Crypto Risks and Security Basics
If you’ve taken the orange pill and finally decided that cryptocurrency, specifically bitcoin (BTC), isn’t going anywhere but up due to supply and demand, then you need to understand how important (and empowering) it is to be your own bank.
The Federal Reserve raised interest rates from near 0% to over 5% between 2022 and 2023, which left banks holding the bag when customers tried to cash in their IOUs by making withdrawals.
In an oversimplified example, banks take customer deposits (ie – your salary direct deposit) and they lend your money to other individuals (ie – credit cards, mortgages and car loans) or businesses (ie – commercial loans/debt).
The bank makes a profit on the interest payments less any expenses.
At the risk of turning this post into a post-mortem of central bank monetary policy (currency debasement creating a high risk situation for banks like SVB and Silvergate, which collapsed after selling long term debt at a loss to meet withdrawals), let’s focus on the expenses banks incur in the normal course of business.
If we look at a traditional publicly traded bank like Chase, BoA, Silicon Valley Bank, etrade (owned by a bank – Morgan Stanley), their primary function is to make a profit via interest payments from debtors (businesses or individuals who have a line of credit and pay interest).
As it relates to crypto, being your own bank doesn’t mean you need to worry about credit risk or deposit ratios. Being your own bank means that you are the custodian of your crypto assets and YOU are responsible for securing those assets.
It’s fundamental to understand the difference between the two kinds of software based hot wallets. With an exchange custodial wallet you’re not the actual custodian of your crypto: you own an IOU with no government bailout or FDIC insurance. With a self-custody app like MetaMask or a mobile wallet you do hold the keys, but they live on a device that is connected to the internet.
If the exchange or custodial wallet provider goes bankrupt, falls victim to a hacker exploit or a government seizure/freeze, then your crypto is gone and there is likely no way to recover all of your assets. If the phone or browser running a self-custody hot wallet is compromised, the outcome is the same.
To act as your own bank requires that you a) trust no one but yourself to act as the custodian of your crypto assets and b) execute your own personal security plan to keep your crypto safe.
Most Common Crypto Related Scams and Hacks (and how to avoid them)
Due to its digital nature, crypto is vulnerable to hacks, personal threats, and scams.
If you are new(ish) to crypto, you may not even be aware of the threats that can exist in this ecosystem.
According to the 2023 Chainalysis Crypto Crime Report, 2022 was the biggest year ever for crypto hacking, with $3.8 billion stolen from cryptocurrency businesses, up from $3.3 billion in 2021.
The common vulnerability to your cryptocurrency is your internet connection, which is the vector attackers use to wreak havoc with your crypto.
Using a software wallet that is connected to the internet opens the door to a silent attack from an online hacker. Crypto transactions are irreversible, so your funds are gone if your hot wallet gets compromised.
There is no central authority or crypto customer service to call if you lose your crypto.
The Most Common and Avoidable Crypto Risks for Noobs
Pump and Dump / Rug Pull Scams – In a pump and dump, promoters hype up a (often new) coin to drive the price up and then sell into the demand they created. In a rug pull, the project’s own team drains the liquidity or abandons the project. Investors are often lured in with a ‘good price’ in exchange for a lockup period where they can’t sell. Eventually the price crashes in a liquidity crunch and everyone is left holding the bag.
Fake Crypto Sites – Verify that the website you are on is the official site for the company you are actually trying to use. Download apps only from these websites. This generally goes for anything on the internet. There are sites out there that look like legitimate review websites offering trusted downloads of a software you’re trying to download for free (psst you know who you are). Don’t trust, verify. Inspect the URL (the full hostname, not just the padlock), make sure the connection is secured with https://, reference the project’s GitHub, and if you want to get nerdy you can verify the download’s signature against the project’s PGP key. Keep in mind that https:// only proves you are talking to the site named in the address bar; phishing sites use it too.
Fake Crypto Apps – Beware of the wallet app you just downloaded for your iPhone that has a legit looking logo and then asks for your seed phrase. A real wallet only asks for a seed phrase during a restore that you started yourself. This should be as obvious as the Nigerian Prince scam but there is a non zero probability that people will continue to ignore the warnings.
NEVER GIVE ANYONE OR ANY APP YOUR SEED PHRASE!
Fake Crypto Wallets – Always buy your hardware wallet directly from the manufacturer’s website. Avoid resellers like BestBuy or Amazon as there is a risk of a real life man-in-the-middle attack where a bad actor somewhere along the supply chain tampers with the device. Whoever you buy from, the device must generate its own seed phrase during setup: a unit that arrives with a pre-printed seed card is compromised, full stop.
Sh1tcoiners – there are a lot of interesting projects out there that purport to add value to the crypto ecosystem. They are not bitcoin. They are more like securities. Even Gensler thinks they walk and talk like a duck. Bitcoin is a better form of money, not programmed to lose value (eh inflation).
Government Sanctions for Crypto – The OFAC Sanctions List is no joke and names state sponsored entities like North Korea’s Lazarus Group as well as the crypto mixer Tornado Cash. Transacting with a sanctioned address can get your exchange account frozen.
dApps w/ Bugs – Some Decentralized Finance apps (dApps) get hacked, often through bugs in their smart contracts or manipulation of the price oracles they rely on, on Ethereum and similar smart contract chains (not bitcoin).
Blind Signing Smart Contracts – A common social engineering scam in Web3 and with dApps when you’re dealing with smart contracts. An attacker gains your trust and convinces you to sign a transaction without disclosing what it actually does. In the worst case it is a token approval that gives the attacker’s contract permission to move everything in your wallet. If your wallet can’t show you exactly what a transaction does, don’t sign it.
Hot Wallets – Hot wallets serve a purpose and not all are bad. Even good self-custody hot wallets like MetaMask, Coinbase Wallet, and Trust pose a risk to your crypto security in the simple fact that your keys live on an internet connected device. An exchange wallet is worse: there you don’t control your keys at all, so your coins are not in your custody.
Pro Tip: Schedule regular withdrawals from your hot to your cold wallet only keeping what you’re ok to lose on the hot wallet.
Anything ‘too good to be true’ – Your Spidey-Sense needs to be on high alert when you’re dealing with crypto. Giveaways, business opportunities, romance, job offers, investment ‘schemes’, and easy money with flash loans are all sus. These are just a few examples of the crypto ecosystem’s Nigerian Prince scam.
ProTip: Get rich quick is not worth the risk when you can dollar cost average your way into a bitcoin position on autopilot with the Stratus Bot. #HODL
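To make the blind signing risk above concrete, here is an added example (not code from the original post or from any wallet vendor) that decodes the calldata of an Ethereum style (EVM) transaction before it is signed and flags the approvals that drain wallets. The function selectors are the standard ERC-20/ERC-721 ones, hard coded so no keccak library is needed; the spender address and all calldata samples are constructed for the demo.

```python
# Added example (not from the original post): decode the calldata of an EVM
# transaction before you sign it, and flag the dangerous token approvals that
# "blind signing" scams rely on. Selectors are the well-known first 4 bytes of
# keccak256(signature) for the ERC-20 / ERC-721 functions below (hard coded so
# the script needs no keccak library).
UNLIMITED = 2**256 - 1          # "max uint256": the allowance scammers ask for

SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
}


def encode_word(abi_type: str, value) -> bytes:
    """ABI-encode one static argument as a 32-byte word."""
    if abi_type == "address":
        return bytes.fromhex(value.removeprefix("0x")).rjust(32, b"\x00")
    if abi_type == "uint256":
        return int(value).to_bytes(32, "big")
    if abi_type == "bool":
        return (1 if value else 0).to_bytes(32, "big")
    raise ValueError(f"unsupported type {abi_type}")


def encode_call(function: str, args) -> str:
    """Build calldata for one of the functions in SELECTORS (used here to make samples)."""
    selector, types = next((s, t) for s, (n, t) in SELECTORS.items() if n == function)
    body = b"".join(encode_word(t, a) for t, a in zip(types, args))
    return "0x" + selector + body.hex()


def decode_calldata(calldata: str) -> dict:
    """Return the function, its arguments and a list of plain-English warnings."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": [],
                "warnings": ["unknown function: do not sign what you cannot decode"]}
    name, types = SELECTORS[selector]
    words = data[4:]
    if len(words) != 32 * len(types):
        raise ValueError("malformed ABI encoding for " + name)
    args = []
    for i, abi_type in enumerate(types):
        word = words[32 * i: 32 * i + 32]
        if abi_type == "address":
            args.append("0x" + word[12:].hex())     # address is the low 20 bytes
        elif abi_type == "uint256":
            args.append(int.from_bytes(word, "big"))
        else:                                        # bool
            args.append(int.from_bytes(word, "big") != 0)
    warnings = []
    if name == "approve" and args[1] == UNLIMITED:
        warnings.append(f"UNLIMITED token allowance granted to {args[0]}: it can drain this token at any time")
    if name == "setApprovalForAll" and args[1]:
        warnings.append(f"operator approval over ALL NFTs in this collection granted to {args[0]}")
    if name in ("transfer", "transferFrom"):
        warnings.append(f"this transaction moves tokens now, to {args[-2]}")
    return {"function": name, "selector": selector, "args": args, "warnings": warnings}


if __name__ == "__main__":
    SCAMMER = "0x" + "ba" * 20   # constructed address for the samples
    for sample in (encode_call("approve", [SCAMMER, UNLIMITED]),
                   encode_call("approve", [SCAMMER, 10**18]),
                   encode_call("setApprovalForAll", [SCAMMER, True]),
                   "0xdeadbeef"):
        print(decode_calldata(sample))
```

A bounded approve for the exact amount a dApp needs produces no warning; an approve for max uint256 or a setApprovalForAll(true) is what the "sign this to claim your airdrop" scam actually asks for, and nothing in the signing prompt of a wallet that can’t decode calldata will tell you the difference.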
The Most Underreported Crypto Scam is Phishing & Social Engineering
Phishing and Social Engineering: The most frequent crypto scams are phishing attacks, which are designed to deceive and manipulate users into revealing sensitive information such as seed phrases, passwords and 2FA codes.
Phishers often impersonate legitimate entities, such as wallet providers or exchanges, by using fake websites, emails, or messages that closely resemble the real ones just like this attack.
Phishing Red Flags: Common signs of phishing include misspellings or poor grammar, a manufactured sense of urgency, requests for your seed phrase, password or 2FA code, and unsolicited emails or phone calls from fake customer service agents.
The best ways to avoid crypto phishing scams:
- Verify the authenticity of the communication before taking any action.
- Don’t click links, download attachments, or visit the website of the email sender.
- Visit the official website of the company the suspected phisher claims to represent.
- Secure your crypto related accounts with strong, unique passwords and enable two-factor authentication (2FA), preferably an authenticator app or hardware security key rather than SMS, which can be hijacked with a SIM swap.
- Use cold wallet storage.
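The "inspect the URL" advice in the Fake Crypto Sites item and the phishing red flags above both come down to reading the hostname correctly. Here is an added example (not code from the original post) that automates the checks a careful person does by eye: userinfo tricks (`https://ledger.com@evil.example`), punycode hosts, digit-for-letter lookalikes and brand names buried in someone else’s domain. The allowlist `OFFICIAL_DOMAINS` is a constructed assumption you would fill from the vendor’s own packaging or docs, the two-label `registrable_domain` rule is a simplification of the Public Suffix List, and every sample link is constructed rather than a real phishing site.

```python
# Added example (not from the original post): a small lookalike-link checker
# for the "inspect the URL" advice. OFFICIAL_DOMAINS is a constructed allowlist
# you would fill in yourself; the sample URLs at the bottom are constructed.
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"ledger.com", "trezor.io", "metamask.io"}

# Substitutions that lookalike registrations rely on, mapped to the letters they mimic.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label: str) -> str:
    """Fold common character swaps so '1edger' and 'rnetamask' compare equal to the brand."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label.replace("-", "")


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels are the registered name. Real code should
    # consult the Public Suffix List so that names like 'foo.co.uk' are handled.
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> dict:
    """Classify a link as official / suspicious / unknown and say why."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")      # urlsplit lowercases the host
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # https://ledger.com@evil.example/ : the part before '@' is a username, not the host
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised name: can render as a near-identical brand name (homograph)
        findings.append("punycode-host")
    registrable = registrable_domain(host)
    if registrable in OFFICIAL_DOMAINS:
        verdict = "official" if not findings else "suspicious"
        return {"host": host, "registrable": registrable, "verdict": verdict, "findings": findings}
    brand_label = normalize_label(registrable.split(".")[0])
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if brand_label == brand:
            findings.append(f"lookalike-of:{official}")
        elif brand in host:
            # brand name buried in a subdomain or hyphenated name: ledger.com.secure-login.xyz
            findings.append(f"embeds-brand:{official}")
    verdict = "suspicious" if findings else "unknown"
    return {"host": host, "registrable": registrable, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for link in ("https://www.ledger.com/start", "https://1edger.com/restore",
                 "https://ledger.com.secure-login.xyz/", "https://ledger.com@evil.example/",
                 "https://rnetamask.io/", "http://trezor.io/", "https://example.org/"):
        print(check_url(link))
```

Note that an "unknown" verdict is not a pass: the allowlist only knows the sites you put in it, so anything outside it still deserves the manual check described above.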
Go Paul Blart on a suspected phishing attempt. Detect, deter, observe and report the phishing attempt to authorities and the targeted company. Most exchanges and wallet providers have dedicated channels and email addresses for reporting.
Here are 4 places US citizens can report crypto phishing scams:
- Commodity Futures Trading Commission (CFTC)
- Federal Bureau of Investigation (FBI)
- Federal Trade Commission (FTC)
- Internet Crime Complaint Center (IC3)
What are the best ways to prevent losing my bitcoin?
The two best ways to prevent your crypto getting hacked are 1) setting up a crypto cold wallet and 2) using common sense.
Maintaining privacy in this digitally surveilled information age is difficult to accomplish, but you can take a deep dive on privacy here.
You might not know what you don’t know when it comes to crypto security best practices, but I’ll describe a few things to look out for below.
- Pay to Play: There is no reason you would need to front crypto for anything like getting a job. A friend of mine lost her crypto when she ‘blind signed’ a scammer’s smart contract selling a Shopify website.
- Too good to be true: No one is going to give you anything of value for free. If an offer seems too good to be true, it is. Walk away then change your passwords and create new private keys.
- Guarantees: These are tell tale signs of a ponzi scheme. Walk away.
- Urgency: You should never feel rushed in a crypto transaction. With cold storage you can sign transactions offline. There’s no need to rush anything and urgency plays into the hand of a dubious crypto hacker.
What is a crypto wallet?
A wallet stores your private keys and uses them to sign crypto transactions. Your coins live on the blockchain; the wallet only holds the keys that control them.
- Hot Wallet – A hot wallet is a software program that runs on your phone (wallet app – Trust), internet browser (software browser wallet – MetaMask), or web platform (automatically created on a centralized exchange where you buy or sell crypto). These wallets are always connected to the internet, so if your browser, mobile phone, or the company hosting the wallet is hacked then the hacker has access to your private keys and can easily wipe out your crypto holdings.
- Cold Wallet – A cold wallet is offline storage for your crypto private keys. Cold wallets can be hardware devices or physical pieces of paper with your private key. Cold wallets keep your private keys offline and are the quickest and least expensive way to increase your crypto security.
Should I move all of my crypto off of my hot wallet?
No, don’t move ALL of your crypto off of your hot wallets.
Keep on the hot wallet only what you a) aren’t afraid to lose and/or b) are actively trading, and move the rest to cold storage. Hot wallets, though less secure, are a lot easier to use for trading crypto than cold wallets. They are so easy to use and serve a purpose but you need to have a plan for moving crypto from hot wallets to cold storage.
Do I need cold wallet hardware?
Yes!
Some OGs may still be rocking paper wallets , but that’s like taking vacation pics with a flip phone.
A hardware wallet keeps your private keys inside the device and signs transactions there, so the seed phrase from which your keys are derived is never exposed to the software vulnerabilities or online exploits of the computer it plugs into. Your crypto is in your control.
Spend ~$100 and get a Trezor or Ledger. Follow these steps to set up your cold wallet.
Can my cold wallet get hacked?
Hardware wallets are hard to hack, not impossible. Someone who has your seed phrase doesn’t need the device at all: the phrase alone lets them recreate your private keys in any wallet. Someone who steals the device but not the seed still has to get past the PIN and the device’s hardware protections. The most common real world failures are a phished seed phrase, a tampered device from a reseller, and malware on the host computer that swaps the destination address, which is why you confirm the address and amount on the device’s own screen before approving.
Here are the 30 best ways to secure your backup recovery seed.
Most cold wallets have security mechanisms in place (a PIN, on-device display of what you are signing, keys that never leave the device) so that even if your computer, browser or online hot wallet accounts are compromised, your crypto assets remain secure in the cold wallet, as long as you verify what the device’s screen shows and never type your seed phrase into the computer.
What is a Cold Wallet Backup Recovery Seed Phrase?
Your recovery seed is a human-readable ordered list of 12-24 words that serves as the backup and recovery method to restore your cold wallet.
The mnemonic phrase is built from a public list of words. Bitcoin Improvement Proposal 39 (BIP39) defines the most common list, 2,048 English words, and the deterministic procedure a wallet uses to turn random entropy into a 12-24 word recovery seed that can back up and restore your wallet.
The words and their order are determined by a source of entropy (ie – randomness): the wallet generates 128-256 random bits, appends a short checksum, and reads the result 11 bits at a time as indexes into the word list. Ledger uses BIP39 (2,048 words); Trezor uses BIP39 by default and also offers SLIP39 (1,024 words) for its Shamir backup, which splits the secret into multiple shares.
How hard is it to guess the recovery seed phrase for Ledger cold wallet?
A BIP39 list of 2,048 words has 2,048^24 (= 2^264) possible 24-word orderings, of which only the 2^256 that pass the built-in checksum are valid seeds. That is a number on the same scale as estimates of the number of atoms in the observable universe. The likelihood of someone guessing your backup seed or two wallets having the same seed is 1 in 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 (2^256).
Pro Tip: Remember that recovery seed phrases can be used to recover BOTH hot wallets and cold wallets. That cuts both ways: typing your hardware wallet’s seed into a software wallet turns your cold storage into a hot wallet, so only ever restore a seed into another hardware device.
If you think it’s a pain to safeguard your 24 recovery seed words, the alternative is safely storing a string of 256 0s and 1s (ie – 1001010000101….), which is exactly what the words encode and exactly what your cold wallet keeps inside the device, and why you need one.
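To show how the entropy, checksum and 2^256 figures above fit together, here is an added example (not code from the original post or from Ledger/Trezor). It implements the BIP39 mapping from raw entropy to word indexes and back, including the checksum that makes most random word sequences invalid. The 2,048-word English list is not embedded, so the functions work on indexes 0-2047; in the standard list index 0 is "abandon", 3 is "about" and 102 is "art", which is what the spec’s all-zero entropy test vectors produce.

```python
# Added example (not from the original post): how a BIP39 wallet turns raw
# entropy into the word indexes of a recovery seed, and how the built-in
# checksum catches a wrong word. Works on word indexes (0-2047) rather than
# on the 2,048-word list itself.
import hashlib
import os

WORDLIST_SIZE = 2048                            # 2**11: every word encodes exactly 11 bits
VALID_ENTROPY_BYTES = (16, 20, 24, 28, 32)      # 12, 15, 18, 21, 24 words
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def entropy_to_indices(entropy: bytes) -> list:
    """Append the SHA-256 checksum (1 bit per 32 bits of entropy) and split into 11-bit indexes."""
    if len(entropy) not in VALID_ENTROPY_BYTES:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & (WORDLIST_SIZE - 1) for i in range(n_words)]


def indices_to_entropy(indices) -> bytes:
    """Reverse the mapping; raises ValueError if the checksum does not match."""
    n_words = len(indices)
    if n_words not in VALID_WORD_COUNTS:
        raise ValueError("a BIP39 phrase has 12, 15, 18, 21 or 24 words")
    combined = 0
    for idx in indices:
        if not 0 <= idx < WORDLIST_SIZE:
            raise ValueError("word index outside the 2,048-word list")
        combined = (combined << 11) | idx
    total_bits = n_words * 11
    cs_bits = total_bits // 33                   # 4 bits for 12 words, 8 bits for 24
    entropy = (combined >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if combined & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def checksum_ok(indices) -> bool:
    """True if the word sequence is a valid BIP39 phrase (a wallet would accept it)."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def valid_phrase_count(n_words: int) -> int:
    """Number of word sequences of this length that pass the checksum (vs 2048**n_words orderings)."""
    total_bits = n_words * 11
    return 2 ** (total_bits - total_bits // 33)


if __name__ == "__main__":
    fresh = os.urandom(32)                       # what the wallet does inside the device
    words = entropy_to_indices(fresh)
    assert indices_to_entropy(words) == fresh
    print("24 word indexes:", words)
    print("orderings:", 2048 ** 24, "valid seeds:", valid_phrase_count(24))
```

The checksum is only 8 bits for a 24-word phrase, so it reliably catches a single mistyped word when you restore a backup, but it is not a secret and adds nothing to the guessing difficulty: the security is entirely in the 256 bits of entropy the device drew.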
What is a Crypto Wrench Attack?
The $5 wrench attack is a crypto meme but also a reality for a few high net worth crypto holders.
Even the most technically secure wallet, hot or cold, isn’t safe from its owner being attacked in real life and held hostage until you transfer your crypto.
Keeping all of your crypto in a hot wallet secured by FaceID on your iPhone is only going to accelerate losing it to thieves.
How do I Protect Myself From a $5 Wrench Attack?
Privacy is the first step to prevent a wrench attack. If you aren’t known to hold crypto, the likelihood that you will be targeted is low.
The next step after privacy is to make accessing your wallet(s) difficult and expensive by deploying a digital and physical security process.
A multi-sig wallet with a time-lock is another advanced alternative: no single key, and no single person under duress, can move the funds. A decoy or duress wallet, such as one protected by a BIP39 passphrase and holding enough crypto to satisfy the attacker, is a much simpler tactic to deploy, but it only works if the decoy balance and history look plausible.
Transferring your crypto to a cold wallet, with keys kept away from your phone and computer, throws a wrench into a plan that relies on draining the wallets your phone and browser can reach.
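The decoy or duress passphrase wallet mentioned above works because of how BIP39 derives the wallet seed. Here is an added example (not code from the original post or from any wallet vendor) that runs the spec’s own derivation, PBKDF2-HMAC-SHA512 over the mnemonic with "mnemonic" + passphrase as the salt, to show that the same 24 words with different passphrases open completely different wallets, and that an attacker who already holds the words can try weak passphrases offline. The mnemonic is the BIP39 spec’s test vector; the passphrases and candidate list are constructed for the demo.

```python
# Added example (not from the original post): the BIP39 passphrase ("25th
# word") behind a decoy/duress wallet. The seed fed to the wallet is
# PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds), so the
# same words with a different passphrase yield an unrelated wallet.
import hashlib
import unicodedata

TEST_MNEMONIC = "abandon " * 11 + "about"    # BIP39 spec test vector (all-zero entropy)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed exactly as BIP39 specifies."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Short fingerprint of the seed; a different value means a different wallet."""
    return bip39_seed(mnemonic, passphrase)[:4].hex()


def recover_passphrase(mnemonic: str, target_id: str, candidates):
    """What an attacker who already has the words does: try passphrases offline.
    Returns the passphrase that reproduces target_id, or None."""
    for guess in candidates:
        if wallet_id(mnemonic, guess) == target_id:
            return guess
    return None


if __name__ == "__main__":
    decoy = wallet_id(TEST_MNEMONIC)                     # no passphrase: the wallet you hand over
    real = wallet_id(TEST_MNEMONIC, "correct horse battery staple")   # constructed passphrase
    print("decoy wallet", decoy, "real wallet", real)
    weak = wallet_id(TEST_MNEMONIC, "1234")              # constructed weak passphrase
    print("weak passphrase recovered:",
          recover_passphrase(TEST_MNEMONIC, weak, ["password", "1234", "bitcoin"]))
```

Two practical consequences: 2,048 rounds of PBKDF2 are cheap, so a short or dictionary passphrase gives an attacker holding your words very little extra work; and the passphrase is not stored anywhere on the device, so if you forget it the funds behind it are gone even though you still have all 24 words.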
Be safe out there!
Note: Stratus does NOT provide investment, legal or tax advice. All information in this article is for educational purposes and should not be interpreted as investment, legal or tax advice. The opinions expressed are those of the author for informational purposes and neither Stratus nor the author are liable for any errors, inaccuracies or omissions. Digital assets, such as cryptocurrencies or decentralized finance, present unique risks for investors. For investment, legal, tax, or other financial guidance you should consult your own advisor.