
In an increasingly digital world, Operational Security (OpSec) refers to the practices and processes individuals and organizations use to protect sensitive information from adversaries. Those adversaries could include hackers, criminals, or even state actors. Good OpSec involves minimizing your digital footprint, using secure communication channels, and being mindful of what you share publicly. Unfortunately, poor OpSec can lead to devastating consequences, from financial loss to physical harm. This article explores common bad OpSec practices, highlights notable failures, and delves into a recent tragic case involving Russian crypto blogger and entrepreneur Roman Novak, whose murder underscores the deadly risks of complacency.
Bad OpSec often stems from convenience over caution or simple oversight. Here are some prevalent mistakes:
Posting about your wealth, location, or daily routines can paint a target on your back. Criminals scour platforms like Instagram, X, and Facebook for clues about high-value targets.
Photos and files often contain embedded data like GPS coordinates, timestamps, or device information that can reveal your whereabouts.
Using simple passwords, skipping two-factor authentication (2FA), or reusing credentials across accounts makes it easy for attackers to gain access.
Discussing sensitive matters over unencrypted channels, like regular email or SMS, exposes information to interception.
In fields like cryptocurrency, flaunting gains or holdings publicly attracts scammers, thieves, or extortionists.
Especially in high-stakes industries, agreeing to in-person meetings without background checks or security measures can lead to ambushes.
These lapses aren't just theoretical - they've led to real-world disasters.
History is littered with examples where poor OpSec turned minor vulnerabilities into major catastrophes.
One classic case is John McAfee, the antivirus software pioneer. In 2012, while on the run from Belizean authorities in connection with a murder investigation, McAfee allowed a Vice magazine reporter to publish photos of him. Unbeknownst to them, the images contained EXIF metadata with GPS coordinates, pinpointing his location in Guatemala. This blunder led to his swift arrest, illustrating how a simple oversight in file handling can unravel even the most elaborate evasion plans.
Another infamous failure involves Ross Ulbricht, the founder of the dark web marketplace Silk Road. Ulbricht's OpSec crumbled due to identity reuse: he used the same username ("altoid") on public forums to promote Silk Road as he did on Stack Overflow for coding questions, where he also mentioned his real name. Investigators connected the dots, leading to his 2013 arrest and life sentence. This highlights the dangers of not compartmentalizing online personas.
Similarly, the AlphaBay market's operator, Alexandre Cazes, was compromised in 2017 when investigators linked his dark web alias to a personal email used in clear web transactions. His OpSec faltered with visible displays of wealth and inadequate separation of digital footprints, resulting in the site's seizure and his subsequent death in custody.
In the corporate world, the 2014 Sony Pictures hack exposed emails, salaries, and unreleased films because of weak passwords and unpatched systems. Employees reused credentials, and the company lacked robust monitoring, allowing North Korean hackers (allegedly) to wreak havoc.
Did you hear about Yevgeny Prigozhin and PMC Wagner? Love them or hate them, one thing is clear: this organization was unique. Few have dared to attempt a rebellion in Moscow in the last 100 years (aside from the Communists). But what ultimately destroyed this war machine? Wagner Group, a private military company, was a force to be reckoned with. But even the most powerful organizations can crumble under the weight of their own mistakes. And in this case, it wasn’t just geopolitics - it was also a failure in privacy and security.

Prigozhin, Wagner’s leader, was known for his obsession with privacy. He avoided modern devices with internet or Bluetooth connectivity. Instead, he relied on two tools:
An iPad for secure communication.
A Psion, an old-school device with no internet or wireless capabilities.
Why a Psion? These retro devices are essentially "digital islands" - completely offline, making them immune to modern hacking techniques. Curious about how they work? Check out these resources:
Despite his efforts to stay off the grid, Prigozhin made one critical mistake: he stored backups online. These backups, containing sensitive data, were eventually hacked and leaked. This breach exposed Wagner’s operations and Prigozhin’s empire to the world. Here are some must-read articles:
So, what’s the lesson here?
First, making money from war is unethical and will earn you powerful enemies.
Second, even the most secure devices can’t save you if you store sensitive backups on online servers.
The cryptocurrency world, with its promise of anonymity and wealth, is particularly rife with OpSec pitfalls. A stark recent example is the brutal murder of Russian crypto blogger and entrepreneur Roman Novak and his wife, Anna, in the United Arab Emirates. Novak, who had a history of fraud, including a prison stint for stealing $100,000 from investors, raised $500 million through a fraudulent crypto app before fleeing Russia with the funds. After his release, the couple relocated to Dubai, where they lived lavishly and documented it all on social media.
Novak frequently posted photos boasting about their opulent lifestyle, including a Rolls-Royce and a vintage British Cobra sports car (valued at around $1.9 million combined), as well as family vacations to places like Disneyland. This public flaunting of wealth was a critical OpSec failure, as it signaled to potential adversaries that Novak was a lucrative target with significant crypto holdings. In the crypto community, such displays are often called "flexing," and they frequently attract physical threats, from home invasions to kidnappings.

On October 2, 2025, the Novaks were lured to a villa in Hatta, a remote mountain resort outside Dubai, by individuals posing as potential investors. This meeting lacked any apparent verification or security precautions - another glaring OpSec lapse. Once there, they were held hostage while the kidnappers demanded the password to Novak's crypto wallet. When they discovered the wallet was empty (possibly because Novak had already spent or hidden the funds), the couple was killed, dismembered, and their body parts scattered, some even left in trash cans at a shopping mall. Their phones last pinged on October 4 in Cape Town, South Africa, before going silent, suggesting the killers may have disposed of or transported the devices. Authorities have arrested eight suspects, including defrauded investors and a former employee of Vladimir Putin's Interior Ministry, in connection with the kidnapping, extortion, and murders.
The case has sent shockwaves through the crypto community, highlighting how poor OpSec - such as oversharing online and trusting unverified contacts - can escalate from digital risks to lethal real-world violence. Novak's story echoes other crypto-related incidents, like the 2023 kidnapping of a Ukrainian crypto trader in Spain or SIM-swapping attacks that have drained millions from unsecured exchange accounts.
The best way to learn about OpSec is to learn how people fail. Here you can check a big collection of links on bad OpSec by jermanuts:
Finnish hacker traced using Monero bad opsec Reddit investigation. Entertaining video
Administrator of Incognito Market Complaint. Entertaining video
Pompompurin (Conor Fitzpatrick) BreachForums owner Affidavit
Hacker who used Genesis Market and wanted to join ISIS by contacting an undercover FBI agent (ISIS travel facilitator) Court docs
Harvard student
The Novak tragedy and other failures serve as grim reminders that OpSec isn't optional in a connected world. To avoid similar fates:
Scrub metadata from photos before posting.
Use pseudonyms and separate accounts for different activities.
Enable 2FA everywhere and use password managers.
Avoid public displays of wealth, especially in volatile fields like crypto.
Verify contacts through multiple channels before meetings, and consider escorts or neutral locations.
Employ VPNs, encrypted messaging (e.g., Signal), and hardware wallets for assets.
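An added example (not from the original article) of the metadata scrub recommended above: a standard-library Python check that reports whether a JPEG carries Exif with a GPS pointer, the kind of data that exposed McAfee's location, and returns a copy without it. The function names and the in-memory sample image are constructed for illustration.

```python
import struct

def segments(jpeg: bytes):
    """Yield (marker, start, end) for each segment up to and including the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        # SOS (0xDA): the compressed image data runs to the end of the file
        end = len(jpeg) if marker == 0xDA else pos + 2 + length
        yield marker, pos, end
        pos = end

def has_gps(exif: bytes) -> bool:
    """True if IFD0 of the Exif block carries the GPS IFD pointer (tag 0x8825)."""
    tiff = exif[6:]  # skip the b"Exif\0\0" identifier
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
    try:
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
        tags = [struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
                for i in range(count)]
    except struct.error:  # truncated Exif: cannot tell, the segment is still dropped
        return False
    return 0x8825 in tags

def audit_and_scrub(jpeg: bytes):
    """Return (findings, cleaned bytes) with APP1 (Exif/XMP) and COM segments dropped."""
    findings, out = [], bytearray(b"\xff\xd8")
    for marker, start, end in segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            findings.append("exif+gps" if has_gps(payload) else "exif")
        elif marker in (0xE1, 0xFE):
            findings.append("app1-other" if marker == 0xE1 else "comment")
        else:
            out += jpeg[start:end]
    return findings, bytes(out)

def seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, Exif whose IFD0 holds only a GPS pointer, empty scan.
TIFF = b"II*\x00" + struct.pack("<IH", 8, 1) + struct.pack("<HHII", 0x8825, 4, 1, 26) + bytes(4)
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00" + TIFF) + b"\xff\xda\x00\x02\x00\xff\xd9")
```

The scrub leaves ICC profiles and other APPn segments in place, and it does nothing about what is visible in the frame itself.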
In the end, good OpSec is about vigilance. As Novak's case shows, one slip can cost everything. By learning from these failures, individuals can better protect themselves in an era where information is both power and peril.
Leaker of classified U.S. docs (Jack Teixeira) Affidavit, Some external investigations, thread 1 and thread 2
Ross Ulbricht (Silk Road admin) Couldn't keep himself anonymous online and how undercover agent helped the FBI to get him trapped the Affidavit
Lapsus$ kiddies. Video documentary
BayRob Malware gang with good opsec caught. Conference video
Man donated to Hamas
APT1 and learning from their OPSEC failures. Conference video
Crypto "Mixer" Bitcoin Fog Affidavit
The 'one tiny slip' that put LulzSec chief Sabu in the FBI's pocket
Hacker Jeremy Hammond. Entertaining video
John William Kirby Kelley Member of 'DeadNet' & .onion 'Doxbin'. Affidavit
How the FBI goes after DDoS.
Vladimir S.
4 comments
Opsec good security, keep building my dear frens 💙
This is noice project 🫶, keep building 😊
Thx for sharing this information
A very useful article, specially the 'Common Bad OpSec Practices' advice and the real life cases.