Man
1. There will be no pictures, no code either.
2. Where you studied, we taught.
3. Security is never convenient.
VOLUME ONE: LOGICAL (there may be a second, technical one, if I don’t get pelted with tomatoes for this one)
INTRO
I don’t want to stand out from the crowd, advertise myself, try to seem higher or lower than I am — if it seemed that way to you because of my rather specific style of presentation — then it just seemed that way to you. I have over 30 years of work experience, I was charged under Articles 272 Part 2, 273 Part 2, 165 Part 2, so I have some experience and I’m telling you about it not for the sake of showing off, but so that it would be a little clearer to you that big things can be seen from afar and over time. I do not claim to have the ultimate truth, but I hope that this material will be useful to someone (and, most importantly, will be able to save some of you from prison; although it is customary to never say never).
Security is a delicious layered cake. None of the layers work without the other. This thing works ONLY IN A COMPREHENSIVE WAY, and your approach to ensuring it should be COMPREHENSIVE. Otherwise, what is the point of installing an armored (like in a bank) door and keeping the window open? Let's taste this pie)
PART ONE: SOCIETY
Gold or blood?
Golden rule number 1: don't talk.
Golden rule number 2: showing off is your enemy.
Golden rule number 3: live and work in big cities.
Money, as we know, loves silence. And big money loves dead silence (you can talk about this in more detail in the article about crypto millionaires who kicked the bucket prematurely). I remember a couple of cases from life that will clearly show you what not to do.
Case 1. Once upon a time there lived Vasya. He got C's in school, skipped classes at the university, in a word, he was a typical slacker. However, Vasya was not alien to the attractive world of IT, which was just forming at that time, and he hastened to take advantage of it. It must be said that Vasya was not deprived of intelligence and all this computer crap came quite easily to him. I will deliberately omit the details and particulars of what exactly he did, but from a financial point of view, everything was fine for him. At least, while most people barely scraped together an A to "pass" the most difficult exams at the university, Vasya easily entered 30k right in the dean's record book. Service, yeah. Time passed and Vasya instantly realized that there was no point in sitting at home if you can "master" the city. And off we went, clubs, restaurants... Just like everyone else. Vasya got carried away, because the city always had enough rich kids and other "friends" ready to be with anyone, as long as the latter had money. Vasily had money. Lots of it. Drinking, partying, carousing... Girls were added. Vasya decided that he had become a superstar of the local underground and... started chatting, telling the blue case what an incredible hacker he was and describing in detail his latest digital exploits. The company, which happily joined in hanging out with Vasya at his expense, was under investigation by the relevant services, and there were agents inside the group who were no less happy to use Vasya to advance their careers. Vasya went to jail.
Case two, around 2004. A small group of other enterprising students found a "topic" and began to exploit it quite actively. Minted coins started to fall into the guys' pockets with a clang (who among you doesn't remember that sound from the WM app?). And then... Then everything is simple - crazy with money, the students started to actively buy things, making their first and last, most fatal mistake. Everything was used, starting from high-quality clothes and expensive accessories, continuing with chicks in the most expensive pubs in the city, ending with cars and apartments. If my memory serves me right, at least three new Cayennes were bought. The situation with apartments was approximately the same. Everything ended quite naturally: FSB officers found out about the group almost immediately, it happened in a relatively small (a couple of million population) city, and the students were not exactly taken into circulation, no. They were simply pulled straight from their classes at the university, put in cars and brought to the regional FSB department for one of the regions, where all the friends and comrades, first of all, cross-referenced each other, and secondly, gave up everything they knew. The main actors were jailed, some were bailed out by their parents.
Moral. What is moral? It is put in the golden rules at the beginning of this part. Or, perhaps, it would be more correct to say — bloody rules. No need to chat left and right, no need to stand out from the crowd with expensive toys, and especially do not do all this in small towns, where not only does every dog know each other, but also the threshold for that very show-off is extremely low. I deliberately omitted a couple of technical points from the detention of these fools, I will tell you about them later. Live two different lives, just like superheroes in the movies. No one, I repeat, no one should know about your work (by work we mean your gray or black activity on the Internet) — not mom and dad, not brother and sister, absolutely no one. And we will also return to this point a little further, literally in the next part.
PART TWO: MONEY
Golden rule number 1: "greed ruined the sucker."
Golden rule number 2: think like your opponent.
Golden rule number 3: KYC is your enemy.
I deliberately divided the first volume into parts in descending order of importance. And, surprise, in second place are not your VPNs. In second place is money, because it is what will most likely expose you. How? I'll tell you now. Imagine some ideal world in which your ass is reliably covered by a technological virtual armor plate and it is absolutely impossible to track you online. Can you imagine it? Great, it happens, I'll even tell you how to do it later. What do you think your three-letter opponents will do? "The eye sees, but the tooth does not", yeah. They will try to: a) gain your trust under any pretext, b) lead you to an IRL meeting, c) try to buy something from you or, conversely, sell you. And why is that? That's right, because money HAS TRACES. Any, both fiat candy wrappers and crypto.
So, you earned money and got paid in crypto. Question one - where did they pay it? The worst thing you can do is keep your money in hot wallets (i.e. on the exchange), this wallet does not belong to you (even though you have its seed phrase). A little more optimal is to store it in a cold wallet (it does not matter which one; it can be Ledger, Trezor or a virtual wallet with some Exodus), it is up to you. Even better - do not store it in crypto at all. For a number of reasons. First: if it is crypto, then it is subject to volatility (exchange rate fluctuations), you should not play this game, believe me. Many of you were little and do not remember, but we somehow woke up, and the dollar is no longer 6 rubles ... So there are stablecoins, you say? Yeah, there are. But there is also a problem with them - the same USDT, which was mentioned at night, is blocked left and right (ask the admin). What to do, what to do... Well, what to do, output to cache. But this is not the end, this is only the beginning.
Since these same digital candy wrappers (crypto) don't give a damn in real life (that's right, you need US dollars, or Russian rubles, or whatever you use in your area), you need to cash them. And here the exciting action begins. There are three main ways to get into cash - exchanges, automated exchangers and specially trained people (I'll explain later why I separate them). And so that your ass, God forbid, doesn't burst into flames with nuclear fire, it would not be superfluous to describe how to work with all three. Let's go.
= EXCHANGES.
These centralized bastards have a phenomenon called KYC (Know Your Customer). This is an extremely nasty thing, which consists in the fact that the exchange will not work with you until it begins to almost literally "recognize you by face". Upload documents, shine your face in the camera, link your bank account, and so on. Only good for white themes (and don't forget about the tax office!) OR if this whole structure is designed for a drop (and even then, I don't recommend playing such a game either; especially if you don't know how to work with drops). Not your way, exchanges are going to hell.
= AUTOMATED EXCHANGERS.
This is where the main danger lies for you. I won't dare say what part of these exchangers is under the cops or faces. Some of them play a tight game with them, some even belong to them. It is enough for you to know that you have a completely non-zero chance of getting into such an exchanger. And now, back to your opponents' desire to catch you. If the transfer goes through any friendly and/or controlled by them exchanger, they will know where exactly the cash went. Here you have two options.
1. You withdrew to your card, or to the card of your mom, dad, brother, sister, friend, it doesn't matter. That's it - you're fucked.
2. You withdrew to a drop's card. There may be options here. If you showed your face to the ATM camera, you're fucked. If you didn't show your face to the ATM camera, but withdrew cash more than 2-3 times, while in development and having your mobile phone on and/or moving by car, you're fucked.
3. The drop itself withdrew to the card. If you and the drop are not idiots, this is a fairly safe option. But ONLY if you know how to work with drops, don't show them your face/voice, etc.
= SPECIALLY TRAINED PEOPLE (HELLO, LAUNDROMAT)
Disclaimer: the following is a necessity, hard-won by my own and others' experience, when working with amounts from 100K and in order to sleep peacefully. You can skip any parts of this scheme that seem excessive or unnecessary to you, but when modifying the scheme, don't cry later that something went wrong and in the wrong direction.
I already wrote on the forum that crypto should be torn into cash. But there was not much room to expand in the comments, so I will go into more detail here.
So, what does "rip to cash" mean? Usually, your typical transaction looks like this: crypto — exchanger — cash. You shouldn't do it like this. You should do it like this: crypto — exchanger1 — cash1 ((mix)) cash2 — exchanger2 — crypto. You MUST rip to cash taking into account GEOPOLITICS! Yes, that's exactly it and no other way. If you live in Russia, then rip to cash when working with people in Europe or the USA. If you live in Europe or the USA, work through Russia. And so on, I think the principle is clear. The worse the relations between the country of the break to cash and the country of destination of the laundered crypto — the more intact your ass will be. However, nothing ends there. In the chain "you should do it like this" the final point (if you paid attention) is NOT cash, but crypto again. This means that the crypto has made a circle, cleaned itself up, cut off the "tail" in the form of operatives and other AML wankers and should return to you on a SEPARATE COLD WALLET created ONLY for these purposes. Then, you have two options: a) withdraw to your account on the exchange (and sit for 20 years, if there was no laundering, and you were fucked (hello to the guys who traded SSN / DOB for $ 19M)), or finally withdraw to the cash already on your territory.
Since my recommendation to you is not to trust anyone AT ALL, then an extra layer of protection is never superfluous. And therefore, you do this. Find people on the ground who are ready to cash (I emphasize, people, not automated garbage shit). Then, alas, you will need your own drop, which will take the cash. How and where you will find it - I will not teach within the framework of this article. Let's say you have one. You exchange pure crypto, you are given either the address of the stash (usually storage cells at the train station) or the address of the meeting. If you are working with people for the first time, then regardless of the type of meeting, you go to it with a support group (otherwise there is a risk of saying goodbye to the money). Next. If this is a stash, then you instruct the drop to take the stash and follow your instructions (disposable phone with a left SIM card, only SMS, no voice). The drop must drive away from the stash location, you must drive away with him (at a short distance). The task of the support group is to try to identify tails (if any) and inform you about it. Next, you take the package from the drop. If this is a meeting - similarly, the drop takes the package, you move from there, if everything is ok, you take the money. It is advisable to change the drops periodically, if the drop is detected - you are fucked.
P.S. It is useful to have portable electronic scales with you on the spot to weigh the cash (you need to ask in advance what bills they will give you).
In fact, you can tell a separate article about this, you can’t remember everything at once. But my task is to give you the basics, I gave you the basics, use them correctly.
Oh, you thought the story with the money was over and now you can buy a Porsche? No fucking way. Read on.
And so, you have laundered cash in your hands. I will not touch on the beggars, may they forgive me. Therefore, the logic of reasoning will be slightly different. In our area, with our income and our currency, $100k is usually given in 10 packs of $10k and the bag weighs about a kilogram. Giving it out "at random", in bills of different denominations is punishable by anally and is usually not done, but it is better to clarify in advance and estimate the weight; because you will definitely not be counting it on the street. Hooray, the coveted dough. What's next? And then - you can't spend it. Not at all. No, well, if you have balls of steel and an iron will, you (of course) can go to a restaurant, eat well, buy yourself a suit, a not too expensive watch, or, say, an iPhone. You will run out of expenses of this kind VERY quickly and you will want more. Namely - expensive cars and expensive real estate. And here lies the final danger for you, which I will now tell you how to overcome.
The fact is that in no country in the world does the tax office sleep, and it is not for nothing that it eats its bread and butter. As soon as you show expenses higher than income, you are fucked. Further I will tell you using the example of the USA, but I am sure that in Russia the story is approximately similar. In our States, if you come to a car dealership with a bag of cash, it is an emergency, everyone there will be shocked. Because a) no one has that much cash, b) it is not customary to make large purchases with cash, and c) cash in the context of large purchases is generally understood as a BANK TRANSFER, i.e. NOT A LOAN. No, of course, they will happily take this cash from you, sweetly smile, process everything, give you your new Porsche and you will drive away. But IMMEDIATELY this information will go to the IRS and in the near future you will have a forced conversation on the topic of "where did you get the money, Zina?"
In order not to sit with your bare ass on a tax bottle, you have to be smarter. Taram-pam-pam, on comes... all in white, BUSINESS. Oh, this is my favorite moment! The question is not what these freaks suspect, the question is what they can prove. And they can't prove anything. Let's say you have a friend, brother, matchmaker, son-in-law, wife, courtier, who knows who. This wonderful person opens absolutely any type of business, in a large city (this is a mandatory condition). The main thing is that the nature of this business allows accepting cash. Then begins the most banal money laundering. For example, a boy Ashot provides mobile cleaning services (again, using our area as an example). The average bill for one such trip is $200. Ashot can make 6 trips a day. In practice, due to his idiocy, he will make 5, and in the reporting we will write 8. Thus, $600 is laundered. We have 20 of these Ashots working for us, who launder $12,000 a day. It seems like a little, but it seems like a lot... It's not clear. My task is to show you the logic. And there could be 38 such businesses in different states/regions/directions. There are two points here - firstly, the cash flow is not controlled, secondly, this cash develops the business, thirdly, this business ultimately feeds you. So you end up, this gray cardinal... In a Porsche. Where did you get the Porsche? Of course, I'm a pauper, my wife gave it to me (it was issued on credit to the company), and she's so successful.
The main moral of this part: don't skimp on commissions and losses; don't be rude with the ratio of honest/laundered cash in business. I know of at least a few cases in the spirit of "oh, why pay X for a break, it's too expensive, I'll pay Y on the next forum." And hello ass, everyone sat down. Your freedom is worth these expenses, and everyone wants to eat.
P.S. A spoonful of shit in a barrel of honey: you'll have to pay taxes. That's the price of a good night's sleep in freedom.
P.S. Cash can accumulate faster than you can wash it out, that's normal. In that case, you'll need an industrial vacuum sealer and some imagination to come up with a place to store the cash. Don't keep all your eggs in one basket! Hide $10K bags in DIFFERENT places. A couple of your own mortgaged apartments with false walls and other hiding places work great. Storage units work well in the States, and garages in Russia.
Let's move on.
PART THREE: PERSONALITY AND HARDWARE.
Golden rule number 1: separate hardware.
Remember how I said above that no dog should know what you do? Now let's touch on the hardware side of this issue. So, the most popular tool of the cops is fingerprinting (let's not touch communication for now). I'm already tired of pressing buttons, you know what it is (if you don't, go to Google). From this follows a banal conclusion: the separation of your personality number 1 (the one everyone knows) and your personality number 2 (the one you WORK AS ONLINE) should happen at the HARDWARE LEVEL. In other words, for you, as Ivan Ivanov with social networks, mail and other crap - hardware set number 1 (desktop, laptop, mobile phones); for you, as darkcoder_io - hardware set number 2 (one or two laptops).
PART FOUR: COMMUNICATION
Golden rule #1: don't work from home; do not work via home Internet.
Golden rule #2: Do not have a work mobile phone.
Well, kids, aren't you tired yet? We finally got to your favorite hallucinations that a VPN will help you and no one will catch you. It won't help. They will. And now in order. Pay attention! There are no mobile phones in the second set of hardware. Why? Because if you, like stupid lawyers, move around with two mobile phones at the same time, tying you together, into one "profile" is a five-minute task. No fucking virtual machines or other savings. Different hardware! Only this way and no other way. And this hardware should NEVER intersect IN ANY WAY, and NEVER be connected to the same network. Moreover, DO NOT TURN ON the work machine at home! If you turn it on, it should have its Wi-Fi OFF in advance (at the setup stage) — the set of Wi-Fi networks surrounding you will anonymize you before you get home in a heartbeat.
== NETWORK ACCESS.
But how the f#ck do you go online, you ask? There are two options.
1. For trips to the city — ALFA AWUS1900 + KALI in a virtual machine. Basic usage scenario: we are in a cafe, we must check for cameras (they should not be there). We break off the Wi-Fi not of the cafe itself, because people can come there and remember you — don’t ask why, it always works this way, according to Murphy’s law — but of the neighbors. Finding and/or creating such access points is your curse and your main job. The more of them there are, the less likely it is that someone will recognize you somewhere.
2. For working from home - any router with LTE/5G support (I recommend GL-XE300 or similar). Connection from a work machine to the router - ONLY via Ethernet (remember about the waffle that exposes you). The SIM card is left. The SIM card + router kit lasts a month, then the SIM card is thrown away, and the router is sold on Avito/iBay from the LEFT account! If you don't have money to change routers, look for a router/modem/router-with-modem with the ability to change IMEI, but I advise changing the hardware. A hundred bucks a month is pennies, and the safety of your ass is priceless.
So, that's it? No, not everything.
== WORK ONLINE.
The next layer of protection for me personally is a separate class of routers based on OpenWRT with modified firmware (all unnecessary things are thrown out), Yggdrasil + WireGuard is added. There are two types of these routers, either the above-mentioned GL-XE300 (if a SIM card is needed), or a simpler version GL-MT300N-V2 (if only Ethernet is enough). I also have drop-installers from among network installers. They are usually extremely hungry and are ready to stick this router very technically where it is needed for a modest fee, so that the client will never find it (they select such clients themselves). In most cases, these routers are stuck where no one climbs and are equipped with a camera. This is the last bastion of protection, I do not bring it to the "coming home" scenario.
Next, we return to the working machine and draw a traffic routing diagram:
machine (TunSafe, in) - router with the left SIM card at home (YGG, in) - left router with a camera I don't know where (YGG out, TOR in) - TOR (out) - VPS (TunSafe, out)
Routing scenarios, technologies and protocols are actually different, I often experiment with them, constantly trying to find some kind of ideal (which probably does not exist). The speed is stably 1-3 Mbit / s, for work purposes this is quite enough. Sometimes it all works crookedly, sometimes it drops, in general, I'm still searching. But, in general, it works. Yes, if necessary, I sell these firmware / routers, yes, if necessary, I configure networks this way. EXPENSIVE.
Compared to your various double-triple-zalupipl VPNs, the question is not in the number of hops; the question is in the location and controllability of these hops. Of course, you CANNOT use commercial and free VPNs that you DIDN'T make yourself - they all STORE LOGS, no matter how much they would like to convince you otherwise. Yes, I know about connection timings and port mirroring if necessary at the uplink level, don't tell me about it. This is an entry point for them (running-shoulder), and then let them figure it out. So far, no one has figured it out, because I built a ton of such routes with my router at home. And different ones are used every day. Yes, I'm paranoid in my thoughts, not in my feelings. I sleep soundly)
Of course, all the servers and so on - all on the left data, in different countries.
There are tons of options here, I'm ready to discuss, help, etc. I'm not saying that my option is the coolest.
PART FIVE: ENCRYPTION
Well, here we have reached the working machine and the content on it. Horror, horror takes over. I said it and I'll repeat it again - I continue to believe that if they came and grabbed you by the ass - then there is ALREADY an evidence base on you (schoolchildren with versions in the spirit of "well, you never know, what if your router was hacked") are sent to do their homework. I remember very well my experience of meeting with the task force and how they tried to get that very evidence from my computer (spoiler: they didn't). But that was a long time ago, the operatives didn't really know how to do anything (just like the FACES didn't know how to do anything), and I don't want to check what they have there now. Therefore...
I have done everything extremely simply and I did not bother with it at all. The working machine is based on Ubuntu (why you can't use Tails, Whonix, Qubes and other crap - look on the forum, I already wrote), the system SSD EXT4 + LUKS, the password of the fucking length on Yubikey + login to the system, sudo and tty - also a hardware key, except for the password. Further, the caching of working files is disabled inside. Working files are on two SSD drives (so far FIPS 140-2, with hardware encryption) + also EXT4 + LUKS inside. I tried to put a VeraCrypt container inside, it did not take off, hinting that this is enough. One drive is the main one, the second is a backup.
===
ADDITIONS:
1. BY SENKA SHAPKA.
This world is arranged in such a way that everything in it tries to strive for balance. If you are messing with the government and playing a digital terrorist, then if not all, then at least quite significant resources will be used to catch you. At the same time, if you are doing some petty nonsense for a couple of kilobacks a month, then you are most likely Elusive Joe, whom (as we know) no one catches, because no one gives a damn about him. The moral here is that you need to be aware of the impact your actions have on the world and clearly understand who will be dealing with you - absolutely ALL your strategies and tactics will depend on this. After all, playing cat and mouse with the Ministry of Internal Affairs/FSB is not the same as playing the same game with the FBI/NSA.
2. PARANOID SCHIZOPHASIA.
I'm not sure that this is really schizophasia - I'm not a doctor. But it sounds cool, although in reality there is nothing cool about it. Sooner or later, paranoia covers everyone. If you haven't been hit yet, it's either too early or you're a careless idiot. Fear is a great helper for every normal person. And fear multiplied by intelligence is a generally explosive mixture - after all, it's the only thing that will help you calculate everything and not make a mistake. Your only task is to make sure that fear does not cover you completely and does not paralyze your ability to think. Otherwise, as I said earlier, it is a great helper.
===
Most likely, I screwed up something somewhere in the description, the article was written in one go and I finish it at 3 am.
Let's stop there for now.
Good luck to everyone!
= AUTOMATED EXCHANGERS.
This is where the main danger lies for you. I won't dare say what part of these exchangers is under the cops or faces. Some of them play a tight game with them, some even belong to them. It is enough for you to know that you have a completely non-zero chance of getting into such an exchanger. And now, back to your opponents' desire to catch you. If the transfer goes through any friendly and/or controlled by them exchanger, they will know where exactly the cash went. Here you have two options.
1. You withdrew to your card, or to the card of your mom, dad, brother, sister, friend, it doesn't matter. That's it - you're fucked.
2. You withdrew to a drop's card. There may be options here. If you showed your face to the ATM camera, you're fucked. If you didn't show your face to the ATM camera, but withdrew cash more than 2-3 times, while in development and having your mobile phone on and/or moving by car, you're fucked.
3. The drop itself withdrew to the card. If you and the drop are not idiots, this is a fairly safe option. But ONLY if you know how to work with drops, don't show them your face/voice, etc.
= SPECIALLY TRAINED PEOPLE (HELLO, LAUNDROMAT)
Disclaimer: the following is a necessity, hard-won by my own and others' experience, when working with amounts from 100K and in order to sleep peacefully. You can skip any parts of this scheme that seem excessive or unnecessary to you, but when modifying the scheme, don't cry later that something went wrong and in the wrong direction.
I already wrote on the forum that crypto should be torn into cash. But there was not much room to expand in the comments, so I will go into more detail here.
So, what does "rip to cash" mean? Usually, your typical transaction looks like this: crypto — exchanger — cash. You shouldn't do it like this. You should do it like this: crypto — exchanger1 — cash1 ((mix)) cash2 — exchanger2 — crypto. You MUST rip to cash taking into account GEOPOLITICS! Yes, that's exactly it and no other way. If you live in Russia, then rip to cash when working with people in Europe or the USA. If you live in Europe or the USA, work through Russia. And so on, I think the principle is clear. The worse the relations between the country of the break to cash and the country of destination of the laundered crypto — the more intact your ass will be. However, nothing ends there. In the chain "you should do it like this" the final point (if you paid attention) is NOT cash, but crypto again. This means that the crypto has made a circle, cleaned itself up, cut off the "tail" in the form of operatives and other AML wankers and should return to you on a SEPARATE COLD WALLET created ONLY for these purposes. Then, you have two options: a) withdraw to your account on the exchange (and sit for 20 years, if there was no laundering, and you were fucked (hello to the guys who traded SSN / DOB for $ 19M)), or finally withdraw to the cash already on your territory.
Since my recommendation to you is not to trust anyone AT ALL, then an extra layer of protection is never superfluous. And therefore, you do this. Find people on the ground who are ready to cash (I emphasize, people, not automated garbage shit). Then, alas, you will need your own drop, which will take the cash. How and where you will find it - I will not teach within the framework of this article. Let's say you have one. You exchange pure crypto, you are given either the address of the stash (usually storage cells at the train station) or the address of the meeting. If you are working with people for the first time, then regardless of the type of meeting, you go to it with a support group (otherwise there is a risk of saying goodbye to the money). Next. If this is a stash, then you instruct the drop to take the stash and follow your instructions (disposable phone with a left SIM card, only SMS, no voice). The drop must drive away from the stash location, you must drive away with him (at a short distance). The task of the support group is to try to identify tails (if any) and inform you about it. Next, you take the package from the drop. If this is a meeting - similarly, the drop takes the package, you move from there, if everything is ok, you take the money. It is advisable to change the drops periodically, if the drop is detected - you are fucked.
P.S. It is useful to have portable electronic scales with you on the spot to weigh the cash (you need to ask in advance what bills they will give you).
In fact, you can tell a separate article about this, you can’t remember everything at once. But my task is to give you the basics, I gave you the basics, use them correctly.
Oh, you thought the story with the money was over and now you can buy a Porsche? No fucking way. Read on.
And so, you have laundered cash in your hands. I will not touch on the beggars, may they forgive me. Therefore, the logic of reasoning will be slightly different. In our area, with our income and our currency, $100k is usually given in 10 packs of $10k and the bag weighs about a kilogram. Giving it out "at random", in bills of different denominations is punishable by anally and is usually not done, but it is better to clarify in advance and estimate the weight; because you will definitely not be counting it on the street. Hooray, the coveted dough. What's next? And then - you can't spend it. Not at all. No, well, if you have balls of steel and an iron will, you (of course) can go to a restaurant, eat well, buy yourself a suit, a not too expensive watch, or, say, an iPhone. You will run out of expenses of this kind VERY quickly and you will want more. Namely - expensive cars and expensive real estate. And here lies the final danger for you, which I will now tell you how to overcome.
The fact is that in no country in the world does the tax office sleep, and it is not for nothing that it eats its bread and butter. As soon as you show expenses higher than income, you are fucked. Further I will tell you using the example of the USA, but I am sure that in Russia the story is approximately similar. In our States, if you come to a car dealership with a bag of cash, it is an emergency, everyone there will be shocked. Because a) no one has that much cash, b) it is not customary to make large purchases with cash, and c) cash in the context of large purchases is generally understood as a BANK TRANSFER, i.e. NOT A LOAN. No, of course, they will happily take this cash from you, sweetly smile, process everything, give you your new Porsche and you will drive away. But IMMEDIATELY this information will go to the IRS and in the near future you will have a forced conversation on the topic of "where did you get the money, Zina?"
In order not to sit with your bare ass on a tax bottle, you have to be smarter. Taram-pam-pam, on comes... all in white, BUSINESS. Oh, this is my favorite moment! The question is not what these freaks suspect, the question is what they can prove. And they can't prove anything. Let's say you have a friend, brother, matchmaker, son-in-law, wife, courtier, who knows who. This wonderful person opens absolutely any type of business, in a large city (this is a mandatory condition). The main thing is that the nature of this business allows accepting cash. Then begins the most banal money laundering. For example, a boy Ashot provides mobile cleaning services (again, using our area as an example). The average bill for one such trip is $200. Ashot can make 6 trips a day. In practice, due to his idiocy, he will make 5, and in the reporting we will write 8. Thus, $600 is laundered. We have 20 of these Ashots working for us, who launder $12,000 a day. It seems like a little, but it seems like a lot... It's not clear. My task is to show you the logic. And there could be 38 such businesses in different states/regions/directions. There are two points here - firstly, the cash flow is not controlled, secondly, this cash develops the business, thirdly, this business ultimately feeds you. So you end up, this gray cardinal... In a Porsche. Where did you get the Porsche? Of course, I'm a pauper, my wife gave it to me (it was issued on credit to the company), and she's so successful.
The main moral of this part: don't skimp on commissions and losses; don't be rude with the ratio of honest/laundered cash in business. I know of at least a few cases in the spirit of "oh, why pay X for a break, it's too expensive, I'll pay Y on the next forum." And hello ass, everyone sat down. Your freedom is worth these expenses, and everyone wants to eat.
P.S. A spoonful of shit in a barrel of honey: you'll have to pay taxes. That's the price of a good night's sleep in freedom.
P.S. Cash can accumulate faster than you can wash it out, that's normal. In that case, you'll need an industrial vacuum sealer and some imagination to come up with a place to store the cash. Don't keep all your eggs in one basket! Hide $10K bags in DIFFERENT places. A couple of your own mortgaged apartments with false walls and other hiding places work great. Storage units work well in the States, and garages in Russia.
Let's move on.
PART THREE: PERSONALITY AND HARDWARE.
Golden rule number 1: separate hardware.
Remember how I said above that no dog should know what you do? Now let's touch on the hardware side of this issue. So, the most popular tool of the cops is fingerprinting (let's not touch communication for now). I'm already tired of pressing buttons, you know what it is (if you don't, go to Google). From this follows a banal conclusion: the separation of your personality number 1 (the one everyone knows) and your personality number 2 (the one you WORK AS ONLINE) should happen at the HARDWARE LEVEL. In other words, for you, as Ivan Ivanov with social networks, mail and other crap - hardware set number 1 (desktop, laptop, mobile phones); for you, as darkcoder_io - hardware set number 2 (one or two laptops).
PART FOUR: COMMUNICATION
Golden rule #1: Do not work from home; do not work via home Internet.
Golden rule #2: Do not have a work mobile phone.
Well, kids, aren't you tired yet? We finally got to your favorite hallucinations that a VPN will help you and no one will catch you. It won't help. They will. And now in order. Pay attention! There are no mobile phones in the second set of hardware. Why? Because if you, like stupid lawyers, move around with two mobile phones at the same time, tying you together, into one "profile" is a five-minute task. No fucking virtual machines or other savings. Different hardware! Only this way and no other way. And this hardware should NEVER intersect IN ANY WAY, and NEVER be connected to the same network. Moreover, DO NOT TURN ON the work machine at home! If you turn it on, it should have its Wi-Fi OFF in advance (at the setup stage) — the set of Wi-Fi networks surrounding you will anonymize you before you get home in a heartbeat.
== NETWORK ACCESS.
But how the f#ck do you go online, you ask? There are two options.
1. For trips to the city — ALFA AWUS1900 + KALI in a virtual machine. Basic usage scenario: we are in a cafe, we must check for cameras (they should not be there). We break off the Wi-Fi not of the cafe itself, because people can come there and remember you — don’t ask why, it always works this way, according to Murphy’s law — but of the neighbors. Finding and/or creating such access points is your curse and your main job. The more of them there are, the less likely it is that someone will recognize you somewhere.
2. For working from home - any router with LTE/5G support (I recommend GL-XE300 or similar). Connection from a work machine to the router - ONLY via Ethernet (remember about the waffle that exposes you). The SIM card is left. The SIM card + router kit lasts a month, then the SIM card is thrown away, and the router is sold on Avito/iBay from the LEFT account! If you don't have money to change routers, look for a router/modem/router-with-modem with the ability to change IMEI, but I advise changing the hardware. A hundred bucks a month is pennies, and the safety of your ass is priceless.
So, that's it? No, not everything.
== WORK ONLINE.
The next layer of protection for me personally is a separate class of routers based on OpenWRT with modified firmware (all unnecessary things are thrown out), Yggdrasil + WireGuard is added. There are two types of these routers, either the above-mentioned GL-XE300 (if a SIM card is needed), or a simpler version GL-MT300N-V2 (if only Ethernet is enough). I also have drop-installers from among network installers. They are usually extremely hungry and are ready to stick this router very technically where it is needed for a modest fee, so that the client will never find it (they select such clients themselves). In most cases, these routers are stuck where no one climbs and are equipped with a camera. This is the last bastion of protection, I do not bring it to the "coming home" scenario.
Next, we return to the working machine and draw a traffic routing diagram:
machine (TunSafe, in) - router with the left SIM card at home (YGG, in) - left router with a camera I don't know where (YGG out, TOR in) - TOR (out) - VPS (TunSafe, out)
Routing scenarios, technologies and protocols are actually different, I often experiment with them, constantly trying to find some kind of ideal (which probably does not exist). The speed is stably 1-3 Mbit / s, for work purposes this is quite enough. Sometimes it all works crookedly, sometimes it drops, in general, I'm still searching. But, in general, it works. Yes, if necessary, I sell these firmware / routers, yes, if necessary, I configure networks this way. EXPENSIVE.
Compared to your various double-triple-zalupipl VPNs, the question is not in the number of hops; the question is in the location and controllability of these hops. Of course, you CANNOT use commercial and free VPNs that you DIDN'T make yourself - they all STORE LOGS, no matter how much they would like to convince you otherwise. Yes, I know about connection timings and port mirroring if necessary at the uplink level, don't tell me about it. This is an entry point for them (running-shoulder), and then let them figure it out. So far, no one has figured it out, because I built a ton of such routes with my router at home. And different ones are used every day. Yes, I'm paranoid in my thoughts, not in my feelings. I sleep soundly)
Of course, all the servers and so on - all on the left data, in different countries.
There are tons of options here, I'm ready to discuss, help, etc. I'm not saying that my option is the coolest.
PART FIVE: ENCRYPTION
Well, here we have reached the working machine and the content on it. Horror, horror takes over. I said it and I'll repeat it again - I continue to believe that if they came and grabbed you by the ass - then there is ALREADY an evidence base on you (schoolchildren with versions in the spirit of "well, you never know, what if your router was hacked" are sent to do their homework). I remember very well my experience of meeting with the task force and how they tried to get that very evidence from my computer (spoiler: they didn't). But that was a long time ago, the operatives didn't really know how to do anything (just like the FACES didn't know how to do anything), and I don't want to check what they have there now. Therefore...
I have done everything extremely simply and I did not bother with it at all. The working machine is based on Ubuntu (why you can't use Tails, Whonix, Qubes and other crap - look on the forum, I already wrote), the system SSD EXT4 + LUKS, the password of the fucking length on Yubikey + login to the system, sudo and tty - also a hardware key, except for the password. Further, the caching of working files is disabled inside. Working files are on two SSD drives (so far FIPS 140-2, with hardware encryption) + also EXT4 + LUKS inside. I tried to put a VeraCrypt container inside, it did not take off, hinting that this is enough. One drive is the main one, the second is a backup.
===
ADDITIONS:
1. BY SENKA SHAPKA.
This world is arranged in such a way that everything in it tries to strive for balance. If you are messing with the government and playing a digital terrorist, then if not all, then at least quite significant resources will be used to catch you. At the same time, if you are doing some petty nonsense for a couple of kilobacks a month, then you are most likely Elusive Joe, whom (as we know) no one catches, because no one gives a damn about him. The moral here is that you need to be aware of the impact your actions have on the world and clearly understand who will be dealing with you - absolutely ALL your strategies and tactics will depend on this. After all, playing cat and mouse with the Ministry of Internal Affairs/FSB is not the same as playing the same game with the FBI/NSA.
2. PARANOID SCHIZOPHASIA.
I'm not sure that this is really schizophasia - I'm not a doctor. But it sounds cool, although in reality there is nothing cool about it. Sooner or later, paranoia covers everyone. If you haven't been hit yet, it's either too early or you're a careless idiot. Fear is a great helper for every normal person. And fear multiplied by intelligence is a generally explosive mixture - after all, it's the only thing that will help you calculate everything and not make a mistake. Your only task is to make sure that fear does not cover you completely and does not paralyze your ability to think. Otherwise, as I said earlier, it is a great helper.
===
Most likely, I screwed up something somewhere in the description, the article was written in one go and I finish it at 3 am.
Let's stop there for now.
Good luck to everyone!