Crypto thefts increasingly target end users through social engineering, SIM swaps, wallet drainers, approval abuse, and fake apps. Regulators and security agencies now push phishing-resistant logins and stricter mobile-account protections, while analytics firms report rising losses from personal-wallet attacks. This checklist turns that guidance into practical, verifiable steps you can complete today.

1) Lock down your exchange accounts and email

  • Turn on phishing-resistant MFA such as passkeys or FIDO2 security keys wherever supported. These are the only widely available methods CISA classifies as phishing-resistant.
  • Enable withdrawal address allowlisting on exchanges so funds can only leave to pre-approved addresses. Coinbase, Binance, and Kraken document these controls.
  • On Kraken, consider Global Settings Lock (GSL) and a Master Key to block critical changes without your hardware key.
  • Prefer hardware-key or passkey MFA over SMS; the FCC’s new SIM-swap rules highlight phone-number takeovers as a major risk.
  • Protect your email with strong MFA and a password manager; check if your address appears in known breaches and rotate affected passwords.

Checklist

  • Passkeys or FIDO2 security keys enabled on all exchanges and email.
  • Withdrawal allowlisting turned on; test a small withdrawal.
  • Kraken GSL and Master Key configured if you use Kraken.
  • Email checked on Have I Been Pwned; compromised passwords changed.

2) Secure self-custody wallets

  • Back up your seed phrase correctly; Bitcoin.org’s guidance stresses tested backups and understanding recovery.
  • Consider passphrase protection (the “25th word”) only if you can store it safely; Ledger explains how it derives a separate account set.
  • For Shamir multi-share backups, follow the official SLIP-39 process and required thresholds.
  • Always download wallet software and updates from official sources to avoid fake apps.

Checklist

  • Primary and secondary offline backups verified by a full test restore.
  • Passphrase or Shamir backup documented and stored separately, if used.
  • Wallet apps and firmware installed from official links only.

3) Kill dangerous token approvals and stop drainers

  • Wallet drainers rely on users approving malicious contracts. Revoke stale approvals on EVM chains using explorers or dedicated tools.
  • Use Etherscan’s Token Approval Checker or Revoke.cash to review and revoke allowances; expect a small on-chain gas fee for each revoke.
  • MetaMask’s Blockaid-powered Security Alerts simulate transactions and warn about malicious dapps—turn them on.

Checklist

  • Monthly review of approvals; revoke anything you don’t recognize or need.
  • Security alerts enabled in MetaMask or your wallet.
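As an added illustration of the monthly approval review above (example code, not from the original checklist or any of the tools it names), the block below decodes ERC-20 `Approval` event logs for one owner, keeps the latest allowance per token/spender pair, and builds the `approve(spender, 0)` calldata a wallet would sign to revoke each open one. The log entries and addresses are constructed placeholders.

```python
# Added example: audit ERC-20 allowances from Approval logs and build revoke calldata.
MAX_UINT256 = (1 << 256) - 1
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "0x095ea7b3"  # 4-byte selector of approve(address,uint256)


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def open_allowances(logs, owner: str) -> dict:
    """Return {(token, spender): amount} for the most recent Approval per pair,
    dropping pairs whose latest allowance is already zero."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue  # Transfer or other events are irrelevant here
        if topic_to_address(log["topics"][1]) != owner.lower():
            continue  # approval granted by someone else
        spender = topic_to_address(log["topics"][2])
        latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {pair: amt for pair, amt in latest.items() if amt > 0}


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + 32-byte address + 32-byte zero."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def audit(logs, owner: str) -> list:
    """One report row per open allowance, flagging unlimited (2**256-1) ones."""
    return [{"token": t, "spender": s, "unlimited": amt == MAX_UINT256,
             "revoke_tx_data": revoke_calldata(s)}
            for (t, s), amt in open_allowances(logs, owner).items()]


# Constructed sample data (placeholder addresses, not real contracts).
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN, SPENDER_A, SPENDER_B = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
_pad = lambda a: "0x" + a[2:].rjust(64, "0")
_log = lambda blk, idx, own, sp, val: {"blockNumber": blk, "logIndex": idx,
    "address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(own), _pad(sp)],
    "data": "0x" + format(val, "x").rjust(64, "0")}
SAMPLE_LOGS = [
    _log(100, 0, OWNER, SPENDER_A, MAX_UINT256),  # unlimited, still open
    _log(101, 0, OWNER, SPENDER_B, 1000),         # later set back to zero
    _log(102, 3, OWNER, SPENDER_B, 0),
    _log(103, 0, OTHER, SPENDER_A, MAX_UINT256),  # different owner, ignored
]
```

Running `audit(SAMPLE_LOGS, OWNER)` reports only the unlimited allowance to `SPENDER_A`, together with the calldata that would revoke it.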

4) Avoid address-poisoning and copy-paste traps

  • Attackers send lookalike transactions to plant a similar address in your history; Ledger details how this scam works and how to avoid it. Always verify the full address or use an allowlisted contact.

Checklist

  • Don’t copy addresses from recent activity; confirm via address book, QR, or domain you trust.
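The "verify the full address" rule above can be turned into a check that runs before you paste anything into a send form. The example below is added here and is not from the original checklist: it compares a candidate address against your own address book, treating a match on only the leading and trailing digits (what most wallet UIs abbreviate to) as a lookalike, and scans a recent-activity list for such poisoned entries. All addresses are constructed placeholders.

```python
# Added example: spot address-poisoning lookalikes against a trusted address book.
import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def classify_address(candidate: str, address_book: dict, prefix=4, suffix=4):
    """Return ("trusted", label), ("lookalike", label) or ("unknown", None).

    A lookalike shares the first `prefix` and last `suffix` hex digits with a
    trusted entry (the part an abbreviated UI shows) but differs elsewhere."""
    if not HEX_ADDRESS.match(candidate):
        raise ValueError("not a 20-byte hex address")
    c = candidate.lower()
    for label, addr in address_book.items():
        if c == addr.lower():
            return ("trusted", label)
    for label, addr in address_book.items():
        a = addr.lower()
        if c[2:2 + prefix] == a[2:2 + prefix] and c[-suffix:] == a[-suffix:]:
            return ("lookalike", label)
    return ("unknown", None)


def flag_history(history: list, address_book: dict) -> list:
    """Return the history entries whose counterparty imitates a trusted address."""
    flagged = []
    for entry in history:
        verdict, label = classify_address(entry["counterparty"], address_book)
        if verdict == "lookalike":
            flagged.append({**entry, "imitates": label})
    return flagged


# Constructed sample data: a real cold-wallet address, a poisoned lookalike that
# matches it on the first and last four hex digits, and an unrelated address.
COLD_WALLET = "0x1234" + "a" * 32 + "cdef"
POISONED = "0x1234" + "b" * 32 + "cdef"
UNRELATED = "0x" + "9" * 40
ADDRESS_BOOK = {"cold wallet": COLD_WALLET}
RECENT_ACTIVITY = [
    {"txid": "constructed-1", "counterparty": COLD_WALLET, "value": "1.0"},
    {"txid": "constructed-2", "counterparty": POISONED, "value": "0.0"},  # dust
    {"txid": "constructed-3", "counterparty": UNRELATED, "value": "0.5"},
]
```

`flag_history(RECENT_ACTIVITY, ADDRESS_BOOK)` returns only the dust entry from the lookalike address, which is exactly the one a copy-from-history habit would pick up.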

5) Device and network hygiene

  • Turn on automatic updates for your OS, browsers, extensions, and wallet apps; CISA recommends auto-updates to close known holes.
  • Use a reputable password manager for long, unique passphrases, and follow NIST’s modern guidance against outdated password rules.

Checklist

  • Automatic updates enabled on all devices and apps.
  • Password manager in use; unique passphrases for every service.

6) Segment your holdings by risk

  • Keep day-to-day funds in a hot wallet; move long-term holdings to hardware wallets or multisig smart accounts like Safe with appropriate thresholds.
  • For teams/treasuries, use multisig with spending policies or guards. Safe’s modules/guards can enforce additional checks before execution.

Checklist

  • Long-term funds stored offline or in multisig with documented recovery.
  • Per-wallet spend limits and policies where supported.

7) Have an incident plan

  • If you suspect compromise, move funds to a fresh wallet, then revoke approvals on the old address. Tools and explorers document the flow.
  • For investment-scam victims, file a report with the FBI’s IC3 and follow FTC guidance on what to do next.

Checklist

  • Pre-printed emergency steps and fresh wallet ready.
  • Local law-enforcement and IC3 reporting links saved.

8) Advanced: Bitcoin PSBT workflows and cold signing

  • PSBT (BIP-174) lets you build unsigned transactions on an online machine and sign them offline on a hardware wallet, improving operational security for large balances. See the BIP and Optech overview.

Checklist

  • For large BTC moves, use PSBT cold-signing practices.

Quick self-audit: 12-point scorecard

  • Passkeys or FIDO2 enabled on exchange and email logins.
  • Exchange withdrawal allowlisting active.
  • Kraken GSL/Master Key, if applicable.
  • Seed backup tested; off-site copy kept.
  • Optional passphrase or SLIP-39 documented and separate.
  • Approvals reviewed and unsafe ones revoked.
  • MetaMask Security Alerts on.
  • Do not copy addresses from history; verify end-to-end.
  • Automatic updates enabled everywhere.
  • Password manager in place; unique passphrases.
  • Long-term holdings in hardware/multisig Safe with policies.
  • Incident playbook printed; IC3/FTC links saved.

FAQ

Are SMS codes still okay as a backup?

They are better than nothing but vulnerable to SIM-swap and phishing; prefer passkeys or hardware security keys when possible.

How often should I review token approvals?

Monthly is a good default, and immediately after using a new dapp or noticing odd signatures. Explorer tools and Revoke.cash document how.

What’s the safest way to check if my email is in a breach?

Use Have I Been Pwned and rotate passwords for any affected services; enable MFA everywhere.

Winner.X - CryptoDeepin © 2025. All rights reserved. 18+ Responsible Gambling