xmr.club
guide · long-form explainer

Privacy threat models — pick the tools to match

Privacy without a threat model is shopping. People install Tor + Monero + a VPN + a no-KYC SIM and still post receipts on Twitter. The mistake is treating privacy as a checklist instead of a model: who am I hiding from, what can they actually do, what's the minimum-viable defense, where's the diminishing return? Below: six common models, what they imply, and the directory stack that matches each.

Why threat-modeling first

Every privacy tool trades something — money, friction, dependability, performance. The right amount of trade depends on who can do what to you. Defending against your ISP is one tool and one habit; defending against a nation-state is a lifestyle. Most users sit in the middle and pick the wrong axis.

Model 1 — Casual ISP / employer / network admin

Who: the people who route your packets but don't know you personally. Includes your home ISP, your employer's IT team, public WiFi operators.

What they can do: see destination IPs and TLS-SNI; correlate visits to known sites by timing; log DNS queries. Cannot read TLS content.

Defense: a paid no-KYC VPN (VPN picks) is enough. DoH / DoT for DNS if the VPN doesn't already cover it. Tor is overkill and slower.
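To make Model 1 concrete, here is an added example (not code from the xmr.club guide) that reproduces what the people who route your packets can read from a TLS connection. It builds a constructed ClientHello, then parses it the way a passive on-path observer would: the record type, its length and the plaintext SNI hostname are visible, and everything in application-data records is opaque. DoH / DoT hides the DNS lookup but not this hostname field; only a tunnel such as the VPN above puts the whole handshake out of the ISP's sight. All bytes and hostnames below are constructed samples, not captures.

```python
"""What a passive network observer learns from a TLS session: record types and
lengths, plus the plaintext SNI hostname in the ClientHello. Nothing else."""
import struct
from typing import Dict, List, Optional

HANDSHAKE = 0x16          # TLS record content type: handshake
APPLICATION_DATA = 0x17   # TLS record content type: encrypted application data
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension id


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal ClientHello wrapped in a TLS record (not a real capture).
    hostname=None produces a ClientHello with no SNI extension."""
    body = b"\x03\x03"                                 # legacy client_version (TLS 1.2 value)
    body += b"\x00" * 32                               # random, zeroed in this sample
    body += b"\x00"                                    # session_id length: 0
    body += struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                # compression methods: null only
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS record carrying a ClientHello, else None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                    # truncated record
    pos = 2 + 32                                       # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                               # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(data) < 5:
            continue
        # server_name_list length (2) | name_type (1) | name length (2) | name
        name_len = struct.unpack("!H", data[3:5])[0]
        if data[2] != 0 or len(data) < 5 + name_len:
            continue
        return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


def observer_view(stream: bytes) -> List[Dict]:
    """Walk a TLS byte stream and report, per record, what a passive observer sees."""
    out, pos = [], 0
    while pos + 5 <= len(stream):
        ctype = stream[pos]
        rec_len = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        record = stream[pos:pos + 5 + rec_len]
        pos += 5 + rec_len
        entry = {"type": ctype, "length": rec_len, "sni": None}
        if ctype == HANDSHAKE:
            entry["sni"] = extract_sni(record)       # hostname is plaintext here
        out.append(entry)                            # application data stays opaque
    return out


if __name__ == "__main__":
    # Constructed stream: a ClientHello followed by one encrypted application-data record
    sample = build_client_hello("example.com") + bytes([APPLICATION_DATA, 3, 3, 0, 4]) + b"\xaa\xbb\xcc\xdd"
    for rec in observer_view(sample):
        print(rec)
```

Run it and the first record reports `sni: 'example.com'` while the second reports only a type and a length; that asymmetry is the whole of Model 1. The same parse works on real captures because it follows the ClientHello wire layout, but the hostnames and random bytes here are constructed.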

Model 2 — Service-provider correlation

Who: the services you use — exchanges, payment processors, email providers, the wallets you trust with view-keys.

What they can do: link your account/email to your transaction history. Sell that to data brokers or hand it to law enforcement.

Defense: no-KYC stack — no-KYC exchanges, email-without-identity, non-KYC SMS. Don't log into KYC'd accounts in the same session as no-KYC ones (staggered fingerprints).

Model 3 — Stalker / personal-relationship adversary

Who: ex-partner, family member, acquaintance who knows your real identity already and is trying to find you online.

What they can do: reverse-search public posts, photos, usernames. Cross-reference dating profiles, social media, leaked databases.

Defense: compartmentalized identities — separate email + phone + username for the relationship you want hidden. Non-KYC SMS for signup, never reuse a number that's been linked publicly. Scrub data brokers (separate effort outside this directory). Tor + VPN don't help here directly; the problem is the data you produce, not the network you produce it on.

Model 4 — Chain-analysis / on-chain forensics

Who: Chainalysis-class firms, IRS Cyber Crime Unit, ransomware-tracking nonprofits, sanctions-enforcement bodies.

What they can do: cluster wallets by behavioral heuristics; subpoena exchanges for KYC behind addresses; trace stablecoin paths through DEXs and bridges.

Defense: native Monero where possible — chain-level privacy is the protocol's job, not yours. For BTC/USDT exposure: a two-hop XMR detour to break correlation, or use kyc.rip / ghost, which bundle that detour into a single flow. Subaddress hygiene. Cold storage on a hardware wallet you bought without an account.
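The two capabilities in Model 4 compose: a behavioural heuristic merges addresses into one cluster, and a single KYC record obtained from an exchange then labels the whole cluster. The added example below (not code from the guide, and not a real chain-analysis product) implements the simplest such heuristic, common-input-ownership, over constructed transactions and a constructed KYC record. It is the reason the defense above leans on protocol-level privacy: on a transparent UTXO chain the inputs of a transaction are public, so the heuristic has something to work on; Monero's ring signatures do not reveal which ring member was actually spent, so the co-spend premise is missing.

```python
"""Common-input-ownership clustering: if one transaction spends several inputs,
assume the same entity controls all of them and merge their addresses.
Then propagate a KYC label from one address to its whole cluster.
All transactions, addresses and KYC records here are constructed samples."""
from typing import Dict, List, Set, Tuple

Tx = Tuple[str, List[str], List[str]]   # (txid, input addresses, output addresses)

# Constructed transactions with hypothetical address labels (not from any real chain)
SAMPLE_TXS: List[Tx] = [
    ("tx1", ["A1", "A2"], ["B1", "A3"]),   # A1 and A2 co-spend -> same owner
    ("tx2", ["A3"], ["C1"]),               # single input: nothing to merge
    ("tx3", ["A2", "A4"], ["D1"]),         # A2 co-spends with A4 -> A4 joins A1's cluster
    ("tx4", ["E1"], ["E2"]),               # unrelated entity
]

# Constructed record of the kind an exchange hands over on subpoena: address -> customer id
SAMPLE_KYC: Dict[str, str] = {"A4": "customer-0042"}


class UnionFind:
    """Disjoint-set forest keyed by address string."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def add(self, x: str) -> None:
        self.parent.setdefault(x, x)

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_co_spend(txs: List[Tx]) -> Dict[str, Set[str]]:
    """Return {cluster root: set of addresses} using only the co-spend rule.
    Outputs are deliberately not touched: change-detection heuristics would
    merge more, but this shows the minimal version."""
    uf = UnionFind()
    for _txid, inputs, _outputs in txs:
        for addr in inputs:
            uf.add(addr)
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    clusters: Dict[str, Set[str]] = {}
    for addr in uf.parent:
        clusters.setdefault(uf.find(addr), set()).add(addr)
    return clusters


def label_clusters(txs: List[Tx], kyc: Dict[str, str]) -> Dict[str, str]:
    """Attach a KYC label to every address in a cluster that contains a labelled address.
    Clusters with conflicting labels are left unlabelled (the heuristic mis-merged)."""
    labelled: Dict[str, str] = {}
    for members in cluster_by_co_spend(txs).values():
        hits = {kyc[a] for a in members if a in kyc}
        if len(hits) == 1:
            name = hits.pop()
            for a in members:
                labelled[a] = name
    return labelled


if __name__ == "__main__":
    for root, members in cluster_by_co_spend(SAMPLE_TXS).items():
        print(root, sorted(members))
    print(label_clusters(SAMPLE_TXS, SAMPLE_KYC))
```

With the sample data, one KYC'd address (A4) is enough to label A1 and A2 as well, even though neither ever touched the exchange. That is the correlation the "two-hop XMR detour" in the text is meant to break: the detour leaves no co-spend edge between the pre- and post-detour addresses for this rule to follow.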

Model 5 — Compliance / state-level monitoring (not targeted)

Who: regulators + state agencies running broad surveillance dragnets. NSA-style passive collection, EU GDPR-compliant data hoarders, financial-intelligence units.

What they can do: bulk-collect everything that passes a major IXP; correlate metadata across services; subpoena large platforms for retrospective data. Tor traffic gets flagged but not necessarily deanonymized; Monero is on most agencies' "can't trace" list as of 2026 but the meta-question (do you use it?) is observable.

Defense: the full no-KYC stack + Tor over a privacy VPN + bridges if Tor itself is observable in your jurisdiction. Compartmentalize: don't mix KYC'd accounts with the no-KYC stack. The goal is not to be invisible; it's to be uninteresting.

Model 6 — Targeted state adversary

Who: a state agency actively investigating you specifically. Journalist with a leaked-source archive, dissident in an authoritarian regime, suspected high-value target.

What they can do: almost anything — endpoint malware on your devices, supply-chain attacks on hardware, compelled cooperation from your service providers, physical access. Network-level adversary on every major path between you and any service.

Defense: outside the scope of this directory. Read EFF's Surveillance Self-Defense, talk to Freedom of the Press Foundation, use Tails / Qubes, multisig everything, treat every device as compromised. The privacy-services directory helps with the substrate but cannot substitute for proper operational security.

The biggest mistake

Most users either over-buy (full Tor + multisig hardware wallet + offshore VPN for casual ISP-evasion) or under-buy (no-KYC swap but then KYC at withdrawal, fresh email reused across all signups). The fix is to start with the model: write down on paper who you're trying to hide from and what they can actually do. Then pick the minimum stack that addresses it. Add layers only if the cost is acceptable and the gain is real.

Re-evaluate yearly. A model that fit two years ago when you were a hobbyist may not fit now that you publish under your name, or vice versa.

Stack picks by tier

Each tier builds on the one before it. Stop where your model fits; don't pay for the next tier unless the cost is acceptable and the gain is real.

Tier 0 — Pre-stack hygiene (everyone). Unique passwords, a password manager, 2FA via TOTP (not SMS), keep your OS patched. Free, mandatory. None of the tiers below substitute for this layer.

Tier 1 — Casual ISP / employer (Model 1). A single paid no-KYC VPN: Mullvad, IVPN, or AzireVPN. Pay in cash by post or XMR. DoH / DoT in the browser for DNS. Tor is overkill here.

Tier 2 — Service-provider correlation (Model 2). Add an alias-email service so every signup gets a unique address. Move custodial balances into a non-KYC wallet (Cake, Feather, Monerujo for XMR). Swap via a no-KYC instant-swap (SageSwap, ETZ-Swap, Sideshift) instead of a registered exchange.

Tier 3 — Stalker / personal-relationship adversary (Model 3). Add identity compartmentalisation: a separate alias-email + wallet + (where it matters) a no-KYC SIM / eSIM per role (Silent.link, walls.eSIM). Never reuse handles across roles. Lock down social profiles you don't actively need. Use recover-from-a-privacy-mistake as your run-book if a leak happens.

Tier 4 — Chain-analysis / on-chain forensics (Model 4). Move into native XMR for the part of your stack that matters. Bridge with atomic-swap protocols (RetoSwap, Bisq) where source and destination chains both need to be trust-minimised. kyc.rip / ghost for bundled chain-break flows when you must route across mismatched chains. Avoid view-key-custodial wallets; pick view-key-free clients (Feather, Cake, Monero CLI).

Tier 5 — Compliance / state mass monitoring (Model 5). Add Tor over your privacy VPN; bridges if Tor is censored locally. No-account access to every service that allows it. Cold storage for balances you don't need today — hardware wallet + multisig for the actually-large amounts. Avoid KYC at every step; consider migrating identifiers (email, handles, phone, wallet seeds) so the pre-compliance identity isn't linked to the post-compliance one.

Tier 6 — Targeted state adversary (Model 6). Out of scope of this directory. Read EFF's Surveillance Self-Defense, talk to Freedom of the Press Foundation, consider Tails or Qubes OS, treat every device as compromised, get trained operational-security help. The privacy-services directory helps with the substrate but cannot substitute for actively-targeted defence.

One last thing: re-evaluate yearly. The model that fit two years ago when you were a hobbyist may not fit now that you publish under your name — or vice versa.

Picks

  • Mullvad — Casual ISP / employer threat-model. No-KYC VPN with the longest no-logs track record. Pay in XMR.
  • Tor Browser — Service-provider + compliance models. Network-layer anonymity, fingerprint-padded browser.
  • Feather — Chain-analysis model. Native XMR + view-only + Tor + reproducible build.
  • kyc.rip aggregator — Service-provider + chain-analysis. No-KYC routing across multiple engines, no markup.