You probably already know the basics of digital privacy: use a password manager, enable 2FA, don’t click weird links. It’s good advice for the average person. But what if you’re not average?

What if someone smart, well-resourced, and quietly obsessed decided you were worth breaking?

This guide isn’t about spam emails or ad tracking. It’s about targeted intrusion. When a capable attacker makes you their project. Maybe it’s a jealous ex, a political adversary, a stalker, a state actor, or a black-hat operator with a grudge and time to burn.

Let’s assume they’re technically competent, patient, and have a budget.

Let’s assume they want in. In to your accounts, your devices, your conversations, your life.

How would you know?

Most people aren’t targeted. But some are. Here are some signs you might be:

• You receive password reset emails you didn’t request.
• Your contacts report getting weird messages from you.
• Your phone battery is draining faster than normal.
• You get push MFA requests at strange times.
• Your camera or mic indicator flickers when you’re not using it.
• You notice unknown logins or new devices on your accounts.
• Your internet connection starts behaving strangely (slow, unstable, intermittent).
• You find Bluetooth or WiFi connections you don’t recognize.

Any one of these could be benign. But more than one, or recurring patterns? That’s a red flag. Trust your gut.

Threat modeling the problem

Here’s what a serious attacker might do.

Data harvesting

• Purchase breached credentials and personal data from dark web marketplaces.
• Scrape your public posts, comments, photos, metadata, and domain registrations.
• Map out your connections, habits, routines, and favorite coffee shop WiFi.

Device compromise

• Email you a poisoned PDF or doc with malware.
• Compromise a USB device or charger you trust.
• Hack your router or IoT devices to pivot into your network.

Account takeover

• Launch phishing attacks using lookalike domains or fake apps.
• Clone your login sessions via reverse proxy tools like Evilginx2.
• Abuse fallback systems: password resets, backup codes, recovery emails.
• Spam push notifications until you accept one without thinking.

Network surveillance

• Intercept traffic at your ISP, coffee shop, or shared office.
• Exploit DNS weaknesses to redirect you to false login portals.

Behavioral exploits

• Time your posts and responses to understand your sleep/work cycle.
• Harvest biometric patterns like typing cadence, voice ID from calls or videos.
• Track you using camera or microphone vulnerabilities.

Defense in Depth: Protecting yourself when you’re the target

Basic defense (everyone should do this)

1. Use a password manager

Install a trusted password manager like Bitwarden or 1Password. These tools remember your logins and generate long, unique passwords so you don’t have to. Never reuse passwords. If one gets leaked, it shouldn’t compromise anything else.

2. Enable TOTP-based MFA

Two-factor authentication is critical. Use an authenticator all like Aegis, Raivo, or Authy instead of SMS. Most online services support this under “Security” settings. Turn it on, scan a QR code, and store backup codes securely.

3. Use a hardware key

Hardware keys like YubiKey or SoloKey plug into your device and act as a physical second factor. Once registered with services like Google, ProtonMail, or GitHub, even a stolen password won’t be enough without the key.

4. Browse through a VPN

VPNs mask your IP address and prevent local networks (like coffee shops or hotels) from tracking you. Mullvad is recommended for its no-logs policy. Use the app, connect to a server, and browse normally.

5. Use secure DNS

DNS is like the internet’s phonebook. Use a private DNS provider like NextDNS or Control D to block trackers and malicious sites. You can change this in your device’s network settings.

6. Keep devices up to date

Turn on automatic updates for your operating system, browser, and apps. Updates often contain security fixes for real vulnerabilities that attackers use in the wild.

Intermediate defense (if you’re getting paranoid)

1. Segregate identities

Create different user accounts or browser profiles for different activities (work, personal, anonymous). Don’t log into your real email while pretending to be anonymous. For more separation, use different physical devices.

2. Harden your browser

Use Firefox with Multi-Account Containers to isolate sites into color-coded tabs. Or use Brave, which blocks ads and fingerprints by default. Add privacy extensions like uBlock Origin and Privacy Badger.

3. Isolate Andriod apps

Install the Shelter app (F-Droid) to create a work profile on your Android phone. Risky apps go there. They can’t access your contacts, SMS, or clipboard from the main profile.

4. Encrypt your system

If your device is lost or stolen, encryption keeps your files safe. macOS: enable FileVault. Windows: use BitLocker. Linux: install with full disk encryption (LUKS). use a strong passphrase, not just your laptop password.

5. Avoid biometric unlocking

Fingerprints and facial recognition are convenient, but if someone wants in badly enough, they can force you. Use a long password or PIN instead. You can disable biometrics in your system settings.

6. Minimize data sharing

Turn off sync features in browsers and apps that share history, clipboard, or passwords across devices. On Android, disable usage reporting. On iOS, limit ad tracking and Siri suggestions. Fewer features = fewer leaks.

Extreme defense (if you’re hunted)

1. Use a Live OS (Tails/Whonix)

Tails is a portable operating system that you can boot from a USB stick. It routes all traffic through Tor and leaves no trace on your computer. Download from tails.net, flash it to a USB using Balena Etcher, and boot into it when needed. Whonix is a privacy-focused Linux distro that runs in a virtual machine. It’s harder to set up, but great for persistent use.

2. Work on an airgapped system

Set up a laptop that’s never connected to the internet. You can transfer files using one-way USB drives (write-once or locked). Great for decrypting messages, opening suspicious files, or managing sensitive keys.

3. Deploy physical countermeasures

If you suspect physical tampering, use tamper-evident stickers on your laptop ports or screws. Store phones and laptops in Faraday bags to block wireless signals. Consider physical locks and alarms.

4. Self-host when possible

Run your own encrypted services isntead of relying on big tech. Examples: host your own Nextcloud for files and calendar, or use Standard Notes with local sync. Raspberry Pi or old laptops work fine as home servers.

5. Mask your voice and style

If you publish content or communicate with untrusted parties, use a voice changer or text-to-speech to avoid vocal identification. Vary your writing style (punctuation, grammar, tone) so stylometry tools can’t profile you. Running your own writing through a free AI with instructions to change the tone works well here.

6. Rotate and compartmentalize identities

Have distinct personas for different contexts (ex: activist, hobbyist, public-facing). Use separate browsers, emails, and even devices. Never mix data. Don’t email your real self from your pseudonymous identity.

7. Metadata hygiene

Before sharring any files (images, documents, videos), assume they’re leaking information. Strip metadata to avoid exposing location, timestamps, device info, and more.

What to do if you’ve already been attacked

Maybe you’re not just worried, but you know you’ve been compromised. Whether it’s one account, or your entire digital footprint, here’s how to take back control without making things worse.

1. Go offline

Disconnect from WiFi and unplug Ethernet. If you’re using a phone, switch on airplane mode. This prevents further exfiltration or remote access while you triage.

2. Use a clean device

Find a device you believe is uncompromised. Ideally, it’s one you’ve never used to log into any of your known accounts, like a friend’s computer or a newly-reset laptop. Avoid using your primary phone or computer until you’ve cleaned them.

3. Change critical passwords

Start with:

• Primary email(s)
• Password manager
• Banking/financial accounts

Use your clean device to change passwords. Enable 2FA with an authenticator app or hardware key if possible. Locate and use the “log out of everywhere” button. Don’t reuse passwords. Don’t save them in browsers.

4. Scan for malware

Run a malware scan on your primary device. Tools like Malwarebytes, Emsisoft, or Windows Defender are decent starts. Better yet, reinstall the operating system from trusted installation media for a clean restart.

5. Notify contacts

If your email or social accounts were compromised, let people know. Warn them not to click on strange messages from you. A short, calm heads-up helps prevent further damage.

6. Lock down recovery options

Audit all recover emails, backup codes, security questions, and trusted devices. Remove anything unfamiliar. Replace recovery addresses with ones not tied to your public identity.

7. Rebuild from a hardened baseline

Once you’ve contained the breach, start fresh with privacy and segmentation in mind:

• Reinstall your OS or move to a clean device
• Use different browsers/profiles for different roles
• Don’t sync logins, bookmarks, or history

If the compromise was severe, consider adopting some of the “Extreme defense” strategies in the previous section.

The human tradeoff

This level of caution comes at a cost:

• More friction.
• Less convenience.
• Constant mindfullness.

But if you’re being targeted - really targeted - that friction is your shield. If they want you, make them regret the effort.

You don’t need to be perfect. You just need to be expensive.