
How to protect a crypto wallet from stealers and theft

Cryptocurrency Asset Security Guide

TL;DR: Key Steps for Protection

  1. Hardware Wallet: Store private keys offline. This is the foundation of security.
  2. Phishing-resistant 2FA: Protect exchange accounts with hardware FIDO/U2F security keys (e.g., YubiKey). Use an authenticator app only where keys are not supported, and never SMS codes, which fall to SIM swapping.
  3. Physical Backup: Record your seed phrase on a metal plate and store it in a secure location. Never store it digitally.
  4. Multisig: For large sums, use wallets that require multiple signatures for a transaction.
  5. Regular Audit: Periodically check and revoke token approvals using services like Revoke.cash.

Introduction

This article is a practical guide to protecting your cryptocurrency assets from modern threats: stealers, phishing, and social engineering. It is intended for both beginners and experienced users. You will learn how to conduct a security audit, implement multi-layered protection, and act in an emergency.

Key Concepts

  • Custodial Wallet: Your private keys are stored by a third party (e.g., an exchange). You trust them with the security of your funds.

  • Non-Custodial Wallet: Only you control the private keys. This gives you full control but also full responsibility. Examples: MetaMask, Ledger, Trezor.

  • Mnemonic / Seed Phrase: A sequence of 12 or 24 words — the master key to your funds in a non-custodial wallet. Its compromise is equivalent to the loss of assets.

  • BIP39 Passphrase: An optional secret (often called the "25th word") that is mixed into the seed derivation together with the mnemonic, so the same 12 or 24 words with a different passphrase yield a completely different wallet. An attacker who steals the seed phrase alone sees only the passphrase-less wallet (which you can leave empty or fund lightly as a decoy) and cannot reach the passphrase-protected one without the passphrase.

    Recommendation: Use a unique passphrase of 16+ characters. Do not store it digitally, and do not store it in the same place as the seed phrase.
    Warning: Loss of the passphrase is irreversible; it is not stored on the device or encoded in the seed phrase. BIP39 specifies NFKD Unicode normalization of the passphrase, and wallets that skip it or handle non-ASCII characters differently derive different keys from the same typed characters. Stick to plain ASCII and test a full restore before funding the wallet.

  • Multi-Sig (Multisignature): Technology that requires signatures from multiple private keys (e.g., 2 out of 3) to authorize a transaction. Similar to a bank safety deposit box requiring two keys.
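As an added illustration of the BIP39 Passphrase entry above (example code written for this page, not taken from any wallet), the derivation below shows how the passphrase changes the seed and why the normalization caveat matters. It uses the public BIP39 reference test vector (twelve words "abandon ... about" with passphrase "TREZOR") plus a constructed non-ASCII passphrase; the "unnormalized" function is a hypothetical model of a wallet that skips NFKD, not any real product. Never run a real seed phrase through code like this on an online machine.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes.
    password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase)."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip39_seed_unnormalized(mnemonic: str, passphrase: str) -> bytes:
    """Hypothetical non-compliant wallet: same derivation but WITHOUT NFKD
    normalization. Only here to show how it diverges on non-ASCII input."""
    salt = ("mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode("utf-8"), salt, 2048, dklen=64)


# Public BIP39 test vector (128 zero bits of entropy) with passphrase "TREZOR".
MNEMONIC = "abandon " * 11 + "about"
PASSPHRASE_TREZOR = "TREZOR"

# Constructed: two spellings of the same passphrase, precomposed "é" (U+00E9)
# versus "e" + combining acute (U+0301). NFKD maps both to the decomposed form.
PASS_COMPOSED = "caf\u00e9 secret"
PASS_DECOMPOSED = "cafe\u0301 secret"


def demo() -> dict:
    no_pass = bip39_seed(MNEMONIC)
    with_pass = bip39_seed(MNEMONIC, PASSPHRASE_TREZOR)
    return {
        "no_passphrase": no_pass.hex(),
        "trezor_passphrase": with_pass.hex(),
        "passphrase_changes_seed": no_pass != with_pass,
        # Compliant wallets agree no matter how the passphrase was typed ...
        "nfkd_spellings_agree": bip39_seed(MNEMONIC, PASS_COMPOSED)
        == bip39_seed(MNEMONIC, PASS_DECOMPOSED),
        # ... a wallet that skips NFKD produces a different wallet per spelling.
        "unnormalized_spellings_agree": bip39_seed_unnormalized(MNEMONIC, PASS_COMPOSED)
        == bip39_seed_unnormalized(MNEMONIC, PASS_DECOMPOSED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "TREZOR" seed begins c55257c360c07c72..., matching the published vector; the two "café" spellings agree only under the compliant derivation, which is exactly the incompatibility the warning above describes.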


Threat Modeling

Assess the risk level to choose adequate protection measures. Ask yourself:

  • What is the total value of my assets? Protecting $1,000 is different from protecting $1,000,000.
  • How public is my persona? Public figures are more attractive targets.
  • What services do I use? DeFi protocols carry more risks than simple Bitcoin storage.

Protection Levels (Examples)

  1. Novice (<$5,000):

    • Hardware wallet + Reliable 2FA (U2F) + Physical seed phrase backup.
  2. Experienced User (>$50,000):

    • All of the above + Multisig + Regular approval audits.
  3. Large Holder / Whale (>$500,000):

    • All of the above + Air-gapped computer for signing transactions + Distributed key storage + Legal procedures for inheritance.

Main Attack Vectors

Technical Attacks

  • Stealers: Malware that harvests saved browser passwords, session cookies, wallet-extension vaults and any seed phrase kept in a file, note or screenshot, and ships them to the attacker.
  • Malicious Browser Extensions: Disguised as legitimate tools but intercept data in the background.
  • Clipboard Hijacking: Malware watches the clipboard and, when you copy a wallet address, silently replaces it with the attacker's address, often one generated to share the first and last characters with the original so that a glance does not reveal the swap.
  • DNS and BGP Attacks: Redirecting you to a phishing site even if you enter the correct address. A browser certificate warning on a site you use regularly is the signal to stop.

Social Engineering

  • Phishing: Fake websites for exchanges, wallets, or services.
  • Fake Support: Scammers on Telegram and Discord pose as administrators and ask for your seed phrase or for you to connect your wallet to a malicious site.
  • Screenshot Phishing: Asking for a screenshot for "diagnostics" in the hope that sensitive information will be captured.

Main Rule: Never share your seed phrase with anyone. Official support will never ask for it.


Comprehensive Security Strategy: Step-by-Step

1. Isolate Private Keys: Hardware Wallets

Hardware wallets (Ledger, Trezor) are the gold standard for non-custodial storage. The private key is generated and kept inside the device and never leaves it: the computer sends an unsigned transaction, the device shows it on its own screen and signs it internally, and only the signature goes back. A compromised computer can therefore propose a transaction but cannot sign one behind your back, which is why checking the device screen matters.

  • Buy only from official vendors to avoid device tampering.
  • Generate the seed phrase on the device itself during initial setup. A device that arrives already initialised, or with a pre-filled seed card in the box, has been tampered with; do not use it.
  • Update firmware only through the official app (Ledger Live, Trezor Suite).

2. Physical Storage of the Seed Phrase

Digital storage of a seed phrase (in a file, cloud, password manager) is unacceptable.

  • Metal Plates: Use devices like Cryptosteel or Billfodl for protection against fire and water.
  • Distributed Storage: Store backups in several physically separate and secure locations (e.g., at home and in a bank vault).
  • Inheritance Planning: Prepare clear instructions for a trusted person or heirs in case of unforeseen circumstances.

3. Advanced Strategies: Multisig and Shamir

  • Multisig: Distributes control over funds. For Ethereum/EVM use Safe (formerly Gnosis Safe), for Bitcoin use Specter Desktop. A common mistake is storing all keys for a multisig wallet in one place.
  • Shamir’s Secret Sharing: Allows you to split a seed phrase into several "shares." Restoration requires a set number of shares (e.g., 3 out of 5). This standard (SLIP-0039) is incompatible with regular BIP39. Ensure your wallet supports it (e.g., Trezor Model T).

4. Use Reliable Two-Factor Authentication (2FA)

  • Priority — U2F/FIDO: Hardware keys (YubiKey) provide the highest level of phishing protection by requiring physical presence for authentication.
  • Offline Apps: Use Aegis Authenticator (Android) or FreeOTP (iOS/Android), which allow you to create backups.
  • Authy: If you use Authy, disable the Allow Multi-device function and set a strong password for encrypted backups.
  • Backup Codes: Save them in a secure offline location.

5. Mobile Device Security

  • Do not use Root (Android) or Jailbreak (iOS): This breaks the OS's built-in security mechanisms.
  • Separate Device: Ideally, use a separate smartphone exclusively for cryptocurrency operations.
  • Disable Cloud Backups: For wallet apps, disable backups to avoid accidentally uploading your seed phrase to iCloud or Google Drive.
  • Install Apps Only from Official Stores: Use Google Play or Apple App Store and beware of fake apps.

6. Audit Browser Extensions

  1. Review Permissions: In Chrome, open chrome://extensions. Pay special attention to the permission "Read and change all your data on the websites you visit."
  2. Use Profiles: Create a separate browser profile for crypto work, where only verified extensions are installed (e.g., MetaMask and the hardware wallet extension).
  3. Script Blockers: NoScript (or uBlock Origin in advanced mode; uMatrix is no longer maintained) can stop malicious scripts from running on phishing sites. Treat them as a safety net, not as a substitute for checking the domain.
  4. Delete Unused Items: Regularly delete unused extensions.

7. Verify Transactions Thoroughly

  1. Verification on Hardware Wallet: Always verify the full recipient address on the device screen against the original. The hardware wallet screen is a trusted environment.
  2. Checksum Verification: Ethereum addresses (EIP-55) encode a checksum in the mixed case of the hex letters, and wallets warn when the case pattern does not match. This catches a mistyped character, but not an address written all in lowercase (there is nothing to check) and not a wholesale substitution by clipboard malware, whose address is just as validly checksummed as yours.
  3. Beware of Homograph Attacks: Attackers may use similar characters in domain names (e.g., myetherwallet with a Cyrillic е).
  4. Test Transaction: When transferring a significant amount, first send a minimal amount.
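To show what the EIP-55 check does and does not catch, here is an added example written for this page (not code from any wallet): a self-contained Keccak-256 and the checksum routine. The "good" address is the example from the EIP-55 text; the "typo" variant and the attacker address are constructed. The standard library's hashlib.sha3_256 is NIST SHA-3, whose padding differs from Ethereum's Keccak-256 and gives different digests, which is why the hash is implemented here.

```python
MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants (iota step).
ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets r[x][y] (rho step), stored at index x + 5*y.
ROTATIONS = [
     0,  1, 62, 28, 27,
    36, 44,  6, 55, 20,
     3, 10, 43, 25, 39,
    41, 45, 15, 21,  8,
    18,  2, 61, 56, 14,
]


def _rotl(v: int, n: int) -> int:
    n %= 64
    return v if n == 0 else ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f1600(a: list) -> list:
    for rc in ROUND_CONSTANTS:
        # theta: column parity mixing
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho (rotate lanes) + pi (move lanes): B[y, 2x+3y] = rot(A[x, y], r[x, y])
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(a[x + 5 * y], ROTATIONS[x + 5 * y])
        # chi: A[x, y] = B[x, y] ^ (~B[x+1, y] & B[x+2, y])
        a = [b[i] ^ ((b[(i + 1) % 5 + 5 * (i // 5)] ^ MASK64) & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        a[0] ^= rc  # iota
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (rate 1088 bits, pad10*1 with 0x01 domain byte)."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        state = _keccak_f1600(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state)[:32]


def to_checksum_address(address: str) -> str:
    """EIP-55: uppercase each hex letter whose nibble in keccak256(lowercase hex) is >= 8."""
    body = (address[2:] if address[:2].lower() == "0x" else address).lower()
    if len(body) != 40 or any(ch not in "0123456789abcdef" for ch in body):
        raise ValueError("not a 20-byte hex address")
    digest = keccak256(body.encode("ascii")).hex()
    return "0x" + "".join(
        ch.upper() if ch.isalpha() and int(nib, 16) >= 8 else ch for ch, nib in zip(body, digest)
    )


def classify_address(address: str) -> str:
    """'checksummed' if the case pattern matches EIP-55, 'no_checksum' if the
    address is all one case (nothing to verify), 'bad_checksum' otherwise."""
    body = address[2:] if address[:2].lower() == "0x" else address
    if body == body.lower() or body == body.upper():
        return "no_checksum"
    return "checksummed" if to_checksum_address(body) == "0x" + body else "bad_checksum"


def demo() -> dict:
    good = "0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed"  # example from the EIP-55 text
    typo = "0x5aaeb6053F3E94C9b9A09f33669435E7Ef1BeAed"  # constructed: one letter's case changed
    lower = good.lower()                                # what many explorers and APIs emit
    # Constructed attacker address: clipboard malware pastes a *valid* checksummed
    # address, so a checksum check alone cannot catch the substitution.
    attacker = to_checksum_address("0x" + "badc0ffee0ddf00d" * 2 + "cafebabe")
    return {
        "good": classify_address(good),
        "typo": classify_address(typo),
        "lower": classify_address(lower),
        "attacker_passes_checksum": classify_address(attacker) != "bad_checksum",
    }
```

The checksum rejects the altered address but accepts the attacker's, and has nothing to say about the all-lowercase one. Hence point 1 above: the address on the hardware wallet screen, compared against a copy obtained through a trusted channel, is the check that actually catches substitution.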

8. Isolated Environment for Large Transactions

  • LiveUSB with Linux: A bootable flash drive with a Linux distribution (e.g., Ubuntu) creates a temporary, clean operating system.
  • How to Safely Create a LiveUSB:
    1. Download the ISO image together with the SHA256SUMS and SHA256SUMS.gpg files from the official site.
    2. Verify the PGP signature on the checksum list first, so that the checksums themselves are trusted (Ubuntu example):
      gpg --keyserver-options auto-key-retrieve --verify SHA256SUMS.gpg SHA256SUMS
      Compare the key fingerprint gpg prints with the one published on the distribution's website; "Good signature" alone only proves that the file was signed by the key that was fetched.
    3. Check the image against the signed checksum list (it must be in the same directory as the ISO). On Linux:
      sha256sum -c SHA256SUMS --ignore-missing
      On macOS:
      shasum -a 256 -c SHA256SUMS --ignore-missing
      A hash computed by hand is only useful if it is compared against the signed value, which the -c form does for you.
    4. Create the bootable flash drive with Rufus or balenaEtcher, and keep the drive single-purpose: do not use it for anything else.

What to Do if Your Wallet is Compromised?

Act immediately. If the seed phrase is compromised, you are in a race with the attacker.

Distinguish Between Compromise Types:

  1. Seed Phrase/Private Key Compromise: The most dangerous scenario. The only chance is to outpace the hacker.
  2. Session Compromise / Malicious Approval: You have more time. Revoking permissions may help.

Action Steps for Seed Phrase Compromise:

  1. Isolation and Creation of a Clean Wallet:

    • Immediately disconnect the infected device from the internet.
    • On a clean, uninfected device (another computer, new phone), create a new wallet.
  2. Race to Save Assets (Front-running):

    • Import the compromised seed phrase into a reputable wallet on the clean device and treat that wallet as disposable: it exists only for the rescue and is never reused.
    • Immediately build transactions that move everything to your new, clean address, most valuable asset first.
    • Pay a high priority fee (gas) so that your transaction is included before the attacker's. Expect an automated "sweeper" bot to be watching the address: any ETH you send to the compromised address to pay for gas can be drained within seconds of arriving, so have the rescue transaction prepared and broadcast it the moment the gas lands.
  3. Revocation and Data Collection:

    • Only after the rescue attempt. Revoking approvals with Revoke.cash is the fix for the second compromise type (a malicious approval granted to a contract). It does not help once the seed itself is stolen: the attacker holds the key and can re-grant any approval, so the durable fix is to move everything and abandon the old address.
    • Save the attacker's addresses and transaction hashes.
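The "malicious approval" case is easier to spot before signing than to undo afterwards. The added example below (written for this page; not code from Revoke.cash or any wallet) decodes the calldata of the three ERC-20/ERC-721 calls that grant or move tokens and rates what each one authorises. The selectors are the well-known published values, hardcoded rather than computed; the spender address and the calldata samples are constructed.

```python
UNLIMITED = (1 << 256) - 1

# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature).
# Argument names follow the ERC-20 / ERC-721 ABIs.
SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", (("spender", "address"), ("amount", "uint256"))),
    "a22cb465": ("setApprovalForAll(address,bool)", (("operator", "address"), ("approved", "bool"))),
    "a9059cbb": ("transfer(address,uint256)", (("to", "address"), ("amount", "uint256"))),
}


def _decode_word(word: bytes, typ: str):
    if typ == "address":
        if any(word[:12]):  # an address is left-padded with 12 zero bytes
            raise ValueError("non-zero padding in address word")
        return "0x" + word[12:].hex()
    if typ == "uint256":
        return int.from_bytes(word, "big")
    if typ == "bool":
        return int.from_bytes(word, "big") != 0
    raise ValueError(f"unsupported type {typ}")


def inspect_calldata(calldata: str) -> dict:
    """Decode the calldata a dApp asks you to sign and rate what it grants."""
    raw = bytes.fromhex(calldata[2:] if calldata.lower().startswith("0x") else calldata)
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in SELECTORS:
        return {"function": None, "selector": "0x" + selector, "args": {},
                "risk": "UNKNOWN: unrecognised function; do not blind-sign"}
    signature, params = SELECTORS[selector]
    if len(body) != 32 * len(params):
        return {"function": signature, "selector": "0x" + selector, "args": {},
                "risk": "UNKNOWN: malformed argument length"}
    args = {name: _decode_word(body[32 * i: 32 * i + 32], typ)
            for i, (name, typ) in enumerate(params)}
    if signature.startswith("approve("):
        if args["amount"] == UNLIMITED:
            risk = f"HIGH: unlimited token allowance to {args['spender']}"
        elif args["amount"] >= 1 << 128:
            risk = f"HIGH: effectively unlimited allowance ({args['amount']}) to {args['spender']}"
        elif args["amount"] == 0:
            risk = f"LOW: revokes allowance of {args['spender']}"
        else:
            risk = f"MEDIUM: allowance of {args['amount']} to {args['spender']}"
    elif signature.startswith("setApprovalForAll("):
        risk = (f"HIGH: {args['operator']} may move every NFT in this collection"
                if args["approved"] else f"LOW: revokes operator {args['operator']}")
    else:
        risk = f"MEDIUM: sends {args['amount']} to {args['to']}"
    return {"function": signature, "selector": "0x" + selector, "args": args, "risk": risk}


def encode_call(selector: str, *words: int) -> str:
    """Build constructed calldata: selector followed by 32-byte big-endian words."""
    return "0x" + selector + "".join(w.to_bytes(32, "big").hex() for w in words)


SPENDER = 0x1111111111111111111111111111111111111111  # constructed, not a real contract

SAMPLES = {  # constructed calldata a phishing dApp might present for signing
    "unlimited_approve": encode_call("095ea7b3", SPENDER, UNLIMITED),
    "revoke_approve": encode_call("095ea7b3", SPENDER, 0),
    "approve_for_all": encode_call("a22cb465", SPENDER, 1),
    "unknown": "0xdeadbeef" + "00" * 64,
}


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:18s} {inspect_calldata(data)['risk']}")
```

A phishing site typically hides the unlimited approve behind a "connect" or "claim" button; a hardware wallet with clear signing shows the same fields this decoder prints, and anything it cannot decode should be treated as the UNKNOWN case and refused.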

Actions After an Incident

  1. Evidence Gathering: Take screenshots, save transaction hashes, attacker addresses, and any correspondence.
  2. Platform Notification: Report the hack and the hacker's addresses to the support services of exchanges (Binance, Coinbase, etc.). They may freeze funds if the attacker tries to deposit them.
  3. Contact Law Enforcement: File a report with the cybercrime division in your country, providing all collected evidence.

Recommended Tools and Services

Tool / Service               | Trust Level          | Note
Ledger, Trezor               | ✅ Recommended       | Hardware wallets. Buy only from official dealers.
YubiKey                      | ✅ Recommended       | Hardware key for 2FA (U2F).
Safe, Specter                | ✅ Recommended       | Proven multisig solutions.
Revoke.cash                  | ✅ Recommended       | Service for revoking token approvals.
Aegis, FreeOTP               | ✅ Recommended       | 2FA apps with backup capabilities.
Authy                        | ⚠️ Use with Caution  | Disable Allow Multi-device and set a strong backup password.
MetaMask                     | ⚠️ Use with Caution  | Reliable, but vulnerable if the OS is compromised. Always use with a hardware wallet.
.exe/.dmg/.apk from Telegram | ❌ Avoid             | Extremely high risk of stealer infection.

Tags

crypto wallet security
hardware wallet protection
seed phrase safety
cryptocurrency theft prevention
multisig wallet setup