Crypto wallets require users to be their own bank — including their own bank security team, fraud department, and insurance provider. The result: cryptocurrency theft is a multi-billion-dollar industry with sophisticated adversaries specifically targeting retail investors. In 2022–2024, attackers stole an estimated $10B+ from individual wallet holders through phishing, approval draining, SIM swap attacks, and supply chain compromises. Unlike traditional finance, where fraud is typically reversible (banks can claw back fraudulent transactions), blockchain transactions are final and pseudonymous — once funds leave your wallet, recovery is essentially impossible unless law enforcement identifies the specific attacker. This entry covers the threat model any active crypto user faces and the specific countermeasures for each attack vector.
Attack Vector 1: Phishing — Fake Websites and Wallets
How it works: Attackers create convincing replicas of legitimate platforms:
- app-uniswap.org instead of app.uniswap.org (subdomain swap)
- metamaask.io instead of metamask.io (typosquat)
- Google/Bing ads for “MetaMask download” pointing to malware sites
- Fake support staff in Discord/Telegram sending “official” site links
- Email phishing impersonating Ledger, Coinbase, exchanges
What happens when you connect: The fake site shows a MetaMask transaction request that is actually:
- A transferFrom or approve call giving the attacker infinite allowance on all your tokens
- A setApprovalForAll call (for NFTs) authorizing the attacker to move all your NFTs
- A permit signature (EIP-2612) — an offline signature that authorizes a token transfer without a gas transaction
Defense:
- Bookmark legitimate sites; never click links in emails or messages
- Double-check the exact URL in the browser address bar before signing anything
- Read MetaMask transaction details carefully — if you’re “approving” or “permit signing,” understand what you’re authorizing
- Use browser extensions like Pocket Universe, Fire, or Wallet Guard that decode transaction intent
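The URL check above, as an added example that is not part of the original entry: a small classifier that compares a URL's hostname against a constructed bookmark allowlist and flags the subdomain-swap and typosquat patterns named in this section (plus punycode and brand-in-subdomain lookalikes). The allowlist, the two-label "registrable domain" rule and the edit-distance threshold are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the user's bookmarks (assumption: one entry per trusted site).
BOOKMARKED = {"app.uniswap.org", "metamask.io", "revoke.cash"}

def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'app.uniswap.org' -> 'uniswap.org' (no public-suffix list; assumption)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Label a URL the way a pre-signing check in a wallet extension might."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in BOOKMARKED:
        return "trusted"
    labels = host.split(".")
    if any(l.startswith("xn--") for l in labels):
        return "lookalike:punycode"            # IDN homoglyph domains surface as xn-- labels
    known = {registrable_domain(b) for b in BOOKMARKED}
    reg = registrable_domain(host)
    if reg in known:
        return "unknown-subdomain"             # same registered domain, but not the bookmarked host
    def squash(h): return h.replace(".", "").replace("-", "")
    if any(squash(host) == squash(b) for b in BOOKMARKED):
        return "lookalike:subdomain-swap"      # app-uniswap.org vs app.uniswap.org
    brands = {k.split(".")[0] for k in known}
    if brands & set(labels[:-2]):
        return "lookalike:brand-in-subdomain"  # app.uniswap.org.evil.example
    if any(edit_distance(reg, k) <= 2 for k in known):
        return "lookalike:typosquat"           # metamaask.io vs metamask.io
    return "unknown"
```

Anything other than "trusted" is a reason to stop and compare the address bar with the bookmark before signing.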
Attack Vector 2: Malicious Token Approvals (Approval Draining)
How token approvals work: When you use a DEX (Uniswap, Curve), you first sign an “approve” transaction allowing the DEX contract to spend your tokens. Standard practice: infinite approval (a MAX_UINT256 allowance) so you never need to re-approve.
The exploit:
- You use a legitimate DEX → give the DEX contract infinite approval on your USDC
- Later, that DEX contract (or a related exploitable contract) is compromised
- Attacker uses the existing infinite approval to drain all your USDC from your wallet
- You didn’t need to do anything after the initial approval — the approval persists forever
Variants:
- Direct approval drain: Approvals to malicious contracts you accidentally approved on phishing sites
- Protocol hack drain: Legitimate contracts you approved that get exploited later (Uniswap V2 approval still valid years after)
- NFT setApprovalForAll: One signature authorizes transfer of all NFTs in your entire collection
Defense:
- Use Revoke.cash: Lists all your outstanding token approvals; revoke any old/unused ones
- Use Permit2 (Uniswap): Uniswap V4 and Permit2 allow time-limited approvals — the approval expires after the transaction rather than persisting indefinitely
- Limit approval amounts: Set approvals to the exact amount you’re spending rather than infinite (higher gas cost but safer)
- Regularly audit approvals: Review approvals on a fresh wallet address quarterly
Attack Vector 3: Clipboard Hijacking — Address Substitution
How it works: Malware monitors your clipboard. When it detects a copied Bitcoin/Ethereum address (format matching), it silently replaces it with the attacker’s address.
Result: You copy your exchange deposit address → paste it into your wallet → send crypto to the attacker’s address instead of your exchange.
This is the most common simple theft vector: it is easy to deploy as browser-extension malware or as an ordinary Windows/macOS clipboard-monitoring program.
Defense:
- Always double-check the first 6 and last 6 characters of a pasted address before confirming
- Alternatively: scan a QR code instead of copying text (QR codes can’t be clipboard-hijacked)
- Hardware wallets (Ledger, Trezor) display the destination address on the hardware device screen — if clipboard malware substituted the address, you see the attacker’s address on the Ledger screen and can reject the transaction
Attack Vector 4: SIM Swap Attacks
Target: Your cryptocurrency exchange account (Coinbase, Binance, Kraken).
How SIM swap works:
- Attacker gathers your personal information (name, phone number, last 4 digits of SSN — often from data breaches)
- Calls your mobile carrier impersonating you
- Claims they have a new SIM and want to transfer your number
- Carrier ports your phone number to attacker’s SIM
- Attacker now receives all SMS messages for your phone number
- Uses SMS 2FA to log into your exchange account and drain funds
Notable cases: Multiple high-profile crypto holders have lost $1M–$10M+ through SIM swap attacks. The carrier vulnerability is the root cause.
Defense:
- Never use SMS 2FA for crypto exchanges. Use authenticator app (Google Authenticator, Authy) or hardware security key (YubiKey) instead.
- Add a PIN lock to your mobile carrier account (a carrier-specific setting that requires the PIN before any account changes — call your carrier)
- Use a separate email address (unknown to anyone) for crypto exchanges — preventing attackers from knowing which exchange to target after SIM swap
Attack Vector 5: Hardware Wallet Bypass Attempts
Hardware wallets (Ledger, Trezor) are the gold standard for crypto security — the private key never leaves the device. But attacks exist:
Evil maid attack: Physical access to your hardware wallet + compromised computer. Malware on the computer modifies what the hardware wallet displays when you sign a transaction.
- Defense: Always read the hardware wallet screen display, not your computer screen
Blind signing: Some hardware wallet integrations show only “approve transaction” rather than the actual transaction data (when the contract ABI isn’t recognized). Users approve without knowing what they’re approving.
- Defense: Only sign transactions where you understand the decoded details; disable blind signing in Ledger settings if possible
Phishing for seed phrase: Fake Ledger/Trezor support asks for “recovery phrase” to “sync” or “restore” your device.
- Defense: No legitimate company ever needs your seed phrase. Your 24-word seed phrase is for YOU ONLY. Anyone asking for it is a thief.
Supply chain attacks: Compromised hardware devices (pre-installed firmware with backdoors).
- Defense: Buy hardware wallets ONLY from official manufacturer websites (Ledger.com, Trezor.io) — never from Amazon, eBay, resellers (even if “sealed”)
Seed Phrase Storage Best Practices
Your seed phrase (12 or 24 words) is the master key to your wallet. If lost: funds gone forever. If stolen: funds gone forever.
What NOT to do:
- Store in a notes app on your phone or computer (can be accessed by malware)
- Take a photo of seed phrase (photos sync to cloud; cloud accounts are phishable)
- Store digitally anywhere (email drafts, Google Drive, encrypted file — all have failure modes)
- Store in a password manager (one breach loses everything)
Best practices:
- Write the seed phrase on paper using permanent ink
- Consider engraving on a steel plate (fireproof, waterproof) — products: Cryptosteel, Bilodeau, Coinplate
- Store in multiple physical locations (safety deposit box + home safe + trusted person)
- Never photograph or digitize the seed phrase for any reason
- Test recovery: Set up a new wallet from the seed phrase to confirm it’s correct before storing large funds
Hardware Wallet Comparison
| | Ledger Nano X | Trezor Model T | GridPlus Lattice1 |
|---|---|---|---|
| Screen | Small color | Color touchscreen | Large color touchscreen |
| Multi-chain | Extensive (Bitcoin, ETH, all EVM, Solana) | Good (fewer altcoins) | Excellent |
| App required | Ledger Live | Trezor Suite | GridPlus app |
| Open source | Closed-source firmware | Fully open source | Partially open |
| Price | ~$149 | ~$180 | ~$350 |
| Notable | Most popular; 2023 recovery service controversy (opt-in) | No closed-source components | Advanced safecards; best for DeFi users |
Ledger Recover controversy (2023): Ledger announced an optional service allowing seed phrase recovery through identity verification (split and store seed with Ledger + two partners). The crypto community reacted strongly negatively — a hardware wallet that can transmit seed phrase fragments is not a “hardware wallet” in the traditional sense. The service is opt-in and the firmware update was rolled back after backlash, but the controversy raised questions about Ledger’s architecture.
Multi-Signature Wallets for Large Holdings
For holdings over $100,000–$1M+, a single hardware wallet is insufficient operational security:
- It is a single point of failure (hardware failure, loss, or theft)
Multi-signature (multisig): Requires M of N signatures to execute transactions (e.g., 2-of-3: any 2 of 3 authorized signers must approve).
Options:
- Safe (formerly Gnosis Safe): Standard Ethereum multisig. Used by major DAOs and individuals. Web interface + mobile app. Multiple hardware wallets can be signers.
- Casa: Managed multisig solution for individuals. 2-of-3 or 3-of-5. Casa holds one emergency key. Good for non-technical users.
- Unchained Capital: Bitcoin multisig; collaborative custody; Unchained holds one key as emergency backup.
2-of-3 setup recommendation (for large holders):
- Key 1: Ledger Nano X (daily use, at home)
- Key 2: Trezor Model T (backup, different location or safety deposit box)
- Key 3: Paper key (fireproof safe, carefully secured seed → paper wallet)
- Any 2 keys can transact; losing 1 is not catastrophic
Token Approval Management
Revoke.cash: Connect any Ethereum/EVM wallet; see all outstanding approvals; revoke with one transaction.
Permit2 (Uniswap): Modern approval standard allowing single-transaction approvals that auto-expire. Supported by Uniswap V4, 1inch, and other protocols. Requires one Permit2 “master approval” per token (gas cost), then individual signatures per trade expire automatically.
Etherscan Token Approvals: Alternative to Revoke.cash; built into Etherscan’s interface.
Recommended audit frequency: Monthly for active DeFi users; quarterly for passive holders.
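To make the approval-draining scenario from Attack Vector 2 and the audit/revoke routine described here concrete, an added example that is not part of the original entry: a constructed in-memory model of ERC-20 allowance semantics (not a real contract or any project's code) run three ways, with the "infinite" approval, with an exact-amount approval, and with the approval revoked after an audit. Names such as alice, dex and thief are placeholders.

```python
MAX_UINT256 = 2**256 - 1   # the "infinite" allowance a DEX front-end asks for by default

class Token:
    """Constructed in-memory model of ERC-20 balances and allowances (not a real contract)."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}            # (owner, spender) -> amount still spendable

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        """ERC-20 rule: caller needs allowance >= amount; an infinite allowance is never decremented."""
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != MAX_UINT256:
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

def outstanding_approvals(token, owner):
    """What a Revoke.cash-style audit lists: every spender still holding a nonzero allowance."""
    return {s: a for (o, s), a in token.allowance.items() if o == owner and a > 0}

def revoke(token, owner, spender):
    token.approve(owner, spender, 0)   # revocation is just approve(spender, 0)

def scenario():
    """Run the page's scenario three ways; report whether the later drain attempt succeeds."""
    results = {}
    for case in ("infinite", "exact", "revoked"):
        usdc = Token({"alice": 10_000})
        usdc.approve("alice", "dex", 500 if case == "exact" else MAX_UINT256)
        usdc.transfer_from("dex", "alice", "pool", 500)     # the swap alice actually intended
        if case == "revoked":
            revoke(usdc, "alice", "dex")                     # audit found the stale approval
        # Later the DEX contract is compromised; whoever controls it reuses alice's allowance.
        results[case] = usdc.transfer_from("dex", "alice", "thief", usdc.balances["alice"])
    return results
```

Only the "infinite" case lets the compromised spender move the remaining balance; the exact-amount approval was consumed by the swap, and the revoked one no longer exists.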