How to Protect Your Crypto in 2022

An in-depth guide to protecting your crypto from hackers and scammers

By Tom Blackstone & Gabe Turner, Chief Editor
Last Updated on Apr 5, 2022
The content on this page is provided for informational purposes only. Security.org does not offer financial or investment advice, nor does it advise or encourage anyone to buy, sell, or trade cryptocurrency. It is advised that you conduct your own investigation as to the accuracy of any information contained herein as such information is provided “as is” for informational purposes only. Further, Security.org shall not be liable for any informational error or for any action taken in reliance on information contained herein.

Cryptocurrency prices are on the rise, and a lot of investors are buying crypto for the first time. But while investors see this as a great opportunity, so do hackers, scammers, and other criminal types who see these new investors as easy prey. While there are several pitfalls of crypto investing to avoid, keeping your funds safe is certainly high on the priority list.

The cryptocurrency exchange Liquid was hacked in August 2021, losing over $97 million worth of crypto.[1] In January 2022, another $30 million in Bitcoin and Ethereum was stolen from North American exchange Crypto.com.[2]

With all these attacks against crypto investors, you may wonder how you can protect your crypto from being stolen. Should you keep your crypto in an exchange? What about using a hardware wallet? Should you store a screenshot of your password in case you forget it?

Pro Tip: Speaking of exchanges and wallets, we have a guide for selecting a legitimate exchange as well as a resource on crypto wallets for you to dig into.

We’ll answer all these questions and more. We’ll explain the ways hackers can steal your crypto, and we’ll discuss the steps you can take to make it almost impossible to fall victim to a scheme.

Of course, no security method is 100 percent effective, and you may choose not to implement some of the methods we highlight if they’re too inconvenient. There are also quite a few legal risks of crypto investing to consider, but in this article we’ll provide all the information you need to buy and sell crypto as safely as possible.

Let’s jump right in and discuss some ways you can protect your crypto from digital theft.

Did You Know: Crypto networks are virtually impossible to hack, so anyone can keep their crypto safe if they practice the good digital hygiene we discuss in this guide.

Use Two-Factor Authentication for Your Exchange

Whenever you first buy cryptocurrency, it will generally be in an exchange account. If a hacker gets access to this account, they can “withdraw” your crypto to a wallet address under their own control.

One of the easiest things you can do to help thwart these attacks is to first make sure you purchase your crypto safely, and then turn on two-factor authentication (2FA) for withdrawals in your exchange app.

2FA requires you to input a code from your phone every time you make a crypto withdrawal. It can be a nuisance if your phone’s battery has died or if you have to get your phone from another room when you want to withdraw, but it could also save you from losing your crypto if an attacker gets access to your account.

If you don’t have 2FA enabled, you have to rely entirely on the security of your email address and password to protect your crypto. These can be pretty easy for bad actors to circumvent.

An attacker may be able to steal your password hash from another website and break it using hash-cracking software, or they may be able to trick you into downloading a malware file through email, steal your email password, and use the “reset password” feature to take control of your exchange account.

These are standard techniques hackers use to steal crypto from an exchange, but having 2FA enabled makes them much less likely to succeed.

With 2FA enabled, the attacker will need to perform these steps plus convince your phone company to transfer your phone service to the attacker’s phone. That will allow them to receive your text messages and get the code intended for you. It’s an extra layer of effort the hacker has to go through to make the withdrawal, and it’s often enough to deter them from completing the attack.

Pro Tip: If SMS 2FA is enabled, an attacker can’t withdraw your crypto from the exchange without first gaining access to your mobile phone service.

Use an Authenticator app

If you use an authenticator app such as Google Authenticator for your 2FA, then your exchange account can be even more secure. Authenticator apps don’t use SMS text messaging to send you the withdrawal code, which means the attacker still can’t get your withdrawal code even if they transfer your phone service to themselves or mirror your messages.

If you use an authenticator app, then the hacker would need to get possession of your phone to get the 2FA code. That’s a much stronger layer of defense than using SMS.

Even if you have 2FA enabled, an attacker may be able to bypass the security of the exchange itself. In this case, you could lose your crypto through no fault of your own. If the exchange is hacked, then you could also be subject to withdrawal holds or other policies that keep you from accessing your crypto. This is where withdrawing your crypto can be useful.

Withdraw Your Crypto

Exchanges often have millions of dollars’ worth of crypto stored in them. With that much loot available, they make enticing targets for scammers everywhere. One way to avoid this potentially devastating threat is to just withdraw your cryptocurrency from the exchange.

To withdraw your crypto, you’ll need to download a wallet and set it up on your PC, then instruct your exchange to send your crypto to your new wallet address.

Once you’ve done this, an attacker can no longer steal your crypto by gaining access to your exchange account or hacking the exchange itself. Instead, the attacker would effectively need to compromise your PC to get your crypto.

Since you probably don’t run around telling everyone you store loads of crypto on your PC, it’s probably less of a target than an exchange. Withdrawing your crypto can be a simple and effective way to reduce the threat of crypto theft.

Back Up Your Seed Words Properly

Let’s say you’ve downloaded wallet software and started setting it up. You’re immediately confronted with what may be an unfamiliar experience: You’re told to back up your seed words.

Secure your wallet on MetaMask

What are seed words? A set of seed words — also called a “secret recovery phrase” or “master key” — is a series of words that can be used to cryptographically derive all your account keys. You can use your seed words to recover your accounts if your device crashes. Anyone who has access to your seed words has access to every account tied to these words.

If you’re new to crypto and also in a hurry, then you may be tempted to skip this step or just take a screenshot to use as a backup. But there are good reasons to be careful with how you store your seed words.

If you don’t back up your seed words, you will lose access to all your cryptocurrency the moment your device crashes. PCs have moving parts that wear out over time, so, eventually, your device will crash.

Luckily, there’s an easy way to avoid losing your crypto because your PC bit the dust. Just write down your seed words on a physical piece of paper and store the paper in a safe place where it can’t be destroyed. If you’re worried about losing your physical copy, you can even write down your words on multiple pieces of paper and store them in different secret hiding spots. We recommend fireproof, waterproof safes for storing your seed words.

Pro Tip: When you recover a wallet, you have to enter your seed words in the order they were first displayed. When you write them down, make sure you don’t rearrange the order!

The important point is to store them on a physical thing that can’t be erased.

Storing your plaintext seed words on your PC is fraught with additional risk. If you store them as a screenshot on your computer, for example, then any person who gets access to your computer can steal all your crypto. All they have to do is find the image, copy your seed words, and import them into their own wallet.

A person could do this by physically having access to your PC or by infecting your computer with malware. Either way, it’s a good idea to make sure only encrypted copies of your seed words are on your PC, which means no screenshots or notepad files.

Unless you are using a hardware wallet (more on that later), there will be a copy of your seed words in a special file called a “key vault.” This file will allow you to make transactions without entering your seed words each time.

Unlike a plaintext file, your key vault is encrypted with a password. Even if an attacker gets a hold of it, they’ll open the file to find a bunch of useless gibberish. This is a lot safer than storing the file in plaintext.

To recap seed words, keep the following security measures in mind:

  • Back up your seed words on a physical piece of paper.
  • Keep the backup in a safe place where it can’t catch fire or get water damage.
  • Don’t keep plaintext copies or screenshots of your seed words on your PC.
  • Keep the location of your physical backup a secret.
  • If your device crashes, then use your seed words to recover your accounts.

Now let’s talk about your password, which should be Fort Knox strong.

Use a Strong Password to Protect Your Crypto

More on this in our guide to staying safe with crypto keys and passwords, but let’s take a 30,000-foot view. If your device is infected with malware, then the attacker shouldn’t be able to read your key vault file and get your seed words. That’s because (hopefully) no one knows your password except you. But an attacker may be able to use Hashcat’s password-recovery tool or other hash-cracking software to guess thousands of random characters until the vault is successfully decrypted.[3]

Whether they can do this cheaply and quickly depends on how complex your password is. The longer the password, the more difficult it is to crack. If a password has both capital and lowercase letters, numbers, and special characters, then it’s even more difficult to crack.

No password is completely uncrackable, but, if you make one that takes several years and millions of dollars’ worth of computing power to crack, for all practical purposes it may as well be impossible to hack.

You may worry that you’ll forget your password if you make it too complicated, but you can restore access to your account even if you forget it — as long as you still have a backup of your seed words.

What if you’ve forgotten your password? If you still have your seed words, then just uninstall your wallet, reinstall it, and import your seed words during installation. That will restore your account, and you can choose a new password during the installation process.

The bottom line is that you can protect your crypto by choosing a password that is as strong as possible.

Pro Tip: Use our How Secure Is My Password tool to find ultra-secure passwords and shore up older, less-secure passwords.

Use a Different Password for Your Wallet

You may be tempted to use a wallet password that is the same as one you use for a website, but there are several reasons to use a unique password for your wallet.

First, if a hacker breaches a popular website you use, then they may be able to get your password hash and run cracking software on it. That’s more likely to happen to a popular website (like the Facebook breach last year) than it is to your own device.

Second, many people store their website passwords in plaintext inside their browsers. If you do this and you’re unlucky enough to have your device infected with malware, the attacker may be able to gain access to all your website passwords. There is a nasty piece of malware called Redline Stealer that has gained popularity with cybercriminals for giving them exactly this kind of access.[4]

Losing your website passwords is bad enough, but if your wallet password is the same as one you use for a website, then the attacker will also have access to your wallet password and can use it to decrypt your key vault. (In these types of attacks, the key vault is usually also stolen.)

Your wallet password is probably the most important password you have, so you should make it unique. Even if you use a strong, unique password, it’s still technically possible for an attacker to use key-logging malware to record your keystrokes when you enter your password or pull your unencrypted vault data out of your PC’s RAM.

These are very sophisticated techniques and, so far, there is no recorded case of a crypto user losing their seed words this way. As cryptocurrencies become more widely adopted, however, this type of attack may become more common.

How can you protect your crypto against even these kinds of attacks? We’ll discuss that in the section on hardware wallets.

Pro Tip: We highly recommend using a combination of a VPN (to protect your online activity) and an identity theft protection service (to protect your identity). Aura is one company that combines both tools into one service. Read our full Aura review to learn more.

Use a Hardware Wallet If Possible

One of the best ways to protect your crypto is to use a hardware wallet, a USB device that can store your key vault. It is designed so your seed words cannot be moved out of the device unencrypted.

A hardware wallet has no Internet connection, so it’s extremely difficult for an attacker to infect it with malware.

Each time you do a transaction with a hardware wallet, you have to connect it to your PC or mobile device through USB or Bluetooth. A signature is produced from within the wallet and sent to your internet-connected device, which allows you to do transactions without exposing your key to a possibly malware-infected device.

Hardware wallets also have PIN codes, so the attacker would still have a hard time getting your crypto if your wallet is physically stolen.

Security experts have been able to crack hardware wallets using extremely sophisticated techniques such as hardware implants, RF signals, and microcontroller memory rewrapping, but they needed to have physical access to the wallets in order to perform these hacks.

If you lose your hardware wallet or have it stolen, then you may want to transfer your crypto out of the wallet’s address as soon as you can.[5]

If you’re keeping your hardware wallet in your home, then installing a good home security system can help protect it from theft.

Did You Know: Sometimes attackers will sell “used” hardware wallets on places like eBay and Amazon. These have often been altered to allow an attacker to get your seed words, so it’s safest to buy the device directly from the manufacturer instead.

The biggest disadvantages to hardware wallets are inconvenience and cost. Hardware wallet transactions often take longer than software ones, and, depending on where you keep your wallet, you may have to take time getting it from wherever it’s stored. Hardware wallets also cost between $50 and $150.

If you’re only storing a small amount of crypto, then you may not want to spend money on a hardware wallet. If you have a sizable crypto holding, then it may be worth investing in.

Even though hardware wallets are physical devices, they still rely on software to make them work — and attackers can try to get you to install fake copies of the software for them. Even if you don’t use a hardware wallet, fake software is a threat you should be aware of.

Check the URL (Avoid Fake Software)

Aside from hacking an exchange, probably the most common scam used to steal crypto is to convince a person to download a fake wallet or use a fake application.

Many scammers, for example, will offer fake versions of the popular Ethereum wallet, MetaMask. They’ll even advertise these fake wallets on Facebook or Google.

The best way to avoid this type of scam is to only download a wallet from the developer’s official website, which means avoiding click-through advertisements on search engines or social media sites. You may also want to avoid using searches in Google Play or the iOS App Store to find wallets, since these stores have been known to place fake wallets near the top of search results (likely unintentionally).[6]

FYI: Most developers offer direct links to their mobile wallets from their official websites, so using a mobile app store search engine usually isn’t necessary anyway.

Fake Web Apps

Wallets aren’t the only type of crypto software scam. An attacker can also create a fake website that looks just like a legitimate one but has a slightly different spelling in its URL. The site may lead to different smart contracts from the legitimate one, and these smart contracts may be malicious. An attacker can use this to steal your crypto almost as easily as with a fake wallet.

For example, maybe you want to swap your 1Dai for Viper on ViperSwap. You navigate to what you think is the official website for ViperSwap, but you misspelled the URL or clicked an advertisement posted by scammers when you searched for the site on Google. You’re now on a fake version of ViperSwap, and, when you attempt to make the swap, you’re told you need to approve your tokens to be spent by the exchange. After you approve the tokens, all your 1Dai is drained from your wallet and you get nothing in return.

In most cases, this happens because the malicious “exchange” has a line of code that allows the owner to transfer your tokens to themselves. If you had not approved it to spend your 1Dai, then the 1Dai contract would have blocked the transaction. Because you made the approval, the token contract allowed the malicious Dapp to steal your tokens.
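The misspelled-URL case described above can be caught mechanically before a wallet is ever connected. This added example (not part of the original article) compares a link's hostname against an allowlist and flags near-miss spellings; the hosts are constructed placeholders on reserved example domains and the distance threshold of 2 is an assumption.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist; in practice, copy hosts from the developer's own documentation.
OFFICIAL_HOSTS = ("wallet.example", "swap.example")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def classify_url(url: str, official=OFFICIAL_HOSTS,
                 max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, official_host); verdict is 'official', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "https://" + url
    # urlsplit drops any "user@" prefix, so "swap.example@other.test" resolves to other.test.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for good in official:
        if host == good or host.endswith("." + good):
            return "official", good
    # Punycode or raw non-ASCII labels can render as letters that look like ASCII ones.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike", None
    for good in official:
        # Official name used as the leading labels of some other domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "lookalike", good
    best = min(official, key=lambda g: edit_distance(host, g))
    if edit_distance(host, best) <= max_distance:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sample in ("https://swap.example/trade", "https://swapp.example/",
                   "https://swap.example.login.test/", "https://news.test/"):
        print(sample, "->", classify_url(sample))
```

An "unknown" verdict only means the host is not close to anything on the allowlist; it says nothing about whether the site is safe.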

There are a few techniques you can use to avoid this kind of attack.

  • Use only Dapps you trust. If you feel comfortable reading code, then you can look up the contract addresses in the developer’s documents and find the code in a block explorer. In this case, you can verify whether there are weird “ownerOnly” or “adminOnly” functions in the Dapp that could allow the developer to steal your tokens.

    If you don’t feel comfortable reading Solidity, then just avoid Dapps that are too new to have been vetted by independent programmers.
  • Make sure you use only the official website for an app. In most cases, it will be the first site in the organic search results in Google, Bing, etc. If there is any question, then you can check crypto news sites and other reputable sources to make sure you’ve got the right URL.
  • Check the lock icon to the left of the URL. If the site has been hacked, it will usually fail its SSL certification, which will cause the lock to appear red. Your browser may also warn you that the site is unsafe.
  • Double check contract addresses. If you have to call an “approve” function to allow a Dapp to use your tokens, then make sure the contract address that pops up in your wallet is the same as the one mentioned in the developer’s documents. That way, you won’t accidentally approve a contract to spend your tokens that you didn’t actually intend to approve.
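The "double check contract addresses" step can be done on the raw transaction data a wallet is about to sign. This added example (not from the original article) decodes a standard ERC-20 `approve(address,uint256)` call, compares the spender with the documented address, and models the allowance rule that makes an approval dangerous; all addresses are constructed and the `Token` class is a simplified model, not a real contract.

```python
from typing import List, Tuple

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # selector of approve(address,uint256)
MAX_UINT256 = 2 ** 256 - 1

# Constructed sample addresses, not real contracts.
DOCUMENTED_SPENDER = "0x" + "11" * 20  # as copied from the developer's documentation
UNKNOWN_SPENDER = "0x" + "22" * 20     # what a lookalike site might present instead


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used here only to construct sample input."""
    addr = bytes.fromhex(spender[2:]).rjust(32, b"\x00")
    return "0x" + (APPROVE_SELECTOR + addr + amount.to_bytes(32, "big")).hex()


def decode_approve(calldata_hex: str) -> Tuple[str, int]:
    """Return (spender, amount) from approve() calldata, or raise ValueError."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    if any(data[4:16]):
        raise ValueError("spender word is not a zero-padded 20-byte address")
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")


def review_approval(calldata_hex: str, documented_spender: str) -> List[str]:
    """Warnings a user should resolve before signing; an empty list means none found."""
    spender, amount = decode_approve(calldata_hex)
    warnings = []
    if spender.lower() != documented_spender.lower():  # hex case may differ (checksums)
        warnings.append("spender %s does not match the documented address" % spender)
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance requested")
    return warnings


class Token:
    """Simplified model of the ERC-20 allowance rule described in the text."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("transfer exceeds allowance or balance")
        self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


if __name__ == "__main__":
    print(review_approval(encode_approve(DOCUMENTED_SPENDER, 500), DOCUMENTED_SPENDER))
    print(review_approval(encode_approve(UNKNOWN_SPENDER, MAX_UINT256), DOCUMENTED_SPENDER))
```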

Pro Tip: You can send the native cryptocurrency of a network (ETH, BNB, AVAX, etc.) directly to an application, but you can’t do it with a token. Instead, you have to approve the app to take the tokens from your wallet. It’s important not to make this approval for an app you don’t understand or trust.

Some malicious sites are so bold that they may even tell you to give them your seed words. Read on to find out more.

Don’t Enter Your Seed Words on a Website

If you use a browser-extension wallet, it will ask you for your password frequently. If you close your browser and reopen it, it will ask for your password. If you step away for a few minutes, your wallet will close and it will ask for your password when you come back.

You’ll get used to being asked for your password.

But a browser-extension wallet such as MetaMask, Coinbase wallet, or Brave wallet will ask for your seed words only the first time it is installed.

If you’re browsing the web and suddenly come across a window that looks like your wallet and asks for your seed words, then this is probably a malicious website. The safest way to deal with this is to close the tab and flush your browser’s cache.

If you think your wallet really is malfunctioning, then you can uninstall it and reinstall it from a blank browser page. That should help ensure you are really interacting with your wallet and not a web app on a particular page.

The previous few sections have detailed ways to defend yourself against an attack, but the next two are about preventing yourself from becoming a target in the first place.

Avoid Public Wi-Fi

You may sometimes have to connect to the internet while you’re not at home, and free public Wi-Fi at a restaurant or coffee shop may seem like a tempting solution.

When you’re doing crypto transactions, however, you may want to avoid using open public Wi-Fi. When you use open public Wi-Fi, other people nearby can easily intercept your internet traffic using Wireshark or similar tools.[7]

With the information they receive, they can often tell if you’re visiting crypto sites. In some circumstances, they may even be able to view your transactions.

That won’t necessarily allow them to steal your crypto, but a scammer may decide to pay a lot more attention to you if they see you making high-value crypto transactions or simply browsing crypto sites. That’s probably not the kind of attention you want.

Aside from avoiding public Wi-Fi, another way to avoid attention from scammers is to subscribe to a VPN service.

Pro Tip: If you ever choose to buy or sell crypto on your smartphone, it’s important to keep your online activity private from lurking eyes. Be sure to read our guides to the Best VPNs for iPhone or the Best VPNs for Android.

Subscribe to a VPN Service

One thing to watch out for with any kind of online transaction, including crypto transactions, is a man-in-the-middle (MITM) attack. Subscribing to a VPN service can help prevent these attacks.

In an MITM attack, the hacker breaks your connection with a website you are visiting and injects their own device between you and the site. They then pass on your data to the site you intend to interact with, making it appear that you are connected as normal. But now they can monitor everything you are doing.

MITM attacks can be used to find out what you are doing on a site. The information a scammer gets may tip them off that you are a crypto user, which may lead to them using other methods to get to your crypto investments, such as showing you fake sites or convincing you to install a fake wallet.

You may want to subscribe to a VPN service and use it whenever you make crypto transactions. VPNs usually cost between $5 and $15 per month, and they can be even less expensive if you pay for multiple months or years up front.

VPNs are also useful for streaming foreign TV shows and movies or for keeping your online activity hidden from the prying eyes of your ISP, so they have value beyond the crypto world.

FYI: To really enhance your digital security, check out our guide to The Best VPNs of 2022.

Now let’s talk about one of the easiest ways an attacker can gain access to your crypto: getting you to download a malicious file.

Be Wary of Emailed Files

One of the most common techniques attackers use to steal crypto is to get the user to open an email and download a malicious file. These emails are often cleverly made to look as if they come from a legitimate company.

Let’s say an attacker monitors your internet traffic and finds out you are looking for a new job. They may send you an email that looks like it comes from a company with exactly the kind of position you are looking for.

The company mentioned in the email may be a real company, and the person’s name may match the name of an actual person who works for that company. The email address, however, may be slightly different from the email the real company uses, which you probably don’t notice because you are so excited someone from the company sent you an email.

So the email says, “We’ve looked at your LinkedIn profile, and we think you’ll be a great match for this position. Please fill out this .pdf with the time you are available for an interview and send it back to us as soon as you can.”

You download the .pdf file. When you open it, malware is installed on your computer.

At this point, the attacker can get your key vault if you are not using a hardware wallet. They can steal all your website passwords and try them on your wallet in the hopes that one of them works. They can use a variety of strategies to either steal your seed words or get you to give them up willingly.

One way to protect against this type of attack is to use a different PC for your crypto transactions than you use to open emails. You simply don’t install your wallet on your main PC at all.

That can be expensive, though, so the other option is to simply be extra diligent every time someone asks you to download a file through email. Look at the email address: it will usually have a slightly different spelling than expected, or something else will look wrong with it once you examine it closely.

Sometimes the attacker will spoof the email address as well, so it will appear correct. To protect against this possibility, another option is to run antivirus on the file before you open it. Download the file but don’t open it. Instead, right-click and select the option to scan the file with your favorite antivirus program.

That still won’t give you 100% protection, because you may have downloaded a new piece of malware that your antivirus doesn’t know about yet. But if you absolutely must open the file, it at least gives you a fighting chance of detecting the malware and avoiding installing it.

Ultimately, the best way to protect against malware is to use a hardware wallet. If you can’t get one, though, these techniques can also help.

Final Words

The crypto market continues to hit new highs as more people download wallets and join networks for the first time, but this rise in activity also leads to an increase in criminals who seek to take advantage of the new entrants.

We’ve gone over numerous ways you can protect your crypto against this new breed of criminal, including using 2FA, withdrawing from an exchange, backing up your seed words, avoiding open public Wi-Fi, and using a VPN.

In the future, scammers will likely come up with even more ways to steal crypto, and we’ll update this page as new threats arise. In the meantime, these are some of the most effective ways to protect your crypto.

Looking for more crypto information? Check out our guide to how crypto gains value. There you’ll find a wealth of information to help you better understand this interesting world.

Citations
  1. CNBC. (2021, Aug 19). More than $90 million in cryptocurrency stolen after a top Japanese exchange is hacked.
    cnbc.com/2021/08/19/liquid-cryptocurrency-exchange-hack.html

  2. CBS News. (2022, Jan 21). Crypto.com says hackers stole more than $30 million in bitcoin and ethereum.
    cbsnews.com/news/crypto-com-hack-bitcoin-ethereum-30-million/

  3. hashcat. (2019). advanced password recovery.
    hashcat.net/hashcat/

  4. The National Law Review. (2022, Jan 20). Privacy Tip #315 – Redline Malware Used to Steal Saved Credentials.
    natlawreview.com/article/privacy-tip-315-redline-malware-used-to-steal-saved-credentials

  5. Kaspersky. (2019, Jan 10). How to hack a hardware cryptocurrency wallet.
    kaspersky.com/blog/hardware-wallets-hacked/16959/

  6. Twitter. (2019, May 23). Fake cryptocurrency wallets found again on Google Play.
    twitter.com/lukasstefanko/status/1131504405797376000

  7. GeeksforGeeks. (2020, Jun 29). How to Hack a Open WiFi?
    geeksforgeeks.org/how-to-hack-a-open-wifi/