Crypto as a space has grown a lot in recent years, with new users and liquidity coming on-chain, and a major attack vector we still notice is social engineering, an area where strong crypto OpSec practices are often overlooked. In 2024, users lost a net $1.1B to phishing attacks, followed by private key compromise, responsible for $850M of the $2.3B net loss. Even more recently, a Bitcoin holder lost $330M in BTC to a phishing attack; the funds were later swapped to Monero, pushing its price up by 40%.
Over the years, crypto projects have become more security-forward, securing their smart contracts, but one thing that still remains a threat to broader crypto liquidity is human error, which opens attack vectors like social engineering.
The good news is that there are ways to protect yourself as a user from such attacks. This article focuses on how to create a completely isolated environment for your crypto and improve your OpSec (Operational Security). Before starting out, a general rule of thumb is to be paranoid and cynical about every one of your on-chain interactions.
This is basic but often ignored by almost all on-chain users. When you transact on any EVM chain, you are often required to approve the amount a contract may spend on your behalf. Some of this changed post-Pectra with EIP-7702 (covered below), but you can still revoke approvals. This mostly comes as wallet functionality, in wallets like Rabby, where you can revoke your approvals to different dApps. It costs a little gas, as it is an on-chain interaction. Moreover, it is best to manually set the approval to the amount you actually intend to spend when making an initial transaction to a smart contract.
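Wallets like Rabby surface this check for you; as an added example (not code from the article or from Rabby), here is the same logic in Python: decode the calldata of an ERC-20 approve() call and classify the allowance against the amount you actually intend to spend. The router address and amounts are constructed sample values.

```python
# Added example: decode an ERC-20 approve() call and flag allowances that exceed
# what you intend to spend; this is the check to run before signing.
from dataclasses import dataclass
from typing import Optional

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = 2**256 - 1


@dataclass
class Approval:
    spender: str  # 0x-prefixed 20-byte address
    amount: int   # raw token units


def decode_approve(calldata: bytes) -> Optional[Approval]:
    """Return the Approval encoded in calldata, or None if it is not approve()."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = calldata[4:36], calldata[36:68]
    if any(spender_word[:12]):  # an address must be left-padded with zero bytes
        return None
    return Approval("0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big"))


def check_approval(calldata: bytes, intended_amount: int) -> str:
    """Classify an approve() call relative to the amount you mean to spend."""
    a = decode_approve(calldata)
    if a is None:
        return "not-an-approve"
    if a.amount == 0:
        return "revoke"      # approve(spender, 0) removes the allowance
    if a.amount == MAX_UINT256:
        return "unlimited"   # spender may move your whole balance, indefinitely
    if a.amount > intended_amount:
        return "excessive"
    return "bounded"


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve() calldata; used here only to construct sample transactions."""
    return APPROVE_SELECTOR + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")


if __name__ == "__main__":
    router = "0x" + "11" * 20        # constructed placeholder for a dApp router
    intended = 100 * 10**18          # 100 tokens with 18 decimals
    for label, data in [("unlimited", encode_approve(router, MAX_UINT256)),
                        ("exact", encode_approve(router, intended)),
                        ("revoke", encode_approve(router, 0))]:
        print(f"{label:10} -> {check_approval(data, intended)}")
```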
EIP-7702 changed how you interact with dApps: a user's EOA (Externally Owned Account) can now temporarily function as a smart contract, which means users can delegate control of their account (and its funds) to a contract and pay gas in any token. This comes with different security measures that need to be adopted as well.
A general rule is: don't delegate your wallet to any contract you don't trust or that isn't audited. Always manage your delegations, as a single delegation to the wrong contract will drain your funds. Be vigilant about every transaction, as attackers might trick users into signing a delegation.
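As an added example (not from the article), here is how a pre-signing check can tell whether an EOA currently carries an EIP-7702 delegation, and to whom. It parses the account code as eth_getCode would return it; the delegate addresses are constructed placeholders.

```python
# Added example: inspect an EOA's code for an EIP-7702 delegation designator.
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")    # EIP-7702 delegation designator
DELEGATION_LEN = len(DELEGATION_PREFIX) + 20   # prefix + 20-byte delegate address


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the 0x-address the EOA delegates to, or None for a plain EOA.

    An EOA with an active 7702 delegation has exactly 23 bytes of code:
    0xef0100 followed by the delegate contract's address. Revoking the
    delegation clears the code, so an empty bytestring also means 'none'.
    """
    if len(code) != DELEGATION_LEN or code[:3] != DELEGATION_PREFIX:
        return None
    return "0x" + code[3:].hex()


def delegation_status(code: bytes, trusted: set) -> str:
    """Classify the account for a pre-signing review against an allowlist
    of audited delegate contracts."""
    target = parse_delegation(code)
    if target is None:
        return "plain-eoa" if not code else "unexpected-code"
    if target.lower() in {t.lower() for t in trusted}:
        return "trusted-delegate"
    return "UNTRUSTED-delegate"


if __name__ == "__main__":
    # Constructed samples; a real check feeds eth_getCode(<your EOA>) in here.
    audited = {"0x" + "aa" * 20}   # placeholder address of an audited delegate
    samples = {
        "no delegation": b"",
        "audited":       DELEGATION_PREFIX + bytes.fromhex("aa" * 20),
        "unknown":       DELEGATION_PREFIX + bytes.fromhex("bb" * 20),
    }
    for name, code in samples.items():
        print(f"{name:14} -> {delegation_status(code, audited)}")
```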
Security goes beyond wallets; it starts with safe code. Whether you're a user or a builder, take the first step toward a more secure blockchain experience. Request an audit with QuillAudits and keep threats at bay.
If your assets are stored on an exchange, that is not ideally safe. You might be a trader, but you don't need all of your funds present on a single exchange at all times. Keep them safe: not your keys, not your funds.
Get yourself a hardware wallet. Major options in the market are Ledger, Trezor, and Grid. The goal of a hardware wallet is to keep your private keys isolated and to show clearly what message you are signing in a transaction. Remember, you are just one click away from getting drained. Always keep your passwords unique and long, and don't use the same password for everything.
Set up a BIP39 passphrase: it is an extra layer of security that sits on top of your seed phrase. Often called the 25th word, it is chosen entirely by you, is not limited to the BIP-39 dictionary, and is case-sensitive, so it is very secure.
It is suggested to store your seed phrase and BIP-39 passphrase separately, as the combination of both gives an attacker access to your wallet. If your seed phrase falls into the wrong hands, entering the wrong passphrase generates a different wallet with potentially no funds in it. Moreover, don't depend on a single seed phrase to generate multiple wallets. Different wallet, different seed phrase.
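To see why the seed phrase and passphrase must be kept apart, here is the BIP39 seed derivation itself, added here as an example (not code from the article). It uses only the Python standard library and the spec's published all-zero-entropy test vector with passphrase "TREZOR".

```python
# Added example: derive a BIP39 seed from a mnemonic plus passphrase as the
# standard specifies, and show that any change to the passphrase yields a
# different wallet.
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(password=mnemonic,
    salt="mnemonic" + passphrase, 2048 rounds, 64 bytes).
    Both strings are NFKD-normalised before encoding."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def same_wallet(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True only if both passphrases lead to the same seed, hence the same keys."""
    return bip39_seed(mnemonic, passphrase_a) == bip39_seed(mnemonic, passphrase_b)


if __name__ == "__main__":
    # Reference vector: 11 x "abandon" + "about" (entropy of all zeros).
    mnemonic = "abandon " * 11 + "about"
    print("TREZOR ->", bip39_seed(mnemonic, "TREZOR").hex())
    # Case and even trailing whitespace matter: each is a different wallet,
    # which is why a leaked mnemonic alone does not reveal the funded one.
    for p in ["", "TREZOR", "trezor", "TREZOR "]:
        print(f"{p!r:10} -> {bip39_seed(mnemonic, p).hex()[:16]}...")
```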
As a normal internet user, you receive emails, get spammed, and sometimes click the wrong links. To protect yourself from phishing attacks via email, Telegram, Discord, or any other social network you use for communication, keep a separate device: one for all your crypto interactions and a different one for everything else. Don't trust, verify.
The device you use for crypto transactions should be treated with great care; it should have as little interaction with the web as possible and should only be used for performing transactions.
If interacting with a new protocol, use a different wallet. Use tools like virtual machines to further isolate your interactions. A virtual machine is an isolated environment within your system with its own disk space and memory in which to run processes. Such tools ensure that interactions like downloading a file or checking something that might be important are done securely, away from your main environment.
This might sound like very common advice, but it is often ignored: never use public Wi-Fi at airports, cafes, or hotels to do any transaction, as attacks like Man-in-the-Middle (MITM) can intercept and manipulate the data you exchange.
Moreover, in public environments there can be network spoofing attacks, where attackers create a fake Wi-Fi network that looks legitimate; once you connect to it, your traffic flows through their system.
Choose your VPN provider carefully. You can go with Mullvad or a self-hosted VPN service like OpenVPN, as some VPN providers log traffic and have themselves suffered attacks.
On a compromised network, an attacker can push malware like keyloggers and clipboard hijackers to your primary device. Keyloggers, as the name suggests, log every keystroke, which can capture seed phrases and passwords and hence drain your funds. Clipboard hijackers manipulate the device's clipboard: suppose you copy a wallet address in order to send funds to it; if the clipboard contents are swapped, the funds are redirected to the attacker.
This might be difficult, and not fully achievable in every sense, but it is approachable. Keep your identity secure; never leave a connection between your real-world and on-chain identities. This is especially important because attacks can even turn physical: someone can break into your house and demand your seed phrase, at which point general OpSec won't help.
Crypto already gives us this power partially: although all transactions are public, users are still hidden behind a public address and can operate under a pseudonymous identity. This is easy to manage, and you can on-ramp and off-ramp easily through centralized exchanges without anyone needing to know. But achieving a full disconnect is a little hard and requires severe measures.
Moreover, keep separate emails for different interactions. Never keep all your eggs in one basket, and try to provide minimal personal information anywhere on the web.
| Recommended OpSec Actions | Explanation |
|---|---|
| Revoke Approvals in Your Wallet | Revoke every approval given to smart contracts; each approved contract can spend up to the limit you set. |
| Use Hardware Wallets | Hardware wallets are more secure. A wallet should protect your private key and properly display the message you are signing. |
| Isolate Your Device | Keep a separate device for crypto transactions. |
| Patch Your Network | Don't connect to public networks or leaky VPNs, as they can open the door to multiple attack vectors. |
| Be Anonymous | Try not to share your personal information anywhere, and unlink your on-chain identity from your real identity. |
Attack vectors like phishing and social engineering are still responsible for a major share of the funds stolen in crypto. Users need to take measures against these attacks and be vigilant about every transaction they perform on-chain.
Users need to improve their crypto OpSec (Operational Security) to protect themselves from attackers. Some measures might sound extreme, but they are important to take if you handle large amounts.
As a protocol, it is very important to get your infrastructure audited before going to mainnet or handling real user funds. At QuillAudits, we ensure that the whole infrastructure, including smart contracts, is secured with our multi-layered audit framework, our team of experienced auditors, and our 7+ years of experience.