Wallets & Security FAQ
In crypto, security is your job — there's no bank to reverse a theft. These answers explain how wallets and keys work and the habits that keep your funds safe. Each answer stands on its own.
45 questions · Last updated: July 17, 2026.
What is a crypto wallet?
A crypto wallet is software or a device that stores the private keys controlling your coins and lets you send, receive, and interact with apps. The coins themselves live on the blockchain; the wallet holds the keys that prove ownership and authorize transactions.
What is a private key?
A private key is the secret number that proves ownership of the crypto at an address and authorizes spending. Whoever holds it fully controls the funds, so it must never be shared, and losing it usually means the coins are gone forever.
What is a seed phrase?
A seed phrase is a list of 12 or 24 words that serves as the master backup for a wallet, able to regenerate all its private keys. Written down and stored offline, it can restore your funds on a new device, so anyone who sees it can also take everything.
What is the difference between a hot and cold wallet?
A hot wallet is connected to the internet, like a phone app or browser extension, convenient but more exposed to hacks. A cold wallet keeps keys offline, usually on a hardware device, far safer for long-term holdings but less convenient for frequent use.
What is a hardware wallet?
A hardware wallet is a small physical device that stores your private keys offline and signs transactions internally, so the keys never touch an internet-connected computer. It is one of the safest ways to hold crypto, protecting funds even if your PC is compromised.
What is a software wallet?
A software wallet is an app on a phone or computer that stores your keys and connects to blockchains and dApps, such as MetaMask or Trust Wallet. It is easy and free to use but, being online, is more vulnerable than a hardware wallet to malware and phishing.
What is self-custody?
Self-custody means you hold your own private keys rather than trusting an exchange or company to hold your crypto for you. It gives full control and removes reliance on a third party, but it also makes you solely responsible for security and backups.
What is a custodial wallet?
A custodial wallet is one where a third party, like an exchange, holds your private keys on your behalf. It is convenient and can offer recovery options, but you must trust that provider, and a hack, freeze, or failure can put your funds at risk.
Why is 'not your keys, not your coins' important?
The phrase means that if you don't control the private keys, you don't truly own the crypto — you're relying on whoever does. It became a mantra after exchanges collapsed and froze customer funds, underscoring the value of self-custody for holdings you aren't actively trading.
What happens if I lose my seed phrase?
If you lose your seed phrase and no longer have access to the wallet, your funds are almost always permanently unrecoverable, since no company can reset it. This is why the seed phrase should be backed up carefully offline, ideally in more than one secure location.
Can someone steal my crypto with just my address?
No. A public address only lets people send you crypto or view your balance; it cannot be used to take funds. Theft requires your private key or seed phrase, or tricking you into approving a malicious transaction, which is why those secrets must be guarded.
What is phishing in crypto?
Phishing is when scammers impersonate a trusted site, app, or person to trick you into revealing your seed phrase or approving a harmful transaction. It is the leading cause of crypto theft, so verifying links and never entering your seed phrase online is essential.
What is a wallet approval and why is it risky?
An approval grants a smart contract permission to move certain tokens from your wallet, which apps need to function. A malicious or overly broad approval can let a scammer drain those tokens later, so reviewing and revoking unused approvals is an important safety habit.
How do I revoke a token approval?
You can revoke token approvals using tools like a blockchain explorer's approval checker or dedicated revoke sites, which show what contracts can access your tokens and let you cancel them. Doing this periodically limits the damage a malicious contract could cause.
What is a multisig wallet?
A multisig wallet requires multiple private keys to approve a transaction, such as two of three signers. It removes the single point of failure of one key, making it popular for teams, treasuries, and high-value holdings where no one person should have sole control.
What is a passphrase in addition to a seed phrase?
A passphrase is an extra secret word added on top of a seed phrase to create a hidden wallet, sometimes called the 25th word. It boosts security because the seed alone won't reveal those funds, but forgetting the passphrase makes them permanently inaccessible.
Are mobile wallets safe?
Mobile wallets are reasonably safe for everyday amounts if you download them from official sources, keep your phone updated, and never share your seed phrase. As hot wallets they still carry more risk than cold storage, so large holdings are better kept on a hardware wallet.
What is a brain wallet and why is it risky?
A brain wallet derives keys from a memorized phrase you choose. It is dangerous because human-chosen phrases are far easier to guess than random keys, and attackers actively scan for funds secured this way, so brain wallets have led to many thefts.
What is address poisoning?
Address poisoning is a scam where an attacker sends a tiny transaction from an address that looks similar to one you use, hoping you'll later copy it from your history and send funds to them. Always verify the full address, not just the first and last characters.
What is a fake wallet app?
A fake wallet app impersonates a real one to steal your seed phrase when you enter it. They appear in app stores and search ads, so downloading only from official links and checking developer details helps you avoid handing your keys to a scammer.
Should I write my seed phrase digitally?
Storing a seed phrase digitally — in notes, photos, email, or the cloud — is risky because those can be hacked or synced online. The safer practice is to record it offline on paper or metal and keep it somewhere secure and private.
What is a cold wallet best for?
A cold wallet is best for long-term holdings and larger amounts you don't need to move often, since keeping keys offline shields them from online attacks. Many people pair a cold wallet for savings with a small hot wallet for everyday spending and trading.
Can hardware wallets be hacked?
Hardware wallets are very secure but not magic: risks include buying a tampered device from an unofficial seller, entering your seed into a fake recovery prompt, or approving a malicious transaction on-screen. Buying direct and verifying every action keeps them safe.
What is two-factor authentication (2FA)?
Two-factor authentication adds a second step, like a code from an app, on top of your password when logging into exchanges. App-based 2FA is far safer than SMS, which can be hijacked, and enabling it greatly reduces the chance of account takeover.
Why is SMS 2FA risky?
SMS 2FA is risky because attackers can perform SIM swaps, transferring your phone number to their device to intercept the codes. This has enabled many account takeovers, so authenticator apps or hardware security keys are recommended over text-message codes.
What is a SIM swap attack?
A SIM swap is when an attacker convinces or bribes a carrier to move your phone number to their SIM, letting them receive your calls and texts, including SMS 2FA codes. From there they can reset accounts, which is why phone-based security is considered weak.
How do I back up my wallet?
Back up a wallet by securely recording its seed phrase offline, ideally in two or more separate, private locations, and never storing it digitally. With the seed safely backed up, you can restore your funds even if the device is lost, stolen, or damaged.
What is a watch-only wallet?
A watch-only wallet lets you view balances and transactions of an address without holding its private keys, so it can't spend funds. It is useful for monitoring cold storage or someone else's public activity while keeping the actual keys safely offline.
What is clipboard hijacking malware?
Clipboard hijacking malware silently swaps a crypto address you copy for the attacker's address, so you unknowingly send funds to them. Always verify the pasted address before confirming a transaction, since the change is easy to miss during a routine copy and paste.
Are browser extension wallets safe?
Browser extension wallets like MetaMask are convenient and reasonably safe if you install the genuine version, but they operate in a risky environment full of malicious sites. Pairing one with a hardware wallet keeps keys offline even while using the extension to interact with apps.
What is a recovery phrase scam?
A recovery phrase scam tricks you into entering your seed phrase on a fake support page or form, often during a staged wallet problem. No legitimate service ever needs your seed phrase, so any request for it is a scam, full stop.
What should I do if my wallet is compromised?
If a wallet is compromised, immediately move any remaining funds to a new, secure wallet with a fresh seed phrase, and revoke the old wallet's approvals. Because crypto transactions are irreversible, act fast, and never reuse the compromised seed phrase again.
What is a burner wallet?
A burner wallet is a temporary, low-value wallet used for risky activities like minting new NFTs or trying unfamiliar dApps. Keeping such interactions away from your main wallet limits the damage if you sign something malicious or connect to a bad site.
What is transaction signing?
Transaction signing is approving an action with your private key so the network accepts it as authorized by you. Because a signature can grant far-reaching permissions, understanding what you're signing — not just clicking confirm — is central to staying safe.
What is a blind signing risk?
Blind signing is approving a transaction whose details your device can't fully display, so you can't see exactly what you're authorizing. Scammers exploit it to get sweeping approvals, so enabling clear signing and avoiding opaque requests reduces the danger.
How do scammers usually steal crypto?
Most crypto theft comes from tricking users, not breaking blockchains: phishing sites, fake support, malicious approvals, SIM swaps, fake apps, and seed-phrase scams. Because these target human error, careful habits protect you better than any single tool.
What is a cold storage backup on metal?
A metal backup engraves or stamps your seed phrase onto steel or titanium so it survives fire, water, and time far better than paper. For long-term or high-value holdings, a metal backup guards against physical damage that could otherwise destroy a paper copy.
Can I recover crypto sent to the wrong address?
Almost never. Crypto transactions are irreversible, so coins sent to a wrong or incompatible address are typically lost, with no company able to retrieve them. Double-checking the address and network before every send is the only reliable protection.
What is a wallet drainer?
A wallet drainer is malicious code on a scam site that, once you connect and sign, transfers out your tokens and NFTs. They often hide behind fake airdrops or mint pages, so avoiding unknown sites and scrutinizing signature requests is the key defense.
Should I use the same wallet for everything?
Using one wallet for everything concentrates risk, since a single bad signature could expose all your assets. Many people separate a secure cold wallet for savings, a main wallet for regular use, and a burner for risky interactions to contain potential damage.
What is a security key (hardware 2FA)?
A security key is a physical device you plug in or tap to prove your identity during login, providing phishing-resistant two-factor authentication. It is stronger than app or SMS codes because approval requires the physical key, blocking remote account takeovers.
How do I verify a website is legitimate?
Verify a site by reaching it through official bookmarks or the project's verified channels rather than ads or search results, checking the exact URL for misspellings, and never entering your seed phrase. When unsure, don't connect your wallet, since a wrong site can drain it.
What is the safest way to store large amounts of crypto?
The safest common approach is a hardware wallet with its seed phrase backed up offline on metal in secure locations, or a multisig setup for very large holdings. Keeping keys offline and limiting exposure to online sites protects against the most frequent forms of theft.
Do I need to update my wallet software?
Yes. Keeping wallet software updated patches security flaws and adds protections, so running old versions can leave you exposed. Update only through official sources, since fake update prompts are themselves a phishing tactic used to steal seed phrases.
What is the single most important security rule?
The single most important rule is to never share or enter your seed phrase anywhere except when restoring your own wallet on a trusted device. Nearly every major crypto theft traces back to a leaked seed phrase or an approved malicious transaction.