Crypto Security Best Practices: A Complete Checklist

Crypto is unforgiving. A single mistake can wipe out years of savings. This 15-item checklist covers the practices that quietly separate people who keep their crypto from people who do not.

Why this matters now

Crypto puts you in charge of your own security in a way traditional finance never does. There is no fraud department to call, no chargeback to file, no FDIC-style backstop. Once funds move, they are gone. That power cuts both ways: the same self-sovereignty that makes crypto interesting is what makes the security stakes real. Good news — the practices that prevent the vast majority of losses are not exotic, and once they are habits they cost almost nothing to maintain. This is educational, not financial advice.

The 15-point checklist

1. Use a hardware wallet for serious holdings

A hardware wallet stores your private keys offline and signs transactions without exposing the keys to your internet-connected computer. For anything beyond small trading balances, this is the single biggest upgrade you can make. Our guide comparing the best hardware wallets covers the picks.

2. Treat your seed phrase like a bearer bond

Your seed phrase is the wallet. Anyone with it can take everything; lose it and your crypto can be gone forever. Write it offline (paper or, better, etched metal). Never store it as a photo, cloud note, email or in a password manager. Keep more than one secure copy protected from fire and theft. Never share it with anyone.

3. Never type your seed phrase into a website

Legitimate wallets only ask for your seed when you genuinely restore one — and never via a web form. Any "validate your wallet" prompt on a site is a phishing trap.

4. Use app-based 2FA, not SMS

SIM-swap attacks have drained countless accounts via SMS codes. Use a TOTP authenticator app or hardware security key on every exchange and email account. Disable SMS 2FA where you can.

5. Strong, unique passwords via a password manager

Crypto-related accounts (exchanges, wallets, email) must have long, unique passwords. A password manager is the only practical way to keep this discipline. Reusing passwords means one breach unlocks everything.

6. A dedicated email for crypto

Use one email address only for crypto-related accounts, ideally one nobody knows about. It cuts phishing exposure dramatically and makes targeted attacks against your existing public address less useful.

7. Bookmark official sites, never click links

Search-engine ad poisoning and lookalike domains are common. Bookmark your exchange, wallet, and bridge sites once, verified, and use only those bookmarks. Treat every "login here" link in email or DM as hostile until proven otherwise.

8. Verify the receiving address character by character

Clipboard-hijacking malware swaps copied addresses for ones the attacker controls. Always check the first six and last six characters of an address before sending. For large transfers, send a small test transaction first.

9. Read every wallet pop-up before approving

Connecting a wallet to a malicious smart contract can drain it. Read what the contract is asking — what tokens, what amount, what permission — and reject anything that does not match what you expected to do. "Unlimited" approvals are dangerous; prefer tight limits.

10. Revoke old approvals periodically

Past approvals can be exploited if a contract is later upgraded or compromised. Use a wallet's revoke feature (or a third-party tool) every few months to clean up old, unused token approvals.
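As an added example (not code from the original article), here is a small Python decoder for the calldata behind an approval pop-up, covering both the "what permission, what amount" check in item 9 and the approve-to-zero revoke in item 10. It assumes standard ABI encoding for ERC-20 approve(address,uint256) and ERC-721/1155 setApprovalForAll(address,bool); the sample calldata values are constructed.

```python
# Added example, not from the original article: classify what a wallet approval
# pop-up is really asking for by decoding the raw transaction calldata.
# Assumes standard ABI encoding of approve(address,uint256) and
# setApprovalForAll(address,bool). Sample calldata below is constructed.

UINT256_MAX = 2**256 - 1

# 4-byte function selectors: first four bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


def decode_approval(calldata_hex):
    """Return a dict describing the permission the transaction would grant."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"kind": "unknown", "selector": selector}
    if len(data) != 4 + 32 + 32:
        raise ValueError("malformed calldata: expected two 32-byte ABI words")
    # Each argument is ABI-encoded as a left-padded 32-byte word.
    word1, word2 = data[4:36], data[36:68]
    spender = "0x" + word1[12:].hex()      # address sits in the low 20 bytes
    value = int.from_bytes(word2, "big")
    if selector == "095ea7b3":
        if value == 0:
            risk = "revoke"                # approve(spender, 0) clears an allowance
        elif value == UINT256_MAX:
            risk = "unlimited"             # spender may move the whole balance, forever
        else:
            risk = "limited"
        return {"kind": "erc20_approve", "spender": spender,
                "amount": value, "risk": risk}
    # setApprovalForAll: true hands the operator every token in the collection.
    return {"kind": "set_approval_for_all", "operator": spender,
            "risk": "unlimited" if value == 1 else "revoke"}


# Constructed samples: selector + 12 zero pad bytes + 20-byte address + 32-byte value.
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
SAMPLE_REVOKE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "00" * 32
SAMPLE_SET_ALL = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_REVOKE, SAMPLE_SET_ALL):
        print(decode_approval(sample))
```

Anything that decodes to "unlimited" deserves a pause; a wallet that lets you edit the amount before signing turns it into a "limited" approval instead.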

11. Keep most funds in cold storage

A hot wallet on your phone or browser is convenient but exposed. Keep only what you need for active use online; the bulk belongs in cold storage. The lower the live balance, the smaller the damage if anything goes wrong.

12. Be sceptical of anything urgent

Almost every successful scam works by manufacturing urgency — "limited time," "last chance," "verify now or lose access," "airdrop ending in five minutes." The simplest defence is a 24-hour rule: if something forces immediate action, that pressure itself is the warning sign. Real opportunities survive an hour of thinking.

13. Never share a screen with strangers

Fake support, fake recovery, and fake interview scammers ask you to share your screen so they can guide you to enter your seed phrase or approve a malicious transaction. No legitimate service ever needs this.

14. Keep devices clean

The computer or phone you use for crypto should run an up-to-date OS, current browser, no random extensions, and no pirated software. Browser extensions in particular have a long history of being weaponised after the developer is compromised.

15. Have a death-and-disaster plan

If something happens to you, can your family recover the wallet? If the house burns down, do backup seeds survive in a separate location? Crypto inheritance and disaster recovery are uncomfortable to plan and brutal to neglect.

What to do when something goes wrong

Even with good habits, things can go sideways. A few principles for the worst day:

  • Move first, ask later. If you suspect a wallet is compromised, transfer remaining assets to a known-clean wallet before anything else. Reputation and pride matter less than the next hour.
  • Document everything. Save transaction hashes, addresses involved, messages, screenshots. Even if recovery is unlikely, patterns help law enforcement and exchanges later.
  • Report. The exchange the funds touched, your local financial-crime authority, the chain's own block-explorer tagging service. Sometimes funds get frozen at the exchange before the attacker can off-ramp.
  • Tell your community. Public warnings stop the same attacker from hitting others. The scam economy thrives on victims staying silent out of embarrassment.
  • Be brutally honest about how it happened. Painful, but the only way to harden the next setup is to know exactly which link in the chain failed.

Build the habit early

None of these items is hard on its own. The trap is that they only protect you when they are already in place — bolting them on after a near miss is much harder than setting them up before you need them. Treat security setup as part of getting into crypto, not as an afterthought. A weekend of work now is worth years of peace of mind.

Stay ahead of the threats

Even the best personal setup has to live in a world where exchange hacks, smart-contract exploits and brand-new scam patterns appear every week. Zippfeed tracks crypto security headlines across many sources with sentiment and importance scoring, so you hear about active threats — exchange trouble, exploits, widespread scams — early enough to act, not after your funds are already at risk.

Frequently asked questions

What is the most important crypto security practice?

For anything beyond small trading balances, using a hardware wallet that keeps your private keys offline, combined with treating your seed phrase as the wallet (offline copies, never shared, never typed into a website), is the foundation. Almost every other practice — 2FA, password manager, careful approvals — hardens around that core.

Why is SMS 2FA dangerous for crypto?

SIM-swap attacks let an attacker convince your phone carrier to port your number to them, after which SMS codes arrive on the attacker's device. Many large crypto thefts trace back to this single vector. Use an authenticator app or hardware security key instead, and disable SMS 2FA wherever the platform allows.

Do I really need a separate email for crypto?

It is one of the highest-leverage defences. Phishing and targeted scams overwhelmingly use addresses that have leaked from past breaches or that attackers can guess from your public profile. A dedicated, low-profile email used only for crypto accounts cuts phishing exposure dramatically and makes targeted social-engineering much harder.

What should I do if I think my wallet is compromised?

Act fast: transfer remaining assets to a known-clean wallet before doing anything else. Then revoke any active token approvals from the compromised wallet, document everything (transaction hashes, addresses, messages), and report to the relevant exchange and your local financial-crime authority. Assume the wallet is permanently burned — do not reuse it.