It's not that hard to do this kind of thing without leaving any solid trace at all.
A way to do it for example would be to use a stolen credit card to subscribe to a few VPN with hops on Tor in between and use that to set up a VPS that puts this up after a few weeks
The devil is in the details, but if you're careful you can leave absolutely no trace.
Although, the more they interact with the internet, the more clues they leave behind. Things like Tor can be deanonymized, and even Tor has a warning. Quote:
"Generally it is impossible to have perfect anonymity, even with Tor."
> Although, the more they interact with the internet, the more clues they leave behind
Interacting with a tor browser would be amateurish at this point. Just connect to tor (not on a browser, tor directly), use a script to upload to some random pastebin, disconnect from tor.
Note that, for example, your isp can see whenever you are using tor or a VPN. From there, they can inspect the packets to work out what pastebin you have visited. Eg. simply by measuring how many bytes you have uploaded and then finding the paste and comparing the length of the paste with the number of uploaded bytes. (Just a basic example, there are more advanced methods). See https://witestlab.poly.edu/blog/de-anonymizing-tor-traffic-w...
This is why you don't actually post anything on pastebin yourself.
Rather, you SSH into a VPS (via multiple VPNs and Tor/I2P), then program the VPS to post your message to pastebin in a week.
And of course, you're not doing this from your home, you're doing this from the parking lot of a Starbucks in a car with tinted windows and fake plates, using a device with a spoofed MAC address.
There are many ways of pulling this off so that no one will ever be able to pin you down. You just need to pay attention to detail.
You're of course using some sort of obfuscated bridge too, so that packet sizes become meaningless.
Allright, good point. I'll concede the argument - there's fairly decent anonymity for those who use a combination of tools and know how to operate them. It's still not 100% perfect, but good enough.
Some examples where it could go wrong: what if the VPS was a honeypot? What if the VPN logged everything? What if Tor or other piece of software they are using has a 0-day? The more complexity, the more chance for a bug or mistake... and so on...
Yes, it's absolutely true that you must be very careful, and of course it's not 100% but it's 99.9999...% perfect.
That said, a VPN logging everything, or Tor being compromised, or the VPS being a honeypot wouldn't be enough to compromise you, you'd need all of them to be true simultaneously.
even better: throw away a raspberry pi that automatically connects to the McDonald's WiFi at night from the trash can. the evidence is disposed of, and surveillance captures many people throwing away trash. whose happy meal had the toy?
A way to do it for example would be to use a stolen credit card to subscribe to a few VPN with hops on Tor in between and use that to set up a VPS that puts this up after a few weeks
The devil is in the details, but if you're careful you can leave absolutely no trace.