Security practices

OPALE is custodial — your wallet’s keys live on OPALE infrastructure, encrypted, and access to your Telegram account is access to your OPALE account. The practices below close the most common attack paths.

  • Enable Telegram 2FA. Settings → Privacy and Security → Two-Step Verification. This blocks SIM-swap account takeover, which is the highest-impact attack against any Telegram-based bot.
  • Lock your local Telegram with a passcode or biometric. Anyone with your unlocked phone can read your wallet view.
  • Terminate stale sessions. Settings → Devices → review active sessions and terminate any you don’t recognize.
  • Don’t share screen recordings of OPALE chats. Recovery phrase reveals, addresses, and balances all live in chat history.

  • Reveal your recovery phrase early. 💰 Wallet → 🔑 Export Private Key — write it down, ideally on a metal backup. Don’t screenshot it, don’t paste it into a notes app, don’t put it in cloud storage.
  • Test that it works. Paste the phrase into Sparrow, Electrum or another standard Bitcoin wallet on a separate device to confirm you can recover. Then come back to OPALE.
  • Treat the phrase as non-shareable. OPALE will never ask you for it. Anyone who does is trying to steal your funds.

OPALE is built for active trading, not cold storage. A reasonable approach:

  • Active trading float stays in OPALE — what you’re willing to risk to platform compromise.
  • Long-term holdings sit in a wallet you control — withdraw via 📨 Send BTC and store on a hardware wallet or air-gapped setup.
  • Recovery phrase is your escape hatch — with it you can move everything out of OPALE without OPALE’s cooperation.

  • Fake bots with names like @OpaleOfficialBot, @OPALESupport, @opale_admin. The real bot is only linked from opale.world.
  • Fake support DMs. The OPALE team will never DM you first. Legitimate support starts from inside the bot.
  • Airdrop / claim messages in Telegram groups. OPALE doesn’t run airdrops or “claims.” Any message saying otherwise is fake.
  • “Verify your wallet” asks. No legitimate flow asks you to type or screenshot your recovery phrase to “verify.” Ever.

  1. Lock your Telegram — Settings → Devices → terminate other sessions immediately.
  2. Withdraw what you can — if you can still authorize, 💰 Wallet → 📨 Send BTC to a wallet you control.
  3. Reveal your recovery phrase if it’s safe to do so, then move the funds using another wallet.
  4. Contact support — see contact. Include timestamps and any suspicious-message screenshots.

  • Each user’s wallet is encrypted with its own key, separate from every other user’s, and the encrypted data is bound to your account so it can’t be silently substituted for another user’s.
  • Keys are decrypted only inside a signing call; the working memory is wiped when the call returns. They never sit unencrypted on disk.
  • Order changes write an append-only audit row in the same database transaction as the order update, so nothing mutates state without an audit trail.

These reduce risk; they don’t eliminate it. Custodial means custodial.
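
The audit-row design described in the last list, sketched as an added example (this is not OPALE's code). The table and column names are hypothetical, SQLite stands in for whatever database OPALE uses, and triggers are one assumed way to make the audit table append-only.

```python
import sqlite3

# Hypothetical schema for illustration; not OPALE's actual tables.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                     status TEXT NOT NULL, price_sats INTEGER NOT NULL);
CREATE TABLE order_audit (seq INTEGER PRIMARY KEY AUTOINCREMENT,
                          order_id INTEGER NOT NULL, actor TEXT NOT NULL,
                          old_status TEXT NOT NULL, new_status TEXT NOT NULL,
                          at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP);
-- Append-only: any UPDATE or DELETE on the audit table aborts the statement.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON order_audit
BEGIN SELECT RAISE(ABORT, 'order_audit is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON order_audit
BEGIN SELECT RAISE(ABORT, 'order_audit is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions only
    db.executescript(SCHEMA)
    db.execute("INSERT INTO orders VALUES (1, 42, 'open', 5000000)")  # constructed sample row
    return db

def change_status(db, order_id, new_status, actor):
    """Update an order and write its audit row in one transaction."""
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchone()
        if row is None:
            raise LookupError(f"no order {order_id}")
        db.execute("UPDATE orders SET status = ? WHERE id = ?", (new_status, order_id))
        # actor is NOT NULL: if this insert fails, the UPDATE above is rolled back too.
        db.execute("INSERT INTO order_audit (order_id, actor, old_status, new_status) "
                   "VALUES (?, ?, ?, ?)", (order_id, actor, row[0], new_status))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise

def status(db, order_id):
    return db.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchone()[0]

def audit_count(db):
    return db.execute("SELECT COUNT(*) FROM order_audit").fetchone()[0]
```

A change whose audit row cannot be written leaves the order untouched, and existing audit rows cannot be edited or deleted through SQL.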