How Investors Can Keep Crypto Assets Safe

It’s too easy to lose everything. Here’s a guide to where—and how—to store digital currencies, NFTs and more.


As crypto assets gain popularity with everyday investors, keeping them safe takes on increased importance.
One of the obstacles to doing that, though, is that with crypto assets—such as digital currencies and NFTs—there’s nothing physical to hold onto. Often, you must depend on a code, known as a key, to gain access to your holdings, and if you lose that key, or if it’s stolen, the assets are gone.
Another issue is that scammers are actively coming up with new ways to steal crypto assets. Cryptocurrency-based crime soared to a new high last year, with scammers garnering $14 billion in total cryptocurrency value, up from $7.8 billion in 2020, according to data provider Chainalysis.
No matter how much precaution you take, there’s never a 100% guarantee your crypto assets will be safe. Still, there are several best practices that industry experts recommend.
Choose the right type of storage
There are multiple options to store crypto assets, and how you go about it depends largely on factors such as how often you trade and how much crypto you hold. One option is the custodian method. This is where companies like Coinbase Custody and Gemini are in charge of securely storing your funds, similar to how a bank keeps your money in a checking or savings account. These services are known as custodial wallets, and they take charge of your private keys—long, randomly generated passwords made up of numbers and letters—that allow crypto transactions to occur. You log in to your account with an email and password—ideally with multifactor authentication set up—and
you’re good to buy, sell and trade crypto.

These custodian services charge an annual custody fee that generally runs less than 1% of the assets under custody, and there may be other fees related to account setup and withdrawals. All of these costs can eat into your profits, and there’s always the possibility that these services can be hacked or go bankrupt.

Still, custodians offer an easy entry point for beginners and those who don’t want the responsibility of having to keep track of their private keys or much more than a password. “Ultimately, you’re trusting that third party to behave reputably,” says David L. Yermack, the Albert Fingerhut professor of finance and business transformation at the NYU Stern School of Business.
Another option is a self-custody, or noncustodial, wallet, which means there’s no third party holding your private keys. With noncustodial wallets, you’re responsible for holding on to the sensitive information used to access your crypto and for keeping it safe from prying eyes, Dr. Yermack says.
Many experts recommend storing private keys on a small piece of hardware that plugs into your computer, similar to a USB drive. Your actual holdings, meanwhile, are stored on the blockchain—where they can’t be accessed without your codes. That also means you don’t have to worry if you lose, break or damage the device.

Be aware, though, that a replacement device will let you gain access to your holdings only if you have your recovery seed—a security method used on hardware wallets that acts as a kind of master password to access your crypto. So you must be sure to safely store a copy of your seed—a string of 12 to 24 words—somewhere. Well-known hardware-wallet makers include Trezor and Ledger.

Spread out your holdings
Many experts say people who hold significant crypto assets should spread out their holdings. There’s no magic number, but the larger the holdings start to be as part of your net worth, the more you’re going to want to split them up and store the chunks in different places, says Steve Larsen, a certified financial planner and partner at Columbia Advisory Partners in Spokane, Wash., who also teaches classes in cryptocurrency at Gonzaga University.

One method involves using two wallets: a hot wallet, which is accessible online, to be used on a day-to-day basis for spending or trading; and a cold wallet, such as a piece of hardware, which remains offline. “The hot wallet is perhaps more vulnerable to theft. So you put just enough for your predicted expenses in that one,” says Damon McCoy, associate professor of computer science and engineering at New York University’s Tandon School of Engineering. “It’s a balancing act,” he says.
Safeguard your private keys
People who use self-custody for their crypto need to guard their private keys appropriately from theft and accidental loss. A popular recommendation is to write down your private keys on paper and store them in a secure place such as a fireproof safe, a safe-deposit box at a bank, or an offline computer with no Wi-Fi or internet access. And, as before, If you’ve got a hardware wallet, be sure to keep your seed phrase secure and back it up.
Don’t store this sensitive information on a computer connected to the internet, mobile
phone or the cloud, where it can be susceptible to hacking, says Howard Greenberg, President of the American Blockchain and Cryptocurrency Association. Also don’t take pictures of your keys or send them over email, which can also be vulnerable to cyber
thieves. “You really have to go old school,” he says.

For safekeeping, you might also consider splitting up a private key and distributing it among a few trusted individuals, though it’s advisable to have a backup plan in case one of the parts gets lost. You could also splinter your seed phrase.

“Just remember, the more complicated you make the retrieval process, the more likely you are to forget or lose something—and therefore lose access to your funds,” says Ben Weiss, chief executive and co-founder of CoinFlip, a bitcoin ATM operator.

There’s some debate among experts over whether crypto owners should use a password manager such as LastPass or KeePass, which many people use for storing passwords for all sorts of financial and online accounts. This decision can come down to personal comfort level with a particular password manager and how much crypto you hold. “I know that there are a lot of people who do this for convenience, and if you have two-factor authentication enabled, it is seen as ‘safe enough,’ ” says Adam Morris, co-founder of Crypto Head, a platform that helps crypto users learn about the industry. “But when dealing with potentially life savings, we wouldn’t recommend it.”

Consider tougher measures
When you’re using a custodian, experts recommend sticking with multifactor authentication—meaning you need more than just a password to verify your identity and access your account.

Many services allow you to authenticate your identity by text message, but Dr. McCoy recommends a software-based authenticator such as Google Authenticator or a U2F token, a physical device that allows users to securely access online services. This avoids the problem of SIM swapping, where scammers usurp a person’s phone number to gain access to their device and accounts.