The Best Tips to Secure Your web3 Wallets
The year is 2022. The non-fungible token craze has hit the cryptocurrency space, and NFT projects are springing up at breakneck speed. As expected, 'degens' are leaping onto every alpha they can find on Twitter, chasing whitelist spots and minting opportunities. Some NFT traders mint a token after the project's launch, and a few hours later, their Solana web wallets get drained completely. All their hard work went down the drain in minutes.
In shock, they troop to Twitter to share their losses. Then, they realize they minted worthless pieces of JPEGs and lost their hard-earned crypto in return. As they share their stories, they connect the threads and see the genesis of their problem. As it turns out, the NFT project wasn't another Okaybears or Moonbirds. It was an idea born of malicious intent. When they connected their wallets to the minting website, the hackers could access their coins and steal them.
If you are well versed in the crypto space, you must have seen this exact scenario happen over and over. As the web3 idea continues to gain traction and projects take center stage in the ecosystem, the rate of scams has risen in direct proportion. From draining wallets to rug pulls, from honeypots to fraudulent crypto doubling schemes, bad actors will stop at nothing to steal your crypto.
Web3 wallet scams are one of the most popular today and mainly because many crypto enthusiasts, especially newbies, do not know how to stay safe in the crypto space. Also, crypto is rife with opportunities, and a new person in the space can be easily deceived into exposing the critical details of their wallets or connecting to a malicious contract in the hopes of making money.
In this article, we will explore the types of web3 wallet scams and give you the best tips on securing your web3 wallet against malicious activities.
Types of web3 wallet scams
Billions of dollars are lost to crypto scams yearly. A sizable chunk of these billions are lost to web3 wallet scams, but why are wallet scams common in the crypto space?
Firstly, it is essential to understand the pivotal role of wallets in web3. Traditionally, wallets store money and other valuable documents or means of exchange. In web3, they play a much different role, acting as a bridge between the internet and the blockchain. Popular web3 wallets include Metamask, Trust Wallet, Ledger (hardware), Phantom Wallet, etc.
A crypto wallet is an application or a hardware device that holds the private keys needed to interact with the blockchain.
Crypto wallets do not store cryptocurrencies. Instead, they hold keys – public keys that double as wallet addresses and private keys that give you control over the funds associated with the public addresses. web3 wallets secure your private keys, as they are so important that anyone who gains access to them has total control over your coins. With your web3 wallet, you interact with the blockchain through your private keys, which brings us to the first type of web3 wallet scam:
The private key/seed phrase scam
The famous saying in the crypto space – not your keys, not your coins – underlines the importance of private keys as far as web3 wallets are concerned. With them, you have unbridled control over all assets tied to your public address. Wallet providers do not have access to your private jets for apparent reasons. If they store your private keys and someone breaks into their database, they will expose your coins to thieves.
Also, storing your private keys defeats the idea of decentralization or the promise of giving you absolute control over your crypto assets. Most wallet providers make it clear to new users that they must never give out their private keys, no matter the circumstance. This is why the secret key scam is a sure way of robbing people of their crypto assets.
How does it work?
The private key scam can take several approaches, but the ultimate aim is to get you to release your wallet's private key. Upon doing that, you can kiss whatever coins you have in the wallet goodbye. Sometimes, they scheme through airdrops, either directly or by impersonating the project's founders to exploit unsuspecting people. With airdrops, they'll tell you that you have won an airdrop and that you need to provide your private keys or passphrase to receive your winnings.
Another approach is to pose as your wallet provider's social media support handle using spambots. When you report an issue publicly online, they will rush to you with an automated message saying how they can be of help but that they need your private keys or seed phrase to troubleshoot the incident. If you fall for that trick, you can forget about your coins in the compromised wallet. When you give out your private keys, your coins are as good as lost. Your private keys or secret/seed phrase ought to remain private.
The wallet connect and phishing scams
One outstanding characteristic of web3 is that countless products will be built on the blockchain. To interact with these decentralized applications, you would need a web3 wallet. Through the wallet connect feature common to most web3 wallets, you can connect your wallet to these platforms to perform transactions on the application. As with any good thing, bad actors will make you think twice when using the feature.
The Wallet Connect scam can follow different pathways to the same result. In the introduction, we shared a story of NFT degens who lost everything because they connected their wallet to a malicious website. Some scammers come up with projects and build sites requiring you to click your wallet to interact. When you connect your wallet to a malicious website to mint an NFT, swap a token, stake, or 'unstake' your coins, you'll give the contract unrestricted access to your crypto, which is promptly drained.
Another approach is to pair Wallet Connect with phishing. This time, the attacker clones a popular decentralized app website, like pancakeswap.com or Uniswap. Using spambots, the attacker shares the cloned websites and tries to convince you to interact with them. If you're not careful enough, you will be unable to tell the difference between the original website and its clone. Connecting your wallet to a malicious website will allow the fraudulent contract to drain your cryptocurrencies.
Malware attacks
Although you cannot call this type a scam, indirectly, it could pass as one. Unscrupulous fellows load websites and files with malware. The malware finds its way into your computer and steals confidential information, including your private keys or secret phrase. With this information, the attacker can drain any wallet connected to the computer's browser.
Wallet dusting scams
Sometimes, you may wake up to see a large amount of a particular coin in your wallet, one that you did not purchase. Wallet dusting scams involve sending a specific quantity of a malicious token to a wallet address, hoping to lure its owner into trying to trade the coin on a decentralized exchange. In some cases, the purpose is to de-anonymize the user. In others, as soon as you approve the coin in your wallet, your wallet's security is compromised.
How to secure your web3 wallet against any attack
No matter who you are in web3 – builder, investor, newbie, learner, or speculator – your wallet's security is essential to you. As complex as the crypto space may be, keeping your web3 wallet secure is not exactly difficult. Here are a few of the best tips to secure your web3 wallet:
Never share your private keys and seed phrase
Keeping your private keys and seed phrase secret is perhaps the most straightforward way to secure your wallet. Under no circumstances should you send your seed phrase or private keys to anyone, share with scammers disguised as support staff, or post them on social media. Do not provide your seed phrase to receive airdrops. Do not fill your seed phrase or private key in any form. Also, avoid saving or uploading your seed phrase or private key to your email or on cloud storage.
Always use a burner wallet
If you constantly interact with decentralized applications, minting non-fungible tokens on random sites, participating in brights, or actively participating in DeFi, it is advisable to create burner wallets.
A burner wallet is similar to a one-time password that becomes invalid after its use – you're meant to delete it after use. You can create a wallet for a particular purpose and close it after completing the task or activity. Also, do not save money in your burner wallets after use.
Disconnect your web3 wallet from Dapps after use
Leaving your wallet connected to decentralized applications after use exposes them to exploits targeted at the dApp. If there is a bug in the application's smart contract that is exploited to drain users' wallets, only connected wallets will be affected.
After swapping your favorite tokens on Uniswap or playing Axie Infinity, disconnect your wallet. You can always reconnect it when you want to use the dApp again. If you lose your crypto due to an oversight, it won't be easy to recover.
Store your long-term bags in offline hardware wallets
In crypto, there are cold wallets and hot wallets. The former are usually hardware wallets traditionally disconnected from the internet, which you can connect at your whim, unlike hot wallets (web and desktop), which are always connected to the internet.
It is advisable to store your crypto money and coins you intend on holding for a long time in your cold hardware wallet. Tying your long-term bags to a wallet that is not built by default to be online keeps it beyond the reach of malicious players.
Double-check the website address you are visiting
Phishing scams are rampant in the crypto space, and in reality, they are easily avoidable. Most phishing scams involve cloned websites with carefully misspelled words that you may overlook at first look. When you launch the website of any centralized or decentralized application, double-check the address to be sure it's the same as the one you intend on visiting. If not, please close the website immediately and do not connect your wallet to it.
Use mobile app wallets instead of browser extension wallet
When it comes to web3, it would suffice to say most of the web3 apps along with their UX are limited to desktops only. However, it is changing with new-age mobile-first web3 wallets such as Obvious.
Theoretically, mobile wallets are safer than browser-extension wallets since mobile wallets store the private key locally on the device in an encrypted folder. For example, in Obvious wallet, the keys are stored on Keystore for Android devices and on Keychain for Apple devices.
This makes the mobile wallets inherently more secure than browser-extension wallets since web wallets leave it to the user to secure the private key whereas mobile wallets ensure that the seed phrase is stored locally on the device, that too, in an encrypted folder.
Staying safe in web3 is pivotal
Security is one of the tenets of blockchain technology. Hence, staying safe in web3 is non-negotiable. Phishing, Wallet Connect schemes, private key/seed phrase scams, and others are well-known web3 wallet scams that have resulted in the loss of billions of dollars.
web3 wallets are custodial, meaning that you have total control over your assets, and their safety is your responsibility. Thus, we must adopt best practices and be security conscious as we interact on the blockchain, trade, and prepare for a digital future.
Obvious is trying to overcome a lot of the above issues by bringing the best of wallet experience to transact on the go.
