Steini's User Avatar

@Steini

in /crypto-wallets 9 days ago

Signup / Login

What’s a secret vs what’s metadata (and why metadata can still hurt)

Most wallet advice online is either “share nothing ever” or “it’s fine bro”. Neither is useful.

Here’s the calmer truth: in self-custody, there are secrets (instant loss if leaked), and there’s metadata (usually not instant loss, but can still enable scams, tracking, targeted attacks, and privacy blow-ups).

If you want better help from the internet without turning yourself into a soft target, you need to know the difference.

  • Tier 1 – Secrets (do not share, ever)

    • These are the “game over” items. If someone gets them, they can usually take your funds.

      • Seed/recovery phrase (12/18/24 words)

      • Passphrase (hidden wallet secret)

      • Private keys (any format)

      • xprv/yprev/zprv (extended private keys)

      • Wallet export that includes private keys

      • Signing device backups that contain secrets

      • Photos/screenshots of any of the above

      • Anything you typed into a browser form that looks like recovery/verify/sync/unlock/upgrade

    • If a “helper” asks for any of this, they are not helping. They are stealing.

  • Tier 2 – Sensitive metadata (not keys, but still risky)

    • This stuff usually can’t spend your funds on its own, but it can:

      • deanonymise you

      • help an attacker craft believable phishing

      • reveal balances and habits

      • narrow down your wallet type/derivation

      • make you a target

    • Think of it as “safe-ish, but only if you understand your threat model”.

    • xpubs and descriptors (watch-only data)

      • xpub/ypub/zpub: allows someone to view your wallet’s addresses and transaction history, often indefinitely.

      • Descriptors (common in modern Bitcoin wallets): same idea, often more precise about how addresses are derived.

      • These are not spend keys, but they can be a privacy disaster. If you post them publicly, assume:

        • your balance can be tracked

        • your future incoming addresses can be tracked

        • you might get targeted with tailored scams

    • Wallet fingerprints and device identifiers

      • Master fingerprint (mfp), wallet fingerprint strings, some export metadata

      • These can help people understand what you’re using and how it’s set up, which makes social engineering easier.

    • Exact balances, screenshots, and bragging

      • Posting exact amounts, full portfolio screenshots, or “I just moved 12 BTC” is basically putting a sign on your back.

    • Your setup details (when combined)

      • Any single detail might be fine, but combined they can identify you.

        • your country/city

        • the wallet app you use

        • the signer model

        • screenshots showing UI, account names, labels

        • timestamped transaction IDs

        • your exchange on-ramp/off-ramp habits

      • Individually: meh. Together: very useful to an attacker.

  • Tier 3 – Usually safe to share (if you keep it boring)

    • This is the stuff that can help troubleshooting without exposing you.

      • A single receive address

        • Usually fine to share a single address for a specific issue (e. g., “is this the right network?”), but remember:

          • addresses link to on-chain history

          • posting it ties that history to your online identity

      • If you care about privacy, use a fresh address and don’t reuse it.

    • Transaction ID (txid)

      • Also usually safe for “is my transaction stuck?” type questions, but it reveals amounts and timing. Don’t post it alongside personal details.

    • Error messages (text-only)

      • Copying the error text is better than posting screenshots. Screenshots leak more than you think (wallet name, device model, account labels).

    • Wallet type and general flow

      • “Ledger with Sparrow on macOS, PSBT via microSD” is fine. “Here’s my export file” is not.

  • The two classic own goals

    • “It’s not a secret, so it’s safe”

      • No. Not a spend key doesn’t mean harmless. Privacy loss can become security loss via targeting.

    • “I’ll just DM it to you”

      • Never. DMs are where scams live. Keep support public and keep secrets private.

  • How to ask for help safely (copy/paste template)

    • Use this and you’ll get better answers with less risk:

      • What wallet app/software: (name + version if relevant)

      • What device/signer: (model, connection method: USB/QR/microSD)

      • What chain/network: (Bitcoin, Ethereum, Solana, etc.)

      • What you were trying to do: (send/receive/restore/update/sign PSBT)

      • What happened: (exact error text, steps you took)

      • What you have NOT shared: seed/passphrase/private keys (confirm this)

      • Optional: one receive address or a txid (only if needed)

  • Comment test: is this safe to post?

    • If you answer “yes” to any of these, don’t post it:

      • Would this let someone spend my funds?

      • Would this let someone track my wallet forever?

      • Would this help someone impersonate support convincingly?

      • Would I be comfortable if this was indexed by Google permanently?

Self-custody isn’t just “protect keys”. It’s also “don’t make yourself easy to target”.

If you’re unsure, post less. You can always reveal more later. You can’t un-leak a seed phrase.

1Score: 1

0 Comments