- The world of decentralised finance can be daunting. All the responsibility for your assets rests with you, rather than with an entity like a bank or exchange. It is vital that you understand wallet security, get to know how malicious actors prey on people's vulnerabilities, and learn how to avoid getting scammed.
- Centralised exchanges can be useful for buying with or selling for fiat, but your assets are held in the exchange's wallet together with everyone else's. You cannot be sure what they are doing with those assets, compared to holding them in your own personal 'non-custodial' wallet.
There is a common crypto saying: "not your keys, not your coins". These keys are your seed phrase (also known as a mnemonic), the 12 or 24 words displayed when you create a wallet. Centralised exchanges are considered 'custodial' since they hold this key.
Unlike online accounts, where a password and 2-factor authentication can be enabled for security, the seed phrase is the master secret from which all of your wallet's keys are derived, and on its own it is all that is needed to move funds.
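To make that point concrete, here is an added example (not code from the original guide) that follows the public BIP39 and BIP32 specifications using only the Python standard library: a seed phrase is turned into the wallet's master seed with PBKDF2-HMAC-SHA512, and the master private key is then derived from that seed with HMAC-SHA512. Nothing else enters the derivation, so anyone holding the words can reproduce the keys. The input phrase is the well-known test mnemonic from the BIP39 specification, used here as a constructed sample only; the function and constant names are this example's own.

```python
import hashlib
import hmac
import unicodedata

# BIP39 parameters from the specification (assumed public constants, not from the guide).
PBKDF2_ROUNDS = 2048
SEED_LEN_BYTES = 64

# Constructed sample input: the standard BIP39 test mnemonic (11 x "abandon" + "about").
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 master seed from a seed phrase.

    BIP39 normalises the phrase and the optional passphrase with NFKD and runs
    PBKDF2-HMAC-SHA512 for 2048 rounds with the salt "mnemonic" + passphrase.
    Note what is absent: no account password and no 2FA, only the words.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ROUNDS, SEED_LEN_BYTES
    )


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master key: HMAC-SHA512(key="Bitcoin seed", msg=seed).

    The left 32 bytes are the master private key, the right 32 bytes the chain code.
    Every address in the wallet is derived from this pair, so the seed phrase
    alone is enough to regenerate all of them.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def phrases_give_same_wallet(phrase_a: str, phrase_b: str) -> bool:
    """True if two phrases (ignoring spacing) derive the same master key."""
    key_a, _ = seed_to_master_key(mnemonic_to_seed(phrase_a))
    key_b, _ = seed_to_master_key(mnemonic_to_seed(phrase_b))
    return hmac.compare_digest(key_a, key_b)


if __name__ == "__main__":
    seed = mnemonic_to_seed(DEMO_MNEMONIC)
    priv, chain_code = seed_to_master_key(seed)
    print("seed        :", seed.hex())
    print("master priv :", priv.hex())
    print("chain code  :", chain_code.hex())
    # Changing a single word yields an unrelated wallet, which is why every
    # word must be copied down exactly and kept offline.
    altered = DEMO_MNEMONIC.replace("about", "abandon", 1)
    print("same wallet after changing one word?", phrases_give_same_wallet(DEMO_MNEMONIC, altered))
```

Running the script prints the seed and master key for the sample phrase; the same words always produce the same keys, extra whitespace makes no difference, and a one-word change produces an entirely different wallet. The optional BIP39 passphrase (a "25th word") is the only additional secret the standard allows, and a wallet created with one cannot be restored without it.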
- Because of this, there are many scammers who attempt to trick people into giving away their seed phrase. Some examples to be aware of:
👉 Twitter, Telegram, Discord accounts claiming to be technical support or group moderators.
It is very easy to copy profiles. Real moderators will chat in public rather than in private messages, as they have nothing to hide. Some scammers even pose as verification bots on Discord, so pay close attention when joining a server.
👉 Accounts posing as official accounts (e.g. Osmosis) offering airdrops.
They will either direct you to a phishing website or tell you to send funds to a wallet to receive more in return. If you send funds to an unknown wallet, they are gone for good. Verify that accounts and groups are official by joining them from official websites, rather than via a search.
👉 Paid ads on search engines making a phishing website or fake wallet app come up at the top of the search.
Cross-check that websites are legitimate before connecting to them. One way to find genuine links is by finding the coin on a tracking site like CoinGecko.
👉 E-mails and text messages saying your wallet isn't verified or your account is about to be closed.
Non-custodial wallets like Keplr and Metamask do not require verification and it is unlikely you even linked your e-mail with the wallet. Delete and block immediately, and don't click any links. (If you receive a message that looks like it is from an exchange you use, it is best to go to the exchange's website directly and see if you have any messages in your account inbox.)
👉 Proposals posted on official governance voting pages with malicious links in them.
As anyone can post a governance proposal, scammers take advantage of this to share their links in a trusted environment. Scam proposals are usually easy to spot. They are often one-sentence proposals with the promise of an airdrop to lure people in. It is best to avoid clicking links if you do not know where they lead.
- Let's take a look at some ways you can protect your seed phrase.
📌 Store your seed phrase on a physical medium, ideally fire and flood resistant, for example laminated paper or a metal plate.
📌 Do not store your seed phrase on anything that can connect to the internet or any network, such as a mobile phone, computer or cloud storage. This includes taking photos or screenshots of it. There is always a chance that these can be hacked and exploited. You could use a USB device that is shock-proof, magnetic-proof, etc., as long as you only ever use it with a computer that is not connected to any network.
📌 Buy a ledger and store your assets on the addresses on it. When you use a ledger, you never have to type in your seed phrase anywhere to connect to a wallet app. The seed phrase is only ever on the screen of the ledger. (See our ledger setup guide HERE)
📌 Spread out your holdings over different wallets with different seed phrases. This way if the worst happens and one seed phrase is compromised, it is only a portion of your assets.
📌 When you connect to a new site for the first time, read the information panel in your wallet app before approving the connection, and when signing transactions, double-check what you are signing.
- Some wallets give you the option of saving a private key instead of a seed phrase. This is a long string of letters and numbers, and it gives access to your wallet in the same way a seed phrase does. It is much harder to copy down by hand.
You will get a private key instead of a seed phrase if you create a Keplr wallet with your Google account. Consider the implications of setting up your wallet with an e-mail account before doing this: if you lose access to your Google account, or try to recover the wallet in a different wallet app that expects a seed phrase instead of a private key, you will not be able to access your funds.
- Scammers are constantly evolving. The bottom line is that they all want your seed phrase as that is what they need to access your funds. If they succeed in taking your funds, there is no way to reverse the transactions. Be sure to verify all links and think twice before entering your seed phrase in any website or wallet app.
Buy a ledger if you can afford it: you will find you never have to enter your seed phrase in wallet apps. You only click 'connect with ledger', so scam sites that ask for your seed phrase become much more obvious.
Now that you know how to safeguard your wallets, explore and enjoy the freedom of decentralised finance!