How To Secure Your Crypto Wallet and NFTs

Yesterday, the Co-Founder of DeFiance Capital, a DeFi venture capital fund, had US$1.7 million worth of NFTs stolen from his personal wallet. He claims that he was the victim of a phishing attack after opening a suspicious-looking email attachment that appeared to come from one of DeFiance’s portfolio companies.

This social engineering attack worked even against someone sophisticated, with 5 years’ experience in crypto, who uses a password manager and hardware wallets to interact with DeFi protocols.

Whatever the exact details of this hack, it is a timely reminder for all of us that hot wallets remain dangerously susceptible to compromise, even more so when we are active DeFi users.

In this article, we explore several non-exhaustive ways to secure your crypto wallets and precious NFTs.

Create multiple wallets

Technically, you can create an unlimited number of crypto wallets to hold and custody your digital assets, although managing a large number of them quickly becomes a chore.

We explained previously that cold wallets are a great, secure way to store your digital assets: they keep your keys offline, away from bad actors on the Internet and from any malware on your computer, without compromising on security.

Hot wallets like MetaMask and Coinbase Wallet, on the other hand, offer more convenience at the expense of security: the private key lives on an Internet-connected device and is exposed further whenever you copy and paste it, which gives attackers a vector to steal the key and drain your wallet.

Once you’ve purchased a cold wallet, do not store all your assets in a single wallet tied to your online identity. That creates another attack vector, where a single security breach can drain your entire net worth.

Instead, a good practice is to create 2 levels of wallets:

  • Hot wallet (e.g. Metamask) for making daily transactions
  • Cold hardware wallet (e.g. Ledger X) for storage

It is also possible to break the cold hardware wallet down further into 2 sub-wallets derived from the same Ledger seed phrase:

  • Cold wallet address 1 for vault storage (only send/receive)
  • Cold wallet address 2 for infrequent transactions on trusted sites (e.g. Aave)

With this multiple wallet practice, you can be sure that you have multiple levels of defence against bad actors. Even if your hot wallet is compromised, your assets are still securely stored in your cold wallets.

Sign contracts carefully

We will only use the hot wallet or cold wallet address 2 for signing contracts. Remember, cold wallet address 1 is for pure storage, and for send/receive transactions to your other wallets.

When signing transactions, ensure that you’re only signing transactions on websites that you trust.

A single malicious contract, once you sign the wrong transaction, can be granted permission to move every asset in your wallet to another wallet — essentially draining your funds.

There are many phishing websites, emails and messages that pose as legitimate sources and then manipulate you into signing a contract that looks real but, under the hood, grants the contract permission to move all funds out of your wallet.

Phishing is one of the most popular ways hackers try to scam you. For example, you could be the target of a fraudulent email or website that tricks you into signing something in exchange for a limited NFT mint or similar.

Stay clear headed at all times. If something is too good to be true, or even slightly suspicious, avoid it. Do not risk it.

If you ever sign something malicious by accident, or think that you might have fallen victim to something malicious, immediately revoke the permissions you granted to the contract.
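The two signing patterns this section warns about are an unlimited ERC-20 allowance and an NFT operator approval. The following is an added example, not code from the original article: it decodes raw transaction calldata in pure Python and rates the risk before you sign, using the well-known 4-byte selectors and a `trusted` allowlist that you maintain yourself (the sample calldata is constructed).

```python
# Added example (not from the original article): decode the calldata of a
# transaction before signing it and flag the approval patterns that hand a
# contract control over everything in the wallet. Pure Python, no web3 library.
# Well-known 4-byte selectors: the first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 amount / ERC-721 tokenId
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator
}
UINT256_MAX = 2**256 - 1

# Constructed sample calldata (not real transactions): an operator approval,
# an unlimited ERC-20 allowance, and the revocation of that allowance.
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "cd" * 20 + "ff" * 32
SAMPLE_REVOKE = "0x095ea7b3" + "00" * 12 + "cd" * 20 + "00" * 32


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError(f"calldata too short for argument {i}")
    return data[start:start + 32]


def analyze_calldata(calldata_hex: str, trusted: frozenset = frozenset()) -> dict:
    """Rate calldata low/medium/high/unknown; `trusted` = lower-case addresses you knowingly use."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    fn = SELECTORS.get(data[:4].hex())
    if fn is None:
        return {"function": "0x" + data[:4].hex(), "risk": "unknown",
                "reason": "unrecognised selector; decode it before signing"}
    counterparty = "0x" + _word(data, 0)[12:].hex()   # address is right-aligned in its word
    out = {"function": fn, "counterparty": counterparty}
    if fn.startswith("setApprovalForAll"):
        if _word(data, 1)[-1] != 1:                     # bool false: a revocation
            out.update(risk="low", reason="revokes operator approval")
        elif counterparty in trusted:
            out.update(risk="medium", reason="trusted operator, but it controls every token in the collection")
        else:
            out.update(risk="high", reason="untrusted operator gains control of every token in the collection")
    else:
        amount = int.from_bytes(_word(data, 1), "big")
        if amount == 0:
            out.update(risk="low", reason="revokes allowance")
        elif counterparty in trusted:
            out.update(risk="medium" if amount == UINT256_MAX else "low", reason="allowance to a trusted spender")
        else:
            out.update(risk="high" if amount == UINT256_MAX else "medium", reason="allowance to an untrusted spender")
    return out
```

Revoking, as the paragraph above advises, is just the same two functions called with `false` or `0`, which the rater correctly scores as low risk.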

Proper seed phrase and private key hygiene

Seed phrases and private keys need to be protected at all costs.

These are the gateway to your entire collection of assets. Do not store your seed phrase on the Internet, in the cloud, or in any computer file that could be compromised, whether typed out or as a photo.

There are many programs and strains of malware that can sniff out seed phrases, and once one is found it can be used to gain access to your entire portfolio.

Similarly, even if you’re using a cold wallet, never type the seed phrase out on a computer. You should never need to: most modern wallets like MetaMask can import accounts from your Ledger without ever revealing the seed phrase.

Mobile wallets like MetaMask Mobile or Coinbase Wallet carry a much higher risk of compromise. You never know when your phone has been hacked, especially when it connects to public WiFi or other untrusted hotspots while you’re travelling.

Do not keep too much in a hot wallet imported onto a mobile phone; these devices carry large security risks that, more often than not, end with the wallet being drained entirely.

Diversify your assets across multiple wallets

The last tip is simply to diversify across wallets. You could create two sets of hot/cold wallets, for different chains for example, to spread the risk of being hacked even further.

Obviously this comes at the cost of inconvenience, but if you’re holding a large portfolio it’s worth considering, since the cost of losing everything far outweighs the cost of the inconvenience.

What to do if you believe you are compromised

If you believe that your wallet is ever compromised, do these steps:

  1. Disconnect from the Internet immediately
  2. On a brand new device, create a new wallet
  3. Import the compromised wallet seed and immediately send all assets to your newly created wallet
  4. To identify what assets you hold, use a blockchain explorer or an aggregator like Zapper

The key is to remain calm when you believe you might have been a victim. However, by the time you notice, it might already be too late.

To detect unauthorized transactions pre-emptively, you can use or build a service that monitors transactions from an address and sends notifications to your Telegram account.
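The core of such a monitor, as an added example that is not from the original article: it takes a batch of transactions in the shape an explorer or node typically returns (hash, from, to, value), flags every outgoing transaction whose destination is not on your own allowlist of trusted contracts, de-duplicates across polls, and posts the alert through the Telegram Bot API `sendMessage` endpoint. Fetching the transaction list is left to the reader; the addresses, token and chat id are placeholders and the transactions are constructed.

```python
# Added example (not from the original article): flag unexpected outgoing
# transactions from a watched address and push an alert to Telegram.
import json
import urllib.request

WEI_PER_ETH = 10**18

# Constructed placeholders: the wallet to watch and the contracts you knowingly use.
WATCHED = "0x" + "11" * 20
TRUSTED_CONTRACTS = frozenset({"0x" + "aa" * 20})   # e.g. a lending protocol (placeholder)

# Constructed sample batch (not real transactions): an allowed interaction,
# an incoming deposit, and an outgoing transfer to an address we never approved.
SAMPLE_TXS = [
    {"hash": "0x01", "from": WATCHED, "to": "0x" + "aa" * 20, "value": 0},
    {"hash": "0x02", "from": "0x" + "bb" * 20, "to": WATCHED, "value": 5 * 10**17},
    {"hash": "0x03", "from": WATCHED, "to": "0x" + "ee" * 20, "value": 3 * 10**18},
]


def find_suspicious(txs: list, watched: str, trusted: frozenset, seen: set) -> list:
    """Return alert strings for outgoing txs from `watched` to non-trusted addresses.

    `seen` is a set of tx hashes carried across polling rounds so that each
    transaction is reported only once. All addresses are compared lower-case.
    """
    alerts = []
    for tx in txs:
        if tx["hash"] in seen:
            continue
        seen.add(tx["hash"])
        sender, dest = tx["from"].lower(), (tx.get("to") or "").lower()
        if sender != watched.lower() or dest in trusted:
            continue            # not ours, or a contract we consciously use
        eth = tx["value"] / WEI_PER_ETH
        alerts.append(f"ALERT {watched}: outgoing tx {tx['hash']} to {dest} ({eth:.4f} ETH) "
                      "not on the trusted list. Revoke approvals and move funds if unexpected.")
    return alerts


def send_telegram(bot_token: str, chat_id: str, text: str) -> bool:
    """POST one message via the Telegram Bot API; returns the API's `ok` flag."""
    url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
    body = json.dumps({"chat_id": chat_id, "text": text}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return bool(json.load(resp).get("ok"))


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_TXS, WATCHED, TRUSTED_CONTRACTS, set()):
        print(alert)        # replace with send_telegram("<BOT_TOKEN>", "<CHAT_ID>", alert)
```

Run `find_suspicious` on each polling round with the same `seen` set; a transaction you did not initiate is the signal to start the recovery steps above.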

We hope these tips are helpful to securing your crypto wallet and preventing yourself from getting hacked.
