5 Opsec Errors That Caused Cryptocurrency Users to Lose Everything
Maintaining good operational security is imperative for all web users, but it’s particularly important in the cryptocurrency space. Prying eyes are everywhere on the internet, from law enforcement to hackers and from blockchain forensics firms to data resellers. Examining the opsec errors that got several notorious bitcoiners robbed or busted yields valuable lessons we should all heed.
Opsec Is a Scale Not a Switch
There’s no such thing as optimum opsec or perfect privacy. Just because the internet’s heavily backdoored and broken doesn’t mean you should concede defeat. It’s possible to enhance your online security without adding complexity. The most memorable opsec lessons come from studying those who let their guard down or got sloppy and were duly punished. You don’t have to be a darknet market boss or a bitcoin whale to benefit from keeping your crypto, data and browsing habits locked down. The following figures all paid the price for opsec errors that could have been easily avoided.
Silk Road operator Dread Pirate Roberts (DPR), later to be identified as Ross Ulbricht, made a string of mistakes that ultimately led to his dox and arrest. Ulbricht remains a visionary and a hero to many bitcoiners, but even his greatest advocates will concede that he was the architect of his own downfall. The key takeaway from DPR’s takedown is this: Don’t retain unencrypted documents that would be damaging to you if they fell into the wrong hands.
In addition to keeping passport scans of Silk Road employees and chat logs, DPR kept a diary in which he confessed to ordering assassinations and all manner of other nefarious deeds. When feds seized Ulbricht’s laptop while he was logged in to Silk Road, they got the lot. Don’t store incriminating information on your phone or laptop, particularly not private keys or 2FA backup codes. If your device is stolen, seized or injected with malware, you’re screwed.
Former darknet market vendor Gal “Oxymonster” Vallerius is serving a 20-year jail term in America for drug offences. While the manner in which he was detained — at a Texan airport after flying in to attend a beard contest — caught the headlines, the way he was unmasked is where the focus should be. One of the primary tells that connected the Oxymonster pseudonym with Gal Vallerius was writing analysis. Language, punctuation, cadence and other stylistic tells such as capitalization are highly individualistic. Even something as simple as typing a trademark phrase to submit vendor feedback on the deep web — “Banging!” — can be enough for a dox.
If your pseudonymous persona is doing something that could deleteriously affect your real-life identity, be very careful what you write and how you write it. Even law-abiding citizens like Tether critic “Bitfinexed” have allegedly been doxed through writing analysis.
Not everyone on this list is a major criminal, but deep web kingpins are ripe for analysis. Not only is their fall from grace monumental, but court records provide precise details of how they were caught. Alphabay boss Alexandre Cazes made plenty of mistakes, the crux of which can be distilled into two words: don’t recycle. Recycled usernames, email addresses and, most critically, passwords are an opsec accident waiting to happen.
Cazes used his old Hotmail address as the source address for Alphabay’s welcome emails and adopted a pseudonym on the site he’d previously used elsewhere on the web. Like Ross Ulbricht, Cazes didn’t encrypt his laptop, enabling law enforcement to access all his records and seize millions of dollars in cryptocurrency. And all because he was too lazy to think up a new pseudonym or create a new email address. The fact that the Canadian citizen went on to commit suicide in a Thai jail cell after his arrest makes his case even more tragic.
Messari founder Ryan Selkis, aka “Twobitidiot,” is a law-abiding citizen who holds the dubious achievement of having been SIM-swapped twice. Also known as SIM jacking, the scam involves an attacker porting the victim’s phone number over to a new handset through social engineering. Selkis’ second jacking occurred only this month, despite the tech-savvy entrepreneur having taken robust measures to thwart a repeat attack.
“I a) flagged my account as high-risk, b) added a pin, and c) demanded account changes only take place in store with a photo ID,” he explained, but all to no avail. Mercifully, the attackers were unable to access his cryptocurrency on this occasion. His advice for others includes removing SMS verification for email, and using 2FA only through an app such as Google Authenticator. Selkis encouraged his readers to follow the guides that others have written on preventing the likelihood of SIM jacking. Unfortunately, even with numerous precautions in place, cellphone network staffers remain an Achilles’ heel.
Solid gold Ledger Nano
Opsec is generally thought of in technical terms: using strong passwords, connecting via a VPN and other good practices. But one of the biggest ways in which cryptocurrency users make themselves a target is by running their mouth and revealing the size of their digital wealth. Most people aren’t as careless as Pavel Nyashin, a Russian Youtuber who was robbed of $425K of crypto by masked assailants after boasting about his wealth in a series of videos.
Balancing your desire to tell the world about bitcoin without revealing the size of your bitcoin holdings can be tricky. But as case after case has shown, even gossiping to friends about the size of your stack or how it’s secured can make you a target. Keep that business to yourself: Don’t show off your portfolio or your hardware wallet, no matter how flashy the device might look.
Whether you’ve got a lot to hide or a little, opsec isn’t optional: It’s essential. Be diligent, be vigilant and be safe.