The Crypto OpSec Bible


Overview

I'm writing this due to a long-standing personal frustration with the neglect of basic security awareness by projects and users alike in crypto, a frustration I feel was very well captured by @pcaversaccio from @_SEAL_Org, whose post, along with @tayvano_'s legendary Crypto Security Guide for Dummies, was the inspiration for putting pen to paper and writing this guide.

To put it lightly, as @pcaversaccio highlights above, we're doing a shit job. 95%, seriously? The majority, if not all, of these tickets are preventable:

  • Poor DevOps practices (running code locally, pushing secrets, etc)
  • Getting phished from KNOWN tactics and campaigns
  • Bad device and key / secrets management
  • Malware / RATs

It is absolutely mind-boggling the sheer amount of compromises occurring on a daily basis that are preventable with a healthy dose of paranoia + security education.

A great visual resource to illustrate the size of this problem is @ChainLight_io's Lumos.

Among the compromises tracked on Lumos, web2 security attack vectors accounted for over 3x the exploited value of smart contract vulnerabilities.

Of the tracked exploits from January 2023 till now, Control Hijacking (social engineering, private key leakage, unauthorized access, supply chain attacks, and other web2 security attack vectors) accounted for $3.31B in exploited value.

In comparison, tracked Smart Contract Vulnerabilities accounted for only $983M in exploited value (Web2 security exploits accounted for over triple the exploited value of Web3 contract exploits).

There is a clear imbalance in the security priorities of crypto organizations that I believe is contributing to the ever-increasing value exploited from the industry as a whole.

I urge you, let this be your wake-up call to start caring about your project's operational security posture before you become the target of DPRK or another threat actor (P.S - you probably already are).

Of the documented hacks on Chainlight's Lumos, over 50% are attributed to DPRK.


The Mindset: Be Paranoid

Crypto is the world's most attractive destination for bad actors. You have an entire industry of individuals and projects with plenty of loot ripe for the taking. It is for this reason that the tried and true mantra from the Bitcoin ethos still rings clear:

Don’t Trust, Verify

This means no user, entity, device, or application is trusted by default, regardless of its context. Every request must be verified before permission is granted.

@tayvano_ sums up the ideal security mindset perfectly in her Crypto Security Guide for Dummies as shown below (shortened for brevity):

I understand that crypto is ruthless and terrifying.

  • I take security seriously.
  • I hold others accountable when I think we can do better.
  • I understand that my employment, my personal security, my financial well-being, and my family are all threatened when I don’t take security seriously.
  • I understand that my company’s viability is threatened when I don’t take security seriously.
  • I will never be lazy or dismissive. I will not skim this or skip items. I will take the time to properly secure myself to ensure my company stays secure today and tomorrow.

I will walk through this industry’s graveyard.

  • I understand that cryptocurrency companies are a global anomaly to the security industry.
  • I understand that these companies are hacked into deletion at a far greater rate than any industry.
  • I understand that simply being involved with the cryptocurrency industry and/or holding cryptocurrency makes my company and me a target for teenage script kiddies, sophisticated hackers, and nation-states.
  • I understand that a compromise or hack can result in the loss of our business, our funds, and/or our users’ funds.
  • I will constantly research and educate myself on current and new exploits to deeply understand the scale of this problem and learn from others' mistakes.

I understand my personal accounts may be the target of an attack.

  • I see that this space has an unusual mixture of personal identities and professional identities.
  • My identity, reputation, or personal accounts may be used to create confusion, panic, send phishing messages, or scam friends or strangers.
  • For this reason I choose to be diligent about the security of my personal accounts, not just professional ones.

Credit to @tayvano_


Know Your Enemy

There are many different threat actors across the crypto landscape, from script kiddies to nation-states. One thing holds true for protecting yourself against all of them: you must understand what attackers want from you.

Once you understand what attackers want, you can begin to do everything in your power to prevent them from getting it - or at the very least prevent yourself from giving it to them.

In general, attackers want to compromise 3 things:

  • Your funds
  • Your access
  • Your data

From a non-technical security standpoint - one of the best things you can do is to cultivate a strong sense of awareness regarding your digital footprint. You should conduct an internal audit. Here are some questions to ask yourself:

  • What are my critical accounts?
  • What devices or people have access to my critical accounts?
  • How do I authenticate to my critical accounts?
  • How do I access and manage my funds?
  • Where do I have sensitive data stored?
  • What personal information can someone glean on me publicly?
  • Which third-party services have permission to access my accounts?
  • What sensitive data is stored on my mobile devices?
  • What is my plan if my accounts, funds, or sensitive data is compromised?

Phishing

Phishing is running rampant in our industry and its prevention boils down to one thing - education. There's a slew of reasons as to why people will fall for social engineering tactics but the following are the most common:

  • Overconfidence makes people think they can easily spot scams, leading to reduced caution.
  • Confirmation bias causes people to accept messages that match their expectations (think an expected email from your employer that's actually malicious) while missing warning signs.
  • Your mental state matters. Stress and fatigue significantly reduce your ability to spot phishing. When you're on tilt you're more likely to mess up.
  • People tend to follow what others are doing (social proof), which threat actors exploit by claiming others have already complied.
  • Artificial urgency pushes people to act quickly without proper verification.

I'll dive into a slew of different examples below that are relevant for the crypto landscape but I can't recommend @tinchoabbate and @theredguild's The Phishing Dojo assessment enough. If you're serious about stepping up your phishing awareness in crypto - this is an excellent resource.

Another good resource is @SlowMist_Team's article on Web3 Phishing Techniques, some of which are included in the examples below.

Brief Note on AI Phishing

AI phishing tactics are getting more and more sophisticated. With live deepfakes becoming more realistic, tone- and voice-matching vishing, and even phishing emails and texts optimized with stylometry models fed a target's writing style, we're in some serious trouble.

It's more important now than ever before to be on your toes. Always verify that someone is who they say they are, especially if establishing first contact, regardless of whether they look, sound, or type like you expect them to.

Phishing Examples + References

Coinbase / Exchange Support Scam

Signature Phishing

Hidden Malicious Links

Malicious Bot Verification

Bot Compromise → Email Phishing

Sophisticated Google Support Email

Fake Docusign Link

Malicious Ads

Homoglyph Attacks - DNSTwist

Fake Platform Integrations

Impersonation Attempts (frequent these days)

Recruitment Phishing

Frontend Exploits - XSS

Dusting Attacks / Address Poisoning


General Advice

This section will cover tips, in no structured manner, that you should implement. Before getting started, I would highly recommend watching @_iphelix and @PabloSabbatella's talk on OpSec in Web3 as well as @andrewmohawk's Web3 Security is Embarrassing.

Some tips for navigating crypto securely:

  • Just use a security key wherever you can for your 2FA. This is the only phishing-resistant means of protecting an account. Get 2 for redundancy in case you lose one. Store the 2nd in a secure, hidden place.
  • Don't reuse passwords. Use cold emails for important accounts. Use a password manager. Separate your 2FA from your password manager. Make sure your passwords are sufficiently complex.
  • Never ever use SMS 2FA. Like I mentioned above, just use a security key if you can - otherwise, TOTP 2FA will do, just remember to disable any cloud syncing.
  • Never store, transmit, or send credentials in cleartext.
  • Avoid storing credentials in your browsers.
  • Have a dedicated 2nd device for 2FA that is clean if you're using TOTP. It should only connect online when you need to use 2FA.
  • Stop blindly signing transactions / signatures - please verify the transaction data is as expected before signing. You can use tools like @realScamSniffer to help simulate transactions before they go through. Be especially wary of permit signatures.
  • Never click a link via email, message, web browser search, social media, etc to conduct an action you could otherwise do by going directly to the source. Have a password reset email from your bank that looks legit? Want to make a transaction on Uniswap for a token with a swap link on X? Type the url directly in your web browser and conduct the action manually.
  • Whitelist addresses on your wallets and bookmark your frequently visited or mission-critical sites to reduce the chance of human error.
  • Be vigilant and aware of your attack surface. Understand you are a target and you are susceptible to messing up or getting phished. Be wary of calls to urgency, familiarity, or anything that gives you a sense of suspicion. Trust your gut - if it feels suspicious it probably is.
  • Be wary of any third-party connections or apps on the platforms that you use. The same goes for Chrome extensions in your web browser.
  • Always update your browser, OS, and apps that you use. Best to keep automatic updates on.
  • Use a VPN for browsing.
  • Avoid downloading files from external parties at all times. There is no excuse. If you need to view or use a file, ask the party to send it over as a Google Drive link so you can interact with it without it being local on your device. If you need to vet a file for malicious contents you can use dangerzone.rocks.
  • Avoid using calendar links you don't know. Only use calendar links for meeting requests you have verified to be legitimate. Better yet, insist that others use your own calendar link instead.
  • If at a crypto organization, ensure that there is a direct line to someone with security expertise that can handle an incident if it occurs. Understand who to report the incident to and how to report it.
  • Do not do any personal actions / activity on work devices and vice versa.
  • You should have a separate browser/pc for any crypto activities that is clean and exclusively used for crypto.
  • Have EDR on your employees' devices to protect against malware if you are a crypto organization. Have an AV as well. Even the free ones are good - just please have something on your employees' devices.
  • Below is a quick note on some essential tools highlighted by @PabloSabbatella.
  • Use a hardware wallet, especially for large amounts of funds. Store your seed phrase securely. Do NOT store it online. The same applies to hot wallets.
  • Rotate your keysssssssss (seriously nobody does this)
  • For God's sake, never ever execute code you don't know the source of or fully trust. Do NOT blindly clone, install, or run anything locally. Use a sandbox environment if absolutely necessary.

There's probably a ton more but again this is just to serve as a braindump. Hope it's helpful. Please send any tips you may have my way and I'll add them! The rest of this document is more structured :)


3rd Party Platforms

This section is not meant to be exhaustive but to at least capture the important configurations and steps you can take to secure the dependencies in your crypto organization's stack. There are many 3rd party platforms used within the crypto industry, but for the sake of this guide we will focus on some core best practices for securing the following:

  • X / Twitter
  • Telegram
  • Discord
  • Slack
  • Google Workspace
  • Github
  • Cloud (AWS / GCP)
  • Wallet / Multisig

The following 2FA and credential recommendations apply to all platforms / accounts mentioned above as universal requirements. I just don't want to keep typing them out:

2FA

  • 2FA must be applied to every single account in your organization and that you own - use Google Authenticator at the bare minimum, but make sure you disable syncing to the cloud.
  • SMS-based 2FA is NOT allowed under any circumstance due to the risk of SIM swapping. For more details on protecting against SIM swapping, please see The SIM Swapping Bible.
  • Ensure there is hardware-based MFA for any critical admin accounts. For example, the usage of a YubiKey for 2FA would make your account phishing-resistant. The recommendation is to have 2 hardware keys per critical account for the sake of redundancy.
  • Do NOT store credentials and 2FA TOTPs in the same location (yes, that goes for password managers). The same goes for backup codes.

Credential Management

  • All passwords must be at least 12 characters long and include a combination of uppercase letters, lowercase letters, numbers, and special characters.
  • Passwords should not contain common dictionary words, personal information, or obvious patterns like "123456" or "qwerty".
  • Perform a hygiene check of your accounts by referencing breach data sets for password leaks, such as via haveibeenpwned.
  • Avoid reusing passwords.
  • Do not store or transmit sensitive credentials in plain text ANYWHERE (Slack, Telegram, Discord, Notes, etc.) - use a password manager such as BitWarden. Please be wary that password managers, like any other application, are not 100% secure and have been exploited in the past.
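
As an added example (not code from the guide), here is a Python credential hygiene check that enforces the password rules above and performs the haveibeenpwned Pwned Passwords lookup through its k-anonymity range API, so only the first 5 hex characters of the password's SHA-1 ever leave the machine. The range response embedded below is constructed so the script runs offline; live_fetch shows the real request shape.

```python
"""Credential hygiene checks: local policy rules plus a breach-data lookup.

Added example, not the guide's own code. The policy rules are the ones from
the Credential Management list (12+ characters, all four character classes,
no obvious patterns or personal information). The breach lookup follows the
Have I Been Pwned "Pwned Passwords" range API: only the first 5 hex characters
of the SHA-1 are sent, and the 35-character suffix is matched locally, so the
service never learns the password or its full hash.
"""
import hashlib
import string
import urllib.request
from typing import Callable

MIN_LENGTH = 12
OBVIOUS_PATTERNS = ("123456", "qwerty", "password", "letmein")


def policy_violations(password: str, personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    problems += [f"contains obvious pattern '{p}'" for p in OBVIOUS_PATTERNS if p in lowered]
    # personal_terms: names, birth years, company name, etc. supplied by the caller
    if any(t and t.lower() in lowered for t in personal_terms):
        problems.append("contains personal information")
    return problems


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split of SHA-1(password): (5-char prefix to send, 35-char suffix to keep)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in breach data; 0 means not found.

    fetch_range(prefix) returns the body of GET /range/{prefix}: one
    "SUFFIX:COUNT" line per leaked hash that shares the 5-char prefix.
    """
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def live_fetch(prefix: str) -> str:
    """Real request to the Pwned Passwords range API (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-hygiene-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so this runs offline. The middle suffix is the
# real suffix of SHA-1("password") (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the other suffixes and all counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD4BC:1",
    ]),
}


def offline_fetch(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def hygiene_report(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> dict:
    """Combine both checks; a password is acceptable only if both pass."""
    violations = policy_violations(password)
    seen = breach_count(password, fetch_range)
    return {"policy_violations": violations, "breach_count": seen,
            "acceptable": not violations and seen == 0}


if __name__ == "__main__":
    for pw in ("password", "C0rrect-Horse-Battery!"):
        print(pw, "->", hygiene_report(pw))
```

Swap offline_fetch for live_fetch to query the real service; the prefix-only request is what makes the lookup safe to run against passwords you actually use.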

X / Twitter Security

There's no arguing X is the most critical marketing resource for any crypto user or project. As a result, it's a very attractive target for threat actors to leverage taken over accounts for social engineering.

Here are some recommendations for securing your X account:

  1. Delegate Access - Review and ensure only authorized delegates are enabled for your X accounts and that delegates are only given access if it is a true business need.
  2. Connected Apps - Review and ensure all connected apps are critical for any business needs. Remove any connected apps you don't recognize or use.
  3. Phone Number - Remove any phone numbers associated with your account.
  4. Verify Active Sessions - Ensure that any active sessions are confirmed to be from you or your team.
  5. Additional Password Protection - Ensure this setting is enabled.
  6. Updated Version - Ensure mobile & desktop app versions are up to date.
  7. Have an X Contact or Pay for Enterprise / Business - Either know someone internal at X that has enough swing to recover your account if it gets compromised or pay up for X Enterprise or Business. Business and Enterprise accounts get significantly quicker response times for account recovery.
  8. Cold Email - The ideal setup for email of an account would be a completely separate email from your personal / employee email. This is to separate the two as much as possible.
  9. Cold Device - If you want to take things a step further, then ensure you set up / log in to your X account from a new device that has been wiped and is solely used for access to X.

Unfortunately, in the current state of X, one can seemingly get compromised even if they take all the necessary precautions above due to X employees allegedly colluding with threat actors. Nonetheless, the recommendations above will greatly reduce your risk of compromise.

In the current state of X, it is best to assume that it is only a matter of time until your account gets compromised and to prepare for the worst by educating yourself on proper incident response / account recovery procedures.

If your account is already taken over or you want to understand proper incident response procedure for when it is, then I would recommend following this excellent guide by @Jon_HQ.


Telegram

Telegram has quickly become the standard for all interpersonal crypto communications - both business and personal. As a result, Telegram is a hot spot for threat actors to try to compromise accounts, funds, or devices. Here are some recommended best practices for account configuration.

  1. Passcode Lock - This adds a PIN or lock pattern to your Telegram app. It protects your chats if someone else uses your phone or computer.
  2. Secret Chats - Secret Chats use end-to-end encryption and messages can also self-destruct. For any conversations with sensitive information or data - use these.
  3. Virtual Phone Number - It's best to avoid using your personal phone number here. Instead, you can use a virtual phone number.
  4. Phone Number Discoverability - Set Who can see my phone number and Who can find me by my number → Nobody.
  5. Calls - Set Who can call me → My Contacts (or Nobody, if you prefer) and Peer-to-peer → My contacts (or Nobody, if you prefer not to share your IP address)
  6. Data and Storage - Set Auto Download Media → Toggle Off
  7. Last Seen & Online - Set Who can see my timestamp → Nobody
  8. Review Sessions - Terminate inactive sessions and ensure sessions that are live are intended.
  9. Invites - Set Who can add me → My Contacts;
  10. Updated Version - Ensure mobile & desktop app versions are up to date.
  11. Telegram Bots - In general, it is best to avoid these unless promoted / widely-known and accepted by Telegram themselves. Best practice regardless is to limit using any third-party sources or services. The more dependencies you create - the broader your attack surface.

Another excellent resource is @officer_cia's Telegram Security Best Practices article, as well as @_SEAL_Org's Telegram Framework.


Discord

Discord is still very prominent in the crypto industry with nearly every project having some degree of presence on the platform. Discord has historically been a hotbed for threat actors to exploit misconfigurations and phish admins or users to do some serious damage.

For the sake of this section, I would just recommend following @_SEAL_Org's Discord Security Framework. It's probably the best open guide to Discord security out there currently, so no need for me to regurgitate. Discord is still a bit of a beast in and of itself, so if you want to take the very diligent approach of getting a Discord audit, @Jon_HQ is a good resource. He also has a ton of free resources on Discord security that he posts on X.


Slack

Slack is increasingly common for larger crypto organizations. While less common than the above it is still important to secure Slack as much as possible.

  1. Enforce 2FA at the organization level - Enable mandatory 2FA for all workspace members in Settings → Authentication → Require two-factor authentication.
  2. Restrict Workspace Access by Domain - Navigate to Settings → Authentication → Approved Authentication Domains to limit workspace access to only verified company email domains, blocking unauthorized users from joining.
  3. Control Invitation Workflow - Go to Settings → Permissions → Invitations and require admin approval for all workspace invitations to prevent unauthorized account creation and ensure proper vetting of new users.
  4. Configure Guest Account Restrictions - Use Guest accounts for external collaborators with minimally required channel access. Configure through Settings → Manage Members, selecting either Single-Channel or Multi-Channel Guest options.
  5. Restrict App Installation Permissions - Navigate to Configure Apps → App Management Settings and enable "Require approved apps" to prevent users from installing potentially malicious third-party applications.
  6. Manage App Sources - In Configure Apps → App Management Settings, enable "Only allow apps from Slack App Directory" to prevent installation of unverified applications that could access sensitive data. Ensure only apps that are needed are used.
  7. Configure Slack Connect Restrictions - Access Settings → Permissions → Slack Connect Channels and require owner/admin approval for all external organization connections to prevent data exfiltration through external channels.
  8. Control External Direct Messages - Set Settings → Permissions → Slack Connect for direct messages to only allow workspace owners/admins to send and accept external DM invitations, limiting social engineering attack vectors.
  9. Disable Public File URL Creation - Access Settings → Permissions → Public File Sharing and disable the ability to create public, unauthenticated links to files to prevent sensitive data leakage.
  10. Configure Message Retention Policies - Set appropriate retention periods in Settings → Retention & Exports to automatically delete messages after a defined period (30-90 days recommended) to minimize data exposure.
  11. Enable Link Preview Restrictions - Access Configure Apps → App Management Settings and enable "Only show link previews from installed apps" to prevent potentially malicious content from automatically loading.
  12. Implement External Content Controls - Disable automatic loading of external content in Settings → External File Thumbnail Previews to prevent malicious content from being rendered in channels.
  13. Disable Workflow Publishing - Access Settings → Permissions → Publish workflows and restrict to administrators only to prevent creation of automated data exfiltration pathways through custom workflows.
  14. Manage User Group Permissions - Navigate to Settings → Permissions → User Groups and restrict the ability to create and manage user groups to workspace owners and admins only to maintain controlled access boundaries.
  15. Configure DM Restrictions Between Workspaces - Navigate to Settings → Permissions → Slack Connect for direct messages and configure to only allow DMs with verified organizations to prevent phishing through unverified external communications.

Google Workspace

Nearly every crypto organization is using GSuite. To avoid regurgitating the same things that are already listed on the official Google website, here is Google's Security Checklist.

Additionally, @_SEAL_Org has a good reference for Google account security here.

These two resources should be sufficient.


Github

Nearly every engineering / development function of a crypto organization uses GitHub, thereby making it a critical resource to safeguard. Despite this, secure DevOps is still rarely found amongst crypto projects. This may seem a bit extensive, but there's no end to developers pushing secrets in public, pushing code they shouldn't, and other DevOps nightmares.

  1. Enforce Multi-Factor Authentication - Navigate to Organization Settings → Security → Authentication security and enable "Require two-factor authentication for all members."
  2. Require Secure MFA Methods - Access Organization Settings → Security → Authentication security, enable "Require two-factor authentication" and select "Require use of security keys or passkeys for two-factor authentication" to disable less secure methods like SMS that are vulnerable to SIM swapping attacks.
  3. Verify Organization Domain - Go to Organization Settings → Profile → Verified domains and add your company domain. Verify ownership through DNS records to prove legitimate ownership of your organization and enable email domain restrictions.
  4. Review Connected GitHub Apps - Regularly audit installed GitHub Apps in Organization Settings → Third-party access → Installed GitHub Apps and remove any unnecessary or suspicious applications that may have excessive access to your repositories.
  5. Audit Organization Webhooks - Examine all webhooks in Organization Settings → Webhooks, ensuring each has a legitimate purpose, uses HTTPS, employs webhook secrets, and points to valid endpoints owned by your organization.
  6. Restrict App Installation Rights - Configure Organization Settings → Third-party access → GitHub Apps integration and select "Do not allow members to install GitHub Apps" to ensure only organization owners can install apps that might access sensitive data.
  7. Review Owner Permissions - Periodically audit users with Owner roles in Organization Settings → People and reduce the number of owners to the minimum necessary following the principle of least privilege.
  8. Configure Dependabot Alerts - Enable Dependabot alerts in repository settings → Security & analysis to receive notifications about vulnerabilities in your dependencies and stay informed about security risks.
  9. Set Up Dependabot Security Updates - Turn on Dependabot security updates in repository settings → Security & analysis to automatically create pull requests that upgrade vulnerable dependencies to patched versions.
  10. Implement Branch Protection Rules - Configure robust branch protection for critical branches (main, release/*) in repository settings → Branches → Add rule, requiring pull request reviews and status checks before merging.
  11. Require Pull Request Approvals - Under branch protection settings, enable "Require a pull request before merging" and set "Required number of approvals before merging" to at least 1 (preferably 2) to ensure code review before changes are merged.
  12. Pin GitHub Actions to Commit Hashes - Modify workflow files (.github/workflows/*.yml) to reference actions using full commit SHAs instead of tags or branch names (e.g., uses: actions/checkout@a12a394824761eff12e14e5dc05f8eff2e9a8ce4) to prevent supply chain attacks.
  13. Set Repository Default Permissions - Configure Organization Settings → Member privileges → Base permissions to "Read" or "None" and grant higher permissions only as needed to implement the principle of least privilege.
  14. Restrict Repository Creation - In Organization Settings → Member privileges, limit who can create repositories by selecting "Admins only" to prevent unauthorized repository creation that might bypass security controls.
  15. Manage Repository Visibility - Set Organization Settings → Member privileges → Repository creation to restrict public repository creation and prevent accidental exposure of private code.
  16. Enable Secret Scanning - Activate secret scanning in repository settings → Security & analysis to automatically detect and prevent committed secrets like API keys, credentials, and tokens.
  17. Implement Secret Scanning Push Protection - Enable push protection for secret scanning to block commits containing secrets before they enter your repository, preventing credential exposure entirely.
  18. Configure Required Status Checks - In branch protection rules, enable "Require status checks to pass before merging" and specify critical checks like security scans, linting, and tests to ensure code quality and security.
  19. Require Code Owner Reviews - Create a CODEOWNERS file in the repository's root or .github directory and enable "Require review from Code Owners" in branch protection to ensure experts review changes to critical code.
  20. Enable Signed Commits - Activate "Require signed commits" in branch protection rules to verify commit authenticity through cryptographic signing, preventing code from unverified sources.
  21. Disable Force Pushes - Enable "Do not allow force pushes" in branch protection rules to prevent history rewrites that could hide malicious changes or destroy valuable commit history.
  22. Prevent Branch Deletion - Enable "Do not allow deletions" in branch protection for critical branches to prevent accidental or malicious branch removal.
  23. Review Outside Collaborators - Regularly audit outside collaborators in Organization Settings → People → Outside collaborators and remove access when no longer needed.
  24. Configure External Collaborator Policies - Restrict external collaborator invitations in Organization Settings → Member privileges → Repository invitations to "Only organization owners" to prevent unauthorized access to repositories.
  25. Set Up Security Advisories - Enable repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your projects.
  26. Configure Audit Log Monitoring - Regularly review Organization Settings → Audit log to detect suspicious activity, unauthorized changes, or potential security incidents.
  27. Implement Team Access Controls - Structure teams with nested hierarchies in Organization Settings → Teams and grant repository access at the team level rather than individual level for more manageable permissions.
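
As an added example (not tooling from the guide or from GitHub), here is a small Python audit script for item 12 above: it walks a workflow file's uses: lines and reports which actions are pinned to a full 40-character commit SHA and which still float on a tag or branch. The sample workflow is constructed inline; the checkout SHA in it is the one quoted in item 12.

```python
"""Audit GitHub Actions workflows for actions not pinned to a full commit SHA.

Added example, not tooling from the guide or from GitHub. It implements the
rule from item 12: every `uses:` reference should end in a 40-hex-character
commit SHA rather than a mutable tag or branch, since a tag can be moved to
point at different code after you reviewed it. A sample workflow is
constructed inline so the script runs offline.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo[/path]@ref` with optional quotes; stops at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    status: str  # "pinned", "unpinned", "local" or "docker"


def classify_ref(uses: str) -> tuple[str, str, str]:
    """Return (action, ref, status) for one `uses:` value."""
    if uses.startswith("./"):
        return uses, "", "local"      # action in this repo: no ref to pin
    if uses.startswith("docker://"):
        return uses, "", "docker"     # images are pinned by digest; not checked here
    if "@" not in uses:
        return uses, "", "unpinned"   # no ref at all resolves to the default branch
    action, ref = uses.rsplit("@", 1)
    status = "pinned" if FULL_SHA_RE.match(ref) else "unpinned"
    return action, ref, status


def audit_workflow(text: str) -> list[Finding]:
    """Classify every `uses:` line in one workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, status = classify_ref(m.group(1))
            findings.append(Finding(line_no, action, ref, status))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.status == "unpinned"]


# Constructed sample: one SHA-pinned step, one tag, one branch, one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a12a394824761eff12e14e5dc05f8eff2e9a8ce4
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - name: Build
        run: npm ci && npm test
"""

if __name__ == "__main__":
    findings = audit_workflow(SAMPLE_WORKFLOW)
    for f in unpinned(findings):
        print(f"line {f.line_no}: {f.action}@{f.ref} is not pinned to a commit SHA")
    # Exit non-zero so this can gate a CI job or pre-commit hook.
    raise SystemExit(1 if unpinned(findings) else 0)
```

Point audit_workflow at each file under .github/workflows/ to check a real repository; a non-empty unpinned list is the set of lines to fix.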

Cloud

For your cloud environment I would highly suggest the usage of a tool called Prowler.

Prowler will analyze your cloud environment and produce a report on areas you need to remediate. It's particularly great for AWS environments.

It's an excellent tool for reviewing your cloud environment and is available as a CLI tool and web app.

Multisig

@frederiksvantes (Security lead at @ethereumfndn) has a great resource for anyone interacting with multisigs. I had my own write-up, but after researching and finding this resource, I'd rather just link his aptly named best practices checklist: How to Multisig.

Thank you @frederiksvantes for this excellent resource.

I also strongly recommend doing @CyfrinAudits' wise-signer simulated quiz. Super helpful for teams or individuals that want to run tabletop scenarios on real transaction signing related attacks.

Physical Security

There is an excellent article on approaching physical security by Carl Agnelli, @a16zcrypto's Head of Security. I'd highly recommend giving it a read for a good primer on the mindset of the physical threat landscape and how attackers think.

As a former pentester and red-teamer I've done my fair share of physical assessments. For the sake of this guide we'll be covering a few things commonly seen in the wild for this section.

Piggybacking and Tailgating

Ensure that any access points used to enter the physical space are promptly shut/locked upon entering to prevent tailgating. Likewise for piggybacking, ensure that there are robust controls internally in place to verify whoever is trying to access your space is actually authorized to do so.

Unattended Devices

Regardless of where you are, whether that's home, the library, a conference, or even the office, do NOT leave any of your devices unattended, especially if they're left open. It only takes a few seconds for a threat actor to plug into your device to install malware, steal it, or, if it's open, access all your critical accounts / wallets.

Don't Connect to Anything you Don't Know

The physical hacking world is getting more advanced every day. So much so that hackers have created USB-C and Lightning cable chargers that look, charge, and feel just like the official Apple products, but with an evil catch: they establish a beacon on your device and ping back to the attacker's device, giving them remote access control.

Similarly WiFi, especially public WiFi, should be avoided. There are numerous attacks hackers can conduct in order to compromise you if you're not careful. A few common vectors are:

  • Man-in-the-Middle Attacks: Attackers can position themselves between you and the connection point, intercepting your data without your knowledge.
  • Evil Twin Networks: Hackers create fake WiFi networks with names similar to legitimate ones (like "Airport_Free_WiFi") to trick users into connecting.
  • Session Hijacking: Attackers can steal browser cookies used to authenticate sessions on websites, gaining unauthorized access to your accounts.

I cannot stress enough the importance of not connecting physically or wirelessly to anything that you have not verified to be safe. If you must, please exercise caution and use a VPN.

Personal / Kidnapping

There has been a large uptick in crypto-related kidnapping over the past year or so, both of leaders of crypto organizations and, even more scarily, of their family members. Kidnappings typically aim to hold the victim for ransom. If you are a high-profile individual known to have large crypto holdings or a founder of a crypto project, I would recommend that you exercise caution and awareness for yourself and your family. If you haven't already, an alarm system would be beneficial for your residence or office.

For context, attackers interested in compromising your physical security via methods such as kidnapping will most likely strike when they anticipate you to be least aware, such as at the ingress or egress points of your travel. In light of these incidents, if you are a public individual with high status in the crypto industry, I highly recommend heightening your awareness and caution moving forward.


Conclusion

I sincerely hope this helps in whatever capacity to move the needle in securing our space. Even if it's just one person or protocol that finds it helpful, then it's all worth it.

If you have any feedback, suggestions, or revisions please don't hesitate to dm me!