Cyber thieves purloined a whopping $4.5 billion worth of digital currency in 2021, doubling their bounty from 2020.
Cyber criminals helped themselves to nearly $2bn worth of crypto this year alone, clocking a 60 per cent jump in such transgressions.
These frequent crypto-related crimes are the proverbial salt on the wounds of investors already smarting from the precipitous and unrelenting fall of crypto prices across the spectrum.
Worth more than $3 trillion barely months ago, the crypto market value has now sunk to $1tn, as of November 7, according to Coinmarketcap.com.
Worse yet, crypto transactions are irreversible - once stolen, digital assets are often lost for ever.
Crypto theft isn’t a risk that’s going to disappear overnight. With crypto becoming more mainstream and attracting more investors, learning about how to protect your crypto has become more critical than ever before.
Read on to learn how to be an astute — and safe — crypto investor.
Threats to crypto safety
Blockchain, a digital ledger for transactions, forms the backbone of cryptocurrencies.
Its decentralised nature and lack of intermediaries make a blockchain vulnerable to sophisticated hackers who can find safety gaps in the tech infrastructure of crypto exchanges and online trading platforms, and exploit them to drain crypto accounts.
“Vulnerabilities can happen through a variety of ways: both simple bugs, but also design flaws that open the door for attacks,” says Christian Seifert, security researcher at Forta, a real-time detection network for security and operational monitoring of blockchain activity.
Lack of awareness among investors and failure to take adequate security measures are other weaknesses crypto thieves look for.
Hacking risks can also take the form of malicious links or malware that are designed to steal private information.
Phishing remains the most common cause of theft in the crypto industry. Swindlers design phishing websites that mirror established brands and trick users into giving up personal financial information.
“A major way that end users are impacted is through private key theft and ice phishing attacks,” says Mr Seifert.
“Both are social engineering attacks where users are tricked into disclosing information or signing transactions that give attackers access to a user’s digital assets.”
Account takeover attacks have also been on the rise. Criminals are using this automated scam to take over people’s online accounts using bot-driven hacking techniques, including credential stuffing or credential cracking.
Once perpetrators take control of accounts of popular businesses, they redirect users to fake websites to either drain crypto held in wallets or steal seed phrases — a list of 12 to 24 words that can be used to access funds in crypto storage.
Custodial wallets, cold wallets and hot wallets are some of the most common storage options used by crypto investors to secure their coins and private keys.
For the average crypto investor, custodial wallets are the default storage option as they’re held and operated by crypto exchanges.
Cold wallets are offline hardware wallets regarded as arguably the safest bet for holding cryptocurrency. A cold wallet is an external storage device, like a memory stick, and is not connected to the internet.
Hot wallets, by contrast, are internet-connected desktop, mobile and web-based applications.
In crypto wallets, “digital assets are stored on the ledger, or the blockchain, and wallets manage the keys that allow one to operate on these digital assets”, says Mr Seifert.
“Hot wallets store these keys locally on your device [and thus, they are subject to being stolen] whereas cold wallets are disconnected, making it much more difficult to steal the keys.”
Unlike custodial wallets, held by third parties, non-custodial wallets allow users full control over their assets. They eliminate the danger of unauthorised access to your account information.
Whereas hot wallets require users to be technically savvy, cold wallets are less demanding. Hot wallets used to access or store crypto within centralised exchanges require labyrinthine registration and verification processes and require a tremendous amount of trust that a big tech company will not steal or cut the user off from their digital assets.
Protecting your crypto
Offline crypto storage is widely regarded as the safest option, used both by individuals and exchange platforms to secure their digital assets.
When digital assets are stored with an exchange, you are delegating the management and safety of those assets to that entity.
“Exchanges have instituted best practices to secure your digital assets and theft from exchanges has been increasingly rare,” Mr Seifert says.
Non-custodial wallets, particularly cold wallets, put the onus on the owner for managing and securing their keys.
There are three distinct aspects to securing a cold wallet, says Walt Greene, founder, inventor and chief executive of QDEx Labs, a cybersecurity and blockchain development company.
“Keep your chosen physical storage device in a safe place — preferably in a safe until you need to use it,” he says.
Second, store your recovery phrase offline, in a safe. This gives you the ability to restore “the entire wallet’s contents if something were to happen to it and grants access to all your private keys”, says Mr Greene, who advises against saving a recovery phrase on any device connected to a network since it can be accessed by skilled hackers.
“Written format is preferable,” he stresses.
Third, your private keys are specific to a coin/blockchain via a unique address and should be kept in a secure place in written format, preferably in a physical safe.
“Always immediately disconnect your cold wallet from the device you are performing a trade on when finished,” Mr Greene cautions.
Keep your IDs non-obvious and passwords as strong as possible, such as mixtures of “nonsense letters, phrases and words that have no correlation to each other along with numbers/symbols scattered throughout”, he says.
The more complex, the better, and write it down. Make sure you are on the right website (URL) every time you log in.
“Never enter your private [ID/password] information anywhere other than the proper log-in screen,” says Mr Greene, who urges investors to never share their seed phrase, ID or password with anyone who says they need it to transfer you anything.
To make it more foolproof, avoid using the same password for multiple accounts.
Cybercrime experts suggest using a password manager, an encrypted digital vault that safely stores password/login information for apps and accounts on your digital devices and websites.
“For the average user,” Mr Seifert says, “I would recommend custodial wallets as one delegates the responsibility of managing wallet keys to professionals.”
This can be beneficial both in the event of a key loss or a cyberattack.
The threat landscape is constantly evolving and attackers are innovating to steal digital assets. In recent years, this has even led well-funded state-sponsored adversaries to become active in this space.
“Overall, the industry has recognised the need for built-in security features, understanding the threat landscape in real-time,” says Mr Seifert.
End users need to demand security from the platforms and wallets they are using, he adds.
That said, save for not investing in crypto at all, nothing is watertight when it comes to crypto safety, warns Mr Greene.
“Because many attacks are based on social engineering [meaning techniques that rely on human failing, not the technical prowess of a potential hacker], nothing will ever be 100 per cent safe from theft,” Mr Greene says.
As a crypto holder, therefore, it is your responsibility to keep your assets safe, take maximum precaution and put protective measures in place.