Story

It has been nearly five years since Ruan Xiaohuan (https://en.wikipedia.org/wiki/Ruan_Xiaohuan) was arrested by Chinese authorities in May 2021. For those unfamiliar, he ran the legendary anonymous blog Program-Think (https://program-think.blogspot.com/) for over a decade.

What haunts me is that his identity was compromised despite his elite background. He was the chief engineer for the 2008 Beijing Olympics network security system. His OPSEC was rigorous: he operated on a cash-only basis, avoided all e-commerce, and never discussed his digital life with anyone, including his wife, who only learned of his "second life" after his disappearance.

Despite his expertise, it's still a mystery how his anonymous persona was deanonymized.

As a hacker in China, I’m interested in your thoughts on the feasibility of maintaining a truly anonymous identity long-term. Is it even possible to win a "battle" where you have to be perfect 100% of the time, while the adversary only needs to find one leak?

What are the most likely failure points in a high-level threat model like this?