Some businesses or individuals need to have an "unidentified" web presence and collect payment "anonymously".
I recently had to create something similar for one of my customers. She's an investigative journalist.
I decided to share because I believe that there are many other legal use cases where making the real name and identity of the owner unreachable is vital.
I hope that what I'm about to share won't be used for ill intentions :)
Let's build a use case for another investigative journalist, let's call her Jane Backer, to clarify the steps needed to achieve an untraceable web presence.
Jane is an investigative journalist. She goes undercover and tackles pressing matters that doesn't make her targets happy.
She can't use her name simply because she fears for herself.
Through her career, she has seen collaborators and peers getting stalked, intimidated, being objects of lawsuits for defamation, and even have physical harm in some extreme cases.
Jane knows the risks of what she does but sharing the truth is her top priority. At the same time, she would love to avoid anything that can hurt her life in any way as much as possible.
So, Jane decided to go by the pen name of "Juliette Truth."
Her goal is to run a branded website where she can share her thoughs and eventually collect donations to help cover her investigations' expenses.
To make that happen, we need:
- A domain name
- An email service
- A good web hosting
- A way to collect payment anonymously
The problem is that every single resource needed for the project can be traced back to Jane using free tools.
Our goal is to give her an anonymous way to run a web property and collect payment without having to reveal her identity.
I will lay down the problem and give the set of solution depending on how much protection is needed or paranoia level :)
Domain name
The problem
Domain name registrars request identifiable information to process the domain purchase order. This information needs:
- To match the payment information you use (real name revealed)
- To be submitted to the whois database (real name made public)
The solution
The domain name is the easiest to protect.
Most registrars have a "privacy protection" service.
It hides any information related to the domain's owner to the public, so, requests on the Whois database won't return or reveal any identifiable information.
Some service providers bill the "privacy protection," while others will offer it for free for a defined period (one year in most cases) or indefinitely.
NameSilo has cheap domain names fees and a free for life privacy feature. Plus they activate the privacy protection out of the box. So, the domain owner's information will never be shared at any point.
Some registrars are pushing the concept a bit further, like Njalla.
Your personal information will never be submitted to the Whois records because Njalla buys the domain name as their own and not on your behalf.
It costs double the regular price, though.
For extreme cases, it's possible not to give your personal information at all. This is what Anonymously.io offers.
You need a generic email and to pay using Bitcoin.
The cost is a bit high, about 3 times the regular pricing, but for what it gives as protection, it's totally worth it.
Tip:
The privacy protection needs to be activated at the earliest convenience.
Some web services can record Whois data history. So, there is a risk that a domain's owner data is recorded before they have a chance to enable the privacy protection.
Jane has successfully registered her branded pen name - juliettetruth.com
She's a bit paranoid, so, we had to go with the 2nd option of the list.
Email service
Here are our requirements for the email service provider:
- Allow custom domain names
- Not require any identity validation
The problem
Most free email services, like Google Gmail, won't allow a custom domain name.
And most commercial email services need payment processing, and therefore, identifiable information might slip through.
The solution
Yandex Mail is the answer.
It's a free email service based in Russia that meets our requirements and has an overall good user experience and service uptime.
Anyone can quickly create an email account and link it to a domain.
They require a phone number at some point for security purposes, so you can recover your password easily if you forget about it. It's safe to share your phone number as it won't be visible to the public. But it's not mandatory.
There are other services similar to Yandex, like Zoho Mail, or other paid services like MailFence.
The reason why I favor Yandex is that no identifiable information can be leaked by accident.
Tip:
Yandex can be a bit too quick to flag potential hack, so, it's preferable to log in on your usual browser and store the password there, and at the same time install their messenger app on your favorite Android or Apple phone.
Website and Web hosting
The website by itself is not an issue.
My personal pick for Jane is WordPress for the following reasons:
- We can design a good looking and functional website using it.
- We can protect it from getting hacked like crazy.
- It will help us with the anonymous payment processing later.
The web hosting is the problematic part.
The problem
With some digging, anyone can find some identifiable data about the hosting platform and potentially expose the owner's identity.
To link a domain name to a website, we need to point the DNS records to the hosting service IP.
Using the right tool, like - securitytrails.com - we can easily find these A records and check out neighboring sites.
If the website's owner is not careful, they might host their supposed-to-be anonymous site with their real blog or business, which will make their identity revealed by association.
The solution
Use Cloudflare as the middleman.
Cloudflare is a caching reverse-proxy.
CF can be directed to handle all the website's traffic by switching the cloud icon to orange on each DNS record.
When used with an A record, results returned by any DNS tools or even Traceroute command will only find IPs pointing to Cloudflare.
So, the real hosting A records are fully hidden.
But it's not perfect.
Like Whois, DNS record has history archives. If a domain name point to a hosting service before putting CloudFlare in the middle, the A records are stored on the historical data of that particular domain.
Tools like SecurityTrails can make these historical data easily retrievable.
Tips
Never document the A records on your domain before enabling CloudFlare.
Don't use a Cname for the www subdomain. CloudFlare can't protect Cnames.
Instead, use an A record to make sure all requests are obfuscated by Cloudflare first.
Another option is to use a completely anonymous web hosting, like Anonymously.io
They don't ask for any identifiable information from their customers. All you need is an email and to pay using Bitcoin.
A way to collect payment anonymously
Collecting payments without revealing Jane's real name is the most challenging part of the job.
The problem
Known payment processors, like Paypal and Stripe, ask for KYC (know your customer) validation before letting you use their services, including receiving and withdrawing money.
So, you can't create an account using a fake name.
The most annoying part is that they share your real name with whoever is paying you, and that's a deal breaker for Jane.
The solution
After thorough research and experimenting, I found that crypto-currencies are the only way to have a 100% identity protection for the receiver.
It's not easy to setup, and it's far from being user-friendly for donors or sponsors, but it fulfills the most critical requirement: "keeping Jane's true identity unknown."
Even if the website ends up getting compromised or hacked, Jane's true identity will remain out of reach.
There's a learning curve to understand how crypto-currencies work. So, anyone venturing that road needs to take time first to learn how to create a crypto-currency wallet, how to use it to send and receive money, and how to find a way to cash out this crypto-asset if needed.
Here are a couple of definitions to get started:
Dealing with crypto is kinda hard to get, though. So, I would strongly advise looking around for family and friends with crypto experience. It's way better when you have someone explaining and setting up things to you face-to-face.
Another detail about this solution is that it's built using WooCommerce. And e-commerce plugin for WordPress.
Here is the official documentation of WooCommerce to get you started:
I'll assume you have already enough knowledge about crypto and how to use WordPress and WooCommerce.
With that said, now that we know the medium to process payments, we still need to set a process to guarantee a maximum level of anonymity.
Because even if someone uses crypto-currencies, it doesn't mean that they are safe.
We are looking for:
- A convenient way to accept and verify payments
- Not involving any 3rd party where KYC or validation is needed
- We need to have full control over our wallet
Before settling on the solution I will lay down in a minute, I tested a couple of services allowing to collect payment through WordPress.
Gourl and CoinPayments were both candidates as a payment processing system for WordPress.
Both are fairly easy to setup and work properly.
Both are centralized payment processing system:
- Collect the payment first
- Add up to a balance
- Allow you to withdraw your fund once you reach a threshold
The workflow is similar, theoretically, to what we find at Paypal or Stripe.
It has a major issue, though.
Both platforms reserve themselves the right to close your account if they judge that your activity is illegal or if they receive any complaint against you (saw lots of cases on Reddit and BitcoinTalks where accounts were closed and their balance not sent to their owners - stolen per their words).
This limit, if we should call it so, is a no for Jane because she will likely receive complains about her investigations.
Ideally, we should receive funds in a controlled wallet.
Luckily, it's possible using WordPress, WooCommerce, and a plugin.
I won't be able to describe the full set up in this article, but I will share what is needed and how things work overall.
First thing, we need a controlled wallet we can trust.
The Ledger Nano S is one of the best hardware wallets out there.
It costs a hefty 79eur ($95) but it's totally worth it.
Second thing, we need WordPress and WooCommerce installed and set up correctly.
Note
We didn't use any personally identifiable data. For the business address, for example, we've set a fake address in a remote country to make sure nothing leads back to Jane.
The third component, probably the most important of the lot, is a specific plugin and one of its add-ons:
- CryptoWoo ($34)
- CryptoWoo HD Wallet Addon ($29)
CryptoWoo enables a hosted crypto-currency gateway for WooCommerce. It means that payments are processed from within WordPress instead of relying on a 3rd party service like GoURL or CoinPayments.
The CryptoWoo HD Wallet Add-on allows us to receive the payment directly on Ledger Wallet address. So, we have full control accessing the wallet and the balance.
Currently, the plugin supports the following native currencies: Bitcoin, Litecoin, Dogecoin, and Blackcoin. Ethereum is in work (as reported by the plugin developer) and will be released later this year.
After doing the necessary setup, we will find ourselves with a default crypto-currency to process payment, and optionally other cryptos if needed.
For Jane, we use LTC as default coin and BTC as an alternative.
Tip
We needed to disable all the other gateways added by default to WooCommerce when installing the plugin.
So, now, all we need is to set up support packages with defined pricing using WooCommerce.
Let's say that our first package does cost $30.
The donor will go through the regular purchasing process:
- Adding the product to a cart
- Check out and pay the order
On the checkout page, CryptoWoo will convert the $30 for the equivalent value on your checkout crypto-currencies.
After placing the order, a crypto-payment processing form will show up.
It has:
- The payment crypto wallet address
- A QR code - handy for people who have smartphone wallets
- Confirmations
- And a timer
Anyone dealing with cryptos will be familiar with that particular way of collecting payments.
Extending the payment options to other Altcoins is possible.
To do so, all we need is to add support to ShapeShift.
ShapeShift is a real-time coin converter, and CryptoWoo supports this service natively.
When paired with CryptoWoo, it allows you to convert your base currency, LTC in our case, to process the payment with any of ShapeShift's +35 crypto including ETH, ETC, XRP, and other popular ones.
What makes the mix even better is that Jane will receive the amount of the purchase directly and immediately to her LTC address located in the Ledger wallet.
So:
- No balance holding and no pretext from the middleman
- No way to steal Jane's balance by claiming fraud or illegal activity
Now that our selling process is set up, we need some way to help potential donors and sponsors to quickly buy and send crypto-currency to use on Jane's website.
Jane's hope is that her donors and sponsors will find a way to pay with crypto. It's not always the case.
We've covered a couple of alternative if there people willing to help but are crypto-illiterate.
Alternative #1
The easiest way in that case is using Changelly.
Changelly is a real-time coin converter too like ShapeShift.
One of the differences between the two is that Changelly allows paying for BTC, BHC, and ETH using Credit Cards!
So, anyone can purchase cryptos anywhere from $50 to $10000.
The only blow is that they charge 10% on each order payable by the customer.
Using Changelly is straightforward. But we needed to make sure that her donors will do it the right way.
We needed to educate them about how they need to take Jane's BTC address, go to Changelly, and buy the BTC using their credit card while documenting Jane's BTC address as the receipient.
It took a 2-minute video describing the process from A to Z. We again resorted to an an anonymous service to host the video for us - streamable.com
Alternative #2
Our second option is to tell the donor or the sponsor to purchase a crypto-currency voucher from a reputable place and send it over as payment.
We are still dealing with crypto, so, Jane's ID won't be traceable.
To do so, we need an additional plugin to build customizable gateways for WooCommerce:
Using the plugin is relatively easy.
We needed to do the following:
- Set up a custom payment gateway
- Give some instructions on the gateway description
- Add a field to receive the voucher code
Again, a short video did a better job describing the process.
CryptoVoucher.io is a reputable company selling BTC vouchers.
You can find where you can purchase their vouchers right here
That's pretty much it.
Hope it wasn't too long and annoying.
And I hope that this share will help anyone wanting to build an anonymous website and receive fonds anonymously for the right reasons :)