Hi mchain,
You are right, just remember what happened to the clean-mx repositories,
this because they came under continuous (DDoS & other) attack,
you can now only query their repositories when registered and through an account.
Through beacons responding to them, bad guys will find out where the good guys (researchers, anti-malware folks) are,
and often will be able to identify them, even when researchers visit anonymously (via Tails, Tor, VPN, proxy, Whonix, Pi-hole etc.).
That is why miscreants are spreading so many documents around, because these documents (PDF etc.),
when opened up, call back home to the cybercriminal base and tell about you, maybe your printer info, etc.
This all makes it easier for the bad folks to identify you, when you aren’t in their darkweb familiar circle,
you are standing out like a shining angel of sorts.
You even have to alter your wordings and comment style, the linguistics that sets you out to them,
so many ways that prevent you from going under the radar of cybercrime & Co.
This because they want to do their ill deeds silently and privately and not hindered,
still they, the bad guys, now also switch to one on one contacts on hardened encrypted messengers.
It is much more secure for them than being on the dark web,
where loads of servers are being brought down now every now and again.
They even use AI now to hunt us good guys down.
Keeping the Interwebz a bit more secure isn’t an easy task these days, not by far it is.
polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)