Skip to main content
Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong. Take 2 min to learn more.

How to Protect Your Crypto From Hackers

A layered defence for your coins, ordered by what actually catches people, with a hardening checklist you can finish in an afternoon.

beginner6 min readDan Clarke
Hero image for how-to-protect-crypto-from-hackers

TL;DR

  • Most crypto theft starts with phishing and reused passwords, and nobody legitimate ever asks for your seed phrase or private key.
  • Upgrade two-factor in this order: hardware key, then authenticator app, with SMS only as a last resort.
  • On exchanges, switch on withdrawal allowlists and an anti-phishing code; for long-term holdings, a hardware wallet with the seed on paper or steel.
  • Token approvals stay live until revoked, so run a block-explorer approval checker twice a year.
  • General security guidance only, not financial advice.

In December 2020, a file appeared on a public hacking forum. It held names, email addresses and home addresses for roughly 272,000 people who had bought a hardware wallet from Ledger, lifted from the company's marketing database the previous July. No coins moved, no device gave up a key. What followed instead was years of targeted phishing: emails, texts, letters through real letterboxes, even convincing fake devices in the post.

That dump is the whole subject in one story. Attackers rarely break cryptography, they ask you for the keys while dressed as support staff, or they walk into an account guarded by a reused password and a phone number. So this guide orders the defences by what actually catches people, and nearly all of it fits in one afternoon. It covers bitcoin, ethereum and everything else, because thieves do not care what you hold. And it is a how-to, not financial advice.

Most hacks are self-service

Nearly every individual loss begins with social engineering rather than broken code. Fake support staff who message first on Discord, Telegram and X, airdrop sites built to harvest wallets, drainer prompts dressed up as a mint page or a token claim. Each ends the same way: you approve something hostile, or you type your seed phrase somewhere it should never go.

One rule has no exceptions: real platforms and real networks never ask for your seed phrase or private key, and there is no legitimate "validate your wallet" or "sync your wallet" flow anywhere in crypto. Treat any request for those words as an attack, whoever appears to be asking. The people who lost coins to the Ledger letters were not hacked in any technical sense. They were persuaded.

The email account behind everything

Your exchange login is only as strong as the inbox that can reset it, so start there. Give your main email a long unique password and proper two-factor before you touch anything crypto-specific.

Then end password reuse wherever money lives: a password manager makes unique passwords the default rather than a chore, and it refuses to autofill on lookalike domains, which quietly blocks a lot of phishing by itself.

Notice what the Ledger breach actually leaked: no keys, just names, home addresses and proof the victims owned crypto, and that was enough to fuel attacks for years. Your details in a marketing database are an attack surface, so consider a separate email address for crypto services and share as little as a checkout allows.

Two-factor is a ladder

All two-factor authentication is not equal, not close.

SMS codes sit at the bottom: they fail to a SIM swap, where an attacker persuades your phone company to move your number, and every code then lands on their handset. The investor Michael Terpin lost roughly $24m that way in 2018 and then spent years suing AT&T over it, which tells you exactly how much weight one phone number can end up carrying. If a service that touches your money still texts you codes, change it this week.

An authenticator app is a big step up, because the codes live on your device rather than your number. A hardware security key of the FIDO2 sort is better again: it refuses to sign in on a lookalike domain at all, which closes off the standard phishing ending for that account. Ladder order: key, then app, then SMS only where nothing better is offered.

Four switches most people never flip

If coins sit on an exchange, the major venues already ship the hardening, though much of it is off by default.

  • A unique password out of the manager.

  • App or hardware-key two-factor, with SMS removed as a fallback.

  • A withdrawal allowlist, so funds can only leave to addresses you approved in advance, usually with a delay on changes.

  • An anti-phishing code, a word you choose that appears in every genuine email from the platform, so a message without it is fake on sight.

Twenty minutes covers all four.

If you hold your own keys

Self-custody moves the job from a platform's security team to you, and three habits do most of the work.

Keys first: a hardware wallet keeps them offline and signs transactions inside the device, so malware on your laptop never sees them. Buy directly from the manufacturer, never secondhand, and treat any unsolicited device in the post as hostile, because after the 2020 breach some Ledger customers were mailed convincing fakes.

Seed next: the 12 or 24 words go on paper or steel, somewhere a burglar would not casually find. Never photograph them, never cloud-sync them, never type them into any website, app or support tool, whatever the on-screen story says.

Approvals last, and least known: Token approvals you grant to dapps stay live until you revoke them, even if you used the dapp once, years ago. Free block-explorer checkers list every open approval on your address, so review twice a year and cut anything stale.

The layer you cannot patch

Platforms themselves get robbed, at a scale no personal checklist reaches. In March 2022 the Ronin bridge behind the game Axie Infinity lost about $620m, and a month later the US Treasury attributed the raid to North Korea's Lazarus Group. Chainalysis put 2022's protocol-hack losses at roughly $3.8bn, the worst year on record. That November, FTX collapsed while holding customer coins, which is the quieter failure mode: a balance on a platform is a promise, not a possession.

So the last defence is placement: keep on venues only what you are actively trading. An on-ramp such as Banxa, which has run fiat-to-crypto plumbing since 2014, sends purchased coins straight to the wallet you name at checkout in the markets it serves, so new buys never need to sit in an exchange account first. Long-term holdings belong in your own wallet, behind the habits above.

None of this makes theft impossible, it just closes the routes that produce most of it.

The afternoon, in order

  1. Give the email behind your accounts a unique password and app or key two-factor.

  2. Repeat on every exchange account, then remove SMS as a fallback.

  3. Switch on withdrawal allowlists and an anti-phishing code where offered.

  4. If you self-custody, order a hardware wallet directly from the maker.

  5. Move your seed to paper or steel and delete every digital copy.

  6. Run an approval checker and revoke anything you no longer use.

Six jobs, none of which needs a manual. The fake "urgent wallet validation" emails will keep arriving either way. This afternoon is what turns them from an emergency into spam.

Frequently Asked Questions

Sort the email account behind your exchange logins. Give it a unique password and app or hardware-key two-factor. That inbox can reset everything else, which is exactly why attackers go for it first. It takes about twenty minutes.

Better than nothing, yes, but it is the weakest option. A SIM swap moves your number, and your codes, to an attacker's phone; the investor Michael Terpin lost roughly $24m that way in 2018. Use an authenticator app or a hardware key on anything that touches money.

Yes, completely and from anywhere in the world. The seed phrase recreates your wallet with no further checks. If yours has ever been typed into a website, app or chat, set up a fresh wallet with a new seed and move your funds to it now.

No. They fix one large problem: malware on your computer cannot read keys that never leave the device. You can still lose funds by approving a hostile transaction or typing your seed into a fake tool. The device guards the keys. What you approve is still up to you.

They carry risks your settings cannot reach. Big platforms have been robbed, the Ronin bridge lost about $620m in March 2022, and FTX failed in November 2022 while holding customer coins. For anything you plan to hold long-term, your own wallet removes that whole layer.

Many dapps ask for permission to move a token on your behalf, and that permission stays live until you cancel it, sometimes years after you stopped using the dapp. Free block-explorer tools list your open approvals. Check twice a year and revoke anything you no longer recognise.

By Dan ClarkeLast updated: 14 July 2026