Elliot Friedman

The Personal Attack Surface

I wrote previously about the attack surface of a crypto company. The same logic applies one level down. A person who works in this industry also has a multidimensional attack surface. The wallet is a surface. The email is a surface. The phone, the laptop, the browser, the SIM card, the social handles, the family, the home address, the travel itinerary, all of them are surfaces. Anyone holding real funds or signing real transactions is a target whether they know it or not.

The shape matters because the defender has to see all of it at once. Hardening one corner while ignoring the rest does not make you safer. It makes you safer against one class of attacker, which is not the same thing.


Twelve vectors arranged around the person they are trying to reach, grouped into six categories: wallet, comms, devices, social, identity, and physical.

The least-defended surface and the highest-leverage attack vector for individuals are the same thing: the recovery path. People harden the front door with a strong password, hardware-backed 2FA on the primary account, and a hardware key on the wallet. Then they leave the back door wired up the way the account wizard set it up six years ago. Email recovery routes through the phone. Phone recovery routes through email. Both fall back to a secondary address that has not been logged into since 2019 and a set of security questions whose answers are available with a simple Google search or LLM query. The attacker does not need to break the locked front door. They need to find one weak link in a chain of resets the user has never audited as a unit.

Most successful account takeovers in crypto land here. The SIM swap that drains the exchange. The email reset that pulls the seed backup out of cloud storage. The social-engineered support agent who restores the "lost" account to the attacker's device. All of them are recovery-path attacks dressed as something else. The fix is to walk the chain end to end. Every primary account. Every recovery method on each one. Every fallback under each method. Every secondary address. Anything that resolves to a phone number or a mailbox not protected by hardware-backed 2FA is the attacker's path in.
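The audit described above can be run as a graph search. The following is an added example, not code from the original post: the account names, the inventory, and the treatment of SMS and security questions as weak entry points are constructed assumptions that follow the article's argument.

```python
from collections import deque

# Constructed sample inventory (not from the original post). Each account lists
# its recovery methods as (kind, target): "account" targets name another entry;
# "sms" and "security_questions" are treated as attacker-reachable, following
# the article; "hardware_key" is treated as a dead end for the attacker.
ACCOUNTS = {
    "exchange":      [("account", "primary_email"), ("hardware_key", None)],
    "cloud_storage": [("account", "primary_email")],
    "primary_email": [("hardware_key", None), ("account", "old_email")],
    "old_email":     [("sms", "phone"), ("security_questions", None)],
    "password_mgr":  [("hardware_key", None)],
}
WEAK_KINDS = {"sms", "security_questions"}


def weakest_paths(accounts):
    """Return {account: reset chain from a weak method}, for every account
    reachable from a weak method. Hardware-only accounts are absent."""
    # Reverse edges: owning X lets the attacker reset everything recovering via X.
    resets = {name: [] for name in accounts}
    for name, methods in accounts.items():
        for kind, target in methods:
            if kind == "account" and target in accounts:
                resets[target].append(name)
    # Seed the search with accounts that directly expose a weak method.
    paths = {}
    queue = deque()
    for name, methods in accounts.items():
        weak = sorted(k for k, _ in methods if k in WEAK_KINDS)
        if weak:
            paths[name] = [weak[0], name]
            queue.append(name)
    # Breadth-first search gives the shortest chain of resets to each account.
    while queue:
        owned = queue.popleft()
        for victim in resets[owned]:
            if victim not in paths:
                paths[victim] = paths[owned] + [victim]
                queue.append(victim)
    return paths


if __name__ == "__main__":
    for account, chain in sorted(weakest_paths(ACCOUNTS).items()):
        print(f"{account}: " + " -> ".join(chain))
```

In the sample inventory the exchange has a hardware key on the front door and is still reachable in three resets, because its email recovery leads to a forgotten secondary address.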

The wallet

The wallet is the obvious surface and the one most people think they have covered. They do not. A hardware wallet protects the key. It does not protect the signer from being asked to sign the wrong thing. Approval phishing does not require any key compromise. A malicious dApp asks for unlimited permission to move your tokens, you click once, and the wallet is empty. Drainer-as-a-service kits are sold openly. The screen is designed to be misleading.
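What an unlimited-permission request looks like in the bytes a wallet is asked to sign, as an added example that is not from the original post. It decodes the two standard grant calls (ERC-20 approve and ERC-721/1155 setApprovalForAll); the spender address, sample calldata, and trusted-spender list are constructed assumptions.

```python
MAX_UINT256 = 2**256 - 1
# Standard selectors (first 4 bytes of calldata) for calls that grant spending rights.
GRANTS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator
}


def review_calldata(calldata_hex, trusted_spenders=()):
    """Return (function, spender, warnings); function is None if not a grant."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    func = GRANTS.get(data[:8])
    if func is None:
        return None, None, []
    args = data[8:]
    if len(args) != 128:  # both calls take exactly two 32-byte words
        return func, None, ["malformed arguments"]
    spender = "0x" + args[24:64]  # address sits in the low 20 bytes of word 1
    value = int(args[64:], 16)
    warnings = []
    if func.startswith("approve") and value == MAX_UINT256:
        warnings.append("unlimited allowance")
    if func.startswith("setApprovalForAll") and value != 0:
        warnings.append("operator control of every token in the collection")
    if value != 0 and spender not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender not in trusted list")
    return func, spender, warnings


# Constructed sample inputs (not real transactions or addresses).
SPENDER = "0x" + "ab" * 20
UNLIMITED = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
BOUNDED = "0x095ea7b3" + "00" * 12 + "ab" * 20 + format(5 * 10**18, "064x")
REVOKE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "00" * 32

if __name__ == "__main__":
    for label, tx in [("unlimited", UNLIMITED), ("bounded", BOUNDED), ("revoke", REVOKE)]:
        print(label, review_calldata(tx, trusted_spenders=[]))
```

The check covers only these two on-chain calls; other ways of granting spending rights need their own decoding.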

The seed phrase is the other half. Most leaks are not dramatic. A photo of the recovery card on a phone that is backed up to iCloud. A note in a password manager whose master password is reused on a forum that gets breached. A DM from a "support" account in your wallet's Discord that knew exactly what to ask. The seed never had to leave the room.

Comms

Email is the master key on the modern internet. It resets every other account. If an attacker owns the inbox, they own the password manager, they own every exchange and GitHub account that points back to it, and they own the cloud storage where the seed backup lives. A strong password does not fix this. The defense is hardware-backed 2FA on the email itself, no SMS fallback, and a recovery account that is not tied to the same phone number.

SIM swap is the same attack from a different angle. The attacker calls the carrier, social-engineers a port, receives the SMS codes, and resets every account that uses SMS as a recovery method. Carriers are the weak link, not the user. Remove SMS from every reset path. Use an authenticator app or a hardware key. If the carrier is the recovery channel, the carrier can own you.

Devices

The phone is now where most people sign. Mobile wallet apps, biometric unlock, push notifications for transaction approval. The phone is terminally online, running third-party SDKs you didn't vet, and one tap away from any URL. iOS is hardened, but not enough to be the only thing between a signer and their keys. Storing your life savings on a mobile device is ill-advised.

The laptop is where the deploy keys live, where the IDE runs the code that touches the keys, where the browser holds the session cookies. The fix is isolation and firewalling. A dedicated machine that does nothing except sign transactions, with no email, no Slack, no Discord, no general-purpose browsing, no npm install of anything you did not personally read. Most people will not do this. Most people should.

The browser is the most exposed surface on the laptop. Extensions can read every page. A legitimate extension can be sold to a new owner who pushes a malicious update. The wallet popup that asks for a signature is rendered by the same browser that just loaded an ad network from a publisher you have never heard of. If you must sign on your daily driver laptop, use a separate browser profile without extensions to reduce risk.

Social

Impersonation is the most reliable way to reach someone who already knows better. A DM from someone who looks like a teammate. A calendar invite from a recruiter at a fund you would actually take a meeting with. A Telegram message from "support" of a protocol you actually use. A Zoom link that opens a "driver update" prompt when the audio fails. A GitHub PR from a contributor who has been making good commits for three months and now needs you to review one specific file. The pattern is always the same. Establish trust on a channel where trust is cheap, then ask for the single click that costs everything.

The romance and long-con variants work on people who would never click a generic phishing link. A relationship built over months on a dating app. A business relationship cultivated at conferences. A co-investor who introduces a deal that requires a signature on a malicious contract. Skepticism toward strangers does not fix this. The fix is a rule that no warm relationship gets to bypass the rules about what you sign on what device.

Identity

On-chain addresses are a permanent record. Once a wallet is linked to a real-world identity through an ENS, a Twitter post, or a podcast appearance, the transaction history becomes part of that identity, retroactively and forever. Net worth, counterparties, schedule, travel patterns, all readable. Attackers do not have to guess who is worth attacking.

Doxxing closes the loop. The home address is in the domain WHOIS. The phone number is for sale for under $5 if you know which sites to check. The spouse's name and the kids' school are on a public Instagram. The conference badge in a Twitter photo gives the hotel. All of a sudden, your world seems strangely visible to outsiders, but privacy is possible. Register domains through a privacy service. Remove yourself from data brokers. Do not post pictures with geotags. Do not let your family's social presence be an OSINT primitive that can be used against you.

Physical

The five-dollar wrench attack is the limiting case of every other vector. If the funds are large enough and the location is known, the cheapest attack is to send three people to the door. The pattern is documented well enough now that "wrench attack" no longer needs the quotation marks. The mitigations are well documented, but implementing them requires acknowledging the threats head-on. Multisigs that cannot be drained from one location. Geographic separation between signers. Fresh signers on all multisigs, shielding owners from prying eyes.

Travel collapses the device, the network, and the physical surface into one. Hotel Wi-Fi is hostile. Hotel safes are not safes. Border crossings can compel device unlock in ways your home country can't. Travel with the signing device and you will lose it. Travel with a clean machine. Sign from home. If you must sign on the road, set up something beforehand that does not depend on the hardware in your bag.

What to do

The point of the picture is to name what is assumed, to plainly visualize your current surface so you can question your assumptions. Most people in this industry have hardened one corner, usually the wallet, and assumed the rest is somebody else's problem. It is not. The attacker only needs one of these to land, and they get to choose.

Sit down with the picture. Look at every box and ask what an attacker would do if they owned that surface tomorrow. Walk the recovery chain on every account and write down every reset method and every fallback. Ask what is publicly tied to the address that holds the funds. Ask who in your life is the soft target.

The wallet isn't the whole picture. It's just the start.