Bitcoin Security Mistakes: 12 Costly Errors and How to Avoid Them
Bitcoin gives you the power of a bank. It also gives you the responsibility of one.
That sounds dramatic until you read the numbers. FTX customers lost $8 billion. Mt. Gox users lost 850,000 bitcoin. Celsius filed for bankruptcy owing $4.7 billion. The FBI reported $9.3 billion in cryptocurrency fraud losses in 2024 alone. None of those losses happened because Bitcoin's code was broken. They happened because people made avoidable mistakes with how they stored, secured, and managed their bitcoin.
This guide covers the 12 most common security mistakes, each with a real-world example and a clear fix.
Bitcoin.diy may earn a commission on products linked in this article at no extra cost to you. See our [affiliate disclosure](/disclosure) for details.
1. Leaving Your Bitcoin on an Exchange
The mistake: Buying bitcoin on an exchange and leaving it there, treating the exchange like a bank account.
What actually happened: In November 2022, FTX collapsed overnight. The exchange had used customer deposits to fund risky bets through sister company Alameda Research. The shortfall: $8 billion. CEO Sam Bankman-Fried was convicted of fraud and sentenced to 25 years in prison in March 2024.
FTX was not the first. Mt. Gox lost 850,000 bitcoin in 2014. Celsius filed for bankruptcy in July 2022 with $4.7 billion in liabilities. BlockFi and Voyager followed the same year. The pattern repeats: the exchange looks trustworthy right up until the moment it isn't.
How to avoid it: Move your bitcoin to a wallet you control. A hardware wallet keeps your private keys — the cryptographic codes that prove ownership of your bitcoin — offline and in your hands. Buy on an exchange, then withdraw to your own wallet. The only bitcoin that's truly yours is bitcoin where you hold the keys. Read our full self-custody guide to get started.
2. Screenshotting or Digitally Storing Your Seed Phrase
The mistake: Saving your seed phrase (the 12 or 24 word recovery backup for your wallet) by taking a photo, screenshot, or typing it into a notes app, then storing it on your phone or in cloud storage.
What actually happened: Screenshots often get uploaded automatically to iCloud, Google Photos, or OneDrive. Cloud services get breached. Phones get stolen. Malware scans photo libraries for text that looks like seed phrases.
In 2022, LastPass suffered a breach that exposed encrypted customer vaults. Attackers cracked weak master passwords and drained crypto from users who stored seed phrases in their vaults. By April 2025, security researchers estimated over $435 million in cryptocurrency had been stolen from LastPass users — including a $150 million theft from Ripple co-founder Chris Larsen in January 2024, which the FBI later linked to the breach. If a dedicated password security company can be compromised this catastrophically, your photo library is not safer.
How to avoid it: Write your seed phrase on paper with a pen. Better yet, stamp it into a metal plate that survives fire, floods, and corrosion. Never type it into any app, website, or document. The only place your seed phrase should ever be entered is directly into your hardware wallet during recovery.
3. Keeping Only One Backup in One Location
The mistake: Writing down your seed phrase and keeping that single piece of paper in one spot, like a desk drawer or a single safe.
What actually happened: House fires destroy roughly 350,000 US homes every year. Floods, burglaries, and natural disasters don't care about your seed phrase. If your only backup is in your house and your house is gone, your bitcoin is gone too.
Forums are full of people who lost their only backup to water damage, fires, or simply misplacing the paper during a move. No customer support. No "forgot my password" link. One copy means one point of failure.
How to avoid it: Keep at least two backups in separate physical locations. One in a home safe and one in a bank safety deposit box, or one with a trusted family member in a sealed envelope. Use metal backups so your seed phrase survives disasters that destroy paper. For extra protection, look into Shamir's Secret Sharing or multisig setups, which split control so no single location holds everything needed to move your funds.
4. Buying a Hardware Wallet from a Third-Party Seller
The mistake: Purchasing a hardware wallet from Amazon, eBay, or another third-party marketplace instead of the manufacturer's official website.
What actually happened: In 2021, scammers exploited the Ledger data breach (which exposed 272,000 customer mailing addresses) by shipping tampered hardware wallets to victims' homes. The fake devices came with a letter from "Ledger's CEO," instructing users to set up the "replacement" and enter their seed phrase. The internal circuit boards were modified to steal credentials.
Reddit users also documented Ledger devices from Amazon that arrived with pre-filled recovery phrase cards. A legitimate hardware wallet generates a fresh seed phrase during setup. If words are already printed on the card, someone else already has your keys.
How to avoid it: Only buy directly from the manufacturer. Trezor and Coldcard sell through their official websites with tamper-evident packaging. Check our hardware wallet recommendations for models we've reviewed. Verify packaging seals are intact on arrival. The device should generate a new seed phrase during setup. If it arrives with a pre-written recovery sheet, do not use it. Read our full hardware wallet setup mistakes guide for more.
5. Falling for Phishing Attacks
The mistake: Clicking a link in an email, text, or social media message that impersonates a wallet company, exchange, or Bitcoin service, then entering your credentials or seed phrase.
What actually happened: After Ledger's 2020 data breach exposed over 1 million email addresses, phishing campaigns exploded. Victims received emails identical to official Ledger communications, warning of "unauthorized activity" and urging them to "verify" their wallets. The links led to clone websites that harvested seed phrases.
Scammers also sent text messages, phone calls, and physical letters with QR codes. Some victims received extortion threats referencing their home addresses (exposed in the breach). Every attack shared one goal: get the victim to enter their seed phrase somewhere other than their hardware wallet.
How to avoid it: Bookmark official websites and go directly to them. Never click links in emails or texts about your crypto. The golden rule: no legitimate company will ever ask for your seed phrase. Not by email, not by phone, not by mail. If someone asks for your 12 or 24 words, it is a scam. Every time. See our guide to common bitcoin scams for more red flags.
6. Broadcasting Your Bitcoin Holdings
The mistake: Sharing details about your bitcoin holdings on social media, at meetups, or even with friends and acquaintances.
What actually happened: Physical attacks on crypto holders have surged. In 2025, assailants in Paris kidnapped a crypto entrepreneur's father and severed his finger to pressure a ransom. In Las Vegas, teenagers kidnapped a man after a crypto conference, stealing $4 million. In London, organized groups carried out knifepoint robberies in 2021–2023, forcing victims to transfer crypto on the spot.
The community calls this the "$5 wrench attack." Your encryption is irrelevant if someone threatens you or your family. The targeting almost always starts the same way: the victim told someone, posted about it, or was spotted at a crypto event.
How to avoid it: Do not share your holdings. Not the amount, not the percentage, not vague hints. At Bitcoin events, keep specifics private. Consider multisig, where multiple keys in different locations are required to move funds, making coercion less effective since you physically can't comply on the spot. A decoy wallet with a small balance can buy time in an emergency. Read our Bitcoin privacy guide for more on protecting your identity.
7. Skipping Backup Verification
The mistake: Writing down your seed phrase during wallet setup, then never verifying that it actually works.
What actually happened: This is the silent killer. The disaster only reveals itself when you need your backup. You wrote a word wrong. Mixed up the order. The paper got water damaged. You used a passphrase but forgot to record it.
Forums are full of these stories: "I wrote my seed phrase three years ago. Word 14 is wrong and I can't figure out what it should be." By then, it's a guessing game with terrible odds.
How to avoid it: Test your backup within the first week. After writing down your seed phrase, reset the device to factory settings and restore using only your written backup. If your funds appear, the backup works. If not, you still have time to fix it. Repeat this test once a year. It takes 10 minutes and could save your entire stack. See Mistake 7 in our hardware wallet setup guide for a step-by-step process.
8. Reusing Passwords and Skipping Two-Factor Authentication
The mistake: Using the same email and password combination across your exchange account, email, and other services, or relying on SMS for two-factor authentication (2FA).
What actually happened: Credential stuffing attacks are automated and constant. Hackers take email and password combos leaked from one breach and try them on crypto exchanges. LinkedIn was breached in 2012, exposing 117 million accounts. If your exchange password matched your old LinkedIn password, attackers found the match.
Studies consistently find that over 60% of people reuse passwords across accounts. When one service leaks, every account sharing that password becomes a target. Credential stuffing attacks against crypto exchanges run at millions of attempts per day.
How to avoid it: Use a unique, strong password for every account. A password manager like Bitwarden (free, open-source) generates and stores them. Enable 2FA on every exchange and email account using an authenticator app (Authy, Google Authenticator) or a hardware key (YubiKey), not SMS. Protect your email account most of all — password resets for almost everything route through your inbox.
9. Ignoring SIM Swap Risks
The mistake: Relying on your phone number as a security layer for exchange accounts and email, without realizing how easily phone numbers can be hijacked.
What actually happened: In a SIM swap, a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. They might bribe a carrier employee, use social engineering, or exploit weak identity verification. Once they own your number, they receive your 2FA codes, password reset texts, and verification calls.
In 2018, investor Michael Terpin lost $24 million in crypto after attackers SIM-swapped his AT&T account. The FBI tracked $28.4 million in crypto-related SIM swap losses in 2024. The attack requires no technical hacking — just social engineering a phone store employee.
How to avoid it: Remove SMS-based 2FA from every account that supports app-based alternatives. Call your carrier and add a PIN or passphrase for account changes. Many carriers offer "port freeze" or "number lock" features. For high-value accounts, use a hardware security key (YubiKey) that cannot be intercepted remotely.
10. Downloading Fake Wallet Apps
The mistake: Downloading a bitcoin wallet app from an app store or website without verifying it is the genuine product from the real developer.
What actually happened: Fake wallet apps are a persistent problem on both Google Play and the Apple App Store. In 2023, a fake Trezor app appeared on the Apple App Store and stole $600,000 worth of bitcoin from a single victim. The app looked legitimate, had positive reviews (likely fake), and appeared in search results alongside the real product.
Fake wallet apps work in two ways. Some generate seed phrases the attacker already knows, so any bitcoin you deposit is immediately accessible to the thief. Others ask you to "import" an existing wallet by entering your seed phrase, which gets sent to the attacker. Both result in total loss.
How to avoid it: Only download wallet apps from links on the manufacturer's official website. Do not search app stores directly — fake results frequently appear alongside real ones. Verify the developer name and check recent reviews for warnings. For hardware wallets like Trezor or Coldcard, companion software is available only through their official sites. Check our wallet recommendations for verified links to every wallet we review.
11. Ignoring Clipboard Malware
The mistake: Copying and pasting a bitcoin address without double-checking it before hitting send.
What actually happened: Clipboard hijacking malware (sometimes called "clippers") quietly runs in the background on your computer or phone. When it detects a bitcoin address copied to your clipboard, it silently replaces it with an address controlled by the attacker. You paste what you think is your own address, confirm the transaction, and your bitcoin goes straight to a thief.
In 2024, Kaspersky identified clipboard malware hidden inside fake Microsoft Office installers distributed on SourceForge. Earlier variants like CryptoShuffler (discovered in 2017) stole over $150,000 in bitcoin by doing nothing more than swapping clipboard contents. The attack is effective because it's invisible: no crashes, no pop-ups, just silently redirected funds.
How to avoid it: Always verify the first and last several characters of a bitcoin address after pasting. Compare it against the original source. Hardware wallets with screens (like the Coldcard Mk4 or Trezor Safe 5) display the address on the device, giving you a verification point malware cannot tamper with. Keep your OS and antivirus updated, and avoid software from unofficial sources.
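As an added illustration of the verification step above (example code written for this article's point, not from any wallet vendor), the following Python validates the checksum of a pasted mainnet address and, more importantly, compares it with the address copied from the original source. It assumes base58 (1.../3...) or bech32/bech32m (bc1...) address formats; the addresses used in the test are publicly documented test vectors, not anyone's live wallet.

```python
import hashlib

# Constructed example for Mistake 11: validate a pasted address's checksum and,
# more importantly, compare it to the address copied from the original source.
# A checksum only catches typos and corruption; a clipper swaps in an attacker
# address with a perfectly valid checksum, so only the comparison detects it.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3  # BIP173 (v0) / BIP350 (v1+)


def base58check_ok(addr: str) -> bool:
    """Legacy/P2SH (1... or 3...): 25 bytes, last 4 = double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each '1' = 0x00
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def bech32_ok(addr: str) -> bool:
    """Segwit (bc1...): bech32 checksum for witness v0, bech32m for v1 and up."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid by spec
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or len(addr) - sep - 1 < 7:  # need version char + 6 checksum chars
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32 for c in data):
        return False
    expected = BECH32_CONST if BECH32.index(data[0]) == 0 else BECH32M_CONST
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32.index(c) for c in data]
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk == expected


def checksum_ok(addr: str) -> bool:
    return bech32_ok(addr) if addr.lower().startswith("bc1") else base58check_ok(addr)


def check_pasted(intended: str, pasted: str) -> str:
    """Classify what landed in the send field versus the address you copied."""
    if pasted == intended:
        return "ok"
    if not checksum_ok(pasted):
        return "corrupted"  # typo or damaged paste; a wallet would reject it anyway
    return "swapped"  # valid checksum but not your address: clipper behaviour
```

The classification makes the article's point concrete: a typo shows up as a bad checksum and the wallet would refuse it, but a clipper substitutes a fully valid address, so only comparing the pasted value with the original source catches the swap.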
12. Having No Inheritance Plan
The mistake: Holding bitcoin in self-custody without any plan for your family to access it if something happens to you.
What actually happened: An estimated 3 to 4 million bitcoin are permanently lost, worth hundreds of billions of dollars at current prices. A significant portion is locked away because the owner died without leaving access instructions. Gerald Cotten, founder of QuadrigaCX (once Canada's largest exchange), died unexpectedly in December 2018. Up to $190 million in customer crypto was reportedly inaccessible because only Cotten held the passwords. The case was later ruled a fraud, but it illustrates what happens when one person holds all the keys with no backup plan.
Ordinary holders face the same risk. If nobody knows your seed phrase exists, your bitcoin becomes a permanent donation to the network. Your family gets nothing.
How to avoid it:
- Document what you own. Write a letter explaining that you hold bitcoin, which wallets you use, and the general location of your seed phrase backups. Do not include the actual seed phrase in this letter.
- Store seed phrase access separately. Your seed phrase should be in a sealed envelope in a safe or safety deposit box. The letter explaining how to use it can go with your will or be given to your executor.
- Teach at least one person. Show a trusted family member how hardware wallets work at a basic level. They don't need to become experts. They need to know enough to not get scammed during an emotional time.
- Consider a multisig setup. A 2-of-3 multisig wallet means three keys exist, and any two can move the funds. Give one to a family member, keep one yourself, and store one with a lawyer or in a safety deposit box.
- Review annually. Update your plan when you change wallets, move funds, or experience major life changes.
For a comprehensive approach, see our dedicated Bitcoin inheritance planning guide.
Your Bitcoin Security Checklist
Print this out. Go through it today.
- [ ] **Move bitcoin off exchanges.** If it's on an exchange, it's not yours. Withdraw to a hardware wallet you control.
- [ ] **Buy hardware wallets from the manufacturer.** Trezor and Coldcard sell direct. Skip Amazon and eBay.
- [ ] **Write your seed phrase on metal.** Paper burns. Metal doesn't.
- [ ] **Store backups in 2+ locations.** Home safe plus bank safety deposit box, or two geographically separated spots.
- [ ] **Test your backup.** Reset your hardware wallet, restore from your written seed phrase, and verify your funds appear.
- [ ] **Use unique passwords everywhere.** Get a password manager (Bitwarden). Turn on 2FA with an authenticator app, not SMS.
- [ ] **Protect your phone number.** Add a carrier PIN. Remove SMS 2FA from crypto accounts.
- [ ] **Bookmark official sites.** Never click links in emails about your crypto. Go directly to bookmarked URLs.
- [ ] **Verify addresses after pasting.** Check the first and last characters before confirming any transaction.
- [ ] **Never share your seed phrase.** No company will ever ask for it. If someone does, it's a scam.
- [ ] **Don't talk about your holdings.** Not the amount, not the percentage, not hints.
- [ ] **Create an inheritance plan.** Write a letter, store it separately from your seed phrase, teach one trusted person the basics.
Frequently Asked Questions
Is it safe to keep bitcoin on an exchange temporarily?
For brief periods while you're learning, a reputable exchange is reasonable. But "temporarily" should mean days, not months. The longer your bitcoin sits on an exchange, the more exposed you are to hacks, freezes, or bankruptcy. Move to a hardware wallet as soon as you're comfortable.
What is the safest way to store a seed phrase?
Write it by hand on paper, then stamp or engrave it into a metal plate for durability. Store copies in at least two separate physical locations. Never store it digitally: no photos, no cloud storage, no password managers, no text files. See our seed phrase guide for details.
Can someone steal my bitcoin if they know my public address?
No. A public address is designed to be shared and only allows people to send bitcoin to you. To move your bitcoin, someone would need your private key or seed phrase. Think of it like an email address: people can send you messages, but they can't read your inbox. For more on how addresses work, see our explainer.
What should I do if I think my seed phrase has been compromised?
Act immediately. Create a brand new wallet with a new seed phrase on a trusted device, then transfer all your bitcoin from the old wallet to the new one. Do not delay. Attackers who obtain seed phrases often use automated bots that sweep funds within minutes.
Are hardware wallets worth the cost?
Yes. A hardware wallet typically costs between $60 and $250. Compare that to the value of the bitcoin you're protecting. It's the single most effective security upgrade you can make. Even a basic model from Trezor or Coldcard keeps your private keys in a secure, offline environment that malware on your computer cannot reach.
How do I know if a wallet app is legitimate?
Never search for wallet apps directly in an app store. Instead, go to the manufacturer's official website and follow their download link. Check the developer name, verify the app has a substantial number of downloads, and read recent reviews for scam warnings. Our wallet reviews link directly to verified wallet software.
What is multisig and do I need it?
Multisig (multi-signature) requires multiple private keys to authorize a transaction. A 2-of-3 multisig needs any two of three keys to move funds, eliminating any single point of failure. It's excellent for larger holdings and inheritance planning. Services like Unchained offer guided multisig solutions. It may be overkill for small amounts, but it's worth exploring as your stack grows.
Is Bitcoin itself secure, or are these problems with Bitcoin?
Bitcoin's protocol and cryptography have never been broken in over 16 years of operation. Every loss in this article happened at the human layer: exchanges mismanaging funds, people exposing seed phrases, social engineering, and malware. Bitcoin gives you full control — and that includes the responsibility to protect your own keys.
Can I recover bitcoin sent to a scammer?
In almost all cases, no. Bitcoin transactions are irreversible by design. Once confirmed on the blockchain, no central authority can reverse them. Report scams to law enforcement (FBI's IC3 at ic3.gov) and the relevant platform, but manage your expectations about recovery. See our scams guide for what to do if you've been scammed.
How often should I review my security setup?
At minimum, once a year. Check that backups are intact and legible, test a wallet recovery, update passwords, review which accounts still use SMS 2FA, and confirm your inheritance plan is current. Set a calendar reminder. Security isn't a one-time setup — it's an ongoing practice.
The Bottom Line
Every mistake on this list has cost real people real money. The difference between them and you is that you're reading this before it happens.
Bitcoin security isn't complicated. It's a handful of habits practiced consistently. Move your coins off exchanges. Guard your seed phrase like cash. Verify addresses before sending. Don't trust links, don't trust strangers with your holdings, and don't assume it can't happen to you.
Take 30 minutes today. Set up a hardware wallet. Write your seed phrase on metal. Test your backup. Tell a family member where to find it. Those four steps put you ahead of the vast majority of bitcoin holders.
Next steps: