Almost every crypto loss comes down to one of two things: you gave up your seed phrase, or you signed something you shouldn't have. Neither requires anyone to "hack" you — both rely on tricking you. The good news is that defending against them is mechanical. Work through the layers below from top to bottom; the earlier ones matter most.

The whole thing in one line: install the real wallet, never reveal your seed phrase, read every transaction before you sign, and revoke approvals you no longer use.

1. Install the real wallet in the first place

A counterfeit wallet captures your seed phrase the moment you type it, so protection starts before you install anything. Download only from the official site or store listing — never from a search ad, an email link, or a "mirror."

More on the ways fake downloads reach people: spotting a fake MetaMask extension and why search-ad downloads are dangerous.

2. Guard your seed phrase — the one unbreakable rule

Your recovery phrase restores full control of your wallet on any device. It can't be reset and isn't rate-limited: one disclosure is total, irreversible loss.

Never enter your seed phrase anywhere except your own wallet's recovery screen, when you deliberately restore it. No legitimate site, app, support agent, or "wallet migration" page ever needs it. A request for your seed phrase is, by itself, proof of a scam. Store it offline on paper or steel — never a screenshot, cloud note, or password manager. Full breakdown: seed phrase phishing and how to avoid it.

3. Read what you sign — this is how drainers work

Modern DeFi security is less about stolen keys and more about malicious signatures. A wallet drainer doesn't need your seed phrase — it needs you to approve one transaction. That approval can grant a contract permission to move your tokens, or transfer an asset outright.

  • Slow down on any request to "connect," "approve," or "sign." Read the plain-language summary your wallet shows.
  • Be suspicious of unlimited token approvals and of signature requests you didn't initiate.
  • Prefer wallets that simulate a transaction and warn on risky ones before you confirm — MetaMask now does this natively, and Rabby is built around it (see MetaMask vs Rabby).

4. Audit and revoke old approvals

Every approval you've ever granted stays live until you remove it — including ones to contracts that later turn malicious. Most wallets now let you review and revoke token approvals from their own settings; do it periodically and remove anything you no longer actively use. Think of it as closing doors you left open months ago. For how these approvals get abused in the first place, see how wallet drainers work.

5. Reduce your attack surface

  • Use a hardware wallet for meaningful balances. Keys stay offline and every transaction needs a physical confirmation. Weigh it up in hardware vs software wallets.
  • Separate wallets by purpose. Keep a "hot" wallet with small amounts for minting and dapps, and a cold wallet you rarely connect for savings.
  • Watch what you paste. Attackers seed your history with lookalike addresses — always check the full address, not just the first and last characters. See address poisoning.

Two reflexes that prevent most losses: if something asks for your seed phrase, it's a scam — close it. If you don't fully understand a transaction, don't sign it.
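The checks behind sections 3, 4 and 5, as an added example that is not WalletGuard's code nor any wallet's own implementation: it decodes an ERC-20 `approve()` request, flags an unlimited allowance, builds the `approve(spender, 0)` call that a revoke button sends, and compares a pasted address in full rather than by its first and last characters. The spender address and calldata are constructed sample values; the allow-list of trusted spenders is an assumed user-maintained input.

```javascript
// Added example (not WalletGuard's code): inspect an ERC-20 approve() request
// before signing, and build the matching revoke call. Assumes the wallet exposes
// the raw calldata as a 0x-prefixed hex string. No external library needed.

const APPROVE_SELECTOR = "095ea7b3";      // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;    // the value dapps send for "unlimited"

// Parse approve(spender, amount). Returns null if this is not an approve() call.
function decodeApprove(calldata) {
  const hex = calldata.replace(/^0x/i, "").toLowerCase();
  if (hex.length !== 8 + 64 + 64 || !hex.startsWith(APPROVE_SELECTOR)) return null;
  return {
    spender: "0x" + hex.slice(8 + 24, 8 + 64), // address is right-aligned in its 32-byte word
    amount: BigInt("0x" + hex.slice(72)),
  };
}

// Classify an approve() request against a spender allow-list the user maintains.
function classifyApproval(calldata, trustedSpenders) {
  const call = decodeApprove(calldata);
  if (!call) return { risk: "not-an-approval" };
  const trusted = trustedSpenders.some((s) => s.toLowerCase() === call.spender);
  if (call.amount === 0n) return { ...call, risk: "revoke" };
  if (call.amount === MAX_UINT256) return { ...call, risk: trusted ? "unlimited-trusted" : "unlimited-unknown" };
  return { ...call, risk: trusted ? "limited-trusted" : "limited-unknown" };
}

// Build approve(spender, 0): the transaction a "revoke" button sends.
function encodeRevoke(spender) {
  const addr = spender.replace(/^0x/i, "").toLowerCase();
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + "0".repeat(64);
}

// Address-poisoning check: the whole address must match, not just the ends.
function sameAddress(a, b) {
  return a.toLowerCase() === b.toLowerCase();
}

// Constructed sample: an unlimited approval to a spender not on the allow-list.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_CALLDATA =
  "0x" + APPROVE_SELECTOR +
  SAMPLE_SPENDER.slice(2).padStart(64, "0") +
  MAX_UINT256.toString(16).padStart(64, "0");

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyApproval(SAMPLE_CALLDATA, []));   // risk: "unlimited-unknown"
  console.log(encodeRevoke(SAMPLE_SPENDER));
}
```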

A note on what protection can and can't do

No checklist makes you unhackable — social engineering evolves. What these habits do is remove the easy wins attackers rely on. WalletGuard is an independent verified-download directory and checksum tool; we don't sell a wallet, extension, or "protection" product. We make the official path and verification discipline easier to follow. Always confirm URLs, extension IDs, and contract addresses yourself when funds are involved.

Frequently asked questions

What is the single most important way to protect a crypto wallet?

Never enter your seed phrase anywhere except your own wallet's recovery screen. It's the master key, and disclosing it means total, irreversible loss. Every other step is secondary to that one rule.

How do wallet drainers empty a wallet without my seed phrase?

They trick you into signing a malicious transaction or token approval, which grants permission to move your tokens — so they never need your seed phrase. Read every transaction before signing and revoke approvals you don't use.

How do I know a wallet download is safe?

Download only from the official source, confirm the extension ID or publisher, then verify the file's SHA-256 against the developer's published value with the WalletGuard verifier.

Does a hardware wallet stop phishing?

It blocks a lot by keeping keys offline and forcing physical confirmation, but it can't save you if you approve a malicious transaction on the device. You still have to read what you're signing.