Security & Scam Prevention

A rug pull occurs when developers abandon a project and drain liquidity or dump tokens on unsuspecting investors. They are the most common scam within DeFi and memecoin markets, costing the crypto market billions of dollars every year. Rug pulls can be 'hard' — involving malicious smart-contract code that lets the deployer steal funds — or 'soft,' where founding teams quietly sell their token allocation after generating hype. Learning to spot the warning signs, such as unaudited contracts, anonymous teams, and unlocked liquidity, is essential for protecting your portfolio. The phishing protection guide covers related social-engineering tactics that often accompany rug-pull schemes.

Phishing is the number-one attack vector against crypto users, responsible for hundreds of millions in stolen funds each year. Fake websites, malicious links, and social-engineering messages trick users into revealing seed phrases or signing fraudulent transactions. Common targets include clones of popular wallets like MetaMask, major exchanges, and NFT marketplaces that are replicated pixel-for-pixel. Protecting yourself starts with understanding how phishing works and layering defences such as two-factor authentication and browser-based transaction pre-viewers. Read the dedicated protecting against phishing scams guide for a step-by-step action plan.

Pump-and-dump groups coordinate artificial price inflation of low-liquidity assets before selling into unsuspecting buyers. These schemes are prevalent across the crypto market, where thin order books and 24/7 trading make manipulation easier than in traditional finance. Participants typically promote a low-cap token through Telegram or Discord, generating enough hype to spike the price before the organisers dump their holdings. By the time retail traders see the alert, they become the exit liquidity and are left holding a worthless asset. Understanding trading psychology and using TradingView to analyse volume patterns can help you spot these scams before committing funds.

Crypto Ponzi schemes promise impossibly high fixed returns funded by new investor deposits rather than genuine revenue. From OneCoin to Celsius, these schemes always collapse once withdrawals exceed new inflows — often overnight. They are especially common in DeFi, where complex smart-contract mechanics can obscure the underlying Ponzi structure. Learning to distinguish legitimate yield from fraudulent promises is critical for anyone farming or staking within the crypto market. Review the glossary for definitions of yield-related terminology and explore the cold storage guide to keep your funds safe from compromised platforms.

Social engineering exploits human trust rather than technical vulnerabilities, making it one of the most dangerous attack vectors in crypto. Impersonation of support staff, influencers, and protocol teams is rampant across Discord, Telegram, and Twitter. Attackers use deepfake videos, fake giveaway campaigns, and SIM-swap exploits to bypass even strong security setups and steal funds. Protecting yourself starts with enabling strong two-factor authentication and learning to verify official channels directly from a project's website. The phishing protection guide and trading psychology resources will help you recognise manipulation tactics before you fall victim.

Your seed phrase (recovery phrase) is the master key to all your cryptocurrency holdings — if someone gains access to it, they control your funds entirely. Whether you use a software wallet or a hardware wallet, your seed phrase is the single most important piece of data to protect. Generating it in a secure offline environment and storing it on durable, fireproof media is the gold standard for self-custody. Review the cold storage best practices guide for comprehensive storage strategies and consider pairing seed phrase security with strong two-factor authentication on all associated accounts.

Hot wallets are connected to the internet and offer convenience for daily transactions, while cold wallets store private keys offline for superior security. Choosing between them — or using both — depends on your trading frequency, portfolio size, and risk tolerance. Software wallets like MetaMask and Trust Wallet are ideal for everyday DeFi activity, whereas hardware wallets from Ledger and Trezor are essential for safeguarding large holdings. Understanding the tradeoffs helps you build a layered security approach that keeps funds accessible without unnecessary exposure. Browse our best hardware wallets comparison to find the right cold storage device for your needs.

Multisignature (multisig) wallets require multiple private keys to authorise a transaction, eliminating the single point of failure that exists in standard wallets. They are essential for DAOs, teams managing shared treasuries, and individuals with high-value crypto holdings. By distributing signing authority across several hardware wallets or trusted parties, multisig setups protect against both external theft and internal compromise. Our dedicated multi-signature wallets guide covers setup instructions for popular platforms like Gnosis Safe. Pairing multisig with strong seed phrase security for each signing key creates one of the most robust custody solutions available.

Your exchange account is a prime target for hackers, and a single breach can result in a total loss of funds. Securing it requires a layered approach that includes strong passwords, two-factor authentication, withdrawal address whitelisting, and anti-phishing codes. Major platforms like Binance, Coinbase, and Kraken offer these features — but you must enable them manually. Taking the time to configure every available security option dramatically reduces your risk of account compromise.

After the FTX collapse, Proof of Reserves (PoR) became a critical trust metric for centralised crypto exchanges. PoR uses Merkle tree cryptography to demonstrate that an exchange holds assets at least equal to customer deposits, providing a verifiable solvency check. Major exchanges such as Binance and Kraken now publish regular PoR reports, though quality and methodology vary. Understanding how to verify these reports — and knowing their limitations — is essential for deciding where to keep your funds. For long-term holdings, cold storage remains the safest option regardless of an exchange's PoR status.

Smart contracts are immutable code that handle billions in value across DeFi protocols — but bugs, exploits, and design flaws have cost users over six billion dollars to date. Reentrancy attacks, flash loan exploits, and oracle manipulation remain the top attack vectors, and even audited contracts are not immune. Understanding these risks is essential for anyone interacting with decentralised applications on Ethereum and other smart-contract platforms. Pairing protocol awareness with safe wallet practices described in our cold storage guide helps minimise exposure. Always review a protocol's audit history and community reputation before committing significant funds.

Every time you interact with a DeFi protocol, you grant a token approval that can remain active indefinitely — giving the contract permission to spend your tokens without further consent. These unlimited approvals represent a major security risk: if the protocol is exploited or turns malicious, an attacker can drain every approved token from your wallet. Managing approvals is especially important for users active across multiple protocols on Ethereum and Layer-2 networks. Tools like Revoke.cash make it easy to audit and revoke stale permissions on a regular basis. For additional wallet security strategies, see our MetaMask setup guide and our best DeFi wallets comparison.

Using strong, unique passwords for every exchange, wallet, and email account is non-negotiable for anyone trading in the crypto market. A password manager generates and stores complex credentials so you never have to reuse passwords — the number-one cause of credential-stuffing attacks. Popular options like Bitwarden and 1Password integrate seamlessly with browsers and mobile devices, making security effortless. Combining a password manager with two-factor authentication on exchanges like Binance and Kraken creates a strong line of defence against account takeover.

Public Wi-Fi, ISP logging, and man-in-the-middle attacks are real threats for traders who access exchanges and wallets on the go. A VPN encrypts your internet connection and masks your IP address, adding a critical layer of privacy when interacting with crypto platforms. No-log providers like Mullvad and ProtonVPN ensure that even the VPN company cannot link activity to your identity. Pairing a VPN with two-factor authentication and strong seed phrase security creates a comprehensive operational security stack. Check your exchange's policy — some platforms such as Binance restrict access from certain VPN regions.

Your email account is the recovery key for most online services — if compromised, an attacker can reset passwords across all your exchanges and wallets in minutes. Using a separate, dedicated email for crypto trading limits the blast radius of any breach and makes targeted phishing far more difficult. End-to-end encrypted providers like ProtonMail and Tutanota keep your messages private by default. Strengthening your email with hardware-key two-factor authentication and following our phishing protection guide dramatically reduces the risk of account takeover. This foundational step protects your accounts on exchanges like Coinbase and every other service tied to that email address.

Two-factor authentication adds a second layer of verification beyond your password, and it is one of the most effective security measures for protecting crypto accounts. However, not all 2FA methods are equal — SMS-based codes are vulnerable to SIM-swap attacks, while authenticator apps and hardware security keys provide progressively stronger protection. Understanding the hierarchy of 2FA methods lets you choose the right level of defence for each account, from exchange logins on Binance and Kraken to your email and password manager. Our detailed two-factor authentication guide walks through setup instructions for every major platform and explains how to securely back up your 2FA recovery codes.