Operational Security (OpSec)

15 min read · Guide 5 of 7

Practical steps to protect your crypto holdings from phishing, social engineering, and physical threats. Your keys are only as safe as your habits.

What is operational security (OpSec) in cryptocurrency?

What Is OpSec?

Operational security (OpSec) is the practice of protecting sensitive information by identifying vulnerabilities and eliminating them before an adversary can exploit them. Originally a military concept, OpSec has become essential for anyone holding significant value in cryptocurrency.

In crypto, OpSec spans three interconnected domains:

  • Digital security — protecting your devices, accounts, and online identity from hacking, malware, and phishing
  • Physical security — protecting your seed phrase backup, hardware wallet, and physical environment from theft, fire, and natural disaster
  • Social security — controlling what information you reveal about your holdings, habits, and identity to prevent targeted attacks

The question is not just "is my wallet secure?" but "who might want my keys, how might they attempt to get them, and what am I doing to make their job harder?"

Good OpSec is not about being paranoid — it is about being methodical. You systematically identify what you're protecting, who you're protecting it from, and what practical steps reduce your risk surface.

How do you build a threat model for crypto security?

Threat Modeling Basics

Before implementing security measures, you need to understand what you're protecting against. A threat model is a structured way of thinking about risk. Ask yourself:

  1. What am I protecting? — seed phrases, private keys, hardware wallets, account access
  2. Who might want to steal it? — hackers, scammers, criminals, insiders
  3. What methods would they use? — phishing, malware, physical theft, coercion
  4. What is the impact if they succeed? — total loss, partial loss, privacy breach
  5. What am I willing to invest in prevention? — time, money, convenience trade-offs

Common Threat Actors

  • Opportunistic hackers — automated scanning for weak passwords, exposed keys, and phishing victims. They cast a wide net and rely on volume.
  • Targeted attackers — individuals or groups who know (or suspect) you hold significant crypto. They invest time in reconnaissance and custom attacks.
  • Phishers and scammers — impersonating exchanges, wallet providers, or support staff to trick you into revealing credentials or seed phrases.
  • Physical attackers — may resort to coercion, extortion, or the "$5 wrench attack" (physical violence to force compliance). This is why you should never publicly disclose your holdings.
  • Insiders — family members, roommates, or colleagues who may have physical access to your backup material.
Practical Tip: Your threat model should be proportional to your holdings. Someone holding $500 in crypto faces different threats than someone holding $500,000. Scale your security measures accordingly — but build good habits from the start.

What digital security habits protect your cryptocurrency?

Digital Security Habits

Most crypto theft happens through digital attack vectors. Building strong habits here provides the highest return on security investment.

Authentication

  • Use a password manager to generate and store unique, random passwords for every account
  • Enable two-factor authentication (2FA) on every crypto-related account — exchange, email, cloud storage
  • Use hardware security keys (FIDO2/WebAuthn) instead of SMS or TOTP codes whenever possible — hardware keys are phishing-resistant
  • Never use SMS-based 2FA for high-value accounts — SIM-swap attacks can bypass it trivially

Device Security

  • Keep operating systems and wallet software up to date — security patches are released for a reason
  • Use full-disk encryption on all devices (FileVault on macOS, BitLocker on Windows, LUKS on Linux)
  • Avoid installing unnecessary software, browser extensions, or mobile apps — each is a potential attack surface
  • Use a dedicated browser profile (or separate browser) for crypto activities — isolated from your general browsing
Phishing Alert: No legitimate wallet, exchange, or support team will ever ask for your seed phrase, private key, or password. Anyone who asks for these is attempting to steal your funds. This rule has zero exceptions.

How do you physically secure your crypto assets and backups?

Physical Security Fundamentals

Your seed phrase backup is the most critical physical item in your crypto setup. If it is lost, stolen, or destroyed, your funds may be permanently inaccessible.

Storage Best Practices

  • Record your seed on a durable medium — stamped or engraved metal plates resist fire (up to 1,500°C), water, and corrosion far better than paper
  • Store in a fireproof, waterproof safe that you control
  • Maintain geographically separated copies to protect against localized disasters (fire, flood, earthquake)
  • Consider a safety deposit box or trusted second location for one backup copy
  • If using a BIP39 passphrase, store it separately from the seed phrase — an attacker who finds both can access your funds
Never Do This: Never store a photo of your seed phrase on your phone. Never put it in cloud storage (iCloud, Google Drive, Dropbox). Never type it into any website. Never email or message it to anyone. Every digital copy is a permanent liability.

Hardware Wallet Physical Security

  • Store your hardware wallet in a location separate from your seed backup (so a single burglary doesn't compromise both)
  • Use the device PIN to protect against casual physical access
  • Enable the auto-wipe feature (if available) that erases the device after a set number of incorrect PIN attempts
  • Check packaging integrity when receiving a new device — look for signs of tampering, broken seals, or pre-initialized state

How do you defend against social engineering and phishing attacks?

Social Engineering Defense

Social engineering is the manipulation of people to divulge confidential information or perform actions that compromise security. In crypto, it is one of the most effective and common attack vectors.

Key Rules

  • Never disclose your holdings publicly — on social media, forums, in-person conversations, or anywhere that could reach an attacker. You become a target the moment someone knows you have significant crypto.
  • Verify before trusting — always independently verify the identity of anyone requesting sensitive information. Don't trust caller ID, email addresses, or display names.
  • Be skeptical of urgency — scammers create artificial time pressure ("your account is compromised, act now!") to bypass your critical thinking.
  • Never share your screen during wallet operations, and never allow "remote support" to access your device.

Common Social Engineering Tactics

  • Impersonation — pretending to be exchange support, wallet developers, or government officials
  • Fake giveaways — "send 0.1 BTC, receive 1.0 BTC back" scams are ubiquitous and always fraudulent
  • Compromised accounts — a friend's hacked social media sends you a malicious link or seed phrase request
  • Fake wallet apps — cloned apps in app stores that look identical to legitimate wallets but steal your keys

The best defense against social engineering is a simple rule: if anyone asks for your seed phrase, private key, or password for any reason whatsoever, the answer is always "no."

How do you verify wallet software and defend against phishing?

Software Verification & Phishing Defense

Before you even plug in your hardware wallet, the software you use to interact with it must be authentic and uncompromised. Fake wallet software is one of the most common and effective attack vectors in crypto theft.

Download Only From Verified Official Sources

Applications like Trezor Suite, Ledger Live, Sparrow Wallet, or Electrum must only be downloaded from the manufacturer's or developer's official website. Verify the source every time:

  • Type the URL manually or use a bookmarked link — never click download links from emails, social media, search ads, or messaging apps
  • Check the domain carefully — attackers register lookalike domains (e.g., trezor.io vs. trez0r.io, ledger.com vs. 1edger.com)
  • Look for HTTPS and verify the certificate — though note that attackers can also obtain valid HTTPS certificates for fraudulent domains
  • Cross-reference the download URL against multiple independent sources (GitHub repository, official documentation, manufacturer's social media)

Verify Checksums and Digital Signatures

After downloading, verify that the file has not been tampered with:

  • SHA-256 checksum — compute the hash of the downloaded file and compare it character-by-character against the checksum published on the developer's signed release page
  • GPG signature verification — import the developer's public GPG key and verify the release signature. This proves the file was produced by someone who holds the corresponding private key.
  • Do not skip this step — a compromised download mirror could serve a modified binary that looks identical but contains a backdoor
Verification Commands: On most systems, run sha256sum filename (Linux), shasum -a 256 filename (macOS), or Get-FileHash filename (Windows PowerShell), then compare the output against the official checksum.

Phishing, Fake Sites, and Interface Spoofing

Phishing is the most common method of stealing crypto. Attackers create pixel-perfect replicas of wallet interfaces, exchange login pages, and support portals to trick users into entering their credentials or seed phrases.

Common attack vectors:

  • Search engine ads — paid ads for "Trezor Suite download" or "MetaMask extension" that link to malicious clones
  • Homograph attacks — domains using Unicode characters that visually resemble legitimate URLs (e.g., using Cyrillic "a" instead of Latin "a")
  • Browser extension impersonation — fake wallet extensions in app stores that mimic the real extension's name, icon, and interface
  • Fake firmware update prompts — emails or pop-ups claiming your device needs an urgent update, directing you to a malicious download
  • Social media impersonation — fake accounts posing as official support, directing users to phishing sites in DMs
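A defender-side check for the lookalike and homograph domains described in this section, added here as an example (it is not code from any wallet vendor). The allowlist, the small confusables map and the function names are assumptions; the sample hosts come from the guide's own examples or are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: your own allowlist of bookmarked official domains.
# These two are the legitimate domains named in this guide.
TRUSTED_DOMAINS = {"trezor.io", "ledger.com"}

# Deliberately small look-alike map (assumption); real confusable tables
# such as Unicode TS #39 cover thousands of characters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",   # Cyrillic er, es, i
})


def to_unicode_host(host):
    """Decode punycode (xn--) labels so the real characters can be inspected."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep it raw, it will not match
        labels.append(label)
    return ".".join(labels)


def skeleton(name):
    """Fold a host name to the form a hurried reader would perceive."""
    return unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)


def classify(url):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain)."""
    # urlsplit only finds the host when a '//' authority marker is present.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = to_unicode_host(host.rstrip("."))

    # Exact match, or a genuine subdomain, of an allowlisted domain.
    for good in TRUSTED_DOMAINS:
        if host == good or host.endswith("." + good):
            return ("trusted", good)

    folded = skeleton(host)
    for good in sorted(TRUSTED_DOMAINS):
        target = skeleton(good)
        depth = target.count(".") + 1
        tail = ".".join(folded.split(".")[-depth:])
        # Same appearance, different characters: trez0r.io, 1edger.com, Cyrillic.
        if tail == target:
            return ("lookalike", good)
        # Trusted name used as a leading label: ledger.com.wallet-update.example
        if "." + target + "." in "." + folded + ".":
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs, built from the lookalikes named in the guide.
    for sample in ["https://trezor.io/", "https://trez0r.io/",
                   "http://1edger.com/start", "https://l\u0435dger.com/"]:
        print(sample.encode("unicode_escape").decode(), classify(sample))
```

An "unknown" verdict is not an approval: only "trusted" means the host matched the allowlist exactly.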

Why an Infected Computer Makes Even Hardware Wallets Dangerous

A hardware wallet protects your private keys — but it does not protect against manipulation of what you see on your computer screen. On a compromised computer:

  • Address replacement — malware can silently swap the recipient address displayed in your wallet software. You think you're sending to your exchange, but the address has been replaced with the attacker's.
  • Amount manipulation — the displayed amount and the actual transaction amount could differ
  • Fake confirmation screens — malware can overlay a fake "transaction confirmed" message while the real transaction failed or went elsewhere

This is why you must always verify the recipient address and amount on your hardware wallet's trusted display before confirming. The hardware wallet's screen is the only display you can trust.

Critical Habit: Always compare the address shown on your computer with the address shown on your hardware wallet's screen. Check at least the first 6 and last 6 characters. If they differ, your computer is compromised — do not confirm the transaction.

Behavioral Errors: Laziness, Haste, and Misplaced Trust

Most security breaches are not caused by sophisticated attacks but by human behavior:

  • Laziness — skipping checksum verification, reusing passwords, not updating firmware because "it still works"
  • Haste — confirming transactions without verifying addresses, rushing through wallet setup, skipping backup verification
  • Misplaced trust — trusting a link from a "friend" without verification, trusting a website because it looks professional, trusting someone who claims to be support staff
  • Ignoring warning signs — dismissing unexpected prompts, ignoring browser security warnings, overlooking unusual behavior from your device or software
  • Normalization of risk — "I've done it this way for years and nothing happened" — past luck does not guarantee future safety

Security is a habit, not an event. The moment you start cutting corners because nothing bad has happened yet is the moment you become most vulnerable.

What is the correct process for setting up a hardware wallet?

Hardware Wallet Setup Checklist

Use this checklist every time you set up a new hardware wallet. Each step exists for a specific security reason — skipping any of them creates a gap that an attacker can exploit.

  1. Purchase directly from the manufacturer's official website — never from Amazon, eBay, or any third-party seller
  2. Inspect the packaging upon arrival — check for signs of tampering: broken seals, replaced shrink wrap, re-glued stickers, scratches on the device
  3. Verify the device initializes as new — the device should have no pre-configured PIN, no existing seed phrase, and no pre-installed accounts. If it arrives pre-initialized, it has been tampered with.
  4. Download the companion software from the official source — type the URL manually, verify the download checksum
  5. Update firmware before generating a seed — install the latest firmware to ensure all known vulnerabilities are patched
  6. Run the manufacturer's authenticity check — most modern hardware wallets include a cryptographic attestation that verifies the device is genuine
  7. Generate the seed phrase in a private environment — no cameras, no other people watching, no screen recording or screen sharing active
  8. Write down the seed phrase on paper or stamp it on metal immediately — never type it into any device, never take a photo
  9. Verify the seed backup — most devices offer a "check recovery phrase" feature. Use it to confirm every word was recorded correctly.
  10. Set a strong PIN — at least 6 digits, not a common pattern (not 123456, not your birthday)
  11. Send a small test transaction — send a tiny amount to the wallet, then send it back. Confirm the full round trip works before loading significant funds.
  12. Perform a full recovery test on a separate device (optional but recommended) — reset a second device or use a software wallet to restore from the seed phrase and verify the same addresses appear
  13. Store the seed backup in a secure, separate location — not in the same room as the hardware wallet
If Anything Seems Wrong: If the device arrives pre-initialized, if the packaging looks tampered with, or if the firmware version is unexpectedly old — do not use it. Contact the manufacturer and request a replacement. A compromised device is worse than no device.

How should you store seed phrases and manage crypto funds securely?

Seed Phrase Storage & Fund Management Checklist

This checklist covers the ongoing security practices for managing your seed phrase backup and your crypto funds. These are not one-time actions — they are habits to maintain as long as you hold crypto.

Seed Phrase Storage

  1. Store on durable physical media only — stamped or engraved metal plates (steel, titanium) are the gold standard. Paper degrades from water, fire, humidity, and time.
  2. Zero digital copies — no photos, no screenshots, no text files, no notes apps, no password managers, no cloud storage. No exceptions.
  3. Geographically separate backups — maintain at least two physical copies in different secure locations (home safe + safety deposit box, or two different trusted locations)
  4. Store the seed separately from the hardware wallet — if both are in the same place, a single theft or disaster compromises everything
  5. If using a BIP39 passphrase, store it separately from the seed — an attacker who finds both can access your hidden wallets
  6. Test your backup at least once a year — restore the seed on a separate device and verify the derived addresses match your known addresses
  7. Create inheritance documentation — a sealed letter of instruction stored with your will, explaining where backups are and how to use them

Fund Management

  1. Never keep all assets in a single wallet — distribute across multiple seeds and storage schemes proportional to your holdings
  2. Always verify the recipient address on the hardware wallet's screen before confirming — check first 6 and last 6 characters at minimum
  3. Send a small test transaction before large transfers — confirm receipt before sending the full amount
  4. Keep firmware up to date — install updates promptly, but only from the official manufacturer's source
  5. Use a fresh receiving address for every transaction — address reuse degrades privacy and enables tracking
  6. Never share your screen during wallet operations — not with "support," not with friends, not on a video call
  7. Be suspicious of urgency — any message pressuring you to act immediately on your crypto is almost certainly a scam
  8. Review your security setup periodically — as your holdings grow, your security should scale. What was sufficient for $1,000 may not be sufficient for $100,000.
Security Scales With Value: A $500 portfolio can be reasonably secured with a single hardware wallet and a paper seed backup. A $50,000+ portfolio should have metal backups, geographic distribution, and ideally a multi-sig or passphrase setup. A $500,000+ portfolio warrants multi-sig, multi-vendor hardware, distributed geographic custody, and formal inheritance planning.

How do you minimize your digital footprint for crypto privacy?

Digital Footprint Minimization

Every piece of public information about your crypto holdings increases your attack surface. Advanced OpSec involves systematically reducing the data trail that connects your identity to your funds.

Identity Segregation

  • Use separate email addresses for crypto accounts, never linked to your real name or primary email
  • Use unique usernames for crypto-related forums and social media — never reuse identifiers from your personal accounts
  • Consider privacy-focused email providers that don't require phone verification or personal information
  • Use a VPN or Tor for crypto-related browsing to prevent IP-based correlation

Transaction Privacy

  • Never reuse Bitcoin addresses — use a fresh address for each receive
  • Be aware of chain analysis — blockchain transactions are public, and companies specialize in linking addresses to identities
  • Use CoinJoin or similar privacy-enhancing techniques for Bitcoin transactions when privacy is critical
  • Avoid moving funds between KYC-linked exchange addresses and privacy-focused wallets in easily traceable patterns
Pro Tip: For high-value setups, use a dedicated device (phone or laptop) exclusively for crypto operations. This device should never browse the general web, access social media, or install non-essential software. Treat it as a purpose-built secure terminal.

What is a key ceremony and how do you perform one?

Key Ceremony Procedures

A key ceremony is a deliberate, documented process for generating and storing cryptographic keys. For high-value setups, this should be treated as a formal procedure with defined steps and verification checkpoints.

Single-Sig Key Ceremony

  1. Prepare a dedicated offline device (freshly installed OS or verified hardware wallet firmware)
  2. Verify wallet software integrity — check the binary hash against the developer's signed release, verify GPG signatures
  3. Conduct generation in a private, camera-free location
  4. Generate the seed phrase and immediately create physical backups on durable media (metal plates)
  5. Verify the backup — restore from the written seed on a separate device and confirm the first few addresses match
  6. Store backups in separate secure locations before bringing any device online
  7. Document the procedure (without recording the seed) for future reference and inheritance planning

Multi-Sig Key Ceremony

Multi-sig ceremonies are more complex because each key must be generated independently:

  • Each key should be generated on a different device, ideally from a different manufacturer
  • Key generation should happen in different physical locations and ideally by different individuals
  • The wallet descriptor file (containing all xpubs and the quorum policy) must be backed up alongside each seed
  • Test the multi-sig setup by sending a small amount and completing a full spend before committing significant funds

A key ceremony is an investment of time that pays dividends in security confidence. Rushing the process or cutting corners during key generation is where most catastrophic errors originate.

How do you build a multi-layer defense strategy for crypto?

Multi-Layer Defense Strategy

Defense in depth applies multiple independent security layers so an attacker must compromise all of them — and failure of any single layer does not result in total loss.

Security Layer Stack

  • Layer 1 — Device security: Full-disk encryption, biometric unlock, locked BIOS/firmware, secure boot chain
  • Layer 2 — Authentication: Strong unique passwords, FIDO2 hardware keys, app-specific 2FA
  • Layer 3 — Isolated signing: Hardware wallet or air-gapped device — private keys never on a networked machine
  • Layer 4 — Backup security: Metal seed plates in geographically separated, access-controlled locations
  • Layer 5 — Passphrase layer: A BIP39 passphrase (25th word) means the seed alone is insufficient to access funds
  • Layer 6 — Social layer: Minimizing knowledge of your holdings, using decoy wallets, maintaining a low profile

Plausible Deniability

A BIP39 passphrase enables the creation of decoy wallets through plausible deniability. Your base seed phrase (without passphrase) can lead to a wallet with a small, plausible balance. Your actual holdings exist on a different derivation created by the passphrase. Under coercion, you can reveal the base seed phrase while keeping the passphrase-protected wallet hidden.
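Why the seed phrase alone is insufficient once a passphrase is set, shown as an added example (not code from any wallet project): BIP39 mixes the passphrase into the PBKDF2 salt, so each passphrase yields a different BIP32 master key. The mnemonic is the public BIP39 test vector; the function names and the lower-case passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector mnemonic, known to everyone: never fund it.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase."""
    def nfkd(text):
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", nfkd(mnemonic), b"mnemonic" + nfkd(passphrase), 2048, dklen=64)


def bip32_master(seed):
    """BIP32: split HMAC-SHA512('Bitcoin seed', seed) into key and chain code."""
    block = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return block[:32], block[32:]


def wallets_for(mnemonic, passphrases):
    """Map each candidate passphrase to the master private key it unlocks.

    Every passphrase, including a mistyped one, yields a valid wallet: there
    is no 'wrong passphrase' error, only a different (usually empty) wallet.
    """
    return {p: bip32_master(bip39_seed(mnemonic, p))[0].hex() for p in passphrases}


if __name__ == "__main__":
    # "" is the base wallet; "TREZOR" is the test-vector passphrase;
    # "trezor" is constructed to show that case matters.
    for phrase, key in wallets_for(TEST_MNEMONIC, ["", "TREZOR", "trezor"]).items():
        print(repr(phrase), "->", key[:16] + "...")
```

Because nothing signals a mistyped passphrase, the passphrase backup needs the same recovery test as the seed backup.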

Duress Planning: For high-value holders, having a convincing decoy wallet with a moderate balance is a practical countermeasure against physical coercion. The attacker sees a legitimate wallet and has no way to prove additional funds exist elsewhere.

How do you set up crypto inheritance and dead man's switches?

Inheritance and Dead Man's Switch

Self-custody means your heirs cannot simply call a bank or exchange to claim assets. Without explicit planning, your crypto holdings could be permanently lost upon your incapacitation or death.

Inheritance Planning Approaches

  • Letter of instruction — a sealed document stored with your will that explains your setup, the location of seed backups, and step-by-step recovery instructions. Written for a technically competent executor.
  • Multi-sig inheritance — in a 2-of-3 setup, one key is held by a trusted family member, one by a lawyer, and one by yourself. Upon your death, the family member and lawyer can cooperate to access funds.
  • Shamir's Secret Sharing — SLIP39 shares distributed to multiple heirs/trustees. A threshold of shares can reconstruct the seed after a documented triggering event.
  • Timelock contracts — on-chain contracts that release funds to a specified address after a certain block height or time, unless periodically "refreshed" by the owner (a dead man's switch).
Critical: Test your inheritance plan. Have your designated executor (or a trusted proxy) perform a complete mock recovery using your documentation. If they cannot follow the instructions successfully, your heirs will not be able to access the funds when it matters.

How do you verify wallet software and minimize trust?

Verification and Trust Minimization

A core principle of crypto security: don't trust, verify. Every piece of software, hardware, and information should be independently verified before you trust it with your keys.

Software Verification

  • Download from official sources only — use the project's official website or verified GitHub repository, never third-party mirrors or app store clones
  • Verify checksums — compare the SHA-256 hash of downloaded files against the publisher's signed release notes
  • Verify GPG signatures — confirm the release was signed by the expected developer key
  • Reproducible builds — for critical software, check if the project supports reproducible builds, allowing you to compile from source and verify it matches the distributed binary
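The checksum and signature checks listed here and under "Verify Checksums and Digital Signatures" earlier in the guide, combined into one added example (not code from any wallet project). It accepts a download only if the manifest lists it with a matching SHA-256 and gpg reports a valid signature from a pinned fingerprint; the file names, the fingerprint and the status text are constructed, and the function names are assumptions.

```python
import hashlib
import hmac
import re
import subprocess

# Constructed fingerprint and gpg status output, for illustration only.
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
CONSTRUCTED_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key\n"
    "[GNUPG:] VALIDSIG " + PINNED + " 2024-01-01 1704067200 0 4 0 1 10 00 "
    + PINNED + "\n"
)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  name' or '<64 hex> *name'."""
    entries = {}
    for line in text.splitlines():
        match = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line.strip())
        if match:
            entries[match.group(2)] = match.group(1).lower()
    return entries


def download_matches(path, name, manifest_text):
    """True only if the manifest lists `name` and the file's hash equals it."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # a file the manifest does not list is never accepted
    return hmac.compare_digest(sha256_file(path), expected)


def gpg_status(manifest_path, signature_path):
    """Run gpg on a detached signature and return its machine-readable status."""
    result = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, manifest_path],
        capture_output=True, text=True)
    return result.stdout


def signed_by(status_text, pinned_fingerprint):
    """True only if gpg reported VALIDSIG from the pinned key.

    GOODSIG alone is not enough: it only says some key in the keyring signed
    the file, not that it was the developer key you expected.
    """
    pinned = pinned_fingerprint.replace(" ", "").upper()
    for line in status_text.splitlines():
        fields = line.split()
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) >= 3:
            # fields[2] is the signing (sub)key, the last field the primary key
            if pinned in (fields[2].upper(), fields[-1].upper()):
                return True
    return False

# Order of checks: signed_by(gpg_status(manifest, signature), pinned) first,
# then download_matches(installer, name, manifest_text) on the same manifest.
```

The pinned fingerprint should come from a source independent of the download page, for the same reason the guide says to cross-reference the download URL.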

Address Verification

  • Always verify the full address before sending — clipboard malware can silently replace the copied address with an attacker's address
  • Use your hardware wallet's trusted display to confirm the address, not just the computer screen
  • For large transfers, send a small test amount first and confirm receipt before sending the full amount
Verification Habit: Make address verification a non-negotiable step in every transaction. Check at least the first 6 and last 6 characters of the address on both your computer screen and your hardware wallet display. This catches both clipboard malware and display-level attacks.
