
🔐 Introduction
Modern cyber threat intelligence often demands access to the darker corners of the internet—ransomware leak sites, illicit marketplaces, and criminal forums. These resources can contain early indicators of compromise (IOCs), adversary tooling, or chatter that points to impending attacks. But without proper operational security (OPSEC), analysts risk exposing themselves, their organizations, or even their personal machines.
This blog post explores a hardened setup using ProtonVPN on both the host and VM, plus Tor, to access the dark web securely. This layered design ensures your real IP remains hidden, activity is compartmentalized, and investigative work doesn’t bleed into your personal environment.
🧠 Why Layered Access Matters in Threat Intel
Tor alone is not enough. Combining ProtonVPN on your host with a second ProtonVPN instance inside a virtual machine, and launching Tor from within that VM, adds critical depth to your anonymity model. Here’s why this setup is ideal for analysts and researchers:
- ISP Obfuscation: ProtonVPN on your host encrypts all traffic, hiding Tor usage from your internet provider.
- IP Chain Separation: The Tor network sees only the IP address of the VM’s ProtonVPN connection.
- VM Isolation: Malware or scripts from shady .onion sites land in the VM, not on your host OS. A VM escape is still possible, so treat the VM as disposable rather than as a guarantee.
- Compartmentalized Environments: Each layer can be independently wiped, audited, or reset.
Real IP → ProtonVPN (Host) → Kali VM (or Ubuntu/Windows) → ProtonVPN (VM) → Tor Browser → .onion
🧰 Tools You’ll Need
- ProtonVPN account: Paid plan required for multi-device and multi-hop use
- Virtualization software: VirtualBox or VMware
- Guest OS: Kali Linux, Ubuntu, or Windows 10+ VM
- Tor Browser: Installed and run only inside the VM
🛠️ Full Setup: Step-by-Step
🔹 1. Configure ProtonVPN on Your Host (Linux or Windows)
- Download and install the ProtonVPN app from protonvpn.com.
- Enable the following settings:
- Kill Switch: Ensures no traffic leaks outside VPN
- Secure Core (optional): Routes traffic through hardened privacy jurisdictions
- Connect to a server in a location outside your country (e.g., Sweden or Iceland).
# Linux (host): public IP after the VPN connects. It must be the VPN server's address, not your ISP's.
curl https://ifconfig.me/ip
# Windows (PowerShell)
Invoke-RestMethod https://ifconfig.me/ip
🔹 2. Build and Harden Your Virtual Machine
This works with either a Linux VM (preferred) or a Windows VM. For Linux users, Kali and Ubuntu are easy to harden. For Windows users, extra firewall rules are recommended.
- Create a new VM (4GB RAM+, 2 vCPU+).
- Disable in VirtualBox: Shared clipboard, drag-drop, USB passthrough.
- Install your OS of choice:
- Linux: Kali, Ubuntu, or Whonix Workstation
- Windows: Windows 10 or 11 from an official Microsoft ISO. Turn telemetry down with Group Policy or the privacy settings rather than using a third-party "telemetry stripped" image: an unvetted image is a supply-chain risk on a machine you will deliberately point at hostile sites.
Linux VM Setup:
# Install the official ProtonVPN CLI. The package comes from Proton's own apt repository
# (set up per the instructions on protonvpn.com), not from the stock Kali/Ubuntu archives.
sudo apt update && sudo apt install -y protonvpn-cli
protonvpn-cli login <your-proton-username>
protonvpn-cli ks --on          # kill switch: drop all traffic if the tunnel goes down
protonvpn-cli connect --fastest
protonvpn-cli status           # confirm the tunnel is up before starting Tor
Windows VM Setup:
- Download and install ProtonVPN desktop client.
- Enable “Always-On VPN” and “Kill Switch” under Settings.
- Connect to a different country than the host VPN server.
# Windows VM: the VM's VPN egress IP. It must differ from the host's result.
Invoke-RestMethod https://ifconfig.me/ip
🔹 3. Launch Tor Browser Inside the VM
- Download from torproject.org only.
- Set Security Level to "Safest." This already disables JavaScript on every site, so no separate toggle is needed.
- Keep the browser window at its default size; Tor Browser letterboxes the viewport so a resized window does not become a fingerprint.
# Tor-safe IP check from inside the VM. Tor Browser listens on 9150 (9050 is the system tor daemon).
# --socks5-hostname hands the DNS lookup to Tor as well, so no resolver query leaves the VM outside the circuit.
curl --socks5-hostname 127.0.0.1:9150 https://check.torproject.org/api/ip
# Expect JSON with "IsTor":true and the exit node's address.
📜 IP Chain Validation Script (Linux + Windows)
Run the script once on the host (after ProtonVPN connects) and once inside the VM (after its own ProtonVPN connects). The two addresses must differ from each other, and neither may be the address your ISP assigns you. The Tor step only makes sense from inside the VM, with Tor Browser running.
Linux Script:
#!/bin/bash
# Steps [1] and [2] describe whichever layer you run this on; step [3] is for the VM only.
echo "[1] Public IP as seen from this layer:"
curl -s https://ifconfig.me/ip; echo
echo "[2] Resolver in use (should not be your ISP's; with systemd-resolved use 'resolvectl status'):"
grep -E '^nameserver' /etc/resolv.conf
echo "[3] Tor exit as seen through Tor Browser's SOCKS port (VM only):"
curl -s --socks5-hostname 127.0.0.1:9150 https://check.torproject.org/api/ip; echo
Windows PowerShell Alternative:
Write-Output "[1] Public IP as seen from this layer:"
Invoke-RestMethod https://ifconfig.me/ip
Write-Output "[2] Compare with the other layer's result; both must differ from your ISP address."
Write-Output "[3] From inside the VM, visit in Tor Browser:"
Write-Output "https://check.torproject.org/"
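The checks above are manual and leave the comparison to the reader. The script below is an added example, not code from the original post: run inside the VM, it fetches the VM's VPN egress address, asks check.torproject.org through Tor Browser's SOCKS port (assumed to be the default 9150), and then verifies that the real ISP address, the host VPN address, the VM VPN address and the Tor exit are four different addresses. The real IP and the host VPN IP are passed on the command line, because the VM cannot observe them itself. The TEST-NET addresses in the comments are constructed.

```bash
#!/usr/bin/env bash
# Added example: validate the Host VPN -> VM VPN -> Tor chain from inside the VM.
# Assumptions (not from the original post): Tor Browser is running in the VM, so its
# SOCKS port is 9150; the real IP and host VPN IP are supplied by the operator.
set -u

# Return 0 when the JSON from https://check.torproject.org/api/ip reports IsTor true.
tor_check_is_tor() {
  printf '%s' "$1" | grep -q '"IsTor" *: *true'
}

# Pull the "IP" field out of that JSON document.
tor_check_ip() {
  printf '%s' "$1" | sed -n 's/.*"IP" *: *"\([^"]*\)".*/\1/p'
}

# Rough IPv4 shape check, so a captive portal's HTML is never mistaken for an address.
looks_like_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# chain_ok REAL_IP HOST_VPN_IP VM_VPN_IP TOR_EXIT_IP
# Every layer must present a different address, and none may equal the real IP.
# e.g. chain_ok 203.0.113.10 198.51.100.7 192.0.2.44 192.0.2.99  -> 0 (constructed values)
chain_ok() {
  local real=$1 host=$2 vm=$3 tor=$4 ip
  for ip in "$host" "$vm" "$tor"; do
    looks_like_ipv4 "$ip" || return 1
    [ "$ip" != "$real" ] || return 1
  done
  [ "$host" != "$vm" ] || return 1
  [ "$vm" != "$tor" ] || return 1
  [ "$host" != "$tor" ] || return 1
  return 0
}

# Live run: queries the network from inside the VM. Only executed with --run.
main() {
  local real=$1 host=$2 vm tor_json tor_ip
  vm=$(curl -fsS --max-time 15 https://ifconfig.me/ip) || { echo "VM VPN check failed"; return 1; }
  # --socks5-hostname resolves the name through Tor instead of the VM's resolver.
  tor_json=$(curl -fsS --max-time 30 --socks5-hostname 127.0.0.1:9150 \
             https://check.torproject.org/api/ip) || { echo "Tor SOCKS port unreachable"; return 1; }
  tor_check_is_tor "$tor_json" || { echo "check.torproject.org says this is NOT Tor"; return 1; }
  tor_ip=$(tor_check_ip "$tor_json")
  if chain_ok "$real" "$host" "$vm" "$tor_ip"; then
    echo "OK: host=$host vm=$vm tor_exit=$tor_ip (real IP hidden at every layer)"
  else
    echo "FAIL: real=$real host=$host vm=$vm tor_exit=$tor_ip"
    return 1
  fi
}

if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

Invoke it as `./chain_check.sh --run <real-ip> <host-vpn-ip>` inside the VM. The parsing and comparison functions take their input as arguments, so they can be exercised offline; only `main` touches the network.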
🧯 Threat Intel Use Cases
- Monitor ransomware sites (e.g., LockBit, BlackBasta, ALPHV leak blogs)
- Collect IOCs (IP addresses, hashes, domains, malware family references)
- Track threat actor aliases across forums
- Observe data dumps (employee credentials, PII, confidential files)
- Correlate dark web findings with MITRE ATT&CK and threat feeds
Example: ProtonVPN (Host) → Windows VM → ProtonVPN → Tor Browser → .onion
🔐 OPSEC Tips for Analysts
🛡 Identity Separation
- Use unique aliases for each investigation campaign.
- Never reuse names, emails, or avatars across research cases.
- Leverage encrypted email (e.g., ProtonMail) for persona registration.
💻 System Hygiene
- Run your VM in full isolation mode. Disable clipboard, shared folders, and drag-drop.
- Use encrypted external drives for logging IOCs and screenshots.
- For Linux: Use LUKS encryption. For Windows: Use VeraCrypt containers.
📡 Network Security
- Always enable ProtonVPN kill switch and DNS leak prevention.
- For Linux, block all non-Tor traffic in the VM. The rules below assume the system tor service (user debian-tor) and that ProtonVPN's tunnel interface is proton0 (confirm with ip link); apply them after the VPN is connected, because the VPN client itself needs the uplink. Tor Browser bundles its own tor that runs as your login user, so either point Tor Browser at the system tor on port 9050 or substitute your own UID for debian-tor:
# Flush and default-deny outbound
sudo iptables -F
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -o lo -j ACCEPT
# tor may leave only through the VPN tunnel
sudo iptables -A OUTPUT -o proton0 -m owner --uid-owner debian-tor -j ACCEPT
# the VPN client still needs the physical uplink to reach its server (UDP transport);
# the ProtonVPN kill switch is what keeps that uplink from carrying anything else
sudo iptables -A OUTPUT -o eth0 -p udp -j ACCEPT
📁 Evidence Handling
- Never open files from .onion sites directly—use sandboxes (like Cuckoo or CAPEv2).
- Use exiftool to strip metadata from screenshots and logs.
- Keep a changelog of what was accessed, when, and for what purpose.
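The two habits above, stripping metadata and keeping a changelog, are easy to skip under time pressure, so it helps to make them one command. The helper below is an added example, not code from the original post: it hashes a collected file, writes a metadata-stripped copy with exiftool when that tool is installed, and appends a tab-separated chain-of-custody line (UTC time, case id, sha256, source, purpose, filename). The changelog layout, the `.clean` suffix and the case ids are this example's own assumptions; the sample file in the usage is constructed.

```bash
#!/usr/bin/env bash
# Added example: evidence intake for the investigation VM. Assumptions (not from the
# original post): a TSV changelog, a FILE.clean copy for the stripped version, and
# exiftool on PATH (skipped if absent). sha256sum, cut, date and grep are coreutils.
set -u

# sha256 of a file, hash only.
evidence_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# One changelog record: ISO-8601 UTC time, case id, sha256, source, purpose, filename.
# Tab-separated so a "|" or "," inside a source URL cannot break the row.
evidence_record() {
  local case_id=$1 sha=$2 source=$3 purpose=$4 file=$5
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$case_id" "$sha" "$source" "$purpose" "$(basename "$file")"
}

# evidence_intake LOG CASE_ID FILE SOURCE PURPOSE
# Appends the record to LOG, writes FILE.clean with all metadata removed when exiftool
# exists, and prints the sha256 so the caller can cross-check it later.
evidence_intake() {
  local log=$1 case_id=$2 file=$3 source=$4 purpose=$5 sha
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  sha=$(evidence_sha256 "$file")
  evidence_record "$case_id" "$sha" "$source" "$purpose" "$file" >> "$log"
  if command -v exiftool >/dev/null 2>&1; then
    # -all= drops every writable tag; -o writes a new file so the original stays untouched
    exiftool -q -all= -o "$file.clean" "$file" >/dev/null 2>&1 \
      || echo "exiftool could not process $file" >&2
  fi
  printf '%s\n' "$sha"
}

# evidence_verify LOG FILE
# Returns 0 when FILE still hashes to a value logged under its own name, 1 if it changed
# or was never logged.
evidence_verify() {
  local log=$1 file=$2 sha
  sha=$(evidence_sha256 "$file")
  grep -F -- "$sha" "$log" | grep -Fq -- "$(basename "$file")"
}

# Usage (constructed sample):
#   evidence_intake ~/case/changelog.tsv CASE-001 ~/case/leak_site.png \
#       "ransomware leak blog listing" "IOC collection"
#   evidence_verify ~/case/changelog.tsv ~/case/leak_site.png
```

Keep the changelog on the encrypted drive mentioned above, next to the originals; the `.clean` copies are what you paste into reports, the originals are what you hash.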
🧪 Bonus: Simulated Multi-Hop with ProtonVPN
While ProtonVPN doesn't allow manual chaining of servers inside the client UI, using one ProtonVPN server on the host and another inside the VM simulates a double-hop model. Bear in mind that both hops belong to the same provider, so this separates the host's egress address from the VM's rather than splitting trust across independent operators; Secure Core is Proton's own two-hop option if you want that inside a single client:
Host: ProtonVPN → Iceland
VM: ProtonVPN → Switzerland
Tor → Ransomware leak site
🎯 Final Thoughts
In threat intelligence, access to dark web infrastructure is sometimes unavoidable. But so is the risk. Using ProtonVPN across both host and VM environments with Tor browser inside that VM adds strong privacy controls and forensic containment. Whether you’re collecting ransomware IOCs, researching actor TTPs, or validating chatter, this setup allows for safe observation without sacrificing compartmentalization.
Don’t just peek into the shadows—study them safely.