The real ways beginners lose money in crypto are not complicated, and the habits that stop almost all of them are not difficult to learn — they’re just easy to skip when something looks exciting. This is part four and the finale of the Crypto Safety series. The three previous posts covered the specific scam mechanics, what wallets actually are and how to secure them, and how exchanges work and where the custody risk sits. This post puts it into one actionable checklist. Print it. Save it. Use it before you do anything with real money.
Why a checklist, and why now
The Crypto Safety series started with scams because that’s where most beginners lose money first — not to bad trades, but to manipulation. Then it went to wallets because “not your keys, not your coins” is a phrase you hear everywhere in crypto and understand properly almost nowhere. Then exchanges, because that’s where most people interact with crypto first and where the most significant historical losses have occurred.
Distilling all three into a checklist is the point. According to the FBI’s Internet Crime Complaint Center, crypto investment fraud was the single largest category of reported losses in 2025, totaling approximately $7.2 billion in the US alone. Chainalysis put global crypto scam losses at roughly $14 billion for the same year. The overwhelming majority of those losses came from patterns this series covered: social engineering, custody misunderstanding, and approval phishing. None of these required a technical attack. They required a person who hadn’t read the checklist.
The complete checklist
Work through this once before you move any real money. Then use the relevant sections as a pre-flight check whenever you do something new.
| # | Habit | What it prevents | Red flag if you skip it |
|---|---|---|---|
| 1 | Seed phrase written on paper, stored offline | Permanent loss of access to all funds in that wallet | You can’t recover a wallet if you lose the phrase and the device |
| 2 | Seed phrase never typed into any website, and never into any app except the wallet you are deliberately restoring (on a hardware wallet, on the device itself) | Seed phrase phishing and fake recovery sites | Any website, browser pop-up, or "verification" form asking for your seed phrase is a scam, 100% |
| 3 | Seed phrase never shared with any person | Social engineering; fake support agents | No real support team, exchange, or hardware wallet company will ever ask for it |
| 4 | Backup copy of seed phrase in a second secure physical location | Single point of failure (fire, flood, theft) | One copy that gets destroyed means permanent loss |
| 5 | Know whether your exchange holds your keys or you do | Misunderstanding your actual ownership | Exchange custody = you’re an unsecured creditor if the exchange fails |
| 6 | Meaningful amounts moved to a self-custody wallet | Exchange failure, freeze, or hack | FTX (2022, ~$8B lost), Bybit hack ($1.5B, Feb 2025) — it keeps happening |
| 7 | Read every wallet approval prompt before confirming: which spender, which token, how much | Approval phishing / wallet drainers | A single "approve" granting an attacker-controlled spender an unlimited allowance lets them drain that token at any later time, with no further action from you |
| 8 | Periodically revoke old token approvals | Forgotten permissions that remain active attack surfaces | Tools exist to review and revoke these; do it |
| 9 | Verify wallet addresses after pasting (the whole address, not just the first and last few characters; on a hardware wallet, on the device screen) | Clipboard hijacking malware | Malware replaces your copied address with the attacker's at the moment you paste; check the whole string, not just the ends |
| 10 | Download wallet software from official sites only | Fake wallet apps that capture seed phrases | Search results and app stores can list fakes — verify the URL character by character |
| 11 | Never act on a stranger’s investment tip | Pig butchering and long-con investment scams | Nobody messaging you out of nowhere is doing you a favor |
| 12 | Urgency = stop completely | Every social engineering scam in existence | Legitimate finance does not have countdowns |
| 13 | Check exchange for: regulation, proof of reserves, asset segregation | Depositing funds into an unregistered or insolvent platform | Absence of reserve transparency is a warning sign |
| 14 | Understand the full fee structure before trading | Unexpected withdrawal fees, card surcharges, spread markups | Fees compound; check the full schedule, not the headline rate |
| 15 | A “support agent” who DMed you first is not real | Fake support impersonation scams | Legitimate exchanges never initiate contact to ask for credentials or remote access |
Walking through each section
The checklist is faster to use if you understand what each group covers and why.
Seed phrase (items 1–4)
From Crypto Wallets Explained: the seed phrase, typically 12 or 24 words generated when you set up a non-custodial wallet (the BIP39 standard), is the root of everything. Every private key the wallet will ever use is derived deterministically from it (BIP32 hierarchical derivation), so the same words always regenerate the same keys, on any device, for anyone who has them. Possessing the seed phrase is equivalent to owning the funds, and losing it is equivalent to permanent forfeiture.
The threats come from multiple directions: physical mail phishing impersonating hardware wallet manufacturers, fake recovery websites built to look identical to the real ones, and social engineering where someone poses as support and asks you to “verify” the phrase. None of those attack vectors require technical sophistication from the attacker. They require you to type the phrase somewhere you shouldn’t. I’ve seen people store seed phrases in cloud notes, email drafts, screenshots — once, in the notes field of a phone contact — and the outcomes were uniformly bad.
Physical paper, stored in a private location, with a backup copy somewhere else. That’s the answer. It’s not complicated; it’s just inconvenient enough that people skip it.
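To make "every key is regenerated from the words" concrete, here is an added example (not code from the original post or from any wallet vendor) that implements the BIP39 mnemonic-to-seed step and the BIP32 master-key step with nothing but the Python standard library. The phrase used is the public BIP39 test vector, which is worthless by design; the passphrase "hunter2" and the typo case are constructed for the demonstration. Never feed a real seed phrase to a script like this.

```python
from __future__ import annotations

import hashlib
import hmac
import unicodedata

# Added example, not from the original post. TEST_MNEMONIC is the public BIP39
# test vector (entropy of all zero bytes), so it controls no funds.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds, 64 bytes).

    The optional passphrase (the "25th word") is a separate secret: a different
    passphrase yields a completely different seed, and therefore a different wallet.
    """
    words = " ".join(mnemonic.split())  # normalise whitespace between words
    m = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with the literal string "Bitcoin seed".

    Left 32 bytes: master private key. Right 32 bytes: chain code. Every child
    key in the wallet is derived from these two values, so whoever holds the
    words holds every key the wallet will ever use.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def recovery_properties(mnemonic: str) -> dict:
    """The three properties the checklist relies on, shown on a constructed phrase."""
    seed_a = mnemonic_to_seed(mnemonic)
    seed_b = mnemonic_to_seed(mnemonic)               # same words, any device, any time
    seed_pp = mnemonic_to_seed(mnemonic, "hunter2")   # constructed passphrase
    words = mnemonic.split()
    words[-1] = "abandon"                             # one wrong word (a real wallet would
    seed_typo = mnemonic_to_seed(" ".join(words))     # reject it via the BIP39 checksum)
    key_a, _chain_code = seed_to_master_key(seed_a)
    return {
        "deterministic": seed_a == seed_b,            # anyone with the words gets this key
        "passphrase_changes_wallet": seed_a != seed_pp,
        "single_typo_is_total_loss": seed_a != seed_typo,  # there is no near-miss recovery
        "master_key_hex": key_a.hex(),
    }


if __name__ == "__main__":
    # With passphrase "TREZOR" this reproduces the published BIP39 test vector.
    print(mnemonic_to_seed(TEST_MNEMONIC, "TREZOR").hex())
    for k, v in recovery_properties(TEST_MNEMONIC).items():
        print(f"{k}: {v}")
```

The point of running it is the first line of output: a twelve-word phrase that anyone can read produces the same 64-byte seed and the same master key every time. There is no account, no server and no password around it. That is why the words belong on paper and nowhere a keylogger, a cloud sync or a screenshot can reach them.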
Custody and the “not your keys” rule (items 5–6)
From Crypto Exchanges Explained: when your crypto sits on an exchange, the exchange holds the private keys. You have a contract claim to those assets, not direct possession. If the exchange is hacked, freezes withdrawals, or collapses, you are typically an unsecured creditor — last in line in a bankruptcy proceeding.
This is not theoretical. FTX collapsed in November 2022; roughly $8 billion in customer funds disappeared. Celsius and Voyager froze withdrawals the same year, affecting approximately 4.3 million users. In February 2025, the Bybit exchange suffered a $1.5 billion ETH theft attributed to North Korea’s Lazarus Group. Bybit survived and covered losses — not every exchange will.
The checklist item is not “never use an exchange.” It’s “understand what you own.” Actively trading funds on a regulated exchange is a reasonable trade-off. Leaving a meaningful portion of your holdings on a platform indefinitely, trusting it the way you’d trust a bank, is a different decision — one that ignores what history keeps demonstrating.
Approval phishing and wallet hygiene (items 7–10)
From How to Avoid Crypto Scams: approval phishing is quiet and technical, which makes it dangerous. You connect a wallet to what looks like a legitimate decentralized app and confirm a prompt. You think you're claiming a reward or accessing a feature. What you actually signed is a token approval: it grants an attacker-controlled address (the "spender"), usually for an unlimited amount, the right to move that token out of your wallet at any later time, without any further interaction from you. No password stolen. No dramatic hack. You authorized it.
The defense has three parts: read what you’re approving before confirming, periodically revoke token approvals you no longer use (tools like Revoke.cash make this straightforward), and verify the full wallet address after you paste it anywhere — clipboard-hijacking malware swaps addresses at paste time. These habits take minutes and block a category of attack that has caused billions in losses.
Downloading wallet software from official sites only is the last line of this group. Attackers build near-perfect replicas of popular wallets and distribute them through search ads, social media, and sometimes even app store listings. The URL check takes five seconds.
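What a wallet prompt is really asking you to sign is a few hundred bytes of calldata, and the approval, the spender and the amount are all readable in it. The following is an added example (not code from the original post, and not any wallet's or revoke tool's code) that decodes the common ERC-20 and NFT approval calls, rates what signing would let someone do later, and builds the approve(spender, 0) call that a revoke amounts to. The function selectors are hard-coded because the standard library has no keccak256; the attacker address and sample calldata are constructed placeholders.

```python
# Added example, not from the original post. Selectors are the first four bytes
# of keccak256(signature) for the standard token functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",               # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",         # ERC-721 / ERC-1155
    "a9059cbb": "transfer(address,uint256)",               # ERC-20
    "23b872dd": "transferFrom(address,address,uint256)",   # ERC-20
}
UNLIMITED = 2**256 - 1

# Constructed: an attacker-controlled spender and the prompt a drainer site
# would ask your wallet to sign (unlimited allowance to that spender).
ATTACKER = "0x" + "ab" * 20
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "ab" * 20 + "f" * 64


def _word(args: str, i: int) -> str:
    """The i-th 32-byte ABI word (64 hex chars) of the argument area."""
    w = args[64 * i: 64 * (i + 1)]
    if len(w) != 64:
        raise ValueError("calldata truncated")
    return w


def _addr(word: str) -> str:
    return "0x" + word[24:]  # addresses are right-aligned inside the 32-byte word


def decode_calldata(calldata: str) -> dict:
    """Turn raw calldata into the fields a person should read before signing."""
    h = calldata.lower().removeprefix("0x")
    sel, args = h[:8], h[8:]
    name = SELECTORS.get(sel, "")
    try:
        if name.startswith("approve"):
            amount = int(_word(args, 1), 16)
            return {"action": "approve", "spender": _addr(_word(args, 0)),
                    "amount": amount, "unlimited": amount == UNLIMITED}
        if name.startswith("setApprovalForAll"):
            return {"action": "setApprovalForAll", "operator": _addr(_word(args, 0)),
                    "approved": int(_word(args, 1), 16) == 1}
        if name.startswith("transfer("):
            return {"action": "transfer", "to": _addr(_word(args, 0)),
                    "amount": int(_word(args, 1), 16)}
        if name.startswith("transferFrom"):
            return {"action": "transferFrom", "from": _addr(_word(args, 0)),
                    "to": _addr(_word(args, 1)), "amount": int(_word(args, 2), 16)}
    except ValueError:
        return {"action": "unknown", "selector": sel, "reason": "truncated"}
    return {"action": "unknown", "selector": sel}


def risk(decoded: dict) -> str:
    """Coarse rating of what signing this would let someone else do, now or later."""
    a = decoded["action"]
    if a == "approve" and decoded["unlimited"]:
        return "HIGH: unlimited allowance; the spender can move every unit of this token at any time"
    if a == "setApprovalForAll" and decoded["approved"]:
        return "HIGH: the operator can move every NFT in this collection at any time"
    if a == "approve":
        return f"MEDIUM: allowance of {decoded['amount']} base units; the spender can take up to that"
    if a in ("transfer", "transferFrom"):
        return "IMMEDIATE: this moves tokens now rather than granting a standing permission"
    return "UNKNOWN: do not sign what you cannot decode"


def encode_revoke(spender: str) -> str:
    """approve(spender, 0): the transaction a revoke tool sends for an ERC-20 allowance."""
    s = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x095ea7b3" + s + "0" * 64


if __name__ == "__main__":
    d = decode_calldata(SAMPLE_UNLIMITED_APPROVE)
    print(d)
    print(risk(d))
    print(decode_calldata(encode_revoke(ATTACKER)), "<- what the allowance looks like after revoking")
```

Two things to take from it. First, the approval never names a token: the token is the contract the call is sent to, so the "to" address in the prompt is as important as the spender. Second, an allowance is a standing permission that persists until it is set back to zero, which is exactly what a revoke tool does on your behalf, and why item 8 on the checklist matters.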
Scam patterns (items 11–12, 15)
From How to Avoid Crypto Scams: the most costly scam type by volume is “pig butchering” — a long-con where a stranger builds a relationship over weeks, introduces a “great” investment platform (which is fake), lets you withdraw a small profit to build confidence, then encourages larger and larger deposits before disappearing with the funds. Many of these operations run out of organized scam compounds. The 2026 coordinated takedown by the FBI, Dubai Police, and Chinese authorities resulted in 276 arrests and froze more than $701 million — and that’s one operation.
The pattern that all scam types share: urgency designed to stop you thinking, and a stranger who knows what you want to hear. Slowing down is not being unsophisticated. It’s the specific behavior that prevents the vast majority of these losses.
Fake support agents follow the same pattern on a shorter timeline — they appear in search results, Discord servers, social media replies, and sometimes in-app chat interfaces, offering to help with a problem you just posted about publicly. A real exchange will never DM you first and never needs your recovery phrase or remote access to your screen.
Exchange selection (items 13–14)
From Crypto Exchanges Explained: regulation, proof of reserves, and asset segregation are the three things that meaningfully distinguish a better-operated exchange from a worse-operated one. Regulation means the platform operates under a framework (MiCA in the EU, FinCEN registration in the US, FCA in the UK) with accountability. Proof of reserves means independent attestation that the exchange holds assets to match customer balances — something many platforms started publishing after FTX. Asset segregation means customer funds are kept separate from company operating capital, which is what FTX violated.
Fees are lower-stakes but still matter. Trading fees, withdrawal fees, card surcharges, and bid/ask spread markups all come out of your funds. Platforms designed for beginners often charge significantly more than they appear to at first glance.
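The liabilities half of a proof-of-reserves attestation is usually a Merkle sum tree: the exchange publishes one root hash and one total, and gives each customer a short proof that their own balance is one of the leaves summed into that total. The following is an added example (a toy implementation written for this post, not any exchange's code) showing how the tree is built, what the customer-side check looks like, and why the child sums have to be hashed in. The ledger is constructed sample data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Added example, not from the original post. Constructed customer ledger.
LEDGER = [("alice", 150), ("bob", 40), ("carol", 1000), ("dave", 5), ("erin", 300)]


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _u128(n: int) -> bytes:
    return n.to_bytes(16, "big")  # raises on negatives: balances must be >= 0


def leaf(user_id: str, balance: int) -> Node:
    # Domain-separate leaves from inner nodes so a leaf cannot be passed off as a node.
    return Node(_h(b"leaf", user_id.encode(), _u128(balance)), balance)


def parent(left: Node, right: Node) -> Node:
    # The child totals are hashed in, so no total can change without changing the root.
    return Node(_h(b"node", left.digest, _u128(left.total), right.digest, _u128(right.total)),
                left.total + right.total)


def build_levels(leaves: list[Node]) -> list[list[Node]]:
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [parent(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # an odd node is carried up unchanged (no double counting)
        levels.append(nxt)
    return levels


def inclusion_proof(levels: list[list[Node]], index: int) -> list[tuple[Node, bool]]:
    """Sibling nodes from leaf to root, each tagged with whether it sits on the left."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        index //= 2
    return proof


def verify(my_leaf: Node, proof: list[tuple[Node, bool]], root: Node) -> bool:
    """What a customer runs locally: rebuild the path from their own leaf to the published root."""
    node = my_leaf
    for sib, sib_is_left in proof:
        if sib.total < 0:
            return False  # a negative sibling would let the exchange cancel out liabilities
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node.digest == root.digest and node.total == root.total


def publish(ledger: list[tuple[str, int]]) -> tuple[list[list[Node]], Node]:
    """Exchange side: build the tree and return it with the root to publish."""
    levels = build_levels([leaf(u, b) for u, b in ledger])
    return levels, levels[-1][0]


if __name__ == "__main__":
    levels, root = publish(LEDGER)
    print("published root:", root.digest.hex()[:16] + "...", "total liabilities:", root.total)
    i = LEDGER.index(("carol", 1000))
    print("carol's proof verifies:", verify(leaf("carol", 1000), inclusion_proof(levels, i), root))
    print("tampered balance verifies:", verify(leaf("carol", 999), inclusion_proof(levels, i), root))
```

The caveat a practitioner should carry with this: a successful check proves only that your balance was counted in the published liability total. Whether the exchange actually controls on-chain assets matching that total, whether those assets are also pledged elsewhere, and whether the snapshot was taken at the time claimed are separate questions for the independent attestation, which is why the checklist pairs proof of reserves with regulation and asset segregation rather than treating it as sufficient on its own.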
The one pattern that covers everything
Every item on this checklist is a specific application of one principle: in crypto, there is no undo, no customer service that can reverse a transaction, and no regulator who can restore a lost seed phrase or claw back a signed transaction. The blockchain records what happened. The mechanism ran as designed. The loss is final.
That’s not a reason to panic or to avoid the space entirely. It’s just what’s true, and designing your behavior around what’s true is the entire point of this series. The people who lose money are almost never outwitted by sophisticated attacks. They’re in a hurry, they’re excited, and they haven’t read the checklist.
If you want to understand the underlying technology rather than just the safety layer, start with What Is Cryptocurrency? and work forward through Crypto 101. The safety habits make more intuitive sense once you understand why there’s no undo.
FAQ
Is a hardware wallet really necessary if I'm just starting out? For small amounts you're actively exploring: not immediately. For anything meaningful you're not planning to move frequently: yes. Hardware wallets keep private keys offline in a dedicated chip and sign transactions internally, so the keys are never exposed to your internet-connected computer, even if that computer is fully compromised. The caveat is that the device protects the key, not your judgment: a compromised computer can still hand the device a transaction that is not the one shown on screen, which is why you confirm the recipient address and amount on the device's own display before approving. The inconvenience is the point. Start learning how they work before you need one, not after.
Can approval phishing happen on a well-known decentralized app? Yes, through several vectors: a malicious ad that mimics the real site, a compromised DNS that redirects the official URL, or a malicious link from a trusted source whose account was itself compromised. The defense isn't trusting the brand. It's reading the specific transaction before confirming: what does the approval actually grant, to which spender address, for how much, and on which token contract?
What should I do if I think I’ve been scammed? Stop sending money immediately, cut contact with whoever is involved, and report it. In the US, file a report with the FBI’s Internet Crime Complaint Center (ic3.gov). Fast reporting has occasionally allowed law enforcement to freeze funds — the FBI’s Operation Level Up had warned nearly 9,000 victims and prevented an estimated $562 million in losses as of early 2026. One important warning: be immediately suspicious of anyone who contacts you afterward offering to “recover” your lost funds. That is almost always a second scam targeting victims.
How often should I revoke token approvals? There’s no universal rule, but periodically — every few months, or after you stop using a specific dApp — is reasonable. Tools that display your active approvals across wallets are freely available. Every approval you’ve forgotten about is a potential open door. Closing them costs a small gas fee and takes a few minutes.
Browse the full Crypto Safety series and all plain-English explainers in the Crypto section. About the author — Theo is a developer who has followed crypto since the early days and writes about it without the hype. Not a financial advisor; just here to explain how things work.