Building a Burner: How to Set Up a Disposable Research Identity

Security research, red team engagements, OSINT work, and penetration testing all have moments where your real identity should not be the one making the connection. This is not about concealment for its own sake — it is about operational discipline, not contaminating target environments with your actual infrastructure, and protecting your personal accounts from blowback when you are probing things that push back.

Here is a practical framework for disposable research identities that holds up to actual use.

*Note: Everything described here is for authorized security research, penetration testing engagements, and defensive analysis. Apply within the scope of authorized work.*

## The Threat Model First

A burner identity is only as good as its definition. Before building one, decide what you need it to protect against:

**Casual attribution.** Someone notices activity and Googles the source. Your real name does not appear. A basic burner handles this.

**OSINT attribution.** Someone actively tries to trace the activity back to a real person using open-source tools — IP correlation, username clustering, account registration data. Requires more careful construction.

**Legal process attribution.** A subpoena to a service provider. Most commercial VPNs and email providers in the US will comply. This requires provider selection that accounts for jurisdiction and logging policy.

**Technical forensic attribution.** Device fingerprinting, browser fingerprinting, metadata in files, timing correlation. Requires disciplined tooling and operational habits, not just account setup.

Most security research scenarios sit at the first two levels. Design accordingly.

## The Core Stack

**Email.** Do not use Gmail, Outlook, or any provider that ties to a phone number, real name, or existing account. Proton Mail and Tutanota both offer free accounts with no phone requirement — Proton asks for a recovery email or phone, but you can skip both and accept that recovery is impossible. SimpleLogin and AnonAddy offer email aliasing without account creation on the alias side.

For higher isolation: a self-hosted mail server is the gold standard, but operational overhead is significant. For most research purposes, Proton without recovery information is sufficient.

**Phone number.** Avoid providing a real number wherever possible. Google Voice numbers are linked to your Google account — not useful. Twilio provides programmable numbers but requires a payment method. TextVerified and similar SMS verification services provide one-time numbers for service registration. JMP.chat provides SIP-based numbers that work without a real phone and accept payment via cryptocurrency.

**VPN/IP.** Mullvad is the current best choice for research use — no account email required (account numbers only), accepts cash and cryptocurrency, WireGuard-only, strong no-log audit history. Use exit nodes in jurisdictions where you want activity attributed. Do not reuse exit nodes across different burner identities if cross-identity correlation matters.

For higher isolation: Tor provides better technical anonymity than any VPN, at the cost of speed and some operational friction. Whonix routes all traffic through Tor by design and is worth the setup time for sensitive research.

**Browser.** Firefox with uBlock Origin and strict privacy settings handles most cases. The Tor Browser provides the strongest fingerprint normalization if you are worried about browser-based attribution. Do not use Chrome or Chromium for burner-identity work — Google’s telemetry is extensive.

**Payment.** Cash is the only truly anonymous payment method. For online services, Monero provides stronger privacy than Bitcoin: Monero obfuscates the transaction graph, while Bitcoin is only pseudonymous. Privacy.com generates virtual card numbers tied to your real bank, but it can add a separation layer for services that do not require perfect anonymity.

## Account Construction

The sequencing matters. A clean build looks like:

1. Connect to Mullvad VPN from a device that has not been used for your real identity recently (or use a dedicated VM)
2. Create Proton Mail account from that connection, no recovery info
3. Use that email + TextVerified number to register any service accounts you need
4. Do not link accounts to each other, do not reuse usernames, do not use the same IP across different burner identities

Username selection matters more than people expect. Unique usernames are cross-searchable. Use a random generator rather than variations of a handle you use elsewhere. The same applies to passwords — unique, randomly generated, stored in KeePassXC (local) rather than any cloud password manager.

Profile construction: fill in enough to be plausible for the platform you are on. A completely blank account with no activity is sometimes more conspicuous than a lightly populated one, depending on the platform.

## VM Isolation

Each burner identity should run from a dedicated VM snapshot where possible. Whonix provides the strongest default isolation. Tails is good for one-off sessions where you want no persistence at all. A standard Kali VM with Mullvad installed is adequate for most research purposes if you are careful about what else runs in that environment.

The principle: activities from burner identity A should never touch the same VM or browser profile as burner identity B, and neither should touch your real identity’s environment.

## Common Mistakes

**Logging into real accounts from the burner IP.** One check of personal email from a Mullvad exit node the burner uses ties your real identity to that infrastructure.

**Reusing usernames.** Even a partial match — firstname123 on one service, firstname_sec on another — is a correlation vector.
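A self-check for this mistake and for the random-generator advice under Account Construction, added here as an example and not part of the original article: it flags handle pairs that share a run of characters, using the two handles quoted above, and generates a random handle that shares none. The 4-character threshold, the function names and the third sample handle are assumptions.

```python
import re
import secrets
import string
from itertools import combinations

MIN_SHARED = 4  # assumed threshold: a shared run this long counts as a correlation

def normalize(handle):
    """Lower-case and drop separators so 'First_Name' and 'firstname' compare equal."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())

def shared_run(a, b):
    """Longest common substring of two normalized handles (dynamic programming)."""
    a, b = normalize(a), normalize(b)
    best, end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, end = cur[j], i
        prev = cur
    return a[end - best:end]

def audit(handles):
    """Every pair of handles that shares a run of MIN_SHARED or more characters."""
    hits = []
    for a, b in combinations(handles, 2):
        run = shared_run(a, b)
        if len(run) >= MIN_SHARED:
            hits.append((a, b, run))
    return hits

def fresh_handle(existing, length=12):
    """Random handle, regenerated until it shares no long run with an existing one."""
    alphabet = string.ascii_lowercase + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(len(shared_run(candidate, h)) < MIN_SHARED for h in existing):
            return candidate

if __name__ == "__main__":
    # First two handles are the pair from the text; the third is constructed.
    in_use = ["firstname123", "firstname_sec", "q7x2mfp0ka"]
    print(audit(in_use))
    print(fresh_handle(in_use))
```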

**Phone number registered to you.** SMS verification via your real number ties the account to your carrier records.

**Metadata in files.** ExifTool strips metadata from images and documents. Run it before you share anything from a research context. EXIF data in a screenshot can contain device model, sometimes location.
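What stripping has to remove from a JPEG, and how to verify that it happened, as an added example that is not from the original article and is not ExifTool's code. The function names and the sample bytes are constructed for illustration; only JPEG is handled here.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# APP1..APP15 (EXIF, XMP, ICC, vendor blocks) and COM can all carry identifying data.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}

def parse(jpeg):
    """Return ([(marker, raw_segment), ...], rest); rest starts at the SOS marker."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos, segs = 2, []
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] != SOS:
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated or corrupt segment")
        segs.append((jpeg[pos + 1], jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]

def metadata_report(jpeg):
    """(marker, first payload bytes) for every segment that may hold metadata."""
    return [(hex(m), raw[4:10]) for m, raw in parse(jpeg)[0] if m in METADATA_MARKERS]

def strip_metadata(jpeg):
    """Rebuild the file without metadata segments; image data is copied untouched."""
    segs, rest = parse(jpeg)
    return SOI + b"".join(raw for m, raw in segs if m not in METADATA_MARKERS) + rest

def _seg(marker, payload):
    """Build one segment: marker, big-endian length (includes itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally valid marker layout, not a decodable picture.
SAMPLE = (SOI
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + b"constructed-device-model")
          + _seg(0xFE, b"constructed comment")
          + _seg(0xDB, bytes(65))
          + bytes([0xFF, SOS]) + b"\x00\x08scan-data" + EOI)

if __name__ == "__main__":
    print("before:", metadata_report(SAMPLE))
    print("after: ", metadata_report(strip_metadata(SAMPLE)))
```

The useful habit is the second call: re-read the output file and confirm the report is empty before the file leaves the research environment.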

**Time zone correlation.** Your activity timing leaks information about your real location and schedule. For high-sensitivity operations, be aware of when you are active.

## Operational Maintenance

Burner identities decay. Email providers deactivate dormant accounts. VPN providers change logging policies. Service terms change. A research identity you set up a year ago may not have the properties you assumed when you built it.

Audit your active research identities periodically. Know which services log what. Know your provider’s jurisdiction and legal assistance treaty situation. Assume that anything you have is potentially one legal request away from exposure if you used any provider with a real payment method tied to your identity.

**Sources:**
1. Grugq, “OPSEC: Because Jail is for Wuftpd” — classic operational security reference
2. Mullvad privacy policy and audit reports — https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant/
3. EFF Surveillance Self-Defense guide — https://ssd.eff.org/
4. Whonix documentation — https://www.whonix.org/wiki/Documentation
