In 2022, hackers breached several popular cryptocurrency services. For instance, users of the Profanity Ethereum address generator lost $3.3 million, and Solana-based wallet holders lost around $8 million.
The Mixer.money bitcoin mixer team explains how to prevent theft of digital assets. Bonus: a checklist for preserving the anonymity of your Bitcoin transactions.
Different wallets — different risks
Cryptocurrency wallets are applications or devices for storing, sending and receiving digital assets. They hold users’ private keys and provide an interface for interacting with one or more blockchains.
Crypto wallets can be categorized by the degree of third-party involvement — custodial and non-custodial; and by connectivity — cold and hot.
Custodial wallets are services whose operators have access to users’ funds and private keys. Almost all crypto exchanges provide such wallets to clients.
Transferring funds to a third party is always risky, so one should choose providers carefully and not keep all funds in custodial wallets.
If a user forgets the password to a custodial wallet, access can be recovered using personal data or a seed phrase—a sequence of random words in which the private key is encrypted.
Non-custodial wallets allow users to manage their funds and private keys themselves. However, users also bear full responsibility for safeguarding those funds. If the private key is lost, access to the assets is impossible.
Hot wallets are applications and browser extensions that are constantly connected to the internet. Users can check their balance or send tokens at any moment.
Cold wallets are various ways to store private keys without internet access:
- brainwallet — keep the seed phrase in your head;
- paper wallets — write the sequence on paper;
- hardware wallets — use dedicated hardware devices.
Potential vulnerabilities of hardware wallets
A hardware wallet is a physical device with one or more microcontrollers that connects to a computer or phone via a USB port. Some models also support Bluetooth connections.
Hardware wallets are considered the most secure tool for dealing with cryptocurrencies. However, they can also be hacked by malicious actors.
Owners of such devices face risks in a variety of situations:
- Purchasing a device. Buy wallets only from official vendors, such as Ledger and Trezor. Carefully check the integrity and originality of the packaging. If there is even minor damage, demand a replacement—attackers could have hacked the wallet during delivery;
- Activation of the wallet. Make sure that the device has not been used. The owner generates a seed phrase and sets a PIN during initial setup. If the seed phrase comes in the package with the wallet, scammers may have already activated the device. Report the issue to the supplier;
- Firmware update. Updates are downloaded when the device is connected to a computer or phone via USB. At this moment, attackers could remotely dump the memory of the microcontroller containing private keys. To mitigate the threat, verify that the computer or phone is not compromised before each update. For Ledger, the attack risk is lower: such devices have two microcontrollers — one for signing and one for private keys;
- Loss or theft of the device. Malicious actors may hack the wallet by gaining physical access. In case of loss or theft, move the funds as soon as possible. This will require a new device and the original seed phrase. During the activation of a secondary wallet, choose the option “I already have a seed phrase” and enter the 12–24 initial words. If criminals could not intercept the private keys, you will see the balance in its previous state. Transfer the funds to another wallet and do not use the activated device: the threat of private-key theft remains.
Hot wallets — a cool head
Software wallets are more convenient for everyday use, but are more vulnerable to remote breaches due to their constant internet connectivity.
Owners of hot wallets should be aware of possible vulnerabilities: from personal-data leaks to the hacking of third-party apps. For example, scammers could attack Solana-based wallets of users who created, imported, or used the Slope mobile apps.
How to mitigate these risks? Start with following basic online security practices:
- generate strong passwords;
- do not reuse the same password for different accounts;
- avoid suspicious links;
- do not open dubious emails;
- check the security of connections;
- do not use public Wi-Fi and public networks;
- do not store passwords and seed phrases on digital media;
- use two-factor authentication.
In addition, the Mixer.money team recommends taking extra security measures when dealing with cryptocurrencies:
- dedicate a separate browser and accounts only for wallets and transactions;
- do not install unknown extensions — they can compromise your device and substitute your wallet for a fraudulent one;
- do not store the private key in one place; split it using Shamir’s secret sharing scheme and make a paper backup;
- use multi-signatures that require two or three private keys to approve a transaction. Generate these keys on separate devices.
How to trade and invest safely
Non-custodial wallets are not the only places where cryptocurrency is stored. Holders also keep funds in pools and on trading venues.
This introduces new risks — platform breaches and exit scams by their founders. The team at Mixer.money offers several principles to follow to avoid losing funds:
- trade on decentralised exchanges. They do not hold funds or personal data of users, adhere to privacy principles, and do not require KYC;
- verify information about the platform before you start. Choose services that have established themselves in the market. Do not rely solely on high returns;
- do not keep funds on an exchange if they are not actively being used. Trading and investment platforms are prone to hacks, experience technical glitches, and can have funds frozen under regulatory pressure.
Bitcoin-transfer anonymity checklist
Regulators require centralised exchanges to collect user data and de-anonymise suspicious addresses using blockchain analytics.
But criminals are not the only ones at risk of being blocked; ordinary coin holders can also be targeted. For example, in August FTX froze an account after a transfer to the Aztec Network platform, which is designed to increase privacy.
Maintaining anonymity when sending Bitcoin and avoiding blocks can be achieved by taking extra measures:
- transact each time through a new address. This complicates linking transfers;
- use a VPN and the Tor browser to hide your IP address. Note that exchanges may block accounts when onion routing is detected;
- process funds through mixers. Choose services that ensure coin cleanliness after mixing, such as Mixer.money.
Conclusions
Cybersecurity and anonymity are integral to handling digital assets in an environment of persistent hacking and growing regulatory pressure.
Risk management and adherence to security practices help avoid many types of attacks, and coin-mixing helps preserve transaction anonymity.
