Bitcoin Security
They want your keys. Here's how you keep them. — Security Intelligence, 2026 Edition
The Security Playbook
The Scam Landscape
Crypto scammers don't hack your wallet first. They hack your mind. Modern fraud is psychological before it's technical — and the schemes running today are more patient, more convincing, and more devastating than anything that came before.
Anatomy of a Pig Butchering Scam
The U.S. Secret Service called it "the modern-day Ponzi scheme." Pig butchering (shā zhū pán) is a long-con investment fraud that weaponizes trust, manufactured profit, and the near-impossibility of fund recovery once crypto leaves your wallet.
The Random Contact
It arrives as a wrong number text, a dating app match, or a LinkedIn connection. The opening is always innocent. They're not trying to sell you anything yet — they're building a persona. This phase can last weeks.
Relationship Building
Daily messages, shared interests, sometimes even video calls using deepfake technology. The scammer becomes a trusted confidant before crypto ever enters the conversation. By the time it does, you're invested emotionally.
The "Tip"
Casually, they mention how they've been making money in crypto. They share a platform — always a fake or manipulated one — and your initial "investment" shows spectacular gains almost immediately. You're hooked.
The Slaughter
When you try to withdraw, there are fees, taxes, verification requirements — endless pretexts that demand more deposits. When you can't provide more, the platform disappears along with everything you put in. Funds routed through 11+ exchanges are essentially unrecoverable.
Investment scams represent the single largest category of crypto fraud. The dashboards look real. The profits look real. One documented case involved a victim's $1 million divided across 15 transactions, routed through 11 exchanges. It was never recovered. The platforms mimic real brokerages down to the last pixel.
The Full Threat Index
Phishing & Fake Apps (Critical Threat)
Sites and apps that replicate legitimate wallets or exchanges pixel-for-pixel. In April 2026, a fake Ledger app drained users who entered their seed phrases. No amount of experience protects you from a convincing fake.
Pig Butchering (Critical Threat)
Long-form relationship fraud ending in fake investment platforms. Increased 40% from 2023 to 2024, accounting for a disproportionate share of the $9.9B in scam losses. Operates from organized crime centers using trafficked workers.
SIM Swapping (High Threat)
Social engineering your carrier to redirect your phone number — and all SMS 2FA codes — to an attacker. One call to your carrier can hand an attacker every account tied to your number. SMS is not security.
Fake Influencers (High Threat)
Deepfake videos and compromised accounts promote rug pulls, pump-and-dump tokens, or malicious links. If a famous person is sending you DMs about crypto, it is a scam. No exceptions. Not Elon. Not Saylor. Not anyone.
Clipboard Hijacking (High Threat)
Malware that silently replaces copied wallet addresses with attacker-controlled ones. You copy an address, paste it, and send funds to a stranger. The attack is invisible unless you manually verify the full address before every transaction.
Fake "Support" (Medium Threat)
Scammers monitoring Reddit, Telegram, and Discord for users reporting problems — then jumping in as fake support agents. Their first move is always asking for your seed phrase "to restore access." Legitimate support never needs it.
Major Incidents: 2025–2026
Bybit — $1.5 Billion
The largest single theft in crypto history. A sophisticated social engineering attack compromised the exchange's cold wallet signing process. The defining case study for supply-chain and operational security failures at scale.
$370M Month — Social Engineering Surge
The highest monthly exploit total in nearly a year. Large-scale targeted social engineering schemes drove most losses. Stablecoins accounted for 84% of illicit activity due to ease of transfer and liquidity.
Drift Protocol — $270M Exploit
A North Korea-linked group infiltrated the protocol after posing as a quant trading firm for six months. One of the longest and most sophisticated infiltrations in DeFi history. DRIFT token lost 70% of its value.
Fake Ledger App Campaign
A convincing counterfeit Ledger Live application prompted users to enter seed phrases for "verification." Multiple confirmed victims lost six-figure amounts. Hardware wasn't compromised — users were.
Exchange Security
Exchanges are a necessary evil. You need them to on-ramp, off-ramp, and trade. But parking your crypto on an exchange long-term is not a strategy — it's a gamble on that company's security, solvency, and integrity simultaneously.
Not your keys, not your coins. You don't own crypto on an exchange. You own a promise from a company — and companies fail.
How to Vet an Exchange
Proof of Reserves
Does the exchange publish regular, third-party-audited proof-of-reserves reports? This is the minimum bar. Note: PoR shows assets, not liabilities — it's necessary but not sufficient.
Regulatory Registration
In Canada, the exchange must be registered with provincial securities regulators or FINTRAC as an MSB. Shakepay, Newton, and Kraken Canada all clear this bar. Many overseas exchanges do not.
Hardware Security Key (2FA)
Enable hardware 2FA (FIDO2 / YubiKey) on your account. Not SMS. Not email. SMS 2FA falls to a single phone carrier social engineering call. A YubiKey doesn't.
Withdrawal Address Whitelist
Lock your account so withdrawals can only go to pre-approved addresses. Even if someone compromises your login, they can't move funds to an unknown address without your explicit approval.
Dedicated Email Address
Use a unique email for each exchange — one that exists nowhere else online. If that email appears in a phishing campaign, you immediately know which exchange had a data breach.
Anti-Phishing Code
Most major exchanges let you set a custom phrase that appears in all legitimate emails from them. If you receive an email without it, it's a phishing attempt — regardless of how convincing it looks.
A Note for Canadian Users
The OSC and BCSC have meaningfully tightened exchange registration requirements since 2023. Exchanges operating in Ontario must be registered — and leverage trading platforms popular internationally are explicitly restricted. If a platform tells you to "use a VPN" to access their service from Canada, that is not a workaround — it's a terms violation and a signal the platform doesn't want accountability. Stick to compliant platforms for any fiat on/off-ramping.
Exchange Red Flags
Walk away from any platform that exhibits the following. These warning signs have preceded every major collapse.
Withdrawal delays or "technical issues" when you try to take money out. This is how Celsius, Voyager, and BlockFi started. The freeze always comes before the announcement.
Guaranteed returns or interest on deposits. No legitimate exchange promises returns on held crypto. If it sounds like a savings account with 20% APY, someone is lying about where that yield comes from.
No verifiable proof of reserves. Post-FTX, this is table stakes. Sam Bankman-Fried built a $32 billion empire on assets that didn't exist. "Trust us" is not an audit.
Pressure to deposit more to "unlock" funds. This is the signature move of every pig butchering scam. Taxes, fees, verification deposits — all fabricated pretexts.
No physical address, no legal entity, no regulation. Anonymous offshore exchanges have no accountability. When they disappear, there is no recourse, no regulator to call, and no lawyer who can help you.
Someone else recommended it in a DM. Legitimate exchanges don't recruit users through Telegram, Discord, WhatsApp, or Reddit replies. If someone steered you to a platform, that is the attack vector.
Self-Custody
Self-custody is not about distrust. It's about architecture. When you hold your own keys, there is no company to go bankrupt, no exchange to freeze, no regulator to seize assets. You are the bank. That comes with real responsibility.
The Custody Spectrum
Not all storage is equal. Where you sit on this spectrum should match what you're holding and why.
Air-Gapped Hardware
Coldcard Mk4, SeedSigner, Keystone. Never connected to internet. QR or microSD transaction signing. For serious long-term holdings.
Hardware Wallet
Ledger, Trezor, Coldcard via USB. Keys never leave the device. Strong for most users; requires vigilance against phishing that asks for seed phrases.
Software Wallet
Sparrow, Electrum, MetaMask. Keys on an internet-connected device. Acceptable for active trading amounts. Vulnerable to malware, keyloggers, clipboard attacks.
Exchange Wallet
Coinbase, Kraken, Binance. You don't hold keys. Fine for trading; unacceptable for long-term storage. History is a graveyard of exchanges that became wallets people couldn't open.
The Seed Phrase: Your Master Key
Your 12 or 24-word seed phrase is the master key to everything in your wallet. It does not belong online. It does not belong in a photo. It does not belong in a password manager, an email draft, a note app, or any digital medium whatsoever. The moment it touches a connected device, assume it is compromised. Engrave it on steel. Put it in a fireproof location. Tell no one.
Metal Backup Only
Cryptosteel, Billfodl, or stamped steel plate. Survives fire (2000°F+), flood, and physical destruction that would destroy paper. Avoid laser engraving — it's shallow.
Geographically Separate Copies
Multiple copies in physically separate, secure locations. A house fire destroys one backup. If both are in the same city, the risk isn't truly distributed.
The BIP39 Passphrase (25th Word)
Add a custom passphrase on top of your seed — creates a completely separate wallet, invisible to anyone who finds your seed alone. Your decoy wallet lives on the raw seed; real funds live behind the passphrase. Store them separately.
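Added example (not from the original page): the BIP39 derivation that makes the passphrase work. The seed is PBKDF2-HMAC-SHA512 over the NFKD-normalized mnemonic with salt "mnemonic" + passphrase, so any passphrase, including a mistyped one, silently opens a different, empty wallet. The mnemonic used is the standard all-"abandon" BIP39 test vector, not a real wallet.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed (PBKDF2-HMAC-SHA512, 2048 rounds).

    BIP39 requires NFKD normalization of both mnemonic and passphrase;
    the salt is the literal string "mnemonic" followed by the passphrase.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def passphrase_isolates_wallet(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrase wallet is distinct from the raw-seed (decoy) wallet.

    There is no "wrong passphrase" error in BIP39: every passphrase is valid
    and yields its own seed, which is why a typo looks like an empty wallet.
    """
    return bip39_seed(mnemonic) != bip39_seed(mnemonic, passphrase)


# Standard BIP39 test vector (constructed input, not a funded wallet).
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    print("raw seed  :", bip39_seed(TEST_MNEMONIC).hex()[:32], "...")
    print("with pass :", bip39_seed(TEST_MNEMONIC, "TREZOR").hex()[:32], "...")
    print("typo pass :", bip39_seed(TEST_MNEMONIC, "TREZOR ").hex()[:32], "...")
    print("isolated  :", passphrase_isolates_wallet(TEST_MNEMONIC, "TREZOR"))
```

The third line of output illustrates the failure mode worth rehearsing during a recovery test: a trailing space in the passphrase is a different wallet with a zero balance, not an error.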
Verify Before You Need To
Test your recovery before the emergency. A seed backup that has never been tested might not work. Restore to a spare device, confirm addresses match, then store it away again.
For holdings you genuinely cannot afford to lose, multi-signature setups (2-of-3 or 3-of-5 across different hardware wallet vendors) eliminate the single point of failure entirely. Compromising one device, one seed phrase, or one vendor gives an attacker nothing without the remaining keys. Services like Casa and Unchained Capital have made this accessible without full DIY complexity.
The Unbreakable Rules
Crypto security doesn't require perfection across 100 practices. It requires zero failures on a handful of fundamentals. These rules have never once been the wrong call.
Your Seed Phrase Is Sacred
No website, no support agent, no recovery service ever needs your seed phrase. The only entity that ever needs it is you — when restoring to a new device. Any other request is an attack. This single rule, if never broken, prevents the most catastrophic losses.
Exchanges Are Transit, Not Storage
Buy on an exchange. Trade on an exchange. Then move to cold storage. The exchange is the airport, not the destination. Every asset sitting on an exchange is an asset you're trusting that company to protect — and that trust has been misplaced at FTX, Mt. Gox, Celsius, Voyager, BlockFi, and dozens more.
Verify Every Address Character
Clipboard-hijacking malware swaps your destination address silently. Before confirming any transaction: manually verify the first and last six characters of the receiving address on your hardware wallet's screen against what you intended. Trust the hardware screen — not the computer display.
If They Contacted You, It's a Scam
Legitimate investment opportunities, exchange support teams, and wallet providers do not send unsolicited DMs. Not on Telegram. Not on Discord. Not on WhatsApp, LinkedIn, or X. The initiating contact is itself the attack.
SMS Is Not Security
Turn off SMS 2FA on every crypto account immediately. A SIM swap attack requires one call to your carrier. Use hardware keys (YubiKey) as the first choice and authenticator apps (Aegis, Google Authenticator) as the second. SMS is effectively no 2FA at all.
Buy Hardware Direct, Verify On Arrival
Never buy a hardware wallet from Amazon, eBay, or resellers. Supply-chain attacks are real and documented. Tampered wallets ship with pre-loaded seed phrases the attacker already knows. Buy from the manufacturer's official website only, and verify firmware before any use.
Bookmark, Never Search
Malicious websites clone legitimate exchanges with near-identical URLs. Never navigate to a crypto platform by searching for it — search ads have served malicious sites at the top of results. Bookmark every exchange and wallet during a verified first setup and always access through that bookmark.
Plan for Your Own Disappearance
Crypto in self-custody disappears with you if you haven't planned for access. An estimated $140 billion in Bitcoin is permanently inaccessible because holders died or forgot credentials without leaving instructions. Document a map to your setup — somewhere your family can find if you can't.
🚨 Immediate Red Flags
- Any request for your seed phrase
- Promised guaranteed returns
- Withdrawal delays "for technical reasons"
- Unsolicited investment DMs
- Fees to "unlock" your balance
- Support reaching out to you first
- Platform recommended via chat or DM
✅ Your Security Stack
- Hardware wallet for long-term storage
- YubiKey or TOTP app for 2FA (no SMS)
- Unique email per exchange
- Withdrawal address whitelist enabled
- Anti-phishing code set on exchange
- Seed phrase on metal, stored offline
- BIP39 passphrase for serious holdings
🍁 Canadian Specifically
- Only use FINTRAC-registered exchanges
- Leverage perp trading → GMX V2 on Arbitrum
- Track all trades for CRA reporting
- Each trade is a taxable event (capital or income)
- Report every taxable event — even swaps
- No VPNs to bypass Ontario restrictions
Security best practices described reflect community consensus as of April 2026 and may evolve as threats do. Statistics sourced from Chainalysis, PeckShield, CertiK, TRM Labs, and U.S. Secret Service public reporting. This is educational content — not financial, legal, or security advice.