Security is the most pressing matter of the decentralization movement. With the designed disappearance of custodians who manage centralized systems—the security of one's digital assets and cryptocurrency befalls the owners themselves.
This article will go in depth about what is the most recommended way to go about the security of your wallets and accounts. Likewise, we will study the most common pitfalls that have led to funds & digital assets theft.
The article will be revamped with new information—from time to time, and should hopefully be one of the first articles a crypto newbie reads.
This article is not, and should not be construed as—instructions or professional recommendations. Authors and publishers of this informative article cannot be held responsible for financial or any other losses. All responsibility in maintaining the security of accounts is the account owners’ themselves!
So let’s begin with one of the most common phrases in crypto.
Not your keys, not your crypto
Every decentralized wallet is created by a key or keys which are given to the wallet creator, upon wallet creation. These keys are necessary for access to the funds stored within the wallet.
The most common form of a human-readable key is the so-called seed phrase, which is a set of words. These words need to be written down or memorized, and generally require input before “retrieving” access to your account.
These are the “keys” which the common crypto phrase refers to—”not your keys, not your crypto”. If you do not have exclusive, non-custodial access to your wallet, the funds are not really yours—because a stranger can at any time access your wallet and take your funds, or digital assets. A great example of “not your keys, not your crypto” is the FTX debacle which resulted in the loss of 8 billion dollars of customer funds.
That is why there is such a strong emphasis on using non-custodial wallets, and employing strong security habits—within the crypto community.
Creating, storing and using your seed phrase
One should never store his seed phrase electronically—in a text file, or otherwise. This means that whoever gains access to your computer could easily stumble on the “metamask-seed.txt” and suddenly all your crypto is gone. Even if it is not pointlessly specifically named, and is “digitally camouflaged”—it is still a big security vulnerability.
Storing physically written down seed phrases, popularly called—paper wallets, is the best approach. However, the security of said solution depends somewhat on the imagination of the wallet owner and the ability to hide a paper wallet. Regardless, a paper wallet without an electronic back-up and which was created on a computer without keyloggers—is the best way to avoid theft of digital assets.
It is recommended to have more than one copy of a seed phrase, in different locations, written down on a preferably fire-proof & water-proof material.
It should go without saying that…
YOU SHOULD NEVER SHARE YOUR SEED PHRASE WITH ANYONE, FOR ANY REASON. TECHNICAL SUPPORT WILL NEVER ASK YOU FOR YOUR SEED PHRASE, NEITHER VIA DIRECT MESSAGE, A FORM, OR A PHONE CALL.
It should also go without saying that the location of your seed phrases should not be known to anyone other than to you, and likewise—the location shouldn’t be obvious to anyone.
Common pitfalls with creation, storing and usage of seed phrase
A mistake so simple as a copy-pasted “back-up” of a seed phrase into a social media message—to yourself, results in the loss of all funds contained within that wallet.
The reason is simple—social media platform’s moderators and team members can access your messages. Likewise, hackers can access such messages, and seed phrases are very easy to search for in large text databases—because of their specific format.
One might wonder, but won’t theft by the moderators or team members of a social media platform or messaging service be very obvious and can immediately be incriminating? No, because of the decentralized nature of cryptocurrency, it is very difficult to find the thief, if all steps by the thief are executed “properly”.
In a different, diametrically opposite situation—the loss of digital assets can happen as a result of the force of nature, for example—a house fire that destroys the paper with the written down seed phrase, and the computer.
If the computer survives, and the wallet is already “loaded-up” into the computer—the unfortunate digital assets’ owner can luckily create a new wallet, write down the new seed phrase, and transfer the assets from the wallet for which the seed phrase was lost—to the new wallet. The old wallet with the lost seed phrase, now empty, can and should be abandoned & not used.
Another way to lose access to digital funds, if proper steps are not taken—is to create a wallet where the seed phrase is being recorded by software or malware. For example, a keylogger planted by someone on your computer, or using an infected internet cafe computer that has dozens of keyloggers.
It can be as simple as your text auto-filler “learning” what you type—as you type in the seed phrase during the wallet creation seed phrase test. These text auto-fillers can be accessed for your seed phrase. Auto-fillers are a feature of smartphones.
The best approach to creating wallets is via either a Linux, a macOS computer, or a Windows computer with recently installed latest Windows that has a good Antivirus.
Use your own network
Even if all steps are undertaken to ensure maximum security during the wallet creation process, it is all in vain if the network that is used to create a wallet—is controlled by a malicious actor.
In other words, if you are connected to your neighbour's wi-fi, public wi-fi or your browser experience and/or LAN connection has been acting strangely lately—do not create new wallets.
If you are not a network aficionado, ask family and friends to help you ensure your internet connection is safe—and without malicious oversight.
Most common scam attempts
Double or triple-your-crypto giveaway, and almost every giveaway
Giveaways on Youtube and other platforms that claim to provide multiples of the cryptocurrency that you send them—are an outright scam. No cryptocurrency will come to you from these “giveaways”. You will not get “lucky” by finding a secret “lifehack giveaway”.
IOHK, a company developing Cardano, has attempted and failed to get Google’s attention to attend to these scams being peddled most commonly as Live videos on Youtube or Discord and Twitter messages. They are probably the most common type of a scam. They commonly falsely use Charles Hoskinsons’ or Musk’s video recording—to present the giveaway as “legit”.
Whoever claims they will send you more cryptocurrency if you send them some first, is a scammer. Don’t send them your digital assets.
On a similar note of “non-scam” giveaways where actual assets are provided to a “winner”—most of them are set up to give the rewards to friends, or even to themselves!
Influencers very often employ this tactic as a “zero-cost marketing strategy”.
That’s why it's best to avoid participating in giveaways, and especially avoid providing your info or wallet addresses in order to participate in giveaways!
Love scam
Scammers with profile pictures of beautiful women will attempt to befriend anyone who is involved with crypto and wants to talk. These scammers mostly make their advances to men via Twitter, Telegram or Discord DMs.
The scammers are functioning on a premise that they will manage to convince lonely men to give them crypto before they can “meet in real life”. The scammers pretending to be attractive women will ask the victim to cover travel expenses etc.
Do not send anyone crypto who you don’t personally know, and even then, exercise great caution.
Love scam #2
A variation of a love scam, often referred to as “pig butchering”—involves either a fake woman or man targeting individuals eager for a relationship. The scammer will “work” on the individual for weeks, sometimes months—before suggesting an investment in a fake crypto website.
In this case the scammer will never ask for money directly, like in the scam mentioned previously.
The scammers follow an elaborate script of responses, and the profile of the fake woman or man is very similar.
This profile is the following:
a.) person in their 20s who run one or two successful businesses, most often bars, restaurants, hotels
b) likes to wear expensive brands
c.) has a great interest in emigrating to your country
The scam will often start with questions about your country, attempting to establish a rapport.
Technical support
It is common to be Direct Messaged by supposed influencers on social media or community managers on Telegram. They are not the influencer or community manager they are pretending to be. They are scammers.
An influencer or community manager of a legitimate project will never direct message you first.
The attempts to get your crypto or seed phrase vary from offering technical support to you, requesting to fill out a form that asks for your seed phrase, request visual assistance to fix a made-up problem, to forwarding you to a website that looks legit, but isn’t. On this site you might get forwarded to, you will of course be asked to input your seed phrase…
These scammers will always come at you with kindness and URGENCY, do not give in.
They will most likely claim you are at a serious risk of losing ALL FUNDS, or claim that you have been HACKED.
Always think well before signing any transactions, handling seed phrases, and never ever provide your PASSWORD or seed phrase to anyone.
Impersonation of legitimate project team members
On a similar note, scammers might impersonate team members instead of influencers or community managers. These scams are often targeting team members of the same project, however, they do sometimes attempt to scam the project’s supporters as well.
The most common scam attempt with this angle is asking for a loan.
Starting an .exe to test a project for a job interview or other reasons
A very rare but possible scam is the following. Scammers set up a very legit looking website, as well as legit-looking social media accounts with numerous seemingly active followers—Youtube, Twitter, Discord…
All the graphics and written content will be stolen from another legit project.
The scammer will try to pressure you into downloading a “launcher” from their website which starts their game or “dApp”. They will try to get you to have a sense of urgency that you do it as soon as possible and that you cannot invest, or get a job interview—if you do not test out their game on your computer.
Once you start their launcher, your crypto will most likely be gone, or your computer will be locked up as part of a ransomware attack.
Friend account hacks
Let’s observe a common issue with regards to social engineering in crypto.
It has occurred many times that a scammer secretly took control of social media accounts of crypto users.
These crypto users have a reputation with their online and offline friends that could be abused. In other words, the person secretly taking over the account can request a loan from “friends”. Once the cryptocurrency is moved to the thief’s wallet, the thief disappears whilst the hacked person is stuck with the expectancy to pay back.
Don’t borrow your friend crypto until you’re absolutely sure they are not being impersonated.
Top-up wallet scam
During bull-markets when gas cost on Ethereum are very high for sustained periods of time, scammers utilize the following scam tactic.
They top-up a wallet with about 50-200 $ of some “legit” ERC20 tokens that will take a nice amount of gas to transfer. Mass-contact potential victims via social media such as Discord, Telegram or Twitter and approach with the following premise
I cannot access my funds and if you will help me I will reward you. Then the scammer provides the seed phrase.
The scam counts on human selfishness and that the person will rather attempt to steal the funds than help the person. Either way, if the person decides to genuinely help, that person will also get scammed.
Once a person falls into this trap and sends $ETH to the wallet which the phrase was provided by the scammer, the $ETH is automatically transferred out of the wallet as soon as it arrives—by the usage of a script made by the scammer.
PDF vulnerability exploit
Do not open PDFs from unknown sources! Recently, hackers figured out how to use the PDF format maliciously. Scammers might send you Whatsapp messages with PDFs or e-mails—almost certainly with great urgency about opening the PDF.
Once opened, these PDFs will compromise your computer, or phone, and steal your crypto.
Theft via Phishing
We already mentioned phishing in the “technical support” section above, and here we will discuss specifically e-mail phishing.
Phishing is pretending to be something that is legitimate and trusted, when it is in fact—a scam. For example—one might receive an email that states action is urgently required to prevent funds from being stolen from a personal account on an exchange.
By following this “phishing link” from the scam e-mail, the person will think they are on, for example, Binance—but they are instead on a clone of Binance that is run by a malicious actor.
It's possible for the scammer to know which centralized exchange the user associated with the e-mail usually uses. By pretending to be a persons’ standard choice of centralized exchange or fiat on ramp—it is far more likely that the person will “take the bait” and input highly confidential information into a fake website.
There is no trading happening on this “fake” Binance, or other faked service. The goal of the website is to steal your password and login name once you have logged in, it will possibly attempt to pressure you into giving it wallet seed phrases or credit card information.
Sometimes the domain names of these websites can be visibly different which is a warning sign that the website is run by a scammer.
For example, www.binánce.com instead of www.binance.com.
To protect yourself from phishing use 2FA, best via SMS, and a Browser-based password manager that will automatically recognize phished websites and will not fill in the password once a username is entered.
Scamming through fake “fiat on or off ramps”
Fiat on or off ramps allow the purchase and sale of cryptocurrency for “fiat money” or as some crypto-unacquainted people like to call it—“real money”. Virtually every CEX has their own fiat on and off ramp but there are some non-CEX fiat on and off ramps. A great majority of non-CEX fiat on and off ramps are scams because there is such a demand for crypto. The type of individuals that mostly fall prey to these scammers are crypto-uneducated individuals.
These fake fiat on and off ramps in most cases are not even set-up as actually registered business, some are outright scams that take all your crypto or fiat and provide nothing in return—others provide the service but with exorbitant fees attached.
An example of a fake fiat on and off ramp is a telegram bot through which you provide your credit card info, together with your crypto address. The scammers promise to charge your credit card automatically with the help of the bot, and transfer the crypto to the provided address.
To re-emphasize…99% of these unregulated, unofficial fiat on and off ramps—are scams.
An objective recommendation with regards to fiat on and off ramps is to stick to the following Centralized Exchanges:
Binance, Kucoin, OKEx, Poloniex, Coinbase and Kraken.
Fake Token
Many scammers commonly advertise a liquidity pair or a token contract on social media platforms, e-emails, and direct messages.
They make claims of super-urgent “pre-sales” with too good-to-be true token prices.
As soon as scammers detect there is great interest in a new project that is yet to release their token—they will pretend they can provide the tokens with early access and a much cheaper price. Fake tokens instead of real tokens are provided for real crypto or fiat money of the victim.
The fake tokens almost exclusively are created to impose as a token of an actual existing token with legitimate future prospects.
Likewise, fake tokens are created in cases when the legitimate token is already released and available for purchase on the open market.
One of the things one can do to defend oneself against this type of scams is to search coinmarketcap for the token someone is selling via a liquidity pair or some other means.
The best way to check if a contract address is correct — is to write into coinmarketcap search bar the token ticker of a specific token, or the project name.
Click on the token ticker when it pops up.
Now it’s time to look at the “contract address” within the page that just opened — and compare it to the contract address of the token you are acquiring or simply adding to your MetaMask wallet configuration.
This way you can ensure you are not buying a copycat, as copycat tokens can have everything identical to the original token — including the logo, but the contract address cannot be faked.
Copycat tokens have absolutely no value. You will lose all your funds buying copycat tokens.
Keep in mind — scammers can fake the beginning and the end of some blockchains’ token contracts to make them seem identical. Often there can be a difference in only one letter or number. Make sure to compare THE ENTIRE contract address — character by character.
Rug Pulls
This is considered the most heinous criminal act in the crypto community. It is likewise a type of scam that causes the biggest damage to the ecosystem, and its reputation.
Rug pulls are projects set up by scammers in such a way that the plan is to steal as much funds from project supporters—as possible. Some rug pulls are short-term focused, for example, an NFT project that sold out at mint and immediately after—all social media channels and the website are deleted.
Others are more “sophisticated” and stretch out the “development” and “in-business” time to seem like “they’ve tried” and “simply failed”. That is not true as the final destination to nowhere is well known by the leadership of rug pulls the entire time.
The BEST indicator of whether a rug pull will occur or not—is whether the team that is promising to deliver a new product is fully doxxed and has delivered quality products before.
Regardless, even if this checkbox is ‘checked’, it’s not fool-proof, and a rug can still occur.
Token Smart Contract Scam
Entire balances of decentralized wallets can be cleared through malicious exploitation of smart contract ability on smart contract enabled blockchain platforms like Ethereum.
This exploit is performed by sending a victim NFTs or tokens—both of which are actually smart contracts, which can be ‘activated’ when the victim interacts with them. For example—attempting to trade a token on a DEX, or sending the tokens to a different wallet.
Doing these things will activate code within these smart contracts which you do not know about. If you notice a new token in your wallet that you have not purchased or acquired in a legit giveaway from a legit project — ignore it.
Antivirus
If you are not using a Mac or Linux OS, it is critically important to use a good antivirus.
Good suggestions based on the author's experience are Avast and Malwarebytes. Avast has a free version that actively protects your computer well.
Likewise, it is highly recommended to not use a pirate website to acquire said Antivirus.
Antiviruses downloaded from pirate sources can contain malicious backdoors or viruses.
It does not pay off to save money on an Antivirus—especially if you are in crypto.
On the same topic—avoid installing pirated software if you wish to keep your digital assets in your ownership. Pirated software is commonly packed with malware and keyloggers. Crypto users beware!
Contain your crypto enthusiasm with strangers
Don’t talk specifics about your digital assets, which exactly you own and how much—to anyone and everyone. Especially to people “in the physical world”.
By doing so you could be making yourself a target for intimidation & theft.
To finish this informative article in a practical way—here is a list of short but to-the-point security tips:
1.) Do not click on, start or download .exe files (executable file) for which you are not sure are 100% safe and from a confidential source
2.) Do not install Apps on your phone for which you are not absolutely sure they are from a real entity that is in charge of maintaining the app you are installing
Example: a fake PancakeSwap app in the App store, which does not actually exist for mobile, nor as a desktop application
3.) Use 2FA
4.) Use a hardware wallet, for example—Trezor USB Device
5.) If you are a crypto newbie, avoid using unknown wallets and dApps
6.) If you are a crypto newbie, make crypto friends and always ask for an opinion
7.) Do not sign a transaction if you are not 100% sure what it is for. Always ask someone.
And most importantly…Be aware that scammers ALWAYS attempt to create a false sense of urgency, in order to get your guard down and make a mistake.
