While security is gradually improving across the crypto industry, cyberattacks still happen. In September 2020, for instance, hackers stole over $281 million from Kucoin, one of the largest crypto exchanges. In August 2021, they made off with more than $610 million from the blockchain platform Poly Network. During the summer of 2022, $100 million was swiped from crypto transfer platform Horizon Bridge.
In addition to these headline-grabbing hacks, smaller phishing scams (i.e., social media and email scams) are continuously occurring.
The good news is you can take steps to store your crypto safely. Here are a few suggestions for improving the security of your crypto investments.
Is cryptocurrency safe?
Crypto is bought and sold on the internet, which means it comes with risks, just as there are with any asset you purchase online.
In general, remember that crypto is highly volatile, and may be more susceptible to market manipulation than securities. Crypto holders do not benefit from the same regulatory protections applicable to registered securities, and the future regulatory environment for crypto is currently uncertain.
Crypto is also not insured by the Federal Deposit Insurance Corporation (FDIC) or the Securities Investor Protection Corporation (SIPC), meaning you should only buy crypto with an amount you're willing to lose.
With that said, there are steps you can follow to help keep your crypto safe from cyberattacks, like protecting your passwords and never clicking on suspicious links. While many of the following strategies may sound familiar to anyone who has invested in stocks or commodities, crypto cybersecurity has some additional nuances we'll explore below.
How do cybercriminals steal crypto?
Before we look at how to help keep your crypto safe, let's identify some of the ways your investments could be targeted. Cybercriminals often use the following methods:
- Exchange attacks. Hundreds of millions of dollars of crypto are kept on exchanges. Platforms with security vulnerabilities have been targeted in the past.
- Phishing emails or direct messages on social media. These include fake giveaways and fraudulent confirmation emails. They're designed to look like they're from an exchange or the development team of the cryptocurrency you're invested in. The goal is to get you to click on a fake link that gives the scammer access to your crypto wallet.
- SIM swaps. A bad actor who obtains your phone number may be able to gain control of your phone by contacting your carrier and requesting a new SIM card. This gives them the ability to reset the logins to your crypto accounts with 2-factor authentication.
Stealing isn't the only way cybercriminals can defraud the market. They can also use pump-and-dump scams (known as "rugs"), where bad actors hype a coin to attract new investors. Once the price reaches a peak, they sell all their holdings at a profit and send the price falling.
While not technically hacks, these scams can wipe out your entire investment if you're not careful.
Strategies that can help you store bitcoin and other cryptos safely
Here are 4 strategies that can reduce the chances your crypto gets stolen.
1. Choose where to store your crypto
There are 2 primary options to consider: Store your crypto with a trusted custodian, or provide your own custody.
a. Store your crypto with a trusted custodian
Third-party custodians may be a better option for inexperienced investors. One example of a third-party custodian is a traditional trading platform. These are typically platforms that have traditionally offered equities and now also offer crypto. There are a few advantages to storing your crypto with this method.
First, you may have a lower chance of losing access to your crypto. If you lose your login, you may be able to work with a dedicated customer service team to recover it. This often isn't the case if you provide your own custody, where it can be impossible to find your login information if you lose it.
Second, keeping your investments secure can be a simpler process if you choose a reputable custodian with years of experience. Providing your own custody can be a complicated, multi-step process with more chances for errors. In contrast, using a third-party custodian may mean you only need to keep track of one username and password.
All things considered, this route may be the most secure strategy for those who don't have time or the desire to learn about the nuances of crypto cybersecurity.
Note that some platforms may not yet provide the ability to transfer your coins to other wallets. Though this may change in the future, it may also not be a significant downside if your only goal is to use crypto as an investment.
b. Provide your own custody
If you decide to manage your own security, you'll first buy crypto on a crypto trading platform. When you complete your purchase, it'll initially be stored in a digital account (also known as a "hot wallet") managed by the platform. From there, consider transferring it to a digital crypto wallet or a physical, USB-like device known as a "cold wallet."
The benefit of providing your own custody is that it gives you full ownership of your coins. You can use them however you want, including to pay for goods and services.
The downside is that it can be both more complicated and more risky. If you lose the password to your wallet, or accidentally send your crypto to the wrong wallet address, you won't have access to a customer service department. Cold wallets may protect you from virtual theft, but are still vulnerable to physical theft and damage. Any of these events can result in losing access to your crypto forever.
2. Always research founders’ backgrounds before investing
Because anyone can start their own coin, crypto often attracts pump-and-dump scams (commonly referred to as "rugs" or "rug pulls"). In 2015, a Bulgarian woman named Ruja Ignatova launched OneCoin, promising it would soon overthrow bitcoin. After accumulating over $4 billion from investors around the world, Ignatova pocketed the money and disappeared.
New investors may want to consider sticking to cryptocurrencies that have established histories and have survived impactful events. Also look for interest from institutional investors with large research teams. Coins that have institutional interest may be comparatively less likely to be brought down by a single bad actor.
However, if you're committed to exploring relatively unproven coins, always research the founders' backgrounds before you jump in. This might help you spot potential red flags. Ignatova, for example, had a history of frauds and multi-level marketing scams.
3. Only buy through established exchanges with reliable histories
If you choose to buy your crypto on a crypto trading platform instead of a traditional trading platform, choose your exchange carefully, as security features can vary widely.
Consider the example of Canada's largest crypto exchange, QuadrigaCX, whose CEO passed away while traveling in 2018. Because only he had the password to the company's cold wallets, customers suddenly found themselves locked out of their investments.
When choosing an exchange, consider sticking to well-funded exchanges with at least several hundred employees. Also be wary of exchanges that offer high yields, as they are often not sustainable. One example is Voyager Digital, an exchange that advertised yields as high as 12%. In July 2022, the company filed for bankruptcy.
4. Follow common sense crypto cybersecurity rules
It’s vital to get familiar with strategies cybercriminals commonly use to steal crypto. In addition, consider following standard cybersecurity recommendations, such as:
- If you choose to provide your own custody, never share the key to your private or cold wallet with anyone. Just as you would never share your email password, keep your keys safe. Also make sure to write it down, as losing it could mean losing access to your crypto forever.
- Avoid bragging about how much crypto you have online. To avoid being targeted by SIM swap scammers, the FBI recommends keeping details about your financial holdings private.
- Check twice before you click an email link. Phishing scams are common in crypto. If you receive an email that looks like it's from your exchange, first check to see that the domain address is correct. For example, an email from Coinbase should come from an @coinbase.com address. When in doubt, contact your exchange's customer support team to verify the email is legitimate.
- Never click a link in a direct social media message. Exchanges will rarely contact you through direct message on social media, unless you've initiated it by contacting their support team. Sending fraudulent social media message links is currently one of the most popular phishing strategies.
- Set 2-factor authentication for all accounts. This is where you must enter an additional code beyond your basic username and password to access your account. This code is usually sent to either your mobile phone or email, and adds a level of security in case your login information is hacked.
- Be cautious when transferring crypto to another wallet. Transferring crypto is typically done through the “Withdraw” or “Send” function (the label may vary depending on the platform you use). Remember that if you send coins to the wrong address, enter the wrong amount, select the wrong asset, or select the wrong blockchain network, you may not be able to reverse your transaction. Always check these elements before making transfers. Assets sent to unsupported network addresses may not be able to be recovered, and you may lose access to your coins forever. This is a risk even if you're sending payments through a centralized exchange or platform.
  One way to minimize risk is to use a “penny test.” Withdraw a tiny amount (typically equal to less than $1) from your wallet. Confirm your withdrawal on the blockchain and make sure the recipient sees it in their account. Then proceed with the full withdrawal amount.
- Never accept a transaction or NFT you didn’t sign up for. Cybercriminals may send fraudulent cryptocurrencies or NFTs to your private wallet. These may contain smart contracts or phishing links that enable them to steal your coins. Don’t accept any unknown transactions that appear in your private wallet.
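The sender-domain check from the email item in the list above can be automated. The following is an added example, not part of the original article; the allowlist, the function names and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption for this example: the only domain the exchange sends mail from.
TRUSTED_DOMAINS = ("coinbase.com",)

def sender_domain(from_header):
    """Return the lower-cased domain of the From address, or None if unparsable."""
    _display_name, address = parseaddr(from_header)
    if address.count("@") != 1:
        return None
    domain = address.split("@")[1].rstrip(".").lower()
    return domain or None

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'match', 'lookalike' or 'mismatch' for a From header.

    'match' is necessary but not sufficient: the From header is supplied
    by the sender, so a matching domain alone does not prove origin.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "mismatch"
    for good in trusted:
        # Exact domain, or a real subdomain (assumed to belong to the same owner).
        if domain == good or domain.endswith("." + good):
            return "match"
    for good in trusted:
        brand = good.split(".")[0]
        # Brand name embedded elsewhere, e.g. as a prefix label or inside another name.
        if brand in domain:
            return "lookalike"
    # Punycode labels can render as visually similar Unicode characters.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike"
    return "mismatch"

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    "Coinbase <no-reply@coinbase.com>",
    "Coinbase <support@coinbase.com.account-verify.example>",
    "Coinbase <no-reply@notcoinbase.com>",
    '"Coinbase Security" <alerts@mailer.example>',
    "Coinbase <help@xn--conbase-sfb.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9}  {header}")
```

Only the first sample is classified as a match; the display name is ignored throughout, because it is free text and says nothing about the sending address.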
Are crypto exchanges safe?
As we noted in the section "Choose where to store your crypto," crypto exchanges come with both benefits and risks.
Investors should consider their personal risk tolerance before choosing how to invest. Those who aren't interested in learning the nuances of crypto cybersecurity may feel more confident keeping their investments on an established traditional trading platform.
The bottom line on storing your crypto safely
Hacking stories may be scary, but the reality is there are ways to lower the chances of losing your investments if you follow commonsense steps.
For most, the least stressful strategy will be to keep it on a traditional trading platform, where security measures are taken care of for you. If you'd rather provide your own custody, consider transferring your investments to a cold wallet.
Never click on links without first verifying the source, and think about sticking to blue-chip coins if you are new to crypto. Take these precautions and bad actors will likely have a harder time getting your coins.