The myth: hackers break the code
When people hear about crypto theft, they picture a hooded figure exploiting a zero-day vulnerability in a smart contract. It makes for a good headline, but it misrepresents where the money actually goes.
In 2024, roughly 70% of stolen cryptocurrency came from "infrastructure attacks" — compromised private keys and seed phrases. These aren't really hacks in the way most people understand the word. They're structural failures in how people store, manage, and interact with their crypto.
The code on the blockchain might be fine. The vulnerability is the person holding the keys — their habits, their shortcuts, their memory, and the gap between their security intentions and their day-to-day behavior.
The real killer: complexity
A common piece of advice in crypto is to use multiple wallets: one for trading, one for cold storage, one for DeFi, one for NFTs. The logic sounds good — compartmentalize risk. But in practice, going from 1 wallet to 12 wallets doesn't make you safer. It makes everything harder to manage.
| Factor | Single wallet (cold) | Multi-wallet (fragmented) |
|---|---|---|
| Attack surface | Single point | Multiple vectors |
| Operational overhead | Low | High — multiple seeds, derivation paths, hardware devices |
| Cognitive load | Manageable | Leads to alert fatigue and operational drift |
| Allowance management | Easy to audit | Impractical to track manually (many chains times many wallets) |
Wallet sprawl
Dust scattered across dozens of addresses, small balances you forgot about, tokens stuck on chains you no longer use. Over time, you lose track of what you own and where it lives. This isn't just messy — it's a security liability. Assets you don't know about are assets you can't protect.
The weakest link problem
12 wallets managed from the same browser extension on the same laptop equals one point of failure. If that browser extension is compromised, or if your laptop is infected with malware, all 12 wallets are exposed simultaneously. The complexity gave you the illusion of security without the substance.
Learn more about wallet fundamentals in our guide: What is a crypto wallet?
Operational drift: the silent killer
You start with a pristine security setup. Dedicated laptop. Hardware wallet. Paper seed phrase backup stored in a fireproof safe. You promise yourself you'll never cut corners.
Then 12 to 24 months pass, and drift happens:
- Phase 1: You install a browser extension on the dedicated laptop for "just one quick transaction." It stays.
- Phase 2: You connect the hardware wallet to an unverified dApp because moving funds through your normal process is too slow and you need to catch a yield opportunity.
- Phase 3: You photograph the seed phrase or type it into a password manager "temporarily" because you need access while traveling.
None of these steps trigger an alarm. The system appears secure because nothing has gone wrong yet. You mistake the absence of incidents for the presence of security. Then one day, a compromised extension or a phished approval drains everything.
Normalization of deviance
A concept from safety engineering (sociologist Diane Vaughan coined the term in her study of the Challenger launch decision): every time you skip a security step and nothing bad happens, the dangerous behavior gets reinforced. It becomes "normal." Over time, the gap between your documented security procedures and your actual behavior widens until a failure exploits that gap. The Challenger disaster, the Deepwater Horizon explosion, and most crypto losses share this pattern.
For more on practical security habits, see: Staying safe in crypto
Forgotten approvals: the open doors you don't know about
Every time you interact with a DeFi protocol — swapping tokens, providing liquidity, depositing into a vault — you first approve that protocol's smart contract to spend your tokens (an ERC-20 approve, or setApprovalForAll for an NFT collection). This is how DeFi works: the token contract records an allowance, and the protocol's contract later calls transferFrom to move your assets on your behalf.
The problem: most dApps request "infinite" approval (technically 2^256 - 1 tokens, the largest value a uint256 can hold) so that you never have to pay for another approval transaction. That allowance stays active forever, or until you explicitly set it back to zero.
If you've used 50 protocols across 12 wallets over 3 years, you might have hundreds of open, infinite approvals. Each one is a door into your wallet. The token contract honors a transferFrom from any address that holds an allowance, so if any of those contracts gets compromised, has an upgrade path that's exploited, or is maliciously modified, it can drain the approved tokens from your wallet without any further signature from you. You already pre-signed the theft.
Zombie approvals
Approvals to contracts you haven't used in months or years, for protocols you forgot about, on chains you barely touch. These contracts still have permission to move your tokens. The protocol might have been abandoned, its team might have disappeared, its admin keys might have been compromised — and it can still drain your wallet.
Tools like Revoke.cash exist specifically for this problem — but the fact that they need to exist proves the system is broken. You shouldn't have to use a third-party tool to close doors that were silently left open.
CleanSky shows your token approvals across all your wallets so you can see what's exposed in one view. Instead of checking each wallet on each chain individually, you get a complete picture of every contract that has permission to move your tokens.
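The audit described in this section and the one before it, as an added example that is not CleanSky's code or any wallet's: replay a wallet's ERC-20 Approval logs, keep the latest allowance per (token, spender), flag the ones that are unlimited or untouched for a long time, and build the approve(spender, 0) calldata that revokes each. The log entries and every address below are constructed placeholders; the only real constants are the Approval event topic and the approve selector.

```python
"""Audit ERC-20 allowances from Approval event logs and build revoke calldata.

Added example, not CleanSky's code. The log entries are constructed, with
made-up token, owner and spender addresses. A real audit would fetch them with
eth_getLogs(topic0=APPROVAL_TOPIC, topics[1]=owner) on every chain, per wallet.
"""
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")


def word_to_address(word: str) -> str:
    """An address in a 32-byte ABI word is its last 20 bytes (40 hex chars)."""
    return "0x" + word[-40:].lower()


def address_to_word(addr: str) -> str:
    return addr.lower().removeprefix("0x").rjust(64, "0")


@dataclass
class Allowance:
    token: str
    spender: str
    amount: int
    block: int


def current_allowances(logs: list[dict], owner: str) -> list[Allowance]:
    """Replay Approval logs in chain order; the latest per (token, spender) wins,
    because approve() SETS the allowance rather than adding to it.

    Caveat: transferFrom lowers an allowance and most tokens emit no Approval
    for that, so these values are upper bounds. Confirm each candidate with the
    token's allowance(owner, spender) view call before acting on it."""
    owner = owner.lower()
    latest: dict[tuple[str, str], Allowance] = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC:
            continue
        if word_to_address(log["topics"][1]) != owner:
            continue  # someone else's approval
        spender = word_to_address(log["topics"][2])
        token = log["address"].lower()
        latest[(token, spender)] = Allowance(token, spender, int(log["data"], 16), log["blockNumber"])
    # an Approval with amount 0 is a revoke; it overwrote the earlier grant, so drop it
    return [a for a in latest.values() if a.amount > 0]


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector, spender word, zero amount word.
    This is sent to the TOKEN contract (not the spender) to close the door."""
    return "0x" + APPROVE_SELECTOR + address_to_word(spender) + "0" * 64


def audit(logs: list[dict], owner: str, current_block: int, stale_after_blocks: int = 2_600_000) -> list[dict]:
    """Flag allowances that are effectively unlimited or untouched for roughly a
    year (2.6M blocks at 12 s) and attach the transaction that revokes each."""
    findings = []
    for a in current_allowances(logs, owner):
        reasons = []
        if a.amount >= 2**255:  # 2**256-1 and similar "infinite" grants
            reasons.append("unlimited")
        if current_block - a.block > stale_after_blocks:
            reasons.append("stale")
        if reasons:
            findings.append({"token": a.token, "spender": a.spender, "reasons": reasons,
                             "revoke": {"to": a.token, "data": revoke_calldata(a.spender)}})
    return findings


# ---- constructed sample data: placeholder addresses, not real contracts ----
OWNER = "0x1111111111111111111111111111111111111111"
TOKEN = "0x2222222222222222222222222222222222222222"
DEX_ROUTER = "0x3333333333333333333333333333333333333333"
OLD_FARM = "0x4444444444444444444444444444444444444444"
LENDER = "0x5555555555555555555555555555555555555555"
OTHER_USER = "0x6666666666666666666666666666666666666666"


def log_entry(block: int, idx: int, owner: str, spender: str, amount: int) -> dict:
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, "0x" + address_to_word(owner), "0x" + address_to_word(spender)],
            "data": "0x" + hex(amount)[2:].rjust(64, "0")}


SAMPLE_LOGS = [
    log_entry(12_000_000, 1, OWNER, OLD_FARM, 500 * 10**18),      # years-old farm, never revoked
    log_entry(14_000_000, 0, OWNER, LENDER, 100 * 10**18),        # later revoked ...
    log_entry(15_000_000, 2, OWNER, LENDER, 0),                   # ... here (amount 0)
    log_entry(19_900_000, 3, OWNER, DEX_ROUTER, MAX_UINT256),     # recent unlimited approval
    log_entry(19_950_000, 0, OTHER_USER, OLD_FARM, MAX_UINT256),  # not our wallet, ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS, OWNER, current_block=20_000_000):
        print(f["spender"], f["reasons"], f["revoke"]["data"])
```

Run against the sample, the audit reports the old farm as stale and the router as unlimited, and drops the lender allowance that was already set to zero. The revoke transaction targets the token contract, which is the part people get wrong: the spender never has to cooperate for you to shut its allowance off.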
Phishing through approvals
Modern crypto phishing has evolved. Sophisticated attackers rarely bother asking for your seed phrase anymore; that approach only works on beginners. Instead, they use UI spoofing to trick you into signing an approve() transaction disguised as something harmless, or an off-chain Permit signature (EIP-2612 or Permit2) that grants the same allowance without an approval transaction ever appearing in your history.
The attack looks like this: you visit what appears to be a legitimate dApp and click "Login" or "Verify wallet." A login never needs an on-chain transaction, but what you're actually signing is an approval granting the attacker's address unlimited access to your tokens (or a setApprovalForAll that hands over an entire NFT collection). Because users are accustomed to signing complex, unreadable transaction data (a symptom of operational drift), they click "Confirm" without reading.
Domain spoofing amplifies this. Attackers register domains like uni-swap.com or revokecash.net and buy Google ads that place their sites above the real ones in search results. If you navigate to DeFi apps via search engine instead of bookmarks, you're gambling every time.
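What a careful signer would check before clicking "Confirm", as an added example that is not from the original post or any wallet: decode the raw calldata the wallet is about to send and name the approval it really contains. The "Login" transaction below is constructed; the token, router and attacker addresses are placeholders, and only the three function selectors (standard ERC-20, OpenZeppelin and ERC-721/1155 signatures) are real.

```python
"""Decode what a transaction actually does before confirming it in your wallet.

Added example, not part of the original post. The requests below are
constructed: placeholder contracts as `to`, and calldata that is really
approve(<attacker>, 2**256-1) or setApprovalForAll(<attacker>, true).
"""
MAX_UINT256 = 2**256 - 1
# first 4 bytes of keccak256(<canonical signature>)
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 amount / ERC-721 token id
    "39509351": "increaseAllowance(address,uint256)",  # OpenZeppelin ERC-20 extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155 operator grant
}


def word(args: str, i: int) -> str:
    """i-th 32-byte ABI argument word, as 64 hex chars."""
    return args[64 * i:64 * (i + 1)]


def inspect_transaction(tx: dict, trusted_spenders: set[str], claimed_action: str = "") -> dict:
    """Return what the calldata does plus the warnings a careful signer would want."""
    data = tx["data"].lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    warnings = []
    if claimed_action in ("login", "verify wallet"):
        warnings.append("a login or wallet verification never needs an on-chain transaction")
    if tx.get("value", 0):
        warnings.append(f"also sends {tx['value']} wei of native coin")
    name = APPROVAL_SELECTORS.get(selector)
    if name is None:
        # not an approval; still decode it against the target contract's ABI before signing
        return {"kind": "other", "selector": selector, "warnings": warnings}
    if len(args) != 128:
        warnings.append("malformed arguments for a two-argument call")
        return {"kind": name, "warnings": warnings}
    spender = "0x" + word(args, 0)[-40:]
    raw = int(word(args, 1), 16)
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {spender} is not on your allowlist")
    if name.startswith("setApprovalForAll"):
        if raw == 1:
            warnings.append("grants operator rights over every token you hold in this collection")
    elif raw >= 2**255:
        warnings.append("unlimited allowance (2**256-1 style)")
    return {"kind": name, "contract": tx["to"].lower(), "spender": spender, "amount": raw, "warnings": warnings}


# ---- constructed sample requests: placeholder addresses, not real contracts ----
STABLECOIN = "0x" + "aa" * 20
NFT_COLLECTION = "0x" + "cc" * 20
DEX_ROUTER = "0x" + "33" * 20
ATTACKER = "0x" + "bad" * 13 + "0"  # 40 hex chars
TRUSTED = {DEX_ROUTER}


def encode_two_arg_call(selector: str, addr: str, amount: int) -> str:
    return "0x" + selector + addr.lower().removeprefix("0x").rjust(64, "0") + hex(amount)[2:].rjust(64, "0")


PHISHING_LOGIN_TX = {"to": STABLECOIN, "value": 0, "data": encode_two_arg_call("095ea7b3", ATTACKER, MAX_UINT256)}
HONEST_SWAP_APPROVAL = {"to": STABLECOIN, "value": 0, "data": encode_two_arg_call("095ea7b3", DEX_ROUTER, 1_000 * 10**6)}
NFT_DRAINER_TX = {"to": NFT_COLLECTION, "value": 0, "data": encode_two_arg_call("a22cb465", ATTACKER, 1)}
PLAIN_TRANSFER = {"to": STABLECOIN, "value": 0, "data": "0xa9059cbb" + "0" * 128}  # transfer(address,uint256)

if __name__ == "__main__":
    for label, tx, claim in [("login", PHISHING_LOGIN_TX, "login"), ("swap", HONEST_SWAP_APPROVAL, ""),
                             ("nft", NFT_DRAINER_TX, "verify wallet"), ("transfer", PLAIN_TRANSFER, "")]:
        print(label, inspect_transaction(tx, TRUSTED, claim))
```

The point the decoder makes is that the `to` field of the phishing transaction is the stablecoin contract, not the attacker; the attacker only appears as the spender argument buried in the calldata, which is exactly what a spoofed "Login" button hides. A Permit signature needs the equivalent check on the EIP-712 typed data (spender, value, deadline), since no calldata ever reaches your wallet in that case.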
For a broader view of threats and how to defend against them, see: Staying safe in crypto
Role mixing: being your own bank is harder than it sounds
In traditional finance, different people handle different functions. A custodian holds the keys. A trader executes transactions. An IT team manages devices and infrastructure. An auditor checks the history. These roles are separated on purpose — because no single person should have unchecked access to every function.
In crypto self-custody, you are all of these roles simultaneously. You hold the keys, you execute trades, you manage the devices, and you audit your own history. The "Trader" in you wants speed and convenience. The "Custodian" wants isolation and caution. When you play both roles, the Trader usually wins — and security pays the price.
This leads to two critical failure modes:
Cold Signing Like Hot (CSLH)
Using your cold storage key — meant to live in an air-gapped vault — to sign transactions on a connected device for convenience. Maybe you need to approve a swap quickly and don't want to go through the full cold-signing procedure. If that connected device is compromised, your savings are gone. The cold wallet was your last line of defense, and you bypassed it.
Hot Holding Like Cold (HHLC)
Storing significant savings in a hot wallet that's always connected to the internet. The institutional standard is 90-95% of holdings in cold storage with only 5-10% hot for active use. Individual users often keep everything in a single hot wallet — their trading wallet, their savings, their long-term holdings — all one compromised transaction away from being drained.
Learn about hardware wallets for proper cold storage: What is a hardware wallet?
Wealth is structure, not just numbers
The solution isn't more wallets — it's better structure. A well-designed setup with three wallets can be dramatically more secure than a chaotic setup with twelve.
Three pillars matter:
- Legal structure — Trusts, succession planning, documented beneficiaries. If something happens to you, can your family access your crypto? Without legal structure, your wealth can become permanently inaccessible.
- Technical structure — Multisig: require 2-of-3 keys to sign any transaction, so no single key (or the device it lives on) is a point of failure; this only holds if the three keys are generated and stored independently of each other. Account abstraction enables social recovery and spending limits. These aren't theoretical — they're deployed and working today.
- Operational structure — Documented procedures, quarterly allowance audits, strict separation of vault wallets (cold, never connected) from operational wallets (hot, limited funds). If it's not written down, it's not a procedure — it's a memory, and memories drift.
A human cannot formally prove the security of a 12-wallet mesh with hundreds of contract interactions. They can only approximate safety, and approximations eventually fail. The goal isn't perfect security — it's a structure simple enough that you can actually verify it.
For context on the scale of losses that structural failures cause, see: Biggest crypto hacks
What you can do right now
You don't need to overhaul everything at once. Start with the highest-impact actions:
- Audit your token approvals. CleanSky shows these across all your wallets. Revoke anything you're not actively using.
- Use multisig for significant holdings. Even a simple 2-of-3 setup eliminates the single point of failure that causes most losses, as long as the keys live on separate devices with separate backups.
- Keep cold storage strictly cold. Never connect a cold wallet to a dApp. If you're tempted, that's the Trader overriding the Custodian.
- Use separate seed phrases for different risk tiers. Your vault seed and your DeFi exploration seed should have no relationship to each other.
- Bookmark trusted sites. Never navigate to DeFi apps via search engines. One mistyped URL or one promoted phishing ad is all it takes.
- Review your setup every quarter. Check approvals, verify your cold storage is still cold, confirm your backup procedures still work.
- Write down your operational procedures. Don't rely on memory. Memory drifts. Paper doesn't.
For a deeper look at risk categories across your portfolio, see: Understanding risk in crypto
See all your token approvals, wallet exposure, and security risks across every chain — no signup required.