Have your crypto assets ever been stolen?
According to the latest data from the SlowMist security team, a total of 40 Web3 security incidents occurred in January 2025, with losses reaching $87.94 million. The reasons for the hacks involved contract vulnerabilities, account hacks, and private key leaks. In addition, there were 9,220 victims of phishing incidents this month, with losses reaching $10.25 million.
In recent years, Web3 security incidents have occurred frequently, and the security issues of encrypted wallets have become increasingly prominent.
As a tool that every Web3 investor cannot avoid, crypto wallets are not only the key line of defense for protecting crypto assets, but also the number one key to Web3 time. Precisely because of this importance, crypto wallets have become the hardest hit area for virtual asset thefts - mnemonic phrase loss, fake wallet traps, authorization loopholes... If you are not careful, your assets may be reduced to zero overnight.
For the safety of everyone’s virtual assets, in this article, Portal Labs will start from the main usage scenarios of encrypted wallets, list the most common wallet dangers, and provide practical suggestions to help you protect your digital wealth.
Hidden dangers of mnemonic management
In previous articles, we have repeatedly mentioned that you must keep your wallet's mnemonic phrase well, because it is the most important asset certificate of the encrypted wallet and the key to recovering your wallet. When you open an encrypted wallet on a new device, you need to import the mnemonic phrase (because the private key is a bunch of numbers + letters, which is not easy to remember and enter).
However, what is worrying is that many users have serious security vulnerabilities when storing mnemonics.
The most common mistake is to store the mnemonic online, such as in cloud notes, email, chat history on social software, or even directly take screenshots and save them in photo albums. These methods seem convenient, but they are actually extremely dangerous. Once your device is hacked, the mnemonic will likely be automatically scanned, extracted, and used to directly steal your wallet assets.
In addition, insufficient backup is also a major hidden danger. Some users simply write down the mnemonic on a piece of paper and put it in a drawer, wallet, or book gap, or take a photo and throw the paper away. However, ordinary paper is very easy to damage, and there is also the risk of loss, theft or accidental damage if it is kept in a single place for a long time.
So, how do you store mnemonics correctly?
First, make a handwritten backup and try not to save it in the cloud, social software, email or any Internet-connected device;
Secondly, you can choose a durable storage medium. Of course, you don’t have to use a metal mnemonic backup board. It’s better to choose a good notebook than just a piece of paper.
Furthermore, make multiple copies and store them in multiple safe places (such as safes, storage boxes) to ensure that you can find them in at least one place;
Finally, check the status of your backups regularly to ensure that your records are legible and stored in a safe and secure location.
Authorization and transactions
In the Web3 world, a crypto wallet is not just a tool for saving money, but also a credential for you to interact with various things. Whether you are participating in DeFi, buying NFTs, or receiving airdrops, many operations require you to "authorize" your crypto wallet to interact with smart contracts.
But have you ever thought that every "authorization" may hide huge security risks?
Simply put, when you authorize a smart contract to access your wallet, you are actually telling the contract: "I allow you to perform certain operations in my wallet." If the contract is secure, there is no problem; but if you authorize a carefully disguised phishing contract, it is very likely that the contract will directly transfer all the assets in your wallet in the next second after the authorization is completed.
In recent years, such phishing incidents have emerged one after another, especially before and after the airdrop of a well-known project, a large number of "fake airdrop" websites have appeared, guiding users to authorize their wallets. These so-called "receiving airdrops" are actually traps for direct transfers.
So, how can this be avoided?
Do not authorize wallets on unfamiliar websites at will, and give priority to well-known projects and audited dApps. Think twice about any website that claims to "receive airdrops" or "distribute benefits", especially those that require wallet authorization. You should first search the authenticity of the project in the community or forum.
Check the contract content to confirm that it will not directly call your assets. If necessary, it is recommended to use a blockchain browser (such as Etherscan) to verify the contract address.
Revoke unnecessary authorizations. Even if you have authorized a contract, you can use tools such as Revoke.cash to regularly check and revoke access permissions for high-risk contracts.
Fake Wallet Scam
In the Web3 world, a crypto wallet is not only your "digital bank", but also your identity credential. However, have you ever thought that the wallet you downloaded may not be an official application at all, but a carefully disguised "phishing trap"?
In recent years, more and more users have downloaded fake crypto wallet applications without realizing it. As a result, hackers have obtained the mnemonic phrases as soon as they created the wallet, and the assets have been monitored by hackers; or when the mnemonic phrases are imported, the wallets are immediately hijacked, causing the accounts to be emptied instantly. The means of these scams are often more hidden and sophisticated than you think.
So, how do you avoid falling into the trap of fake wallets?
The most important principle is of course to only download wallets from official channels. Do not trust search engine ads or promotional links on social media, such as MetaMask’s official website metamask.io, Trust Wallet’s official website trustwallet.com, and Ledger’s official website ledger.com.
At the same time, you should also develop the habit of checking the URL. Hackers often use similar domain names to forge official websites, such as metamask-wallet.io, trustwallets.com, and other seemingly legitimate but malicious URLs. For further prevention, you can also install MetaMask's built-in anti-phishing plug-in or Web3 anti-fraud tools such as PhishFort, which will automatically alarm when visiting suspicious websites to avoid falling into phishing traps.
For mobile users, never download APK files from unknown sources, because hackers can modify wallet applications at the code level and implant malicious scripts, causing the wallet to be hijacked once it is created or imported. It is recommended that iOS and Android users always download official applications through the App Store or Google Play, and confirm whether the developer information of the wallet is consistent with the official one after installation.
In addition, do not install browser plug-in versions of crypto wallets at will. Some fake plug-ins may hijack wallet authorization when you make transactions, tamper with the payment address, and let your assets flow into the hacker account without your knowledge.
Avoid "pitfalls" step by step to make your wallet safer
There are many pitfalls in crypto wallets, but there are corresponding solutions behind each pitfall. As long as you are willing to spend time learning and follow the above guidelines, you can greatly reduce the risk. Remember to protect your mnemonic, be cautious about each authorization, and choose reliable tools and services, so that your Web3 investment journey can be safer and more stable.
Next, Portal Labs will continue to write articles on security tools to protect your Web3 investments. Stay tuned!
