How-to

Stay safe day to day — the human habits that stop most real-world losses

Almost every real Bitcoin loss comes down to a human mistake, not broken math. A handful of calm, repeatable habits protect you from the great majority of them.

Here is the reassuring truth that gets buried under scary headlines: the cryptography protecting your Bitcoin is extremely strong. Attackers almost never break it. Instead, they trick you, or they target you in the physical world. That means your day-to-day habits, not your gear, are what actually keep you safe. This page walks through the handful of everyday practices that stop the losses that really happen. None of them require you to be technical. They just require you to slow down and follow a few simple rules every time.

Phishing is the number-one threat, so treat every unexpected message as a trap

Phishing is when someone pretends to be a company you trust (an exchange, your hardware wallet maker, "support") to trick you into giving up your secrets or approving a bad payment. It is by far the most common way people lose Bitcoin — the large majority of thefts trace back to some version of it.

A hardware wallet is a small physical device that holds your keys and signs payments offline. Your seed phrase is the list of 12 or 24 words that can restore your entire wallet. Anyone who gets those words can take everything.

Four rules defeat almost all phishing:

  • Never type your seed phrase into a website, app, or chat box. Ever. The only place those words ever go is into your hardware wallet during setup or recovery, and onto your paper or metal backup. No real company will ever ask you to type them anywhere else. If something asks, it is an attack.
  • Never trust a link in an email or text. Type the address yourself, or use a bookmark you saved earlier. A fake site at "ledqer.com" looks just like "ledger.com" to a tired human.
  • Check surprises through a separate channel. If your exchange "emails" you about urgent action, do not click. Open a fresh browser and go to the site directly. If "support" calls you, hang up and call back using the number on the official website.
  • Let a password manager do the checking for you. A password manager (like Bitwarden or 1Password) will refuse to fill in your login on a fake copycat site. When it won't autofill, that is your warning sign, not a glitch.

No legitimate company ever contacts you first asking for your password or seed phrase. If someone reaches out to you that way, treat it as a scam.

Always read the payment address on the device's own screen

There is a sneaky type of malware called a clipboard hijacker. When you copy a Bitcoin address, it silently swaps in the attacker's address instead. Addresses are long strings of letters and numbers, so the swap is easy to miss, and your payment sails off to a stranger.

The fix is simple and it is the single most valuable habit on this page: before you approve any payment, look at the address on your hardware wallet's own small screen and confirm it matches where you meant to send. Your computer or phone can be lied to; the hardware wallet shows you what is truly about to be signed. If the two don't match, stop.

  • For large amounts, read the address out loud, character by character, and compare.
  • Use QR codes to move addresses when you can. They are harder to tamper with than copy-and-paste.
  • Keep the computer or phone you use for Bitcoin clean: few apps, no random browser add-ons, and keep it updated.

Buy your hardware wallet directly, and check the seal

A supply-chain attack is when a device is tampered with before it reaches you, for example by a reseller who pre-loads it with keys the attacker already knows. If that happens, the device is compromised from day one.

You avoid this with three easy steps:

  • Buy only from the manufacturer's official website or an authorized seller. Never from eBay, third-party marketplace sellers, or anywhere a device could have been opened and re-sealed.
  • Check the tamper-evident packaging when it arrives. This is special sealing meant to show if the box was opened. If the seal looks broken, scratched, or already peeled, do not use the device. Contact the maker.
  • Set it up yourself. Your device should generate a brand-new seed phrase in front of you. If a device arrives already showing you a seed phrase or a "pre-set" wallet, that is a red flag. Never use one.

Also download wallet software only from the maker's official site. Fake wallet apps are a known trick.

Don't talk about your Bitcoin

Security expert Jameson Lopp, who keeps the most detailed record of real-world physical attacks on Bitcoin holders, emphasizes this above everything else: the most effective thing you can do to lower your risk of being targeted is to not talk about Bitcoin using your real name or face.

Here is why it works. People who get robbed or attacked for their Bitcoin are almost never random victims. Attackers have limited time, so they go after people they can identify. The way they identify targets is worth understanding, because there is a clear pipeline:

  • Exchanges and hardware wallet makers are required to collect your name, address, and phone number (this is called KYC, short for "know your customer"). Over the years, some of these databases leak. The 2020 Ledger leak exposed 270,000+ customers' names and home addresses, and criminals still use that list today.
  • Attackers combine leaked data with public clues: your posts tying your real name to Bitcoin, screenshots of balances, "just bought more" updates, Bitcoin stickers or shirts, or a friend mentioning "they hold a lot."
  • That combination turns you into a named address on a target list.

You break the pipeline by staying off it:

  • Don't post about your holdings under your real name. Don't share balance screenshots, ever.
  • Skip the Bitcoin-branded clothing, keychains, and laptop stickers in public.
  • Keep specific amounts to yourself, even with friends and family. Vague beats precise.
  • If you want to be part of the Bitcoin conversation, that is great. Discuss the ideas, the technology, and the economics freely. Just don't connect your real name to the size of your stack.

About the "$5 wrench attack," and the calm way to think about it

You may hear the phrase "$5 wrench attack." It comes from a cartoon and makes a serious point: no amount of encryption helps if someone simply threatens you in person to force you to hand over your Bitcoin. These physical confrontations have risen in recent years.

The good news is that the same habits above are your best protection, because they keep you off the target list in the first place. Prevention is far more reliable than heroics in the moment. Beyond staying private:

  • Spread your keys across different locations so that no single place, and no single moment, holds everything needed to move your funds. Then "I genuinely can't do that right now" is simply true, which is much safer than trying to refuse.
  • Don't carry your hardware wallet around unless you truly need to.
  • For most people, this is a small tail risk, not a daily worry. Keep it in perspective: staying quiet about your Bitcoin does most of the work.

Remember: the biggest risk is a rushed you

Across every expert source, the most common cause of lost Bitcoin is not an attacker at all. It is the owner making an avoidable mistake. Bitcoin payments cannot be reversed, so a slip cannot be undone. The defense is refreshingly ordinary:

  • Never operate your wallet when you're tired, stressed, upset, or being hurried. Legitimate payments can always wait an hour, or until morning.
  • Write your recovery details down on paper or metal, in plain language your future self (or your family) can follow. Don't rely on memory.
  • Never photograph your seed phrase or store it on any device. A "just for a minute" photo quietly syncs to the cloud and stays there for years.
  • Test your backup once by practicing a recovery before real money depends on it.
  • Don't invent clever custom schemes. Homemade tricks are the leading way people lock themselves out. Stick to standard, well-reviewed methods.
The one habit that stops the most theft

Before you approve any Bitcoin payment, read the destination address on your hardware wallet's own screen and confirm it matches where you meant to send. Your computer or phone can be fooled by malware; the device screen shows what is truly being signed. This single check defeats both the most common attack (phishing) and the sneakiest one (address-swapping malware). Never skip it to save a few seconds.

The short checklist
  • Never type your seed phrase into any website, app, or chat, and never store it as a photo or file.
  • Treat every unexpected email, text, or call as a scam; verify by typing the address yourself or calling back on the official number.
  • Read the payment address on your hardware wallet's own screen and confirm it before approving anything.
  • Buy hardware wallets only from the maker's official site, check the tamper seal, and set up a fresh seed yourself.
  • Keep your Bitcoin off your public identity: no balance screenshots, no branded gear, no specific amounts shared.
  • Only operate your wallet when calm and unhurried; a rushed payment can't be undone.
  • Write your recovery details on paper or metal in plain language, and test the backup once before you rely on it.

Last verified: July 15, 2026