A lot of people I know who do security research use a pseudonym for part of their work. Most of them do it wrong. "Different username and a VPN" is not identity separation; it's a thin costume that survives a single mistake. Real separation is a discipline that extends into hardware, habits, and writing style, and most people underestimate how much of it is habit.
Threat Model Per Identity
Before you build a second identity, write down the threat model for each one.
- Clearnet identity — usually corporate. Threat: reputational damage if linked to controversial research, even legitimate research.
- Research identity — pseudonymous. Threat: deanonymization by adversaries whose services you study; harassment from their affiliates; occasionally, legal attention if law enforcement wants to understand who's been scraping.
The separation you need is exactly what defends the weaker identity against the adversary of the stronger one. If your research adversary is a ransomware crew, you defend against forum-based OSINT and IP correlation. If your adversary is a nation-state, the bar is much, much higher and honestly beyond what most individuals can meet.
Dedicated Hardware and VMs
The sanitary arrangement looks like this:
- A dedicated laptop, bought with cash if your threat model warrants it, that never joins your home Wi-Fi under its MAC and never logs into any account tied to your real identity.
- Or, more commonly, a Whonix-Workstation VM on a host that itself only ever talks to Tor from a specific network segment.
- A time-of-day discipline: research identity only during certain hours, so behavior patterns don't line up with your corporate Slack activity.
VirtualBox snapshots are your friend. Compromise in the Workstation? Revert. New identity phase? Fresh VM from base image.
Browser Fingerprinting and Writing Style
Tor Browser normalizes a huge amount of the browser-level fingerprint — screen size, fonts, user agent, timezone. Using anything else to access your research identity erodes that. Don't check your pseudonym's forum with Chrome "just to see." You leak a fingerprint that sits next to your clearnet fingerprint forever.
More subtly, stylometry is real. Your sentence rhythm, punctuation choices, favorite words, and mistakes cluster together. Academic work on authorship attribution (see the JStylo / Anonymouth line of research) can distinguish authors with meaningful accuracy on samples as short as 5,000 words. Countermeasures: write short, avoid your idioms, don't reuse jokes, run drafts through a paraphraser only as a sanity check, and never paste content between identities.
Communications Hygiene and Lessons from Failures
Email: separate provider, separate password manager vault, accessed only from the separate VM. PGP keys never overlap. Signal or XMPP+OTR for real-time if needed, on separate phones or separate VMs.
The cautionary tales are worth reading carefully:
- Ross Ulbricht was linked to Silk Road partly because he used the same early-stage pseudonym ("altoid") across a Bitcoin forum and Stack Overflow, and partly because he asked a coding question on SO under his real name that mirrored work done on the market. A single account crossover was enough.
- Alexandre Cazes (AlphaBay) was found partly because his personal Hotmail address appeared in the welcome-email headers sent by the marketplace. One configuration mistake.
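The header leak in the second case is the kind of mistake a pre-send check can catch. The following is an added example, not part of the original article: a lint that scans every header and text part of an outbound message for strings belonging to the other identity. The addresses, hostnames, marker list and the `find_leaks` name are all constructed for illustration.

```python
import email
from email import policy

# Constructed sample: mail sent from the research identity by a client whose
# config still carries clearnet values. Every address here is made up.
SAMPLE = b"""\
From: Pseudonym <nyx@research.example>
To: contact@forum.example
Reply-To: jane.doe@corp.example
Subject: Re: sample request
Message-ID: <20240101.1234@janes-macbook.local>
Content-Type: text/plain; charset=utf-8

Thanks. Hashes are attached.
nyx
"""

# Strings that belong to the OTHER identity (assumed list, maintained by you).
CLEARNET_MARKERS = ["jane.doe", "corp.example", "janes-macbook"]


def find_leaks(raw, markers):
    """Return (location, marker) pairs for each marker found in any header
    or text body part of the raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaks = []
    # Check every header, not only From: Reply-To, Return-Path, Message-ID
    # and X-* headers are filled in by software rather than typed by you.
    for name, value in msg.items():
        for marker in markers:
            if marker.lower() in str(value).lower():
                leaks.append((f"header:{name}", marker))
    # Text parts catch signatures and quoted replies.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = part.get_content().lower()
            for marker in markers:
                if marker.lower() in text:
                    leaks.append(("body", marker))
    return leaks


if __name__ == "__main__":
    for where, marker in find_leaks(SAMPLE, CLEARNET_MARKERS):
        print(f"LEAK {where}: {marker}")
```

Run it against a message you have sent to yourself through the real mail path, since servers add headers that a local draft does not show.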
Identity separation is mostly about refusing small conveniences a thousand times. It's tedious. It's also the only thing that works. If you're not willing to be tedious about it, don't run the pseudonym — it's a liability pretending to be a shield.