📗 Date: 14 Aug, 2023 🧟 Author: Mellow a.k.a CryptoPLSinator
Publishing Editor: CryptoVince369
In the world of crypto, user error accounts for most incidents of people getting “wrecked” and losing their wallet funds. Learn the philosophy of securing your seed phrase and how to prevent yourself from getting scammed by securing your setup and your crypto assets!
Has your wallet already been compromised? Let’s look at different ways you could have been compromised and address each scenario individually.
Did you give anyone your wallet seed phrase?
Your seed phrase is the key to your assets. If you give your seed phrase out to anyone, you are giving them access to your entire vault of assets associated with any address (or public key) that can be derived from that seed phrase. Learning to use crypto and investing in it is akin to “being your own bank.” And this entails being responsible for your own security as well. This requires you to maintain exclusive access to your own seed phrases for all the sets of wallets you own. Seed phrases are distinct from private keys.
A seed phrase acts as a master key that can generate an unlimited number of public-private key pairs. Private keys, on the other hand, provide access solely to the funds linked with their corresponding public key.
In short, *NEVER* give your seed phrases or private keys to anyone, especially if they message you on any messaging or social media app claiming to be from a support group, a project admin, or a developer!
Editor’s Note: The only people you should consider sharing your crypto seed phrases with are family members / next-of-kin, and that’s only if you plan to pass your assets on as inheritance, but even that should be done with extreme care and thoughtful planning.
Having said all of this, if your seed phrase has already been acquired by someone else, these tips by themselves won’t help your situation. Once you realize you’ve been compromised, immediately access your crypto wallets, assess the damage, and if you have any assets that haven’t been stolen yet. As quickly as possible, do your best to move any remaining assets to a brand-new wallet. If you’re going to do that, make sure to generate the new seed phrase on a different device or a hardware wallet so that there’s minimal risk of the new seed phrase being immediately compromised, in case there’s a keylogger or malware on your old device.
Were you hacked or socially engineered?
These are just a few of the many possible attack vectors that attackers can use to gain access to your seed phrase without you giving them out directly to a person:
-Typing your seed phrase (sometimes also known as a “Secret Recovery Phrase”) into a keyboard that may contain malware or a keylogger that records your keystrokes
-Storing your secret recovery phrase in any digital text or document file, online key storage and password manager software, flash drives, CDs, and cloud storage services (i.e., Dropbox, Apple iCloud, Google Drive)
-Visiting adult sites, file-sharing sites, and any other questionable sites that may contain malware/riskware
-Clicking any suspicious malicious links via ads and search results, or even opening unsolicited emails with attachments
Even using a software wallet that has your seed phrase in an encrypted file stored locally in your device can be a vulnerability, as the only thing securing your seed phrase at that point is the password that you use to log in to the wallet, which could be cracked by the attacker.
Any of the above methods by themselves or in combination with each other could compromise your seed phrase. Attackers use phishing emails and SMS texts containing malicious links could lead you to inadvertently navigate to websites that can stealthily download malware or ransomware. From there the attackers can freely access any files you have on your device, and in some cases hold your device hostage while demanding a payment in crypto.
With normal malware, attackers have the ability to obtain your seed phrases and other sensitive information (such as login credentials for websites) if stored anywhere on the device. If the malware also happens to contain a keylogger, it also logs your keystrokes to be able to see every word typed. Clouds included are most likely registered with your ID and, thus, could be compromised.
Editor’s Note: If you fell victim to any one of these attack vectors, the most important thing is to first quickly assess the situation, and, like in the first example, generate a new set of seed words (preferably on a clean device that you know hasn’t been compromised, and move your remaining assets to that new wallet. After that time-sensitive step, you then have time to take a breather and go back to analyzing how you were compromised and proceeding to change your security habits from there.
Have you interacted with Malicious DApps or Tokens?
Interacting with Decentralized Applications, Tokens, and Smart Contracts may take the form of approving permissions, transfers, swaps (within a Decentralized Exchange), and simply connecting one’s wallet to a protocol’s website.
If a token or asset appears in your wallet that you do not recognize or have not bought yourself, do *NOT* interact with it at first, just leave it alone. Take the time to research whether the token you received through an airdrop is legitimate or potentially a scam designed to get you to compromise your own wallet. One of many free resources available to you is the matrix at https://b9.xyz/matrix2/, where you can find code reviews for an ever-growing list of tokens.
When interacting with an unfamiliar token or asset, you are putting yourself at risk for malicious attacks upon approving a contract action (such as a “spend permission” where you authorize your wallet to spend a certain number of tokens) for the token via any crypto wallet connection.
By default, a DEX or yield farming platform needs to be granted token approvals to spend tokens in your wallet. Token approvals can be checked and revoked. Although you may not own a particular asset anymore, the token spend approval for that asset will still be active until you revoke it.
Exploited projects/tokens could have access to move other assets out of your wallet. Read through the wallet prompts thoroughly and the permissions you have granted. It may be difficult or downright impossible to understand if you have no programming or code-reading experience but beware of anything asking for permission to spend your tokens.
Always be cautious of approving anything in this space without a deeper understanding of what you want to accomplish each time you interact with a particular protocol’s website.
Below are some tools you may use to check and revoke any approvals you have made for your wallet to make sure your funds are safe from being moved by an attacker:
1.) https://revoke.cash/ (beware of imposter sites that may look similar to this one)
Using the Connect Wallet button, connect your compatible wallet and then choose the blockchain you’re looking for with the network dropdown button, and follow the procedure for revoking any approvals you may want to remove.
2) https://info.etherscan.com/tokenapprovals/
The popular Ethereum block explorer site Etherscan has a dedicated explainer page that also links to their own token approval checker tool, which does the same thing as Revoke.cash. This page explains the methodology in a little more detail.
What exactly is my seed phrase and how does it work? Can someone guess my seed phrase?
A seed phrase is a human-readable master key, that derives all the public-private key pairs that it has control of. The seed phrase pulls from a list of 2,048 unique words established as part of Bitcoin Improvement Proposal 39, also known as the BIP39 standard. Although it was invented for Bitcoin wallets, other blockchain wallets also use this same system. Each word represents a range of bits in a long alphanumeric string that is represented by your full seed phrase. The odds of guessing a 12-word BIP39 seed phrase are 1 in 2¹²⁸, or approximately 1 in 3.4×10³⁸. For a 24-word phrase, it’s 1 in 2²⁵⁶ or roughly 1 in 1.15×10⁷⁷. So far, a supercomputer has not been able to crack a seed phrase, though that may change someday.
A seed phrase, also known as a secret recovery phrase, mnemonic phrase, BIP39 seed phrase, and other names, is a human-readable representation of a seed used to generate multiple private keys. It should not be confused with the private key itself.
This private key proves ownership of the public key. The public key (also known as your public address) is used for receiving funds, while the private key enables users to sign transactions through the creation of a digital signature, granting them the capability to spend, swap, and transfer assets. Users rarely need to see or directly interact with their private keys as your wallet manages all the complex math behind the scenes. If someone gets access to your seed phrases, they have access to all your funds, from all public keys associated with those seed phrases!
Let’s look at an example of a typical crypto transaction:
-> Bob opens his wallet and enters Alice’s public key into the recipient field of the wallet.
-> Bob proceeds to send $PLS and the wallet creates a transaction and gets signed by Bob using Bob’s private keys. If the digital signature generated corresponds to the private key of the wallet that Bob is attempting to send $PLS from, the transaction will then be accepted as valid by the network.
-> The funds can now be accessed by whoever owns the private keys that correspond to Alice’s public key. In this case, that would be Alice, as she is the only one who holds that private key.
-> In the event that Alice’s wallet gets compromised by her seed phrase getting stolen, she is now in an awkward situation where both she and the attacker share the seed phrase to the wallet. She must quickly remedy her situation by transferring her assets to a wallet from a brand-new seed phrase that hasn’t been compromised.
Do you have a hardware wallet?
– YES, but I’m already compromised.
If funds have been taken from you and have a hardware wallet, you either have given your seed phrase away or have been a victim of the above-mentioned phishing or malware attack. It’s okay if you have caught it in time and still have assets left in the wallet. You want to hurry and send your assets out to another wallet you hold your keys to. We recommend having multiple hardware wallets, which means you can have your funds diversified and not all in one place, another good practice to have. If you only have 1 hardware wallet, you can then temporarily send your funds to your preferred centralized exchange, where you can off-ramp and on-ramp fiat currencies (if you know your login credentials haven’t been compromised as well). Hold it elsewhere until you factory reset or wipe your device. Create a brand new 12–24-word seed phrase that will now be your main wallet with new seeds that you will keep better protected.
– NO? Buy a hardware wallet, generate new keys directly within the wallet, and don’t ever store the seeds digitally, especially on a device that has already been compromised.
I recommend using a hardware wallet for enhanced security. If feasible, obtaining two hardware wallets can provide an extra layer of protection. The reason for having two is to provide yourself with an extra layer of security and diversify the location of your assets so that future hackers won’t be able to get all your assets in one attack. One of the most reputable hardware wallets is Trezor (https://trezor.io/).
*Please make sure when buying hardware wallets, to only purchase them from the manufacturer’s website! Never buy used or even new from 3rd-party vendors!
You will need to create a brand new 12 or 24-word seed phrase and secure them using the steps below. After generating the new seed phrase, you can then send any assets left from the compromised wallet (seed phrase) or any other wallet that you want to send from to fund the brand-new un-compromised seed phrase. One hardware wallet will be the “main” wallet for your daily trades, transfers, short-term stakes, yield farming, connecting to DApps (Decentralized Applications), fiat on and off ramping via centralized exchanges, etc.
The second hardware wallet is your “vault”, which means you will be using this wallet for receiving funds, and if you desire, lengthy time-based investments such as Hex stakes. Once you’ve set up your “vault” (sometimes also known as “cold wallet” or “cold storage”, you don’t need to connect frequently; it primarily serves as a long-term storage method.
Copy and paste your crypto address (also known as the public key) in your notes on your computer for easy access to grab and send to that address. Again, only use this 2nd hardware wallet as long-term storage, not day-to-day transactions! When your Hex stakes mature or you decide it’s time to pull out from the vault, is the only time you will need to connect the hardware wallet.
Consider purchasing a pack of stainless-steel washers and bolts from your local hardware store or online. Use a Dremel or any rotary tool (diamond tips work best) to engrave the washers with your seed phrase. Then find a secure location (i.e., a fireproof safe) in your home that only you have access to. Titanium plates also work great but are a bit pricey to acquire and most come with punches and some with letter plates to insert. Some pre-made metal kits from companies that specialize in crypto security products are also a decent option if you’re willing to pay the premium for convenience. Write down your seed words on fireproof or waterproof paper (if you can find it) and place it in a fireproof safe that only you can access.
For extra-secure, decentralized storage, you could also consider splitting and spreading your seeds geographically (half the set on one side of the house, and the other half in another location that you have full access to when needed). This is also known as “sharding.” You can shard it as many times as you like but *always* have a full backup of the original seed phrase that you keep securely in your safe.
The primary advantage of a hardware wallet is that it stores your private keys offline, isolated from internet vulnerabilities. This ‘cold storage’ method ensures that your keys remain secure even if your computer is compromised. A hardware wallet securely stores the private keys (seed phrase) in its own offline storage space. The return of any stolen funds is slim-to-none, being this is Decentralized Finance and not a bank. Understand that the compromising of your wallet can happen from a single attack vector or multiple vectors at the same time, and just because your funds haven’t moved yet doesn’t mean you haven’t been compromised. The scammer could simply be waiting until you have a larger amount to make their moves.
Exercise caution with Centralized Exchanges (CEXs): While centralized exchanges offer conveniences such as user-friendly interfaces and sometimes higher liquidity, they come with the risk of not having control over your private keys, only UI access to the public keys. Always weigh the pros and cons and consider diversifying your holdings between centralized and decentralized platforms. It is recommended that you use your own private wallet for all long-term holdings and only use CEXs when you must convert crypto back into fiat, or to onramp more fiat into crypto.
Even if you have been compromised, things will be okay as long as you learn from your mistakes, don’t repeat them, and continue your journey. Don’t let one bad situation destroy you and chase you away from your financial freedom.
The Four Don’ts of Crypto Security:
1.) Don’t Share Your Recovery Phrases or Private Keys:
Never disclose your 12 or 24-word Secret Recovery Phrase, Seed Phrases, or Private Keys to anyone, especially if they claim to be part of a support group. These keys provide direct access to your assets and should be kept confidential.
2.) Don’t Trust Unsolicited Direct Messages:
Be cautious of unsolicited DMs from unfamiliar individuals. Authentic admins, mods, and developers won’t reach out to offer assistance or send links to “authenticate your wallet.” Scammers may create fake profiles that closely resemble genuine accounts, so scrutinize usernames for slight variations.
3.) Don’t Import Keys into Unverified Sources:
Refrain from importing your recovery phrases, seed phrases, or private keys into wallets suggested by others, unfamiliar websites, advertisements, sponsored search results, browser extensions, or hot wallets. Always use reputable sources to ensure the security of your assets.
4.) Don’t Click on Suspicious Links:
Exercise caution with untrusted links received via platforms like Discord, WhatsApp, WeChat, Telegram, or DMs from social media platforms like Instagram, Facebook or X (formerly Twitter). Clicking on such links can expose your device to vulnerabilities. Stay skeptical, verify sources, and maintain a healthy level of suspicion.
Bonus Tip: Prioritize PC Over Mobile: Whenever possible, avoid using cryptocurrency on your mobile device. Using a PC provides a higher level of security, reducing the risk of vulnerabilities associated with mobile platforms.