# Privacy threat models — pick the tools to match

> Six common threat models from "casual ISP / employer" to "state-level adversary", and which xmr.club stack actually addresses each. Avoid the most common mistake: over-buying for a problem you don't have, or under-buying for one you do.

Canonical URL: https://xmr.club/guides/privacy-threat-models

## Overview

Privacy without a threat model is shopping. People install Tor + Monero + a VPN + a no-KYC SIM and still post receipts on Twitter. The mistake is treating privacy as a checklist instead of a model: who am I hiding from, what can they actually do, what's the minimum-viable defense, where's the diminishing return? Below: six common models, what they imply, and the directory stack that matches each.

## Body

### Why threat-modeling first

Every privacy tool trades something — money, friction, dependability, performance. The right amount of trade depends on who can do what to you. Defending against your ISP is one tool and one habit; defending against a nation-state is a lifestyle. Most users sit in the middle and pick the wrong axis.

### Model 1 — Casual ISP / employer / network admin

Who: the people who route your packets but don't know you personally. Includes your home ISP, your employer's IT team, public WiFi operators.

What they can do: see destination IPs and TLS-SNI; correlate visits to known sites by timing; log DNS queries. Cannot read TLS content.

Defense: a paid no-KYC VPN (VPN picks) is enough. DoH / DoT for DNS if the VPN doesn't already cover it. Tor is overkill and slower.

### Model 2 — Service-provider correlation

Who: the services you use — exchanges, payment processors, email providers, the wallets you trust with view-keys.

What they can do: link your account/email to your transaction history. Sell that to data brokers or hand it to law enforcement.

Defense: no-KYC stack — no-KYC exchanges, email-without-identity, non-KYC SMS.
Don't log into KYC'd accounts in the same session as no-KYC ones (staggered fingerprints).

### Model 3 — Stalker / personal-relationship adversary

Who: ex-partner, family member, acquaintance who knows your real identity already and is trying to find you online.

What they can do: reverse-search public posts, photos, usernames. Cross-reference dating profiles, social media, leaked databases.

Defense: compartmentalized identities — separate email + phone + username for the relationship you want hidden. Non-KYC SMS for signup, never reuse a number that's been linked publicly. Scrub data brokers (separate effort outside this directory). Tor + VPN don't help here directly; the problem is the data you produce, not the network you produce it on.

### Model 4 — Chain-analysis / on-chain forensics

Who: Chainalysis-class firms, IRS Cyber Crime Unit, ransomware-tracking nonprofits, sanctions-enforcement bodies.

What they can do: cluster wallets by behavioral heuristics; subpoena exchanges for KYC behind addresses; trace stablecoin paths through DEXs and bridges.

Defense: native Monero where possible — chain-level privacy is the protocol's job, not yours. For BTC/USDT exposure: a two-hop XMR detour to break correlation, or use kyc.rip / ghost which bundles that detour into a single flow. Subaddress hygiene. Cold storage on a hardware wallet you bought without an account.

### Model 5 — Compliance / state-level monitoring (not targeted)

Who: regulators + state agencies running broad surveillance dragnets. NSA-style passive collection, EU GDPR-compliant data hoarders, financial-intelligence units.

What they can do: bulk-collect everything that passes a major IXP; correlate metadata across services; subpoena large platforms for retrospective data. Tor traffic gets flagged but not necessarily deanonymized; Monero is on most agencies' "can't trace" list as of 2026 but the meta-question (do you use it?) is observable.

Defense: the full no-KYC stack + Tor over a privacy VPN + bridges if Tor itself is observable in your jurisdiction. Compartmentalize: don't mix KYC'd accounts with the no-KYC stack. The goal is not to be invisible; it's to be uninteresting.

### Model 6 — Targeted state adversary

Who: a state agency actively investigating you specifically. Journalist with a leaked-source archive, dissident in an authoritarian regime, suspected high-value target.

What they can do: almost anything — endpoint malware on your devices, supply-chain attacks on hardware, compelled cooperation from your service providers, physical access. Network-level adversary on every major path between you and any service.

Defense: outside the scope of this directory. Read EFF's Surveillance Self-Defense, talk to Freedom of the Press Foundation, use Tails / Qubes, multisig everything, treat every device as compromised. The privacy-services directory helps with the substrate but cannot substitute for proper operational security.

### The biggest mistake

Most users either over-buy (full Tor + multisig hardware wallet + offshore VPN for casual ISP-evasion) or under-buy (no-KYC swap but then KYC at withdrawal, fresh email reused across all signups).

The fix is to start with the model: write down on paper who you're trying to hide from and what they can actually do. Then pick the minimum stack that addresses it. Add layers only if the cost is acceptable and the gain is real.

Re-evaluate yearly. A model that fit two years ago when you were a hobbyist may not fit now that you publish under your name, or vice versa.

### Stack picks by tier

## Recommended picks

- [Mullvad](https://xmr.club/vpns/mullvad) · /llm/vpns/mullvad.txt — Casual ISP / employer threat-model. No-KYC VPN with the longest no-logs track record. Pay in XMR.
- [Tor Browser](https://xmr.club/tools/tor-browser) · /llm/tools/tor-browser.txt — Service-provider + compliance models. Network-layer anonymity, fingerprint-padded browser.
- [Feather](https://xmr.club/wallets/feather) · /llm/wallets/feather.txt — Chain-analysis model. Native XMR + view-only + Tor + reproducible build.
- [kyc.rip aggregator](https://xmr.club/exchanges/kyc-rip-aggregator) · /llm/exchanges/kyc-rip-aggregator.txt — Service-provider + chain-analysis. No-KYC routing across multiple engines, no markup.

## License

CC-BY-4.0. Attribute "xmr.club".