2.1.2. Wallet Security
By now, you’ve learned how to pick a wallet that suits your style, needs, and level of control.
But having a wallet is just the first step.
Keeping it secure and avoiding scammers is where most beginners (and even experienced users) slip up.

It's a shame, because blockchain and crypto are such beautiful technologies with use cases beyond our current scope, but a lot of people turn their backs on it due to one bad experience.
It's a whole new world that people have to get used to, and transition periods are always messy, which is why this article is very important.
Educating new users is paramount for a future where crypto is trusted.
Let’s go over some clear, practical practices to keep your crypto safe and avoid the most common threats to your wallet.
a) Standard security practices
Before we jump into setting up your wallet and interacting with tools, it's important you build good security habits.
People usually learn this the hard way, and it's what allows scammers to exploit new and inexperienced investors.
By following these practices you will drastically reduce the chances of your wallet being exploited:
i) Seed Phrase and Private Key Management
When you create a new non-custodial wallet, it will give you something called a seed phrase (also known as a recovery phrase).
This is usually a list of 12 or 24 random words. It might look like overkill for a password, but it is the foundation of your entire wallet.

Here’s why: your seed phrase is used to create all your private keys.
You can think of it like the root of a big tree. The seed phrase is the root, and from it, many branches grow. These branches are your private keys. Your private keys then create your public wallet addresses, which people use to send you crypto.

The private keys are what actually control your crypto. If someone has them, they can move your funds without your permission, because that key is all the permission they need.
But because all your private keys are generated from your one seed phrase, anyone with your seed phrase can recreate every key and access everything.
Analogy:
An easy way to picture this is to think of your seed phrase like a master key to a giant room of deposit boxes.
You might have different keys or combinations inside (your private keys), but as long as someone has the master key, they can recreate these keys and access everything.

This is why you should never share your seed phrase or private key with anyone. No legit service or support team will ever ask for it. If someone does, it's a scam, always.
Write your seed phrase down on paper (not on your phone or computer) and keep it somewhere safe, like a fireproof safe or a secure place at home.
Avoid taking photos or storing it in cloud services, since those can be hacked or leaked.

If you lose your seed phrase and your wallet gets wiped or your device is lost, there’s no password reset button. You’ll lose access to your crypto forever. So treat it like the most valuable thing you own, because it is.
If this sounds risky or difficult for you, your best option is to go for a custodial wallet, as then a third party will manage your seed phrases and keys.
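Here is the root-and-branches picture in working code, added for this edit (it is not code from the article): the standard BIP39 and BIP32 steps that turn a phrase into a seed, a master key and then child keys. Because every step is a deterministic hash, anyone holding the words regenerates exactly the same keys. The constants are the published BIP39/BIP32 test vectors; the key path used is a simplified hardened one, not the full BIP44 path real wallets use.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order: a private key is an integer in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the 12/24 words into the 64-byte seed everything grows from.
    (The word-list checksum check is skipped here; real wallets validate it.)"""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 root: the seed alone fixes the master private key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def hardened_child(priv: bytes, chain: bytes, index: int) -> tuple[bytes, bytes]:
    """BIP32 hardened child (written index') derived purely from the parent private key.
    The spec rejects the astronomically rare case of a zero or out-of-range result."""
    data = b"\x00" + priv + (index + 0x80000000).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + int.from_bytes(priv, "big")) % SECP256K1_N
    if child == 0:
        raise ValueError("invalid child key, try the next index")
    return child.to_bytes(32, "big"), digest[32:]


def account_keys(mnemonic: str, count: int, passphrase: str = "") -> list[str]:
    """The 'branches': hardened keys m/0', m/1', ... regenerated from nothing but the phrase.
    Real wallets use longer BIP44 paths whose non-hardened steps also need EC public-key math."""
    priv, chain = master_key(mnemonic_to_seed(mnemonic, passphrase))
    return [hardened_child(priv, chain, n)[0].hex() for n in range(count)]
```

Note that an optional BIP39 passphrase changes every derived key, which is why a phrase backup without its passphrase is useless and a passphrase without the words is equally useless.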
ii) Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is an extra security step that makes you prove it’s really you when you log in, usually by entering a code from an app on your phone after your password (creating 2 layers of security).

2FA is much more common in custodial wallets and third-party services but can also be found in some dApps, so always look for an option to turn it on.
Use an authenticator app like Google Authenticator or Authy, not SMS, as SIM-swapping attacks happen more often than people think, and using an app is much safer.

Yes, it might feel annoying to enter a code every time, but trust me, it's far better than being drained.
One small extra step can save you from losing everything.
iii) Strong Device and Internet Hygiene
Security isn’t just about your wallet app, it’s about your entire device and how you use the internet.
Keep your phone and computer updated so they always have the latest security patches.
Install good antivirus and anti-malware software (like Bitdefender) and run regular scans.
Use a VPN when managing your crypto and avoid using public Wi-Fi. A VPN hides your real IP address and encrypts your internet traffic, making it harder for attackers to swoop in.
Bookmark the official websites you connect your wallets to so you don’t accidentally click on fake links or phishing sites. Always double-check URLs, and never click random links in emails or social media messages.
If possible, dedicate one device to crypto activities. By keeping this device clean and only using it for wallet management, you reduce the chances of it getting infected through day-to-day browsing or random downloads.
These small extra tasks could save you the pain of losing all your funds, and coming from someone who has been a victim of attacks, the effort is 100% worth it.
iv) Permission Management (Revoke.cash)
When you connect your wallet to an app or website (for example, when you use a DEX or mint an NFT), you often have to approve permissions.
These permissions let the app interact with certain tokens in your wallet.

Think of it like giving a guest a key to your Airbnb. If you forget to take the key back later, they can come back and enter that house anytime.
Most people don’t realize that these approvals often stay open. This means an app or smart contract can move or spend tokens from your wallet later on, even after you stop using it.
Example of how this can be exploited:
Let’s say you connect your wallet to a fake DEX, which often uses a link that looks almost identical to the real one ("app.uniswop.org" instead of "app.uniswap.org"). This is called phishing.
This website will then request an approval to manage your tokens so you can complete the trade. That is normal, so you confirm the approval without thinking too much.
Now they are able to steal all the tokens you gave them access to.

The drain is usually almost instant, but sometimes the scammer lets weeks or even months go by so you forget about that approval.
Later, when your wallet balance is higher, they pull the trigger and drain you.
This tactic is common because waiting makes it harder for you to connect the attack back to that one fake site. By the time it happens, it feels random, and most victims don’t remember giving that approval at all.
That’s where Revoke.cash comes in (not sponsored). It lets you see all the apps and contracts that still have access to your wallet. You can review and remove (revoke) any permissions you don’t trust or no longer need.

Their browser extension also warns you before you sign something, showing exactly what permissions you’re about to give. This helps you understand what you’re agreeing to and avoid risky approvals by accident.
In addition to that, Revoke.cash also keeps and updates a long list of fake sites so you are instantly warned when you do click on one.

So, if you want to feel reassured that your wallet is safe, make sure to check your permissions, and if you happen to approve a permission which you feel might be dodgy, it never hurts to quickly revoke.
Keeping track of your permissions gives you control and keeps your tokens safer.
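The reason an approval "stays open" is that it is a number stored on-chain (the ERC-20 allowance), not a session. The model below, written for this edit and not taken from the article or from Revoke.cash, mimics that bookkeeping: it replays the fake-DEX story with and without a revoke, and includes a small audit that flags unlimited or unknown spenders the way a permissions dashboard would. All names and balances are constructed.

```python
MAX_UINT256 = 2**256 - 1   # the "unlimited" allowance many dApps ask you to sign


class Token:
    """Minimal model of ERC-20 balance/allowance bookkeeping (constructed for illustration)."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowances = {}            # (owner, spender) -> amount the spender may move

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # Stored on-chain; closing the website or disconnecting the wallet does not touch it.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> bool:
        """The spender moves `amount` out of the owner's balance at any later time,
        with no new signature from the owner. Returns False if not allowed."""
        allowed = self.allowance(owner, spender)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != MAX_UINT256:      # unlimited approvals never run down
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def stale_approval_scenario(revoke_first: bool) -> tuple:
    """Replay the story above: approve once, balance grows, attacker drains months later."""
    usdc = Token({"victim": 1_000})
    usdc.approve("victim", "fake_dex", MAX_UINT256)   # signed during the 'swap'
    usdc.balances["victim"] += 9_000                   # deposits over the following months
    if revoke_first:
        usdc.approve("victim", "fake_dex", 0)          # a revoke is just approve(spender, 0)
    drained = usdc.transfer_from("fake_dex", "victim", "attacker", usdc.balances["victim"])
    return drained, usdc.balances["victim"]


def risky_approvals(token: Token, owner: str, trusted: set) -> list:
    """Audit like a permissions dashboard: list open allowances that are unlimited
    or granted to a spender you do not recognise."""
    return [(spender, amt) for (o, spender), amt in token.allowances.items()
            if o == owner and amt > 0 and (amt == MAX_UINT256 or spender not in trusted)]
```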
v) Multi-Signature Wallets
A multi-signature wallet (often called a "multi-sig" wallet) requires more than one approval to move your funds.
Instead of relying on a single private key, a multi-sig wallet is set up to need two or more signatures to confirm a transaction.
Think of it like a safe that needs two keys turned at the same time to open. Even if someone gets one key, they can’t steal what’s inside without the other one.

This is a powerful option for teams or shared accounts, but it can also work great for individuals who want extra security.
For example, you could set up your wallet so it requires a signature from both your phone and your laptop to approve any transaction. Even if one device gets hacked, your funds are still safe because the attacker would need access to both devices.
Multi-sig wallets are also useful if you want to include a trusted friend or family member as an additional signer for extra peace of mind.

Tools like Gnosis Safe make this setup easy, and you can decide how many approvals are needed out of the total keys (for example, 2 out of 3).
The main trade-off is convenience. You need access to all the devices or people required to approve a transaction, which can slow things down a bit. But if you’re protecting a large amount or want to be extra careful, the extra effort is well worth it.

In short, multi-sig wallets let you create your own security, making it much harder for one mistake or hack to empty your wallet.
b) Common threats to your wallet
Even with good habits, you still need to understand the most common threats to actively protect yourself against them, as scammers always find new ways to drain you.
i) Phishing attacks
Phishing is when attackers create fake websites, apps, or pop-ups that look exactly like real services (like an exchange or wallet interface) to trick you into giving them your private info.

The goal of phishing is to steal your seed phrase, private keys, login credentials or to get token approvals.
For example, a scammer might build a website that looks exactly like Uniswap.
Usually they will use a similar-looking link, for example "app.uniswop.org" instead of "app.uniswap.org".
When you connect your wallet and approve a "token spending limit" for a swap, that approval goes to the scammer's contract, meaning they can move tokens from your wallet.

Many beginners panic and hand over info without thinking.
How to avoid it:
Bookmark official websites and always access them from your saved bookmarks rather than clicking on links and double-check the website URL carefully.
Be extremely cautious of pop-ups or urgent messages asking for sensitive information.
Never click a link from someone you don't 100% trust. Often people will make fake profiles pretending to be the project's official team to lower your guard.
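The "check the URL against your bookmarks" advice (here and in the permission-management section) can be turned into a small checker. This is example code added for this edit, not a tool from the article: it only trusts an exact hostname match, flags near-misses such as "uniswop" or a digit zero standing in for an "o", catches real brand names buried in a longer attacker domain, and parses the URL properly so a "user@host" trick cannot smuggle a trusted name into the bar. The bookmark list is constructed.

```python
from urllib.parse import urlsplit

# Stand-in for your own saved bookmarks (constructed for this example).
BOOKMARKED_HOSTS = {"app.uniswap.org", "revoke.cash"}

# Characters scammers swap in because they look alike in a browser bar:
# digits for letters, and a few Cyrillic letters that render like Latin ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
                            "\u043e": "o", "\u0440": "p", "\u0441": "c"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, bookmarks=BOOKMARKED_HOSTS) -> tuple:
    """Returns (verdict, host, matched_bookmark).
    'trusted' only on an exact host match; 'lookalike' when the host is within two
    edits of a bookmark after folding homoglyphs, or hides a bookmark inside a longer
    name (app.uniswap.org.claim-airdrop.xyz); 'unknown' otherwise."""
    host = (urlsplit(url).hostname or "").rstrip(".")   # hostname drops any user@ prefix
    if host in bookmarks:
        return "trusted", host, host
    folded = host.translate(HOMOGLYPHS)
    for good in bookmarks:
        if edit_distance(folded, good) <= 2 or good in host:
            return "lookalike", host, good
    return "unknown", host, None
```

Treat "unknown" as a stop sign too: it just means the site is not one you saved, not that it is safe.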
ii) Scams
Scams come in many shapes and sizes in crypto.
They’re designed to make you act fast, feel lucky, or think you’re getting alpha (exclusive information on a project).
Scammers love to play on emotions like greed or fear of missing out (FOMO).
One of the most common scams is the fake giveaway. You’ll see posts on social media from fake accounts that look like big crypto influencers or official projects, saying something like, "Send us 1 ETH and we’ll send you back 2 ETH as part of a special event!"
These posts often include fake comments praising the "quick rewards" to make it seem real.

Then there’s the fake NFT mint or fake token launch. Scammers create websites that look exactly like real project sites. They announce a "limited-time mint" or "early token sale" (presale) to pressure you into acting fast.
You connect your wallet, thinking you’re getting in early, but instead, you give them approval to drain your tokens.

Another classic is the fake support scam. Scammers pretend to be customer support or an official representative from an exchange, a wallet service, a project you are invested in, etc.
They might DM you saying, "There’s a problem with your wallet, please share your seed phrase so we can help recover your funds." The moment you share it, they take everything.
This example is of course simplified, as these "agents" can be very convincing and are professional emotional manipulators.

There’s also the pump-and-dump group scam, where someone invites you to a "private alpha group" that promises insider signals on which coins will "moon."
They buy up a low-value coin, get people to buy in after them, then the insiders sell and disappear, leaving everyone else holding worthless bags.

How to avoid it:
Do your own research (DYOR). Always double-check official websites and real social channels.
Be suspicious of anything that sounds too good to be true, because it almost always is.
Never trust direct messages from people you don’t know, even if they look official. Legit support teams and project admins will never DM you first or ask for private info.
iii) Malware
This section includes all the sneaky ways attackers try to infect or take over your device to steal your money.
Many people think malware just means viruses, but it covers a lot more. It can include spyware, clipboard hijackers, screen loggers, and keyloggers.

Malware can hide on your computer or phone and quietly watch everything you do.
One of the most common tricks is clipboard hijacking. When you copy a wallet address to send someone crypto, the malware automatically replaces it with the scammer’s address. If you don’t check carefully before you hit "send," your funds go straight to them, and there is no way to reverse it.
Keyloggers go even further. They record every single keystroke on your keyboard. If you type in your seed phrase, wallet password, or any sensitive information, the attacker sees it. Once they have this, they can take control of your wallet and move your funds without your permission.

How to avoid it:
Keep your operating system, browsers, and apps updated. Updates often include important security patches that fix exploits attackers might use.
Install good antivirus and anti-malware software (like Bitdefender) and run regular scans.
Use a password manager (1Password is a good option) so you don’t have to type out sensitive passwords or phrases. This helps reduce the chance of a keylogger picking them up.
Most importantly, use a hardware wallet whenever possible. Even if your computer is infected, your private keys stay safely on the device, and transactions must be confirmed by physically pressing a button.
Finally, be very careful with what you download and which links you click. Avoid downloading random files or using unknown apps, and never click on suspicious links in crypto groups or emails.
iv) SIM-Swapping
A SIM-swap attack happens when an attacker tricks your phone provider into transferring your phone number to a SIM card they control.
Once they have control of your number, they can intercept your text messages and reset your accounts, especially if you use SMS-based two-factor authentication (2FA).
For example, an attacker might gather bits of your personal information online, such as your birthday or address. They use this to convince the phone company they are you.
Once they gain control, they can intercept verification codes, change your exchange passwords, and quickly drain your funds before you realize what's happening.

How to avoid it:
Use app-based 2FA (like Google Authenticator or Authy) instead of SMS codes whenever possible.
Add a PIN or extra security question to your mobile account with your carrier to make it harder for someone to impersonate you.
Also, avoid sharing too much personal information online, especially on social media, since attackers often use those details to carry out these scams.
v) Social Engineering
Social engineering is when someone targets you directly by playing with your emotions rather than hacking your device.
Instead of using malware or technical tricks, they rely on trust and manipulation.
A scammer might pretend to be a helpful support agent, a community admin (usually on Telegram), or even a friendly trader in a chat group.

They slowly build trust and then claim there's a problem with your wallet, or they offer to help you recover "stuck" funds. At that point, they ask for your seed phrase or push you to approve a risky transaction. Once you give in, they take your crypto and disappear.
Another common one is playing on people's empathy by pretending that their own wallet got drained and then asking for financial help.
How to avoid it:
Always remember that no real support team or admin will ever ask for your seed phrase or private keys. If someone messages you first, assume it’s a scam until you can verify through official channels.
Stay cautious of strangers who reach out privately and try to build a personal connection quickly.
The best defense is to never share sensitive info, no matter how convincing or friendly someone seems.
Real life example:
A recent and shocking example of social engineering is the case of Malone Lam, a Singaporean who was charged in the US in 2024 for stealing and laundering over US$230 million worth of cryptocurrency.

Lam and his co-conspirator, Jeandiel Serrano, specifically targeted a high-net-worth crypto investor in Washington.
They began by sending fake security alerts and account access notifications, making it seem like the victim's accounts were being hacked. This was all part of a carefully planned social engineering setup.
Lam then called the victim while pretending to be a member of Google's security team. He claimed there had been a hack attempt and convinced the victim to share security codes to "secure" his accounts.
After getting into the victim's Gmail and OneDrive accounts, Lam found records of the victim's crypto holdings and private keys.
They didn't stop there. In a follow-up call, they impersonated the security team from Gemini, the crypto exchange the victim used, telling him that his crypto accounts were also compromised.
They tricked the victim into downloading a remote desktop program, giving them real-time access to his computer. While one scammer kept the victim distracted on the phone, the other used the private keys to steal more than 4,100 Bitcoin — worth about US$230 million at the time.

With the stolen funds, Lam went on a massive spending spree. He bought luxury cars, designer watches, and rented extravagant houses in Miami and Los Angeles. Reports say he even spent hundreds of thousands of dollars in nightclubs in a single night, trying to pay in crypto and flashing his sudden wealth.
Lam was eventually arrested in Miami, and Serrano was caught at Los Angeles airport after returning from a luxury holiday.

This case is one of the largest individual crypto thefts ever recorded and is a clear reminder that social engineering can be more dangerous than any technical hack, although this hack included technical elements as well.
Your crypto security is only as strong as the habits you build.
In this article, you've learned the absolute necessity of keeping your seed phrase safe, using two-factor authentication, and being cautious of common threats like phishing and malware.
It's about being proactive, not reactive.
You never think it will be you, and then it is.
By managing your permissions and considering extra security like multi-signature wallets, you can sleep easy knowing your funds are safe.
Keep your wallet secure and stay updated on the newest scams, as scammers always find new ways to try to exploit you.
Feedback is much appreciated. You can fill out this short form or find me on X: @chili_pepper_m
This article is for absolute beginners, so judge the content based on how well you think your parents would understand it.