Recently, a massive scam broke out where many users of Trezor hardware wallets were affected.
Yes, most scams and hacks occur when you hold your Bitcoin on exchanges or with custodians, but when you custody your own Bitcoin the highest risk comes from social engineering.
There are steps you need to take and a mindset you need to maintain to avoid scams when custodying your own Bitcoin.
Self-custody: don’t get scammed
Trezor released the news of a hack on their email provider.
If you are holding your Bitcoin in any type of self-custodial wallet (Ledger, Trezor, a mobile wallet, etc.), please remember that this does not mean you are 100% free from the risk of people stealing your Bitcoin.
The one thing you need to always remember is that maintaining custody of your Bitcoin is not a completely passive activity. Security needs to be checked and maintained over the long term.
As the price of Bitcoin goes up (yes, it will) the quality of the hacker goes up as well.
Below is a post from a recent Trezor victim:
Trezor (like Ledger and other hardware wallet providers) keeps a list of its clients' details, including their email addresses. This is used for newsletters, marketing efforts and other purposes.
Trezor uses Mailchimp as its email provider to send emails to all of its users. Hackers breached Mailchimp (not Trezor) and got hold of Trezor's mailing list.
The hackers then sent a fake breach notification to those users, prompting them to visit a fake site hosting a fake copy of the wallet application, which told them to urgently update their software so as not to lose their crypto.
The fake application asked the users to enter their 24 words (seed phrase). That gave the hackers the seed phrases, and with them the users' private keys. They then simply swept the Bitcoin out of the wallets and the users lost everything.
Now, this sounds like an easy scam and one would ask, ‘how can you be so stupid???’
I assure you, this has happened to many people who are the furthest thing from dumb – they were simply human beings who are prone to making mistakes, as we all do.
The number one rule from all of this is: if you have a hardware wallet and you saved the 12 to 24 word seed phrase, you must never, never, never enter those words online.
If you find yourself typing these words on your computer’s or phone’s keyboard – you are probably being scammed.
The wallet provider (Trezor, Ledger and others) will never ask you to provide them your seed phrase – it is just that simple.
The seed phrase is only ever entered on the device itself and nowhere else. This is because a hardware wallet holds the private keys offline on the device; the application on your computer or phone never needs to see them.
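The scam described above works through two signals that can be checked before anyone clicks anything: a sender or link domain that only looks like the vendor's, and urgent wording that asks for the seed phrase. The script below is an added example, not code from Bitvice or Trezor, that triages a raw email offline for exactly those red flags. Both messages in it are constructed for illustration (they are not the real emails from the incident), the trusted-domain list is an assumption, and the domain comparison is a deliberately crude "last two labels" rule.

```python
"""Offline triage of a suspected wallet-vendor phishing email (added example).
The two messages below are constructed for illustration, not the real emails."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the vendor is known to send from (assumption for this example).
TRUSTED_DOMAINS = {"trezor.io"}
# Wording typical of the scam: manufactured urgency plus a request for the seed.
URGENCY_PATTERNS = [r"\burgent\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\bor (you will )?lose\b"]
SEED_PATTERNS = [r"\bseed\b", r"\brecovery phrase\b", r"\b(12|24)[- ]words?\b", r"\bprivate keys?\b"]

# Constructed phishing sample: look-alike sender, link text that differs from the href.
PHISHING_EMAIL = """\
From: Trezor Security <security@trezor-io.com>
Subject: URGENT: data breach, update your wallet now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a breach. Update your firmware <b>immediately</b>
or you will lose your crypto.</p>
<p>Go to <a href="https://suite.trezor-io.com/update">https://suite.trezor.io</a>
and enter your 24-word recovery seed to re-secure your device.</p>
</body></html>
"""

# Constructed benign sample: real vendor domain, no urgency, no seed request.
BENIGN_EMAIL = """\
From: Trezor <newsletter@trezor.io>
Subject: Monthly newsletter
Content-Type: text/plain; charset="utf-8"

Read about this month's new features at https://trezor.io/blog.
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for .io/.com, not for co.uk-style TLDs."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url_or_host):
    # Accept a full URL or a bare host name.
    if "://" not in url_or_host:
        url_or_host = "https://" + url_or_host
    return registrable_domain(urlparse(url_or_host).hostname or "")


def analyse(raw):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = domain_of(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not a known vendor domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        links = collector.links
    else:  # plain text: bare URLs only, no display text to compare against
        links = [(url, "") for url in re.findall(r"https?://\S+", content)]
    for href, shown in links:
        href_domain = domain_of(href)
        if shown and "." in shown and domain_of(shown) != href_domain:
            findings.append(f"link text shows {domain_of(shown)!r} but points to {href_domain!r}")
        elif href_domain not in TRUSTED_DOMAINS:
            findings.append(f"link points to untrusted domain {href_domain!r}")
    text = str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", content)
    if any(re.search(p, text, re.I) for p in URGENCY_PATTERNS):
        findings.append("urgency language")
    if any(re.search(p, text, re.I) for p in SEED_PATTERNS):
        findings.append("asks for seed phrase or private key (a vendor never does this)")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse(raw))
```

The constructed phishing message trips all four checks (look-alike sender domain, link text that does not match the link target, urgency wording, and a request for the seed), while the benign newsletter trips none. The seed-phrase check is the one that matters most: as the post says, no wallet provider ever needs those words, so any message asking for them can be discarded without investigating the rest.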
At Bitvice, we don’t use Mailchimp. We will never reach out to you directly by email, Twitter, Facebook or any other medium to ask you to confirm your seed phrase. We don’t need it, because you, and only you, maintain and control your Bitcoin.
If a wallet provider does ask you to update its firmware or software, this does not automatically mean it is a scam. Always check the validity of the notice on online forums before acting on anything. And if you don’t update your wallet for a number of years, it might stop working with the latest application on your computer or phone.
This doesn’t mean your Bitcoin is lost – your private keys will last forever because Bitcoin’s protocol is unchangeable. There will always be a way to access your Bitcoin via your private keys/seed phrase. Just always check, before actioning anything.
Some other security tips:
- Get a hardware wallet if you don’t have one. If you currently have a mobile wallet, that is certainly a safe way to hold your Bitcoin. But as the value of your Bitcoin grows, learn more about hardware wallets and write down the steps you will take to move your Bitcoin to one. Mobile wallets are always online (if you have an active phone), so they are more exposed to attack vectors. Hardware wallets are offline whenever they are not connected to your laptop or mobile, and they are devices dedicated entirely to storing your private keys. If you haven’t already, also consider a multisig setup. You can always contact us at firstname.lastname@example.org if you want to learn more.
- Keep performing health checks on your self-custody setup. However you hold your Bitcoin (mobile, hardware or multisig), work out how to verify, at least annually, that you have 100% access to your Bitcoin.
Widen the scope of your health checks. Determine what you need to do if you lose one set of 24 words. Where can you get access to the second copy? What do you do if something happens to you and your beneficiaries need to get access to your Bitcoin?
These questions might seem silly at this point, but Bitcoin’s price will go where it needs to go, and this asset is going to become a serious part of your portfolio. Self-custody means responsibility. There are countless methods shared online for maintaining security (but beware of insidious articles). Once again, Bitvice is always here to help as well.
- Maintain your privacy. Don’t talk about how much Bitcoin you have or how you self-custody it. The only person who should know is the person who needs to access it in case anything happens to you. This is an asset that sits outside the reach of banks and custodians. Bitcoin allows one to be completely sovereign, and privacy is an absolute necessity for self-sovereignty.
I hope this helped. Yes, some of it may seem scary, but remember that it is WAY scarier to keep your Bitcoin with someone else. The risk of doing that is much larger over the long term than the risk of simply holding it yourself.
And lastly, the best engineers in the world are working on the betterment of Bitcoin self-custody. This is all going to become easier and easier over time – so just keep learning, don’t trust, just verify.