How attackers steal cryptocurrency and how to defend your wallet.
Cryptocurrency wallets occupy a uniquely high-stakes security position because of how irreversible compromise typically is. Unlike banking fraud where regulatory frameworks and reversibility provide some safety net, crypto theft is essentially permanent — once funds leave your wallet to an attacker-controlled address, there is rarely any meaningful path to recovery. The financial loss potential is high; the recovery options are minimal.
Attackers invest heavily in crypto-targeting capabilities because of this combination — large potential payouts and minimal recovery. The threat landscape is more sophisticated than typical consumer security: clipboard hijackers replacing copied wallet addresses, malicious browser extensions targeting wallet interfaces, supply chain compromises of legitimate crypto software, fake wallet apps in app stores, address poisoning attacks via dust transactions.
For most crypto users, the protection priorities are concrete: hardware wallets for any non-trivial amounts, careful seed phrase storage (offline only, multiple copies in secure locations, never in cloud or photos), scepticism about every transaction interaction, and operational security awareness around what wallet addresses you publicise. Common mistakes — seed phrase in iCloud, hot wallet for life savings, signing transactions without verification — lead to total irreversible loss.
Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.
Users often back up seed phrases to cloud (iCloud Notes, Google Drive, password manager). When cloud account is compromised — even years later — attacker finds seed phrase and drains wallet. Highest-volume crypto theft pattern for typical users. Seed phrase should never be in cloud storage of any kind.
Sophisticated phishing impersonating wallet support, exchange support, or wallet recovery flows asking users to enter seed phrase to "verify ownership", "fix wallet issue", or "claim airdrop". Legitimate wallet operations NEVER require entering seed phrase anywhere except during initial wallet setup or recovery. Any request for seed phrase is by definition fraud.
Fake wallet apps that look like legitimate wallets (MetaMask, Phantom, Trust Wallet, etc.) periodically appear in app stores and slip through review. Funds sent to these wallets are immediately accessible to attacker; "wallets" capture seed phrases entered during setup. Major problem on Android due to easier app submission; less common but not absent on iOS.
Malware monitors clipboard for cryptocurrency addresses (recognisable patterns) and replaces them with attacker-controlled addresses. User pastes attacker address thinking they are pasting their copied address; transaction sent to attacker. Particularly dangerous because the attack is transparent — user does not realise the address changed.
Browser extensions with wallet-related permissions can manipulate wallet interfaces, intercept seed phrases entered, modify transaction details before signing. Some explicitly malicious; others legitimate but compromised by attacker. Browser extension hygiene matters significantly for crypto users.
When users interact with DeFi protocols, they grant token approvals to smart contracts. Malicious or later-compromised contracts can drain approved tokens. Excessive approvals (unlimited spend instead of specific amount) common; users rarely revoke approvals after using a service. Each unrevoked approval is potential attack vector.
Wallet software, related libraries, or dependencies compromised in supply chain attacks. Legitimate-looking updates contain malicious code that exfiltrates seed phrases or modifies transactions. Documented incidents have affected major wallet ecosystems. Users running latest version may be exposed if compromise occurred recently.
Attacker sends tiny "dust" transactions from addresses that look similar to addresses victim has previously transacted with. Victim copying from transaction history may copy the malicious address (looks similar) and send subsequent transactions there. Particularly common in well-known transaction patterns.
For users known to hold significant cryptocurrency, physical coercion or kidnapping attacks have been documented. The "$5 wrench attack" — coercion to access wallets via physical violence — is real and has occurred. Operational security around crypto holdings (not publicising, hardware wallets with PINs, multisig for large holdings) addresses this threat category.
Signs that your cryptocurrency wallets may have been compromised:
Most direct sign — funds moved without your action. Check transaction history for the outflow. Once funds have moved, recovery is rarely possible; immediate response is incident-management rather than fund-recovery.
If wallet shows pending outgoing transactions you did not initiate, immediate action required. May be possible to interfere if transaction not yet confirmed (depending on chain and circumstances); check wallet documentation for cancellation procedures.
Approvals, swaps, or other contract interactions you did not initiate indicate compromise. Even small unexplained transactions are concerning — sometimes attackers test access with small interactions before larger drainage.
If addresses you copy from one place are different when pasted, clipboard hijacking malware is present. Verify carefully on every transaction.
Any request to enter your seed phrase is fraud. No legitimate wallet operation, support process, or recovery procedure requires entering seed phrase except during initial setup or wallet recovery in your own wallet app. If seed phrase is requested, it is an attack.
UI changes, unexpected prompts, balance display issues that started after specific events (browser update, new extension installed, OS update, new app installed) suggest investigation.
Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.
Hardware wallets (Ledger, Trezor, Coldcard, BitBox, GridPlus) keep private keys on dedicated devices that never expose keys to internet-connected systems. Transactions are signed on the hardware device after physical confirmation. Defeats most software-based attacks. The cost ($50-200) is trivial compared to amounts being protected.
Seed phrase written on paper or stamped on metal (Cryptosteel, Billfodl, similar). Multiple copies in geographically-separated secure locations (home safe, bank safe deposit box, trusted family member). NEVER in iCloud, Google Drive, photos, password manager (debatable), email, or any electronic storage with cloud backup. Single seed phrase loss to compromise typically means total fund loss.
Clipboard hijacking and address poisoning specifically defeated by careful address verification. Look at first and last several characters; for high-value transactions, verify entire address. Use hardware wallet display (which shows actual address being signed) rather than relying on screen of compromised computer.
No legitimate purpose requires sharing seed phrase. Wallet "support" asking for seed phrase is fraud. "Recovery services" asking for seed phrase are scams. The rule has no exceptions; teach this to everyone in your life.
Common pattern: small amount in hot wallet (browser extension or mobile app) for active use; majority of holdings in hardware wallet, accessed only for occasional larger transactions. Limits exposure if hot wallet compromised; transactions on hardware wallet require physical access.
Tools like Revoke.cash, Etherscan token approvals, similar tools for other chains let you see and revoke smart contract approvals. Quarterly audit; revoke approvals to contracts no longer in active use. Particularly important after using DeFi protocols where unlimited approvals are common.
Browser extensions with wallet-related permissions are high-value targets for compromise. Use only well-established extensions from clear ownership. Audit installed extensions periodically. Consider dedicated browser profile for crypto activity with no other extensions.
Download wallet software only from official sources (official website typed directly, not via search results). Verify checksums where provided. Avoid wallet apps from unofficial app stores. Major wallet brands have been impersonated; due diligence on download sources matters.
Multi-signature wallets require multiple keys (typically 2-of-3 or 3-of-5) to authorise transactions. Even compromise of one key does not lead to fund loss. Operationally complex; appropriate for substantial holdings or organisational treasuries. Major wallets (Gnosis Safe, Casa, Unchained Capital, Nunchuk) provide multisig solutions.
High-profile crypto holders are targeted by both online attacks and physical attacks. Discretion about holdings, addresses, and identifying information reduces targeting. The crypto culture sometimes encourages public discussion of holdings; resist this for security reasons regardless of cultural pressure.
Many "airdrop" opportunities are wallet drains — interactions request signature that grants attacker access to existing tokens. If something seems too good to be true (free tokens for connecting wallet), it almost always is. Specifically, never sign transactions you do not understand; use tools that decode transaction details before signing.
Dedicated laptop or device used only for crypto, not used for general browsing/email/social media, dramatically reduces malware exposure. Higher-value users particularly benefit. The operational overhead is justified by the security improvement for substantial holdings.