Violent kidnappings, hacks and data breaches have dominated crypto headlines in recent months. In March, a North Korean hacking group known as Lazarus Group swiped $1.5 billion worth of tokens from Dubai-based crypto exchange Bybit in the largest heist in crypto history. Since January, criminals have successfully lifted more than $2.17 billion in crypto assets, according to a report published by blockchain forensics firm Chainalysis based in New York City. But often overlooked and unaccounted for are the smaller, more frequent attacks targeting ordinary users.
According to Chainalysis data, the recent flurry of crypto attacks dovetails with the rising price of bitcoin, which recently traded as high as $120,000 and is up more than 90% in the last 12 months. “The motivator is the price signal, or the volume of wealth that is thought to be there,” says a company spokesperson, who asked to remain anonymous given the subject matter. With hundreds of tokens, from solana to dogecoin, trading at lofty values totaling $4 trillion, the crypto industry presents a ripe opportunity for bad actors. If the trend continues, researchers predict that losses could total $4 billion by year’s end.
The decentralized, immutable and largely anonymous nature of blockchain transactions makes stolen funds notoriously difficult to recover – producing an enticing risk-reward ratio for criminals, says Rishi Baviskar, global head of cyber risk consulting at Allianz in London.
Though security loopholes at crypto exchanges are sometimes exploited by criminals, personal wallet compromises account for a growing proportion of theft within the industry. “You can make one tiny mistake and your money is irretrievably gone,” says Riad Wahby, the CEO of digital security firm Cubist, headquartered in San Diego, and a computer engineering professor at Carnegie Mellon University.
Wallet protection and key management are two of the most vulnerable areas, says Jim Reavis, a blockchain security expert and the co-founder and CEO of Seattle-based nonprofit Cloud Security Alliance. He recommends people use a hardware wallet, a physical device often compared to a USB drive that secures crypto keys offline. These private keys, made up of a secret assortment of letters and numbers, can be thought of as a password to gatekeep your crypto funds. Though cold storage methods require a certain degree of technical acumen, he says that self-custody using wallets from manufacturers such as Ledger and Trezor can “mitigate some of the backdoors people might find on the different exchanges.”
Another option for investors seeking safe and indirect exposure to crypto assets might be to buy ETFs via brokerages like Fidelity, Robinhood and Schwab, Reavis says. There are now dozens of crypto funds available, though mostly tracking bitcoin and ether, the two largest cryptocurrencies. The largest is BlackRock’s iShares Bitcoin ETF (IBIT) with more than $80 billion in assets, but there is a host of new ether-based funds including Fidelity’s Ethereum Fund (FETH) which has about $2.5 billion in assets. These regulated investment vehicles allow investors to benefit from the financial upside of the asset without inheriting as much risk or needing to worry about custody issues.
The other option would be to turn to platforms like Coinbase, Robinhood and Kraken for a more conventional “bank-like” experience requiring a standard login and password to access and transfer assets. Though exchanges can be vulnerable to hacks, reputable ones will generally have decent safety protocols and incident responses. Nonetheless, even on these generally safe platforms, Wahby cautions that “it’s still super easy to be tricked into doing the wrong stuff.” In May, Coinbase reported a $400 million data breach in which hackers stole personal information belonging to tens of thousands of Coinbase users by convincing customer service agents to share confidential records.
Users should also be on the lookout for common crypto scams. Address poisoning attacks, wherein scammers will use lookalike wallet addresses to deceive users out of their funds, are becoming more prevalent, according to Baviskar. Moreover, shady websites that carry malware can put your private keys at risk.
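An added example, not part of the original article: a pre-send check that flags a recipient address whose leading and trailing characters match an address-book entry while the middle differs, which is what makes a lookalike address hard to spot at a glance. It assumes Ethereum-style 20-byte hex addresses; the function names, the four-character thresholds and every address shown are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample values, not real wallets.
TRUSTED = "0x" + "a1b2c3d4" + "0" * 24 + "e5f6a7b8"
POISON = "0x" + "a1b2c3" + "9" * 29 + "6a7b8"   # same ends, different middle
ADDRESS_BOOK = {"exchange-deposit": TRUSTED}


def normalize(addr):
    """Validate a 20-byte hex address and drop the 0x prefix and casing."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower()


def shared_affix(a, b):
    """Count matching leading and trailing characters of two equal-length strings."""
    prefix = 0
    while prefix < len(a) and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < len(a) - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def classify(candidate, address_book, min_prefix=4, min_suffix=4):
    """Return ("trusted"|"lookalike"|"unknown", matching label or None)."""
    cand = normalize(candidate)
    verdict = ("unknown", None)
    for label, trusted in address_book.items():
        ref = normalize(trusted)
        if cand == ref:
            return ("trusted", label)       # full 40-character match only
        prefix, suffix = shared_affix(cand, ref)
        if prefix >= min_prefix and suffix >= min_suffix:
            verdict = ("lookalike", label)  # ends match, middle differs
    return verdict


if __name__ == "__main__":
    for addr in (TRUSTED, POISON, "0x" + "f" * 40):
        print(addr, classify(addr, ADDRESS_BOOK))
```

A "lookalike" verdict means the address should be compared character by character against the saved entry before any transfer; only a full match is treated as trusted.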
Overall, Reavis underscores the importance of finding a multi-layered security approach balanced by two often competing interests: a person’s risk tolerance and their need for convenience. For instance, using a smart card such as a YubiKey or Google’s Titan Key for multifactor authentication is advisable from a security point of view, but may rank lower on the convenience scale. The cards, which require a password to operate, hold cryptographic keys that a computer can then read to authenticate a user. Though they’re nearly impossible to compromise, they may not be a pragmatic solution for everyone, such as day traders needing to execute fast transactions.
Other best practices for security include diversifying large asset sums across platforms and never publicly disclosing your crypto holdings.
“The [security] solutions are all out there,” says Reavis. “But it’s always a fight against the convenience people want as well.”
Source: https://www.forbes.com/sites/juliegoldenberg/2025/08/29/crypto-hacks-are-rising-heres-how-to-safeguard-your-digital-assets/