Most of those who lose crypto lose it for reasons other than a token’s collapse. They lose it due to typing the recovery phrase into the wrong website, signing a transaction that they didn’t read or linking the wallet to a page that appeared identical to the one they intended to navigate to. According to the FBI’s latest Internet Crime Report, the number of cryptocurrency-related complaints amounted to over 181,000 with more than $11 billion in losses, with a significant portion of these complaints regarding wallet security rather than an investment. The losses from wallet drainers alone in 2024 were estimated to be around $500 million, according to separate industry tracking, while phishing and address-poisoning attacks resulted in nearly $84 million worth of losses on up to 17 million impacted wallet addresses.
None of it is due to the fact that the technology is flawed. Blockchains do what they say they do pretty darn well: They finalize transactions in an irreversible manner, without any bank, chargeback staff, or customer service representative to revoke a transaction. The system is all about that permanence, to the point where it’s even more important than anywhere else in personal finance, aside from crypto. Once they’re correct, they’ll keep you safe for years. Avoid them and it may be a final click.
Why This Is More Important Than the Coin You Purchase?
First and foremost, think about a fact once confirmed on-chain, a crypto deal is irrevocable by any activity. There is no alternative to disputing a charge with your bank. If you send money to an incorrect wallet address or if you approve or execute a malicious smart contract, the money is lost once the transaction is confirmed, typically within seconds.
That changes the entire risk calculation. They spend hours on end studying and researching which token to purchase and almost no time trying to figure out how to secure the wallet they are going to spend money on the tokens with, but wallet level mistakes result in far more permanent losses than choosing the bad investment does. A token can drop to zero and you’ve lost the token. If you take the money out of your wallet, it can take everything in it, including the things that you didn’t click on.
Hot Wallets vs. Cold Storage: Use Both, on Purpose
A hot wallet, Phantom, MetaMask, Trust Wallet and more browser or mobile app, is always connected to the internet and this is a necessity if you intend to actively trade or go to decentralized exchanges to mint anything. A cold wallet is typically a physical device such as a hardware wallet like a Ledger or Trezor, where the private keys remain offline and only come into contact with the device when they are needed to sign a particular transaction, under your direct control.
The easiest guideline that most seasoned holders have is to store any money that you think you can save in cold storage and any money you’ll use on a daily basis in a hot wallet. Use your hot wallet as you would use a physical wallet, and with the amount of money you need for the day, not with your net-worth. In the case of a hot wallet, if it is hacked via a phishing site or a malicious approval, then the loss will only be the amount of funds in the wallet at the time of the hack.
Your Seed Phrase Is the Whole Game
Each wallet is finally protected by a recovery phrase, typically 12 or 24 words, that is created the initial time you set up the wallet. If somebody has those words, they are in control of everything in that wallet, with or without passwords, device locks, etc. on top of them. It is the one thing that matters most and is the place where many people fail to get it right.
Some rules that are without exception: do not send your seed phrase to any website, pop-up in the browser, chat window, or support form. It is a red flag you are being scammed if any wallet provider, exchange or support agent is asking you to provide it. Never store it as a picture, screenshot or note in a cloud storage app, email or messaging app, as these can be compromised without the wallet. Write it on paper, on a metal back-up plate, and have it somewhere where it will not be lost along with all of your other important documents in case of fire, flood, or simple loss. Whether the site looks convincing or not, if a project, “support agent” or urgent pop-up asks you to “verify,” “re-sync” or “restore” your wallet, no matter what you are asked to do, that’s the scam.
Industry research on phishing indicates that about one-third of crypto wallet users have never backed up their recovery phrase properly, which can be equally as expensive as a phishing attack, just in reverse; if a phone is lost or a device corrupted. Failure mode #1 is just as easily avoided as failure mode #2, with the simple practice of writing it down one time, correctly, and storing it somewhere sturdy.
How Wallet Drainers Actually Work
Wallet drainer is a type of phishing tool designed to convince you to sign a transaction that gives the impersonator the keys to your assets, rather than the password, but the keys that you explicitly sign on the chain. That distinction is important because when it comes to antivirus software and strong passwords, they don’t prevent it. The attack takes place during the normal and expected process of connecting a wallet and approving a transaction.
The most popular scam is fake airdrops, which come in the form of a post to social media which may appear to be from an actual project that offers free tokens and a link to a claim page. The page looks real and sometimes, even pixel perfect to a real project’s website. You connect your wallet and click “claim,” but what you are approving is not a token claim, it’s a general permission to transfer the assets out of your wallet at any time, perhaps even one you’re not even aware of, until the time is right for a larger claim and the more valuable assets arrive.
It’s now a business that is industrialized. There have been reports of drainer-as-a-service operations, where the script authors sell the code to less technical operators for a share of any proceeds. One known drainer service, Inferno Drainer, was estimated to have taken more than $80 million in a short span of time before shutting down; newer drainer services have followed in the same vein. Revenue losses related to this attack category have been in the hundreds of millions of dollars in recent years and studies have shown that drainer activity has more than doubled in each year in recent years as the tooling becomes more accessible.
The defense is not out of the ordinary. It’s reading what you’re actually approving.
Read all Approval, Don’t Just Click Through
If connecting a wallet to a site requires you to approve a transaction, your wallet app will show you what the transaction will do, even if the interface allows you to overlook that detail. When approving, look at what asset and how much the transactions are asking to gain access to. Moving a particular, reasonable quantity of a particular token requires a legitimate mint/swap. Even if the website that you’re seeking approval for seems reliable, a request for unlimited approval of something unrelated to the project you are doing should be a warning sign.
Additionally, you should periodically audit and revoke old permissions you no longer require by either relying on a tool such as Revoke.cash or the permissions screen within the majority of the latest wallet apps. Each time you log into a new website to use a token, mint an NFT or use a DEX you can leave a standing permission behind you. Your old approvals are not automatically removed, and months-old compromised sites you used to enter into your wallet can still access it today if the approval hasn’t been removed.
Spotting Phishing Before You Click
The vast majority of wallet hacks stem from a phishing attack that succeeded due to urgency. Get a message saying your account is suspended, a security problem must be “verification” or a limited-time claim is about to expire. There is no pressure involved; if there is, then the platform is not legitimate and it is worth taking a pause to learn more about the no-pressure part of it.
Pay attention to the domain, and more so, the page’s appearance. Phishing sites often have a domain name that’s a single character different from the true domain name or an unfamiliar domain with the real project’s logo and layout. Create web bookmarks of official sites that you visit often, and then go directly to them, not through a Google search or a social media post or message; paid search results and social posts are both common sites for cloned pages to appear. These are some of the most popular names to be spoofed in recent phishing attacks, and they are so popular and trusted that they are the prime targets of such attacks in an unsolicited message.
Verify Before You Connect
Take time to check what you’re dealing with before adding any wallet to a new site and accepting interactions with a new token. Do not rely on a single contract address or link, but use several separate ones, and use a neutral block explorer to verify the address of the block chain of interest. Before putting real money behind a contract that you have never seen before, run it through a scanner like Crypstudio that will examine the types of restrictions and hidden functions not visible on a price chart or the project’s website.
When it comes to anything based around a trending news story or political moment, that’s one of the most consistent scams we see for token launches and the same verification techniques go for new coins as well as for a claimed high-profile endorsement when it comes to giveaways. We walked through exactly this pattern in our breakdown of the USRX token, where a real government program’s name was borrowed to sell an unrelated crypto asset.
Everyday Account and Device Hygiene
Security for wallets doesn’t end at the wallet. Use two-factor authentication on all exchanges and email addresses associated with your cryptocurrency trading, and where available, opt for an authenticator app rather than SMS codes, which could be compromised by SMS hackers. Install the wallet software, browser and device operating system updates many attacks are successful because the vulnerability was known and patched, but the update had not been installed. Regularly check what extensions are active on the browser and delete extensions you do not recognize or use: This is a very common and subtle method of stealing wallet information without having to visit a malicious site directly. And don’t conduct important crypto operations on public WiFi, where it’s easier to spy on communications than it is via a private, trusted network.
If You Think You’ve Been Compromised
Time is of the essence. Immediately transfer any remaining assets to a totally new wallet that is on a separate device if you think that a wallet has been compromised; do not use the compromised wallet address for any future transactions. On Revoke.cash, revoke all the permissions of the old wallet, even if you have already removed all your funds, as a drainer may still have the permissions of the previous wallet. Report the attacker’s wallet address to blockchain analytics companies and report to the appropriate law enforcement agencies in your country (The FBI’s IC3 & The FTC in the U.S.). Wait for the recovery scammers to hit you again, after everyone has announced publicly that they’ve lost out on their crypto, they’ll then promise to get them back for a fee, and you should always assume any offer you receive to recover your crypto is a scam unless it’s from a trusted source, because crypto is not reversible and no legitimate company or individual can just enter a scam wallet and retrieve your money. If you want the fuller picture of how these scams get structured from the very start, we cover the mechanics in our guide to spotting a rug pull before it happens.
The Bottom Line
The security of crypto wallets isn’t difficult, however it’s not caring a bit about. There’s no institution behind a transaction once it has been confirmed, and the few habits listed above (cold storage for savings, a protected seed phrase, careful approvals, verified contract addresses, and simple account practice) have extra weight in this place than in nearly anyplace else in private funds. This doesn’t require technical know-how. It involves slowing down at those moments when the world around you is meant to go at a quick pace.