Earlier this year, The New York Times ran an article about an early Bitcoiner, Stefan Thomas, who had accidentally locked away the private keys to 7,002 BTC (over $400 million) on a device that would lock up and encrypt the contents forever if given incorrect passwords 10 times.
As of last January, he had tried eight passwords, to no avail.
After the article came out, so many people would randomly mention to me “the guy” who had lost access to his bitcoin, and I’d have to correct them — no, there were many, many, many people who had done such a thing.
As the crypto markets have continued to rise over the long-term (at the time of publication in January, the value of his bitcoin had been $220 million), reaching a total market cap of $2.6 trillion up from $0 a dozen years ago, there have certainly been a lot of people looking to get in.
If you’re interested in buying crypto, read on to find out how not to become one of those people who have lost the keys to their coins.
What You Own When You Own Crypto
Crypto is unlike other digital assets that you may own. Obviously, the main distinguishing feature is that it can act as money. Unlike other digital assets, it is not possible to copy it. The whole reason bitcoins have value is that they are provably scarce. You can’t counterfeit a bitcoin or any other true crypto. This is unlike photos or mp3s or text messages, which are passed around as copies, not as unique objects, and which can be doctored or faked.
Crypto is also different from other forms of “digital” money like Venmo or PayPal (which are analog versions of money with a digital veneer) in that it is like cash — but in digital form. If you lose it, you’re not going to get it back unless someone somehow finds it or is otherwise able to access it and gives it back to you. There’s no Bitcoin or Ethereum customer service to help you.
Since it’s not physical like cash, what you lose when you lose access to a crypto asset is actually what’s called the private key. Every wallet or address has a public and a private key associated with it. You can think of the public key as the address, or what allows coins to be sent in. You can think of the private key as what enables you to move money out of that wallet or address.
When you say you own crypto, what you’re saying is that you have the private keys to the address holding those coins.
Deciding Which Security Model Works Best for You
The reason why security is the number one factor to consider when buying or owning crypto is that the risks are high, and there’s no one right model for everyone.
There’s a popular saying in crypto: “Not your keys, not your coins.” What this means is that if you don’t manage your own private keys and instead leave your coins on an exchange for that company to manage, then if that exchange gets hacked, you are out of luck.
This famously happened with the Mt. Gox case, the first really big and popular bitcoin exchange, which in February 2014 was revealed to have been hacked for 850,000 BTC ($450 million at the time; $49 billion today).
Here we are, nearly eight years later, and Mt. Gox creditors are only just now finding out that they will eventually get a payout of about $9 billion from it.
Since then, there have been numerous hacks of crypto exchanges, such as Binance, Bitfinex, Coincheck, Bithumb (which has been hacked three times), etc.
This is why many people choose to manage their private keys themselves. However, going that route runs the risk of landing you in a Stefan Thomas-like situation, where you yourself lose access to your keys — or, as is also extremely common, they are phished from you to line the pockets of a hacker.
Here’s a short, not comprehensive list of ways in which people have either lost their coins themselves, or had the keys stolen from them:
- fake emails, Slack messages, Discord messages, Telegram messages, etc. phishing for keys
- fake websites that show up as the top ad result in Google that phish for keys
- so-called phone hijackings, in which their phone numbers are stolen. Once the phone number is tied to the hacker’s device, the hacker clicks “forgot password” on sensitive accounts, such as those at crypto exchanges, has the password-reset code sent to the victim’s phone number (which is now tied to the hacker’s device), and then logs in to the account to move the money out
- forgetting or losing the password or seed phrase to the wallet (typically, devices do not have the user deal directly with the private key but instead with a more human-readable set of words called a seed phrase)
Being your own crypto bank is no joke — it’s a real job or task that you have to take seriously, and it’s so easy to either be hacked, phished or otherwise lose access to your coins.
How You Should Secure Your Coins
There is no single right way, and neither I nor anyone would blanket-recommend the same security setup to everyone without understanding their needs. Be sure to consider your personal situation before deciding.
Managing Your Own Private Keys
As described above, the “not your keys, not your coins,” mantra indicates that if you’re in control of your own coins, they are not at risk of being stolen in an exchange hack.
The downside, of course, is that, in this scenario, you are responsible — and you’ll only have yourself to blame if you lose them. For that reason, you’ll need to think carefully about the best way for you to secure your coins. Many people choose to do so using a so-called cold-storage solution, which is a way of securing crypto that keeps it offline. (In contrast, a hot wallet is one connected to the internet.)
(Exchanges themselves may use a cold-warm-hot setup, in which their hot wallets are used for transacting regularly with customers, while warm addresses have a medium level of security, in between completely offline and always online.)
Going the cold storage route requires you to decide what device you’ll use. If you use a dedicated crypto hardware wallet — meaning a device whose sole function is to store crypto assets — there are multiple brands from which to choose. Then, you have to decide where to buy it from, as there have been times when sellers have been found to be trying to phish people out of their crypto by selling compromised devices.
If you have some money, you could go with a service that enables multi-signature transactions, in which money cannot be moved without, say, two of three or three of five valid signatures. However, some of these, such as Casa, can be quite pricy, so this only makes sense if you have large holdings of the coin you want to store.
Having an Exchange or Other Custodial Service Manage Your Private Keys
This solution may appeal to those who don’t trust themselves to keep their own secret password or to those who may have such large holdings of crypto that it could make them a target of, say, kidnapping/ransom. In order to deter wannabe criminals who may want to obtain crypto — and who are willing to go to great lengths to do it — they advertise that they do not personally manage their crypto holdings. (On my podcast, Unchained, billionaire Chamath Palihapitiya said this is his method.)
If you decide to go this route, you’ll again want to study up on the various exchanges’ policies and security histories so as to be confident in your selection. At the very least, if you keep your coins on an exchange, you should enable two-factor authentication on your account — and, because of how rampant the aforementioned “phone hijackings” are, you should not use SMS text messages as that second factor, since, if your phone number does get stolen, you could very well become the victim of a crypto thief.
Instead of using your phone number as your second factor, you can use Google Authenticator or a YubiKey, which the hacker would have to physically obtain in order to access your account. That almost always is enough of a deterrent, since it is so much easier for a hacker to steal money from the comfort of their own home, but it’s not 100% foolproof, since there have been incidents of thieves either kidnapping or physically threatening people in order to try to take their coins.
A Hybrid Model
In the end, what many people do is a mix of all or some of the above, similar to how people tend to keep their money in their real lives. They’ll keep their “savings” or the bulk of their coins offline in cold storage, and move whatever it is that they’re using to either a crypto exchange or an online wallet when necessary.
If you’re interacting with crypto a lot, such as if you’re yield farming (chasing high interest rates across various decentralized finance or DeFi protocols) or if you’re buying, creating or selling a lot of non-fungible tokens (NFTs), or if you’re participating in the governance of decentralized autonomous organizations (DAOs), then you’ll probably have more of your crypto online, in which case you’ll need to shore up your own personal behaviors.
In that case, you’ll want to get in the habit of checking URLs carefully and not believing every email, text message, Discord chat member, Telegram announcement, etc. that comes your way. (I recently received what looked like an extremely credible email with the URL “noreply-[internet note taking service].com” — when I asked the company if it was a legitimate email, the answer was no.)
It’s probably a good idea to get in the habit of never entering your password into a link that was sent to you by someone else. If you receive one and aren’t sure about its provenance, either ask the company directly, or go straight to the website yourself (not by clicking on a Google search advertising link but by carefully typing the URL in with the proper spelling yourself) to see if what the message or email is asking you to do is necessary.
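The “noreply-service.com” email above is a typical lookalike domain. As an added example (not from the original article), the following check shows the difference between a real subdomain (a dot before the company name) and a lookalike (a hyphen, or the name buried in front of someone else’s domain). The trusted domain `example-exchange.com` is a constructed placeholder, and the “last two labels” rule for the registrable domain is a simplification; a production checker would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains you typed in yourself and know to be real.
TRUSTED_DOMAINS = {"example-exchange.com"}


def extract_host(value: str) -> str:
    """Return the host from either a URL or an email address."""
    value = value.strip()
    if "@" in value and "://" not in value:          # bare email address
        return value.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in value:                            # bare hostname, e.g. from an SMS
        value = "https://" + value
    host = urlsplit(value).hostname                   # ignores any user:pass@ prefix trick
    return (host or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplification: treat the last two labels as the domain someone actually registered."""
    return ".".join(host.split(".")[-2:])


def classify(value: str) -> str:
    """Label a link or sender as ok, a lookalike of a trusted domain, or simply unknown."""
    host = extract_host(value)
    if not host:
        return "invalid"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: internationalised (punycode) label"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "ok"                                   # real domain, including its subdomains
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:                             # brand name present, but not their domain
            return f"suspicious: lookalike of {trusted}"
    return "unknown domain"


if __name__ == "__main__":
    for sample in ("https://accounts.example-exchange.com/login",
                   "noreply-example-exchange.com",
                   "support@example-exchange.com.evil.test",
                   "https://example-exchange.com@evil.test/"):
        print(f"{sample:50} -> {classify(sample)}")
```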
You’ll want to find a way of securely storing the seed phrase to online wallets such as your MetaMask wallet. And if you decide to keep any crypto-related passwords or seed phrases in any online services, you’ll want to button those up with their own two-factor authentication security, in which that second factor is, again, not your phone number.
Additionally, you can use a separate phone number, such as a Google Voice or Google Fi number, that does not have customer service agents to dupe and for which you control whether or not that number can be moved to another device. (Plus, some carriers now have “do not port” or “port freeze” settings that you can turn on or off. Porting is the act of transferring a phone number from one carrier to another.)
Even better, use an email address no one else knows about, disconnected from your other addresses, that is only used for sensitive accounts so a hacker doesn’t even know what to use to try to attack you.
As you can see, getting into crypto in any significant way requires understanding how this new type of money is different from the old, and what new behaviors you need to adopt to ensure you don’t lose your coins.
But don’t feel daunted. Millions of people have already gotten started. Although some of them have unfortunately learned these lessons the hard way, including this executive at a crypto security firm, who had his phone number hijacked and lost what was then $100,000+ worth of crypto from his Coinbase account, many others have successfully created a secure crypto storage setup and learned about these new types of assets — and maybe even made a few shekels off their dollar investment.
Good luck, be careful, and have fun!