Top 6 Mistakes That Will Blow Your Online Cover

Perfect Operational Security (OPSEC) Needs to Start From Day One

There are many legitimate reasons to hide your identity when operating online. Among these are anti-fraud investigations, threat intelligence gathering, criminal investigations, and sensitive research. But, you are only protected so long as you maintain your cover. Based on over 20 years of experience with online anonymity, I’ve identified the top 6 mistakes that will blow your cover.

1. Forgetting to Use Your Tools

Failing to consistently use identity-hiding technologies is the most common way to blow your online cover. Just one failure to use your misattribution tools can instantly connect your alias to your real identity. Guccifer 2.0, Sabu, and many more aliases have been exposed by this kind of mistake. The hardest part is that perfect operational security (OPSEC) needs to start from day one, long before you know how important it is to protect this particular alias.

2. Incomplete Separation

Our online identities are made up of many different accounts, including social media, email, chat, and others. Each of these may have account names, recovery email addresses, physical addresses, full names, phone numbers, and passwords. The mistake occurs when the line between alias accounts and real-name accounts starts to blur — you create some alias account that shares a recovery email account with a real-name account, or re-use a phone number, or re-use any other identifying information. There might not even be a single link, but rather a chain of accounts which together can connect your alias with your true identity. This appears to be how Ross William Ulbricht was connected to his criminal alias “Dread Pirate Roberts.”
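An added example (not from the original article): a self-audit of an account inventory that follows shared identifiers from account to account and reports any chain that ends at a different persona. All account names, identifiers and function names here are constructed for illustration.

```python
from collections import deque

# Constructed inventory: account -> (persona, identifiers used at sign-up).
ACCOUNTS = {
    "real-mail":       ("real",  {"pat@example.com", "+1-555-0100"}),
    "joe-burner-mail": ("joe",   {"burner@example.net", "+1-555-0100"}),  # re-used phone
    "joe-chat":        ("joe",   {"burner@example.net", "joe_k"}),        # recovery email
    "sarah-social":    ("sarah", {"sarah.r@example.org", "+1-555-0142"}),
}

def build_index(accounts):
    """Map each identifier to the set of accounts that use it."""
    index = {}
    for name, (_, idents) in accounts.items():
        for ident in idents:
            index.setdefault(ident, set()).add(name)
    return index

def chain_to_other_persona(accounts, start):
    """Shortest chain [account, identifier, account, ...] from `start`
    to an account owned by a different persona, or None if isolated."""
    index = build_index(accounts)
    persona = accounts[start][0]
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if accounts[current][0] != persona:
            return path  # the separation is broken along this chain
        for ident in sorted(accounts[current][1]):
            for other in sorted(index[ident]):
                if other not in seen:
                    seen.add(other)
                    queue.append(path + [ident, other])
    return None

def audit(accounts):
    """Return {account: chain} for every account that is not fully separated."""
    findings = {}
    for name in sorted(accounts):
        chain = chain_to_other_persona(accounts, name)
        if chain:
            findings[name] = chain
    return findings

if __name__ == "__main__":
    for account, chain in audit(ACCOUNTS).items():
        print(account, "->", " -> ".join(chain))
```

Note that "joe-chat" shares nothing directly with the real-name account; it is exposed only through the burner mailbox, which is the chain case the paragraph describes.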

3. Using the Wrong Account

Once you start managing more than one identity, accounts proliferate like weeds. It quickly becomes possible or even likely that you will accidentally use an account associated with one identity to send communications associated with another. If there is someone you only communicate with from your “Joe” alias, then it will cause problems if “Joe” sends an email from “Sarah’s” account. Of course, the worst-case scenario is if that other account is under a true name. I know of one example where two law enforcement officers shared a single computer. One configured it to send email in alias, then went to lunch. The other re-configured it to send some internal emails. When the first returned, he did not check the settings and proceeded to email their criminal target from the second officer’s official email account. This, as you can imagine, completely compromised the mission, fortunately without loss of life.

4. Fake Photos

The common availability of reverse photo searches and facial recognition has caused major problems for many people trying to set up alias social media accounts. To look authentic, accounts need to have activity, including personal pictures. Too often these pictures are lifted from other real social media accounts or from stock photography websites. Unfortunately, social media sites may detect and tag photos with the identity of the person whose photo was “borrowed”. If the picture is posted anywhere on the public web, a reverse image search will quickly discover the original. I have discovered several fake LinkedIn profiles trying to connect with me using profile pictures from GettyImages.

5. Writing Style

The way you write is like a fingerprint. No two people use language in the exact same way. Word choice, common phrases, sentence structures, and idiosyncrasies all allow programs to recognize samples of your writing. And, it is a surprisingly difficult fingerprint to hide. We are largely blind to what aspects of our writing identify us, so it is hard to know what to change, and it is a tremendous effort to do so consistently. If your alias only writes one paragraph in its whole existence, you can do it almost effortlessly. If it writes frequent or long posts, the problem becomes much worse.

6. Behavior and Location

Finally, you might expose your alias as being fake and reveal your true location and interests simply by the patterns of your online activities. I have seen entire blocks of anonymous IP addresses burned through user activity and improper OPSEC. In one case, a group of users had a block of IP addresses in another country. Because they used those IP addresses for personal purposes in addition to their operational activities, Google quickly started identifying their true location: where the users actually worked. It turns out that Google used their search and mapping activities to learn where they were probably located, and they were right. Sports, politics, news, and other content can similarly reflect your actual identity and location, undermining the realism of your alias.

If you can avoid these top 6 mistakes, you are far more likely to be successful with any online undercover activity. You will access the threat intelligence you need from that hacker IRC room, catch those fraudsters in the act, or make your case against some nefarious criminals.
