Security for Traders: How to Not Lose Everything to a Hack
Crypto security failures wipe out years of trading gains in minutes. The basics, done well, protect against most realistic attacks. The basics aren't optional.
Security in crypto isn't theoretical. People lose everything regularly to hacks, phishing, and operational mistakes, and the losses are almost never from exotic attacks; they come from missing the basics. The basics aren't glamorous, but they aren't optional either.
The threats that actually happen
Realistic attack vectors:
1. Phishing. Fake login pages that capture your credentials. "Your exchange account needs verification" emails linking to a fake site. By far the most common successful attack against retail.
2. Malware. Software on your device that captures keystrokes, copies wallet files, or modifies clipboard contents (replacing addresses you copy with attacker addresses). Common when people install untrusted software. Compare the whole pasted address against the source before sending, not just the first and last few characters: clipboard malware can swap in a vanity address generated to match exactly those.
3. SIM swapping. Attacker convinces your phone carrier to transfer your number to their device. They then receive your 2FA SMS codes and reset accounts. Targets people with publicly visible crypto wealth.
4. Compromised seed phrases. Seed phrase stored where someone (a thief, a tech person doing repairs, a vindictive ex) can find it. Any seed phrase exposure is total compromise.
5. Malicious dApps and contracts. You connect your wallet to a dApp that has malicious code. The dApp drains your wallet via approval exploits or direct theft.
6. Exchange hacks / failures. Mt. Gox (2014), QuadrigaCX (2019), FTX (2022). The exchange itself fails, taking customer funds with it. The mechanism differs from an individual hack, but the result is the same: your assets become inaccessible.
7. Wallet drainer scripts. Browser extensions or compromised wallet software that signs transactions you didn't intend.
8. Social engineering. Attacker manipulates you (or someone in your life) into giving them access. "I'm from exchange support; please verify..."
These are the actual attack vectors. Sophisticated exotic attacks happen but most losses are from the basics being missed.
The security basics
Done well, these prevent most realistic attacks:
1. Hardware wallet for self-custody. Ledger, Trezor, or similar. Private keys never leave the device. Even if your computer is compromised, the attacker can't sign transactions without physical access to the hardware wallet. The device can only protect what you refuse to sign, though: a compromised computer can still present you with a malicious transaction, which is why verifying the details on the device screen (point 7 below) matters.
For any meaningful self-custody, hardware wallet is non-negotiable.
2. Strong unique passwords. Different password for every service. Long random strings (use a password manager). The exchange password should not be reused anywhere else.
3. 2FA on everything (with care). Two-factor authentication for all crypto accounts. Use authenticator apps (Authy, Google Authenticator) or hardware security keys (YubiKey), not SMS, which is vulnerable to SIM swapping.
For high-value accounts, a hardware security key (YubiKey or another FIDO2/WebAuthn key) is strongest: its response is bound to the real site's origin, so a phishing page can't relay it the way it can relay a typed authenticator code.
4. Withdrawal whitelisting. Most exchanges can restrict withdrawals to a list of addresses you've registered in advance. Adding a new address requires email confirmation and a waiting period (typically 24 to 48 hours, depending on the exchange) before it becomes usable. Even if your account is compromised, the attacker can't withdraw to an address they control without first adding it, which triggers the delay and a notification you will see.
This single feature has stopped withdrawals from many compromised accounts. Set it up, and check whether your exchange can also time-lock disabling the whitelist itself; an attacker who can switch it off instantly gets nothing from the delay.
5. Email account protection. Your email is the password reset gateway for everything. Strong password + 2FA on email is more critical than any individual exchange. A compromised email = compromised everything.
Use a dedicated email for crypto, not your normal email that's posted publicly.
6. Seed phrase storage. Seed phrases on paper (or metal) in a safe physical location. Never digital, never photographed, never in cloud storage, never typed into anything except the hardware wallet itself during recovery.
For larger holdings, consider geographic distribution (multiple copies in different physical locations) or Shamir's Secret Sharing, where the phrase is split into N shares of which any M recover it and fewer than M reveal nothing (SLIP-39 is the standard that some hardware wallets implement on-device). Plain copies multiply the places where a thief can find the whole secret; shares don't.
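What Shamir's Secret Sharing actually buys you, as an added example that is not from the page or any wallet vendor: a 2-of-3 or 3-of-5 split over a prime field, recovery from any threshold-sized subset of shares, and a check that a single share is consistent with every possible secret (so one share leaks nothing). The 128-bit `ENTROPY` value is constructed for the example; the prime 2^521-1 is an assumption of the example, chosen because it holds any BIP-39 entropy. This illustrates the math only: for a real seed, use SLIP-39 on the hardware wallet itself, and never type the phrase into a general-purpose computer, per point 6 above.

```python
import secrets

# Field prime for the example: the Mersenne prime 2^521 - 1, large enough to hold 128- or 256-bit entropy.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, threshold: int, shares: int):
    """Hide `secret` as the constant term of a random degree-(threshold-1) polynomial
    and hand out one point (x, f(x)) per share. Any `threshold` points fix the polynomial."""
    if not 0 <= secret < P or not 1 < threshold <= shares:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over any `threshold` distinct shares gives back f(0) = secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def single_share_fits(share, guess: int) -> bool:
    """For a 2-of-N split: for ANY guessed secret there is a slope a1 that makes the line pass
    through the one share you hold, so that share is consistent with every secret and leaks nothing.
    A plain duplicate copy of a seed phrase has no such property."""
    x, y = share
    a1 = (y - guess) * pow(x, -1, P) % P
    return _eval_poly([guess, a1], x) == y


if __name__ == "__main__":
    # Constructed 128-bit entropy standing in for a 12-word seed; not a real wallet.
    ENTROPY = 0x0123456789ABCDEF0123456789ABCDEF
    three = split_secret(ENTROPY, 2, 3)            # 2-of-3: any two locations recover it
    print(recover_secret([three[0], three[2]]) == ENTROPY)
    print(single_share_fits(three[1], 0xDEADBEEF))  # a thief with one share can't rule anything out
    five = split_secret(ENTROPY, 3, 5)             # 3-of-5: lose two locations and still recover
    print(recover_secret([five[0], five[2], five[4]]) == ENTROPY)
```

The threshold is the security parameter: with M-of-N, losing up to N-M shares is survivable, and a thief needs M distinct locations. Choose M so that a single burglary or a single flood cannot reach M shares.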
7. Verify before signing. For any transaction signing (especially DeFi interactions), verify what you're signing. Hardware wallets show transaction details on the device itself; verify before pressing approve.
8. Limit dApp approvals. When you give a dApp permission to spend your tokens, you're trusting that dApp's contract. Old approvals to defunct or compromised dApps are ongoing risk. Periodically revoke unused approvals (via Etherscan token approval checker, Revoke.cash).
These are the basics. Done well, they prevent most realistic attacks.
A common mistake: 2FA via SMS
A trader uses SMS 2FA. Their phone number is SIM-swapped (the attacker convinces the carrier to port the number). The attacker receives the 2FA codes, resets account passwords, and drains funds.
The fix: authenticator apps or hardware tokens for 2FA. SMS is the weakest 2FA option and should be treated as no 2FA for high-value accounts. Most exchanges support TOTP (authenticator apps); use that.
A common mistake: seed phrase in cloud / password manager
A trader stores their seed phrase in a password manager "for convenience." The password manager is breached (it happens; in LastPass's 2022 breach, encrypted customer vault backups were stolen). The seed phrase is exposed; the wallet is drained.
The fix: seed phrase on physical paper or metal, never digital. The inconvenience is real but the alternative is worse. Digital storage of seed phrases (cloud drive, notes app, password manager, photo roll) is among the most common paths to total loss.
A common mistake: clicking links in emails
A trader receives an email "from Coinbase" about account verification. They click the link, log in to the (fake) page, enter their 2FA code. Attacker has both their password and a 2FA code window.
The fix: never click links in security-related emails. Always navigate to exchanges directly via a typed URL or a saved bookmark. Phishing pages can look identical to real ones; the URL is the only reliable identifier, and the usual tricks are a brand name placed in front of an unrelated domain (so the real name appears, but only as a subdomain of something else), a lookalike domain, or a non-Latin character substituted into the name. A FIDO2 security key is the one 2FA factor this attack can't relay, because its response is tied to the real site's origin.
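A check that does what "read the URL" means in practice, as an added example that is not part of the page: it takes a link and reports why it should not receive a password. The allowlist `TRUSTED_DOMAINS`, the hostnames in the usage, and the two-label registrable-domain rule are assumptions of the example (a production check would consult the Public Suffix List); it is written to demonstrate the three tricks named above rather than any one real phishing campaign.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the registrable domains this trader actually uses.
TRUSTED_DOMAINS = {"coinbase.com", "kraken.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label public suffixes such as co.uk;
    a production check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', []) or ('suspicious', [reasons]) for a link, before anyone types a password into it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username or parts.password:
        # https://coinbase.com@evil.example/ reads as coinbase.com to a hurried eye; the host is evil.example.
        reasons.append("credentials in URL (userinfo trick)")
    if not host:
        reasons.append("no hostname")
        return "suspicious", reasons

    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
        reasons.append("hostname cannot be IDNA-encoded")
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        # A non-ASCII label (e.g. Cyrillic 'a' in place of Latin 'a') encodes as xn--...: a homograph.
        reasons.append("punycode label (possible homograph)")

    domain = registrable_domain(ascii_host)
    if domain not in trusted:
        # Catches brand.com.something-else.net: the brand is only a subdomain of an attacker's domain.
        reasons.append(f"registrable domain {domain!r} is not in the allowlist")

    return ("trusted" if not reasons else "suspicious", reasons)


if __name__ == "__main__":
    # Hypothetical links, constructed for the example.
    for link in (
        "https://www.coinbase.com/signin",
        "https://coinbase.com.account-verify.net/login",
        "https://coinbase.com@evil.example/login",
        "https://coinb\u0430se.com/login",        # Cyrillic 'а' (U+0430) in place of Latin 'a'
        "http://www.coinbase.com/login",
    ):
        print(link, "->", classify_url(link))
```

A bookmark is this check done once, by you, on a day you weren't being rushed; the point of "always use the bookmark" is that you never have to run it under pressure.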
A common mistake: signing without reading
A trader gets a transaction prompt from a dApp. They click "approve" without reading. The transaction grants unlimited token-spending approval to the dApp. The dApp drains their tokens.
The fix: read every approval prompt. Limited approvals (only the amount needed for the current trade) are safer than unlimited approvals. For unfamiliar dApps, be especially cautious about approval scope. Remember that an approval is not a transfer: it grants the spender contract the right to move your tokens later, so the drain can happen long after you've closed the tab.
A common mistake: connecting wallet to suspicious sites
A trader connects their wallet to a new dApp they saw on Twitter. The dApp is a phishing site. They sign a transaction that appears to be a swap but is actually a transfer of their tokens.
The fix: only connect wallets to verified, well-established dApps. For new sites, use a separate "hot" wallet with minimal funds, never your primary wallet. The primary wallet should only connect to a small set of long-trusted dApps.
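The prompts from the last two mistakes (an unlimited approval, a limited approval, and a "swap" that is really a transfer), decoded the way a wallet should show them, as an added example that is not the page's or Hex37's code. The function selectors are the standard ERC-20/ERC-721 ones; the spender and recipient addresses and the amounts are constructed for the example. It covers points 7 and 8 of the basics above as well: decode first, then compare against what you meant to do.

```python
from typing import Optional

UNLIMITED = 2**256 - 1

# 4-byte function selectors (first 4 bytes of keccak256 of the signature) from the ERC-20 / ERC-721 standards.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "39509351": ("increaseAllowance", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}


def encode_call(selector: str, *args) -> str:
    """Build calldata the way a wallet receives it: selector, then each argument as a 32-byte word.
    Used here only to construct sample prompts; in real life the dApp supplies this."""
    words = []
    for a in args:
        value = int(a, 16) if isinstance(a, str) else int(a)
        words.append(value.to_bytes(32, "big"))
    return "0x" + selector + b"".join(words).hex()


def decode_call(calldata: str):
    """Split calldata into (function name, decoded args); unknown selectors decode to ('unknown', [])."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    name, types = SELECTORS.get(data[:4].hex(), ("unknown", ()))
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        if len(word) != 32:
            raise ValueError("truncated calldata")
        if typ == "address":
            args.append("0x" + word[12:].hex())   # addresses are right-aligned in the 32-byte word
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args


def assess(calldata: str, expected_spender: Optional[str] = None, expected_amount: Optional[int] = None):
    """Decode a prompt and return (function, args, warnings). Empty warnings = matches what you meant to do."""
    name, args = decode_call(calldata)
    warnings = []
    if name == "unknown":
        warnings.append("unrecognized selector: do not sign what you cannot decode")
    elif name in ("approve", "increaseAllowance"):
        spender, amount = args
        if amount == UNLIMITED:
            warnings.append("unlimited approval: spender can move every token you hold, now or later")
        if expected_amount is not None and amount > expected_amount:
            warnings.append(f"approval {amount} exceeds the {expected_amount} needed for this trade")
        if expected_spender is not None and spender != expected_spender.lower():
            warnings.append(f"spender {spender} is not the contract you intended")
    elif name in ("transfer", "transferFrom"):
        warnings.append("this is a token TRANSFER, not a swap: tokens leave your wallet immediately")
    elif name == "setApprovalForAll" and args[1]:
        warnings.append("operator approval over EVERY NFT in this collection")
    return name, args, warnings


if __name__ == "__main__":
    # Constructed addresses for the example: a router you meant to use and an attacker-controlled one.
    ROUTER = "0x" + "11" * 20
    ATTACKER = "0x" + "22" * 20
    trade = 1000 * 10**18                                   # 1000 tokens with 18 decimals
    print(assess(encode_call("095ea7b3", ROUTER, UNLIMITED), ROUTER, trade))   # unlimited: warns
    print(assess(encode_call("095ea7b3", ROUTER, trade), ROUTER, trade))       # limited: clean
    print(assess(encode_call("a9059cbb", ATTACKER, 5 * 10**18)))               # "swap" that is a transfer
```

The same decoding is what a hardware wallet's screen gives you for free when the firmware understands the contract; when it shows only a raw hex blob, that is blind signing, and the answer is to reject until you can decode it.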
A common mistake: keeping everything on exchanges
A trader keeps their entire crypto net worth on exchanges. The exchange fails (FTX, etc.). They lose everything.
The fix: self-custody for funds you're not actively trading. Keep on exchanges only what you need for active positions plus a working buffer. Move everything else to a hardware-wallet-secured self-custody address.
A common mistake: using public WiFi for trading
A trader uses public WiFi (coffee shop, hotel) for trading. The network is hostile: a rogue access point or captive portal redirects them to a lookalike login page, or they click through a certificate warning and their session is intercepted.
The fix: avoid trading on public WiFi. If you must, use a reputable VPN and never click through a browser certificate warning; TLS is what keeps the session private on a network you don't control. For high-value actions (withdrawals, large trades), wait until you're on a trusted network.
A common mistake: mixing personal and crypto identities
A trader uses the same email and personal info for crypto accounts as for everything else. Their crypto holdings become guessable / discoverable / targetable.
The fix: separate crypto identity from personal. Different email. Different name handles. Don't publicly disclose holdings sizes. The lower your public profile, the less you're targeted.
A common mistake: not testing recovery
A trader has a hardware wallet. They've never tested recovery. The wallet eventually fails. They try to recover with the seed phrase; something doesn't work; they're locked out.
The fix: test recovery on setup. Restore the seed phrase to a different device (or to the same device after a factory reset) and confirm it produces the same receiving address you recorded from the original. The test gives confidence; if it fails, you discover the problem before it matters. If you use a BIP-39 passphrase, the test has to include it, since the same words with a different passphrase produce a different wallet.
The threat model framework
For any security decision, ask:
1. What am I protecting? The size and importance of the assets at risk determines how much security investment is justified.
2. Who might attack? Random opportunistic attackers (phishing, malware) vs targeted attackers (someone who knows your crypto holdings). Different threats need different defenses.
3. What's the realistic attack surface? Where could attackers reach you? Email, SMS, web browser, dApps, etc. Each surface needs its own defense.
4. What's the cost of each defense? Hardware wallet: ~$80. Annual password manager: ~$50. 2FA app: free. Seed phrase metal storage: ~$50. The basics together cost a few hundred dollars and prevent most attacks.
5. What's the cost of failure? For most retail with meaningful crypto holdings, total loss is the failure cost. The basics are incredibly cheap relative to the protection provided.
The threat model framework keeps you focused on the right defenses for your specific situation.
Mental model: security as insurance you can't buy
For most assets, you can buy insurance. Lose your phone? AppleCare. Car gets stolen? Auto insurance. House burns down? Homeowner's insurance.
Crypto has no insurance market for retail. If you lose your funds (hack, phishing, lost seed phrase), nobody compensates you. The loss is permanent.
This makes prevention much more important than for other asset classes. The basics aren't optional, they're the only insurance available.
Why this matters for trading
You can be the best trader in the world; if you lose everything to a phishing attack or malware, your trading skill doesn't matter. Security is the necessary precondition for trading mattering. Hex37's platform-side security handles parts of this; your client-side security (wallet protection, phishing awareness, 2FA hygiene) is what completes the picture. The basics done well prevent most realistic attacks.
Takeaway
Most crypto losses are from missing the basics, not from exotic attacks. Use hardware wallets for self-custody. Strong unique passwords. 2FA via authenticator apps (not SMS). Withdrawal whitelisting. Strong protected email. Seed phrases on physical paper/metal, never digital. Verify before signing. Limit dApp approvals. Don't click email links. Don't connect to suspicious dApps. Don't keep everything on exchanges. Avoid public WiFi for trading. Separate crypto from personal identity. Test recovery. The basics cost a few hundred dollars total and prevent most attacks. Security isn't optional, it's the precondition for trading mattering.
Related chapters
- Execution Systems: API Trading Introduction: How to Connect Code to Exchanges Safely. Trading via API unlocks automation, custom analytics, and faster execution. The setup has specific safety requirements that protect you from the worst failure modes.
- Execution Systems: Redundancy and Failover: Surviving the Outages That Eventually Happen. Every system fails eventually. Trading systems that survive failures keep operating; ones that don't survive lose money on every outage. Designing for failure is what separates the two.