Best practices for securing a crypto wallet

Sat Nov 22 2025

This guide is a concise, practical checklist for crypto wallet security. It focuses on steps that reduce real‑world loss risk, with clear defaults.

TL;DR checklist

Use a hardware wallet (or air‑gapped signer); disable blind signing
Store the seed phrase offline (metal backup), never in cloud/notes/photos
Add a passphrase (BIP‑39 25th word) and keep it separate from the seed
For large funds, use multisig or MPC (t‑of‑n) with different device vendors
Verify on‑device what you sign; prefer EIP‑712 typed data over arbitrary data
Regularly revoke token approvals; use tight spending allowances
Keep devices updated, locked down, and phishing‑resistant
Back up securely; test recovery; document break‑glass steps
Monitor addresses and set withdrawal limits/alerts where supported
Segment funds across separate wallets (spend/trade/cold) to reduce blast radius
Source hardware from official vendors; set strong PIN + passphrase day‑one

1) Choose the right wallet model (threat model first)

Hot wallet (browser/phone): convenient but higher phishing/malware risk
Hardware signer: private keys on device; confirm on‑device before signing
Air‑gapped: QR/PSBT flow; excellent isolation, more friction
Custodial: operational controls and insurance vary; assume API/insider risks

Rule of thumb:

Daily spending: hot + hardware signer
Treasury/savings: multisig/MPC with policy controls and multiple vendors

Segmentation:

Maintain separate wallets for “spend,” “trading,” and “treasury” with different security policies
Never connect treasury wallets to dApps; use them only for cold storage movements
Do not reuse addresses across contexts; label wallets clearly in your tracker

2) Generate and store your seed phrase safely (BIP‑39)

Generate offline on the device, never on a connected computer or website. Back up on paper or metal; avoid digital photos or cloud sync. Consider adding a BIP‑39 passphrase (the “25th word”) for plausible deniability and extra protection.

Key tips:

Never type seeds on an internet‑connected machine
Keep seed and passphrase in separate locations; test recovery before funding
Store backups in geographically separate locations; protect against fire/flood
If using steel plates, ensure correct word order and checksum before sealing

Ensure firmware is authentic and up to date
Disable blind signing; require clear, on‑device prompts (address, amount, contract)
For EVM chains, prefer EIP‑712 typed data signing over eth_sign
Buy devices directly from the manufacturer or authorized resellers
Use a strong PIN; enable passphrase; lock device on disconnect
Turn off Bluetooth if not needed; avoid pairing on untrusted networks

4) Multisig or MPC for high‑value funds

Use t‑of‑n with different device vendors and storage locations
Require two‑person approval and policy controls (limits, time locks, allowlists)
For EVM, consider Gnosis Safe (Safe Multisig) or enterprise MPC providers (with export and recovery plans)
Document a recovery plan that works if one signer is lost or a vendor sunsets
Separate approvers and initiators; log and review policy changes

5) Safer transaction signing (EIP‑712)

Typed data makes intent human‑readable and reduces phishing risk.

Recommendations:

Always verify the domain (name, chainId, contract) and values on‑device
Reject signing on unexpected chains or contracts; compare to your allowlist
Beware signatures that grant approvals (permit, setApprovalForAll) or change owners
Simulate transactions in a trusted simulator before final confirmation when possible

6) Token approvals and allowances

Unlimited approvals are a common loss vector. Use small, per‑use allowances and revoke after use.

Review approvals regularly with a reputable revoke tool; clean up stale approvals
Prefer per‑transaction or small‑limit approvals over “unlimited” allowances
Maintain an allowlist of trusted spenders; verify before granting
Set a recurring calendar reminder (e.g., monthly) to review and revoke allowances
Pay special attention to NFT marketplace approvals and “Permit2” style delegations

7) Bitcoin PSBT: offline signing

Use PSBT for air‑gapped signing flows.

Tips:

Verify addresses on-device; do not trust clipboard/QR alone
Use descriptor‑based wallets to avoid address‑type mismatches
Keep an air‑gapped signer dedicated to PSBT workflows; avoid mixing with hot usage

8) Encrypt hot keys at rest (apps and bots)

If you must store a hot key (market‑maker, bot), encrypt it with a strong key from a secrets manager and protect the host.

Hardening:

Short‑lived hosts; minimal packages; no shared users; strict outbound firewall
Limit key lifetime; rotate; scope API keys to specific actions
Use an OS keychain, HSM, or reputable secrets manager; avoid plaintext keys on disk
Restrict access with strong OS permissions and audit access regularly
Separate hot keys from the app server role (e.g., sidecar or isolated service)

9) Device hygiene and phishing resistance

Keep OS/firmware/browser updated; disable risky extensions
Use dedicated devices/profiles for crypto; block USB autorun; prefer hardware keys (FIDO2) for accounts
Type URLs; bookmark official sites; verify certificates; beware homograph domains
Never import seeds to browser extensions unless absolutely necessary
Use passkeys or TOTP (not SMS) for exchange/custodian accounts
Treat “support” DMs and wallet pop‑ups with suspicion; verify via official channels

10) Backups and recovery

Back up seed phrases on metal; store passphrase separately
Consider Shamir Secret Sharing (SLIP‑39) or multisig for social recovery
Practice recovery with a small amount; document break‑glass procedure
Destroy scratch notes and printer memory; avoid photocopies/photos
Include step‑by‑step recovery docs in sealed envelopes; test annually with a small balance
Record derivation paths or wallet type to avoid restoration surprises

11) Monitoring and policies

Watch addresses on chain; set email/SMS/Telegram alerts for large movements
Use allowlists and spending limits when supported by custodians/wallets
For teams: require two‑person review, time‑locks, and change management for policies
Label addresses in your tracker; detect dusting attacks and ignore unknown tiny inflows
Maintain a “known contacts” list to avoid clipboard/QR swap attacks

12) Supply chain and downloads

Verify firmware signatures and checksums; download from official sources
Prefer open‑source, widely‑audited libraries; pin versions; review permissions
Be cautious with browser extensions; check permissions and maintainer history
Store firmware files securely; do not install from links sent in chats

13) Operational and travel security

Do not travel with your main seed; use a minimal balance travel wallet
Keep devices and cables in your possession; avoid public chargers
Use a VPN and trusted networks; avoid signing on shared or kiosk machines
Prefer watch‑only wallets while on the move; defer actions until back in a trusted setup

14) Incident response (if something goes wrong)

Move remaining funds immediately to a clean wallet you control
Revoke approvals on affected addresses; rotate keys and change passwords
In multisig setups, remove compromised signers and reconstitute with new keys
Document what happened; notify impacted parties and tighten policies to prevent recurrence

15) Inheritance and succession planning

Define who can recover funds and under what conditions (legal + technical)
Use sealed instructions and time‑delayed access; consider professional executors
Test the plan with small amounts and an external reviewer for clarity

16) Common scams to avoid

Fake support or “refund” agents asking you to sign or share a seed
Airdrop/drainer sites prompting unlimited approvals or blind signatures
Malicious wallet updates and phishing sites with look‑alike domains
QR/clipboard swapping malware redirecting your destination address