With the growing popularity of the crypto market, Web3 projects and innovations are emerging rapidly, fueling excitement among users. However, this excitement also brings risks, as users may inadvertently fall victim to scams, hacks, or phishing attempts while exploring new projects. In light of this, and based on our extensive research both on-chain and off-chain, we’ve developed a series of informative case studies focused on safeguarding user assets. This has led to the creation of our Beginner’s Guide to Web3 Security.
Our goal is to provide a comprehensive overview of potential risks in the Web3 space, supported by real-world examples, to help readers better identify and mitigate these threats. The guide covers topics such as risks associated with downloading and using wallets, common pitfalls when engaging with Web3 ecosystem projects, tips on recognizing dangerous signature authorizations, and steps to take if you’ve been hacked. (Note: The content is subject to change based on ongoing developments and feedback, so the final guide may vary in scope.)
Whether you’re a newcomer curious about the exciting world of Web3 but feeling overwhelmed by industry jargon, unfamiliar gameplay, and hidden risks, or a seasoned Web3 user who has navigated the blockchain’s “dark forest” and encountered various traps—this guide is for you. It’s designed to help every user protect their assets and navigate the blockchain world with confidence.
Wallets are the gateway to the crypto world and a key component of Web3 infrastructure. Their importance can’t be overstated. Let’s dive right into our first course—an overview of wallet types and the risks associated with them.
Browser wallets, like MetaMask and Rabby, are browser extensions that integrate directly with your web browser (such as Google Chrome or Firefox). They are typically easy to access and use, requiring no additional software downloads or installations.
(https://metamask.io/download/)
Web wallets allow you to manage your crypto assets directly through a web browser. While convenient, they come with significant risks. Web wallets generally store encrypted mnemonic phrases in your browser’s local storage, which makes them vulnerable to malware or network attacks.
(https://www.myetherwallet.com/wallet/access/software?type=overview)
Mobile wallets function similarly to web wallets but are available as apps that you can download and install on your smartphone.
(https://token.im/download?locale=en-us)
Desktop wallets were more common in the early days of cryptocurrency, with popular examples including Electrum and Sparrow. These wallets are installed as applications on your computer, with private keys and transaction data stored locally, giving you full control over your crypto private keys.
Hardware wallets are physical devices designed to securely store cryptocurrencies and digital assets, such as Trezor, imKey, Ledger, Keystone, and OneKey. They provide a secure, offline method of storing private keys, ensuring that your keys remain safe even when interacting with DApps.
(https://shop.ledger.com/products/ledger-nano-s-plus/matte-black)
A paper wallet involves printing your cryptocurrency address and private key in the form of a QR code on a piece of paper. You can then use the QR code to conduct cryptocurrency transactions.
(https://www.walletgenerator.net/?culture=zh¤cy=bitcoin)
Many users, due to limited access to Google Play or network issues, often download wallets from alternative sources, such as third-party download sites, or by searching for a wallet online and clicking on one of the top search results. This approach significantly increases the risk of downloading a fake wallet, as search engine ads and high-ranking search results can be purchased. Scammers take advantage of this by buying ad space and creating fake wallet websites to deceive users. Below is an example of the search results when looking for the TP wallet on Baidu:
(https://mp.weixin.qq.com/s/NdwIE412MJ7y-O5f2OrSHA)
Supply chain attacks are a major threat to the security of hardware wallets. If you purchase a hardware wallet from somewhere other than the official store or an authorized dealer, you have no way of knowing how many hands it has passed through or whether any internal components have been tampered with. In the image below, the hardware wallet on the right has been altered.
(https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/)
If your computer is infected with a Trojan, your wallet could be compromised by malware. The SlowMist security team conducted an in-depth analysis of this issue in their article “Dark Night Thief: Redline Stealer Trojan Steals Cryptocurrency,” explaining how this risk develops and its potential impact. We recommend users to install reputable antivirus software, such as Kaspersky, AVG, or 360, keep real-time protection enabled, and regularly update virus definitions to stay secure.
Even if you download a legitimate wallet, use it carefully, and ensure your device and environment are secure, you could still be at risk if the wallet itself has design flaws. This is why it’s important to consider not only the convenience of a wallet but also whether its code is open-source. Open-source wallets allow external developers and auditors to identify potential vulnerabilities, reducing the risk of attacks. In the event of a vulnerability being exploited, security teams can quickly locate and patch the issue.
In this guide, we’ve outlined the different types of wallets and common risks associated with them to help you build a fundamental understanding of wallet security. No matter which type or brand of wallet you choose, always keep your mnemonic phrases and private keys confidential and secure. You might also consider using a combination of wallet types—such as a well-known hardware wallet paired with a reputable software wallet to manage large assets, or multiple trusted software wallets to distribute smaller assets. In our next installment, we’ll take a closer look at the risks associated with downloading and purchasing wallets. Stay tuned! (Note: The wallet brands and images mentioned in this article are for educational purposes only and do not constitute recommendations or endorsements.)
Share
Content
With the growing popularity of the crypto market, Web3 projects and innovations are emerging rapidly, fueling excitement among users. However, this excitement also brings risks, as users may inadvertently fall victim to scams, hacks, or phishing attempts while exploring new projects. In light of this, and based on our extensive research both on-chain and off-chain, we’ve developed a series of informative case studies focused on safeguarding user assets. This has led to the creation of our Beginner’s Guide to Web3 Security.
Our goal is to provide a comprehensive overview of potential risks in the Web3 space, supported by real-world examples, to help readers better identify and mitigate these threats. The guide covers topics such as risks associated with downloading and using wallets, common pitfalls when engaging with Web3 ecosystem projects, tips on recognizing dangerous signature authorizations, and steps to take if you’ve been hacked. (Note: The content is subject to change based on ongoing developments and feedback, so the final guide may vary in scope.)
Whether you’re a newcomer curious about the exciting world of Web3 but feeling overwhelmed by industry jargon, unfamiliar gameplay, and hidden risks, or a seasoned Web3 user who has navigated the blockchain’s “dark forest” and encountered various traps—this guide is for you. It’s designed to help every user protect their assets and navigate the blockchain world with confidence.
Wallets are the gateway to the crypto world and a key component of Web3 infrastructure. Their importance can’t be overstated. Let’s dive right into our first course—an overview of wallet types and the risks associated with them.
Browser wallets, like MetaMask and Rabby, are browser extensions that integrate directly with your web browser (such as Google Chrome or Firefox). They are typically easy to access and use, requiring no additional software downloads or installations.
(https://metamask.io/download/)
Web wallets allow you to manage your crypto assets directly through a web browser. While convenient, they come with significant risks. Web wallets generally store encrypted mnemonic phrases in your browser’s local storage, which makes them vulnerable to malware or network attacks.
(https://www.myetherwallet.com/wallet/access/software?type=overview)
Mobile wallets function similarly to web wallets but are available as apps that you can download and install on your smartphone.
(https://token.im/download?locale=en-us)
Desktop wallets were more common in the early days of cryptocurrency, with popular examples including Electrum and Sparrow. These wallets are installed as applications on your computer, with private keys and transaction data stored locally, giving you full control over your crypto private keys.
Hardware wallets are physical devices designed to securely store cryptocurrencies and digital assets, such as Trezor, imKey, Ledger, Keystone, and OneKey. They provide a secure, offline method of storing private keys, ensuring that your keys remain safe even when interacting with DApps.
(https://shop.ledger.com/products/ledger-nano-s-plus/matte-black)
A paper wallet involves printing your cryptocurrency address and private key in the form of a QR code on a piece of paper. You can then use the QR code to conduct cryptocurrency transactions.
(https://www.walletgenerator.net/?culture=zh¤cy=bitcoin)
Many users, due to limited access to Google Play or network issues, often download wallets from alternative sources, such as third-party download sites, or by searching for a wallet online and clicking on one of the top search results. This approach significantly increases the risk of downloading a fake wallet, as search engine ads and high-ranking search results can be purchased. Scammers take advantage of this by buying ad space and creating fake wallet websites to deceive users. Below is an example of the search results when looking for the TP wallet on Baidu:
(https://mp.weixin.qq.com/s/NdwIE412MJ7y-O5f2OrSHA)
Supply chain attacks are a major threat to the security of hardware wallets. If you purchase a hardware wallet from somewhere other than the official store or an authorized dealer, you have no way of knowing how many hands it has passed through or whether any internal components have been tampered with. In the image below, the hardware wallet on the right has been altered.
(https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/)
If your computer is infected with a Trojan, your wallet could be compromised by malware. The SlowMist security team conducted an in-depth analysis of this issue in their article “Dark Night Thief: Redline Stealer Trojan Steals Cryptocurrency,” explaining how this risk develops and its potential impact. We recommend users to install reputable antivirus software, such as Kaspersky, AVG, or 360, keep real-time protection enabled, and regularly update virus definitions to stay secure.
Even if you download a legitimate wallet, use it carefully, and ensure your device and environment are secure, you could still be at risk if the wallet itself has design flaws. This is why it’s important to consider not only the convenience of a wallet but also whether its code is open-source. Open-source wallets allow external developers and auditors to identify potential vulnerabilities, reducing the risk of attacks. In the event of a vulnerability being exploited, security teams can quickly locate and patch the issue.
In this guide, we’ve outlined the different types of wallets and common risks associated with them to help you build a fundamental understanding of wallet security. No matter which type or brand of wallet you choose, always keep your mnemonic phrases and private keys confidential and secure. You might also consider using a combination of wallet types—such as a well-known hardware wallet paired with a reputable software wallet to manage large assets, or multiple trusted software wallets to distribute smaller assets. In our next installment, we’ll take a closer look at the risks associated with downloading and purchasing wallets. Stay tuned! (Note: The wallet brands and images mentioned in this article are for educational purposes only and do not constitute recommendations or endorsements.)