Welcome Avatar!
Your cryptocurrencies can be easily stolen if you make a mistake.
~$1,400,000,000.00 of crypto has been reported stolen just in the first half of this year.
Unlike other investments, crypto transactions are irreversible and it may not be possible to trace or recover your funds. Sophisticated cybercriminals target crypto investors with various attacks, ranging from elaborate fake job interviews or investment pitches through to technical attacks on the smart contract software code.
For over three years we’ve helped our subscribers avoid loss from theft and scams with our crypto security bulletins, best practice guides, and Q&A sessions.
If you’re not security aware, it’s only a matter of time before your funds are “drained”. This applies to everyone: rich, smart, well-known people have lost money in crypto attacks.
Today’s post covers how to protect yourself at a high level:
staying anonymous
recommended hardware wallets
recommended software wallets
pros and cons of trading bots
avoiding “rug pulls”
smart contract vulnerabilities in DeFi
We can give an example of a major hack from almost every week of each year. This week, Polter Finance, a DeFi borrow/lending protocol, lost $8.7 million of customer funds due to an oracle manipulation attack. By the end of this article, you’ll know the basic checks to make which would have flagged this protocol as high risk.
Staying Anonymous - Why We Don’t Do “KYC”
A unique feature of crypto is that you can be forced to transfer your entire investment balance and the transaction is irreversible and potentially untraceable.
If you were forced to call your bank to make a transfer to a robber, it’s likely that there would be a transfer limit on your account, the bank may detect something suspicious about the transaction and block it, or you might not be able to access all of your funds on the same day. Investment accounts aren’t set up to make transfers to third parties; wiring first to your checking account would take time. There’s a chance that the bank could trace or even reverse the payment after you reported the crime. For all of these reasons, we don’t often hear about home invasions targeting bank accounts. But crypto investors are routinely targeted in violent attacks:
How do the robbers know who has a lot of money in crypto? Well, some people unwisely flex on social media. We’d suggest posting about crypto under a pseudonym.
Others talk about crypto in real life, making themselves a potential target. Avoid crypto conferences unless you run / work at a crypto company and need to be there.
Criminals often obtain the “KYC” details that a customer provided to a crypto exchange.
Nearly every major exchange has disclosed a data breach:
FTX customers had their names, home and email addresses, phone numbers, claim numbers and amounts, account IDs, and coin holdings and balances impacted by the breach, with some individuals also having their birthdates compromised, said Kroll in breach notification letters. (Bloomberg Law)
Think this through. If you provide identity information to a company in crypto, a hacker who breaches their database (very common) knows how much you have and where you live.
Serious organized crime has thoroughly infiltrated crypto: exchanges have been used for money laundering, evading sanctions, and terrorist financing. Identity theft and extortion of crypto owners is part and parcel of how these organizations operate.
Some staff working at crypto companies may be compromised by gangs. Although larger reputable exchanges will disclose data breaches *if* they become aware of them, what are you going to do when you’re told criminals have accessed your data?
Sell your house and move?
Or accept the risk of you and your family being targeted by thugs?
In our view this isn’t a risk worth taking. We don’t link our real world identities with our crypto holdings. We don’t use centralized exchanges. And we keep a low profile.
How do you operate in crypto without centralized exchanges? We use DeFi. Our newsletter has detailed guides on the products we use and trust, including:
Hyperliquid for Perps trading
Jupiter and 1inch/Odos for spot trades
Aave for borrowing/lending
Bisq to buy and sell crypto peer to peer with no KYC (free post!)
DeFi is (slowly) making centralized exchanges and KYC risks obsolete.
We also don’t recommend using a commercial VPN for your crypto activities because your billing details could be associated with the wallets you control.
Recommended Hardware Wallets
The first thing to do is get a hardware wallet from a reputable provider. We prefer Trezor. There are some tradeoffs between the two Trezor models, which we cover below, but either Trezor wallet should be sufficient for most people.
If you have a lot of crypto - let’s draw the line at half a million - then you’ll want to do some more research into different wallets, such as a Gnosis Multisig.
These wallets can also protect your online accounts. The Trezor Model T supports the U2F standard, allowing you to use your hardware wallet as a second-factor device to secure accounts such as Google and Dropbox.
This feature alone is worth the money, as using SMS for two-factor authentication isn’t secure.
Ledger now has issues with a “recover” product which allows you to retrieve your private keys from the device. This is a big red flag, since it implies there are ways to get the keys out via an “update”. While you’re more than likely fine if you never install that software update and never use the recover product, the brand damage is high.
Any hardware wallet is better than not using one at all.
The best option for most people is going to be the Trezor Model One.
Recommended Software Wallets
The security of your software wallet is extremely important, whether it holds your keys (“hot wallet”) or simply presents transactions for your hardware wallet to sign.
We prefer “battle tested” wallets which have existed for years without being hacked. When a chain is new, we will only use wallets developed by the official core team (or by another reputable crypto wallet developer e.g. Metamask).
Bitcoin
Light client: Electrum - an old and very battle tested app which we trust to be secure.
Full node: these clients download and verify the entire Bitcoin blockchain, so you’ll need at least 750 GB (gigabytes) of free storage space and a fast Internet connection.
Bitcoin Core - the official Bitcoin client
Bitcoin Armory - a client for power users, many advanced features
Ethereum
For Ethereum and all compatible chains (Avalanche, Fantom/Sonic, Polygon, Arbitrum, Optimism, zkSync, etc) we only use Metamask. This is the leading self-custodial Ethereum-compatible wallet developed by Consensys, a large organization with a commensurate budget and a good security track record. Security is expensive!
Safety trumps convenience, so there’s no good reason to look for an alternative wallet. Unless you’re a security expert, you probably won’t spot potential red flags in alternative wallets. We do most DeFi on Ethereum based chains and have most of our funds in DeFi, so any software bug in our Ethereum wallet would be a big deal!
We covered this subject in detail for paid subscribers as people were asking about a popular new wallet. When we examined the source code on Github we found several security issues.
Stick with Metamask (although we don’t recommend the built-in “swap” feature, as it charges excessive fees). Alternatives are 1inch, DeFiLlama Swap, and Odos.
Solana
WARNING: Be Careful On Solana
“As EVM-based networks are more mature, the security measures in the [Ethereum] ecosystem are much more effective, and attackers reported that they are unable to get users as easily as before. This is why they’ve targeted Solana.”
-Blockaid CEO Ido Ben-Natan
Solflare - also available as a MetaMask “snap”, audited by Consensys Diligence.
When Solana was experiencing issues and we needed to fiddle with priority settings to land a transaction, we’ve also used Backpack. Backpack wallet is working with Blockaid on security, scanning transactions and alerting on malicious ones:
Blockaid scanned over 180 million transactions of Backpack’s users between June and September, detecting more than 71,000 malicious activities on the Solana network.
Aptos / SUI
Solflare Metamask “snap” - audited by Consensys Diligence.
Mobile Wallets
This section refers to any crypto wallet installed on a smart phone. Smart phones are not secure. Assume you can lose any funds you put on a mobile wallet: a good rule of thumb is to only load - for convenience - the equivalent value of physical cash you’d be happy to carry with you. Sometimes you’ll want to make a small payment, bet a few dollars on a prediction market or a memecoin, and a mobile wallet is convenient.
Mobile software developers - Apple/Android - are in a losing battle against hackers: they release updates to fix flaws hackers are already exploiting. Search “Pegasus spyware” for more.
Trading Bots
A web based user interface for trading crypto is slow. Transactions pop up and need to be signed on a wallet. You probably don’t have your main wallet loaded on your mobile phone (see above). So there are now platforms available which allow you to manage your portfolio via Telegram or other apps.
These applications have their uses. There’s a security trade off in that you send your funds to a wallet they generate. Even if they allow you to “back up” the key for the wallet, they also have a copy of the key. Reminder: anyone with the key can spend your funds. Even if the bot developers are honest, they might get hacked.
We’ve spoken with a DevOps person who has seen private keys for a Telegram bot sitting *unencrypted* in a cloud database - which means anyone who can access that database can steal all customer funds! There are probably many such cases.
You have no visibility into how they manage the keys in their back end system.
“Not Your Keys, Not Your Coins”
The rule of thumb here is similar to mobile wallets above: don’t deposit funds to these services which you can’t afford to lose. This is fine because you’re probably only keeping your very high risk memecoin allocation here, which could go to zero anyway.
For larger amounts: after you’re done buying/selling, move your SOL or meme tokens to a more secure wallet. We’ve used BonkBot / BananaBot / Ape Pro for memecoins.
Rug Pulls
This term refers to a type of crime where a founder, developer, or hacker intentionally removes investor money from a crypto project. There are a few variations:
raise funds for a project and then don’t do any work or deliver on the “roadmap”
launch a memecoin and then drain the liquidity pool after others have invested
impersonate a legitimate project with fake social media accounts and tokens
“fork” (copy) a finance project to a new platform, and then exploit a known security bug to steal funds after people deposit/trade through the platform
soft / slow rug: raise money for a project, appear to do work, but divert money to “insiders” at the expense of investors. Can include bleeding the project out with high salaries, misusing the “treasury” funds, insider trading, and more.
How to detect these is more nuanced, and we cover screening for them in our investing framework for paid subs. It’s worth putting in the effort to develop your skills for evaluating which crypto teams deserve your investment, and which have “rug risk”.
Smart Contract Vulnerabilities
Audits
Reputable decentralized finance projects will engage a smart contract auditor to review their codebase to detect bugs which could be used by an attacker to steal money or break the protocol. This is usually expensive ($100k+) and doesn’t prove the software is safe. But. It’s “table stakes”. Engaging an auditor demonstrates, by costly signalling, that the backers of the project have invested in the security of funds.
Obviously some audit firms are better than others. If you’d like an opinion on whether a security audit for a crypto project you’d like to use is good, you can ask us in Q&As.
When you’re new, avoid depositing in projects which aren’t audited.
If you want higher returns, you’ll need to go out the risk curve and experiment with newer protocols or forks on new blockchains. There is more risk here, but also more reward. The goal of DeFi Education is to give you the tools you need to make your own judgments, so we have detailed guides on how to read a smart contract audit in the newsletter and as a dedicated module in our crypto course.
Bug Bounties
Legitimate projects will provide compensation to anyone who responsibly discloses a vulnerability which could result in loss of investor funds. This is called a “bug bounty” and serious teams will set aside at least six figures to pay for this. Security researchers (“whitehats”) operate on a freelance basis to find bugs in live projects. This is highly skilled, time-consuming work and the best auditors aren’t going to bother with projects who don’t offer a respectable reward. For large projects, where a hack could result in hundreds of millions (or more!) being lost, bug bounties should reach $1mm.
A project should prominently display whether it offers a bug bounty. This is usually done through a third party service like ImmuneFi but some projects run it “in house”.
Battle Tested Protocols
If you’re new, we’d recommend staying with the brand name protocols which have many security audits, big budgets, and competent teams. Although hacks aren’t impossible, they’re less likely with the established names e.g.:
Exchanges: Uniswap, Curve, Aero and aggregators (1inch, CowSwap)
Lending: Aave, MakerDAO
Staking: Lido, Jito
Case Study: Polter Finance ($8.7 million lost)
Here’s what usually happens when a project skips getting audited. Earlier this week,
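As an added illustration (not Polter Finance’s code or any other project’s), here is the pattern an auditor looks for when a lending protocol prices collateral, beside a hardened version: the risky contract reads a spot price from one pool’s reserves, which anyone able to move those reserves inside a single transaction can distort; the safer one checks an independent feed for staleness and bounds the deviation between the two sources. Interface shapes follow Uniswap V2-style pairs and Chainlink-style feeds, the feed is assumed to return an 18-decimal answer, and the contract names are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface shapes (Uniswap V2-style pair, Chainlink-style feed).
interface IPair {
    function getReserves() external view returns (uint112 r0, uint112 r1, uint32 ts);
}
interface IPriceFeed {
    function latestRoundData() external view
        returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80);
}

// RISKY: collateral price comes from a single pool's spot reserves.
// Moving those reserves within one transaction moves this price, and with
// it every borrow limit and liquidation threshold derived from it.
contract SpotPriceOracle {
    IPair public immutable pair;
    constructor(IPair p) { pair = p; }
    // price of token0 in token1, scaled by 1e18
    function price() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        require(r0 > 0, "empty pool");
        return uint256(r1) * 1e18 / uint256(r0);
    }
}

// SAFER: an independent feed is the source of truth, stale answers are
// rejected, and the pool price may only be used as a cross-check.
contract GuardedOracle {
    IPair public immutable pair;
    IPriceFeed public immutable feed;
    uint256 public constant MAX_AGE = 1 hours;
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5%
    constructor(IPair p, IPriceFeed f) { pair = p; feed = f; }

    function price() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad feed answer");
        require(block.timestamp - updatedAt <= MAX_AGE, "stale feed");
        uint256 feedPrice = uint256(answer); // assumed 1e18-scaled
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        require(r0 > 0, "empty pool");
        uint256 spot = uint256(r1) * 1e18 / uint256(r0);
        uint256 diff = spot > feedPrice ? spot - feedPrice : feedPrice - spot;
        // Refuse to price at all while the two sources disagree too much.
        require(diff * 10_000 <= feedPrice * MAX_DEVIATION_BPS, "price deviation");
        return feedPrice;
    }
}
```

A protocol whose oracle looks like the first contract is exactly what a paid audit is meant to catch before funds are deposited.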
Concluding Thoughts
Most people send money into crypto through a centralized exchange, make transactions on their smart phone through the exchange app or wallet, and don’t think much about security. If you’ve bought a hardware wallet, know what a private key is, and have some curiosity about how crypto works you’re ahead of 90% of people.
If you plan on investing or earning significant money in crypto, then you’ll need to level up to protect yourself from hackers and scammers. Or. Risk losing it all.
Disclaimer: None of this is to be deemed legal or financial advice of any kind. These are opinions from an anonymous group of cartoon animals with Wall Street and Software backgrounds.
We now have a full course on crypto that will get you up to speed (Click Here)
Security: Our official views on how to store Crypto correctly (Click Here)
For MetaMask wallets that we had previously connected to a phone, can we just delete MetaMask, or are these wallets still at risk after removal?
Would you recommend a Trezor Safe 3 or Trezor Safe 5 if one has around $100,000 in crypto?