Tor is relatively safer for users, much less safe for hidden services. An attacker can easily link users to the sites they are visiting, but he will only identify a small random sample of users. To get most users or a specific user costs a lot of money and may take a long time (on the order of months). It's not worth doing for most Tor users. It's notable that LE served an application layer exploit to FH visitors, which means they weren't performing network layer attacks to identify them.

You'd think it would be, although I haven't heard of anyone getting arrested after cashing out bitcoins. I guess there will be a first time for that eventually. The best way to do it is to have trusted associates that want to cash in and trade with them; that way the coins never touch an exchange. The second best way would be to sell coins for cash on an OTC market, but that's not feasible for large amounts.

Dropping off packages isn't as risky as picking them up. This is by far the biggest risk for buyers. Vendors should change drop locations and packaging methods often to avoid getting profiled, and never bring a mobile phone when mailing packages (so your travel patterns are not recorded. Even without GPS, your location can be triangulated from phone towers fairly accurately. This becomes a risk if a seized package can be identified as coming from a specific drop location).

Certainly there's a risk of revealing too much info in messages, but that's what PGP is for.

For buyers it's receiving packages in the mail. For vendors it's unclear. To my knowledge, no SR vendor has been busted through an attack on Tor or an investigation of SR. The vendors I've heard about were busted either because they were receiving drugs in the mail themselves, or through IRL dealing.