Crypto Best Security Practices ⚠️
Rule #1 is to remember: The biggest threat is you. Seriously. The best hardware wallet in the world won't protect you from simple mistakes that are 99% of the scams in this space.
That’s why this document was created - to educate and protect the people of crypto twitter. If you read, understand, and implement what’s laid out in this guide then the chance of you losing your assets greatly decreases.
* Storing your seed phrase on any device that has access to the internet leaves you highly susceptible to a number of attack vectors. Do NOT store your seed phrase in a notepad on your computer or in your emails. This is the same as entering it on a scam site. When we say “do not type your seed phrase” we mean NEVER TYPE IT AT ALL ON YOUR KEYBOARD. And also NEVER take a photo of it either (as it’s effectively the same thing).
* Using cryptocurrency means that you’re liberated from relying on financial institutions but are also FUCKED if you ever lose your assets. Nobody’s coming to help you because you ARE the bank and are responsible for everything that happens to your funds. Take your security seriously because you cannot be refunded/reimbursed.
* Using a hardware wallet is highly recommended especially when you have higher value crypto or NFTs. Anything you do not want to lose should definitely NOT be stored in a wallet that was generated via Metamask or on a computer.
* Consider setting up 3 separate wallets (a dedicated burner wallet for minting projects, a trading wallet, and a vault). This strategy greatly reduces the chances of loss if used correctly.
Section 1: Basic Security
Part 1 - Not doxxing yourself
If someone knows your real identity then it can threaten the security of your NFTs/Crypto. It may open you up to certain types of hacks if you don’t follow good security measures in other areas of your life.
This is why most people in this space use anonymous usernames and do not share their real info.
Here are some good suggestions on how not to dox yourself:
* Try to be vague and don’t share identifying personal details. Mentioning any landmarks that are specifically in your area can let someone know where you are. If someone asks where you’re going to college, or what your job is, then try to keep it as simple as possible (eg: I’m at a local college or I work at one of the big 4). Same with towns/cities. If they are smaller cities then just say your state or general whereabouts.
* Do not share your screen. If you absolutely have to do this then make sure it’s a private browsing window only and don’t click off into other tabs or open other windows. Opting to share only a certain window/tab can be helpful in this situation. You would be surprised how much private information can accidentally be leaked by sharing your screen on voice chat.
* Be careful requesting editing access to google docs. If you are going to edit a google doc with someone else then please use a dedicated burner address. It’s easy to create a gmail account that is not tied to your real name or any crypto exchanges.
* If you are taking a screenshot then it’s best to use the snipping tool to select the specific section that you want to show people (instead of taking a photo of your full screen). Be sure to always check it for private info before sending.
Part 2 - Reducing risk of malicious downloads/files
* Never trust links or download files that people have sent you in DMs on Discord or Twitter, especially if you have not talked to them before. If you are looking for a website address or OpenSea link etc then check the project’s #faq or #links page in their official Discord.
* Run all downloads through VirusTotal first before opening them. This website will scan the file and tell you if there’s anything malicious inside it: https://www.virustotal.com/gui/home/upload. However please note that even this scanner can be fooled. But it is a good basic security measure to use for all of your downloads.
Part 3 - Being selective with browser extensions
* Dodgy browser extensions can put you at risk of hacks. Review all your chrome extensions regularly and delete any unnecessary ones.
* Always be 100% sure that you are downloading the correct Metamask or Trust Wallet extension. There are some fake ones going around that will drain your wallet. The official Metamask website is metamask.io
Part 4 - Don’t access your crypto while on public WiFi
Beware of Free WiFi. If you connect to an unencrypted WiFi network then your data could be leaked and accessed by hackers. This is especially important if your device is used for crypto transactions. Disabling NFC and bluetooth while in public spaces is also recommended.
Section 2: Hacks and scams
There are many different ways that you can lose your funds in Crypto. The key is to be aware of them and be able to spot them. If you are skeptical of something then you can always refer back to this document and try to identify it in the list below.
Part 1 - Categories of hacks and scams
* Seed phrase loss and leaks / storing private keys online
* Malicious contracts / bad code that can drain your wallet
* Fake websites / scammers impersonating legitimate projects or well known websites
* Scam and phishing emails / messages intended to convince you to click fake links
* Intentional rug NFTs / projects created to be hyped up and then deserted
* Social engineering / other humans building trust and then scamming you
* Dodgy browser extensions / fake Metamasks and exploits
* Malware and keylogging / malicious files and downloads that hack your PC
Part 2 - Examples of hacks/scams per category
Seed phrase loss/leaks
* Storing your seed phrase on a computer in text files, or in your emails and then it being found by a hacker once your device gets compromised
* Entering your seed phrase into a scam website or giving it to someone else
* Installing a sketchy program and it ends up being a keylogger that saves your seed phrase or password the next time you type it on your computer.
* Sharing your screen and exposing your metamask seed phrase by accident to the viewers
Malicious contracts
* Scam NFTs that get airdropped to your opensea wallet (it is OK to hide them in the opensea website but please don't interact with them i.e. transferring, selling etc.)
* Contracts that end up having bad code in them that grants the owner permission to drain your wallet or drain the contract of funds and run
Fake websites
* Real looking (but fake) opensea and Metamask websites. These usually end in weird domain extensions such as .it .xyz etc
* Discord DMs that look like they have come from a project, but it is actually a user pretending to be that project with an important announcement (most commonly about minting)
* Hacked discords of projects (announcement channels linking to fake mint websites)
* Fake discord profiles of verification bots such as Collab.Land and of people you know
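A small defensive check for the fake-website examples above, added here as an example and not part of the original guide: it classifies a link as official, a lookalike of a known brand on the wrong domain, or unknown. metamask.io is the domain the guide names; opensea.io and the lookalike-substitution rules are assumptions.

```python
import re
from urllib.parse import urlsplit

# Official domains: metamask.io is named in the guide; opensea.io is assumed here.
OFFICIAL = {"metamask": "metamask.io", "opensea": "opensea.io"}

def hostname(url: str) -> str:
    """Extract a lower-cased hostname; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def normalize(label: str) -> str:
    """Undo common lookalike substitutions (0->o, 1->l, rn->m, vv->w), drop non-letters."""
    label = label.replace("rn", "m").replace("vv", "w")
    label = label.translate(str.maketrans("01", "ol"))
    return re.sub(r"[^a-z]", "", label)

def classify(url: str) -> str:
    """Return 'official', 'lookalike:<brand>' or 'unknown' for a link."""
    host = hostname(url)
    # 1. Exactly an official domain or one of its subdomains (e.g. app.opensea.io).
    for official in OFFICIAL.values():
        if host == official or host.endswith("." + official):
            return "official"
    # 2. A brand name appearing anywhere in the host of a non-official domain,
    #    e.g. 0pensea.it, metamask-support.xyz, opensea.io.example.xyz.
    labels = [normalize(part) for part in host.split(".")]
    for brand in OFFICIAL:
        if any(brand in label for label in labels):
            return "lookalike:" + brand
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links for demonstration.
    for link in ("https://app.opensea.io/collection/x", "https://0pensea.it/offer",
                 "https://metamask-support.xyz/recover", "https://example.com"):
        print(link, "->", classify(link))
```

An "unknown" result is not a clean bill of health; as the guide says, take the link from the project’s official #links channel instead.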
Scam and phishing emails
* Emails from opensea about offers on your NFT that do not come from the official opensea email address and instead redirect to a fake opensea website
* Text messages from crypto exchanges, opensea, or metamask support asking for personal info or telling you to click a link
Intentional rug NFTs
* Pop up / stealth drop projects that seem dodgy and do not have discords
* Projects that have a high mint price and high supply without a legitimate reason and end up ghosting everyone after collecting funds
Social engineering
* Being asked to trade NFTs with someone and being told to set the price to $0 on OpenSea in order to swap them
* Leaking your private info to someone you trusted and them using it against you
* Loaning or lending your crypto or NFT to someone because they need it to buy something or to get out of a bad situation, and then them ghosting you
* Starting a DAO with someone without properly setting up a multisig wallet
* DMs on twitter/discord pretending to be metamask support
* Being “banned” from a discord server and messaged by a mod asking you to prove you are innocent by showing your discord private token ID (this bypasses 2FA).
Dodgy browser extensions
* Installing a fake version of Metamask or any other wallet
* Untrusted extensions leaking your personal data or getting hacked and exposing you
Malware and keylogging
* Files that you have downloaded from DM or users on discord (including images) that can provide remote access to your computer or install malware
* Untrusted versions of programs such as Ledger Live that can trick you into a false sense of security or also install malware
Section 3: Prevention and protection
Part 1 - Understand that your seed phrase is everything
Your seed phrase or recovery phrase to your wallet should only ever be written on a piece of paper or carved into a chunk of metal. The moment it is typed into a computer, it has been exposed and increases the chance of you being hacked.
Getting a hardware wallet helps with this. You can read more about that in Section 4.
Part 2 - Use separate wallets for each activity
The best way to avoid being hacked because you minted something sketchy/malicious is having different wallets for specific things. If used cor