With the recent wave of Ledger phishing attacks that have proved, unfortunately, to be very effective, I felt the need to write a short article to share with Bitcoin newcomers to warn them of the most common ways they can lose control of their precious sats. Please don't let this list put you off getting into Bitcoin, the world is finally waking up to the fact that it is the best money we have ever had. Unfortunately that very property makes Bitcoin very appealing to normal folk and scammers alike.
All of the risks outlined below can be 100% mitigated by taking time to educate yourself, asking questions and moving slowly. With that said, if you are unsure about anything, feel free to reach out and ask me a question.
Before we start, let's cover some of the basic terminology used in this article...
Seed words - Usually 12 or 24 words long, your seed words are a human readable backup of your entire Bitcoin wallet. These words can be imported into almost any wallet software to recover every single address, private and public key the wallet can generate. Your seed words are your bitcoin, anyone with access to them has access to all of your bitcoin. Guard them with your life and back them up using a method that is resistant to fire, water and corrosion etc.
Passphrase - An optional, additional seed word which, if specified upon wallet creation creates an additional level of security against attack. If you use a passphrase protected wallet, you must have your seed words and your passphrase to recover your wallet. Store your seed words and passphrase separately.
Private key - To spend any amount of bitcoin, a user needs to prove ownership by using private key. It is a long string of letters and numbers that are not very friendly to the human eye. Thanks to modern wallet software with simplified user interfaces, a typical user will almost never directly interact with them.
As mentioned above, your seed words (and passphrase if specified) are your bitcoin backup. If it gets stolen, you lose it or it gets destroyed, and you aren't able to access your active wallet (for example if you lose your phone or hardware device) you're screwed. Anyone with access to your seed words, has access to your wallet, so bear that in mind when selecting a storage location.
Equally, people have screwed themselves out of their own sats by over complicating their backup scheme using some 'ultra secure' memory method, which they either completely forget, or makes it impossible for their family to access in the event of their death.
Fix 1 - Store your seed words using a method that can withstand lots of abuse.
Fix 2 - Don't over complicate your backup, your family may need to recover your wallet when you aren't around. Consider using a service like Final Message for inheritance planning.
Fix 3 - Backup your passphrase (separately) if you use one.
Exchange hacks are almost as old as Bitcoin itself. There have been, and continue to be multiple hacks each year where thousands of people lose their money with little to no hope of ever getting it back. It may be easy to buy some sats on an exchange and leave it there, but every day your bitcoin is stored with a third party, you are at risk. These hacks happen suddenly and without warning and sometimes occur from within the organisation.
"Not your keys, not your coins".
Fix 1 - Withdraw your bitcoin immediately after purchasing, to a wallet where you control the private keys.
A phishing attack essentially tricks an individual into willingly giving up access to their bitcoin under false pretences, usually via tricking the user into giving up their seed words. The two most common methods of these attacks are:-
Sending a text or email to someone pretending to be from a hardware wallet manufacturer, stating that there is a problem with their account and instructing them to go to a website quickly to take action. Of course, the website is a malicious one that looks identical to the one a user would be expecting to see, often with a very similar domain name so as not to raise suspicion. Once on the malicious site, the user will be prompted to enter their seed words to 'secure' their bitcoin, at which point their entire wallet will be drained.
Messaging someone on a chat app like Telegram. Typically, these scammers wait for people to ask a question in a public chat group, then private message the individual pretending to be from 'customer support'. At which point they build a relationship under the pretence of helping them rectify the issue, when in reality they are working towards getting the user to give up their seed words.
Fix 1 - NEVER enter your seed words into a website, under any circumstances.
Fix 2 - Hardware wallet users should only ever enter their seed words directly into the device itself
Fix 3 - Be immediately suspicious of anyone private messaging you on a Bitcoin related chat room.
Fix 4 - When buying Bitcoin related hardware, use throwaway emails to register and if possible, try to have the items delivered somewhere other than your home address.
It can be easy when getting into Bitcoin to want to try out all of the latest super secure wallets, multi-sig setups and nodes etc. But with increased security, comes increased complexity. For most people starting out, a mobile wallet like Samourai or Blue that has been properly backed up is more than secure enough. Get comfortable with the basic concepts of a mobile wallet first, then look to move to a hardware wallet like a Coldcard as your bitcoin holdings increase. Don't even consider a multi-sig setup until you're 100% confident on the process. Have a read through this Twitter thread for an idea of what I mean.
Fix 1 - When starting out, "Keep it simple, stupid".
Fix 2 - Practice wiping and restoring your wallet multiple times using your seed words before sending large amounts of sats in.
To the 95% of the population, cryptocurrency trading is just plain gambling. These exchanges are setup to take your bitcoin. I get it, the temptation to increase your bitcoin stack by trading alternative (highly volatile) currencies exists, but trust me, you will get wrecked. There may be a very small group of the population with the necessary skills to trade the market and profit, but that guy you follow on YouTube isn't one of them!
Fix 1 - Don't trade. Easy!
2020 saw one of the biggest hacks Twitter had ever seen. An individual gained access to the some of the platform's largest accounts and once inside, the hacker posted tweets from these accounts offering to send back double the amount of bitcoin anyone that deposited to the address displayed. Of course, once the bitcoin was deposited to the hackers address, zero was sent back. The scan reportedly netted around $110,000 in BTC.
Fix 1 - If it sounds too good to be true, it almost certainly is! Anyone promising to send you more bitcoin back after you send to them is a scammer.
Malicious software is one of the more complex ways of relieving you of your bitcoin. These types of attack are generally dependant on a user downloading software that looks and acts like the real deal, from a source that also looks genuine. The difference is, the malicious software has features built in designed to steal your bitcoin. This can happen in a number of ways, but the two most common are :-
When a user is sending a transaction, the malware will change the receive address specified by the user for one controlled by the scammer
The software generates a seed word set that is already controlled by the scammer. When the unsuspecting user deposits some bitcoin, the scammer can spend this to the another address they control
Fix 1 - Download your Bitcoin software from a reputable source. Pay close attention to the URL you access, scammers are getting clever with tricks like using 'ë' in stead of 'e'. If you aren't sure, ask around the community.
Fix 2 - All open source software should be signed by one of the developer team. If you have the knowledge to do so, verify this signature matches the one provided from the official download source. This proves that the software you're downloading was produced by who you expect.
A sim swap occurs when an attacker gains control of someone's mobile phone account. To succeed, the attacker poses as the victim either in person at a store or, more commonly, over the phone to the mobile service provider and states that the victim's sim has been compromised and needs diverting to another number (that they control). Once the attacker has control of the victims phone number, they proceed to use SMS authentication to gain access to email accounts and any online bitcoin accounts and look for funds to steal.
Fix 1 - Don't keep any bitcoin in an online account like an exchange.
Fix 3 - Call your mobile phone service provider and place a security lock on your account ensuring that you need to go in store and present I.D to make any account changes.
Fix 4 - This attack is reliant on the hacker knowing certain pieces of information about you. Keep the personal information that you post online to an absolute minimum.
Sending to the wrong chain
This type of mishap has become increasing harder to do with the introduction of new address types, but it is still possible to send bitcoin (BTC) to a bitcoin cash (BCH) address. Doing so would result in the coins being lost, or at a minimum, very difficult to retrieve for the average user.
Fix 1 - Always verify you are sending to a Bitcoin address, generated from someone who has a 'proper' Bitcoin wallet.
Using unconventional wallets
A far less common situation with the rise of modern wallet types but worth mentioning nonetheless. A user can lose bitcoin by sweeping only part of the total balance from a paper wallet to a new wallet and subsequently destroying the paper wallet thinking that the remaining balance from the paper wallet is now held as change in the new wallet. This is explained in detail here
Fix 1 - If you are going to use paper wallets, use them only once and sweep the entire balance when spending.
- There are no refunds in Bitcoin
- Be suspicious of everyone
- Your seed words are your bitcoin, guard them with your life
- Never enter your seed words into a website
- Educate anyone with access to your backups so they do not fall into these traps