PROTOCOL: MANDATORY_READ

Operational Security

Security is not a product; it is a process. This guide outlines the critical operational security (OpSec) standards required to safely navigate the Dark Matter ecosystem. Failure to adhere to these protocols may result in the compromise of your digital identity, loss of funds, or deanonymization.

Threat Model

Phishing Risk CRITICAL

Javascript DISABLED

PGP Decryption CLIENT-SIDE

Network TOR / I2P

01 Identity Isolation

Complete compartmentalization involves creating a digital identity that has zero intersection with your real-life persona (RL). This barrier must never be crossed.

✖ NEVER use a username, password, or handle that you have used on the clearnet (Reddit, Twitter, Steam).
✖ NEVER discuss your location, time zone, age, or profession, even in "private" messages.
✔ ALWAYS assume the platform acts as a compromised node. Treat all data as public until encrypted.

IDENTITY LEAK VECTOR EXAMPLE

User: "Hey, shipping is delayed. The snowstorm in Buffalo is crazy right now."

OpSec Analysis: User just narrowed their location to a specific city during a specific timeframe. This data point is permanent.

02 Phishing Defense & Verification

Phishing sites are exact visual replicas of the Dark Matter market designed to steal your credentials. They often dominate search results on Tor.

The Golden Rule of Trust

Do not trust links from Reddit, Hidden Wikis, or random forums. The ONLY way to verify you are on the real site is by verifying the PGP signature of the onion address.

VERIFICATION WORKFLOW

Import the official Dark Matter public key into your PGP software.
Navigate to the market login page.
Copy the PGP-signed message provided on the login page.
Verify the signature in Kleopatra / GPG Keychain.
IF VALID: The site is genuine. Proceed.
IF INVALID: You are being phished. CLOSE IMMEDIATELY.

03 Tor Browser Hardening

Security Slider

Set to "Safer" or "Safest". This disables non-HTTPS content and some scripts.

Window Size

Never maximize the Tor window. This prevents fingerprinting based on your screen resolution.

JavaScript

Disable JavaScript via NoScript settings wherever possible. Attacks often use JS to decloak IP addresses.

04 Financial Hygiene

Blockchain analysis companies have mapped the majority of the Bitcoin network. Bitcoin is NOT anonymous; it is pseudonymous.

Direct Exchange Transfers

NEVER send crypto directly from an exchange (Coinbase, Binance, Kraken) to a market wallet. Exchanges track withdrawals and comply with law enforcement subpoenas.

Intermediary Wallets

Always withdraw to a personal wallet you control (e.g., Cake Wallet, Feather, Electrum) before sending to any service.

Use Monero (XMR)

Whenever possible, use Monero. XMR uses Ring Signatures and Stealth Addresses to obscure the sender, receiver, and amount transaction.

05 PGP Encryption

"If you don't encrypt, you don't care." PGP (Pretty Good Privacy) is the backbone of darknet communication.

Dangerous Practice

Do not use the "Auto-Encrypt" checkbox found on some market messaging systems.

Why? This performs encryption on the server side. If the server is compromised or seized, the admin has the plaintext message before it was encrypted.

Correct Practice

Encrypt everything LOCALLY on your own machine using Kleopatra or GPG Keychain.

Why? Only the encrypted ciphertext is sent over the network. Even if the server is seized, your message remains unreadable.

Read Full PGP Tutorial →