I occasionally see people in my Twitter timeline getting their wallet drained and losing all their crypto funds. I also personally know a few people who got drained, and I know how devastating it is, especially if there is some serious money in the wallet.
So to help you stay safe out there, I am writing down a few security guidelines here.
Most of them come from the book “Memecoin Millionaire”, with the author’s permission. If you want to get into memecoin trading and understand how cryptocurrencies really work (and I think you should), I can highly recommend that book.
The entire world of cryptocurrencies is risky. If you’re new to this space, this is probably the first thing you’ll hear. But fundamentally, it’s only a problem if you don’t know the risks or ignore them. Warren Buffett once said:
“Risk comes from not knowing what you’re doing.”
And actually, by taking these risks, you might be rewarded big.
More interesting than the pure risk is usually the risk/reward ratio, and, especially now, it is insanely good. But I’ll write more about that in another article.
This article is just about how to be safe out there, and you should really take this topic seriously!
There are hundreds of stories where people lost all their cryptocurrencies to scammers, and I’m sure neither of us wants you to end up in that category.
Let’s start with the basics: a wallet has a public key and a private key (or seed phrase).
Whoever has the private key can do anything with your tokens. There’s a saying that goes, “Not your keys, not your coins,” which is something you should remember.
This also applies to all centralized trading exchanges, Telegram trading bot wallets, or similar services. As soon as someone else can conduct transactions on your behalf, they — or anyone with access to their infrastructure! — can take your tokens.
The same goes for your seed phrase. This phrase allows someone to derive your private key and gain full control over your tokens.
In general, there are three major ways to lose your funds:
Someone else gains access to your private key.
You lose access to your private key.
You give a malicious smart contract an allowance to access your funds. This includes insecure smart contracts that might get hacked.
In all cases, your tokens are gone, and no one can help you!
Protecting Your Private Key and Seed Phrase from Loss and from Malicious Actors
There are various approaches to securing your private key from loss. If you follow these guidelines, you should be safe from losing your keys, and you will make it a lot harder for malicious actors to gain access to them.
I’ll list some ideas, and you’ll need to decide how far you want to go. I’d generally base it on the amount at stake. Once losing access would seriously stress you out, it’s time to increase your security level.
First, you should absolutely avoid storing your key unencrypted in any digital form. Don’t take a photo, don’t store it in the cloud, and never send it through any messenger. No Dropbox, no Google Drive, no Google Docs, no iCloud or whatever — none of these are safe. Even without getting hacked, there are tons of people working for all those companies who have access to the data, and it’s easy for them to run a few search scripts.
For any amount of money you wouldn’t want to lose, I recommend avoiding using your smartphone. Phones get lost more easily, are technically less secure than computers, can tempt you to trade too often, and complicate proper backups.
A common recommendation is to write your private key down on paper. Paper can degrade or be destroyed by fire or water, so it’s not foolproof. But if stored properly and in multiple places, it’s an acceptable approach.
Alternatively, you can buy something called Crypto steel. These are metal chains or plates where you can engrave your private key or string together the letters in the correct order.
Personally, I find this better than paper, but it’s too obvious what it’s for. I’d recommend using any random metal object instead. Even something as simple as a tin can lid and a screwdriver to engrave the letters would work.
Just make sure to store it in a safe place — ideally in multiple locations and different places entirely. A bank safe deposit box or buried in the garden. Just don’t forget where it is!
You should definitely split up your private key. At least into two parts, but depending on your security needs, you might want to break it down further. For example, 0x1234567890 could be split into 0x1–23–45–67–890. Store these fragments separately and in multiple locations.
Beyond the offline approach, you can also store your key digitally. The advantage here is that you can access it from anywhere in the world.
A decent approach is using password managers. There are many options, like LastPass, which allow you to store passwords online. Just remember never to store the entire private key with a single provider, and make sure to store multiple copies of your key fragments.
Another option is to create an encrypted file container and store your keys in a simple text file (.txt file — avoid Word or similar programs that require special formats and versions or might send your data into the cloud). There are free programs like Cryptomator or VeraCrypt for this. Again, I recommend splitting your key and using multiple storage providers. You can then upload the encrypted containers to different cloud providers like Google Drive.
To encrypt your private key you can also use well-established open-source tools like GPG, which are free to use and can be considered safe for now.
The idea behind all of this is to avoid having a single point of failure. If one or even two providers fail, you’ll still have access and can recover your data.
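As an added example (not from the article or the book), here is the key split from above done so that losing one storage location does not lose the key: a k-of-n split using Shamir’s scheme over GF(2^8), which goes beyond the simple cut shown with 0x1234567890, where every fragment is needed and each fragment reveals part of the key. The fragment label format and the 4-character checksum (so a typo when reading engraved metal is detected) are my own conventions.

```python
import hashlib
import secrets

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p
def _gf_inv(a: int) -> int:
    r = 1  # a^254 == a^-1 for non-zero a, since the multiplicative group has order 255
    for _ in range(254):
        r = _gf_mul(r, a)
    return r
def split_key(key_hex: str, k: int, n: int) -> list[str]:
    """Split a hex key into n fragments 'k-index-sharehex-check' (check = first 4 hex
    chars of SHA-256 over the share, to catch transcription errors); any k recover it."""
    if not 1 < k <= n < 256:
        raise ValueError("need 1 < k <= n < 256")
    shares = [bytearray() for _ in range(n)]
    for byte in bytes.fromhex(key_hex.removeprefix("0x")):
        # Random polynomial of degree k-1 whose constant term is the secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for idx, buf in enumerate(shares):
            x, y = idx + 1, 0
            for c in reversed(coeffs):  # Horner evaluation at x = idx + 1
                y = _gf_mul(y, x) ^ c
            buf.append(y)
    return [f"{k}-{i + 1}-{s.hex()}-{hashlib.sha256(s).hexdigest()[:4]}"
            for i, s in enumerate(shares)]
def fragment_ok(fragment: str) -> bool:
    """Verify one fragment's checksum, e.g. after reading it off engraved metal."""
    _, _, share_hex, check = fragment.split("-")
    return hashlib.sha256(bytes.fromhex(share_hex)).hexdigest()[:4] == check
def recover_key(fragments: list[str]) -> str:
    """Recombine fragments by Lagrange interpolation at x = 0 over GF(2^8)."""
    if not all(fragment_ok(f) for f in fragments):
        raise ValueError("checksum failed: re-read the fragments before combining")
    k = int(fragments[0].split("-")[0])
    points = [(int(f.split("-")[1]), bytes.fromhex(f.split("-")[2])) for f in fragments]
    if len(points) < k or len({x for x, _ in points}) != len(points):
        raise ValueError(f"need {k} distinct fragments, got {len(points)}")
    out = bytearray()
    for i in range(len(points[0][1])):
        acc = 0
        for xj, yj in points:
            num = den = 1
            for xm, _ in points:
                if xm != xj:  # Lagrange basis at 0: prod x_m / (x_j ^ x_m)
                    num = _gf_mul(num, xm)
                    den = _gf_mul(den, xj ^ xm)
            acc ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return "0x" + out.hex()
```

With a 2-of-3 split you can lose any one location (or have one fragment stolen without it revealing anything) and still recover the key from the other two.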
Again, to avoid a single point of failure, I would recommend splitting up bigger wallets into multiple smaller ones. You can also then use different approaches to secure them and again not rely on a single method.
So maybe two long-term holding wallets secured with a hardware wallet, and a smaller one for daily trades. The private keys would be backed up separately and secured by different methods.
I think this should be enough for starting out. I know it may sound extreme to some, especially if you’ve never thought about these topics before. But it only takes 15–30 minutes, and it can save you a lot of headaches later.
There are horror stories of people searching landfills for years to recover a hard drive with Bitcoin on it. Even years later, some of these cryptocurrencies can suddenly become extremely valuable.
So, take the extra time now, secure your private key properly and save yourself the trouble later.
Connections to Websites, Token Allowances, Staking, DeFi
When you visit various crypto websites, you’ll eventually come across a “Connect Wallet” button.
When you connect your wallet to a website, you allow that site to see your public address, including all balances, and propose transactions for you to approve.
There’s generally no risk at this stage. But it’s still a good idea not to do this unnecessarily with unknown websites, as they could propose malicious transactions.
The real risk comes when you need to confirm a transaction of any kind.
Usually, phishing and scam websites suggest some kind of malicious transaction that gives them access to your funds. I could go into more technical details here, but to keep it simple, my general recommendation is to just not do it. That is actually also the only way right now to stay safe.
You should not connect your wallet to any websites and should not confirm any transactions. You should not do any staking (where you lock your tokens into a Smart Contract for a period of time) or send your tokens anywhere.
The only thing most beginners should do is trade on official, well-known decentralized exchanges like Uniswap or Raydium, and always use proper allowance limits (approve only the amount you are about to trade rather than an unlimited allowance). You should also avoid most bridges and other complex smart contracts. It is usually better to use a CEX to make cross-chain transfers.
If you follow this simple rule, you’ll already be much safer.
I also recommend avoiding all DeFi protocols for now, besides the major DEXes like Uniswap. This might sound extreme, but usually you get a few percent yield in exchange for extremely high smart contract risk. It is just not worth it. Even though I consider myself a fairly advanced user, I recently lost some funds when radiant.capital was hacked. This single loss basically erased all my DeFi gains from the previous years. And while I am starving now, at least it inspired me to write this article for you ;)
Crypto is the fastest growing asset class in history, so don’t be greedy and risk your gains for a few percent yield. All this technology is far too new to be really secure yet.
If you want to farm airdrops, test and learn things or just play around with new technologies, that’s absolutely great. Just create a separate wallet for it and deposit minimal amounts.
Make sure you don’t give permissions to dubious websites, and regularly use tools like revoke.cash to remove all permissions. But again, never do any of this with your investment wallets, where you hold the majority of your funds!
Should you use a Hardware Wallet to protect your funds?
You’ll often see recommendations to use a Ledger, Trezor, or other hardware wallet. These protect your private key from being extracted. So if your computer is infected with malware (viruses, trojans, etc.), it won’t be able to access your key. In theory this increases your security, and it might make sense, especially considering that modern browser wallets, for example, are also quite complex software with many dependencies and risks.
On the other hand, hardware wallets can make trading more cumbersome, and one issue I see is that they’re sometimes a “black box.” One of the largest providers has already had a significant customer data breach. There have also been questionable software updates, with little known about how they function.
So, whether you should use a hardware wallet isn’t such a clear decision. I generally only trust open-source solutions that have been established for several years. So I tend to use a secure computing environment and maybe add a Trezor wallet to it for long-term storage.
If you use a hardware wallet, you should be aware of the limitations of the protection it offers. In practice, the most common attack is phishing. You’ll get a suspicious link to a website and confirm a transaction. In this case, a hardware wallet won’t protect you!
Another scenario is that your computer is already infected with some malware. So when you visit a website like Uniswap, the malware just replaces the transaction in the background and waits for you to sign it with your hardware wallet. And who really checks the calldata of a suggested transaction from a seemingly secure site? So again, your funds would be gone, and a hardware wallet can’t protect you in this case.
That’s why I think that with a good security setup based on open-source software (maybe Linux) and full disk encryption, and if you follow the fundamental security rules below, you’ll be secure enough for now, even without a hardware wallet.
If you really plan to invest bigger amounts, you might still consider using an open-source hardware wallet.
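The “check the calldata” step from the hardware-wallet scenario above, together with the “proper allowance limits” rule from the exchange section, as an added example that is not from the article: a small Python decoder for the common ERC-20/ERC-721 calldata patterns that flags an unlimited approve, a spender or recipient other than the one you intended, and a selector it cannot read. The addresses and calldata are constructed placeholders, not real contracts.

```python
UNLIMITED = (1 << 256) - 1

# Well-known 4-byte selectors: the first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}

def decode_calldata(calldata: str) -> tuple[str, list]:
    """Split 0x-prefixed calldata into a function name and its decoded arguments."""
    raw = bytes.fromhex(calldata.removeprefix("0x"))
    if raw[:4].hex() not in SELECTORS:
        return "unknown", []
    name, types = SELECTORS[raw[:4].hex()]
    args = []
    for i, typ in enumerate(types):
        word = raw[4 + 32 * i:4 + 32 * (i + 1)]  # ABI-encoded args are 32-byte words
        if len(word) != 32:
            raise ValueError("calldata shorter than the declared arguments")
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address sits in the low 20 bytes
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        else:
            args.append(word[-1] != 0)
    return name, args

def review_transaction(calldata: str, expected: str, max_amount: int) -> list[str]:
    """Warnings a careful user should read before signing; 'expected' is the
    spender (for approve) or recipient (for transfers) you actually intended."""
    name, args = decode_calldata(calldata)
    warnings = []
    if name == "unknown":
        return ["unknown function selector: never sign what you cannot read"]
    if name == "approve":
        spender, amount = args
        if spender.lower() != expected.lower():
            warnings.append(f"spender {spender} is not the expected {expected}")
        if amount == UNLIMITED:
            warnings.append("unlimited allowance requested: cap it to the trade size")
        elif amount > max_amount:
            warnings.append(f"allowance {amount} exceeds the intended {max_amount}")
    elif name == "setApprovalForAll" and args[1]:
        warnings.append(f"{args[0]} would get control over every NFT in the collection")
    elif name in ("transfer", "transferFrom"):
        recipient = args[0] if name == "transfer" else args[1]
        if recipient.lower() != expected.lower():
            warnings.append(f"tokens would go to {recipient}, not to {expected}")
    return warnings

# Constructed samples (placeholder addresses, not real ones): an unlimited approve,
# which is what a drainer frontend typically asks for, next to a capped one.
SPENDER = "0x" + "ab" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
CAPPED_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + (10**18).to_bytes(32, "big").hex()
```

The same fields (function, spender or recipient, amount) are what a hardware wallet shows on its screen, so comparing them against what you intended is the check that catches a swapped transaction.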
Multisig Wallets
Another option to improve the security of your wallet is to use so-called multisig wallets. Usually they are used for managing the funds of protocols or teams, where multiple people need to be able to sign transactions. But I think even for single users they can be an interesting choice to improve security, especially if you manage some serious money.
The basic idea is that these wallets are not externally owned accounts but smart contracts. Some blockchains like TON have such smart wallets by default, and I think with the account abstraction proposal ERC-4337 we will eventually also see this much more on EVM-based chains.
By using a smart contract wallet, you can, for example, add additional rules to the wallet. Instead of requiring only one private key to sign a transaction, multisig wallets require multiple signatures. So if you have 3 private keys, at least 2 of the 3 need to sign before funds can be transferred. You can also customize the limits and add various access rules or more keys.
This makes attacks significantly harder, provided you take care to store and manage the keys separately.
If you’re interested in this, check out Gnosis Safe wallet. ( https://app.safe.global/welcome )
Important Security Rules
To end this article, I’ll just give you some more general security rules which you should always follow. Most of them apply not just to cryptocurrencies, but to keeping your computer secure in general.
Read them often, write them down, print them out, and internalize them:
Elon Musk isn’t going to send you Bitcoin, Ethereum, or Dogecoin. Never. He launches rockets but definitely no crypto tokens.
If something sounds too good to be true — stay away. There are no guaranteed returns — nowhere in the financial market. No one acts without self-interest, and no one will double your money.
If someone contacts you out of the blue about cryptocurrencies, ignore the message — whether it’s on Telegram, Discord, or email. Especially if you’re in Telegram or Discord groups about crypto, you’ll often attract Nigerian princes or attractive women. Ignore these requests entirely. Yes, even the attractive women who are most likely Nigerian princes anyway ;) You can usually adjust your privacy settings to block unwanted messages.
Avoid clicking on links to crypto sites — always! Some wallets like Rabby already have safety features that warn you about unfamiliar new sites. Make a list of the most important URLs for exchanges, block explorers, and other tools. Save them as bookmarks and only access the sites through those. If you want to research a new website, always double-check the URL: check one of the official channels like Twitter or the project website and verify the URL again. You can also use sites like CoinGecko or Dexscreener, which often list official information about most tokens.
If a site you used before, like Uniswap, asks for additional permissions, do not immediately grant them again. One of the big weaknesses of all this Web3 stuff is that a frontend might be compromised by attackers. If you see any suspicious activity or failed transactions, always pause for a moment, check the official news channels or, if in doubt, wait a while to understand what’s going on. If you want to dive deeper into such issues and prevent them, you can double-check the smart contract addresses and when they were deployed, but for most users simply doing nothing is usually the easiest way.
Take your time. Never rush any click in crypto! Never! Most users lose their funds out of FOMO or greed. Both can be avoided.
Learn a bit about computer security — it’s often the same rules. Don’t click on suspicious links, avoid shady websites, and keep your computer updated regularly.
I generally recommend using a dedicated computer or at least a virtual machine that you only use for crypto-related activities. This way, you can still explore the sketchy corners of the internet on your regular account.
DO NOT install antivirus software — it’s nonsense. Keep your computer updated, use Linux or other open-source solutions, and don’t install strange programs, and you’ll be in good shape.
Install an ad blocker — it’ll block dangerous ads and, depending on your settings, also block JavaScript code on websites.
Be cautious with Google links, or ads in general, as scammers often run ads that appear at the top of the search page. I recommend using DuckDuckGo as your search engine, blocking all ads, and only accessing sites via their known URLs.
Don’t connect to random websites or confirm transactions outside the major exchanges like Uniswap.
Always double-check the Smart Contract address before buying a token.
What Should You Do If Your Wallet Got Hacked / Drained?
The truth is, your funds are very likely gone. There is usually no way to recover them. I know it hurts, but that’s why it’s so important to follow the above security rules.
Hint: If it was serious money, you might still want to check for some security experts to get a second opinion on your case.
But when it’s already too late, you should first make sure that you understand what happened, to prevent future losses. That’s all you can do for now.
To do so, you should check all the connections and transactions you made. Go to the block explorer of the chain, look at all the contract addresses that have an allowance on your wallet, and go through each transaction to see if you made a mistake.
Wallets like Phantom or Rabby can usually also show you a list of all connected websites, and tools like revoke.cash show you the permissions you gave to various contracts.
If you find the reason (a suspicious transaction) and you remember that you made it, the only thing you can do now is set up a new wallet and make sure you follow the above rules next time.
Hint: Never reuse a Wallet which was hacked! The attacker still might have access and there might be so-called drainer contracts, which steal any funds you send to this wallet immediately.
The situation is actually worse if you don’t find anything suspicious or did not make any transaction.
In this case, someone got your private key.
If you stored it unencrypted on your computer, took pictures, stored it in the cloud or made any other mistake like this, that is likely the reason. In that case, again, create a new wallet and learn from your mistake.
The problem here is that sometimes you don’t even know what you send to the cloud. If you use Google Docs or Notion it’s easy and obvious. But seemingly local tools like Word also send user data, various integrated AI agent tools work by sending data to the cloud, and sometimes it’s even a crash report or something similar. That’s why I recommend using only simple plain text files and a safe environment.
The situation is really bad if you did nothing like this and your private key never left your computer.
Then you might have some malware on your computer spying on you. This usually happens through phishing emails and installing random software, but there are also more sophisticated attacks. Sometimes you have a random Windows problem, find a link to a driver website on Reddit, and this driver infects your computer and steals your crypto. There are many more sophisticated variants of these phishing attacks than the plain old emails. Fake Zoom links were quite popular recently.
So if you did nothing obviously wrong and cannot find out how your key was leaked, I recommend completely reinstalling your computer and operating system before you do anything crypto-related again.
This again might sound a bit drastic, but there is no way to “fix” a computer once it is infected with malware, except wiping everything and starting from scratch.
The End
This is it for now. I hope it helps. If you have any questions, write me a DM on Twitter here ( https://x.com/crjameson_ ) or let me know in the comments.
I hope you all stay safe out there.