
There’s good news: you’re not paranoid. They really are out to get you.

Earlier this month, leading cryptocurrency intelligence firm CipherTrace published its quarterly report, and it makes for pretty grim reading. This year alone, a staggering $4.26 billion worth of cryptocurrencies have been hacked, stolen, or otherwise misappropriated by thieves and fraudsters. As these criminals run rife across the blockchain space, is there anything you can do to keep your cryptos safe?

Most people are familiar with crypto’s cardinal rule – never store your funds on an exchange. Centralized marketplaces remain the most vulnerable places for cryptocurrency, and the CipherTrace report lays out a long catalog of exchange incidents, with over $227 million stolen so far. While QuadrigaCX, Coinroom, and Bitsane have been accused of running off with customers’ funds, other exchanges have been hit by hackers. Binance, Gatehub, and Bittrue have all been targets this year.

But the same also goes for individual exchange accounts and online wallets. Understanding these attacks can help keep your cryptos safe from hackers. While nothing is impenetrable, good security measures can make life a lot more difficult for would-be thieves.

Typosquatting

Typosquatting is when fraudsters register a domain name that’s similar in spelling to a known brand. Think something like Ammazon.com or Microsfot.com, which are actually two brands most targeted by typosquatters.

The scam relies on you making a typo when you enter the URL into your browser. You’ll be directed to a page that looks like your intended destination. When you enter your username and password, you’re effectively handing them over to criminals who’ll access your accounts. Sometimes hackers will even take out advertisements on search engines, so that their site appears above the legitimate one.

These attacks have become even sneakier, thanks to the addition of new languages with similar-looking characters. Most readers would probably spot the error in cyrptobriefing.com, but you have to look a lot closer to notice the one in cryptobrìefing.com. That’s one costly diacritic.

Big brands are aware of typosquatting and many have scooped up domains similar to their own, to prevent them from being used by criminals. However, it’s doubtful that all the crypto exchanges and wallet services have done the same.

For users, the easiest solution is not to type URLs directly into your browser. Simply save your wallet and exchange URLs to your bookmarks, and only access them from those links.
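The two lookalikes mentioned above can be told apart mechanically. This added example (not from the original article) checks a typed domain against a bookmark list and reports whether it is an exact match, a diacritic or punycode lookalike, or a near-miss typo; the allowlist and the function names are this example's own assumptions.

```python
import unicodedata

# Assumed allowlist: the domains you have bookmarked (constructed for this example).
TRUSTED = {"cryptobriefing.com", "amazon.com", "microsoft.com"}

def skeleton(domain: str) -> str:
    """Lowercase, decode punycode (xn--) labels and strip diacritics (ì -> i)."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as typed
        labels.append(label)
    decomposed = unicodedata.normalize("NFKD", ".".join(labels))
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain: str, trusted=TRUSTED, max_edits: int = 2):
    """Return (verdict, matched trusted domain or None)."""
    raw = domain.lower().rstrip(".")
    if raw in trusted:
        return ("trusted", raw)
    skel = skeleton(raw)
    if skel in trusted:
        return ("homograph", skel)  # differs only by accents or IDN encoding
    # Letters borrowed from other scripts survive NFKD; they land here as typos.
    for t in sorted(trusted):
        if osa_distance(skel, t) <= max_edits:
            return ("typo", t)
    return ("unknown", None)

if __name__ == "__main__":
    for d in ("cryptobriefing.com", "cyrptobriefing.com", "cryptobrìefing.com"):
        print(d, classify(d))
```

A "homograph" or "typo" verdict means the name resembles a bookmarked site without being it, which is the case the bookmark habit is meant to avoid.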

SIM-Swapping

Every new exchange waves around the words “2-factor authentication” (2FA) as if it’s a magic wand for account security. While it’s true that multi-factor authentication can make an account more secure, it’s not necessarily the last word in keeping your crypto away from thieving hands.

2FA adds an additional layer of security to your online accounts over and above a password. Most commonly, it involves sending an SMS to your cellphone, with a code you’ll need to enter after your password.

However, there are other means of 2FA, such as Google Authenticator, which creates a new time-based code every thirty seconds. Some phones also offer biometrics, like fingerprint recognition or iPhone’s FaceID.

Of these options, SMS authentication is probably the least secure. Earlier this year, a spate of SIM-swapping attacks hit U.S. crypto users. SIM-swapping involves someone calling your cellphone company, pretending to be you, in order to re-assign your phone number to a new SIM card.

You could be vulnerable to SIM-swapping, and not even realize it. The Authy app, by default, identifies users by their mobile numbers, and allows any device associated with that number to access the account. While these features can be disabled, users do have to take the initiative to hack-proof the app.

Due to these risks, an authenticator app is likely to be a more secure option. Most exchanges offer integration with Google Authenticator, which is consistently highly rated. Other options are LastPass or Microsoft Authenticator. Just make sure you keep your phone safe and with you at all times.

Malware

Malware is a blanket term, but it only has one purpose – to get your money. One of the most obvious forms is ransomware, which will lock you out of files and demand payment to let you back in. The WannaCry ransomware attack cost the UK National Health Service £92m ($112.5m) when it spread in May 2017.

However, different types of malware can be more insidious. For example, spyware could sit on your machine, logging keystrokes and waiting for anything that looks like a password or a private key. More recently, clipboard viruses have attacked exchange users – when you copy a cryptocurrency address, the malware replaces it with the hackers’ address.

Mac users may be less vulnerable to viruses, but malware targets Mac and Windows users alike. No matter which operating system you use, a robust anti-malware program such as Bitdefender or AVG could help keep your crypto safe.

Password and Private Key Security

Password security is so simple, and yet more than 83 percent of people still use the same password for multiple sites. Don’t be that guy. Use a unique password every time, with a combination of alphanumeric characters and symbols.

Google and Apple both offer built-in password managers, or you could use a third-party service like 1Password or Bitwarden. These will also generate hard-to-guess passwords for you, as well as provide an encrypted vault for your passwords.

Needless to say, you should never store your private keys on any device you take online. One poor soul lost $25k worth of ETH after keeping a copy of their private key in a draft email on Google. If it’s online and not encrypted, it’s vulnerable to hackers.

There are plenty of other options to keep your crypto safe. Spread out your stash between multiple wallets. Keep the private keys somewhere safe, ideally offline and in a physical format. For the uber-security-minded, Cryptotag offer the option of having your private keys embossed on a piece of fire-proof titanium steel.

Don’t Flash Your Cash

If nobody knows about it, nobody can steal it. In many cases, people who’ve made themselves known as crypto users have made themselves a target.

Just ask this guy. If you decide to go online to humblebrag about the size of your HODLings, you’re laying down the gauntlet to hackers. Plus, as a wise man once said: “Humility is even more pleasing in people in whom arrogance would be understandable.”