STOP BEING STUPID

I Draw Charts (David Holt)
6 min read · Oct 2, 2021

Welcome to crypto! Self-sovereign money, NFTs, DeFi, cross-border transactions and new volatile markets await!

Now get your head out of the clouds and start paying some fucking attention to what you’re actually doing. I’m writing this article because a lot of the newer entrants to crypto seem to have very little understanding of the responsibilities they are assuming by default when they first dip their feet in.

Everybody in crypto wants to take your coins. Some of us will steal them if possible; some of us have a moral compass. Don’t rely on it. Unless you’re cool with handing over all of your shit with no way to get it back, follow these security measures (and think of ways to improve on them where possible). I’m holding your hand here; if you fail to follow these fairly basic instructions, I’m going to laugh and call you a moron when you inevitably lose everything. The responsibility is entirely on you. Don’t like it? Fuck off and play somewhere else, this article is for adults. You don’t get a choice.

On-Chain Security Measures

Gonna keep it real basic. There’s a lot of on-chain shit to do these days, most of this applies to all chains, wallets, browsers, etc.

Seed Phrases

When you create a new wallet address (whether it’s using a browser extension like MetaMask or a hardware wallet like a Ledger), you receive a “seed phrase”. This seed phrase gives total and absolute control over the wallet and all of its contents to anyone who knows it.

YOU SHOULD NEVER EVER EVER HAVE TO USE THIS.

It is for emergency use only (like if your computer or hardware wallet completely bricks out), and represents complete, total and irreversible access to everything stored in that wallet. It cannot be changed or reset; if someone else at any point in time discovers that seed phrase, they now own everything you thought was yours.

Keep it physically secure and offline. Do not store it as a text file. Do not store it as a picture. Do not keep it anywhere you can even get to it easily, because if you can get to it easily, so can someone else. Store it in a safe or bank vault, engraved in metal or on a piece of paper. Redundant copies are ideal.

Do not (for the love of God and all things holy) type it into any web browser. You should not even be able to access it easily; mine are split into two halves, physically secured and stored across state lines. There is absolutely no fucking excuse for you to ever be typing that phrase into a website or giving it to “support staff”.

The ONLY use for a seed phrase is to hand over complete control of the wallet and everything in it.

So if you think you want to do that, go ahead! But don’t come crying about it later when your stupid ass decided that the guy pretending to be support staff needed ownership of your jpegs and illiquid meme coins.

All of the above also applies to your private key.

Wallet Management

Hot new NFT dropping? Sketchy new DEX the only place to farm PotatoYamSolPunkNFTCoin? Cool, make a new wallet.

Every. Fucking. Time.

The reason is simple: if you don’t know exactly what the transaction you’re signing does (aka, if you can’t read and verify the code being executed), approving that transaction could very well be approving instructions to drain your entire wallet and send the contents off to Vitalik-knows-where.

While your philanthropic urge to feed second and third-world scammers is admirable, consider sending the funds you intend to use into a wallet freshly generated for the purpose; that way any malicious code only receives access to the funds in that specific wallet, not your entire net worth.

If you decide that your funds aren’t worth protecting properly, at least go to https://etherscan.io/tokenapprovalchecker and regularly (read: after every time you do something on-chain) remove approvals for the different dApps you may have interacted with. There’s no reason to allow these apps continued permission to move your tokens around any longer than absolutely necessary.
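As an added example (not from the article), here is what “reading the transaction you’re signing” looks like for the most common token calls: decode the raw calldata, flag an unlimited `approve` or a `setApprovalForAll(true)`, and build the `approve(spender, 0)` / `setApprovalForAll(operator, false)` call that revokes it. The function selectors are the well-known ERC-20/ERC-721 ones; every address is a constructed sample value.

```python
# Added example (not the article's own code): decode ERC-20 / ERC-721 calldata
# before signing and name the standing permission it grants. Selectors are the
# well-known first 4 bytes of keccak256(signature), hard-coded so this runs
# offline with only the standard library. Addresses used are constructed.
SELECTORS = {  # 4-byte selector -> (function name, ABI argument types)
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance most dApps ask for

def assess_risk(name, args):
    """Describe the standing approval a call leaves behind, if any."""
    if name == "approve" and args[1] == UINT256_MAX:
        return f"UNLIMITED allowance for {args[0]}: revoke after use"
    if name == "approve" and args[1] > 0:
        return f"allowance of {args[1]} for {args[0]}"
    if name == "setApprovalForAll" and args[1]:
        return f"operator {args[0]} may move EVERY NFT in this collection"
    return "no standing approval granted"

def decode_calldata(calldata):
    """Split hex calldata into selector + 32-byte ABI words and decode them."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector, body = data[:4].hex(), data[4:]
    if selector not in SELECTORS:  # unknown code: you cannot verify what it does
        return {"function": f"unknown(0x{selector})", "args": [], "risk": "unverifiable"}
    name, types = SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError("calldata length does not match the ABI signature")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i: 32 * (i + 1)]
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address is right-aligned in its word
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") == 1)
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args, "risk": assess_risk(name, args)}

def revoke_calldata(decoded):
    """Calldata that cancels a decoded approval: approve(spender, 0) / setApprovalForAll(op, false)."""
    if decoded["function"] not in ("approve", "setApprovalForAll"):
        raise ValueError("nothing to revoke")
    selector = "0x095ea7b3" if decoded["function"] == "approve" else "0xa22cb465"
    spender = bytes.fromhex(decoded["args"][0][2:]).rjust(32, b"\x00")
    return selector + spender.hex() + (0).to_bytes(32, "big").hex()
```

Paste the `data` field of a pending MetaMask transaction into `decode_calldata` and you see exactly which contract gets how much of your balance; if the answer is “everything, forever”, the returned revoke calldata is the transaction to send once you are done.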

If gas fees are too expensive, use a better blockchain. Or at least realize that you’re gambling with your wallet contents and if you keep it up, eventually you’ll be playing the part of Santa Claus for some dude in Nigeria who learned how to ctrl+c / ctrl+v some Solidity code.

Hardware Wallets

Use one. Use multiple and split balances between them. If your portfolio is worth more than the cost of a hardware wallet and you aren’t using one, you fucked up.

My favorite is Ledger (works with MetaMask most of the time and also supports Solana). I’m too lazy to set up a reflink so just go buy one from their site https://www.ledger.com/. Don’t ever buy a wallet from a third party; it could easily have been tampered with.

General Common Sense

Don’t sign transactions you don’t understand.

Don’t google for sites you want to visit; find the project’s Twitter handle and visit the site from their official links. Bookmark that link, then only visit using your bookmarks. This prevents accidental use of fake phishing websites.

If someone DMs you on Discord or Telegram claiming to be support staff, or hosting a giveaway from anywhere, for any reason, ignore them. I have never seen support staff contact people in this way. Stop giving them your money/seed phrases/private keys.

Google forms are a no-no. Don’t put any wallet information into them.

If something looks sketchy, it is. If something doesn’t look sketchy, assume it is anyways. Be a paranoid motherfucker or be a broke motherfucker, there isn’t a third option.

Off-Chain Security Measures

This is a bit simpler because it’s largely synonymous with general online security. Nevertheless, the bounds of human stupidity know no limits. Onward!

Email Management

Use a different email for every exchange account. Never tie a personal email to a financial account login.

Using multiple email accounts is a free and easy way to ensure that if there is a compromise somewhere, you’re only partially fucked. Much better than being completely fucked. This is negated if you keep all your shit in one place, so don’t do that.

Make sure that your email provider supports…

Two-Factor Authentication

Use it. Use it everywhere. Email and exchange accounts, you MUST have it on both.

Dedicate a device for your 2FA. This means a not-your-cellphone-device. Old cellphones work just fine, so does a tablet or iPod touch. You don’t want your 2FA device to be stolen, so don’t use a device you regularly leave the house with. Ideally, don’t connect the device to the internet at all, ever.

Never use text-message-based 2FA; SIM swap attacks are incredibly easy to perform. Use Google 2FA, Authy or a YubiKey.

Password Management

Do: use a random password generator, with different passwords on every single login.

Don’t: store passwords in text files, on your computer’s clipboard or anywhere connected to the internet. Memorize or write them down, then make a copy. Physically secure the copy.

Conclusion

This is a really basic starting point to security, and we haven’t even talked about privacy (because it’s getting late and fuck it, article’s getting long).

All of this shit is a massive pain in the ass. No two ways about it. But you know what’s an even bigger pain in the ass? Not having any money because you’re a lazy fuck who assumed it would never happen to you.

I know most of you aren’t going to implement most/all of this advice, but that’s not my problem, it’s yours. If you want to play in crypto, be your own bank, make outsized returns in DeFi or NFTs, you have directly chosen to assume responsibility for your own financial security.

If you fail and get hacked/exploited/drained, it’s because you chose to suck at providing your own security. So don’t do that. Follow these steps, eliminate all single points of failure (also applies to trading, but that’s a whole different set of articles; go read them).

Be paranoid, or go broke when somebody steals all your crap. Not my problem either way, but at least now you know what you gotta do.

If you liked the article or learned something, gimme claps and share with your friends.

But most importantly, don’t wait until it’s too late to protect your money.
