Author: CZ, Founder of Binance
Translator: Editor Jr., BlockTempo
CZ, the founder of Binance, posted an article on the social media platform X yesterday (24th) evening, updating a piece on cryptocurrency security advice to help users avoid hacker attacks. This article will fully translate and compile CZ's article.
The crypto exchange Bybit was reportedly hacked last week on the 21st, with a loss of around $1.46 billion, making it the largest crypto theft in history; and just yesterday (24th), the crypto payment project Infini was also confirmed to have been hacked, with a loss of nearly $50 million... A series of hacker incidents have once again sounded the alarm for crypto security.
Against this backdrop, CZ, the founder of Binance, posted on the social media platform X yesterday (24th) evening, stating that he had spent a day on Sunday updating an article he wrote five years ago regarding security recommendations to help the crypto community avoid hacker attacks.
This article will fully translate CZ's article as follows:
Keeping Your Crypto Assets Secure (CZ's Recommendations)
Update Time: 2025/2/24
Initial Release Time: 2020/2/25
The lack of security awareness among crypto users is truly heartbreaking. It's also painful to see experts recommend advanced settings that are difficult to follow and error-prone.
Security is a broad topic. I'm not an expert, but I've seen many security issues. I'll try to explain in plain language:
Whether, and how, you should self-custody your crypto, and why you might not want to.
Whether, and how, you should keep your crypto on a centralized exchange, and why you might not want to.
First, nothing is 100% secure. Software has vulnerabilities, and people can also fall victim to social engineering attacks. The real question is, is it "secure enough"?
If you're storing $200 in a wallet, you may not need super high security. A mobile wallet would be enough. If it's your life savings, then you'll need stronger security.
To protect your crypto, you only need to do three things:
Prevent others from stealing it.
Prevent yourself from losing it.
If you can't use it, there must be a way to pass it on to your loved ones.
Simple, right?
Why You Might or Might Not Want to Self-Custody Crypto
Your keys, your coins, right?
Many crypto experts firmly believe that holding your own keys is the only way to keep your crypto secure, regardless of your technical skill. Is that really the best advice for you?
A Bitcoin private key (in wallet import format, WIF) looks like this:
KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p
That's it. Anyone with a copy of that string can move whatever bitcoin (if any) sits at the corresponding address.
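To make concrete what that string is, here is an added example (not code from CZ's article) that encodes and decodes a WIF key with the Python standard library. The 32-byte key it uses is a constructed sample, not the key shown above, and the function names are illustrative. It shows that a WIF key is nothing but a version byte, the raw 32-byte secret, an optional compressed-pubkey flag and a 4-byte checksum, so whoever holds the string holds the key; it also shows that the checksum catches a single mistyped character, which matters whenever you copy a key by hand.

```python
import hashlib

# Added example, not from CZ's article: what a WIF private key encodes and
# why a transcription error is caught by its checksum.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MAINNET_WIF_PREFIX = 0x80


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58: leading zero bytes are kept as leading '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double-SHA256, as used by base58check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_wif(secret: bytes, compressed: bool = True) -> str:
    """WIF = base58(0x80 || 32-byte secret || [0x01 if compressed] || checksum)."""
    if len(secret) != 32:
        raise ValueError("secp256k1 private keys are exactly 32 bytes")
    payload = bytes([MAINNET_WIF_PREFIX]) + secret + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def decode_wif(wif: str) -> tuple[bytes, bool]:
    """Return (secret, compressed). Raises ValueError on a bad checksum or layout."""
    raw = b58decode(wif)
    if len(raw) < 5:
        raise ValueError("too short to be a WIF key")
    payload, check = raw[:-4], raw[-4:]
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: the key was mistyped or corrupted")
    if payload[0] != MAINNET_WIF_PREFIX:
        raise ValueError("not a mainnet WIF key")
    if len(payload) == 34 and payload[-1] == 0x01:
        return payload[1:33], True
    if len(payload) == 33:
        return payload[1:], False
    raise ValueError("unexpected WIF payload length")


def is_valid_wif(wif: str) -> bool:
    """Transcription check for a hand-copied key."""
    try:
        decode_wif(wif)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key; never use a key that has been published anywhere.
    sample = bytes.fromhex("0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d")
    wif = encode_wif(sample)
    print(wif, decode_wif(wif) == (sample, True))
```

`is_valid_wif` is the check to run on a hand-copied backup before you rely on it. A passing checksum only says the characters are right, not that the key is the one you meant to back up, so follow it by deriving the address and comparing it with the wallet's.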
To protect your crypto, you need to:
Prevent others from obtaining a copy of your private key: protect your computer from hacking, malware, network attacks, and so on.
Prevent yourself from losing the private key: Backup properly in case of device damage or loss, and ensure the backup's security.
If something happens to you or you pass away, there must be a way to pass the private key to your loved ones. This is not a pleasant scenario, but as responsible adults, we must manage this risk.
Beware of Hackers
You've heard of hackers. They use viruses, Trojans, and other malware. You don't want these things near your devices.
To have a certain level of confidence, you need to ensure your crypto wallet device is never connected to the internet. You also shouldn't download any files on this device.
Let's talk about the different devices you can use.
A computer is an obvious choice and usually supports the most coin types. You should never connect this computer to any network. If you do, hackers may exploit vulnerabilities in the operating system or software you use to infiltrate your device. Software will never be without vulnerabilities.
So how do you install software? With a USB drive. Make sure it is clean: scan it thoroughly with at least three different antivirus products. Download the software you want to install (operating system and wallet) onto the USB drive, then wait 72 hours and check the news to make sure neither the website nor the software has been compromised in the meantime. Verify the download against the project's published checksum or signature before installing it.
There have been cases where an official website was hacked and the download package replaced with malware. Download software only from official websites, and only use open-source software to reduce the risk of backdoors: even if you are not a programmer, open-source code is reviewed by other developers. In practice this means running a stable Linux distribution (not Windows or macOS) as the operating system and using only open-source wallet software.
Once everything is installed, use the clean USB drive to carry transactions to and from the offline machine for signing. The exact process varies by wallet and is outside the scope of this article. Apart from Bitcoin, many coins' wallets cannot sign offline at all.
You need to ensure the physical security of the device. If someone steals it, they may be able to physically access your device. Make sure your hard drive is strongly encrypted, so even if someone gets it, they can't read it. Different operating systems provide different encryption tools. Again, hard drive encryption tutorials are not within the scope of this article, but there are many resources available online.
If you can do all of the above, you can self-custody securely and can skip the rest of this section. If it sounds like too much, there are other options.
You can use a phone. An unrooted phone is usually more secure than a computer, thanks to the sandboxing in mobile operating systems. For most people, I recommend an iPhone. If you're more tech-savvy, I recommend an Android phone running GrapheneOS. Again, use a dedicated phone for the wallet; don't mix it with your daily-use phone, and install only the wallet app and nothing else. Keep the phone in airplane mode except when you are actually making a transfer. I also recommend a separate SIM card, connecting only over 5G cellular (never WiFi), and only when signing transactions or updating software. This is usually fine if the amounts in the wallet are not huge.
Some mobile wallets support offline signing (by scanning QR codes), so the phone can stay completely offline from the moment the wallet app is installed, through key generation and beyond; the private key then never exists on an internet-connected phone. This also prevents a backdoored wallet from sending data back to its developers, which has happened in the past, even in official app releases. The trade-off is that you cannot update the wallet app or the operating system. To update, use a second phone: install the new app version, put it in airplane mode, generate a new address, back it up (more on that later), and move the funds over. This is inconvenient, and these wallets support a limited set of coins and chains.
These wallet apps usually don't support staking, yield farming, or meme coin investing. If you're interested in these, you'll have to sacrifice a bit of security.
You need to ensure the physical security of the phone.
Hardware Wallets
You can use a hardware wallet. These devices are designed to keep your private key "forever" inside the device, so your computer never holds a copy. (As of 2025 this is no longer unconditional: Ledger's opt-in Recover service backs up an encrypted, split copy of the seed with third-party custodians, so check what your device is able to export before you rely on that guarantee.)
Hardware wallets have also had vulnerabilities reported in their firmware and companion software. Every hardware wallet has to talk to software on a computer (or phone) to work, so you still need that computer to be malware-free: some malware swaps the destination address of a transaction at the last moment for the attacker's. Always verify the destination address on the device's own screen before approving.
Hardware wallets protect against many basic types of attack, and if you want to self-custody they are still a good choice. Their weakest point, however, is usually how the backup is stored, which we discuss in the next section.
Protect Yourself
You may lose the device or the device may be damaged. Therefore, you need to back up.
There are also many methods, each with its own advantages and disadvantages. Fundamentally, you want to achieve multiple backups, and the backups are stored in different geographical locations, and are not easily visible to others (encrypted).
You can write it down on paper. Wallets that use seed phrases suggest this, since writing down 12 or 24 English words is relatively easy; raw private keys are much easier to mis-transcribe. But paper can get lost in a pile of documents, be destroyed in a fire or flood, or be chewed by your dog, and anyone who finds it can read it: there is no encryption.
Some people use bank safe deposit boxes to store paper backups. For the reasons mentioned above, I generally do not recommend this option.
Do not take photos (or screenshots) of the paper and sync it to the cloud, thinking it is safely backed up. If hackers breach your email account or computer, they will easily find it. Cloud service providers have many employees who can view it.
Some metal tags are specifically designed to store seed backups. These tags should be almost indestructible, which basically solves the problem of damage in fires or floods. But it doesn't solve the problem of loss or being easily read by others. Furthermore, some people store these tags in bank safe deposit boxes, usually along with their gold or other metals. If you use this method, you should understand the risks involved.
I recommend using at least 3 USB drives, but this requires a more technical setup and is easier to get wrong.
There are now USB drives that are shock-proof, waterproof, fireproof, and magnetic-proof. You can store encrypted versions of your private key backups on multiple such USB drives and distribute them in different locations (with friends or relatives). This can solve all the requirements mentioned at the beginning of this section: multiple locations, not easily damaged or lost, and not easily readable by others after loss.
The key is strong encryption. There are now many tools that can be used for encryption, and they will improve over time. VeraCrypt is an entry-level tool that provides a reasonable level of encryption. Please research on your own to find the latest encryption tools that best suit you.
Take Care of Your Loved Ones
We won't live forever. You need an inheritance plan. In fact, cryptocurrencies allow you to more easily pass on your wealth to your heirs and reduce third-party involvement.
Again, there are some ways to do this.
If you use paper wallets or metal tags (low security), you can simply share this information with your heirs. This has drawbacks. If they are young or not tech-savvy, they may lack the means to maintain or protect the backup copies, and if they make a security mistake, hackers can steal your funds through them. They can also take your money at any time. Depending on the level of trust between you, you may or may not want this.
I strongly advise against sharing private keys with others, no matter the relationship. If the funds are stolen, it will be unclear who moved them or who was hacked. This will be very messy.
You can store paper wallets or metal tags in a bank safe deposit box or entrust them to a lawyer. But as mentioned above, if any relevant person gets a copy of the private key, they can move the funds without much trace. This is different from a lawyer having to go through the bank to transfer the balance of your bank account to your heirs.
If you use the USB drive method mentioned above, there are some ways to more safely pass on your wealth. Again, this requires more setup.
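One way to get the property the previous section asks of USB-drive backups (several locations, no single copy readable by whoever finds it) and the property this section asks of inheritance (no single heir or lawyer able to move the funds alone) is a threshold split of the seed. The block below is an added example, not CZ's procedure or any wallet vendor's code: a Shamir secret-sharing implementation over GF(2^8) in the Python standard library. `SAMPLE_SEED` is a constructed value and `split_secret` / `recover_secret` are illustrative names. With k=2 of n=3 you would write one share to each USB drive, or give one each to two heirs and one to a lawyer; any two shares reconstruct the seed, and one alone is indistinguishable from random bytes.

```python
import secrets

# Added example, not CZ's method: 2-of-3 Shamir secret sharing of a seed,
# with arithmetic in GF(2^8) under the AES reduction polynomial 0x11b.


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255) in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """a^254 == a^-1 because the multiplicative group has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Return n shares (x, y_bytes); any k of them reconstruct `secret`."""
    if not 2 <= k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    # One random polynomial of degree k-1 per secret byte, with f(0) = that byte.
    polys = [[s, *secrets.token_bytes(k - 1)] for s in secret]
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner: (...(a_{k-1} x + a_{k-2}) x ...) + a_0
                acc = gf_mul(acc, x) ^ c
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def recover_secret(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or any(not 1 <= x <= 255 for x in xs):
        raise ValueError("share indices must be distinct and in 1..255")
    length = len(shares[0][1])
    if any(len(y) != length for _, y in shares):
        raise ValueError("shares have different lengths")
    out = bytearray()
    for i in range(length):
        acc = 0
        for xi, yi in shares:
            num = den = 1
            for xj, _ in shares:
                if xj != xi:
                    num = gf_mul(num, xj)       # (0 - x_j) == x_j in characteristic 2
                    den = gf_mul(den, xi ^ xj)  # (x_i - x_j) == x_i XOR x_j
            acc ^= gf_mul(yi[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


# Constructed 32-byte seed standing in for a real wallet seed; never use it.
SAMPLE_SEED = bytes.fromhex(
    "00112233445566778899aabbccddeeff0123456789abcdef0123456789abcdef"
)

if __name__ == "__main__":
    shares = split_secret(SAMPLE_SEED, k=2, n=3)
    for x, y in shares:
        print(f"drive {x}: {y.hex()}")  # what you would write to each USB drive
    print("recovered:", recover_secret(shares[:2]) == SAMPLE_SEED)
```

Shares still need the rest of the hygiene in this article: label each with k, n and its index, keep them in separate places, rehearse recovery on a fresh machine before you depend on them, and for real funds use a reviewed implementation of a published scheme (for example SLIP-39) rather than teaching code like this.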
There are online services called dead man's switches. They periodically send you an email (for example once a month) that you must answer by clicking a link or logging in. If you don't respond within a set period, they assume you have died and send a prepared email to the recipient you chose. I won't recommend or vouch for any of these services; search for and test them yourself. Google's Inactive Account Manager is in effect a dead man's switch: in your Google account settings you can name someone who gets access to your account if you haven't used it for a period you choose (three months is the shortest option). Personally, I haven't tested it, so I can't guarantee its security. Please test it yourself.
If you're thinking, "Oh great, I just need to email my private key to my kids," then please re-read the beginning of this article.
You may also think, "I can put the passwords to encrypt my USB drives in those emails; that way, my kids or spouse can unlock them." This is closer, but still not good enough. You should not store backup passwords on internet-based servers. This would greatly weaken the security of your backups/funds.
If you're thinking, "I can use another password that my loved one and I share to encrypt the email containing the USB drive passwords," then you're on the right track. In fact, you don't even need a second password.
There is a time-tested email encryption tool called PGP (or its open implementation, GPG) that you should use. PGP was one of the earliest widely used tools built on asymmetric (public-key) cryptography, the same family of cryptography that Bitcoin's signatures rely on. Again, I won't give a full PGP tutorial here; there are many online. In summary: have your spouse or children generate their own PGP key pairs, then encrypt the messages you send them with their public keys, so that only they, as holders of the matching private keys, can read the contents. This is relatively secure, but it requires your loved ones to keep their PGP private keys safe and not lose them, and to know how to use PGP email, which takes some technical skill.
If you have followed the suggestions shared so far, then you have reached a basic (not advanced) level of being able to self-custody a certain amount of cryptocurrencies. There are many other topics we could discuss that may also solve some of the issues mentioned so far, including multi-signature, threshold signatures, and more, but those would be for more advanced guides.
In the next section, we will explore:
Using Exchanges
In this article, when we refer to exchanges, we mean centralized exchanges that hold your funds and help you custody them.
So after reading the previous section, you might say, "Whew, that's a lot of work. I'll just keep my coins on an exchange." Well, using exchanges is not without risk either. While exchanges are responsible for safeguarding funds and securing the system, you still need to follow proper practices to ensure the security of your account.
Only Use Large and Reputable Exchanges
Yes, I say this easily because Binance is one of the largest exchanges globally. However, there are good reasons for saying this. Not all exchanges are created equal.
Large exchanges invest heavily in security infrastructure. Binance spends billions of dollars on security every year. This is reasonable for the scale of our business. Security covers a wide range of areas, including hardware, networks, processes, personnel, risk monitoring, big data, AI detection, training, research, testing, third-party partnerships, and even global law enforcement cooperation. Ensuring proper security requires a lot of capital, talent, and effort. Smaller exchanges simply don't have the scale or financial strength to do this. I may be criticized for saying this, but this is why I often say that for most ordinary people, using a trusted centralized exchange is safer than self-custodying coins.
There is counterparty risk. Many smaller/newer exchanges are exit scams from the start. They collect some deposits and then disappear. That's why you should stay away from exchanges that claim to be unprofitable or offer zero fees, large rebates, or other loss-leading incentives. If their goal is not commercial revenue, your funds are likely their only target.
Appropriate security measures are expensive and require funding from a sustainable business model. Do not skimp on security for your funds. Large, profitable exchanges have no incentive to engage in exit scams. When you are already running a profitable, billion-dollar business, why would you have any motivation to steal a few million dollars and live in hiding, constantly looking over your shoulder?
Large exchanges also undergo more extensive security testing. Yes, this is also a risk. Hackers are more likely to target large exchanges. However, hackers will also target smaller exchanges, and some of them may be even easier targets. Large exchanges typically have 5-10 external security companies regularly conducting penetration testing and security audits for them.
Binance has gone further on security than most exchanges. We have invested heavily in big data and AI to combat hackers and scammers. We have successfully prevented many users from losing funds when they were targeted by SIM swap attacks. Some users who use multiple exchanges have reported that while their email accounts were compromised and funds stolen from other exchanges, their Binance funds were protected because our AI system blocked the hackers' withdrawals. Even if smaller exchanges wanted to do this, they cannot, because they do not have the same volume of data.
Protect Your Account
Protecting your account is still very important when using an exchange. Let's start with the basics.
Secure Your Computer
Again, the computer is often the weakest link in the security chain. Use a dedicated computer for accessing your exchange account. Install a commercial antivirus product on it (yes, invest in security) and install only the most basic other software. Set the firewall to its highest level.
Conduct your gaming, browsing, and downloading activities on another computer. Even on this computer, enable the antivirus software and set the firewall to the highest level. Viruses on one computer can make it easier for hackers to access other computers on the same network, so keep your computers clean.
Don't Download
Even if you only use centralized exchanges (CEXs), I still recommend not downloading any files on your computer. If someone sends you a Word document, ask them to send a Google Docs link instead. If they send a PDF file, open it in Google Drive rather than on your computer. If they send you a funny video, ask them to send a link to an online platform. Yes, I know this is inconvenient, but security is not free, and losing your funds is also not free. View all content in the cloud.
Turn off the "auto-save photos and videos" feature in your instant messaging apps. Many apps default to downloading GIFs and videos, which is not a good security practice.
Keep Software Updated
I know all operating system updates are annoying, but they contain patches for recently discovered security vulnerabilities. Hackers also monitor these updates and often target those who are lazy to update. So, make sure you install these patches as soon as possible. Do the same for the wallets and other software you use.
Protect Your Email
I recommend using Gmail or Protonmail. These providers are more secure than other platforms, where we have seen more security incidents.
I suggest setting up a unique, hard-to-guess email account for each exchange you use. That way, if one exchange is compromised, your Binance account is not affected, and you will also receive fewer phishing and targeted scam emails.
Proton offers SimpleLogin, an email alias service it owns, which lets you create a unique address for each site you sign up to. If you don't already use another email forwarding service, I recommend it.
Enable two-factor authentication (2FA) for your email service. I recommend using a Yubikey for your email account. This is a strong way to prevent various hacking attacks, including phishing sites. More on 2FA later.
If you live in a country with reported SIM swap incidents, do not use your phone number as the recovery method for your email account. We have seen many SIM swap victims have their email accounts compromised and reset by hackers because of this. I no longer recommend linking your phone number to your email account; keep them separate.
Use a Password Manager
Use a strong, unique password for every site. Don't try to remember them; use a password manager. For most people, Keeper or 1Password is sufficient. Both integrate well with browsers and phones, keep the vault encrypted locally, and sync only the encrypted vault across devices.
If you are more serious, use KeePass. It stores the database only locally, so you don't have to rely on an encrypted vault in someone's cloud. It has no built-in cross-device sync and weaker mobile support. It is open source, so you don't have to worry about backdoors.
Do your own research and choose a tool that suits you. But don't try to save time by using the same simple or worse passwords in multiple places. Make sure you use strong passwords, or the time you save may cost you dearly.
Even with these tools, if your computer is infected with a virus, you will still be compromised. So, make sure your computer has good antivirus software.
Enable 2FA
I strongly recommend enabling 2FA (two-factor authentication) on your Binance account right after registering, if you haven't already. Because the codes are generated on your phone from a secret that only your phone and the exchange hold, 2FA limits the damage if your email and password are stolen.
However, 2FA does not protect you from all attacks. If your computer is infected with malware, the malware that steals your email and password can also monitor your keystrokes when you enter the 2FA code and steal that code. You may interact with a phishing site, enter your email and password, and then enter the 2FA code on the fake site. The hackers can then use this information to log in to your real Binance account. There are many possible scenarios, and we cannot list them all.
Set Up U2F
U2F (Universal 2nd Factor) is a hardware-key standard. Rather than producing a time-based code, the key signs a challenge from the website with a key pair bound to that site's domain, and the private key never leaves the device. Yubikey is the de facto standard device in this space.
U2F has three main advantages. First, it is hardware-based, so it is almost impossible to steal the keys stored on the device. Second, it is domain-specific: the browser passes the site's real domain to the key, so a signature obtained by a phishing site is useless on the real site, which protects you even if you accidentally interact with one. Third, it is easy to use: you just carry the key with you and touch it when prompted.
For these reasons, I recommend binding a Yubikey to your Binance account. It provides one of the best protections against hackers.
You should also bind your Yubikey to your Gmail, password manager, and other accounts to secure them.
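The difference between the two sections above, a TOTP code that a phishing page can relay and an origin-bound U2F assertion that it cannot, is easiest to see in code. The following is an added example, not Binance's or Yubico's code: `totp` implements RFC 6238 exactly, while `Authenticator` and `OriginBoundServer` are a deliberately simplified model of U2F/WebAuthn that uses HMAC where a real key uses a per-site ECDSA key pair (so the server here holds a shared credential key rather than a public key). The domain `binance-login.example` and all secrets are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not from the article: why a relayed TOTP code works for the
# attacker and a relayed origin-bound assertion does not.


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpServer:
    """Verifies codes, tolerating +/- one step of clock drift (common practice)."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret, self.step, self.drift = secret, step, drift_steps

    def verify(self, code: str, now: int) -> bool:
        for k in range(-self.drift, self.drift + 1):
            if hmac.compare_digest(totp(self.secret, now + k * self.step, self.step), code):
                return True
        return False


class Authenticator:
    """Stand-in for a U2F/WebAuthn key. A real device signs with a per-site
    ECDSA key pair; HMAC is used here so the model runs on the stdlib alone.
    rp_id is supplied by the *browser* from the page's real origin."""

    def __init__(self, master: bytes):
        self.master = master

    def credential_key(self, rp_id: str) -> bytes:
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, challenge: bytes) -> bytes:
        msg = hashlib.sha256(rp_id.encode()).digest() + challenge
        return hmac.new(self.credential_key(rp_id), msg, hashlib.sha256).digest()


class OriginBoundServer:
    """Relying party for one origin; in the real protocol it stores a public key."""

    def __init__(self, rp_id: str, credential_key: bytes):
        self.rp_id, self.credential_key = rp_id, credential_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        msg = hashlib.sha256(self.rp_id.encode()).digest() + challenge
        expected = hmac.new(self.credential_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


REAL_SITE = "binance.com"
PHISH_SITE = "binance-login.example"  # constructed lookalike, not a real domain


def phish_relays_totp(shared_secret: bytes, now: int) -> bool:
    """Victim types a live TOTP code into the phishing page; attacker replays it."""
    server = TotpServer(shared_secret)
    stolen_code = totp(shared_secret, now)       # what the victim's phone shows
    return server.verify(stolen_code, now + 20)  # replayed 20 seconds later


def phish_relays_origin_bound(master: bytes) -> bool:
    """Same relay against an origin-bound key: the browser tells the key it is on
    PHISH_SITE, so the assertion can never verify for REAL_SITE."""
    key = Authenticator(master)
    server = OriginBoundServer(REAL_SITE, key.credential_key(REAL_SITE))  # registered earlier
    challenge = server.new_challenge()           # phishing page forwards the real challenge
    stolen_assertion = key.sign(PHISH_SITE, challenge)
    return server.verify(challenge, stolen_assertion)


if __name__ == "__main__":
    print("TOTP relay accepted:", phish_relays_totp(b"constructed-totp-secret", 1_700_000_000))
    print("U2F relay accepted: ", phish_relays_origin_bound(b"constructed-device-master"))
```

The property that matters is in `Authenticator.sign`: the browser, not the page, supplies `rp_id`, so an assertion collected on the lookalike site is computed under a different credential and over a different message, and `OriginBoundServer.verify` for the real origin rejects it. TOTP has no origin in its input at all, which is why the relay in `phish_relays_totp` succeeds inside the drift window.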
Stop Using SMS Verification
SMS verification was once widely promoted, but with the increase in SIM swap incidents, we recommend you no longer use SMS verification and instead rely more on the 2FA or U2F methods mentioned above.
Set Up a Withdrawal Address Whitelist
We strongly recommend you use Binance's withdrawal whitelist feature. This feature allows you to quickly withdraw to approved addresses and makes it difficult for hackers to add new withdrawal addresses.
Enable the 24-hour waiting period for newly whitelisted addresses. Then if a hacker tries to add a new address, you are notified and have 24 hours to cancel it before it can be used.
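As an added example (not Binance's implementation), here is the logic such a whitelist needs, written in Python with illustrative names: a newly added address sits in a pending state for the delay, re-adding an address never shortens its remaining wait, the owner can cancel a pending address during the window, and addresses are compared the way the chain compares them. `ACTIVATION_DELAY_SECONDS` and the sample addresses are constructed.

```python
from dataclasses import dataclass, field

# Added example, not Binance's code: a withdrawal whitelist with a 24-hour
# activation delay for new addresses.
ACTIVATION_DELAY_SECONDS = 24 * 60 * 60


def normalize(chain: str, address: str) -> tuple[str, str]:
    """Compare addresses the way the chain does. EVM hex addresses are
    case-insensitive (EIP-55 mixed case is only a checksum); Bitcoin base58
    is case-sensitive, so no folding there: a mismatch fails closed."""
    address = address.strip()
    if chain == "eth":
        address = address.lower()
    return (chain, address)


@dataclass
class WithdrawalWhitelist:
    delay: int = ACTIVATION_DELAY_SECONDS
    # (chain, address) -> Unix time at which withdrawals to it become allowed
    entries: dict = field(default_factory=dict)

    def add(self, chain: str, address: str, now: int) -> int:
        """Whitelist an address; returns its activation time."""
        key = normalize(chain, address)
        if key not in self.entries:  # re-adding must never shorten the wait
            self.entries[key] = now + self.delay
        return self.entries[key]

    def remove(self, chain: str, address: str) -> None:
        """Owner cancels a suspicious pending add (or retires an old address)."""
        self.entries.pop(normalize(chain, address), None)

    def check_withdrawal(self, chain: str, address: str, now: int) -> tuple[bool, str]:
        key = normalize(chain, address)
        if key not in self.entries:
            return False, "address not whitelisted"
        remaining = self.entries[key] - now
        if remaining > 0:
            return False, f"address pending activation for {remaining} more seconds"
        return True, "ok"

    def pending(self, now: int) -> list:
        """Addresses still inside the delay window: what the owner is notified about."""
        return sorted(k for k, t in self.entries.items() if t > now)


if __name__ == "__main__":
    wl = WithdrawalWhitelist()
    t0 = 1_700_000_000
    wl.add("eth", "0xAbCdEf0123456789aBcDeF0123456789AbCdEf01", t0)  # constructed
    print(wl.check_withdrawal("eth", "0xabcdef0123456789abcdef0123456789abcdef01", t0 + 3600))
    print(wl.check_withdrawal("eth", "0xabcdef0123456789abcdef0123456789abcdef01", t0 + 86400))
```

The notification in `pending` is the control that matters: the delay only helps if you actually see the alert and call `remove` before the window closes, which is why the alerting channel (email, app push) must itself be protected.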
API Security
Many of our users trade through APIs. Binance offers API key types that use asymmetric (public-key) signatures, such as Ed25519 and RSA key pairs, so Binance only needs your public key. You generate the key pair in your own environment and register the public key with the platform; we use it to verify that orders come from you, and we never hold your private key. You must protect that private key yourself.
You don't need to back up your API keys like you would for holding cryptocurrencies. If you lose your API keys, you can always create new ones. Just make sure no one else has your API keys.
Do not enable the withdrawal functionality on your API keys unless you really know what you are doing.
Complete L2 KYC
One of the best ways to keep your account secure is to complete L2 KYC (identity verification). This way, we can know what you look like. When our big data risk engine detects account anomalies, we can use advanced automated video verification.
This is also important in case you can no longer access your account. Binance can help family members access the accounts of deceased relatives after proper verification.
Physically Protect Your Devices
Again, keep your phone secure. You may have email apps, the Binance app, and 2FA codes on your phone. Do not root or jailbreak your phone, as this will greatly reduce its security. You should also maintain the physical security of your phone, setting appropriate screen locks. The same goes for other devices.
Beware of Phishing Attacks
Beware of phishing attacks. These attacks often come in the form of emails, SMS, or social media posts containing links to fake Binance websites. These sites will prompt you to enter your account credentials, which hackers will then use to access your real Binance account.
Defending against phishing attacks only requires vigilance. Do not click on links in emails or social media. Only access Binance by typing the URL or using a bookmark. Do not share your email with others. Do not use the same email on other websites. Be cautious when strangers (especially those named CZ or similar) suddenly contact you on platforms like Telegram, Instagram, etc.
If you follow the above recommendations, your Binance account should be relatively secure.
So, which is better?
I usually recommend people to use a combination of centralized exchanges and self-custody wallets. If you're not very tech-savvy, I suggest keeping most of your funds on Binance and having a personal spending wallet (like TrustWallet). If you're more technically inclined, you can adjust the fund allocation as needed.
Centralized exchanges occasionally undergo maintenance, and having an independent wallet is very convenient if you need to trade quickly.
If you follow the advice described here, you should be able to securely hold your funds, whether you hold them yourself or through a CEX like Binance.
Stay SAFU!
CZ