Keeping Your Crypto Safe
Understand how crypto gets stolen and what you can do to protect yourself.
The Golden Rule: Not Your Keys, Not Your Coins
This is the most important phrase in all of crypto: "Not your keys, not your coins."
If your crypto sits on an exchange — Binance, Coinbase, Kraken, or any other — you don't actually own it. You own a claim on their balance sheet. The exchange holds the real private keys.
In November 2022, FTX, then one of the world's largest exchanges, collapsed within days. Millions of users had billions of dollars of crypto on the platform, and all of it was frozen in the bankruptcy. Users who held their own keys were unaffected. Users who had trusted the exchange became unsecured creditors, waited years for a settlement, and the plan that eventually repaid them did so in dollars at November 2022 prices rather than in the coins they had deposited.
Self-custody means you hold your own private keys — on a hardware wallet you control. It's more responsibility: there is no password reset, and a lost or leaked seed phrase is a lost wallet, so back the phrase up offline and never store it digitally. But it's also the only way to truly own your crypto. The whole point of Bitcoin was to remove the need to trust a third party. Use that.
How Crypto Gets Stolen
Understanding how attacks work is the first step to avoiding them. Here are the most common ways people lose their crypto:
Phishing emails and fake websites: You receive an email that looks like it's from Coinbase, Ledger, or MetaMask. The link takes you to a near-identical fake site that captures your login or seed phrase. Always type exchange URLs manually or use bookmarks.
SIM swapping: A hacker tricks your mobile carrier into transferring your phone number to their SIM. They then receive your SMS 2FA codes and password-reset texts and take over your accounts. Never use SMS as your 2FA method for crypto accounts, and ask your carrier to put a port-out PIN or number lock on your account.
Malicious browser extensions: A browser extension that seems useful (price tracker, wallet connector) secretly monitors your clipboard or rewrites the wallet transactions you see. A "verified" badge or a large user base is weak protection, since popular extensions have been sold to new owners or had malicious updates pushed to existing users. Keep extensions to a bare minimum, and do anything involving funds in a separate browser profile with nothing installed beyond your wallet.
Social engineering: Someone poses as "support" in Discord or Telegram DMs. They gain your trust and eventually ask for your seed phrase to "verify" your wallet. No legitimate service will ever ask for your seed phrase.
Protecting Your Accounts
Basic account security stops the majority of attacks. Most people skip these steps — don't be most people.
Use a unique password for every account. If you reuse passwords and one site is breached, attackers try that same password everywhere. Use a password manager (Bitwarden, 1Password) to generate and store strong, unique passwords.
Enable 2FA everywhere — but use an app, not SMS. SMS 2FA can be defeated by SIM swapping. Use an authenticator app (Google Authenticator, Authy) instead: it derives each code from a secret stored on your device and the current time, nothing is sent over the phone network, and hijacking your number yields nothing. An app code can still be phished, because a fake login page can relay whatever you type to the real site within the 30-second window, so it does not replace URL hygiene. Where the exchange supports it, a hardware security key (FIDO2/WebAuthn) closes that gap as well: the browser only releases the credential to the exact site it was registered with, so a look-alike domain gets nothing.
Use a separate email address for crypto accounts. If your main email is compromised, your crypto accounts stay protected. Create a dedicated email, used for nothing else, just for exchange accounts and wallet-related services, and lock that mailbox down with its own strong password and app-based 2FA, since every password reset flows through it.
Safe Trading Habits
Most hacks don't exploit technical vulnerabilities — they exploit human habits. Build these habits and you eliminate most of your risk.
Bookmark your exchanges. Never navigate to an exchange by clicking a link in an email, ad, or search result. Bookmark the official URL directly in your browser and always use that.
Never click links in DMs. If someone messages you on Discord, Telegram, or Twitter with a "special opportunity" or "urgent alert" — ignore it. Legitimate projects and exchanges don't cold-DM users with links.
Verify contract addresses before any transaction. When interacting with DeFi protocols, always verify the smart contract address through the official project website — not through a link someone shared. Fake tokens with similar names are a common scam.
Double-check wallet addresses when sending. Some malware replaces the wallet address on your clipboard with the attacker's address between copy and paste. Checking only the first and last 4-6 characters is no longer enough: attackers generate look-alike addresses that match a real one on exactly those characters and plant them in your transaction history with tiny "dust" transfers (address poisoning), hoping you copy the wrong entry next time. Compare the whole address against a saved address-book entry or the recipient's own confirmation, never against your recent transactions, and confirm the address on your hardware wallet's screen before approving.
What to Do If You Get Hacked
If you suspect your wallet or account has been compromised, speed matters. Every second counts.
Step 1 — Move remaining funds immediately. Create a brand new wallet on a device you trust, never one that has held the compromised seed phrase. Transfer everything from the compromised wallet to the new one, highest-value assets first. Assume the attacker is watching: a leaked seed phrase usually means an automated bot is monitoring the address, and any coins you send in to cover transaction fees are likely to be swept as well.
Step 2 — Revoke token approvals. In DeFi, you may have given smart contracts permission to spend your tokens, and a wallet-drainer site's whole trick is to get you to sign one of those approvals. An approval stays live until you cancel it, so an attacker can keep pulling any tokens that land in the wallet even after you think the attack is over. Use a tool such as revoke.cash to list and revoke every active approval on the compromised wallet; each revocation is a transaction sent from that wallet, so it costs gas. This step is what stops a drainer that holds an approval but not your key. If the seed phrase itself leaked, the attacker controls the wallet outright and can grant themselves new approvals at will, so Step 1 is what matters and the old wallet must never be used again.
Step 3 — Secure your email and related accounts. Change your email password immediately. Enable 2FA with an authenticator app. Check if any forwarding rules were added to your email (a common attacker tactic).
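Steps 1 and 2 above both rest on how ERC-20 approvals work. The following is an added example written for this page, a toy model of the standard's approve/transferFrom rules, not a real contract or any library's API; the account names are constructed labels. It shows a drainer approval continuing to pull tokens that arrive later, a revocation (an approve of 0) stopping it, and a fresh wallet being out of reach because allowances are recorded per owner. It models the case where the attacker holds an approval but not your key; with a leaked seed phrase there is nothing to revoke and only moving the funds helps.

```python
"""Added example (not from the course): a toy model of ERC-20 approve /
transferFrom semantics, enough to show why a leftover approval keeps draining,
what revoking (approve to 0) achieves, and why a fresh wallet is out of the
attacker's reach. Not a real contract; account names are constructed."""
MAX_UINT256 = 2 ** 256 - 1   # "unlimited" approval, what most drainer sites ask you to sign

VICTIM, NEW_WALLET, FRIEND, DRAINER, ATTACKER = "victim", "new-wallet", "friend", "drainer", "attacker"


class Token:
    """Balances and allowances of one ERC-20 token, following the standard's rules."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowance = {}            # (owner, spender) -> amount the spender may move

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowance[(owner, spender)] = amount

    def transfer(self, sender: str, to: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        """The spender moves the owner's tokens, up to the approved amount."""
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        if allowed != MAX_UINT256:     # many tokens leave an unlimited approval undecremented
            self.allowance[(owner, caller)] = allowed - amount
        self.transfer(owner, to, amount)


def active_approvals(token: Token, owner: str) -> dict:
    """What a revocation tool lists for an address: every spender with a non-zero allowance."""
    return {s: amt for (o, s), amt in token.allowance.items() if o == owner and amt > 0}


def revoke_all(token: Token, owner: str) -> int:
    """Each revocation is approve(spender, 0) sent by the owner, i.e. one paid transaction each."""
    spenders = list(active_approvals(token, owner))
    for spender in spenders:
        token.approve(owner, spender, 0)
    return len(spenders)


def run_scenario() -> dict:
    t = Token({VICTIM: 1000, FRIEND: 200})
    t.approve(VICTIM, DRAINER, MAX_UINT256)          # the signature the phishing site asked for
    t.transfer_from(DRAINER, VICTIM, ATTACKER, 600)  # first drain

    t.transfer(FRIEND, VICTIM, 200)                   # victim assumes it is over and receives funds
    t.transfer_from(DRAINER, VICTIM, ATTACKER, 200)  # approval still live: drained again

    revoked = revoke_all(t, VICTIM)                   # Step 2
    try:
        t.transfer_from(DRAINER, VICTIM, ATTACKER, 1)
        blocked_after_revoke = False
    except PermissionError:
        blocked_after_revoke = True

    t.transfer(VICTIM, NEW_WALLET, t.balances[VICTIM])  # Step 1: move what is left
    try:
        t.transfer_from(DRAINER, NEW_WALLET, ATTACKER, 1)
        blocked_on_new = False
    except PermissionError:
        blocked_on_new = True                         # allowances are per owner: none on the new wallet

    return {"stolen": t.balances[ATTACKER], "revoked": revoked,
            "blocked_after_revoke": blocked_after_revoke,
            "new_wallet_balance": t.balances[NEW_WALLET], "blocked_on_new_wallet": blocked_on_new}


if __name__ == "__main__":
    print(run_scenario())
```

Two things the toy makes visible: an unlimited approval is never used up, so the second drain costs the attacker nothing extra, and revocation only changes the allowance table, so it does nothing for tokens already gone or for a wallet whose key the attacker holds.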
Remember: for self-custodied funds there is no recovery fund, no insurance, and no dispute process, and a confirmed transaction cannot be reversed. The best move is prevention. Everything in this module is cheaper than losing your coins.