Offered to the Web3 community by zôÖma, edited by Samouraï Coop with the support of my mates from the Berty core team (@berty). Feel free to contribute.
This is an exciting time for those of us in the Web3 world who are exploring this new continent of decentralized protocols.
In just 13 years, this new wave of technology, initiated by Bitcoin, has proven its robust security. The growth of its market over the last ten years has led to ever higher token valuations, and has given all kinds of people around the world, young and old, technical and non-technical, access to funds that are sometimes very large.
It is important to remember that Bitcoin, just like its little sister crypto-currencies, brings to the world a totally new freedom of emancipation from banks and financial systems. With this freedom comes a huge responsibility: to be your own bank. Where Bitcoin liberates, it brings its own set of constraints and challenges that every user must keep in mind.
You may think this is useless advice, because your wallet is too small to be of interest to malicious people. Or you may think you are safe, because you live in a safe country.
And it is a common mistake not to plan for the future. Your portfolio today could be worth millions of dollars in a few years. The security mistakes, or negligence, you make today will impact your security tomorrow.
This little book is for you, all forms of cryptocurrency users around the world, and is intended to bring together all the information about your security, today and tomorrow.
This book will include a collection of documentation, recommendations, and resources to ensure the safety of:
- young, newly rich cryptocurrency traders
- celebrities and public figures involved in cryptocurrencies
- new users of this new continent
- your mother, who asks you to buy her some Bitcoin
:spiral_note_pad: This document will be updated and upgraded by the community, and will remain free. It will also be available in a book version with a new edition every year, edited by the Samouraï Coop team, for those who prefer to read it on paper, or to offer it to their newcomer friends.
Let's build your configuration from scratch. Make yourself comfortable and let's go.
- Prepare some cash to buy your devices without any credit card
  - This will protect you from any metadata associated with the device.
- Set up a safe & secure environment around you to create your setup.
  - Make sure you're using a secured WiFi.
  - Do not use any public WiFi, obviously.
- Buy a separate and dedicated device for all your crypto-related activities
  - Linux or macOS recommended.
- Create a dedicated email for all NON-CRYPTO related stuff
  - We'll call it in this book the lambda email
  - This email will be used for all commercial stuff
  - Even if it's not a really sensitive mailbox, Protonmail.com is recommended.
- Set up a VPN using your lambda email
  - Do not trust closed-source VPNs (e.g. NordVPN cannot be 100% trusted). :link: OpenVPN recommended https://openvpn.net/
- Set up NextDNS using your lambda email 🔗 https://nextdns.io recommended.
- Set up a password manager (and pay for it!)
  - Recommended: Bitwarden, 1Password or Dashlane
  - Tip: It is highly recommended to understand how to create strong passwords.
- Create a dedicated email for all crypto-related activities
  - This email will be used only for exchange platforms
  - We'll call it in this book the crypto email
  - 🔗 Protonmail.com recommended.
  - Make it secure with a very strong password
    - More than 20 characters, including capitals & special characters
    - You can experiment with how to build a strong one using: https://www.security.org/how-secure-is-my-password
  - Add two-factor authentication (2FA) using Google Authenticator on Protonmail
  - ⚠️ Do not use this email account for anything else, and do not share it anywhere. If you receive messages or spam from strangers, it means your email has been leaked from an exchange you're using.
- Buy a hardware wallet
  - ⚠️ Do not use your personal postal address! Use a relay address as a physical proxy. Do not give correct information about sensitive private data. Tip: Create a dedicated pseudonym for this order.
  - 🔗 Ledger.com recommended, do not buy it anywhere else.
- Set up a Samourai Wallet :link: https://samouraiwallet.com
- Set up a full node using DOJO :link: https://samouraiwallet.com/dojo
- Set up Metamask
Make sure your seed phrase is safe from fire, moisture, and all forms of hazards. Don't put all your passphrases together in one place.
- Save your passphrase in a secure hidden place :link: https://link.infini.fr/gravitis-secret-walll-safe 🔗 https://link.infini.fr/vault-miniature
- Put your seed phrase in a secure place and a metal box :link: https://cryptosteel.com/
Case study: 🔦 Hide your passphrase in a metal box, then hide it in a wall, an invisible hiding place, or in a discreet personal safe.
Associated notes: 📔 Never copy/paste your seed phrase on your device. Never share it with anyone. (👋 Captain Obvious in the house)
TBD
One of the most important rules you need to understand is that security depends on your exposure factors. If you have been publicly engaged in the Bitcoin & crypto community for a few years, you will be a potential target for malicious people or organisations. By having public exposure under your real identity, you are exposed to various side-channel attacks that are important to keep in mind.
As an example of recent cases, many young crypto millionaires were so proud to communicate on Twitter & Instagram about their amazing travel life, jumping from one crypto event to another, and publishing pictures of every place they go.
This type of behavior seems normal in the era of permanent public representation. However, these habits should be completely banned if you have a large portfolio.
The best and first protection is to remain anonymous.
Why should you do this?
Because with information about your last name, first name, and your movements, several types of attacks are possible:
- The robbery, under physical constraint. This type of attack is relatively logical and easy. Since the attackers know your movements, your face, and your name, they can position themselves in various places to wait for you, and take you to a potentially very painful hell in order to force you to release your funds.
- The social engineering attack. Sometimes you don't have to pull out a gun to get funds released. Some scammers will use well-documented manipulation techniques, based on OSINT (open source intelligence) that you yourself have published on the networks. Knowing your tastes, your background, your projects, your CV, or even your aspirations and needs, they can present themselves in the form of a friendly meeting, during which a very well prepared hack potentially takes place. In the last two years, there has been a resurgence of such attacks, especially in the NFT community, with scammers offering a professional meeting in a restaurant of their choice. By presenting themselves as buyers or partners with a very interesting offer, they set the stage for a discussion in which the victim's trust is established. Then, they can either use a "fake WiFi" attack or a simple keylogger (a USB key that opens a gateway into your device), take possession of your passphrase, and carry out the rest of the hack as soon as the meeting is over.
- Use nicknames to book your travel tickets, hotels, etc. Every star and public personality is used to doing this. Even if you're unknown, you should use a nickname when booking a hotel for a crypto conference or even a simple holiday trip. Don't think it's a paranoid tip.
If organized crime groups are using the same means they have used for nearly 100 years to rob banks to analyze opportunities for cryptocurrency holders, then you can be sure that a simple piece of information about the time and place of your next trip can be worth a lot of money.
For example, a social engineering attack on a hotel near a crypto event is all it takes to get a target's reservation date information from the operator. Sometimes, this information can be obtained for free through trickery. But it is also common in these malicious circles to have budgets to ensure a network of reliable informants.
By default, do not trust anyone. It's a sad adage, but everyone should accept that risk-taking is purely and simply unnecessary. If you have $20 million, and you are the only protection between you and this world, believe it or not, you will be very glad you thought your way through it carefully.
- Do not communicate about "where you live". Never use your personal address for anything on the internet linked to your real identity.
When a service provider, a platform (Amazon, or any service delivering physical products to you) has your address, and your identity, it has a huge responsibility. Unfortunately, we can't trust them at all. Even with the best security team in the world, vulnerabilities exist that can reveal your address to malicious third parties.
From the server that hosts the data, which can be hacked and sold to a variety of people, to the simple delivery man who recognizes you by chance, consider that the interactions are too risky to be foolproof over time.
Use as much as possible:
- Post office boxes
- Parcel relays
- Trusted addresses, from a relative or a company
Here, we are obviously not inventing the wheel. Celebrity artists have always received their mail at the record company. So think like a rockstar. Your "fans" are just a lot more dangerous than the Beatles after all.
- Data trolling & social networks: "Island food is amazing". One of the most common sources of information for criminals is social networks. Take two drastic steps regarding your social media posts:
  - Never post a picture of a place where you still are. Leave a 72-hour delay between the photo and the post. Consider that any of its information can be used, both through the photo itself and through its metadata. From a simple post we can, for example, identify the exact location of a photo, but also the devices present around it. Sorry, but your fans on Instagram are not worth it when weighed against your security.
  - Play with this data, troll the audience. If you post regularly, because you are addicted, that's your business. But in this case, maybe it's smart to incorporate "noise" into your posts: information that would disrupt a detailed analysis of your movements. If an investigator watching you sees a picture in Iceland where you describe the quality of a meal in a good restaurant, that's always a good thing, since you may be safely in the south of France during this time.
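As an added example (not code from this guide or from any project it mentions), here is a check you can run on a photo's EXIF block before posting it: it builds a constructed sample TIFF/EXIF blob carrying GPS coordinates and then parses it back the way any viewer, or an investigator, would. The `build_sample_exif` and `read_gps` names and the sample coordinates are assumptions of this example.

```python
import struct

# EXIF tag numbers involved (values from the EXIF specification)
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a little-endian TIFF/EXIF blob (the payload of a JPEG APP1
    segment) whose IFD0 points at a GPS IFD. Fixed layout: IFD0 at 8, GPS IFD at 26,
    latitude rationals at 80, longitude rationals at 104."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    def ascii(tag, ch):       # ASCII (type 2), count 2: value stored inline, padded to 4 bytes
        return struct.pack("<HHI", tag, 2, 2) + ch.encode() + b"\x00" * 3
    def rational(tag, off):   # RATIONAL (type 5), count 3: value field is an offset
        return struct.pack("<HHII", tag, 5, 3, off)
    gps = (struct.pack("<H", 4) + ascii(GPS_LAT_REF, lat_ref) + rational(GPS_LAT, 80)
           + ascii(GPS_LON_REF, lon_ref) + rational(GPS_LON, 104) + struct.pack("<I", 0))
    dms = b"".join(struct.pack("<II", int(v * 100), 100) for v in lat_dms + lon_dms)
    return header + ifd0 + gps + dms

def read_gps(blob):
    """Return (lat, lon) in decimal degrees if the blob carries GPS coordinates, else None.
    Honours the byte order declared by the TIFF header ("II" little, "MM" big endian)."""
    e = "<" if blob[:2] == b"II" else ">"
    u16 = lambda off: struct.unpack_from(e + "H", blob, off)[0]
    u32 = lambda off: struct.unpack_from(e + "I", blob, off)[0]
    def entries(ifd):         # yield (tag, type, count, offset of the 4-byte value field)
        for i in range(u16(ifd)):
            at = ifd + 2 + 12 * i
            yield u16(at), u16(at + 2), u32(at + 4), at + 8
    def dms_to_degrees(off):  # three RATIONALs: degrees, minutes, seconds
        d, m, s = (u32(off + 8 * i) / (u32(off + 8 * i + 4) or 1) for i in range(3))
        return d + m / 60 + s / 3600
    # IFD0 starts at the offset stored in header bytes 4..7; look for the GPS sub-IFD pointer
    gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == GPS_IFD_POINTER), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, count, v in entries(gps_ifd):
        if typ == 2 and count <= 4:      # short ASCII value stored inline (e.g. "N", "W")
            fields[tag] = blob[v:v + count].rstrip(b"\x00").decode()
        elif typ == 5 and count == 3:    # value field holds an offset to the rationals
            fields[tag] = dms_to_degrees(u32(v))
    if GPS_LAT not in fields or GPS_LON not in fields:
        return None
    lat = fields[GPS_LAT] * (-1 if fields.get(GPS_LAT_REF) == "S" else 1)
    lon = fields[GPS_LON] * (-1 if fields.get(GPS_LON_REF) == "W" else 1)
    return round(lat, 4), round(lon, 4)

# Constructed sample: a spot in Reykjavik, Iceland (64°08'N, 21°56'W); prints (64.1333, -21.9333)
print(read_gps(build_sample_exif((64, 8, 0), "N", (21, 56, 0), "W")))
```

A real photo carries this structure inside the JPEG APP1 segment right after the "Exif\0\0" marker; if `read_gps` returns coordinates for one of your pictures, strip the metadata before posting.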
- Ledger Dondon (tbd)
- Paymium : Be safe using exchanges (tbd)
- Samouraï Wallet : Be safe using Bitcoin Wallets (tbd)
- Rekt.news : Be safe using DeFi (tbd)
- Wagram Protection, Veritas : Take care of your physical protection (tbd)
- some POV from ecosystem members (tbd)
- Who should we interview?
- TBD
500 Eth https://twitter.com/0xflim/status/1459673602874249216?s=21
Cryptotrader kidnapped in HK https://u.today/crypto-trader-kidnapped-by-gang-in-hong-kong
Tortured to reveal Bitcoin private keys https://cryptopotato.com/tuentis-founder-tortured-to-reveal-his-bitcoin-private-keys-report/
Murder in Plancher-Bas: the student killed for €200,000 of cryptocurrency https://www.estrepublicain.fr/faits-divers-justice/2021/10/22/assassinat-a-plancher-bas-l-etudiant-tue-pour-200-000-de-cryptomonnaie
I have just been assaulted at my home https://twitter.com/PowerHasheur/status/1486426960393867274
9 tips https://cryptopotato.com/9-must-tips-securing-crypto-wallet/
Protecting your funds https://support.mycrypto.com/staying-safe/protecting-yourself-and-your-funds/
Another quick guide https://medium.com/mycrypto/mycryptos-security-guide-for-dummies-and-smart-people-too-ab178299c82e