Skip to main content
CryptoRyancy logoCRYPTORYANCY
CryptoRyancy logoCRYPTORYANCY
Subscribe Free

Research · Guides · Income Strategies

Cryptocurrency Guides

Crypto Security Basics: 7 Things I Do to Protect My Portfolio

Crypto Ryan11 min readAffiliate disclosureUpdated: April 2026

This page contains affiliate links. I may earn a commission at no extra cost to you.

The Exchange I Trust for Security

Gemini is SOC 2 audited and NYDFS regulated. It is the exchange I use for long-term holdings.

Try Gemini (SOC 2 Audited) →

I lost money on Celsius Network. Real money, locked on a platform that froze withdrawals in June 2022 and filed for bankruptcy a month later. I watched my holdings become a line item in a creditor distribution spreadsheet.

Open a Gemini account (get up to $200 in BTC) →

That experience changed everything about how I handle crypto security. Not gradually — immediately. Within a week of the Celsius freeze, I had a hardware wallet, a new password manager, and a completely different approach to where my crypto lives and how I access it.

Social engineering fueled over 60% of crypto incidents in 2025, according to AMLBot. Coinbase users alone lost an estimated $65 million to social engineering scams in just two months (December 2024 through January 2025). The Bybit hack in February 2025 — $1.5 billion stolen in a single transfer — was the largest in crypto history. (data via CoinDesk market data)

The threats are real and getting more sophisticated. But the defenses are simple. Here are the 7 things I actually do.

TLDR

  • Use app-based 2FA (Google Authenticator or YubiKey) on every crypto account — never SMS
  • Move long-term holdings to a hardware wallet ($59-179 for peace of mind)
  • Set a SIM PIN with your carrier to block SIM-swap attacks
  • Use unique passwords via a password manager and enable every lock your exchange offers

Why I Take Crypto Security Personally

You can read the full Celsius story on this site. The short version: I trusted a platform with my crypto because it offered yield. They gambled with customer funds, the market turned, and they couldn’t cover withdrawals. I got back pennies on the dollar through bankruptcy proceedings in 2024.

The lesson wasn’t “don’t use yield platforms” (though I’m a lot more careful now). The lesson was: if you don’t control your keys, you don’t control your crypto. That’s not a bumper sticker — it’s a statement about counterparty risk that I now take literally.

Everything below is designed to minimize the ways someone — a hacker, a scammer, or a failing platform — can take my crypto. These aren’t theoretical best practices. They’re what I actually do, every day, after learning the hard way.

1. Use App-Based 2FA on Everything (Never SMS)

If you want to go one step further on your most important accounts, a hardware security key like the YubiKey 5 NFC adds a layer that phishing kits and SIM-swap nonsense have a much harder time getting around.

This is the single most important security step in crypto. If you do nothing else from this list, do this one.

What 2FA does: Two-factor authentication means logging in requires both your password and a temporary code from a second device. Even if someone steals your password, they can’t get in without the second factor.

Why not SMS: SIM-swapping. An attacker calls your phone carrier, convinces them to transfer your number to a new SIM card, and suddenly they’re receiving your text message codes. It’s disturbingly easy — I’ve seen reports of it being done in under 15 minutes. In 2025, SIM-swap attacks remained one of the top vectors for crypto account takeovers.

What to use instead:

  • Google Authenticator or Authy — free apps that generate time-based codes on your phone. Codes change every 30 seconds and only exist on your physical device.
  • YubiKey — a physical hardware key ($25-60) you plug into your computer or tap on your phone. This is the strongest 2FA available. It’s phishing-resistant because it cryptographically verifies the website you’re logging into. A fake Coinbase site can’t trick a YubiKey.

My setup: I use YubiKey on my primary exchange accounts (Kraken and Coinbase) and Google Authenticator as backup. I keep a second YubiKey in a safe as a recovery backup. This costs me about $100 total and protects every crypto account I own.

Set this up today. Open each exchange app, go to security settings, and switch from SMS to authenticator. It takes 5 minutes and it’s the highest-impact security change you can make.

2. Move Long-Term Holdings to a Hardware Wallet

An exchange is for buying and trading. It’s not a savings account. After Celsius, I keep the absolute minimum on exchanges — only what I’m actively trading or using in the near term.

What a hardware wallet does: It stores your private keys on a physical device that never connects to the internet. To send crypto from a hardware wallet, you must physically approve the transaction on the device. Remote hackers can’t reach it.

What it costs:

  • Trezor One: ~$59 — basic, reliable, supports most major cryptos
  • Trezor Model T / Trezor Safe 5: ~$169-179 — touchscreen, broader coin support
  • Ledger Nano S Plus: ~$79 — compact, solid for BTC and ETH
  • Ledger Stax: ~$279 — premium design, e-ink display

For most people, a $59-79 device is plenty. You’re paying for the security of self-custody, not a luxury gadget.

My rule: If I’m not planning to sell it in the next 30 days, it goes to the hardware wallet. My BTC core position (roughly 55% of my crypto allocation) lives entirely on hardware. I only keep trading capital and stablecoin reserves on exchanges.

The setup process is simpler than you think. For a complete walkthrough, see my guide on how to move crypto to cold storage safely.

3. Use a Password Manager with Unique Passwords

If your Coinbase password is the same as your email password, you have a single point of failure. When (not if) one of those services gets breached, every account that shares the password is compromised.

My approach:

  • I use a password manager (1Password, Bitwarden, and LastPass are all fine options) to generate and store unique 20+ character passwords for every account.
  • My exchange passwords are randomly generated — I couldn’t tell you what my Kraken password is if you asked. The password manager knows.
  • My password manager itself is protected by a strong master password I’ve memorized plus YubiKey 2FA.

The math: The Coinbase insider breach in late 2024 exposed data for ~70,000 customers. If any of those customers reused their email password on Coinbase, attackers had everything they needed. A unique password on Coinbase would have limited the damage to data exposure only — not account takeover.

Time to set up: About 30 minutes to install, set up, and change passwords on your 3-4 most critical accounts. Then change the rest gradually over the next week.

4. Learn to Recognize Phishing (It’s Everywhere)

Phishing is the #1 way people lose crypto. Not software exploits. Not blockchain hacks. Plain old fake emails and websites that trick you into entering your real credentials on a fake page.

Common patterns I’ve seen:

  • Fake exchange emails: “Your Coinbase account has been locked. Click here to verify.” The link goes to coinbace.com or coinbase-verify.com — close enough to fool you if you’re not looking.
  • Fake support on social media: Someone DMs you on Discord or Telegram claiming to be Kraken support. Real exchange support will never DM you first.
  • Fake browser bookmarks: You google “Coinbase login” and click an ad that looks like the real site but isn’t. Always type the URL directly or use a bookmark you created yourself.
  • Urgent phone calls: “This is Coinbase security, your account has been compromised, we need you to verify your identity.” Real exchange support doesn’t cold-call you.

My rules:
1. Never click links in emails that claim to be from an exchange. Go directly to the site by typing the URL.
2. Never respond to DMs from “support staff” on any platform.
3. Bookmark your exchange login pages and always use those bookmarks.
4. If something feels urgent, it’s probably a scam. Urgency is the primary tool of social engineers.

5. Set a SIM PIN to Block SIM-Swap Attacks

This takes 5 minutes and blocks one of the most effective attack vectors in crypto. A SIM PIN is a separate numeric code that must be provided before your carrier will make any changes to your account — including transferring your number to a new SIM.

How to set it up:

  • AT&T: Log into your account → Profile → Security → Add SIM PIN
  • Verizon: Call *611 or set up Number Lock in the My Verizon app
  • T-Mobile: Call 611 or visit Account → Security → SIM Protection

Once enabled, even if a scammer calls your carrier and perfectly impersonates you, they can’t transfer your number without the PIN. It’s one of the simplest and most effective protections available, and almost nobody does it.

I also set account-level PINs on my carrier account. This is a separate PIN from the SIM PIN — it prevents unauthorized changes to your account settings, plan, or authorized users.

6. Use a VPN on Public WiFi

If you ever access your exchange account from a coffee shop, airport, or hotel WiFi, you need a VPN. Public networks can be monitored, and man-in-the-middle attacks can intercept unencrypted traffic.

What a VPN does: It encrypts all traffic between your device and the internet, making it unreadable to anyone on the same network. Even if someone is monitoring the WiFi, they see encrypted gibberish instead of your login credentials.

My setup: I use NordVPN on my laptop and phone. It auto-connects when I’m on any network that isn’t my home WiFi. I chose Nord because it has a no-logs policy that’s been independently audited, it’s fast enough that I don’t notice it’s running, and it costs roughly $3-4/month on annual plans.

When I use it: Anytime I’m not on my home or office network. Non-negotiable. I also use it when accessing DeFi platforms or making large transactions, just as an extra layer.

A VPN won’t protect you from phishing — if you enter your password on a fake site, encryption doesn’t help. But it eliminates the risk of network-level snooping, which is the other major attack surface on public WiFi.

7. Treat Exchange Accounts Like Bank Accounts

Most people set up an exchange account, buy some crypto, and never look at the security settings again. That’s how accounts get drained.

What I enable on every exchange account:

On Kraken:

  • Global Settings Lock (set to 72 hours) — freezes all sensitive changes
  • Withdrawal address allowlisting
  • YubiKey as primary 2FA
  • PGP-encrypted email verification

On Coinbase:

  • Withdrawal allowlist with 48-hour delay on new addresses
  • Authenticator 2FA (no SMS)
  • Vault for any holdings I’m not actively trading
  • Email notifications for every transaction

On any exchange:

  • Review authorized devices regularly and remove any you don’t recognize
  • Check login history monthly — if you see logins from locations you weren’t in, change everything immediately
  • Enable every notification: login alerts, withdrawal alerts, settings change alerts

For a detailed security comparison between the two exchanges I use most, see my breakdown of Kraken vs Coinbase security.

The mindset shift: Your exchange account potentially holds more value than your bank account. Treat it that way. You wouldn’t use the same password for your bank as your Netflix account. You wouldn’t skip 2FA on your bank. Apply the same standard to your crypto.

Move Your Crypto to Cold Storage

I keep most of my portfolio on a Ledger. It is the simplest way to take full control of your keys.

Get a Ledger Wallet →

FAQ: Crypto Security Basics

Q: What’s the #1 way people lose crypto?
A: Social engineering — phishing emails, fake support calls, and scam messages that trick you into giving up your credentials. Over 60% of crypto incidents in 2025 involved social engineering. Technical hacks of exchanges are rare; human error is common.

Q: Do I really need a hardware wallet?
A: If you hold more than $500-1,000 in crypto and plan to keep it long-term, yes. A $59 Trezor One protects you from exchange failures, hacking, and the temptation to impulsively trade. Think of it as insurance. For a step-by-step setup guide, see how to move crypto to cold storage.

Q: Is it safe to keep crypto on Coinbase or Kraken?
A: Both are Tier 1 exchanges with strong security records. Coinbase is publicly traded and FDIC-insures your cash. Kraken has never been hacked in 15 years. For trading capital and short-term holdings, both are reasonable. For long-term holdings, self-custody is safer. Read my full Kraken vs Coinbase security comparison.

Q: What if I lose my hardware wallet?
A: Your crypto is not on the device — it’s on the blockchain. The hardware wallet stores the keys to access it. When you set up the wallet, you receive a 24-word seed phrase (recovery phrase). If you lose the device, you buy a new one and restore from the seed phrase. Guard the seed phrase with your life. Write it on paper (or stamp it into metal), store it in a secure location, and never store it digitally.

Q: How much does good crypto security cost?
A: Less than you’d think. Hardware wallet ($59-79), password manager (free-$36/year), YubiKey ($25-60 for two), VPN ($40-60/year). Total: roughly $125-175 for a setup that protects your entire portfolio. Compare that to the $65 million Coinbase users lost to scams in two months. The ROI on security is infinite.

My Review Criteria /
Last updated

April 20, 2026

How we evaluate

I evaluate platforms based on total fee drag, spreads, withdrawal friction, security track record, ease of use, and whether the tradeoffs make sense for real investors using real money.

Continue Researching

Newsletter

The Edge.
Weekly.

Crypto signals, macro shifts, and trades worth watching. No noise.

No spam. Unsubscribe anytime.