part 1: how to start an anonymous website anonymously

If you want to start an anonymous website, just ask yourself this question: how anonymous do you want it to be?


It is quite easy to set up a blog where you don't disclose your real identity to your website's visitors. You only have to register a domain, set up a website with a hosting provider - and then use a pseudonym to distribute your content. If that is anonymous enough for you, you can stop reading this post now.

We said it already: it is quite easy to set up a website where your real identity is unknown to your website's visitors. However, the downside is that your hosting provider most of the time still knows your real identity, because it is almost impossible to register a domain without disclosing information that is linked to your identity. How closely do you think your email address is connected to your real identity? Furthermore, most of the time you have to pay for your domain and your server space with money from your bank account, which is even more closely linked to your real identity than your email address.

Yes, Bitcoin payments are becoming more and more common, but as long as you are registered with an exchange like Coinbase or Binance, where you have to verify your real identity in order to buy Bitcoin, it won't make you much more anonymous because every Bitcoin you buy through the exchange will inevitably be tied to your identity as well. Bitcoin is based on an open ledger. Wallet addresses are public and every single transaction that ever happened on the blockchain can always be viewed by anyone.

Furthermore, did you consider that every time you visit a website, it knows the IP-address from where you visit? Your ISP can log your entire browsing history and big tech companies like Google have invented sophisticated ways to identify you based on your browsing habits.

As you can see, if you want to start an anonymous website anonymously there are a lot more things to consider than just which pseudonym you want to use. This post is a summary of the steps we have taken to start term7.info. We won't go into the details of all of these steps, because if you want to start an anonymous website anonymously yourself, it depends on your own preferences and the choices you want to make. Furthermore, proceed at your own risk. We can only offer advice and how do you know you can trust us? You should always inform yourself and verify any information that is given...

... operational security

Opsec is short for Operational Security. If your goal is to anonymously start an anonymous website you have to stay in the shadows:

  1. Before you start, make sure your computer is hardened for security and respects your privacy: If possible get a dedicated laptop only for your sensitive anonymous activity, either use QubesOS, a hardened Linux system with Whonix, or a portable OS like Tails. If you have to use MacOS instead you can install Whonix as well (unless you have a newer M1 Mac - which is not compatible). However, always improve its security and privacy settings to the maximum: enable full disk-encryption and the internal firewall, disable iCloud, Siri and Spotlight Suggestions and set up a firmware password - just to name a few practical measures. If you need more detailed information on how to secure your Mac, check out this macOS-Security-and-Privacy-Guide on Github. Also this tool may be useful: PrivacySexy. Please don't use Windows (it is a privacy nightmare).
  2. Don't browse the internet without precautions. Always hide your actual IP-address, but don't use a VPN (unless you have set up your own VPN and unless you paid for the service in cash or with Monero so that your real identity is unknown to your VPN provider). Better use Tor instead. If you decide to use Tails or Whonix, you will already use Tor by default. If you are on Linux or MacOS, at least download and use the Tor Browser Bundle, even if it is slower than other browsers. If you want to combine a VPN with Tor (VPN over Tor - Tor over VPN) you should first make yourself familiar with both setups and inform yourself about risks and benefits of each configuration.
  3. Be careful and don't give away information that can be used to identify you. This means while you are using Tor to work on your anonymous website, you should never log into your social media accounts because it will de-anonymize you: your anonymous activity can then easily be correlated with your social media login. Don't use your personal email address to sign up for services you intend to use for your anonymous website. Create an anonymous identity that is separate from your real identity and use it only in this context. Needless to say: never mix the two of them...
  4. Learn as much as you can about online anonymity, privacy and digital self-defence. Please visit our link collection and look up other resources and tutorials. We highly recommend The Hitchhiker’s Guide to Online Anonymity. This guide is also available as a Tor v3 Onion Service: http://thgtoallkcxrdv37u6knsc3pumk6cq6lqmcqlw3j5vkmyahkxive4jyd.onion/guide.html
  5. OPSEC does not only include what you do on your computer, but your offline activity as well. Are you aware of the metadata that your physical presence generates (cameras and other sensors in shops and public buildings)? Do you use smart devices in public? Which Wifi networks do you connect to? Are you aware of the geolocation data that your smartphone, bluetooth headphones, any other smart devices and even RFID enabled credit cards generate while you are in public space, even if you are not using them and sometimes even when they are switched off? Are you aware that you can be tracked in other people's photographs if they post them on social media? All of this data is collected and stored by companies (e.g. by Clearview AI) and governments (e.g. law enforcement in the US). It can be used to identify and track you. As a general word of advice: if you conduct sensitive activities in public, leave your smart devices and RFID enabled cards at home and always be aware of your environment.

To continue reading this post anonymously on our hidden Tor v3 onion page, open this link in your Tor Browser:

http://3fyrg6hmejbgz6akff3nxhapoptywvmra6obz5e2u6wcfdgzd42542yd.onion/how-to-start-an-anonymous-website-anonymously

... anonymous signup email

You do need an email address to sign up for almost every service online. However, if you use your personal email address, you won't be anonymous anymore. To mitigate this problem you can use an anonymous temporary email address instead. In our example we use anonbox, which is made available and maintained by the Chaos Computer Club. Use it to register an account. It will expire within a day and you won't be able to use it to send emails.

In this example we make use of a temporary email address to set up an anonymous email account with ProtonMail, which we will then use to set up other accounts with a hosting company. That way we will be able to receive support emails in an encrypted inbox. Furthermore ProtonMail is based in Switzerland and protected by strong Swiss privacy laws.


... how to create a free anonymous ProtonMail account:

  1. Open your Tor Browser and visit ProtonMail's hidden Tor v3 onion site.
  2. Create a free account: Proton Free / CHF 0 and pick a username and password for your anonymous identity. During the next step Proton needs to send you an email or an SMS for one-time verification. Don't reveal your personal email or phone number! You also might have to complete a CAPTCHA to confirm that you are human.
  3. Visit anonbox, generate your temporary email address and open your temporary mailbox. Until you receive your first mail, this will be just an empty page.
  4. Back at the Proton Signup Page, enter your temporary email address as your one-time verification method and wait for Proton to send you a verification code.
  5. Next, refresh your temporary mailbox. The email sent by Proton will look something like this:
            
    From no-reply@verify.proton.me Sat Aug 06 12:01:55 2022
    Return-Path: <no-reply@verify.proton.me>
    Delivered-To: kxngp-bt7iioagw7@kxngp.anonbox.net
    Received: (qmail 99905 invoked by uid 0); 6 Aug 2022 12:01:55 -0000
    Received: from unknown (HELO mail-4320.protonmail.ch) (185.70.43.20)
      by anonbox.net with ESMTPS (TLS_AES_256_GCM_SHA384 encrypted); 6 Aug 2022 12:01:55 -0000
    Date: Sat, 06 Aug 2022 12:01:46 +0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verify.proton.me;
        s=protonmail; t=1659787314; x=1660046514;
        bh=u9SqrCK2B+QW7OUOo2zUYRo8k8xmSYYoPyFMRkO5kDU=;
        h=Date:To:From:Reply-To:Subject:Message-ID:Feedback-ID:From:To:Cc:
         Date:Subject:Reply-To:Feedback-ID:Message-ID;
        b=eqgb47wK3Z3/tYSFFZVj+IvrNYLD77A/RQNRqLarS7j0+mVe5g6qihDy60IBcsC7N
         JxX62ZaqFCerZtsBCklpCMdS3BDYIxfsODiPMUwjXp2MGsvBCqE/HSVPICYd1j5YIQ
         669ikJFvBGanqZtUGISDZsnxWogCBbREhMrjUwDYLrlAitiJUJOcLAPbIjud6pPRMi
         0KUpLR1sZL1P201jw9XzKmFF0wdCkL0vXF2EIPUEFQGav2XLatGCXpGTUh2klmLWFG
         RPY7HHlEX39dgF0tZAevaQvTSZ+iASf/ycyDyqHpoMWG6L2xCUPNP4Ym8j4CFAu37n
         F5OQSDEzZUH3A==
    To: bt7iioagw7@kxngp.anonbox.net
    From: Proton <no-reply@verify.proton.me>
    Reply-To: Proton <no-reply@verify.proton.me>
    Subject: Proton Verification Code
    Message-ID: <545VT83GFJ5DRJH3V2GKDQPZN4@verify.proton.me>
    Auto-Submitted: auto-generated
    Feedback-ID: 47414585:system:proton
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="b1_DlWAFRSzw2dQysylJcaUa3au55XZM2OIjBOE4o6g"
     
    This is a multi-part message in MIME format.
    
    --b1_DlWAFRSzw2dQysylJcaUa3au55XZM2OIjBOE4o6g
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: base64
    
    WW91ciBQcm90b24gdmVyaWZpY2F0aW9uIGNvZGUgaXM6CjMwNjU5Mw==
    
    --b1_DlWAFRSzw2dQysylJcaUa3au55XZM2OIjBOE4o6g
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: base64
    
    PGh0bWw+DQo8Ym9keT4NCjxwPllvdXIgUHJvdG9uIHZlcmlmaWNhdGlvbiBjb2RlIGlzOiA8YnI+
    PGNvZGUgc3R5bGU9J2ZvbnQtc2l6ZToyLjVlbTsgbGluZS1oZWlnaHQ6MmVtJz4zMDY1OTM8L2Nv
    ZGU+PC9wPg0KPC9ib2R5Pg0KPC9odG1sPg0K
    
    
    --b1_DlWAFRSzw2dQysylJcaUa3au55XZM2OIjBOE4o6g--
    
    
  6. The body of this email contains your verification code encoded in base64. To decode your verification code, visit base64decode, copy and paste the base64 string from the text/plain part of the email into the data field and click on <DECODE> to be able to read it. In this particular example, WW91ciBQ[...]jU5Mw== decodes to:
    Your Proton verification code is:
    306593
    
  7. Afterwards, enter the code into the required field to complete your verification with ProtonMail and wait for your account to be set up. Don't set up a recovery email. You can generate a recovery phrase in your email settings later.

Please note: this method can fail and you may have to repeat it once or twice until you succeed. But as soon as you manage, you will have access to an anonymous email address that is protected by strong Swiss privacy laws.
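The base64 decoding in step 6 can also be done locally, so the verification code is never pasted into a third-party website. The following is an added example, not part of the original post: it parses the raw message with Python's standard `email` module and decodes the text/plain part. The function names, the shortened boundary name and the assumption that the code is a six-digit number (as in the sample above) are ours.

```python
import email
import re
from email import policy

# Constructed sample: the message from step 5, trimmed to a few headers and
# its text/plain part. The boundary name is shortened for readability.
RAW_MESSAGE = """\
From: Proton <no-reply@verify.proton.me>
Subject: Proton Verification Code
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_example"

This is a multi-part message in MIME format.

--b1_example
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

WW91ciBQcm90b24gdmVyaWZpY2F0aW9uIGNvZGUgaXM6CjMwNjU5Mw==

--b1_example--
"""


def plain_text_body(raw: str) -> str:
    """Return the decoded text/plain part of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        raise ValueError("message has no text/plain part")
    # get_content() undoes the Content-Transfer-Encoding (base64 here)
    # and decodes the bytes using the part's declared charset.
    return part.get_content()


def verification_code(raw: str) -> str:
    """Extract the code from the body (assumes six digits, as in the sample)."""
    match = re.search(r"\b\d{6}\b", plain_text_body(raw))
    if match is None:
        raise ValueError("no six-digit code found in the message body")
    return match.group(0)


if __name__ == "__main__":
    print(plain_text_body(RAW_MESSAGE))
    print("code:", verification_code(RAW_MESSAGE))
```

Python is preinstalled on Tails and most Linux systems, so this runs offline once the message text has been copied out of the temporary mailbox.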

... anonymous money

If you use your bank account or PayPal to pay for your domain name and your server, you are not anonymous. Also if you use cryptocurrencies like Bitcoin (BTC) or Ethereum (ETH) you are not anonymous, because in most cases you have to buy these currencies on a crypto exchange and any reputable exchange requires their customers to verify their identity before they can trade crypto. Remember: cryptocurrencies like BTC are based on an open ledger, which means every wallet address and every transaction that has ever been made is stored on a public ledger that can be viewed by anyone.

Please read also this article on Anonymity and the Challenge of Payment Methods by privacytools.io.

But there also are privacy coins, for example Monero (XMR). Privacy coins are cryptocurrencies that enable private and anonymous blockchain transactions because they obscure the origin and the destination of every transaction. There are hosting companies like Njalla and 1984 that accept XMR, which is why we use XMR as an example.

  1. First you need to get a Monero wallet. Please visit GetMonero, the official Monero website to find out what works best for you. The website is available as a hidden Tor v3 onion site too.
  2. LocalMonero is a peer-to-peer marketplace where you can buy and sell XMR directly.  This is our preferred option. LocalMonero operates a hidden Tor v3 onion site as well.
  3. If you want to buy XMR, but the peer-to-peer solution does not work for you, you will still need to find a way to convert cash into crypto to pay for your website anonymously. The easiest and safest way is to register with one of the big exchanges. However, this means that you are required to go through a thorough identity verification process for which you will need your passport and you definitely won't be anonymous. The most famous exchange is Coinbase. There also is Binance, or if you prefer European jurisdiction, you can choose for example Bitpanda. Yet while you can buy XMR on Binance, you cannot buy XMR on Coinbase or Bitpanda. Here you invest in crypto and you pay for it via bank transfer or your credit card.
  4. The next step then is to sign up with an anonymous identity at another exchange where you can trade XMR without identity verification, for example at Kraken. You don't want to use this account to buy crypto, which is why you do not need to get verified. Many exchanges allow you to trade, send and receive crypto - but they do require you to get verified as soon as you invest in crypto with fiat money like USD, GBP or EUR. You want to use this account as a buffer to obscure your money trail. It may be a good idea to get yet another anonymous email address to sign up for this account.
  5. Next you transfer your purchases from LocalMonero, or for example BTC from your personal crypto account at a big exchange, maybe even XMR if you are registered on Binance, to your anonymous crypto account and exchange it for XMR. From here you can then transfer XMR to your Monero Wallet.

... anonymous domain name

To our knowledge there only is one company that enables anonymous domain name registrations: Njalla

This is only possible because if you register with Njalla, you do not own your domain name, but Njalla owns it on your behalf. However, Njalla also makes sure that you have full control over it. In their own words:


"We're not actually a domain name registration service, we're a customer to these. We sit in between the domain name registration service and you, acting as a privacy shield.

When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party.

For instance, when you register a domain name in our system, we can register with our own data. We will be the actual registrant of the domain -- it's not an ownership by proxy as found with all other providers. However, you will still have the full control over the domain name. You can either use our information (and our nameservers) or you can go with your custom data. And you can move at any time. Simple, flexible."


This also means that you have to trust Njalla with your domain and that Njalla won't give away your customer information if somebody, for example law enforcement, requests your data. However, there is no evidence that njal.la has ever handed over customer data. We believe the main reason is that Njalla cares about privacy: Some members of Njalla started the PirateBay as well. Also take a look at their blog. Furthermore, if they gave away their customers' data and it became public, Njalla would lose its credibility.

To register a domain with Njalla, open your Tor Browser and visit Njalla's Tor V3 onion site. Use your anonymous ProtonMail account to register. Njalla supports encrypted email. All emails from Njalla you receive on ProtonMail will be encrypted.

Transfer XMR from your Monero Wallet to Njalla to pay for your domain. A domain with Njalla costs between €15 and €75 per year.

... anonymous web hosting

You can rent a Virtual Private Server (VPS) from Njalla too, but you will have to be the admin of your own VPS. Njalla's servers are located somewhere in Sweden. A VPS with Njalla costs between €15 and €45 per month. You can pay with XMR.

Another great option is 1984. 1984 is based in Iceland and its servers run on 100% green energy. They accept XMR too and you can sign up with your anonymous ProtonMail address. Here you can install for example a WordPress site right away (for as little as €27.42 for the first year and a renewal price of €77 for the next year), which will be managed by 1984. Yet we do recommend you stay in control and learn to be the admin of your own VPS, which will cost you between €4.50 and €72 per month.

We do recommend you learn how to be the admin of your own VPS because it gives you the highest level of control and potentially the highest level of anonymity and privacy.

... congratulations (!), but ...

At this point you should have access to your own anonymous VPS (or your own anonymous WordPress site, e.g. on 1984). Provided you have managed to pay for both your domain name and your VPS anonymously and you managed to keep your personal identity separate from your anonymous identity without making mistakes, you are now in a good position to set up and run your own anonymous website.

Please keep in mind that this tutorial does not go into depth about online anonymity. It only outlines some of the most important steps we took to start term7. The topic of anonymity is big enough to fill a guide of several hundred pages. If you want to get in deep (JUST DO IT!) and learn how to be anonymous (WE THINK YOU SHOULD!), visit The Hitchhiker's Guide to Online Anonymity.

The Hitchhiker’s Guide to Online Anonymity is also available as a Tor v3 Onion Page: http://thgtoallkcxrdv37u6knsc3pumk6cq6lqmcqlw3j5vkmyahkxive4jyd.onion/guide.html

