Crypto Phishing & Security: Protect Your Digital Assets

Master crypto security practices. Learn phishing vectors, hardware wallet setup, transaction verification, and defense-in-depth strategies to protect large holdings.

Understanding Crypto Phishing

Phishing is social engineering that tricks you into handing over access to your crypto. Unlike traditional phishing, where a stolen password can be reset and a fraudulent card payment reversed, crypto phishing is irreversible: once an attacker has your seed phrase or has you sign a malicious transaction, the theft is final. Billions of dollars are lost this way every year, making phishing and social engineering one of the largest categories of crypto losses, rivalling or exceeding exchange hacks.

Attack vectors: (1) Fake websites on lookalike domains that differ from the real one by a single character or top-level domain (the page's example phishing.uniswap.app is not app.uniswap.org), (2) Malicious Discord bots that claim to 'verify' your wallet and actually harvest seed phrases, (3) Compromised or counterfeit browser extensions (a fake MetaMask), (4) Signature requests that trick you into signing an approval, permit or transfer that hands your tokens to the attacker's contract, (5) Social engineering: someone posing as support builds trust, then asks for your seed phrase. Each vector exploits human psychology: urgency, authority and trust.
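The first vector, lookalike domains, is the one you can partly automate. The following is an added example (not code from the original article or from any of the projects it names) of a URL check that only ever returns "allowlisted" on an exact match, and flags typosquats within two edits, brand names used on a foreign domain such as phishing.uniswap.app, and internationalised (xn--) labels that may hide homoglyphs. The allowlist entries are assumptions chosen for illustration; a production check would also consult the Public Suffix List instead of taking the last two labels as the registrable domain.

```javascript
// Added example, not code from the original article: flag lookalike or
// brand-abusing hostnames against a small allowlist of legitimate dApp domains.
// The allowlist entries below are assumptions chosen for illustration.
const ALLOWLIST = ["app.uniswap.org", "uniswap.org", "metamask.io", "etherscan.io"];

// Registrable domain approximated as the last two labels. Good enough for
// .org/.io/.app; a production check would consult the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Standard Levenshtein edit distance, used to catch one- or two-character typosquats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function classifyUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  const host = url.hostname.toLowerCase();

  // Exact allowlist hit: the only "safe" verdict this check ever gives.
  if (ALLOWLIST.includes(host)) return { verdict: "allowlisted" };

  // Node's URL parser punycode-encodes internationalised labels; an xn-- label
  // on a site that should be plain ASCII is the classic homoglyph trick.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", reason: "internationalised (xn--) label, possible homoglyph domain" };
  }

  const reg = registrableDomain(host);
  const onAllowlistedDomain = ALLOWLIST.some((d) => host === d || host.endsWith("." + d));

  // Brand name appearing anywhere in a hostname whose registrable domain is not
  // the real one, e.g. phishing.uniswap.app or app.uniswap.org.evil.com.
  for (const brand of new Set(ALLOWLIST.map((d) => registrableDomain(d).split(".")[0]))) {
    if (host.includes(brand) && !onAllowlistedDomain) {
      return { verdict: "suspicious", reason: `brand "${brand}" used on non-allowlisted domain ${reg}` };
    }
  }

  // Typosquat: registrable domain within two edits of a real one.
  for (const d of ALLOWLIST) {
    const dist = levenshtein(reg, registrableDomain(d));
    if (dist > 0 && dist <= 2) {
      return { verdict: "suspicious", reason: `${reg} is ${dist} edit(s) away from ${registrableDomain(d)}` };
    }
  }
  return { verdict: "unknown", reason: "not allowlisted; verify via the project's official channels" };
}

// Constructed sample URLs: the page's own phishing example plus a few more shapes.
for (const u of ["https://app.uniswap.org/#/swap", "https://phishing.uniswap.app/claim",
                 "https://unlswap.org/", "https://app.uniswap.org.evil.com/", "https://example.com/"]) {
  console.log(u, "->", classifyUrl(u));
}
```

Note that "unknown" is not "safe": anything that is not an exact allowlist hit should be verified through the project's official channels before you connect a wallet to it.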

Key insight: crypto is a key-custody system, not a password system. Whoever holds the seed phrase holds everything, and there is no password reset. One careless moment means total loss. Unlike a bank account (deposit insurance, account recovery, chargebacks), security is entirely your responsibility. Fortunately the practices are simple if applied with discipline: a hardware wallet, verifying every signature request, and default skepticism stop the vast majority of attacks.

Hardware Wallet Setup Guide

Why Hardware Wallets?

Private keys are generated and stored on a dedicated physical device and never leave it. Transactions are signed on-device and only the signature is sent to the network, so even if your computer is compromised the attacker cannot read the key. The caveat: a compromised computer can still present you with a malicious transaction to sign, so the device's own screen, not the browser, is where you verify what you are signing. Gold standard for self-custody. Cost: roughly $50-150 (Ledger Nano S Plus, Trezor Model One). For holdings above about $10k, a hardware wallet is essential.

Setup Process

(1) Buy the device directly from the manufacturer, never second-hand or from a marketplace reseller, and check that the packaging and tamper seals are intact, (2) Initialize on the device itself (NOT on the computer; a seed phrase pre-printed on a card in the box is a scam, a genuine device always generates its own), (3) The device generates a 12-24 word seed phrase, (4) Write the seed on paper or stamp it into metal; never type it into a computer or phone, photograph it, or put it in a cloud note, (5) Store the backup in a safe, ideally not in the same building as the device, (6) Set a PIN so a stolen device cannot be used without it, (7) Connect wallet software (MetaMask, Ledger Live), (8) Send a small test amount to the new address, confirm it arrives and that you can send it back out, then move the rest.

Best Practices

Keep firmware updated (security patches ship this way; install updates only through the manufacturer's official app, never from a link). Use the passphrase feature (an extra word that derives a separate hidden wallet on top of the seed and PIN; the passphrase is not stored on the device and cannot be recovered from the seed, so back it up separately or those funds are gone). Back the seed up in multiple separate locations (fire-proof safe, safe deposit box, lawyer's vault). Never share the seed phrase with anyone, ever: no support agent, no 'verification' bot and no website needs it. For very large holdings (>$1M), use a multisig wallet (for example 2-of-3, with the three keys on separate hardware wallets in separate locations, so any two signatures move funds and no single stolen or lost key is fatal). This removes the single point of failure.

DegenSensei · Content Lead · Apr 10, 2026 · Updated Apr 12, 2026 · 3 min read

Transaction Verification & Approval Management

Before signing any transaction, verify: (1) The contract address, compared against the project's official site or documentation, never a DM or the page that linked you there, (2) The function being called (e.g. 'swap', 'approve', 'transfer', 'setApprovalForAll'), (3) The parameters, especially the amount and the spender or destination address, (4) The gas price (avoid overpaying). MetaMask shows these details, and a hardware wallet shows them again on its own screen, which is the copy to trust. If you don't recognize the contract or the function, don't sign. Attackers also rely on near-identical addresses (0x...1234 vs 0x...1235 is hard to spot), including 'address poisoning', where they send dust from an address whose first and last characters match one you use so that you copy theirs from your history. Compare the full address, not just the ends.

Approval management: when you use a DEX, it typically asks you to approve an unlimited token allowance to its router contract. This is convenient (one approval for all future trades) but risky: if that contract is ever compromised or was malicious from the start, it can drain every token you approved. Better approach: (1) Edit the approval down to the amount needed for the trade (MetaMask lets you set a custom spending cap), (2) Revoke allowances for contracts you no longer use (Etherscan's Token Approval Checker is free apart from the gas for the revoke transaction), (3) Where the token supports EIP-2612 permit, a signed permit approves an exact amount with a deadline and needs no separate transaction; but treat permit signature requests with the same suspicion as approvals, since a signed permit is an approval and is a common phishing payload. Review your approvals regularly, not just annually, and after any interaction with an unfamiliar site. One compromised contract can drain the entire wallet if you approved unlimited tokens.
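The checks in the two paragraphs above can be applied mechanically to the raw calldata a dApp hands your wallet. The following is an added example (not code from the original article or from MetaMask) that decodes ERC-20 approve/transfer and ERC-721 setApprovalForAll calldata by hand, flags an unlimited allowance, an unknown spender or a recipient that is not in your address book (compared on the whole address, so a poisoned look-alike fails), and builds the approve(spender, 0) calldata that revokes an allowance. Every address, the policy lists and the sample transactions are constructed for illustration; the function selectors are the standard ones.

```javascript
// Added example, not code from the original article or from MetaMask: decode the
// calldata a dApp asks you to sign, flag unlimited approvals, unknown spenders
// and look-alike recipients, and build the calldata that revokes an approval.
// Every address and the policy lists below are constructed for illustration.
const SELECTORS = {
  "0x095ea7b3": { name: "approve", args: ["address", "uint256"] },        // ERC-20 approve(address,uint256)
  "0xa9059cbb": { name: "transfer", args: ["address", "uint256"] },       // ERC-20 transfer(address,uint256)
  "0xa22cb465": { name: "setApprovalForAll", args: ["address", "bool"] }, // ERC-721/1155 setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n; // what an "unlimited" approval actually is

// Minimal ABI encoding/decoding for static 32-byte words (enough for these three functions).
const toWord = (v) => BigInt(v).toString(16).padStart(64, "0");
const encodeCall = (selector, values) => selector + values.map(toWord).join("");
const encodeApprove = (spender, amount) => encodeCall("0x095ea7b3", [spender, amount]);
const encodeRevoke = (spender) => encodeApprove(spender, 0n); // revoking = approve(spender, 0)

function decodeCalldata(data) {
  const selector = data.slice(0, 10).toLowerCase();
  const spec = SELECTORS[selector];
  if (!spec) return { name: "unknown", selector, values: [] };
  const body = data.slice(10);
  const values = spec.args.map((type, i) => {
    const word = body.slice(i * 64, i * 64 + 64);
    if (word.length !== 64) throw new Error(`truncated calldata for ${spec.name}`);
    if (type === "address") return "0x" + word.slice(24).toLowerCase(); // address is right-aligned in the word
    if (type === "bool") return BigInt("0x" + word) !== 0n;
    return BigInt("0x" + word);
  });
  return { name: spec.name, selector, values };
}

const sameAddress = (a, b) => a.toLowerCase() === b.toLowerCase();

// policy = { trustedSpenders: [...contracts you have vetted], knownRecipients: [...your address book] }
function reviewTransaction(tx, policy) {
  const call = decodeCalldata(tx.data);
  const warnings = [];
  const trusted = (addr) => policy.trustedSpenders.some((s) => sameAddress(s, addr));
  if (call.name === "approve") {
    const [spender, amount] = call.values;
    if (amount === MAX_UINT256) warnings.push("unlimited allowance; approve only the amount this trade needs");
    if (!trusted(spender)) warnings.push(`spender ${spender} is not a known contract`);
  } else if (call.name === "setApprovalForAll") {
    const [operator, approved] = call.values;
    if (approved && !trusted(operator)) warnings.push(`operator ${operator} would control every token in the collection`);
  } else if (call.name === "transfer") {
    const [to] = call.values;
    // Compare the whole address: a poisoned address matches on the first and last characters only.
    if (!policy.knownRecipients.some((r) => sameAddress(r, to))) {
      warnings.push(`recipient ${to} is not in your address book (possible address poisoning)`);
    }
  } else {
    warnings.push(`unrecognised selector ${call.selector}; do not sign what you cannot decode`);
  }
  return { call, warnings, safeToSign: warnings.length === 0 };
}

// Constructed sample data (not real contracts or accounts).
const DEX_ROUTER = "0x" + "1".repeat(40);
const ATTACKER = "0x" + "2".repeat(40);
const MY_EXCHANGE_DEPOSIT = "0xabcd" + "0".repeat(32) + "ef01";
const POISONED = "0xabcd" + "1".repeat(32) + "ef01"; // same first/last 4 hex chars as the real one
const POLICY = { trustedSpenders: [DEX_ROUTER], knownRecipients: [MY_EXCHANGE_DEPOSIT] };

const SAMPLES = [
  ["exact-amount approve to the DEX", encodeApprove(DEX_ROUTER, 1000n)],
  ["unlimited approve to the DEX", encodeApprove(DEX_ROUTER, MAX_UINT256)],
  ["unlimited approve to an unknown contract", encodeApprove(ATTACKER, MAX_UINT256)],
  ["transfer to a poisoned look-alike address", encodeCall("0xa9059cbb", [POISONED, 5n])],
  ["revoke the DEX allowance", encodeRevoke(DEX_ROUTER)],
];
for (const [label, data] of SAMPLES) {
  const { safeToSign, warnings } = reviewTransaction({ data }, POLICY);
  console.log(label, "->", safeToSign ? "OK" : "STOP", warnings);
}
```

The "revoke" sample is itself an approve call with amount 0, which is exactly what the Etherscan approval tool sends on your behalf; it is worth recognising on the hardware wallet screen so that you can tell a genuine revoke from a fresh approval.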

Gas strategy: check the current gas price (Etherscan Gas Tracker) before sending. Slightly overpaying costs a few cents; underpaying leaves the transaction stuck pending, where it blocks every later transaction from that account until you replace it with a higher-fee copy. Use the wallet's 'Standard' or 'Market' fee mode unless the transaction is urgent, and keep the gas limit the wallet estimates: lowering it can make the transaction run out of gas and revert while still charging the fee.

Crypto Security FAQs

Can I recover stolen crypto?

Almost never. Blockchain transactions are immutable, so an on-chain transfer cannot be reversed. The only partial exception is when the funds land at a centralized exchange that freezes them on a prompt report or a law-enforcement request, which is rare and slow. Treat prevention as the only real option: hardware wallet plus transaction verification.

What if I accidentally signed a malicious transaction?

If the transaction is still pending: replace it before it is mined by sending a zero-value transfer to yourself with the same nonce and a higher fee (MetaMask's 'Cancel' button does exactly this); whichever copy is mined first wins. If it has already executed: first revoke any approval it granted (Etherscan Token Approval Checker), then move the remaining funds to a fresh wallet with a new seed. If you signed an off-chain permit rather than a transaction, the attacker can submit it later, so move the affected tokens out of that wallet now. If the seed phrase itself was exposed, the wallet is burned: migrate everything.
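The "same nonce, higher fee" replacement is simple to get wrong by hand. The following is an added example (not code from the original article or from MetaMask) that builds the cancel transaction for a pending EIP-1559 transaction: same nonce, zero ETH sent to your own address, and both fee fields raised by at least 10%, which is the default minimum price bump nodes such as geth require before they swap out a queued transaction. The pending transaction, the base fee and the 2x-base-fee headroom heuristic are constructed assumptions for illustration.

```javascript
// Added example, not code from the original article or MetaMask: build the
// replacement transaction that cancels a pending (unmined) transaction. It keeps
// the same nonce, sends 0 ETH to your own address, and raises both EIP-1559 fee
// fields by at least 10%, the default minimum bump geth requires before it
// replaces a queued transaction. All sample values are constructed.
const GWEI = 1_000_000_000n;
const MIN_BUMP_PERCENT = 10n;

// ceil(x * (100 + pct) / 100) so that a 10% bump on tiny values still rounds up.
const bump = (x, pct = MIN_BUMP_PERCENT) => (x * (100n + pct) + 99n) / 100n;

// pending = { from, nonce, maxFeePerGas, maxPriorityFeePerGas } with fees as BigInt wei.
function buildCancelTx(pending, currentBaseFee) {
  const maxPriorityFeePerGas = bump(pending.maxPriorityFeePerGas);
  // The fee cap must be at least the bumped original, and should also leave headroom
  // over today's base fee (2x base fee + tip is a common wallet heuristic, assumed here),
  // otherwise the replacement can itself sit pending.
  const candidates = [bump(pending.maxFeePerGas), currentBaseFee * 2n + maxPriorityFeePerGas];
  const maxFeePerGas = candidates.reduce((a, b) => (a > b ? a : b));
  return {
    type: 2,
    from: pending.from,
    to: pending.from,     // send to yourself: nothing leaves the account
    value: 0n,
    data: "0x",
    nonce: pending.nonce, // the same nonce is what makes this a replacement, not a new tx
    gasLimit: 21000n,     // plain ETH transfer
    maxFeePerGas,
    maxPriorityFeePerGas,
  };
}

// Sanity check before broadcasting: same nonce, both fee fields bumped by >= 10%.
function isValidReplacement(pending, replacement) {
  return (
    replacement.nonce === pending.nonce &&
    replacement.maxFeePerGas >= bump(pending.maxFeePerGas) &&
    replacement.maxPriorityFeePerGas >= bump(pending.maxPriorityFeePerGas)
  );
}

// Constructed pending transaction: nonce 42, 30 gwei fee cap, 2 gwei tip.
const PENDING = {
  from: "0x" + "ab".repeat(20),
  nonce: 42n,
  maxFeePerGas: 30n * GWEI,
  maxPriorityFeePerGas: 2n * GWEI,
};
const cancel = buildCancelTx(PENDING, 10n * GWEI);
console.log("cancel tx:", cancel, "valid replacement:", isValidReplacement(PENDING, cancel));
```

A replacement only helps while the original is unmined; once the malicious transaction is in a block, the same nonce is spent and this transaction would be rejected, which is why the next step is revoking and migrating rather than retrying the cancel.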

Is MetaMask safe to use?

Yes, if used correctly. MetaMask is a browser-extension wallet; the keys are encrypted on your machine under your password, so the risks are a compromised browser or computer, and malicious sites that trick you into signing. For large holdings pair MetaMask with a hardware wallet: MetaMask builds the transaction and talks to the network, the hardware wallet displays and signs it, and the key never touches the browser.

Should I use SMS 2FA or authenticator app?

Authenticator app (Google Authenticator, Authy, or any TOTP app). SMS codes can be intercepted by SIM swapping, where an attacker convinces your carrier to move your phone number to their SIM. A TOTP app works offline and is not tied to your phone number. Better still, where the exchange supports it, use a hardware security key (FIDO2/WebAuthn), which also cannot be phished for a code.

What if I lost my hardware wallet?

Recover it from the seed phrase on a new device: the same seed derives the same addresses, so the funds are untouched. Recovery is the whole point of the seed phrase, which is why the backup matters more than the device. If the device was stolen rather than broken, the PIN protects it for now, but consider moving the funds to a fresh seed once you have recovered them.

Are there warning signs of phishing links?

Yes: unsolicited DMs from 'support' or 'admins', slight URL misspellings or an unusual top-level domain, urgent language ('act now', 'your wallet will be suspended'), any request for your seed phrase or private key, requests to pay a fee to 'unlock' or 'verify' funds, and unexpected signature requests from a site you have just arrived at. Legitimate projects don't DM you first and never ask for a seed. Trust your skepticism.

Related Resources

→ Bot Security & Risk Management
→ Analyzing Suspicious Addresses
→ Securing Governance Voting
→ Staking Security
→ IDO & Airdrop Scam Prevention