3.8 Operational Security: Staying Off the Target List

Most Bitcoin thefts don't involve cracking cryptography — they involve tricking, threatening, or social-engineering the person who holds the keys. Good operational security ('opsec') is about not being an easy target.

Rules of the road:

• Don't brag. Posting your portfolio online, telling friends at parties, or even casually mentioning amounts can put you on a target list. Wealthy Bitcoin holders have been kidnapped because of public disclosures.

• Treat KYC exchanges as leak risks. Every exchange that knows your real name and balance has been hacked at some point in history. Withdraw to self-custody promptly and don't leave large balances on any platform.

• Use strong, unique passphrases on each wallet. A 'plausible deniability' setup — a decoy wallet with a small balance accessible without your passphrase — can save your life under physical coercion, since you have something real to hand over.

• Verify, then verify again. Always confirm a receive address on your hardware wallet's screen, not just on the computer. Always check a Lightning invoice's amount before paying.

• Beware of phishing. Scammers send fake 'firmware updates', 'wallet recovery' emails, and DMs from people impersonating support staff. Real wallet companies will never DM you asking for your seed. There is literally no situation where you should ever type your seed phrase to verify anything.

• If anyone — anyone — asks for your 12 or 24 words, the answer is no. There is no legitimate reason. Tax authorities don't need it. Customer support doesn't need it. Your wallet app doesn't need it.

Privacy is the other half of opsec: combine self-custody with running your own node, using Tor, and avoiding address reuse, and you become a much harder target than the average user.