tierincome

Crypto basics — wallets, keys, transactions, scams


The minimum you need to know before staking, lending, or holding crypto without losing it to a phishing site, a clipboard hijack, or a forgotten seed phrase.

Why this skill matters

Crypto staking, lending, and DeFi yield products all assume you’ve solved one prerequisite: you can hold crypto without losing it to a mistake. That prerequisite is harder than the income strategies built on top of it. The number of EU and US retail investors who’ve lost five-figure crypto allocations to phishing sites, clipboard malware, fake support agents, or forgotten seed phrases is uncomfortably large — and almost all of it was preventable with 20-40 hours of basic education.

This is the minimum-viable curriculum.

What you actually need to know

1. The difference between custodial and self-custody. When your crypto sits on Coinbase, Kraken, or Binance, the exchange holds the keys. You log in with email and password; the exchange controls the underlying tokens. When you self-custody, you hold the keys; no third party can freeze, delist, or fail with your assets. Custodial is simpler; self-custody is genuinely yours. Most retail users should start custodial, learn the mechanics, and migrate part of the holdings to self-custody once comfortable.

2. Seed phrases are the actual asset. Self-custody wallets are protected by a 12- or 24-word “seed phrase” (also called a recovery phrase). Whoever knows the seed phrase owns the wallet — including its full balance, instantly, anywhere in the world. Two rules: write it down on paper or stamped metal, never store it digitally; never type it into any website or app except the one you’re recovering the wallet from.

3. Public addresses are public; private keys are not. Your wallet address (starts with 0x for Ethereum, 1 / 3 / bc1 for Bitcoin) is safe to share. It’s how you receive crypto. The private key behind it never leaves the wallet software. If anyone asks you for your “wallet password” or “private key,” it’s a scam — no legitimate service ever needs it.

4. Transactions are irreversible. Sending crypto to the wrong address is permanent. There is no chargeback, no customer service that can reverse it. Verify the destination address before signing every transaction. The standard scam pattern is malware that swaps a copied address with the attacker’s address on paste — always visually verify the first 6 and last 6 characters before approving.

5. Smart contracts you sign with can drain your wallet. When DeFi sites ask for “approval” to spend your tokens, you’re signing a contract that lets them transfer the tokens. Malicious contracts can be coded to drain everything once approved. Use a separate wallet for new DeFi sites; revoke approvals at revoke.cash quarterly.

Hardware wallets — when and why

A hardware wallet (Ledger, Trezor) holds your private keys on a physical device that never connects to the internet directly. To send crypto, the device signs the transaction internally and outputs the signed transaction; the private key itself never leaves the device.

When to use one:

  • Holdings above ~$1,000 USD-equivalent.
  • Long-term holdings (1+ year horizon) that aren’t actively traded.
  • Any time you’ve been targeted by a phishing attempt — the assumption is your software wallet is compromised, regardless of evidence.

The two rules of hardware wallets:

  1. Buy directly from the manufacturer, never from Amazon, eBay, or third-party resellers. Pre-tampered devices are a known attack vector.
  2. The seed phrase you generate during setup is the only backup. If you lose the device, the seed restores. If you lose both the device and the seed, the assets are gone.

Hardware wallets are the single highest-impact security improvement an active crypto user can make. The ~$80-150 one-time cost is trivial against any non-trivial holding.

The scam patterns that actually drain accounts in 2026

Phishing sites that look like real exchanges or DeFi protocols. Attackers buy ad placements on Google for keywords like “Coinbase login,” “Uniswap,” “Lido staking.” The fake site looks identical; you log in or connect your wallet, and credentials/approvals are captured. Defense: bookmark the real URLs, never click ads for crypto-related searches.

“Support agent” DMs on Telegram and Discord. No legitimate exchange or protocol contacts users via Telegram or Discord DMs. Any DM offering to “help with your stuck transaction” or “verify your account” is a scam. Block, don’t engage.

Wallet drainers in malicious dApps. Connecting your wallet to a new DeFi site and signing a “free mint” or “claim airdrop” transaction can grant the dApp full spending approval over your tokens. Defense: use a dedicated “burner” wallet with minimal funds for experimenting with new dApps; revoke approvals you don’t need.
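What an approval looks like at the byte level, for item 5 above and for the drainer pattern just described. This is an added example, not code from this page or from any wallet: it decodes the hex calldata of a signing request and labels the two standard approval calls. The function name `describe_calldata` and the sample spender address are assumptions made for illustration.

```python
# Function selectors: the first 4 bytes of the calldata name the function.
APPROVE = bytes.fromhex("095ea7b3")               # ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # NFT setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def describe_calldata(data: str) -> dict:
    """Classify the hex calldata of a signing request (hypothetical helper)."""
    data = data.strip()
    if data[:2].lower() == "0x":
        data = data[2:]
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return {"kind": "other"}
    selector, args = raw[:4], raw[4:]
    # Both calls take exactly two 32-byte arguments.
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 64:
        return {"kind": "other"}
    party = "0x" + args[12:32].hex()          # address = low 20 bytes of word 0
    value = int.from_bytes(args[32:], "big")  # amount, or a boolean flag
    if selector == APPROVE:
        if value == 0:
            risk = "revoke"       # allowance set back to zero
        elif value == MAX_UINT256:
            risk = "unlimited"    # spender may move the whole token balance
        else:
            risk = "limited"      # still check that the amount is what you expect
        return {"kind": "approve", "spender": party, "amount": value, "risk": risk}
    risk = "all-tokens" if value else "revoke"
    return {"kind": "setApprovalForAll", "operator": party, "risk": risk}

# Constructed samples; the spender is a made-up address, not a real contract.
SPENDER = "ab" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
SAMPLE_REVOKE = "0x095ea7b3" + "00" * 12 + SPENDER + "00" * 32
SAMPLE_NFT_ALL = "0xa22cb465" + "00" * 12 + SPENDER + "00" * 31 + "01"

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_REVOKE, SAMPLE_NFT_ALL):
        print(describe_calldata(sample))
```

A prompt labelled “free mint” or “claim airdrop” whose calldata decodes to `unlimited` or `all-tokens` is granting spending rights, whatever the site's button says.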

Clipboard hijacking malware. When you copy a crypto address to your clipboard, malware can detect the format and replace it with the attacker’s address. Defense: visually verify the first 6 and last 6 characters of every recipient address before signing the transaction.

SIM-swap attacks on 2FA-protected exchange accounts. Attackers convince mobile carriers to port your phone number, then use SMS-based 2FA to take over exchange accounts. Defense: use authenticator apps (Authy, Google Authenticator) or hardware keys like YubiKey for 2FA, never SMS.

Fake KYC / “account verification” emails. Scam emails impersonating Coinbase, Binance, or banks ask you to verify your account by clicking a link. The link leads to a phishing site. Defense: log in directly via the bookmarked URL; never click links in unsolicited emails.

  1. Open a Coinbase or Kraken account for fiat on/off-ramp and beginner staking. Use email + authenticator-app 2FA (not SMS).
  2. Download MetaMask or Rabby as your first software wallet. Practice sending small amounts between your exchange account and the wallet.
  3. Buy a hardware wallet (Ledger Nano X or Trezor Model T) once your total holdings exceed $500. Move the long-term portion of your crypto to the hardware wallet.
  4. Bookmark real URLs for every service you use. Never search Google for them again.
  5. Set up address whitelisting on the exchange. Most exchanges allow you to whitelist specific withdrawal addresses with a 24-hour cooldown for adding new ones — this single setting blocks most stolen-credential attacks.

What does NOT work

  • Memorizing your seed phrase instead of writing it down. People forget; phrases get permanently lost. Paper or stamped metal in a fire-safe location is the only viable backup.
  • Storing seed phrases in password managers. This converts the protection model from “physical access to paper” to “compromised computer.” Either is fine for low-value wallets; for serious holdings, paper.
  • Using the same wallet for spot trading, staking, and DeFi experiments. A drainer contract from a single bad signing wipes the whole wallet. Separate the spot wallet, the staking wallet, and the experimentation wallet.
  • Trusting hardware wallets bought used or from unknown sellers. Pre-tampered devices are a known attack pattern. Only purchase from the manufacturer.

What to learn next

Once the basics are second nature, the next layer of skill is reading smart-contract approvals before signing them, understanding DeFi protocol mechanics (liquidity pools, lending markets, liquid staking), and evaluating new tokens beyond price action. The /skills/investing-fundamentals page covers the financial-analysis side; the /best/ guide on crypto staking platforms is the natural first income-strategy page after this one.

The best crypto-security upgrade most retail users can make is two hours of careful reading of the resources above and the $79 hardware-wallet purchase. That’s the entire prerequisite for participating in crypto income strategies safely.

Where to learn it

The resources we'd actually use, sorted by type. Affiliate links are tracked through /go/[slug].

Tutorials (1)

ledger.com

Hardware-wallet-specific security guides. Ignore the Ledger product pages; the educational content is genuinely useful and applies to any hardware wallet.

YouTubes (2)

youtube.com

Best news + analysis channel for staying current on the crypto landscape. UK-domiciled, less promotional than US channels, focuses on fundamentals and regulatory developments.

Tools (2)

$79-149 one-time. One-time setup, lifetime use. ledger.com

Industry-standard hardware wallet for retail. Trezor is the alternative; both are fine. Buying directly from the manufacturer (never Amazon resellers) is mandatory for security.