There are a couple more factors that have to be taken into consideration:
1. The majority of users overlook essential security practices
2. Scammers evolve more rapidly than security tools
Regrettably, tools like Metamask have been very slow to step up the security of their wallet, despite leading the market for years 🦊
While scammers advance, our security often lags.
But the tools that can help us are out there, it’s just a matter of not being lazy and stepping up our security 💪
We always see scams as something we would never fall for.
Until we do.
😩
So... what can we do to protect ourselves? 🛡️
Here are some steps we can take to step up our security:
1. Invest in a hardware cold wallet
2. Replace Metamask with Rabby
3. Install Wallet Security Extensions
4. Periodically revoke Contract Approvals
Before diving in, remember that your security level depends on your threat model and which adversary you are up against.
Get a Hardware Wallet 🔑
It’s astonishing how many degens store excessive amounts on software wallets like Metamask 🦊
This effectively means that you are always 1-2 clicks away from losing it all.
A hardware wallet costs anywhere between €90 and €400, even for the most complex models.
If you have even a couple of thousand invested in crypto, getting one is a prudent move.
Ledger isn’t your only option out there — lots of startups are crafting more privacy-focused hardware wallets, such as the @gridplus Lattice or the @BitLox Ultimate.
Hardware wallets add an extra level of protection as you need your physical wallet to confirm every transaction carried out.
But in itself, hardware wallets won’t save you from getting scammed 🙅
They can, however, save you from impulse-clicking links; but once you connect your wallet and approve a transaction, your funds are exposed.
Always check what you are signing.
This brings us back to the screenshot of the hack at the beginning of this article, where the victim claims that ⬇️
Well, this is simply not true. One way or another, he did connect the wallet and confirm and sign the transaction.
However, hardware wallets are not the holy grail of security.
It is important to add that not a single hardware cold wallet at the moment is fully open-source - not even Trezor, Ledger, or the ones cited above.
Also, if you go to their websites you can see that they are among the companies that do not consider a bug-bounty report "in scope" if the attacker has physical access to the device (@officer_cia)
This is a worrisome aspect since Trezor “serves as the basis for many hardware wallet clones out there, but it also has no physical security, which is why there are numerous key recovery services you can reach out to for extraction if you own one”.
In fact, companies like Trezor and Ledger have faced recent criticism:
Ledger acknowledged its ability to extract a user's private key via a firmware upgrade.
This emerged after a user commented about the launch of their new product: Ledger Recovery.
If you decide to purchase a hardware wallet, always buy them directly from manufacturers.
Avoid Amazon or eBay since these devices might be tampered with 🙅
Nonetheless, getting a hardware wallet is an improvement.
What’s even more important is to organize wallets by function, and maintain separate COLD 🧊 and HOT 🔥 wallets.
This distinction is pretty straightforward: never use your cold wallet for casual work 👍
➡️ Be a degen on your hot wallet
➡️ Safely send your funds over to your cold wallet.
One possible improvement to this OpSec would be warnings and descriptions of the transaction you are signing, which brings us to the next point.
From Foxes to Rabbits 🐇
If you are still using Metamask, you either like being hacked or you haven’t checked Twitter for the last few years.
This is one of those “Game of Thrones” situations where everyone just keeps telling you to check it out!!!!
I eventually downloaded Rabby after a bit of peer pressure AND now I get it 😳
Why is everyone obsessed with @Rabby_io ? 🤯
Rabby is a wallet extension, developed by the Debank team.
Our King @monosarin here sums up some of the main differences:
By using its own RPCs, Rabby does not share your information with third-party providers such as Infura, unlike Metamask.
This also means that Rabby automatically switches across all supported networks and has far fewer RPC issues, especially on new networks.
Rabby’s privacy policy is also better than Metamask’s:
But more importantly, Rabby brings about a couple of security-focused improvements:
1️⃣ You can revoke contracts directly in-wallet by simply clicking on approvals on the wallet homepage:
It then opens a page showing you all the contracts you have ever approved with your address, which you can also sort by token.
Similarly to Revoke Cash you can then select all of them and revoke permission.
2️⃣ Every time you connect to a new contract or have to sign a transaction, Rabby explains what you are about to sign and shows a graphical warning about the related risks.
At the last moment, you may realize that the contract you are about to sign might be compromised and could steal your funds.
Last minute save.
3️⃣ Every new wallet created on Rabby has a new seed phrase. On the other hand, every time you create a new account on Metamask it is derived from the same seed phrase as the others.
But surely Rabby itself is not enough to save you from everything.
Consider pairing it with a supportive browser extension.
Browser Extensions 🌐
Browser extensions won’t make you more secure. Their main purpose is to help you understand what you are signing and alert you of malicious transactions.
The differentiating element of Pocket Universe is that they simulate every transaction and signature and show you its outcome before sending it through your wallet.
What’s cool about Pocket Universe is that they also offer Insurance of up to $2000 on funds lost to scams that they don’t warn you about!
For more information on the insurance, you can refer to the Pocket Universe website. pocketuniverse.app/insurance
A user opinion:
2️⃣ @peckshield - @AegisWeb3
PeckShield is a blockchain security company providing auditing and threat protection services, which also incubated Aegis, a security browser extension.
Like Pocket Universe, AegisWeb3 also simulates transactions and displays the results to you.
3️⃣ @RevokeCash
Revoke is the browser extension of the popular website allowing you to revoke smart contract permissions.
The main purpose of this extension is to pop up and inform you of the approval details every time you are about to sign an approval transaction.
This also works for NFTs and serves as an additional warning.
Currently, the Revoke extension is available on Ethereum, Polygon, and Avalanche.
Which one should I use? Is there any difference? 🤔
I wouldn’t be picky here tbh - you can easily download all of them and use your favorite ones interchangeably.
Some might miss specific transactions that others catch.
Using more than one will provide maximum security coverage! 🛡️
On the negative side of Web3 browser extensions, we have to mention that, as third-party dApps, they all require you to trust the developing team 👎
Sure, some of them come from teams like PeckShield, which is a known auditing company, but nonetheless installing a browser extension comes with third-party risks ⚠️
Installing an extension introduces new software to your browser—software that could potentially have security weaknesses (or be downright malicious). Third-party extensions might secretly include malware, or have security flaws that hackers can exploit (@brave)
Furthermore, the use of browser extensions also means that our data and personal information will be collected and disclosed.
For instance, these are the terms and conditions of Pocket Universe with regard to information disclosure:
pocketuniverse.app/privacy-policy
Just like wallets, browser extensions also gather and share your data with third parties.
As such, using them is not recommended for everyone 🙅
However, if you have an active wallet that you use frequently to transact, then browser extensions may come in handy for extra warnings about malicious contracts.
Here’s a more extensive article with more examples of Web3 browser extensions:
Periodically revoking contract approvals is a very easy practice that is often overlooked and can go a long way to save your ass-ets.
You can do so within @Rabby_io or on @RevokeCash
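As an added example (not code from this thread, nor from Rabby, Revoke.cash or Pocket Universe): a small pre-signing inspector that does what the revoke step here and Rabby points 1️⃣ and 2️⃣ above describe. It decodes the raw calldata of the ERC-20/ERC-721 approval and transfer calls that most wallet drains rely on, flags an unlimited allowance or a setApprovalForAll operator grant the way a wallet warning would, and builds the approve(spender, 0) / setApprovalForAll(operator, false) calldata that revokes the permission. The four function selectors are the standard ones; the spender address and the sample calldata are constructed placeholders.

```javascript
// Added example, not code from the thread or from Rabby/Revoke/Pocket Universe:
// a minimal pre-signing inspector for the ERC-20 / ERC-721 calls most wallet
// drains rely on. It decodes raw calldata, grades the risk of what you are
// about to sign, and builds the calldata that revokes an approval.

// 4-byte selectors are the first 4 bytes of keccak256(signature). They are
// hard-coded because Node's crypto module has no Keccak-256 (its "sha3-256"
// is the NIST variant and gives different digests).
const SELECTORS = {
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "a22cb465": { name: "setApprovalForAll", params: ["address", "bool"] },
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom", params: ["address", "address", "uint256"] },
};

const UINT256_MAX = (1n << 256n) - 1n; // the "unlimited" allowance wallets display as infinity

// Static ABI types occupy one left-padded 32-byte word (64 hex chars) each.
function decodeWord(word, type) {
  if (type === "address") {
    if (word.slice(0, 24) !== "0".repeat(24)) throw new Error("address word has dirty upper bytes");
    return "0x" + word.slice(24);
  }
  if (type === "uint256") return BigInt("0x" + word);
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  throw new Error("unsupported type " + type);
}

function encodeWord(value, type) {
  if (type === "address") return value.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  if (type === "uint256") return value.toString(16).padStart(64, "0");
  if (type === "bool") return (value ? "1" : "0").padStart(64, "0");
  throw new Error("unsupported type " + type);
}

// Decode calldata into { name, selector, args }. Unknown selectors are reported,
// not guessed: a wallet should refuse to pretend it understands them.
function decodeCalldata(hex) {
  const data = hex.toLowerCase().replace(/^0x/, "");
  const selector = data.slice(0, 8);
  const abi = SELECTORS[selector];
  if (!abi) return { name: "unknown", selector, args: [] };
  if (data.length !== 8 + 64 * abi.params.length) throw new Error("calldata length does not match " + abi.name);
  const args = abi.params.map((type, i) => decodeWord(data.slice(8 + 64 * i, 8 + 64 * (i + 1)), type));
  return { name: abi.name, selector, args };
}

// The warning a wallet should put in front of you before you click "sign".
function assessRisk(d) {
  switch (d.name) {
    case "approve": {
      const [spender, amount] = d.args;
      if (amount === 0n) return { level: "none", reason: `revokes the allowance of ${spender}` };
      if (amount === UINT256_MAX) return { level: "high", reason: `UNLIMITED allowance: ${spender} can move your whole balance of this token at any time` };
      return { level: "medium", reason: `${spender} may spend up to ${amount} base units of this token` };
    }
    case "setApprovalForAll": {
      const [operator, approved] = d.args;
      return approved
        ? { level: "high", reason: `${operator} becomes operator for EVERY token you hold in this collection` }
        : { level: "none", reason: `removes ${operator} as operator` };
    }
    case "transfer":
    case "transferFrom":
      return { level: "info", reason: `moves tokens right now to ${d.args[d.args.length - 2]}` };
    default:
      return { level: "unknown", reason: `selector 0x${d.selector} is not recognised; do not sign what you cannot read` };
  }
}

// Revocation is just another approval with the permission set to zero/false.
function buildRevoke(d) {
  if (d.name === "approve") return "0x095ea7b3" + encodeWord(d.args[0], "address") + encodeWord(0n, "uint256");
  if (d.name === "setApprovalForAll") return "0xa22cb465" + encodeWord(d.args[0], "address") + encodeWord(false, "bool");
  return null; // nothing to revoke for transfers or unknown calls
}

function inspect(calldata) {
  const decoded = decodeCalldata(calldata);
  return { decoded, risk: assessRisk(decoded), revoke: buildRevoke(decoded) };
}

// Constructed sample inputs: a placeholder spender, an unlimited ERC-20 approve
// to it, and an ERC-721 operator grant to it.
const SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0".repeat(24) + SPENDER.slice(2) + "f".repeat(64);
const SAMPLE_OPERATOR_GRANT = "0xa22cb465" + encodeWord(SPENDER, "address") + encodeWord(true, "bool");

for (const calldata of [SAMPLE_UNLIMITED_APPROVE, SAMPLE_OPERATOR_GRANT, "0xdeadbeef"]) {
  console.log(JSON.stringify(inspect(calldata), (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
}
```

Running it shows the point the thread keeps making: an `approve` moves nothing today but hands the spender the right to move your balance later, an operator grant does the same for a whole NFT collection, and revoking is simply another approval with the amount set to zero that you still have to sign and pay gas for. A wallet or extension does this decoding against the transaction it is asked to sign; an unrecognised selector is a reason to stop, not to click through.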
Aside from the ones we have already mentioned, there are a couple of bonus measures you should be aware of.
Disposable Addresses 🗑️ ♻️
Ideally, you should never use any of your addresses more than once.
Every time you are transacting, you are supposed to create a new one, to preserve your privacy.
While admittedly cumbersome, disposable addresses are gaining traction.
@AirGap_it 🌬️
Did you know that you can easily turn your phone into a cold wallet?
AirGap is an interesting solution: you install an app on two phones, one of which is never connected to the internet, and use the offline one as a cold wallet.
@WalletScrutiny 🐕
As mentioned above, most wallets are not open-source - you can use tools such as Wallet Scrutiny to verify whether a wallet is secure and open-source. walletscrutiny.com
Using an encrypted email provider and never linking your phone number to crypto platforms are also two other best practices.
More best practices from @officer_cia:
I am by no means a security expert.
But that’s the beauty of it. You don’t really need to be.
There’s no barrier stopping you from stepping up your security literally right now.
But if you do want to learn more from an expert on the subject, I highly recommend you take a look at @officer_cia’s blog, which is the main source of some of the materials I used for this article: