You have no doubt heard about Web3. The next generation of the internet is an open, permissionless, privacy-focused, user-owned network of services based on blockchain and other decentralised technologies.
Web3 operates on a completely different model to Web2, which is run and owned by corporate behemoths like Facebook and Google. The decentralised paradigm puts users in full control and cuts out the middlemen who hold so much power.
But these differences also bring significant challenges, especially for those who are used to the norm of hosted services, and to relying on companies that can intervene (and interfere) at any point. In the Web3 world, the user is solely responsible for their own data – including the data that controls the crypto tokens that hold value in the Web3 world. Because it’s decentralised, there is no authority that has access to your account and can reset your password or reverse transactions made in error.
The differences between Web2 and Web3 have also provided opportunities to scammers, who seek to exploit users’ lack of familiarity with these new technologies. The properties that arise from decentralisation can cut both ways: they offer enormous advantages, but also open areas of risk if they are not fully understood. Follow these five principles to keep your crypto safe when using Web3.
1. Keep Your Private Keys Private
Private keys are the access-all-areas pass to your crypto. These are the long strings of characters that act as a super-complicated password, allowing you to make transactions from your wallet. Without them, you can’t do anything. With them, you have full control over your crypto – but so does anyone else who knows them.
Ultimately, this is what almost every piece of security advice comes down to: keep your keys safe. When you set up a new Web3 wallet, you’ll typically generate a Seed – a list of words that acts as a master password, and from which any number of private keys and crypto addresses can be created. You should back this up safely, and not allow anyone else to have access to it. Don’t enter it into any websites, since this is a common way scammers try to learn your seed. Only use it with the official wallet, like MetaMask.
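To make concrete why the seed phrase is the master secret, here is an added example (not code from the article or from any wallet project) that implements the standard BIP39 seed stretching and the hardened part of BIP32 key derivation in plain Python. It assumes a MetaMask-style BIP39/BIP32 wallet, covers only hardened path steps (non-hardened steps need secp256k1 point arithmetic), does not validate the mnemonic checksum, and uses the well-known all-zero-entropy test mnemonic as constructed input.

```python
import hashlib
import hmac
import unicodedata
from typing import List, Tuple

# Order of the secp256k1 group; BIP32 reduces derived private keys modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase -> 64-byte seed."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with 'Bitcoin seed' -> (master private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def hardened_child(k_par: bytes, c_par: bytes, index: int) -> Tuple[bytes, bytes]:
    """BIP32 hardened child: I = HMAC(chain, 0x00 || k_par || index'), child = (IL + k_par) mod n."""
    data = b"\x00" + k_par + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    k_child = (int.from_bytes(digest[:32], "big") + int.from_bytes(k_par, "big")) % SECP256K1_N
    return k_child.to_bytes(32, "big"), digest[32:]


def derive_hardened_path(mnemonic: str, passphrase: str, indexes: List[int]) -> bytes:
    """Walk a purely hardened path such as m/44'/60'/0' and return that node's private key."""
    k, c = master_key(mnemonic_to_seed(mnemonic, passphrase))
    for index in indexes:
        k, c = hardened_child(k, c, index)
    return k


# Constructed demo input: the zero-entropy BIP39 test mnemonic. Never use it for real funds.
DEMO_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    node = derive_hardened_path(DEMO_MNEMONIC, "", [44, 60, 0])
    again = derive_hardened_path(DEMO_MNEMONIC, "", [44, 60, 0])
    other = derive_hardened_path(DEMO_MNEMONIC, "extra passphrase", [44, 60, 0])
    print("same words give the same key:", node == again)
    print("a passphrase changes every derived key:", node != other)
```

Anyone holding the same words (and passphrase, if one is set) recomputes exactly the same keys, which is why the words must never be typed into a website.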
In some cases, where you’re using exchanges or certain kinds of wallet, you’ll have a username and password. Keep these just as safe as your seed, and if you have the option of using two-factor authentication, take it. 2FA makes life exponentially harder for hackers.
2. Be Careful With Links
If you’re careful, you’ll never knowingly put your seed phrase at risk. But there are plenty of scammers who are on a mission to trick you into unknowingly parting with it.
One of the standard tactics is to create a replica of a popular site, like OpenSea or a crypto exchange, and get people to connect to it or log in using their regular details. While it might look like the legitimate site (and will have a very similar URL), the fake version will behave differently, and any purchases you try to make or crypto you try to deposit will be lost to the scammers. Alternatively, the site or link may expose you to malware which gives the hacker access to your computer or wallet.
The scammers may try to get you to visit a site offering some kind of ‘opportunity’ via a DM on Discord or Telegram; you might receive unexpected emails with a link; in some cases, the site might even turn up in Google’s search results.
Never click on links to sites you receive in this way. If you want to visit a site you already know, enter the name directly into the URL bar, and ideally bookmark it. Additionally, never connect with MetaMask to a site you don’t know or trust. It’s quite possible it will prompt you to confirm transactions that will give it access to your NFTs and crypto.
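The transactions an unknown site asks you to confirm are usually token approvals. As an added example (not the article's or MetaMask's code), the following Python function decodes the calldata of a pending transaction and flags the two standard approval calls. It assumes the standard ERC-20/ERC-721/ERC-1155 function selectors and uses constructed, not real, transactions as input.

```python
# Standard function selectors: the first 4 bytes of keccak256 of the canonical signature.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance or ERC-721 single-token approval
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155: operator may move every token
}
UINT256_MAX = (1 << 256) - 1


def _word(args: str, n: int) -> str:
    """Return the n-th 32-byte ABI word of the argument area as hex (zero-padded if truncated)."""
    return args[64 * n:64 * (n + 1)].ljust(64, "0")


def classify_calldata(data: str) -> dict:
    """Explain what signing a transaction carrying this calldata would grant to the counterparty."""
    hexdata = data[2:] if data.lower().startswith("0x") else data
    if len(hexdata) < 8:
        return {"risk": "low", "summary": "no contract call (plain value transfer)"}
    selector = hexdata[:8].lower()
    args = hexdata[8:]
    sig = APPROVAL_SELECTORS.get(selector)
    if sig is None:
        return {"risk": "review", "selector": selector, "summary": "contract call; not an approval"}
    # An address occupies the low 20 bytes of its 32-byte ABI word.
    counterparty = "0x" + _word(args, 0)[24:]
    value = int(_word(args, 1), 16)
    if sig.startswith("setApprovalForAll"):
        if value == 1:
            return {"risk": "high", "operator": counterparty,
                    "summary": "grants the operator control over ALL tokens in this collection"}
        return {"risk": "low", "operator": counterparty, "summary": "revokes operator approval"}
    if value == UINT256_MAX:
        return {"risk": "high", "spender": counterparty,
                "summary": "unlimited ERC-20 allowance: the spender can drain the whole balance"}
    return {"risk": "medium", "spender": counterparty, "value": value,
            "summary": "approval of a specific amount or token id"}


# Constructed examples (not real transactions): a site asking for unlimited ERC-20 spend
# and for operator rights over an entire NFT collection.
EXAMPLE_SPENDER = "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + EXAMPLE_SPENDER + "ff" * 32
OPERATOR_FOR_ALL = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    for calldata in (UNLIMITED_APPROVE, OPERATOR_FOR_ALL, "0x"):
        print(classify_calldata(calldata))
```

A wallet that already holds an approval like these cannot protect you afterwards, so the moment to read the request is before you click confirm.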
3. Do Your Due Diligence
While there are plenty of legitimate projects, a large percentage of what you see will fail in one way or another. Some will be outright ‘rug pulls’ – scams where a team collects money for a promising-sounding initiative, and then disappears. Others will fail because the team is unqualified or has over-promised and cannot deliver on their aims.
When you learn about an interesting new project, spend some time researching the team and their background – what they’ve worked on before, what experience they have in DeFi, whether they are public or anonymous, and so on. (Anonymity doesn’t have to be a deal-breaker, but it does make it easier to disappear at short notice.)
If you use Discord or Telegram, it’s likely that you’ll get unsolicited messages inviting you to join new projects. Needless to say, check these out very carefully before you part with any crypto. Know, too, that scammers will often pose as team members to gain your trust. No legitimate team member of a respectable project will DM you first. If you need help or to communicate with them, you will always be expected to message them first. Make sure it’s the right user ID. Team members will never ask you for crypto.
4. “Free” Giveaways Can Be Very Expensive
Airdrops have become a popular part of crypto culture, with new DeFi projects often giving away tranches of tokens to community members. Unfortunately, the normalised expectation that founders will voluntarily part with valuable tokens in the interests of marketing and awareness has led to a slew of new scams in the NFT world.
These unexpected airdropped NFTs often have high offers on them on various marketplaces, inducing owners to try to sell them quickly and without due care. Sometimes they might lead you to a fake site. Some users have even reported that, when they try to take advantage of lucrative bids on OpenSea, a malicious script empties their wallet. The plausibility of this has been disputed by security experts, but there’s no question about the broad principle: if you receive a ‘valuable’ airdropped NFT that you weren't expecting, or that wasn't announced by a project you're already involved in, there’s a high chance it's a scam of some kind. Be very cautious where these NFTs might lead you if you want to cash in on your apparent new-found wealth.
5. Keep A Cold Wallet
Cold wallets are the ultimate in crypto security. Hot wallets are wallets that are connected to the web, like a regular MetaMask wallet. They’re great for everyday use because they’re fast and convenient. And they’re generally pretty safe, so long as you’re careful to keep your seed phrase safe. But it’s best not to keep large amounts of crypto or valuable NFTs on them.
Cold wallets are crypto wallets that are not connected to the internet, and ideally never have been. You can generate a new seed phrase on an offline computer, create new addresses, and transfer crypto to these new ‘air-gapped’ accounts. Alternatively, you can use a hardware wallet like a Ledger or Trezor, which is extremely secure and considerably more user-friendly than an offline computer when you want to make transfers from it. They are well worth the investment.