Custody: who holds your money?

This is the most important security concept in crypto. There are two models:

Custodial (someone else holds it)

When you keep crypto on an exchange like Coinbase or Binance, they hold your keys. It's like a bank — convenient, but if the company is hacked, goes bankrupt, or freezes your account, you may lose access.

Self-custody (you hold it)

When you use a wallet like MetaMask, Phantom, or a hardware wallet, you hold your own keys. No one can freeze your funds, but if you lose your keys, no one can recover them either.

Most DeFi activity happens with self-custody wallets. This gives you full control — and full responsibility.

Your seed phrase is everything

When you create a self-custody wallet, you receive a seed phrase (also called a recovery phrase) — usually 12 or 24 words. This phrase is the master key to your wallet: anyone who has it controls your funds.

Rules for your seed phrase:

  • Write it down on paper. Never store it digitally (no screenshots, no cloud notes, no email).
  • Store it in a safe, secure location — ideally two separate physical locations.
  • Never share it with anyone. No legitimate service will ever ask for it.
  • If someone asks for your seed phrase, it is a scam. Always. No exceptions.

Hardware wallets

A hardware wallet (like Ledger or Trezor) is a physical device that stores your private keys offline. Even if your computer is compromised, your keys remain safe on the device. To sign any transaction, you must physically confirm it on the device.

For any significant amount of crypto, a hardware wallet is strongly recommended. Think of it like a safe for your most important documents — less convenient than leaving them on your desk, but much more secure.

Common scams and how to recognize them

Crypto scams follow predictable patterns. Knowing them is your best defense:

Phishing

Fake websites that look identical to real services (like a fake Uniswap or MetaMask). They ask you to connect your wallet and approve a transaction that drains your funds. Always verify the URL before connecting your wallet. Bookmark the real sites you use.

Fake customer support

Scammers impersonate support agents on Discord, Telegram, or Twitter. They offer to "help" with a problem and ask you to share your screen, enter your seed phrase, or visit a link. No legitimate project will ever DM you first offering help.

Too-good-to-be-true yields

A new token offering 1,000% APY, a mysterious airdrop worth thousands, a guaranteed return on investment. If it sounds too good to be true, it is. Sustainable yields in DeFi are typically 2%–8%. Anything dramatically higher carries extreme risk or is an outright scam.

Malicious tokens and airdrops

Scammers send random tokens to your wallet that appear to be worth money. When you try to sell or interact with them, you approve a transaction that drains your real tokens. Ignore tokens you don't recognize. Don't interact with them.

Impersonation

Fake social media accounts posing as project founders, influencers, or companies. They promote scam links, fake giveaways, or malicious contracts. Always verify accounts through official channels.

Rug pulls and exit scams

A rug pull occurs when the developers of a crypto project suddenly abandon it and disappear with investors' funds. This happens frequently with new DeFi protocols or token launches: the team raises money through token sales or liquidity pools, then drains the smart contracts and vanishes. Warning signs include:

  • Anonymous teams with no verifiable track record.
  • Liquidity that is not locked, or locked only for very short periods.
  • No independent security audits.
  • An artificially inflated TVL (total value locked) created to give a false sense of trust.

Projects that aggressively promote unrealistic returns while discouraging research are particularly suspicious. Always research the team, the audit history, and the liquidity lock status before depositing funds.

Token permissions and approvals

Every time you use a DeFi service, you typically grant it permission to move a specific token on your behalf. These approvals persist indefinitely — even after you've stopped using the service.

If a service you approved is later hacked, attackers can use that approval to move your tokens. This is why periodically reviewing and revoking old approvals is good security practice.

CleanSky's Security tab shows all active permissions on your wallets — which services have access to which tokens, and whether any of them look risky. This is one of the most important security checks you can do.
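As an added example (not CleanSky's code, and not part of the original article), the script below shows the two checks this section and the "verify before you sign" habit describe, done offline: decoding the calldata of a pending ERC-20 approve() transaction to see which spender gets what allowance, and replaying Approval events to list which allowances are still open. The selectors are the standard ERC-20 ones; every address, block number and event in the sample data is constructed for illustration, and a real tool would fetch the events from a node (for example via eth_getLogs) rather than from a hard-coded list.

```javascript
// Added example: inspect ERC-20 approvals offline. Sample addresses and events are constructed.

const APPROVE_SELECTOR = "095ea7b3";          // first 4 bytes of keccak256("approve(address,uint256)")
const UNLIMITED = (1n << 256n) - 1n;          // uint256 max: the "infinite approval" value

// Decode the calldata of an approve() transaction, as shown in a wallet's transaction details.
// Returns null when the selector is not approve(); throws when the length is malformed.
function decodeApprove(calldata) {
  const hex = (calldata.startsWith("0x") ? calldata.slice(2) : calldata).toLowerCase();
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length for approve()");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  // The address argument is right-aligned in its 32-byte word: skip 12 zero bytes (24 hex chars).
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount };
}

// What a user should notice before signing: an unlimited cap, or a spender they do not recognize.
function assessApproval({ spender, amount }, trustedSpenders) {
  const findings = [];
  if (amount === UNLIMITED) findings.push("unlimited allowance");
  if (!trustedSpenders.has(spender)) findings.push("spender not on your allowlist");
  return findings;
}

// Replay Approval(owner, spender, value) events to reconstruct current allowances.
// The event carries the new absolute allowance, so the latest event per (token, spender) wins.
function currentAllowances(events, owner) {
  const latest = new Map();
  for (const ev of events) {                       // events must be in chain order
    if (ev.owner !== owner) continue;
    latest.set(`${ev.token}:${ev.spender}`, ev);
  }
  return [...latest.values()]
    .filter(ev => ev.value > 0n)                   // value 0 means the approval was revoked
    .map(ev => ({
      token: ev.token, spender: ev.spender, value: ev.value,
      block: ev.block, unlimited: ev.value === UNLIMITED,
    }));
}

// Constructed sample data (fictitious addresses and block numbers).
const ME = "0x" + "aa".repeat(20);
const TOKEN_A = "0x" + "01".repeat(20);
const DEX = "0x" + "d1".repeat(20);             // a service still in use
const OLD_APP = "0x" + "0d".repeat(20);         // a service no longer used

// approve(DEX, uint256 max), encoded as selector + padded address + amount
const SAMPLE_CALLDATA = "0x" + APPROVE_SELECTOR + "0".repeat(24) + DEX.slice(2) + "f".repeat(64);

const SAMPLE_EVENTS = [
  { block: 100, token: TOKEN_A, owner: ME, spender: OLD_APP, value: UNLIMITED },
  { block: 200, token: TOKEN_A, owner: ME, spender: DEX, value: 500n * 10n ** 18n },
  { block: 300, token: TOKEN_A, owner: ME, spender: DEX, value: 0n },                         // revoked
  { block: 350, token: TOKEN_A, owner: "0x" + "bb".repeat(20), spender: OLD_APP, value: 1n }, // not ours
];

// Human-readable report over the sample data.
function report() {
  const lines = [];
  const decoded = decodeApprove(SAMPLE_CALLDATA);
  lines.push(`pending approve: spender=${decoded.spender} findings=${assessApproval(decoded, new Set([DEX])).join(", ") || "none"}`);
  for (const a of currentAllowances(SAMPLE_EVENTS, ME)) {
    lines.push(`open allowance: token=${a.token} spender=${a.spender} ${a.unlimited ? "UNLIMITED" : a.value.toString()} (block ${a.block})`);
  }
  return lines;
}

console.log(report().join("\n"));
```

Running it prints one warning for the pending transaction (an unlimited cap for a known spender) and one open allowance: the unlimited approval granted to OLD_APP at block 100 is still live, while the DEX allowance was revoked at block 300. That stale unlimited approval is exactly the kind of entry worth revoking.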

Smart contract risk

When you deposit crypto into a DeFi service, your tokens are held by a smart contract — a program running on the blockchain. If that program has a bug or vulnerability, your funds could be at risk.

Things that reduce (but don't eliminate) smart contract risk:

  • Audits — Reputable services have their code reviewed by independent security firms. Look for audit reports on the protocol's website.
  • Track record — Services that have been running for years with significant value locked have been battle-tested.
  • Open source code — When the code is public, more eyes can find potential issues.
  • Insurance — Some DeFi insurance services (like Nexus Mutual) offer coverage against smart contract failures, though coverage is limited and not automatic.

Unaudited contracts are a common ingredient in rug pulls. If a project has no publicly available audit from a recognized firm, treat that as a significant warning sign before committing funds.

Learn how to protect yourself: How to verify smart contracts.

Network and bridge risks

Moving tokens between different blockchain networks requires bridges — services that lock your tokens on one network and release equivalent tokens on another. Bridges are historically one of the highest-risk components in crypto, having suffered some of the largest hacks in DeFi history.

If you bridge tokens, understand that you're adding a layer of risk on top of whatever you do with those tokens afterward. CleanSky's risk analysis accounts for bridge exposure as a separate risk factor.

Practical security habits

The most effective security comes from consistent habits:

  • Use a dedicated browser profile for crypto. Don't install unnecessary extensions.
  • Bookmark the services you use and always navigate from bookmarks, never from search results or links in messages.
  • Verify before you sign. Read what a transaction is doing before you approve it in your wallet.
  • Start small. When using a new service for the first time, try it with a small amount before committing more.
  • Revoke old approvals. Periodically review which services have permission to move your tokens.
  • Keep software updated. Your wallet app, browser, and operating system should always be current.
  • Don't share your setup. Avoid publicly discussing which services you use, how much you hold, or which wallets are yours.

Remember: In crypto, there are no refunds, no chargebacks, and no fraud departments. Every transaction is final. The time you spend on security is always worth it.

Scan your wallet for risky token approvals and suspicious permissions — no signup required.
