Reader threat model, what the Bureau assumes
The assumptions the Bureau makes about the reader environment, and why they matter for the material here.
Every piece of advice on this site is calibrated for a specific reader threat model. This report spells out that model so you know when Bureau advice applies to you and when your situation calls for something different.
The default reader
The Bureau assumes the default reader is an adult using Nexus Market for personal reasons in a jurisdiction where such use may or may not be legal. The reader has access to Tor Browser and understands enough about the internet to install it correctly. The reader is not a security professional, not a journalist under threat, not a state-level target.
The reader wants to reach the storefront, transact, and leave without their real identity being linked to their market account or their host operating system being compromised.
Adversaries we assume
Phishing operators. The most common adversary. Their goal is to capture credentials and drain wallets. Defence covered in the phishing report.
Casual chain surveillance. Someone with public chain-analysis tools who might link a market deposit address to a KYC exchange withdrawal. Defence: Monero, or Bitcoin routed through a fresh wallet or swap first.
Storefront database seizure. Historical pattern where a market operator's infrastructure is seized and the reader database is examined. Defence: no reused identifiers, no long-term wallet balance, PGP encryption over anything sensitive.
Compromised Tor Browser install. Reader downloaded Tor Browser from a fake source, or installed extensions that fingerprint them uniquely. Defence: torproject.org only, no extensions, security slider on Safest.
Adversaries we do not model
State-level targeted attack. If a national security agency specifically wants your identity linked to your Nexus account, the defences described here are not sufficient. Do not use the Bureau's material as a threat model for that adversary. Consult specialists.
Physical compromise. If someone with physical access to your device is your adversary, the compromise is already complete before you open Tor Browser. Defences in that scenario are hardware-encrypted disks, boot-from-USB systems like Tails, and habits well outside the scope of this Bureau.
Insider Nexus operator. We assume the operator is not actively adversarial. If the operator is compromised or turns adversarial, the 2 of 3 multisig closes one class of attacks (wallet drainage), but the reader database is still at risk.
Trade-offs we accept
Convenience versus privacy. The Bureau consistently recommends the more private option (Monero over Bitcoin, PGP over plaintext, Tor Browser over a regular browser with a VPN). This costs the reader minutes of setup and workflow friction. We think the trade is worth it. Not everyone will.
Operational sophistication versus reader onboarding cost. The strongest defences (Tails on USB, dedicated hardware, own-node Monero) are more effort than most readers will accept. The Bureau recommends the strongest defences a typical reader will actually implement, not the theoretically strongest defences that no one implements.
When to escalate beyond Bureau recommendations
If your threat model includes a state-level adversary, use Tails on dedicated hardware, never touch the storefront from your host operating system, and consult a security specialist for anything beyond that.
If your threat model includes physical compromise of your device, do not use the storefront at all from that device.
If your threat model includes needing plausible deniability about ever having accessed the storefront, use Tails, do not enable persistent storage, and reboot after every session.