Module 11: OPSEC & Operational Security - Blue Helix TCG
Lesson 11

Module 11: OPSEC & Operational Security

Why this matters

For a home-based TCG operator, your home is your warehouse, your vault, and your office all at once — which means a single leak can connect a high-value inventory to a residential address with a known schedule. OPSEC is the discipline that keeps those facts from ever lining up. The entire doctrine rests on one failure condition: if value, identity, and timing can be connected, OPSEC has failed. Get this right and you remain an anonymous logistics signal; get it wrong and you become a mapped, scheduled, exploitable target.

What you'll be able to do

  • Apply the six-domain OPSEC doctrine in strict priority order
  • Run three separate identities (brand, personal, logistics) that never link
  • Conceal what you hold, when you move it, and what you're worth
  • Gate every data export behind a coded acknowledgment, with a self-destructing process for the rare legal exception
  • Maintain OPSEC as a living system on a fixed review cadence

The Core Doctrine & Priorities

Everything in this module exists to prevent outsiders from combining value, identity, timing, and behavior into a single exploitable attack surface. Each rule is a wedge that keeps those variables uncorrelated. An attacker who knows you hold a $4,000 slab but not who or where you are has nothing actionable. One who knows your address but thinks you sell candles has nothing actionable. The danger is only ever in the connection.

The doctrine partitions all risk into six domains, ranked by priority:

  1. Shipping — neutral labels, neutral logistics identity, no hobby language
  2. Identity — separate brand / legal / logistics identities, never link home address to brand
  3. Inventory — no full-holdings disclosure, no real-time acquisitions
  4. Timing — no real-time shipment/PSA/delivery announcements, no predictable schedules
  5. Financial — no balances, limits, or cash-position disclosure
  6. Digital & Platform — assume everything is logged; never link accounts

The ranking is not arbitrary. Because the home is the warehouse, the domains that physically connect product to your front door — Shipping (1), Identity (2), and Timing (4) — are existential rather than abstract. A financial leak is embarrassing; a shipping leak that puts "Pokemon" on a label going to your house is a theft waiting to happen.

Two default postures govern all six domains. First: default to zero trust — assume all external systems and people are untrusted, and break OPSEC only for a hard legal or contractual requirement, never for convenience. Second: treat every screenshot as public. Your internal records are safe only as long as their surface never leaves the building.

Identity, Inventory & Timing

These three domains are where the home operator lives or dies, so they get the most concrete rules.

Identity — run three separate identities, never linked. You maintain (a) a public-facing brand identity (your store name), (b) your legal identity (the human and the LLC), and (c) a logistics identity (the neutral name on shipping labels). The cardinal sin is linking your home address to collectibles branding. Concretely:

  • Brand account uses the business name, a business email, and a VoIP/business phone — never a personal number.
  • Never reuse a username, email, or metadata across platforms — that's how cross-platform identity correlation happens.
  • Cross-link your brand accounts to each other only; never follow personal contacts from the brand, and never link brand to personal.

Failure modes here are targeted theft, doxxing, and reputation-based targeting.

Inventory — never expose what you hold. Avoid public disclosure of full holdings. Don't post real-time acquisitions. Delay or generalize any inventory announcement. A "look at my whole binder" post is a shopping list for a thief who then only needs your timing and location to act.

Timing — kill the predictable pattern. This is the one most operators underrate. Do not announce shipments, PSA returns, or deliveries in real time. Avoid predictable inbound/outbound schedules. The concrete delays that break pattern visibility:

  • Graded-card reveal: post 2–4 weeks after receipt
  • Purchase showcase: 1–2 weeks after acquisition
  • Shipment unboxing: 1+ week delay
  • Show attendance: post only after returning home
  • Sale announcements: never real-time

The principle is that a real-time PSA-return post tells a watcher exactly when a high-value, freshly-graded slab is sitting on your porch.

Worked walkthrough: how three small leaks compound

Imagine you make three "harmless" posts in one week:

  1. A binder photo showing a PSA 10 Charizard (value disclosed).
  2. A story tagged at the local card shop, window and street sign visible (identity/location disclosed).
  3. "Mailman just dropped my PSA returns!" (timing disclosed).

Individually each feels minor. Connected, an attacker now knows what you have, roughly where you live, and when fresh slabs hit your porch. That is the exact value + identity + timing triangle the doctrine exists to prevent. The fix costs nothing: don't show the binder, never tag location, and delay the PSA-return mention by a week or more.

Financial & Platform Silence

Financial OPSEC (rank 5) is silence. Never publicly disclose balances, credit limits, or cash position. Avoid screenshots that show totals or account details. Segregate operational accounts and cards where possible. For the work-from-home operator, the sharpest risk is the screen-share or stream: a home-office Zoom call, a Discord screen-share, or a casual stream that flashes a spreadsheet, an inventory total, or your balances instantly hands an attacker your leverage. Before you ever share a screen, close any sheet, file, or page showing a number. Why silence? Disclosed financials enable social engineering, leverage exploitation, and reputation-based financial pressure.

Digital & Platform OPSEC (rank 6): assume everything is logged. Treat every DM, Discord, and group chat as logged, screenshotted, or forwarded — because it is. Rules:

  • Don't discuss deals, inventory, or shipments in public or semi-public channels.
  • Don't link platform accounts via shared usernames, emails, or metadata.
  • Use authenticator-app 2FA (not SMS) and a password manager.

Incoming-DM red flags signal scam or targeting. Watch for: "What's your address for a collab?", "How much inventory do you have?", "When are you going to [show]?", "Can I see your full collection?", unsolicited proposals from brand-new accounts, and pressure to move off-platform fast. Every one of these is an attempt to harvest a corner of the value/identity/timing triangle.

Red-flag protocol — if X then Y:

  • If a stranger asks for address, inventory size, travel, or full collection → do not engage; never provide the info.
  • If the account looks malicious → screenshot first, then block and report.
  • If pressured to move off-platform fast → disengage.

Export Gate & Maintenance

Exporting or sharing any data file is the highest-risk surface in the entire operation, because a single file can bundle full item details, costs, values, contribution history, and complete financials — it reconnects value + identity + timing in one downloadable artifact. The risk runs three tiers — HIGH (red), MEDIUM (yellow), LOW (green) — and anything that bundles inventory, capital, or full financials is HIGH. Treat every export as a deliberate act, not a habit, and run a four-step gate before you create or send one:

  1. Know what is in it. Be explicit about which data classes the file contains (inventory, costs, financials, contributions) and how sensitive that makes it.
  2. Make it a conscious decision each time. Never let exporting become automatic — pause and confirm you actually need this file and exactly where it is going.
  3. Use a neutral filename. Never name a file after your brand or the hobby (no YourBrand_*, no Pokemon_*); the name alone is an identity leak.
  4. Log it. Keep your own record of what you exported and when, so there is a trail if a file ever surfaces where it should not.

A useful gut-check before any export leaves your hands: this file holds sensitive inventory and financial data that could compromise OPSEC if shared or exposed, and I will handle it accordingly.

Never share externally — these are the four data classes that most directly reconnect the triangle: export files, raw data dumps, your transaction logs, and screenshots of your records. Never screenshot any sheet or file showing financial totals, full inventory values, account details, or transaction history. (Note: even a cloud-drive folder named after the hobby or your brand is itself a MEDIUM identity leak — rename anything that does.)

The 5-step exception process. You break OPSEC only when legally or contractually required — tax filing, insurance claims, carrier claims, compliance. When you must:

  1. Document the specific requirement (which authority, which obligation).
  2. Export the minimum necessary data — never the full file if a subset satisfies it.
  3. Use secure transfer methods.
  4. Delete the exported file after use.
  5. Log the exception in the audit trail.

The delete-after-use step is the home operator's safeguard against a single forgotten file on a laptop reconstructing the whole operation.

Maintenance — OPSEC is a system, not a setup. Run the review cycle: a quarterly (every 3 months) review of all OPSEC surfaces, an immediate review after any loss event, and an audit of every new feature's code for OPSEC implications before it ships. New code is assumed to introduce new leak surfaces until proven otherwise.

Action Steps

This week, do the following:

  1. Audit your three identities. Confirm brand, personal, and logistics are fully separated — no shared username, email, phone, or metadata. Fix any link you find.
  2. Inspect a real outbound label. Verify zero hobby language (no cards/TCG/Pokemon/sports/memorabilia) and a neutral logistics identity on both ship-from and ship-to.
  3. Set posting delays as defaults. Bake in the 2–4 week graded-card delay, 1–2 week purchase delay, 1+ week unboxing delay, and "no real-time" rule for sales and PSA returns.
  4. Do a screenshot/screen-share sweep. Practice closing any spreadsheet, export file, or record before any call or stream; confirm no totals are ever visible.
  5. Test the export gate. Run one export and verify the warning modal, the disabled-until-checked acknowledgment, the neutral filename prefix, and the audit-log entry all fire.
  6. Schedule your reviews. Put a recurring quarterly OPSEC review on the calendar, and write the "immediate review after any loss" trigger into your SOPs.

Track it: Keep your own export log — what data each file contained, its neutral filename, and when you made it — and gate every export behind the four-step checklist above. Treat export files, raw data dumps, your transaction logs, and screenshots of your records as the four things never to share, because each one reconnects value to identity to timing.