How Safe Are Crypto Hot Wallets?

TLDR - How safe are crypto hot wallets?

1. Hot wallets are online by default & therefore face constant threats

2. Threats can be directed at Hot Wallet service providers

3. Threats can also target you directly via viruses & social engineering

4. You can mitigate the security risk through vigilance, best practice & education

5. Never share your passwords or Seeds; no one will ever have a genuine reason to ask for them.

6. Complete peace of mind can only come from cold storage, but this doesn’t mean losing the convenience of trading.

What is a Hot Wallet?

A crypto wallet is a tool to enable you to store and manage your funds. There are several different types of wallet and wallet vendors, but three crucial differentiators to understand.

Firstly, wallets are categorised by the method of delivery; either as software (soft) or a physical piece of hardware (hard).

The second differentiator is whether a wallet is custodial or non-custodial. This relates to who has control of the piece of information that provides ultimate control of your crypto - a Private Key. 

A custodial wallet provider has control of your keys, with access via conventional credentials (username/password), while with a non-custodial wallet you’re in charge of your keys, in the form of Seed.

• Read more about Private Keys & custody.

The third and final criteria, relevant to this article, is whether the wallet is online by default (Hot) or offline by default (Cold). 

We can look at a table of wallet types differentiated by these three characteristics.

Choosing between a hot or cold is essentially a trade-off between convenience and security.Hot Wallets are convenient because the biggest use case for crypto right now - like it or not - is speculation, which means using web wallets with centralised exchanges, mobile Apps and especially browser based apps like Meta Mask, used for DEFI and trading NFTs.

Features of a hot wallet.

The convenience aspect of being online is simple to grasp, but how safe are Hot Wallets? We can group the threats into two main groups:

• Threats directed at custodial service providers

• Threats directed at you 

Threats directed at custodial service providers

Custodial services are essentially the gatekeepers of huge amounts of user funds, so it shouldn’t be a surprise that they are under constant attack from hackers trying to get access to that booty, via Private Keys.

Custodial services also employ a hot/cold approach to storing funds on your behalf. They keep enough funds to manage the expected day-to-day demand for withdrawals across several Hot Wallets, and the rest safely in Cold Storage. This makes their Hot Wallets the focus of hacker attention.

The Route One Approach

The route-one hacker approach is to try and get direct access to one of those Hot Wallets, which is exactly what happened to Binance, one of world’s largest cryptocurrency exchanges. 

In May 2019, 7,000 Bitcoin were stolen from a single hot wallet, as hackers got access to API keys and 2FA codes. That represented 2% of its bitcoin holdings, worth $40million at the time.

Though Binance’s Secure Asset Fund made good any customer losses, exchanges are under no specific obligation to make restitution. If it can happen to one of the world’s most established exchanges, then the Hot Wallets of the hundreds of smaller, and less professional operations, will certainly be at risk.

And it seems that ‘once bitten, twice shy’ may not apply when it comes to exploits. Korean exchange, Bithumb, was hacked no less than three times within two years, the most recent in March 2019, to the tune of $20million.

The route one approach.

How to mitigate the threat

This type of exploit can simply be filed under counterparty risk. By using a custodial service you are forced to trust their security practices, which is counter to the ethos of crypto as trustless money. 

You can try and do due diligence of an exchange, by researching any history of security breaches, while being regulated will enforce a certain amount of best practice and compliance, but you cannot escape the need to trust their security. 

The only real way to mitigate this kind of threat is to limit the amount of time you keep funds on an exchange, and move them to cold storage, such as the NGRAVE ZERO.

Website Spoofing

Even when exchanges and other custodial services do a good job of protecting Private Keys, hackers have plenty more tricks up their sleeves in attempts to compromise your Hot Wallet. 

One of the most common is to simply spoof the domain or App, sending the user to a fake version where log-in credentials can be harvested and used to drain your funds.

This type of attack can be achieved in a couple of ways. The simplest is to clone the genuine website or service, registering domains that are close enough to the real thing, then use advertising, or fake social media pages, to lure users in.

It is painfully easy to circumvent Google Ads policy, which will enable a fake domain to appear before the no.1 organic listing. Here’s an example that Luno shared in their blog.

Website spoofing.

There is a more sophisticated way to spoof a website, which is to get access to a site at the DNS level, and redirect the site or App IP to wherever the hackers choose.

This requires sophisticated social engineering as DNS is managed by third parties, and in the case of GoDaddy in 2020, their support employees were duped by a voice phishing scam to gain DNS access and redirect the websites of several prominent crypto services.

How to mitigate the threat

The best way to mitigate against spoof websites is to bookmark the genuine website - checking the domain spelling and the lock symbol in the browser, proving it has the required SSL certificates - and only ever access it via that bookmark link.

If you prefer to use Apps, make sure you are downloading the genuine product by double checking that the App has recently been updated, a good number of organic reviews, professional screenshots and a name that matches the brand.

DNS spoofing is largely out of your control, though you should always place close attention to the app behaviour, and if anything looks suspicious, such as asking for passwords or your Seed, take screenshots, delete the App, then report it to customer service.

Email Spoofing

Another familiar indirect tactic is to spoof emails, and either redirect users to fake sites, or infect them with viruses that will enable the hackers to harvest info (addressed below) and access their Hot Wallet funds.

Similar to website spoofing, this can be achieved by a scatter-gun approach, sending out fake emails in huge numbers in the hope that they will land in the inbox of genuine users of the service.

Sometimes hackers will buy compromised email lists from the dark web to give them a better chance of hitting home. The more pernicious version of this scam is to access the email sending systems of the actual service, and send what will have all the hallmarks of a genuine email, but directing you to a fake site or to hand over your Seed.

Celsius, crypto lender, suffered this breach in April 2021, with customers receiving emails and texts about a fake promo and accompanying url which encouraged them to share their Seed.

Email spoofing.

How to mitigate the threat

It is good security practice to use an encrypted email provider - such as Protonmail - for any crypto related activity, such as registering a custodial Hot Wallet, and nothing else. This will immediately minimise the amount of spam emails.

If you are suspicious of an email, view the actual ‘from address’ rather than just the Sender Name, which will often reveal it to be from some random domain. Spam emails are often badly written or formatted.

If you are offered the option of an anti-phishing code by a custodial Hot Wallet service, take it. This is a unique phrase that you set, which will appear embedded in any emails from the provider. It doesn’t guarantee the email is genuine, but provides a good level of reassurance.

Threats directed at you

Rather than attacking the service provider, hackers will instead try to attack you directly in an attempt to gain access to account credentials (for custodial services) or where you custody funds yourself via a Hot Wallet, your Seeds.

Before we get to the specifics it is worth reiterating that there is no reason why any service provider should ask you for your password or Seed. They should never even have access to it, as it should always be encrypted.

Man In the Middle Attacks

One of the vulnerabilities of using a Hot Wallet is what is known as the Man In the Middle Attack.

In order to send or receive transactions you need to share address details, often using chat services and/or your device clipboard.  The Man In the Middle attack relies on compromising the clipboard module - on laptop or smartphone - and using the remote access to intercept/replace the shared address details with details of their own choosing. A Trojan called Cryptoshuffler was doing the rounds in 2017, to achieve precisely this.

An alternative approach is infect your device with a virus that eavesdrops on your activity, by logging keystrokes, which may enable the hacker to harvest credentials or Seed. This is one reason why you should never type your Seed into your device, other than during the set-up process.

Infection can be achieved from links in phishing emails, infected websites, from USB sticks, or from browser extensions. One unsuspecting Coinbase user lost $11.6million in ten short minutes, via a fake browser notification.

Man in the middle attacks.

Mitigating the threat

Use Hot Wallets with address whitelisting, which only allows you to withdraw funds to a list of confirmed addresses and after a 24hr cooling off period. Some providers enable ‘vault modes’ which block withdrawals, full stop.

Ensure that two-factor authentication and/or biometrics are required for all transactional approval.

Use a good anti-virus service and keep it automatically updated, then follow best practice with your internet habits. If you can, use a specific device just for crypto activities and nothing else.

Social Engineering

Much of the threats to Hot Wallets are technical in nature, but some rely on soft skills, to engineer access to secure information. The most common is via fake customer support pretending to represent popular services.

This might be via unsolicited calls - in the hope of reaching and duping genuine customers - or more commonly, by posting on the genuine support channels of crypto services - such as Facebook or Twitter - and directing users to fake landing pages where they will try and harvest user credentials or Seeds.

A variant of this scam will offer a wallet recovery service, for which there is a constant demand, via social media using multiple stooge accounts to create an air of credibility, then request upfront payment, after which the scammer simply disappears.

Social engineering.

How to mitigate the threat

Never respond to any customer service requests that you haven’t initiated, and never share any passwords or Seeds under any circumstances. Be very suspicious of anyone offering help via social media or forum comments. Only use official sanctioned help, originating from their main website.

How to have convenience & offline security

If all the threats posed to Hot Wallets leave you in a cold sweat, this is the unfortunate reality of the internet,  and in particular, the allure that crypto has for hackers. 

You have to balance the benefits provided by the Hot Wallet services, against the risks. In some cases, such as services paying interest on your crypto funds, it is a binary choice between that extra yield, or the total peace of mind of offline storage.

When it comes to trading however, you can actually have your crypto cake and eat it, because a crypto hardware wallet like the NGRAVE ZERO provides cutting-edge offline security AND the ability to transact without exposing your Private Keys.

The clever use of QR codes, and a companion mobile App, mean you have the best of both worlds: the convenience of Hot Wallet transactions but with the security of offline storage.

No Hot Wallet service can ever be 100% safe, because being online automatically means you are vulnerable. You can mitigate the risk through due diligence, security best practice and simply being vigilant, but the simple truth is that nothing is safer than cold storage.