Cybercrime is an ever-present threat in the digital world. Wallet scams are often the most common and damaging, leaving victims financially and emotionally vulnerable. Fortunately, there are steps you can take to protect yourself from becoming a victim of cybercrime. By understanding the actions you can take ahead of time, you can better shield yourself from potential losses and preserve your peace of mind. Here are my top eight tips for securing your digital life in web3.
Basic Security
1. Use a quality password manager
Securing online accounts with strong, unique passwords is number one. Passwords leak online through data breaches, or can often be guessed outright by hackers.
Unfortunately, keeping track of all these passwords can be a challenge. That is where a quality password manager comes in. A password manager can help you create strong and unique passwords for each account and store them in one place, secured by your single master password. This way, you only need to remember one password and never have to worry about forgetting passwords or using the same password for multiple accounts again.
2. Use 2FA everywhere possible
Two-factor authentication (2FA) adds an additional security layer to your digital life, and with hackers running rampant it is a must. SMS-based (text message) 2FA is still a popular method, but it is vulnerable to SIM swap attacks. App-based 2FA is a more secure solution. Finally, using a physical security key for 2FA offers the strongest protection.
![post image](https://storage.googleapis.com/papyrus_images/344336e39734521fed51e6ff42927e3e.png)
Avoid copycat sites + addresses
3. Bookmark sites
In recent years, scammers have found an easy way to target unsuspecting victims through sponsored Google search ads. Using these ads, they trick people looking for legitimate websites, directing them instead to fake versions of those sites to steal their wallet contents. Protect yourself by bookmarking the legitimate version; then navigate to the site via the bookmark rather than using search.
4. Use the Address Book
The wallet Address Book is the web3 equivalent of a bookmark: it lets you save approved addresses under a human-readable name. Later, when sending a transaction, you can (re)check the address before proceeding. Copycat sites with fake contracts will appear in the wallet as a bare 0x.... address and not as the named address you saved earlier. This way, you can ensure that you only interact with addresses and contracts you know about and protect yourself from malicious smart contracts. Don't trust, verify!
web3 security
5. Install wallet warning browser extensions
One of the best things you can do to keep your cryptocurrency safe is to use a browser extension like Pocket Universe, Revoke.Cash, Fire, and/or Stelo. These extensions are designed to help protect users from malicious activity by decoding transactions ahead of time to provide real-time warnings about what the transaction is about to do in plain English. With the help of these extensions, you can have peace of mind knowing that your wallet is secure and that you're fully aware of its activity at all times. Know before you FOMO.
6. Revoke infinite approvals
I know what you're thinking now, "Well, I just won't sign any transactions then!" You can do that, but you won't get much done in web3 and it won't protect you from all scams either.
Even gasless message signatures can result in your wallet getting drained if you have infinite approvals on ERC-20 tokens or have already given OpenSea approval to sell your NFTs. Little-known fact: OpenSea uses the setApprovalForAll method, which means that when you allow OpenSea to list one item for sale on your behalf, it can do that for ALL assets from that collection (contract).
This is how the recent Kevin Rose hack happened: he had already approved those assets for sale; one gasless signature later, oops! OpenSea accepted the hacker's 0 ETH offers for his NFTs.
Revoke infinite approvals using revoke.cash or etherscan.io/tokenapprovalchecker to protect yourself from this exploit.
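To make tips 4, 5 and 6 concrete, here is an added example (my own code, not from any of the extensions named above) of the kind of decoding a wallet-warning extension does: it reads the calldata of an ERC-20 approve or a setApprovalForAll call, checks the counterparty against a saved address book, and flags an infinite or collection-wide approval before you sign. The address-book entry and the three calldata strings are constructed for the example; the two function selectors are the standard ones for those methods.

```python
# Added example (not from the original article): a minimal calldata decoder
# of the kind the warning extensions in tip 5 perform, applied to the two
# approval calls discussed in tip 6, with the tip 4 address-book check.
# Selectors are the first 4 bytes of keccak256(signature); these two are the
# well-known values for the ERC-20 and ERC-721/1155 methods named below.
UINT256_MAX = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
}
# Constructed address book (tip 4): names the user saved for known counterparties.
ADDRESS_BOOK = {"0x" + "22" * 20: "OpenSea conduit (constructed example)"}
# Constructed sample calldata, not real transactions. Revoking is the same
# call with amount 0 (ERC-20) or false (setApprovalForAll).
INFINITE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
REVOKE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "00" * 32
APPROVE_ALL = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"


def explain_calldata(calldata: str) -> dict:
    """Decode calldata into plain English plus a list of warnings."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    sig = SELECTORS.get(raw[:4].hex())
    if sig is None:
        return {"call": None, "warnings": ["unknown function selector"]}
    words = [raw[4 + i:4 + i + 32] for i in range(0, len(raw) - 4, 32)]
    if len(words) < 2:
        return {"call": sig, "warnings": ["malformed arguments"]}
    target = "0x" + words[0][12:].hex()   # address = low 20 bytes of word 0
    name = ADDRESS_BOOK.get(target)
    warnings = [] if name else [f"{target} is not in your address book"]
    if sig.startswith("approve("):
        amount = int.from_bytes(words[1], "big")
        if amount == UINT256_MAX:
            warnings.append("INFINITE approval: spender can move every token you hold, now or later")
        shown = "unlimited" if amount == UINT256_MAX else str(amount)
        text = f"allow {name or target} to spend {shown} tokens"
    else:
        approved = int.from_bytes(words[1], "big") != 0
        if approved:
            warnings.append("setApprovalForAll: operator controls ALL assets in this collection")
        verb = "grant" if approved else "revoke"
        text = f"{verb} {name or target} operator rights over the whole collection"
    return {"call": sig, "target": target, "text": text, "warnings": warnings}


if __name__ == "__main__":
    for data in (INFINITE_APPROVE, REVOKE_APPROVE, APPROVE_ALL):
        print(explain_calldata(data))
```

Note that the revocation calldata produces the same "allow ... to spend 0 tokens" wording with no infinite-approval warning, which is exactly what revoke.cash submits on your behalf.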
7. Maintain assets in "wallet silos"
The single best practice is to keep your assets separated by purpose across different wallets. Basically, as more money gets stored in a single wallet, you should be extra cautious and restrict what you use that address for.
High-value assets ("blue-chips") and large amounts of crypto should be kept in a hardware wallet, a VAULT account that is not directly connected to the internet. This is the least-accessed account; think of it as your safety-deposit box at the bank.
Your day-to-day funds can be kept in an operational wallet, a separate internet-connected account that you use to interact with trusted entities, be they dapps, exchanges, or people.
Finally, you want to have a third, risky "degen" wallet. This is the condom for all your other assets, preventing those untested NFT minting contracts, those unsafe airdrops, etc. from putting the rest of your money at risk. If you interact with the wrong contract and lose ALL the funds in this account, it shouldn't hurt too badly because your funds are elsewhere.... they are elsewhere, right? :|
8. Delegate provable ownership
Tools like Delegate.cash and Warm.xyz let you prove ownership of vault-stored NFTs from a different, registered wallet. This means you can safely link your vault and degen wallets via a read-only connection. This is essential when meeting conditions to claim airdrops and mint NFTs. Scammers use those carrots to get people to connect their wallets and then drain them. With delegated ownership, you can prove you meet the requirements indirectly and use a degen hot wallet to mint while keeping your high-value NFTs in a separate wallet.
Extra
Take the Bankless Academy security lesson to earn a non-transferable NFT proving your understanding.
Notes
iSpeakNerd is an educator, wordsmith, and DAO techie at Collab.Land. He does community education, documentation, UX, IT, security research, and helps with Operations and tooling for multiple DAOs. His background is in physical science and education.
This article was originally published on iSpeakNerd's Mirror.
As a rookie, some topics I find it hard to get started with:
1. How to bridge (especially to degen L3, but also DEX recommendations for other stuff)
2. How to store crypto (hot wallet or hardware wallet, which one?)
3. Storing keys and seed phrases
4. As a FC new user, load eth on OP / Base?
Help appreciated!
Have been reading online but what do the veterans of FBI do? Would love to know.
Great questions! I am writing a detailed thread on this here today.
great qs 333 $DEGEN
1 - info is on degen.tips
4 - don't understand what you're asking
2,3 - check out my security article Top Tips for Securing your Digital Life 🔐 https://paragraph.xyz/@ispeaknerd.eth/personal-security-for-web3-and-beyond?referrer=0x3eEFAa9d6e2ab7972C1001D41C82BB4881389257
honestly, how to bridge has been my biggest problem. Debridge is reliable but if you have most of your crypto on chains like solana - there is no direct route to bridge to base. Bridging from polygon to base is easy on debridge though.
What I did for Solana to Base: Swapped to USDC on Solana, bridged using wormhole to ETH, then bungee exchange to Base. Not easy at all.
Omg yes I tried this and instantly was sick of it haha
Hardware wallets are useful once you've crossed a certain small milestone (like for me personally it's like $1500/$2000). Storing key phrases in a trusty password manager (like Proton Pass). And I usually load ETH on Base.
Keep your stuff secure, folks. I've been moving to 1Password OTP progressively for a while; don't leave yourself vuln to SIM swaps.
Do you use the same SRP on your phone as you do on desktop? I'm thinking my personal optimal wallet setup might be to have three separate SRPs:
- Mobile hot wallet
- Desktop hot wallet
- Cold storage
Though I imagine many people combine mobile/desktop hot wallet into one SRP.
SRP?
secret recovery phrase aka mnemonic phrase https://support.metamask.io/hc/en-us/articles/360060826432-What-is-a-Secret-Recovery-Phrase-and-how-to-keep-your-crypto-wallet-secure
- Degen wallet
- Daily driver - shared bw mobile/desktop
- Cold storage
is your degen wallet also mobile/desktop?
Tbh, bad opsec left over from my early days: daily driver and degen are the same SRP, and desktop/mobile shared.
Resolve that before you regret it! At a very minimum, make sure you're not keeping too many valuable funds/NFTs on that SRP. At best, sit down for a day and start fresh with new SRPs/wallets/backups.
I have 4.
- desktop (for development) (flask)
- laptop (personal)
- mobile
- cold
Hi Casters. I got scammed and lost a bunch of NFTs a few weeks ago. I posted about the experience and the valuable lessons I learned from it https://avc.mirror.xyz/VUu7-BOTlH2J-qF9SctXr17CLBFx9Xu5xr6sACXehr8
omg nooo, did they also remove your Kiwi News NFT?
Don't think so
asking the real questions 🥝
lol no they burned that one 😂
@fredwilson.eth liked that, ok 😂😭
Anyways, I'll have you know that the posting rights on Kiwi go to the minter of the NFT, and it stays that way wherever you send the NFT 😇
Sad to hear that, thanks for sharing your lessons learned. For minting via hot wallet I highly recommend delegate.cash
scammers must be banned! sorry to hear that 🥹
Oh dear… I guess you’re one of us now. I got scammed last November and lost all my crypto and NFTs. Hard lessons learned.
what was the scam?
I got socially engineered to download a file on my laptop which granted the scammer access to it without me noticing anything. Then, I guess the scammer exported my private keys from MetaMask and drained all my wallets.
Really sorry to hear that. Probably not helpful at this point, but I found Zengo's pro offering (https://zengo.com/pro/) pretty compelling for added security.
Thank you for sharing this is a very good reminder, about best practices and I am happy to hear that many nfts are now back in your possession
sorry this happened - appreciate you sharing lessons learned
Be careful, and sorry to hear your story. I hope your suffering can lead to a bull market.
So it was Coinbase Wallet. Any CB folks here can comment on whether changes are coming? As it is, messages are unusable. The ability to whitelist addresses and keep everything else in Other could be a good start. https://warpcast.com/czar/0xec9e5f
Sorry to hear that 🙏🏼
I’m really sorry to hear that, Fred. Thank you for sharing. In the not too distant future, imo devices should have a local LLM that can analyze and warn you of potential scams in all apps.
There are good tools already available. For example, all @safe transactions are scanned by Redefine for potential threats. https://safe.mirror.xyz/rInLWZwD_sf7enjoFerj6FIzCYmVMGrrV8Nhg4THdwI
Solid write up, thanks for sharing. Sorry you had to go through any of it. But yeah... Everyone with significant holdings should vault them up, pronto. These scams won't get any less convincing, prevalent, or pernicious with the help of AI. Vault. Your. Shit. Folks.
Ouch. We are trying to solve some of these problems (Evertas, insurance); I got scammed for one NFT once and it was somewhat embarrassing too on top of the $30 loss.
Kind of timely to post this here, since right now there is a compromise of @dwr.eth's Twitter account running a similar scam against innocent victims. I tried contacting him and can't get to him.
oh no! so sorry that happened to you
Very nice of you to thank the thief at the end.
So sorry to hear that. Thank you for sharing.
Oh that sucks…
I fell for the same attack, almost the same day. They stole my most valuable NFTs as well, including my CryptoPunk. I was able to buy it back. I'm currently putting together an analysis that I'll be presenting at https://cryptoconsortium.org/ Honestly, the mechanisms they used were extremely clever. It was impressive.