Bitcoin OPSEC is Crucial

The first rule is you do not talk about fight club. The second rule is you do not talk about fight club. What is OPSEC? OPSEC stands for Operational Security. This is a military term that is often used in bitcoin and throughout information security. It is a process that is used to protect the identity, security, and information of individuals. There are differing opinions as to what constitutes proper OPSEC; however, this information can be used to gain a better idea of the different areas to think about and apply. There are always exceptions to every rule. Everyone has a different threat model based on their own risk assessments, and determines what they are comfortable sharing with the world both in public and in private. Growing up on the internet, I have been exposed to the importance of this topic and how it can have real world implications if not taken seriously. In the past, we used to write “AFK,” or away from keyboard, when we were not at our terminals, but the internet has since become so intertwined with everyone’s lives that this term no longer applies. If someone does not reply back to your message, they are essentially ignoring you. Everyone is connected 24/7/365. There is no more divide between the internet and the real world; it is all the real world.

Actions that occur online have the nasty habit of following you around in the physical world, and are hard if not impossible to remediate afterwards. Coming from a message board background where pseudonymity was the norm rather than the exception, I quickly learned the value that this option provided towards long term consequences. Users could freely speak their minds without fear of having these posts come back to haunt them in the future tied to their government-issued identities. Adolescents that grew up on social media tied to their full identities have had their immature thoughts stored forever on the internet with a quick internet search. This also comes back to improper guidance and parenting with the lack of knowledge about how the internet worked, and why internet privacy and discretion are so important. While some individuals prefer full anonymity such as on popular message boards where everyone has the same name or to purely lurk without contributing behind any specific account and staying off social media entirely, mediums such as Twitter offer pseudonymous capabilities where users can post behind relatively private usernames that are not tied directly to their real identities.

Humans are ultimately social creatures, and building relationships with others is a core function of what it means to be alive, but this must be balanced against the risks of potentially oversharing private information that may unexpectedly put us in harm’s way. It can get lonely when humans have no one to talk to, and if you are deep down the rabbit hole of bitcoin, not discussing it seems like an impossibility. Relationships are able to form through pseudonymity, especially in the bitcoin culture. I have many friends on bitcoin Twitter that I have never met physically, who I relate to better than virtually anyone that I know in real life. In an increasingly trust minimized world, establishing and maintaining trust becomes much more important. It takes a lifetime to build trust and a reputation, and only an instant to lose it forever. Proper vetting of the individuals in our lives has never been more crucial to thriving in the information age. There must be a balance struck between building and maintaining proper OPSEC with living our lives.

With the recent charitable donations from around the world to a very fortunate Latin American bitcoiner, Atlas, turning him into a wholecoiner, it occurred to me that this topic may not be discussed as thoroughly related to how important it is, especially for newly minted bitcoiners. It also illustrates how much wealth inequality exists between western and third world countries, and how privileged the majority of bitcoiners are simply by having been born in the first world, especially having the privilege of natively using the world reserve currency and the English language. A lot of the world lives in such poor conditions that are unimaginable to most westerners, so it is important to understand that their perspective on life and the daily struggle is different, and money can sometimes make humans do very dark things. Life is cheap in the third world, and it is not unreasonable to understand that owning a lot of bitcoin when others around you are struggling just to survive puts a target on you. Atlas did not need to be warned of the security risk involved with hodling this new found wealth, and inherently knew that people would kill over far lesser amounts. There is a reason why there are iron bars on windows in the third world and nice neighborhoods are in gated communities. What seems unfathomable to a privileged westerner is just the daily reality to a third world citizen.

I have traveled throughout the third world and the poverty is eye opening. I just got back from a country where Caucasians are targeted for kidnappings by unregulated taxi cabs, and contract killers perform hits for as little as $200. I clearly did not talk about bitcoin once to anyone; I was already a big enough target without exposing that information. While westerners are comparing each other’s stacks and entry dates with envy, we do not realize just how good we have it relative to the rest of the world. Just by reading this article you are inherently plugged in as an early adopter tuned into the right signal. What may seem like a relatively small amount of bitcoin now will be a life changing amount in the near future. As Marty Bent has popularized, we are trying to build wealth for seven generations, so all of our actions should be in line with this mentality. This includes proper OPSEC. You cannot build for seven generations if the first generation gets wiped out of the gene pool. While there is a much better functioning justice system in the first world with less corruption, the current economic times surrounding COVID19 and the failing legacy financial system are unprecedented, and the probability of civil unrest and increased tension between social classes appears to be increasing. It is starting to feel like Mr. Robot where the “eat the rich” mentality is becoming much more popular, as well as all out socialism and communism that previous generations gave their lives to protect us against. It seems like a timely opportunity to write an article on this topic.

Bitcoin is a true bearer asset. No central authority can control it and overturn any potential losses due to theft, hacking, malware, wrench attacks, negligence, extortion, blackmail, or other various threats. Whoever controls the private keys owns that bitcoin, and no one can do anything about it. This is a feature, not a bug. Bitcoin is not a new idea, and it is the result of the continued efforts of the cypherpunks. Cypherpunks understand OPSEC inherently, as they helped build this culture. Using pseudonyms, encryption, and not over-sharing are core ethos of these pioneers. If you have not yet already read “The Crypto Anarchist Manifesto” by Timothy C. May, I strongly urge you to do so. While digital cash was always a goal of the cypherpunks, the early attempts failed due to requiring a central authority to make the systems work, which the governments were able to take down. Bitcoin is the first digital cash that succeeded, because Satoshi was able to fix the double spend problem in a decentralized fashion, and now the world has a way out of government totalitarianism. While the early innovations of cypherpunks such as PGP encryption were very important to addressing humanity’s struggle, bitcoin is even more important. Bitcoin directly takes on central banking, the biggest cartel in the world that funds evil deeds such as war, the Cantillon effect, theft through taxation, inflation, and overall the root cause of all of the problems society faces. Bitcoin is likely to become the most valuable asset in the world due to its unique monetary properties, so individuals protecting it from bad actors is of critical importance. As Bitcoin includes both online and physical risks, ensuring proper OPSEC is important in both areas to help ensure bitcoiners’ privacy and security.

Discussing how much bitcoin you own, or when you first got into bitcoin may be the biggest OPSEC mistake a bitcoiner can make. It can be difficult to not want to brag about this information, especially when a big price increase is occurring due to the pure euphoria that occurs during this process, but just take a deep breath and try to understand what a target that makes you. It is never a good idea to shake the hornet’s nest just for the fun of it. The Golden Rule always applies: “Do unto others as you would have them do unto you.” No one likes a braggart, and snitching on yourself now may affect your family decades or generations in the future. This is the first provably scarce digital asset ever created, and we are still in the very early days of its adoption. The first step adversaries generally perform is called “Recon,” short for reconnaissance, and it is only natural for them to focus their attention on known higher value targets. The amount of bitcoin most future adopters, sans the ultra wealthy, will be able to obtain will be much less than anyone involved in the space today. This is not an opinion, this is a fact based on the monetary supply schedule Satoshi programmed with the block rewards getting cut in half every four years. The stock-to-flow ratio will keep getting higher, soon making bitcoin the scarcest resource on earth, more scarce than gold, as well as being superior in every other aspect. For more information about bitcoin’s stock to flow check out Saifedean’s “The Bitcoin Standard” and PlanB’s quant work on Twitter. The sheer amount of high IQ individuals that have entered this space in the last couple of years has made me more bullish than ever. Bitcoin will keep attracting the best and the brightest minds to work on it to build a better future for everyone.

The internet can be a scary place, and you never really know who is on the other side of the connection. “Don’t trust, verify” is a core bitcoin ethos that also applies to OPSEC. The internet is written in ink, not pencil, and is distributed across decentralized computers around the world instantaneously and stored forever. Data is cheap, connectivity is plentiful, and adoption is continually growing. Once something is written on the internet, there is a good chance that it will be there forever, and it cannot be deleted. It can be stored in the cache of various computers that have already loaded it prior to deletion, it can be picked up by search engines crawling the internet, adversaries can take screenshots of it, and the internet archives can capture it in the Wayback Machine. Images posted on the internet can be reverse image searched, identified based on their EXIF data, and further analyzed based on the content in them. A screenshot of an image is always a safer option than the original as it does not contain the EXIF data and cannot be reverse image searched. The internet is mature enough at this point that these mistakes have occurred over and over again in various sectors; we should learn from the lessons of the past and avoid making the same mistakes in the present and future. Internet adoption is mainstream; even most developing countries have internet connectivity, and can access the same information as anyone. This is also a feature, not a bug.
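
The EXIF point above can be checked before an image is posted. The following is an added example, not code from the original article: it walks a JPEG's header segments, reports embedded metadata (including whether the Exif block points to a GPS directory), and returns a copy without those segments. The set of segments dropped and the sample bytes are choices made for this example.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# Segments treated as metadata in this example (an assumption, not a standard list):
# APP1 = Exif or XMP, APP13 = Photoshop/IPTC, COM = free-text comment.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
GPS_IFD_TAG = 0x8825  # Exif tag whose value points to the GPS sub-directory


def make_segment(marker, payload):
    """Serialise one JPEG segment: FF, marker, 2-byte length (counts itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def split_jpeg(data):
    """Return ([(marker, payload), ...], tail); tail is everything from SOS onward."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker: skip it
            pos += 1
            continue
        if marker == SOS:           # compressed image data starts here; keep it verbatim
            return segments, data[pos:]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker found")


def exif_has_gps(payload):
    """True if the first IFD of an APP1 Exif payload contains a GPS directory pointer."""
    if not payload.startswith(b"Exif\x00\x00"):
        return False
    tiff = payload[6:]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte order
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):                            # each IFD entry is 12 bytes
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break
        if struct.unpack(order + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False


def audit(data):
    """List the metadata a JPEG would carry with it if posted as-is."""
    findings = []
    for marker, payload in split_jpeg(data)[0]:
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            findings.append("Exif+GPS" if exif_has_gps(payload) else "Exif")
        elif marker == 0xE1:
            findings.append("XMP/other APP1")
        elif marker == 0xED:
            findings.append("IPTC/Photoshop")
        elif marker == 0xFE:
            findings.append("comment")
    return findings


def strip_metadata(data):
    """Rebuild the file without metadata segments; pixel data is left untouched."""
    segments, tail = split_jpeg(data)
    kept = [make_segment(m, p) for m, p in segments if m not in METADATA_MARKERS]
    return SOI + b"".join(kept) + tail


# Constructed sample: a structurally valid JPEG skeleton, not a viewable photo.
SAMPLE_TIFF = (b"II" + struct.pack("<HI", 42, 8)              # header, IFD0 at offset 8
               + struct.pack("<H", 1)                          # one IFD entry
               + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)   # GPS pointer only
               + struct.pack("<I", 0))                         # no further IFDs
SAMPLE = (SOI
          + make_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + make_segment(0xE1, b"Exif\x00\x00" + SAMPLE_TIFF)
          + make_segment(0xFE, b"shot on my phone")
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + EOI)

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(strip_metadata(SAMPLE)))
```

Removing these segments deals only with embedded metadata; what is visible in the picture itself is unaffected.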

When creating a bitcoin online identity, it is crucial to not use your real full name and easily identifiable picture. This can generally be inferred by just looking around bitcoin Twitter and seeing how the majority of users follow this basic practice. The reason for this is obvious: you would essentially be “doxing” yourself, and making it trivially easy for malicious adversaries to determine your real identity. The idea behind online OPSEC is to make it as difficult as possible for anyone to know who you really are. The username should not be easily attributable to your real identity, and should not give away other personal information such as your birth year or location. If an adversary can simply DuckDuckGo your username and on the first page of results obtain your full name, that username should be considered compromised, and a new username should be created that cannot be easily traced back to your real identity. Giving away any pertinent information about yourself, such as your birthday, your location, your IP address, your address, what college you went to, where you work, what your occupation is, or really any unique identifiable characteristics can allow an adversary to figure out who is behind the avatar. No single piece of information may necessarily ruin one’s OPSEC, but combined together they might. Also, remember Google is keeping a record of everything we ever search on their website. It is always best to err on the side of caution rather than get specific; the key is to make their job as difficult as possible and seem low value so they will move on to higher value potential targets.

Think of it like the famous book “The Art of War” by Sun Tzu: do not give the enemy any information that can be used to help take you down and lose the battle. That is another book that every bitcoiner should read. The key is to study your opponent, get inside of their heads, put yourself in their shoes, and play chess when they are playing checkers. Always try to be one step ahead. Know their tactics, see what they see, and pivot first rather than last. While there are inherent related risks to internet OPSEC, discussing bitcoin online offers individuals an effective medium to discuss ideas, strategies, and ask questions. The internet allows users to find the signal and tune out the noise to an extent that is purely not possible in the physical world. In my entire state there may be a handful of other bitcoiners that I could connect with, but on Twitter I am able to connect with like-minded individuals and experts from across the world and communicate in real time without self-censorship or having to retort the same old tired arguments that do not hold water. Technology has flattened the world, and physical location simply does not matter very much anymore as long as there is internet access. In addition, the internet allows a level of anonymity that is much harder to achieve in the physical world.

Third parties are a security vulnerability and should be chosen with caution. While we can sit here and argue which one we like best, and which one is least likely to expose our personal information unexpectedly, the fact is that any organization that collects and stores our personal information has the potential to hurt our OPSEC. While data breaches have become somewhat normalized in the past decade since they have happened so frequently, there is an elevated risk related to bitcoin data. Simply by being involved in bitcoin in the first decade means the user is an early adopter of the biggest wealth transfer and paradigm shift of all time. It is a little different scenario than you liked shopping at Target over Walmart because the stores were nicer and the customers are better looking. Last year Binance got hacked and the know your customer (KYC) data of many of its users was posted online. While we would assume that these third parties would be employing proper encryption best practices that are readily available, we cannot assume that this is always the case. This breach would have been mitigated if Binance treated this sensitive data with the respect it deserved and encrypted it with at least 128 bit AES encryption that would have turned this data useless to the adversaries even if they obtained it. KYC breaches have an added identity theft risk for bitcoiners as hackers can obtain this information and open accounts in these hacked identities and pass the KYC requirements, as they would have their ID, full name, address, and other fraudulent information that was stored by the exchange.

Most businesses still get encryption wrong, such as the major Equifax breach that exposed many Americans’ social security numbers online forever, so we cannot necessarily pick on bitcoin businesses specifically, but we should also hold them to a higher standard as we are trying to build a new system and move away from the errors of the legacy world. As bitcoiners, we need to ensure that we vote with our wallets, and only support businesses that take our privacy and security seriously; the risks are simply too substantial. We are nothing without our principles. Moving forward, before we voluntarily give up our personal information, we must ensure that the third parties that are collecting our data are trustworthy and capable of protecting this information from unauthorized access. The technical solutions have been in place for longer than bitcoin has existed; there is no reason why we need to just accept incompetence anymore. Bitcoin is still the wild west. Penetration tests, third party audits, and continuous oversight requirements that exist in the legacy world do not appear to have made it towards the bitcoin ecosystem yet, but there is no reason why we should not demand them as minimum requirements. Bitcoin businesses still have a lot of room to grow up. I do see this improving, with entrants such as Square that already understand how to run mature financial businesses at scale leading the way.

BitMEX was also negligent in the past, and CC’d instead of BCC’ing on a mass email, which doxed their customer email list to the world. It only takes one careless employee that has access to too much information to ruin it for everyone. This is a good example of why it is important to compartmentalize the email addresses we use with anything bitcoin related. Ideally it should follow good OPSEC procedures, such as not using our real names, birth year, or come from any formal institutions where it is easier to pinpoint us (such as businesses, @edu’s or @gov’s). An anonymous one time use throwaway account would have pulled a premium for all BitMEX users that were doxed with personally identifiable emails. While we can argue that third parties should have better security and operating procedures, it is reasonable to assume everyone will get hacked or be otherwise negligent at one point, and to try to keep our digital footprints as small as possible. If we have accounts at several exchanges, but only really use one, it makes sense to delete our accounts on the ones we do not use just in case they suffer a data breach and our information gets leaked online. Periodic personal account audits can be beneficial to keep track of what personal information of ours is out there, where it is stored, and whether this is absolutely necessary to exist. Anything that cannot be justified should be deleted with confirmation, if possible. Do not trust, verify. Individuals should think twice before they give up their personal information for any new good or service. Are they to be trusted? It is unlikely that someone that we have built trust with for years will be willing to ruin their reputation for some small exit scam, but we have seen crazier things happen in this space before. Remain vigilant. As Bitstein said, “everyone’s a scammer!”

During the LatAm donation event on 4/19/20, while users meant well, we did not follow a common OPSEC practice of avoiding static address reuse. Address reuse makes it possible for adversaries and chain analysis companies to track user money flows, and potentially determine the identities of any specific users using other heuristics that are outside the scope of this article. Not only did we reuse a static address, several bitcoiners also attached screenshots tying their transactions to their online identities. Sending bitcoin from previously coinjoined addresses or even two hops away from a KYC’d exchange provides additional OPSEC advantages as it will provide some plausible deniability if chain analysis was performed trying to identify more information about the senders. While this was all in good faith, it is still on the internet forever, and who knows who is watching. This is why after the LatAm charity event was over, we heard certain bitcoin Twitter influencers get on their soapboxes condemning the act as demonstrating poor OPSEC by reusing a static address.

A better, but more technical solution is to use BTCPay Server, which is essentially an open source payment merchant application that creates unique invoices (receiving addresses) for users to send bitcoin to. The receiving member could have set up a BTCPay Server account and directed all donations towards that node. BTCPay Server has also recently released Payjoin functionality which adds additional privacy capabilities. Other more private solutions would be to use unique addresses shared privately, or PayNyms for Samourai wallet users, which is only available on Android. For example, my PayNyms name is “wispyrain9Da” and other users can send bitcoin to me via that PayNyms name without having to share actual bitcoin address strings. Samourai developers have cleverly abstracted that information away from the end users. This adds inherent OPSEC advantages as senders and receivers will not know the actual transaction ID, sending address, or receiving address of each party, and cannot perform any snooping related activities. In addition, it is generally not advisable for our OPSEC to publicly broadcast how we are storing our bitcoin long term, such as what hardware wallets or applications we use, which also occurred during this event on the receiving end.

The advantage of using a shared static reusable address for the LatAm charity event was that everyone was able to independently track the total bitcoin count. The goal increased from .1 bitcoin in the morning to a whole bitcoin by the end of the day since everyone was tracking this address and building the hype up. This was done by searching for the static address on a block explorer. Generally block explorers, such as, should not be used to track your own transactions, as this can leak information such as your IP address to the third party hosting the explorer, and potentially allow adversaries that may have access to that information to determine who the address belongs to. A generally accepted best practice is to run our own full nodes, and use a block explorer running on it directly, such as the BTC RPC Explorer, so that this information never leaves our local networks. Nodes simply mean computers, and full nodes mean a computer that is running the entire bitcoin blockchain independently. Full nodes’ main use case is to be able to determine that when we receive bitcoin, that we actually own it and it is legitimate. They also do not expose our public keys to any third party servers, such as those related to our hardware wallets. The fewer people that know our business, the better for our OPSEC.

Many users consider running a full node as a fundamental aspect of being a bitcoiner, but there are only around 10,000 reachable nodes currently running in the world, so that may be somewhat of an exaggeration; however, it is a solid goal for any bitcoin enthusiast to have. It helps the overall bitcoin network resiliency, and helps the user out in their individual sovereignty and overall OPSEC. Like many things within bitcoin, there is a positive feedback loop that exists for user incentives of running a node, it benefits the overall network as well as the individual. Running a full node in 2020 is as easy as it has ever been, and there are several companies and individuals out there that offer solutions. In addition, one thing about the bitcoin community is that most people are very willing to help newer users out for free if they come with the right attitude. If a bitcoiner is not yet running a full node, it is still a better idea to access a public block explorer through Tor or a VPN to not leak their personal IP addresses.

From someone keeping score on the sidelines, it is hard to dismiss Samourai’s advances related to OPSEC and privacy. In addition to their PayNyms feature previously mentioned, they created a Payjoin capability in 2018, prior to BTCPay Server’s implementation. Also, their coinjoin solution, Whirlpool, appears to be the best option currently available. Samourai employees were even able to deanonymize Wasabi’s coinjoins upstream, and figure out where a coinjoined transaction initially came from, which is not possible with Whirlpool. The Binance Singapore KYC coinjoin drama on bitcoin Twitter was from a Wasabi coinjoin based on their prior coinjoin implementation that they have since remediated. While it is possible for chain analysis companies to identify and flag users from any coinjoin solution (Wasabi, Samourai, or Join Market), the takeaway is that if an account is flagged as using coinjoins, if the coinjoin was performed with 100% entropy, there is nothing to find through analysis, there is no evidence of wrongdoing or linking the user to any potentially “tainted” coins. For bitcoin to be fungible, the idea of tainted coins is an oxymoron in the first place; that is like saying that a retail store would not accept cash because it had drug residue on it.

Bitcoin is trying to evolve past this broken legacy mindset in the first place, and it is inherently politically charged. For bitcoin to succeed, it must be fungible on the base layer. All 21 million coins must be valid. The more users that take their OPSEC and privacy seriously, and start to use these solutions, the harder it will be for chain analysis companies to do their jobs and the entire industry could be wiped out. Ultimately it will benefit all bitcoiners as it will increase everyone’s privacy. Free men do not ask for permission. Bitcoiners can again vote with their wallets and only support businesses that allow their customers to take their privacy seriously. At the end of the day, this is a rapidly evolving space, and we are likely to see enhanced privacy functionality both on chain, layer 1, as well as increased adoption of the lightning network and other various layer 2 and above solutions. I am psyched watching how many smart people are working in this area, and know that bitcoin’s future is in good hands as all of these developers are insanely gifted.

Anytime the online world converges with the physical world is another potential OPSEC vulnerability. The physical world can also instill great fear, pain, and misery. Many bitcoiners are naive to these realities even during bullish times, let alone during a global depression where many people do not know where their next meal will come from. For better or worse, the first decade of bitcoin adoption has largely attracted relatively privileged Caucasian males with computing, economics, and/or financial backgrounds, as the interdisciplinary nature of the topic requires a certain skillset to understand and adopt in the face of immense noise surrounding it. If we look into lottery winners, it is not much of a reach to assume that most people will view early bitcoin adopters as “lucky” and that they won the lottery. Most lottery winners have the unfortunate outcome of being publicly doxed in order to claim their winnings, which attracts the worst kind of attention. Beggars, thieves, robbers, and other unsavory characters will instantly appear out of the woodwork once they know the winners are now rich based on random chance. While we know this is clearly not the case with bitcoin, and that luck had very little if anything to do with it, that does not change the threat model from how the adversaries may perceive it. Unfortunately, I foresee many parallels between lottery winners and early bitcoin adopters with poor OPSEC.

It does not take much to challenge one’s personal world view, especially if they have not had much experience with poverty related security risks in sheltered environments. One armed robbery is all it takes to lose everything, including potentially our lives. There is a major difference between stickup men and common thieves, as stickup men are ready and willing to kill in the event that they do not get what they want. Many bitcoiners have a false sense of security inherently with multisig solutions, thinking that it will keep them safe from violent criminals, but they are missing the point. A stickup man is not going to be in the mood for hearing about how it is impossible for us to give them our bitcoin because of some technical limitation; they will just get further enraged. Can you even imagine trying to explain a 3 of 5 multisig solution while held at gunpoint to someone with an 80 IQ? This is why OPSEC again is so important: better to give them something and have them be on their way, such as a duress wallet, than relying on a technical solution for a physical problem. Bitcoin will do us and our families no good if we are dead and there is no inheritance plan in place, besides the added deflation to the money supply.

Regardless of what any liberal hippies believe, violent criminals are deterred by physical violence themselves; this is why they go after “soft targets” or known anti-gun idealists. In the real world, while the pen may be mightier than the sword, firearms can act as the judge, jury, and executioner. When seconds matter, cops are minutes away. Being vocally anti-gun, as well as a bitcoiner is not great OPSEC. Think of the message that that sends adversaries. Most thieves want to avoid confrontation at all costs, and that is why they do their due diligence scouting locations to help ensure that their victims are not present when they are committing their acts of crime. This is why it is important to not publicly discuss how we store our bitcoin, including where we store our seed phrases. With the current economic struggles around the world, the risk related to bitcoin ownership is likely to increase exponentially as the world wakes up to its true value as it enters its next halving and resulting bull market and the moon being programmed in. Bitcoiners are likely to be blamed and vilified for the events that are occurring, rather than the solution to these problems. Remember, while this information may be known to us, it is still not known to the vast majority of the world. This is the biggest information asymmetry that has ever existed for any asset.

Bitcoin conferences are another example of a potential physical OPSEC fail. Many conferences use legacy payment systems, such as credit cards to sell tickets in advance so they can pay for expenses. This is a clear OPSEC issue as it ties the user’s personal identity to the conference. A government agency can simply subpoena this information, or a hacker can obtain it, and expose everyone that attended. There is a much better way to do this, however. The popular hacking conference DEFCON figured this out over 20 years ago, and in the spirit of maintaining proper OPSEC, they do not take any prepayments, they do not maintain any user lists, and they only accept cash at the door. It is impossible to subpoena them for this information, or for it to get hacked because they simply do not collect this data. Playing chess instead of checkers. Many bitcoiners will outright refuse to go to any bitcoin conferences regardless of their operating procedures, because it inherently implies they at least have an interest in bitcoin by simply being there. The OPSEC risk is simply too high, and the value add is minimal at best. There is a plethora of information already available about bitcoin online, and many of these conferences are streamed online anyways.

We have all made OPSEC mistakes. If I could go back in time, I would not openly talk about bitcoin with most of my friends and colleagues in the physical world. Barring my mom and a couple close friends, I would be indifferent on the topic when it was brought up. At this point, it would be hard for me to try to claim complete ignorance on the topic when I was discussing it years ago with a relatively strong understanding by trying to retort silly arguments from the critics. I have learned that bitcoin does not need to be shilled to anyone; very rarely do any true bitcoiners get involved this way anyways. Bitcoin’s killer app is its number go up tech, and that appeals to everyone. Regardless of what anyone says, none of us would be here without this. We stay for the revolution, but we came for the gains. Bitcoin adoption is inevitable regardless of our evangelism; the better money always wins. Physical world OPSEC is more important than the need to try to win an argument with a non-believer. It is not our job to try to convince anyone, and they will likely hold resentment towards us regardless. If we try to shill it too heavily, they will get upset with us and confirm their preconceptions that it is nothing more than a pyramid scheme. If we do not shill it enough, they will get upset that we did not make a strong enough argument for it and they missed out on gains. If they do achieve gains, they may even resent us for adopting it earlier. Or worse they may buy some, lose money, and blame us. Money ruins friendships. If you must discuss bitcoin, never discuss how much you actually own, when you first got involved, or anything else related that may draw resentment and envy. Keep the personal information to yourself. Normies have a strange sense of what is “fair” and what constitutes “luck.” It is always better for our OPSEC that they think we are fronting, rather than they think we are holding a large stack. There are already plenty of stories of early whales getting robbed by their supposed friends, and this would not have even been possible if their OPSEC was tighter. “With friends like that, who needs enemies?”

This next part is going to make me sound jaded, but physical OPSEC also includes new relationships with the opposite sex, including marriage. Marriage in the west is a risky proposition for anyone that brings assets to the table, especially when the other party does not. The current no fault divorce incentives are such that a wife can cheat on her husband, file for divorce, and still obtain child support and alimony from the courts by force. Bitcoin is not within the court’s jurisdiction, and no judge would be able to take half of someone’s bitcoin and send it to the other partner as terms of the divorce, both technically and legally. This has already become a reality, where an unfortunate early adopter on Reddit had poor OPSEC, and his wife knew he had a lot of bitcoin. She wanted a divorce, but her lawyer instructed her that she would not be able to take his bitcoin in court. So what she did was get him to convert his bitcoin into fiat, use that money to buy a bigger house, and then filed for divorce and took the house in the settlement. While no one wants to go into any relationship with this mindset that their significant other could be so cruel, this is a clear possibility. This is why police almost always investigate the significant other first in any criminal case. It is better to be safe than sorry; no one wants to get fed alive to a tiger. I expect these horror stories to continue as bitcoin adoption grows, and newly minted males now have the attention of beautiful women for the first time in their lives. If they already know we have bitcoin, they do not need to know our total count, and it can be spread out over multiple wallets. The point is that while we never want to think of worst case scenarios, developing our OPSEC models must entail thinking of all potential unfortunate scenarios. 
Also, there are obviously exceptions to this rule such as already being married and buying bitcoin as a mutually agreed upon investment, but I am referring to the general rule where this is primarily still a male-dominated industry where women simply do not “get” it, and actively try to steer their significant others away from buying magic internet money. OPSEC threat modeling is all about considering probabilities, and this area may score the highest both for being most likely to occur and for being their biggest blind spot, yet I never see it discussed anywhere. Note, this is not legal advice. Do your own research.

Physical world OPSEC also includes strangers. It may seem like a good idea to go to a bar and discuss it with a stranger once we are feeling warm and fuzzy watching number go up, but we never know their true intentions or even who they really are. I live next to someone with the worst physical OPSEC; they drive a Bentley with “bitcoin” on their custom license plate. They might as well ask thieves to come rob them directly. There was also a local example of a Lamborghini owner that recorded himself doing 200mph on the freeway and posted it on YouTube, and was arrested soon after. The unique color in that model was so rare that there were only three of them registered in the entire state; it did not exactly take a lot of experts to find him. I see this in bitcoin in general: people posting about their fancy cars in exotic colors, which damages their OPSEC, even if their license plate is redacted. It ties their identity to their vehicle and makes it easier to identify them in the physical world than if this information stayed off the internet, or if they drove less flashy cars. It is better to go gray man and purchase a more generic car and blend in with the rest of society rather than peacocking to the world both online and off. I am not saying that we cannot buy nice things, but there is no need to out ourselves as to how these nice things were paid for. There is a reason why old money views it as crass to discuss money in general. Take a page out of their playbook. We cannot build generational wealth if we cannot protect it from adversaries. This also includes wearing blatant bitcoin apparel, jewelry, basically anything that openly identifies us as a bitcoiner in public. The bearer nature of bitcoin exposes hodling bitcoin to different risks than fiat, as it opens it up to physical attacks that cannot be overturned. It is hard to rob a bank. The bank could also insert blue ink packets in the stolen cash bag which would ruin the money, or they could overturn the transaction afterwards if it was a digital hack. Bitcoin is fungible and irreversible. Stolen bitcoin is accepted everywhere on chain, especially with the advanced coinjoin technology available. If a thief obtains our private keys, they own our bitcoin forever, can spend it however they want, and there is nothing anyone can do about it. This is both a feature and a risk, as these characteristics are needed to dismantle the current status quo.

In information and physical security, defense in depth is often practiced. This essentially means that there are multiple layers of security that must be breached before the adversary can obtain their goal, such as obtaining an individual’s bitcoin. A practical defense in depth strategy also depends on their threat model and risk assessment. For example, if they only have $50 worth of bitcoin, it may not even make sense to buy a hardware wallet as the cost of the hardware wallet is higher than the actual bitcoin being stored. For whales where money is not an issue, they may want to build a citadel with a moat around it, 20 foot high walls, guards, watch dogs, CCTV, hidden safes, various guns, have dedicated security guards, and create their bitcoin seeds in a Faraday cage with a throwaway secure computer. It all depends on the risk appetite and exposure. If the bitcoiners practice strong OPSEC, they would have the ability to go under the radar much easier. For example, if they are able to explain their wealth away through legacy means such as a high-paying career or inheritance, or simply by being mysterious and saying it came from tech investments, fewer defense mechanisms may be necessary. No one may even be the wiser that they are holding a large stack of bitcoin. It all depends, and every situation is different. It is better to get ahead of these risks when bitcoin is still largely undervalued than when it is top of mind to all hackers and criminals. When in doubt, it is best to stay on the side of caution rather than exuberance. No one can take what they do not know is there. One of bitcoin’s best characteristics is its anonymity, but that does not matter if the owner voluntarily gives up that privacy.

If your OPSEC has been damaged, fear not, all hope is not lost. It is possible to regain some of it. Individuals can spread disinformation, such as they were trolling, they lost their bitcoin from leveraged trading, misplaced their backups, or other realistic potential scenarios. When bitcoin is brought up in the physical world, you can act disgruntled about its success like the salty ex-coiners from the early days. It’s almost impossible to prove a negative, that we no longer have any bitcoin or a sizable amount. It’s much easier to prove a positive, such as signing a message from a wallet. It may not be of a high moral compass to lie, but this might be more appealing than the alternative. I would not be surprised to learn that several of the high profile influencers that left the space were simply attempting to regain their OPSEC. Individuals can also delete their accounts and create new ones in hopes that they become forgotten, though the internet never really forgets. No one has to know your current situation. The current meme for this is that you lost your keys in a boating accident, but that basically means you are still hodling and it’s a joke. OPSEC is not a joke. The disinformation has to be realistic, or else it is not worth our time or energy. It is popular for people to rant about how social media takes away their privacy, and at the same time they voluntarily give up their private data for free. As they say, if you do not know what the product is, it is probably you. Facebook has been more effective at obtaining personal data from users than any government agency. Professional individuals also overshare their specific job functions and personal takes on LinkedIn, which is often used to identify users for phishing attacks. Everyone has free will, and it is up to the individual whether they want to take advantage of the privacy that the internet and bitcoin offer, or if they want to give it away as if it has no inherent value. The choice is yours.

This article is not meant to fear monger. I know this topic is dark, and that is probably why people do not want to think about it. I’m not calling anyone out for being public in this space, especially if their livelihood is based on it. I understand that it can add some credibility. This is meant to try to provide a baseline for important information that is sometimes learned the hard way. From my perspective, it is better to be safe than sorry, and if bitcoin becomes the multi-trillion or even quadrillion dollar asset class that we believe it will, it’s probably best to proceed with caution with regard to what audience you discuss this with and how. Bitcoin requires immense foresight to see the forest for the trees, and every topic is fair game. Bitcoin is a truly wonderful invention that will free humanity from the evils of central banking, but with great power comes great responsibility. New users should understand what they are getting into when they enter this space. Bitcoin is a rabbit hole that goes deep, and very few people actually understand everything, but that’s okay because it motivates users to keep learning and contributing to the ecosystem. There is always another level, and no one starts by understanding all of this at once. In risk management, it is always more effective to focus on prevention, rather than detection and correction of activities. All of these areas can be covered individually in depth; this was just meant to provide an overview. It is a gradual process and eventually before we know it we are running a full node, tweeting all day, and cannot focus on anything else with as much passion. Bitcoin provides the opportunity to be as secretive or blatant as the user wishes, and ultimately it is on them to determine their plan of action. We are in the middle of a revolution, and we are all playing our part to build a better world for future generations based on a higher moral compass. Be vigilant, stay safe, and hodl on.