How to Protect Your Crypto from Scammers for Good
One of the most frequently asked questions I receive as Chief Crypto Strategist for American Institute for Crypto Investors is about the best way to protect your digital assets from theft, scammers, and other bad actors in the sometimes-seedy market
And if you aren’t asking this question, but are already invested in cryptocurrency – then you need to get laser-focused on security.
Because not only can your crypto be stolen, but crypto transactions are designed to be “one-way” – there’s no mechanism to reverse them. And the lack of sufficient regulation means that in many cases, lost or stolen crypto cannot be recovered.
Hackers and scammers made off with $4 billion worth of crypto in 2022, according to analytics firm Chainalysis. And that was in a bear market.
The bull market theft is a whole different ball game. Scammers are greedy, too, and the higher your portfolio’s value, the more hackers will target your accounts.
To help you keep your crypto safe, we put together this comprehensive guide exclusively for American Institute for Crypto Investors members.
Scammers, Hackers, and Criminals
Thieves have multiple ways to take other people’s crypto. But you can make it harder for them to get yours. Here are some of the most common things to look out for and what you can do about them…
Last year alone, there were more than 20 separate hacks of crypto exchanges that caused losses of more than $100 million.
What you can do: A mantra among crypto veterans is “not your keys, not your crypto.” That means you don’t have the same full control and possession of crypto you have stored on an exchange as you do with a private wallet stored on your PC or with a hardware wallet. You only want to have crypto on an exchange when you’re trading it. Otherwise, move it to a private wallet for safekeeping.
Otherwise known as “social engineering,” phishing scams seek to trick you into surrendering your crypto voluntarily. Scammers typically send phishing texts or emails (although sometimes you’ll see these on social media as well) to lure victims to fake websites that look like legitimate, well-known exchanges.
Often the email warns of some sort of problem with the user’s account, and that they need to fix it immediately or their account will be closed. But all links take the victim to the fake website. When the victim types in their credentials, the info is sent to the scammer – who can then use them to access the victim’s real exchange account to drain it.
What you can do: Treat emails from exchanges with skepticism. Try to go to the exchange site directly to do business. And when on an exchange site, double-check the address bar to make sure the URL is correct and there are no misspellings. Look for the secure badge.
Scammers will create fake accounts of well-known crypto personalities on social media, especially Twitter, to trick people into sending their crypto voluntarily. So you might see a tweet that appeared to be from Ethereum (ETH) founder Vitalik Buterin that said something like, “Send me 0.5 ETH and I’ll send you back 10 ETH!” The purported reason for the giveaway will be fake but plausible enough. Of course, any crypto sent to the address listed becomes the property of the scammer. The victims receive nothing but regret.
We’re not talking about airdrops here. That’s when a project gives away a portion of its tokens to crypto users who qualify (such as by holding another, better-known crypto). Airdrops are legit and are used to jump-start adoption and raise awareness.
What you can do: People typically don’t just give away crypto on social media, and when they do, they don’t ask for a “donation” upfront. If it sounds too good to be true, it probably is.
A rug pull is when the developers behind a crypto project are actually scammers. They rush together a token and hype it up. When the price moves high enough, they dump their holdings, shut the project down, and disappear.
What you can do: Watch out for young projects that are all hype and no substance. The best way to avoid rug pulls is by sticking with well-established cryptocurrencies.
SIM Swap Fraud
A SIM is the ID card in your smartphone. Scammers call your mobile carrier, claiming to be you and saying the original SIM (the one still in your phone) was lost, stolen, or damaged. Using personal info obtained from one of the many major data breaches that have occurred over the past few years, the scammer convinces the carrier they are indeed you. The carrier reassigns your phone number to the scammer’s SIM. Now they have control of everything on your phone – including any crypto accounts you may have. You can be cleaned out in a matter of minutes.
What you can do: This is a tough one. The only way to avoid losing your crypto to a SIM swap scam is by not having any crypto apps on your phone. But you’ll have to sacrifice the convenience of using crypto apps. A few crypto sites are only accessible via their phone apps.
Several browser extension wallets, including the very popular MetaMask, as well as Nifty Wallet, Binance Chain Wallet, MEW CX, Ronin Wallet, TronLink, and the relatively new Coinbase Wallet, are susceptible to a new malware variant. Called Mars Stealer, this malware is spread through file-hosting websites and torrent clients. Once installed it sniffs out the browser wallet’s address info and private keys, which it transmits to the hacker. Then it deletes itself.
What you can do: Don’t visit file-sharing sites or use any torrent clients (like BitTorrent).
User Mistakes You Need to Avoid
Unfortunately, crypto investors also can lose tokens by making a critical error. When sending or storing crypto, you need to be very careful.
Sending to the Wrong Address
Addresses – those crazy long strings of letters and numbers – are how crypto knows where to go when zipping around the Internet. The trouble is, the addresses are so long and random that it’s easy to get wrong. That’s why you want to cut-and-paste addresses when doing crypto transactions. But it gets trickier. Some related cryptos, such as the forks of Bitcoin, have very similar addresses. People sometimes send Bitcoin to a Bitcoin Cash (BCH) or Bitcoin SV (BSV) address. And when they do, that BTC is lost forever.
What’s become more prevalent in recent years with the rise of “platform” networks is folks sending crypto to the wrong platform. The stablecoin USD Coin (USDC) is a good example. USDC is primarily an ERC-20 token that runs on the Ethereum network. But USDC also runs on top of the Binance Smart Chain network as well as Solana (SOL). If you erroneously send ERC-20 USDC to the Binance Smart Chain (or vice-versa), you will lose it.
What you can do: Double and triple-check your receiving addresses to make sure they’re correct. (After pasting an address into a receiving window, look at the site where you copied it from and make sure the letters and numbers match exactly.)
Leaving Your Private Key Out in the Open
Because crypto private keys tend to be long phrases, a lot of people want to make sure they won’t forget it by putting them in an unencrypted text file (like a Word document) or taking a screenshot of them. While this may seem like a good idea, it’s really just making you more vulnerable to getting your crypto hacked.
What you can do: Never do this. If you have already done it, delete the files. If you really want to keep a copy of your private key somewhere, write it on a piece of paper and hide it in a place where you know you’ll remember where to find it.
Forget/Misplace Private Key
This is something of a corollary to the item above. Private keys can be easy to forget since they need to be so long. If you do forget your private key, there is no way to access the crypto in your wallet. The worst part is, you can still see the crypto, right there in your wallet – right there in front of you. But you can’t move it to trade or spend it. And even if you have no trouble remembering your private key, you need to consider what would happen if you died unexpectedly. In 2019, we saw that happen on a large scale when the founder of Canada-based crypto exchange Quadriga died. He never shared the private keys, so $250 million worth of customer funds became locked and inaccessible forever.
What you can do: If you have a poor memory, write your private key on a piece of paper. And make sure at least one trusted loved one knows where that paper is.
More Security-Minded Crypto Habits
Finally, keep these tips in mind to keep your crypto as safe as possible.
Just about every crypto exchange requires 2FA (two-factor authentication), but most make it optional. That’s unfortunate because 2FA is an extra layer of protection for your crypto exchange account, and making it optional means many users won’t bother with it. It’s actually pretty easy to set up. Two apps provide most 2FA, Google Authenticator, and Authy. When you set it up, you usually scan in a QR code. After that, every time you log in to your exchange account, it will ask for a 2FA code. You need to fetch the code for that exchange from your 2FA app and type it in. (The codes change every 30 seconds.) The added security is worth the effort.
Weak/Re-used Private Key
Your wallet password (private key in crypto-speak) protects your crypto. If it’s short or too easy to guess, you’re making yourself vulnerable to the bad guys. Choose a long phrase you will remember (see above) but that no one else would associate with you. And don’t re-use private keys for different wallets. That gives a hacker who gets the key access to all of your wallets instead of just one (which is bad enough).
This guide is designed to help crypto investors of any experience level protect their assets from scammers and hackers.
It doesn’t matter if you consider yourself a newbie or a pro… With top-level Wall Street insiders predicting Bitcoin (BTC) could rally to $100K this year, wherever you fall on the spectrum, you can be sure you’re in the right place at the right time to maximize your profits from crypto.
Chief Crypto Strategist, American Institute for Crypto Investors