OPSEC52 / Week 2 — Identity compartmentalization
Reusing a username, an email, or a recovery number across contexts is how separate identities collapse into one. Build a wall per purpose and never let them touch.
Threat model: an adversary doing identity correlation — a chain analyst, a data broker, an account-recovery social-engineer, or just a curious stranger — trying to link your pseudonymous activity back to your real name, or to link two of your personas to each other, through a single reused detail.
The core rule: one persona per purpose
A “persona” is the bundle of identifiers tied to one context: a username, an email, a phone/number, a payment method, a browser profile. Compartmentalization means each context gets its own bundle, and the bundles never share a single field. Your no-KYC swap activity, your forum account, your day-job login, and your real-name banking should have nothing in common — not a handle, not an email fragment, not a recovery phone.
The reason is asymmetry: you have to keep the walls up every single time, but the adversary only needs one crossing. One reused username on a forum you joined in 2019 is enough to collapse a “private” identity into your real one. Identity correlation is patient and automated; it does not forget.
What actually leaks the link
Most de-anonymizations aren’t exotic. They’re a shared field:
- Reused username/handle. The same clever name on Reddit, a DNM forum, and GitHub ties all three together — and one of them probably has your real email.
- Reused email. Even a “throwaway” reused across two contexts bridges them. Worse: the recovery email behind a pseudonymous account is often your real one.
- Reused phone / SMS number. Your real number on a “private” signup links it to your carrier identity instantly. SMS recovery is a silent bridge.
- Password reuse. A breach on a junk site exposes a password you also used on a sensitive one — credential-stuffing does the linking for free.
- Same browser / same session. Logging into persona A and persona B in the same browser shares cookies, fingerprint, and IP. Tab A can see Tab B’s world.
- Same payment rail. The same card (or even the same KYC’d exchange withdrawal address) behind two contexts merges them on-chain or in a billing database.
Building the walls (practical)
You don’t need a spy budget — you need discipline and a few free tools:
- Email per context. A fresh address for each persona (a no-KYC provider, or per-context aliases). Never let one context’s recovery email point at another’s identity.
- Never reuse a handle. Generate a new, unmemorable username per context. The “brand name” you like is a tracking beacon — retire it.
- Numbers per context. Use a per-context throwaway number (temp-SMS) for any signup that demands one. Your real SIM is for nobody you’re compartmentalizing from.
- Separate browser profiles / containers / VMs. One profile per persona; never cross-login. Container tabs or separate browser profiles at minimum; separate VMs or devices for the highest-stakes walls.
- Separate payment rails. XMR (or a fresh no-KYC card) for private contexts; never the card or exchange tied to your real name. Don’t withdraw from a KYC’d exchange straight into a “private” address.
- Unique passwords, always. A password manager per-vault (or per-context) so a breach in one context can never stuff into another.
The recovery trap
The single most common silent cross-link is the recovery path. A pseudonymous account whose “forgot password” falls back to your real email or real phone is already linked — you just can’t see it until someone pulls the thread (a breach, a subpoena, a support-desk social-engineer). Audit every sensitive account: what’s the recovery email? The recovery phone? If either points outside that persona’s wall, the wall is already breached.
Discipline beats tools
Tools build the walls; discipline keeps them up. The walls only work if you never cross them once — one slip (replying to the wrong account from the wrong session, reusing one handle “just this time”) links the personas permanently and retroactively. Decide your contexts up front, write down which identifiers belong to which, and treat crossing a wall as the actual emergency it is.
This week’s checklist
- List your contexts (e.g. real-name, work, private-finance, forums) and the identifiers each one uses.
- Find every reused username, email, or number across contexts — pick the worst one and break it this week.
- Audit recovery email/phone on your sensitive accounts; move any that point across a wall.
- Set up one browser profile per persona; stop cross-logging-in.
- Confirm no single payment rail sits behind two contexts.
Compartmentalization isn’t paranoia — it’s just refusing to do the adversary’s correlation work for them.
Curated by Cyber Satoshi