Keeping your Crypto: Security for Beginners

CryptoMugen
Published in Sherpa Library
10 min read · Dec 17, 2021


It is far too common for people in crypto to have their funds stolen. Most incidents can be avoided with awareness, education and proper operational security. This is not to say elaborate scams don’t happen but, in general, scams happen to new and inexperienced users who don’t understand the basics of security or those who have been complacent about security. It still surprises me how often I hear about people who have been in the Web3 space for some time but still leave all of their tokens in a hot wallet.

This is by no means a comprehensive list but it should give you the ability to avoid most of the common attacks.

The Swiss Cheese Model

A method helpful for understanding security is the Swiss Cheese Model. Imagine your key is at the end of a tube. In this tube is a series of security layers resembling Swiss cheese. All the layers have holes, but what it takes to have your key stolen is for those holes to line up. The more layers you have and the smaller the holes are, the more secure your key is.

A failure of one layer does not mean you are compromised if your other layers are there. For example, if your MetaMask password was compromised, but you are properly using a hardware wallet, your key and crypto are still safe.

Education

The first and most important layer of security is your education. I consider this the most important because it enhances all other layers of security and is sometimes the only one that really matters.

In general, scammers target the new and uneducated. Just like telephone or email scammers, they don’t want to spend a lot of time and effort on a complex scam.

Something we often see in crypto is people who refuse to read. The other day I wrote a guide for Olympus V2 migration. On Twitter, where I shared the link, I had people asking me the exact questions I answered in the article who clearly did not bother to read it. Sure enough, scammers pretending to be support were messaging them. If you are uninformed or, even worse, lazy, you are putting a big target on your back.

Anyone considering diving into crypto must do their due diligence and take the time to learn about proper security. Take your time, ask questions from knowledgeable individuals, but most of all take initiative and do your own research.

OpSec

Operational Security is guarding or compartmentalizing information. Essentially, the less a scammer can find out about you the safer you will be.

  1. Use a VPN. This is basic security to keep people from snooping your IP address. This won’t do much on its own but can provide a good base.
  2. Have an email only for crypto that doesn’t have personal information like your name attached to it. The older and more used your email is, the more likely it is to leak. If a scammer knows your email is used for crypto you could be targeted by phishing or other attacks.
  3. Never share your wallet address with the public. This also puts a target on your back: now a scammer can see how much you have and whether you’re worth targeting. They can connect an address to your Discord, Twitter, email, etc. If you’re not using a VPN it may be possible for them to connect your IP and wallet by monitoring traffic and transactions in your wallet.
  4. Don’t tell people about your crypto or how much you invested. I often see people bragging about their holdings. This poses two threats; one is the same as above. The blockchain is public: if you go to Olympus’ Discord and say, “I just staked $20,000 of OHM,” the scammer goes and looks at the contract and now has your wallet. The other danger is the $5 wrench attack. If you have $100,000 in crypto and someone finds out where you live, you are putting yourself in danger.
  5. Use a pseudonym. This is one reason many in crypto use pseudonyms: you never know what information about you is out there that a scammer could use.
  6. Use strong passwords. A password manager is useful here. Use the manager to generate strong passwords and never reuse one. My passwords always have at least 12 characters, completely randomized, with upper and lower case, special characters and numbers. You can use the password manager to store less critical passwords, but passwords for wallets and exchanges should not be in your password manager. Paper only!
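
As an added illustration of item 6 (example code, not from the original post), here is a generator that builds a password the way a manager does, drawing from the OS CSPRNG with every required character class guaranteed, plus a check that a candidate meets the policy. The policy constants are constructed to match the rule stated above (12+ characters, upper and lower case, digits, special characters); the special-character set is an assumption.

```python
import secrets
import string

# Policy constants constructed to match the rule in item 6 above (assumed special set).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL
MIN_LENGTH = 12


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG with every character class guaranteed present.

    `secrets` is the right module for credentials; `random` is predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # One guaranteed character per class, then fill the rest from the whole alphabet.
    chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """True when the password satisfies the length and character-class rules."""
    classes = (LOWER, UPPER, DIGITS, SPECIAL)
    return len(password) >= MIN_LENGTH and all(
        any(c in cls for c in password) for cls in classes
    )


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, meets_policy(candidate))
```

The generator is what a manager does behind its "generate" button; the point of `meets_policy` is that a strong-looking human-chosen password such as "password123" still fails the class check, while anything the generator emits passes it by construction.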

A third reason to have good OpSec is that bad OpSec gives away your education level. People experienced in Web3 aren’t telling everyone how much they invest and when; they aren’t sharing their addresses on Discord. If you do this we all know you’re new, especially the scammer.

Key Handling

The number one rule in crypto is to never give your keys to anyone. Ever. Regardless, this happens all the time. Often this is plain ignorance from the user, sometimes it is more complex. Here are a few basic principles, some should be known but they are worth repeating because they are still broken:

  1. Never type your seed phrase on your computer. There are rare exceptions such as recovering your wallet. If you ever need to do this, be sure you have downloaded an authentic wallet. If a dApp or website asks you for a seed phrase it is a scam. If you ever do need to recover a hot MetaMask you can use an onscreen keyboard for an added layer of security; this would at least protect you from a keylogger.
  2. Never save your seed on your phone or computer. You should only ever write your seed on paper. Malware such as keyloggers and screenloggers can compromise your key. Additionally, malware can hijack your clipboard and see what you copy and paste. It should go without saying that this means you should never save your keys in a password manager.
  3. Never give your key to anyone. This is something that sounds obvious but again, it happens all the time. Usually the way this happens is a scammer will pretend to be support or someone else who is trusted, maybe a fake account of a Mod on Discord. They will then tell you they need your phrase to fix your wallet, or use a similar trick to get you to divulge your wallet key.

Hardware Wallets

This could tie into proper key handling but it deserves its own section. Anyone in DeFi should have one of these. It is absolutely one of your best layers of security.

There is a general misunderstanding of what a hardware wallet is and how it works. A hardware wallet, like Trezor or Ledger, does not hold your tokens, it holds your key. When you want to do a transaction, the hardware wallet uses your key to sign the transaction on the device itself; only the signed transaction goes back to your computer, never the key. This has a few benefits. One is immunity to keyloggers or similar malware, since the key is never typed on or exported to the computer. It also requires transactions to be authorized on the physical device.

You should never type in your hardware wallet key. If you need to recover your wallet this should be done with the physical buttons on your hardware wallet. If you are ever prompted to give your hardware wallet key on a site or dApp it is a scam.
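
To make that boundary concrete, here is an added simulation; it is not code from the original post and not how Trezor or Ledger firmware is written. A `HardwareWallet` generates its key internally and signs only what the user confirms on the device, while a MetaMask-style `HostWallet` records every byte that crosses the USB link, which is the most a keylogger or screenlogger on the computer could observe. A Schnorr signature over a 64-bit safe-prime group stands in for the real secp256k1 ECDSA so the block runs on the Python standard library alone; the key size is a toy, and the class names, the confirmation callback and the sample transaction are all constructed.

```python
import hashlib
import json
import secrets

# --- Toy public-key signature: Schnorr over a 64-bit safe-prime group. ---
# Stand-in for secp256k1 ECDSA so this needs only the standard library.
# 64 bits is far too small for real funds; the host/device boundary is the point.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n):
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_group(bits=64):
    """(p, q, g): p = 2q + 1 prime, g = 4 generates the subgroup of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = _safe_prime_group()


def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q


def schnorr_sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k - x * e) % Q


def schnorr_verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P  # g^s * y^e == g^k when the signature is valid
    return _challenge(r, msg) == e


def serialize(tx):
    """Canonical bytes of a transaction: this is what the device displays and signs."""
    return json.dumps(tx, sort_keys=True).encode()


class HardwareWallet:
    """Simulated signing device. The private key is generated here and no method
    returns it; only the public key and signatures ever cross to the host."""

    def __init__(self, confirm_on_device):
        self._x = secrets.randbelow(Q - 1) + 1  # private key, never leaves the device
        self.public_key = pow(G, self._x, P)
        self._confirm = confirm_on_device       # stands in for the physical buttons

    def sign(self, tx):
        # The device shows the transaction; it signs only what the user confirms there.
        if not self._confirm(tx):
            return None
        return schnorr_sign(self._x, serialize(tx))


class HostWallet:
    """MetaMask-style host software. It never holds the key; it records every byte
    crossing the USB boundary, i.e. everything host malware could observe at most."""

    def __init__(self, device):
        self.device = device
        self.transcript = []

    def send(self, tx):
        self.transcript.append(("host->device", serialize(tx)))
        sig = self.device.sign(tx)
        self.transcript.append(("device->host", repr(sig).encode()))
        if sig is None:
            return None  # rejected on the device: nothing to broadcast
        if not schnorr_verify(self.device.public_key, serialize(tx), sig):
            raise ValueError("device returned an invalid signature")
        return {"tx": tx, "signature": sig}


def private_key_in_transcript(host):
    """Audit hook for this demo only: did the key appear in any form on the wire?"""
    x = host.device._x
    needles = (str(x).encode(), x.to_bytes(16, "big").lstrip(b"\x00"))
    return any(n in data for _, data in host.transcript for n in needles)


if __name__ == "__main__":
    sample_tx = {"to": "0xCONSTRUCTED_RECIPIENT", "value_wei": 10**18, "nonce": 7}  # constructed
    host = HostWallet(HardwareWallet(confirm_on_device=lambda t: True))
    print(host.send(sample_tx), "key on wire:", private_key_in_transcript(host))
```

Two things to notice when running it: the transcript holds only the transaction and the signature, so a compromised host learns nothing that lets it sign a different transaction later, and a `confirm_on_device` that returns `False` (the user pressing reject on the buttons) leaves the host with nothing to broadcast at all. The reverse also holds: what the device displays is what gets signed, which is why you read the amount and recipient on the device screen rather than in the browser.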

Smart-Contract Wallets

Smart contract wallets, like Argent, store your crypto assets in a smart contract, which allows for far more functionality and security. With Argent you can set up “Guardians” for wallet recovery without using a seed phrase. Guardians act like a multi-sig and are trusted third parties, such as friends and family, or a secondary wallet. Guardians can recover the wallet, approve a new device, approve transfers over your daily limit, and allow transfers to untrusted wallets.

Argent has multiple other features like the ability to set withdrawal limits, freeze your wallet, or whitelist addresses.

Common attack vectors

One of the most common attacks is the Direct Message scammer. If you’ve spent more than 15 minutes on Discord you have probably seen a warning that mods or admins will never DM you first; this is why. Any unsolicited message should be met with caution. There are multiple types of DM scams.

  1. Fake Support: These guys message you pretending to want to help you with your tech issue but really will trick you into giving them your key. Sometimes they will tell you to send it to them, or get you to share your screen where they try to convince you to reveal your seed in your wallet.
  • How to avoid: 99% of the time these should be instantly reported. If you do need to DM a mod you can verify them by checking their server roles on Discord. Sometimes they get crafty and make their bio look like server roles. Be careful!
  2. Giveaway Scams: You receive a message saying you have won a large sum of crypto. If you follow the link you will be led to a seemingly legit website. Often the exact website will be copied and put on a domain similar to the real one. When you go to claim your giveaway you are told you need to make a deposit for security purposes. If you make this deposit you will never get it back and you definitely won’t get free crypto.
  • How to avoid: This will never be legit. Just don’t be greedy and try it.
  3. Fake Websites: This has been a persistent problem with Olympus. Scammers will message links to a fake “official app” and tell users they need to use the new app. Often these will ask you to sync your wallet by entering your key, at which point you are compromised. Scammers will also create a fake website and pay for an ad. Sometimes a fake website will be the number one result on Google because they bought an ad to be featured as a top result.
  • How to avoid: Never click or open links messaged to you. Any necessary action will be officially announced by the protocol; if you’re not sure, ask or check announcements. Never click sites that appear in results as ads. I usually go to the official Twitter page of the protocol and use the official link there. Be sure it’s the real Twitter; you can usually tell by follower count and by who is following it.

Keep in mind very similar scams also happen in email. This is another reason to have a crypto-only email. Always know the sender and be careful with what you open. Even crypto OGs fall victim to some of the more advanced phishing scams.

Spyware is another attack method. This can be slipped onto your computer through malicious links that are messaged to you or that you click on dodgy websites. There are a few types:

  1. Keyloggers: These save your keystrokes and allow the attacker to see what you type. They could easily learn your passwords or get your wallet key if you type your seed phrase.
  • How to avoid: If you can, buy a subscription to a good AV program like Kaspersky or Norton. Many of these also have VPNs, password generators and managers included. If you are on a budget, Malwarebytes is a good, free alternative. Also use your hardware wallet! A scammer can’t steal your phrase if you never type it.
  2. Screenloggers: These allow an attacker to see your screen. This can allow you to be compromised without typing your seed. Even viewing your seed could compromise you. A screenlogger could compromise a new wallet by allowing the attacker to see your seed phrase at creation. Then they just wait for the wallet to receive funds and take them.
  • How to avoid: Same as a keylogger.
  3. Clipboard Hijacking: Similar to a keylogger, this allows an attacker to see what you copy to your clipboard. If you are copying and pasting passwords the attacker could steal them.
  • How to avoid: Same as a keylogger/screenlogger. Additionally, this is a major reason why you shouldn’t save your critical passwords to a password manager. Since most people copy and paste from the manager, the attacker can steal passwords from your manager without actually hacking the password manager itself.

One last attack is the fake airdrop, this may be the most dangerous. It is not as well known as the others and can bypass all of your security measures. Here’s how this one goes:

You look in your wallet and see a large amount of new tokens in your wallet, maybe tens of thousands of dollars. You think you received a large airdrop, get excited, and go to swap the tokens for a stablecoin.

When you try to swap, you interact with the scam token’s contract (approving it, transferring it). That interaction, not your seed phrase, is what the attacker uses to bypass your other security layers and drain your wallet.

Rekt.

  • How to avoid: Never approve or interact with unknown tokens or NFTs in any way. Attackers will use large amounts to make you think you just received life changing money. Most of the time you will be aware of your airdrops. If not, do some digging on the token to make sure it’s legit.
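
A defender-side check for this scenario, added here and not part of the original post: decode the calldata a wallet is about to sign and refuse any interaction with a token contract you did not already know, any approval to a spender you do not trust, and any unlimited allowance. The function selectors are the standard ERC-20/ERC-721 values (`approve`, `setApprovalForAll`, `transfer`); the `review` policy, the placeholder addresses and the sample transactions are constructed for illustration and are not real contracts.

```python
# Function selectors are the first 4 bytes of keccak256(signature). These are the
# standard ERC-20/ERC-721 values, hard-coded because hashlib has no keccak256.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}
UNLIMITED = 2**256 - 1  # the "max uint256" allowance many dApps ask for by default


def encode_call(function, address, value):
    """ABI-encode one of the calls above (used here only to build sample transactions)."""
    selector = {name: sel for sel, name in SELECTORS.items()}[function]
    addr_word = bytes.fromhex(address[2:]).rjust(32, b"\x00")
    value_word = int(value).to_bytes(32, "big")
    return "0x" + selector + addr_word.hex() + value_word.hex()


def decode_call(data):
    """Split calldata into selector + 32-byte argument words and decode known selectors."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    if len(raw) < 4 or (len(raw) - 4) % 32:
        raise ValueError("malformed calldata")
    selector, body = raw[:4].hex(), raw[4:]
    words = [body[i:i + 32] for i in range(0, len(body), 32)]
    name = SELECTORS.get(selector)
    if name is None or len(words) < 2:
        return {"function": "unknown:" + selector, "address": None, "value": None}
    address = "0x" + words[0][12:].hex()        # address is right-aligned in its word
    value = int.from_bytes(words[1], "big")
    if name.startswith("setApprovalForAll"):
        value = bool(value)                      # NFT approval is all-or-nothing
    return {"function": name, "address": address, "value": value}


def review(tx, known_tokens, trusted_spenders):
    """Return (verdict, warnings) for a pending transaction, applying the article's rule:
    never approve or interact with a token contract you do not recognise."""
    warnings = []
    token = tx["to"].lower()
    call = decode_call(tx["data"])
    if token not in {t.lower() for t in known_tokens}:
        warnings.append(f"interaction with unrecognised token contract {token}")
    if call["function"].startswith(("approve", "setApprovalForAll")):
        spender = call["address"].lower()
        if spender not in {s.lower() for s in trusted_spenders}:
            warnings.append(f"grants spending rights to untrusted spender {spender}")
        if call["value"] == UNLIMITED or call["value"] is True:
            warnings.append("allowance is unlimited: the spender can take the whole balance")
    return ("REJECT" if warnings else "OK"), warnings


# Constructed sample: a surprise "airdrop" token asks for an unlimited approval to an
# unknown spender when you try to swap it. All addresses are placeholders, not real ones.
AIRDROP_TOKEN = "0x" + "de" * 20
UNKNOWN_SPENDER = "0x" + "ad" * 20
MY_TOKEN = "0x" + "11" * 20
MY_DEX_ROUTER = "0x" + "22" * 20

SUSPICIOUS_TX = {"to": AIRDROP_TOKEN,
                 "data": encode_call("approve(address,uint256)", UNKNOWN_SPENDER, UNLIMITED)}
NORMAL_TX = {"to": MY_TOKEN,
             "data": encode_call("approve(address,uint256)", MY_DEX_ROUTER, 1000)}

if __name__ == "__main__":
    for pending in (SUSPICIOUS_TX, NORMAL_TX):
        print(review(pending, {MY_TOKEN}, {MY_DEX_ROUTER}))
```

The same decoder is what a wallet's "what am I signing?" screen does for you; the value of doing it yourself is that the unknown-contract rule fires on the first interaction with the surprise token, before any approval exists, which is exactly the moment the article says to stop and do some digging.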

Final Thoughts

Don’t put all your eggs in one basket. It’s good to have multiple wallets and accounts where you have diversified your holdings. It’s not a bad idea to have multiple hardware wallets, one for more general use and another for long-term storage that is locked away somewhere secure.

Always use hardware wallets and smart contract wallets. For MetaMask and other browser wallets, always use them through Trezor or another hardware wallet.

Do your own research and educate yourself. Don’t be the one that thinks it won’t happen to them.

I hope this helps friends.

Cheers!

Follow us on Twitter: @OlympusDAO

Become an Ohmie on Discord

Join the discussion on the Forum

Follow on Reddit

and visit Sherpa Library to learn everything about OlympusDAO.


Olympus DAO Sherpa trying to educate people on Olympus and Web3.