
China Hackers Using Brickstorm Backdoor to Target Government, IT Entities


Chinese-sponsored groups are using the popular Brickstorm backdoor to access and gain persistence in government and tech firm networks, part of the ongoing effort by the PRC to establish long-term footholds in agency and critical infrastructure IT environments, according to a report by U.S. and Canadian security offices.

The post China Hackers Using Brickstorm Backdoor to Target Government, IT Entities appeared first on Security Boulevard.

India Reviews Telecom Industry Proposal For Always-On Satellite Location Tracking

By: BeauHD
India is weighing a proposal to mandate always-on satellite tracking in smartphones for precise government surveillance -- an idea strongly opposed by Apple, Google, Samsung, and industry groups. Reuters reports: For years, the [Prime Minister Narendra Modi's] administration has been concerned its agencies do not get precise locations when legal requests are made to telecom firms during investigations. Under the current system, the firms are limited to using cellular tower data that can only provide an estimated area location, which can be off by several meters. The Cellular Operators Association of India (COAI), which represents Reliance's Jio and Bharti Airtel, has proposed that precise user locations should only be provided if the government orders smartphone makers to activate A-GPS technology -- which uses satellite signals and cellular data -- according to a June internal federal IT ministry email. That would require location services to always be activated in smartphones with no option for users to disable them. Apple, Samsung, and Alphabet's Google have told New Delhi that should not be mandated, said three of the sources who have direct knowledge of the deliberations. A measure to track device-level location has no precedent anywhere else in the world, lobbying group India Cellular & Electronics Association (ICEA), which represents both Apple and Google, wrote in a confidential July letter to the government, which was viewed by Reuters. "The A-GPS network service ... (is) not deployed or supported for location surveillance," said the letter, which added that the measure "would be a regulatory overreach." Earlier this week, Modi's government was forced to rescind an order requiring smartphone makers to preload a state-run cyber safety app on all devices after public backlash and privacy concerns.

Read more of this story at Slashdot.

Maximum Physical Privacy and Security as a Crypto Whale: OpSec Strategies Against Physical Threats & Scams

In recent years, physical attacks on cryptocurrency holders have surged dramatically. According to data tracked by Bitcoin security expert Jameson Lopp, reported physical attacks on Bitcoin and crypto holders increased by 169% in just six months in 2025, with dozens of violent incidents including kidnappings, home invasions, and armed robberies.

Lopp maintains a comprehensive list of over 200 known physical attacks since 2014, ranging from $5 wrench attacks (where attackers use physical coercion to force transfers) to organized kidnappings involving torture.

GitHub - jlopp/physical-bitcoin-attacks: A list of known attacks against Bitcoin / crypto asset owning entities that occurred in meatspace.

As a crypto whale — someone holding significant digital assets — you are a high-value target. Criminals know crypto transfers are irreversible, making you more attractive than traditional wealthy individuals. Beyond digital hacks, threats now include real-world violence and sophisticated scams like pig butchering that can lead to doxxing, luring, or physical meetings.

This article focuses on physical OpSec (operational security) to maximize privacy and safety in everyday life, drawing from best practices recommended by experts like Lopp and security firms.

Adopt a Low-Profile Lifestyle: The Foundation of Physical Privacy

The best defense is not being targeted in the first place.

  • Never discuss your crypto holdings publicly, at parties, or even with close friends unless absolutely necessary. Loose lips lead to targeting.
  • Avoid all visible signals of wealth or crypto involvement: No Bitcoin bumper stickers, conference lanyards, luxury watches/cars that stand out, or social media posts showing opulent lifestyles.
  • Dress modestly, drive common vehicles, and live in unassuming neighborhoods. Blend in completely.
  • Remove online traces: Scrub old posts, use pseudonyms, avoid linking real identity to wallets or addresses.

Fortify Your Home and Personal Environment

Your residence is the most likely attack vector.

  • Install layered physical barriers: Reinforced doors with deadbolts, shatter-resistant window film, motion-activated floodlights, visible security cameras, and alarm systems monitored 24/7.
  • Create natural deterrents: Thorny bushes under windows, fenced property with locked gates, no easy climbing points.
  • Build a safe room (panic room) with a solid-core door, independent communication (satellite phone or hardline), supplies, and a weapon if legal/trained.
  • Store seed phrases and hardware wallets in bolted safes or bank safety deposit boxes — never all in one place.
  • Consider professional security assessments or guarded communities if your holdings justify it.

Design Your Wallet Setup Defensively Against the $5 Wrench Attack

The classic $5 wrench attack — where an attacker threatens violence until you hand over keys — cannot be fully prevented, but it can be made impractical.

  • Use multisignature (multisig) wallets requiring multiple keys from geographically separated locations (e.g., different cities or countries). Even under duress, you physically cannot comply quickly, forcing attackers to keep you hostage longer and increasing their risk.
  • Distribute keys/backups across trusted family, institutions, or secure vaults in multiple jurisdictions.
  • Do not rely on “duress PINs” or decoy wallets on their own — attackers may test them, or keep applying violence if they suspect more funds exist.
  • Consider collaborative custody services (e.g., Casa, AnchorWatch) that add institutional keys and emergency lockdowns.

Daily Movement and Travel OpSec

  • Vary routines: Routes to work, gym times, etc. Predictability enables ambushes.
  • Maintain situational awareness: Head on swivel, avoid phone distraction in public, note tailing vehicles/people.
  • Travel low-key: Use rideshares or rentals instead of personal luxury vehicles; fly commercial in economy if possible; never post travel plans in real-time.
  • For high-risk areas (e.g., certain countries with known crypto kidnappings), hire executive protection or avoid altogether.
  • Carry minimal identifying info; use burner phones for sensitive communications.

OpSec often comes into play in public settings. For example, if members of your team are discussing work-related matters at a nearby lunch spot, during a conference, or over a beer, odds are that someone could overhear. As they say, loose lips can sink ships, so make sure you don’t discuss any sensitive company information while out in public.

A lot of OpSec missteps can be avoided by being more aware of your surroundings and the context in which you are speaking: what you’re saying, where you are, who you’re speaking to, and who might overhear. It’s a good idea to go over the “no-no’s” for your specific company during onboarding and to remind employees of them periodically.

Counter Social Engineering, Phone Scams, and Pig Butchering Schemes

Many physical attacks begin with doxxing via scams.

  • Phone scams / SIM swapping: Use authentication app 2FA (not SMS), put PINs/passwords on mobile accounts, screen unknown calls ruthlessly, never give out verification codes.
  • To lock down your SIM, contact your mobile carrier and ask for a port-out / SIM-change freeze on your account. Carriers in the US, the UK, Poland, and China have been known to honor such a request, but the first-line support agent may not know the procedure, so insist on it or visit a main store. Ask them to NEVER make changes to your phone number/SIM unless you physically show up at a specific store with at minimum two forms of identification. This should prevent an attacker from calling AT&T, T-Mobile, or Vodafone, claiming to be you, and asking them to port your number to a new phone.

Get countermeasures in place. The last step of operational security is to create and implement a plan to eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on sound security practices and company policies. Countermeasures should be straightforward and simple.

Pig Butchering Schemes

These long-con scams build fake romantic or friendship relationships online, then push “lucrative” crypto investments on fake platforms.

  • Red flags: Unsolicited contact on dating/social apps, rapid affection, steering conversation to crypto, pushing specific (fake) platforms.
  • Rule: Never invest with or send crypto to anyone you met online. Period. If someone disappears when you refuse to invest, it confirms the scam.
  • General rule: Any unsolicited investment “opportunity,” recovery scam, or urgency play is fraud.

Additional Physical OpSec Tips for Crypto Whales (Updated for Late 2025 Threats)

We’re talking home invasions with intruders posing as delivery drivers (San Francisco $11M robbery on Nov 22), street kidnappings (Bangkok, Bali, Ukraine), carjackings forcing on-the-spot transfers (Oxford), and straight-up torture/murder when victims can’t or won’t pay (Dubai double murder, multiple Russian cases). The pattern is clear: organized crews now routinely use delivery disguises, follow targets from public places, grab people off the street, or hit homes with overwhelming force and torture.

The threat model has upgraded from opportunistic thugs to professional kidnapping rings.

Delivery & Package Paranoia

2025’s #1 new vector is criminals posing as FedEx/Uber Eats/Amazon drivers.

  • Never accept unsolicited deliveries. Route all hardware wallets, seed backup plates, and anything else valuable to a PO Box, a private mailbox (e.g., UPS Store), a secure coworking space, or a lawyer’s/accountant’s office.
  • Install a package locker or secure drop box outside your perimeter that doesn’t require you to open the door.
  • Use doorbell cams + intercom. If a delivery person shows up you didn’t order, do not open the door — ever. Tell them to leave it outside the gate or return later.
  • Bonus: Have mail forwarded through re-mailing services (e.g., Traveling Mailbox or Earth Class Mail) so your real address never appears on anything.

Thief posing as a delivery man steals $11mn in crypto from a man in San Francisco, after tying him up and pulling a gun.

Data Broker Scrubbing + Digital Footprint Eradication

Most victims who got hit hard were doxxed through basic OSINT.

  • Pay for professional deletion services (DeleteMe, Kanary, OneRep, or 360 Privacy) — do it quarterly. The average whale appears on 70–120 data broker sites with home address, phone, relatives, property records.
  • Remove your home from Google Street View (request blur) and Zillow, Redfin, etc.
  • If you’re really paranoid (you should be), buy your next house through an anonymous land trust or Wyoming/LLC structure so your name isn’t on public property records.

Duress Planning That Actually Works

Decoy wallets help, but professional crews now expect them and will keep torturing if the amount looks too small to be everything. What actually works:

  • Have a very believable “main” hot wallet with $50k–$250k (enough to satisfy most crews).
  • Keep the real stack in a geo-distributed multisig that cannot be moved without keys held in 2–3 different countries, plus a 7–30 day timelock on large amounts.
  • Practice your duress story: “That’s everything, I promise — the rest is in a multisig with my ex-wife in Canada and my lawyer in Switzerland. It takes weeks to move.”
  • Safe room with ballistic blanket/door, satellite phone or VOIP line independent of home power, and a weapon if you’re trained.
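The multisig and timelock advice above (and in the $5 wrench section earlier) is usually described in words only. The following is an added example, not code from the original post or from any custody provider it names: it builds, in Python with only the standard library, the Bitcoin witness script such a setup boils down to — a 2-of-3 OP_CHECKMULTISIG whose spending input must also satisfy an OP_CHECKSEQUENCEVERIFY relative timelock of about seven days — and the P2WSH scriptPubKey that commits to it. The three public keys are constructed placeholders, and the delay of 1008 blocks assumes ~144 blocks per day.

```python
# Added example (not from the original article): the witness script behind a
# "2-of-3 multisig with a ~7-day delay" duress setup, built by hand so the
# bytes are visible. Placeholder keys only; real keys come from three hardware
# wallets stored in three different places.
import hashlib

OP_0, OP_2, OP_3 = 0x00, 0x52, 0x53
OP_DROP, OP_CHECKMULTISIG, OP_CHECKSEQUENCEVERIFY = 0x75, 0xAE, 0xB2
BLOCKS_PER_DAY = 144  # assumption: ~10-minute blocks


def push(data: bytes) -> bytes:
    """Direct data push (1..75 bytes), enough for keys, hashes and numbers."""
    if not 0 < len(data) <= 75:
        raise ValueError("unsupported push size")
    return bytes([len(data)]) + data


def push_num(n: int) -> bytes:
    """Push integer n the way Script expects: OP_1..OP_16 for small values,
    otherwise a minimally encoded little-endian sign-magnitude number."""
    if n == 0:
        return bytes([OP_0])
    if 1 <= n <= 16:
        return bytes([0x50 + n])
    if n < 0:
        raise ValueError("negative numbers are not needed here")
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:  # top bit is the sign bit; keep it clear for positives
        out.append(0x00)
    return push(bytes(out))


def multisig_script(pubkeys, threshold=2) -> bytes:
    """<m> <pk1> ... <pkn> <n> OP_CHECKMULTISIG over compressed keys."""
    if not 1 <= threshold <= len(pubkeys) <= 16:
        raise ValueError("bad threshold/key count")
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (2, 3):
            raise ValueError("expected 33-byte compressed public keys")
    keys = b"".join(push(pk) for pk in pubkeys)
    return push_num(threshold) + keys + push_num(len(pubkeys)) + bytes([OP_CHECKMULTISIG])


def timelocked_multisig_script(pubkeys, delay_blocks, threshold=2) -> bytes:
    """<delay> OP_CHECKSEQUENCEVERIFY OP_DROP <multisig>.
    The spending input's nSequence must encode a relative lock of at least
    delay_blocks, and consensus only accepts that input once the coin it spends
    has that many confirmations, so the keys alone cannot move it sooner."""
    if not 0 < delay_blocks < (1 << 16):  # block-count locks use 16 bits
        raise ValueError("delay out of range")
    return (push_num(delay_blocks) + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP])
            + multisig_script(pubkeys, threshold))


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """Native SegWit v0 output committing to the script: OP_0 <sha256(script)>."""
    return bytes([OP_0]) + push(hashlib.sha256(witness_script).digest())


# Constructed placeholder keys in 33-byte compressed encoding (not real keys).
KEYS = [bytes([0x02]) + bytes([i]) * 32 for i in (0x11, 0x22, 0x33)]


def demo():
    plain = multisig_script(KEYS)
    vault = timelocked_multisig_script(KEYS, 7 * BLOCKS_PER_DAY)  # 1008 blocks
    return plain, vault, p2wsh_script_pubkey(vault)


if __name__ == "__main__":
    plain, vault, spk = demo()
    print("2-of-3 witness script  :", plain.hex())
    print("timelocked (7d) script :", vault.hex())
    print("P2WSH scriptPubKey     :", spk.hex())
```

Two caveats worth knowing before copying this pattern. First, OP_CHECKSEQUENCEVERIFY enforces a minimum age of the coin being spent, not a delay on every spend: once funds have sat untouched for 1008 blocks, two keys can move them at once. The “every withdrawal takes a week” behaviour the article wants comes from a two-stage vault, where a first transaction moves coins into an output like this one and the final spend can only follow after the delay, which is the window you have to notice and react. Second, real wallets express this with output descriptors or miniscript rather than hand-assembled bytes; the point here is only to make visible what “geo-distributed multisig with a timelock” means on chain.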

Family & Staff OpSec (The Weakest Link 90% of the Time)

Most tortured victims in 2025 were attacked together with spouses/kids/parents because the attackers knew the whole family would be home.

  • Your spouse and adult children must fully understand OpSec — no bragging, no crypto stickers, no “my husband is loaded in Bitcoin” comments at school events.
  • Domestic staff (cleaners, nannies, gardeners) are the #1 leak vector. Vet them like you’re hiring a CIA asset — background checks, NDAs — and treat any unprompted questions about crypto as a red flag.
  • Give family pre-agreed code words for phone calls (AI voice cloning + fake kidnapping calls are now common).

Conference & Travel Hardening (You’re Being Watched)

Bitcoin 2025 in Vegas and every major conference now has professional spotters.

  • Book flights/hotels under alias or corporate name.
  • Never post that you’re going until you’re already home.
  • Use cash or privacy.com virtual cards for everything on-site.
  • Travel with a “burner” phone and laptop that have zero access to real keys.
  • If you’re a known whale, hire close protection for the duration — it’s $2–4k/day and worth every penny.

The Nuclear Options (For 9-Figure+ Holders)

  • Relocate to a truly safe jurisdiction (UAE, Singapore, Switzerland, or certain gated compounds in Puerto Rico/Cayman).
  • Full-time executive protection team + armored vehicle with driver.
  • Collaborative custody with institutions that have armed response protocols (e.g., AnchorWatch + private security integration).

During and After an Incident

  • Life > Bitcoin. If attacked, comply as needed but use multisig delays to your advantage (“I need my partner in another country”).
  • Have emergency lockdown features enabled on wallets/apps.
  • Report incidents to authorities and communities (e.g., contribute to Lopp’s list) to help others.
  • Have inheritance/dead-man-switch planning so funds aren’t lost if the worst happens.

Final Thoughts

Bottom line for end of 2025: The game has permanently changed. The crews doing these hits are no longer random junkies — they’re transnational gangs who research targets for months, use fake delivery uniforms bought on Telegram, and are willing to waterboard you while your kids watch if they think you have more. Silence, geographic distribution of keys, and making yourself an annoyingly hard target are now non-negotiable if you want to keep both your bitcoin and your fingernails.

Maximum physical privacy as a crypto whale requires treating yourself like a high-net-worth individual in witness protection — constant vigilance, multiple defense layers, and acceptance that perfect security doesn’t exist, only making attacks too costly or difficult. The combination of strict OpSec, physical fortifications, geographically distributed multisig, and scam paranoia has kept many whales safe despite rising threats.

Anti-Kidnapping Kit

Implement these gradually, starting with the basics: shut up about your stack, secure your home, and distribute your keys. Your wealth is freedom — don’t let poor OpSec turn it into a liability. Stay safe!

If you want to support my work, please consider donating:

  • 0x1191b7d163bde5f51d4d2c1ac969d514fb4f4c62 or officercia.eth — all supported EVM chains;
  • 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU or bc1q75zgp5jurtm96nltt9c9kzjnrt33uylr8uvdds — Bitcoin;
  • BLyXANAw7ciS2Abd8SsN1Rc8J4QZZiJdBzkoyqEuvPAB — Solana;
  • 0zk1qydq9pg9m5x9qpa7ecp3gjauczjcg52t9z0zk7hsegq8yzq5f35q3rv7j6fe3z53l7za0lc7yx9nr08pj83q0gjv4kkpkfzsdwx4gunl0pmr3q8dj82eudk5d5v — Railgun;
  • TYWJoRenGB9JFD2QsdPSdrJtaT6CDoFQBN — TRX;
  • 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — XMR;
  • DQhux6WzyWb9MWWNTXKbHKAxBnAwDWa3iD — Doge;
  • UQBIqIVSYt8jBS86ONHwTfXCLpeaAjgseT8t_hgOFg7u4umx — TON.

If you enjoy my content and want to help keep it ad-free, please consider supporting my work through donations. Your contributions will allow me to dedicate more time to crafting in-depth articles and sharing even more valuable insights.

Thank you!


Maximum Physical Privacy and Security as a Crypto Whale: OpSec Strategies Against Physical Threats… was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Mac malware is exploding, and Apple just weakened one of its key defenses

By: Rich Hein

I spend most of my time in Windows, so I’m used to thinking about malware as a fact of life. You stay patched, you avoid sketchy downloads, and you accept that a bad attachment or sloppy update can ruin your day. macOS has always felt different to me. I only use it when work requires it or when I’m in my home studio recording, and in all the years I’ve owned a Mac, it has stayed blissfully untouched by anything resembling a virus.

Dangerous RCE Flaw in React, Next.js Threatens Cloud Environments, Apps


Security and developer teams are scrambling to address a highly critical security flaw in frameworks tied to the popular React JavaScript library. The vulnerability, which also affects the Next.js framework, is easy to exploit, and React is widely used, including in 39% of cloud environments.

The post Dangerous RCE Flaw in React, Next.js Threatens Cloud Environments, Apps appeared first on Security Boulevard.

ShadyPanda’s Years-Long Browser Hack Infected 4.3 Million Users


A threat group dubbed ShadyPanda exploited the ordinary extension update process in browser marketplaces by uploading legitimate extensions and then quietly weaponizing them with malicious updates, infecting 4.3 million Chrome and Edge users with RCE malware and spyware.

The post ShadyPanda’s Years-Long Browser Hack Infected 4.3 Million Users appeared first on Security Boulevard.

India Pulls Its Preinstalled iPhone App Demand

By: BeauHD
India has withdrawn its order requiring Apple and other smartphone makers to preinstall the government's Sanchar Saathi app after public backlash and privacy concerns. AppleInsider reports: On November 28, the India Ministry of Communication issued a secret directive to Apple and other smartphone manufacturers, requiring the preinstallation of a government-backed app. Less than a week later, the order has been rescinded. The withdrawal on Wednesday means Apple doesn't have to preload the Sanchar Saathi app onto iPhones sold in the country, in a way that couldn't be "disabled or restricted." [...] In pulling back from the demand, the government insisted that the app had an "increasing acceptance" among citizens. There was a tenfold spike of new user registrations on Tuesday alone, with over 600,000 new users made aware of the app from the public debacle. India Minister of Communications Jyotiraditya Scindia took a moment to insist that concerns the app could be used for increased surveillance were unfounded. "Snooping is neither possible nor will it happen" with the app, Scindia claimed. "This is a welcome development, but we are still awaiting the full text of the legal order that should accompany this announcement, including any revised directions under the Cyber Security Rules, 2024," said the Internet Freedom Foundation. It is treating the news with "cautious optimism, not closure," until formalities conclude. However, while promising, the backdown doesn't stop India from retrying something similar or another tactic in the future.

Read more of this story at Slashdot.

Apple To Resist India Order To Preload State-Run App As Political Outcry Builds

By: BeauHD
Apple does not plan to comply with India's mandate to preload its smartphones with a state-owned cyber safety app that cannot be disabled. According to Reuters, the order "sparked surveillance concerns and a political uproar" after it was revealed on Monday. From the report: In the wake of the criticism, India's telecom minister Jyotiraditya M. Scindia on Tuesday said the app was a "voluntary and democratic system," adding that users can choose to activate it and can "easily delete it from their phone at any time." At present, the app can be deleted by users. Scindia did not comment on or clarify the November 28 confidential directive that ordered smartphone makers to start preloading it and ensure "its functionalities are not disabled or restricted." Apple however does not plan to comply with the directive and will tell the government it does not follow such mandates anywhere in the world as they raise a host of privacy and security issues for the company's iOS ecosystem, said two of the industry sources who are familiar with Apple's concerns. They declined to be named publicly as the company's strategy is private. "It's not only like taking a sledgehammer, this is like a double-barrel gun," said the first source.

Read more of this story at Slashdot.
