We have learnt from the cases of Playpen and SR2 that deanonymising a Tor user is unlikely but not impossible. For many users that's good enough, but for some (vendors and market staff in particular) unlikely is still too much of a risk. My aim here is to give you a guide to the tactics LE (law enforcement) can use and explain how to protect yourself as a DNM (darknet market) user.
There are 2 main vectors LE can use to deanon a Tor user:
- Market takeover, then JS code served from the seized site to discover your IP
- A Tor exploit, either against Tor Browser itself or against the Tor network
To prevent yourself from falling foul of JS code such as that used on Playpen (and potentially Hansa), you need to disable JS. The easiest way of doing this is to simply set your security slider to "High". If you are using Tails you need to do this every single time you boot up, as Tails does not save the security settings. There is a hack to make these settings persistent which can be found on the reddit tailswiki here:
https://www.reddit.com/r/tailswiki/wiki/index/browser-persistent
I can confirm it still works as of Tails 3.0.1, but I would test it on a backup Tails USB before using it on your production USB. With the hack your security settings will always be set to High, even after a reboot; you would have to manually move the slider down to re-enable JS. There are some privacy-related side effects of persistent settings, such as persisting cookies, but IMO the trade-off is well worth it. I implore all markets to make their sites completely compatible with Tor Browser running on High security settings. Nobody wants fancy icons and menus if they're potentially going to put people in jail (I'm talking to you CGMC, Dream and DHL... you all have code which doesn't run completely under High security settings. Unsure about other markets as I haven't tested them on lower settings).
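For people who want to see what "pinning the slider" actually means on disk, here is an added example (it is not from the original post and not the tailswiki hack): a user.js that a Firefox-based browser such as Tor Browser reads on every start, forcing the slider pref and JavaScript off, plus a check that the file really says that. Assumptions, labelled in the code: the pref name extensions.torbutton.security_slider with value 1 = High is the one Tor Browser 7.x torbutton used, and the profile directory passed in is a placeholder, not a known Tails path.

```shell
#!/bin/sh
# Added example: pin Tor Browser's security slider to High via user.js.
# ASSUMPTION: pref names/values are those of torbutton in Tor Browser 7.x
# (security_slider: 1 = High, 2 = Medium, 4 = Low). Verify against your version.
set -eu

# Write (or overwrite) user.js in the given profile directory so the
# settings are re-applied on every browser start, reboot or not.
write_hardened_user_js() {
    profile_dir="$1"
    mkdir -p "$profile_dir"
    cat > "$profile_dir/user.js" <<'EOF'
// Pin the security slider to High (assumed torbutton pref name, TB 7.x)
user_pref("extensions.torbutton.security_slider", 1);
user_pref("extensions.torbutton.security_custom", false);
// Belt and braces: disable JavaScript outright even if the slider pref is ignored
user_pref("javascript.enabled", false);
EOF
}

# Return 0 if user.js pins the slider to High AND disables JS, 1 otherwise.
# Run this after a reboot to confirm your persistence actually took.
user_js_is_hardened() {
    f="$1/user.js"
    [ -f "$f" ] || return 1
    grep -q 'user_pref("extensions.torbutton.security_slider", 1);' "$f" || return 1
    grep -q 'user_pref("javascript.enabled", false);' "$f" || return 1
    return 0
}
```

Point it at the Tor Browser profile directory on the medium you made persistent (the path differs per install, so it is left as an argument here), then run the check after a cold boot: if it fails, the persistence hack did not survive the reboot and you are back to moving the slider by hand.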
Protecting yourself from a browser exploit (a NIT of the kind deployed on Playpen, which works by making the browser reveal its real IP) is more difficult but can still be done. You have to assume your browser will tell the LE-run DNM site exactly what its IP is, so you need to ensure the browser has no idea what its actual IP is. Note that the SR2 user IPs were obtained by a different route: a traffic confirmation attack run from malicious relays (the 2014 "relay early" attack on the Tor network itself). That class of attack happens outside your machine and neither of the setups below stops it; they are for the browser exploit case. There are 2 ways to achieve the isolation:
Use Qubes/Whonix as your OS. Under Whonix, Tor Browser runs in the Workstation VM, which is isolated from the Gateway VM that runs Tor. The Workstation only ever sees an internal address and can't reach the internet except through the Gateway, so even a fully compromised browser can't give up your real IP. For this threat Whonix is safer than Tails, there is absolutely no doubt about this. Sandboxing is something Tails/Tor are working on themselves, but the current version is not sandboxed so is vulnerable.
Use a VPN running on a router with a killswitch and connect your Tor machine directly to that. The killswitch is the important part: the router must fail closed and drop traffic when the tunnel goes down, not fall back to your bare ISP connection. That is not completely foolproof, as it still puts your anonymity in the hands of the VPN provider (an exploit that makes the browser phone home outside Tor will show them the VPN's exit address), but IMO it is better than exposing your bare IP if a Tor exploit is used against you. I posted a guide on how to do this a while back but all the images disappeared with sli.mg so I deleted it. If there is demand I'll write another one.
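As an added example of what "fail closed" looks like in a router firewall (this is not from the original post or the deleted guide, and the interface names lan0/wan0/tun0, the VPN server address 203.0.113.10 and port 1194 are placeholders), here is a generator for an nftables ruleset plus a static check you can run on any ruleset text before loading it. The invariants it enforces: the forward chain defaults to drop, the only accepted LAN path goes into the tunnel, the router itself may only talk to the VPN server (and DHCP) on the bare WAN, and NAT only ever happens onto the tunnel interface.

```shell
#!/bin/sh
# Added example: fail-closed VPN killswitch ruleset for a router, nftables syntax.
# ASSUMPTIONS: lan0/wan0/tun0, 203.0.113.10 and 1194 are placeholders; adjust
# to your router. The VPN endpoint is given as an IP so no DNS is needed on wan0.
set -eu

# Print an nft ruleset to stdout.
# Arguments: LAN iface, WAN iface, tunnel iface, VPN server IP, VPN UDP port.
gen_killswitch_ruleset() {
    lan="$1"; wan="$2"; tun="$3"; vpn_ip="$4"; vpn_port="$5"
    cat <<EOF
flush ruleset
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "$lan" accept
    }
    chain forward {
        # Default DROP: when the tunnel is down there is no LAN -> WAN path at all.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$lan" oifname "$tun" accept
        # Deliberately no LAN to WAN accept rule: that is the killswitch.
    }
    chain output {
        # The router itself may only use the bare WAN for the VPN handshake and DHCP.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        oifname "$tun" accept
        oifname "$lan" accept
        oifname "$wan" ip daddr $vpn_ip udp dport $vpn_port accept
        oifname "$wan" udp sport 68 udp dport 67 accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # NAT only onto the tunnel, never onto the WAN interface.
        oifname "$tun" masquerade
    }
}
EOF
}

# Static check on ruleset text. Returns 0 only if: the forward chain policy is
# drop, nothing is masqueraded onto the WAN interface, and no forward rule
# accepts traffic out of the WAN interface. Use it on hand-edited rulesets too.
ruleset_is_fail_closed() {
    wan="$1"; ruleset="$2"
    printf '%s\n' "$ruleset" | grep -q 'type filter hook forward priority 0; policy drop;' || return 1
    printf '%s\n' "$ruleset" | grep -q "oifname \"$wan\" masquerade" && return 1
    printf '%s\n' "$ruleset" | grep -Eq "iifname \"[^\"]+\" oifname \"$wan\" accept" && return 1
    return 0
}
```

To load it on the router: generate the text with your real interface names and endpoint, run it through the check, and only then feed it to nft (nft -f reads a file; "-" for stdin is supported on current versions). The usual way people break a killswitch is adding a "temporary" masquerade on the WAN or a LAN to WAN accept while debugging connectivity; the check catches both.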
Now your hardware/browser setup is secure you need to be sure you don't expose yourself through sloppiness. Never use a site's PGP implementation to encrypt sensitive information. Always, always, always encrypt your address yourself. No ifs, ands or buts... always fucking encrypt your own address. On an LE-infiltrated server the information may be mirrored in an unencrypted state in their database even though everything looks fine and dandy to your eyes. It is not safe to use. The same logic applies to the vendor's key itself: a key displayed on a compromised market can be swapped for one LE holds, so check its fingerprint against one the vendor published elsewhere (a signed message, their profile on another site) before you encrypt to it.
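Here is an added example of doing this properly on your own machine, with GnuPG; it is not from the original post, and the key file, fingerprint and address file names are placeholders you supply. The point it demonstrates beyond "encrypt it yourself" is pinning: the vendor key is imported into a throwaway keyring, its full 40-hex-digit fingerprint is compared against the one you verified out-of-band (short key IDs are refused), and the message is encrypted to the fingerprint rather than to a name or email, so a look-alike key can't be selected.

```shell
#!/bin/sh
# Added example: encrypt your own shipping address locally with GnuPG, pinned to a
# vendor fingerprint verified out-of-band. vendor.asc / the fingerprint / address.txt
# are placeholders (assumptions), not values from any real market.
set -eu

# Canonical form of a fingerprint: strip spaces and colons, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# 0 if both are the same full 40-hex-digit fingerprint, 1 otherwise.
# Short (8/16 hex) key IDs are rejected: they are cheap to collide.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#a}" -eq 40 ] || return 1
    [ "$a" = "$b" ]
}

# Import the vendor's public key into a throwaway keyring, check the primary key
# fingerprint against EXPECTED, then encrypt ADDRESS_FILE to it (armoured, stdout).
encrypt_address_to_vendor() {
    vendor_key_file="$1"; expected_fpr="$2"; address_file="$3"
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$vendor_key_file"
    # First 'fpr' record = primary key fingerprint of the only key in this keyring.
    actual_fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    if ! fpr_matches "$actual_fpr" "$expected_fpr"; then
        echo "fingerprint mismatch: got $actual_fpr, expected $expected_fpr" >&2
        rm -rf "$GNUPGHOME"
        return 1
    fi
    # --trust-model always: we verified the fingerprint ourselves, so skip WoT prompts.
    # Encrypt to the fingerprint, never to a name/email, so no look-alike key is picked.
    gpg --batch --quiet --armor --trust-model always \
        --recipient "$actual_fpr" --encrypt < "$address_file"
    rm -rf "$GNUPGHOME"
}
```

Usage: encrypt_address_to_vendor vendor.asc "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" address.txt > address.asc, then paste the contents of address.asc into the order form. Get the expected fingerprint from something the market cannot rewrite, such as a message the vendor signed or their listing on a second site, not from the key page of the market you are about to trust with it.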
You should also tumble your BTC or use XMR. If your BTC movements can be linked to a real-life account on LBC/Coinbase/whatever, you are exposing yourself.
If you understand these basic principles you should be able to use a DNM run by LE without compromising yourself. None of this is new information but I have laid it all out for you here, so there are no excuses now motherfuckers... get your shit together.
Why do people think VPNs will help you? You are tunneling through the VPN network with Tor, which means you are still directly connected to Tor. Browser exploits happen in your browser to return your real IP; VPNs do not stop this from happening. This technology does not work how you think it does.