Bitcoin is designed with security in mind. However, there are various ways in which thieves may steal your Bitcoins. Understanding how Bitcoin works is a crucial first step to protecting it — please read the article explaining how to set up a wallet, as that clarifies how it works.
Your Private Key: What Thieves Want (But Not In All Cases)
Your Bitcoin private key is used by your wallet app to authorize outgoing transactions from your wallet. This means that if a thief obtains your private key, they can steal all your coins. Some thieves may not opt to steal your private key, but may instead trick you into sending your tokens to them or steal them off a centralized exchange by cracking your password or hacking the exchange itself.
Also be wary of phishing (websites pretending to be well-known exchanges by copying their user interfaces).
Common examples of centralized exchanges include:
- Coinbase — ensure you are at coinbase.com.
- Gemini.
- Binance – ensure you are at binance.com or binance.us.
- KuCoin – ensure you are at kucoin.com.
- Coinspot.
You can avoid this by using decentralized exchanges, a few examples include:
- Uniswap on Ethereum. Do ensure you are on uniswap.org to prevent phishing.
- Dexter on Tezos.
- EOSDAQ on EOS.
Counterfeit Wallet Apps
Counterfeit wallet apps pretend to be the wallet apps that you already know and trust by copying their interface design. This tricks you into thinking that you have a safe, reputable wallet app — but it is actually stealing your private key or replacing your real wallet address with the thief’s address.
You can avoid this issue by:
- Only getting the wallet app from the vendor’s website (also ensure you are at the vendor’s real website).
- In app stores (this applies to all of them), read through wallet app listings carefully to ensure that the wallet app you are downloading is from the original vendor. Also be extra careful if you see duplicate apps with the same name in the search results. Hover over the app store listing to see the ‘com.company.appname‘ in the URL to ensure it’s them. See the screenshot below for an example.
Malicious Wallet Apps
A scammer may not necessarily build a counterfeit app to impersonate a legitimate software vendor. They might develop their own unique app and list it in app stores. This threat is harder to detect because it is not as conspicuous as duplicate listings. Before trying out a new Bitcoin wallet app, do some research online and see what people are saying about them.
Read through the reviews in the app store as well. Closed-source wallet apps (apps that don’t publish their source code) pose an even greater risk because no one can verify what the app is doing. Also ensure that the app is non-custodial. If it isn’t, then the app vendor has your key and may take your coins.
Reputable Bitcoin wallet apps include, but are not limited to:
- Bitcoin Core.
- Bither – Available for all OSes, including iOS and Android.
- BitPay.
- Wasabi.
- Armory.
- Bitcoin Wallet – Android.
- BRD – iOS | Android.
- Edge [Custodial – will store a copy of your keys/has access to your coins] – iOS | Android.
Malware: A Threat To Legitimate Wallet Apps
If you have taken all of the above precautions and have a good, reputable wallet app — the next thing to do is ensure that your computer (or whichever device your wallet is on) is free of malicious software (malware) and stays that way. That means you shouldn’t visit any shady websites, or any other that you don’t know for sure to be safe.
Malware may either steal your private key, or it could be a keylogger. A keylogger records your keystrokes, enabling it to intercept your exchange passwords as you type them. A hardware wallet is an effective way to avoid the malware problem. Just bear in mind it won’t protect your coins if you have them on an exchange. The coins need to be kept on the hardware wallet.
It is also important to note that anti-malware apps tend to lag behind malware developments (simply because it isn’t possible to keep up). This is why malware spreads first, and is discovered afterwards. Anti-malware apps are still helpful because of their ability to detect older malware.
It is also imperative that you don’t log into Windows with the administrator account, don’t log into Linux with the root account, and don’t give any administrative privileges to apps on your phone (regardless of how much they insist). If you accidentally give a malicious app administrative privileges or log into one of those admin accounts, that will expand its capabilities significantly. It may then be able to steal your private key from your wallet app(s).
Another way you could address this issue is to set up a computer with a fresh installation of your favourite OS and use it only for your wallet. Don’t download anything to it or use it to browse the Internet.