Whether your Bitcoin (BTC) is worth $69,000 or $21,000, there’s a bad guy out there who wants to get their hands on it – badly. We may well be in a bear market or a “crypto winter,” but, to coin a phrase, there’s no such thing as a bear market for crooks.
A quick scan of just this past week’s headlines reveals crypto scamming and theft is still a booming business. Analytics firm Chainalysis estimates $14 billion in crypto was swiped last year by hackers and scammers.
We’ve already gone through some of the red flags you need to look out for to avoid becoming the victim of a crypto scam, that is to say, handing over your crypto willingly to a bad actor.
But the flip side of that coin is out-and-out theft. Cryptocurrency is unbreakable, but, unfortunately, the systems we use to buy, sell, and hold coins are far from fail-safe. It can be all too easy for even seasoned crypto owners to slip up and let thieves in through the proverbial backdoor.
In fact, you don’t even need a bad guy in the equation to slip up and lose your crypto – transactions are largely irreversible by design. There’s no Customer Support department to call and reverse the transaction when you goof.
And it’s all too easy to forget a passkey or lose track of a disk drive. Crypto data firm Glassnode puts the number of “lost-forever” Bitcoins at 3 million. That’s around 16% of all Bitcoins in existence. At today’s prices, that’s around $63 billion in value.
So clearly, when it comes to crypto, you must be the fail-safe – the proverbial last line of defense.
I’m here to help – I’m going to show you some of the techniques and methods I’ve learned in my 10-plus years as a successful crypto miner and investor. This guide will help you keep your crypto where it belongs – your wallet.
What to Watch Out for Now
Exchange hacks: As I said, crypto itself is unbreakable, but the exchanges where we trade it can be astonishingly easy – and tempting – for hackers. Last year alone, there were more than 20 separate hacks of crypto exchanges that caused losses of more than $100 million.
What you can do: A mantra among crypto veterans is “Not your keys, not your crypto.” That means you don’t have the same full control and possession of crypto you have stored on an exchange as you do with a private wallet stored on your PC or with a hardware wallet. You only want to have crypto on an exchange when you’re trading it. Otherwise, move it to a private wallet for safekeeping.
Phishing scams: A form of “social engineering,” phishing scams seek to trick you into surrendering your crypto voluntarily. Scammers typically send phishing texts or e-mails (although sometimes you’ll see these on social media as well) to lure victims to fake websites that look like legitimate, well-known exchanges.
Often the e-mail warns of some sort of problem with the user’s account, and that they need to fix it immediately or their account will be closed. But all links take the victim to the fake website. When the victim types in their credentials, the info is sent to the scammer – who can then use them to access the victim’s real exchange account and promptly drain it.
What you can do: Treat e-mails from exchanges with a healthy dose of skepticism – and then some. Try to go to the exchange site directly to do business. And when on an exchange site, double-check the address bar to make sure the URL is correct and there are no misspellings. Look for the secure badge.
Crypto “giveaways”: Scammers will create fake accounts of well-known crypto personalities on social media, especially Twitter, to trick people into sending their crypto voluntarily. So, you might see a tweet that appears to be from Ethereum (ETH) founder Vitalik Buterin that says something like, “Send me 0.5 ETH, and I’ll send you back 10 ETH!” The purported reason for the giveaway will be fake, but with a remotely plausible veneer. Of course, any crypto sent to the address listed becomes the property of the scammer. The victims receive nothing but regret.
Now, it’s very important to note we’re not talking about airdrops here. That’s when a project gives away a portion of its tokens to crypto users who qualify (such as by holding another, better-known crypto). Airdrops are legit and are used to jump-start adoption and raise awareness.
What you can do: People typically don’t just give away crypto on social media, and when they do, they don’t ask for a “donation” up front. As has been the case since the beginning of time, if it sounds too good to be true, it probably is.
“Rug pulls”: This unfortunate situation happens when the developers behind a crypto project are actually scammers. They rush together a token and hype it up. When the price moves high enough, they dump their holdings, shut the project down, and disappear.
What you can do: Watch out for young projects that are all hype and no substance. The best way to avoid rug pulls is by sticking with well-established cryptocurrencies.
SIM swap fraud: A SIM is the ID card in your smartphone. Scammers call your mobile carrier, claiming to be you and saying the original SIM (the one still in your phone) was lost, stolen, or damaged. Using personal info obtained from one of the many major data breaches that have occurred over the past few years, the scammer convinces the carrier they are indeed you. The carrier reassigns your phone number to the scammer’s SIM. Now they have control of everything on your phone – including any crypto accounts you may have. You can be cleaned out in a matter of minutes.
What you can do: This is a tough one. The only way to avoid losing your crypto to a SIM swap scam is by not having any crypto apps on your phone. But you’ll have to sacrifice the convenience of using crypto apps. A few crypto sites are only accessible via their phone apps.
Browser-based wallets: Several browser extension wallets, including the very popular MetaMask, as well as Nifty Wallet, Binance Chain Wallet, MEW CX, Ronin Wallet, TronLink, and the relatively new Coinbase Wallet, are susceptible to a new malware variant. Called Mars Stealer, this malware is spread through file-hosting websites and BitTorrent clients. Once installed, it sniffs out the browser wallet’s address info and private keys, which it transmits to the hacker. Then it deletes itself.
What you can do: Don’t visit file-sharing sites or use any torrent clients (like BitTorrent).
These are the major scams and hacks crypto investors need to be on the lookout for. But there are also mistakes people can make that can send their hard-earned crypto off into oblivion.
When sending or storing crypto, you need to be very careful, even if the transaction is legitimate.
User Mistakes to Avoid at All Costs
Sending crypto to the wrong address: Wallet addresses, those crazy-long strings of letters and numbers, are how crypto knows where to go when zipping around the Internet. The trouble is, the addresses are so long and random – anywhere from 26 to 35 alphanumeric characters – that it’s all too easy to get them wrong.
For example, 3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5 is completely different than 3FZbgi29cqjp2GjdwV8eyHuJJnkLtktzC5. Can you spot the differences in under one second? Me neither.
That’s why you want to cut-and-paste addresses when doing crypto transactions. But it gets trickier. Some related cryptos, such as the forks of Bitcoin, have very similar addresses. People sometimes send Bitcoin to a Bitcoin Cash (BCH) or Bitcoin SV (BSV) address. And when they do, that BTC is lost forever.
What’s become more prevalent in recent years with the rise of “platform” networks is folks sending crypto to the wrong platform. The stablecoin USD Coin (USDC) is a good example. USDC is primarily an ERC-20 token that runs on the Ethereum network. But USDC also runs on top of the Binance Smart Chain network as well as Solana (SOL). If you erroneously send ERC-20 USDC to the Binance Smart Chain (or vice-versa), you will lose it.
What you can do: Double and triple-check your receiving addresses to make sure they’re correct. (After pasting an address into a receiving window, look at the site where you copied it from and make sure the letters and numbers match exactly.)
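Addresses of the kind shown above (Base58Check, starting with 1 or 3) end in a four-byte checksum, so a mistyped character can be caught before anything is sent. The sketch below is an added example, not part of the original article; the function names and the sample hash are constructed for illustration. A checksum only proves the string is well-formed: it cannot tell you the address belongs to the person or the network you intended, which is why the wrong-chain mistakes described above still go through.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload)), as Base58Check defines it."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(version: int, hash160: bytes) -> str:
    """Build an address from a version byte and a 20-byte hash."""
    payload = bytes([version]) + hash160
    raw = payload + checksum(payload)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))      # leading zero bytes become '1's
    return "1" * zeros + out

def is_valid_address(addr: str) -> bool:
    """Decode and recompute the checksum; a mistyped character fails here."""
    num = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:                                   # 0, O, I and l are not in the alphabet
            return False
        num = num * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + num.to_bytes((num.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def diff_positions(a: str, b: str) -> list:
    """Zero-based positions where two equal-length addresses disagree."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample: version 0x05 (addresses starting with '3') over a made-up hash.
GOOD = encode_address(0x05, bytes(range(20)))
# Simulate a typo: replace one character with its neighbour in the alphabet.
TYPO = GOOD[:10] + ALPHABET[(ALPHABET.index(GOOD[10]) + 1) % 58] + GOOD[11:]

if __name__ == "__main__":
    print(GOOD, is_valid_address(GOOD))
    print(TYPO, is_valid_address(TYPO))
    # The two look-alike strings quoted in the article differ in four places.
    print(diff_positions("3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5",
                         "3FZbgi29cqjp2GjdwV8eyHuJJnkLtktzC5"))
```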
Leaving your private key out in the open: Because crypto private keys tend to be long phrases, a lot of people want to make sure they won’t forget them by putting them in an unencrypted text file (like a Word document) or taking a screenshot of them. While this may seem like a good idea, it’s really just making you more vulnerable to getting your crypto hacked.
What you can do: Never do this. If you have already done it, delete the files. If you really want to keep a copy of your private key somewhere, write it on a piece of paper and hide it in a place where you know you’ll remember where to find it.
Forgetting or misplacing your private key: This is something of a corollary to the item above. Private keys can be easy to forget since they need to be so long. If you do forget your private key, there is no way to access the crypto in your wallet. The worst part is, you can still see the crypto, right there in your wallet – right there in front of you. But you can’t move it to trade or spend it.
And even if you have no trouble remembering your private key, you need to consider what would happen if you died unexpectedly. In 2019, we saw that happen on a large scale when the founder of Canada-based crypto exchange Quadriga died. He never shared the private keys, so $250 million worth of customer funds became locked and inaccessible forever.
What you can do: If you have a poor memory, write your private key on a piece of paper. And make sure at least one trusted loved one knows where that paper is.
Finally, keep these tips in mind to keep your crypto as safe as possible.
Get Into These Security-Minded Crypto Habits
Use two-factor authentication (2FA): Just about every crypto exchange offers 2FA, but most make it optional. That’s unfortunate because 2FA is an extra layer of protection for your crypto exchange account, and making it optional means many users won’t bother with it.
For serious, security-minded crypto investors, skipping 2FA isn’t an option.
The good news is, 2FA’s actually pretty easy to set up. Two apps provide most 2FA – Google Authenticator and Authy. When you set it up, you usually scan in a QR code. After that, every time you log in to your exchange account, it will ask for a 2FA code. You need to fetch the code for that exchange from your 2FA app and type it in. (The codes change every 30 seconds.)
The added security and peace of mind are well worth the effort.
Avoid weak private keys – and don’t re-use keys, either: Your wallet password (private key in crypto-speak) protects your crypto. If it’s short or too easy to guess, you’re making yourself vulnerable to the bad guys. Choose a long phrase you will remember (see above) but that no one else would associate with you. And don’t re-use private keys for different wallets. Giving a hacker access to just one wallet is bad enough, but all of them – you could be completely wiped out in the time it takes you to type “abc123.”