Bitcoin · 11 min read

The Complete Crypto Security Checklist: Every Layer, One Page

Crypto security isn't one big decision — it's forty small habits across six layers. This is the whole system on one page, built to be audited twice a year.

HomeBlog › The Complete Crypto Security Checklist: Every Layer, One Page

The custody, exchange, and scam articles each built one wall; this article assembles the fortress and hands you the inspection clipboard — because crypto security fails at whichever layer you forgot, and the layers are six: the device, the accounts, the wallet, the transaction, the human, and the estate. The format is deliberate: a consolidated checklist you can audit against twice a year (the maintenance schedule at the end makes it a system rather than a reading), with each item carrying its one-line why — enough to act on, with the deep dives living in their own articles. The framing that governs everything: your security budget should match your holdings (the tier logic — a monthly-DCA beginner needs the basics; a family's savings-layer position needs the full page), and the attacker's economics are your ally when you use them: most crypto theft is opportunistic and automated, harvesting the unhardened — every layer you close removes you from an entire category of hunt.

Layers one and two: the device and the accounts

The device layer — the ground everything stands on: ☐ the phone and computer that touch crypto run current OS updates (the patched device defeats the commodity malware that harvests most victims); ☐ screen lock plus full-disk encryption on by default; ☐ no crypto operations on shared, work, or public computers, ever; ☐ no sideloaded apps or browser extensions on the crypto device beyond the vetted minimum (extension malware is a leading wallet-drainer vector — every extension is a resident with your browser's keys); ☐ a separate browser profile (or separate device, at higher tiers) for financial operations — the isolation that keeps a poisoned ad on a news site three rooms away from your exchange session; ☐ the SIM hardened (carrier PIN/port-freeze set — SIM-swapping remains the account-takeover workhorse, and one call to your carrier closes it). The account layer — exchanges and email: ☐ the email behind your exchange is its own fortress (unique password, hardware or app 2FA — it's the master key to every reset flow, and attackers know it before you do); ☐ every exchange account: unique password from a password manager, app-based or hardware-key 2FA, never SMS where any alternative exists; ☐ withdrawal address whitelisting enabled with time-locked changes (the single highest-value setting most users never find: a thief with your full credentials still can't send funds anywhere new without a waiting period you'll see); ☐ anti-phishing codes set so real exchange emails carry your chosen phrase; ☐ exchange balances capped at transit amounts per the airport doctrine — the account layer's honest summary being that its best defense is holding little worth taking there.

Layers three and four: the wallet and the transaction

The wallet layer — where the savings live: ☐ savings-tier holdings in self-custody on a hardware wallet bought new from the manufacturer (marketplace-resold devices are a known tampering vector); ☐ the device's firmware verified and updated through official channels only; ☐ the seed phrase written on paper or stamped in metal — never typed, photographed, cloud-noted, or password-managed (every digital copy is an attack surface, and seed-harvesting malware exists precisely because people ignore this); ☐ seed storage geographically split at higher tiers (the two-location logic from the storage articles), with the passphrase option (the "25th word") deployed knowingly or not at all (it's powerful protection and a self-inflicted loss vector in equal measure — the drill below decides); ☐ the recovery drill performed before real funds move (restore from your written seed onto a wiped or spare device once — the only way to know your backup works is to have used it, and the drill's failure in practice is the cheapest lesson in crypto); ☐ a small hot wallet for any active use, funded like a pocket, never like a vault. The transaction layer — where irreversibility bites: ☐ every address verified on the hardware wallet's own screen (malware swaps clipboard addresses; the device screen is the truth); ☐ the test-send habit for any new destination or meaningful amount (small first, confirm received, then the balance — the two-transaction tax that has saved fortunes); ☐ fee awareness per the fees article (urgency priced deliberately, not defaulted); ☐ no signing of transactions or messages you don't understand (the DeFi-era drainer signature — "approve" prompts that grant spending rights — is the modern robbery's pen: if you can't explain what a signature does, it doesn't get made); ☐ settled means settled internalized: crypto sent is cash handed over, which is why every checklist item upstream of the send button exists.

Layer five: the human — scams, social exposure, and physical security

The scam taxonomy, with tells (the perimeter that catches what technology can't): ☐ the impersonation family — "exchange support," "wallet team," government agents: no legitimate entity ever initiates contact asking you to move funds, share seeds, or install software — the sentence that defeats the entire category; ☐ the romance-and-rapport family ("pig butchering") — months of relationship building toward an investment platform showing fake gains: the tell is the trajectory (any online relationship that arrives at a trading platform was always about the platform); ☐ the giveaway-and-doubling family — celebrity streams, "send one get two": arithmetic theater, zero exceptions; ☐ the fake-platform family — cloned exchange sites, poisoned search ads, fake wallet apps: defeated by bookmarks (never search-navigate to financial sites), official app stores with publisher verification, and URL paranoia as a lifestyle; ☐ the urgency tell that unites them all — every scam manufactures time pressure, and the standing rule (nothing in crypto is so urgent it can't survive one hour and one consultation with a second person) breaks the mechanism itself. The social and physical layer: ☐ the discretion doctrine — holdings discussed with no one beyond need-to-know (the storage article's rule: most targeted attacks begin with talk, online or at dinners); ☐ social media hygiene — no posts linking your identity to holdings, gains, or platforms (the screenshot of your portfolio is a target dossier); ☐ home operational security for higher tiers — hardware wallets and seed storage unlabeled and unremarkable, the "wrench attack" reality priced honestly (physical coercion defeats every digital defense, which is why discretion outranks encryption, decoy wallets exist as a tier-three tool, and the largest holdings arguably belong partly in wrappers that can't be handed over at gunpoint — the multisig and institutional-custody logic at the top tiers); ☐ the household briefing — the people who share your home know the scam tells too (the attacker who can't fool you will try whoever answers the phone).

Layer six and the schedule: the estate, and the audit that keeps it all true

The estate layer — the loss vector that isn't theft: ☐ the inheritance letter exists (per the Bitcoin-inheritance article: what exists, where, and how to access — sealed, stored, findable), because un-inherited coins are the quiet giant of crypto loss and no hardware wallet defends against silence; ☐ access is actually recoverable by your intended people (the letter names the steps a non-technical heir can follow, ideally with a trusted technical contact designated); ☐ the letter's location is known to the right people without its contents being exposed; ☐ exchange and platform accounts' inheritance processes checked once (custodial holdings pass through their procedures — know them before your family must discover them). The maintenance schedule — because security is a state, not an event:semi-annually (the audit this page exists for): every checkbox re-verified, software and firmware updated, the whitelist and 2FA settings confirmed intact, exchange balances re-capped, one recovery-drill refresher at the savings tier; ☐ annually (the review day's security module): the tier assessment (holdings grew? the security budget grows with them — the position that outgrew its protections is the checklist's most common real-world failure), the inheritance letter re-verified against reality (devices moved? platforms changed? the letter that describes last year's setup protects no one), and the scam-taxonomy refresh (the families evolve; the tells don't — but the household briefing deserves its annual retelling); ☐ immediately, on any trigger — a device compromise, a platform breach notice, a seed-exposure doubt: the standing response is migration (new seed, new wallet, funds moved — seeds are cheap; doubt is expensive), executed calmly by the runbook rather than researched in the panic. The page's closing philosophy, earned across the whole series: none of this is paranoia priced against the asset class's actual loss statistics — it's forty cheap habits standing between an irreversible asset and a world of automated harvest, and the households that audit twice a year are, in the loss data, simply absent.

Frequently asked questions

This is overwhelming. What's the minimum viable version for a small monthly DCA?

Ten items cover the beginner tier: updated phone, carrier SIM lock, password manager, unique exchange password, app-based 2FA, the fortress email, bookmarked exchange URL, balances swept to a properly-seeded wallet quarterly (or a reputable custodial arrangement chosen knowingly at small scale), the no-contact-initiated-by-them rule internalized, and the one-hour urgency rule. That set defeats the automated and opportunistic layer that accounts for the bulk of small-holder losses — and the rest of the page phases in as the stack grows, per the tier logic: security scales with holdings, and the only real error is letting the second outgrow the first.

Hardware wallet or multisig or custodian — how do the top-tier options actually rank?

By failure mode, not by ideology: a single hardware wallet concentrates risk in one seed (mitigated by passphrase and split storage — strong for most households), multisig distributes it across keys (defeating single-point theft and coercion at the cost of real operational complexity — the tier for savings that would change your family's life), and institutional custody trades sovereignty for professional security and inheritance ease (the ETF-and-custodian lane, legitimate at any scale where its trade-offs are chosen knowingly). The honest matrix: most readers are best served by hardware-plus-drill at the core, custodial wrappers for the convenience slice, and multisig entering the conversation exactly when the sleep test says one seed shouldn't carry everything.

How do I run the recovery drill without risking my actual funds?

The safe sequence: with your real wallet intact and untouched, take a spare or wiped device (or your same model after noting the reset implications), restore from your written seed, and verify the restored wallet derives the same receiving addresses (comparing addresses proves the backup works without moving a coin). Variants by tier: beginners can drill on a fresh practice seed first to learn the flow risk-free; passphrase users must drill the passphrase path specifically (the classic disaster is a backed-up seed and a memorized-then-forgotten passphrase — the drill is where that gets discovered cheaply). Schedule it before the first significant deposit, and refresh at the semi-annual audit: a backup you've never restored from is a hypothesis, not a backup.

What's the single most common way people actually lose crypto?

The loss ledger, honestly ranked from the available data: self-custody failures (lost seeds, forgotten passphrases, un-inherited wallets) and scams (the taxonomy above, with romance/platform frauds leading by value) dwarf exchange hacks in the modern era, with platform insolvencies as the episodic third. Which reorders the fear productively: the drill, the letter, and the urgency rule protect against the actual leading causes; the hacker-in-a-hoodie of the popular imagination sits well down the list. Security anxiety aimed at movie threats while the seed sits photographed in a cloud album is the checklist's whole reason for existing as a page rather than a vibe.

Key takeaways

The closing image: two holders bought the same coins in the same year. One did security as a mood — the strong password from 2019, the seed in a photo 'just in case,' the balance on the platform because moving it felt hard, the DM from 'support' that arrived on a stressful Tuesday. The other did it as a page: forty boxes, two audits a year, one drill, one letter — three evenings of total lifetime effort. A decade later, one of them holds a story about how risky crypto is. The other holds the coins. The asset never distinguished between them for a single block. The clipboard did.

How Wajib AI helps

Security lives on a schedule, and Wajib AI keeps it: the semi-annual audit as a recurring reminder, holdings tracked wrapper by wrapper so exchange exposure stays visibly capped, the inheritance letter's review date on the calendar — and the discipline that protects more than any single tool: positions sized and documented so no bad day, digital or human, can reach the whole stack.

Download Wajib AI free and keep every commitment, price, and payment in one place.

Never miss a commitment again

Track installments, cheques, and recurring payments — with smart reminders and an AI assistant that understands your money.

Get Wajib AI Free