Secure your bitcoins

Bitcoin security: threats, hygiene and OPSEC in 2026

Bitcoin security is not just about choosing a wallet: it is a cross-cutting topic covering your passwords, your 2FA, your public behaviour, your devices and your ability to react to an incident. This article maps the real threats of 2026, walks through operational hygiene, explains the BIP39 passphrase and plausible deniability, and gives an incident-response routine usable within hours.

Bitcoin security is not a single brick but the assembly of the tools already covered: seed phrase, hardware wallet, multisig, mobile wallet, Lightning. In 2026, attacks almost never break cryptography; they go around it, through the human and the operational.

Phishing on a fake exchange, SIM swap taking over SMS 2FA, clipboard malware that swaps an address at the moment of copy-paste, a fake tax adviser asking for the seed to regularise, an Instagram photo showing a Ledger on a desk: the attack surface is human and operational, not cryptographic.

This article maps the threats really active today, suggests password and 2FA hygiene, covers a bitcoiner's public OPSEC, explains when and how to use a BIP39 passphrase, and gives the steps to follow in the first hour when a seed is potentially compromised.

Password and 2FA hygiene

The exchange account or email account of a bitcoiner is what monetises fastest for an attacker. Compromise often happens via two chained weaknesses: a reused password, and an SMS 2FA recoverable via SIM swap. Three rules settle 90 % of the problem.

  • A password manager for everything. KeePassXC (local, encrypted `.kdbx` file, you back it up) or Bitwarden self-hosted via Vaultwarden (sync between devices, server control). Avoid cloud SaaS managers for Bitcoin-related accounts: they concentrate a critical asset at a third party (see the 2022 LastPass breach). Each Bitcoin service has a unique 20+ character randomly generated password.
  • App-based 2FA, never SMS. Aegis (Android, open source), Raivo (iOS), 2FAS (cross-platform). Configure it on all exchanges, on email and on the password manager itself. Back up the recovery codes of each service in the password manager or on paper in a safe. The number one cause of exchange-access loss is not hacking: it is a lost phone with no recovery codes.
  • YubiKey or SoloKey for critical accounts. A physical U2F/FIDO2 key, plugged in via USB or NFC, signs the login. Phishing-proof, SIM-swap-proof. Cost 25 to 60 EUR. Install it on the main email and main exchange, doubled with a second key kept in a safe as backup.

Four Bitcoin-specific weaknesses to fix.

  • Main email shared with other uses. If your Gmail address serves your exchange, PayPal and LinkedIn, a password breach on a third-party service exposes your exchange access. Create a dedicated Bitcoin email address (on a separate provider: ProtonMail, Tutanota, mailbox.org), used only for exchanges and Bitcoin services, never published anywhere.
  • Phone number tied to the exchange. If you can remove that number from your exchange profile, do so; otherwise, at least remove SMS 2FA. Ask your operator (Swisscom, Salt, Orange, Free, Deutsche Telekom, TIM) for a port-out lock: a password or in-store visit to transfer the SIM. It is free and blocks most SIM swaps.
  • Whitelisted withdrawal address. Every serious exchange lets you register a list of authorised withdrawal Bitcoin addresses (whitelist), with a 24-to-48-hour delay before a new address takes effect. Enable it. On account compromise, the attacker cannot withdraw immediately to their own address.
  • Login email notifications. Enable on every exchange. A login from a new browser triggers an email. If you see it without having logged in, you know immediately there is a compromise.

A quick audit to run this month: list your exchange accounts, check 1) unique 20+ character password, 2) app-based 2FA enabled and SMS disabled, 3) address whitelist enabled, 4) email notifications on. An hour of work that closes most opportunistic attack vectors.

Public OPSEC: what you let people see

OPSEC, for Operational Security, refers to what an observer can deduce from your public Bitcoin behaviour. For most people, it is a non-issue: a random attacker does not care about 200 EUR. But starting at a few tens of thousands of euros, and especially above 100,000 EUR, OPSEC becomes a security asset as important as a hardware wallet. The basic rule: you must be economically invisible.

Five typical leaks to eliminate.

  • Showing off on social networks. Picture of a Ledger on a desk, "Bitcoiner since 2014" badge, LinkedIn post "I invested early and it pays", X thread bragging about cycle gains: all of it catalogues you. The kidnapping cases recorded in 2024-2025 (France, Belgium, USA) almost all started from a public trace. If you must talk about Bitcoin publicly, do it under a pseudonym and never mention an amount.
  • EXIF metadata of photos. A smartphone photo carries by default GPS geolocation, date and device model. Posted on a Bitcoin blog with a hardware wallet in the background, it tells an attacker where you live. Disable GPS in the camera settings or clean the EXIF before publishing (ImageMagick `mogrify -strip`, or an online service that deletes the file after processing).
  • Public Lightning activity. Cleartext Lightning Addresses (name@domain.tld) are scannable. If your Lightning Address is john.smith@strike.me and you post under your real name, you are publishing a receive channel that can be used to estimate your flows. Prefer a Lightning Address derived from a pseudonym, or an anonymised LNURL.
  • Poorly compartmentalised Nostr and X pseudonymity. If your Nostr account posts under an npub with an avatar linked to your real LinkedIn, or if your X handle uses your first name and city, correlation is instant. Dedicate clean accounts to Bitcoin, never tie them to your civil identity, and use a VPN systematically for those sessions.
  • Careless Bitcoin ATM purchase. Bitcoin ATMs are under video surveillance. A regular withdrawal at the same ATM (bank, gas station) creates a pattern and links your civil identity to your Bitcoin address. Vary the ATMs, pay in cash, and if possible immediately route the sats to a different wallet via Lightning or CoinJoin.

A useful self-check: "if someone wanted to identify who holds bitcoins in my city from public sources, could they find me in under an hour?". If the answer is yes, your OPSEC is leaking and it is time to clean up.
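The EXIF leak described in the list above, as an added example (not code from the original article): a stdlib-only walker over the JPEG marker segments that reports and removes the Exif APP1 segment, the one carrying GPS position, capture date and device model. SAMPLE_JPEG is a constructed minimal file, not a real photo, and the walker assumes a baseline layout (SOI, marker segments, SOS, EOI).

```python
"""Detect and strip the Exif (APP1) segment of a JPEG at byte level, stdlib only.

Added example, not code from the original article. SAMPLE_JPEG is constructed.
"""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}   # markers with no length field
EXIF_ID = b"Exif\x00\x00"


def _segments(data: bytes):
    """Yield (marker, raw_segment_bytes) for every segment up to SOS.
    The SOS segment and everything after it (entropy-coded scan, EOI) is
    yielded once, untouched, because 0xFF bytes inside the scan are stuffed
    and must not be parsed as markers."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, data[:2]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte between segments
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        if marker == SOS:                    # scan follows: keep the tail verbatim
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def _is_exif(marker: int, seg: bytes) -> bool:
    # Payload starts right after 0xFF, marker, and the 2-byte length.
    return marker == APP1 and seg[4:4 + len(EXIF_ID)] == EXIF_ID


def has_exif(data: bytes) -> bool:
    """True if the JPEG carries at least one Exif APP1 segment."""
    return any(_is_exif(m, s) for m, s in _segments(data))


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG without its Exif segments; JFIF APP0, tables and the
    scan data are copied byte for byte, so the image itself is unchanged."""
    return b"".join(s for m, s in _segments(data) if not _is_exif(m, s))


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a marker segment: 0xFF, marker, 2-byte length (incl. itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, JFIF APP0, an Exif APP1 (TIFF header + placeholder
# where real GPS IFD entries would sit), a tiny SOS header, dummy scan bytes
# (including a stuffed 0xFF 0x00 pair), EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_ID + b"MM\x00\x2a\x00\x00\x00\x08" + b"GPS-PLACEHOLDER")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("exif present:", has_exif(SAMPLE_JPEG))
    print("after strip :", has_exif(strip_exif(SAMPLE_JPEG)))
```

Location can also hide in XMP (another APP1 payload) and IPTC (APP13) segments, which this walker deliberately keeps; `mogrify -strip` removes all of them, which is why the article recommends it for publishing.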

Separate devices: the best passive defence

A daily computer is used for hundreds of things: browsing, opening PDFs, downloading tools, receiving email, installing browser extensions. Each action adds an attack surface. If that same computer signs your Bitcoin transactions, you add up all the risks at the exact moment the signature matters.

Device separation breaks that accumulation. Three levels to consider based on your stakes.

  • Level 1, the minimum: hardware wallet to sign. Your daily computer can be infected without draining your bitcoins, because the final signature happens on a dedicated, offline device with a verification screen. This gives 80 % of the security for the least effort. Ledger, Trezor, Coldcard, BitBox02 all play this role. Detail in the Hardware wallet article.
  • Level 2, recommended above 10,000 EUR: dedicated computer. An old Linux laptop (Ubuntu, Fedora, Pop!_OS, Debian) with Sparrow Wallet or Specter Desktop, never used for anything else. No email, no browsing, no Slack. On only when you handle your bitcoins. Marginal cost: 0 EUR if you recycle an existing laptop, 300-500 EUR otherwise. Drastically reduces the infection window.
  • Level 3, for significant Bitcoin holdings: permanent offline computer (air-gap). A device that has never touched the internet, used only with a hardware wallet to generate and sign PSBTs (Partially Signed Bitcoin Transactions) transferred by microSD card. Typical pairing: Coldcard + Sparrow on Tails OS. Reserved for multisig setups or 7-figure holdings.

Three complementary practices to adopt.

  • Secondary phone for mobile wallet. An entry-level Android phone (200-300 EUR), with only Phoenix or Muun installed, plus banking if needed to top up EUR. No WhatsApp, no TikTok, no personal email. The main phone stays usable normally, and any daily leak does not reach the Bitcoin wallet.
  • Faraday bag for travel. A Faraday bag (15-30 EUR) blocks all radio communication (Bluetooth, NFC, Wi-Fi, cellular) of the phone or the hardware. Useful on business trips or in hostile contexts (foreign customs, Bitcoin conventions where rogue NFC bracelets circulate). Not needed daily.
  • VPN on Bitcoin sessions. Mullvad, IVPN, ProtonVPN. Prevents your ISP and exchanges from correlating your IP with your activity, and prevents a malicious Wi-Fi neighbour from intercepting metadata. Cost 5 to 10 EUR per month.

BIP39 passphrase and plausible deniability

The BIP39 passphrase, sometimes called the 13th or 25th word, is a word or phrase added to your seed to derive an entirely different wallet. The same seed without passphrase yields wallet A. With the passphrase "BitcoinMarketSummer2026" it yields wallet B, and with "AnotherPhrase" it yields wallet C. Mathematically these are distinct, independent wallets that only share the underlying BIP39 seed.

Three common uses.

  • Seed reinforcement. If the paper seed is stolen but the passphrase is only in your head, the attacker can do nothing. It is a defence-in-depth layer. Phoenix, Sparrow, Trezor, Coldcard, BitBox02 all support the BIP39 passphrase.
  • Decoy wallet for plausible deniability. You leave a few sats on the "no-passphrase" wallet (typically 50 to 200 EUR to stay credible). Under physical coercion, you give your seed, the attacker restores wallet A and finds a small balance. The real holdings stay protected on wallet B, behind the passphrase. This only works if the attacker does not know a passphrase exists; otherwise they will keep pressing.
  • Use compartmentalisation. Wallet A for daily use, wallet B for long-term savings, wallet C for pseudonymous payments. One seed to back up, as many wallets as memorised or separately-stored passphrases.

Three pitfalls to avoid, because they have cost bitcoins to many people.

  • Passphrase too short or obvious. "password", "bitcoin", a child's first name, a birthday: all of it is brute-forceable once the seed is known. A good passphrase is at least 5 Diceware words (~64 bits of entropy) or 12 random alphanumeric characters. Do not rely on human creativity, use a generator.
  • Forgotten or lost passphrase. A passphrase is by construction unrecoverable. If you forget it, the bitcoins on wallet B are as permanently lost as if you had burned the seed. Force yourself to make a paper backup of the passphrase, in a location separate from the seed (the combination of both is what gives access, so separating the two supports protects against a single theft).
  • Passphrase typed on a compromised device. If you type the passphrase on the keyboard of an infected computer, a keylogger captures it alongside the potentially stored seed. Entry is always done directly on the hardware wallet (Trezor, Coldcard, BitBox02 have a screen and physical keys for this), never via desktop software.

Level advice: a beginner should not use a passphrase until the seed backup is mastered. A mishandled passphrase causes more damage than it prevents. For an intermediate user with notable Bitcoin holdings, adopt it in a second phase, after six to twelve months of healthy operational experience.
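The derivation behind "wallet A, B, C" above and the Diceware entropy figure from the pitfalls list, as an added example (not code from the original article, stdlib only): BIP39 stretches the mnemonic with PBKDF2-HMAC-SHA512, using "mnemonic" plus the passphrase as salt, so each passphrase yields an unrelated seed. SAMPLE_MNEMONIC is the public BIP39 test-vector mnemonic; the passphrases and the NFKD check are constructed illustrations.

```python
"""BIP39 mnemonic-to-seed derivation with and without a passphrase, stdlib only.

Added example, not code from the original article. SAMPLE_MNEMONIC is the
public BIP39 test-vector mnemonic; passphrases below are constructed values.
"""
import hashlib
import math
import unicodedata

SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])  # public BIP39 test vector


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte seed per BIP39: PBKDF2-HMAC-SHA512, 2048 rounds,
    password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase).
    An empty passphrase is "wallet A" in the article; any other string
    yields an unrelated seed, so "wallet B" and "wallet C" share nothing
    but the words on paper."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def derive_wallet_seeds(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Hex seed per passphrase. No passphrase is ever rejected: a typo
    silently derives a fresh, empty wallet, which is why the article insists
    on a separate paper backup of the passphrase itself."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def passphrase_entropy_bits(kind: str, length: int) -> float:
    """Entropy of a passphrase produced by a generator (not a human).
    "diceware": `length` words from the 7776-word list (log2(7776) ~ 12.9 bits each).
    "alnum": `length` characters from [A-Za-z0-9] (log2(62) ~ 5.95 bits each)."""
    alphabet_size = {"diceware": 7776, "alnum": 62}[kind]
    return length * math.log2(alphabet_size)


def nfkd_equivalent(mnemonic: str, a: str, b: str) -> bool:
    """NFKD caveat: two passphrases typed differently (e.g. precomposed "é"
    U+00E9 vs "e" + combining acute U+0301) are different byte strings but
    derive the same seed on a BIP39-compliant wallet. A wallet that skipped
    normalisation would open a different, empty wallet for one of them."""
    return bip39_seed(mnemonic, a) == bip39_seed(mnemonic, b)


if __name__ == "__main__":
    for p, seed in derive_wallet_seeds(SAMPLE_MNEMONIC, ["", "TREZOR"]).items():
        print(f"passphrase={p!r:10} seed={seed[:16]}...")
    print("5 Diceware words:", round(passphrase_entropy_bits("diceware", 5), 1), "bits")
```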

Incident response: the first hour counts

All the prevention in the world does not stop an incident from happening someday. The difference between a mere alert and a hard loss often plays out within the hour following detection. Three frequent scenarios, and the sequence to execute.

Scenario A: potentially compromised seed. You typed the seed on a computer you suspect is infected. You lost a notebook where you had copied the seed. Someone entered your home and you are no longer sure the paper backup is intact.

  1. Immediately open a clean wallet (different device, blank hardware wallet or freshly set-up new phone) and generate a new seed with a new passphrase.
  2. Build a transaction that transfers all UTXOs of the old wallet to an address of the new one. Not a partial transfer: everything, in a single transaction when possible.
  3. Set L1 fees high enough to land in the next block. A compromised seed is a race against time; this is not the moment to save 5 EUR.
  4. Once the transaction is confirmed, physically destroy the compromised backup.

Scenario B: stolen phone with mobile wallet. The phone has been untraceable for a few hours, you do not know if it is off, on, or in someone's hands.

  1. From another device, launch the find my device function and trigger the remote lock. iCloud Find My or Google Find My Device. If possible, wipe the data remotely (the mobile wallet is no longer usable, but you keep the seed).
  2. On a new phone, restore the mobile wallet from your seed (paper backup). Build a transaction that empties the funds to a different address, ideally one already unknown to your mobile seed (cold storage, other wallet).
  3. Revoke active sessions on the exchanges linked to the phone (check emails on Kraken, Bitstamp, Coinbase for active device lists).
  4. Change the password of the associated iCloud / Google account, because the thief may try to reset the phone and access your backups.

Scenario C: hacked exchange account. You receive a suspicious login notification, or you see a withdrawal order you did not initiate.

  1. Freeze withdrawals immediately: most exchanges offer a "lock my account" or "freeze withdrawals" button. Otherwise, contact official support via the site (never via an email link).
  2. Change the password from a clean and healthy device. Regenerate the 2FA.
  3. Withdraw all accessible balances to an address you control (your hardware wallet), even at the cost of small fee losses.
  4. Document everything: screenshots of suspicious emails, transaction IDs, timestamps. Open a support ticket, and if the loss is notable, file with the police and competent authorities (FINMA for CH, AMF for FR, BaFin for DE, Consob for IT). Keep evidence for possible insurance.

An annual audit routine to integrate so you do not discover the problem during the incident: review active exchange sessions, rotate critical passwords, test seed recovery on a blank wallet, check that hardware firmware is up to date, audit the EXIF of your publications, review the notification emails received over the year (any anomaly?), test the YubiKey backup. One day per year, scheduled like a technical birthday. This is what turns theoretical Bitcoin security into operational security that holds.

Disclaimer

Educational and informational content only: not investment, tax or legal advice. Bitcoin carries significant risks, including high volatility and the possible loss of invested capital. Each reader remains responsible for their decisions; when in doubt, consult a qualified professional in your jurisdiction.


Going further

Security applies to every brick of your setup. To go deeper on each brick:

  • The BIP39 seed phrase: the root of everything, supports, backup, verification, passphrase.
  • Hardware wallet: the pivot of secure signing, supply chain, attestation.
  • Bitcoin multisig: distant cosigners, defence against the 5-dollar wrench attack.
  • Mobile wallet: mobile-specific risks, cap, secure setup.
  • Lightning wallet: hot wallet by nature, SCB, LSP.

To place security back in the topic:

  • Store Bitcoin guide: the custody overview, from daily use to inheritance.
  • Buy your first Bitcoin: upstream prerequisite, where OPSEC starts at exchange signup.