
CZ's long read: How to keep your crypto assets secure?
Whether you're a beginner or an expert, this is a great guide!
Written by: CZ, Founder of Binance
Translated by: Editor Jr., BlockTempo
Binance founder Changpeng Zhao (CZ) posted an update yesterday (24th) evening on social platform X, sharing a revised article on cryptocurrency security advice to help users avoid hacker attacks. Below is the full translation and compilation of CZ's article.
Last week on the 21st, cryptocurrency exchange Bybit suffered a major hack with losses amounting to approximately $1.46 billion, making it the largest theft in crypto history; then just yesterday (24th), the crypto payment project Infini was confirmed to have been hacked, losing nearly $50 million... A series of hacking incidents has once again sounded the alarm for crypto security.
Against this backdrop, Binance founder Changpeng Zhao (CZ) posted on social platform X yesterday (24th) evening, stating that he spent an entire day on Sunday updating an article he originally wrote five years ago about security recommendations, aiming to help people in the crypto space avoid hacker attacks.
Below is the full translation of CZ’s article:
Keeping Your Crypto Assets Secure (CZ’s Advice)
Updated: February 24, 2025
Originally Published: February 25, 2020
It’s truly painful to see how lacking in security awareness many cryptocurrency users are. It’s equally painful to see experts recommending advanced setups that are difficult to follow and prone to errors.
Security is a broad topic. I’m by no means an expert, but I’ve seen many security issues. I’ll do my best to explain things in plain language:
- Why and how you might or might not want to self-store your cryptocurrency?
- Why and how you might or might not want to store your cryptocurrency on a centralized exchange?
First, nothing is 100% secure. Software has vulnerabilities, and people can fall victim to social engineering attacks. The real question is whether something is “secure enough.”
If you’re storing $200 worth of crypto in a wallet, you probably don’t need ultra-high security. A mobile wallet would suffice. But if you're storing your life savings, then you need much stronger security.
To protect your cryptocurrency, you only need to do three things:
- Prevent others from stealing it.
- Prevent yourself from losing it.
- If you can no longer access it, there must be a way to pass it on to your loved ones.
Simple, right?
Why You Might or Might Not Want to Self-Store Cryptocurrency
Your private key is your money. Or is it?
Many crypto experts firmly believe that only self-custody ensures true security, yet they often fail to consider your technical skill level. Is this really the best advice for you?
A Bitcoin private key looks like this:
KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p
That’s it. Anyone who has a copy can transfer the Bitcoin from that address (if any exists).
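The string above has the shape of a compressed mainnet key in Wallet Import Format (WIF): 52 Base58 characters starting with K, which encode a version byte, the 32-byte key, a compression flag and a 4-byte checksum. The Go program below is an added example, not code from CZ's article; it decodes that format and verifies the checksum, which is the check worth running on a hand-transcribed backup before trusting it. The function names (checksum4, base58Decode, decodeWIF) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

// Bitcoin's Base58 alphabet: no 0, O, I or l, which limits transcription errors.
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// checksum4 is the Base58Check checksum: the first four bytes of double SHA-256.
func checksum4(payload []byte) []byte {
	h := sha256.Sum256(payload)
	h = sha256.Sum256(h[:])
	return h[:4]
}

// Base58 conversions. Leading zero bytes (encoded as '1') cannot occur in WIF,
// whose first byte is the version, so that special case is omitted here.
func base58Encode(b []byte) string {
	n, radix, mod := new(big.Int).SetBytes(b), big.NewInt(58), new(big.Int)
	var out []byte
	for n.Sign() > 0 {
		n.DivMod(n, radix, mod)
		out = append([]byte{b58Alphabet[mod.Int64()]}, out...)
	}
	return string(out)
}

func base58Decode(s string) ([]byte, error) {
	n, radix := new(big.Int), big.NewInt(58)
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return nil, fmt.Errorf("invalid Base58 character %q", c)
		}
		n.Mul(n, radix).Add(n, big.NewInt(int64(idx)))
	}
	return n.Bytes(), nil
}

// decodeWIF is the check to run on a transcribed backup before relying on it:
// one wrong character fails the checksum instead of silently yielding a
// different (and empty) key. Layout: version || 32-byte key || [0x01] || checksum.
func decodeWIF(wif string) (key [32]byte, compressed bool, err error) {
	raw, err := base58Decode(wif)
	if err != nil {
		return key, false, err
	}
	if len(raw) != 37 && len(raw) != 38 {
		return key, false, fmt.Errorf("unexpected length %d bytes", len(raw))
	}
	payload, sum := raw[:len(raw)-4], raw[len(raw)-4:]
	if !bytes.Equal(checksum4(payload), sum) {
		return key, false, fmt.Errorf("checksum mismatch: transcription error or corrupted backup")
	}
	copy(key[:], payload[1:33])
	return key, len(payload) == 34, nil
}

func main() {
	// The 52-character key printed in the article, passed through the same check.
	_, compressed, err := decodeWIF("KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p")
	fmt.Println("compressed:", compressed, "error:", err)
}
```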
To protect your cryptocurrency, you need to:
- Prevent others from obtaining your private key: guard against hackers, protect your devices from viruses, network attacks, etc.
- Prevent yourself from losing the private key: make backups in case of device damage or loss, and ensure those backups are secure.
- In case of accident or death, there must be a way to pass the private key to your loved ones. This isn’t a pleasant scenario, but as responsible adults, we must manage this risk.
Beware of Hackers
You've heard of hackers. They use viruses, trojans, and other malware. You don't want these near your devices.
To gain a reasonable level of confidence, your crypto wallet device should never be connected to the internet. You also shouldn't download any files onto this device. So how do you use such a device?
Let’s discuss the different types of devices you can use.
A computer is an obvious choice and typically supports the most cryptocurrencies. This computer should never be connected to any network. If you connect it, hackers could exploit vulnerabilities in the operating system or software to gain access. Software will always have bugs.
How do you install software then? Use a USB flash drive. Make sure it's clean. Scan it thoroughly using at least three different antivirus programs. Download the software (OS and wallet) onto the USB drive. Wait 72 hours. Monitor news sources to ensure the website or software hasn’t been compromised.
Official websites have been hacked before, with downloads replaced by trojans. Always download software only from official sites. Use open-source software to reduce backdoor risks. Even if you’re not a developer, open-source code is reviewed by others, lowering the chance of hidden backdoors. This means using a stable version of Linux (not Windows or Mac) as your OS, and only open-source wallet software.
Once everything is installed, you can use a clean USB drive to sign transactions offline. The process varies by wallet and is beyond the scope of this article. Many wallets outside Bitcoin don’t support offline signing.
Ensure physical security of the device. If someone steals it, they could access your data directly. Make sure your hard drive is strongly encrypted so that even if stolen, the data remains unreadable. Different operating systems offer various encryption tools. Again, tutorials on disk encryption are widely available online and not covered here.
If you can do all of the above, you can securely back up your keys and don’t need to read the rest of this article. If this sounds too complex, there are alternatives.
You can use a phone. An unrooted phone is generally safer than a computer due to sandboxing in mobile operating systems. For most people, I recommend iPhones. If you're more tech-savvy, consider an Android phone running GrapheneOS. You should dedicate one phone solely to managing wallets, not mix it with daily-use devices. Install only wallet apps—nothing else. Keep the phone in airplane mode except when signing transactions. I also suggest using a separate SIM card and only connecting via 5G. Never connect to Wi-Fi. Only go online briefly to sign transactions or update software. This approach is usually acceptable if your wallet doesn’t hold extremely large amounts.
Some mobile wallets support offline transaction signing (via QR code scanning), allowing the phone to remain completely offline from the moment you install the app until generating the private key. This ensures your private key never touches a network-connected device, protecting against malicious backdoors that send data to developers—a problem that has occurred even with official apps. However, you won’t be able to update the wallet app or OS. To update, use another phone, install the new app version, set it to airplane mode, generate a new address, back it up (as discussed later), and transfer funds to the new device. This is inconvenient. Also, such wallets support limited coins and blockchains.
These wallet apps typically don’t support staking, yield farming, or meme coin investments. If you’re interested in these, you’ll need to sacrifice some security.
Ensure physical security of the phone.
Hardware Wallets
You can use a hardware wallet. These devices are designed so your private key “never” leaves the device, meaning your computer never holds a copy. (As of 2025, Ledger’s newer models may send private keys to servers for backup, so this no longer holds true.)
Hardware wallets have had reported vulnerabilities in firmware and software. All require interaction with software running on a computer or phone. You still need to ensure your computer is virus-free. Some malware can change the destination address of your transaction at the last second. Always double-check the recipient address on the hardware device itself.
Hardware wallets protect against many basic attack types and remain a solid choice for independent storage. However, their weakest point is often backup methods, which we'll discuss next.
Protecting Against Yourself
You might lose your device or it could get damaged. Therefore, backups are essential.
There are many backup methods, each with pros and cons. Fundamentally, you want multiple backups stored in different geographic locations, and kept hidden from others (encrypted).
You can write it down on paper. Some seed-based wallets recommend this, as writing 12 or 24 English words is relatively simple. With private keys, mistakes are easy. Paper can be lost among documents, damaged by fire or water, or chewed by your dog. Others can easily read it—no encryption.
Some use bank safety deposit boxes for paper backups. For the reasons above, I generally don’t recommend this.
Do not take photos or screenshots of paper keys, sync them to the cloud, and assume they’re safely backed up. If hackers breach your email or computer, they’ll find it easily. Cloud providers have many employees who could access it.
Special metal plates are designed for seed backups. These are nearly indestructible, solving fire and flood risks. But they don’t solve loss or readability by others. Some store these in bank vaults alongside gold or other metals. If you use this method, understand the risks involved.
I recommend using at least three USB drives, though this requires more technical setup—an expert-level approach.
Now there are shockproof, waterproof, fireproof, and magnet-proof USB drives. Store encrypted versions of your private key across multiple such drives and distribute them geographically (e.g., with friends or relatives). This meets all requirements mentioned earlier: multiple locations, durability, and protection against unauthorized access after loss.
The key is strong encryption. Many tools exist today and continue to improve. VeraCrypt is a beginner-friendly option offering decent encryption. Research and choose the best current tool for your needs.
Caring for Your Loved Ones
We won’t live forever. An inheritance plan is necessary. In fact, cryptocurrency makes wealth transfer to heirs easier and reduces third-party involvement.
Again, several methods exist.
If you use low-security methods like paper wallets or metal tags, you can simply share the information. But there are drawbacks. Young or less tech-savvy heirs may mishandle or fail to protect the backup. If they make a security mistake, hackers could steal your funds through them. Also, they could take your money at any time. Depending on trust levels, this may or may not be acceptable.
I strongly advise against sharing private keys with anyone, regardless of relationship. If funds are stolen, it’s impossible to determine who moved them or who was hacked. This creates chaos.
You could store paper wallets or metal tags in a bank vault or with a lawyer. But as noted, anyone with a copy of the private key can move funds discreetly. This differs from traditional banking, where lawyers must go through banks to transfer account balances.
If you use the USB drive method described earlier, there are safer ways to pass on your wealth. Again, this requires more setup.
There are online services called dead man’s switches. These send you regular emails (e.g., monthly) requiring a click or login response. If you don’t respond within a set period, they assume you’ve passed away and notify pre-designated recipients. I won’t endorse or guarantee any such service—research and test them yourself. In fact, Google itself acts as a dead man’s switch. In Google settings, you can allow someone access if your account remains inactive for three months. Personally, I haven’t tested it and can’t vouch for its reliability. Test it yourself.
If you think, “Great, I’ll just email the private key to my child,” please re-read the beginning of this article.
You might think, “I can put the password used to encrypt the USB drive in that email, so my child or spouse can unlock it.” That’s closer, but still not good enough. You shouldn’t store backup passwords on internet-connected servers. This significantly weakens your backup and fund security.
If you think, “I can encrypt the email containing the USB password with another password shared with my loved one,” you’re on the right track. Actually, you don’t need a second password.
There’s a time-tested email encryption tool called PGP (or GPG)—you should use it. PGP was one of the first tools to use asymmetric encryption (same as Bitcoin). I won’t provide a full PGP tutorial here—many exist online. In short, have your spouse or child generate their own PGP private key. Then encrypt your dead man’s message with their public key. Only they can decrypt it. This method is relatively secure, but requires your loved one to keep their PGP private key safe and not lose it. They also need to know how to use PGP email, which involves some technical knowledge.
If you’ve followed the advice shared so far, you’ve reached a basic (not advanced) level of self-custody suitable for holding a certain amount of cryptocurrency. There are many other topics we could cover, including multisig, threshold signatures, etc., but those belong in more advanced guides.
In the next section, we’ll explore:
Using Exchanges
In this article, when we refer to exchanges, we mean centralized exchanges that hold your funds and provide custodial services.
After reading the previous section, you might say, “Wow, this is complicated. Maybe I’ll just keep my coins on an exchange.” Fair enough, but exchanges aren’t risk-free either. While the exchange handles fund custody and system security, you still need to follow proper practices to secure your account.
Only Use Large, Reputable Exchanges
Yes, it’s easy for me to say this since Binance is one of the largest exchanges globally. But there’s good reason. Not all exchanges are equal.
Large exchanges invest heavily in security infrastructure. Binance spends billions annually on security. This is justified given our scale. Security spans many areas: hardware, networks, processes, staff, risk monitoring, big data, AI detection, training, research, testing, third-party partners, and even global law enforcement collaboration. Proper security requires massive funding, talent, and effort. Smaller exchanges lack the scale or financial strength to achieve this. I may be criticized for saying this, but it’s why I often say that for most ordinary people, using a trusted centralized exchange is safer than self-custody.
Counterparty risk exists. Many smaller/new exchanges are exit scams from the start. They collect deposits and disappear. For this reason, avoid exchanges claiming to be non-profit or offering zero fees, large rebates, or other negative-profit incentives. If they’re not aiming for business revenue, your funds are likely their sole target.
Proper security is expensive and requires sustainable business model funding. Don’t cut corners on security for your funds. Large, profitable exchanges have no incentive to pull an exit scam. When you’re running a billion-dollar, profitable, sustainable business, why risk stealing a few million and living in hiding, constantly afraid?
Larger exchanges undergo more security testing. Yes, this is also a risk—hackers target big exchanges more. But hackers also target smaller ones, sometimes finding them easier prey. Large exchanges typically work with 5–10 external security firms conducting regular penetration and security tests.
Binance goes further than most in security. We heavily invest in big data and AI to combat hackers and scammers. We’ve successfully prevented many users from losing funds during SIM-swapping attacks. Some users who use multiple exchanges report that when their email accounts were hacked, funds were stolen from other exchanges, but Binance funds remained protected because our AI system blocked withdrawal attempts. Even if small exchanges wanted to do this, they couldn’t—they simply don’t have enough data.
Protect Your Account
When using an exchange, securing your account remains crucial. Let’s start with the basics.
Protect Your Computer
Again, computers are often the weakest link. Use a dedicated computer to access your exchange account. Install commercial antivirus software (yes, invest in security) and only install essential software. Set the firewall to its highest level.
Use another computer for gaming, browsing, downloading, etc. Even on that machine, run antivirus and set the firewall to maximum. A virus on one computer can give hackers easier access to others on the same network—keep devices clean.
Don’t Download
Even if you only use centralized exchanges (CEX), I recommend avoiding file downloads on your computer. If someone sends a Word doc, ask for a Google Docs link. For PDFs, open in Google Drive instead of downloading. For funny videos, request a link to an online platform. Yes, it’s inconvenient, but security isn’t free—and neither is losing funds. View everything in the cloud.
Turn off “auto-save photos and videos” in instant messaging apps. Many apps default to downloading GIFs and videos, which is poor security practice.
Keep Software Updated
I know OS updates are annoying, but they patch recently discovered security flaws. Hackers monitor these updates and often target those who delay patches. So always install updates promptly. Apply the same to your wallets and other software.
Protect Your Email
I recommend Gmail or ProtonMail. These providers are more secure than others, where we’ve seen more breaches.
Set up a unique, hard-to-guess email account for each exchange you use. This way, if one exchange is breached, your Binance account stays safe. It also reduces phishing and targeted scam emails.
ProtonMail offers SimpleLogin, letting you create unique email addresses for each site. If you don’t use other email forwarding services, I recommend using this feature.
Enable two-factor authentication (2FA) for your email. I recommend using a YubiKey for email—it strongly protects against various attacks, including phishing. More on 2FA later.
If you live in a country with reported SIM-swapping cases, don’t use your phone number as an email recovery method. We’ve seen many victims lose email access due to SIM swaps leading to password resets. I no longer recommend linking phone numbers to email accounts—keep them separate.
Use a Password Manager
Use strong, unique passwords for every site. Don’t try to memorize them—use a password manager. For most, Keeper or 1Password should suffice. Both integrate well with browsers and phones, claim to store passwords locally, and sync encrypted data across devices.
For higher security, consider KeePass. It stores data locally only, so you don’t have to worry about cloud-stored encrypted passwords. It doesn’t sync across devices and has limited mobile support. It’s open-source, so no backdoor concerns.
Do your research and pick what suits you. But don’t save time by using simple or repeated passwords. Use strong passwords—otherwise, the time saved may cost you dearly.
Even with these tools, if your computer has a virus, you’re still vulnerable. Ensure your computer runs reliable antivirus software.
Enable 2FA
Strongly recommended: enable 2FA (two-factor authentication) immediately after registering your Binance account. If not already enabled, set it up now. Since 2FA codes are usually stored on your phone, it offers some protection if your email and password are stolen.
However, 2FA doesn’t protect against all attacks. If your computer has a virus, malware that steals your email and password can also monitor keystrokes and capture your 2FA code. You might interact with a phishing site, enter your credentials, then input the 2FA code. Hackers then use this info to log into your real Binance account. Many scenarios exist—we can’t list them all.
Set Up U2F
U2F is a hardware device that generates unique, time-based, domain-specific codes. YubiKey is the de facto standard in this space.
U2F has three main advantages. First, it’s hardware-based, making it nearly impossible to extract the stored key. Second, it’s domain-specific—protecting you even if you accidentally interact with a phishing site. Third, it’s easy to use—just carry it with you.
For these reasons, I recommend binding a YubiKey to your Binance account. It offers one of the best protections against hackers.
You should also bind your YubiKey to Gmail, password manager, and other accounts for added security.
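As an added illustration of the domain binding described above, and of why the relayed-code attack from the 2FA section fails here, the Go program below models a U2F security key as a challenge-response signer: it mints a P-256 key pair per origin, signs only when the key handle was registered for the origin the browser reports, and the relying party verifies with nothing but the public key. This is example code, not from the article or any vendor; the Authenticator type, the phishing origin and the challenge value are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// credential is what the security key keeps per registration: the private key
// and the app ID (origin) it was minted for. Neither ever leaves the device.
type credential struct {
	appID string
	priv  *ecdsa.PrivateKey
}

// Authenticator models the key; credentials are looked up by hex key handle.
type Authenticator struct{ creds map[string]credential }

// Register mints a fresh P-256 key pair for appID. The browser, not the web
// page, supplies appID from the page's origin; that is the domain binding.
func (a *Authenticator) Register(appID string) (handle []byte, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	handle = make([]byte, 32)
	if _, err = rand.Read(handle); err != nil {
		return nil, nil, err
	}
	a.creds[hex.EncodeToString(handle)] = credential{appID: appID, priv: priv}
	return handle, &priv.PublicKey, nil
}

// signedData ties the signature to the origin as well as to the challenge.
func signedData(appID string, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	h := sha256.Sum256(append(appHash[:], challenge...))
	return h[:]
}

// Sign answers a challenge only if the handle was registered for appID. A
// phishing page can relay the real site's challenge and handle, but the
// browser fills in the phishing origin, so the device refuses to sign.
func (a *Authenticator) Sign(appID string, handle, challenge []byte) ([]byte, error) {
	c, ok := a.creds[hex.EncodeToString(handle)]
	if !ok || c.appID != appID {
		return nil, errors.New("key handle was not registered for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, signedData(appID, challenge))
}

// Verify is the relying party's side; it holds only the public key.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, challenge), sig)
}

func main() {
	site, phish := "https://www.binance.com", "https://binance-login.example" // phish is constructed
	key := &Authenticator{creds: map[string]credential{}}
	handle, pub, _ := key.Register(site)
	challenge := []byte("constructed-server-nonce")
	sig, err := key.Sign(site, handle, challenge)
	fmt.Println("real site verifies:", err == nil && Verify(pub, site, challenge, sig))
	_, err = key.Sign(phish, handle, challenge)
	fmt.Println("phishing origin:", err)
}
```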
Stop Using SMS Verification
SMS verification was once widely promoted, but with rising SIM-swap incidents, we recommend moving away from SMS and relying more on 2FA or U2F as mentioned above.
Set Up Withdrawal Address Whitelist
We strongly recommend using Binance’s withdrawal whitelist feature. It allows quick withdrawals to approved addresses and makes it harder for hackers to add new ones.
Enable a 24-hour waiting period for newly added whitelist addresses. This gives you a 24-hour notification window if a hacker tries to add a new address.
API Security
Many users use APIs for trading. Binance offers multiple API versions supporting asymmetric encryption. This means Binance only needs your public key. You generate the private key in your environment and provide the public key to the platform. We use your public key to verify orders and never store your private key. You must protect your private key.
You don’t need to back up your API key like you do crypto. If lost, you can always generate a new one. Just ensure no one else has access to your API key.
Unless you fully understand what you’re doing, do not enable withdrawal permissions for your API key.
Complete L2 KYC
One of the best ways to secure your account is completing L2 KYC (identity verification). This lets us know what you look like. When our big data risk engine detects anomalies, we can use advanced automated video verification.
This is also important if you ever lose access to your account. Binance can help family members access a deceased relative’s account after proper verification.
Physical Security for Devices
Again, keep your phone secure. Your phone may host email apps, the Binance app, and 2FA codes. Don’t root or jailbreak it—this greatly reduces security. Also ensure physical security with a strong screen lock. Same applies to other devices.
Guard Against Phishing
Beware of phishing attacks. These often come as emails, texts, or social media posts with links to fake Binance sites. The site prompts you to enter login details, which hackers then use to access your real account.
Phishing defense requires vigilance. Don’t click links in emails or social media. Access Binance only by typing the URL or using bookmarks. Don’t share your email. Avoid using the same email on other sites. Be cautious when strangers (especially those named CZ or similar) suddenly contact you on Telegram, Instagram, etc.
If you follow the above advice, your Binance account should be reasonably secure.
So, which is better?
I usually recommend combining centralized exchanges with self-custody wallets. If you’re not very technical, keep most funds on Binance and have a personal spending wallet (like TrustWallet). If you’re tech-savvy, adjust allocations as needed.
Centralized exchanges occasionally undergo maintenance. If you need fast transactions, having an independent wallet is very convenient.
If you follow the advice outlined here, you should be able to securely hold funds, whether through self-custody or a CEX like Binance.
Stay SAFU!
CZ