Foreword
Mikko Hyppönen — Chief Research Officer at WithSecure
Money is data. This has been true for a while now, but most people have not fully absorbed what it means.
For more than thirty years, I have been investigating cybercrime. When I started in 1991, online criminals were teenage hobbyists writing viruses for fun. It was a game we played against them, and we were fairly good at it. Before long, the hobbyists were replaced by professionals. Today, organized ransomware gangs run operations with customer service desks, performance reviews, and employee benefits. Crime, it turns out, scales just as well as any other online business.
One of the things that changed along the way was money. For most of history, money was physical. You could hold it, count it, hide it under a mattress. When money moved online, we handed control of it to intermediaries.
Banks, payment processors, and credit card companies secured our money for us. They also decided who could use it and who could not. In practice, most people found this arrangement acceptable. If someone stole your credit card number, the bank would sort it out.
Bitcoin changed this. For the first time, value could be transferred across the internet without asking permission from anyone. No bank in the middle. No payment processor. The mathematics handled it.
The cybersecurity community was introduced to Bitcoin through ransomware. In the early 2010s, criminal gangs discovered that Bitcoin gave them something they had never had before: a way to collect payments from victims anywhere in the world, instantly and irreversibly, without a financial institution that might freeze the funds. Ransomware existed before Bitcoin, but Bitcoin made it into a billion-dollar industry.
Hospitals have been shut down. Pipelines have been shut down. City governments have been shut down. For many of my colleagues, ransomware is still their primary association with Bitcoin, and I understand why.
But the picture is incomplete. The same properties that make Bitcoin useful for criminals also make it useful for people living under authoritarian regimes, for dissidents, for anyone who needs to move value without asking for permission. Mathematics does not care about jurisdiction. Like cash, Bitcoin is neither good nor bad. It is a tool.
Traditional money has traditional guardians. Banks employ thousands of security professionals. Payment networks run fraud detection systems. Regulators enforce rules. If something goes wrong, there is usually someone to call.
Bitcoin has none of this. If you hold your own bitcoins, you are the bank, the security team, and the fraud department. If you lose your private key or someone steals it, there's no one to call. The money is gone, and no court order can get it back.
That is how the system works. And it means that safeguarding Bitcoin is the responsibility of the users themselves. For someone who has spent thirty years watching people lose data, passwords, and access to their own accounts, that reality still makes me pause.
In my book If It's Smart, It's Vulnerable, I described how connecting devices to the internet creates attack surfaces that most people never think about. The same principle applies here. Bitcoin is the smartest money ever created. And if it is smart, it is vulnerable.
Its security depends not just on the mathematics of its protocol but on every piece of software, hardware, and human decision in the chain. Securing all of that is a cybersecurity problem, whether the cybersecurity community has recognized it yet or not.
I met Luke de Wolf at the BTC HEL conference in 2025. Luke approaches Bitcoin the way I approach malware. He wants to understand how it actually works, where it is strong, and where it can be broken. He is not an evangelist pretending that everything is fine. His background is in securing industrial control systems, the kind of systems that keep power grids running and oil refineries from blowing up. People who work in this field think about defense differently from people who secure corporate networks. They think in layers, redundancy, and failure modes. They assume that any single control will eventually be bypassed, and they plan accordingly.
This book applies that thinking to Bitcoin. I have not seen it done before. It also serves as a solid introduction to both cybersecurity and Bitcoin for readers who may know one subject but not the other.
I am not a Bitcoin maximalist. I am a cybersecurity professional who has watched money become data and data become a target. The question is no longer whether Bitcoin needs to be defended. The question is how.
Mikko Hyppönen
Helsinki, 2026