypted with a key you control, not a provider-managed key.
  • Static publishing where possible. Less surface area for a forced shutdown than a CMS with login.

Operational habits that tie it together

  • Compartmentalisation. One identity per investigation. Don't reuse aliases, wallets, or hosting across topics. The work isn't to be "anonymous"; it's to keep adjacent identities unlinked.
  • Threat-model review when the story changes. Stories grow. If your low-stakes corruption story turns into national-security territory, the stack you built for the original threat is no longer enough.
  • Practice the failure modes. If your laptop is seized, what's on it? If your VPS is compromised, what's there? Rehearse the "what now?" — see recover from a privacy mistake.
  • Don't reinvent OPSEC norms. SecureDrop, Freedom of the Press Foundation, and EFF publish playbooks specific to investigative work. Read those first; this guide is the directory-of-tools layer underneath.

Picks

  • Tuta Mail — No-phone signup + E2E inbox. Pair with aliases for source contact.
  • kyc.rip / ghost — Two-hop XMR detour for clean source payments + sensitive on-chain spend.
  • Mullvad — Account number, not email. Cash-by-mail accepted. Doesn't know who you are.
  • Incognet — No-KYC VPS that accepts XMR. Reasonable jurisdiction.
  • Feather — Offline-signing capable Monero wallet for source payment workflows.
  • Tor Browser — Default browser for investigation work. Compartmentalise via separate profiles.