CIA Officer
Apr 25 33 tweets 14 min read
You've been asking me for a long time and finally I decided to write an ultimate thread on an advanced (and authorial, please note) cryptocurrency storage technology 😎

Read carefully, there will be only Spy-level tips 👇
1/X

Understand that all sorts of blockchain.info, TrustWallet, MetaMask and other wallets are just interfaces.
2/X

Consider cold wallets. Personally, I do not trust Ledger or Trezor. There is a hardcore version, BitLox Ultimate, which is literally stuffed with security-related features, routes its traffic through Tor, and has several levels of encryption: bitlox.com/products/bitlo…
3/X

Or an ascetic Coldcard, which is a good choice for those who love simple and clear mechanics: coldcard.com
4/X

Make a cold wallet yourself, for example from an old smartphone. You can also make a cold wallet with Electrum and route all its traffic through Tor. Know AirGap's weak sides.
5/X

- airgap.it

Weak parts: airgapcomputer.com
6/X

Check what you are signing. If we speak about ETH L1/L2: never use your main cold storage for casual work, but if you have to, always check that there is no allowance approval (which allows your wallet to be drained) and no proxy behind which that function may be hiding.
8/X
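
An added example, not part of the original thread: a small Python check that decodes raw transaction calldata before signing and flags ERC-20/ERC-721 approval calls, including the unlimited allowance. The function name `inspect_calldata`, the risk labels and the sample calldata (with a placeholder spender address) are assumptions made for this illustration.

```python
# Added example: flag token-approval calls in raw transaction calldata.
# Selector = first 4 bytes of keccak256(function signature).
APPROVAL_SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
}
MAX_UINT256 = 2**256 - 1


def inspect_calldata(data_hex):
    """Return details of an approval-type call, or None for any other call."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = APPROVAL_SELECTORS.get(data[:8])
    if name is None:
        return None
    args = data[8:]
    if len(args) < 128:
        raise ValueError("expected two 32-byte arguments")
    word0, word1 = args[:64], args[64:128]
    # An address is right-aligned in its 32-byte word: top 12 bytes are zero.
    if int(word0[:24], 16) != 0:
        raise ValueError("malformed address argument")
    amount = int(word1, 16)
    if name == "setApprovalForAll":
        risk = "all-tokens" if amount else "revoke"
    elif amount == MAX_UINT256:
        risk = "unlimited"
    elif amount == 0:
        risk = "revoke" if name == "approve" else "no-op"
    else:
        risk = "limited"
    return {"function": name, "spender": "0x" + word0[24:],
            "amount": amount, "risk": risk}


# Constructed sample calldata; the spender is a placeholder address.
SPENDER = "11" * 20
PAD = "00" * 12
UNLIMITED = "0x095ea7b3" + PAD + SPENDER + "ff" * 32
LIMITED = "0x095ea7b3" + PAD + SPENDER + format(1000, "064x")
OPERATOR = "0xa22cb465" + PAD + SPENDER + format(1, "064x")
TRANSFER = "0xa9059cbb" + PAD + SPENDER + format(1000, "064x")

if __name__ == "__main__":
    for sample in (UNLIMITED, LIMITED, OPERATOR, TRANSFER):
        print(inspect_calldata(sample))
```

A `None` result only means the top-level call is not one of these three functions; an approval wrapped in a proxy or batched call does not show its selector at the top level, so the target contract still has to be reviewed.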

Never use your main cold storage and «Back Office PC» for casual work, but if you have to do it, use only open-source wallets like alphawallet.com, electrum.org, sparrowwallet.com

9/X

Check out wallet rating: walletscrutiny.com
10/X

Accept as a fact that if the device falls into the hands of intruders, only custom capacitors can save your money (so that nobody can get directly to the brains and read the electrical signals), along with other things like self-destruction, epoxy, and so on.
11/X

That is, ideally, you must not allow physical contact in any case. You can use special logic bombs or logic gates, extra passwords that trigger some kind of security action, alert events on your address via tenderly.co, or a 2/3 multi-sig.
12/X

One could also create a honeypot wallet and have a script that listens for tx originating from those addresses that alerts authorities, security companies and/or friends & family that you are under duress, perhaps even sending your location or last known location via GPS.
13/X

Always double-check an address you've copied to the clipboard. There is malicious software that can replace an address in your clipboard with a very similar-looking address that has the same symbols at the beginning/end as your address.
14/X
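
An added example, not part of the original thread: a Python check that compares a pasted address against your own list of trusted addresses over its full length and flags a value that only shares the first or last characters with a trusted entry. The function name `classify`, the address-book layout and the sample addresses are constructed for this illustration.

```python
import re

# 0x followed by exactly 40 hex characters (an Ethereum-style address).
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def classify(pasted, book, edge=4):
    """Compare a pasted address with every trusted address in `book`.

    Returns (verdict, label): 'match' with the matching label, 'lookalike'
    with the label being imitated, 'unknown' or 'malformed' with None.
    The comparison is case-insensitive and does not validate the EIP-55
    checksum (keccak256 is not in the Python standard library).
    """
    pasted = pasted.strip()
    if not ADDR_RE.fullmatch(pasted):
        return ("malformed", None)
    p = pasted.lower()[2:]
    imitated = None
    for label, addr in book.items():
        a = addr.lower()[2:]
        if a == p:
            return ("match", label)
        # Same leading or trailing characters, but not the same address:
        # this is what a quick glance at both ends fails to catch.
        if a[:edge] == p[:edge] or a[-edge:] == p[-edge:]:
            imitated = label
    return ("lookalike", imitated) if imitated else ("unknown", None)


# Constructed sample data: one trusted address and a value that keeps its
# first and last four characters but differs everywhere in between.
BOOK = {"cold-storage": "0x" + "ab12" + "0" * 32 + "cd34"}
LOOKALIKE = "0x" + "ab12" + "9" * 32 + "cd34"
UNRELATED = "0x" + "7" * 40

if __name__ == "__main__":
    for value in (BOOK["cold-storage"], LOOKALIKE, UNRELATED, "0x1234"):
        print(value, classify(value, BOOK))
```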

Be aware of modern attack methods. Carefully read my Guide and Compendium step by step. You don't need a deep understanding of exactly how hacks work, but it's important to know what it looks like to be a victim:

- github.com/OffcierCia/Cry…

- graph.org/All-known-smar…
16/X

Study threat modeling and establish all possible threats, even if they seem crazy to you. Being suspicious is always a good thing. After all, fake news only works best with those who carry it to their acquaintances, becoming a kind of donor.
17/X

It is the same with attacks: very often attackers may try to hack you through acquaintances, by pretending to be acquaintances, or by being the acquaintances themselves. Always keep this in mind. This world is cruel and dangerous.

- usenix.org/system/files/1…
18/X

For deals, use escrow and a tx alarm clock, along with special services like safient.io, sarcophagus.io, safehaven.io.

- github.com/OffcierCia/Cry…

- github.com/OffcierCia/Cry…
19/X

Use open-source password storage, a self-hosted link system and a reliable communication method, use #OpSec services, and be aware of the latest anonymity and #privacy techniques:
- keepass.info
- obsidian.md
- github.com/jlopp/physical…
- docs.google.com/spreadsheets/d…
20/X

Counter-OSINT is important. Read about it here:

- t.me/officer_cia/200
Not one service in the article and not one person paid me to mention them in the list, unfortunately 😅.

This thread is an article I wrote a couple of days ago, read it here: graph.org/Key-principles…
Also check out my #OpSec guide github.com/OffcierCia/Cry…
Tip: use this tool when working with PDFs, CVs and such files 😎 Or just use Qubes OS
Support is very important to me, with it I can spend less time at work and do what I love - educating #DeFi & #Crypto users 💖

If you want to support my work, please donate to the address:

0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A — ERC20 & ETH (officercia.eth)
Or make a paper wallet. Store it in a reliable safe. That's for part of the money; ideally, split it.
Choose waterproof and fireproof material for this purpose. Ideally, use medical steel.
Why are OpSec in general and Counter-OSINT in particular important? Let's take a look 👇

coindesk.com/business/2022/…

This guy used his real name and/or a phone number associated with his real identity. Bad OpSec, and no Counter-OSINT was used… These techniques might have saved him.
- Conduct an OSINT investigation against himself or hire an OSINTer

- All information that cannot be deleted by queries/abuse and complaints/attacks should be made unreadable by "obfuscation".

Example:

Visit my OpSec Map: github.com/OffcierCia/Cry…
Thank you! Here you can track all my activities start.me/p/QRg5ad/offic…
