In stock trading the most important thing is the stop loss; in the cryptocurrency world the most important thing is security. Do the trading tricks you have learned and the size of the opportunity matter? Yes, they do! But if you have worked hard to build your assets up to A8A9 (eight or nine figures) and they are then stolen because of a security lapse, that is without doubt the most unfair thing in the world.
The most painful thing in the cryptocurrency world is that the price drops as soon as you buy and plummets as soon as you sell: you do not make a penny and are left with nothing but your underwear.
The most painful thing in the cryptocurrency world is also clicking the wrong link or installing the wrong program and handing everything you earned to hackers and scammers, leaving you with nothing.
A few days ago a friend of mine had his phone stolen. He is a veteran of the industry with a strong sense of security, yet he was still robbed. So I went back to the "Blockchain Dark Forest Self-help Manual" written by Yuxian and the SlowMist team and read it systematically. I believe most people in the industry have the same need, so I have written up my study notes so that everyone can learn together. Thanks again to Mr. Yuxian, respect!!!
The full text will be divided into four parts:
1. Wallet
2. Traditional Privacy Protection
3. Human-nature security
4. What to do if it is stolen
First, the two major principles of cryptocurrency security:
1. Zero trust: do not trust easily; stay skeptical of everything
2. Continuous verification: be able to verify your doubts, and make that ability a habit
⭐⭐1. Wallet
Two principles for wallets:
1. Remember and safeguard your private key/mnemonic
2. Isolate multiple wallets: use wallets holding large funds as rarely as possible, use small-fund wallets for frequent interactions, and use small-fund wallets to try out new projects and new things
1. Create a wallet
In short: download genuine, unmodified applications from the official website.
(1) Reach the official website through CoinMarketCap, Rootdata or the project's official Twitter. Avoid searching for it on Google, since Google ads are often full of phishing scams.
(2) For PC wallets, verify with GPG that the download has not been tampered with before installing it.
(3) For browser extension wallets, judge whether they are genuine by the number of users, ratings and reviews.
(4) Buy hardware wallets from the official website rather than from a third-party online store. When first using one, create a wallet from scratch three times in a row; if the mnemonics and wallet addresses never repeat, the device is relatively safe.
(5) Web wallets are not recommended.
2. Backing up your wallet
(1) Backing up a wallet means backing up the mnemonic/private key. Mnemonics and private keys come in four main forms: plaintext, passphrase-protected, multi-signature, and SSS (Shamir's Secret Sharing).
(2) Keep multiple backups: cloud backup, paper backup, electronic-device backup and brain backup.
(3) Encrypt before backing up to the cloud; a relatively lazy way is to use 1Password.
(4) Paper backups are best kept in a safe.
(5) For backups on electronic devices, mind the risk of the device failing and check them at least once a year.
(6) Brain backup: only as far as you can manage.
3. Using a wallet
(1) When buying digital currency, choose a platform or individual with a good reputation as the counterparty, to avoid AML (anti-money laundering) risk controls.
(2) Cold wallets are relatively safe but more troublesome to operate, and because of the device's limitations they display less information. For large transfers or authorizations, check the target address strictly; try a small transfer first. When authorizing, pay attention to the number of tokens being approved.
(3) With hot wallets, beyond the issues that also apply to cold wallets, pay attention to the security of the operating environment when interacting with DApps: either open the DApp directly in the wallet's built-in browser, or connect a DApp opened in a PC browser through the WalletConnect protocol.
(4) If your hot wallet works well enough, do not rush to update it, to avoid problems such as malicious code or backdoors in an updated version.
(5) When interacting with DeFi, prefer well-known, uncontroversial, reputable projects on a secure chain.
For lesser-known, controversial or emerging projects, it is best to gradually learn to read security audit reports.
Check whether the target front-end page uses an integrity mechanism when it loads third-party remote JavaScript files, to avoid malicious behaviour in the front end.
When you open an unfamiliar website, check whether the URL begins with HTTPS. Do not interact with websites that start with HTTP (plaintext transmission). If the browser warns of an HTTPS certificate error, as a rule do not continue.
(6) With NFTs, in addition to the security issues of DeFi interaction, you also need to pay attention to metadata security and signature security.
The most important principle of signature security: what you see is what you sign.
After placing an order on an NFT marketplace, check that the content to be signed is complete, to avoid blind signing. If something is wrong, revoke the authorization promptly. Tools you can use include:
Token Approvals
https://etherscan.io/tokenapprovalchecker
A tool for checking and revoking authorizations, provided by the official Ethereum block explorer. The Ethereum-style blockchains are basically similar, because their block explorers are basically developed by Etherscan, for example:
https://bscscan.com/tokenapprovalchecker
https://hecoinfo.com/tokenapprovalchecker
https://polygonscan.com/tokenapprovalchecker
https://snowtrace.io/tokenapprovalchecker
https://cronoscan.com/tokenapprovalchecker
Revoke.cash
https://revoke.cash/
An old classic that supports multiple chains and keeps getting stronger.
Rabby extension wallet
https://rabby.io/
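Item (5) above says to check whether a front-end page pins the third-party JavaScript it loads with an integrity mechanism. The following added example (not from the handbook or the SlowMist team) shows what that mechanism, Subresource Integrity, actually checks: it parses a constructed page for external script tags, flags those with no integrity attribute, and recomputes the hash of each script body (constructed inline here, standing in for what a browser would download). The URLs and script contents are made up.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptTags(HTMLParser):
    """Collect (src, integrity) for every <script> that loads an external file."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def sri_value(body: bytes, algo: str = "sha384") -> str:
    """SRI token as a browser computes it: '<algo>-' + base64 of the raw digest."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()

def check_scripts(html: str, fetched: dict) -> dict:
    """Map each external script src to 'ok', 'mismatch' or 'no-integrity';
    `fetched` stands in for the bytes a browser would download for each src."""
    parser = ScriptTags()
    parser.feed(html)
    result = {}
    for src, integrity in parser.scripts:
        if not integrity:
            result[src] = "no-integrity"  # a swapped CDN file would load unchecked
            continue
        # integrity may list several tokens; any one that matches satisfies the browser
        tokens = integrity.split()
        ok = any(sri_value(fetched[src], t.split("-", 1)[0]) == t for t in tokens)
        result[src] = "ok" if ok else "mismatch"
    return result

# Constructed sample: a correctly pinned script, a pinned script whose CDN copy
# was tampered with, and an unpinned script.
GOOD = b"window.connectWallet = function () { /* legitimate */ };"
SAMPLE_HTML = (
    '<script src="https://cdn.example/wallet.js" integrity="%s" crossorigin="anonymous"></script>'
    '<script src="https://cdn.example/ui.js" integrity="%s"></script>'
    '<script src="https://cdn.example/analytics.js"></script>'
) % (sri_value(GOOD), sri_value(GOOD))
FETCHED = {
    "https://cdn.example/wallet.js": GOOD,
    "https://cdn.example/ui.js": GOOD + b" injected();",  # modified on the CDN
    "https://cdn.example/analytics.js": b"track();",
}
```

A pinned script whose CDN copy changes is refused by the browser, while an unpinned one loads whatever the CDN serves, which is why item (5) tells you to look for the attribute.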
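For item (6), "what you see is what you sign", the following added Python example (not from the handbook or any of the tools above) decodes the raw calldata a wallet pop-up shows before signing, so the spender, the amount and the unlimited-allowance case can be read instead of blind-signed, and builds the approve(spender, 0) / setApprovalForAll(operator, false) calldata that revoke tools submit to cancel an authorization. The sample calldata and spender address are constructed.

```python
UNLIMITED = 2**256 - 1

# selector -> (function name, ((param, abi type), ...)); selectors are the first
# 4 bytes of keccak256(signature), hard-coded because hashlib has no keccak256
# (hashlib.sha3_256 is the NIST variant, not the one Ethereum uses).
SELECTORS = {
    "095ea7b3": ("approve", (("spender", "address"), ("amount", "uint256"))),
    "a22cb465": ("setApprovalForAll", (("operator", "address"), ("approved", "bool"))),
    "a9059cbb": ("transfer", (("to", "address"), ("amount", "uint256"))),
}

def decode_calldata(data: str) -> dict:
    """Return {'function', 'args', 'warnings'}; unknown selectors are flagged, not guessed."""
    hexdata = data[2:] if data.startswith("0x") else data
    selector, body = hexdata[:8].lower(), hexdata[8:]
    if selector not in SELECTORS:
        return {"function": None, "args": {},
                "warnings": ["unknown selector 0x" + selector + ": do not blind-sign"]}
    name, params = SELECTORS[selector]
    if len(body) < 64 * len(params):
        raise ValueError("calldata too short for " + name)
    args, warnings = {}, []
    for i, (pname, ptype) in enumerate(params):
        word = body[64 * i:64 * (i + 1)]  # every ABI argument occupies a 32-byte word
        if ptype == "address":
            args[pname] = "0x" + word[-40:]  # addresses are right-aligned in the word
        elif ptype == "uint256":
            args[pname] = int(word, 16)
        else:  # bool
            args[pname] = int(word, 16) != 0
    if name == "approve" and args["amount"] == UNLIMITED:
        warnings.append("unlimited allowance: the spender can drain the whole token balance")
    if name == "setApprovalForAll" and args["approved"]:
        warnings.append("operator approval: the spender can move every NFT in this collection")
    if name == "transfer":
        warnings.append("this is a transfer, not an approval: tokens leave the wallet now")
    return {"function": name, "args": args, "warnings": warnings}

def revoke_calldata(function: str, address: str) -> str:
    """Calldata that cancels an authorization, which is what the revoke tools
    submit: approve(spender, 0) or setApprovalForAll(operator, false)."""
    selector = "095ea7b3" if function == "approve" else "a22cb465"
    return "0x" + selector + address.lower().replace("0x", "").rjust(64, "0") + "0" * 64

# Constructed sample: an unlimited ERC-20 approval to a made-up spender address.
SAMPLE = "0x095ea7b3" + ("1" * 40).rjust(64, "0") + "f" * 64
```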
⭐⭐2. Traditional privacy protection
1. Operating system
For beginners, Win10 (or later) or macOS is enough; experts can choose Linux, Ubuntu, Tails or Whonix. Also install antivirus software with a good reputation, such as Kaspersky or BitDefender. If you are able to, set up disk encryption and enable BIOS or firmware passwords.
2. Mobile Phone
An iPhone is recommended. Do not jailbreak or root it, do not install apps from unofficial sources, and do not enable the official cloud service.
3. Network
Do not connect to unfamiliar Wi-Fi; choose routers and carriers with a good reputation.
4. Browser
Update promptly whenever an update is available.
Extensions are not essential. If you do want to install one, consider its reputation, user base and so on, and install it only from the browser's own extension store.
It is recommended to split work across several browsers: one for important operations such as wallets, and another for routine, unimportant browsing, so that a rogue extension cannot steal cookies or otherwise do harm.
You can install privacy-protection extensions such as uBlock Origin, HTTPS Everywhere and ClearURLs.
5. Password Manager
Well-known ones include 1Password and Bitwarden. When using one, take care to protect the master password and the security of the associated email account.
6. 2FA (two-factor authentication)
Essential on centralized platforms.
7. "Scientific" Internet access (VPN/proxy)
If you are able to, build your own; otherwise choose a brand that has existed for a long time and has a good reputation.
8. Mailbox
Outlook is the most stable and secure, and Gmail is also good. What you need to watch out for is phishing attacks arriving in your mailbox; ignore unimportant emails.
9. SIM card
Enable 2FA tools to guard against SIM attacks, and set a SIM PIN so the card cannot be abused if your phone is lost or stolen.
10. Isolated environments
Don't put all your eggs in one basket. It is safer to have multiple accounts, multiple tools and multiple devices; you can even create a virtual identity.
⭐⭐3. Human-nature security
Grasp three points:
Don't be arrogant: thinking you are strong is fine, but don't be so arrogant as to challenge every hacker in the world. There is no end to learning, and no end to pitfalls.
Don't be greedy: greed is often a driving force for progress, but ask yourself why this great opportunity came to you. Is it because you are handsome or a good talker? :)
Don't be impulsive: impulsiveness is the devil and leads you into traps everywhere. Rushing in without confidence is just gambling.
⭐⭐4. What to do if your account is stolen
1. Stop loss first
As soon as you discover the theft, move the remaining assets immediately. If your transaction is front-run (preempted), freeze the assets on-chain where that is possible; if you find the funds have moved to a centralized platform, contact its risk-control team.
Once the situation is under control, review what happened to identify the problems and avoid being victimized again.
2. Protect the scene well and do not affect subsequent analysis and tracing
Computers, servers and other networked devices should be disconnected from the network immediately, but not shut down.
Unless you have the capability yourself, wait for professional security personnel to carry out the forensic analysis.
3. Analyze the causes
Professional help is usually needed; you need to sort out a few points:
Summary 1: who, when, what happened, and how much was lost in total?
Summary 2: the wallet addresses, the hacker's wallet addresses, the currencies and the amounts involved in the loss, laid out clearly in a table.
Process description: this is the hardest part. Describe every detail of the incident, which may even involve analysing the various traces left by the hacker and finally producing a profile of the hacker.
4. Tracking and tracing
On-chain intelligence: analyse the flow of funds from the wallet addresses, for example to centralized exchanges or coin-mixing platforms, and monitor and alert on new transfers.
Off-chain intelligence: the hacker's IP, device information, email address, and the behavioural and other information derived from correlating these points.
Of course, following this article to the letter does not make you completely safe from being hacked. "The devil is one foot high, the Way is ten feet high" is the result we hope for from the bottom of our hearts, but the process before that result is reached is often "the devil is one foot high, the Way is ten feet high, then the devil is two feet high again...". So even if you have mastered every method in this article, you must keep learning about the latest hacker techniques and cases to keep your security awareness up to date. Following Mr. Yu Xian @evilcos is of course a very effective way to do that!
This article refers to the "Blockchain Dark Forest Self-help Manual" by Yuxian @ SlowMist Security Team
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md#%E4%BA%BA%E6%80%A7%E5%AE%89%E5%85%A8