Your crypto wallet is the single most important thing to protect in Web3. Unlike a bank account, there is no customer support line to call if you lose access or get hacked. In 2024, over $3.8 billion was stolen from crypto wallets through phishing, malware, and social engineering. This guide covers every layer of wallet security so you never become a statistic.
Hot Wallets vs. Cold Wallets
A hot wallet is connected to the internet (MetaMask, Coinbase Wallet, Trust Wallet). Convenient for daily use, but exposed to online attacks. A cold wallet (hardware wallet) stores your private keys offline on a physical device. It signs transactions locally and never exposes your keys to the internet. For any amount you cannot afford to lose, use a hardware wallet.
The Best Hardware Wallets in 2025
- Ledger Nano X — Most widely supported. Bluetooth-enabled for mobile use. Supports 5,500+ coins.
- Trezor Model T — Fully open-source firmware. Touch screen. No Bluetooth (more secure for some threat models).
- Coldcard Mk4 — Bitcoin-only. Air-gapped signing. Preferred by advanced Bitcoin security practitioners.
- Foundation Passport — Open-source hardware and software. Air-gapped. QR code signing.
Seed Phrase Security: The Most Critical Step
1. Write your seed phrase on paper immediately after wallet creation. Use a pen, not a pencil.
2. Make two copies and store them in separate physical locations (home safe + bank safety deposit box).
3. Consider a metal seed phrase backup (Cryptosteel, Billfodl) to protect against fire and water.
4. Never store seed phrases in password managers, cloud storage, email drafts, or notes apps.
5. Never enter your seed phrase on any website — legitimate wallets will never ask for it online.
Phishing: The #1 Wallet Attack Vector
Phishing attacks impersonate legitimate services (MetaMask, Ledger, OpenSea, Uniswap) to trick you into entering your seed phrase or approving malicious transactions. Common vectors include fake Google Ads, Discord DMs from 'support staff', fake wallet update emails, and malicious browser extensions.
- Always navigate to wallet apps directly — never click links in emails or DMs.
- Bookmark your most-used DeFi apps and only use those bookmarks.
- Check the URL carefully before connecting your wallet — scammers use domains like 'uniswap-app.io' or 'metamask-wallet.net'.
- Use a hardware wallet for all significant transactions — even if you are tricked into approving a malicious transaction in the browser, it still requires physical confirmation on the device, which gives you a last chance to inspect and reject it.
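The URL check described above can be made mechanical. The following is an added example (not code from the original guide): it classifies a URL as trusted, lookalike, or unknown against an allowlist of the domains you have actually bookmarked. The allowlist and brand list are constructed for illustration, and the lookalike rule is a heuristic (brand name inside a non-allowlisted host, or a punycode `xn--` label that can render as a homoglyph). It also shows why the check must use the host a browser would really connect to: `https://app.uniswap.org@evil.com` goes to `evil.com`.

```python
"""Classify a dapp URL before connecting a wallet to it.

Added example; the allowlist below is constructed for illustration and should
be replaced with the domains you have verified and bookmarked yourself.
"""

from urllib.parse import urlsplit

# Constructed allowlist: exact registrable hosts of the apps you bookmarked.
TRUSTED_DOMAINS = {"app.uniswap.org", "metamask.io", "opensea.io"}

# Brand names used to spot lookalikes such as 'uniswap-app.io' (heuristic).
BRANDS = ("uniswap", "metamask", "opensea", "ledger")


def hostname_of(url: str) -> str:
    """Return the lowercase host a browser would actually connect to.

    urlsplit().hostname drops any userinfo before '@', so
    'https://app.uniswap.org@evil.com' yields 'evil.com', not the
    trusted-looking prefix. Non-https or unparsable input yields ''.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return ""
    return parts.hostname.lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """True only if host equals an allowlisted domain or is a subdomain of one.

    Suffix matching is anchored on a leading '.', so 'app.uniswap.org.evil.com'
    does not match 'app.uniswap.org'.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL."""
    host = hostname_of(url)
    if not host:
        return "unknown"  # plain http or garbage: never connect a wallet here
    if is_trusted(host):
        return "trusted"
    # Punycode labels can render as visually identical to a trusted brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # A brand name inside a host you did not bookmark is the classic phish.
    if any(brand in host for brand in BRANDS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://app.uniswap.org/swap",
              "https://uniswap-app.io",
              "https://app.uniswap.org@evil.com/",
              "https://app.uniswap.org.evil.com/"):
        print(f"{check_url(u):9s} {u}")
```

Only a `trusted` verdict should ever lead to a wallet connection; `unknown` is not a pass, it just means the host carries no recognisable brand name.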
Token Approval Management
Every time you interact with a DeFi protocol, you grant it permission to spend your tokens. These approvals persist indefinitely unless revoked. A compromised protocol can drain all approved tokens from your wallet months after your last interaction. Use Revoke.cash or Etherscan's Token Approval Checker monthly to audit and revoke unnecessary approvals.
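The approvals the paragraph describes are ordinary transactions whose calldata your wallet asks you to sign. The following is an added example (not the guide's own code, and not how Revoke.cash or Etherscan implement their tools): it decodes the calldata of an ERC-20 `approve(address,uint256)` or ERC-721/1155 `setApprovalForAll(address,bool)` call, flags an effectively unlimited allowance, and builds the matching revoke call (`approve(spender, 0)` or `setApprovalForAll(operator, false)`). The 4-byte selectors are the standard ones for those signatures and are hard-coded because `hashlib` has no Keccak-256; the "unlimited" threshold of 2^128 is an assumption of this example, and the sample calldata is constructed.

```python
"""Decode ERC-20 / ERC-721 approval calldata and build the revoke call.

Added example. Selectors are the standard first 4 bytes of keccak256 of the
function signature; they are hard-coded because hashlib has no keccak.
"""

from dataclasses import dataclass
from typing import Optional

SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)

UINT256_MAX = 2**256 - 1
# Assumption of this example: anything at or above 2**128 is "unlimited".
UNLIMITED_THRESHOLD = 2**128


@dataclass
class ApprovalInfo:
    kind: str              # "erc20-approve" or "set-approval-for-all"
    spender: str           # 0x-prefixed 20-byte hex address (spender/operator)
    amount: Optional[int]  # ERC-20 allowance, None for setApprovalForAll
    unlimited: bool        # True if the approval lets the spender take everything


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    w = data[start:start + 32]
    if len(w) != 32:
        raise ValueError("calldata too short for argument %d" % i)
    return w


def parse_approval(calldata: str) -> Optional[ApprovalInfo]:
    """Decode approval calldata; return None if it is not an approval call."""
    hexdata = calldata[2:] if calldata.startswith("0x") else calldata
    data = bytes.fromhex(hexdata)
    sel = data[:4]
    if sel == SEL_APPROVE:
        # address is right-aligned in its 32-byte word: skip 12 zero bytes
        spender = "0x" + _word(data, 0)[12:].hex()
        amount = int.from_bytes(_word(data, 1), "big")
        return ApprovalInfo("erc20-approve", spender, amount,
                            amount >= UNLIMITED_THRESHOLD)
    if sel == SEL_SET_APPROVAL_FOR_ALL:
        operator = "0x" + _word(data, 0)[12:].hex()
        approved = int.from_bytes(_word(data, 1), "big") != 0
        # Approving an operator for all tokens is unlimited by definition.
        return ApprovalInfo("set-approval-for-all", operator, None, approved)
    return None


def encode_revoke(info: ApprovalInfo) -> str:
    """Build calldata that sets the allowance to 0 / the operator to false."""
    spender_word = bytes.fromhex(info.spender[2:]).rjust(32, b"\x00")
    zero_word = (0).to_bytes(32, "big")  # uint256 0 and bool false encode alike
    sel = SEL_APPROVE if info.kind == "erc20-approve" else SEL_SET_APPROVAL_FOR_ALL
    return "0x" + (sel + spender_word + zero_word).hex()


def verdict(calldata: str) -> str:
    """One-line review of what signing this calldata would grant."""
    info = parse_approval(calldata)
    if info is None:
        return "not an approval call"
    if info.unlimited:
        return "UNLIMITED approval to %s (%s)" % (info.spender, info.kind)
    return "limited approval of %d to %s" % (info.amount, info.spender)


if __name__ == "__main__":
    # Constructed sample: approve(0x1111...1111, 2**256-1), the common
    # "unlimited" approval many dapps request.
    sample = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
    print(verdict(sample))
    print("revoke with:", encode_revoke(parse_approval(sample)))
```

Running the block prints the verdict for the constructed unlimited approval and the `approve(spender, 0)` calldata that revokes it; the same decoder is what you would run over a pending transaction before confirming it on the hardware wallet.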
What to Do If You're Hacked
1. Immediately transfer all remaining assets to a fresh wallet that has never been used.
2. Revoke all token approvals on the compromised wallet.
3. Identify the attack vector — check your browser extensions, recent downloads, and sites you connected to.
4. Report to relevant platforms (OpenSea, Discord server admins) to warn others.
5. Do not reuse the compromised wallet address for anything — treat it as permanently compromised.