Operational Security (OpSec) Manual

The Torzon Market architecture is designed to be resilient against external attacks, but the weakest link in the security chain is always the user. This document outlines the mandatory Operational Security (OpSec) standards required to trade safely on the darknet in 2025.

Unlike clear-net e-commerce, where the platform protects you, on the darknet, you are your own bank and your own security team. Ignorance is not an excuse. Follow these protocols strictly.

Protocol 1: Operating Environment (Tails OS)

Never access Torzon using Windows, macOS, or standard Linux distributions (Ubuntu/Mint) directly installed on your hard drive. These operating systems are designed to log user activity, cache thumbnails, and leak metadata.

The only authorized environment for Torzon is Tails OS (The Amnesic Incognito Live System).

user@tails:~$ why_use_tails
> Forces all outgoing connections through Tor network. > Blocks all non-anonymous connections by default. > Leaves no digital footprint on the computer (runs in RAM). > Includes PGP tools (Kleopatra) and KeePassXC pre-installed.
user@tails:~$ status
System: AMNESIC. All data wiped on shutdown.

The "Clean" Workflow:
1. Flash Tails onto a USB stick (minimum 8GB).
2. Boot your computer from the USB stick.
3. Configure "Persistent Storage" if you need to save PGP keys and passwords.
4. When finished, shut down. The RAM is cleared, and no forensic evidence remains on the host machine.

Protocol 2: PGP Encryption (No Exceptions)

Pretty Good Privacy (PGP) is non-negotiable. Torzon enforces PGP 2FA (Two-Factor Authentication) for account logins, but you must also use it for all communication.

Sending your shipping address in plain text is the equivalent of shouting your home address in a police station. Even if the market database is encrypted, you should assume that "Server Seizure" is always a possibility. If you encrypt your address with the Vendor's Public Key, only the vendor can read it. Not the market admins, and not law enforcement.

How to Verify a Torzon Mirror with PGP

Phishing is the #1 threat. Before logging in, you must verify that the onion URL belongs to Torzon.

🔑

Import the Key: Import the official Torzon Public Key (found on Dread or our Links page) into your PGP software (Kleopatra/GPG).
📝

Copy the Message: On the login page, find the message signed by the server. It usually begins with -----BEGIN PGP SIGNED MESSAGE-----.
✅

Verify Signature: Paste the text into Kleopatra and click "Decrypt/Verify". If it says "Valid Signature", the site is real. If it says "Bad Signature" or "No Key," you are on a phishing site. CLOSE THE TAB IMMEDIATELY.

Protocol 3: Tor Browser Configuration

The Tor Browser bundle included in Tails is pre-configured, but additional hardening is recommended for high-value targets.

Security Levels

Click the Shield icon in the Tor Browser URL bar.

Standard: NOT RECOMMENDED. Allows JavaScript. Exploits can de-anonymize you.
Safer: Disables JavaScript on non-HTTPS sites. Acceptable for browsing.
Safest (MANDATORY): Disables JavaScript completely. Torzon is built to function 100% without JavaScript. This eliminates 99% of browser-based exploits.

CRITICAL: Never resize the Tor Browser window. Keep it at default size to prevent "Browser Fingerprinting" based on your screen resolution.

Protocol 4: Cryptocurrency Hygiene (Monero)

Bitcoin (BTC) is a transparent public ledger. Every transaction you make is permanently recorded. Blockchain analysis firms (Chainalysis, Elliptic) track these flows to identify darknet users.

Monero (XMR) is the only safe currency for Torzon Market.

The Laundering Process (BTC to XMR)

If you only have Bitcoin, you must break the link between your identity (Exchange) and the Market.

Step 1: Buy BTC on a clear-net exchange (Coinbase/Kraken).
Step 2: Send BTC to a non-custodial wallet (Electrum). NEVER send from Exchange directly to Market.
Step 3: Use a swap service (e.g., ChangeNow, SimpleSwap) to convert BTC to XMR.
Step 4: Send XMR to your local Monero Wallet (GUI or Feather Wallet on Tails).
Step 5: Send XMR from your local wallet to the Torzon Deposit Address.

This process ensures that the Exchange only sees you sending money to a random address (the swap), and the Market only sees XMR arriving from a stealth address. The link is broken.

Protocol 5: Physical Delivery (Drop Security)

Digital security is useless if you compromise your physical location.

Real Name: Always use the real name associated with the delivery address. Using a fake name (e.g., "John Doe" at a house where no John Doe lives) is a red flag for the mailman.
Informed Delivery: Do not check tracking numbers constantly. Tor is slow and exits from foreign IPs. Checking USPS/DHL tracking via Tor flags the package. Use a clean clear-net device (VPN recommended) or, ideally, don't check tracking at all unless the package is late.
CD (Controlled Delivery): If a package arrives requiring a signature when it normally wouldn't, or if the mailman acts strangely, DO NOT ACCEPT IT. Deny knowledge of the package.
Clean House: While an order is inbound, ensure your house is free of any other contraband. If a CD happens, a raid follows immediately.

The Zero Trust Mindset

Assume every link is phishing until verified. Assume every device is compromised until wiped. Assume Bitcoin is traceable. By adopting a "Zero Trust" mindset, you mitigate risks significantly.

Torzon provides the platform, but YOU provide the security. Stay safe, stay anonymous.