Operation Security Handbook v1.

This is what our OPSEC will look like:

Laptop with Linux Mint 18.3 as a host OS (HDD encrypted) with an automatic MAC changer →
Mullvad VPN, protocol set to TCP → Virtualbox → Veracrypt volume on USB 3.0 Flash Drive →
Whonix Gateway w/ 9 obfs4 bridges → Windows 7 VM

Burner Laptop Requirements:

At least a 4-Core Processor with Virtualization Support (make sure it is enabled in BIOS).
8-16 GB of RAM
SSD for Host OS
At least 1 USB 3.0 port or better
At least one 64-128GB USB 3.0 Flash Drive

Part 1. Host OS
We will be getting Linux Mint 18.3 64 bit, a slightly older build. I recommend getting KDE version,
because it performs best and doesn't look too bad. Only reason for this is: Mullvad VPN app currently
doesn't work on 18.4 and up, however they are reportedly working on fixing this issue, but for now
we're stuck with 18.3. As you're installing, make sure you enable full disk encryption, as well as
encrypt the Home folder. Set a strong password, 32 symbols is recommended. Don't store any of your
passwords digitally, write them down with a pen in a small notebook somewhere. When you're done
installing it, boot it up, go to Update Manager and install all updates.

Step 1. Installing Mullvad

1. Got to www.mullvad.net. No instructions needed really, it's a simple .deb install. Just double click it
and Install.
2. Once logged in, go to Settings tab, click on Advanced and find a line with "protocol = any" and
change "any" to "tcp". It should look like "protocol = tcp", without quotes.
3. Click on OK and you're done.

Step 2. Installing and setting up Veracrypt

1. Go to www.veracrypt.fr.
2. Downloaded file will look something like this: veracrypt-1.22-setup.tar.bz2, version may/will be
different. Right click on the archive and select Extract → Extract archive here, autodetect subfolder.
3. Go to the extracted folder and double click on veracrypt-1.22-setup-gui-x64. The dialog will pop up,
click on Execute.
4. Then, Install Veracrypt and you're done.
5. Next, insert your USB 3.0 Flash Drive into your laptop.
6. Run Veracrypt and click on Create Volume button.
7. VeraCrypt Volume creation Wizard will open, there select Create an encrypted file container and
click Next >
8. Standard Veracrypt Volume, Next >
9. Select your USB 3.0 Drive in Volume Location and create a file with any name and with or without a
file extension. Next >
10. Encryption Options. In Encryption Algorithm select: AES(Twofish(Serpent)). Leave Hash
Algorithm set to SHA-512. Next >
11. Volume Size, set it to a few GBs less than available on your Flash drive. So if it's, let's say, 111GB -
set it to 106GB. If it's 58GB, set it to 55GB. Next >
12. Volume Password, set a strong one, 32 symbols recommended. Again, don't store it digitally - pen
and paper. Next >
13. Format Options, set the Filesystem Type to NTFS. Next >
14. Cross-Platform support. Any choice will do, it's is up to you. Next >
15. Volume Format. Move your mouse cursor randomly until the bar is full. Then click Format and let
it do it's magic.
16. Volume created. Click on Exit.
17. In the Veracrypt main window click on Select File... and navigate to your newly created encrypted
volume on your Flash Drive.
18. Select drive called "1", never change to another drive from now on. Point is, once you chose the
drive you'll mount on, always stick to it. Make sure "Never save history" checkbox is ticked. Click
Mount button and enter your password.
19. Minimize the Veracrypt window and leave it for now.

Step 3. Installing and setting up Virtualbox

1. Go to www.virtualbox.org.
2. Make sure you've downloaded the latest Linux Virtualbox Distribution for Ubuntu 16.04 ("Xenial") -
AMD64.
3. It's a .deb installer, so if you already installed Mullvad, you won't have any problems here.
4. Run Virtualbox, go to File → Preferences. In General in Default Machine Folder and VRDP
Authentication Library type in the same thing for both (without quotes): "/media/veracrypt1". Click
OK.
5. Open Terminal and run the following command: sudo usermod -a -G vboxusers
<username>. Where <username> is the name of your Linux username you chose during installation.
This will enable you to mount any external USB devices inside your Virtual Machines.
6. Download the latest VirtualBox Extension Pack and install it.
7. Done for now, we'll discuss what Virtual Machines you will need to install on it in Part 2.

Step 4. Installing BleachBit

1. Don't get the latest version of BleachBit, it'll give you problems. Instead, go to Start → Install New
Applications (aka Software Manager).
2. Search for BleachBit and install it.
3. Done.

Step 5. Installing Macchanger

1. Open Terminal and type: sudo apt-get install macchanger.
2. Choose No to automatic MAC changer. It doesn't work for some reason, so we will do it manually.
3. Done.
Step 6. Replacing NetworkManager with Wicd
NetworkManager, the default network manager that comes with Mint will not let us to change MAC
address, so we will have to replace it with an different network manager called Wicd. It's a bit shitty
looking, but it does the job pretty well, so no complaining ;).

1. Again, go to Start → Software manager.

2. Search for Wicd and install it.
3. Now we need to remove the NetworkManager. To do that, open Terminal and type: sudo apt-get
purge network-manager.
4. Now close every application, except Mullvad and restart your computer.
5. When you're logged back in, you should see that in the taskbar, where the Wifi icon was, now there

is an uglier icon with two monitor screens . That's Wicd, your new network manager.
6. Right click on the icon → Not connected. In the window click Refresh and it should find your wifi
connection, connect to your wifi and we're ready to set up a MAC changer.
7. Done.

Step 7. Setting up an automatic MAC changer.

Thanks to this trick, your MAC will change automatically every time you will restart your computer.

1. Open Terminal and type sudo su. Enter your password.

2. Type: nano /etc/init.d/macc.sh. This will create a script file called macc.sh and will open it
in Terminal.
3. Open another terminal window and type: ifconfig. This will show all available network interfaces.
You will need to get the name of your wifi, it usually starts with "w". Typically it's called wlan0, but it
could be something else, this is why we need to make sure with ifconfig.
4. Once you get your wifi name, copy and Paste the following lines (in Terminal you Paste by pressing
CTRL+SHIFT+V). Don't dorget to replace YOUR_WIFI_NAME with an actual name of your wifi you
got just now. Just to clarify, not the name of your wifi router on the network, but the name of the
network interface you got from ifconfig. Example: wlan0. Just wanted to stress this point.

#!/bin/bash
ifconfig YOUR_WIFI_NAME down
macchanger -r YOUR_WIFI_NAME
ifconfig YOUR_WIFI_NAME up

5. Save the file by pressing CTRL+X, then press Y and hit Enter.
6. Type: chmod +x /etc/init.d/macc.sh.
7. Type: update-rc.d macc.sh defaults 100
8. Type: macchanger -s YOUR_WIFI_NAME. Write down the MAC on a piece of paper, it should be
the same for both Current and Permanent MAC.
9. Restart your computer.
10. Open terminal and type macchanger -s YOUR_WIFI_NAME again. Now your Current MAC
should be changed to a random one.
11. Done, you've successfully set up an automatic MAC address changer!

Step 8. Downloading and installing the Tor Browser

1. Make sure you have your Mullvad VPN running and connected. NOTE: It's not advised to use Tor
without VPN.
2. Go to www.torproject.org and download the latest Tor Browser. Extract it somewhere.
3. Run start-tor-browser.desktop.
4. The window will open, just click Connect.
5. The browser will open. On the upper right you will see a "S?" icon , click on and make sure
everything looks like this:

6. On the upper left, click on the Onion icon and select Security Settings. In the window that will
open move the slider up to the Safest setting and click OK.
7. Done!
Part 2. Guest OSes in Virtualbox
You will need 2 Operating Systems: Whonix Gateway and Windows 7 (64-bit). Windows 7 needs to be
an untouched original version, no modified Game Editions and such. I won't tell you where to get
Windows 7, that's up to you. but here's what you need to do to set up Whonix Gateway.

Step 1. Downloading and Verifying Whonix Gateway

1. Start Tor Browser with VPN and go to www.whonix.org → Download → Linux.
2. Scroll down a little and you will see a table with Whonix-Gateway and Whonix-Workstation.
3. Under Whonix-Gateway click on both links: "Download (v3 Onion)" and "OpenPGP Signature (v3
Onion) (SHA-512, sig)". This will download the Whonix Workstation itself and and .asc file we will
verify the download with.
4. Open Software Manager, search for Gnupg and make sure it is installed. It should be installed by
default, but it doesn't hurt to verify.
5. Open Terminal and type: sudo su
6. Type: gpg --fingerprint
7. Type: chmod --recursive og-rwx ~/.gnupg . Don't close the Terminal.
8. Download: www.whonix.org/patrick.asc . Save it to your Downloads folder (this folder should be set
as default unless you've changed it).
9. Go back to the Terminal and type: gpg --keyid-format long --with-fingerprint
~/Downloads/patrick.asc
10. Verify that it shows the following:

pub 4096R/8D66066A2EEACCDA 2014-01-16 Patrick Schleizer

<adrelanos@riseup.net>
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
sub 4096R/3B1E6942CE998547 2014-01-16 [expires: 2021-04-17]
sub 4096R/10FDAC53119B3FD6 2014-01-16 [expires: 2021-04-17]
sub 4096R/CB8D50BB77BB3C48 2014-01-16 [expires: 2021-04-17]

11. Type: gpg --import ~/Downloads/patrick.asc

12. Type: gpg --verify ~/Downloads/Whonix-Gateway-14.0.0.7.4.ova.asc
~/Downloads/Whonix-Gateway-14.0.0.7.4.ova
NOTE: In this case the version is 14.0.0.7.4, your version may/will be different, so pay attention to
that and look it up before running this command.

It will think a bit and will come back with response. If the second line says Good signature from
"Patrick Schleizer <adrelanos@riseup.net>", then it's all good, you have a legit copy of
Whonix Gateway now. Pay no attention to all the warnings that follow. If it says BAD signature
from "Patrick Schleizer <adrelanos@riseup.net>", then something's wrong DO NOT use
this Whonix Workstation for anything, it has been tampered with! But I'm sure in your case, everything
will check out just fine :).

Step 2. Installing Whonix Gateway and getting obfs4 bridges

1. Open Virtualbox.
2. Go to File → Import Appliance, window will open, just click the folder button and navigate to your
Whonix Workstation .ova file you've downloaded. Next >
3. Appliance settings - DO NOT change anything here. Click Import.
4. When it's done importing, start your new Whonix Gateway.
5. While Whonix is booting up, go to your Tor Browser (Your VPN is always on at this point).
6. We will have to make a temporary exception here - click on Onion icon → Security Settings and
move the slider to Standard.
7. Open 2 tabs: bridges.torproject.org and metrics.torproject.org/rs.html#search. Bookmark both.
8. On bridges.torproject.org click "Get Bridges", then Advanced Options. Make sure that in "Do you
need a Pluggable Transport? " is set to "obfs4" and "Do you need IPv6 addresses?" checkbox is NOT
ticked. Click on Get Bridges Button and solve the annoyingly difficult capcha. You will get a result that
will look something like this:

bridge obfs4 127.0.0.1:1337 ################### cert=*********** iat-mode=0

bridge obfs4 127.0.0.1:1337 ################### cert=*********** iat-mode=0
bridge obfs4 127.0.0.1:1337 ################### cert=*********** iat-mode=0

9. Select all 3 bridges and copy them into a text file. Go to Start (on your host OS), type Kate and run
it, this is a simple text editor. DO NOT save the file.
10. Select the ################### part of the first bridge and copy it. It's called a fingerprint, by
the way.
11. Go to tab you already opened: metrics.torproject.org/rs.html#search tab, paste the fingerprint into
the search field and hit Enter. It will either come back with "No Results found!", which means that this
bridge is no good or with "Details for: <Relay name> ●", which means that the bridge is potentially
good. What to look for in a good bridge:

a) Green dot next to Relay Name, it means it's online.

b) Speed: preferably should be over 1 MiB/s.
c) Very important: Additional Flags should say "none", that means it's all good. If it says "Not
Recommended", then the bridge is no good and you should throw it away.

Check fingerprints of all 3 bridges like this, cut and paste good bridge/s into another instance of Kate
(don't save).
12. In Tor browser click on the Onion icon and select New Identity. The browser will restart.
13. Press CTRL+B and open these two sites again, you've bookmarked them earlier.
14. Start again from 8. Rinse and repeat until you got at least 3 good bridges. The more you have, the
better. I myself always get 9 bridges.
15. Remember to renew bridges every week. Set a reminder somewhere, I just asked my phone to
remind me to "Get beer" every week ;)
16. With your bridges ready, go back to your Whonix Gateway.

Step 3. Configuring Whonix Gateway

1. You will be greeted with the window called Anon Connection Wizard. If not, then you can run it
manually: Start → Anon Connection Wizard.
2. Which of the following best describes your situation? Select "Configure" radio button. Next >.
3. Tor bridges configuration. Tick the checkbox called "I need Tor bridges to bypass the Tor
censorship". Select "Enter custom bridges" radio button and paste the good bridges you already have in
Kate from Step 2 into the text field below. Next >
4. Local Proxy configuration. Leave "Use proxy before connecting to the Tor network" checkbox
unticked. Next >
5. Summary. Verify that it says: "Status: Tor will be enabled", "Bridges: Custom obfs4" and "Proxy:
None selected". Next >
6. It will think for a bit and should come back with a message: "Tor bootstrapping is done. Bootstrap
phase: Connected to the Tor network!". Click Finish.
7. WhonixCheck will run. If not, then run it manually: Start → System Check. When it's done, it will
show you a "!" and a bunch of red messages. Don't close this window.
8. Go to Start → Terminal and type: sudo passwd user . It will promt you for your current
password, which is changeme by default. After that enter a new password that only you know and
retype it to confirm it. from now on, this is the password you will use in Whonix Gateway.
9. Next, copy and paste from a previous WhonixCheck dialog the following: sudo apt-get update
&& sudo apt-get dist-upgrade . Remember, that in Linux Terminal you have to press
CTRL+SHIFT+V to paste. You can click OK on the WhonixCheck window to close it now. Once the
command is running, say Yes when it asks you to and wait until the updates are done.
10. Run WhonixCheck again, this time all the messages should be green. If not, then run sudo apt-
get update && sudo apt-get dist-upgrade in the Terminal again, then restart Whonix
Gateway and run WhonixCheck again until the messages are all green.

11. Make sure that in the taskbar on the right there's a little green globe icon with a little clock

(and not just the big orange clock icon ). That means that the time is synchronized and you're good
to go.
12. Done! Shut down Whonix Gateway for now.

Step 3. Installing Windows 7 VM and Configuring Network

1. Go back to Virtualbox and click on New.
2. Name and operating System. Name: Windows 7 64 VM. Type: Microsoft Windows. Windows 7 (64-
bit). Next >
3. Memory size. Now you should go for at least 2048 MB, but I recommend 4096 MB. Next >
4. Hard disk. Select "Create a virtual hard disk now" radio button. Click Create.
5. Hard disk file type. Select "VDI (Virtualbox Disk Image)" radio button. Next >
6. Storage on a physical hard disk. Make sure "Dynamically allocated" radio button is selected. Next >
7. File location and size. Make it at least 40 GB. Next >
8. Hit Create.
9. A new Windows VM will appear just under your Whonix Gateway in Virtualbox. Right click on it
and select Settings.
10. In a Settings window go to System and click on Processor tab. Here, drag the "Processor(s)" slider
right to make it 2 cores. Also, tick "Enable PAE/NX" checkbox.
11. Next, go to Display. Increase Video Memory to 64-128 MB.
12. Next, go to Storage. Click on the [CD icon ] Empty, make sure it's selected. Next, in the right
panel, in Attributes, Optical drive, click on a little CD Icon and navigate to your Windows 7 ISO
that you already got earlier.
13. Next, go to Network. "Enable network adapter" checkbox should be ticked. In "Attached to" select
"Internal Network" and in "Name" select "Whonix".
14. Next, go to USB. "Enable USB Controller" checkbox should be ticked. Select "USB 2.0 (ECHI)
controller" or "USB 3.0 (xCHI) controller", depending on what kind of USB ports you have available
on your laptop.
15. We're done with Settings, click OK.
16. Start you new Windows VM and install Windows.
17. Once your Windows is installed and you're on your desktop, go to Start → Control Panel →
Network and Internet → Network and Sharing Center → Change adapter settings. Right click on your
Local Area Connection and select Properties. Select "Internet Protocol Version 4 (TCP/IPv4)" and click
on Properties button.

Select "Use the following IP address" radio button and put in the following IP addresses:
IP address: 10.152.152.XX Instead of XX, put in any number from 1 to 99
Subnet mask: 255.255.192.0
Default gateway: 10.152.152.10

For “Use the following DNS server addresses:”:

Preferred DNS Server: 10.152.152.10

Click OK to close the window. OK again in the previous window.

18. Small thing you should do: open any folder and press Alt, this will reveal context menus. Go to
Tools → Folder Options → View and untick "Hide extensions for known file types" checkbox. Click
OK.
19. Shutdown Windows.
20. Done.

Step 4. Updating Windows and Installing software you'll need

1. Make sure your Mullvad VPN is running and connected like it always should be.
2. Start Whonix Gateway and do a WhonixCheck, if everything is green, start your Windows VM. You
should have internet on it now.
3. Fully update your Windows. This will take a long time and many-many restarts.
4. Once you made sure that there's no more Updates left, download and install Firefox. Don't use IE
anymore.

Step 5. Installing Software and Creating a Veracrypt Volume Again

1. Download and install Tor Browser.
2. Download and install Avast Free Antivirus. Don't install Chrome that comes with it, do a custom
installation and only install the essentials.
3. Download and install Veracrypt.
4. Get another USB Flash Drive for your portable software and illegal files.
5. Create an encrypted volume on it. The process is almost identical to what we did in Part 1, Step 2.
6. Mount your new encrypted volume and create 2 folders in it: Software and Notes.
7. Download the following portable apps and put them in the Software folder: Electrum Bitcoin Wallet,
CCleaner and BleachBit.
8. Download and install Paint.NET from www.getpaint.net. This is where you will be doing all your
image editing, because it's fast, free and easy to learn. Alternatively you can get GIMP, it is way more
powerful, but it's UI is quite dated and confusing.

Step 6. Installing and Configuring Pidgin, the Jabber client

1. Go to www.pidgin.im and download Pidgin. Insatll it.
2. Go to otr.cypherpunks.ca and download OTR Plugin for Pidgin. Install it.
3. Launch Pidgin and let's configure it. In Accounts window click Add.
4. "Basic" tab: Set "Protocol:" to "XMPP". Come up with your Username. In "Domain:" type
"exploit.im". Leave "Resource" field empty. Come up with a good password.
5. "Advanced" tab: "Connection security:" set it to "Require encryption". Tick the "Allow plaintext
auth over unencrypted streams". In "Connect port:" put in "5222". In "Connect server:" type
"exploit.im". For "File transfer proxies:" type "proxy.eu.jabber.org".
6. "Proxy" tab: make sure it's set to "Use global settings".
7. Click on Add button.
8. Next, in the Buddy List window go to Tools → Plugins. Find Off-the-Record Messaging, select it
and tick the checkbox. Now click on Configure Plugin. In a window that will open click on Generate
Key button and then make sure that every checkbox you see there is ticked.
9. Done.

Step 7. Installing and Configuring Riot, Joining Fraud Squad

1. Contact 6Lack via Pidgin and get your username and password (as well as Room info).
2. Go to www.riot.im, donnload and install Riot.
3. Run it and you will be greeted with a login window. Below the "Sign in" button select the "Custom
server" radio button. In both "Home server URL" and "Identity server URL" field put in the same
address: "http://dcxclnewvkrcxotl.onion:8008/".
4. Above the login and password fields, check if the dropdown menu called "Sign in with" is set to
"Matrix ID".
5. Put in your username and password click Sign In.
6. Now when you're signed in, above you will see a message: "Please help improve riot.im by sending
anonymous usage data. This will use a cookie (Please see our Cookie Policy).". Do not send any usage
data or accept cookies. Just click on X to dismiss it.
7. Now look to the lower left and click on "Room directory":

8. By now you should have a list of rooms you got from 6Lack. This is how you join a room, in this
example it's "Lounge" . In Room Directory type in: #lounge:Fraud_Squad and click on Join or
simply hit Enter. You will see a message: "You are trying to access a room. Click here to join the
discussion!". Needless to say, you just click on "Click here" Do this for all of the rooms 6Lack gave
you.
9. NOTE: Pay no attention to this little warning:

10. Done!
Part 3. Practice
Checklist
Booting up your computer
1. You turn on your laptop and enter your 32 symbol password to your encrypted disk. Then enter your
Linux user password.
2. Start Mullvad.
3. Insert your USB 3.0 Flash Drive with your encrypted Virtual Machines.
4. Start Veracrypt and mount the encrypted volume.
5. Start Virtualbox.
6. Start Whonix Gateway. Make sure in the lower right, on the taskbar, there's a little green globe with

even smaller clock icon . Go to Start → WhonixCheck. Make sure every message is green. Click
OK.
7. Start Windows VM.
8. Open Notepad and type the following: ipconfig /flushdns. Save it on your desktop as
Flush_DNS.bat. Run it as an Administrator every time you start your Windows VM.
9. Do your business.

Shutting down your computer.

1. In Windows VM, close all of the programs and unmount all encrypted volumes.
2. Run Flush_DNS.bat
3. Run CCleaner.
4. Run BeachBit.
5. Shut down Windows VM.
6. Shut down Whonix Gateway.
7. Close Virtualbox.
8. Unmount your encrypted volume in Veracrypt and close the program.
9. Run BleachBit and after it's done run BleachBit as an Administrator.
10. Do not close Mullvad, this way it will start automatically on the next system start.
11. Shut down Linux Mint.

Working With Images

For any image you will upload on the internet, you will only use the JPG format and you will need to
delete EXIF (Exchangeable Image File Format) data from it.

1. Download Easy EXIF Delete from www.easyexifdelete.com. It's a portable app.

2. Run it and in the program window click on "Select Images" and load the images you want to delete
the EXIF data from.
3. Once all the images are loaded, see what it says under "Exif Data" for each image. It will either say
"Exif Found" or "Not Found". If it's the latter, then you don't need to delete EXIF data, cause this
image has none. If it says the former, then simply select an image and click on "Delete Exif". Do this
for every image that needs it. Verify that under "Exif Data" in now says "Not Found" for all images.
4. Done, you can now safely upload your images.
Configuring and Using CCleaner
1. Run CCleaner. In Cleaner → Windows tab. Tick every checkbox, except the last one: "Wipe Free
Space". In the Applications tab tick every checkbox as well.
2. Go to Options → Settings → Secure Deletion, select the "Secure file deletion (Slower)" radio button
and select "Very Complex Overwrite (35 passes)" from the dropdown menu.
3. In Options → Settings → Privacy and untick every checkbox.
4. Run CCleaner by going to Cleaner and click on the "Run Cleaner" buton.
5. Wait for it to do it's business and you're done!

Configuring and Using BleachBit on Windows

1. Run BleachBit and go to Edit → Preferences.
2. In the General tab untick "Check periodically for software updates via the internet".
3. Here are the checkboxes that must be ticked: "Hide irrelevant cleaners", "Overwrite contents of files
to prevent recovery" and "Confirm before delete". Leave every other checkbox unticked.
4. In the Drives tab remove everything, then click on Add and select C:\. You can close the Preferences
window.
5. In the main window tick every last one of the checkboxes.
6. Run BleachBit by clicking on Clean.
7. Wait for it to do it's business and you're done!

Configuring and Using BleachBit on Linux

In Linux you will have to run BleachBit twice. First, you just run regular BleachBit and that will clean
your user stuff. Then you need to run BleachBit as Administrator to clean all of the root stuff. Let's go
through the process in order:

Step 1. BleachBit
1. Run BleachBit and go to Edit → Preferences.
2. In the General tab untick "Check periodically for software updates via the internet".
3. Here are the checkboxes that must be ticked: "Hide irrelevant cleaners", "Overwrite contents of files
to prevent recovery" and "Confirm before delete". Leave every other checkbox unticked. Close
Preferences.
4. In the main window make sure the following checkboxes are unticked in the "System" category:
"Custom", "Localizations" and "Memory". All the other checkboxes must be ticked.
5. Click on the red trash can icon and wait until it finishes the cleaning.
6. Close BleachBit and now run Bleachbit as Administrator.

Step 2. BleachBit as Administrator

1. Repeat 1-6 from Step 1 in this instance now.
2. Done!
The Do's and Don'ts with this OPSEC setup
Besides the obvious stuff, you can:
◦ Safely use this setup on your home wifi
◦ Use Riot.
◦ Use Jabber (Pidgin)
◦ Use DNM's
◦ Buy with BTC using Electrum, don't forget to tumble
◦ Do carding activities (with additional security measures we won't discuss here)
◦ etc

Besides the obvious stuff, you can't:

◦ Download torrents

---
And that's about it for this guide, I hope you find it useful!
If you have any feedback, PM me @t3nd3r