How to keep your crypto safe
The beginner’s guide
One of the greatest appeals of cryptocurrency when compared to traditional government-issued currencies, such as the U.S. dollar, is the self-sovereignty holders have over their digital assets.
Instead of relying on financial institutions to custody and manage the transfer of value and settlement of transactions, cryptocurrency, by design, can only be accessed by the owner(s) of the digital wallet it’s stored in.
This means cryptocurrency cannot be censored, ceased or frozen by a centralized authority or bad actor – provided it’s custodied properly.
It also means that crypto holders must shoulder the burden of securing and protecting their wealth alone; something that’s not easy when theft and accidental loss are commonplace in the industry.
While buying cryptocurrency is becoming increasingly easier to do, knowing how to properly keep crypto assets safe remains a much more difficult task – particularly for non tech-savvy individuals.
How to store crypto safely
Since all cryptocurrency tokens are purely digital assets, there are no physical coins to stash in bank vaults or safety deposit boxes.
Instead, access to any cryptocurrency you own is stored in digital wallets. These are usually software applications or physical devices akin to USB drives that are used to secure information regarding a user's funds.
How crypto wallets work
Before outlining the different types of wallets available to store cryptoassets and their pros and cons, it’s important to first understand how cryptocurrencies are actually secured.
When a crypto wallet is generated, two mathematically-linked digital codes are created:
- A public key
- A private key
These two keys are used to prove ownership over assets held in a corresponding crypto wallet when sending those assets to other people.
The public key is run through a cryptographic hashing algorithm to generate a public wallet address. This turns the public key into a fixed-length alphanumeric code that is made available for anyone to see and can be used to receive inbound transactions in the same way a home address can be freely shared to receive inbound packages.
If you are interested in learning more about these concepts, you can check out our article How do cryptocurrencies use cryptography?
A private key is the part that proves ownership of the funds and should never be shared with anyone, wihile the public key is ok to share. If the public key is like a home address, the private key should be thought of as a front door key. Only a homeowner should have access to their front door key, otherwise anyone could enter their home and steal the items inside.
This means that if a crypto wallet owner loses or forgets their private key, they can permanently lose access to their funds.
In the event the device where a crypto wallet is downloaded is lost, stolen or damaged, a backup code, usually referred to as a “seed phrase,” can be used to recover it onto a new device. Seed phrases must be generated before devices are compromised, and stored offline somewhere safe (more on that below).
Much like a private key, if another party manages to get hold of your seed phrase, they can duplicate your wallet onto any other device and drain your funds.
Cryptocurrency security threats
Purchasing cryptocurrency and storing it in a wallet doesn’t necessarily mean your assets are completely safe. The lucrative, unregulated nature of cryptocurrencies makes them a lightning rod for hackers and scammers.
Oftentimes, the threats posed by cybercriminals can be easily avoided as long as a few simple steps are followed.
Educating yourself about the telltale signs of common scams is one of the most effective ways to combat crypto-based fraud.
A majority of scams that exist within the industry follow one of three classic setups:
- Crypto giveaways: This type of scam is prolific on popular platforms such as Twitter and Youtube. They typically involve fake profiles leveraging the image of a famous, influential person and claim to automatically double any crypto deposited into a stated wallet address. The reality is, the funds deposited into the wallet are taken and no assets are sent back.
Additional fake profile accounts are set up pretending to be people who have “successfully” had their assets doubled by the scheme, adding an air of credibility to the scam.
- Phishing emails: Data leaks are nothing new in the digital age, and over the years there have been several high profile data leaks from crypto-based companies. Ledger, OpenSea and Celsius Network to name a few have all experienced breaches resulting in their customers’ personal data being made accessible to third-parties.
Once data such as email addresses are leaked, affected users often begin receiving flurries of messages from seemingly official sources asking them to resubmit sensitive information or provide their login details. In some cases, malicious links are included which infect the host’s device with malware that targets crypto wallets.
- Ponzi schemes: The volatile nature of cryptocurrencies has made them attractive investment vehicles for traders looking for “get rich quick” opportunities. Tapping into this speculation, a long list of ponzi schemes have emerged offering extremely high rates of return for little to no effort on the investor’s part.
While some platforms are easily distinguished as outright scams, others have gone to extreme lengths to create professional looking platforms that appear legitimate to the untrained eye.
A simple checklist should be a part of everyone’s due diligence before making any investment – crypto-related or otherwise. This checklist should include things like checking if the platform’s team can be easily identified? Are Linkedin or other social media channels made available? Is the platform’s mechanism for generating high returns expressly outlined on the website? Is it possible to withdraw money from the platform?
Bitconnect, a former top ten cryptocurrency, is a renowned example of a crypto-based Ponzi scheme that duped thousands of crypto investors between 2016 and 2018, stealing over $2 billion worth of assets. Despite a convincing website and team of public facing promoters, its core team was never identified, nor was its ‘automated trading bot’ used for generating profits as described.
Crypto security best practices
To safeguard your assets and ensure you don’t fall foul to common crypto-based scams, there are a number of steps you should familiarize yourself with.
Never keep digital copies of private keys/seed phrases
As mentioned above, private keys and seed phrases are vitally important pieces of information for accessing and recovering a person’s crypto wallet.
When making copies of this sensitive data, it’s imperative that users manually write the codes down on paper or make use of several metal plate products available for recording crypto keys. These can then be secured in a fireproof or waterproof safe that’s bolted to the floor for maximum protection.
Taking a screenshot, sending phrases or keys to yourself in an email or texting them to a trusted person are common ways people make it easy for cybercriminals to access sensitive crypto information.
Minimize crypto held on exchanges and DeFi platforms
For active traders and DeFi users, cryptoassets will most likely need to be deposited on to an exchange or put to work in a DeFi protocol such as a liquidity pool at some point.
Assets held on centralized exchanges often sit in online crypto wallets controlled by the underlying platform. This isolates huge amounts of crypto funds in a single place, making them a hot target for hackers.
Billions of dollars have been stolen from exchange-based hacks due to poor security measures surrounding these online wallets. Kraken remains one of the very few leading regulated exchanges that has never been breached. Nevertheless, it’s recommended that users never hold all their funds on any single crypto exchange.
With DeFi protocols, a user’s assets are held in smart contracts written and deployed by a protocol’s development team. In many instances, smart contracts have been found to contain exploitable loopholes which permit hackers to manipulate them. There have even been cases where fraudulent backdoors have allowed a protocol’s team to make off with users’ funds.
Much like with exchanges, it’s advisable that DeFi users should only hold a percentage of their digital wealth in any given DeFi protocol to mitigate the risk of fraud or theft.
Enable two-factor authentication
To add an additional layer of security to your email and crypto accounts, two factor authentication (2FA) is advisable.
2FA is available through Google Authenticator and several other similarly available apps. These apps provide passcodes that self-destruct and renew every 10 seconds or so. Specific codes are linked to each of your accounts and make it increasingly difficult for a hacker to access them.
Like the seed phrases used with crypto wallets, backup codes for these apps can be generated to recover master accounts onto new devices.
Avoid disclosing crypto holdings
Whether you’re actively involved in online forums or speaking to friends in a public setting, it’s recommended crypto holders never disclose their holdings to anyone.
Telling people you own an amount of crypto can make you a target for criminals. Even a number of high profile Youtube crypto influencers have been targeted by criminals and had their assets siphoned after leaking information regarding their holdings.
In more extreme examples, individuals have been take hostage and forced to hand over their crypto assets after criminals learned about their holdings.
Types of crypto wallet
All of the hundreds of various crypto wallets available on the market today can be broadly categorized into two distinct types,
- Hot wallets.
- Cold wallets.
Crypto wallets belonging to this category are those that are permanently connected to the internet; think of browser-based crypto wallets like MetaMask or Coinbase Wallet or software wallets like Exodus.
By virtue of always being connected to the internet, hot wallets have the advantage of allowing users to view balances and send and receive transactions quickly – often in one click.
However, this convenience comes with an inherent security problem.
Hot wallet private keys are usually stored online or on the device where the software is installed. This makes them vulnerable to cyber attacks, especially if the end user hasn’t taken the proper precautions to safeguard their sensitive wallet information.
Sophisticated phishing emails and other types of scams have emerged over the years geared toward accessing a user’s private keys, including infecting devices with targeted malware or creating fake websites masquerading as official platforms.
Cold wallets are the total opposite of hot wallets. Instead of being permanently online, cold wallets represent physical devices that are only connected to the internet when manually inserted into a computer.
For the most part, cold wallets remain completely disconnected from any internet source, meaning criminals would need to physically be in possession of the cold wallet device before they can attempt to access the funds inside.
While this makes them significantly more secure than hot wallets, the downside is they involve a lot more friction when making transfers.
Leading manufacturers of cold wallets include Ledger and Trezor.
As a general rule, cold wallets should only be purchased directly from an official manufacturer, as tampered devices exist on the secondary market that have led to loss of funds when used.
Kraken's crypto guides
- What is 0x? (ZRX)
- What is 1inch? (1INCH)
- What is Aave? (AAVE)
- What Is Aavegotchi? (GHST)
- What is Acala? (ACA)
- What is Akash? (AKT)
- What is Akropolis? (AKRO)
- What is Algorand? (ALGO)
- What is Ampleforth? (AMPL)
- What is Ankr? (ANKR)
- What is Aragon? (ANT)
- What is Arweave? (AR)
- What is Audius? (AUDIO)
- What is Augur? (REP)
- What is Avalanche? (AVAX)
- What is Axie Infinity? (AXS)
- What is Badger DAO (BADGER)?
- What is Balancer? (BAL)
- What is Bancor? (BNT)
- What is Band Protocol? (BAND)
- What is Basic Attention Token? (BAT)
- What is Bifrost? (BNC)
- What is BitTorrent? (BTT)
- What is Bitcoin? (BTC)
- What is Taproot?
- What is the Bitcoin white paper?
- What is Bitcoin Cash? (BCH)
- What is Reddit's BRICK token?
- What is Cardano? (ADA)
- What is Cartesi? (CTSI)
- What is Celo? (CELO)
- What is Celsius? (CEL)
- What is Centrifuge? (CFG)
- What is Chainlink? (LINK)
- What is Chiliz? (CHZ)
- What is Compound? (COMP)
- What Is Convex? (CVX)
- What is Cosmos? (ATOM)
- What is Covalent? (CQT)
- What is Curve? (CRV)
- What is Dai? (DAI)
- What is Dash? (DASH)
- What is Decentraland? (MANA)
- What is Decred? (DCR)
- What is DigiByte? (DGB)
- What is district0x? (DNT)
- What is Dogecoin? (DOGE)
- What is EOSIO? (EOS)
- What is Elrond? (EGLD)
- What is Energy Web Token? (EWT)
- What is Enjin? (ENJ)
- What is Enzyme Finance? (MLN)
- What is Ethereum? (ETH)
- What is Ethereum Classic? (ETC)
- What is Ethereum Name Service? (ENS)
- What is Fantom? (FTM)
- What is Filecoin? (FIL)
- What is Flow? (FLOW)
- What is Gala Games? (GALA)
- What is Genshiro? (GENS)
- What Is GensoKishi Metaverse? (MV token)
- What is Gnosis? (GNO)
- What is Golem? (GNT)
- What is Handshake? (HNS)
- What is Hedera Hashgraph? (HBAR)
- What is Icon? (ICX)
- What is Injective? (INJ)
- What is Internet Computer Protocol? (ICP)
- What is Karura? (KAR)
- What is Kava? (KAVA)
- What is Keep Network? (KEEP)
- What is Kintsugi? (KINT)
- What is Kusama? (KSM)
- What is Kyber Network? (KNC)
- What is Lisk? (LSK)
- What is Litecoin? (LTC)
- What Is Livepeer? (LPT)
- What is Loopring? (LRC)
- What is MakerDAO? (MKR)
- What is Mina Protocol? (MINA)
- What is Mirror Protocol (MIR)?
- What is Monero? (XMR)
- What is Reddit's MOON token?
- What is Moonriver? (MOVR)
- What is Nano? (NANO)
- What is NEAR Protocol? (NEAR)
- What is Neo? (NEO)
- What is NuCypher? (NU)
- What is Numeraire? (NMR)
- What is OMG Network? (OMG)
- What is Ocean Protocol? (OCEAN)
- What is Orca? (ORCA)
- What is Orchid? (OXT)
- What is Origin? (OGN)
- What is Oxygen (OXY)?
- What is Paxos Gold? (PAXG)
- What is Perpetual Protocol? (PERP)
- What is Phala Network? (PHA)
- What is Polkadot? (DOT)
- What is Polygon? (MATIC)
- What is Qtum? (QTUM)
- What is Quant? (QNT)
- What is RMRK? (RMRK)
- What is Rarible? (RARI)
- What is Ravencoin? (RVN)
- What is Raydium? (RAY)
- What is Ren? (REN)
- What is Revain? (REV)
- What is Ripple? (XRP)
- What is Secret Network? (SCRT)
- What is Serum? (SRM)
- What is Shiden? (SDN)
- What is Siacoin? (SC)
- What is Solana? (SOL)
- What is Songbird? (SGB)
- What is Star Atlas? (ATLAS)
- What is Stellar? (XLM)
- What is Storj? (STORJ)
- What is SushiSwap? (SUSHI)
- What is Swipe? (SXP)
- What is Synthetix? (SNX)
- What is THORChain? (RUNE)
- What is Tether? (USDT)
- What is Tezos? (XTZ)
- What is The Graph? (GRT)
- What is The Sandbox? (SAND)
- What is Theta? (THETA)
- What is Tron? (TRX)
- What is USD Coin? (USDC)
- What is Uniswap? (UNI)
- What is VeChain? (VET)
- What is Waves? (WAVES)
- What is Woo Network? (WOO)
- What is Wrapped Bitcoin? (wBTC)
- What is Yam Protocol? (YAM)
- What is Zcash? (ZEC)
- What is Zilliqa? (ZIL)
- What is tBTC?
- What is yearn.finance? (YFI)