
Crypto security checklist

Self-custody without a checklist is how people lose six figures in an afternoon.

Hardware wallet break-even calculator (interactive; result for the default inputs shown): Is the $150 spend worth it for your portfolio size? Yes, a hardware wallet pays for itself. Break-even portfolio size: $8,824. Annual expected-loss reduction from self-custody: $425.

Not financial advice. This tool is for educational purposes. Markets are volatile, tax law is complex, and your situation is unique. Confirm with a licensed CPA or financial advisor before acting on anything you see here.

Self-custody is the whole point of crypto — but it's also the fastest way to lose everything if you're sloppy. FTX lost $8B through centralized custody failures; individual users lose $3-4B/year through phishing, compromised signing, and lost keys. This checklist covers every practical security layer, from 'which hardware wallet' to 'how to actually sign transactions safely.'

Work through each section. Items near the top have the highest impact — do those first. Revisit quarterly. Scams evolve; your setup should too. The page also includes a hardware wallet break-even calculation: at what portfolio size does a $150 Ledger pay for itself in risk reduction?

Layer 1: Hardware wallet (the 'no single point of failure' layer)

Keep signing keys in hardware at all times for any holdings >$500.

  • Buy a hardware wallet directly from the manufacturer (Ledger.com, Trezor.io) — never Amazon, eBay, or third parties.
  • Initialize the device yourself. If it arrives pre-seeded, return it immediately — that's a scam.
  • Write the seed phrase on metal (Cryptosteel or equivalent), store in at least 2 physical locations.
  • Never enter your seed phrase anywhere digital. Not on a website, not in an email, not in a password manager, not in a photo.
  • Use a 25th-word passphrase for sensitive amounts. Remember: lose the passphrase = lose the wallet.

Layer 2: Scam avoidance

99% of crypto thefts today are phishing, not technical exploits. Pattern recognition is your main defense.

  • Never click links in Telegram/Discord DMs about 'airdrops,' 'support,' or 'problems with your account.'
  • Bookmark every protocol you use. Type URLs directly — never trust Google search results (scam ads are common).
  • Check transaction details on the hardware wallet screen, not just in the browser. A compromised site shows one thing; the device shows another.
  • Revoke token approvals regularly via Revoke.cash — old approvals are a major attack surface.
  • If someone DMs you first, it's a scam. If an offer seems too good, it's a scam. Default to suspicion.

Layer 3: Operational hygiene

Separate 'high-risk' activity from 'long-term storage' — don't sign random transactions on your cold wallet.

  • Use 3 wallet tiers: cold storage (hardware, rarely signs), warm wallet (hardware, active DeFi), hot wallet (MetaMask, small amounts for minting/testing).
  • Hot wallet balance: cap at ~$500-1,000. If it gets drained by a bad sign, the loss is survivable.
  • Use a separate computer or browser profile for crypto vs everyday browsing. Malware in your regular browser is a major risk vector.
  • Enable 2FA on every exchange account using an authenticator app (Google Authenticator, Authy) — never SMS.
  • Use a separate email for exchange accounts (not your main email). Prevents credential-stuffing attacks.

Layer 4: Recovery and inheritance

Your setup has to survive you forgetting the process or dying.

  • Document the wallet setup — types, PINs, seed-phrase locations — in a sealed envelope for your spouse/heir.
  • Test your own recovery process quarterly. Erase the device, restore from seed. Verify the workflow.
  • Include crypto in your will and name a digital executor who has the skills (or contacts) to handle it.
  • Consider a multi-sig setup (Casa, Unchained) for estates >$500K — adds institutional backup to self-custody.

When is a hardware wallet worth it? (The break-even math)

Rough calculation: hardware wallet costs $100-$200. Exchange failure probability for a well-known exchange: 1-3% annually (Mt. Gox, FTX, Celsius, BlockFi, etc.). Self-custody theft probability with a hardware wallet: 0.1-0.5% annually (primarily via phishing). Break-even portfolio size: $100 ÷ (0.02 - 0.003) = ~$5,800. Above $5,800 in crypto, the expected loss from exchange custody exceeds the cost of a hardware wallet. For anyone holding long-term with $5K+, hardware wallets pay for themselves in expected value.
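The expected-value argument above, as an added example (not the page's calculator code). It computes the break-even point from the same three inputs and then sweeps the page's stated ranges for device cost, exchange failure probability and self-custody theft probability, which shows how wide the break-even band is once the assumptions move. The range endpoints are taken from the paragraph above; the $25,000 portfolio in the demo run is a constructed input.

```python
"""Hardware-wallet break-even model (added example; not the page's own code)."""


def expected_loss_reduction(portfolio: float, p_exchange: float, p_self_custody: float) -> float:
    """Annual expected loss avoided by moving `portfolio` from an exchange to a hardware wallet."""
    if not 0 <= p_self_custody <= p_exchange <= 1:
        raise ValueError("need 0 <= p_self_custody <= p_exchange <= 1")
    return portfolio * (p_exchange - p_self_custody)


def break_even_portfolio(device_cost: float, p_exchange: float, p_self_custody: float) -> float:
    """Portfolio size above which one year's expected-loss reduction exceeds the device cost."""
    delta = p_exchange - p_self_custody
    if delta <= 0:
        raise ValueError("self-custody must lower the annual loss probability for a break-even to exist")
    return device_cost / delta


def sensitivity(
    device_costs=(100, 200),            # page: hardware wallet costs $100-$200
    p_exchange_range=(0.01, 0.03),      # page: 1-3% annual exchange failure
    p_self_range=(0.001, 0.005),        # page: 0.1-0.5% annual self-custody theft
) -> dict:
    """Lowest and highest break-even over the corner cases of the page's ranges.

    Assumption: break-even is monotone in each input, so the range endpoints
    bound it; that holds for cost / (p_exchange - p_self_custody).
    """
    points = [
        break_even_portfolio(cost, pe, ps)
        for cost in device_costs
        for pe in p_exchange_range
        for ps in p_self_range
    ]
    return {"min": min(points), "max": max(points)}


if __name__ == "__main__":
    # Central case from the text: $100 device, 2% exchange risk, 0.3% self-custody risk.
    print(f"break-even (central case): ${break_even_portfolio(100, 0.02, 0.003):,.0f}")
    # Constructed input: a $25,000 portfolio under the same probabilities.
    print(f"annual expected-loss reduction on $25,000: ${expected_loss_reduction(25_000, 0.02, 0.003):,.0f}")
    band = sensitivity()
    print(f"break-even band across the page's ranges: ${band['min']:,.0f} to ${band['max']:,.0f}")
```

The band is the useful output: with the most pessimistic view of exchanges the device pays for itself at a few thousand dollars, while with the most optimistic view it takes tens of thousands. The direction of the conclusion for a $5K+ long-term holder does not change, but the exact threshold is not a precise number.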

The anatomy of a real phishing attack — what it looks like

Understanding exactly how attacks happen is the best defense. The most common vector in 2024-2025: a user receives a Discord DM from an account impersonating a project admin. The message says their wallet is 'flagged' and they need to verify via a link. The site looks identical to a real protocol — same logo, same colors, same layout. When they connect their wallet and click 'verify,' they sign a transaction that grants unlimited token approval to an attacker-controlled address. Everything drains within seconds.

The tell: the URL is one character off (uniswop.org vs uniswap.org), or uses a homoglyph (Unicode characters that look like standard letters). Hardware wallets stop this specific attack — they show the exact transaction you're signing on a screen that cannot be compromised by the website. You see 'approve USDC to 0x4a7...f2c for unlimited amount' instead of 'verify wallet.' That's the moment you close the tab.

Second most common: fake Ledger support emails after the 2020 Ledger data breach. 270,000 customer physical addresses and emails leaked. Attackers sent physical letters to those addresses with fake 'security update' instructions to enter seed phrases on a website. Ledger never asks for your seed phrase. No legitimate company or protocol ever does. This rule has zero exceptions.

Token approvals — the silent attack surface most people ignore

Every time you interact with a DeFi protocol, you grant it an approval to spend your tokens. Many approvals default to 'unlimited' — meaning the protocol can take every USDC or WETH in your wallet, any time, forever. If that protocol is later exploited or goes rogue, your approved tokens are at risk even if you stopped using it two years ago.

The fix takes 20 minutes: go to Revoke.cash, connect your wallet, and review every active approval. Revoke anything you don't recognize or don't actively use. For protocols you do use, set approvals to the exact amount needed for the current transaction rather than unlimited. On Ethereum mainnet, each revoke costs $1-5 in gas; on L2s (Arbitrum, Base, Optimism), it's under $0.10. There's no excuse not to do this quarterly.

High-risk approvals: NFT marketplace approvals (OpenSea, Blur) that grant approval for your entire collection; old DEX approvals from protocols that have since been abandoned or exploited; any approval granted to a contract that is no longer verified on Etherscan. One compromised old approval can drain a wallet even if your current operational security is perfect.
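What the hardware wallet screen is telling you in the phishing scenario above ('approve ... for unlimited amount'), and what a revoke actually is, both come down to reading a few bytes of calldata. The following is an added example, not the page's code or any wallet vendor's: it decodes an ERC-20 `approve(address,uint256)` call and an NFT `setApprovalForAll(address,bool)` call (the marketplace approvals mentioned above) and flags unlimited allowances. The two function selectors are the standard ones (first four bytes of the keccak-256 of the signature); the spender address, amounts and token decimals in the demo are constructed, and the 2^128 "effectively unlimited" threshold is a heuristic of this example.

```python
"""Decode an EVM approval transaction before signing it (added example; not the page's code)."""

MAX_UINT256 = 2**256 - 1
HUGE_ALLOWANCE = 2**128  # heuristic (assumption): allowances this large are unlimited in practice
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}


def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def _address(word: bytes) -> str:
    """An ABI-encoded address is left-padded to 32 bytes; the address is the last 20."""
    return "0x" + word[12:].hex()


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve(spender, amount) calldata; used here to construct sample transactions."""
    return bytes.fromhex("095ea7b3") + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")


def encode_set_approval_for_all(operator: str, approved: bool) -> bytes:
    """Build setApprovalForAll(operator, approved) calldata (sample construction)."""
    return bytes.fromhex("a22cb465") + bytes.fromhex(operator[2:]).rjust(32, b"\0") + int(approved).to_bytes(32, "big")


def decode_calldata(calldata: bytes, decimals: int = 18) -> dict:
    """Summarise what an approval call grants; `decimals` is the token's decimals for display."""
    if len(calldata) < 4 + 64 or calldata[:4] not in SELECTORS:
        return {"kind": "unknown", "risk": "unknown",
                "summary": "not a recognised approval call; inspect the contract before signing"}
    sig = SELECTORS[calldata[:4]]
    counterparty = _address(_word(calldata, 0))
    value = int.from_bytes(_word(calldata, 1), "big")

    if sig.startswith("setApprovalForAll"):
        if value:
            return {"kind": "setApprovalForAll", "operator": counterparty, "risk": "high",
                    "summary": f"grants {counterparty} operator rights over the ENTIRE collection"}
        return {"kind": "revokeOperator", "operator": counterparty, "risk": "none",
                "summary": f"removes {counterparty} as operator for the collection"}

    if value == 0:
        # A revoke (what Revoke.cash sends) is simply approve(spender, 0).
        return {"kind": "revoke", "spender": counterparty, "amount": 0, "risk": "none",
                "summary": f"revokes {counterparty}'s allowance"}
    if value == MAX_UINT256 or value >= HUGE_ALLOWANCE:
        return {"kind": "approve", "spender": counterparty, "amount": value, "unlimited": True,
                "risk": "high", "summary": f"approve UNLIMITED spend to {counterparty}"}
    return {"kind": "approve", "spender": counterparty, "amount": value, "unlimited": False,
            "risk": "low", "summary": f"approve {value / 10**decimals:,.2f} tokens to {counterparty}"}


if __name__ == "__main__":
    spender = "0x" + "ab" * 20  # constructed address standing in for an attacker-controlled contract
    for data in (encode_approve(spender, MAX_UINT256),
                 encode_approve(spender, 250 * 10**6),
                 encode_approve(spender, 0),
                 encode_set_approval_for_all(spender, True)):
        r = decode_calldata(data, decimals=6)  # 6 decimals, as USDC uses
        print(f"[{r['risk']:>5}] {r['summary']}")
```

The decoder only knows two selectors; anything else is reported as unknown rather than guessed, which is the right default for a pre-signing check. Limiting an approval to the exact amount needed, as recommended above, shows up here as a `risk: low` result with a concrete token amount instead of `UNLIMITED`.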

Exchange vs self-custody: a practical risk comparison

Exchanges are not as risky as the FTX narrative suggests — but the risk is non-zero and correlated. FTX, Celsius, BlockFi, Voyager, and Cryptopia all failed within 3 years of each other. Exchange failure risk isn't just about one exchange being bad; systemic contagion is real. Keeping $50,000 across three exchanges doesn't give you 3x safety — it gives you 3x exposure to systemic risk.

Self-custody eliminates counterparty risk but introduces key management risk. The right partition: funds you plan to hold for 6+ months go in cold storage. Funds you need for active trading or DeFi stay on exchanges or in hot/warm wallets. Never keep more on exchange than you're willing to lose to a catastrophic failure. A practical cap: $10,000-$25,000 per exchange for most retail holders.

Affiliate disclosure: we may earn a small commission if you sign up. It never costs you extra.


Crypto security — frequently asked questions

Ledger vs Trezor — which is better?

Ledger has a more polished app (Ledger Live), broader coin support, and a secure element chip. Trezor is fully open-source (auditable code, no black-box), supports fewer coins but the majors are all there. The 2023 Ledger Recover controversy (optional seed-phrase backup service via third parties) turned off many users. Functionally, both work. Pick Trezor if you prioritize open-source; Ledger if you prioritize UX and coin support.

Do I need multiple hardware wallets?

For holdings >$50K, yes — one as primary, one as backup. If your primary device breaks or is lost, the backup (restored from the same seed) gives you uninterrupted access. Never share seed phrases across different coins/chains unnecessarily; if you split funds across two devices, use two different seeds.

What's the most common way people lose crypto today?

Signing a malicious transaction that drains their wallet — often disguised as 'claim this airdrop,' 'complete this swap,' or 'approve this game.' Phishing websites that look identical to real protocols are the primary vector. Second most common: losing access to self-custodied wallets by storing seed phrases poorly or not at all.

Is MetaMask safe for large amounts?

Not alone — MetaMask is a hot wallet. Safe for daily use with small amounts ($500-2K). For larger amounts, use MetaMask as the UI but connect it to a hardware wallet (Ledger or Trezor) so signing happens on the device, not in the browser. Malware can't extract keys from a hardware wallet.

How do I handle crypto on multiple chains (ETH, SOL, BTC)?

Most hardware wallets support 100+ chains. Use the same device across chains by deriving keys from the same seed. For Solana specifically, Phantom works with Ledger via USB; for Bitcoin, use Sparrow or Electrum connected to a hardware wallet. Keep a list of which chains have which address derivation paths — helpful when restoring.

What if I forget my PIN?

With 3 wrong PIN attempts on a hardware wallet, the device usually wipes itself. You recover using your seed phrase on a fresh device. This is why backup seed phrase storage is critical — losing the PIN without the seed = permanent loss. Losing both = absolutely permanent.

How do I know if a website is a phishing site?

Check the exact URL character by character before connecting your wallet. Scam sites use homoglyphs (characters that look like standard letters), extra subdomains (app.uniswap.org.fake.com), or one-character typos. Bookmark every protocol you use and only access via bookmark. If you arrive via a search result, a DM link, or an ad — close the tab and open your bookmark instead.
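The character-by-character check described in this answer, and the homoglyph, typo and fake-subdomain tells from the phishing anatomy section earlier on the page, can be automated as a pre-connect check against your bookmarks. The following is an added example, not the page's or any wallet's code: it takes the URL a wallet is about to connect to, compares its host with a bookmark allowlist, and blocks on any of the three tells. The bookmark set is a constructed sample, and treating the last two labels as the registrable domain is a simplification (no public-suffix list).

```python
"""Pre-connect URL check against a bookmark allowlist (added example; not the page's code)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample standing in for the user's bookmarks.
BOOKMARKS = {"app.uniswap.org", "uniswap.org", "revoke.cash"}


def registrable_domain(host: str) -> str:
    """Simplification: last two labels (a real implementation would use the public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _contains_labels(host_labels: list, needle: list) -> bool:
    """True if `needle` appears as a contiguous run of labels inside `host_labels`."""
    n = len(needle)
    return any(host_labels[i:i + n] == needle for i in range(len(host_labels) - n + 1))


def check_url(url: str, bookmarks=BOOKMARKS) -> dict:
    """Return {'host', 'verdict', 'findings'}; verdict is bookmarked / caution / block / not bookmarked."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if host in bookmarks:
        return {"host": host, "verdict": "bookmarked", "findings": []}

    findings = []
    # Tell 1: homoglyphs. Any non-ASCII character in a host is a hard stop; name it so the user sees why.
    for ch in sorted(set(host)):
        if ord(ch) > 127:
            findings.append(f"non-ASCII character {ch!r} ({unicodedata.name(ch, 'UNKNOWN')}) in host")

    host_labels = host.split(".")
    reg = registrable_domain(host)
    bookmark_regs = {registrable_domain(b) for b in bookmarks}

    # Tell 2: a bookmarked domain buried as a subdomain, e.g. app.uniswap.org.fake.com.
    for breg in sorted(bookmark_regs):
        if reg != breg and _contains_labels(host_labels, breg.split(".")):
            findings.append(f"'{breg}' is only a subdomain here; the real domain is '{reg}'")

    # Tell 3: typosquats within two edits of a bookmarked domain, e.g. uniswop.org.
    for breg in sorted(bookmark_regs):
        d = levenshtein(reg, breg)
        if 0 < d <= 2:
            findings.append(f"'{reg}' is {d} edit(s) away from bookmarked '{breg}'")

    if findings:
        verdict = "block"
    elif reg in bookmark_regs:
        verdict = "caution"
        findings.append(f"same domain as a bookmark, but '{host}' is not the bookmarked host; open the bookmark instead")
    else:
        verdict = "not bookmarked"
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for u in ("https://app.uniswap.org/#/swap", "https://uniswop.org",
              "https://app.uniswap.org.fake.com/verify", "https://unisw\u0430p.org", "https://info.uniswap.org"):
        r = check_url(u)
        print(f"{r['verdict']:>14}  {u}  {'; '.join(r['findings'])}")
```

The exact-match path returns first, so a bookmarked host is never second-guessed; everything else has to earn its way past the three tells, and a host that merely shares a domain with a bookmark is downgraded to a caution rather than trusted outright.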

Should I use a VPN for crypto activity?

A VPN hides your IP from exchanges and websites but doesn't protect against the main threat vectors: phishing and malicious transaction signing. It's a marginal security improvement at best for crypto specifically. Prioritize hardware wallet usage, scam awareness, and token approval hygiene before spending time on VPN configuration. If you trade on public WiFi regularly, a VPN does add meaningful protection against MITM attacks.

Part of the Digital Dashboard Hub network