Your Crypto OpSec Checklist

6 min read · By SSP Editorial Team

Self-custody is not a one-time setup — it is a routine. Your keys stay safe because you keep them safe, quarter after quarter. This is your operational-security (OpSec) checklist: a 15-minute audit you run four times a year to catch the small drifts before they become incidents. Backups fade, extensions pile up, approvals accumulate, and a phone you trusted last spring gets sold. None of those is an emergency on its own; together, over a year of neglect, they are how good setups quietly rot. Block out a quiet evening at the start of each quarter, print this page, and work down the boxes. None of it is hard — the value is entirely in doing it on a schedule instead of after something has already gone wrong.

OpSec is a discipline borrowed from people whose threat model is serious for a living — the EFF's Surveillance Self-Defense guides are a good primer on the mindset. For crypto, the same idea narrows to a handful of questions: are my keys recoverable, are my devices clean, do I understand what I am signing, and are the accounts around my wallet locked down? With SSP's 2-of-2 setup, every spend already needs a second, independent approval on your SSP Key, so a single compromised device should not be enough to move funds — but that safety net only holds if both halves stay healthy and independent. The checklist below keeps them that way.

Run it every quarter. Check the box only when it is actually true, not when you intend to get to it.

Keys & backups

Your recovery material is the one thing you cannot regenerate, so start here and fix anything shaky before moving on — our seed phrase best practices guide covers the storage details. A backup you assume is fine but have not looked at in a year is a classic single point of failure in self-custody: you find out the ink faded or a page went missing at exactly the moment you need it.

  • Locate every seed phrase backup and confirm each one is physically readable, complete, and undamaged by water, heat, or fading ink.
  • Confirm backups live in at least two geographically separate places, so a single fire, flood, or theft cannot take both at once.
  • Verify both SSP halves are backed up: the extension wallet and the SSP Key can each be restored independently of the other.
  • Check that no seed phrase has ever been typed into a notes app or website, photographed, emailed, or stored in a password manager or cloud note; the only place a seed belongs on a screen is the wallet you are restoring it into, and only for as long as the restore takes.
  • Confirm anyone you trusted with a backup location still has access — and, just as important, still should.

Devices & extensions

A clean device is the foundation under every other control, so treat your browser as part of your wallet — browser extension hygiene for crypto users explains why a single malicious extension can quietly rewrite what you sign.

  • Update your operating system, browser, and the SSP extension to their latest versions.
  • Update the SSP Key device and confirm it still pairs, displays, and signs correctly.
  • Review every installed browser extension and remove anything unused, unfamiliar, or no longer maintained.
  • Confirm the SSP extension's publisher and store ID match the official listing — no look-alike fork has slipped in.
  • Run a reputable malware scan on both the computer and the phone you use to transact.

Transactions & approvals

Many losses involve no stolen key at all: they come from token approvals you granted months ago and forgot about, which a compromised or malicious contract can later use to move the tokens you approved. Review what you have granted with a tool like revoke.cash and re-read our explainer on token approvals.

  • Review active token approvals and revoke any that are stale, unlimited, or tied to a dapp you no longer use.
  • Confirm you read each transaction on the SSP Key screen before approving it: the amount, the destination, and the network. For a token transfer or approval, the address that matters is the recipient or spender encoded inside the call, not the token contract the transaction is addressed to.
  • Spot-check recent outgoing transactions in a block explorer against what you actually intended to send.
  • Re-verify that saved contract and dapp bookmarks still point to the real, current addresses and not a swapped one.
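The two checks above, reading a transaction the way it should appear on the SSP Key screen and auditing existing approvals, as an added example. This is illustrative code written for this page, not SSP's own code: it decodes the two standard ERC-20 calls (`approve` and `transfer`, whose 4-byte selectors are the well-known constants), reduces a list of Approval records to the current allowance per token and spender, flags allowances that are unlimited, older than an assumed 90-day threshold, or granted to a spender you no longer recognise, and builds the `approve(spender, 0)` calldata that revokes one. Every address, timestamp and piece of calldata below is constructed sample data.

```javascript
// Added example, not SSP's code. Decode an EVM transaction as a signer should
// read it, then audit token approvals and build revoke calldata. All sample
// data below is constructed.

// 4-byte selectors: first 4 bytes of keccak256(signature). These two are the
// standard ERC-20 constants.
const SELECTORS = {
  "0x095ea7b3": "approve",  // approve(address spender, uint256 amount)
  "0xa9059cbb": "transfer", // transfer(address to, uint256 amount)
};
const MAX_UINT256 = (1n << 256n) - 1n;
const STALE_AFTER_DAYS = 90; // assumption: older allowances need re-justifying
const DAY_MS = 86_400_000;

// Return the i-th 32-byte ABI word of the argument area as hex.
function word(args, i) {
  const w = args.slice(i * 64, (i + 1) * 64);
  if (w.length !== 64) throw new Error("calldata too short");
  return w;
}

// Decode ERC-20 approve/transfer calldata into counterparty and amount.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const selector = "0x" + hex.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { fn: "unknown", selector };
  const args = hex.slice(8);
  const amount = BigInt("0x" + word(args, 1));
  return {
    fn,
    counterparty: "0x" + word(args, 0).slice(24), // address = low 20 bytes of the word
    amount,
    unlimited: amount === MAX_UINT256,
  };
}

// The fields to compare against the SSP Key screen. For a token transfer or
// approval the tx `to` is the token contract; the address that matters is the
// recipient or spender inside the calldata.
function describeForSigning(tx) {
  const value = BigInt(tx.value || 0);
  const base = { network: tx.chainId, contract: null };
  if (!tx.data || tx.data === "0x") {
    return { ...base, action: "native send", destination: tx.to, amount: value };
  }
  const d = decodeCalldata(tx.data);
  if (d.fn === "transfer") {
    return { ...base, contract: tx.to, action: "token transfer", destination: d.counterparty, amount: d.amount };
  }
  if (d.fn === "approve") {
    const action = d.unlimited ? "UNLIMITED token approval" : "token approval";
    return { ...base, contract: tx.to, action, destination: d.counterparty, amount: d.amount };
  }
  return { ...base, contract: tx.to, action: "unknown call " + d.selector, destination: tx.to, amount: value };
}

// approve(spender, 0) is the revoke transaction: same selector, zero amount.
function buildRevokeCalldata(spender) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x095ea7b3" + addr + "0".repeat(64);
}

// Approval events overwrite each other: the latest one per (token, spender)
// is the allowance that is live right now.
function currentAllowances(events) {
  const latest = new Map();
  for (const e of [...events].sort((a, b) => a.grantedMs - b.grantedMs)) {
    latest.set(e.token.toLowerCase() + ":" + e.spender.toLowerCase(), e);
  }
  return [...latest.values()];
}

// Flag live allowances that are unlimited, stale, or granted to an
// unrecognised spender, and attach the calldata that would revoke each.
function auditApprovals(events, nowMs, knownSpenders) {
  const known = new Set(knownSpenders.map((s) => s.toLowerCase()));
  const findings = [];
  for (const a of currentAllowances(events)) {
    if (a.amount === 0n) continue; // already revoked
    const reasons = [];
    if (a.amount === MAX_UINT256) reasons.push("unlimited");
    if ((nowMs - a.grantedMs) / DAY_MS > STALE_AFTER_DAYS) reasons.push("stale");
    if (!known.has(a.spender.toLowerCase())) reasons.push("unrecognised spender");
    if (reasons.length) {
      findings.push({ token: a.token, spender: a.spender, reasons, revokeCalldata: buildRevokeCalldata(a.spender) });
    }
  }
  return findings;
}

// ---- constructed sample data (placeholder addresses, not real contracts) ----
const TOKEN = "0x" + "11".repeat(20);
const TOKEN2 = "0x" + "55".repeat(20);
const ROUTER = "0x" + "22".repeat(20);   // a dapp you still use
const OLD_DAPP = "0x" + "44".repeat(20); // a dapp you revoked
const NEW_DAPP = "0x" + "66".repeat(20); // a spender you do not recognise
const FRIEND = "0x" + "33".repeat(20);
const NOW_MS = Date.UTC(2025, 0, 1);

const SAMPLE_TRANSFER_TX = {
  chainId: 1, to: TOKEN, value: "0",
  data: "0xa9059cbb" + "0".repeat(24) + "33".repeat(20) + (1000n * 10n ** 18n).toString(16).padStart(64, "0"),
};
const SAMPLE_APPROVE_TX = {
  chainId: 1, to: TOKEN, value: "0",
  data: "0x095ea7b3" + "0".repeat(24) + "22".repeat(20) + "f".repeat(64),
};
const SAMPLE_EVENTS = [
  { token: TOKEN, spender: ROUTER, amount: MAX_UINT256, grantedMs: NOW_MS - 200 * DAY_MS },
  { token: TOKEN2, spender: ROUTER, amount: 500n * 10n ** 18n, grantedMs: NOW_MS - 10 * DAY_MS },
  { token: TOKEN, spender: OLD_DAPP, amount: 5n * 10n ** 18n, grantedMs: NOW_MS - 400 * DAY_MS },
  { token: TOKEN, spender: OLD_DAPP, amount: 0n, grantedMs: NOW_MS - 20 * DAY_MS },
  { token: TOKEN, spender: NEW_DAPP, amount: 5n * 10n ** 18n, grantedMs: NOW_MS - 20 * DAY_MS },
];
const KNOWN_SPENDERS = [ROUTER];

function runAudit() {
  return auditApprovals(SAMPLE_EVENTS, NOW_MS, KNOWN_SPENDERS);
}

console.log(describeForSigning(SAMPLE_TRANSFER_TX));
console.log(describeForSigning(SAMPLE_APPROVE_TX));
console.log(runAudit());
```

On the sample data the transfer decodes to a destination of FRIEND, not the token contract; the approval is reported as unlimited; and the audit flags the 200-day-old unlimited allowance to ROUTER and the allowance to the unrecognised NEW_DAPP, while the allowance that was later set to zero is skipped. In a real wallet the events would come from an RPC `eth_getLogs` query on the Approval topic; the decoding and flagging logic is the same.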

Accounts around your wallet

Attackers rarely break the wallet first — they break the email or exchange account next to it and pivot inward, so CISA's Secure Our World is a plain-language baseline and mobile 2FA done right covers the crypto-specific traps.

  • Move email, exchange, and cloud accounts off SMS 2FA and onto TOTP or passkeys, which cannot be SIM-swapped. Prefer passkeys where the service offers them: a TOTP code can still be phished if you type it into a look-alike site, while a passkey is bound to the real origin and will not authenticate to a fake one.
  • Confirm a unique, strong password on every account that touches your crypto, generated and stored in a password manager.
  • Review your saved address book and remove or re-verify any entry you can no longer personally vouch for.
  • Check each account's recovery options — backup email, phone number, security questions — for weak links an attacker could pivot through.

Phishing readiness

Phishing is the attack you will actually face, and it keeps getting more convincing, so keep the patterns fresh with phishing attacks targeting crypto users and rehearse your own reflexes before a real lure arrives.

  • Re-bookmark the official SSP site and your exchanges, and reach them only through those bookmarks — never a search ad or a DM link.
  • Confirm you never approve a transaction or enter a seed phrase in response to an unsolicited message, call, or "support" agent.
  • Review recent emails and DMs for anything you clicked that you should not have — and rotate the affected credentials if you are unsure.
  • Remind anyone who shares your finances that SSP, and any legitimate support, will never ask for a seed phrase.

Recovery & inheritance dry-run

A backup you have never tested is a guess, so once a quarter prove you could actually recover rather than assuming it — start from recovering SSP when you lose your browser.

  • Run a lose-your-browser drill: restore the SSP extension from backup on a clean profile and confirm your balances appear. When the drill is done, remove that test profile so you are not left with an extra live copy of the wallet on the machine.
  • Run a lose-your-phone drill: confirm you can re-establish the SSP Key and complete a full 2-of-2 approval end to end.
  • Document emergency and inheritance access — where the backups are, what is needed, and who to contact — for someone you trust.
  • Confirm that document is stored securely and that the trusted person knows it exists, without learning the secrets prematurely.

A checklist only works if it actually runs, so make next quarter's audit automatic rather than relying on memory.

  • Print this checklist or save it offline somewhere you will genuinely see it again.
  • Put a recurring quarterly reminder on your calendar, set for the same week each quarter.
  • Note the date you completed today's audit and anything you deferred, so next quarter starts exactly where this one ended.
