
Module 01 — Security, wallets and custody

Goal: before buying a single euro of crypto, know how to keep it safe. In crypto there is no bank to reverse transactions and no support phone line to recover your funds. One mistake = total, irreversible loss.


1. Custody: the most important decision

| Type | Who holds the keys | Main risk |
|---|---|---|
| Custodial (exchange: Binance, Coinbase, Kraken) | The exchange | Exchange bankruptcy/hack (Mt.Gox 2014, FTX 2022) |
| Self-custody (your own wallet) | You | Yourself: losing the seed, signing something malicious |

Practical rule:

  • Small amounts / active trading → a regulated exchange is fine.
  • Serious long-term savings → self-custody with a hardware wallet.
  • "Not your keys, not your coins": whatever sits on an exchange is legally an entry in their database, not yours.

2. Types of wallet

| Type | Examples | Use |
|---|---|---|
| Hardware (cold) | Ledger, Trezor | Long-term savings. Keys never touch the internet |
| Software (hot) | MetaMask, Rabby, Phantom | Interacting with DeFi/dApps. Only "everyday use" amounts |
| Exchange (custodial) | Account on Binance/Kraken | Buying/selling, trading |

2.5 Public address vs private key: the mailbox and the key

Think of your wallet as a transparent mailbox. The ADDRESS (something like 0x71C7...9F3a, or bc1q... on Bitcoin) is like the mailbox number: you hand it out freely to anyone who wants to send you money, just like you give out your bank account number so people can transfer to you. Anyone can SEE how much is inside (the blockchain is public), but no one can open it without the key. The SEED PHRASE / private key is the only key to the mailbox: whoever has it empties it. That is why you share the address without fear and never the seed.

| What it is | What it's for | Is it shared? |
|---|---|---|
| Public address | Receiving funds | ✅ YES, share it, no problem |
| Private key / seed | Controlling and moving the funds | ❌ NEVER shared or written down digitally |
| Balance and transactions | They are public on the blockchain | 👀 Anyone can see them with your address (privacy ≠ secrecy) |

Memory trick

The ADDRESS is the short string you can paste into a chat; the SEED is 12-24 words that live only on your paper. If anyone ever asks you for the 12-24 words "to send you money", it's a scam: to receive, all you need is your address.

Careful: the address isn't the only thing that matters

The same coin can live on different networks. Sending to the wrong network is like mailing a package: even if the street has the same name, if you send it to the wrong city it won't arrive — and here there's no mail carrier to return it. More detail in section 5.

3. The seed phrase

When you create a self-custody wallet you receive 12 or 24 words (the BIP-39 standard). Those words ARE your money: anyone with them can empty your wallet from any device in the world.

Absolute rules:

  1. Write it on paper (or a metal plate). NEVER digital: no photo, no phone note, no email, no cloud password manager, no "Telegram draft".
  2. No legitimate party will EVER ask you for it. Not "Ledger support", not "MetaMask support", not an airdrop. Whoever asks for it is a scam. No exceptions.
  3. Keep a copy in a second physical location (a relative's house, a safe).
  4. Test it: restore the wallet on another device before putting serious funds in.

3.5 Signing and approving: how they empty you WITHOUT your seed

Here is the misunderstanding that ruins more beginners than any other: they think that with the seed safely stored on paper they are untouchable. False. The most common theft TODAY doesn't need your seed at all.

Analogy: connecting your wallet to a website is like giving a valet the keys to your car — they don't own the car, but they can drive it as long as you leave them the key. And an "approval / allowance" goes further: it's like signing a permanent permission for a store to charge your card whenever it wants and for whatever amount it wants. When that permission says "Unlimited", you are giving it free rein to empty your entire account, as many times as it likes.

The attack flow, step by step:

  1. You go to a fake "airdrop" website (it came to you via DM, Twitter or an ad).
  2. You click "Claim".
  3. A MetaMask popup appears asking you to "Sign" or "Approve".
  4. You accept without reading, in a hurry to claim the prize.
  5. What you signed was a permission for a scammer's contract to move your USDT or your NFTs.
  6. Seconds later your wallet is empty… and your seed never left the paper. No one asked you for it. You were robbed because YOU authorized the transfer.

Actionable defense before signing

  1. ALWAYS read what the popup is asking for: which token, what amount. If you see "Unlimited" → 🚩 red flag.
  2. Use Rabby instead of MetaMask: it simulates the transaction and shows you the result ("you're going to lose X USDT") BEFORE you sign.
  3. If an NFT transaction shows "Set Approval For All" → STOP. That grants permission over your ENTIRE collection.
  4. Review and revoke old permissions at revoke.cash periodically.
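What "Approve" and "Set Approval For All" actually put in front of you, as an added example that is not part of the course material: it decodes the raw calldata behind such a popup and flags the two dangerous cases from the list above. The two function selectors are the standard ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)` ones; the spender address is a constructed placeholder.

```python
SELECTORS = {
    # 4-byte selector = first 4 bytes of keccak256(signature); these two are well known
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}
UINT256_MAX = 2**256 - 1  # wallets display this as "Unlimited"


def decode_approval(calldata_hex: str) -> dict:
    """Decode an approve / setApprovalForAll call and list the red flags it carries."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector, args = data[:4], data[4:]
    name = SELECTORS.get(selector)
    if name is None or len(args) != 64:
        return {"function": "unknown", "flags": ["cannot decode: do not sign blind"]}
    # ABI encoding: every argument is padded to 32 bytes; an address is the last 20 of them
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:64], "big")
    flags = []
    if name.startswith("approve"):
        if value == UINT256_MAX:
            flags.append("UNLIMITED allowance: the spender can drain the whole token balance")
        return {"function": name, "spender": spender, "amount": value, "flags": flags}
    approved = value == 1  # the bool argument of setApprovalForAll
    if approved:
        flags.append("setApprovalForAll(true): operator controls EVERY token in the collection")
    return {"function": name, "operator": spender, "approved": approved, "flags": flags}


def encode_call(selector_hex: str, address: str, value: int) -> str:
    """Build sample calldata the way a wallet would submit it (constructed test input)."""
    addr = bytes.fromhex(address.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector_hex + addr.hex() + value.to_bytes(32, "big").hex()


# Constructed placeholder for the scammer's contract; not a real address
SCAMMER = "0x" + "de" * 20
UNLIMITED_APPROVE = encode_call("095ea7b3", SCAMMER, UINT256_MAX)
BOUNDED_APPROVE = encode_call("095ea7b3", SCAMMER, 50 * 10**6)  # 50 USDT (6 decimals)
APPROVE_ALL_NFTS = encode_call("a22cb465", SCAMMER, 1)

if __name__ == "__main__":
    for calldata in (UNLIMITED_APPROVE, BOUNDED_APPROVE, APPROVE_ALL_NFTS):
        print(decode_approval(calldata))
```

The bounded approval (50 USDT to one spender) is what a legitimate swap should ask for; the other two are the patterns that empty wallets without ever touching the seed.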

The phrase you have to burn into your memory

Your seed on paper protects you from having your whole wallet stolen; approvals protect you from authorizing the theft YOURSELF. You need both.

4. Common scams (you'll see them ALL)

| Scam | How it works | Defense |
|---|---|---|
| Phishing | Website/email identical to your exchange or wallet | Use browser bookmarks; never click links from emails/DMs |
| Fake support | "I'm from X support, give me your seed so I can help you" | Real support NEVER asks for your seed and never messages you first |
| Malicious approvals | You sign a transaction that grants a contract permission to empty your wallet | Read what you sign; use Rabby (it simulates transactions); revoke permissions at revoke.cash |
| Rug pull | New token, the creators pull the liquidity and disappear | Don't buy freshly created tokens without an audit/track record |
| Pump & dump | A group inflates a price and sells to those who enter late | Distrust "signals" and Telegram groups |
| Fake giveaway | "Send 1 ETH and I'll send you back 2" (with Elon Musk's face) | Nobody gives away money. Ever |
| SIM swapping | They steal your phone number and reset your accounts | 2FA with an app (not SMS) or a physical key |

5. Minimum security hygiene

  • 2FA on everything, with an app (Aegis, Google Authenticator) or a physical key (YubiKey). Not SMS (SIM swapping).
  • A dedicated email just for crypto, not reused anywhere.
  • Unique passwords (a password manager).
  • A whitelist of withdrawal addresses on the exchange.
  • A small test transaction before any large transfer.
  • ALWAYS verify the first and last 4 characters of an address before sending (there is malware that swaps addresses on the clipboard).
  • Verify the NETWORK, not just the address. The same coin exists on several networks (e.g. USDT lives on Ethereum/ERC-20, Tron/TRC-20 and BSC/BEP-20). An address may "look valid" but belong to a different network. If you withdraw from an exchange or send to a friend, the SOURCE network and the DESTINATION network must match exactly. Sending over the wrong network = funds lost forever, with no support to recover them. When in doubt, do a small test transaction first.
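Why "the address looks valid" is not enough, as an added example that is not part of the course: a pre-send check covering the three USDT networks named above. It can BLOCK a Tron-format address sent over an EVM network, but it can only WARN for a 0x address, because Ethereum and BSC use the identical address format and no check can tell them apart. The addresses in the test are constructed, not real.

```python
import re

# Networks that share the identical 20-byte "0x..." EVM address format
EVM_NETWORKS = {"Ethereum (ERC-20)", "BSC (BEP-20)"}
# Tron mainnet addresses: 34 base58 characters starting with "T"
TRON_NETWORKS = {"Tron (TRC-20)"}
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"


def networks_compatible_with(address: str) -> set:
    """Return every network from this section on which the address is syntactically valid."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", address):
        return set(EVM_NETWORKS)
    if re.fullmatch(r"T" + BASE58 + r"{33}", address):
        return set(TRON_NETWORKS)
    return set()  # Bitcoin-style or garbled input: none of the USDT networks above


def withdrawal_check(address: str, chosen_network: str) -> str:
    """Compare the destination address format with the network chosen on the withdrawal form."""
    compatible = networks_compatible_with(address)
    if chosen_network not in compatible:
        return "BLOCK: address format does not belong to the chosen network"
    if len(compatible) > 1:
        # Format is ambiguous: only the recipient can confirm which network they use
        return ("WARN: format is valid on %d networks; confirm %s with the recipient "
                "and send a small test first" % (len(compatible), chosen_network))
    return "OK: the address format uniquely identifies this network"
```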

Exercises

  1. Install MetaMask or Rabby in a browser. Create a wallet, write the seed on paper, delete it from the browser and restore it from the paper. (No real funds; it's practice.)
  2. Get testnet ETH (Sepolia) from a free faucet and make a test transaction between two of your own addresses. Look it up on sepolia.etherscan.io.
  3. Turn on app-based 2FA for your main email today.
  4. Visit revoke.cash and understand what it shows (you won't have any approvals yet; you'll come back here in module 6). First review section 3.5 to understand what those approvals are and why you revoke them.

Checkpoint ✅

  1. What does "not your keys, not your coins" mean, and what happened to FTX's customers?
  2. Three places where you should NEVER store your seed phrase?
  3. Why is SMS-based 2FA a bad idea?
  4. "Ledger support" messages you asking to verify your seed because of a hack. What do you do?
  5. When does it make sense to leave funds on an exchange vs a hardware wallet?
  6. A friend wants to send you 20 USDT. What exactly do you give them, and what do you NEVER give them?
  7. You're about to withdraw USDT from an exchange to a friend's wallet. What must you confirm besides the address, and why?
  8. You connect your wallet to a website and it asks you to "Approve unlimited spending of USDT". What does that mean and what do you do?

→ Next: Module 02 — Markets and exchanges