OPSEC for Monero

Cryptography protects your transactions; operational security — opsec — protects everything around them. Opsec is the set of everyday habits that keep your tools, keys, and behavior from leaking what the protocol works hard to hide. The hard truth of advanced Monero use is that almost every real-world deanonymization happens not because someone broke the math, but because someone got sloppy. This lesson walks through opsec across the full lifecycle: receiving, holding, and spending.

Opsec Starts With a Threat Model

There is no universal "secure setup." The right precautions depend entirely on who you're defending against, which is why every opsec decision should trace back to your threat model. A hobbyist holding pocket money and an activist in a hostile jurisdiction need different discipline. Define the adversary first, then apply only the measures that address them — over-securing against the wrong threat wastes effort and can create its own tells.

Receiving Coins Safely

The moment of acquisition is where identity most easily attaches to coins.

• Mind the source. A KYC exchange permanently links your identity to what you withdraw; a no-KYC swap or cash trade does not. This is a privacy decision as much as a purchase, covered in Choosing How to Get Monero.
• Use fresh subaddresses. Give a unique subaddress to each sender so payments aren't trivially grouped by a reused public address.
• Hide your IP when receiving and syncing by connecting over Tor or I2P, so a node doesn't learn where you are.

Holding Coins Safely

Storage is where the largest, slowest-moving risk lives, so it deserves the strongest protection.

• Protect the seed above all. Your seed phrase is your money; anyone who reads it can spend everything. Store it offline and resist photographing or cloud-syncing it — see Securing Your Seed.
• Add a passphrase for an extra secret that isn't written with the words, as covered in Passphrase and Extra Protection.
• Keep large holdings offline. A hardware wallet or cold-storage workflow keeps spend keys away from an internet-connected machine; see Hardware and Cold Storage.
• Audit without exposure. A watch-only wallet lets you check balances using only the view key, so a day-to-day device never touches the spend key.

Spending Coins Safely

Spending is where on-chain privacy meets real-world metadata.

• Control which outputs you spend. Combining outputs that an observer can tie to different identities can re-link them; coin control prevents this.
• Watch timing and amounts. Forwarding a received amount instantly and unchanged is a classic correlation tell, one of many metadata leaks to avoid.
• Limit what counterparties learn. Shipping addresses, emails, and chat handles are records you can't unsend. Give each party only what they need.
• Verify payments correctly. Use payment proofs to prove a payment privately rather than over-sharing transaction details.

The Endpoint Is the Weakest Link

All of the above assumes the device itself is trustworthy. Malware, a keylogger, a malicious wallet download, or a phishing site can defeat every other precaution at once. Verify software you install, stay alert to phishing and scams, keep your system updated, and consider a dedicated machine or offline signing setup for serious holdings. Physical security counts too: a written seed in an unlocked drawer is a real attack surface.

Building a Routine

Opsec fails when it relies on remembering to be careful in the moment. The fix is routine: a fixed way you receive, a fixed place your seed lives, a default of network privacy, and a habit of thinking about outputs before you spend. Consistency turns dozens of small decisions into muscle memory, which is exactly what holds up under pressure.

Good opsec is the connective tissue of this whole course — it's what makes Monero's cryptographic guarantees real in practice rather than in theory. Anchor it to your threat model, keep it consistent, and finish by separating fact from fiction in Privacy Myths Debunked, then test yourself with the privacy best practices quiz.