Keeping crypto safe comes down to a small set of habits: move meaningful balances to a hardware wallet, give every exchange account a unique email, strong password, and two-factor code, bookmark exchange sites instead of clicking links, store your seed phrase offline on metal, and never sign a wallet transaction you cannot explain. The order of these steps matters more than the exact tools you pick, because most losses come from a handful of repeatable patterns, not exotic attacks.
Key takeaways
- Self-custody shifts the security burden from a company to you, and most real losses trace back to a handful of repeatable patterns: phishing, seed-phrase leaks, blind signing, and exchange failures.
- A hardware wallet is the single highest-leverage upgrade for anyone holding more than they would carry in a physical wallet, because it keeps your private keys offline even when your computer is compromised.
- Unique credentials, two-factor authentication, and bookmarked exchange URLs are cheap, fast, and stop the majority of real-world account takeovers, including the wave of Ledger phishing emails and fake support accounts on X.
- Storing your seed phrase only on metal, offline, and never typing it into a website is the difference between a recoverable mistake and a permanent loss, and no legitimate support agent will ever ask for it.
Why "crypto security" is really a list of failure modes, not a list of products
The reason generic security guides feel unsatisfying is that they describe tools without describing the attacks. They tell you to "use a hardware wallet" and "be careful online," which sounds fine until a phishing email shows up that looks exactly like a real Ledger notice, or until MetaMask asks you to sign a transaction whose fee and contract data are numbers you do not recognize. At that point, "be careful" is not a strategy.
It helps to think about crypto security as a list of failure modes, the specific ways people actually lose funds. Once you know the failure mode, the right habit almost picks itself. Most documented losses fall into roughly six buckets: phishing sites and emails that steal credentials or seed phrases, fake support accounts on social media, malicious browser extensions and drainer sites, blind-signing a transaction that drains your wallet, sending funds to the wrong network or address, and centralized exchanges that become insolvent or freeze withdrawals.
Some of these you can fully neutralize with a single habit. Others you can only reduce. The trick is matching the habit to the failure mode, not collecting apps. A password manager plus a hardware wallet plus bookmarking your exchange URLs will defeat the majority of real attacks in 2024 and 2025. A pile of browser extensions and a Telegram "alpha" group will not.
Real risks you are actually defending against
Before going through the checklist, it is worth naming the risks in plain English so you know what you are guarding against.
Phishing emails that look like real company notices. In 2020, hardware-wallet maker Ledger disclosed a customer email database breach. Years later, scammers still send messages that look almost identical to real Ledger updates, complete with the same fonts and footer, telling users to "verify their recovery phrase" or "install a critical firmware update." Anyone who types their 24 words into the linked page loses everything. The attackers are patient and the emails are good.
Fake support accounts on X and Discord. Search for any major wallet or exchange on X and you will find dozens of lookalike accounts replying to users with "DM me for help." The fake agent walks the user through "resyncing" their wallet by pasting a seed phrase or signing a transaction. The same pattern happens on Discord where official-looking bots DM users about "security updates."
Drainer sites posing as mints, airdrops, or bridges. A "free mint" page, a "claim your airdrop" page, or a fake bridge UI asks you to connect your wallet and then prompts a signature that grants the site permission to move specific tokens out. The transaction is worded in English but the underlying approval is not, and once signed it can sit dormant for weeks before draining.
Exchange insolvency and withdrawal freezes. This is the failure mode people forget, because it does not look like a hack at all. When the centralized exchange FTX collapsed in November 2022, customers did not lose funds to a phishing email. They lost them because the company holding their balances went bankrupt. The same pattern played out at smaller scales with Celsius, Voyager, BlockFi, and various offshore platforms. A centralized exchange (CEX) is a custodian: convenient, but not the same as owning crypto yourself.
Smart-contract exploits. If you interact with decentralized finance (DeFi), you are trusting that the underlying code has no bugs a thief can exploit. Bridges in particular have been hit: Ronin, Wormhole, Harmony, Nomad, and others have lost hundreds of millions of dollars combined. You cannot patch this risk away as a user, but you can choose whether to take it on at all.
The practical checklist, ordered by impact
The items below are listed roughly in the order of leverage, meaning how much risk each one removes for the time it costs. You do not have to do everything at once. Even the first three will put you ahead of most holders.
1. Move meaningful balances to a hardware wallet
A hardware wallet, such as those sold by Ledger, Trezor, and a few smaller vendors, is a small device that holds your private keys in a chip that is never directly exposed to your computer. When you want to send crypto, you prepare the transaction on your computer and then physically confirm it on the device by pressing buttons. Even if your laptop is fully compromised, the keys cannot leave the device without you pressing the buttons.
The threshold for "should I bother" is usually framed as: any amount you would not walk around with in a physical wallet is worth moving off an exchange or hot wallet. For many people that is anything more than a few hundred dollars. You do not need to put every dollar on a hardware wallet, but the long-term holdings belong there.
A common mistake is buying a hardware wallet, setting it up, and then continuing to leave funds on the exchange because trading is easier. The hardware wallet only protects what is actually on it.
2. Give every exchange and wallet a unique email, strong password, and 2FA
Most account takeovers start with credential stuffing, where attackers try leaked email-and-password pairs from other breaches against every major exchange. If your exchange login uses the same email and password as an old forum account that leaked in 2013, your account is one database away from being drained.
The fix is mechanical and not glamorous:
- A unique email for each exchange, ideally a dedicated alias you do not use anywhere else.
- A long, randomly generated password from a password manager, never reused anywhere.
- Two-factor authentication (2FA) using an authenticator app like Aegis, Raivo, or Google Authenticator, not SMS, since SIM swaps are still common.
This single habit, applied across every account that touches money, defeats the bulk of credential-based attacks.
3. Bookmark exchange and wallet URLs, never click links
Most "I got phished" stories start with a Google ad, a search result, or a link in an email that looked right but was one or two characters off. Typing your exchange URL into the address bar is fine. Clicking the top ad for "Binance login" is a coin flip.
Build a small bookmarks folder for crypto sites. Use those bookmarks forever. If an email or message asks you to log in for any reason, open the bookmark, not the link. This is the cheapest, fastest habit on the list and one of the most effective.
4. Store your seed phrase offline, ideally on metal
Your seed phrase, the 12 or 24 words generated when you set up a wallet, is the master key to every address derived from it. Anyone who has those words has your crypto, full stop. There is no customer support that can reverse this, no transaction that can be rolled back.
Two rules cover most of the risk:
- Never type the words into a website, a chat window, a form, or a Google Doc. No legitimate company, agent, or "support rep" will ever ask for them.
- Never store them in a way that requires a connected device to read. Photos in your camera roll, notes in your phone, and password managers are all bad places for a seed phrase because they can be exfiltrated.
Paper works for moderate amounts, but paper burns, gets wet, and fades. For anything you would be upset to lose, write or stamp the words into a metal seed-storage plate designed for the purpose. Keep one copy in a secure location and, ideally, a second copy in a different physical place.
5. Never sign wallet transactions you do not fully understand
When you use a self-custody wallet like MetaMask, Rabby, or Frame, every action ends with a signature. Some signatures move funds. Some signatures approve a contract to move a specific token on your behalf. Some signatures grant unlimited, permanent approval to drain that token. The wallet UI shows you the human-readable summary, but the underlying data is what counts.
Before signing anything, ask yourself three questions:
- What am I actually approving? Read the function name and the spender address, not just the dollar amount.
- Is this an "approve" or a "setApprovalForAll"? Those are the signatures that drain wallets, often days later.
- Does the site match what I expected to be using? If you clicked a link, did you end up on the real domain?
When in doubt, reject and ask someone you trust. There is no cost to rejecting a transaction. There is often no recovery from accepting the wrong one.
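The three questions above can be answered mechanically from the raw calldata the wallet is asking you to sign. The following Python is an added example, not code from the article or from any wallet vendor: it decodes the four ERC-20/ERC-721 calls that matter here (transfer, transferFrom, approve, setApprovalForAll) using their standard 4-byte selectors, then labels the request low, medium or high risk. The selectors are the well-known ones; every address and calldata string in it is constructed for the example, and the `trusted_spenders` list is an assumption, standing in for contract addresses you looked up yourself rather than ones the site handed you.

```python
# Added example, not code from the article: decode the raw calldata behind a
# wallet signature request and classify its risk before you press "confirm".
# The four selectors are the well-known ERC-20 / ERC-721 ones; every sample
# calldata and address below is constructed for this example.

# First four bytes of keccak256(signature), as the EVM ABI defines them.
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance drainer sites ask for


def decode_calldata(calldata_hex):
    """Return (function name or None, selector hex, decoded argument list)."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("calldata is shorter than a 4-byte selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return None, selector, []
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]  # every static argument is one 32-byte word
        if typ == "address":
            args.append("0x" + word[12:].hex())  # the address sits in the low 20 bytes
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
    return name, selector, args


def assess_signature_request(calldata_hex, trusted_spenders=()):
    """Return ('low' | 'medium' | 'high', [reasons]) for a signature request.

    trusted_spenders (assumed input): contract addresses you looked up yourself,
    for example a router reached through a bookmark, never ones the site supplied."""
    trusted = {a.lower() for a in trusted_spenders}
    name, selector, args = decode_calldata(calldata_hex)
    if name is None:
        return "high", [f"unknown selector 0x{selector}: you cannot explain this call, so do not sign it"]
    level, reasons = "low", []
    if name == "approve":
        spender, amount = args
        if amount == MAX_UINT256:
            level = "high"
            reasons.append(f"unlimited approve: {spender} could move all of this token, now or weeks later")
        elif amount == 0:
            reasons.append(f"revoke: sets the allowance of {spender} to zero")
        elif spender not in trusted:
            level = "medium"
            reasons.append(f"approve of {amount} units to {spender}, a spender you did not choose")
        else:
            reasons.append(f"bounded approve of {amount} units to {spender}, which is on your trusted list")
    elif name == "setApprovalForAll":
        operator, enabled = args
        if enabled:
            level = "high"
            reasons.append(f"setApprovalForAll: {operator} could transfer every NFT in this collection")
        else:
            reasons.append(f"revoke: removes {operator} as an operator")
    else:  # transfer / transferFrom move funds immediately; the recipient is what matters
        reasons.append(f"{name}: sends {args[-1]} units to {args[-2]} now; confirm that address yourself")
    return level, reasons


# Constructed samples: a drainer-style unlimited approve, an NFT operator grant,
# a bounded approve, a plain transfer, and a call to a selector we do not know.
DRAINER = "1" * 40      # constructed spender address, hex without 0x
RECIPIENT = "2" * 40    # constructed transfer recipient
UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + DRAINER + "f" * 64
OPERATOR_GRANT = "0xa22cb465" + "0" * 24 + DRAINER + "0" * 63 + "1"
BOUNDED_APPROVE = "0x095ea7b3" + "0" * 24 + DRAINER + format(5000, "064x")
SMALL_TRANSFER = "0xa9059cbb" + "0" * 24 + RECIPIENT + format(1000, "064x")
UNKNOWN_CALL = "0xdeadbeef" + "0" * 64

if __name__ == "__main__":
    for label, data in [("unlimited approve", UNLIMITED_APPROVE), ("operator grant", OPERATOR_GRANT),
                        ("bounded approve", BOUNDED_APPROVE), ("transfer", SMALL_TRANSFER),
                        ("unknown", UNKNOWN_CALL)]:
        level, reasons = assess_signature_request(data)
        print(f"{label:18s} -> {level:6s} {'; '.join(reasons)}")
```

The point of the classifier is the ordering of the checks: an unknown selector is rejected outright because it fails the first question ("what am I approving?"), an allowance of 2^256-1 or a `setApprovalForAll(..., true)` is flagged regardless of who the spender is, and a plain transfer is only as safe as the recipient you verify yourself. Real wallets such as MetaMask and Rabby show a decoded view like this; the value of knowing the raw layout is that you can tell when the human-readable summary and the underlying data disagree.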
6. Keep a small "spending" balance and a separate "savings" balance
Most people only need a hardware wallet for their long-term holdings. For daily use, a hot wallet with a small balance is more practical. Splitting your funds this way means a compromised hot wallet only costs you what you would have lost anyway if you had dropped your physical wallet.
The same logic applies to exchange accounts. There is no reason to keep your entire net worth on a single CEX. If you trade, only keep what you are actively using on the platform.
7. Learn the difference between an exchange going bankrupt and a smart-contract hack
These are very different events with very different recoveries.
When a centralized exchange goes bankrupt, like FTX, Celsius, or Voyager, your name is on a list of creditors. Depending on the jurisdiction and the assets recovered, you may get some of your funds back, years later, at a haircut. Custody was the problem: the exchange pooled customer funds and used them. The lesson is that on a CEX you have an IOU, not crypto.
When a smart contract is hacked, like a bridge or a lending protocol, the funds are usually gone immediately. There is no company to sue, no bankruptcy court. Recovery, if any, comes from a white-hat bounty, a governance vote to fork, or a slow legal fight. The lesson is that interacting with smart contracts is opting into code-execution risk.
You cannot fully eliminate either risk, but you can choose how much of each you take on. Self-custody eliminates the first. Avoiding unaudited protocols and bridges eliminates most of the second.
Common scams to recognize on sight
Even with perfect habits, you will still see these in the wild. Recognizing them on sight is half the battle.
"Verify your wallet" or "sync your device" pages. No real wallet provider will ever ask you to enter your seed phrase on a website to "verify" it. This is always theft.
Fake airdrops and mints. A token shows up in your wallet that you did not buy. A linked site says "claim" or "mint." The site asks you to sign a transaction that grants token approvals to an attacker-controlled contract. The token was sent specifically to bait this signature.
Address-poisoning. You copy an address you sent to before, paste it into your wallet, and send. The address is correct except for the last few characters, because a lookalike address was generated and a tiny amount of dust was sent to your history to make it look familiar. Always re-verify the full address, not just the start and end.
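To make the "full address, not just the start and end" rule concrete, here is an added Python example (not from the article): a constructed real address and a constructed lookalike that shares its first six and last four characters. The glance check that most people do passes the lookalike; only full equality against an address book you saved yourself rejects it. The address book and history lists are assumptions standing in for what your wallet's "recent transactions" view would show.

```python
# Added example, not code from the article: the check that defeats address
# poisoning. A poisoned address matches your real one at both ends, so a glance
# passes it; only a full character-for-character comparison against an address
# you saved yourself catches it. All addresses here are constructed.
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr):
    """Strip whitespace, require 0x + 40 hex digits, lowercase for comparison."""
    addr = addr.strip()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def looks_familiar(pasted, history, head=6, tail=4):
    """The glance most people do: the first few and last few characters match an
    address seen in transaction history. This is exactly the check poisoning beats."""
    p = normalize(pasted)
    return any(p[:2 + head] == h[:2 + head] and p[-tail:] == h[-tail:]
               for h in map(normalize, history))


def is_saved_recipient(pasted, address_book):
    """Full equality against addresses you saved deliberately. Transaction history
    is not an address book: anyone can write into it by sending you dust."""
    return normalize(pasted) in {normalize(a) for a in address_book}


# Constructed: the address you actually send to, and a lookalike with the same
# first six and last four characters that dust was sent from to seed your history.
REAL = "0x" + "ab12cd" + "0" * 30 + "ef90"
POISONED = "0x" + "ab12cd" + "7" * 30 + "ef90"
ADDRESS_BOOK = [REAL]          # what you saved yourself, from a verified source
HISTORY = [REAL, POISONED]     # what "copy from recent transactions" offers

if __name__ == "__main__":
    for addr in (REAL, POISONED):
        print(addr, "familiar:", looks_familiar(addr, HISTORY),
              "saved:", is_saved_recipient(addr, ADDRESS_BOOK))
```

Only `is_saved_recipient` should decide whether a send goes out; `looks_familiar` is there to show why the visual check fails. The same logic applies to contact lists inside a wallet: populate them from a source you verified once, not by copying from history.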
"Customer support" reaching out first. No real support agent will DM you, call you, or email you unprompted to help with your account. If someone does, it is a scam, full stop.
Job-offer and OTC-desk impersonators. "Recruiters" offering remote crypto jobs often walk victims through installing scripts or "test transactions" that turn out to be drainers. OTC desk impersonators offer to "help" you swap large balances and disappear with the funds.
What to do if something goes wrong
No checklist is perfect. If you suspect you have been phished, signed a malicious transaction, or lost access, speed matters more than elegance.
If you typed your seed phrase into a site, assume the wallet is compromised. Move the funds to a brand-new wallet, generated on a clean device, immediately. If you do not have a hardware wallet, even a new hot wallet is better than the old one.
If you signed an "approve" transaction to a drainer, the drainer may not act immediately. Some sit and wait for a large balance before sweeping. Revoke token approvals using a tool like Etherscan's Token Approvals page or a dedicated revoker, and move remaining funds to a new wallet the drainer has no approval on.
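Revoking an approval is not a special operation on chain, which is worth knowing when a revoker tool asks you to sign something: for an ERC-20 token it is `approve(spender, 0)`, and for an NFT collection it is `setApprovalForAll(operator, false)`, each sent from the wallet that granted the approval to the token contract. The Python below is an added example, not code from the article or from Etherscan, that builds those calls from the standard selectors; the token and spender addresses are constructed placeholders, and the `revoke_plan` output format (to / value / data) is an assumption matching the fields a wallet needs for a raw transaction.

```python
# Added example, not code from the article: what a "revoke" actually is on
# chain. For an ERC-20 token it is approve(spender, 0); for an NFT collection
# it is setApprovalForAll(operator, false). Both are sent FROM the wallet that
# granted the approval TO the token contract. Selectors are the standard
# ERC-20 / ERC-721 ones; the addresses used below are constructed placeholders.

APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
HEX_DIGITS = set("0123456789abcdef")


def is_address(addr):
    """True for 0x-prefixed (or bare) 40-hex-digit addresses."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    return len(h) == 40 and set(h) <= HEX_DIGITS


def address_word(addr):
    """ABI-encode a 20-byte address as a 32-byte word (left-padded with zeros)."""
    if not is_address(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    return h.rjust(64, "0")


def uint_word(n):
    """ABI-encode an unsigned integer as a 32-byte big-endian word."""
    if not 0 <= n < 2**256:
        raise ValueError("value does not fit in uint256")
    return format(n, "064x")


def revoke_erc20(spender):
    """approve(spender, 0): removes any allowance the spender still holds."""
    return "0x" + APPROVE_SELECTOR + address_word(spender) + uint_word(0)


def revoke_erc721(operator):
    """setApprovalForAll(operator, false): the bool false encodes as a zero word."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + address_word(operator) + uint_word(0)


def revoke_plan(approvals):
    """approvals: iterable of (token_contract, spender, kind), kind 'erc20' or 'erc721'.
    Returns one unsigned transaction per approval: to = the token contract, value = 0,
    data = the revoke call. Each must be signed by the wallet that granted the approval."""
    plan = []
    for token, spender, kind in approvals:
        if kind == "erc20":
            data = revoke_erc20(spender)
        elif kind == "erc721":
            data = revoke_erc721(spender)
        else:
            raise ValueError(f"unknown approval kind {kind!r}")
        plan.append({"to": token, "value": 0, "data": data})
    return plan


if __name__ == "__main__":
    # Constructed: one token and one NFT collection both approved to the same drainer.
    drainer = "0x" + "1" * 40
    for tx in revoke_plan([("0x" + "c" * 40, drainer, "erc20"), ("0x" + "d" * 40, drainer, "erc721")]):
        print(tx)
```

A revoke only removes future permission; it does nothing about tokens the drainer already moved, and it costs gas per token contract, which is why the article's advice to also move remaining funds to a fresh wallet still applies. Before signing each revoke, read it the same way as any other transaction: the selector should be one of the two above, the spender should be the address you are cutting off, and the amount or flag should be zero.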
If your exchange account was compromised, contact the exchange through official channels, not the email or DM you received. Withdraw remaining funds if you can. Expect slow and partial recovery at best.
For larger balances, consider professional recovery services only after independently verifying their legitimacy, since the "recovery" space is itself full of secondary scams targeting victims.
Practical implications for everyday holders
The honest summary is that crypto security is mostly boring, repetitive hygiene, not clever technical work. The same handful of habits protect against the same handful of failures, year after year. The reason people still lose money is not that the advice is unknown. It is that the habits are not installed before the incident.
If you are starting fresh, do these four things this week:
- Set up a hardware wallet and move long-term holdings to it.
- Generate unique emails and strong passwords for every exchange you use, with 2FA on each.
- Bookmark the real URLs for each exchange and wallet, and remove any saved passwords to lookalike domains.
- Make sure your seed phrase is written down on something offline, ideally metal, and that no digital copy exists anywhere.
Once those are in place, the marginal effort shifts to transaction-level awareness: reading what you sign, recognizing scams, and keeping spending and savings separate. None of this requires expertise. It requires a routine.
Stay ahead of crypto security news
Crypto security moves fast and so does the news around it: new phishing kits, fresh drainer campaigns, exchange incidents, and protocol exploits all surface daily. Tracking them manually is a losing game. Zippfeed surfaces crypto headlines with sentiment scoring, bullish, neutral, or bearish, and an importance rating, so you can spot real risks early instead of finding out about them from your wallet balance.