Security Basics
Crypto security is your personal responsibility. There is no fraud protection department to reverse unauthorized transactions. There is no FDIC insurance backing your holdings. If someone gains access to your funds, those funds are gone permanently. The good news is that the most common attacks are preventable with basic security practices that take minutes to set up.
The most common threats
Phishing is the leading cause of crypto loss for retail traders. Phishing attacks trick you into entering your credentials or seed phrase on a fake website, in a fake app, or in response to a fake support message. The attackers create convincing replicas of legitimate platforms, sometimes with URLs that differ by a single character.
Social engineering targets you directly. Scammers impersonate support staff, influencers, or fellow traders in Discord, Telegram, and Twitter DMs. They create urgency ("your account has been compromised, act now") or offer something too good to be true ("send me 1 ETH and I'll send back 10"). Every version of this is a scam. Legitimate platforms will never DM you first asking for credentials or funds.
Malware and keyloggers capture everything you type, including passwords and seed phrases. They typically arrive through malicious downloads, browser extensions, or compromised software.
Clipboard hijacking is a more targeted attack where malware replaces a crypto address you've copied with the attacker's address. You think you're sending funds to your wallet, but the pasted address has been swapped. Always verify the first and last several characters of any address before confirming a transaction.
Two-factor authentication
Enable two-factor authentication (2FA) on every account that supports it. 2FA requires a second verification step beyond your password, typically a time-based code from an app like Google Authenticator or Authy.
Avoid SMS-based 2FA when possible. SIM-swap attacks, where an attacker convinces your phone carrier to transfer your number to their device, can bypass SMS verification entirely. App-based 2FA is significantly more secure because the codes are generated on your physical device and can't be intercepted through your phone number.
For the highest level of account security, a hardware security key like a YubiKey provides physical 2FA that requires the device to be plugged into your computer. This eliminates the possibility of remote interception entirely.
Password practices
Use a unique, strong password for every crypto-related account. If you reuse a password and one service gets breached, attackers will try that same password on every exchange and platform you use.
A password manager like 1Password or Bitwarden generates and stores strong, unique passwords for every site. You remember one master password, and the manager handles everything else. This is far more secure than trying to remember dozens of passwords or using variations of the same one.
Securing your wallet
If you use self-custody, your seed phrase is the single point of failure. Write it down on paper or stamp it into metal. Store it in a secure physical location, like a safe or a bank safety deposit box. Never store it in a text file, screenshot, email draft, or cloud storage. Never type it into any website.
Be cautious with wallet permissions. When you interact with decentralized applications, they often request permission to access your tokens. Malicious or compromised applications can use these permissions to drain your wallet. Regularly review and revoke unused permissions through tools like Revoke.cash.
Platform security
When keeping funds on a trading platform, choose platforms with strong security track records. Look for platforms that publish proof of reserves, hold security certifications (like SOC 2 or ISO 27001), and have never suffered a major breach. Enable every available security feature: 2FA, withdrawal address whitelisting, login notifications, and anti-phishing codes.
Consider withdrawing funds you don't need for active trading. The less capital sitting on any single platform, the less you're exposed to platform-specific risk.
A security checklist
Set up app-based 2FA on all accounts.
Use a password manager with unique passwords for each platform.
Never share your seed phrase with anyone for any reason.
Verify URLs carefully before entering credentials.
Check wallet addresses character by character before confirming transactions.
Revoke unused token permissions regularly.
Stay skeptical of unsolicited messages, especially those creating urgency or offering free money.
These steps take less than an hour to implement and prevent the vast majority of crypto losses caused by security failures.