16 Crypto Security Tips by CoinGecko’s Co-founder So You Can Invest & HODL in Peace

by CoinGecko

The digital economy is booming and cryptocurrencies have become a significant part of it. Unlike other digital currencies, cryptocurrencies use cryptography and a blockchain to secure and verify transactions. This means that crypto transactions are immutable and take place directly between two parties, without intermediaries like banks and stockbrokers.

Why You Need to Secure Your Crypto

While crypto transactions themselves are secure, cryptocurrencies can still be stolen depending on where they are kept. A centralized exchange, for example, remains vulnerable to attack because it is a single point of failure by design, which is why hackers tend to target exchanges. If you keep your cryptocurrencies on an exchange or in an online wallet, you risk having your valuable assets stolen. As a crypto holder, you therefore need to take certain precautions to keep your crypto safe.

Securing your crypto accounts does take time. You need time not only to audit your personal security setup but also to change your current behavior and habits. But if you're in it for the long term and value your financial well-being, you need to start taking this seriously. Stop making excuses like not being used to taking full control of your assets, or that the odds of losing crypto to some hacker are low. Securing your crypto accounts is an absolute necessity once you start investing in cryptocurrencies.

Crypto Security Best Practices

As a crypto holder or investor, it's your responsibility to keep your cryptos safe and navigate the digital world securely. The following are 16 best practices recommended by our co-founder, Bobby Ong.

1. Never reuse passwords

The most common thing people do when signing up to different websites is to use the same password for all of them so that they don't have to remember too many. This is risky: if any one of those websites leaks your password, attackers will try the same credentials on your other accounts. It's only a matter of time until your password is compromised and your accounts get hacked. Therefore, always use unique passwords. If you would like to know whether your password has been leaked, visit

2. Use a password manager

Creating a unique password for each website can be tough — how could you possibly remember them all? To make it easy for you, use a password manager like 1Password or LastPass that would generate a long and strong password for each account. You would only have to remember the master password and let the password manager do the rest.

3. 2FA everything

Use two-factor authentication (2FA) on every service that offers it. Use an app like Google Authenticator or Authy rather than SMS-based 2FA, because SMS is not secure: hackers can perform a SIM swap, tricking your mobile carrier into porting your phone number to a device they control. If you use Authy, install it on a second backup device and then disable the multi-device feature as an added security measure.

4. Consider using hardware-based 2FA

If you have the funds, consider upgrading to hardware-based 2FA from a vendor like Yubico, Google Titan, or Thetis. This moves your second factor from an app to a physical USB device that you must touch to authenticate before logging in. Hardware security keys are based on the FIDO U2F standard, a protocol whose responses are hard to intercept or replay. They provide a fast, no-fuss way to use 2FA without relying on the app on your phone.

5. Use a crypto hardware wallet

When starting out in crypto, most people store their coins in MetaMask or another online wallet. Because those wallets are connected to the Internet, they remain exposed to attack. It's highly encouraged that you start using a hardware wallet like Trezor or Ledger, unless you're happy to let a hacker take all your coins one day. A hardware wallet may be costly, but it is worth the expense, especially as you invest in crypto over time and want to know your holdings are safe from hackers.

6. Uninstall all Chrome extensions

Chrome extensions can be useful productivity tools. However, an extension can act as a keylogger with access to your data, passwords, and other confidential information, and hackers take advantage of this to steal crypto. So unless you absolutely trust the extension developer, uninstall them all. It's not worth the risk.

7. Use separate browser profiles

If you must use a Chrome extension for whatever reason, then move your MetaMask extension into its own browser profile. You can create a separate profile for each wallet extension you need to use. This prevents a malicious extension in one profile from reading the data of a wallet extension in another.

8. Limit smart contract approvals

When you interact with smart contracts, don't grant unlimited token approvals. An unlimited approval lets the contract drain all of your tokens if it gets hacked. To set a limit in your wallet, click 'Edit' on the permission prompt and change the spending limit to the amount you actually want to send. You can use Etherscan's token approval checker to see which smart contracts you have granted an unlimited spending limit. Then connect your wallet via Web3 and click the 'Revoke' button.
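As an added example that is not CoinGecko's code and not any wallet's, the JavaScript below encodes and decodes the ERC-20 approve(spender, amount) calldata that a wallet asks you to sign, so you can see the difference between an unlimited approval (2^256 - 1), a bounded one, and the revoke call (approving 0) that a tool like Etherscan's checker sends. The spender address and the pending requests are constructed sample values; the function selector 095ea7b3 is the standard first four bytes of keccak256("approve(address,uint256)").

```javascript
// Added example (not CoinGecko's code): inspect and build ERC-20 approve()
// calldata so a wallet user can tell a bounded approval from an unlimited one
// and construct the "revoke" call (approve with amount 0).
// The selector for approve(address,uint256) is the first 4 bytes of
// keccak256("approve(address,uint256)"), a well-known constant.
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// Left-pad a hex string (no 0x) to 64 hex chars (32 bytes), as ABI encoding requires.
function pad32(hex) {
  if (hex.length > 64) throw new Error("value does not fit in 32 bytes");
  return hex.padStart(64, "0");
}

// Encode approve(spender, amount). spender is a 0x-prefixed 20-byte address,
// amount is a BigInt in the token's smallest unit.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of range");
  return "0x" + APPROVE_SELECTOR + pad32(addr) + pad32(amount.toString(16));
}

// Decode approve() calldata into {spender, amount}; returns null if the
// calldata is not an approve call (e.g. a transfer).
function decodeApprove(calldata) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  if (data.length !== 8 + 64 + 64 || data.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + data.slice(8 + 24, 8 + 64); // last 20 bytes of the word
  const amount = BigInt("0x" + data.slice(72));
  return { spender, amount };
}

// Convert a human amount ("1500.5" with 6 decimals) to the token's base unit.
function parseUnits(value, decimals) {
  const [whole, frac = ""] = value.split(".");
  if (frac.length > decimals) throw new Error("too many decimal places");
  return BigInt(whole + frac.padEnd(decimals, "0"));
}

// Classify an approval before signing it: "revoke", "bounded" or "unlimited".
// Anything at or above 2^255 is treated as effectively unlimited; no real
// token supply comes anywhere near that.
function classifyApproval(amount) {
  if (amount === 0n) return "revoke";
  if (amount >= (1n << 255n)) return "unlimited";
  return "bounded";
}

// Review a list of pending wallet requests and return the labels of those
// that would grant an unlimited allowance and should be edited or refused.
function flagUnlimited(requests) {
  return requests
    .map((r) => ({ ...r, decoded: decodeApprove(r.data) }))
    .filter((r) => r.decoded && classifyApproval(r.decoded.amount) === "unlimited")
    .map((r) => r.label);
}

// Constructed sample: a hypothetical spender address and three requests.
const SPENDER = "0x1111111111111111111111111111111111111111";
const sampleRequests = [
  { label: "swap-ui-default", data: encodeApprove(SPENDER, MAX_UINT256) },
  { label: "swap-ui-edited", data: encodeApprove(SPENDER, parseUnits("1500.5", 6)) },
  { label: "revoke", data: encodeApprove(SPENDER, 0n) },
];

console.log(flagUnlimited(sampleRequests)); // ["swap-ui-default"]
```

Run it with Node.js (BigInt needs Node 10.4 or later). The 2^255 threshold only catches the "max uint" default that many swap interfaces pre-fill; a bounded approval that is still far larger than what you intend to spend gives the contract the same practical access, so the amount you type in the 'Edit' dialog should match the transaction at hand.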

9. Don't doxx yourself

When you want to send crypto to someone else, send it through a crypto exchange. If you send funds straight from your wallet, you doxx your crypto balance as well as your entire transaction history (past and future).

10. Secure your mobile phone

This applies particularly to those in the United States, where there have been many incidents of SIM-jacking. Telco providers don't usually have top-notch security, and with personal information that can be obtained through the Internet, perpetrators can convince a telco to transfer your phone number to a new SIM card. Once it is transferred, hackers can intercept your password resets and login codes, especially if you use SMS-based 2FA. Follow this excellent guide from Kraken on how to secure your mobile number as well as the email address associated with your telco account.

11. Don't click on ads

Make it a habit never to click on ads, especially Google Search ads. Now that Google has reversed its ban on crypto ads, more scam ads are likely to appear. If you want to visit a website, skip the ads at the top of the results and use the organic results listed below them.

12. Be careful of giveaway tweets and DMs

There are tons of scam giveaway messages in tweets, DMs, YouTube ads, Facebook comments, and elsewhere. Ignore them all. Don't waste your time and energy moderating or policing scam messages. If it sounds too good to be true, it probably is!

13. Never download or open files from strangers

You never know which file will end up installing a keylogger. If you're using a Windows laptop, configure it to always show file extensions, so that an executable with a misleading double extension is not displayed as a harmless document. Don't open ZIP files from strangers, because they may contain dangerous files mixed in with harmless ones. Instead, learn to distinguish between data files (documents that you can open, edit, save and delete) and executable files, which you want to avoid.

File extensions you should avoid if they aren't from trusted sources are:

bat, bin, cmd, com, cpl, exe, gadget, inf, ins, inx, isu, job, jse, lnk, msc, msi, msp, mst, paf, pif, reg, rgs, scr, sct, shb, shs, u3p, vb, vbe, vbs, vbscript, ws, wsf, wsh
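The check below is an added example, not code from the article, that applies the extension list above to filenames from an untrusted source. It also shows what a Windows machine that hides known extensions would display for the same name, which is why the "show file extensions" setting matters. The ZIP listing it triages is a constructed sample.

```javascript
// Added example (not CoinGecko's code): decide whether a filename from an
// untrusted source should be treated as executable, using the extension
// list from the article, and show what File Explorer displays when
// "Hide extensions for known file types" is on.
const RISKY_EXTENSIONS = new Set([
  "bat", "bin", "cmd", "com", "cpl", "exe", "gadget", "inf", "ins", "inx",
  "isu", "job", "jse", "lnk", "msc", "msi", "msp", "mst", "paf", "pif",
  "reg", "rgs", "scr", "sct", "shb", "shs", "u3p", "vb", "vbe", "vbs",
  "vbscript", "ws", "wsf", "wsh",
]);

// The extension that decides how the OS opens the file is the LAST one,
// lower-cased. Trailing dots and spaces are stripped first, because Windows
// ignores them when resolving a name.
function realExtension(filename) {
  const name = filename.replace(/[. ]+$/, "");
  const dot = name.lastIndexOf(".");
  if (dot <= 0) return "";
  return name.slice(dot + 1).toLowerCase();
}

// What File Explorer shows with extension hiding on: the last extension
// disappears, so "Invoice.PDF.exe" is displayed as "Invoice.PDF".
function displayedName(filename) {
  const ext = realExtension(filename);
  if (!ext) return filename;
  const name = filename.replace(/[. ]+$/, "");
  return name.slice(0, name.length - ext.length - 1);
}

// "data" for documents, "executable" for a plainly named program, and
// "executable-disguised" when a risky extension hides behind a harmless one.
function classifyFilename(filename) {
  const ext = realExtension(filename);
  if (!RISKY_EXTENSIONS.has(ext)) return "data";
  const inner = realExtension(displayedName(filename));
  return inner && !RISKY_EXTENSIONS.has(inner) ? "executable-disguised" : "executable";
}

// Triage an archive listing: return the entries that should not be opened,
// each with its classification.
function triageArchive(entries) {
  return entries
    .map((e) => ({ name: e, verdict: classifyFilename(e) }))
    .filter((e) => e.verdict !== "data");
}

// Constructed sample listing of a ZIP received from an unknown sender.
const sampleZip = [
  "Q3 Report.pdf",
  "Invoice.PDF.exe",
  "photo.jpg",
  "setup.msi",
  "readme",
  "notes.txt.",
];

console.log(triageArchive(sampleZip));
// [ { name: 'Invoice.PDF.exe', verdict: 'executable-disguised' },
//   { name: 'setup.msi', verdict: 'executable' } ]
```

The list is a blocklist of extensions the article names, not a complete one; an entry classified as "data" still deserves the other precautions in this article, because document formats can carry macros or links of their own.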

14. Be careful with cold emails

Scammers can be slick. They can imitate an existing crypto site's domain name and send you a scam email. If you're not paying close attention, you won't notice the very tiny difference in the domain name or email address. Can you spot the difference between the email address below and CoinGecko's? Notice how there is no dot on the “i” in the address. This actually happened, and it shows that scammers can easily register look-alike domains using special characters that are very difficult to spot. This is a scam email, so don't fall for it.

CoinGecko scam

15. Use VPN on public WiFi

When you're working in a public place, avoid using public WiFi directly. Instead, use a Virtual Private Network (VPN) such as ExpressVPN or NordVPN, which routes your traffic through an encrypted tunnel that protects your data and identity from others on the same network. With a VPN, you connect to a server in another location that accesses the Internet on your behalf, so your data is protected and your real location is hidden as well.

16. Use a metal storage seed backup tool

You may choose the traditional way of storing your seed phrase offline by writing it down in a notebook. But paper has its limitations: it can be destroyed or made illegible by water, coffee, fire or acid. To mitigate this, consider a metal storage tool like Cryptosteel or Cobo, which is designed to protect your seed phrase under almost any conditions.

Safely Invest in Crypto

Now that you've got your crypto secured, you can start investing and HODL worry-free. Check out the current cryptocurrency trends and build your crypto portfolio on CoinGecko while earning rewards. Redeem your Candies in our rewards section for discounts on NordVPN, PureVPN, hardwallets, and more! 



CoinGecko's editorial team comprises writers, editors, research analysts and cryptocurrency industry experts. We produce and update our articles regularly to provide the most complete, accurate and helpful information on all things cryptocurrencies. Follow the author on Twitter @coingecko
