Keep your cryptos #SAFU (advice from CZ)

Updated: 02/24/2025 Original: 02/25/2020

#BINANCEALERTE #CZBINANCE #BINANCESECURITY

The lack of security awareness among cryptocurrency users is painful to witness. It’s equally painful to see experts recommending advanced setups that are hard to follow and easy to mess up.

Security is a vast topic. I am by no means an expert, but I have witnessed many security issues. I will do my best to use simple terms to explain:

Why and how you may, or may not, want to store coins yourself

Why and how you may, or may not, want to store coins on a centralized exchange

First of all, nothing is 100% secure. Software has bugs and people can be victims of social engineering. The real question is whether these systems are secure enough.

If you’re keeping $200 in your wallet, you probably don’t need super-high security. A mobile wallet will do. If you’re keeping your life savings, you want enhanced security.

To secure your coins, you just need to do the following 3 things:

Prevent others from stealing them.

Keep yourself from losing them.

Plan a way to pass them on to your loved ones in case you are unavailable.

Simple, isn't it?

Why You May or May Not Want to Store Coins Yourself

Your keys, your funds. Or not?

Many cryptocurrency experts swear that cryptocurrencies are only safe if you hold them yourself, regardless of your technical knowledge. Is this really the best advice for you?

A Bitcoin private key looks like this: KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p

That's it. Anyone who holds a copy of this key can spend the bitcoins it controls, whenever they like.

To secure your crypto you need to:

Prevent others from obtaining (a copy of) your private keys: keep hackers out, and secure your computers against viruses, the Internet, etc.

Avoid losing your private keys; have backups to prevent loss or damage to devices, and keep those backups secure.

Plan a way to pass on your private keys to your loved ones in the event of your death. This is not a pleasant scenario to consider, but as responsible adults to our loved ones, we must manage this risk.

Preventing hackers

You’ve heard of hackers. They use viruses, Trojans, and other malware. You don’t want them anywhere near your devices.

To achieve this with a decent degree of trust, your crypto wallet device should never connect to the internet. And you should never download any files onto it. So how do you use a device like this?

Let's talk about the different devices you might use.

A computer is an obvious choice, and often the most versatile in terms of supported cryptocurrencies. You should never connect this computer to the internet, or to any network. If you do connect it to a network, a hacker could break into your device by exploiting a bug in the operating system or in software you are using. Software is never bug-free.

So how do you install software? You use a USB drive. Make sure it is clean. Use at least 3 different antivirus programs to scan it. Download the software (OS and wallet) you want to install onto the USB drive. Wait for 72 hours. Check the news to make sure the website or software is not compromised. There have been cases where official websites have been hacked and the download package has been replaced with a trojan. You should only download software from official sites. You should only use open source software, to reduce the risk of backdoors. Even if you are not a coder yourself, open source software is reviewed by other coders and has a lower risk of containing backdoors. This means that you should use a stable version of Linux (not Windows or Mac) for your operating system and only use open source wallet software.

Once everything is set up, you use a clean USB drive to sign your transactions offline. This process varies by wallet and is beyond the scope of this article. Aside from Bitcoin, many cryptocurrencies don’t have wallets that can sign offline.

You need to ensure the physical security of the device. If someone steals it, they could physically access it. Make sure your drive is strongly encrypted so that even if someone gets their hands on it, they can't read it. Different operating systems offer different encryption tools. Again, a tutorial on disk encryption is beyond the scope of this article; there are plenty of them online.

If you know how to do the above, you can make your own secure backup and you don't need to read the rest of this article. If the above doesn't suit you, there are other options.

You can use a mobile phone. An unrooted phone is generally more secure than a computer, due to the sandbox design of mobile operating systems. For most people, I recommend using an iPhone. If you are more technical, I recommend an Android phone with GrapheneOS. Again, you should use a phone solely for your wallet, and not mix it with your everyday phone. You should only install the wallet software, and nothing else. You should keep the phone in airplane mode at all times, except when using the wallet for transfers. I also recommend using a separate SIM card for the phone and only using 5G to connect to the internet. Never connect to any Wi-Fi network. Only connect to the internet when using the phone to sign transactions and software updates. This is usually not a problem if you do not hold very large amounts of money in your wallet.

Some mobile wallets offer offline signing of transactions (via QR code scanning) so that you can keep your phone completely offline, from the moment you finish installing the wallet apps and before generating your private keys. This way, your private keys are never on a phone that is connected to the internet. This will prevent a wallet from having a backdoor and sending data back to the developer, which has happened to several wallet apps in the past, even official versions. You will not be able to update your wallet apps or operating system. To perform software updates, you use a different phone, install the new version of the app on it, put it in airplane mode, generate a new address, back it up (more on that later), and then send funds to the new phone. Not very user-friendly. Also, these wallets support a limited number of coins/blockchains.

These wallet apps usually don’t support staking, yield farming, or meme coin imitation. If you’re into that, you’ll have to sacrifice a bit of security.

You must ensure the physical security of your phone.

Hardware Wallets

You can use a hardware wallet. These devices are designed so that your private keys “never” leave the device, so your computer won’t have a copy of them. (Update as of 2025, newer versions of Ledger can/will send your private keys to a server, for backup. So this is no longer true.)

Hardware wallets have had reported bugs in their firmware, software, etc. All hardware wallets require interaction with software running on a computer (or mobile phone) to work. You should always make sure that your computer is virus-free. There are viruses that replace your destination address with the hacker's address at the last minute, etc. So check the destination address on the device's own screen carefully.

Hardware wallets prevent many basic types of exploits and are still a good choice if you want to store coins independently. However, the weakest point of hardware wallets is often how you store backups, which we'll cover in the next section.

Protect yourself from yourself

You may lose or damage the device, so you need backups.

There are many methods here too. Each has its advantages and disadvantages. Basically, you want to make multiple backups, in different geographical locations, that other people cannot see (encrypted).

You can write it on a piece of paper. Some wallets that use seed phrases recommend this because it is relatively easy to write down 12 or 24 English words. With raw private keys, you could easily make a mistake. The paper can also be lost among other pieces of paper, damaged in a fire or flood, or chewed by your dog. And anyone who finds the paper can read it, since it is not encrypted.
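To make concrete what the private key shown earlier actually contains, and why copying a raw key by hand is so error-prone, here is an added example (not from the original post) that encodes and decodes the Wallet Import Format (WIF) used for that key: a version byte, the 32-byte secret, an optional compression flag and a 4-byte double-SHA-256 checksum, all in base58. The secret used below is a constructed, predictable value for demonstration only; the checksum is what lets a wallet reject a key with a single mistyped character instead of silently accepting it.

```python
import hashlib

# Bitcoin's base58 alphabet: no 0, O, I or l, so hand-copied keys are less ambiguous
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """WIF checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_wif(secret: bytes, compressed: bool = True, mainnet: bool = True) -> str:
    """Wrap a raw 32-byte secret: version || secret [|| 0x01] || checksum, then base58."""
    if len(secret) != 32:
        raise ValueError("a Bitcoin private key is exactly 32 bytes")
    payload = (b"\x80" if mainnet else b"\xef") + secret + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def decode_wif(wif: str) -> dict:
    """Unwrap a WIF string, refusing it if the checksum does not match."""
    raw = b58decode(wif)
    if len(raw) not in (37, 38):
        raise ValueError("unexpected WIF length")
    payload, tag = raw[:-4], raw[-4:]
    if checksum(payload) != tag:
        raise ValueError("checksum mismatch: the key was mistyped or corrupted")
    compressed = len(payload) == 34
    if compressed and payload[-1] != 0x01:
        raise ValueError("bad compression flag")
    return {
        "mainnet": payload[0] == 0x80,
        "compressed": compressed,
        "secret": payload[1:33],
    }


if __name__ == "__main__":
    # constructed sample secret: never use a predictable key like this for real funds
    sample_secret = bytes(range(1, 33))
    wif = encode_wif(sample_secret)
    print("WIF:", wif)
    print("decoded:", decode_wif(wif))
    # flip one byte in the checksum region to show a transcription error being caught
    raw = b58decode(wif)
    corrupted = b58encode(raw[:-1] + bytes([raw[-1] ^ 0xFF]))
    try:
        decode_wif(corrupted)
    except ValueError as exc:
        print("rejected:", exc)
```

A compressed mainnet key always comes out starting with K or L and an uncompressed one with 5, which is a quick sanity check when you read a backup back; the checksum catches a copying error, but it does nothing to keep the key secret, which is why the rest of this section is about encryption and physical security.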

Some people use bank safes to store paper backups. In general, I do not recommend this option for the reasons mentioned above.

Don’t take a picture of the document (or a screenshot), sync it to the cloud and think it’s safely backed up. If a hacker hacks your email account or computer, they’ll easily find it. The cloud provider has many employees who could look at it.

There are metal tags designed specifically for storing a seed backup. They are supposed to be nearly indestructible, which largely solves the problem of damage from fire or flood. But it doesn’t solve the problem of loss or easy reading by others. Again, some people store them in bank vaults, usually with their gold or other metal. If you use this approach, you need to understand the risks.

I recommend using at least 3 USB sticks, but this requires a more technical setup and risks the "designed for experts" mistake mentioned at the start.

There are USB flash drives that are shockproof, waterproof, fireproof, and magnetically resistant. You can store encrypted versions of your private key backup on multiple such USB flash drives and in multiple locations (friends or relatives). This meets all the requirements at the beginning of this section: multiple locations, not easily damaged or lost, and not easily readable by others.

The key here is strong encryption. There are many tools available for this, and they evolve over time. VeraCrypt is an entry-level tool that provides a decent level of encryption. Do your own research and find the latest encryption tools for yourself.
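To show what "strong encryption" of a backup means in practice (a passphrase stretched with a memory-hard KDF, a random salt and nonce, and an authentication tag that rejects a wrong passphrase or a modified file before anything is decrypted), here is an added example that is not part of the original post or of any tool it names. It uses only the Python standard library: scrypt from hashlib for key derivation and an encrypt-then-MAC construction with HMAC-SHA256 as the keystream PRF, which is a stand-in chosen so the block runs anywhere; for a real backup use an established tool such as the VeraCrypt mentioned above, and the seed phrase, passphrase and file marker below are constructed values.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"SEEDBK1"          # file marker, constructed for this example
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
# scrypt cost: 2**14 keeps the example fast; raise it (2**20 or more) for a real backup
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase with scrypt into an encryption key and a separate MAC key."""
    material = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stdlib-only stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_backup(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: MAGIC || salt || nonce || ciphertext || HMAC tag over everything before it."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    k_enc, k_mac = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    body = MAGIC + salt + nonce + ciphertext
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()


def decrypt_backup(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong passphrase or any edit is refused."""
    header_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a backup produced by encrypt_backup")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:header_len]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    k_enc, k_mac = derive_keys(passphrase, salt)
    if not hmac.compare_digest(hmac.new(k_mac, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong passphrase, or the backup was modified")
    ciphertext = body[header_len:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(k_enc, nonce, len(ciphertext))))


def verify_copies(passphrase: str, paths: list[str], expected: bytes) -> dict[str, bool]:
    """Read every USB-stick copy back and confirm it still decrypts to the original seed."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = decrypt_backup(passphrase, fh.read()) == expected
        except (OSError, ValueError):
            results[path] = False
    return results


if __name__ == "__main__":
    import tempfile
    # constructed sample seed phrase; a real one must never appear in source code or logs
    seed = b"abandon ability able about above absent absorb abstract absurd abuse access accident"
    passphrase = "correct horse battery staple"   # constructed; pick a long, random one of your own
    blob = encrypt_backup(passphrase, seed)
    with tempfile.TemporaryDirectory() as tmp:
        copies = [os.path.join(tmp, f"usb{i}", "seed.bak") for i in range(3)]
        for path in copies:                        # one file per USB stick / location
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as fh:
                fh.write(blob)
        print(verify_copies(passphrase, copies, seed))
```

The verify_copies step is the part people skip: a backup you have never restored from is a hope, not a backup, so read each stick back on a clean machine after writing it and again when you rotate locations. The salt means three copies made from the same passphrase still differ byte for byte, and the tag check runs before decryption, so a wrong passphrase or a flipped byte fails cleanly instead of producing garbage that looks like a seed.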

Take care of your loved ones

We don’t live forever. An inheritance plan is necessary. In fact, cryptocurrency allows you to easily pass on your wealth to your heirs with less third-party intervention.

Again, there are several ways to do this.

If you use the low-security approach of paper wallets or metal tags, you can simply share them with them. This of course has some potential drawbacks. They may not have the proper means to keep or secure a copy of the backups, if they are young or non-technical. If they make security mistakes, a hacker could easily steal your funds through them. Plus, they could take your money at any time. You may or may not want this, depending on the trust relationship you have with them.

I strongly advise against sharing keys between people, regardless of their relationship. If the funds are stolen, there is no way to determine who moved them or who was hacked. It is complicated.

You can leave your paper wallet or metal tags in a bank safe deposit box or with a lawyer. But, as mentioned above, if one of the people involved gets a copy of the keys, they can transfer the funds without leaving a trace. This is not the same as if a lawyer had to go through a bank to transfer your bank account balance to your heirs.

If you use the USB drive method mentioned above, there are ways to transfer your wealth more securely. Again, this requires a little more preparation.

There are online services called Deadman’s switches. They send you a ping or email every so often (say once a month). You have to click a link or log in to respond. If you don’t respond within a certain period of time, they assume you are a “deadman” and send a certain number of emails to your predefined recipients. I will not endorse or vouch for any of these services, you should google them and test them for yourself. In fact, Google itself is a Deadman’s switch. Deep in Google’s settings, there is an option that allows someone to access your account if you don’t access it for 3 months. I personally have not tested this and cannot vouch for it. Do your own testing.

If you're thinking, "Oh great, I just put the private keys in my kids' emails," please reread this article from the beginning.

You might be thinking, "I could put the passwords I used to encrypt the USB drives in these emails so my child or spouse could unlock them." That's close, but still not good. You should not leave your backup passwords on a server on the Internet. This significantly weakens the security of your backups.

If you think, "I could scramble/encrypt the emails containing the USB drive passwords with another password that I share with my loved ones," then you are on the right track. In fact, you don't even need the 2nd password.

There is a tried and true email encryption tool called PGP (or GPG) that you should use. PGP was one of the first tools to use asymmetric encryption (the same kind used in Bitcoin). Again, I won’t include a full tutorial on PGP; there are plenty of them online. In short, you have your spouse and/or child generate their own PGP private key, and you encrypt the message to be read after your death with their public key, so that only they can read its contents and no one else. This method is relatively secure, but it requires that your loved ones know how to keep their PGP private key safe and not lose it. And of course, they need to know how to use PGP email, which is somewhat technical in itself.

If you follow the recommendations shared so far, you have reached the basic (not advanced) level to store a significant amount of coins yourself. There are many other topics we could cover that could also address some of the issues mentioned so far, including multi-sig, threshold signatures, etc., but they belong in a more advanced guide. In the next part, we will look at:

Using exchanges

When we talk about exchange in this article, we mean centralized exchanges that hold custody of your funds.

After reading the previous part, you might be thinking, “Oh, this is a real hassle. So I’ll just store my coins on an exchange.” Well, using an exchange isn’t without its risks either. While exchanges are responsible for the security of funds and systems, you still need to follow best practices to keep your account secure.

Use only major and reputable exchanges

Yes, it’s easy for me to say, because Binance is one of the largest exchanges in the world. However, there are good reasons for this. Not all exchanges are created equal.

Large exchanges invest heavily in security infrastructure. Binance invests billions of dollars in security. This makes sense given the scale of our business. Security touches on many different areas, from equipment, networks, procedures, personnel, risk monitoring, big data, AI detection, training, research, testing, third-party partners, and even relationships with global law enforcement. It takes a lot of money, personnel, and effort to provide adequate security. Smaller exchanges simply don’t have the scale or financial means to do it. I risk getting flak for saying this, but it’s why I often say that for most ordinary people, using a trusted centralized exchange is safer than holding cryptocurrencies yourself.

There is counterparty risk. Many small or new exchanges are exit scams from the get-go. They collect deposits and run away with your funds. For this same reason, avoid “unprofitable” exchanges or exchanges that offer zero fees, deep discounts, or other negative profit incentives. If their goal is not revenue, your funds may be their only target. Proper security is expensive and requires funding from a sustainable business model. Don’t skimp on security when it comes to your funds. Large, profitable exchanges have no incentive to engage in exit scams. When you are already running a profitable and sustainable billion dollar business, what would be the incentive to steal a few million and live in hiding and fear?

Large exchanges are also more security tested. Yes, this is also a risk. Hackers target large exchanges more. But they also target smaller exchanges in the same way, and some of them are much easier targets. Large exchanges typically hire 5-10 external security firms that they hire on a rotating basis to perform penetration and security testing.

Binance goes further than most exchanges in terms of security. We invest heavily in big data and AI to combat hackers and scammers. We have been able to prevent many users from losing their funds even when they have undergone SIM swapping. Some users using multiple exchanges have also reported that when their email accounts were hacked, the funds on the other exchanges they were using were stolen, while the funds on Binance were protected because our AI blocked the hackers’ attempts to withdraw their funds. Smaller exchanges couldn’t do this even if they wanted to because they simply don’t have the big data.

Secure your account

When using exchanges, it is always very important to secure your account. Let’s start with the basics.

Secure your computer

Again, your computer is often the weakest link in the security chain. To access your exchange account, use a dedicated computer. Install commercial antivirus software (yes, invest in security) and as little other software as possible. Turn the firewall up to its strictest setting.

Play your games, surf the Internet, download, etc. on another computer. Even on this computer, run the antivirus and firewall at maximum. A virus on this computer will make it much easier for the hacker to access other computers on the same network, so keep it clean.

Do not download

Even if you’re just using a CEX, I recommend not downloading any files to your computer. If people send you a Word document, ask them to send you a link to a Google Doc instead. If they send you a PDF, open it in Google Drive in a browser, not on your computer. If they send you a funny video, ask them to send you a link to it on an online platform. Yes, I know it’s a hassle, but security doesn’t come cheap, and neither does losing your funds. View everything on the cloud.

Turn off the “Auto-save photos and videos” option in your instant messaging apps. Most of them download GIFs and videos by default, which is not a good security practice.

Stay up to date with software updates

I know all OS updates are annoying, but they contain patches for newly discovered security holes. Hackers also monitor these updates and often use them on people who are lazy with updates. So always make sure to apply patches as soon as possible. The same goes for wallets and other software you use.

Secure your email

I recommend using Gmail or Protonmail. Both of these email providers are more secure than others and we have seen a higher number of security breaches on other platforms.

I recommend setting up a unique email account for each exchange you use, to make it difficult to guess. This way, if another exchange gets hacked, your Binance account won’t be affected. This will also reduce the number of phishing attempts or targeted email scams you receive.

Protonmail has a feature called SimpleLogin that allows you to get a unique email address for each website you visit. I recommend using this if you don't use any other email forwarding service.

Enable 2FA for your email service. I recommend using Yubikey for your email accounts. It’s an effective way to prevent many types of hacks, including phishing sites, etc. More on 2FA later.

If you live in a country where SIM swapping has been reported, do not associate your phone number with any email recovery method. We have seen many SIM swap victims have their email account passwords reset and hacked. I no longer recommend associating phone numbers with email accounts. Keep them separate.

Use a password manager

Use a strong, unique password for each site. Don’t bother trying to remember passwords; use a password manager tool. For most people, Keeper or 1Password will probably do the trick. Both are well integrated with browsers, mobile phones, etc. Both claim to store passwords locally, but sync across devices using only encrypted passwords.

If you’re more serious, go for KeePass. It only stores information locally, so you don’t have to worry about your (encrypted) passwords sitting in the cloud. It doesn’t sync across devices and has less mobile support. It’s open source, so you don’t have to worry about backdoors.

Do your own research and choose a tool that works for you. But don’t try to “save time” by using the same password everywhere. Make sure you use a strong password, or the time you save could cost you.

Even with all these tools, you're toast if you have a virus on your computer, so make sure you have good antivirus software running.

Enable 2FA

It is highly recommended that you enable two-factor authentication (2FA) on your Binance account upon registration, or now if you haven’t already. Since the 2FA code is usually found on your mobile phone, it can protect you to some extent from a compromised email address and password.

However, 2FA doesn’t protect you from everything. A virus on your computer that steals your email address and password can also steal your 2FA code as you enter it by monitoring your keystrokes. You could interact with a phishing site, enter your email address and password, and then enter your 2FA code on the fake site. The hacker then uses it to log into your real account on Binance. The possibilities are numerous; we can’t list them all.

Configure U2F

U2F relies on a hardware device that generates unique, domain-specific, time-based codes. Yubikey is the de facto device for this.

U2F keys offer three major advantages. First, they are hardware-based, making it nearly impossible to steal the secret stored on the device. Second, they are domain-specific. This protects you even if you inadvertently interact with a phishing site. Third, they are easy to use. You just have to carry them with you.

For the above reasons, I recommend that you link a Yubikey to your Binance account. It offers one of the best protections against hackers.
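To make the difference between the two preceding sections concrete, here is an added example (not from the original post) that models both factors. The first half is a TOTP code as an authenticator app computes it (RFC 6238, HMAC-SHA1, 30-second steps); the second half is a simplified model of an origin-bound hardware key, where the browser tells the device which origin it is really on and the device binds its answer to that origin. Real U2F uses a per-origin key pair and a signature; an HMAC per origin stands in here so that the block needs only the standard library, and the origins, user name and secrets are constructed values. The scenarios show why a six-digit code typed into a look-alike site still verifies at the real site, while the hardware key's answer does not.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "www.binance.com"            # origin the key was registered with (constructed)
PHISHING_ORIGIN = "binance-login.example"  # look-alike domain (constructed, .example is reserved)


# ---- Factor 1: a TOTP app code (RFC 6238, HMAC-SHA1, 30 s steps) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the code an authenticator app shows at unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_server_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server only sees a six-digit string; it cannot tell where the user typed it."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# ---- Factor 2: an origin-bound hardware key (simplified U2F model) ----
class SecurityKey:
    """Models a Yubikey-style device. Real U2F signs with a per-origin key pair; an HMAC per
    origin stands in here. The binding of the answer to the browser-reported origin is the point."""

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)   # never leaves the device

    def _origin_key(self, origin: str) -> bytes:
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        """Registration hands the server the verification key for this origin only."""
        return self._origin_key(origin)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        """The browser supplies the origin it is actually on; the device mixes it into the answer."""
        return hmac.new(self._origin_key(origin), origin.encode() + challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: dict[str, bytes] = {}

    def enroll(self, user: str, verification_key: bytes) -> None:
        self.keys[user] = verification_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.keys[user], self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


# ---- Scenarios ----
def totp_relay_accepted() -> bool:
    """A code typed into a fake site and forwarded within the same 30 s window is accepted (True)."""
    secret = b"constructed-shared-totp-secret"
    now = 1_700_000_000
    code_typed_on_fake_site = totp(secret, now)
    return totp_server_accepts(secret, code_typed_on_fake_site, now + 5)


def u2f_relay_accepted() -> bool:
    """Same relay against the hardware key: the answer is bound to the fake origin, so it is rejected (False)."""
    key, server = SecurityKey(), Server(REAL_ORIGIN)
    server.enroll("alice", key.register(REAL_ORIGIN))
    challenge = server.new_challenge()                  # fake site relays the real challenge
    response = key.respond(PHISHING_ORIGIN, challenge)  # browser truthfully reports the fake origin
    return server.verify("alice", challenge, response)


def u2f_legitimate_login() -> bool:
    key, server = SecurityKey(), Server(REAL_ORIGIN)
    server.enroll("alice", key.register(REAL_ORIGIN))
    challenge = server.new_challenge()
    return server.verify("alice", challenge, key.respond(REAL_ORIGIN, challenge))


if __name__ == "__main__":
    print("TOTP code relayed from a fake site accepted:", totp_relay_accepted())
    print("hardware key answer relayed from a fake site accepted:", u2f_relay_accepted())
    print("hardware key on the real site accepted:", u2f_legitimate_login())
```

The user does nothing different in the two relay cases: in both they see a familiar login page and approve a second factor. The protection comes entirely from the browser reporting the true origin to the device, which is why the Yubikey is only as good as the browser you plug it into, and why the article's advice about a clean, updated machine still applies.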

You should also link your Yubikey to your Gmail, password manager, and any other accounts to protect them.

Stop using SMS verification

There was a time when SMS verification was encouraged, but times have changed. Given the increase in SIM swapping, we recommend moving away from SMS and relying more on the 2FA or U2F described above.

Configure a withdrawal address whitelist

We strongly encourage you to use Binance's Whitelist feature for withdrawals. This feature allows for fast withdrawals to your approved addresses and makes it much harder for hackers to add a new address to withdraw to.

Enable the 24-hour waiting time for new addresses added to the whitelist. This way, if a hacker wants to add a new address, you will receive 24 hours' notice.
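The two paragraphs above describe a policy, and the value of the 24-hour delay is easier to see once it is written down as one: the owner gets a notification when an address is added, the address is unusable until the waiting period ends, and the owner can cancel it in the meantime. Here is an added example (not Binance's code or the page's own) of such a policy in plain Python: unix timestamps, constructed addresses and a simple audit log are assumptions, and the delay constant matches the 24 hours the article recommends.

```python
from dataclasses import dataclass, field

DAY = 24 * 3600          # seconds; the 24-hour activation delay the article recommends


@dataclass
class WhitelistEntry:
    address: str
    added_at: int        # unix time when the address was added
    label: str = ""


@dataclass
class WithdrawalWhitelist:
    """Withdrawals are allowed only to listed addresses, and a newly listed address stays
    pending for `delay` seconds so the real owner has time to notice and cancel it."""
    delay: int = DAY
    entries: dict[str, WhitelistEntry] = field(default_factory=dict)
    audit_log: list[tuple[str, str, int]] = field(default_factory=list)

    def add_address(self, address: str, now: int, label: str = "") -> int:
        """List an address; returns the unix time at which it becomes usable. The log entry is
        what the notification to the owner should be generated from."""
        self.entries[address] = WhitelistEntry(address, now, label)
        self.audit_log.append(("ADDRESS_ADDED", address, now))
        return now + self.delay

    def remove_address(self, address: str, now: int) -> bool:
        """The owner cancels an address (works during the pending period, which is the point)."""
        if address not in self.entries:
            return False
        del self.entries[address]
        self.audit_log.append(("ADDRESS_REMOVED", address, now))
        return True

    def pending(self, now: int) -> list[str]:
        """Addresses still in their waiting period: what a reminder to the owner should list."""
        return [a for a, e in self.entries.items() if now < e.added_at + self.delay]

    def check_withdrawal(self, address: str, now: int) -> tuple[bool, str]:
        """Decide a withdrawal request. Never allow an address that is absent or still pending."""
        entry = self.entries.get(address)
        if entry is None:
            self.audit_log.append(("WITHDRAWAL_DENIED_UNLISTED", address, now))
            return False, "destination is not on the whitelist"
        remaining = entry.added_at + self.delay - now
        if remaining > 0:
            self.audit_log.append(("WITHDRAWAL_DENIED_PENDING", address, now))
            return False, f"destination becomes usable in {remaining // 3600} h {remaining % 3600 // 60} min"
        self.audit_log.append(("WITHDRAWAL_ALLOWED", address, now))
        return True, "ok"


if __name__ == "__main__":
    t0 = 1_740_400_000                     # constructed timestamps
    wl = WithdrawalWhitelist()
    wl.add_address("bc1q-constructed-own-cold-wallet", t0, "my cold wallet")
    # an address the owner did not add, listed one hour later
    wl.add_address("bc1q-constructed-unknown", t0 + 3600)
    print("pending after 2 h:", wl.pending(t0 + 2 * 3600))
    print(wl.check_withdrawal("bc1q-constructed-unknown", t0 + 2 * 3600))
    wl.remove_address("bc1q-constructed-unknown", t0 + 2 * 3600)   # owner saw the notice and cancelled
    print(wl.check_withdrawal("bc1q-constructed-own-cold-wallet", t0 + DAY))
    for event in wl.audit_log:
        print(event)
```

The check is deliberately a pure function of the list and the clock: no "trusted device" or "recently logged in" shortcut lets a request skip the delay, because those are exactly the signals an attacker with a stolen session already has. The same reasoning applies to the hardware-wallet advice earlier in the article: an address the user did not knowingly approve must never be spendable to.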

API Security

Many of our users use APIs for trading. Binance offers several different versions of APIs, with support for asymmetric encryption. This means that Binance only needs your public key. You generate your private key in your environment and give the platform your public key. We use your public key to verify that orders belong to you, and we never have your private key. You must keep your private key safe.

You don’t necessarily need to back up your API key the same way you do when you store your coins. If you lose your API key in this case, you can always create a new one. You just need to make sure that no one else has a copy of your API keys.

Do not enable withdrawals on your API keys unless you really know what you are doing.

Complete Level 2 KYC

One of the best ways to protect your account is to complete Level 2 KYC. This way, we will know what you look like. When our Big Data Risk Engine detects anomalies on your account, we can use advanced automated video verifications.

This is also important in the “if you become unavailable” situation. Binance is able to help family members access their deceased loved ones’ account, with proper verification.

Physically secure your devices

Again, keep your phone secure. You probably have your messaging app, Binance app, and 2FA codes on it. Don’t root or jailbreak your phone. This greatly reduces its security. You should also keep your phone physically secure and have proper screen locks. The same goes for your other devices.

Phishing

Beware of phishing attempts. These usually come in the form of an email, text message, or social media post that contains a link to a fake Binance-like site. The site will prompt you to enter your credentials, which the hackers will use to access your real Binance account.

Phishing prevention requires only diligence. Do not click on links in emails or on social media sites. Access Binance only by entering the URL or using a bookmark. Do not share your email with other parties. Do not use the same email address on other sites. Be careful when strangers (especially people named CZ or similar) suddenly talk to you on Telegram, Instagram, etc.

If you stick to the above recommendations, your Binance account should be relatively secure.

So what's better?

In general, I recommend people to use both centralized exchanges and their own wallets. If you are not very tech-savvy, I recommend keeping a larger share on Binance and a spending wallet (TrustWallet) that you hold yourself. If you are technically strong, adjust the shares.

Centralized exchanges sometimes go through maintenance, and if you need to make a transaction quickly, it's handy to have a separate wallet.

If you follow the recommendations outlined here, you should be able to safely store your funds, either on your own or on a CEX like Binance.