How to Stay Safe in Crypto
Cryptocurrency is quickly gaining popularity and widespread adoption, attracting large numbers of new investors and large amounts of capital. But the unregulated and decentralized nature of cryptocurrencies also gives rise to an abundance of fraudulent behavior, with billions of dollars' worth of crypto assets stolen each year through fraud, scams, and hacks.
While we cannot help prevent losses incurred from the volatile markets, we hope to offer tips and good practices that will help secure your funds while informing you of common scams to watch out for.
1. Invest Responsibly - Regardless of the prospective outlook of cryptocurrencies, NEVER invest more than you can afford to lose and ALWAYS DYOR and understand what it is that you’re investing in.
2. Use Different Passwords - If you use the same password for everything, chances are it has been compromised. Consider using a different, more complicated one for your crypto platforms. Better yet, you can use a secure password manager to have a unique password for every platform you use.
3. Two-factor Authentication (2FA) - Use 2FA anywhere you can! Opt for apps such as Google Authenticator or Authy instead of SMS-based 2FA, which can be defeated by SIM swap attacks. Note: Authy users should disable multi-device. For an additional layer of security, consider using a hardware authenticator such as Yubico's YubiKey or Google's Titan Security Key.
4. Secure Your Devices - Keeping your computer secure can be a complicated task because there are so many ways its security can be breached. Below is a list of common preventative measures that will improve your security:
- Have premium antivirus and antispyware software regularly check for malware
- Avoid using public wifi
- Avoid clicking on ads
- Uninstall software and Chrome extensions from untrusted developers
- Uninstall remote access software such as TeamViewer or AnyDesk
- Uninstall any clipboard managers to prevent clipboard hijacking
- Uninstall any screenshot applications that may upload your screenshots
- ALWAYS check the URL of the website
5. Secure Your Wallets - Avoid custodial wallets (this means a third party holds your private key) and store your private key or seed phrase offline. Hardware wallets such as Trezor, Ledger, and SafePal also offer an added layer of security by requiring a physical input to approve your transactions and internally storing your private key in the hardware wallet itself, an external, offline device.
Moreover, avoid granting unlimited spending on token approvals and revoke allowances of dApps you no longer use. While token allowances are necessary for a protocol to interact with the funds in your wallet, these allowances are often permanent. This can allow a malicious smart contract to remove all of your tokens without asking you to confirm the transaction. If you choose to use a platform but are uncertain about it, you can set a custom allowance to limit your potential losses. It is also good practice to revoke token allowances using tools such as unrekt.net, debank.com, or your block explorer.
This is a great tool to revoke permissions:
And of course, NEVER SHARE YOUR SEED PHRASE!
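To make the allowance advice concrete, the following added example (not part of the original article) replays ERC-20 `Approval` event logs for one wallet and lists the approvals still in force, flagging the unlimited ones. All addresses and log entries are constructed sample data, and the `UNLIMITED_FLOOR` threshold is an assumption of this example.

```python
# Added example: every address and log entry below is constructed sample data.
# topic0 of the ERC-20 event Approval(address,address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: treat anything this large as "unlimited"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_allowances(logs, owner):
    """Replay Approval logs in chain order and return approvals still in force."""
    owner, current = owner.lower(), {}
    in_order = sorted(logs, key=lambda e: (int(e["blockNumber"], 16), int(e["logIndex"], 16)))
    for entry in in_order:
        topics = entry["topics"]
        # ERC-721 reuses this signature but indexes the token id (4 topics): skip.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (entry["address"].lower(), topic_to_address(topics[2]))
        amount = int(entry["data"], 16)
        if amount == 0:
            current.pop(key, None)  # approving 0 is how an allowance is revoked
        else:
            current[key] = amount
    return [{"token": t, "spender": s, "amount": a, "unlimited": a >= UNLIMITED_FLOOR}
            for (t, s), a in sorted(current.items())]

def make_log(token, owner, spender, amount, block, index):
    """Build one constructed log in the shape eth_getLogs returns."""
    padded = ["0x" + "0" * 24 + addr[2:] for addr in (owner, spender)]
    return {"address": token, "topics": [APPROVAL_TOPIC] + padded,
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

OWNER, OTHER = "0x" + "aa" * 20, "0x" + "ee" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
DAPP_X, DAPP_Y = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    make_log(TOKEN_A, OWNER, DAPP_Y, 0, 110, 1),            # revokes the grant at block 102
    make_log(TOKEN_A, OWNER, DAPP_X, MAX_UINT256, 100, 0),  # unlimited, never revoked
    make_log(TOKEN_B, OWNER, DAPP_Y, 500, 101, 2),          # custom, capped allowance
    make_log(TOKEN_A, OWNER, DAPP_Y, MAX_UINT256, 102, 0),  # unlimited, revoked later
    make_log(TOKEN_A, OTHER, DAPP_X, MAX_UINT256, 103, 0),  # another wallet: ignored
]

if __name__ == "__main__":
    for row in open_allowances(SAMPLE_LOGS, OWNER):
        print(row)
```

The reported amount is the last value approved, not what remains after the spender has used part of it; the token's `allowance(owner, spender)` call gives the live figure.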
6. Don’t Keep Your Eggs In One Basket - Abstain from keeping all your funds in one place. You should spread your assets between on-exchange custodial wallets, hot wallets, and cold wallets to prevent the loss of all funds from a single security leak.
While applying the aforementioned security measures may secure your funds from unauthorized access, it cannot help you if you fall victim to a scam. Below is a list of the most common scams that you should avoid at all costs.
Crypto giveaway scams have been an ongoing problem since 2017. They usually impersonate celebrities or large exchanges and promise free cryptocurrency with the caveat of requiring the victim to “verify their address” by sending them a small payment. These scams come in the form of a fake or hacked celebrity Twitter account or YouTube live streams, often with legitimate-looking websites and a group of “satisfied customers” claiming it's real. Giveaway scams are also directed at individuals through emails or DMs from Discord, Telegram, and Twitter.
Trading Bot Scam
Another classic scam to watch out for is the trading bot scam. Mixed into the large selection of legitimate trading tools are malicious bots and Ponzi schemes. If a website claims to be a trading bot that promises high rates of return, you should avoid it. They likely operate like a Ponzi scheme. If you are genuinely looking for a trading bot, make sure to verify its authenticity, as fraudulent software with API access to your exchange can cause a lot of damage. Look out for information on the team, how the software works, and testimonies from real users before deciding on using the platform.
Phishing Attacks
The most well-known type of attack is ‘email phishing’. Attackers will email the victim while impersonating a legitimate entity such as popular exchanges or professional funds. It could be an email from your exchange claiming a withdrawal request, updated security measures, or even giveaways. It will then lead to a fake website in order to take your login credentials. Attackers could also impersonate government bodies or even your boss if your private information has been leaked. To avoid falling for these scams, always double-check the sender’s email address and the URL of any link that might be included.
For those of you who are in community group chats such as Telegram or Discord, be wary of direct messages from attackers impersonating admins or tech support leading you to a fake website to take your private key. Always remember to double-check the URL of the link you're visiting.
Example of a Rug Pull
Crypto exit scams are fraudulent projects with no utility whose sole purpose is to extract as much capital from the investors as possible. Different malicious projects operate differently and may choose to leave with the funds at different points of their lifecycle, ranging from fake ICOs to rug pulls at the peak of their growth. Below, we will describe commonly occurring malicious practices and point out key takeaways in avoiding them.
Fake ICOs (initial coin offerings) are a type of scam that builds hype and exposure around a legitimate-looking project, motivating investors to get in early on the presale before vanishing with the funds or never delivering on the product.
Another type of blatant exit scam in DeFi is the rug pull, which can be classified as a hard rug or a soft rug. Hard rugs include removing liquidity from the liquidity pools and taking locked assets on the platform. Soft rugs, however, are when the team behind a project abandons the project and sells all their remaining tokens, effectively dumping the price of a token to or near zero. While hard rugs may seem more malicious, they are usually easier to identify because they rely on malicious code (which is open-sourced) and can be avoided by simply not using a platform until it has been audited by large auditors such as CertiK or PeckShield. Soft rugs, on the other hand, require the judgment of the investors themselves to determine the feasibility and longevity of a project based on its utility, tokenomics, and development.
Always do your due diligence:
- Know the Developers — Be wary of projects that have never been KYC’d by a respected party, and double-check the identities of the team if they are doxxed, as scammers often falsify personal information.
- Read the Whitepaper/Documentation — Reading through the whitepaper or the documentation can give you insight on whether a project is legitimate through their vision, fundamentals, and plans.
- Token Allocation — Always note a project’s token allocation before investing. Projects with high allocations to the team and private investors might be more inclined to be dumped on. Others with high allocations to reward emissions may be hyperinflationary and unsustainable.
The Feeder team is available to answer any questions when you're faced with a situation or are unsure whether what you're about to do is legit or safe. The team will NEVER DM first; so please ping us if you need any help!
An article by Lee, a Feeder community member