The recent spate of cryptocurrency thefts is worrisome. Not only did the victims generally lose more than a million dollars, almost all of their assets, but the platforms involved were not second- or third-tier small platforms, but large first-tier exchanges that have been trusted by the majority of users for many years, or well-known brands that have always boasted of their technological strength. It is truly shocking.


Everyone should have heard of it.

One user had 5 million in assets stolen within 15 minutes, and the rest of the exchanges had nearly tens of millions of dollars stolen. Even the thousands of wallets that the studio had used to make money were stolen. Hackers are rampant, and all the hard work I've done for ten years has gone to the hackers.

Today I have summarized some anti-theft guidelines for everyone. No matter how much money you have, safety is the top priority.

The users in the above two incidents have one thing in common: they did not have Google two-factor authentication (2FA) enabled on their exchange accounts.

It is recommended to enable two-factor authentication (2FA) for exchange accounts. Whether you are using OKX, Binance, Bitget, Gate or any other exchange, it is best to enable this verification.

What are the risky behaviors on the chain?

1. Saving wallet private keys in plain text or as screenshots;

2. Save the private key to a file and send it through social software, email, etc. to inform others of the private key;

3. Store large amounts of assets in hot wallets for a long time. (Regularly manage the exchange's withdrawal whitelist. If you are an Apple user, you can choose not to set the exchange's withdrawal whitelist and set a "pass key" instead, so that every withdrawal to a Web3 wallet requires face verification.);

4. Directly authorize various websites, third-party applications, discord, tokens, etc.;

5. Frequently use unsafe WiFi to log in to the wallet and perform operations;

6. Check "Exchange Device Management" regularly to see if there are any abnormal activities;

7. Run third-party application scripts obtained through various unofficial channels and visit websites from unknown sources;

8. Use Apple ID, Google ID, etc. provided by others;

9. Frequently register wallets in various places, and wallets with assets to receive various airdrops.

All of the above are risky behaviors. They deserve attention first, and they can be avoided. If several of them apply to you, you may soon be on the list of theft victims.

What are the common scammers' tricks?

Often, fake accounts reply with phishing content under official posts; it is easy to be fooled and hard to guard against. Take yesterday's ZKS for example. Yesterday afternoon, the airdrop query was opened, which caused a large number of retail investors to curse fiercely. Of course, I did not receive the airdrop, and I was also among those cursing the project party. At this time, an account with an identical avatar and name appeared in the comments under the official post. I forgot to take a screenshot and can't find it now. I guess it has been cancelled. The general meaning of the comment under the official post was: you did not qualify in the first inspection, so you can try the second inspection. For us, it is fake at first glance, but for some newbies and new leeks, it is really hard to tell without careful observation.

How to tell:

1. Pay attention to the account's number of followers, the number of followers you have in common (check the big verified accounts first), and the interaction and traffic on its tweets. Artificially inflated numbers are easy to spot.

2. Use a detection plug-in.

In addition, phishing links can come from genuinely "official" sources when an official account has been stolen, for example the Meson bridge earlier.

3. Fundamental solution: Hot wallet asset isolation

Prepare a trial wallet: keep the main asset account isolated on the mobile phone, not on the computer; relatively speaking, it will be used for far fewer operations. Keep only a small amount of assets in the trial wallet, and use that wallet when interacting with a website or contract for the first time. Even if you encounter a phishing website or accidentally grant a wrong authorization, the loss is small. The environment is also isolated.

Search engine phishing

Similar to the Twitter scam above, when you use search engines to download wallets, web3 and apps, you will most likely encounter fake websites and fake apps. Don’t download anything through small channels; only through official channels. For example, if you want to download a plug-in, please be sure to go to the Google Market and find the official plug-in. The one with the most downloads is the real one. Don’t download unknown plug-ins casually.

How to deal with it: Don’t use search engines anymore; search on Twitter instead; the link below the official tweet must be the official website. Authorization-detection and website-monitoring plug-ins are also required.

Airdrop NFT and token authorization scams

There is a lot of authorization phishing on every chain: BSC, ETH, SOL. Attackers airdrop NFTs to users in batches. A user follows the link in the airdropped NFT's description to the target website, connects the wallet and clicks "Mint" on the page, and an approval prompt appears. Note that the approval prompt shows no special warning at this point. Once it is approved, all SOL in the wallet is transferred away.

Summary of anti-theft measures for novices

1. Do not save private keys and mnemonics in plain text, do not take screenshots or photos, and do not upload private keys to the Internet. You can store mnemonics in offline storage (such as a USB flash drive, a mobile hard drive, a pad that is not connected to the Internet, etc.), and then make a handwritten backup;

2. Put large assets into cold wallets and encrypt the mnemonics;

3. Do not provide private keys to third-party wallet tools, applications, or websites;

4. Do not perform mindless authorization. When authorization is necessary, you must read the authorization information, cancel the authorization in time, and check regularly;

5. For exchange accounts, it is recommended to enable two-factor authentication 2FA. Whether you are using OKX, Binance, Bitget, Gate, etc., it is best to enable this verification. If you are using Google Authenticator, check whether your verification code is synchronized to your Google account. If it is synchronized to the cloud, it is recommended to cancel the verification and reset it.

6. Be sure to copy your transfer address fresh every time and check the address after pasting; the clipboard can also be attacked.
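What "read the authorization information" (item 4) and the approval prompt from the airdrop scam section amount to on EVM chains such as ETH and BSC, as an added example that is not part of the original article: the sketch decodes standard ERC-20/ERC-721 approval calldata and flags unlimited or untrusted grants. Solana approvals use a different format and are not covered; the spender address, the trusted list and the `needed` parameter are assumptions made for illustration.

```python
# Added example (not from the original article): decode the calldata of an
# EVM token approval so it can be read before signing. Sample values are constructed.
MAX_UINT256 = 2**256 - 1

# Standard 4-byte function selectors for approval calls.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def inspect_approval(calldata, trusted_spenders=frozenset(), needed=None):
    """Describe an approval call, or return None if calldata is not one."""
    text = calldata.lower()
    raw = bytes.fromhex(text[2:] if text.startswith("0x") else text)
    name = SELECTORS.get(raw[:4].hex())
    if name is None:
        return None
    # Two 32-byte words follow the selector; an address word has 12 zero bytes of padding.
    if len(raw) != 4 + 64 or any(raw[4:16]):
        raise ValueError("malformed approval calldata")
    spender = "0x" + raw[16:36].hex()
    value = int.from_bytes(raw[36:68], "big")
    warnings = []
    if spender not in trusted_spenders:
        warnings.append("spender is not on your trusted list")
    if name.startswith("setApprovalForAll"):
        if value:  # second argument is the bool "approved"
            warnings.append("operator can move every NFT in this collection")
    elif value == MAX_UINT256:
        warnings.append("unlimited token allowance")
    elif needed is not None and value > needed:
        warnings.append("allowance exceeds the amount this action needs")
    return {"function": name, "spender": spender, "value": value, "warnings": warnings}

# Constructed sample inputs: a made-up spender address and three calls.
SPENDER = "0x" + "11" * 20
WORD_ADDR = "00" * 12 + "11" * 20
UNLIMITED = "0x095ea7b3" + WORD_ADDR + "ff" * 32
NFT_ALL = "0xa22cb465" + WORD_ADDR + "00" * 31 + "01"
LIMITED = "0x095ea7b3" + WORD_ADDR + "00" * 31 + "64"  # allowance of 100 units

if __name__ == "__main__":
    for sample in (UNLIMITED, NFT_ALL, LIMITED):
        print(inspect_approval(sample, trusted_spenders={SPENDER}, needed=100))
```

An empty `warnings` list only means the call matches what you intended to grant; it says nothing about whether the contract behind the spender address is honest.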

Human safety

Don't be greedy, there is no such thing as a free lunch.

Don't be careless: the clipboard may be swapped; the transfer address may be fake; the other party may be a scammer; the account may be fake; the file or app may carry a virus; the contract may be a "Pixiu" (a honeypot token that can be bought but not sold).

Don’t be impulsive; check the contract first to see if it is correct; don’t rush and send to the wrong address.

The cryptocurrency world is like a dark forest; once assets are lost, it is almost impossible to recover them.

So, what we can do is to continuously improve our ability to prevent theft and fraud.

Otherwise, the money you have worked so hard to earn may end up being gone by accident, which can really make people feel desperate and miserable.

I hope everyone can make more money in web3 and, after reading this article, will not be robbed or cheated.

Later, I will bring you analysis of leading projects in other tracks. If you are interested, you can click to follow. I will also organize some cutting-edge consulting and project reviews from time to time. Welcome all like-minded people in the cryptocurrency circle to explore together.