
Complete Crypto Security Checklist

Protect your cryptocurrency with this comprehensive security guide. This is proactive protection — not just scam awareness, but a complete action plan to secure your accounts, wallets, seed phrases, transactions, devices, and emergency response.


Wallet Types at a Glance

Understanding the security trade-offs between wallet types is essential to making informed decisions about where to store your crypto.

Wallet Type                          | Security Level      | Convenience | Best For
-------------------------------------|---------------------|-------------|-------------------------------------------
Hardware Wallet (Ledger, Trezor)     | Highest             | Low         | Long-term storage of significant holdings
Software Wallet (MetaMask, Phantom)  | Medium              | High        | Daily DeFi use, frequent transactions
Exchange Wallet (Coinbase, Kraken)   | Low (not your keys) | Highest     | Active trading, small amounts

Account Security


Use a unique, strong password for every crypto account

Every exchange and crypto service should have its own unique password that is at least 16 characters long and randomly generated. Use a reputable password manager like Bitwarden, 1Password, or KeePass to generate and securely store these passwords. Reusing passwords across sites means a single data breach can compromise all of your accounts simultaneously.

Enable hardware security key (YubiKey) or authenticator app for 2FA

A hardware security key such as YubiKey or Titan Key provides the strongest protection against phishing and account takeover because it requires physical possession of the device. If a hardware key is not available, use an authenticator app like Authy (which supports cloud backup) or Google Authenticator. Both are vastly more secure than SMS-based codes.

Disable SMS-based 2FA on all crypto accounts

SMS-based two-factor authentication is vulnerable to SIM-swap attacks, where an attacker convinces your mobile carrier to transfer your phone number to their SIM card. Once they control your number, they receive all your SMS verification codes and can access your accounts. Remove SMS 2FA from every crypto account and replace it with an authenticator app or hardware key.

Set up anti-phishing code on exchanges that offer it

Exchanges like Binance, Kraken, and others let you configure a custom code word or phrase that appears in every legitimate email they send. When you receive an email claiming to be from the exchange, check for your unique code. If the code is missing, the email is a phishing attempt. This is a simple, free feature that eliminates most email-based phishing attacks.

Enable withdrawal address whitelisting

Address whitelisting restricts all cryptocurrency withdrawals to a pre-approved list of wallet addresses. Adding a new address to the whitelist typically requires email confirmation and a mandatory waiting period of 24-48 hours. Even if an attacker gains access to your exchange account, they cannot withdraw funds to their own address without going through this process, giving you time to detect and stop unauthorized activity.

Use a dedicated email address for crypto accounts only

Create a separate email address that you use exclusively for cryptocurrency exchanges and services. Do not use this email for social media, shopping, newsletters, or any other purpose. This reduces your exposure to phishing attacks and makes it much harder for attackers to identify which email is associated with your crypto accounts. Consider using a privacy-focused provider like ProtonMail.

Enable login notifications and session monitoring

Most exchanges offer email or push notifications when a new login occurs, when a new device accesses your account, or when security settings are changed. Enable all of these notifications. Regularly review active sessions and devices in your account settings, and revoke access for any device or session you do not recognize.

Wallet Security


Store majority of holdings in hardware wallet (cold storage)

A hardware wallet (such as Ledger Nano X, Ledger Nano S Plus, or Trezor Model T) keeps your private keys completely offline, making it immune to remote hacking, malware, and phishing attacks. Any cryptocurrency holdings that you are not actively trading should be stored on a hardware wallet. This is the single most important security measure for protecting significant crypto holdings.

Keep only active-use amounts in hot wallets

Hot wallets (MetaMask, Phantom, Trust Wallet, etc.) are connected to the internet and inherently more vulnerable to attacks. Treat them like a physical wallet you carry in your pocket — keep only the amount you need for near-term transactions. If a hot wallet is compromised, you only lose what was in it, not your entire portfolio.

Use separate wallets for different purposes

Maintain separate wallets for different activities: one for long-term holding (hardware wallet), one for DeFi interactions (software hot wallet), and one for NFT minting or risky activities (burner wallet). This compartmentalization means that if one wallet is compromised through a malicious smart contract or phishing site, your other assets remain safe.

Never store seed phrases digitally

Never take a screenshot, photo, or digital copy of your seed phrase. Do not store it in a notes app, cloud storage, email draft, password manager, or text file. Digital storage creates attack vectors — cloud accounts get hacked, phones get stolen, and malware can scan for seed phrases. Your seed phrase should exist only in physical form, stored in a secure location.

Seed Phrase Protection


Write seed phrase on paper AND metal backup (fire/water resistant)

Paper can be destroyed by fire, water, or simple degradation over time. Invest in a metal seed phrase backup (such as a Cryptosteel Capsule, Billfodl, or similar product) that can withstand house fires (up to 1,500°C), floods, and corrosion. This typically costs $50-100 and protects a potentially life-changing amount of money. Have both a paper backup for quick reference and a metal backup for disaster recovery.

Store backups in 2+ geographically separate locations

If all your seed phrase backups are in one location and that location suffers a disaster (fire, flood, theft, natural disaster), you lose access to your crypto permanently. Store at least two backups in different geographic locations — for example, your home and a bank safety deposit box, or your home and a trusted family member's fireproof safe. Each location should be secure against both theft and natural disaster.

Consider Shamir's Secret Sharing for high-value holdings

Shamir's Secret Sharing (SSS) splits your seed phrase into multiple shares where you need a specific number to reconstruct it — for example, any 3 of 5 shares. This means no single share is useful on its own, reducing theft risk, while also providing redundancy if 1-2 shares are lost or destroyed. Trezor Model T supports this natively with its SLIP-39 implementation. This is recommended for holdings above $10,000.

Never share your seed phrase with ANYONE

No legitimate exchange, wallet provider, customer support agent, developer, or software update will ever ask for your seed phrase. This is the master key to your entire wallet — anyone who has it has full, irreversible control over all your funds. Do not share it with friends, family (without a proper estate plan), online support, or anyone claiming to need it for 'verification' or 'recovery'. The only exception is a carefully planned inheritance setup with a trusted attorney or estate plan.

Test recovery process with a small amount before storing large amounts

Before transferring significant holdings to a new wallet, practice the full recovery process. Send a small amount of crypto to the wallet, then reset the wallet and restore it using only your seed phrase backup. Verify the funds are accessible after recovery. This confirms your seed phrase is recorded correctly and you understand the recovery process before your assets depend on it.

Transaction Security


Always verify the FULL destination address before sending

Clipboard-hijacking malware can silently replace a copied crypto address with an attacker's address. Always manually verify the first 6+ and last 6+ characters of any pasted address against the original source. Some attackers generate 'vanity addresses' that match the beginning or end of your intended address but redirect funds elsewhere. Take an extra 10 seconds to verify — it could save your entire transfer.
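As an added example (not code from this page), a small Python check of a pasted legacy Bitcoin Base58Check address: it validates the 4-byte checksum and reports the lookalike case where only the first and last six characters agree with the intended address, which is exactly what a prefix/suffix glance would miss. The 20-byte hash in the sample payload is constructed, and the six-character window follows the text above.

```python
import hashlib
from typing import Optional

# Bitcoin Base58 alphabet (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    # each leading zero byte is encoded as a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    return b58encode(payload + _checksum(payload))


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the version+hash payload, or None if the alphabet or checksum is bad."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]


def verify_destination(intended: str, pasted: str, window: int = 6) -> str:
    """Classify the pasted address against the one you meant to send to."""
    if pasted == intended:
        return "ok" if base58check_decode(pasted) else "invalid"
    # Prefix and suffix agree but the middle differs: the vanity-address trick
    if pasted[:window] == intended[:window] and pasted[-window:] == intended[-window:]:
        return "lookalike"
    if base58check_decode(pasted) is None:
        return "invalid"
    return "mismatch"


if __name__ == "__main__":
    # Constructed payload: version byte 0x00 (P2PKH) + a made-up 20-byte hash160
    intended = base58check_encode(b"\x00" + bytes(range(20)))
    swapped = intended[:6] + ("2" if intended[6] != "2" else "3") + intended[7:]
    print(intended, verify_destination(intended, swapped))
```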

Use transaction simulation tools before signing

Transaction simulation tools like Pocket Universe, Wallet Guard, Fire, or Blowfish preview what a transaction will actually do before you sign it. They show you exactly which tokens will leave your wallet and which will arrive, and flag suspicious approvals or interactions with known malicious contracts. Install one of these browser extensions and review every transaction preview before approving it.

Send a small test transaction before large transfers

Before transferring a large amount of cryptocurrency to a new address, always send a small test amount first (a few dollars worth). Wait for it to confirm and verify it arrived at the correct destination. The small network fee for the test transaction is negligible compared to the potential loss of sending a large amount to the wrong address or wrong network.

Regularly revoke unnecessary token approvals via Revoke.cash

When you interact with DeFi protocols, you often grant them unlimited permission ('approval') to spend your tokens. If that protocol is later hacked or turns malicious, the attacker can drain all approved tokens from your wallet. Visit Revoke.cash regularly (monthly at minimum) to review and revoke approvals you no longer need. Pay special attention to unlimited approvals on high-value tokens.
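As an added example (not code from Revoke.cash or from this page), a Python scan over constructed ERC-20 Approval log entries in the shape eth_getLogs returns: it keeps the newest allowance per token/spender pair for one owner and flags the unlimited ones. The owner, token and spender addresses are placeholders; the token contract's allowance() call remains the authoritative value, this is the log-based first pass that approval dashboards use.

```python
# keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the value an "unlimited" approve() sets


def topic_to_address(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes; take the low 20."""
    return "0x" + topic[-40:].lower()


def address_to_topic(addr: str) -> str:
    return "0x" + "0" * 24 + addr[2:].lower()


def latest_allowances(logs: list[dict], owner: str) -> dict[tuple[str, str], int]:
    """Newest Approval value per (token, spender) for `owner`, applied in chain order."""
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    allowances: dict[tuple[str, str], int] = {}
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval carries 4 topics)
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        allowances[key] = int(log["data"], 16)  # approve() replaces, so last wins
    return allowances


def risky_approvals(allowances: dict[tuple[str, str], int], threshold: int = UNLIMITED):
    """(token, spender, value) triples whose current allowance is at least `threshold`."""
    return sorted((tok, sp, v) for (tok, sp), v in allowances.items() if v >= threshold)


# Constructed sample addresses (placeholders, not real contracts or wallets)
OWNER = "0x" + "aa" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_X, SPENDER_Y, SPENDER_Z = "0x" + "c1" * 20, "0x" + "c2" * 20, "0x" + "c3" * 20


def approval_log(block: int, index: int, token: str, owner: str, spender: str, value: int) -> dict:
    """Build a log entry in the shape eth_getLogs returns (constructed sample)."""
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, address_to_topic(owner), address_to_topic(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    approval_log(100, 3, TOKEN_A, OWNER, SPENDER_X, UNLIMITED),            # unlimited approval
    approval_log(110, 0, TOKEN_B, OWNER, SPENDER_Y, UNLIMITED),            # still unlimited
    approval_log(115, 7, TOKEN_B, OWNER, SPENDER_Z, 1_000 * 10**6),        # bounded approval
    approval_log(120, 1, TOKEN_A, OWNER, SPENDER_X, 0),                    # later revoked
    approval_log(121, 2, TOKEN_A, "0x" + "bb" * 20, SPENDER_X, UNLIMITED), # another owner
]

if __name__ == "__main__":
    for token, spender, value in risky_approvals(latest_allowances(SAMPLE_LOGS, OWNER)):
        print(f"revoke {token[:10]}... for spender {spender[:10]}... (allowance {value})")
```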

Use Flashbots Protect or private RPCs for large DEX trades

When you submit a large swap on a decentralized exchange, your pending transaction is visible in the public mempool. MEV (Maximal Extractable Value) bots can front-run or sandwich your trade, causing you to receive a worse price. Flashbots Protect (for Ethereum) and similar private RPC endpoints submit your transaction privately, protecting you from these predatory bots. This is especially important for trades over $1,000.

Bookmark official sites — never click links from emails, DMs, or ads

Phishing sites that perfectly replicate legitimate exchanges and DeFi protocols appear in Google ads, search results, direct messages, emails, and social media posts. Create bookmarks for every crypto site you use regularly and always access them through your bookmarks — never by clicking a link, even if it appears to come from a trusted source. Verify URLs character by character before entering any credentials.

Device & Network Security


Use a dedicated device for high-value crypto operations if possible

If you hold significant crypto assets, consider using a separate device (laptop, tablet, or phone) exclusively for cryptocurrency transactions. This device should not be used for general web browsing, downloading files, installing random apps, or checking email — activities that introduce malware risk. A clean, dedicated device dramatically reduces your attack surface.

Keep operating system and browser updated

Security patches fix known vulnerabilities that attackers actively exploit. Enable automatic updates for your operating system, web browser, and wallet software. Delayed updates leave you exposed to attacks that have already been publicly documented and are being actively targeted by hackers. This is one of the simplest and most effective security measures.

Use reputable antivirus software with real-time protection

Modern antivirus software with real-time protection can detect clipboard hijackers, keyloggers, and crypto-stealing malware before they can do damage. Windows Defender (built into Windows) provides solid baseline protection. On macOS, consider tools like Malwarebytes. Ensure real-time scanning is enabled and run full system scans regularly — at least monthly.

Never use public Wi-Fi for crypto transactions

Public Wi-Fi networks (coffee shops, airports, hotels) are easily compromised through man-in-the-middle attacks, evil twin networks, and packet sniffing. An attacker on the same network can potentially intercept your data, redirect you to phishing sites, or inject malicious content. If you must transact while traveling, use your mobile data connection instead, or use a trusted VPN as an additional layer of protection.

Consider a VPN for additional network privacy

A VPN (Virtual Private Network) encrypts your internet traffic and masks your IP address, providing an additional layer of privacy. This is especially useful when accessing crypto accounts from shared or less-trusted networks. Choose a reputable, paid VPN service with a no-logs policy (such as Mullvad, ProtonVPN, or IVPN). Free VPNs often monetize your data and should be avoided.

Regularly audit installed browser extensions

Browser extensions have broad access to your browsing data and can be compromised through supply chain attacks (where a legitimate extension is sold to a malicious developer or injected with malicious code via an update). Review your installed extensions monthly. Remove any you do not actively use. Only install extensions from verified publishers with a strong reputation and large user base. Pay attention to permission requests — a calculator extension should not need access to all websites.

Emergency Plan


Create a written plan for "what to do if compromised"

When you discover a security breach, every second counts. Panicking and trying to figure out what to do wastes precious time. Write a step-by-step emergency plan now, while you are calm, that covers exactly what actions to take if you suspect your accounts or wallets have been compromised. Include specific URLs, contact information, and the order of operations. Keep this plan printed out and easily accessible.

Know how to quickly revoke all token approvals

In an emergency, you may need to revoke all token approvals across multiple wallets and chains within minutes. Practice this process now: bookmark Revoke.cash, understand how to connect your wallet, and know how to batch-revoke approvals. If you use DeFi across multiple chains (Ethereum, Arbitrum, Polygon, BSC, etc.), make sure you know how to revoke on each one. Speed matters when an attacker is actively draining your wallet.

Have exchange support contact info saved offline

If your exchange account is compromised, you need to contact support immediately to freeze your account. But if your devices are also compromised, you may not be able to safely look up this information online. Keep a printed list of official support contact information (support email addresses, phone numbers, and account freeze procedures) for every exchange you use. Store this with your other important documents.

Consider a dead man's switch or inheritance plan for crypto assets

If something happens to you, your family needs to be able to access your crypto assets. Without proper planning, cryptocurrency can be permanently lost. Options include: working with an estate attorney who understands digital assets, using a multi-signature setup where your family member holds one key, or creating a sealed instruction document stored with your will. Services like Casa offer inheritance planning specifically for Bitcoin.

Document your wallet structure for emergency access by trusted family

Create a document listing all your wallets, which assets are where, which exchanges you use, and general instructions for accessing them (without including seed phrases in the document itself). Store this document securely — for example, with your attorney or in a safety deposit box. This should reference where your seed phrase backups are located without containing the seed phrases themselves. Update it whenever your wallet structure changes.

Seed Phrase Storage: Best to Worst

1. Metal plate in fireproof safe + secondary location
   Resistant to fire, water, corrosion. The gold standard for long-term seed phrase storage.

2. Paper in fireproof safe
   Good protection against casual theft. Without the fireproof safe, paper is vulnerable to fire and water damage.

3. Paper in a secure location
   Better than digital, but vulnerable to physical damage and theft. Use as a secondary backup only.

4. Encrypted password manager
   Controversial — better than plaintext digital, but still creates a digital attack vector. Not recommended as primary storage.

5. Digital storage (photos, cloud, notes app)
   NEVER do this. Easily compromised through malware, cloud breaches, phone theft, or device access. The most common way seed phrases are stolen.

Emergency Response — If You Suspect You Have Been Compromised

If you believe your wallet, exchange account, or device has been compromised, act immediately. Every minute you wait, the attacker can drain more funds. Follow these steps in order:

1. Transfer funds from the compromised wallet to a new, clean wallet immediately
   Create a brand new wallet on a device you know is safe. Transfer all remaining assets from the compromised wallet to this new wallet as quickly as possible. Do not reuse the compromised wallet's seed phrase. Speed is critical — you are racing the attacker.

2. Revoke all token approvals on the compromised address
   Go to Revoke.cash immediately and revoke every token approval on the compromised wallet address. This prevents the attacker from draining tokens through previously granted smart contract permissions, even after you have moved your main holdings.

3. Change passwords on exchange accounts from a clean device
   Use a device you trust (not the potentially compromised one) to change passwords on all your exchange accounts. Start with the exchanges holding the most funds. Enable additional 2FA if not already active. If possible, use a different device and network than your usual setup.

4. Enable additional security measures on exchange accounts
   Contact exchange support to temporarily freeze your account if that option is available. Enable withdrawal address whitelisting, increase withdrawal delays, and add any additional security features the exchange offers.

5. Report to law enforcement
   File a report with your local law enforcement and with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. While recovery of stolen crypto is rare, reports help law enforcement build cases and may help you in insurance or tax claims. Some jurisdictions have specialized crypto fraud units.

6. Document everything
   Take screenshots of every transaction, approval, and communication related to the incident. Record transaction hashes, timestamps, wallet addresses involved, and any messages from the attacker. Save blockchain explorer links. This documentation is essential for law enforcement reports, insurance claims, and potential tax deductions for theft losses.