Staying Safe in Web3: How not to Get Hacked

In crypto, risk is part of the ride. We’ve all seen the swings — and most of us are okay with them.

But there’s one risk you should never get used to: getting hacked.

We think of hacks as genius-level exploits or black-hat wizardry. But usually it’s a small oversight: a rushed approval, a click on the wrong link, trusting too fast.

So how do you stay safe without reaching for the tinfoil hat?

In this article, we’ll break down the most common ways people get hacked in crypto and the easiest ways to protect yourself against them.

Know What You’re Signing — Every Single Time

To most people, signing a transaction simply means “send tokens”. In fact, that’s not always the case. Connecting a wallet normally gives a dapp only limited permissions, such as viewing balances and proposing transactions. But a token approval is different: by signing it, you may be giving a dapp permission to spend tokens on your behalf, often without limits and without any further prompt.

That’s not a bug. It’s how approvals work: once you approve a contract, it can move the approved assets until you manually revoke the allowance. And that’s what attackers exploit.

According to Hackdrain, phishing scams and malicious dapps caused losses of over $1.4B in 2024 — and many of those were the result of users signing malicious token approvals.

Figure: YTD losses (source: Immunefi)

But there are also ways to counter this type of attack.

Best practices:

  • Stick to trusted protocols. If a random site is asking for token approval, pause and reconsider.
  • Use tools like Rabby Wallet or Blowfish that simulate what you’re signing.
  • Regularly revoke old approvals with tools like Revoke.cash.

Segment Your Wallets — Don’t Put All Your Crypto in One Basket

Keeping all your assets in one wallet is convenient, but it also means that one compromise can cost you everything. One of the most effective practices in Web3 security is separating wallets by purpose. This limits the damage if any one wallet is ever compromised.

According to Chainalysis, over $12 billion was lost to hacks and scams in 2024. In most cases, the victims were individual users who approved malicious transactions or interacted with unverified dapps.

When assets are spread across several wallets with different purposes, exposure stays small and isolated. It’s a simple habit that adds an extra layer of protection across all your crypto activity. For instance, you might keep separate wallets for storage, trading and testing.

What wallet diversification could look like:

1. Main wallet = your vault. Long-term storage for high-value assets. Use a hardware wallet (Ledger, Trezor, etc.) with minimal online exposure. ✅ Best for: holding, not touching.

2. Hot wallet = your spending account. Small balances for daily use — perfect for DeFi, dapps, IDOs, mints, and short-term moves. ✅ Best for: fast access and flexibility.

3. Test wallet = your sandbox. Use this for new or unverified projects. Keep it isolated from your main stack. ✅ Best for: exploring safely without putting everything at risk.

Two-Factor Authentication: Yes, But Not All 2FA Is Equal

Using SMS-based two-factor authentication (2FA) offers decent protection, but in the context of crypto, it’s not considered secure enough. One of the most dangerous attack methods in Web3 is the SIM swap — where an attacker convinces a mobile provider to transfer your phone number to their SIM card. Once successful, the hacker can intercept SMS codes, reset passwords, and gain access to exchange accounts, wallets, and email.

According to the FBI’s Internet Crime Report, SIM swapping led to more than $72 million in reported losses in the U.S. in 2022. Many of those affected were crypto users.

If you want stronger protection, use app-based 2FA such as Google Authenticator. These apps generate codes directly on your device, without relying on SMS delivery, so a SIM swapper has nothing to intercept. For additional security, consider a hardware 2FA device: basically a physical key that verifies access and blocks unauthorized logins.

Figure: various 2FA tokens

Treat Links and DMs with Extreme Caution

It won’t come as a surprise that messages on Discord, Telegram, X, and email are a common entry point for social engineering attacks. Attackers often impersonate trusted projects, clone official profiles, or hijack official accounts to appear legitimate.

Over 50% of major phishing incidents in Web3 during 2023 started as a friendly message or an interaction with a fake support team. Attackers send links to fake airdrops, urgent updates, or requests to verify wallet access — all framed as urgent and needing quick action, leaving no time for a careful review.

One such case occurred in July 2022, when over $8 million was stolen through a fake Uniswap airdrop promoted via Twitter DMs and Discord messages. The phishing site was designed to look just like the real interface, and a single approval was all it took to be drained.

That’s why, to reduce risk, it’s important to verify domain names carefully before interacting with any website. Some phishing sites even pre-fill users’ wallet addresses to appear authentic.

Figure: fake Uniswap allocation page (source: PCrisk)

Stay Updated

Even widely used and reputable crypto tools can be exposed to risk — not always through direct zero-day hacks, but via supply chain attacks. In these cases, the compromise doesn’t happen at the user level, but during the software development or update process.

What is a supply chain attack?

In Web3, a supply chain attack typically involves a malicious actor injecting harmful code into a third-party dependency — such as an npm (Node Package Manager) package — used by wallets, dApps, or browser extensions. If the malicious update is published and integrated, the malware reaches devices through routine software updates without developers or end users noticing.

Example:

In July 2023, a widely used component called Ledger’s ConnectKit was compromised. The attacker uploaded a modified version of the npm package, which was then integrated into multiple dApps. For several hours, users risked unknowingly interacting with malicious contract approvals before the issue was identified and resolved.

You can easily reduce supply chain attack risks by:

  • Regularly updating wallets, extensions, and security tools
  • Limiting installed apps and browser extensions to only those that are necessary and trusted

Security Should Be Built-In

Security in Web3 should be built into the tools you use — not something that requires constant effort from the user. Kolo is developed with a security-first approach, with protective measures at every layer of the user experience.

What’s inside Kolo:

  • Web3-native wallet protection, such as 2FA, clear transaction previews and an allowance scanner
  • Card-level safeguards, including fraud detection, configurable spending limits, and the ability to freeze your card at any moment
  • Audited and compliant with global regulations — so you can always be sure that your funds are safe and sound wherever you are.

Final Thoughts

Crypto gives you freedom, but that also means protecting yourself.

In 2023, users lost over $1.7 billion to phishing and wallet drains. Most of it wasn’t from advanced hacks — just small mistakes. On top of that, $72 million was stolen via SIM-swap attacks. All of it was avoidable with just a few simple steps.

Let’s summarize the key principles:

  • ✅ Review what you’re signing
  • ✅ Use different wallets for different tasks
  • ✅ Store your keys offline
  • ✅ Use app- or hardware-based 2FA
  • ✅ Be careful with links, DMs, and airdrops
  • ✅ Keep your tools updated

These habits don’t take much time, but they protect everything you’ve built.