# Modelos de amenaza de privacidad — usa la herramienta adecuada

> Seis modelos de amenaza, de «ISP / empleador cotidiano» a «adversario estatal», y a qué parte del stack de xmr.club corresponde cada uno. Evita los dos errores más comunes: sobreprotegerte para un problema que no tienes o subprotegerte para uno real.

Canonical URL: https://www.xmr.club/es/guides/privacy-threat-models

## Overview

Privacidad sin modelo de amenaza es ir de compras. Hay quien instala Tor + Monero + VPN + SIM sin KYC y publica el recibo en Twitter. El error es tratar la privacidad como una lista de la compra en vez de un modelo: ¿de quién me escondo, qué puede hacer realmente, cuál es la defensa mínima viable, a partir de dónde retorna decreciente? Abajo: seis modelos comunes, qué implica cada uno y el stack correspondiente del directorio.

## Body

Why threat-modeling first Every privacy tool trades something — money, friction, dependability, performance. The right amount of trade depends on who can do what to you. Defending against your ISP is one tool and one habit; defending against a nation-state is a lifestyle. Most users sit in the middle and pick the wrong axis. Model 1 — Casual ISP / employer / network admin Who: the people who route your packets but don't know you personally. Includes your home ISP, your employer's IT team, public WiFi operators. What they can do: see destination IPs and TLS-SNI; correlate visits to known sites by timing; log DNS queries. Cannot read TLS content. Defense: a paid no-KYC VPN ( VPN picks ) is enough. DoH / DoT for DNS if the VPN doesn't already cover it. Tor is overkill and slower. Model 2 — Service-provider correlation Who: the services you use — exchanges, payment processors, email providers, the wallets you trust with view-keys. What they can do: link your account/email to your transaction history. Sell that to data brokers or hand it to law enforcement. Defense: no-KYC stack — no-KYC exchanges , email-without-identity , non-KYC SMS . Don't log into KYC'd accounts in the same session as no-KYC ones ( staggered fingerprints ). Model 3 — Stalker / personal-relationship adversary Who: ex-partner, family member, acquaintance who knows your real identity already and is trying to find you online. What they can do: reverse-search public posts, photos, usernames. Cross-reference dating profiles, social media, leaked databases. Defense: compartmentalized identities — separate email + phone + username for the relationship you want hidden. Non-KYC SMS for signup, never reuse a number that's been linked publicly. Scrub data brokers (separate effort outside this directory). Tor + VPN don't help here directly; the problem is the data you produce, not the network you produce it on. Model 4 — Chain-analysis / on-chain forensics Who: Chainalysis-class firms, IRS Cyber Crime Unit, ransomware-tracking nonprofits, sanctions-enforcement bodies. What they can do: cluster wallets by behavioral heuristics; subpoena exchanges for KYC behind addresses; trace stablecoin paths through DEXs and bridges. Defense: native Monero where possible — chain-level privacy is the protocol's job, not yours. For BTC/USDT exposure: a two-hop XMR detour to break correlation, or use kyc.rip / ghost which bundles that detour into a single flow. Subaddress hygiene . Cold storage on a hardware wallet you bought without an account. Model 5 — Compliance / state-level monitoring (not targeted) Who: regulators + state agencies running broad surveillance dragnets. NSA-style passive collection, EU GDPR-compliant data hoarders, financial-intelligence units. What they can do: bulk-collect everything that passes a major IXP; correlate metadata across services; subpoena large platforms for retrospective data. Tor traffic gets flagged but not necessarily deanonymized; Monero is on most agencies' "can't trace" list as of 2026 but the meta-question (do you use it?) is observable. Defense: the full no-KYC stack + Tor over a privacy VPN + bridges if Tor itself is observable in your jurisdiction. Compartmentalize: don't mix KYC'd accounts with the no-KYC stack. The goal is not to be invisible; it's to be uninteresting. Model 6 — Targeted state adversary Who: a state agency actively investigating you specifically. Journalist with a leaked-source archive, dissident in an authoritarian regime, suspected high-value target. What they can do: almost anything — endpoint malware on your devices, supply-chain attacks on hardware, compelled cooperation from your service providers, physical access. Network-level adversary on every major path between you and any service. Defense: outside the scope of this directory. Read EFF's Surveillance Self-Defense , talk to Freedom of the Press Foundation, use Tails / Qubes, multisig everything, treat every device as compromised. The privacy-services directory helps with the substrate but cannot substitute for proper operational security. The biggest mistake Most users either over-buy (full Tor + multisig hardware wallet + offshore VPN for casual ISP-evasion) or under-buy (no-KYC swap but then KYC at withdrawal, fresh email reused across all signups). The fix is to start with the model: write down on paper who you're trying to hide from and what they can actually do. Then pick the minimum stack that addresses it. Add layers only if the cost is acceptable and the gain is real. Re-evaluate yearly. A model that fit two years ago when you were a hobbyist may not fit now that you publish under your name, or vice versa. Stack picks by tier

## Recommended picks

- [Mullvad](https://www.xmr.club/vpns/mullvad) · /llm/vpns/mullvad.txt — Casual ISP / employer threat-model. No-KYC VPN with the longest no-logs track record. Pay in XMR.
- [Tor Browser](https://www.xmr.club/tools/tor-browser) · /llm/tools/tor-browser.txt — Service-provider + compliance models. Network-layer anonymity, fingerprint-padded browser.
- [Feather](https://www.xmr.club/wallets/feather) · /llm/wallets/feather.txt — Chain-analysis model. Native XMR + view-only + Tor + reproducible build.
- [kyc.rip aggregator](https://www.xmr.club/exchanges/kyc-rip-aggregator) · /llm/exchanges/kyc-rip-aggregator.txt — Service-provider + chain-analysis. No-KYC routing across multiple engines, no markup.

## License

CC-BY-4.0. Attribute "xmr.club".