In cryptocurrency investing or trading the potential for large gains lies in parallel with the potential for losses. These losses may come from assets losing real world value but more dangerously because we are dealing with cutting edge systems that are minimally regulated. Projects may have bugs or even be outright scams. But the space is also rife with bad actors, taking advantage of misunderstood technology, poorly developed security habits and practices, and the sometimes exuberant and overly hopeful emotions of unseasoned - well, sometimes very seasoned! - participants.
Let's talk about a few ways that people get hacked and how you can avoid joining the club.
1) PRIVATE KEYS ARE PRIVATE.
In cryptocurrency, every wallet transaction relies on a public and a private key for that wallet. These keys are long strings of hexadecimal characters. Each character is one of 16 symbols, 0-9,A-E. Every single wallet on the blockchain has a public and a private key. The public keys are public addresses, and are perfectly safe and necessary to give out... it's how other wallets transfer funds to you, how you interact with contracts.. for anything you have to do on the blockchain, you have to provide your PUBLIC key. Now there's no need to give it to someone for no reason, but it's not fishy if someone, say, who wants to pay you, or is helping to trace some transactions, asks for it. The public key. Public.
In Metamask, the most popular Web3 wallet, it's displayed right in the main interface and is easy to copy to the clipboard by clicking on it.
The public key of this wallet is 0xFaa03b641eA6196175f7C4b433519c85AEDe355d .
On the other hand, your private key should never ever be given out. The only people who should know your private key are maybe your family members or if you're some rich person who's hired someone to handle your defi business, who you completely trust. If you have only interacted with a big centralized exchange like Coinbase, it's likely you've never even gone close to your private key. You're in fact using Coinbase's wallet, and it's up to them to keep those private keys safe.
But when you get a little more experience, and you start setting up your own wallet and doing your own transactions, you'll likely be using METAMASK or another Web3 wallet, and though this software often creates your private key without you ever having to know it, that key is available to you. There's also a 12 or more word passphrase that you'll create when making a new wallet, that is essentially a mapping to your private key, and that is just as important to keep safe.
Basically, you need this 12 word passphrase, or private key... they both do the same thing... in order to recover your wallet on the blockchain. If you lose your computer, or your operating system needs to be reinstalled, etc., you haven't lost any funds as long as you can recreate this wallet. It also allows you to use the same wallet in multiple different places.
But there will be times when the nicest people, in a forum, on telegram, on discord, on twitter, in places where you may be actually trying to educate yourself, will pop up and offer to help you with something and ask for your 12 words or your private key. NEVER EVER give it out to someone like this. If you do, you'll be hacked, and your funds will be stolen. That's one of the only "sure things" in crypto.
2) SO MAKE SURE YOU SECURE YOUR KEYS!
Most hacks in fact are not complex ingenious feats of software engineering... they are social engineering. We talked above about people asking for keys or passphrases that you should just tell to screw off. But what about the seemingly innocent people in your life who you're around all the time who may just be a little less innocent than you think? Have you ever written down an important piece of information, left it on your desk, then gotten up to go to lunch? Maybe you're gone for a few hours. And maybe during that time, the custodian comes in the office. Or there's a job interview going on and a new candidate enters the building. Or the IT person who comes by to fix the servers every so often just happens to have picked up on the fact that you have done some crypto trades now and then, and has figured out over the course of their 20 visits how to put a camera in your office that looks like any other webcam. This may be an extreme scenario, but if he or she knows you've got $10K worth of crypto in a wallet (which you CAN find out from your public key), maybe it's worth it to sabotage your machine, so you have to set up a new one, and that camera has your screen in view.... I mean, it's ten thousand dollars, right?
Recently, EasyFi, a very popular DeFi platform, was hacked, simply because one of the admins had their private key stolen. How this happened remains to be seen. But this was the admin of a platform dealing with hundreds of millions of dollars in assets, who supposedly had experience in technology and finance. You can do the right thing 99 times, and the wrong one only once, and it may only take that once for you to lose it all.
3) BUT IT COULD BE MALICIOUS SOFTWARE TOO.
The recent SolarWinds attack was a supply chain attack. That is, the attacker replaced a legitimate file in a software update with one of their own, that then ended up being deployed on all the clients' machines who installed the update. The attack happened at the source. In our case, if a wallet like Metamask were to be compromised, well that would be very very bad. I guess the main security against that is if funds started disappearing from a new Metamask update, it would be noticed so quickly that hopefully the entire world would be aware and be able to stop the spread... again, hopefully before too many people got hurt.
BUT, what you CAN prevent against is running a counterfeit version of Metamask, or another crypto wallet, or other software that acts badly.
Sometimes, you'll notice ads in Google Search, for instance, that appear above search results. I've seen ads for wallets that have names very close to Metamask but that aren't (Metamask is here, by the way: https://metamask.io). CHECK CAREFULLY. When downloading software that deals with money, or anything, really, make sure you're downloading the right thing. Check each letter. Check the extension. Is it metamask.io ? or metamask.is ? Not the same!!
Even in the Android or IOS store, occasional fake versions of wallet software get through. Before you install anything, just double or triple check that the name is exactly as it is supposed to be, that the 1000s of people who talk about it online are talking about this, yes this, thing you're installing on your phone. Check that logo. Check the developer's account name. Check the punctuation, check how many people have actually downloaded it... is it 100,000 or 100 ?
As well, when you download software, there are ways to ensure that what you've downloaded is actually what the developer intended... that is, nobody say replaced their released version secretly. Here's two articles on how to do this... it's a bit involved, but if you manage a few million in funds, it's something you should do!
https://medium.com/mycrypto/how-to-ensure-youre-running-the-legitimate-version-of-metamask-5fcd8ab32b96
https://technastic.com/check-md5-checksum-hash/
And lastly for this section, make sure you secure your machine from downloading any other malware, that could for instance, log your keystrokes, take screenshots, do anything nasty in the background. If you notice a previously well-performing system that is degrading, and there's no reason for it to be, stop, and do a check. See what's running, and if you're not sure about anything, find someone that is or get help online... you may have some malware.
4) BUYER BEWARE!
Well if you do have your system secure and everything's running, then great! Maybe you're ready to go out and swap for some tokens, and wait for the profits to come in! But just be cautious as you step into the world of defi... there are tokens that are fake, counterfeit, designed to trick. When you trade for a token, make sure that's the actual token you want. Look up its contract address and compare it with what you're getting on, say, Uniswap. And watch for new projects that aren't vetted by the community yet. It's possible you've stumbled onto a gem, but it's also possible you've just stumbled.
Sites like Rekt, DeFi Pulse, and DappRadar can give you a good idea of what's legitimate (or thought to be) and not.
5) FINALLY...
It sucks to get scammed. It can make you feel like a fool and get you disheartened about an otherwise exciting technological revolution! But, even the best of us are flawed and have our lapses in judgment. What's more important is to manage your risk. If you lose some lunch money to a promising project that turned out to be too promising, well, as long as you can still eat dinner, you've learned a little something. And if a wallet gets drained, that'd be horrible, but if you have two other wallets where you still have more than half your funds, you live to fight another day. And of all your funds in wallets, if that's not the majority of your net worth, you'll live to fight many many other days. Manage your risk, and do your due diligence. Good luck!
