Losing your funds in crypto due to poor security is VERY common. An estimated amount of $14 billion in 2021 has been lost to exploits, hacks and crypto scams.
More specifically, for small time users like us, we are also very vulnerable to many scams and phishing attempts on our wallets.
Horror stories of getting scammed by “help support desk”, entering a fake Discord giveaway, or clicking on what seemed to be a legitimate looking URL – these are things that could happen to anyone if they are not careful enough.
In fact in April, some of the BAYC NFT holders lost their prized NFTs after the BAYC Instagram account was hacked. The scammer baited users into a fake Airdrop link, and gone were the prized monkey NFTs of affected users, worth almost $3 million dollars.
So how do you, as a user, learn to protect yourself from the dangers in the crypto space?
Firstly, you can refer to our guide on the different types of wallets, and what a hot vs cold wallet means here:
Here are some of the other safety practices and tips that everyone should follow:
Checking for suspicious websites and URLs
You should always be careful in whatever you click on, especially when interacting with social media that is related to crypto.
Hackers are also getting really creative in replicating existing products from the legitimate ones. Be extra careful!
Some common examples are:
- Receiving a giveaway link on Discord that prompts you to click on it.
- Search for a crypto project on the search engine and clicking on the first link, without checking if it was the appropriate URL.
In the case of the BAYC Instagram account hack, the underlying mechanism for taking user funds was the same: a simple phishing URL was employed to bait users to sign a transaction that transferred their NFTs out.
- Help support desk will NEVER ask for your seed phrase or access to your wallet
Sometimes, you might be asking questions regarding a crypto project in its Telegram group. You might receive a DM from someone that has the same profile pic and “user name”, claiming to provide support. He will eventually ask you to enter a website where you input certain details… such as your seed phrase.
Well, be careful! That person could be a copy cat. He is pretending to be the admin of the telegram group and has adjusted his username , usually by one letter (e.g @HelloIAmTheRealAdmin versus @HelloIamTheRealAdmin). This does not just apply to Telegram, but on Discord, Twitter, any other website, and even your email as well.
Here is an email scam example that requires you to “verify” your wallet… Be careful!
Never store your seed phrase online
You should NEVER store your seed phrase or private keys on an application or device connected to the Internet. This means that you should never store it on your PC, mobile or tablet. Do not share it with anyone, take a picture of it, keep it in an email/Google Docs, or print it out.
You could also try using an alert bot that tracks any sudden movement or outflow of funds from your wallets. One bot that I like to use is the EtherDrops tracking bot on Telegram. The bot has currently integrated with ETH, Fantom, BSC and AVAX. Once something happens, you can be immediately alerted and transfer your funds out immediately.
Very often, you might be interacting with a platform that has connected to your Metamask wallet. The dApp needs your approval to access and move tokens in your wallet to do things like buy/sell, provide liquidity etc.
However, the default permissions that allows the dApp to access and move our tokens are often UNLIMITED.
What I like to do is to revoke permissions especially for older protocols that I have approved but have not used for a long term.
I like to use Debank to revoke token approvals. A Youtube tutorial on how to use Debank and revoke permissions can be found here:
Check for verified accounts/symbols
This is mostly applicable to websites like Twitter (where verified accounts have a checkmark), as well as NFT marketplace such as Opensea. Verified accounts and collections are more trustworthy. This can prevent you from accidentally minting “fake”/”copied” collections of NFTs, or worse, go to a phishing site on Twitter for a project and click on the wrong link.
Use a hardware wallet
To me, this is a must when it comes to protecting your funds. A hardware wallet helps to keep your private keys offline. This helps to prevent you from getting threats from malware that you might not be aware of, even if you do not click on suspicious looking websites.
My Wallet Has Been Compromised. What Should I Do?
It is almost impossible for your funds to be recovered once it has been transferred out. What you should do is the following:
- Reinstall your Metamask/Trust/other hot wallet extensions on your browser
- Create a new ‘wallet’
- Write down your new seed/recovery phrase physically. Do not share it with anyone, take a picture of it, keep it in an email/Google Docs, or print it out.
- If you still have gas, send funds from your old wallet to the new one, and stop using the old wallet immediately.
- In the future, if you still do not have a hardware wallet, then please use it!
For those that may still be in doubt and are wary of a new project, or someone messaging you, do feel free to reach out to us in our social channels such as our Telegram and Discord!
Of course, our admins will never DM you, so be wary of the “copycat” admin that is pretending to be us. Make a check for the usernames and chat history to be extra careful.
When it comes to our community, one of our staff members and crypto investor, Tze, was also victim of an attack in the past. You may have seen him in this video here:
Tze was initially using a Metamask hot wallet, and he did not recall clicking on any suspicious links for any website. He was also quite wary of any Telegram/Discord scams that are ongoing, and regularly revokes his permissions for smart contracts.
However, he still suffered an attack on his wallets and his ETH was transferred out.
Luckily, as he was using the EtherDrops alert system, he was able to quickly identify what was happening. The attacker actually sent back a small amount of ETH to his old wallet as gas in order to transfer out his NFT collections that was untouched, but Tze took the chance to immediately transfer out his own NFTs to a new wallet he created quickly.
Ever since the experience, he is even more wary has also been using a Ledger wallet.
We hope that these helps you to prevent your funds from ever being lost.
Personally for seed phrases, writing on a piece of paper is safe but just in case that piece of paper gets destroyed, (fire, water, etc… you never know right?) I would suggest laminating or engraving it on a metal sheet (on your own). This might be quite a hassle but if it helps you to sleep at night go ahead.
As always, not your keys, not your coins. And if crypto and self-ownership is the future, then perhaps we should all take responsibility for our own funds and security.
Featured Image Credit: Chain Debrief
[Editor’s Note: This article does not represent financial advice. Please do your own research before investing.]