Wallet Safety Checklist: Cold vs Hot, Seed Phrases, Common Scams

Cold Wallets vs Hot Wallets

Hot Wallets (Software/Online)

Hot wallets are connected to the internet. Examples: MetaMask, Coinbase Wallet, Trust Wallet, Exodus.

Pros:

• Free and easy to set up
• Convenient for frequent transactions
• Good for small amounts and daily use

Cons:

• More vulnerable to malware, phishing, and online attacks
• Private keys stored on device (phone/computer) can be compromised
• If your device is hacked, your wallet could be drained

Cold Wallets (Hardware)

Cold wallets are physical devices that store private keys offline. Examples: Ledger, Trezor, KeepKey.

Pros:

• Private keys never leave the device (even when connected to computer)
• Require physical button press to confirm transactions
• Most secure option for large amounts
• Immune to computer malware (unless device is physically compromised)

Cons:

• Cost: $50-$200 for hardware device
• Less convenient for frequent transactions
• Need to connect to computer/phone for transactions

Recommendation

Use hot wallets for daily spending (small amounts). Use cold wallets for savings, long-term holdings, or amounts over $1,000-$5,000. Think of it like cash vs a bank vault.

Seed Phrase Security

Your seed phrase (recovery phrase) is 12-24 words that can recover your entire wallet. Lose it, and you lose access. Share it, and you lose your funds.

Seed Phrase Best Practices

1. Write it down on paper: Never store it digitally (screenshots, cloud storage, notes apps). Paper is safe from hackers.
2. Store multiple copies: Keep copies in separate secure locations (safe deposit box, fireproof safe, trusted family member). One location gets destroyed? You have backups.
3. Never share it: Legitimate services never ask for your seed phrase. If someone asks, it's a scam.
4. Verify the recovery phrase: When setting up a wallet, write down all words, then verify by entering them back to ensure accuracy.
5. Use a metal backup: For long-term storage, consider metal seed phrase backups (Cryptosteel, Billfodl) that survive fire/water damage.

Common Seed Phrase Mistakes

• Storing digitally: Screenshots, text files, or cloud storage are vulnerable to malware/hackers
• Taking photos: Never photograph your seed phrase with your phone (cloud backups can expose it)
• Sharing with "support": Scammers pose as wallet support and ask for seed phrases. Real support never asks.
• Not verifying: Typos in seed phrases mean you can't recover your wallet. Always verify during setup

Common Wallet Scams

1. Phishing Websites

Fake websites that look like real wallets (e.g., "metamask-wallet.io" instead of "metamask.io"). They steal seed phrases when you enter them.

How to avoid:

• Always verify URLs. Check for typos, wrong domains
• Use bookmarks for frequently visited sites (don't click links in emails/messages)
• Look for HTTPS (padlock icon) but note: scammers also use HTTPS
• Use official links from wallet websites, not search engine ads

2. Fake Wallet Apps

Scammers create fake wallet apps that look like legitimate ones. Once installed, they steal your seed phrase or private keys.

How to avoid:

• Download only from official app stores (Google Play, Apple App Store)
• Check developer name. Verify it matches the official company
• Read reviews carefully. Fake apps often have fake positive reviews
• Check download count. Legitimate wallets have thousands/millions of downloads

3. Social Engineering

Scammers contact you via email, Discord, Telegram, or Twitter pretending to be support. They ask for seed phrases or ask you to "verify" by sending funds.

How to avoid:

• Legitimate support never asks for seed phrases or private keys
• Never click links in unsolicited messages
• Contact support through official websites only
• If someone says your wallet is "compromised" and needs "verification," it's a scam

4. Contract Approval Scams

Scammers trick you into approving malicious smart contracts that can drain your wallet. You approve a contract thinking it's legitimate, but it has a backdoor.

How to avoid:

• Always verify contract addresses on Etherscan before approving
• Be wary of unlimited approvals. Revoke unnecessary approvals using Revoke.cash
• Read contract code if possible, or check if it's been audited
• Don't approve contracts from unknown sources or suspicious links

5. Airdrop Scams

Scammers send fake tokens to your wallet. When you interact with them (claiming an "airdrop"), they drain your wallet or trick you into approving malicious contracts.

How to avoid:

• Ignore unexpected airdrops. Legitimate projects announce them publicly
• Never interact with unknown tokens or contracts
• Don't click links in token names or descriptions

Wallet Security Checklist

Use this checklist when setting up or reviewing your wallet security:

Setup Phase

• Downloaded wallet from official source only
• Verified seed phrase written down correctly (tested recovery)
• Stored seed phrase on paper, not digitally
• Created multiple secure backups of seed phrase
• Set up PIN/password protection on wallet

Daily Use

• Verified website URLs before connecting wallet
• Checked contract addresses on Etherscan before approving
• Used hardware wallet for large amounts ($1,000+)
• Revoked unnecessary token approvals regularly
• Kept wallet software updated

Ongoing Security

• Never shared seed phrase with anyone
• Ignored unsolicited support messages
• Used bookmarks for frequently visited DeFi sites
• Enabled 2FA on exchange accounts (if applicable)
• Reviewed transaction history regularly for suspicious activity

What To Do If Compromised

If you suspect your wallet is compromised:

1. Move funds immediately: If you still have access, send funds to a new wallet ASAP
2. Don't interact further: Stop all transactions until you secure your wallet
3. Create a new wallet: Generate a new wallet with a new seed phrase
4. Revoke approvals: Use Revoke.cash to revoke all token approvals from the compromised wallet
5. Report the scam: File reports with relevant authorities (FBI IC3, local police if significant loss)

Prevention is better than recovery. Most compromised wallets lose funds permanently since crypto transactions are irreversible.

Additional Resources

• Learn about reading smart contracts before approving them
• Understand how smart contracts work to avoid malicious approvals
• Check out Revoke.cash to manage token approvals
• Verify contract addresses on Etherscan