indexcrypto
Security Intelligence

Web3 Safety Protocols

A complete operational security guide for navigating the Web3 landscape in 2026. From phishing defense to smart contract verification — every protocol you need.

🎣
Phishing Defense

Identify Phishing Sites Before You Connect

Scammers create look-alike domains that are nearly indistinguishable from legitimate exchanges. Common techniques include homograph attacks (using visually similar Unicode characters), subdomain spoofing (e.g., secure.ledger.attacker.com), and typosquatting (lledger.com, ledgr.com).

Before connecting your wallet to any site, check the full domain in the address bar — not just the favicon or page title. Use bookmark-based navigation for exchanges you use regularly. Never click links from DMs, Telegram messages, or social media ads. Verify URLs against the official project's verified social channels.

Our indexcrypto engine automatically cross-references domains against known phishing clusters, giving you a Trust Score before you engage.

Security Checklist

  • Bookmark official exchange URLs — never type them manually
  • Check the registrable domain (the label directly before the top-level domain), not a familiar-looking subdomain (e.g., "ledger.com" is legitimate, while "support.ledger.phishing.com" belongs to phishing.com)
  • Look for HTTPS with a valid TLS certificate, but treat it as necessary rather than sufficient: phishing sites routinely have valid certificates too
  • Cross-check URLs with official Twitter/Discord announcement channels
  • Use indexcrypto to verify Trust Score before connecting
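
As an added example (not part of the original guide), here is a small Python checker that applies the checks above to a URL: it classifies by the registrable domain rather than the leading subdomain, flags Punycode or non-ASCII hosts as homograph risk, and compares near-misses against a bookmark list. The TRUSTED_DOMAINS set and the 0.8 similarity threshold are assumptions, and the registrable-domain logic deliberately ignores multi-label public suffixes such as co.uk.

```python
from difflib import SequenceMatcher
from typing import Optional
from urllib.parse import urlparse

# Constructed allow-list standing in for the user's own bookmarks (assumption, not real data).
TRUSTED_DOMAINS = {"ledger.com", "trezor.io", "metamask.io", "coinbase.com"}


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'attacker.com' for 'secure.ledger.attacker.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def has_homograph_risk(host: str) -> bool:
    """Punycode (xn--) labels or any non-ASCII character: the raw material of IDN homograph attacks."""
    labels = host.lower().split(".")
    return any(lab.startswith("xn--") for lab in labels) or any(ord(c) > 127 for c in host)


def resembles_trusted(domain: str, trusted, threshold: float = 0.8) -> Optional[str]:
    """Trusted domain that this one closely resembles without matching (typosquat), else None."""
    for good in trusted:
        if domain != good and SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None


def assess(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify a URL the way the checklist says to: by its registrable domain,
    not by its leading subdomain, favicon or page title."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    brands = {d.split(".")[0] for d in trusted}          # e.g. "ledger"
    result = {"host": host, "domain": domain, "resembles": None}
    if has_homograph_risk(host):
        result["verdict"] = "homograph"
    elif domain in trusted:
        result["verdict"] = "trusted"
    elif any(label in brands for label in host.split(".")[:-2]):
        result["verdict"] = "subdomain-spoof"            # brand name buried in a subdomain
    elif (near := resembles_trusted(domain, trusted)):
        result["verdict"], result["resembles"] = "typosquat", near
    else:
        result["verdict"] = "unknown"
    return result


if __name__ == "__main__":
    for u in ["https://www.ledger.com/start", "https://secure.ledger.attacker.com/login",
              "https://lledger.com", "https://ledgr.com", "https://ledgér.com"]:
        print(u, "->", assess(u)["verdict"])
```
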
🔐
Cold Storage

Cold Storage: The Non-Negotiable Rule for Large Holdings

For any amount of crypto you cannot afford to lose, cold storage is not optional — it is the minimum standard. Hot wallets (MetaMask, Phantom, Trust Wallet) are connected to the internet by design, which means they are permanently exposed to browser-based exploits, malicious dApp approvals, clipboard hijacking, and supply chain attacks on browser extensions.

Hardware wallets (Ledger, Trezor, Coldcard) keep your private keys in an isolated secure element that never touches the internet. Even if your computer is fully compromised by malware, a hardware wallet cannot be drained without physical confirmation on the device itself, which is why you should verify the recipient and amount on the device screen rather than trusting what the computer displays.

For maximum security, use air-gapped signing devices (Ellipal Titan, Keystone Pro) which require QR code transaction signing with zero USB/Bluetooth exposure.

Security Checklist

  • Move holdings above $500 to a hardware wallet immediately
  • Buy hardware wallets ONLY from official manufacturer websites — never from Amazon or third parties
  • Verify the device packaging for tampering before setup
  • Use a dedicated computer for hardware wallet setup — not your daily driver
  • Store your seed phrase on steel (not paper) — protected from fire and water
🌱
Seed Phrase Security

Seed Phrase Protection: The 24-Word Responsibility

Your 24-word (or 12-word) BIP-39 seed phrase IS your wallet. Anyone who has it controls all your funds — forever, across all blockchains derived from that seed. There is no recovery process if it is stolen. No company can help you. The blockchain is immutable.

Real support teams — from Ledger, Trezor, MetaMask, Coinbase, or any legitimate project — will NEVER ask for your seed phrase. Ever. Under any circumstance. This includes "verification," "wallet migration," "airdrop claims," and "security upgrades." These are always scams.

Never photograph your seed phrase. Never store it in iCloud, Google Drive, or any cloud service. Never type it into any website, app, or "verification form." Your seed phrase should exist only on physical media (steel plates preferred) stored in multiple secure locations.

Security Checklist

  • Never type your seed phrase into any website or app — ever
  • Store seed phrase on steel backup plates (Cryptosteel, Bilodeau)
  • Use a BIP-39 passphrase (25th word) for additional security
  • Consider Shamir's Secret Sharing for ultra-high-value wallets
  • Test your backup by restoring to a secondary device before storing it
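
As an added example (not part of the original guide), this Python snippet shows why the seed phrase and its optional passphrase ("25th word") together are the wallet: the seed is derived from both with PBKDF2-HMAC-SHA512, the BIP-32 master key is derived from that seed, and a different passphrase silently yields a completely different wallet with no error. The mnemonic is the published BIP-39 test vector, used only for illustration; it must never hold funds.

```python
import hashlib
import hmac
import unicodedata

# Constructed for illustration only: the published BIP-39 test vector #1 mnemonic.
# A phrase that exists in public documentation is worthless as a wallet.
DEMO_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output,
    salt = 'mnemonic' + passphrase, with both inputs NFKD-normalised.
    The passphrase is the '25th word'. Any passphrase is 'valid', so a wrong or
    forgotten one simply opens an empty wallet; back it up as carefully as the words."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master private key and chain code: HMAC-SHA512 keyed with 'Bitcoin seed'.
    Every account on every chain descends from this pair, so whoever holds the
    seed phrase (and passphrase) holds all of them."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def same_wallet(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True only if both passphrases lead to the same master key (i.e. the same wallet)."""
    key_a, _ = bip32_master(bip39_seed(mnemonic, passphrase_a))
    key_b, _ = bip32_master(bip39_seed(mnemonic, passphrase_b))
    return hmac.compare_digest(key_a, key_b)


if __name__ == "__main__":
    print("seed (passphrase TREZOR):", bip39_seed(DEMO_MNEMONIC, "TREZOR").hex())
    print("same wallet with/without passphrase?", same_wallet(DEMO_MNEMONIC, "", "TREZOR"))
```
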
📋
Smart Contract Safety

Verify Smart Contracts Before Approval

Token approvals are one of the most dangerous attack vectors in DeFi. When you sign an approval for a dApp, you may be granting unlimited spending rights to a smart contract address. If that contract is malicious, or is later exploited, your entire token balance can be drained in a single transaction.

Before interacting with any new dApp, check the contract address on block explorers (Etherscan, BSCScan) to verify it is the official deployment. Check the audit history — legitimate protocols are audited by firms like Trail of Bits, CertiK, or Halborn. Use our indexcrypto engine to check the Trust Score for the protocol before connecting.

Revoke unnecessary approvals regularly using tools like Revoke.cash or De.Fi Shield. Never sign transactions you do not fully understand.

Security Checklist

  • Use indexcrypto to check Trust Score before interacting with any new protocol
  • Verify contract address against official project documentation
  • Check audit history on DefiSafety or CertiK
  • Revoke stale approvals monthly using Revoke.cash
  • Use a separate "burner" wallet for testing new dApps
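
As an added example (not part of the original guide or any wallet's code), here is a Python pre-signing check that decodes the calldata of an ERC-20 approve or an ERC-721/1155 setApprovalForAll call and applies a simple policy: a bounded allowance to a spender you recognise is fine, anything unlimited or any unknown spender is a warning, and unlimited rights to an unknown spender should not be signed. The selectors are the standard ones; the spender addresses and the trusted-spender list are constructed for the demo.

```python
from typing import Optional

UNLIMITED = 2**256 - 1  # the "infinite approval" value most dApps request by default

# 4-byte selectors (first 4 bytes of keccak256 of the signature). Hard-coded because the
# standard library has no keccak256; these are the well-known ERC-20 and ERC-721/1155 values.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


def decode_approval(calldata_hex: str) -> Optional[dict]:
    """Parse approval calldata into spender and scope; None if it is not an approval."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sel = data[:4].hex()
    if sel not in SELECTORS or len(data) != 4 + 2 * 32:   # both take two 32-byte ABI words
        return None
    spender = "0x" + data[16:36].hex()          # address is right-aligned in its 32-byte word
    value = int.from_bytes(data[36:68], "big")
    out = {"function": SELECTORS[sel], "spender": spender}
    if sel == "095ea7b3":
        out["amount"], out["unlimited"] = value, value == UNLIMITED
    else:                                       # setApprovalForAll(true) == every token in the collection
        out["approved_all"] = out["unlimited"] = value == 1
    return out


def approval_risk(calldata_hex: str, trusted_spenders: set) -> str:
    """Policy: 'ok' for a bounded allowance to a known spender, 'warn' for anything unlimited
    or any unknown spender, 'block' for unlimited rights to an unknown spender."""
    d = decode_approval(calldata_hex)
    if d is None:
        return "not-an-approval"
    known = d["spender"] in {s.lower() for s in trusted_spenders}
    if d["unlimited"] and not known:
        return "block"
    if d["unlimited"] or not known:
        return "warn"
    return "ok"


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(address,uint256) calldata for constructed sample inputs."""
    word = spender.removeprefix("0x").lower().rjust(64, "0")
    return "0x095ea7b3" + word + amount.to_bytes(32, "big").hex()


if __name__ == "__main__":
    trusted = {"0x" + "11" * 20}                # constructed: a router address you have verified
    print(approval_risk(encode_approve("0x" + "11" * 20, UNLIMITED), trusted))   # warn
    print(approval_risk(encode_approve("0x" + "22" * 20, UNLIMITED), trusted))   # block
```
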
🏦
Exchange Security

Centralized Exchange Security Best Practices

Centralized exchanges (CEXs) are custodial — they hold your private keys. "Not your keys, not your coins" is a foundational principle: if the exchange is hacked, goes insolvent (as with FTX), or freezes withdrawals, your funds may be inaccessible or gone entirely.

If you must hold funds on an exchange for trading, use the strongest available 2FA (hardware key like YubiKey, or TOTP app — never SMS 2FA). Enable whitelist withdrawal addresses so that only your pre-approved wallets can receive funds. Use a unique, strong password generated by a password manager. Enable email confirmation for all withdrawals.

Regularly check your exchange account for unrecognized login locations and immediately revoke all API keys you no longer use.

Security Checklist

  • Enable hardware 2FA (YubiKey) — never use SMS 2FA
  • Whitelist withdrawal addresses in exchange settings
  • Use a unique 20+ character password from a password manager
  • Enable anti-phishing codes in email settings (Binance, Coinbase)
  • Withdraw to cold storage after each trading session
🚨
Scam Recognition

Recognizing Rug Pulls, Honeypots & Pump-and-Dump Schemes

The Web3 space is rife with predatory schemes designed to extract value from retail investors. Understanding these patterns is essential for survival.

A rug pull occurs when developers abandon a project and drain liquidity after attracting investment. Warning signs include anonymous teams, no audit, liquidity locked for only very short periods, and aggressive marketing with unrealistic APY promises.

A honeypot is a smart contract designed to allow buying but block selling. The contract code contains a conditional that prevents transfers unless triggered by the deployer address. Always check token contracts on honeypot detection tools before buying.

Pump-and-dump schemes involve coordinated buying by insiders who then sell into retail demand. Watch for sudden volume spikes, coordinated social media campaigns, and unrealistic price targets from "influencers."

Security Checklist

  • Check liquidity lock duration and lock contract on Unicrypt or Team.Finance
  • Verify team identities — anonymous teams are a red flag for new projects
  • Run contract through Honeypot.is before buying any new token
  • Check token distribution — if the top 10 wallets hold 80%+ of supply, treat the project with extreme caution
  • Avoid projects that promise guaranteed returns or extreme APY
🛡️
Operational Security

OpSec: Your Browser, Devices & Network

Your operating environment is the first line of defense. Most crypto thefts are not blockchain exploits — they are social engineering and malware attacks against the user's device and browser.

Use a dedicated browser (or browser profile) exclusively for crypto. Install only essential wallet extensions. Disable all other extensions when interacting with high-value transactions. Regularly audit your installed extensions — malicious extensions can capture clipboard content (replacing your copy-pasted wallet address with the attacker's address).

Avoid using public WiFi for crypto transactions. Use a VPN with a no-log policy. Keep your operating system and wallet software updated. Consider a dedicated hardware setup (low-cost Chromebook or dedicated laptop) for large transactions.

Security Checklist

  • Use a dedicated browser profile for crypto — no social media, no random browsing
  • Audit browser extensions monthly — remove anything not strictly necessary
  • Enable clipboard protection in your antivirus or use a clipboard manager
  • Never use public WiFi for crypto — use mobile data or a trusted VPN
  • Enable full disk encryption on your device (FileVault on Mac, BitLocker on Windows)
