2022 Guide: Everything You Should Know to Invest in Crypto Safely

Crypto investing is increasing in popularity, but there are security measures every investor should take. Here's how to stay safe while investing in cryptocurrency.

By Tom Blackstone & Gabe Turner, Chief Editor
Last Updated on Apr 5, 2022
The content on this page is provided for informational purposes only. Security.org does not offer financial or investment advice, nor does it advise or encourage anyone to buy, sell, or trade cryptocurrency. It is advised that you conduct your own investigation as to the accuracy of any information contained herein as such information is provided “as is” for informational purposes only. Further, Security.org shall not be liable for any informational error or for any action taken in reliance on information contained herein.

In 2021, cryptocurrency investments had high returns. Bitcoin rose by over 60 percent, Ethereum by more than 400 percent, and some smaller cryptocurrencies had returns in many thousands of percent.

Given these gains, you may be tempted to try to get in on the action.

At the same time, you may wonder if investing in cryptocurrency is safe or if you can protect yourself against hackers and scammers while investing in them.

This article is a complete guide to keeping your crypto secure. We’ll go over how to choose an exchange that is safe, how to store your crypto effectively, what kind of scams to look out for, and more.

In other words, we’ll touch on everything you need to know to invest in crypto safely.

An Overview of Crypto Safety in 2022

There are a lot of regulations governing cryptocurrency in the U.S., but one key point to understand is that it is not insured by the FDIC. So if an exchange goes bankrupt, you may lose everything. And if an attacker gets into your exchange account, they can transfer your crypto into an anonymous wallet address and disappear forever.

By contrast, if a hacker gets into your stock brokerage account, the worst they can do is sell your stock and transfer the money to their bank account. This is definitely bad, but at least the transfer can be tracked, and maybe you’ll have a chance to recover your funds.

But when crypto is stolen, it is often impossible to get back.

I don’t say this to scare you, but it’s a reality that you should consider. Thankfully, there have been great developments in recent years concerning crypto safety.

The best way to protect your crypto investments is to take a multi-pronged approach.

First, take steps to make sure your exchange is secure. This means using a reputable exchange and enabling the best security features available, including two-factor authentication (or 2FA).

Second, only keep cryptocurrency on an exchange if you are actively trading it. If you are holding your crypto long-term, strongly consider transferring it to an external wallet that is completely under your control.

What’s a Wallet: A crypto wallet is a device or piece of software that is used to make transactions on a cryptocurrency network. A wallet stores your “private key,” a string of characters used to prove that you are the owner of a particular cryptocurrency account. Learn more in our ultimate guide to crypto wallets.

Third, take steps to make sure that your wallet is secure. This includes keeping a paper backup of your seed words, encrypting your keystore file with a strong password, and, if necessary, using a cold wallet for the bulk of your crypto holdings.

Got all that? Don’t worry, you’ll be a crypto-safety pro by the time you’re finished with this guide. Let’s dive into crypto exchanges.

What to Look for in a Cryptocurrency Exchange and What to Steer Clear of

When you purchase crypto safely, you’re most likely going to get it from an exchange. And in most cases, the exchange will have possession of your crypto until the moment you withdraw it.

So your first line of defense against hackers and scammers is to make sure your exchange is honest and secure.

Any legitimate crypto exchange will comply with the laws in your country or state. If your country requires all exchanges to have money transmitter licenses, for example, then the exchange will get a license. Or if it needs to register with a regulatory body, you’ll find that it has registered with the government and declared itself to be selling cryptocurrency.

So one red flag to look out for is an exchange that doesn’t comply with local laws but still wants to accept customers from your region. This may indicate that the exchange isn’t honest or secure.

FYI: Wondering what the crypto laws are in your state? You may want to read our guide to state laws for crypto.

Luckily, there are plenty of legitimate, law-abiding crypto exchanges in almost every country these days. So for most users, this won’t be a problem.

Security and reimbursement

Another problem that may arise is an exchange with security loopholes. In 2021, cryptocurrency exchange Bitmart was hacked and lost over $200 million worth of crypto.[1]

As we were preparing this article for publication, Crypto.com was also hacked for a loss of $35 million.

Both Bitmart and Crypto.com have promised to reimburse users who lost their funds.

In the past, other major exchanges have been hacked, including Binance, Bitfinex, KuCoin, and more. But these exchanges have all reimbursed users who lost funds.

One way of defending against security flaws is to find out how much of the exchange’s crypto is kept in “hot wallets” connected to the internet.

The best exchanges will keep only a small amount of crypto on these wallets. The rest will be stored off-line. This will limit losses in case a major hack occurs.

Another line of defense is to only use exchanges that reimburse users for hacks.

The better exchanges will have some kind of reserve fund they use to do this. If an exchange has been hacked in the past and has not reimbursed its users, this is a sure sign to steer clear of it.

Protecting Your Exchange Account With 2FA

Choosing a reputable exchange will help to protect you from attacks that are the exchange’s fault. But if your account is compromised through no fault of the exchange, you won’t be reimbursed.

This is why it’s important to enable 2FA.

If 2FA is enabled, you’ll be required to enter a code from a text message or mobile app every time you log in or make a withdrawal. This helps protect you from having your crypto stolen if your email account is compromised.

Pro Tip: Want to learn more about how to find a legitimate exchange? Check out our guide to legit and safe crypto exchanges.

If 2FA is not enabled, an attacker who has access to your email account can use the “forgot my password” feature to change your password and lock you out of your account. The attacker can then safely transfer your crypto away while you watch helplessly.

If this happens, the exchange will usually not reimburse you for the loss.

Pro Tip: Text messaging should also not be used for 2FA if at all possible. This is because many attackers know how to use SIM hijacking to intercept 2FA codes from text messages. So using a mobile app like Google Authenticator for 2FA codes is a better option.
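How an authenticator app arrives at its codes, as an added example that is not from the original article: the app and the exchange share a secret once at enrollment, and each side then computes the code locally from that secret and the clock (RFC 6238), so no code travels over the phone network. The secret is the public RFC test value, and `verify_totp` with its parameters is an illustrative name.

```python
import hashlib
import hmac
import struct

# Public test secret from RFC 6238. A real secret is random and is handed to
# the app once (usually as a QR code) when 2FA is enrolled.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret, submitted, unix_time, step=30, window=1, last_counter=-1):
    """Server-side check (illustrative). Returns the matched counter or None.

    window tolerates one step of clock drift either way; last_counter is the
    counter of the last accepted code, so a code cannot be used twice.
    """
    current = int(unix_time // step)
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code shown by the app at t=59:", code)
    print("accepted at t=59:", verify_totp(RFC_TEST_SECRET, code, 59))
    print("same code replayed:", verify_totp(RFC_TEST_SECRET, code, 59, last_counter=1))
    print("same code two minutes later:", verify_totp(RFC_TEST_SECRET, code, 179))
```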

Storing Crypto Safely Using Wallets

While the above steps can help to protect you against an exchange attack, you are ultimately not in control as long as the exchange has your crypto.

So unless you are a day trader or scalper who must keep crypto in an exchange, it’s important to put it in an external wallet as soon as you can.

External or “private” cryptocurrency wallets don’t have usernames or passwords. They can’t be reset with an email account, and they don’t use a central server that can be hacked.

The only way for an attacker to get crypto out of your personal wallet is to attack your personal device.

While it is always possible that your device can be hacked, it is generally going to be less enticing of a target than your exchange is. So the most effective strategy you can use to protect your crypto is to move it into a private wallet.

See below for the different types of wallets and how to use them.

Hot wallets vs. cold wallets

If you plan on making daily transactions with your crypto, you’ll usually need to store it in a “hot wallet.” A hot wallet is a piece of software that runs on a device connected to the internet, such as a desktop or mobile wallet. You can download hot wallets from websites or from mobile app stores.

A “cold wallet,” on the other hand, is a wallet that is not connected to the internet. This includes paper wallets and hardware wallets. Cold wallets can’t be downloaded; they can only be purchased or created.

If you are going to be using your crypto on a daily basis, you may want to keep it in a hot wallet. But if you are just buying and holding, a cold wallet is the safer option.

[Figure: Storing crypto: hot wallet vs. cold wallet pros and cons]

Using a hot wallet to store crypto

To store your crypto in a hot wallet, first download it from the official website and run the setup file.

Setting up the app (seed words, passwords, and addresses)

When the app opens, it will display a set of seed words. These seed words are used to generate your crypto accounts and addresses.

Write down these words on a physical piece of paper in the order they are given to you. Do not take a screenshot of these words or store them on any kind of cloud service such as Dropbox or Google Drive.

Store your physical backup in a safe place where it cannot get wet, catch fire, or otherwise be destroyed. Don’t tell anyone where it is unless you intend for them to have access to your crypto.

Passwords

After allowing you to record your seed words, the app will ask you for a password. Use a strong password with numbers, capital and lowercase letters, and special characters if possible.

If you forget your password, you can restore your account using your seed words. So don’t stress about forgetting it. But make sure you don’t lose your physical copy of your seed words.

Addresses

When you finish this process, you’ll see your cryptocurrency address. It’s a long string of characters that is derived from your seed words.

When you withdraw your crypto, your exchange will ask for this string of characters. Make sure you copy and paste the address instead of hand-typing it. If you leave out or change even one character, you will lose the crypto you are sending!

Once your crypto is safely transferred into your wallet, the exchange will no longer have control over it. At this point, even if an attacker gets access to your exchange account, they will not be able to steal your crypto.
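What software can and cannot check about an address before a withdrawal, as an added example rather than code from the article: legacy Bitcoin addresses (Base58Check) end in a four-byte checksum, so a wallet or exchange can reject most mistyped addresses, while any other well-formed address still passes. The key hashes are constructed bytes and the function names are illustrative.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def checksum(payload: bytes) -> bytes:
    """First four bytes of SHA-256 applied twice to version byte + key hash."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode(raw: bytes) -> str:
    number, text = int.from_bytes(raw, "big"), ""
    while number:
        number, digit = divmod(number, 58)
        text = ALPHABET[digit] + text
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + text  # each leading zero byte is written as "1"


def b58decode(text: str) -> bytes:
    number = 0
    for char in text:
        # The alphabet omits 0, O, I and l; those raise ValueError here.
        number = number * 58 + ALPHABET.index(char)
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + number.to_bytes((number.bit_length() + 7) // 8, "big")


def make_address(key_hash: bytes, version: int = 0) -> str:
    """Build an address from a 20-byte key hash (constructed input here)."""
    payload = bytes([version]) + key_hash
    return b58encode(payload + checksum(payload))


def is_well_formed(address: str) -> bool:
    """True only if the text decodes to 25 bytes whose checksum matches."""
    try:
        raw = b58decode(address.strip())
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]


if __name__ == "__main__":
    good = make_address(bytes(range(1, 21)))        # constructed key hash
    typo = good[:10] + ("2" if good[10] != "2" else "3") + good[11:]
    other = make_address(bytes(range(2, 22)))       # a different, valid address
    for label, value in (("copied", good), ("one typo", typo), ("different", other)):
        print(f"{label:10} {value}  well-formed={is_well_formed(value)}")
```

The checksum confirms that an address is intact, not that it belongs to you, so the pasted address still has to be compared against the one your wallet displays.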

Understanding hot wallet security

Now that your crypto is in your hot wallet, you need to make sure it is protected from attacks. I’ve touched on how to do that in the previous section. But let’s further explain how hot wallet security works.

The seed words you copied down on the piece of paper are used to generate an unlimited number of private keys. A private key is a string of characters your device uses to sign transactions and to prove that you’re the owner of the account.

Each private key corresponds to an account or address. You can create as many addresses as you want from a single set of seed words.
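How one set of seed words becomes many private keys, as an added example that is not part of the original article. It assumes the wallet follows the common BIP-39 and BIP-32 standards (the article does not name a scheme), skips word-list and checksum validation, and derives only hardened account keys at m/44'/0'/i'; the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; valid private keys are integers in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Public BIP-39 test phrase that everyone knows: never send funds to its keys.
TEST_PHRASE = "abandon " * 11 + "about"


def seed_from_words(words: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the seed words into a 64-byte seed with PBKDF2."""
    password = unicodedata.normalize("NFKD", words).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, 64)


def master_key(seed: bytes):
    """BIP-32: split HMAC-SHA512 output into master private key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(key: int, chain_code: bytes, index: int):
    """BIP-32 hardened derivation: child = (HMAC left half + parent) mod N."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    child = (left + key) % N
    if left >= N or child == 0:
        raise ValueError("invalid child key; BIP-32 says to use the next index")
    return child, digest[32:]


def account_keys(words: str, count: int, passphrase: str = ""):
    """Private keys (hex) for accounts m/44'/0'/0' .. m/44'/0'/(count-1)'."""
    key, chain = master_key(seed_from_words(words, passphrase))
    for index in (44, 0):                      # purpose', coin type'
        key, chain = hardened_child(key, chain, index)
    return [format(hardened_child(key, chain, i)[0], "064x") for i in range(count)]


if __name__ == "__main__":
    for i, key_hex in enumerate(account_keys(TEST_PHRASE, 3)):
        print(f"m/44'/0'/{i}'  {key_hex}")
    # One different word produces an unrelated set of keys.
    print(account_keys(TEST_PHRASE.replace("about", "above"), 1)[0])
```

Every key above is a pure function of the words, which is why anyone who reads the paper backup controls every account the wallet will ever create.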

Pro Tip: Want to better understand which cryptocurrencies to invest in? Start with our guide to understanding how crypto gains value.

Your seed words are stored on your device in a file called a key vault. This file is encrypted with your password. When you make transactions or browse crypto-enabled websites, your wallet will ask for your password in order to decrypt this file.

For an attacker to get your crypto, they need to steal both your key vault and your password. If they only have one of these items, they can’t get your crypto. They need both.

There is a hash of your password on your device. If your password is weak and the attacker gets this hash, they might be able to crack it by guessing millions of random strings of characters until they find one that produces this hash. This is why using a strong password is important.

If your device is infected with malware, an attacker may be able to log your keystrokes whenever you enter your password (more on malware in just a bit). There is no recorded case of anyone losing their crypto this way, but it is a known security flaw in all hot wallets. So it’s only a matter of time before this happens to someone.

Because of this problem, it’s best to only keep crypto in a hot wallet that you plan on using. If you’re storing a large amount long term, it should go in a cold wallet.

List of secure hot wallets

Here is a chart showing some of the most secure hot wallets. In each case, we’ve provided a link to the official website where an authentic copy of the software can be downloaded. We’ve also listed the type of wallet (desktop or mobile) and the networks it can be used on.

Software Crypto Wallets

Wallet | Type | Networks | Official website
Electrum | Desktop | Bitcoin | Electrum.org
Mycelium | Mobile | Bitcoin | Mycelium.com
Exodus | Desktop and mobile | Multiple | Exodus.com
Metamask | Desktop and mobile | Ethereum, BSC, Avalanche, HarmonyONE | Metamask.io
Brave Browser | Desktop and mobile | Ethereum, BSC, Avalanche, HarmonyONE | Brave.com
Coinbase wallet | Desktop and mobile | Ethereum, BSC, Avalanche, HarmonyONE | Coinbase.com/wallet

Using a cold wallet to store crypto

Hot wallets can be extremely secure if you use them correctly, but they can still be compromised if your device becomes infected with keystroke logging software. This is where using a cold wallet can help to protect you further.

If used correctly, a cold wallet should be impossible to hack except through physical theft.

Hardware wallets

The most popular form of a cold wallet is a hardware wallet. A hardware wallet is a small USB device that stores a keystore file. If you want to make a transaction with a hardware wallet, you can attach it to your PC or mobile device and send a signature through the USB port.

However, the key vault is stored on a separate memory bank in the device and can’t be transmitted through USB in an unencrypted form. This means that even if an attacker infects your PC with malware, they should be unable to gain access to your crypto.

The biggest risk to using a hardware wallet is physical theft. To further protect against even this possibility, hardware wallets have pin code locks.

Security experts have been able to hack hardware wallets using very sophisticated techniques once they had physical possession of them. So if you lose your hardware wallet, it’s best to transfer your crypto out of the wallet as soon as you realize it’s missing.

The biggest disadvantages to hardware wallets are inconvenience and cost.

If you use a hardware wallet, you have to connect the wallet to your PC and confirm the transaction using both the USB device and the software running on your PC. This can be quite inconvenient if you make a lot of transactions.

In addition, hardware wallets usually cost from $49 to $220. So they are not economical for storing very small amounts of crypto.

List of hardware wallets

Here is a list of some of the more popular hardware wallets. We’ve included main features and prices for these as well.

Hardware Crypto Wallets

Model | Features | Price
Trezor Model T | Supports all major networks; large, full-color touch screen (no buttons) | $185-$220
Ledger Nano X | Supports all major networks; Bluetooth for mobile devices, large buttons, black & white OLCD screen | $119-$149
Ledger Nano S | Supports 27 different networks; small buttons, black & white OLCD screen | $59
Keepkey | Supports 7 different networks; small buttons, large OLCD screen | $49

Paper wallets

Another form of cold wallet is a paper wallet. A paper wallet is a private key and address that are only stored on a piece of paper. Since the key is not stored on any kind of computing device, it should be impossible for a hacker to steal it.

In the early days of Bitcoin, paper wallets were very popular as a method of storage.

But unfortunately, this method turned out to have one big security flaw: in order to generate the key and address, you needed to download an app into your browser. And it was difficult to know if the app was sending your keys to the web server and exposing your account.

Today, paper wallets should not be considered secure.

Now that we’ve got the basics of wallets out of the way, let’s discuss some common crypto scams to watch out for.

Common Crypto Scams

Even if you store your crypto in a private wallet, it’s still possible to fall for common crypto scams if you don’t know what they are. So here are a few things to be aware of.

[Figure: Common crypto scams to watch out for]

Crypto website phishing scams

There are a lot of phony websites that will pose as legitimate sites and ask you to enter your wallet seed words. This kind of fraud is called a “phishing site,” and it’s a common type of crypto scam.

For example, you may think you’ve gone to the official Uniswap app at app.uniswap.org, but you’ve actually gone to app.uniswop.org instead (notice the spelling!). If a hacker sets up a website to look exactly like the official site, but on a slightly different URL, they may convince you that you’re interacting with the official site.

It’s especially easy to avoid crypto website phishing scams though. Just be sure to never enter your seed words or private key into any field on any website. Even if it looks like your wallet itself is asking for your seed words as you are browsing the web, don’t enter them.

If you forget your password or otherwise get locked out of your account, first delete your wallet from your device. Then, reinstall the wallet.

Once it’s reinstalled, you can safely enter your seed words into the wallet to recover your account. But this should be done from a blank page in your browser, not from an actual page on the web. And it should only be done once, right after installing.

Did You Know: Your wallet will ask you for your password often. But it will never ask you for your seed words as you are browsing the web. Seed words are only required during installation.
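The app.uniswap.org versus app.uniswop.org case above, turned into a check that a browser extension or mail filter could run (an added example, not from the original article). The allowlist is built from hosts named on this page; the verdict names, the distance threshold of 2 and the `.example` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Exact hosts the reader trusts, taken from sites named in this article.
OFFICIAL_HOSTS = (
    "app.uniswap.org", "metamask.io", "electrum.org",
    "exodus.com", "mycelium.com", "brave.com",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, max_distance: int = 2):
    """Return (verdict, official_host_or_None).

    official  - host is exactly on the allowlist
    lookalike - host is a near miss of, or is prefixed with, an official host
    idn       - host has non-ASCII or punycode labels that the eye cannot vet
    unknown   - no relation found; not an endorsement
    """
    if "://" not in url:
        url = "https://" + url
    # hostname drops any user:password@ prefix and port, and lowercases.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in OFFICIAL_HOSTS:
        return ("official", host)
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return ("idn", None)
    for official in OFFICIAL_HOSTS:
        if 0 < edit_distance(host, official) <= max_distance:
            return ("lookalike", official)
        if host.startswith(official + "."):   # official name used as a subdomain
            return ("lookalike", official)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [                                # constructed sample URLs
        "https://app.uniswap.org/#/swap",
        "https://app.uniswop.org/#/swap",
        "https://app.uniswap.org.wallet-verify.example/login",
        "https://app.uniswap.org@phish.example/",
        "https://metamsk.io/download",
    ]
    for sample in samples:
        print(f"{check_url(sample)!s:40} {sample}")
```

An "unknown" verdict only means the host did not resemble an allowlisted one; the rule of never typing seed words into a web page applies regardless of the result.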

Fake wallets

Another common crypto scam is fake wallets.

Some scammers will create software that looks just like Metamask or another popular crypto wallet.

They’ll advertise their “wallet” in places like Google Ads or Facebook. When you click through the ad and visit the site, you’ll be given a link where you can download what you think is a legitimate copy of the software. But in reality, this software has been altered so that once you generate your seed words, it will send them to the scammer. Now all they have to do is wait until you send some crypto to the wallet; when you do, the attacker will transfer it to their own wallet.

The best way to protect against this kind of attack is to only download your wallet from the official website.

Google places its ads above the organic search results, so if you search for a wallet, make sure you scroll down to the organic results instead of clicking an ad. Wallets generally do not advertise. So if you see an ad for a wallet, it’s probably a scam.

Also, don’t search for a wallet from within the Google or Apple app stores. These stores have been known to place scam wallets at the top of their results in the past (probably not intentionally). Instead, go to the wallet’s official website. From there, click the link to get to the Google or Apple app store page for the wallet.

Malware

Another common crypto scam is to simply infect your computer with malware. A bad actor may send you an email and bait you into downloading a file and running it on your device. When you run the file, it can secretly infect your computer with malware that monitors everything you do.

We’ve already talked about malware in other sections, so we won’t spend much time on it here. But here are a few short tips to protect against losing your crypto to a malware attack.

  • Don’t use a wallet password that is the same as a stored website password
  • Don’t take a screenshot of your seed words
  • Don’t download files from emails unless you’ve verified the address
  • If possible, check your inbox on a different device from the one you use for crypto
  • If possible, use a hardware wallet

Even if you take these steps to protect your seed words, you may wonder if there is some way for a hacker to steal your crypto anyway. Can a crypto network itself be hacked? Can an attacker transfer your crypto to themselves even if they don’t have your seed words or private key? For answers to these and other questions, read below.

Can Crypto Networks Be Hacked?

On centralized networks like PayPal or banks, an attacker may be able to gain access to your account even if you keep your password completely secure. This is because the network itself may have a security flaw that can be exploited.

You may wonder if crypto networks can suffer from similar flaws that will allow an attacker to transfer your funds without having your private key.

In other words, can crypto networks be hacked?

The short answer is “no.” Under most circumstances, there is simply no way for an attacker to steal another person’s crypto without having that person’s private key. The one exception to this is if you are a merchant who is actively selling goods in exchange for crypto. In this case, there is a short window of time in which the attacker may be able to buy goods from you and then reverse the crypto transaction, allowing the attacker to keep the goods and the crypto.

But if you are not a merchant selling goods for crypto, this attack will not work on you. So if you are just holding crypto in your wallet, there is no known way for a scammer to steal it without getting your key.

If you’re curious and want a more detailed answer as to why crypto networks can’t be hacked, read the rest of this section. Otherwise, skip down to “wrapping up” for the conclusion.

Shared database

On a crypto network, all of the nodes have a copy of the database. If an attacker alters the balances on one copy, the copies stored by other nodes will show a discrepancy. As a result, the hacked node’s copy of the database will be rejected by them.

Signatures

Each transaction is required to have a valid “signature,” a message encrypted with the account owner’s private key. If a node claims that a particular transaction is valid, all other nodes on the network will expect to see a signature proving that the transaction is valid.

If the signature can’t be produced, the rest of the network will reject the transaction.

This is why a hacker needs your private key in order to steal your crypto. Even if the hacker is running a validator service and is therefore “in charge” of the network, they still can’t transfer your crypto without your consent. Because the network is decentralized, even the people validating transactions don’t have the power to break the rules.

Want to know more about how crypto transactions are secured? Check out our crypto user’s guide to cryptography.

Double-spend attacks

Of course, a hacker might be able to spend their own cryptocurrency and then erase the transaction. This is called a “double-spend attack.”

In order to perform a double-spend attack, the malicious node needs to somehow make its transaction history longer than every other node’s. If it can pull this off, it can get its own fraudulent copy of the database accepted as the real one. So it will need to add a bunch of spam transactions to its database if it wants to accomplish this.

Cryptocurrency networks defend against double-spend attacks using various techniques. For example, the oldest crypto networks like Bitcoin and Ethereum require nodes to spend a bunch of electricity on a complicated math problem each time they add transactions to the ledger. This makes it so expensive to produce spam transactions that the attacker would probably lose more money on electricity than they would gain from the fraud.

Newer networks like Avalanche, Binance Smart Chain, and Ethereum 2 tackle the problem in a different way. They require each node to put up a certain amount of cryptocurrency in a bond, and each node has to sign every block of transactions it wants to add to the ledger. If a validator tries to double-spend, any other node can easily detect this and submit proof of it to the network.

If a node is caught trying to double-spend on these networks, it has its bond taken from it and given to the validator who discovered the fraud. Because of this incentive, double-spends are extremely difficult to pull off on these newer networks.

The bottom line is that double-spend attacks are not a problem for most users because most users are not selling goods in exchange for crypto.

And there is no other known vulnerability in crypto networks. So essentially, crypto networks cannot be hacked.

Wrapping Up

Crypto can seem like an especially risky investment to hold compared to other assets. Other assets only carry the risk of going down in price. With crypto, there seems to be the additional risk of hacking and digital theft.

But investing in crypto doesn’t have to be especially risky. By taking the proper steps to protect your digital currency, and making sure you don’t take on undue legal risks while investing, you can minimize the risk of losing it to hacking or scams.

FAQs

See below for answers to a few frequently asked questions about investing in crypto safely.

  • Are crypto exchanges safe for long-term storage?

    No. Crypto exchanges are as safe as they can be, but they face some unique problems compared to stock exchanges.

    Crypto exchanges allow you to withdraw crypto into your own possession. As long as this is possible, there is always the chance that an attacker can transfer your crypto into their own hands. The best way to protect yourself against this threat is to move your crypto into your own wallet.

  • Are crypto investments insured?

    Under most circumstances, cryptocurrency investments are not insured. Some exchanges may insure your crypto in case your exchange is hacked. But if the theft wasn’t the exchange’s fault, the insurance usually won’t pay.

  • What is a crypto wallet?

    A crypto wallet is a piece of software or device that stores your private key or seed words. If you want to perform cryptocurrency transactions, you need a wallet. If used correctly, wallets are also a very secure way to store cryptocurrency.

  • What is a cold wallet?

    A cold wallet is a crypto wallet that is not connected to the internet. Some examples include a hardware wallet, a piece of paper with a private key on it, or a laptop that has a private key on it but no network adapter.

    Cold wallets are especially secure ways to store crypto. Because they are not connected to the internet, they cannot be hacked remotely, although they can still be physically stolen.

Citations
  1. NBC News. (2021, Dec. 17). Crypto exchanges keep getting hacked, and there's little anyone can do.
    nbcnews.com/tech/security/bitcoin-crypto-exchange-hacks-little-anyone-can-do-rcna7870