Guides · CoinBrew

Crypto Security: 12 Best Practices to Protect Your Holdings

Most people lose crypto in one of three ways: they get phished, they store their seed phrase carelessly, or they trust a custodian that eventually goes insolvent or gets hacked. None of these are inevitable. All of them are preventable with the right security habits.

This isn’t a theoretical guide. These are 12 concrete practices that meaningfully reduce your attack surface. Some require a few minutes to implement. Some require a small upfront cost. All of them are worth it if you’re holding anything you’d be upset to lose.

1. Use a Hardware Wallet for Significant Holdings

This is the most important thing on this list. Everything else is noise if your private keys are sitting on a hot wallet connected to the internet.

A hardware wallet (also called a cold wallet or hardware security key) is a physical device that stores your private keys offline. When you sign a transaction, the signing happens inside the device — your keys never touch the internet. Even if your computer is completely compromised with malware, an attacker can’t extract your keys.

Recommended options:

  • Ledger (Nano X, Flex): Largest ecosystem, Bluetooth mobile support. Note: Ledger had a customer data breach in 2020 (email/physical addresses — not keys) and a controversial “Recover” service announcement in 2023. The devices themselves remain secure if you understand their model.
  • Trezor (Model T, Safe 5): Fully open-source firmware. No Bluetooth. More conservative approach.
  • Coldcard (Mk4, Q): Bitcoin-only, most security-focused option. Steeper learning curve.
  • Keystone: Air-gapped device that uses QR codes instead of USB — no physical port connection.

The rule: Anything you’d genuinely be upset to lose permanently should be on a hardware wallet. Anything you’re actively using for DeFi or trading can live in a hot wallet, sized accordingly — meaning only what you need for active use.

2. Store Your Seed Phrase Correctly

Your seed phrase (12 or 24 words) is the master key to your entire wallet. Anyone who has it can generate your private keys and drain every account associated with that seed. This is the single most valuable thing to protect.

What not to do:

  • Don’t store it as a note in your phone
  • Don’t take a photo of it and store it in iCloud or Google Photos
  • Don’t email it to yourself “for safekeeping”
  • Don’t store it in a password manager (reasonable people disagree on this — we lean no)
  • Don’t type it into any website, ever, for any reason

What to do:

  • Write it on paper. Immediately.
  • Store that paper somewhere secure — a fireproof safe, a safety deposit box, or somewhere else with controlled access.
  • Consider metal backup plates (Cryptosteel, Billfodl, etc.) that are fire and water resistant. Paper can be destroyed; steel can’t.
  • Consider multiple geographic copies — if your only backup burns in a house fire, you’ve lost everything. A copy at a trusted family member’s location or a bank safety deposit box adds resilience.

Passphrase (25th word): Most hardware wallets support an additional passphrase — an optional extra word you create that extends your seed phrase. This creates an entirely different set of accounts that only exist when you use the passphrase. Even if your seed phrase is compromised, an attacker without your passphrase can’t access these accounts. Worth learning if you’re holding significant amounts.
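To make the passphrase mechanism concrete, here is the BIP39 seed derivation that hardware wallets implement, as an added example (not code from CoinBrew or any wallet vendor). It uses the all-"abandon" mnemonic from the BIP39 test vectors as a constructed input; `wallet_id` is a stand-in for the keys a real wallet would derive from the seed.

```python
import hashlib
import unicodedata

# Added example, not code from the CoinBrew guide. Implements the BIP39 seed
# derivation so you can see what the "25th word" actually does.
PBKDF2_ROUNDS = 2048  # fixed by the BIP39 specification


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salted with "mnemonic" + passphrase, 2048 rounds, 64-byte output."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ROUNDS, dklen=64)


def wallet_id(seed: bytes) -> str:
    """Short stand-in for a wallet identity. A real wallet derives BIP32 keys
    from the seed; any change in the seed changes every derived key."""
    return hashlib.sha256(seed).hexdigest()[:12]


def compare_passphrases(mnemonic: str, candidates: list) -> dict:
    """Map each passphrase ("" = no passphrase) to the wallet it opens.
    Note there is no checksum on the passphrase: a typo or a case change does
    not produce an error, it silently opens a different (empty) wallet."""
    return {p: wallet_id(bip39_seed(mnemonic, p)) for p in candidates}


# Constructed input: the all-"abandon" mnemonic from the BIP39 test vectors.
# A real seed phrase should never be typed into a script like this.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()

if __name__ == "__main__":
    table = compare_passphrases(TEST_MNEMONIC, ["", "correct horse", "Correct horse"])
    for p, wid in table.items():
        print(f"passphrase {p!r:>16} -> wallet {wid}")
```

The practical consequence: back up the exact passphrase (including case and spacing) alongside the seed words, because the device cannot tell you it is wrong.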

3. Never Enter Your Seed Phrase Online

This deserves its own entry because it’s where so many people get wiped out.

No legitimate wallet, exchange, DeFi protocol, or support team will ever ask for your seed phrase. Ever. Full stop.

The most common attack: you have a problem with MetaMask. You search for help. You find a website that looks official, or a “support agent” in a Discord who DMs you. They ask you to “verify” your wallet by entering your seed phrase in a form. You do. Your funds are gone within minutes.

This attack has stolen more crypto than most exchange hacks. It works because people are stressed, looking for help, and the fake support agent sounds helpful and professional.

The rule: If any website, form, or person asks for your seed phrase, close the tab and block the account. There is no legitimate reason they would need it.

4. Use a Separate Browser Profile or Browser for Crypto

Your crypto activity should be isolated from your general browsing. The reason: browser extensions, cookies, and malicious scripts from random websites can interact with wallet extensions like MetaMask.

Minimum: Use a separate browser profile exclusively for crypto activity. Install only the extensions you need (your wallet, nothing else). Don’t use that profile for general browsing.

Better: Use an entirely separate browser dedicated to crypto — or even a separate device. This sounds like overkill until you realize that browser-based attacks are a primary attack vector.

Also: Be extremely careful about the extensions you install in any profile that has a crypto wallet. Malicious browser extensions have been used to steal crypto from thousands of users. Only install extensions from official sources, check their review count and history, and don’t install extensions for features you don’t genuinely need.

5. Use Strong, Unique Passwords and a Password Manager

If you’re reusing passwords across accounts — including crypto exchanges — you’re one data breach away from an account takeover.

Use a proper password manager (1Password, Bitwarden, Dashlane) and generate unique, random passwords for every exchange and crypto service account. This is basic digital hygiene, but crypto stakes make it urgent.

Your password manager’s master password should be strong and memorized (not written down digitally). Your seed phrase should not be in your password manager.

6. Enable 2FA — But Use an Authenticator App, Not SMS

Two-factor authentication adds a second layer to account login. If your password is compromised, an attacker still needs your second factor. This is essential for every exchange account.

Critical: Do not use SMS (text message) 2FA for crypto accounts. SIM swap attacks — where an attacker calls your carrier and convinces them to transfer your phone number to a new SIM — are a known attack vector specifically targeting crypto users. With SMS 2FA, a SIM swap gives attackers full access.

Use instead:

  • Authenticator apps: Google Authenticator, Authy, or Aegis (Android, open-source) generate time-based codes that can’t be intercepted via SIM swap.
  • Hardware security keys: YubiKey is the gold standard — a physical USB/NFC device that serves as a second factor. Extremely phishing-resistant.

If you have a large amount on any exchange, a YubiKey is worth the $50.

7. Be Ruthless About Revoking Token Approvals

When you use DeFi protocols, you often give smart contracts approval to spend tokens from your wallet. Most users click “Approve” and never think about it again. That approval persists indefinitely unless you revoke it.

If that smart contract is later exploited, or if you approved a malicious contract while clicking through a phishing site, the approval can be used to drain your tokens.

Fix: Periodically audit and revoke unnecessary approvals.

  • Ethereum: revoke.cash or Etherscan’s Token Approval Checker
  • Other chains: Most have equivalent tools (BSC, Polygon, Arbitrum all work with revoke.cash)

Make it a habit — every few months, review your approvals and revoke anything you don’t actively use.
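What "revoking" means at the protocol level is just a second `approve` call with an amount of zero. The following added example (not code from CoinBrew or from revoke.cash) builds the raw ERC-20 calldata for checking and revoking an allowance, and classifies the value an `allowance()` query returns so that unlimited approvals stand out. The addresses are constructed placeholders; the selectors are the standard ERC-20 ones.

```python
# Added example, not from the CoinBrew guide: ERC-20 approvals at the calldata level.

UINT256_MAX = 2**256 - 1

# Standard ERC-20 4-byte selectors (first 4 bytes of keccak256 of the signature).
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)


def _addr_word(address: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(address[2:] if address.startswith("0x") else address)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def allowance_calldata(owner: str, spender: str) -> bytes:
    """Read-only eth_call payload: how much may `spender` pull from `owner`?"""
    return SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)


def revoke_calldata(spender: str) -> bytes:
    """Transaction data that sets `spender`'s allowance to zero, i.e. a revoke."""
    return SEL_APPROVE + _addr_word(spender) + (0).to_bytes(32, "big")


def classify_allowance(eth_call_result: bytes, balance: int) -> str:
    """Interpret the 32-byte uint256 returned by allowance().
    Heuristic: dapps commonly request 2**256-1 ("infinite"); anything above
    2**128 is treated as unlimited here since no real balance reaches it."""
    amount = int.from_bytes(eth_call_result, "big")
    if amount == 0:
        return "none"
    if amount >= 2**128:
        return "unlimited"
    if amount >= balance:
        return "covers full balance"
    return "partial"


if __name__ == "__main__":
    # Constructed placeholder addresses, not real accounts or contracts.
    owner, spender = "0x" + "11" * 20, "0x" + "22" * 20
    print("allowance query:", allowance_calldata(owner, spender).hex())
    print("revoke tx data :", revoke_calldata(spender).hex())
    print(classify_allowance(UINT256_MAX.to_bytes(32, "big"), balance=10))
```

Anything classified as "unlimited" or "covers full balance" for a spender you no longer use is a candidate for a revoke transaction; the revoke itself costs gas, which is why tools batch the review rather than revoking everything blindly.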

8. Verify Contract Addresses Before Interacting

Fake token contracts and cloned DeFi sites are a persistent attack vector. You find what looks like the right protocol, connect your wallet, approve a transaction — and you’ve just interacted with a malicious contract.

Before interacting with any smart contract:

  • Get the contract address from the official protocol documentation, not from search results or social media
  • Cross-reference with CoinGecko or CoinMarketCap (which list official contract addresses for most major tokens)
  • Check the address on a blockchain explorer to verify it’s legitimate — look at transaction count, age, and whether it’s been verified

Bookmark legitimate DeFi apps and always use your bookmarks. Search results can be manipulated with paid ads pointing to phishing sites (Google Ads has been used for this repeatedly).

9. Use a Separate “Hot” Wallet for DeFi

Don’t use the same wallet for DeFi experimentation that holds your long-term savings.

Have a dedicated wallet with limited funds for interacting with new protocols, minting NFTs, claiming airdrops, or any situation where you’re connecting to something you’re not 100% sure about. If you approve a malicious contract or get exploited, only that wallet is at risk.

Think of it as a spending account vs. a savings account. Your hardware wallet holdings are the savings account. Your hot wallet is the spending account. Never approve transactions from the savings account for anything you haven’t carefully vetted.

10. Defend Against Social Engineering and Phishing

Technical security is necessary but not sufficient. The biggest attack vector targeting sophisticated users is social engineering — manipulating you into making a mistake rather than exploiting a technical vulnerability.

Common attacks:

  • Fake support in Discord or Telegram (covered above — never give your seed phrase)
  • Fake airdrops: “You’ve qualified for a free token claim!” Links to a site that asks you to approve a transaction that drains your wallet
  • Impersonation: Attackers impersonate founders, VCs, or exchange support. Crypto Twitter is rampant with impersonation accounts.
  • Job scams: Fake “crypto job” opportunities that require you to install software (malware) or test a “beta protocol” (phishing site)
  • Romance scams / “pig butchering”: Elaborately constructed fake relationships that eventually lead to a request to invest through a fraudulent platform

The defense: extreme skepticism about unsolicited messages, DMs, or opportunities that seem too good or too convenient. Real airdrops don’t need you to sign anything that spends your funds. Real jobs don’t require installing software before getting an offer.

11. Secure Your Email Account (It’s the Master Key)

Most exchange accounts can be recovered via email, which means your email account is far more valuable than most people treat it as.

Your primary email — especially the one tied to crypto accounts — should have:

  • A unique, strong password (in your password manager)
  • A hardware security key (YubiKey) as 2FA, or at minimum an authenticator app
  • No recovery phone number (which could be SIM-swapped)

Also: be careful about which email address you use for crypto accounts. If you have an old Gmail account that’s been exposed in multiple data breaches, use a newer, cleaner email for exchanges. Services like haveibeenpwned.com let you check if your email has been in known breaches.

12. Have a Documented Emergency Plan

Security planning isn’t just for attacks — it’s also about what happens if you’re incapacitated or die. Crypto has no inheritance department. If you die with your seed phrase only in your head, your holdings die with you.

At minimum: a trusted person (family member, estate attorney) should know that you hold crypto, where the hardware wallet is, and how to access the seed phrase backup. You don’t have to give them access now — but they need to know it exists and how to find it.

This is uncomfortable to think about, but the alternative is your heirs finding a Ledger with no idea what it is and no way to access what might be substantial assets.

Optionally: services like Casa (multi-signature wallet infrastructure with inheritance planning) and Unchained Capital build this into their custody solutions. For large holdings, these are worth evaluating.


Frequently Asked Questions

Q: What’s the safest way to store a large amount of cryptocurrency?

A hardware wallet with your seed phrase backed up on metal plates, stored in multiple secure physical locations (home safe plus a bank safety deposit box or trusted family member). For very large amounts, multi-signature setups (where multiple keys are required to spend) add another layer — services like Casa and Unchained specialize in this.

Q: Can hardware wallets be hacked?

The devices themselves have strong security chips and haven’t been meaningfully broken remotely. Physical attacks on hardware wallets are possible with sophisticated equipment and direct access to the device — but this isn’t realistic for most threat models. The bigger risks are supply chain attacks (buy from the manufacturer directly, not third-party sellers) and social engineering attacks targeting the seed phrase rather than the device.

Q: Is it safe to leave crypto on an exchange?

Short-term, for trading purposes, reputable exchanges (Coinbase, Kraken, Gemini) are reasonably safe. For significant long-term holdings, no — exchanges have been hacked (Mt. Gox, FTX, etc.), and even legitimate exchanges expose you to counterparty risk. The principle “not your keys, not your coins” exists for good reason.

Q: What do I do if I think I’ve been phished or compromised?

Move fast. If you have any reason to believe your seed phrase or private key was exposed: immediately sweep all funds to a fresh wallet with a new seed phrase that was never exposed. Use a clean device if possible. Don’t try to “revoke approvals” first — move the funds out while you still can, then deal with cleanup.

Q: What’s a SIM swap attack and how do I protect against it?

SIM swapping is when an attacker convinces your mobile carrier to transfer your phone number to a SIM they control, giving them access to your SMS messages — including SMS 2FA codes. Protection: don’t use SMS 2FA (use an authenticator app or hardware key instead), add a PIN or password to your mobile account, and consider moving your number to a carrier with stronger security policies (Google Fi, for example, has relatively strong anti-SIM-swap measures).