Blog

How to Stay Anonymous as a Developer in Crypto

How to Stay Anonymous as a Developer in Crypto

This article is based on a collaborative document on HackMD, just add anything you feel like it's missing or improve the current advice. Editing is open to everyone.

Operations

  • Take some time to come up with an online persona you'd want to be perceived as, since that will be what you will be recognized as and remembered by as an anon.
  • The best would be to use a completely different phone and computer for each identity.
  • If you can't use a different computer, use a different user account or browser for your anon identity, as it makes account separation much easier.
  • If you are using browsers to separate accounts be careful when opening links from anywhere other than the browser since they'll open with your default browser, and if that's your non-anon one you could easily doxx yourself.
  • A separate virtual machine per identity can also work.
  • Set up your anon browser as the default.
  • Be careful about Bluetooth headphones and system-level usernames - if you're screensharing the names of these devices / accounts can doxx you.
  • Be careful sharing screenshots of your desktop / dev environment, especially if not on a separate computer/vm. User profile names in the terminal, thumbnails of images, folder names etc can give info.
  • Also applies when sharing your screen on a call, avoid that at all costs.
  • Remove EXIF data from any images/screenshots you post. Some websites automatically remove EXIF data for you when you upload an image, but others like Discord don't. https://www.verexif.com/en/ works well for this. (should recommend a local solution imo)
  • (NB: unclear if Discord does not - from a support tix it looks like photo exif is removed but video is not)
  • Alternatively, don't upload images, just grab a screenshot of your image then paste it
  • When setting up your anon accounts for the first time, don't follow friends/small accounts initially, it's possible to sort someones followed by date and if the first few were all small accounts it's likely main account follows them as well, reduces anonymity set.
  • Use a VPN or Tor to mask your IP (you can get a VPN included with a protonmail account)
  • Some tracking scripts use system-level properties such as fonts installed or screen size to identify you across sessions, linking your identities. Test how unique is your footprint through EFF's**** website and minimize it by either using brave, installing privacy extensions such as Privacy Badger or disabling javascript. Brave browser, unlike firefox, does a decent job at spoofing finger
  • Don't share links with yourself by DMing or emailing between your anon and IRL accounts.

Friends

  • going anon may be a lonely journey at start, but once you leak a few alpha or make some good memes to prove worthiness, you'll be very welcomed to most communities

Speech

  • You probably have some speech patterns and vocabulary that are unique to you. Try to avoid these, and replace them with something else. Write as simply and generically as possible.
  • You can also go the paranoid route and completely change your speech like @AnteBear
  • This also includes the emojis you use, try to change them since these tend to be quite personal.

Funds

  • Send all money through Tornado Cash before sending it to your anon account
  • When sending through tornado cash wait some time between each operation to make sure it's not easy to link them through temporal proximity
  • Tornado cash tracks time difference between deposit and withdrawal on each note separately, but actually all the notes are in the same anonymity pool, so you should treat them all the same. Avoid behaviours like depositing a new note and withdrawing another one at the same time, Tornado's app will say everything is ok since the other note was deposited a long time ago, but actually it's like depositing a note and immediately withdrawing it.
  • Use a different seed for your anon crypto addresses, you likely have bigger things to worry about if your seed gets leaked but if your keys are generated from same seed they are linked, even if not reversibly.
  • OPTIONAL: To avoid relying 100% on only one service and for extra privacy, your tokens can be transferred to another chain such as Monero and then back to your desired chain to further break the link between source and destination.
  • when transferring between chains switch service each way (if you go to monero with simpleswap go back with changenow)

Timezone

  • It's really hard to properly hide your timezone since it leaks through the time when you are active (interact with people on twitter, make commits, respond to messages).
  • You can try to switch that up by changing your sleep patterns but then the anonymity set becomes even smaller so I'm not sure if that's an improvement.
  • I've given up on fully masking it but I try keep some ambiguity between the timezones around me and avoid making it really easy to guess.
  • When people ask me for my timezone to schedule a call I give them a random timezone that's somewhat close to me and then pick an hour that works for my timezone.
  • Be careful when posting screenshots of chats (eg: discord) since these include timestamps in your local time, which allow anyone to find out your timezone.
  • Websites can also get your timezone through your browser. If you live in a unique timezone, this can narrow down who you are. If you're paranoid, just change your computer time zone and use a physical clock to track the time. (This can be a surprising amount of work, since it means you might end up with Daylight Savings kicking on and off at unexpected times, and it can even affect default lang and what packages your computer tries to download, though.)

Calls/voice

  • Eventually you will want to go on calls because you might be missing opportunities such as:

    • A podcast asks you to join
    • Everyone is on a call and you want to join too
    • People keep asking you to call them
  • The solution here is to use a voice anonymizer.

    • Windows - Voicemod

      Note:

  • I spent a lot of time trying to get voice anonymizers working on linux, and the gist of it is that they are a pain in the ass to setup (I had to tweak alsa to get them to work) and they are all variations of a pitch changer, which doesn't anonymize your voice that well since it just changes the pitch.

  • After trying a lot of things I gave up and started using voicemod on a Windows virtual machine, I suggest you do the same.

    Warning:

  • If you are not masking your IP be careful around call software that establishes P2P connections, those leak your IP to other people on the call.

Vtuber

  • For those not familiar with it, this is an animated avatar that you can use to replace your video feed on calls
  • It's not needed at all since you can just turn video off but the upside is that:
    • It's fun
    • Hand gestures and facial expressions are critical to social bonding, vtubers solves this without doxing
    • Other people love it
    • It's awkward when you have to explain that you can't turn video on because you are anon
    • Alternatively, you can just say your webcam broke or something. Lying goes a long way in hiding your identity.

Warning:

  • Make sure your webcam is active for face tracking to work, so if something goes wrong you may dox yourself completely, thus the risk is much higher compared to having no video.
  • You can commission an artist to make a custom model for around 50$, but you can also get free models online.
  • I suggest using a native Windows machine for this, since:
    • all the programs for vtubing are windows-only, I've managed to run one of them on wine but running it inside a VM is a pain since it's too slow and getting the webcam to work is hard
    • My voice software is windows-only
    • I only managed to get hand tracking working on windows
    • The software I use is VSeeFace. I also bought a LeapMotion device for hand tracking.

Vtubing on linux

  • I did manage to get my vtuber set-up running on linux after a lot of tinkering, but ended up switching to a windows computer at the end, which is what I would if if I were to start again.
  • Still, if you want to get it running on linux here are the instructions:
    • Get VSeeFace running inside wine.
    • There's some instructions for this on vseeface's website but expect to do some tinkering.
    • Use Lutris to avoid extra tinkering with wine. You might find some instructions telling you to run a python program outside wine for the face recognition but you can ignore that since the latest versions of wine handle webcams properly.
    • Use OBS to create a fake webcam and redirect VSeeFace's output into it. You will need to change some kernel modules to get OBS' fake webcam feature to work.
    • Set the call software you are using to pull video from OBS' fake webcam
    • With this I managed to get it working, but I never managed to get LeapMotion hand tracking to work on linux.

Github

  • If you have a doxxed github set up a bot that creates some commits on it. Otherwise it may be possible to connect identities by linking anon and doxxed github activity graphs (you'd see an activity graph that suddenly had a drop in activity and another account that had a spike at the same time)
  • When using a different github account remember to also change your git and email locally. You can set this at the per-repo level to avoid having to keep changing identities, run this script inside the repo to set it:
    git config user.email "[email protected]"
    git config user.name "0xngmi"
    
  • To avoid having to constantly change github accounts you can set different ssh connections to github, each associated with a different account, and link them with each repo.
  • To do this you'll need to add the following lines to ~/.ssh/config:
    Host github.com-ngmi
          HostName github.com
          User git
          IdentityFile ~/.ssh/id_ed25519_ngmi
          IdentitiesOnly yes
    
  • Then modify the file .git/config within your repo to set its remote through the new ssh host you created:
    [remote "origin"]
          url = [email protected]:DefiLlama/DefiLlama-Adapters.git
    

Avoid repeating code patterns

  • You might come across problems that you've already solved before and it might be tempting to copy code you've previously written but it's important to avoid that.
  • Even if you avoid copying code it's easy to repeat the code patterns you've used before. Avoid that by using libraries you haven't used before or structuring solutions in new ways.
  • Pick the most mainstream libraries available to maximize the anonimity set.

Phone

  • It's really easy to make mistakes with the account separation options available on phones.
  • For example, it's easy to send a telegram message from a different account, especially when you contact a person for the first time.
  • When adding somebody as a contact in Telegram, the default is to share your phone number, double check you are not sharing this before you add a new contact.
  • You can do that through Settings>Privacy and Security>Set Phone number to "Nobody".
  • Get a second phone and use that to separate identities across phones.
  • If you don't want a second phone and you use android you can use an app called Island to set up a second workspace and replicate all your apps, then you can separate your identities across workspaces. This lets you have two discords, each with it's own account.
  • Another phone is recommended, even if you only use the second phone for Two-Factor Authentication purposes (to avoid SIM-swap attacks or other compromises)
  • Be careful when opening links since these could be opened under the incorrect app. Be especially careful around joining discord servers, since when you click on the invite link discord doesn't show you which account you are on until you've entered the server, so if the link was opened under your other account you'll be doxxed.
  • There are multiple services that let you pay bitcoin in exchange for a phone number, on which you can see the SMS received. However, this is risky since phone access makes it possible to steal your account and these services tend to be shady.

-- https://mysudo.com/

OS

From most private to least private desktop OSs:

  1. Tails OS
  2. Privacy focused Linux distros (Qubes, Whonix etc)
  3. Desktop Linux distros (Arch, Ubuntu, Fedora etc)
  4. Mac
  5. Windows

Email

  • Use protonmail
  • Mailfence is another good private email provider. Easy to make multiple accounts if you have a private email to add to this one. Tutanota is another suggestion

    Discord Nitro

  • Send someone crypto in exchange for gifting you discord nitro.

VPN

  • Mullvad (forget NordVPN). your account is a number. thats it. no email or password. you can mail them cash as well.
  • or even better: set up your own VPN server via algo https://github.com/trailofbits/algo

Twitter

  • Twitter logs the IP you used when you created your account, so be sure to use VPN
  • At some point they'll want both email and phone verification. The phone number needs to be one you can use to verify in the future too. Using a US IP and a freshly created gmail, you can register for googleVoice by linking a phone number to your google account. Here's a good place for single-use non-VoIP phone numbers (to link to your google acct so you can get a gVoice number) and you can pay with crypto.
  • If possible, avoid logging in to your anon account and personal one in the same browser.
  • Don't DM yourself links or tweets between accounts.

Domain names

  • Ensure your domains have the whois records set to private, and check before you publicise any websites.
  • Provide fake information when registering a domain name, usually only the email is checked.
  • Set your fake information as the default in your account if you register multiple domains.
  • If you use Cloudflare, make sure to use separate accounts. Domains under the same account can be linked together.
  • good host for obtaining domains anonymously with crypto would be njal.la

Real life

Some suggestions from that discussion include the following:

  • Create a fake job for yourself and stick to that story
  • Tell them that you are a freelancer, this allows you to be very vague about what you do exactly
  • Tell them that you have a very boring job, such as accountant, so they won't ask for more info
  • Say you are unemployed
  • Backstories that don't match your lifestyle/means draw more attention to yourself, best to not have people thinking you're a drug dealer and looking into you for that reason

Other resources

  • https://privacytools.io/
  • Consider using Tails Linux distro on a Live USB if using TOR. Tails on a live USB can be booted to separately from your computer's main OS, but will share the same hardware. By default Tails is non-persistent (erases all files and data on each shutdown), all network traffic is routed through TOR, and the OS has a built-in MAC address changer to spoof your hardware MAC addresses. Check out the distro here: https://tails.boum.org/
  • https://bowtiedsilverback- https://bowtiedsilverback.substack.com/ .substack.com/
  • check for alternatives to your closed source application and services via https://prism-break.org/en
  • there is nothing wrong with being pseudonymous either, there are probably more pseudonymous CT accounts than fully anonymous ones
  • No copy pasta from accounts you graviate towards

    To other anons: Just add more sections if you feel like something is missing