What Tor protects (and what it doesn't)
- Protects: your IP from the destination, the destination IP from your ISP. Hides which sites you visit. Hides timing/volume from passive network observers.
- Doesn't protect: what you submit on a form, your browser fingerprint, login cookies, anything tied to a previously KYC'd identity. Doesn't hide from your ISP that you use Tor; they see encrypted Tor traffic. Use a bridge if hiding Tor use from your ISP matters.
- Doesn't protect against TLS stripping by an exit node on non-HTTPS sites; always check the lock icon.
Setup checklist (safest → easiest)
- Tor Browser. Download from torproject.org. Don't install plugins, don't resize the window, leave the Security Level at "Standard" unless you know why you'd change it.
- Bridge if your ISP blocks Tor. Use obfs4 / WebTunnel / Snowflake bridges from bridges.torproject.org.
- Onion mirrors when offered. Use the .onion address of services you're visiting — keeps the entire circuit inside the Tor network and avoids exit-node trust. xmr.club's onion audit verifies operator-published mirrors.
- Stagger fingerprints. Don't log in to KYC'd accounts in the same session as no-KYC ones. Use a separate Tor Browser instance (different data directory) per identity.
Wallets + Tor
- Cake / Monerujo / Feather all have a "use Tor" toggle that routes wallet RPC through your local Tor daemon. Use it.
- Remote node over Tor — pair the wallet with a public XMR remote node on its .onion address. /nodes lists vetted options with Tor mirrors.
- Don't run your wallet alongside a clearnet browser session on the same machine if you care about correlation — VMs / different devices for serious threat models.
Common pitfalls
- Enabling JavaScript everywhere. JS expands fingerprint surface enormously. Tor Browser's Safest security level disables it; turn categories back on per site as needed.
- Login = identity link. Logging into the same email/X/GitHub via Tor and clearnet over time links the two. Use single-purpose accounts.
- Browser window resize. Tor Browser pads window size to a common bucket; resizing breaks that. Don't.
- Bookmarking onion URLs without verification. Verify each onion with the verification guide before relying on it.
- Trusting an exit node. An exit node sees plaintext to the destination over HTTP. Always HTTPS, or always onion-only.
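A sketch of the bookmark check behind "Onion mirrors when offered" and "Bookmarking onion URLs without verification", added here as an example and not part of xmr.club's verification guide or audit tooling. It validates the v3 onion checksum and then compares the full address against an operator-published list; the function names and sample keys are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def _checksum(pubkey: bytes) -> bytes:
    # v3 checksum: first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]

def encode_onion(pubkey: bytes) -> str:
    """Build a v3 address from 32 key bytes (used here only for constructed samples)."""
    return base64.b32encode(pubkey + _checksum(pubkey) + b"\x03").decode().lower() + ".onion"

def onion_host(url: str) -> str:
    """Reduce a bookmark (URL or bare host) to '<label>.onion', dropping subdomains."""
    url = url.strip()
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def is_valid_v3(host: str) -> bool:
    """Structural check: 56 base32 chars decoding to key(32) + checksum(2) + version(1)."""
    label = host[:-6] if host.endswith(".onion") else ""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw[34:] == b"\x03" and raw[32:34] == _checksum(raw[:32])

def check_bookmark(url: str, published: set[str]) -> str:
    """Classify a bookmark against lowercase '<label>.onion' entries the operator published."""
    host = onion_host(url)
    if not is_valid_v3(host):
        return "malformed"      # typo, truncation, or not a v3 onion at all
    if host in published:
        return "match"          # full 56-character comparison
    if any(host[:6] == p[:6] for p in published):
        return "prefix-only"    # familiar at a glance, but a different service
    return "unlisted"

if __name__ == "__main__":
    # Constructed sample data: arbitrary key bytes, not real services.
    published = {encode_onion(bytes(range(32)))}
    for url in ("http://" + next(iter(published)) + "/wallet",
                encode_onion(bytes(range(31)) + b"\xff"),
                encode_onion(b"\xff" * 32),
                "example.com"):
        print(check_bookmark(url, published), url)
```

A valid checksum only shows the address is well-formed; it says nothing about who runs it, so the published list has to come from a source you already trust.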
When you actually want a VPN instead
Tor isn't the only privacy tool. If your threat model is "ISP / employer / coffee-shop network", a no-KYC VPN may be enough and is much faster. If it's "state-level adversary" or "publisher's identity protection", Tor is the floor. Many users run Tor over a VPN; that hides Tor usage from the ISP at the cost of trusting the VPN.