Web3 Impact Toolkit

OpSec is behavior

Operational security is the everyday set of decisions that shape what an adversary can learn about you, your staff, your sources and your beneficiaries. No tool replaces this; tools can only support good behavior.

Five OpSec questions per project

•Who, specifically, are we worried about? (Not "hackers in general".)

•What is the most damaging thing they could learn?

•How might they actually find that out today, given how we work?

•What is one small change that would make that significantly harder?

•Who else needs to know about this change for it to actually take effect?

Privacy tools, in plain language

•VPN: hides what you do from the local network and your internet provider; reveals it to the VPN provider. Choose a reputable one with a clear policy.

•Tor Browser: routes traffic through multiple volunteer relays, designed for anonymity and censorship circumvention. Slower; very different threat model from VPN.

•Tails OS: amnesic live operating system on a USB drive, leaves no traces on the host machine after shutdown.

•Signal + disappearing messages + verified safety numbers: the everyday baseline for sensitive conversations.

Compartmentalization

Use different identities for different parts of your work. A handle used for source contact should not also be the handle used to post family photos. Browser profiles, email addresses, phone numbers and even devices can be separated by purpose.

Public exposure

•What you and colleagues post on LinkedIn / X / Telegram becomes adversary research material.

•Photos of office whiteboards, screens and ID badges have been exploited in real targeted attacks.

•Beneficiary photos and locations require explicit, informed consent and care for vulnerable groups.

Travel and high-risk meetings

•Carry a dedicated travel device, never the daily one with the full archive.

•Plan a safe word and an "I am OK" check-in cadence with one trusted contact.

•Know in advance who you call if a device is seized or a colleague is detained.