# Crypto Security 101

**Published by:** [chosta.eth](https://paragraph.com/@chosta/)

**Published on:** 2022-06-10

**URL:** https://paragraph.com/@chosta/crypto-security-101

## Content

I've been meaning to write about crypto security for quite a while. The urgency increases daily as I see many accounts getting their assets stolen. So here it is — my take on crypto security based on my personal experiences and research. I'll try to address the most common threats, bust some myths and confirm some others, and give some simple but handy tips on how to protect your crypto assets (or any assets whatsoever).

### A brief introduction

Taking advice from anons on the internet is generally not recommended, so I guess I need to introduce myself and give you a reason to trust me… Well, you should only trust yourselves and your research, but I needed a segue into who I am. Fullstack dev with 15+ years of web2 experience. I am a fan of *react* and *nodejs* but have been through a lot of shit during the years (I mean, *jQuery* used to make me wet). Web2 is now boring for me, so I'm trying to migrate to web3, which is not as easy as it seems, even for senior devs. A bit of solidity, a bit of ethers.js, a bit of ipfs, and a lot of patience are what you need to get started. This knowledge helped me successfully launch a PFP project called MetaSlavs (time for a shameless plug, I guess… You should check it out and ape in if you have some spare ETH — https://metaslavs.com or simply join our discord and talk about crypto security).

### The problem

Cyber security is and will always be relevant. As long as there's something of value, there's a bad actor who will try to steal or destroy it. Crypto is no exception. The paradox is that its good parts are also its biggest enemies. Transparency, immutability, fast settlement, and consensus mechanisms are all great until someone uses them against you.
I've been in crypto for more than five years, with 2021 being the most active in that regard, and boy, I've seen a lot of people and accounts getting hacked and brought to a zero balance. I managed to get hacked myself too. This often happens because it is easy to transfer funds from one wallet to another. There is also no one to complain to and no support to help you return your assets. If you fuck up, you are done (well, almost).

### The most common scenarios

#### Trojan attack

You may think trojan viruses are a thing of the past, but they are resurfacing with the start of mainstream crypto adoption. The simple reason is that most users are introduced to crypto by installing the metamask browser extension. It is an extension that every crypto native loves and hates simultaneously. As you may already know, metamask needs a password and a seed phrase to generate your private keys (I'm going to skip the intro to cryptography, but if you are interested in learning more about it, I highly recommend "The Code Book" by Simon Singh). So it would be best to keep the seed phrase as private as possible and write it down on a piece of paper, blah blah… Unfortunately, a trojan is going to get to it; you are not safe even if you've only stored it in a non-digital way. Everything, of course, depends on the trojan version. Unfortunately, the newest and most dangerous ones immediately attack the metamask, as well as your stored passwords that start with 'coin' and end in 'base.'

True story — a friend of mine got a trojan recently and called me immediately for help. He opened a corrupted file that was supposed to be a project description. While we were on the phone considering our moves, he got a message that someone had changed his coinbase password! The account was done. Luckily he lost just $50.

***HOW TO PROTECT OURSELVES FROM THIS KIND OF ATTACK***

- Have a freaking anti-virus on, especially if you are on windows. It's an urban legend that anti-virus software does more harm than good. It may save your fortune and protect you from ransomware. I use AVG; it's spammy, but it works.
- Always "lock" your metamask whenever you are not making a transaction. This little trick can save your ass, as the perpetrator would most likely not get to your seed phrase because it is encrypted with your metamask password.
- Use a password manager. This, I can't recommend enough. If you want to be serious about security, all your passwords need to be strong and stored in a manager like 1password or KeePass. I use both. If you use weak and repeated passwords and "save them" in your browser, they will be compromised as soon as the trojan kicks in.
- Use 2FA. If you don't know what that is, you are in big trouble. Please read about it and add it to as many of your accounts as possible.

***HOLY SHIT, THE TROJAN IS IN***

Rule number one is "Don't Panic". Remember that and repeat it a couple of times if you have to. Not all is lost, and you can salvage a lot before the damage is done, but you need to keep your CALM.

- Start changing the passwords directly connected to bank accounts or any app that stores sensitive and valuable information. Fuck social media accounts. Save your assets first!
- If you have a secondary device or OS (laptop, dual OS, even a tablet) and you have your seed phrases close by, go and do a fresh metamask installation, add your seed phrase, and try to move everything to a safe address (send it to your coinbase, bitstamp, or binance addresses; it should be safe there for a while if you have 2FA on).
- Once your most critical passwords have been changed, start changing all others. Don't be lazy! If the attacker gets to a seemingly inactive account, they might be able to log in and find additional valuable information like your address, personal phone number, etc. This will give them different targets and angles to do more harm.
- Move any files that hold personal information to a separate device that already has anti-virus software running.
- Do a fresh OS installation. Yes, there is no other way to get rid of a trojan forever. Running anti-virus software after the trojan has entered won't do any good. Just kill it with fire by re-installing and formatting everything.

#### Phishing

One of the most dangerous and ruthless ways to steal your belongings is phishing. A phishing attack is when an attacker disguises a fake web interface or URL as a legitimate one; the fake then executes a script that gets hold of your assets. The power of this approach is that users shoot themselves in the foot by interacting with the web interface and accepting the terms and conditions, believing they are doing the right thing. A well-executed phishing attack can fool even the most experienced web3 users.

I got hacked recently in such a way. I was exploring uniswap on a different network (optimism) and wanted to add the network to my metamask. I got a suggestion from a website that I had found through a google search to add the network properties automatically (because metamask has a terrible UX anyway, and I was lazy). Upon clicking, I probably compromised my seed phrase, and my assets were drained in a matter of hours. It was an expensive lesson to learn.

Another example of a typical phishing attack is through well-known services like email. For example, OpenSea sends emails to users whenever an interaction with their NFTs happens, like selling or buying. The trick is that the attacker sends an exact copy of a legitimate item interaction using a fake opensea email account. Upon clicking on the link (view item, for example), the unprepared user might be redirected to a seemingly known interface, a one-to-one copy of an existing OpenSea interface. If the user interacts with their metamask and approves a transaction, the attacker gains access to the user's assets and can transfer them quickly.

The most blatant and surprisingly efficient phishing method I've seen is the exact replacement of the metamask.io website.
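The "add this network automatically" suggestion in the uniswap/optimism story arrives at the wallet as a `wallet_addEthereumChain` request (EIP-3085), and the wallet shows you the chain ID, RPC URL, explorer and currency before you accept. As an added example, not code from the original post, here is a checker that compares such a request with a small registry of network parameters you have verified yourself. The registry shape, the two sample requests and the look-alike RPC host are constructed for the demo; the Optimism values are the publicly documented ones, but treat them as an assumption and confirm them from a source you trust rather than from the dapp asking you to add the network. A rogue RPC endpoint can misreport balances and transaction results, so a mismatching RPC URL is the thing to refuse.

```javascript
// Added example, not code from the original post: sanity-check a
// wallet_addEthereumChain request (EIP-3085) against network values you
// verified yourself before accepting it in the wallet.
// TRUSTED_CHAINS is a constructed allowlist; fill it from sources you trust,
// never from the dapp that is asking you to add the network.
const TRUSTED_CHAINS = {
  // Optimism mainnet, chain ID 10. RPC and explorer are the publicly
  // documented ones; treat them as an assumption and confirm them yourself.
  10: {
    chainName: "Optimism",
    rpcUrls: ["https://mainnet.optimism.io"],
    blockExplorerUrls: ["https://optimistic.etherscan.io"],
    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
  },
};

// chainId arrives as a hex string ("0xa"), sometimes decimal; normalise to a number.
function parseChainId(chainId) {
  if (typeof chainId === "number") return chainId;
  if (typeof chainId !== "string") return NaN;
  return /^0x[0-9a-f]+$/i.test(chainId) ? parseInt(chainId, 16) : Number(chainId);
}

// Returns a list of problems; an empty list means every field matches the registry.
function checkAddChainParams(params) {
  const id = parseChainId(params.chainId);
  if (!Number.isInteger(id)) return ["chainId is not a valid integer"];
  const known = TRUSTED_CHAINS[id];
  if (!known) return [`chainId ${id} is not in your verified registry`];

  const problems = [];
  const rpcs = params.rpcUrls || [];
  if (rpcs.length === 0) problems.push("no RPC URL given");
  for (const url of rpcs) {
    if (!url.startsWith("https://")) problems.push(`RPC URL is not https: ${url}`);
    if (!known.rpcUrls.includes(url)) problems.push(`unexpected RPC URL: ${url}`);
  }
  for (const url of params.blockExplorerUrls || []) {
    if (!known.blockExplorerUrls.includes(url)) problems.push(`unexpected explorer URL: ${url}`);
  }
  const cur = params.nativeCurrency || {};
  if (cur.symbol !== known.nativeCurrency.symbol || cur.decimals !== known.nativeCurrency.decimals) {
    problems.push(`native currency mismatch: got ${cur.symbol}/${cur.decimals}`);
  }
  if (params.chainName !== known.chainName) {
    problems.push(`chain name "${params.chainName}" differs from "${known.chainName}"`);
  }
  return problems;
}

// Constructed requests: "legit" is what an honest dapp would send; "rogue" is
// the same request with the RPC endpoint swapped for a look-alike host
// (".example" is a reserved placeholder domain, not a real site).
const legit = {
  chainId: "0xa",
  chainName: "Optimism",
  rpcUrls: ["https://mainnet.optimism.io"],
  blockExplorerUrls: ["https://optimistic.etherscan.io"],
  nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
};
const rogue = { ...legit, rpcUrls: ["https://mainnet-optimism.example"] };

console.log("legit:", checkAddChainParams(legit)); // []
console.log("rogue:", checkAddChainParams(rogue)); // ["unexpected RPC URL: ..."]
```

The check is deliberately strict: anything not in your own registry, including a chain ID you have never looked up, is reported, and the right response to a non-empty list is to reject the prompt and add the network by hand from the values you verified.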
If you are new to crypto, the first thing you are advised to do is install metamask. Imagine you are new to NFTs and don't have a metamask. You ask in a discord server, "Hey, how do I install metamask?", and someone might DM you, pretending they are "support," and send you a link that is a fake but exact copy of metamask.io. You install and add ETH, but your seed phrase is already compromised since you've entered it twice when generating the wallet addresses using a rigged website. I've seen this happen at least five times in the past six months, and the sad part is that the newcomers might never come back to try and enter the crypto world because their initial experience was a terrible scam. As a community of users and builders, we should do much better than just patting them on the back, saying, "Be careful, mate, it's the wild, wild west here." Of course, Metamask should also step up their game in terms of security, but that's a different topic.

***HOW TO PROTECT OURSELVES FROM THIS KIND OF ATTACK***

- Use a separate operating system that is for crypto interactions only. This might not seem like the most obvious solution to the problem, but if you are serious about web3 and want to learn, earn and be safe at the same time, it's the way to go. Having a separate OS just for crypto gives you the mindset of being focused only on dealing with transactions and security. You can have your gaming or work environment on a different laptop or PC, where you don't need to stress over each website that you open or run an anti-virus check every 5 minutes.
- Do not open **ANY** external links that anyone sends you, especially from discord or social media. Even if the link comes from your mother (especially if it comes from her), the hacker might have compromised her weak facebook (meta… blah) password to send you a malicious link.
- Once you are sure that a web3 URL is safe and is something that you use daily like uniswap or aave — bookmark it and use it from the browser's bookmarks bar. Do Not Google Web3 Apps! An attacker can find a way to trick Google's ranking algorithm and move their fake and rigged version of the website, with a slightly different name, to the top of the google search results. This is especially valid for apps on side chains that pop up every day.
- Use a hardware wallet. This is the most powerful way to protect your assets. Just get a Ledger or a Trezor. The way a HW wallet protects you is by making sure YOU confirm every metamask transaction on the device. The only way for a perpetrator to bypass it is by getting hold of the seed phrase (which should be written down on a piece of paper and stored securely).
- Lock your metamask whenever you are not doing a transaction. You don't need to be logged in unless you want to interact with the blockchain, so keep metamask closed, especially if you browse the internet or do research. This trick will significantly decrease the chances of your seed phrase being stolen.
- Add activity notifications on etherscan.io. There are two ways you'd know you've been phished: your metamask balance shows 0, or you receive a message that there is activity on your wallet address that you did not initiate. Adding an address to be monitored by etherscan.io is pretty straightforward, but you need to be a registered user.

***OMG, I GOT PHISHED***

Don't Panic. Keep your calm. Not all is lost.

OK, it happened, the perpetrator is in, and they started moving your assets. If you have set up an email notification in etherscan.io to monitor your wallet address, you might be able to salvage something. If you act fast, you can move ahead of the attacker by making a transaction (or several) to send tokens to a different wallet address (IT HAS TO BE FROM A DIFFERENT SEED; once your seed phrase is compromised, every account created in metamask from it is done).

It's imperative to keep in mind that anyone who wants to transfer assets from your wallet has to pay the gas price for the transaction in the native network token (ETH, MATIC, SOL). Unfortunately, most hackers start moving out non-native tokens first, so they always have enough of the native token to make the transactions. If you see something like that happening, you can transfer the native token immediately to a safe wallet and thus stop the attacker until someone fills the wallet with ETH again. This can become a game of cat and mouse, and if there's no bot activity involved, chances are you'll be able to win it by choosing specific times to send ETH and move out assets immediately upon tx completion.

I've read a crazy story where an experienced solidity dev got hacked. He held many valuable NFTs (Kongz mainly), and the attackers started moving them one by one. The guy remembered rule number one and didn't panic. Instead, he came up with a brilliant solution that helped him win time and salvage some NFTs. He knew that the seed was already gone, so he just sent it in chat to some NFT native friends and asked them to use the seed and move out assets simultaneously. It turned out to be a productive strategy because the attacker couldn't move them out fast enough, and his friends managed to rescue many Baby Kongz in the process.

Try to follow the money. Usually, when your assets are stolen on the blockchain, they are gone for good. You can check the transactions leading the funds out of your wallet and see where they end up. You need to report the address of the final destination, and if the hackers are big enough, they might get flagged, and their whole activity monitored.
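Two of the points above can be worked through with numbers: following a stolen asset hop by hop to the address you would report, and the gas economics behind "move the native token out first". The following is an added example, not code from the original post. The transaction log, the address labels (`0xvictim`, `0xattacker1` and so on) and the token-transfer gas figure are constructed for the demo; the 21000 gas for a plain ETH send is the protocol's intrinsic cost, and a real log would come from an explorer API or your own node.

```javascript
// Added example, not code from the original post. Constructed transaction
// log with placeholder address labels instead of real addresses.
const VICTIM = "0xvictim";
const TXS = [
  { hash: "tx1", from: VICTIM,        to: "0xattacker1", asset: "COOL_NFT#7", amount: 1n },
  { hash: "tx2", from: VICTIM,        to: "0xattacker1", asset: "USDC",       amount: 1500000000n },
  { hash: "tx3", from: "0xattacker1", to: "0xmixer",     asset: "USDC",       amount: 1500000000n },
  { hash: "tx4", from: "0xmixer",     to: "0xexchange",  asset: "USDC",       amount: 1500000000n },
  { hash: "tx5", from: "0xsomeone",   to: VICTIM,        asset: "ETH",        amount: 10n ** 17n }, // unrelated inbound
];

// Follow one asset from `start` hop by hop until it stops moving.
// Returns the addresses it passed through, first hop first; the last entry
// is the "final destination" you would report.
function traceAsset(txs, start, asset) {
  const path = [];
  const seen = new Set([start]);
  let current = start;
  for (;;) {
    const hop = txs.find(t => t.from === current && t.asset === asset && !seen.has(t.to));
    if (!hop) break;
    path.push(hop.to);
    seen.add(hop.to);
    current = hop.to;
  }
  return path;
}

// Gas economics. A plain ETH transfer costs exactly 21000 gas (intrinsic cost);
// a token or NFT transfer costs more. 65000 is an assumed typical ERC20 figure.
const ETH_TRANSFER_GAS = 21000n;
const TOKEN_TRANSFER_GAS = 65000n;

// How many token transfers can still be paid for from this ETH balance?
function affordableTokenTransfers(balanceWei, gasPriceWei) {
  return balanceWei / (TOKEN_TRANSFER_GAS * gasPriceWei);
}

// Largest amount of ETH you can sweep to a safe wallet while keeping exactly
// the gas for the sweep itself; null if the balance cannot cover even that.
function sweepableEth(balanceWei, gasPriceWei) {
  const fee = ETH_TRANSFER_GAS * gasPriceWei;
  return balanceWei > fee ? balanceWei - fee : null;
}

// Rescue plan: sweep ETH first, then show how many token moves the attacker
// could fund before and after the sweep.
function planRescue(balanceWei, gasPriceWei) {
  const sweep = sweepableEth(balanceWei, gasPriceWei);
  const fee = ETH_TRANSFER_GAS * gasPriceWei;
  const remaining = sweep === null ? balanceWei : balanceWei - sweep - fee;
  return {
    sweepWei: sweep,
    attackerTransfersBefore: affordableTokenTransfers(balanceWei, gasPriceWei),
    attackerTransfersAfter: affordableTokenTransfers(remaining, gasPriceWei),
  };
}

// Demo: 0.1 ETH left in the drained wallet at a constructed 30 gwei gas price.
const GWEI = 10n ** 9n;
console.log("USDC path:", traceAsset(TXS, VICTIM, "USDC"));      // 0xattacker1 -> 0xmixer -> 0xexchange
console.log("NFT path:", traceAsset(TXS, VICTIM, "COOL_NFT#7")); // 0xattacker1
console.log(planRescue(10n ** 17n, 30n * GWEI));                  // 51 transfers before, 0 after
```

The trace stops at the first address that has not forwarded the asset yet, which is exactly the address the text tells you to report; the rescue plan makes the cat-and-mouse point concrete: with 0.1 ETH at 30 gwei the attacker can still fund dozens of token transfers, and after one 21000-gas sweep they can fund none until someone tops the wallet up again.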
If they get flagged, it becomes almost impossible to run away with fiat money. There is an off chance that your assets get returned willingly (this has happened in the past when a significant protocol was hacked for millions).

#### Social engineering

Social engineering is used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Some examples of social engineering in crypto are:

- Impersonating support of a service like MetaMask or OpenSea — for inexperienced crypto users, a direct message in their discord from "MetaMask support" might seem like something completely normal. They politely ask the victim to click on a link to verify their metamask, and the user provides the seed to do so. Unfortunately, this happens WAY TOO OFTEN. There's no metamask support; there's no OpenSea support; it's you and your wallet. NEVER GIVE AWAY YOUR SEED PHRASE!
- If you are a big influencer or someone vocal about their crypto bags, you might become a target for social engineering. The attackers might profile you and slowly accumulate information about your personal life, habits, moods, timelines, etc. They might find out where you live, and if you are using weakly protected WiFi or no firewall, you'll be an easy target. Hacking weak WiFi is relatively easy, and I've heard many stories about wallets drained through a hacked WiFi connection.
- If you are a Bored Ape Yacht Club owner and you've managed to become filthy rich in a matter of months, you might get cocky and believe that you are somehow special and better than the rest of us 9to5 grinders. Sometimes, you get so high on arrogance that you don't care what you click or who you give your seed phrase to. You don't even bother reading a simple guide on protecting your crypto assets. Luckily, attackers know this, and they can study your behavior and politely ask you for your seed. After giving it to them, you lose the apes that you worked so hard for, go back to working at McDonald's, and balance in the universe is restored.

***HOW TO PROTECT OURSELVES FROM THIS KIND OF ATTACK***

- Don't boast about your crypto assets. Be humble, respectful, and share the knowledge with others. Try to focus on making connections with people, teach them what you know and warn them about potential dangers. Be a decent human being.
- Don't use a weakly protected WiFi connection. If possible, don't use WiFi at all. Instead, get a VPN service to reduce the risk of attackers detecting your location.
- Avoid Direct Messages with anyone. There's a setting in discord that disables direct messages from server members by default. I use it all the time and can still find a way to connect with people. If someone needs to get to you, they can write in a public channel so everyone can see. If they have malicious intent, mods will sniff them out immediately.
- If you are a BAYC holder, use your influence to do good. Spread the word of crypto, share the things you've learned (not your seed).

***HELP, I GOT SCAMMED***

You guessed it! Rule number one — "Don't panic".

All previous advice on what to do when you get a Trojan or become a victim of Phishing applies to social engineering attacks too. Just recheck it.

One thing you should most definitely not do is blame yourself if you fall victim to a scam. Social engineering works because the attackers are good at making you feel in safe hands. Even the most experienced security experts can be tricked if they don't pay enough attention. So no, you are not dumb. Next time be more cautious, to the point where you feel like you are becoming paranoid. This is the sweet spot; keep yourself in there.

Tell your story. Don't be ashamed. Just go out and talk, write about it. Share screenshots and warn others about what's been done to you. Chances are, the attacker might not be so successful next time since you gave the warning.

What follows are some pro tips on crypto security that I recommend you remember and use:

- Don't panic, don't be lazy, and be paranoid.
- Use a hardware wallet.
- Use a separate environment for crypto transactions only (not crypto research, just plain transactions).
- Bookmark your most commonly used web3 apps. Before bookmarking them, make sure you enter the correct URL and double-check if you have to. Don't use Google to find an app URL.
- Don't open ANY links sent to you on your crypto-only OS. Likewise, don't download torrents there.
- Don't watch porn on your crypto-only OS.
- Use a burner wallet to mint or interact with new and unproven crypto websites.
- Check transaction details in metamask — if you are unsure about a transaction, check its details in the DATA tab. For example: which address does it interact with, what permissions do you give the smart contract over your wallet, and what input data do you send.
- If you fear that you have given permissions to a smart contract that you shouldn't have, you can revoke them by using a service like debank.com.
- When you send a significant amount of an ERC20 token or ETH to a new and unknown address, send a small amount first to see if the transaction goes through. Better safe than sorry.
- Don't use public WiFi, or WiFi at all if possible. Use a mobile device with a 5G connection instead.
- Check the last four digits of the address you are interacting with when sending assets (malware can fake copy your shit). Do the same when you provide your OWN address!
- Lock your metamask whenever you are not making a tx.
- Use a VPN.
- Don't google for tools or apps, or if you have to, double or triple check the website name and extension and whether the website looks legit.
- Use a password manager like *1password* or KeePass2.
- Avoid moving around seed phrases.
- Avoid importing private keys.
- Store seeds on paper — if you don't trust the paper or yourself, store it in a password manager.
- Set notifications on etherscan.io to follow your wallet address transactions.
- Use multiple browsers with different seeds (chrome, Mozilla, brave).
- You can try to remember your seed, as it is comprised of 12–24 human-readable words. Just make sure you exercise and check on it every once in a while, as your brain might fail you.
- If you don't want to remember the whole seed — write it down and change just one of the words. REMEMBER what you've changed. Then, in case your paper with the seed gets compromised, you have a chance of recovering your assets before the attacker brute forces your seed.
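The "check the DATA tab" and "revoke permissions" tips both come down to reading what a transaction actually asks for. The most common thing a phishing page asks you to sign is an ERC20 `approve(spender, amount)`, and its calldata has a fixed layout: a 4-byte function selector, then the spender address padded to 32 bytes, then the amount as a 32-byte integer. The decoder below is an added example, not code from the original post. The two addresses and the sample calldata are constructed placeholders; the selector `095ea7b3` is the standard one for `approve(address,uint256)`.

```javascript
// Added example, not code from the original post: decode the calldata of an
// ERC20 approve() call so you can see which spender gets what allowance before
// confirming it in the wallet.
// Selector = first 4 bytes of keccak256("approve(address,uint256)").
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance many dapps request

// Parse "0x" + selector + 32-byte spender word + 32-byte amount word.
// Returns null if the data is not a plain approve() call of that shape.
function decodeApprove(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  if (hex.length !== 8 + 64 + 64) return null;
  if (hex.slice(0, 8).toLowerCase() !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  if (!/^0{24}/.test(spenderWord)) return null; // upper 12 bytes must be zero padding
  const spender = "0x" + spenderWord.slice(24).toLowerCase();
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Encoder used only to build demo calldata (what a dapp's "Approve" button
// would hand to the wallet).
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Turn the decoded call into the questions the tip asks: who is the spender,
// is it the contract you meant to use, and how much can it move?
function reviewApprove(data, expectedSpender) {
  const d = decodeApprove(data);
  if (!d) return { ok: false, warnings: ["not a plain approve() call; inspect manually"] };
  const warnings = [];
  if (expectedSpender && d.spender !== expectedSpender.toLowerCase()) {
    warnings.push(`spender ${d.spender} is not the contract you meant to use`);
  }
  if (d.unlimited) warnings.push("unlimited allowance: the spender can move your whole balance");
  return { ok: warnings.length === 0, spender: d.spender, amount: d.amount, warnings };
}

// Constructed placeholder addresses, not real contracts.
const ROUTER = "0x1111111111111111111111111111111111111111";
const STRANGER = "0x2222222222222222222222222222222222222222";
const goodData = encodeApprove(ROUTER, 1000n * 10n ** 6n); // 1000 units of a 6-decimal token
const badData = encodeApprove(STRANGER, MAX_UINT256);       // unlimited, to an unknown spender

console.log(reviewApprove(goodData, ROUTER)); // ok: true
console.log(reviewApprove(badData, ROUTER));  // two warnings
```

An allowance that decodes as `unlimited` to a spender you did not expect is the signature you should refuse; if one already went through, that spender/amount pair is exactly what a revocation service shows you so you can set it back to zero.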
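The bookmarking and "double or triple check the website name and extension" tips are something a script can help with on the crypto-only machine: compare the host of any URL you are about to open against the bookmarks you verified by hand, and flag the near misses (one-character swaps, a trusted name used as a subdomain of something else, a plain-http downgrade). The following is an added example, not code from the original post; the bookmark list and the test URLs are constructed, and the two-label "registrable domain" rule is a simplification that fits the names in that list rather than a general public-suffix check.

```javascript
// Added example, not code from the original post: classify a URL against a
// hand-verified bookmark list. BOOKMARKS is constructed for the demo.
const BOOKMARKS = ["app.uniswap.org", "app.aave.com", "metamask.io", "etherscan.io"];

// Levenshtein edit distance, used to catch one- or two-character look-alikes.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Registrable part of a host: last two labels. Good enough for the .org/.com/.io
// names above; a public-suffix list is needed for the general case (assumption).
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// Verdicts: "trusted" (exact bookmarked host over https), "suspicious"
// (close to a bookmark but not it), "unknown" (nothing to do with your list).
function classifyUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { verdict: "unknown", reason: "not a valid URL" }; }
  const host = url.hostname.toLowerCase();

  if (BOOKMARKS.includes(host)) {
    if (url.protocol !== "https:") return { verdict: "suspicious", reason: "bookmarked host over plain http" };
    return { verdict: "trusted", host };
  }
  // Internationalised labels can hide homoglyphs; none of the bookmarks use them.
  if (host.split(".").some(label => label.startsWith("xn--"))) {
    return { verdict: "suspicious", reason: `internationalised label in ${host}` };
  }
  for (const b of BOOKMARKS) {
    // A trusted name appearing as a subdomain of something else, e.g. metamask.io.example
    if (host.startsWith(b + ".") || host.includes("." + b + ".")) {
      return { verdict: "suspicious", reason: `${b} used as a subdomain of ${registrable(host)}` };
    }
    if (editDistance(registrable(host), registrable(b)) <= 2) {
      return { verdict: "suspicious", reason: `${host} is within two edits of ${b}` };
    }
  }
  return { verdict: "unknown", host };
}

// Constructed test URLs (".example" is a reserved placeholder domain).
const SAMPLES = [
  "https://app.uniswap.org/",
  "http://app.uniswap.org/",
  "https://app.unlswap.org/",
  "https://metamask.io.example/download",
  "https://github.com/",
];
for (const s of SAMPLES) console.log(s, "->", classifyUrl(s));
```

Anything that comes back `suspicious` is precisely the case the tips warn about: a site that looks like your bookmark but is not it, so the answer is to open the real bookmark instead rather than to read the page more carefully.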