How to Protect Your Crypto From Hacks in 2022 and 2023

Here's what we cover:

The main security risks of crypto
How to keep your crypto safe
How to protect your private key and seed phrase
How to secure your wallets and internet connection
How to DYOR
How to protect crypto from sending it to a wrong address
Bonus: who and when should keep money on exchanges

Cryptocurrency has not been particularly Safu in 2022. In fact, October has been especially spooky, with a whopping $718 million stolen across 11 different hacks:

2022 is on track to set a record. Unfortunately, not the one you'd like to see:

With crypto hacks becoming ever more present, CoinMarketCap Academy prepared a guide on how to protect your crypto from hacks in 2022 and 2023. We wouldn't want you to get caught out in only a few months, right?

Don't have time to read? Check our video instead! ⬇️

What Are the Main Security Risks of Crypto?

Of course, we all know that crypto is volatile (sometimes a bit too volatile on the downside).

But what are the main security risks? In other words, how could your crypto get stolen or hacked?

Getting Scammed

Scams are ubiquitous and popular in crypto. There are several scams like Telegram scams, giveaway scams, Uniswap scams, and more. There's also pump-and-dump schemes and shitcoins, although those do not strictly count as scams (but you can still lose money).

Keeping your Crypto on Centralized Exchanges

Centralized exchanges are great and sometimes they make sense for longer-term crypto storage. But you can also lose your crypto if they get hacked. Thus, most crypto security experts recommend that you keep all funds that you plan to HODL in self-custody.

Losing Your Private Keys or Seed Phrase

The old favorite. You can either be plain forgetful and not careful enough or you can lose your seed phrase in a phishing attack. Even your phone could guess your seed phrase, so be extra careful with it.

Malware

Malware as a security risk relates to losing your seed phrase, since the phrase could get stolen without you ever noticing it before it's too late. If you store your seed phrase in the cloud or somewhere where it's especially exposed to attackers, you might regret it. Best practice says to use a hardware wallet.

Fake Apps or Spoofing

Fake crypto apps or websites that pretend to be legitimate, real crypto applications are a type of phishing attack that can get access to your private keys and drain your wallet of funds. It’s always important to double check the URL you are accessing and make sure that it matches that of the real website.

Protocol Hacks

DeFi protocols are liable to hacks, particularly if they have not been around for a long time and have not passed several audits. As we’ve seen in the past year, DeFi bridges are a favorite target for hacks.

Sending Crypto to the Wrong Address

A transaction sent in a rush, a wrongly-copied address and your crypto ends up on a network it was never supposed to go to. It's an annoying and entirely avoidable way of losing crypto, so we will cover how to not send it to the wrong address (and if you can recover it).

How to Keep Your Crypto Safe

In this section, we cover several important aspects of how to keep your crypto safe.

How to Protect Your Private Key and Seed Phrase

There are three mains aspects to safe seed phrase storage:

Never sharing it with anyone;
Never storing it in the cloud (or anywhere on the computer);
Backing it up and storing it offline.

First, you should not share your seed phrase with anyone. You may make an exception with trusted parties like family members or close friends, as long as you can be sure you want these people to know your seed phrase just in case. But do not, under any circumstances, share it with strangers online or offline.

Second, when you store your seed phrase, do so preferably offline. There are ways to engrave seed phrases if you do not want to use an old-fashioned pen and paper. You can also use a computer to store your seed phrase; however, it should be a separate computer from the one you use for transactions, and it should not be used for accessing the internet.

How to Store Your Crypto Safely

Next, you want to make sure that your crypto is safe wherever you keep it.

First, you should use different wallets for different purposes. For example, you may store some crypto on a centralized exchange — but that should not usually be the crypto you intend to hold on to for a long time. The rules of thumb should be:

Use a hardware wallet for long-term investments;
Use a software wallet for smaller investments and interactions with protocols;
Use a centralized exchange if you trade, swap or buy crypto.

Second, you should be careful with the protocols you interact with. You should periodically check which protocols have access to your wallet. Here is a guide on how to revoke token approvals for protocols you don't interact with.

Finally, be careful with the transactions you sign. Remember that a fake transaction can drain your wallet, so only sign the transactions you are certain to be legitimate.

How to Secure Your Devices and Internet Connection

Another important aspect of crypto safety is securing the devices you use for access andan internet connection. Ideally, you have a dedicated device only for crypto transactions. You should not sign smart contract transactions from the same computer you access certain websites with. Also using two-factor authentication is mandatory. It’s best practice to use a dedicated 2FA app like Google Authenticator instead of 2FA with SMS due to the prevalence of SIM-swapping attacks. Furthermore, your password should be at least 12 characters long.

Finally, consider using a VPN to cover your traces. A malicious party will find it harder to track you if you do not use your real IP address.

Why (and How) to DYOR

DYOR is short for Do Your Own Research and is a very important concept for crypto investments — but also an important guideline for staying safe in crypto. You should pay attention to two things:

Always double-check everything
Careful with DMs on all social platforms

First, you should always double and triple-check the addresses and networks you send crypto to. Also double-check the links you click on, particularly when it comes to decentralized applications. You may also want to do test transfers with small amounts first, in case you are unsure you are interacting with a legit protocol.

Second, DMs on Telegram, Twitter or Discord are almost always spam or scams. Do not answer them and do not ever click on a link, unless you know the sender.

How to Prevent Crypto From Being Sent to the Wrong Address

It can happen to the best of us: you need to send some cryptocurrency, but you copy-paste the wrong address or click on the wrong network. Or even worse: you happen to be a victim of a phishing attack and your funds get siphoned off.

Since crypto transactions are irreversible, you cannot generally get your crypto back. Here is a guide on how to recover cryptocurrency in the limited ways that are possible: but in short, if the transaction was really completed to an address that you do not control, your coins are gone.

Here is how to prevent sending crypto to the wrong address:

Copy and paste the recipient address or use a QR code. ALWAYS. And always double-check. You can check the first few and final few characters of the address to make sure it's correct.
If you are receiving crypto, you may want to use a domain like ENS to make it easier for people to send you crypto. Much easier to send crypto to moonboi.eth than to a long 32-character address.
Double-check the network you are sending to. If you are using a software wallet, make sure you are on the correct network. If you are withdrawing from a centralized exchange, make sure to check that you are withdrawing to the right network.

Bonus: Who Should Keep Crypto on Exchanges?

Of course, you want and need to use centralized exchanges – and most of the time they are perfectly safe, especially if we are talking about the biggest ones. There are a few instances when keeping some money on a CEX is considered an ok security practice:

If you hold some of the platform tokens like BNB or FTT, you receive discounts on fees.
If you are an active day-trader, you need to keep your capital on a CEX to trade.
If you want to swap crypto or bridge it. CEXes are often cheaper (and safer) than decentralized bridges.
If you are using staking services, your crypto will be in the exchange's cold storage.
If you are simply very forgetful or not careful with your self-custody and do not trust yourself to keep your crypto safe. Also, if you are traveling, you may not want to think about your hardware wallet all the time.

Conclusion

You can never be perfectly safe with any online money, but you can reduce the risks and the attack vectors. Keeping your crypto safe is actually pretty easy if you follow a few basic rules — and this guide will help you to protect your crypto even in a bear market.

This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap. CoinMarketCap is not responsible for the success or authenticity of any project, we aim to act as a neutral informational resource for end-users.