- Understanding Wallet Types
- Seed Phrase Storage and Protection
- Hardware Wallet Best Practices
- Operational Security Measures
- Transaction Security
- Physical Security
- Privacy Considerations
- Backup Strategies
- Comprehensive Inheritance Planning
- Regular Security Audits
- Emergency Procedures
- Advanced Techniques
- Security Levels Framework
- Common Security Threats
- Mobile Device Security
- Environmental Risks
- Behavioral Security
- International Travel Considerations
- Common Mistakes to Avoid
- Security Checklist
- Exchange Security
- General Cybersecurity Practices
- Psychological Aspects of Security
- Preparing for Technological Changes
- DeFi-Specific Risks
- Disclaimer
## Understanding Wallet Types

### Hot Wallets

- Connected to the internet: Includes mobile apps, desktop software, and browser extensions.
- Risk Profile: High. Vulnerable to malware, remote exploits, and phishing.
- Use Case: Small amounts for daily spending or frequent interactions with dApps.
### Cold Wallets

- Offline storage: Private keys are generated and stored on devices that never connect to the internet.
- Risk Profile: Lowest. Virtually immune to remote digital attacks.
- Use Case: Long-term storage of significant wealth (HODLing).
### Hardware Wallets

- Dedicated physical devices: A form of cold storage that allows transaction signing without exposing private keys to the host computer.
- Mechanism: The private key lives in a secure element chip; the computer only receives the signed transaction data.
- Recommendation: The industry standard for self-custody.
- Examples: Trezor, Keystone.
### Paper Wallets

- Printed private keys: Keys generated offline and printed on paper.
- Current Status: Not recommended.
- Risks: Vulnerable to physical degradation (ink fading, water, fire), printer cache malware, and difficult to spend from without sweeping the entire balance (potential change address errors).
- Modern Alternative: Metal backups of a hardware wallet seed phrase.
## Seed Phrase Storage and Protection

- Material: Write down seed phrases on durable, non-digital materials (e.g., stainless steel or titanium plates).
- Verification: Immediately after engraving or stamping, verify that every character is legible. Poorly struck metal can become unreadable over time or after fire damage.
- Tamper-Evidence: Store physical backups in serialized tamper-evident bags so you can tell whether the backup has been opened or viewed by an unauthorized party (e.g., an "evil maid" attack).
- Prohibition: Never store seed phrases digitally. This includes photos, cloud storage, password managers, or text files.
- Redundancy: Create multiple physical copies.
- BIP39 Passphrase (The "25th Word"):
  - Function: An optional passphrase added to the seed phrase that generates a completely different wallet.
  - Security: If the physical seed phrase is stolen, the attacker cannot access the funds without this passphrase.
  - Storage: Must be stored separately from the main seed phrase. Losing the passphrase results in permanent fund loss.

Example Scenario: A user stamps their 24-word seed phrase onto a steel plate, checks the legibility, seals it in a tamper-evident bag, and stores it in a home safe. The corresponding BIP39 passphrase is memorized and a backup copy is stamped onto a separate metal washer hidden in a vehicle or secondary location.
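To show concretely why the passphrase above (and the duress wallet described under Physical Security) opens an entirely separate wallet, here is an added example that is not part of this guide: it derives the BIP39 seed exactly as the standard specifies, using only the Python standard library. The mnemonic is the public BIP39 reference test vector (constructed for illustration only); `wallet_id` is an assumed helper for recovery drills, not a standard fingerprint.

```python
import hashlib
import unicodedata

# Constructed sample: the BIP39 reference vector (eleven "abandon" + "about").
# Never use this mnemonic for real funds.
MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.
    Password = NFKD(mnemonic); salt = "mnemonic" + NFKD(passphrase).
    The passphrase is only a salt, so every passphrase (including a duress one)
    yields a valid but unrelated wallet, and a wrong passphrase cannot be
    distinguished from a right one except by the funds it reveals."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Assumed helper: an 8-hex-character fingerprint of the derived seed, so a
    recovery drill can confirm the expected wallet was restored without
    writing the seed itself anywhere. Treat the value as sensitive."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:8]
```

The seed for the passphrase "TREZOR" matches the published BIP39 test vector, while any other passphrase (even an empty one) produces a seed that shares nothing with it.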
## Hardware Wallet Best Practices

- Supply Chain Security: Purchase only directly from the manufacturer. Avoid Amazon, eBay, or third-party resellers.
- Tamper Evidence: Inspect packaging for broken seals or physical manipulation.
- Firmware: Update firmware immediately upon setup using the official manufacturer software.
- PIN Security: Use a PIN of at least 6 digits, ideally 8.
- Verification: Perform a full wipe and recovery test with a small amount of funds before depositing the full balance.
- Backup Device: Maintain a spare hardware wallet in a secure location for immediate access if the primary device fails.
## Operational Security Measures

- Dedicated Hardware: Ideally, use a dedicated laptop or "air-gapped" machine for crypto operations, free from bloatware or unnecessary software.
- Software Integrity: Use open-source wallet software. Verify GPG signatures or checksums before installation.
- Authentication: Enable Two-Factor Authentication (2FA) on all related services.
  - Critical: Do not use SMS 2FA. Use Time-based One-Time Passwords (TOTP) (e.g., Ente Auth) or hardware keys (e.g., YubiKey).
- Network Security: Never transact on public Wi-Fi. Use a VPN if a trusted network is unavailable.
- Operating System: Consider privacy-focused OS environments like Tails or Qubes OS for high-value management.
## Transaction Security

- Address Verification: Malware (clipboard hijackers) can swap copied addresses. Always verify the destination address on the device screen before confirming, checking at least the first 4-6 and last 4-6 characters; because address-poisoning addresses are crafted to match exactly those characters, compare the entire string whenever the address was copied from transaction history.
- Test Transactions: Send a minimal amount first to verify the destination.
- Gas/Fees: Check current network fees to avoid overpaying or having transactions stuck.
- Multisig: For high-net-worth individuals or organizations, use Multi-Signature wallets (requiring m-of-n keys to sign).
- Privacy: Utilize coin-control features to select which UTXOs to spend, preventing the linking of separate wallet balances.
## Physical Security

- Storage: Use fireproof and waterproof safes (UL-rated) or bank safety deposit boxes.
- Diversification: Do not store all backups in a single geographic location.
- OpSec: Mitigate the "$5 Wrench Attack" (physical coercion) by keeping ownership private.
- Duress Wallets: Set up a secondary wallet with a small balance that can be unlocked with a different PIN/passphrase to satisfy an attacker while protecting the main funds.
## Privacy Considerations

- Address Reuse: Avoid reusing addresses. Most modern HD (Hierarchical Deterministic) wallets generate new addresses automatically.
- Metadata: Be aware that transactions are public. Do not link a KYC-compliant exchange withdrawal directly to a cold wallet that interacts with controversial services.
- Network Level: Use Tor or I2P when broadcasting transactions to mask IP addresses.
- Social Engineering: Do not brag about gains or holdings online.
## Backup Strategies

The 3-2-1 Rule:

- 3 Copies: Maintain three total copies of the recovery phrase.
- 2 Media Types: Use two different storage mediums (e.g., two different brands of steel plates, or one steel plate and one titanium rod).
- 1 Offsite: Keep at least one copy in a physically separate location (e.g., a trusted relative's house or a bank vault).
## Comprehensive Inheritance Planning

- Access Plan: Create a clear, written guide for heirs explaining how to locate and use the backup materials.
- Security: This plan should not contain the seed phrase itself, but rather the location of the seed phrase and the location of the passphrase.
- Dead Man's Switch: Consider automated services or smart contracts that release information if proof-of-life is not provided after a set duration (advanced users only).
- Legal: Consult with an estate planner familiar with digital assets to ensure the plan is legally binding and tax-efficient.
## Regular Security Audits

- Schedule: Review security posture every 6-12 months.
- Updates: Check for firmware updates for hardware wallets and software updates for hot wallets.
- Access Logs: Review exchange login history for unrecognized IP addresses.
- Practice: Perform dry-run recoveries to ensure you still know how to restore your wallet from backup.
## Emergency Procedures

- Compromise Protocol: Have a "break-glass" plan. If a seed is suspected to be compromised, immediately move funds to a pre-configured secondary wallet.
- Contacts: Maintain an offline list of support contacts for exchanges and legal counsel.
- Tools: Keep a clean USB drive with necessary wallet software installers in case of internet outages or primary device failure.
## Advanced Techniques

- Air-Gapped Signing: Create and sign transactions on a computer with its network card removed; transfer the signed transaction via QR code or SD card to a networked machine, broadcast it, and wipe the transferred data afterwards. The private key never touches the networked machine.
- Time-Locks: Use protocol-level time locks to prevent funds from moving until a specific block height or date.
- Decoy Wallets: Maintain wallets with small amounts of active history to present as "primary" wallets in coercion scenarios.
## Security Levels Framework

| Level | Configuration | Target User |
|---|---|---|
| Basic | Hardware wallet, TOTP 2FA, Steel backup | Standard investor |
| Intermediate | Passphrase (25th word), Dedicated laptop, 3-2-1 backup | High-net-worth |
| Advanced | Multisig (2-of-3), Air-gapped machine, Geographic distribution | Institutional / Whale |
## Common Security Threats

- Phishing: Fake emails or websites mimicking legitimate services to steal credentials or seeds.
- SIM Swapping: Attackers port your phone number to intercept SMS 2FA. Defense: Disable SMS 2FA.
- Address Poisoning: Attackers spam your wallet with 0-value transactions from addresses that look similar to yours (same start/end characters), hoping you copy-paste them by mistake from history.
- Dust Attacks: Attackers send tiny amounts of crypto ("dust") to many addresses. If the victim spends this dust combined with other funds, the attacker can use blockchain analysis to deanonymize the wallet owner and link their addresses. Defense: Do not spend dust; mark it as "unspendable" in coin-control settings.
- Malicious Smart Contracts: Granting unlimited token approvals to shady dApps can drain wallets. Defense: Use tools like Revoke.cash to audit allowances.
- Supply Chain Attacks: Compromised hardware or software updates delivered through official-looking channels.
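The address-verification advice under Transaction Security and the address-poisoning pattern above reduce to two mechanical checks a signing workflow can run before anything is confirmed. This added example (not from this guide) validates a Bitcoin bech32/bech32m address checksum as specified in BIP173/BIP350 and flags lookalikes against an address book. The address book and the lookalike address are constructed; the known address is the published BIP173 test vector.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"    # bech32 alphabet (no 1, b, i, o)
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3     # BIP173 / BIP350 checksum targets


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def valid_segwit_address(addr, hrp="bc"):
    """True only if addr is well formed and its BCH checksum verifies;
    any single corrupted character is guaranteed to be detected."""
    if addr != addr.lower() and addr != addr.upper():
        return False                                # mixed case is forbidden
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90 or addr[:pos] != hrp:
        return False
    body = addr[pos + 1:]
    if any(c not in CHARSET for c in body):
        return False
    data = [CHARSET.index(c) for c in body]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    # witness v0 (bc1q...) must verify as bech32, v1+ (Taproot bc1p...) as bech32m
    want = BECH32_CONST if data[0] == 0 else BECH32M_CONST
    return _polymod(expanded + data) == want


def check_destination(addr, address_book):
    """Classify a pasted destination: 'known', 'lookalike' (same first and last
    6 characters as a known address but not identical, the poisoning pattern),
    'invalid' (bad checksum) or 'unknown'. Lookalikes are flagged first."""
    if addr in address_book.values():
        return "known"
    for known in address_book.values():
        if addr[:6] == known[:6] and addr[-6:] == known[-6:]:
            return "lookalike"
    if not valid_segwit_address(addr):
        return "invalid"
    return "unknown"


# Constructed sample: one whitelisted address (BIP173 test vector) and a lookalike
# that keeps its first and last 6 characters but differs in the middle.
ADDRESS_BOOK = {"cold wallet": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"}
LOOKALIKE = "bc1qw508d6qejxtdg4y5r3zqrvqry0c5xw7kv8f3t4"
```

A prefix/suffix glance accepts `LOOKALIKE`; only the full-string comparison rejects it, while the checksum catches a fat-fingered or bit-flipped character.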
## Mobile Device Security

- Biometrics: Enable FaceID or fingerprint locking for wallet apps.
- App Store Safety: Only download from official stores. Check developer names and review counts.
- Permissions: Audit app permissions. A calculator app does not need network access.
- Updates: Keep iOS/Android updated to the latest security patch level.
## Environmental Risks

- Degradation: Paper rots; ink fades. Use metal for backups.
- Magnets: Standard hard drives are susceptible to magnets; SSDs and optical media are less so, but metal plates are immune.
- Disaster: Fire and flood are primary risks. Use rated storage containers.
## Behavioral Security

- Compartmentalization: Keep crypto identity separate from real-world identity.
- Hygiene: Do not use the same email for crypto exchanges that you use for social media.
- Silence: The most effective security layer is anonymity. If no one knows you have it, no one will try to take it.
## International Travel Considerations

- Border Search: Border agents in many jurisdictions (including the US, UK, and NZ) may demand access to electronic devices and passwords.
- Travel Mode: Do not cross borders with a loaded hardware wallet or written seed phrase.
- Brain Wallets: Memorizing the seed phrase is an option for extreme border scenarios, but it carries high risk due to human memory fallibility under stress.
- Procedure: Wipe the hardware wallet before travel. Restore upon arrival using a remote backup or memorized seed (if confident).
- Customs Reporting: Be aware that some countries require the declaration of digital assets over a certain value upon entry, regardless of storage method.
- VPN: Always use a VPN when accessing data abroad.
## Common Mistakes to Avoid

- Typing seed phrases on a computer: Never do this, even to "test" them.
- Storing seeds in a cloud (iCloud/Google Drive): This is the most common vector for hacks.
- Using SMS 2FA: It is a security vulnerability, not a feature.
- Neglecting updates: Failing to patch critical OS vulnerabilities.
- Over-complication: Creating a security scheme so complex that you get locked out.
## Security Checklist

- Hardware wallet initialized and updated.
- Seed phrase recorded on metal (non-digital) and verified for legibility.
- Passphrase (25th word) established and stored separately.
- SMS 2FA disabled; TOTP/YubiKey enabled.
- Recovery drill performed successfully.
- Inheritance instructions drafted.
- Withdrawal whitelisting enabled on exchanges.
## Exchange Security

- Custody: Exchanges are for trading, not storage. "Not your keys, not your coins."
- Whitelisting: Enable address whitelisting to restrict withdrawals only to your known hardware wallet addresses.
- Proof of Reserves: Prefer exchanges that publish cryptographic Proof of Reserves (PoR), but understand that PoR does not guarantee solvency without Proof of Liabilities.
- Withdrawal Limits/Delays: Configure 24-48 hour withdrawal delays or limits. This provides a window to freeze accounts if a hack occurs.
- 2FA: Use hardware keys (YubiKey) for exchange login and withdrawal confirmation.
- Phishing Codes: Set up anti-phishing codes so all official emails from the exchange contain a secret word you verify.
## General Cybersecurity Practices

- Password Managers: Use Bitwarden or KeePassXC. Do not reuse passwords.
- Email Security: Use a dedicated, secure email provider (e.g., ProtonMail) for crypto accounts.
- Link Hygiene: Never click links in emails claiming urgent action is required. Navigate to the site manually.
## Psychological Aspects of Security

- Panic: Scammers create urgency to force errors. Pause and verify.
- Fatigue: Alert fatigue can lead to clicking "Approve" without reading. Stay disciplined.
- Complacency: Security is a process, not a state. Constant vigilance is required.
## Preparing for Technological Changes

- Quantum Computing: Monitor the development of quantum-resistant algorithms. Current elliptic curve cryptography (ECC) may eventually be vulnerable, but migration paths will be established by protocol developers.
- Algorithm Updates: Be prepared to migrate funds to new address formats (e.g., Taproot) as standards evolve.
## DeFi-Specific Risks

- Unlimited Approvals: Many dApps request permission to spend an "unlimited" amount of tokens to save on gas fees. If the contract is compromised, your wallet can be drained.
  - Mitigation: Use "Edit Permission" to approve only the specific amount needed for the transaction. Regularly revoke old allowances using tools like Revoke.cash.
- Smart Contract Risk: Even audited contracts can have bugs or backdoors. An audit is not a guarantee of security.
- Oracle Manipulation: Attackers may manipulate on-chain price feeds (oracles) to liquidate positions or drain lending pools. Avoid low-liquidity pools and unproven protocols.
- Front-End Compromise: Sometimes the smart contract is safe, but the website (front-end) is hijacked to send funds to the attacker. Verify contract addresses on block explorers before interacting.
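As an added example that is not part of this guide, the following decodes the calldata of an ERC-20 `approve(address,uint256)` call, which is what a wallet actually asks you to sign, and classifies the requested allowance so an unlimited approval stands out before the "Approve" button is pressed. The spender address and token amounts are constructed placeholders; `encode_approve` is an assumed helper that builds the same calldata a dApp would send.

```python
# Known 4-byte function selector of ERC-20 approve(address,uint256)
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = (1 << 256) - 1


def encode_approve(spender: str, amount: int) -> bytes:
    """Assumed helper: build approve() calldata the way a dApp would (ABI encoding:
    selector, then the 20-byte address left-padded to 32 bytes, then the amount)."""
    addr = bytes.fromhex(spender[2:].rjust(40, "0"))
    return APPROVE_SELECTOR + addr.rjust(32, b"\0") + amount.to_bytes(32, "big")


def parse_approve(calldata: bytes):
    """Return (spender, amount) for an approve() call, or None for anything else."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = calldata[4:36], calldata[36:]
    if any(spender_word[:12]):        # padding bytes of the address must be zero
        return None
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")


def allowance_verdict(calldata: bytes, needed: int) -> str:
    """'unlimited' (drain risk if the spender contract is compromised),
    'oversized' (more than this transaction needs), 'exact', 'insufficient',
    or 'not-an-approve'. `needed` is the amount in the token's smallest unit."""
    parsed = parse_approve(calldata)
    if parsed is None:
        return "not-an-approve"
    _, amount = parsed
    # uint256 max is the usual "unlimited"; some dApps use other huge constants
    if amount == UINT256_MAX or amount >= (1 << 128):
        return "unlimited"
    if amount > needed:
        return "oversized"
    return "exact" if amount == needed else "insufficient"


# Constructed sample values: placeholder spender, 100 tokens with 18 decimals
SPENDER = "0x" + "ab" * 20
NEEDED = 100 * 10**18
```

The "Edit Permission" step in the mitigation above is exactly turning an `unlimited` verdict into an `exact` one before signing.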
## Disclaimer

This guide is for educational and informational purposes only. It does not constitute financial or legal advice. Implementation of security practices is the sole responsibility of the user. The authors assume no liability for asset loss.