How to secure your crypto — The no-jargon guide (2026)

📋 In brief (TL;DR)
- In 2025, $3.4 billion in crypto was stolen — including $1.5B in the Bybit hack alone (the largest theft in history)
- 65% of thefts are caused by social engineering (phishing, scams) — not technical vulnerabilities
- France is the global epicenter of crypto kidnappings: 40+ cases since 2023, including Ledger’s co-founder (finger severed, $11M ransom)
- The 5 main threats: phishing (49% of losses), seed phrase theft, SIM swap, malicious approvals, fake wallet apps
- The best protection isn’t antivirus software — it’s a security model that eliminates the single point of failure: MPC, passkeys, or TEE + Shamir (no seed phrase to steal)
- Security checklist: app-based 2FA (never SMS), verify URLs, revoke permissions on revoke.cash, never share your screen with “support”
$3.4 billion stolen in 2025 — and it’s just the beginning
According to Chainalysis, $3.4 billion in cryptocurrency was stolen in 2025, across more than 158,000 incidents. That’s 55% more than in 2023. The Bybit hack in February 2025 — $1.5 billion siphoned by the Lazarus Group (North Korea) — is the largest crypto theft in history.
And here’s the number that should concern you: 65% of these thefts didn’t rely on technical vulnerabilities. No broken code, no sophisticated exploits. Just social engineering — people who clicked the wrong link, shared their seed phrase, or approved a transaction they didn’t understand.
This guide isn’t a cybersecurity course. It’s a practical playbook to avoid becoming a statistic.
The 5 threats you will encounter
Threat #1: Phishing — 49% of losses
Phishing is a fake site that looks exactly like the real one. A fake MetaMask, a fake Binance, a fake Uniswap. You enter your credentials or your seed phrase, and the attacker drains your wallet.
In 2024, $1.05 billion was stolen through phishing (CertiK). The “FreeDrain” campaign used 38,000 malicious subdomains impersonating legitimate wallet sites.
The most common variants:
- Fake emails — “Your account has been compromised — verify immediately” with a link to a cloned site
- Fake support on Discord, Telegram, Twitter — “Send us your seed phrase to resolve the issue”
- Google Ads placed above real results — you search for “MetaMask”, click an ad that leads to a fraudulent site
- Fake pop-ups — “Update your wallet” that ask for your seed phrase
The rule: no legitimate crypto company will ever ask for your seed phrase or private key. Ever. For any reason.
Threat #2: Seed phrase theft
Your seed phrase (12 or 24 words) is the master key to your wallet. Whoever has it controls everything — permanently and irreversibly.
How it gets stolen:
- Social engineering — fake support agents who ask you to “verify” your phrase
- OCR malware (SparkCat) — apps that scan your phone’s photo gallery looking for screenshots of seed phrases. 242,000+ downloads from official app stores
- Clipboard hijacking (GitVenom) — malware silently replaces the address you copy with the attacker’s address. 5 BTC (~$485,000) stolen in a single campaign
- Malicious browser extensions — $713 million lost through compromised extensions in 2025
The “free seed phrase” scam: a scammer posts a seed phrase on a forum or social media. You import it, thinking you’ve found a wallet with funds. You send gas to move the tokens, and the attacker — who controls the wallet — steals your gas instantly.
Threat #3: SIM swap
An attacker calls your phone carrier, impersonates you (using personal data found in leaks), and transfers your number to their SIM card. They then receive your texts — including your two-factor authentication codes.
In 2024, the FBI reported $28.4 million lost to crypto SIM swaps in the US. In the UK, SIM swaps increased by 1,055% between 2023 and 2024. T-Mobile was ordered to pay $33 million after a customer lost their crypto wallet through a SIM swap.
The problem: in 2024, 61% of crypto exchanges still used SMS as the default 2FA method.
The solution: never use SMS for crypto two-factor authentication. Use an authenticator app (Google Authenticator, Authy) or a hardware key (YubiKey).
Threat #4: Malicious approvals (token drainers)
When you use a DeFi protocol, you sign an approval that authorizes a smart contract to move your tokens. This is normal and necessary.
The problem: malicious sites request an unlimited approval. It looks like a normal transaction. You approve without reading. Days or weeks later, the attacker uses that permission to drain your entire wallet.
In 2024, $494 million was drained from 300,000+ wallets using this method (+67% vs 2023). The largest single drainer theft: $55.4 million. “Drainer-as-a-Service” kits are sold on the dark web, making the attack accessible to anyone.
The solution: regularly check your active permissions on revoke.cash and revoke any you don’t recognize.
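What you actually sign when a site requests an approval is a short piece of calldata, and the difference between a normal allowance and a drainer’s unlimited one is visible in it. The following is an added example, not code from this article or from any wallet vendor: it builds ERC-20 `approve` calldata the way a wallet would and decodes `approve` and NFT `setApprovalForAll` calls, flagging the unlimited case. The 4-byte selectors are the standard ones; the spender address is a constructed placeholder, and the `decimals` default of 18 is an assumption that depends on the token.

```python
MAX_UINT256 = 2**256 - 1
# Standard 4-byte selectors: first 4 bytes of keccak256 of the signature.
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155

# Constructed placeholder spender; a real one would be the dapp's router contract.
SPENDER = "0x1111111111111111111111111111111111111111"


def encode_approve(spender: str, amount: int) -> str:
    """Build the approve(spender, amount) calldata a wallet would ask you to sign."""
    spender_word = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + APPROVE + spender_word.hex() + amount.to_bytes(32, "big").hex()


def decode_approval(calldata: str, decimals: int = 18) -> dict:
    """Explain an approval call in plain terms and rate its risk.

    'high' means the spender gets unlimited (or all-NFT) access; 'normal' means a
    bounded amount. Anything that is not an approval is reported as 'other'."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other", "selector": selector, "risk": "unknown"}
    args = data[4:]
    # Both functions take exactly two 32-byte words; an address must be left-padded
    # with 12 zero bytes. Anything else is malformed and should not be signed.
    if len(args) != 64 or args[:12] != b"\x00" * 12:
        return {"kind": "malformed", "selector": selector, "risk": "high"}
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:64], "big")
    if selector == APPROVE:
        unlimited = value == MAX_UINT256
        human = "unlimited" if unlimited else f"{value / 10**decimals:g}"
        return {"kind": "approve", "spender": spender, "amount_raw": value,
                "amount_human": human, "unlimited": unlimited,
                "risk": "high" if unlimited else "normal"}
    granted = value == 1
    return {"kind": "setApprovalForAll", "spender": spender, "granted": granted,
            "risk": "high" if granted else "normal"}


if __name__ == "__main__":
    # What a swap normally needs: a bounded allowance, here 100 tokens with 18 decimals.
    print(decode_approval(encode_approve(SPENDER, 100 * 10**18)))
    # What a drainer asks for: the maximum uint256, i.e. every token you will ever hold.
    print(decode_approval(encode_approve(SPENDER, MAX_UINT256)))
```

The decoder only looks at the transaction you are about to sign. The permissions you already granted live on-chain in each token’s `allowance(owner, spender)` mapping, which is what revoke.cash reads for you; the fix for an old unlimited approval is a new `approve(spender, 0)`.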
Threat #5: Fake wallets
Clones of MetaMask, Phantom, and Trust Wallet circulate on app stores and the Chrome Web Store. They are visually identical to the real ones, complete with fake 5-star reviews. When you import your seed phrase, it gets sent to the attacker.
In April 2025, 40+ malicious Firefox extensions impersonating crypto wallets were discovered. In December 2025, a malicious update to the Trust Wallet Chrome extension drained $7 million from hundreds of accounts.
The rule: only download wallets from official links on their website — never through an app store search.
The security checklist — the 10 steps that matter
1. Use app-based 2FA: Google Authenticator or Authy. SMS is vulnerable to SIM swap ($28.4M lost in 2024).
2. Never share your seed phrase. No legitimate company will ever ask for it. Not by email, not by chat, not by phone. Never.
3. Verify URLs. Never click an email link or a Google ad. Type the URL manually or use your bookmarks.
4. Check your approvals on revoke.cash. Revoke any you don’t recognize ($494M drained in 2024).
5. Hot wallet = everyday wallet. Cold wallet (Ledger, Trezor) = vault. Keep them separate.
6. Download wallets only from official links. 40+ fake browser extensions were discovered in 2025. Use the direct link from the wallet’s website.
7. Use a separate browser profile with minimal extensions for crypto. $713M was lost through compromised extensions in 2025.
8. Never share your screen with “support”. Fake support agents on Discord/Telegram ask for screen sharing to see your keys. No real support does this.
9. Send a small test amount ($5) first to verify that the address and network are correct. Crypto transactions are irreversible.
10. Stay discreet. 40+ crypto kidnappings in France since 2023. Use pseudonyms online, and post no portfolio screenshots on social media.
Security in France: the special case of kidnappings
This is not alarmist — it’s factual. France is the global epicenter of crypto-related kidnappings.
Since July 2023, more than 40 crypto kidnappings have taken place in France. 19 attacks in 2025 alone — more than any other country in the world (the US had 8). CertiK reported 72 physical attacks (“wrench attacks”) worldwide in 2025, up 75%.
The Ledger case (January 2025)
David Balland, co-founder of Ledger, and his wife were kidnapped in Vierzon, France. The kidnappers severed one of his fingers and sent the video to demand a ransom of 10 million euros (~$11M) in crypto. The GIGN (France’s elite tactical unit) freed him after 48 hours. 10 arrests were made.
What fuels these attacks
- Data leaks — in June 2025, an employee of the French tax authority (DGFIP) was caught supplying criminals with crypto investor data
- Waltio hack (January 2026) — the personal data of 50,000 users of the French crypto tax reporting service (emails, tax reports, gain/loss amounts) was leaked on the dark web. The hackers explicitly claimed a connection to the kidnappings
- Social media — displaying your gains, your NFTs, or your crypto balances is an invitation to become a target
How to protect yourself
- Use pseudonyms consistently in crypto communities
- Never display your holdings, gains, or hardware purchases (Ledger, etc.)
- Don’t share your real-time location on social media
- Consider a “duress wallet” (decoy wallet with a small balance) if you hold significant amounts
- Report any threat to law enforcement immediately
Scams in France: specific traps to know about
The tax authority SMS scam
Active scam in 2025-2026: an SMS impersonating the French tax authority (DGFIP) claims “Crypto transactions have been detected on your accounts. Declare them to avoid a 40% penalty.” The link leads to a fraudulent site (e.g., “-gouv-fr.com”).
How to spot the fake:
- Real French government sites ALWAYS end in .gouv.fr (not “.gouv-fr.com”)
- The French tax authority (DGFIP) exclusively uses email addresses ending in @dgfip.finances.gouv.fr
- Tax authorities NEVER request personal data via SMS
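The three checks above, and the FAQ’s advice to verify a domain name letter by letter, come down to parsing the URL the way the browser will and then testing the real hostname. Here is an added Python example, not part of the original article: it accepts a host only if it is on your own bookmark list or genuinely sits under `.gouv.fr`, and it flags the look-alike patterns the SMS scam relies on. The bookmark list and brand-word list are constructed for the example; the DGFIP sender domain is the one the article states.

```python
from urllib.parse import urlsplit

# Constructed for this example: the sites you actually use (your bookmarks).
TRUSTED_HOSTS = {"impots.gouv.fr", "www.impots.gouv.fr", "metamask.io", "app.uniswap.org"}
# Constructed for this example: brand words a look-alike domain tends to embed.
BRAND_WORDS = {"gouv", "dgfip", "impots", "metamask", "uniswap", "binance", "ledger"}
# The only sender domain the DGFIP uses, as stated in the article.
DGFIP_MAIL_DOMAIN = "dgfip.finances.gouv.fr"


def hostname(url: str) -> str:
    """Lowercase hostname of a URL, as the browser will resolve it ('' if none).

    urlsplit handles the user@host trick, so 'https://impots.gouv.fr@evil.com/'
    yields 'evil.com', which is the site you would really land on."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def under_domain(host: str, parent: str) -> bool:
    """True if host is parent or a subdomain of it, respecting label boundaries.

    'impots.gouv.fr.evil.com' and 'impots-gouv-fr.com' both fail for 'gouv.fr'."""
    return host == parent or host.endswith("." + parent)


def check_url(url: str) -> tuple[str, str]:
    """Classify a URL as 'ok', 'suspicious' or 'unknown', with a reason."""
    host = hostname(url)
    if not host:
        return "suspicious", "no hostname in URL"
    # Punycode labels (xn--) can hide homoglyph look-alikes; inspect them by hand.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"{host}: internationalized label, check for homoglyphs"
    if host in TRUSTED_HOSTS:
        return "ok", f"{host} is bookmarked"
    if under_domain(host, "gouv.fr"):
        return "ok", f"{host} is under .gouv.fr"
    if any(word in host for word in BRAND_WORDS):
        return "suspicious", f"{host} embeds a brand name but is not one of your bookmarked sites"
    return "unknown", f"{host} is not bookmarked; verify before entering anything"


def is_dgfip_sender(address: str) -> bool:
    """Exact match on the domain after '@'.

    A forged From: header can still show this domain, so a match rules out the
    obvious fakes but does not prove the mail is genuine."""
    if address.count("@") != 1:
        return False
    return address.rsplit("@", 1)[1].lower() == DGFIP_MAIL_DOMAIN


if __name__ == "__main__":
    # Constructed sample inputs modelled on the SMS scam described above.
    for url in ("https://www.impots.gouv.fr/accueil",
                "https://impots-gouv-fr.com/declarer",
                "https://impots.gouv.fr.verify-login.com/",
                "https://impots.gouv.fr@evil.com/"):
        print(url, "->", check_url(url))
    print(is_dgfip_sender("contact@dgfip-finances-gouv.fr"))
```

The point of the `under_domain` check is the label boundary: a plain substring test for “gouv.fr” would accept `impots.gouv.fr.verify-login.com`, which is exactly the kind of host a cloned site uses. Real sites you have not bookmarked come back as `unknown`, which is the intended prompt to bookmark them once you have verified them.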
The French AMF blacklist
The French AMF (financial markets authority) regularly updates its blacklist of fraudulent platforms. In 2025, 71 names were added. French victims lost a total of 300 million euros on unauthorized platforms.
Before using any platform: check that it’s not on the French AMF blacklist, and that it is properly registered as a DASP (Digital Asset Service Provider) or licensed under MiCA.
Security models: which one is right for you?
All wallets are non-custodial, but the model for protecting your private key varies considerably. Here are the 4 approaches that exist in 2026:
| Model | How it works | Strengths | Limitations | Examples |
|---|---|---|---|---|
| Seed phrase | 12/24 words to write down on paper | Universal standard, works everywhere | Single point of failure. Lost = funds lost | MetaMask, Ledger, Trezor |
| MPC | Key split between your device and servers | No seed phrase, 0 wallets hacked at ZenGo | Depends on provider infrastructure | ZenGo, Fireblocks |
| Passkeys | Face ID / fingerprint. Key stored in secure enclave | Phishing-resistant by design | Depends on Apple/Google cloud for sync | Coinbase Smart Wallet |
| TEE + Shamir | Social login, key split inside a secure enclave | Invisible to the user, true self-custody | Depends on Privy infrastructure | Fibo (via Privy) |
| Hardware | Dedicated physical device. The key never leaves the device | Immune to remote attacks | $59-399, requires the physical device | Ledger, Trezor, Tangem |
What all seed phrase alternatives (MPC, passkeys, TEE) have in common: they eliminate attack vector #1 — seed phrase theft, which accounted for 43.8% of the total value of crypto stolen in 2024.
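To show what “key split” means in the MPC and TEE + Shamir rows above, here is an added illustration that is not Fibo’s, Privy’s, ZenGo’s or any vendor’s code: plain Shamir secret sharing over a prime field. A 256-bit key is split into three shares (think device, provider, recovery); any two rebuild it, while a single share is consistent with every possible key and so reveals nothing. Real deployments keep shares inside an enclave or run the computation as MPC so the whole key is never assembled in one place; this toy assembles it in memory only to demonstrate the arithmetic. The key bytes are constructed sample input.

```python
import secrets

# Mersenne prime 2^521 - 1: a field large enough to hold any 256-bit key.
P = 2**521 - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate a polynomial (lowest coefficient first) at x, modulo P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points on a random degree threshold-1 polynomial.

    The constant term is the secret; the other coefficients come from the OS CSPRNG."""
    if not (1 < threshold <= shares) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P); needs `threshold` distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def one_share_fits_any_secret(share: tuple[int, int], candidate: int) -> bool:
    """For a 2-of-n scheme: a single share lies on a line through (0, candidate)
    for EVERY candidate, so the share alone gives an attacker no information."""
    x1, y1 = share
    slope = (y1 - candidate) * pow(x1, -1, P) % P
    return _eval_poly([candidate, slope], x1) == y1


# Constructed sample key: 32 bytes 00 01 02 ... 1f (never use a predictable key).
KEY_BYTES = bytes(range(32))
KEY = int.from_bytes(KEY_BYTES, "big")


def demo() -> bool:
    """Split 2-of-3, recover from each pair, and confirm one share is uninformative."""
    device, provider, recovery = split_secret(KEY, 2, 3)
    pairs_ok = all(
        recover_secret(list(pair)) == KEY
        for pair in ((device, provider), (device, recovery), (provider, recovery))
    )
    # Any guess, even a wrong one, is equally consistent with the device share alone.
    lone_share_uninformative = all(
        one_share_fits_any_secret(device, guess) for guess in (0, 12345, KEY, P - 1)
    )
    return pairs_ok and lone_share_uninformative


if __name__ == "__main__":
    print("2-of-3 recovery works and a lone share leaks nothing:", demo())
```

The security property rests on the random coefficients, which is why the shares come from `secrets` rather than `random`. In a product, the shares are additionally bound to authentication (biometrics, passkey, social login), which is what lets the user experience stay seedless without turning the provider into a single point of failure.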
Emergency: what to do if…
Your wallet has been compromised
Act immediately — every second counts:
- Create a new wallet on a clean device (or a fresh browser profile)
- Transfer your remaining funds to the new wallet as fast as possible
- Revoke all permissions on the compromised wallet (revoke.cash)
- Disconnect all apps linked to the compromised wallet
- Full anti-malware scan on all your devices
- Never reuse the compromised wallet or its seed phrase
You clicked a suspicious link
- Close the tab immediately
- If you didn’t sign anything or enter any information: run an anti-malware scan as a precaution
- If you signed a transaction or entered your seed phrase: follow the “compromised wallet” protocol above
- Check and revoke your permissions on revoke.cash
Your seed phrase is lost
If you still have access to the wallet on a device:
- Create a new wallet immediately
- Write down the new seed phrase properly
- Transfer all your funds to the new wallet
If you no longer have any access (lost device + lost seed phrase): the funds are permanently lost. There is no “forgot password” in crypto. This is exactly why seedless wallets (Fibo, ZenGo, Coinbase Smart Wallet) exist.
The future of crypto security
The seed phrase is in decline. The industry is converging toward models that offer self-custody without the human risk:
- Social recovery (proposed by Vitalik Buterin) — trusted “guardians” can help you recover access to your wallet if you lose your key. Ethereum’s Hegota upgrade will integrate this functionality natively
- Mainstream passkeys — Apple, Google, and Microsoft are pushing passkeys as a password replacement. Crypto wallets are following suit
- Institutional-grade MPC — solutions like Privy (75M+ accounts created) and Fireblocks are becoming the standard for new wallets
The best security isn’t the one that demands the most effort from you. It’s the one that eliminates the single point of failure without sacrificing your control over your funds.
📚 Glossary
- Phishing: A scam technique that involves creating a fake website or email impersonating a legitimate service, to steal your credentials or seed phrase.
- Seed phrase: A sequence of 12 or 24 words that represents your private key. Whoever has it controls all your funds.
- SIM swap: An attack where a criminal transfers your phone number to their own SIM card, to intercept your texts and verification codes.
- Token drainer: A malicious smart contract that, once approved by the user, can automatically drain the tokens from a wallet.
- 2FA (Two-factor authentication): An additional security layer on top of your password. Prefer an app (Google Authenticator) over SMS.
- Revoke: Canceling a permission previously granted to a smart contract. Recommended tool: revoke.cash.
- TEE (Trusted Execution Environment): A secure enclave within a processor, isolated from the operating system. Used to generate and protect private keys.
- MPC (Multi-Party Computation): A technology that splits the private key across multiple parties. No single party holds the complete key.
- Cold wallet: An offline wallet (Ledger, Trezor). Immune to remote attacks. Recommended for large holdings.
- Passkey: Biometric authentication (Face ID, fingerprint) tied to a device. Phishing-resistant by design.
- Wrench attack: A physical assault aimed at forcing the victim to transfer their crypto. Sharply rising in France.
Frequently Asked Questions
What is the biggest risk in crypto?
Phishing (fake sites and emails) accounts for 49% of losses by value in H1 2025. But the most devastating threat is seed phrase theft — whoever has your 12 words controls everything, permanently and irreversibly. Seedless wallets (Fibo, ZenGo, Coinbase Smart Wallet) eliminate this risk.
Is SMS-based 2FA enough?
No. The FBI and CISA officially advised against SMS-based 2FA in 2024 after the Salt Typhoon attacks. SMS is vulnerable to SIM swap ($28.4M lost in 2024 in the US). Use an authenticator app (Google Authenticator, Authy) or a hardware key (YubiKey).
How do I verify that a crypto site is legitimate?
Type the URL manually (never click an email link or ad). Check for the HTTPS padlock. Verify the domain name letter by letter (scammers use look-alikes). Bookmark the sites you use regularly. And check the French AMF blacklist before using any new platform.
What should I do if someone asks for my seed phrase?
Don’t give it. Ever. For any reason. No legitimate crypto company — MetaMask, Binance, Coinbase, Ledger, Fibo — will ever ask for your seed phrase. If someone asks for it, it’s a scam. 100%. Block the person and report the account.
How should I secure my seed phrase?
Write it down on paper (not digitally — no screenshots, no Notes app, no email). Store it in a safe place, ideally fire- and water-resistant (a safe). Some users engrave their seed phrase on a metal plate. Or better yet: choose a wallet that doesn’t use a seed phrase at all.
Do I need a hardware wallet?
If you hold more than $1,000-2,000 in crypto: yes, strongly recommended for long-term storage. A Ledger Nano S Plus costs ~$79. If you’re starting out with small amounts, a secure mobile wallet (seedless if possible) is sufficient. The ideal setup: both — a hot wallet for daily use, a cold wallet for savings.
Are crypto kidnappings in France really common?
It’s a real and rapidly growing phenomenon: 40+ cases since 2023, including the kidnapping of Ledger’s co-founder in January 2025. France accounts for ~80% of physical crypto attacks in Europe. Victims are often people who flaunt their crypto wealth on social media. Protection: pseudonyms, discretion, never display your holdings.
📰 Sources
This article is based on the following sources:
- Chainalysis — 2025 Crypto Crime Report
- FBI IC3 — Bybit Hack Attribution
- CertiK — Phishing Losses 2024
- Scam Sniffer — Wallet Drainer Report 2024
- AMLBot — Crypto Crime Report 2025
- Crypto.news — France 40+ Kidnappings
- Fortune — Ledger Co-Founder Kidnapping
- CyberNews — Waltio Data Breach
- Deepstrike — SIM Swap Statistics 2025
- French AMF — Crypto Blacklist
How to cite this article: Fibo Crypto. (2026). How to secure your crypto — The no-jargon guide (2026). Accessed 18 March 2026 at https://fibo-crypto.fr/en/blog/how-to-secure-your-crypto-guide