The biggest threats
Let's be blunt about what actually costs people money. In order of how many people they affect:
1. Scams and social engineering. By far the biggest threat. Fake giveaways, impersonation, romance scams, fake customer support. The FBI reported over $5.6 billion in crypto fraud losses in 2023 alone. Most victims weren't hacked. They were tricked.
2. Phishing. Fake websites that look identical to real ones. You connect your wallet, approve a transaction, and your funds are gone. Phishing sites appear in Google ads, Discord DMs, and even search results.
3. Seed phrase compromise. People store their seed phrase in a notes app, email draft, cloud storage, or screenshot. Hackers find it and drain everything. This happens daily.
4. Exchange failures. FTX, Mt. Gox, QuadrigaCX. Billions lost because people left funds on exchanges that collapsed. Not your keys, not your coins.
5. Smart contract exploits. DeFi protocol bugs that let attackers drain funds. Billions lost across hundreds of incidents. Even audited protocols get hit.
Phishing attacks
Phishing is the number one attack vector for individual crypto users. It's not sophisticated. It's effective because it exploits human behavior.
How it works: An attacker creates a fake version of a popular DeFi site (Uniswap, Aave, OpenSea). The URL looks almost identical: maybe "unisswap.com" or "app-uniswap.org" instead of "app.uniswap.org". You connect your wallet and are asked to confirm what looks like a routine action. What you actually sign is a token approval, a Permit-style off-chain signature, or an NFT setApprovalForAll that lets the attacker move your assets whenever they choose, or you're prompted to "verify" or "restore" your wallet by entering your seed phrase.
Where they appear: Google search ads (attackers literally buy ads for popular DeFi protocols), Discord DMs from "admin" accounts, Twitter replies, Telegram groups, emails pretending to be from exchanges. Even legitimate-looking browser extensions have turned out to be phishing tools.
How to protect yourself: Bookmark every DeFi site you use and only access them through bookmarks. Never click links in DMs, emails, or social media. Never enter your seed phrase on any website. No legitimate service will ever ask for it. Install the Pocket Universe or Wallet Guard browser extension, which simulates transactions before you approve them and warns you about suspicious contracts. If a hardware wallet is involved, read the destination address, amount, and contract on the device's own screen before confirming; the computer screen is the one an attacker controls.
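A small allowlist check for the bookmark-only rule, as an added example; it is not code from the original page or from any wallet or extension vendor. The bookmark set and the sample URLs are constructed for the demonstration, and the registrable-domain logic is a simplification that ignores multi-part public suffixes such as .co.uk.

```python
from urllib.parse import urlsplit

# Assumption: the user's own bookmark list. Only an exact host match is "safe".
BOOKMARKED_HOSTS = {
    "app.uniswap.org",
    "app.aave.com",
    "opensea.io",
}


def registrable(host: str) -> str:
    """Last two labels of a host: 'app.uniswap.org' -> 'uniswap.org'.

    Simplification: multi-part public suffixes (.co.uk, .com.au) are not
    handled; a production check should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Classify a URL as 'bookmarked', 'same-domain', 'lookalike' or 'unknown'.

    Only 'bookmarked' means "go ahead"; everything else means navigate via
    the bookmark instead of the link you were handed.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"
    if host in BOOKMARKED_HOSTS:
        return "bookmarked"
    # Punycode labels are where Unicode homoglyph attacks hide; never trust them.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    candidate = registrable(host)
    cand_sld = candidate.split(".")[0]
    for good in BOOKMARKED_HOSTS:
        good_reg = registrable(good)
        good_sld = good_reg.split(".")[0]
        if candidate == good_reg:
            return "same-domain"   # right domain, different subdomain: still not the bookmark
        if cand_sld == good_sld:
            return "lookalike"     # same brand label on another TLD (uniswap.com)
        if good_sld in cand_sld:
            return "lookalike"     # brand buried in a longer label (app-uniswap.org)
        if levenshtein(cand_sld, good_sld) <= 1:
            return "lookalike"     # one-character typosquat (unisswap.com)
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, including the two lookalikes from the text.
    for sample in ("https://app.uniswap.org/swap", "https://unisswap.com/",
                   "https://app-uniswap.org/", "https://uniswap.org/",
                   "https://xn--niswap-9za.org/", "https://example.com/"):
        print(f"{classify(sample):12s} {sample}")
```

The check errs toward false positives on purpose: a near-miss of a brand you have bookmarked is far more likely to be a phishing page than a legitimate new site, and the cost of a false positive is only typing the bookmark instead.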
Token approval phishing: The sneakiest version. You visit a site and confirm what looks like a normal token approval. But an ERC-20 approval names a spender and an allowance, and the malicious site sets that allowance to the maximum (effectively unlimited), so the attacker's contract can transfer your entire balance of that token at any later time; the NFT equivalent is setApprovalForAll. Nothing is taken at the moment you sign. Days or weeks later, they drain everything. Check and revoke approvals regularly at revoke.cash.
Wallet security
Use a hardware wallet for significant amounts. Ledger and Trezor keep your private keys offline inside the device, and signing happens there, so even a fully compromised computer cannot extract the keys. What a compromised computer can still do is present you with a malicious transaction to sign, which is why you verify the address and amount on the device's own screen before approving. If you have more than $1,000 in crypto, get one. It's $79-150 for potentially life-changing protection.
Separate wallets for different purposes. Have a "hot" wallet with small amounts for daily DeFi use. Keep the bulk of your holdings in a hardware wallet that rarely connects to anything. If your hot wallet gets compromised, your savings wallet is untouched.
Seed phrase storage: Write it on paper (or better, stamp it on steel). Store in at least two physical locations. Never photograph it. Never type it into any device. Never store it digitally in any form. This is the one piece of advice that, if followed, would prevent the majority of individual crypto theft.
Use a burner wallet for new protocols. When interacting with a new or unaudited smart contract, use a separate wallet with only the funds needed. If the contract is malicious, you only lose what's in the burner wallet.
Exchange safety
If you're keeping funds on an exchange (for active trading, for example), here's how to minimize risk:
Enable 2FA with an authenticator app or a hardware security key. Google Authenticator or Authy for time-based codes; a YubiKey (FIDO2/U2F) where the exchange supports it, since a security key is bound to the real site's origin and cannot be phished with a fake login page the way a typed six-digit code can. Never use SMS-based 2FA. SIM swap attacks, where an attacker convinces your phone company to transfer your number to their SIM, have been used to steal millions in crypto. An authenticator app or security key removes the SIM-swap vector entirely.
Use a unique, strong password. Use a password manager (Bitwarden, 1Password). Your exchange password should be unique, meaning not used anywhere else, and at least 16 characters.
Enable withdrawal whitelisting. Most exchanges let you restrict withdrawals to pre-approved addresses, with a 24-48 hour delay before a newly added address becomes usable. If an attacker gets into your account, they can't withdraw to their own wallet right away, and the delay gives you time to see the notification email and lock the account.
Use reputable exchanges. Coinbase, Kraken, and Gemini are US-regulated with strong security track records. Avoid smaller, unregulated exchanges. They might offer lower fees but the risk of losing everything isn't worth the savings.
Don't keep more than you need on an exchange. Only keep what you're actively trading. Move everything else to self-custody. This one rule would have saved billions of dollars across crypto's history.
DeFi-specific risks
Token approvals: Every time you interact with a DeFi protocol, you approve its contract to spend a given amount of a given token on your behalf. Many front-ends request the maximum allowance (unlimited spending) so they never have to ask again. If the protocol gets hacked later, the attacker can use that standing allowance to drain the approved token from your wallet even if you're not using the protocol anymore, and even years later. Approve only the amount you need where the site lets you, and regularly revoke old approvals at revoke.cash.
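A decoder for the calldata a wallet shows you before you sign, covering both the approval-phishing case from the phishing section and the standing-allowance problem described here. It is an added example, not code from the page, from revoke.cash, or from any wallet or extension. The selectors are the standard ERC-20 and ERC-721 ones; the spender address and the sample calldata are constructed for the demonstration.

```python
UINT256_MAX = 2**256 - 1

# 4-byte selectors: the first four bytes of keccak256 of the canonical signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}


def _word(data: bytes, index: int) -> bytes:
    """ABI argument `index` is the 32-byte word after the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return chunk


def _address(word: bytes) -> str:
    if any(word[:12]):
        raise ValueError("address argument has non-zero padding")
    return "0x" + word[12:].hex()


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def analyze_calldata(calldata_hex: str, balance=None) -> dict:
    """Decode calldata and return the decoded fields plus a list of warnings.

    `balance` is the signer's current balance of the token (base units) if
    known; an allowance above it is suspicious even when not unlimited.
    """
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("no function selector")
    selector = data[:4].hex()
    name = SELECTORS.get(selector)
    result = {"selector": "0x" + selector, "function": name, "warnings": []}
    if name is None:
        result["warnings"].append("unrecognised selector; simulate before signing")
    elif name.startswith(("approve(", "increaseAllowance(")):
        spender, amount = _address(_word(data, 0)), _uint(_word(data, 1))
        result.update(spender=spender, amount=amount)
        # 2**256-1 is the usual "infinite" allowance; some front-ends use 2**255 or similar.
        if amount >= 2**255:
            result["warnings"].append(f"unlimited allowance granted to {spender}")
        elif balance is not None and amount > balance:
            result["warnings"].append("allowance exceeds current balance")
    elif name.startswith("setApprovalForAll("):
        operator, approved = _address(_word(data, 0)), _uint(_word(data, 1)) == 1
        result.update(operator=operator, approved=approved)
        if approved:
            result["warnings"].append(f"operator {operator} may move every NFT in this collection")
    elif name.startswith("transfer("):
        result.update(to=_address(_word(data, 0)), amount=_uint(_word(data, 1)))
    else:  # transferFrom(address,address,uint256)
        result.update(sender=_address(_word(data, 0)), to=_address(_word(data, 1)),
                      amount=_uint(_word(data, 2)))
    return result


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount); used here only to build sample calldata."""
    return ("0x095ea7b3"
            + spender.removeprefix("0x").lower().rjust(64, "0")
            + amount.to_bytes(32, "big").hex())


if __name__ == "__main__":
    # Constructed sample: a phishing site asking for an unlimited allowance on a
    # 6-decimal stablecoin, then a legitimate-looking but oversized one.
    spender = "0x1111111111111111111111111111111111111111"  # hypothetical attacker contract
    print(analyze_calldata(encode_approve(spender, UINT256_MAX)))
    print(analyze_calldata(encode_approve(spender, 100 * 10**6), balance=50 * 10**6))
```

The threshold of 2**255 rather than exactly 2**256-1 matters: some front-ends request slightly smaller "infinite" values, and a check that only matches the exact maximum would miss them.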
Rug pulls: New protocols that collect deposits and then the team disappears with the money. Red flags: anonymous team, unaudited contracts, copy-paste code with minor changes, impossibly high APYs (1,000%+), and aggressive marketing with paid influencers.
Oracle manipulation: DeFi protocols use price feeds (oracles) to value collateral and settle trades. If a protocol reads the spot price straight from a single on-chain liquidity pool, an attacker can take a flash loan, push that pool's price far off market within one transaction, borrow or liquidate against the wrong value, and unwind the trade before the transaction ends. Protocols that use time-weighted average prices or a decentralized feed such as Chainlink, which aggregates many off-chain sources, are much harder to manipulate this way than those reading one pool's spot price.
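A constant-product pool simulation of the attack described above: how one flash-loan-sized swap moves a single pool's spot price, why the attacker can unwind it in the same transaction, and how much less a time-weighted average moves. This is an added example, not code from the page or from any DEX or oracle; the pool reserves, trade size, and block timing are constructed, and swap fees are ignored to keep the arithmetic exact, which makes the attack look cheaper than it is in practice.

```python
from fractions import Fraction


class ConstantProductPool:
    """Uniswap-v2-style x * y = k pool holding ETH and USDC; price is USDC per ETH."""

    def __init__(self, eth: int, usdc: int):
        self.eth = Fraction(eth)
        self.usdc = Fraction(usdc)
        self.k = self.eth * self.usdc

    def spot_price(self) -> Fraction:
        return self.usdc / self.eth

    def swap_usdc_for_eth(self, usdc_in) -> Fraction:
        """Sell USDC into the pool (no fee); returns the ETH received."""
        new_usdc = self.usdc + usdc_in
        new_eth = self.k / new_usdc
        eth_out = self.eth - new_eth
        self.usdc, self.eth = new_usdc, new_eth
        return eth_out

    def swap_eth_for_usdc(self, eth_in) -> Fraction:
        """Sell ETH into the pool (no fee); returns the USDC received."""
        new_eth = self.eth + eth_in
        new_usdc = self.k / new_eth
        usdc_out = self.usdc - new_usdc
        self.eth, self.usdc = new_eth, new_usdc
        return usdc_out


def twap(samples) -> Fraction:
    """Time-weighted average over (price, seconds) samples, the way
    cumulative-price oracles compute it across a window."""
    total = sum(seconds for _, seconds in samples)
    return sum(price * seconds for price, seconds in samples) / total


def manipulation_demo() -> dict:
    pool = ConstantProductPool(eth=1_000, usdc=2_000_000)  # constructed reserves
    honest = pool.spot_price()                             # 2000 USDC/ETH

    # 1. Flash-loan 1,000,000 USDC and dump it into the pool inside one transaction.
    eth_bought = pool.swap_usdc_for_eth(1_000_000)
    manipulated = pool.spot_price()                        # 4500 USDC/ETH

    # 2. A lending protocol that reads this pool's spot price now overvalues
    #    collateral: 100 ETH looks worth 2.25x what it should.
    collateral_eth = 100
    honest_value = honest * collateral_eth
    inflated_value = manipulated * collateral_eth

    # 3. Unwind in the same transaction and repay the flash loan; the pool is
    #    back where it started, so the manipulation itself cost nothing (no fees here).
    usdc_recovered = pool.swap_eth_for_usdc(eth_bought)
    restored = pool.spot_price()

    # 4. A 10-block TWAP with 12-second blocks sees the spike for one block only.
    averaged = twap([(honest, 12)] * 9 + [(manipulated, 12)])

    return {
        "honest_price": honest,
        "manipulated_price": manipulated,
        "restored_price": restored,
        "usdc_recovered": usdc_recovered,
        "honest_collateral_value": honest_value,
        "inflated_collateral_value": inflated_value,
        "twap_price": averaged,
    }


if __name__ == "__main__":
    for key, value in manipulation_demo().items():
        print(f"{key:28s} {float(value):>14,.2f}")
```

The spot price more than doubles for the duration of one transaction while the ten-block average moves about 12 percent; a TWAP is not immune (sustaining the manipulation across many blocks costs real capital and fees, but it is possible), which is why the text prefers a feed aggregated from many sources for anything that holds collateral.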
Bridge hacks: Cross-chain bridges have been the target of the largest crypto hacks in history. Ronin ($625M), Wormhole ($320M), Nomad ($190M). Use official bridges and avoid bridging large amounts through new protocols.
Security checklist
Here's a practical checklist. Do all of these and you'll be far more secure than the typical crypto user:
Wallet: Hardware wallet for holdings over $1,000. Seed phrase on paper/steel in 2+ locations. Separate wallets for DeFi vs. savings. Never enter seed phrase on any website.
Exchange: Authenticator app for 2FA (never SMS). Unique, strong password via password manager. Withdrawal whitelist enabled. Minimal funds kept on exchange.
DeFi: Bookmark all DeFi sites. Use transaction simulators (Pocket Universe). Revoke old token approvals monthly. Use burner wallet for new protocols. Research before depositing (audit, team, TVL, time live).
General: Never click links in DMs. Never trust "too good to be true" offers. Be skeptical of everything. Keep operating system and wallet software updated. Use a dedicated browser or profile for crypto activities.
Advanced: Consider a dedicated device for crypto (an old phone or laptop used only for crypto transactions). Use a VPN on public networks. Consider multisig wallets (requiring multiple signatures for transactions) for large holdings.
The bottom line
The vast majority of crypto theft happens through social engineering and phishing, not sophisticated hacking. If you protect your seed phrase, use hardware wallets, enable proper 2FA, and don't click suspicious links, you've eliminated most of the risk.
Social engineering
Fake customer support: You post a question on Twitter or Reddit about a crypto issue. Within minutes, someone DMs you pretending to be support for that protocol. They send you a link to "verify your wallet" or ask for your seed phrase. It's always a scam. Legitimate companies never DM first and never ask for your seed phrase.
Romance and relationship scams: Someone builds a relationship with you online over weeks or months, then introduces you to a "great investment opportunity." They direct you to a fake exchange where your deposits are visible but can never be withdrawn. Called "pig butchering" scams, they've stolen billions globally.
Fake airdrops: Unknown tokens show up in your wallet. The token's name, or a link embedded in it, points you to a site where you can "claim" or "sell" them, and that site asks for an approval or signature that drains your real tokens; some of these tokens also cannot be sold at all (honeypots). Rule: never interact with tokens you didn't buy or earn from a known protocol. Leave them sitting there; they can't hurt you until you act on them.
Celebrity impersonation: "Elon Musk is giving away Bitcoin! Send 0.1 BTC to receive 1 BTC back!" This is always, 100% of the time, a scam. Nobody gives away free crypto. Ever.