Operational Security for Bitcoiners
Your behavior matters as much as your technical setup.
Operational Security (OpSec) is about protecting sensitive information through careful behavior. The best hardware wallet in the world won't help if you tell everyone about your Bitcoin or fall for a phishing attack.
The Human Element
Most Bitcoin losses aren't from sophisticated hacks—they're from human error:
- Clicking phishing links
- Sharing too much information
- Trusting the wrong people
- Not verifying before acting
- Social engineering attacks
Your security is only as strong as your weakest moment.
Core OpSec Principles
1. Don't Talk About Your Holdings
The single most important OpSec rule: don't tell people you own Bitcoin.
Every person who knows is a potential:
- Social engineering vector
- Physical threat source
- Gossip chain starting point
What to avoid:
- Posting about Bitcoin on social media with your real identity
- Telling coworkers, acquaintances, or extended family
- Wearing Bitcoin merchandise
- Having Bitcoin stickers on your laptop/car
- Discussing specific amounts with anyone
What's acceptable:
- Discussing Bitcoin conceptually without revealing ownership
- Talking with close, trusted family who need to know (inheritance)
- Anonymous participation in Bitcoin communities
2. Verify Everything
Trust no one. Verify everything.
| Scenario | What to Verify |
|---|---|
| Receiving address | Confirm on hardware wallet screen |
| Software download | Check official website, verify signatures |
| Firmware update | Verify on manufacturer's website first |
| "Support" contact | Companies never DM you first |
| Investment opportunity | If it sounds too good, it's a scam |
Common verification failures:
- Trusting addresses shown only on computer screen
- Downloading wallet software from Google ads
- Responding to "support" messages on social media
- Clicking links in emails claiming to be from exchanges
3. Assume Compromise
Operate as if every device could be compromised:
- Your computer — Could have malware showing fake addresses
- Your phone — Could be SIM-swapped or have spyware
- Your email — Could be accessed by attackers
- Public WiFi — Could be monitored
- Cloud storage — Could be breached
Mitigations:
- Verify addresses on hardware wallet, not computer
- Use hardware security keys for important accounts
- Don't store seeds digitally anywhere
- Use a VPN on public networks
- Enable 2FA everywhere (preferably hardware-based)
4. Compartmentalize
Don't put all your eggs in one basket:
- Multiple wallets for different purposes
- Separate email for Bitcoin-related accounts
- Different identities for Bitcoin vs. personal life
- Geographic distribution of backups
- Multiple devices — dedicated Bitcoin computer if possible
5. Minimize Your Attack Surface
Every connection is a potential vulnerability:
- Fewer accounts = fewer breach points
- Fewer people who know = fewer social engineering vectors
- Fewer devices = fewer compromise points
- Less public presence = less targeting
Practical OpSec Checklist
Daily Habits
- Never discuss specific holdings
- Verify addresses on hardware device before sending
- Don't click links in emails—navigate directly to sites
- Use unique passwords for every account
- Be suspicious of unsolicited contact
Communication Security
- Use encrypted messaging (Signal) for sensitive discussions
- Don't discuss Bitcoin on SMS or regular email
- Be vague if asked about Bitcoin ownership
- Never share your seed phrase with anyone for any reason
Device Security
- Keep operating systems updated
- Use reputable antivirus/anti-malware
- Don't install unnecessary software
- Consider a dedicated Bitcoin-only device
- Use hardware security keys where possible
Account Security
- Enable 2FA on all accounts (hardware key > authenticator app > SMS)
- Use unique, strong passwords (password manager)
- Separate email for financial/Bitcoin accounts
- Monitor accounts for unauthorized access
- Use privacy-focused email provider
Social Engineering Awareness
Social engineering is manipulating people into giving up information or access. It's the most common attack vector.
Common Attacks
Phishing
- Fake emails/websites that look legitimate
- "Your account has been compromised, click here"
- Fake wallet software or browser extensions
Impersonation
- "Tech support" reaching out to help
- Someone claiming to be from your exchange
- "Moderators" in Telegram/Discord groups
Romance/Trust Scams
- Building relationship to eventually request funds
- "Investment opportunities" from new friends
- Fake job offers requiring Bitcoin transactions
Urgency/Fear
- "Act now or lose your funds"
- "Your account will be locked"
- Pressure to make quick decisions
Defense
- Slow down — Urgency is a red flag
- Verify independently — Don't use links provided; navigate directly
- Question everything — Why would they contact you?
- Never share seeds — No legitimate entity ever needs this
- Confirm through other channels — Call the company directly
OpSec for Different Threat Levels
Casual Holder
- Don't discuss holdings publicly
- Use hardware wallet
- Strong passwords + 2FA
- Basic verification habits
Serious Holder
- All of above, plus:
- Dedicated email for Bitcoin
- More careful about who knows
- Run your own node
- Consider VPN usage
High-Value Holder
- All of above, plus:
- Dedicated Bitcoin device
- Strict compartmentalization
- Geographic distribution
- Consider legal structures
- Professional security review
Red Flags Checklist
Immediate danger signs:
🚩 Anyone asking for your seed phrase 🚩 "Support" contacting you first 🚩 Urgency pressure ("act now!") 🚩 Requests for remote access 🚩 Investment opportunities that seem too good 🚩 Links in emails or DMs 🚩 Requests to "verify" your wallet 🚩 Anyone claiming they can "recover" lost Bitcoin
Summary
Good OpSec is about:
- Silence — Don't reveal you own Bitcoin
- Verification — Confirm everything independently
- Assumption — Treat all devices as potentially compromised
- Compartmentalization — Separate concerns and identities
- Minimization — Reduce your attack surface
- Skepticism — Question unsolicited contact
The technical security of Bitcoin is excellent. The weak point is always human behavior.
Related Guides
- Physical Security — Real-world threat protection
- Threat Model Assessment — What level do you need?
- Recovery Scam Warning — Common fraud tactics