xmr.club
EN 中文 ES RU
← all #OPSEC52
#OPSEC52 · week 01 / 52 · Network / VPN / Tor stack

VPN exit discipline — stop using one exit for everything

If your exchange login and your Tor session share an endpoint, you've built the bridge yourself. Rotate servers, separate contexts, assume everything connects eventually.

Network / VPN / Tor stack beginner $0 (with the VPN you already have) 2026-06-02

OPSEC52 / Week 1 — VPN exit discipline

If your exchange login and your Tor session share an endpoint, you’ve built the bridge yourself. Rotate servers, separate contexts, assume everything connects eventually.

Threat model: a correlator (chain analyst, ISP-level adversary, exchange compliance team) trying to link otherwise-unconnected accounts via shared exit IP. Difficulty: beginner · Cost: $0 (with the VPN you already have) · Published: 2026-06-02


The practice

A VPN does two things, and most users only think about the first one. It hides your real IP from the destination, and it gives the destination a consistent exit IP for every connection you make through that tunnel. If you don’t rotate, that second property leaks more than the first one protects.

Concrete example: you log into your KYC exchange (Bybit, Kraken, whoever) from VPN exit 199.21.x.y on a Tuesday. On Wednesday you open Tor Browser, also egressing the same VPN exit (because you’re tunneling Tor over VPN for the “extra hop”). You sign into a privacy forum, send a Monero address to a buyer, do whatever you do in your private context. Exchange compliance + forum operator + your VPN provider’s logs (if any) now share a partial timeline: same exit IP, two different identity contexts, hours apart. Correlation is trivially possible — even if the VPN provider itself never sees you. The adversary doesn’t need to see you; they need to see the pattern.

A VPN exit is a fingerprint. Re-using it across identity contexts is no different from re-using a username.

The fix is operational, not technical. Most modern VPN clients let you select an exit server (or country) per profile. You don’t need a different VPN provider for each context — you need a different exit per context.

How to apply it today

  1. Map your identity contexts. Three minimum: KYC stack (exchanges, banks, anything tied to your real name), pseudonymous stack (forums, X account, GitHub if pseudonymous), no-identity stack (Tor, privacy services, Monero swaps). Some users add a fourth for research stack (just reading, no logins).

  2. Assign an exit (or country) per context. Mullvad, IVPN, Proton all let you bookmark a city or specific server. Pick three or four cities you’ll consistently use. Don’t share cities across contexts.

  3. Build the habit of switching when the context switches. Easiest pattern: dedicated browser profiles tied to each context, each with the VPN profile pre-selected. Firefox containers, Brave profiles, even separate browser apps (Tor Browser for no-identity, Brave for pseudonymous, regular Chrome for KYC — the trust boundary doubles as the visual cue).

  4. Rotate within each context periodically. Even within your pseudonymous stack, swap city every few weeks. Avoids long-term static fingerprinting.

  5. For Tor over VPN, pick a VPN exit you don’t use anywhere else. Tor’s exit-IP rotation already handles destination-side; what matters is the entry-side (the IP your VPN gives Tor). That entry should never appear in any non-Tor connection.

Common mistakes

See also

xmr.club listings (where these picks live):

Cited sources:

Adjacent #OPSEC52 weeks (forthcoming):


#OPSEC52 is xmr.club’s weekly OPSEC series. Curated by Cyber Satoshi. Series index: /opsec. Built as a complement to (not replacement for) Sam Bent’s daily #OPSEC365 — both worth following.

Share on X: twitter.com/intent/tweet