How to Keep Your Crypto Safe (2026): Complete Security Guide

The Golden Rules of Crypto Security

Before diving into specific tools and tactics, three rules govern everything else. Violate any of them and no amount of clever security will save you.

Not Your Keys, Not Your Coins

This phrase has been repeated so often it has become a cliché — but it remains the most important concept in crypto security. When you hold crypto on an exchange (Coinbase, Binance, Kraken, etc.), you do not actually hold crypto. You hold an IOU. The exchange holds the private keys; you hold a promise.

Exchanges can be hacked. They can freeze withdrawals. They can go bankrupt (FTX collapsed in November 2022, taking billions of dollars of customer funds with it). They can be exit-scammed. Any of these events can leave you with nothing despite the balance showing in your account.

The solution is self-custody: moving your crypto off exchanges and into a wallet where you control the private keys. For any meaningful holding — define that as whatever amount would seriously hurt you to lose — self-custody is not optional, it is essential.

Use a Hardware Wallet for Significant Holdings

A hardware wallet (also called a cold wallet or cold storage device) is a physical device that stores your private keys offline, completely isolated from the internet. Even if your computer is infected with malware, a hardware wallet signs transactions in a secure environment the malware cannot reach.

The two most trusted brands in 2026 are Ledger and Trezor. Both have strong track records, support hundreds of cryptocurrencies, and integrate with popular software wallets. Buy only from the manufacturer’s official website or authorised retailers — never from Amazon third-party sellers or eBay, where tampered devices have been sold.

Never Share Your Seed Phrase — With Anyone, Ever

Your seed phrase (also called a recovery phrase or mnemonic) is a sequence of 12 or 24 words generated when you first set up a wallet. It is the master key to every address and every asset in that wallet. Anyone who obtains those words can drain your wallet completely, instantly, from anywhere in the world.

There is no legitimate reason for anyone to ask for your seed phrase. Not customer support. Not Ledger. Not MetaMask. Not a crypto recovery service. If someone is asking for your seed phrase, they are attempting to steal your crypto. Full stop.


Exchange Security

If you do keep funds on an exchange — for active trading or while waiting to move to self-custody — apply every available security measure.

Two-Factor Authentication: Use an Authenticator App, Not SMS

Two-factor authentication (2FA) adds a second verification step to logins and withdrawals. But not all 2FA is equal. SMS-based 2FA is significantly weaker than app-based 2FA because of SIM swap attacks (covered in the operational security section below). A criminal who takes over your phone number receives your SMS codes and bypasses your account protection.

Use an authenticator app instead: Google Authenticator, Authy, or — for the most security-conscious — a hardware security key like a YubiKey. Set this up on every exchange account you have, and do it today if you have not already.

Withdrawal Whitelisting

Most major exchanges offer withdrawal whitelisting (sometimes called address whitelisting or withdrawal address management). When enabled, withdrawals can only be sent to pre-approved wallet addresses. Adding a new address typically requires email confirmation and a 24–48 hour waiting period.

This means that even if an attacker gains full access to your account, they cannot steal your funds immediately — they would need to also control your email and wait out the whitelisting delay, during which you would likely notice and act.

Enable withdrawal whitelisting on every exchange account that holds meaningful funds.

Strong, Unique Passwords

Use a password that is long (20+ characters), random, and unique to each exchange. Never reuse passwords across sites. Use a password manager (Bitwarden is free and excellent; 1Password is a strong paid option) to generate and store these.

If a data breach exposes your password from one site, a unique password ensures that breach cannot compromise your crypto accounts.


Wallet Security

Choosing a Hardware Wallet Based on Holding Size

The right level of security scales with how much you hold. Use this as a rough guide:

Holding Size         Recommended Approach
Under £500           Software wallet (MetaMask, Trust Wallet) with strong backup
£500 – £5,000        Entry-level hardware wallet (Trezor Model One, Ledger Nano S Plus)
£5,000 – £50,000     Mid-range hardware wallet (Trezor Model T, Ledger Nano X)
£50,000+             Multiple hardware wallets, multi-sig setup, professional custody consideration

If you are serious about crypto long-term, a hardware wallet is worth buying even at lower amounts. The cost (typically £50–£200) is trivial compared to any meaningful crypto holding.

Seed Phrase Storage: Never Digital

When you set up a hardware wallet or any self-custody wallet, you are given a seed phrase. Write it down on paper immediately. Then follow these rules absolutely:

  • Never photograph your seed phrase. Phone photos sync to cloud storage automatically.
  • Never type it into any computer, phone, or website. Keystroke loggers, clipboard malware, and phishing sites are everywhere.
  • Never store it in email, notes apps, password managers, or cloud drives. Digital storage is hackable.
  • Never share it with anyone, including family unless they are named beneficiaries in a secure inheritance plan.

Metal Backup Options

Paper can burn, get wet, and fade over time. For long-term storage, metal seed phrase backups are significantly more resilient. Popular options in 2026 include Cryptosteel Capsule, Bilodeau Cryptotag, and Keystone Tablet. These allow you to stamp or engrave your seed words into stainless steel or titanium plates that can survive house fires and flooding.

Store your seed phrase backup in at least two physically separate locations — for example, a home safe and a bank safe deposit box. If one location is destroyed or burglarised, the other backup saves you.


Operational Security (OpSec)

Technical security measures protect against technical attacks. Operational security protects against attacks that target you as a person.

Use a Separate Email Address for Crypto

Create a dedicated email address used only for crypto exchanges and wallets. This email address should not be associated with your name, should not appear on social media, and should not be used for anything else. This limits the blast radius if one of your accounts is compromised through phishing or data breaches.

Use a privacy-focused email provider like ProtonMail. Enable 2FA on this email account with an authenticator app.

Do Not Announce Your Holdings

Publicly announcing crypto holdings — on social media, in forums, or in casual conversation — makes you a target for:

  • Physical robbery or extortion (“$5 wrench attack”)
  • Targeted phishing and social engineering
  • SIM swap attacks (criminals specifically target known crypto holders)

This is not paranoia; it is basic risk management. Treat your crypto holdings like you would your bank balance: private.

SIM Swap Protection

SIM swapping is when a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. This gives them your SMS 2FA codes and the ability to reset accounts via phone number.

Protect yourself by:

  • Setting a PIN or passcode with your mobile carrier that must be provided before any account changes
  • Using authenticator app 2FA instead of SMS on all accounts
  • Not publicly linking your phone number to your identity in crypto spaces

Recognising Common Crypto Scams

Fake Support DMs

On Twitter/X, Discord, and Telegram, scammers monitor crypto discussions and DM users who mention problems with their wallets or exchanges. They pose as official support staff and eventually ask for your seed phrase or private key to “verify your wallet” or “process a refund.”

Legitimate support from any real company will never contact you via DM and will never ask for your seed phrase. Ever.

Giveaway Scams

“Send 1 ETH and receive 2 ETH back.” Fake giveaways impersonating Elon Musk, Vitalik Buterin, Coinbase, and other high-profile names flood social media constantly. The mechanism is always the same: send crypto to receive more back. No legitimate crypto giveaway works this way. It is always a scam.

Approval Phishing

This is one of the more technically sophisticated scams. You connect your wallet to a DApp (decentralised application) that appears legitimate — a fake NFT marketplace, a fake DeFi protocol — and are prompted to approve a transaction. That “approval” actually grants the malicious smart contract unlimited access to spend tokens from your wallet.

Regularly audit and revoke token approvals using revoke.cash. Before approving any transaction, understand what you are approving.
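"Understand what you are approving" is concrete: the transaction your wallet shows is calldata, and an approval is one of two standard functions whose arguments you can read before signing. The following is an added example, not code from this guide, revoke.cash, or any wallet: it decodes ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)` calldata and attaches a risk verdict, flagging the unlimited allowance (2^256-1) that approval phishing relies on and recognising a zero-amount approve as the revocation that revoke.cash performs. The two function selectors are the standard ones; the spender addresses and calldata samples are constructed for the demonstration and are not real contracts or transactions.

```python
MAX_UINT256 = 2**256 - 1

# Standard 4-byte selectors (first four bytes of keccak256 of the signature).
# Hard-coded because the Python standard library has no keccak256.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator
}


def decode_approval(calldata: str) -> dict:
    """Decode approve/setApprovalForAll calldata and attach a risk verdict."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    func = SELECTORS.get(selector)
    if func is None:
        # Not an approval call (a transfer, swap, ...); outside this check's scope.
        return {"function": None, "selector": selector, "risk": "not an approval", "detail": ""}
    args = data[4:]
    if len(args) < 64:
        raise ValueError("truncated arguments")
    # ABI encoding: every argument occupies 32 bytes; an address is right-aligned in its word.
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:64], "big")
    result = {"function": func, "spender": spender}
    if func.startswith("approve"):
        result["amount"] = value
        if value == 0:
            result["risk"], result["detail"] = "none", "revocation: allowance set to zero"
        elif value == MAX_UINT256:
            result["risk"] = "high"
            result["detail"] = "unlimited allowance: spender can drain this token balance at any time"
        else:
            result["risk"], result["detail"] = "medium", f"bounded allowance of {value} base units"
    else:
        approved = value != 0
        result["approved"] = approved
        if approved:
            result["risk"], result["detail"] = "high", "operator approved for every token in this collection"
        else:
            result["risk"], result["detail"] = "none", "operator approval removed"
    return result


def encode_approve(spender_hex: str, amount: int) -> str:
    """Build approve(address,uint256) calldata; used here only to construct samples."""
    return ("0x095ea7b3" + spender_hex.lower().removeprefix("0x").rjust(64, "0")
            + amount.to_bytes(32, "big").hex())


def encode_set_approval_for_all(operator_hex: str, approved: bool) -> str:
    """Build setApprovalForAll(address,bool) calldata; used here only to construct samples."""
    return ("0xa22cb465" + operator_hex.lower().removeprefix("0x").rjust(64, "0")
            + int(approved).to_bytes(32, "big").hex())


# Constructed sample addresses (not real contracts).
PHISHING_SPENDER = "0x" + "11" * 20
NFT_OPERATOR = "0x" + "22" * 20

SAMPLES = {
    "unlimited": encode_approve(PHISHING_SPENDER, MAX_UINT256),
    "bounded": encode_approve(PHISHING_SPENDER, 1_000 * 10**6),  # 1,000 units of a 6-decimal token
    "revoke": encode_approve(PHISHING_SPENDER, 0),
    "nft_all": encode_set_approval_for_all(NFT_OPERATOR, True),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = decode_approval(data)
        print(f"{name:10} {r['function']:32} risk={r['risk']:7} {r['detail']}")
```

A "high" verdict is not proof of fraud (legitimate DEXes also ask for unlimited allowances for convenience), but it is the moment to stop, confirm the spender address against the project's official documentation, and prefer approving only the amount you are about to spend.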

Fake Investment Platforms (Pig Butchering)

A stranger contacts you on social media or a dating app, builds a relationship over weeks or months, then introduces you to a crypto investment platform with extraordinary returns. The platform shows your balance growing. When you try to withdraw, you are told to pay “taxes” or “fees.” The platform eventually disappears.

This is the pig butchering scam — so named because the victim is fattened up before being slaughtered. It is one of the fastest-growing and most financially devastating scams globally.


Crypto Security Checklist

Use this table to audit your current security posture:

Security Measure                                   Status            Priority
Authenticator app 2FA on all exchanges             Done / Not Done   Critical
Withdrawal whitelisting enabled                    Done / Not Done   Critical
Hardware wallet for significant holdings           Done / Not Done   Critical
Seed phrase stored offline only (paper/metal)      Done / Not Done   Critical
Seed phrase stored in 2+ separate locations        Done / Not Done   High
Unique strong password per exchange                Done / Not Done   Critical
Dedicated email for crypto accounts                Done / Not Done   High
PIN/passcode set with mobile carrier               Done / Not Done   High
Token approvals audited (revoke.cash)              Done / Not Done   Medium
Social media: holdings not publicly shared         Done / Not Done   Medium

FAQ

Q: Is it safe to leave crypto on Coinbase or Binance long-term?

A: Major regulated exchanges like Coinbase are safer than smaller ones, but no exchange is risk-free. The FTX collapse showed that even large, well-regarded platforms can fail. For long-term holding of significant amounts, move to self-custody with a hardware wallet.

Q: What happens if I lose my hardware wallet?

A: Nothing, as long as you have your seed phrase. A hardware wallet is just a device for accessing your keys — the keys themselves are derived from your seed phrase. Buy a new device, enter your seed phrase during setup, and your funds are restored.

Q: Can I store my seed phrase in a password manager?

A: No. Password managers are digital and connected to the internet, making them vulnerable to breaches, malware, and account compromise. Your seed phrase must be stored offline on paper or metal only.

Q: How do I know if a crypto website is legitimate?

A: Bookmark official sites directly from verified sources (the project’s official documentation or social media). Never click links in emails or DMs. Check the URL character by character for subtle misspellings (e.g., “rnetamask.io” instead of “metamask.io”). Use browser extensions like MetaMask’s own extension rather than third-party sites.
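The character-by-character check above can be partly automated against your own bookmark list. The following is an added example, not code from this guide or from any wallet vendor: it takes the domain out of a URL, reports non-ASCII homoglyph characters, catches a trusted name used as a subdomain of some other domain, folds look-alike character pairs ("rn" read as "m", "vv" as "w", digits for letters) and treats anything within two edits of a trusted domain as a lookalike. Only metamask.io and revoke.cash come from the page; the other allowlist entries, the confusable table and the sample URLs are assumptions constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlsplit

# Your own bookmark list: the only source of a "trusted" verdict.
# metamask.io and revoke.cash are named on the page; the other entries are assumed.
TRUSTED_DOMAINS = {"metamask.io", "revoke.cash", "ledger.com", "trezor.io"}

# Character sequences that read alike in common fonts. Applied to the candidate only,
# and only after an exact match has already failed, so legitimate names are never altered.
CONFUSABLE_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(host: str) -> str:
    for seq, repl in CONFUSABLE_FOLDS:
        host = host.replace(seq, repl)
    return host


def registrable_domain(host: str) -> str:
    # Naive: the last two labels. Fine for .io/.com/.cash; a production check would
    # consult the Public Suffix List so that e.g. co.uk is handled correctly.
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> dict:
    """Return {'host', 'verdict': 'trusted' | 'lookalike' | 'unknown', 'notes': [...]}."""
    host = unicodedata.normalize("NFKC", (urlsplit(url).hostname or "").rstrip(".").lower())
    notes = []
    if not host.isascii():
        notes.append("non-ASCII characters in domain (possible homoglyph)")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "trusted", "notes": notes}
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + "."):
            notes.append(f"'{trusted}' used as a subdomain of {registrable_domain(host)}")
            return {"host": host, "verdict": "lookalike", "notes": notes}
    folded = fold_confusables(host)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted:
            notes.append(f"reads as '{trusted}' after confusable folding")
            return {"host": host, "verdict": "lookalike", "notes": notes}
        if levenshtein(host, trusted) <= 2:
            notes.append(f"within 2 edits of '{trusted}'")
            return {"host": host, "verdict": "lookalike", "notes": notes}
    return {"host": host, "verdict": "unknown", "notes": notes}


# Constructed sample URLs for the demonstration (the lookalikes are not known live sites).
SAMPLE_URLS = [
    "https://metamask.io/download",           # exact bookmark
    "https://rnetamask.io/",                  # the example from the FAQ: 'rn' for 'm'
    "https://metamask.io.example.net/login",  # trusted name as a subdomain of another domain
    "https://m\u0435tamask.io/",              # Cyrillic 'е' (U+0435) in place of Latin 'e'
    "https://example.org/",                   # not in the list, not close to anything in it
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify_url(u)
        print(f"{r['verdict']:9} {r['host']:28} {'; '.join(r['notes'])}")
```

Note what the verdicts mean: "trusted" requires an exact match with your own bookmark, "lookalike" is a reason to close the tab and reopen the site from the bookmark, and "unknown" is not "safe", it just means the heuristics found nothing; the naive two-label registrable-domain rule is a known limitation.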

Q: Is SMS 2FA better than no 2FA?

A: Yes — SMS 2FA is better than nothing, but it is significantly weaker than authenticator app 2FA. Upgrade to an authenticator app as a priority.

Q: What should I do if I think my wallet has been compromised?

A: Act immediately. Move all funds from the compromised wallet to a new wallet (with a new seed phrase) as fast as possible. Do not try to revoke permissions first — transfer funds to safety first. Then investigate how the compromise occurred.

