Privacy for journalists and activists

Threat model assumptions

This guide assumes you face one or more of:

• State or quasi-state actors with legal-process access to centralised providers (your bank, your domain registrar, your email host).
• Persistent harassment networks capable of pivoting from one identifier to the next — your email gets your wallet gets your IP gets your address.
• Employer or institutional pressure on the platforms hosting your work (Twitter ban, Stripe deplatform, Substack pressure).

If your threat model is gentler — just nosy advertisers, casual ISP logging — see privacy without paranoia instead. This guide deliberately over-provisions for actors who don't give up.

Pillar 1 — identity-protective email

Every workflow ties back to email. If your email provider can be served a subpoena and your messages aren't end-to-end encrypted at rest, your entire investigation is on a timer. The rule:

• No-KYC signup. Don't hand your real-name phone number to your work email host. See pick a no-KYC email for the criteria.
• E2E-encrypted at rest. The host can't decrypt your inbox even if compelled. Tuta and Proton both meet this bar with caveats; Mailfence + Disroot fall short on encryption posture but win on jurisdiction.
• Aliases for source contact. Anonaddy / SimpleLogin / addy.io. One alias per investigation. Burn the alias when the story closes.
• Separate identity for source intake. Public-facing tip address (PGP keyed) must be different from your day-to-day mail.

Pillar 2 — money flow

Following the money is the most reliable de-anonymisation method. The pillars:

• Monero for source payments + sensitive purchases. If you ever need to pay a source, a domain registrar, a VPS provider, or anything else where the trail matters — XMR is the only chain where unrelated transactions don't link. See how to buy Monero without KYC.
• Two-hop swaps when going from KYC fiat → on-chain spend. Buy XMR with a no-KYC P2P (RoboSats / Bisq / Haveno), use kyc.rip/ghost for the XMR-detour rotation when you need to land in USDT/USDC for a vendor that doesn't accept XMR. The two hops break chain-analysis link reliably.
• Cash for the easy ones. Not everything needs crypto. If you can pay in cash for a USB stick, do.
• Prepaid card from XMR for online purchases that need a "card". See no-KYC prepaid card.

Pillar 3 — source-side contact

Your sources may be more at risk than you are. Build the stack from their side, not yours:

• SecureDrop or Hush Line for source-side anonymous tips. Standard journalism tooling; runs as a hidden service.
• Signal-with-username for ongoing contact once a source has chosen to identify (no phone number required since 2024).
• OnionShare for file transfer that doesn't touch a cloud — peer-to-peer over Tor hidden service. Both sides keep deniability.
• Burn the channel when the story publishes. Aliases retired, Signal username rotated, SecureDrop landing page taken down.

Pillar 4 — hosting that can't be unmasked

Where you publish matters as much as how. The rule: assume your hosting provider receives a subpoena and acts on it.

• No-KYC VPS for any infrastructure you control. See /hosting — A-grade picks accept XMR + don't require a name.
• Domain registered anonymously. See buy a domain anonymously. Pick a registrar that supports WHOIS privacy + accepts XMR.
• Tor hidden service mirror. Both for reader-side circumvention and as a fallback if your clearnet domain gets pulled. See host a Tor hidden service.
• Backups outside your jurisdiction. Encrypted with a key you control, not a provider-managed key.
• Static publishing where possible. Less surface area for a forced shutdown than a CMS with login.

Operational habits that tie it together

• Compartmentalisation. One identity per investigation. Don't reuse aliases, wallets, or hosting across topics. The work isn't to be "anonymous"; it's to keep adjacent identities unlinked.
• Threat-model review when the story changes. Stories grow. If your low-stakes corruption story turns into national-security territory, the stack you built for the original threat is no longer enough.
• Practice the failure modes. If your laptop is seized, what's on it? If your VPS is compromised, what's there? Rehearse the "what now?" — see recover from a privacy mistake.
• Don't reinvent OPSEC norms. SecureDrop, Freedom of the Press Foundation, and EFF publish playbooks specific to investigative work. Read those first; this guide is the directory-of-tools layer underneath.

The directory stack at a glance

More guides