Prime Market Privacy Lab: Tools, Research & Tutorials
Deep dives into the privacy stack that keeps anonymous commerce possible.
Network Anonymity
The Onion Router: How It Actually Works
Most people know Tor as "the anonymous browser." But Tor is fundamentally a network protocol — the browser is just one application built on top of it. Understanding the difference matters because it changes how you think about what Tor can and cannot protect.
When you connect through Tor, your traffic passes through three relay nodes: a guard (entry) node, a middle relay, and an exit node. Each node only knows the identity of the node directly before and after it in the chain. The guard knows your IP but not your destination. The exit knows the destination but not your IP. The middle node knows neither.
This is achieved through layered encryption — hence the "onion" metaphor. Your client encrypts the payload three times, once for each relay. As traffic passes through each node, one layer is stripped. By the time it reaches the exit, only the innermost layer remains.
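To make the layering concrete, here is a stdlib-only toy model of onion wrapping and peeling (an added example, not Tor's own code). It assumes the client already shares one symmetric key with each relay, uses an HMAC-SHA256 keystream in place of Tor's AES-CTR, and prefixes each layer's body with a 16-byte next-hop field so a relay learns only where to forward.

```python
import hmac
import hashlib
import os

# Toy onion layering (added example, not Tor's real cell format).
# Layer = 16-byte nonce || 32-byte HMAC tag || XOR-encrypted body,
# where body = next_hop (16 bytes, NUL padded) || inner layer.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key: bytes, body: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unwrap(key: bytes, layer: bytes) -> bytes:
    nonce, tag, ct = layer[:16], layer[16:48], layer[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(keys, hops, payload):
    """Client side: wrap the exit layer first, the guard layer last."""
    onion = payload
    for key, next_hop in reversed(list(zip(keys, hops))):
        onion = wrap(key, next_hop.encode().ljust(16, b"\0") + onion)
    return onion

def relay(key, onion):
    """One relay peels exactly one layer and learns only the next hop."""
    body = unwrap(key, onion)
    return body[:16].rstrip(b"\0").decode(), body[16:]

def run_circuit(keys, hops, payload):
    """Walk guard -> middle -> exit; return what each hop learned and the final plaintext."""
    onion = build_onion(keys, hops, payload)
    seen = []
    for key in keys:
        next_hop, onion = relay(key, onion)
        seen.append(next_hop)
    return seen, onion
```

The guard only ever sees "middle", the middle only "exit", and only the exit sees the destination and the plaintext; a relay holding the wrong key cannot peel a layer at all.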
"Tor doesn't make you invisible. It makes your traffic indistinguishable from everyone else's traffic on the network. That distinction is everything."
Hidden Services (.onion)
When accessing a .onion address like Prime Market, traffic never leaves the Tor network. There's no exit node involved — both client and server operate within Tor's overlay network. This is called a "rendezvous" connection: the client and the hidden service each build a three-hop circuit to a common rendezvous point, resulting in six hops total.
This architecture provides mutual anonymity: neither party needs to know the other's real IP address. It also eliminates the exit-node vulnerability — a significant concern for clearnet browsing over Tor, where malicious exit nodes can intercept unencrypted traffic.
Video: Onion Routing explained by Computerphile
Bridge Relays and Censorship Resistance
In countries that actively block Tor, users rely on bridge relays — unlisted entry points that aren't in the public Tor directory. Bridges can be further obfuscated using pluggable transports like obfs4 or Snowflake, which disguise Tor traffic as ordinary HTTPS or WebRTC connections.
Bitcoin was designed as a transparent ledger. Every transaction — sender address, receiver address, amount — is permanently recorded on the blockchain and viewable by anyone. While Bitcoin addresses are pseudonymous, they're not anonymous. Chain analysis firms like Chainalysis have built an entire industry around linking Bitcoin addresses to real-world identities.
Monero takes the opposite approach. Three technologies work in concert to make every transaction private by default:
Ring Signatures — when you send XMR, your transaction is grouped with decoy outputs from the blockchain, making it computationally infeasible to determine the true sender.
Stealth Addresses — each transaction generates a one-time destination address. Even if someone knows your public Monero address, they cannot link incoming transactions to it.
RingCT (Ring Confidential Transactions) — the amount transferred is cryptographically hidden while still allowing the network to verify that no coins were created from nothing.
"With Bitcoin, privacy is a feature you add on top. With Monero, privacy is the default state you'd have to work to break."
Despite the privacy advantages, Monero isn't universally superior. BTC has broader exchange support, more liquidity, and is accepted by a wider range of services. For users who already hold BTC and prefer not to swap to XMR, Prime Market offers coin-join mixing services and supports Wasabi Wallet deposits for added privacy.
PGP (Pretty Good Privacy) was invented in 1991, and its core cryptographic principles remain unbroken. In the context of anonymous marketplaces, PGP serves two critical functions: encrypting messages so only the intended recipient can read them, and signing messages to prove authenticity.
Every communication with a vendor — shipping addresses, order details, questions — should be PGP-encrypted. This ensures that even if the marketplace's servers are seized, the content of your messages remains unreadable without the vendor's private key.
Key Management Basics
Your PGP key pair consists of a public key (shared freely) and a private key (never shared, stored locally). When you encrypt a message with someone's public key, only their private key can decrypt it. Conversely, when they sign a message with their private key, anyone with their public key can verify it's authentic.
# Generate a new PGP key pair
gpg --full-generate-key

# Export your public key
gpg --armor --export your@email > pubkey.asc

# Encrypt a message for a recipient
gpg --encrypt --armor -r recipient@key message.txt

# Decrypt a received message
gpg --decrypt message.txt.asc
Individual tools are useful, but real security comes from layering them correctly. Here's a practical stack ordered from essential to advanced:
Layer 1: Tor Browser (Essential)
The non-negotiable foundation. Tor Browser routes traffic through the onion network and includes built-in protections against browser fingerprinting, WebRTC leaks, and JavaScript-based tracking. Always use the official download from torproject.org and verify the GPG signature.
Layer 2: VPN (Situational)
A VPN before Tor (VPN → Tor) hides the fact that you're using Tor from your ISP. This matters in jurisdictions where Tor usage itself is monitored or flagged. However, a VPN is not a substitute for Tor, and using a VPN alone provides far less anonymity than Tor alone.
Important: Never use Tor → VPN (Tor then VPN). This configuration sends your traffic to a VPN server after the Tor exit node, which can actually reduce your anonymity by giving the VPN provider a fixed endpoint to monitor.
Layer 3: Tails OS (Recommended)
Tails is a live operating system that boots from a USB drive and routes all traffic through Tor. When you shut down, Tails wipes all session data from RAM. Nothing is stored on disk unless you explicitly configure a persistent encrypted partition. This is the gold standard for leaving no forensic traces.
Layer 4: PGP Everywhere
Encrypt all marketplace communications. Verify vendor PGP keys before sending sensitive data. Use a dedicated key pair that isn't linked to any real-world identity.
Layer 5: Dedicated Hardware (Advanced)
The most cautious users maintain a separate device — a cheap laptop purchased with cash — used exclusively for anonymous activities. This device never connects to personal accounts, home WiFi (without VPN), or any service tied to a real identity.
Video: TOR Hidden Services explained by Computerphile