How to Secure Your Crypto Holdings — Step by Step
By Thomas Løvaslokøy — NorwegianSpark SA | Last updated: 2026-06-03
This article contains affiliate links. We may earn a commission at no extra cost to you.
Step 1 — Move Holdings Off Exchange
Exchanges are the highest-risk storage location. They are centralised targets for hackers. They can freeze withdrawals. They can go bankrupt (FTX, Celsius, QuadrigaCX).
The rule: only keep on an exchange what you are actively trading. Everything else belongs in self-custody.
Set up a self-custody wallet (see our wallet setup tutorial) and withdraw long-term holdings to it.
Step 2 — Write Your Seed Phrase on Paper and Store in Two Locations
Your seed phrase (12 or 24 words) is the master key to your self-custody wallet. If you lose it, your funds are permanently inaccessible. If someone finds it, your funds are gone.
- Write it on paper only — never digital
Step 3 — Enable 2FA on All Exchange Accounts
Two-factor authentication (2FA) keeps an attacker out of your account even if your password is stolen.
Use an authenticator app (Google Authenticator or Authy) — not SMS. SMS 2FA is vulnerable to SIM-swapping, where attackers convince your phone carrier to transfer your number to their SIM, then intercept your 2FA codes.
Go to your exchange security settings → enable 2FA → scan the QR code with your authenticator app → save the backup codes as a printed paper copy.
Do this on every exchange account you use.
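To show why authenticator codes are out of reach of a SIM swap, the following added example (not code from this article or from any exchange) computes them the way RFC 6238 specifies: from the secret in the QR code plus the current time, entirely on the device, with nothing sent through the phone carrier. The enrolment URI, issuer and account name are constructed; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of the otpauth:// URI an enrolment QR code encodes.
# Secret = RFC 6238 test key in base32; issuer and account are made up.
SAMPLE_QR_URI = (
    "otpauth://totp/ExampleExchange:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleExchange&digits=6&period=30"
)

def parse_enrolment_uri(uri):
    """Return (secret_bytes, digits, period) from an otpauth:// URI."""
    query = parse_qs(urlparse(uri).query)
    secret = base64.b32decode(query["secret"][0].upper())
    digits = int(query.get("digits", ["6"])[0])
    period = int(query.get("period", ["30"])[0])
    return secret, digits, period

def totp(secret, at_time, digits=6, period=30):
    """RFC 6238 TOTP using HMAC-SHA1, the RFC's default algorithm."""
    counter = struct.pack(">Q", int(at_time) // period)   # time step number
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret, submitted, at_time, digits=6, period=30, drift_steps=1):
    """Server-side check: accept codes within +/- drift_steps time steps."""
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        t = max(0, at_time + step * period)
        expected = totp(secret, t, digits, period)
        # Constant-time comparison; no early exit, so timing leaks nothing.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

if __name__ == "__main__":
    secret, digits, period = parse_enrolment_uri(SAMPLE_QR_URI)
    now = time.time()
    code = totp(secret, now, digits, period)
    print("current code:", code, "accepted:", verify(secret, code, now, digits, period))
```

Because the secret in the QR code is all that is needed to produce valid codes, the QR code and the backup codes deserve the same care as the password itself.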
Step 4 — Use a Unique Strong Password on Every Platform
Reusing passwords is the single most exploited security vulnerability. If one platform you use is breached, attackers try the same credentials on every other platform.
Use NordPass (or an equivalent password manager) to generate and store unique strong passwords for every account. A strong password is 16+ characters, random, and unique — not a variation of a memorable phrase.
Never use your exchange password for any other account.
Step 5 — Use a VPN on Public WiFi
Public WiFi networks (cafes, airports, hotels) can expose your internet traffic to anyone on the same network. A VPN encrypts the traffic between your device and the VPN server, so other users of that network cannot intercept it.
NordVPN is our recommended option — fast, reliable, and audited by an independent third party. Enable it every time you access crypto accounts on a network you don't control.
At home on your own secured router, a VPN is less critical but still adds a layer of protection.
Step 6 — Remove Your Personal Data From Data Broker Sites
Data brokers collect and sell personal information — your home address, phone number, employer, relatives. This information is used by attackers to impersonate you in SIM-swapping attacks and social engineering.
MyDataRemoval automates the opt-out process from hundreds of data broker databases. This reduces your attack surface significantly, particularly for SIM-swapping — where attackers need personal information to convince your carrier to transfer your number.
Step 7 — Enable Withdrawal Whitelist on Exchanges
Most exchanges offer a withdrawal whitelist feature — only pre-approved wallet addresses can receive withdrawals from your account, even if an attacker gets in.
Go to your exchange security settings → find withdrawal address whitelist or address management → add your wallet addresses → enable the whitelist.
After enabling, new addresses are typically subject to a 24-48 hour waiting period before they can receive withdrawals. This gives you time to react if an unauthorised address is added.
Final check: update all software regularly (OS, browser, exchange apps). Outdated software is the most common vector for malware that targets crypto accounts.
Content on AICryptoCoin is for informational purposes only and does not constitute financial advice. Always do your own research and consult a qualified financial advisor before making investment decisions.