Operational Security: Personal OPSEC Checklist

OPSEC (Operations Security) is a risk management process used to identify, assess, and protect sensitive information that adversaries could exploit. It’s widely used in military, cybersecurity, law enforcement, and intelligence, but also applies to personal privacy and OSINT investigations.

OPSEC means thinking like an attacker. It is not about secrecy; it is about smart control of information. Assume anything you post or say can be cross-referenced, scraped, and potentially used to identify or target you. Before you share or act, ask yourself: “What could this information reveal, who would want it, and why?”

⭐ The 5 OPSEC Steps (Core Principles):

1. Identify Critical Information

Ask: What information, if leaked, would pose a risk?
E.g., locations, usernames, personal identifiers, login credentials, internal procedures, crypto wallet addresses, customer data.

2. Analyze Threats

Ask: Who are the potential adversaries? What do they want?
E.g., scammers, hackers, insider threats.

3. Analyze Vulnerabilities

Ask: How could the information get leaked?
E.g., insecure email, metadata leaks, weak passwords, browser fingerprinting, careless social media posts.

4. Assess Risks

Ask: Is this a high-risk situation that needs action now? What would the impact be?
Weigh threat and vulnerability together. This step helps prioritize risks and design proportional controls.

5. Apply Countermeasures

Ask: How do we reduce the exposure/threat?
E.g., use 2FA, compartmentalization (don’t reuse accounts/data), limited data sharing, internal-only channels, encryption, anonymity (VPNs, pseudonyms), and redaction or removal of EXIF metadata.

⭐ Devices & Browsing

  • Use a dedicated device or virtual machine (VM) for sensitive tasks (e.g., research, crypto).
  • Install a reputable VPN
  • Use privacy browsers
  • Block browser fingerprinting & ads
  • Use separate browser profiles or containers.

⭐ Accounts & Logins

  • Never use your real name or main email for OSINT, crypto, or sensitive work
  • Create burner emails and usernames
  • Use a password manager
  • Turn on 2FA
  • Avoid using the same email/phone across platforms
  • Never link your KYC wallet to public forums or Discord.

⭐ Metadata & Files

  • Strip EXIF metadata from images and documents before sharing
  • Use tools like ExifTool, or Preview on Mac (Tools > Remove Location Info)
  • Avoid uploading sensitive PDFs, spreadsheets, or resumes without redaction.

⭐ Identity Compartmentalization

  • Create separate personas (sock puppets) for: OSINT, crypto activity, work
  • Don’t cross-link them or reuse usernames, emails, avatars
  • Never use your work email to sign up for OSINT tools or on the dark web.

⭐ Location & Tracking

  • Disable GPS/location sharing unless needed
  • Avoid posting real-time location updates
  • Use maps/screenshots, not live links
  • Strip location metadata from images.

⭐ Risk Exposure

  • Scammers & fraud rings
  • OSINT-savvy attackers (reverse-searching info you post)
  • Insiders or rogue employees
  • Automated bots scraping LinkedIn, GitHub, portfolio sites.