Whonix - the best protection against active de-anonymization

Author: Aleksei Morozov
Updated: 14 February 2026
3 min read

Let's start with our good old game of a special-services agent and a hacker who needs to be identified. The hacker, of course, is smart and uses Tor. You probably know that special services widely use active de-anonymization to identify hackers: they send a file that, when opened, discreetly transmits the opener's IP address to their servers. We will teach you to create such files as part of the course.

How does it work? There is no magic: each file carries its own ID and connects to the server when it is opened. The server receives a request containing the file ID, and the address the request came from is the hacker's IP address. If only one file was sent, the ID is not even needed.

The file will not raise any suspicion in the victim; it will be the most ordinary image, Word document, or PDF. Of course, the hacker still has to be motivated to open the file, but that is a question of social engineering skills.

Why does this work? Such behaviour is hard to track and block, because the outgoing requests to the server are completely legitimate and pose no threat to ordinary users. No threat to ordinary users, that is, but a very real one to the hacker whose identity is being sought.

So, you send the hacker a file; he downloads it through the Tor Browser, checks it on VirusTotal, opens it in a virtual machine, and... for him, the game is over, he has been caught. The file silently sends its data bypassing the Tor network, and the hacker will most likely never learn where he went wrong or how he was identified. All that remains for us is to look up the IP address and see where the hacker is currently located.

The hacker can be saved from such a fate by completely blocking all internet connections in the sandbox (in that case the file simply cannot send anything), by a strictly configured firewall combined with a VPN, or by using Whonix, a virtual operating system that will be discussed in this chapter.

It is probably more correct to say "virtual operating systems," as Whonix consists of two virtual machines: Whonix-Workstation, the desktop system from which all work is done, and Whonix-Gateway, the gateway through which all internet traffic passes. They are connected by a "bridge" connection.

A bit of dry theory. A "bridge" connection is a way of joining two or more network segments at the data link layer, without relying on higher-layer protocols such as IP. Frames are forwarded based on Ethernet (MAC) addresses, not IP addresses.
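The practical consequence of the Workstation/Gateway split is that the Workstation has no route to the internet except through the Gateway, so even a file that tries to "phone home" outside Tor has nowhere else to go. The script below is an added example, not code from the article or from the Whonix project: it reads a routing table in the format printed by `ip route show`, resolves the route a beacon's outbound connection would take (longest-prefix match, as the kernel does), and audits the table for any route that could carry traffic past the Gateway. The Gateway address 10.152.152.10 on the 10.152.128.0/18 internal network and the Workstation address 10.152.152.11 are assumed here; check them against your own Gateway's configuration. Both routing tables and the beacon server address 203.0.113.7 are constructed samples.

```python
"""Added example (not from the original article): model why a beacon file
cannot bypass Tor on a Whonix-style Workstation/Gateway split.

Assumed addresses (verify against your own setup): Gateway 10.152.152.10,
Workstation 10.152.152.11, internal network 10.152.128.0/18 on eth0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

GATEWAY_IP = "10.152.152.10"                                  # assumed
GATEWAY_NET = ipaddress.ip_network("10.152.128.0/18")         # assumed
BEACON_SERVER = "203.0.113.7"                                 # constructed (TEST-NET-3)

# Constructed sample: a correctly isolated Workstation. Its only routes are
# the link to the Gateway and a default route through the Gateway.
ISOLATED = """
default via 10.152.152.10 dev eth0
10.152.128.0/18 dev eth0 proto kernel scope link src 10.152.152.11
"""

# Constructed sample: the same VM after someone attached a second, NAT/LAN
# adapter (eth1). DHCP on eth1 installed its own default route, so traffic
# to the internet now leaves directly instead of via the Gateway.
LEAKY = """
default via 192.168.1.1 dev eth1 metric 100
10.152.128.0/18 dev eth0 proto kernel scope link src 10.152.152.11
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.50
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop address, or None for an on-link route
    dev: str
    metric: int = 0


def parse_routes(text: str) -> list[Route]:
    """Parse `ip route show`-style lines into Route objects."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = ipaddress.ip_network(
            "0.0.0.0/0" if parts[0] == "default" else parts[0], strict=False)
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append(Route(prefix, via, dev, metric))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties on prefix length go to the lower metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr not in r.prefix:
            continue
        if best is None or (r.prefix.prefixlen, -r.metric) > (best.prefix.prefixlen, -best.metric):
            best = r
    return best


def exit_point(routes: list[Route], dst: str) -> str:
    """Where a connection to dst actually leaves the VM."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    return r.via if r.via else f"on-link:{r.dev}"


def audit_isolation(routes: list[Route]) -> list[str]:
    """List every route that could carry traffic anywhere but the Gateway."""
    problems = []
    for r in routes:
        if r.prefix == GATEWAY_NET and r.via is None:
            continue  # the link to the Gateway itself is expected
        if r.via != GATEWAY_IP:
            problems.append(f"route {r.prefix} exits via {r.via or r.dev}, not the Gateway")
    return problems


if __name__ == "__main__":
    for name, table in (("isolated", ISOLATED), ("leaky", LEAKY)):
        routes = parse_routes(table)
        print(f"{name}: beacon to {BEACON_SERVER} exits via {exit_point(routes, BEACON_SERVER)}")
        for p in audit_isolation(routes):
            print(f"  PROBLEM: {p}")
```

On the isolated table every destination, including the beacon server, resolves to the Gateway, which is the whole point of the design: the Workstation cannot send a packet anywhere else even if a file asks it to. On the leaky table the same connection leaves via the LAN router, and the audit flags both eth1 routes. Running the audit against the real output of `ip route show` inside the Workstation is a cheap sanity check after any change to the VM's network adapters.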
