How to Protect Your Digital Assets: A Detailed Guide to Safe Storage And Usage Of Crypto
Users of exchanges and wallets are regularly phished, and decentralized protocols and their smart contracts are routinely hacked. In the first half of 2021 alone, according to the blockchain analytics firm CipherTrace, fraud losses in the DeFi sector hit a record $474 million. To illustrate the magnitude of these events, see the statistics on the largest crypto hacks compiled by Statista.
Wallet users cannot prevent the hacking of smart contracts or exchanges, but far more often they lose funds because they ignore simple security rules.
This guide describes how to protect your crypto assets from fraud and scams, and how to minimize risk when working with DeFi projects and crypto investments.
Storage of cryptocurrency: Choose a safe crypto wallet
The first step to storing crypto safely is choosing a wallet. The most reliable option is cold storage: a wallet whose private keys are generated and kept on a device that is never connected to the Internet, so they can only be attacked by someone with physical access to it.
Experienced holders prefer hardware wallets because the private keys never leave the device: transactions are signed inside it and only the signature is handed to the computer or phone. Ledger Nano S and Nano X keep the keys in a certified Secure Element (SE) chip; Trezor devices use a general-purpose microcontroller protected by a PIN, an optional passphrase and signed firmware instead. Extracting keys from either requires physical possession of the device and laboratory-grade hardware attacks, not remote access. One caveat: a hardware wallet protects the key, not the transaction, so always confirm the destination address and amount on the device's own screen, because the computer it is plugged into may be compromised. Wallets that have proven themselves on the market include Trezor Model T, Ledger Nano S and Nano X, SafePal, and KeepKey.
Mobile wallets are less secure than hardware wallets but still reasonable for day-to-day amounts. Their main advantage is convenience: they are always at hand. Trust Wallet, Exodus, and MetaMask are suitable for both novice and experienced users.
Desktop wallets for PCs and laptops are more exposed than mobile wallets because a desktop OS offers a larger attack surface for malware: an infected machine can log keystrokes, read wallet files, or swap addresses as you paste them. Like mobile apps, desktop clients store the private keys encrypted on the local device, so the strength of the wallet password and the health of the machine both matter. If you are looking for such a wallet, take a closer look at Electrum, Exodus, and Atomic Wallet.
Online (web) wallets are the least secure because they are the most exposed to phishing. Blockchain.com, one of the most widely used web wallets, is a frequent phishing target: login is tied to an email address, so an attacker who takes over the mailbox can reset the password and gain access to the wallet.
How to safely create a wallet
Let's go through the process of creating a new wallet using Trust Wallet as the example. Some steps differ slightly in other clients, but the routine is roughly the same.
1. Download Trust Wallet using the links on the official website and install it on your device. The wallet is available for iOS and Android.
2. Launch the application and tap Create a New Wallet.
3. Back up the wallet. At this stage you will be asked to write down the 12-word seed phrase needed to restore the wallet. Note that if you lose the seed phrase and then lose your device or credentials, access to the wallet cannot be restored. Tick the checkbox and tap Continue.
The next screen displays the words needed to restore the backup. Write them down in exactly the order shown, then tap Continue to go to the next step.
Simple rules for storing the seed phrase:
- Write it on paper or a dedicated backup medium (for example a metal backup plate); never store it as a file.
- Do not take a screenshot or copy the phrase to the clipboard; both can be read by other apps.
- Keep the medium with the phrase in a safe place, hidden from and inaccessible to unauthorized persons.
- Do not give or disclose the seed phrase to anyone other than people you trust completely, and never to "support staff".
- For resilience, keep several copies in separate secure locations, for example a home safe and a bank safe deposit box. Every extra copy is one more thing that can be found, so each location must be as secure as the first.
4. Confirm that you saved the phrase correctly by tapping the words in the right order to fill the field, then tap Continue again.
5. The wallet has been created, but it is not yet protected. Go to Settings and open the Security tab.
6. Turn on the App Lock option and set a password.
Additionally, you can enable a password prompt for every transaction.
The wallet is now reasonably secure: if the device is lost or stolen, an unauthorized user has to get past the device lock and then the app lock before they can transfer assets, which buys you time to move the funds to a backup address. Keep in mind that the app lock only guards the app's interface; the secrets on the device are protected by the phone's own encryption and screen lock, so use a strong device passcode as well.
Note: Other clients offer additional protection such as two-factor authentication with an authenticator app, Touch ID and Face ID sign-in, multisignature, and others. The more layers, the better. Be careful with 2FA via SMS or email, though: SMS codes can be intercepted through SIM swapping, and email codes are only as safe as the mailbox.
Types of scam and ways to protect yourself
Attackers are constantly finding new ways to steal funds from crypto holders. The most vulnerable group is novice users who have only recently started using digital assets and are not yet familiar with the nuances of crypto security. We have compiled a list of the most common types of fraud and methods of protecting against them.
One of the most common attack methods is credential theft through fake websites and applications. The more popular a resource, the more attractive it is to attackers. For example, attackers published a fake Trezor app on Google Play, exploiting the fact that the manufacturer did not offer an official mobile app.
Some users, without checking the official website, installed the fake app and entered their seed phrases, and their assets were stolen. This happened more than once, and fake apps have also appeared in the App Store despite its stricter moderation.
Phishing works like this:
- Attackers publish a fake application or a fake page on a look-alike domain.
- Users follow the fraudulent link and enter credentials, which the attackers capture and use to access the wallet or exchange account.
Sometimes attackers take a different route: they send messages in the company's name claiming that your device or wallet has been compromised and that you must urgently send your data to a "manager" to restore access and protect your assets. The wording varies, but the goal is the same: to obtain your private key or seed phrase. Here is an example of such a scam:
- A fraudster introduces himself as a company manager and reports an attack on your wallet.
- He asks you to immediately send him your private key, or to "restore access" via a link sent in a private message.
If you enter a private key or seed phrase on the page provided, or give them to the scammer, your funds will be stolen.
How to protect yourself from phishing
- Check the domain carefully every time you visit a site. For example, the only official domain of hardware wallet manufacturer SatoshiLabs is trezor.io; every other address is fake. Look at the full host name, not just whether the brand name appears somewhere in it.
- Check the official website before downloading an app, and follow the links from there so you do not install a fraudulent copy by mistake.
- Do not follow links in paid search ads on Google or other search engines; they often lead to scam sites.
- Never enter your seed phrase or private key to "log in" to a wallet, especially if a site asks for it right away. The seed phrase has a single purpose: restoring the wallet on a new device.
- Do not share your recovery phrase or private key with anyone. Nobody except you, and possibly the closest people you trust, should know them.
- Avoid public Wi-Fi networks, especially unencrypted ones: a rogue hotspot can redirect you to a phishing page or a malicious download.
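The domain check from the first rule above, as an added example that is not part of the original article: it reduces a pasted link to its real host name and accepts it only if that host is an allow-listed domain or a subdomain of one. trezor.io is the domain the article names; the allow-list, the helper names and the sample links are my own assumptions, constructed to cover the tricks described above (brand name as a subdomain of the scammer's domain, hyphen instead of dot, brand name in the user-info part of the URL, Cyrillic look-alike letters).

```python
from typing import Optional
from urllib.parse import urlsplit

# Domains verified out-of-band (the box, the printed manual, a bookmark you
# made yourself). trezor.io is the one the article names; extend the set for
# the services you actually use.
OFFICIAL_DOMAINS = {"trezor.io"}


def normalize_host(url: str) -> Optional[str]:
    """Return the ASCII host name of a URL, or None if it cannot be parsed.

    urlsplit().hostname lowercases the name and drops user-info and port, so
    'https://trezor.io@evil.com/' yields 'evil.com'. The IDNA step converts
    Unicode look-alikes (a Cyrillic 'o' in 'trezor') into their 'xn--' form,
    which no longer matches the ASCII brand name.
    """
    if "://" not in url:
        url = "https://" + url  # bare host names pasted from a chat
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")  # 'trezor.io.' is the same name as 'trezor.io'
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_official(url: str) -> bool:
    """True only if the host is an allow-listed domain or a subdomain of one."""
    host = normalize_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def explain(url: str) -> str:
    """One-line verdict for a pasted link, with the reason."""
    host = normalize_host(url)
    if host is None:
        return f"REJECT {url!r}: cannot parse host"
    if is_official(url):
        return f"ok     {url!r}: host {host} is under an official domain"
    if host.startswith("xn--") or ".xn--" in host:
        return f"REJECT {url!r}: host {host} contains non-ASCII look-alike characters"
    return f"REJECT {url!r}: host {host} is not under an official domain"


if __name__ == "__main__":
    # Constructed links covering the tricks the article describes.
    for link in [
        "https://trezor.io/start",
        "https://suite.trezor.io/",
        "TREZOR.IO",
        "https://trezor.io.wallet-verify.com/",  # brand as a subdomain of the scammer's domain
        "https://trezor-io.com/",                # hyphen instead of dot
        "https://trezor.io@evil.com/",           # brand name in the user-info part
        "https://trez\u043er.io/",               # Cyrillic 'o' instead of Latin 'o'
    ]:
        print(explain(link))
```

The point of normalizing first is that every trick in the list survives a visual glance at the address bar but none survives an exact comparison of the real host against a short list you verified yourself.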
If you fall victim to phishing and suspect your private data has been stolen, immediately transfer funds to a backup address. If you do not have a second wallet, set one up now so it is ready the moment your secrets are compromised. Until a transaction is confirmed it can still be replaced or cancelled, for example on Ethereum by sending a new transaction with the same nonce and a higher fee; we covered the how-to in a separate article using Ethereum as the example.
Another common attack method is infecting the victim's device with malware. Malicious code works in different ways: it can modify a wallet application, intercept data, give attackers access to files, or swap the destination address when you send a transaction.
For example, clipboard hijackers (so-called address switchers) replace a Bitcoin address copied to the clipboard with the attacker's own. Newer variants go further: they substitute an attacker-controlled address whose first and last two characters match the original, because those are the only characters most users check, so the swap can go completely unnoticed.
Other malware scans the disk for wallet files and private keys. There are also Trojans: malicious programs disguised as legitimate software. Ransomware is a common payload: it encrypts the user's files and demands payment for the decryption key, usually on a countdown timer after which the data is supposedly destroyed. Paying guarantees nothing: the criminals may keep demanding further payments and the files may stay encrypted.
How to protect yourself from virus attacks
- Do not download software from suspicious sites, and do not open email attachments or links you were not expecting.
- Keep your antivirus software and operating system up to date: attackers have used vulnerabilities in outdated OS versions to gain access to users' wallets.
- Store private keys on offline devices that malware on your computer cannot reach.
- Always verify the entire destination address before signing a transaction, character by character, not just its beginning and end.
- Enable 2FA, preferably with a hardware authenticator as the second factor, on exchange and service accounts.
- Keep a backup of your seed phrase so that after a malware infection you can restore the wallet on a clean device instead of continuing to trust the infected one.
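The address-switcher attack and the "verify the entire address" rule above, as an added example that is not from the original article: a small Base58Check implementation, a search that produces an attacker address sharing the first and last characters of yours (the same offline search the malware runs with keys it controls), and the check that catches it. All addresses are constructed for the demo; the public-key hashes are derived from fixed strings rather than real keys.

```python
import hashlib
from typing import Dict, Optional

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed stand-in for a real public-key hash (normally RIPEMD160(SHA256(pubkey))).
MY_HASH160 = hashlib.sha256(b"demo: my cold-storage key").digest()[:20]


def b58encode(raw: bytes) -> str:
    """Base58 with the Bitcoin alphabet; each leading zero byte becomes a '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58Check: first 4 bytes of double SHA-256 over version + payload."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def p2pkh_address(hash160: bytes, version: bytes = b"\x00") -> str:
    payload = version + hash160
    return b58encode(payload + checksum(payload))


def has_valid_checksum(addr: str) -> bool:
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]


def find_lookalike(target: str, prefix: int, suffix: int, max_tries: int = 3_000_000) -> str:
    """Find a different, checksum-valid address sharing `prefix` leading and `suffix`
    trailing characters with `target`. The candidate hashes come from a counter so the
    demo is repeatable; real malware uses keys it owns. Cost grows ~58x per extra character."""
    want = sum(ALPHABET.index(c) * 58 ** i for i, c in enumerate(reversed(target[-suffix:]))) if suffix else 0
    mod = 58 ** suffix
    for i in range(max_tries):
        payload = b"\x00" + hashlib.sha256(b"lookalike:%d" % i).digest()[:20]
        full = payload + checksum(payload)
        # Cheap pre-filter: the last `suffix` base58 digits equal the value mod 58**suffix.
        if int.from_bytes(full, "big") % mod != want:
            continue
        cand = b58encode(full)
        if cand != target and cand[:prefix] == target[:prefix]:
            return cand
    raise RuntimeError("no look-alike found within max_tries")


def naive_check(pasted: str, expected: str, n: int = 2) -> bool:
    """What most users do: glance at the first and last n characters."""
    return pasted[:n] == expected[:n] and pasted[-n:] == expected[-n:]


def safe_check(pasted: str, address_book: Dict[str, str]) -> Optional[str]:
    """Return the label of the saved address that matches exactly, else None.
    A valid checksum only proves the string is well-formed, not that it is yours."""
    if not has_valid_checksum(pasted):
        return None
    for label, addr in address_book.items():
        if pasted == addr:
            return label
    return None


if __name__ == "__main__":
    mine = p2pkh_address(MY_HASH160)
    spoof = find_lookalike(mine, prefix=2, suffix=2)  # ~200k candidates, about a second
    print("my address      :", mine)
    print("attacker address:", spoof)
    print("spoof has valid checksum:", has_valid_checksum(spoof))
    print("ends-only check fooled  :", naive_check(spoof, mine))
    print("exact address-book match:", safe_check(spoof, {"cold storage": mine}))
```

Two things worth noticing: the attacker's address passes the checksum, because it is a perfectly ordinary address the attacker generated, so a wallet that only validates the checksum will happily send to it; and the search for a match on the outer characters is cheap enough to run on the victim's own machine, which is why the only reliable defense is an exact comparison against an address you saved yourself.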
The popularity of DeFi has opened doors for scammers too: criminals launch Ponzi schemes disguised as DeFi protocols that promise newcomers easy money from yield farming. One of the best-known cases is the exit scam of the SharkTron and SharkDefi platforms on the Tron blockchain, whose creators withdrew more than $7 million in TRX from the smart contract.
The platforms looked like working DeFi protocols: users interacted with a smart contract to add assets to a pool and farmed the platform's SWD token. The real mechanics were hidden from ordinary users: investors' funds were used to prop up the token's exchange rate, and the smart contract contained a backdoor through which the operators withdrew investors' assets.
In addition, assets were drained from users' wallets that had been connected to the platform. When you connect a wallet to a DeFi contract you typically sign a token approval that lets the protocol spend your tokens, and many dapps ask for an unlimited allowance. Whoever controls the approved contract can therefore pull tokens straight out of every wallet that granted it, without any further signature from the owner.
How to protect yourself from exit scams
- Do not trust platforms that have not been properly audited by reputable security firms, and read the audit report rather than just the badge.
- Check the project for signs of a pyramid scheme: guaranteed returns and referral or affiliate programs that pay for recruiting new investors, as was the case with SharkTron and SharkDefi, are classic warning signs.
- Never invest more than you are ready to lose.
- If you have any suspicions, withdraw your assets from the contract, revoke the token approvals you granted it, and move the funds to a wallet that has never interacted with the protocol.
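To make the allowance mechanism behind the SharkTron case and the "revoke the approvals" advice concrete, here is an added example (not code from the article or from any project it mentions): it builds the raw eth_call request that asks an ERC-20 token how much a spender may take from your wallet, classifies the reply, and builds the approve(spender, 0) transaction that revokes it. The selectors are the standard ERC-20 ones; the token, owner and spender addresses and the node reply are constructed placeholders.

```python
import json
from typing import Dict

# Standard ERC-20 function selectors: first 4 bytes of keccak256 of the signature.
SEL_ALLOWANCE = "dd62ed3e"  # allowance(address owner, address spender) -> uint256
SEL_APPROVE = "095ea7b3"    # approve(address spender, uint256 amount) -> bool
UINT256_MAX = 2**256 - 1

# Constructed placeholder addresses for the demo (not real contracts or wallets).
DEMO_TOKEN = "0x" + "aa" * 20
DEMO_OWNER = "0x" + "bb" * 20
DEMO_SPENDER = "0x" + "cc" * 20


def _hex_addr(addr: str) -> str:
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h


def enc_address(addr: str) -> str:
    """ABI encoding: an address is left-padded with zeros to a 32-byte word."""
    return _hex_addr(addr).rjust(64, "0")


def enc_uint256(n: int) -> str:
    if not 0 <= n <= UINT256_MAX:
        raise ValueError("value outside uint256")
    return format(n, "064x")


def allowance_call(token: str, owner: str, spender: str) -> Dict:
    """JSON-RPC eth_call asking `token` how much `spender` may pull from `owner`."""
    data = "0x" + SEL_ALLOWANCE + enc_address(owner) + enc_address(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def decode_uint256(result_hex: str) -> int:
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(h, 16)


def classify_allowance(amount: int, balance: int) -> str:
    """How much a compromised spender could take with this allowance."""
    if amount == 0:
        return "none"
    if amount >= 2**128:  # far beyond any token supply: an 'infinite' approval
        return "unlimited"
    if amount >= balance:
        return "entire balance"
    return "partial"


def revoke_tx(token: str, owner: str, spender: str) -> Dict:
    """Transaction that sets the allowance to zero: approve(spender, 0).
    Send it from `owner` via eth_sendTransaction or sign it in your wallet."""
    data = "0x" + SEL_APPROVE + enc_address(spender) + enc_uint256(0)
    return {"from": owner, "to": token, "data": data, "value": "0x0"}


if __name__ == "__main__":
    print(json.dumps(allowance_call(DEMO_TOKEN, DEMO_OWNER, DEMO_SPENDER)))
    # Constructed node reply: the dapp asked for an unlimited approval.
    reply = "0x" + "f" * 64
    amount = decode_uint256(reply)
    print("allowance:", amount, "->", classify_allowance(amount, balance=10**18))
    print(json.dumps(revoke_tx(DEMO_TOKEN, DEMO_OWNER, DEMO_SPENDER)))
```

Note that the allowance lives in the token contract, not in the protocol's contract: even if the protocol is shut down, drained or replaced, the spender address you approved keeps its right to call transferFrom on your balance until you send the zero approval yourself.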
Hacking a smart contract
In August 2021, an unknown hacker exploited the cross-chain protocol Poly Network, stealing more than $600 million in cryptocurrency. Although the project eventually recovered the funds, which the hacker returned, events of this scale badly damage the reputation of DeFi platforms.
Every wallet you connect to a decentralized protocol is exposed to that protocol's bugs. Even well-known projects have suffered: The DAO on Ethereum was drained in 2016, and MakerDAO lost funds during the March 2020 market crash, not to mention the numerous hacks of smaller, less secure protocols.
How to protect your digital assets from possible hacking
- Use separate wallets for DeFi, one per protocol. If a smart contract is hacked and users' approved tokens are withdrawn, only the wallet connected to that protocol is affected.
- Diversify: spread assets across several protocols rather than concentrating them in one.
- Check whether the contract has passed a rigorous security audit by a firm such as CertiK, and whether the deployed contract is the code that was audited.
Loss of device
You could lose your hardware wallet or the device on which your wallet software is installed, or it could be stolen. In theory, someone who has the hardware wallet in hand can try to extract the private key from it. Physical attacks that recover the seed from a captured device have been demonstrated by researchers, for example fault-injection attacks on Trezor devices, and attacks on the non-secure microcontroller of the Ledger Nano S have also been published. Treat a lost device as potentially compromised, especially if it had a short PIN and no passphrase.
How to protect a wallet in case of loss
- If you discover that the device holding the wallet is missing, immediately restore the wallet from the seed phrase on another device and transfer the assets to a backup address.
- Enable additional client protection: PIN, passphrase, 2FA, Touch ID, or Face ID. This makes it harder for whoever has the device to reach the assets.
- Do not keep digital copies of private keys or seed phrases on the device, so that a stolen phone or laptop does not hand them over.
Final Checklist for Digital Asset Security
- Choose a trusted wallet.
- Keep the seed phrase in a hidden place known only to you and the people closest to you.
- Never transfer or disclose private information to anyone. Support staff will never ask for your seed phrase or private key in a chat, and they will not contact you first.
- Do not install software from unofficial sources.
- Don't click on links in paid search ads, and always check the domain's authenticity.
- Do not use public Wi-Fi networks for wallet operations.
- Use non-custodial wallets that keep the private keys on your own device rather than with a third party.
- Do not buy hardware wallets second-hand or from unofficial resellers: they may have been tampered with. A device that arrives with a pre-set PIN or a pre-printed seed phrase is compromised; a genuine device makes you generate the seed yourself.
- Always verify the full address when sending a transaction.
- If in doubt whether software is genuine, ask the community in dedicated chats or forums such as BitcoinTalk.
- Create a separate wallet for trying out protocols and other risky purposes.
- Verify the software's legitimacy on the developer's website.
The possibility of losing cryptocurrency funds cannot be ruled out, but following simple safety rules reduces it significantly. The likelihood of losing assets to a breach or other external cause is comparatively low; most losses come from users' own carelessness, which is why the security of the wallets that hold your crypto deserves attention.