Threat Modeling
Privacy isn't one-size-fits-all — define who you're protecting against before choosing tools.
Before you download a single privacy tool, ask a more important question: who, exactly, are you protecting yourself from? Privacy is not a product you install — it is a set of decisions that only make sense in the context of a specific adversary. A teenager hiding a gift purchase from a sibling, a journalist protecting a source, and a business shielding supplier payments face wildly different risks. Threat modeling is the discipline of naming those risks before you choose your defenses.
What a Threat Model Actually Is
A threat model is a structured answer to four questions:
- What are you protecting? Your balance, your transaction history, the link between your identity and your coins, your physical location, or simply your IP address.
- Who wants it? A curious exchange, a chain-analysis firm, an abusive ex-partner, a thief, or a well-resourced state actor.
- What can that adversary do? Read public blockchains, subpoena an exchange, run a malicious node, watch your network traffic, or physically seize your hardware.
- What happens if they succeed, and how much effort is it worth to stop them?
The point is not paranoia. The point is proportion. Defenses cost time, money, and convenience, and spending those resources on the wrong threat leaves you both inconvenienced and exposed.
Why Monero Changes the Calculation
On a transparent chain like Bitcoin, your threat model has to account for the fact that anyone can read every amount and trace every coin forever. Monero flips the default: amounts, recipients, and senders are hidden on-chain by design, which we cover in RingCT and Hidden Amounts and Stealth Addresses. That means many threats that dominate Bitcoin privacy planning simply do not apply.
But Monero does not protect against everything. It hides what happens on the chain; it does not hide what happens around it. Your IP address when you broadcast a transaction, the KYC records an exchange holds, the metadata you leak in a chat with a seller, or malware on your device are all outside the protocol's reach. A good threat model is what tells you which of these matter for you.
Identifying Your Adversaries
It helps to sort adversaries by capability, because each tier calls for different tools:
- Passive on-chain observers — anyone reading the blockchain. Monero's base protocol already defeats most of what they could do on a transparent chain.
- Network observers — your ISP, your home network, or a node operator who can see that an IP sent a transaction. Defeated by hiding the network layer with Tor or I2P; see Network Privacy with Tor and I2P.
- Custodians and counterparties — exchanges with your KYC, or sellers who know your name. Defeated by limiting what you hand over in the first place.
- Endpoint attackers — malware, phishing, or someone with physical access to your device. Defeated by good operational security and offline key storage.
Turning the Model Into Choices
Once you know your adversary, the tool selection almost writes itself. If you only fear casual on-chain snooping, default Monero use may be enough. If you fear network-level observation, you route through Tor. If you fear endpoint compromise of large holdings, you move to hardware and cold storage. Crucially, a realistic model also tells you what you can safely ignore — trying to defend against a nation-state when your real risk is a nosy roommate just wastes effort you could spend on the threat that's actually present.
Revisit your model whenever your situation changes: a larger balance, a more sensitive use, or a new jurisdiction can all shift who you should worry about.
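The check below is an added example, not part of the original course: it compares a written-down threat model with the defenses actually in use and reports both remaining gaps and defenses that answer no adversary in the model. The tier names follow the article; the asset names, defense labels, and the tier-to-asset mapping are illustrative assumptions.

```python
# Assets each adversary tier can reach when you use Monero.
# Tier names follow the article; the asset mapping is an assumption.
REACH = {
    "on_chain_observer": set(),  # amounts, senders, recipients are hidden on-chain
    "network_observer": {"ip_address"},
    "custodian": {"identity_link"},
    "endpoint_attacker": {"keys", "balance", "transaction_history"},
}

# Defense the article pairs with each tier (labels are hypothetical).
DEFENSE_FOR = {
    "network_observer": "tor_or_i2p",
    "custodian": "limit_data_handed_over",
    "endpoint_attacker": "opsec_and_offline_keys",
}


def review(assets, adversaries, defenses):
    """Compare a threat model with the defenses in use.

    assets:      set of things you want to protect
    adversaries: dict mapping adversary name -> tier
    defenses:    set of defenses currently in place
    Returns (gaps, wasted): gaps is a sorted list of (adversary, asset)
    pairs still exposed; wasted is the set of defenses in place that
    answer no adversary in the model.
    """
    gaps, needed = [], set()
    for name, tier in adversaries.items():
        at_risk = REACH[tier] & assets
        if not at_risk:
            continue  # this adversary cannot reach anything you care about
        defense = DEFENSE_FOR[tier]
        needed.add(defense)
        if defense not in defenses:
            gaps.extend((name, asset) for asset in at_risk)
    return sorted(gaps), defenses - needed


if __name__ == "__main__":
    # Constructed model: cares about IP and identity link, but has spent
    # effort on endpoint hardening instead of limiting exchange data.
    assets = {"ip_address", "identity_link"}
    adversaries = {"isp": "network_observer", "exchange": "custodian",
                   "chain_analysis_firm": "on_chain_observer"}
    print(review(assets, adversaries, {"tor_or_i2p", "opsec_and_offline_keys"}))
```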
Threat modeling is the foundation every other lesson in this course builds on. With your adversary named, you are ready to start closing the gaps — beginning with the network layer, then the subtle metadata leaks that can undo good on-chain privacy. When you have worked through the course, check your understanding with the privacy best practices quiz.