How to Keep Your Crypto Safe From Hackers and Scams

Keeping cryptocurrency safe comes down to one principle: controlling your private keys and limiting the ways anyone else can access them. A private key is a secret value (usually displayed as a long string of characters) that signs transactions; a valid signature is what proves you own the funds and authorizes a transfer. If someone else obtains the key, they can take everything, and the transfer cannot be reversed. If you lose the key and every backup of the seed phrase it was derived from, the funds are gone permanently. Every security decision you make revolves around protecting that key and the seed phrase that generates it.

Choose the Right Wallet Type

Crypto wallets fall into two broad categories based on whether they connect to the internet. The distinction matters because it determines your exposure to the most common threats.

A hot wallet (software wallet) runs on your phone, browser, or computer and stays connected to the internet. It’s convenient for everyday transactions, but its security depends on the security of your device and of the wallet software and browser extensions running beside it. If your phone picks up malware or you click a phishing link, a hot wallet is directly exposed.

A cold wallet (hardware wallet) is a small physical device that stores your private keys offline. The keys never leave the device: transactions are signed inside it, and the details are shown on its own screen for you to confirm. Malware on the connected computer therefore cannot read or copy the keys, which takes key theft by phishing pages, browser exploits, and keyloggers out of the picture. It does not take trickery out of the picture. A clipboard hijacker can still swap the destination address you paste, and a malicious site can still ask you to sign a harmful transaction, so the confirmation screen on the device is the last line of defence and has to be actually read, not clicked through. Hardware wallets from established manufacturers typically cost between $60 and $200.

The practical approach most people settle on is using both. Keep a small amount in a hot wallet for regular transactions, the way you’d carry cash in a physical wallet. Move the bulk of your holdings to a hardware wallet for long-term storage. If your portfolio is large enough that losing it would be financially painful, a hardware wallet is not optional.

Protect Your Seed Phrase

When you set up any self-custody wallet, it generates a seed phrase, usually 12 or 24 words in a specific order. This phrase can reconstruct your entire wallet and every key inside it, which also means anyone who holds the phrase holds every key: it deserves at least as much protection as the device. Losing the seed phrase while also losing access to the wallet device means permanent, irreversible loss of funds.

Write the seed phrase down on paper immediately, then consider upgrading to a more durable format. Before you move significant funds in, test the backup: wipe the device (or use a second one) and restore from the written words to confirm they were copied correctly and in the right order. Steel or titanium plates designed for seed storage resist fire, water, and corrosion. You can stamp or engrave each word into the metal, giving you a backup that survives disasters a piece of paper won’t. Plates made from solid steel or 6mm-thick titanium are widely available from crypto security vendors.

Store at least two copies in separate physical locations. A home safe and a bank safety deposit box is one common combination. The goal is surviving a single catastrophic event (fire, flood, burglary) without losing every copy. Another option is restoring the same seed phrase onto a second hardware wallet, so either device can sign. That protects against a device failing, but not against losing the phrase itself, so keep the paper or metal backup as well.

Never store your seed phrase in a screenshot, a notes app, a text file, cloud storage, or an email draft. Any digital format that isn’t heavily encrypted is vulnerable to malware, phishing, and data breaches. If an attacker compromises your cloud account and finds a photo of your seed words, they can drain your wallet in seconds from anywhere in the world.

Lock Down Exchange Accounts

If you buy, sell, or trade on a centralized exchange, that account is a high-value target. Exchanges hold funds on your behalf, which means your login credentials are the only barrier between an attacker and your crypto.

Start with two-factor authentication (2FA). Use an authenticator app or a physical security key rather than SMS-based codes. SIM-swap attacks, where a criminal convinces your phone carrier to transfer your number to their device, can intercept text-message codes. An authenticator app like Google Authenticator or Authy generates codes locally on your phone and isn’t vulnerable to that attack (if the app backs its secrets up to a cloud account, that account needs the same level of protection). A hardware security key (like a YubiKey) is stronger still: it requires physical possession of the device, and when it is used with FIDO2/WebAuthn its response is bound to the real website’s origin, so a phishing page cannot relay it the way it can relay a six-digit code you type in.

Enable withdrawal address whitelisting if your exchange offers it. This feature restricts outgoing transfers to addresses you’ve pre-approved. On Coinbase Exchange, for example, whitelisting is on by default for new users, and adding a new address requires a 48-hour hold period before it becomes active. That delay is a critical safety net: even if an attacker gains access to your account, they can’t immediately send your funds to their own wallet. They’d need to add their address, wait 48 hours, and hope you don’t notice. Turn on notifications for address-book changes so that the waiting period works in your favour.

Use a unique, strong password for your exchange account, one you don’t reuse anywhere else. A password manager makes this painless. Check your exchange’s security settings for additional features like login notifications, device management (so you can see and revoke sessions), and anti-phishing codes that appear in legitimate emails to help you spot fakes.

Audit Smart Contract Approvals

If you use decentralized apps for trading, lending, or minting NFTs, you’ve likely signed transactions that call a token contract’s approve function and grant another contract (the “spender”) permission to move tokens from your wallet. These approvals, sometimes called “token allowances,” often request unlimited access to a specific token. That means the spender can move as many of those tokens as you hold, whenever it wants, without asking again, and the permission persists until you explicitly change it.

This is a major attack vector. If a smart contract has a vulnerability that a hacker exploits, or if the contract was malicious from the start (a rug pull), those unlimited approvals let the attacker drain every approved token from your wallet without any further action from you.

Build a habit of reviewing and revoking approvals you no longer need. Several tools make this straightforward. MetaMask Portfolio has a built-in approval viewer for Ethereum, Polygon, and BNB Chain. Block explorers like Etherscan and BscScan have token approval checker tools. Third-party services like Revoke.cash support many networks and let you revoke permissions in a few clicks. A revocation is itself a new approval with the allowance set to zero (or, for NFT collections, an “approval for all” set to false), so each one is an on-chain transaction and you’ll pay a small gas fee for each. Note that disconnecting a site in your wallet does not revoke anything; only a revocation transaction does.

A monthly check is a reasonable rhythm. Look for approvals tied to contracts you no longer use, contracts you don’t recognize, or any approval with an unlimited allowance that you could reduce to a specific amount. When interacting with a new decentralized app, consider setting a custom spending limit during the approval step rather than accepting the default unlimited amount.
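To make “read what you’re approving” concrete, here is an added example (not code from the original article or from any of the tools named above) that decodes the calldata of the common approval functions and builds the transactions that cap or revoke an allowance. Everything is stdlib Python; the spender address and the sample calldata are constructed for the example, the function selectors are the standard ERC-20/ERC-721/ERC-1155 ones, and the decode routine deliberately accepts only the exact two-argument shape those functions have.

```python
from decimal import Decimal

MAX_UINT256 = 2**256 - 1
WORD = 32  # the ABI encodes every static argument as a 32-byte word

# Function selectors = first 4 bytes of keccak256(signature). Hard-coded because
# hashlib's sha3_256 is NIST SHA-3, not the keccak variant Ethereum uses.
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256): ERC-20 amount, or ERC-721 tokenId
SEL_INCREASE = bytes.fromhex("39509351")   # increaseAllowance(address,uint256): OpenZeppelin ERC-20 extension
SEL_SET_ALL = bytes.fromhex("a22cb465")    # setApprovalForAll(address,bool): ERC-721 / ERC-1155 operator
NAMES = {SEL_APPROVE: "approve", SEL_INCREASE: "increaseAllowance", SEL_SET_ALL: "setApprovalForAll"}


def _addr_word(addr: str) -> bytes:
    raw = bytes.fromhex(addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(WORD, b"\x00")  # addresses are left-padded with zero bytes


def _uint_word(n: int) -> bytes:
    if not 0 <= n <= MAX_UINT256:
        raise ValueError("uint256 out of range")
    return n.to_bytes(WORD, "big")


def to_base_units(amount: str, decimals: int) -> int:
    """'250' for a 6-decimal token -> 250000000. Decimal avoids float rounding."""
    scaled = Decimal(amount) * Decimal(10) ** decimals
    if scaled != scaled.to_integral_value():
        raise ValueError("amount has more precision than the token supports")
    return int(scaled)


def encode_approve(spender: str, amount: int) -> str:
    return "0x" + (SEL_APPROVE + _addr_word(spender) + _uint_word(amount)).hex()


def encode_revoke(spender: str) -> str:
    """Revoking an ERC-20 allowance is simply approve(spender, 0), an ordinary transaction."""
    return encode_approve(spender, 0)


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    return "0x" + (SEL_SET_ALL + _addr_word(operator) + _uint_word(int(approved))).hex()


def decode_approval(calldata: str, decimals: int = 18) -> dict:
    """Explain what an approval transaction grants. Run it on the `data` field
    the wallet shows before signing, not afterwards."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    sel, args = data[:4], data[4:]
    if sel not in NAMES:
        raise ValueError(f"not a recognised approval selector: 0x{sel.hex()}")
    if len(args) != 2 * WORD or any(args[:WORD - 20]):
        raise ValueError("malformed arguments (wrong length or non-zero address padding)")
    target = "0x" + args[WORD - 20:WORD].hex()
    value = int.from_bytes(args[WORD:], "big")
    if sel == SEL_SET_ALL:
        return {"function": "setApprovalForAll", "operator": target, "approved": value == 1}
    unlimited = value == MAX_UINT256
    return {
        "function": NAMES[sel],
        "spender": target,
        "amount": value,
        "unlimited": unlimited,
        "human": "unlimited" if unlimited else str(Decimal(value) / Decimal(10) ** decimals),
    }


# Constructed sample: a hypothetical spender address and the calldata a typical
# "unlimited" approval produces (amount = 2**256 - 1, i.e. 64 hex f's).
SPENDER = "0x1111111111111111111111111111111111111111"
UNLIMITED_CALLDATA = "0x095ea7b3" + "00" * 12 + SPENDER[2:] + "ff" * 32

if __name__ == "__main__":
    print(decode_approval(UNLIMITED_CALLDATA))
    print(decode_approval(encode_approve(SPENDER, to_base_units("250", 6)), decimals=6))
    print(encode_revoke(SPENDER))
```

Paste the hex your wallet shows under “data” into `decode_approval` (with the token’s `decimals`) and you see the spender and the real amount; a wall of `ff` means unlimited. `encode_approve` with `to_base_units` produces the capped approval you can submit instead of the default, and `encode_revoke` produces the zero-allowance transaction that the revocation tools send on your behalf. The decoder prints addresses in lowercase hex; EIP-55 checksum casing needs keccak, which the standard library does not provide. Some dapps use a large but not maximal number as their “unlimited” value, so judge the human-readable amount rather than trusting the flag alone.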

Guard Against Phishing and Social Engineering

The most sophisticated wallet setup in the world won’t help if you hand over your seed phrase to a scammer. Phishing is among the most common ways people lose crypto, and the attacks are increasingly convincing.

No legitimate service, wallet provider, exchange, or support agent will ever ask for your seed phrase. Period. If someone contacts you claiming to need it for “verification,” “recovery,” or “migration,” it’s a scam. This applies to direct messages on social media, Discord, Telegram, emails, and even phone calls.

Bookmark the URLs of exchanges and apps you use regularly instead of clicking links from emails or search ads. Phishing sites often use nearly identical domain names with a single swapped character, the real brand name as a subdomain of an unrelated domain, or a non-Latin letter that looks the same on screen. When you sign a transaction in your wallet, read what you’re approving, and on a hardware wallet compare the address and amount on the device screen, not just in the browser. A signature request you cannot read (a long block of hex) deserves the same suspicion as a transaction. If a site asks you to sign something unexpected or connect your wallet for a “free airdrop,” slow down and verify independently.
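As an added example (not code from the original article), the following stdlib Python checks a URL against the hosts you have bookmarked and flags the three lookalike patterns just described: a domain within a couple of edits of a real one, a brand name used as a subdomain or inside another label, and non-ASCII letters, which it exposes by converting the host to its punycode (`xn--`) form. The allowlist and the attack URLs are constructed for the example, and the registrable-domain logic is a deliberate simplification (last two labels) that real code would replace with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; in practice it is the set of hosts you bookmarked.
KNOWN_GOOD = {"coinbase.com", "metamask.io", "etherscan.io", "revoke.cash"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character insertions, deletions or substitutions turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Extract the host and convert any Unicode label to its xn-- (punycode) form,
    so a Cyrillic 'а' standing in for a Latin 'a' stops looking identical."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower().rstrip(".")


def registrable(host: str) -> str:
    """Simplification: the last two labels. Real code should use the Public Suffix
    List so that names such as 'example.co.uk' are handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', reason)."""
    host = host_of(url)
    reg = registrable(host)
    if reg in KNOWN_GOOD:
        return "trusted", reg
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike", f"punycode (non-ASCII) label in {host}"
    brands = {good.split(".")[0] for good in KNOWN_GOOD}
    for label in labels:  # brand name as a subdomain or buried inside another label
        for brand in brands:
            if brand in label:
                return "lookalike", f"'{brand}' appears outside its real domain: {host}"
    for good in KNOWN_GOOD:
        d = levenshtein(reg, good)
        if d <= 2:
            return "lookalike", f"{reg} is {d} edit(s) away from {good}"
    return "unknown", host


if __name__ == "__main__":
    # Constructed URLs: one genuine, three lookalikes, one unrelated.
    for u in ["https://www.coinbase.com/signin",
              "https://coinbsae.com/login",
              "https://coinbase.com.secure-verify.xyz",
              "https://coinb\u0430se.com",       # Cyrillic а (U+0430) in place of Latin a
              "https://example.org"]:
        print(classify(u))
```

The check is intentionally conservative: anything near a bookmarked brand is reported as a lookalike even when it might be legitimate, because the cost of a false alarm (open the bookmark instead) is far lower than the cost of signing into a clone. A browser extension or a local proxy could run the same logic on every navigation.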

Plan for Inheritance and Recovery

Self-custody means there’s no “forgot password” button and no customer service to call. If you’re incapacitated or pass away, your heirs need a way to access your holdings without compromising your security while you’re alive.

Simply leaving behind a hardware wallet or a written seed phrase often isn’t enough. If your family doesn’t understand crypto wallets, they may not know how to use those materials to actually recover the assets. Document clear, step-by-step instructions and store them with your seed phrase backup or in your estate planning documents. Include which wallets you use, what networks your assets are on, and exactly how to restore access.

For larger holdings, a regulated qualified custodian can hold crypto in a structure that allows you to designate beneficiaries and name a trustee. Custodians are required to segregate your assets from their own, which provides some protection if the custodian itself runs into financial trouble. A trust structure can add privacy, tax efficiency, and clear succession rules. The trustee, not the original owner, holds authority over the assets on behalf of the beneficiaries.

Whatever method you choose, the critical step is making sure your succession plan is documented in your estate planning materials. Crypto that no one can access after your death is functionally lost forever.