4 Ways to Stay Safe in Crypto

Online safety is paramount in this digital age, especially when investing and storing wealth in crypto assets.

Updated Jan 12, 2023 at 9:36 p.m. UTC

Digital assets are resistant to censorship by design and give private key holders complete control over their crypto. The only caveat is that investors are solely responsible for protecting and safely storing their own funds.

The crypto community is growing at an exponential rate, with the number of users now totaling over 100 million. It’s reported that at least 14 million users are new market participants as of 2021, drawn in by the latest bull cycle excitement and eager to invest in their futures. These first-time crypto users can be easy targets for cybercriminals and scammers if they don’t follow basic online security protocols and crypto best practices.

According to recent findings from the CipherTrace “2020 Cryptocurrency Crime and Anti-Money Laundering Report,” over $1.9 billion worth of crypto assets were stolen via hacks, scams and fraud in 2020. This figure is down from $4.5 billion the year before.

Among these, exit scams and decentralized finance (DeFi) hacks were highlighted as the leading causes of crypto theft. “Massive exit scams have dominated cryptocurrency crimes in the last two years. In 2019, the Ponzi scheme PlusToken netted $2.9 billion with its exit scam – 64% of the year’s major crime volume,” the report said. In 2020, it was "WoToken, a similar scheme operated by some of the same people as PlusToken" that defrauded investors "out of $1.1 billion in its exit scam – 58% of 2020’s major crime volume. While major fraud volume saw a significant decrease, it still made up 73% of 2020’s crime total.”

Last year also saw a rise in sophisticated phishing attacks – fake emails used to deliver malware or dupe victims into handing over their crypto, passwords and personal information. In July 2020, Twitter was the target of such an attack, leading to a group of hackers gaining access to more than 130 high-profile accounts and using them to promote a bitcoin giveaway scam. Apple, Uber, Ripple, Binance, Elon Musk, Barack Obama, Bill Gates, Kim Kardashian and even CoinDesk were among those affected.

So how do you protect yourself from these types of cyberattacks?

1. Be aware of the most common crypto scams

There are three main types of scams you will undoubtedly come across when starting out in the crypto space. It’s important to learn how to spot these scams before ending up a victim and potentially losing your assets.

  1. Fake crypto giveaways
  2. Trading bot scams
  3. Phishing emails

Fake crypto giveaways

Crypto giveaway scams are online posts, usually on social media, that invite users to deposit crypto to an address with the promise the sender will receive double or more back. This type of fraud has been around since the initial coin offering boom of 2017 and tends to abide by a very rigid format. This makes fake crypto giveaway scams easy to spot once you know what to look for.

Crypto giveaway scam using fake Elon Musk Twitter profile
  • They use the identities of famous celebrities or business icons to promote the scam. Most of the time, this is done from fake social media profiles or imposter accounts (blue arrow). With last year's Twitter hack, however, real accounts were used, so you always have to be on alert.
  • Crypto giveaway scams ALWAYS promise to send you back more funds than you deposit, but this is a completely false statement and you should never send any money to the address provided.
  • Scammers use other fake Twitter accounts to flood the comment sections with messages supporting the scam offer and confirming it works (red arrow). This is just another tactic to convince genuine social media users to hand over their crypto funds. Shortly after, the fake user accounts are usually deleted.
A deleted Twitter scam bot account

Top tip: The best way to spot a scam is to look for subtle changes to the profile’s username. In the example above, the scammer created an account with the Twitter handle @Elonmmusk. The extra “m” is subtle and can be easily overlooked at a glance. Verified Twitter accounts also have blue check marks next to the account name to help users identify legitimate accounts.

Trading bot scams

Fraudulent trading bot websites are another classic crypto scam. These involve platforms that promise users extremely high rates of return every month. These websites operate as a Ponzi scheme – where new money entering the scam is used to pay people who are already invested in the scam. Once the creators of the platform have accumulated enough funds they usually disappear with investors’ money and close down the website.

One of the most famous examples is Bitconnect. This platform promised investors 40% returns every month as well as additional interest for people who invested larger amounts. The platform ran for over two years and its native token even became a top 10 cryptocurrency before regulators eventually shut it down. Over $250 million was believed to have been stolen when the creators of Bitconnect disappeared.

A screenshot from the Bitconnect website before it shut down.

Here are some telltale signs of a fraudulent crypto trading bot platform:

  • Crypto trading bot Ponzi schemes always promise very high rates of return.
  • Usually, you cannot find any information about the team behind the platform. If the platform does have a team page, check to see if team members’ LinkedIn, email or Twitter accounts are connected. You can also try searching for individuals on the internet to see if they’re real people.
  • There is no information or documentation on how the trading bot works.
  • It’s common to see multiple spelling errors on the website.

Phishing emails

Phishing scams are becoming increasingly difficult to detect as malicious agents take greater care in creating seemingly real emails from legitimate companies. Many will encourage people to click on links that instantly infect the device with malware, giving the perpetrator full access to information stored on it. Other phishing emails will redirect users to imposter websites and ask them to reset their passwords, send money or reconfirm their seed words.

A phishing email disguised as LocalBitcoins.

When faced with a suspicious email that asks you to divulge sensitive information, send payments or click on links, it’s important to remember three key rules:

  • Always check the sending email address.
  • NEVER open links from an unknown sender.
  • NEVER share your personal information, passwords or seed words with anyone. If you’re ever uncertain about any email, head to the official website and contact customer support.
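The username check from the "Top tip" above and the "check the sending email address" rule can both be automated as a near-match test against names you already trust. The sketch below is an added example, not part of the original article; the trusted lists, the `.example` domains and the distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]

def classify(name: str, trusted: set, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <name>' or 'unknown' for a handle or domain."""
    name = name.strip().lstrip("@").lower()  # handles and domains ignore case
    if name in trusted:
        return "trusted"
    for good in sorted(trusted):
        # Close to a trusted name but not equal: the "extra m" pattern.
        if edit_distance(name, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"  # not on the list; this is not a verdict that it is safe

def classify_sender(from_header: str, trusted_domains: set) -> str:
    """Judge the real address in a From header, ignoring the display name."""
    _, address = parseaddr(from_header)
    return classify(address.rpartition("@")[2], trusted_domains)

# Constructed sample data: the handle comes from the article, the domains are made up.
TRUSTED_HANDLES = {"elonmusk"}
TRUSTED_DOMAINS = {"exchange.example"}

if __name__ == "__main__":
    print(classify("@Elonmmusk", TRUSTED_HANDLES))
    print(classify_sender('"Exchange Support" <support@exchannge.example>',
                          TRUSTED_DOMAINS))
```

The display name in a From header is free text chosen by the sender, which is why only the domain of the parsed address is compared.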

2. Never make a digital copy of your personal crypto details

One of the biggest mistakes both first-time and experienced crypto users make is creating digital copies of their crypto wallet passwords, seed words or backup codes. Digital copies can be anything from:

  • Taking a screenshot using your laptop or desktop
  • Taking a photograph using your mobile phone
  • Copying and pasting the code into an email, on a notepad app or anywhere else on your device

As soon as you create a digital copy of your sensitive information, you run the risk of a hacker gaining access to it through malware, brute force attacks and other attack vectors.

The best way to safely copy and store your crypto information is either through writing it down on paper away from people and any device camera, or etching it into metal plates. Providers of this solution include:

3. Always enable 2-factor authentication when possible

When opening a new crypto account, it’s important to enable two-factor authentication (2FA) if the option is available on the platform. 2FA is simply a verification process that requires two or more pieces of information, usually from two different devices, to grant access to an account.

While there are several different methods to do this, including receiving an SMS or code via email, a vast majority of crypto platforms ask the user to download a third-party mobile app that links to the new account and generates a random, self-destructing, six-digit password that replenishes every 30-40 seconds. This adds a vital second layer of security to any service and makes it significantly more difficult for a malicious agent to access.

The main 2FA apps that are widely compatible with crypto websites are:

  • Google Authenticator
  • Authy

To set it up, download whichever 2FA app is supported by the platform you’re using. Once that’s done, you’ll need to head to your online account settings, find the privacy settings and then click “enable 2FA.” Find the option to set up via a QR code and click it.

Then go on to your mobile 2FA app, find the “+” icon and then the “Scan QR code” button. Clicking this will open your smartphone camera. Simply aim it at the QR code that appears on your laptop screen and it will automatically add the account to your 2FA app and a password will appear.

A screenshot of the Google Authenticator mobile application.

When setting up 2FA for the first time you have to type in the password on your account settings as it appears in your mobile app. This then enables 2FA on your account. Once that’s done, every time you log into that service you’ll need to type in your login password and the 2FA password.
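What the QR code hands to the app, and how both sides then arrive at the same six-digit code, is shown in the sketch below. It is an added example, not from the original article: it assumes the platform uses the TOTP scheme from RFC 6238 (the one Google Authenticator implements) with its default 30-second step, and the `otpauth://` URI and secret are the RFC's public test key, not a real account.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed setup URI, as a QR code would encode it (RFC 6238 test secret).
SETUP_URI = ("otpauth://totp/Example:alice@example.com"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_uri(uri: str) -> bytes:
    """Extract and base32-decode the shared secret carried in the QR code."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore padding

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Derive the code for the time step containing unix_time (RFC 6238)."""
    counter = struct.pack(">Q", unix_time // step)        # 8-byte step number
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int,
           step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step plus/minus `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), submitted)
        for d in range(-window, window + 1)
    )

if __name__ == "__main__":
    key = secret_from_uri(SETUP_URI)
    print(totp(key, 59))              # code shown by the app at t=59s
    print(verify(key, "287082", 61))  # still accepted one step later
```

Because the code is derived entirely from the shared secret and the clock, a screenshot or photo of the setup QR code is as sensitive as the seed words discussed in section 2.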

4. Use a different password for every crypto platform you use

So you’ve enabled 2FA on all your crypto accounts, you’ve copied all your sensitive information on paper or on to metal plates and you’re now always on the lookout for potential crypto scams. This is all great, but now let’s imagine one of the websites you’ve used accidentally leaks its customers' information including your email and password. Let’s assume you use the same email and password for all your accounts, even the ones for which you haven’t enabled 2FA. Now you have a problem.

Using different passwords for all your crypto accounts is essential for reducing the impact data breaches and leaks can have on your online security. If you have multiple accounts and can’t feasibly remember several different passwords at the same time then there is a range of free password-managing browser extensions and apps you can use that store and generate secure passwords for your platforms.

All you have to do is set a master password to access the app and all the password data stored inside. Most password managers will automatically fill out any pre-saved login details when you arrive on a platform and prompt you to save any new login details to your vault when you create them.

Leading password managing services include:

So remember, while there are plenty of lucrative opportunities in the crypto space there are also countless scammers and cybercriminals looking to steal your digital assets. Be safe, follow these simple steps and make sure you always conduct your own diligent research before doing anything with your money.

This article was originally published on Apr 20, 2021 at 6:19 p.m. UTC



CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Ollie Leech

Ollie is the Learn editor for the Crypto Explainer+ section. He holds some SOL, RAY, CHSB and BTC.
