Your Crypto Fortune Could Vanish Tomorrow: Here’s the One Move That Can Save It
Not Your Keys, Not Your Coins
Note: this is part 9 of a series on how to go further by integrating asymmetrical defenses against overeager states.
Here are the 8 articles in the series:
End-to-end encryption is the foundation of any self-respecting crypto: without it, it would be impossible to ensure that only you could access your cryptos, and to separate the Currency from the State.
However, many people make a dramatic mistake that negates all the benefits of absolute ownership conferred by good cryptos1 like Bitcoin and Ethereum: they leave them on the centralized platforms where they bought them.
This poses several problems:
Firstly, if the platform isn't honest, it can claim to have all the cryptos its customers have bought, without this being true, leaving it vulnerable to the equivalent of bank panics: if too many customers try to withdraw their funds at the same time, the platform will run out of cryptos and the remaining customers will have lost their assets. This is exactly what caused the loss of one of the world's biggest platforms, FTX, whose management team had misappropriated the equivalent of $8 billion in crypto funds to make risky investments that turned out to be losers for long enough to cause the company to go bankrupt2.
Closer to our asymmetric defense, remember the 11th principle: governments attack bottlenecks first, as they are fewer in number and easier to control. Leaving your cryptos on a centralized platform therefore increases your exchange surface with governments, rather than decreasing it.
What's more, the platform can be hacked, and your funds with it.
It has even happened that the head of a platform has died unexpectedly, and customers have realized that he was the only one to hold the key to the crypto deposits3 !
Thus, the expression "not your keys, not your coins" has become a proverb in the crypto world: when your cryptos are stored on a platform, it's the platform that has the access keys, and it can ultimately choose what to do with your cryptos.
So, to take advantage of the asymmetrical defense that good cryptos give you, you need to take them off the platforms as soon as you've bought them, and transfer them to a crypto wallet that you own.
This is not an exercise. If you still have cryptos on an online platform, withdraw them now.
Hot and cold storage
You can easily download a secure wallet that handles major cryptos, such as Cake Wallet, to your smartphone, but this type of app isn't suitable for long-term storage.
Why?
Because there are two possible types of storage: hot and cold.
Hot wallets
Hot storage is provided by an application installed on a device (typically a computer or smartphone) connected to the Internet.
This makes it easy to use your cryptos (to buy something, for example), but the fact that it's a machine you use every day and that's connected makes it vulnerable to hacking.
It's no big deal if you've only got enough to cover day-to-day expenses. It's a much bigger deal if your entire fortune is in it (just as it would be for your normal portfolio).
The hot wallet I recommend is Cake Wallet, compatible with the main cryptos on the market.
Cold wallets
This is where cold storage comes in: by definition, it means that your cryptos are stored on a device that 1) isn't a multifunctional device you use every day, and 2) isn't connected to the Internet.
They are therefore small devices dedicated to their function, with no connection, and this greatly reduces the possible attack surface for hackers who would like to attack them: as these machines are not equipped with dozens of software programs (each of which can have security flaws) and the operating system is extremely reduced compared to a Windows, macOS, Android, iOS, etc., it is much more difficult to use a flaw to break in without authorization.
And of course, as the device is not connected to the Internet, physical access is required to hack into it, making the task immensely more difficult for would-be hackers.
"But", you might ask, "if the device doesn't have Internet access, how can you send cryptos?"
Excellent question!
In fact, when you need to send cryptos from your cold wallet :
You connect your cold wallet to your computer or smartphone, via cable or wireless link depending on your hardware.
You run software designed to interface with the cold wallet (this may be software supplied by the cold wallet manufacturer, or compatible third-party software) on your computer or smartphone.
You launch the operation to send cryptos on the software, and validate it on your wallet, which is equipped with a small interface allowing you to do this.
The wallet performs the cryptographic verification, validates the transaction and sends it off.
You disconnect the wallet.
Without going into too much detail - it's not the purpose of this book/Subtack - at the time of writing, the two best-known brands offering such devices are Ledger and Trezor.
None of these devices is 100% secure (there's no such thing): it has already been demonstrated that an attacker with physical access to certain Trezor models can access the cryptos stored there even without knowing the password and passphrase, using sophisticated hardware4 , and Ledger created a mini-scandal in 2023 by unveiling a new feature, Ledger Recover, which allows a third of your passphrase to be shared with three different entities, showing that this passphrase can indeed leave your Ledger, even though the company had promised in the past that this was impossible5.
Since we're looking here to minimize our trading surface with nation-states, who may have the hardware at their disposal to physically hack a Trezor, the cold wallet I'm recommending for now is a Ledger, but one on which you haven't activated the Ledger Recover function.
A good analogy for understanding the difference between wallet types
Remember this: your hot wallet is the equivalent of your normal wallet, and should only contain an amount you'd be ok to lose.
The cold wallet is the equivalent of a bank safe-deposit box, containing your wealth.
If you need liquidity, send some money from your cold wallet to your warm wallet.
Passwords and passphrases, what are they?
When you use a cold wallet for the first time, you have two security systems to configure.
The passphrase
Also known as the seed phrase. This phrase, made up of 12 or 24 words chosen at random by the wallet, is very important: it represents, in a form intelligible to human beings, the cryptographic key that will generate the addresses of your crypto wallets, and give you full access to these addresses and to what they contain.
The existence of this sentence has two major consequences:
Whoever has access to this phrase has access to all your cryptos. So protect it like the apple of your eye.
Contrary to what many beginners believe, your cryptos are not stored in your cold wallet device. This device is just a mini-computer designed to present the weakest possible exchange surface to potential attackers. So if you lose your device, you can retrieve all your cryptos by typing your passphrase into another cold wallet, which doesn't even have to be of the same make or model (in fact, you can even perform this operation on a hot wallet, which is not recommended).
I therefore recommend that you store your passphrase very securely, ideally as follows:
Under no circumstances should you use a digital device such as a computer or smartphone, either by taking a photo or by copying the text, as the device could be hacked and you'd lose everything.
Ideally in two or more parts, stored in different physical locations, ideally in different countries. This way, if a thief has access to the keywords stored in one place, he won't be able to access your cryptos because he'll be missing half the words.
You can use a metal "wallet" designed to withstand fire, floods and even an earthquake to store your phrase. Or rather, you guessed it, two or more such wallets, in separate locations.
An additionnal password
In addition to this, Ledger and Trezor allow you to add an extra password after the 12 or 24 words, which generates a new cryptographic key that creates other addresses and wallets for your cryptos.
This has two major advantages:
Even if someone manages to gain access to your 12 or 24 words, they'll still have to guess your additional password to gain access to your cryptos.
You can create a hidden wallet, or even several, as I explained in this series if, for example, you are physically forced to give access to your cold wallet, you can give access to the classic wallet, the one unlocked by your 12 or 24 words, to your attacker, while omitting to mention that another wallet would be unlocked by entering an additional password. It's advisable to have enough cryptos in the first wallet to be credible in relation to your profile.
PIN code
The PIN is the code that protects access to your cold wallet, so you don't have to enter your passphrase every time you use it.
It is unique to your wallet, and most are configured to clear after a certain number of unsuccessful attempts: 16 times for Trezors6 , and 3 times for Ledgers7.
If you lose your PIN code, the only solution is to cold reset your wallet (a good solution is to type in the wrong PIN code until the device resets), then restore your wallet using your passphrase.
Coming soon
In the next article, we'll be looking at the 3rd way of providing an asymmetrical defense against greedy states: leaving a minimum of traces.
Stay tuned ! In the meantime, feel free to follow Disruptive Horizons on X/Twitter & Linkedin, and join the tribe of Intelligent Rebels by subscribing to the newsletter :
And here are the 8 articles of this series :
I call "good cryptos" cryptos that have a real use that generates real value, as opposed to junk cryptos, also known as "shitcoins" by our English-speaking friends, which don't serve much purpose.
"The Collapse of FTX: What Went Wrong With the Crypto Exchange?", Nathan Reiff, Investopedia, 2023.
"Investigation of Quadriga cryptocurrency debacle turns up only $28 million in assets," Michael MacDonald, The Canadian Press, 2018.
"Crypto Security Firm Unciphered Claims Ability to Physically Hack Trezor T Wallet," Margaux Nijkerk, Coin Desk, 2023.
"Crypto Wallet Provider Ledger Delays Key-Recovery Service After Uproar," Anna Baydakova
[PAS DE REF!!!] AccessTimeIcon, CoinDesk, 2023.
"PIN protection on Trezor devices", Trezor Support.
"Forgot Your Pin Code?", Ledger Support.