Crypto Security 101

How to avoid scams and keep your crypto safe

You wouldn’t believe the progress crypto crime made in 2021 alone. As crypto adoption accelerates, illicit activities are on the rise, because the wealth stored in crypto is simply too appetizing to pass up.

It’s also a low-hanging fruit. Crypto malware costs next to nothing and requires little specialist knowledge to use. Scammers can harness simple social engineering strategies to steal data without the victim ever finding out. DeFi pirates can execute a rug pull in a matter of weeks and make off with millions of dollars. If you’re looking for horror stories, well, it won’t take long to find them.

Is crypto crime really that big?

The short answer is: yes. Crypto crime is bigger than ever, even though crypto adoption is outpacing illicit activity, and by a lot. According to a Chainalysis report, total crypto transaction volume in 2021 was up 567%. And crypto crime? That grew by 79%. The share of illicit activity in total transaction volume hit an all-time low of 0.15%.

Don’t get excited, though. Chainalysis estimates that throughout 2021, illicit wallets received $14 billion. Part of that figure comes from darknet markets, fraud shops and terrorism financing, which rarely victimize everyday users directly, but the crushing majority was scams and stolen funds.

Source: Chainalysis

Am I at risk?

You might be familiar with basic security measures and online privacy best practices, and that should be enough for casual users who only hodl coins for fun.

If you’re taking your crypto investments seriously, treat security the same way.

There are professional crypto security companies out there that can do your homework for you, but with a little effort, you can go a long way towards securing your coins on your own.

Read on to find out how.

Hardware

The first step to crypto security is always a hardware wallet. Don’t put it off.

A hardware wallet is the most bulletproof way to store your private keys. At the same time, losing the device won’t cut you off from your coins, because the seed phrases will live elsewhere.

It’s a must, but don’t rush it. Look around the available options and make sure you’ve selected the best one within your budget. When you’re ready to buy, triple check that you’re on the manufacturer’s official site. Scammers like to create fake websites selling compromised hardware wallets. The same applies to Amazon and wallet resellers.

Seed phrases

Now, what to do with the seed phrases? Store them where malware can’t reach: offline. Write them down on a piece of paper and put them where you will remember, but a burglar won’t look. Think a leftover paper box your favorite soap comes in, hidden behind the oven, under a freezer shelf, inside that Winnie the Pooh book your grandma gave you for your eleventh birthday… You get the picture.

If you want to add an extra level of security, protect your seeds from the elements, especially if you live in a region where natural disasters are common. A flood or fire will likely consume a piece of paper, but a metal plate will survive. Such plates usually come with engraving pens or small character tiles.

If you're still concerned someone could find it (perhaps a cunning nanny, an opportunist cleaner, or someone you're dating), split your seed phrase and hide the parts at multiple locations. You can also use Shamir's Secret Sharing, a secret-splitting method that adds a cryptographic layer of security while also spreading your seed phrase across several places.

Source: Cypherpunk Cogitations

Browser security

Buying a hardware wallet and storing your seeds safely is a one-time effort. When you’re set up, you’re set up. Online crypto security is much trickier, because it requires near-constant attention. That said, the basics are pretty straightforward, and many tools and solutions you can use to boost your online security will also give you more privacy.

Start with a VPN service, but steer clear of free options and read the reviews before you buy. A good VPN should encrypt your connection without interfering with your favorite websites.

You can also add protective software such as a firewall or JavaScript blocker, and set up an email account with ProtonMail or another service that uses zero-access encryption. Never use that email address for anything other than crypto.

Browser fingerprinting

As you browse the internet, trackers record your stats and behavior. Collecting enough data to identify you personally is called browser fingerprinting.

Keep in mind that it’s not the same as cookies. It can happen even when you’re not logged in or browsing incognito. Fortunately, you can prevent it with strong enough anti-tracking software. Some people even get a separate device they only use for crypto trading.

Password manager

Do you use five interchangeable passwords? No? Good. But do you create a unique, random password, a hundred or so characters long, for every website you log in to?

If you don’t, you’re not safe. If you haven’t been paying too much attention to your passwords so far, check if you’re a victim on Have I Been Pwned.

No results? Congratulations, but don’t let that delay your password system upgrade. Keep in mind that leaked data can be sold on the darknet minutes after it was stolen. Scammers will then use open source tools to generate hundreds of password suggestions based on those compromised.
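Checking a password against Have I Been Pwned does not require sending the password anywhere. The Pwned Passwords range API works on k-anonymity: you send only the first five hex characters of the password's SHA-1 hash and receive every known hash suffix with that prefix, then compare locally. The Python below is an added example, not the article's or the service's own code. The live fetcher uses the real endpoint; the constructed response lets the check run offline, and its suffix is the genuine SHA-1 suffix of "password" while the counts and the other suffixes are made up.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix):
    """Fetch the suffix list for a five-char SHA-1 prefix from the real API (needs network)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},  # the API requires a User-Agent
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """Return how many times the password appears in known breaches (0 if not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix leaves the machine; the suffix comparison happens locally.
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API response to prefix 5BAA6 (SHA-1 of "password"
# starts 5BAA61E4...). The second suffix is real; the others and all counts are made up.
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
])


def offline_lookup(prefix):
    """Offline replacement for fetch_range_live, returning the constructed sample."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("'password' seen:", breach_count("password", offline_lookup), "times")
```

Wire `breach_count` to `fetch_range_live` to query the real service; pass a different fetcher, as above, for tests. A non-zero count is a stop sign: that password is already in attackers' wordlists.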

To stay safe, use an encrypted password manager and have it generate a unique, long and completely random password for every website you use. Change all of your current passwords that do not meet those criteria, then add them to your manager. You are now left with just one password to remember.

Make your master password as long and complicated as possible, but at the same time not impossible to learn by heart. Using a method such as Diceware can help generate something slightly nonsensical yet memorable.
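Diceware picks words from a 7776-entry list (6 to the power of 5) by rolling five dice per word, so the strength of the passphrase is a simple calculation: words times log2 of the list size. The Python below is an added example, not the article's or the Diceware project's own code. The sixteen-word list is a constructed stand-in for the real list, the dice are simulated with the operating system's CSPRNG (physical dice do the same job offline), and the index mapping is the standard one where "11111" is the first entry and "66666" the last.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware list

# Constructed stand-in wordlist; a real Diceware list has 7776 entries keyed "11111".."66666".
CONSTRUCTED_WORDLIST = [
    "anvil", "basil", "cobalt", "dune", "ember", "fjord", "gecko", "harbor",
    "ivory", "juniper", "kelp", "lumen", "mango", "nickel", "orbit", "pecan",
]


def dice_key_to_index(key):
    """Map a five-roll key such as '12345' to a 0-based index into a 7776-word list."""
    if len(key) != 5 or any(ch not in "123456" for ch in key):
        raise ValueError("key must be five digits in the range 1-6")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)  # base-6 digits, 1-6 shifted to 0-5
    return index


def roll_dice_key(rolls=5):
    """Simulate rolling the dice with the OS CSPRNG; never use random.random() for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def passphrase(wordlist, n_words):
    """Draw n_words uniformly; secrets.choice avoids the modulo bias of hand-rolled indexing."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Bits of entropy in a passphrase of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print("sample roll:", roll_dice_key(), "->", dice_key_to_index(roll_dice_key()))
    print("toy passphrase:", passphrase(CONSTRUCTED_WORDLIST, 5))
    print("6 real Diceware words: %.1f bits" % entropy_bits(DICEWARE_LIST_SIZE, 6))
```

Six words from the real list give roughly 77.5 bits, which is adequate for a master password that protects a vault; the toy list above is far too small for actual use and exists only so the code runs offline.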

Multi-factor authentication

These days, two- or multi-factor authentication isn’t just a fancy add-on. It should be a no-brainer for every internet user. If you’re serious about crypto, it’s a must.

The biggest mistake you can make when setting up your 2FA is selecting SMS as the authentication method. A smart hacker needs only a couple of smooth lines with the customer support agent at your mobile phone network to get their very own SIM card under your phone number.

The most secure authentication method is a hardware key. Much like those seed phrases that are now buried in a bag of nachos in the far corner of your pantry, a key that lives offline is least likely to fall prey to a hacker. If you want to be sure you’ve done everything you possibly could to sharpen your 2FA, choose a U2F or FIDO2 key.

To be clear, you don’t have to hide the hardware key as much as the seed phrases. After all, it’s something you’ll use a lot. Try not to lose it, though.

The second-best solution is an authenticator app that generates one-time codes on your device.

Disarming the human factor

In the end, the most vulnerable piece of the puzzle is the human.

The best way to protect yourself from losses triggered by the human factor is knowing where and when they can happen. Remember that crypto scammers often use cognitive biases to trick their victims into thinking they’re doing what they’ve always done. What everyone does.

Examples include hacking famous people’s social media to post malicious links. Sometimes, scammers create new accounts to impersonate respectable figures or pretend to be someone the victim knows, like a relative or business partner. If there’s even a shade of doubt, don’t take out your wallet.

Screenshot of Joe Biden's tweet, now removed. Source: The New York Times

Another popular scam strategy is contacting potential victims via direct messages and impersonating customer support or a financial advisor. For these, it’s best to assume any direct message that isn’t a response to yours should be treated as a scam attempt. When you’re contacting someone yourself, always triple check that you’re reaching the person you’re looking for.

Attackers can also create fake copies of popular crypto sites, boosting the fake's credibility with a Google Ad.

Source: Check Point Research

Then there’s malware that replaces the cryptocurrency address a user has just copied with one that belongs to the attacker. Have you ever even considered that copying an address could put you at risk?

Of course, these are just a few examples. The rule of thumb is not to trust easily, and that includes yourself. If something looks too good to be true, consider it suspicious. Before sending a large sum of money, send a small test transfer to make sure everything is fine. If a website or a stranger asks you to enter your seed phrases, you can be sure it’s a scam.

Last but not least, make crypto security your part-time hobby. Crypto crime is as dynamic as crypto itself. It’s impossible to learn security once and for all.

Final thoughts

A good security strategy is one you can handle with confidence, but the more coins you own, the more elaborate security measures you need.

Still, nothing is foolproof. In DeFi, unethical creators can make off with millions of dollars that well-protected users sent of their own free will, because they believed the scam. Chainalysis estimated that throughout 2021, DeFi protocols were robbed of $2.2 billion worth of crypto, 72% of all stolen crypto funds.

Source: Chainalysis

That’s why any crypto security strategy must be complemented by a sober approach to investing and at least a basic knowledge of social engineering. But that’s a different story.