Zhao Changpeng's 8,000-word article: How to ensure the security of your crypto assets?

Binance founder Zhao Changpeng (CZ) posted on the social platform X yesterday evening (24), updating an article about cryptocurrency security advice to help users avoid hacker attacks. This article compiles and organizes the full text of CZ's article.

On the 21st of last week, the cryptocurrency exchange Bybit was hacked, with losses of approximately US$1.46 billion, becoming the largest theft in the history of cryptocurrency; and just yesterday (24th), the crypto payment project Infini was confirmed to have been hacked, with losses approaching US$50 million... A series of hacking incidents once again sounded the alarm for crypto security.

In this context, Binance founder Zhao Changpeng (CZ) posted on social media platform X yesterday evening (24) that he spent a day on Sunday updating an article he wrote five years ago on security advice to help people in the cryptocurrency world avoid hacker attacks.

This article compiles the full text of CZ's article as follows:

Keep your crypto safe (CZ’s advice)

Update time: 2025/2/24

Originally published: 2020/2/25

It’s sad to see the lack of security awareness among cryptocurrency users. It’s also painful to see experts recommending advanced settings that are hard to follow and prone to errors.

Security is a broad topic. I am by no means an expert, but I have seen many security issues. I will try to explain it in layman's terms:

  1. Why you might, or might not, want to store your cryptocurrency yourself, and how to do it.

  2. Why you might, or might not, want to keep your cryptocurrency on a centralized exchange, and how to do it safely.

First, nothing is 100% secure. Software has vulnerabilities, and people can be vulnerable to social engineering attacks. The real question is, is it "secure enough"?

If you are storing $200 in a wallet, you probably don’t need super security. A mobile wallet is enough. If you are storing your life savings, then you need stronger security.

To protect your cryptocurrency, you only need to do three things:

  1. Prevent others from stealing it.

  2. Prevent losing it yourself.

  3. If you are no longer able to use it, have a way to pass it on to your loved ones.

Pretty simple, right?

Why might you or might not want to store your own cryptocurrency?

Your private key is your funds. Or is it?

Many cryptocurrency experts firmly believe that holding your own cryptocurrency is the only way to keep it safe, without ever considering your skill level. Is this really the best advice for you?

A Bitcoin private key looks like this:

KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p

That's it. Anyone with a copy of it can transfer the bitcoins held at that address (if any).

To protect your cryptocurrency you need to:

  1. Prevent others from obtaining a copy of your private key: keep hackers out and protect your computer from threats such as viruses and network attacks.

  2. Protect yourself from losing your private keys: make backups in case your device is damaged or lost, and keep your backups safe.

  3. In the event of an accident or death, there must be a way to pass the private keys to your loved ones. This is not a pleasant situation, but as adults responsible for our loved ones, we must manage this risk.

Beware of hackers

You've heard of hackers. They use viruses, Trojans, and other malware. You don't want these things anywhere near your device.

To reach a reasonable level of confidence, make sure the device holding your cryptocurrency wallet is never connected to the Internet, and never download files onto it. So how do you use such a device?

Let’s talk about the different devices you can use.

A computer is an obvious choice and is usually the device that supports the most currencies. You should never connect this computer to any network. If you connect it to the Internet, hackers may be able to hack into your device by exploiting vulnerabilities in the operating system or the software you use. Software is never free of vulnerabilities.

So how do you install software? You use a USB stick. Make sure it is clean. Scan it thoroughly with at least three different antivirus programs. Download the software you wish to install (OS and wallet) to the USB stick. Wait 72 hours. Check the news to make sure the site or software has not been hacked.

Official websites have been hacked and the download packages have been replaced with Trojans. You should only download software from official websites. You should only use open source software to reduce the risk of backdoors. Even if you are not a programmer, open source software is reviewed by other developers and has a lower risk of backdoors. This means that you should use a stable version of Linux (not Windows or Mac) as your operating system and only use open source wallet software.

Once everything is installed, you can use a clean USB drive to move transactions to and from the device for offline signing. The process varies from wallet to wallet and is beyond the scope of this article. Many wallets for coins other than Bitcoin cannot sign offline.

You need to ensure the physical security of your device. If someone steals it, they may have physical access to your device. Make sure your hard drive is strongly encrypted so that even if someone gets hold of it, they cannot read it. Different operating systems offer different encryption tools. Again, a tutorial on hard drive encryption is beyond the scope of this article, there are many resources online for this.

If you can do all of the above, you have a reasonably secure setup and don't need to read the rest of this section. If it doesn't sound like your cup of tea, there are other options.

You can use your phone. A non-rooted phone is usually more secure than a computer, thanks to the sandbox design of mobile operating systems. For most people, I recommend an iPhone. If you are more technical, I recommend an Android phone with GrapheneOS installed. Again, use a dedicated phone for your wallet and do not mix it with the phone you use every day. Install only the wallet software and nothing else. Keep the phone in airplane mode at all times except when you are using the wallet to transfer funds. I also recommend a separate SIM card, connecting only over 5G, and never connecting to WiFi. Go online only to sign transactions and to update software. If you don't hold a very large amount in the wallet, this is usually fine.

Some mobile wallets can sign transactions offline (by scanning a QR code), so you can keep the phone completely offline from the moment you install the wallet app and generate your private keys. This way, your private keys are never on a phone connected to the Internet. It also prevents a backdoored wallet from sending data back to the developer, which has happened in the past, even with official versions of apps. The trade-off is that you won't be able to update the wallet app or the operating system. To update, you need another phone: install the new version of the app, put it in airplane mode, generate new addresses, back them up (more on that later), and then transfer your funds to the new phone. This isn't very convenient. Additionally, these wallet apps support a limited set of coins and blockchains.

These wallet apps generally don’t support staking, yield mining, or investing in memecoins. If you’re interested in doing any of these, you’ll have to sacrifice a little bit of security.

You need to ensure the physical security of your phone.

Hardware wallet

You can use a hardware wallet. These devices are designed so that your private key never leaves the device, so your computer doesn't have a copy of it. (As of 2025, new versions of Ledger may send private keys to servers for backup, so this is no longer true.)

Hardware wallets have also had reported vulnerabilities, in their software and elsewhere. Every hardware wallet has to interact with software running on a computer (or phone) to work, so you still need to make sure that computer is virus-free. Some malware swaps the destination address of a transaction for the hacker's address at the last moment. Therefore, always double-check the destination address on the device's own screen.
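An added example (not part of CZ's article) that shows what the text means by a mistake in a private key being easy to make but, in this format, detectable: a Bitcoin WIF key or legacy address is Base58Check encoded, so its last four bytes are a checksum over the rest. The code below, written for this page in Python with only the standard library, decodes WIF keys and P2PKH addresses, rejects a single mistyped character, and can be used to sanity-check a destination address before you compare it against the hardware wallet's screen. The 32-byte secret used in the demo is a constructed test value, not a real key; the key printed earlier in the article can be fed to decode_wif in the same way.

```python
"""Base58Check decoding for Bitcoin WIF private keys and P2PKH addresses.

Added example (not from CZ's article). Standard library only.
The secret key bytes in the demo are a constructed test value, not a real key.
"""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum and encode as Base58."""
    raw = payload + _double_sha256(payload)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading 0x00 byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(text: str) -> bytes:
    """Decode Base58 and verify the checksum; raise ValueError on any defect."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        raise ValueError("too short")
    payload, checksum = raw[:-4], raw[-4:]
    if _double_sha256(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: the string was mistyped or altered")
    return payload


def decode_wif(wif: str) -> tuple[bytes, bool]:
    """Return (32-byte secret, compressed_flag) from a mainnet WIF string."""
    payload = base58check_decode(wif)
    if payload[0] != 0x80:
        raise ValueError("not a mainnet WIF private key (version byte != 0x80)")
    if len(payload) == 34 and payload[-1] == 0x01:
        return payload[1:33], True
    if len(payload) == 33:
        return payload[1:], False
    raise ValueError("unexpected WIF payload length")


def encode_wif(secret: bytes, compressed: bool = True) -> str:
    """Version byte 0x80, 32-byte secret, optional 0x01 compressed-pubkey flag."""
    assert len(secret) == 32
    return base58check_encode(b"\x80" + secret + (b"\x01" if compressed else b""))


def is_valid_wif(wif: str) -> bool:
    try:
        decode_wif(wif)
        return True
    except ValueError:
        return False


def is_valid_p2pkh_address(addr: str) -> bool:
    """True only if Base58Check validates and the version byte is 0x00 (mainnet P2PKH)."""
    try:
        payload = base58check_decode(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] == 0x00


def corrupt_one_char(text: str, pos: int) -> str:
    """Simulate a single transcription error: replace one character with its alphabet neighbour."""
    ch = text[pos]
    replacement = ALPHABET[(ALPHABET.index(ch) + 1) % len(ALPHABET)]
    return text[:pos] + replacement + text[pos + 1:]


if __name__ == "__main__":
    secret = bytes(range(1, 33))  # constructed test value, not a real key
    wif = encode_wif(secret)
    print("WIF:", wif, "valid:", is_valid_wif(wif))
    print("one mistyped character still valid?", is_valid_wif(corrupt_one_char(wif, 10)))
```

The checksum catches typos and clipboard tampering that changes the string, but it cannot tell you whether a syntactically valid address belongs to the recipient you intended; that is why the text says to confirm the address on the hardware wallet's display rather than on the computer.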

Hardware wallets protect against many basic types of attacks and are still a good choice if you want to store your cryptocurrency independently. However, the weakest part of hardware wallets is often how they store backups, which we will discuss in the next section.

Protect yourself

You may lose your device or it may get damaged. Therefore, you need a backup.

There are many approaches here, each with its own pros and cons. Basically, you want to have multiple backups, stored in different geographical locations, and not easily visible to others (encrypted).

You can write it down on paper. Wallets that use seed phrases recommend this because 12 or 24 English words are relatively easy to write down; with a raw private key, it is easy to make a mistake. But paper can get lost in a pile of documents, be destroyed by fire or flood, or be chewed up by your dog. It is also easy for someone else to read; there is no encryption.

Some people use a bank vault to store paper backups. I generally don't recommend this option for the reasons listed above.

Don't take a photo (or screenshot) of the paper, sync it to the cloud, and think it's safely backed up. If a hacker breaks into your email account or computer, they can easily find it. The cloud service provider has many employees who can view it.

There are metal tags designed specifically to store seed backups. These tags are supposed to be virtually indestructible, which essentially solves the problem of damage in a fire or flood. But it doesn't solve the problem of loss or being easily read by someone else. Furthermore, some people store these tags in bank vaults, often with their gold or other metals. If you use this method, you should understand the risks.

I recommend using at least 3 USB sticks, but this requires a more technical setup and is aimed at more advanced users.

There are shockproof, waterproof, fireproof, and magnetically resistant USB flash drives available today. You can store encrypted versions of your private key backups on multiple such USB flash drives and spread them out in different locations (friends or relatives). This solves all the requirements mentioned at the beginning of this section: multiple locations, and not easily damaged or readable by others if lost.

The key is strong encryption. There are many tools available for encryption, and they get better over time. VeraCrypt is an entry-level tool that provides a reasonable level of encryption. Do your own research to find the latest encryption tool that works best for you.

Take care of your loved ones

We won’t live forever. An estate plan is needed. In fact, cryptocurrencies make it easier to pass on wealth to your heirs and reduce the involvement of third parties.

Again, there are ways to do this.

If you use a low-security method like a paper wallet or metal tag, you can simply share this information with them. Of course, this has some potential disadvantages. If they are young or unskilled, they may lack the proper means to keep or protect backup copies. If they make a mistake in security, hackers can easily steal your funds through them. In addition, they can take your money at any time. Depending on the trust relationship you have with them, you may or may not want this.

I strongly advise against sharing private keys between people, regardless of relationship. If funds are stolen, there will be no way to determine who moved them or who was hacked. It will be confusing.

You can store your paper wallet or metal tag in a bank vault or give it to a lawyer. But as mentioned above, if anyone involved gets a copy of the private key, they can move the funds without much of a trace. This is different than a lawyer having to go through a bank to pass on your bank account balance to your heirs.

If you use the USB drive method mentioned above, there are ways to pass on your wealth more securely. Again, this requires a bit more setup.

There are online services called dead man's switches. They periodically send you an email (say, once a month) and you must click a link or log in to respond. If you don't respond within a set period, they assume you have died and send an email to your intended recipient. I do not recommend or endorse any particular service; research and test them yourself. Google itself offers a dead man's switch: there is a setting that lets someone access your account if you haven't used it for 3 months. Personally, I have not tested it and cannot vouch for its security. Please test it yourself.

If you’re thinking, “Oh great, I just need to email the private key to my kid,” then please re-read the beginning of this article.

You might also be thinking, "I can put the password I use to encrypt my USB drives in these emails; that way, my kids or spouse can unlock them." That's closer, but still not good enough. You should not store your backup password on a server on the Internet. This will greatly weaken the security of your backups/funds.

If you're thinking, "I could just encrypt the email containing the USB drive password with another password that I share with my loved ones," then you're already on the right track. In fact, you don't need a second password.

There is a time-tested email encryption tool called PGP (or GPG) that you should use. PGP was one of the first widely used tools built on public-key cryptography (the same kind Bitcoin relies on). Again, I won't give a full PGP tutorial here; there are plenty online. In summary, have your spouse or child generate their own PGP key pair, then encrypt the message that is to be delivered after your death with their public key, so that only they can read its contents and nobody else can. This method is relatively secure, but it requires that your loved ones keep their PGP private keys safe and not lose them. Of course, they also need to know how to use PGP email, which is itself a bit technical.

If you’ve followed the advice shared so far, you’ve reached a basic (but not advanced) level of being able to store a reasonable amount of cryptocurrency on your own. There are many other topics we could discuss that might also address some of the issues mentioned so far, including multi-signatures, threshold signatures, etc., but these belong in more advanced guides.

In the next section, we will explore:

Using an Exchange

In this article, when we talk about exchanges, we are referring to centralized exchanges that hold your funds and help you with custody.

So, after reading the previous section, you might be saying, "Oh, that's a hassle. I'll just keep my coins on an exchange." Well, using an exchange is not without risk. While the exchange is responsible for safekeeping your funds and securing their systems, you still need to follow proper practices to keep your account safe.

Only use large and reputable exchanges

Yes, it is easy for me to say that since Binance is one of the largest exchanges in the world. However, there is a good reason for saying that. Not all exchanges are the same.

Large exchanges invest heavily in security infrastructure. Binance invests billions of dollars in security every year. This is reasonable for the size of our business. Security covers a wide range of areas, including equipment, networks, processes, employees, risk monitoring, big data, AI detection, training, research, testing, third-party partners, and even partnerships with global law enforcement agencies. Ensuring proper security requires a lot of money, talent, and effort. Smaller exchanges simply don't have the scale or financial strength to do this. I may be criticized for saying this, but this is why I often say that for most ordinary people, it is safer to use a trusted centralized exchange than to keep your coins yourself.

There is counterparty risk. Many smaller/new exchanges are exit scams from the start. They take some deposits and run. Because of this, stay away from exchanges that claim to be unprofitable or that offer 0 fees, large rebates, or other negative profit incentives. If their goal is not commercial revenue, then your funds are likely their only goal.

Proper security is expensive and needs to be funded by a sustainable business model. Don’t skimp on security for your funds. Large profitable exchanges have no incentive to run exit scams. Why would you have an incentive to steal a few million dollars and live in hiding and fear when you already run a profitable and sustainable billion dollar business?

Large exchanges also have more security testing. Yes, this is also a risk. It is easier for hackers to attack large exchanges. However, hackers also attack smaller exchanges, and some of them are even easier targets. Large exchanges usually have 5-10 external security companies that perform penetration tests and security tests on them regularly.

Binance goes further than most exchanges in terms of security. We invest heavily in big data and AI to fight hackers and scammers. We have successfully prevented many users from losing funds in SIM swap attacks. Some users who use multiple exchanges have also reported that when their email accounts were hacked, funds from other exchanges were stolen, while Binance's funds were protected because our AI system blocked the hacker's attempt to withdraw their funds. Even if small exchanges wanted to do these things, they couldn't do it because they simply don't have that much big data.

Protect your account

It is still very important to protect your account when using an exchange. Let’s start with the basics.

Protect your computer

Again, the computer is often the weakest link in the security chain. Use a dedicated computer for accessing your exchange account. Install commercial antivirus software on this computer (yes, invest in security) and only the most basic additional software. Set your firewall to the highest level.

Keep your gaming, surfing, downloading, etc., on another computer. Even on this computer, turn on your antivirus software and set your firewall to the highest level. A virus on one computer makes it easier for hackers to access other computers on the same network, so keep your computer clean.

Don't Download

Even if you only use centralized exchanges (CEX), I still recommend not downloading any files on your computer. If someone sends you a Word document, ask them to send a Google Doc link. If they send you a PDF file, open it in Google Drive instead of on your computer. If they send you a funny video, ask them to send a link to the online platform. Yes, I know it's a hassle, but security isn't free, and neither is losing your money. View everything in the cloud.

Turn off the "auto-save photos and videos" feature in instant messaging apps. Many apps will download GIFs and videos by default, which is not a good security practice.

Keep your software updated

I know all OS updates are annoying, but they contain patches for recently discovered security vulnerabilities. Hackers also monitor these updates and often target those who are too lazy to update. So, make sure you always install these patches as soon as possible. Do the same with wallets and other software you use.

Protect your email

I recommend using Gmail or Protonmail. These two email service providers are more secure than other platforms, where we have seen more security breaches.

I recommend setting up a unique email account for each exchange you use, and making it hard to guess. This way, if one exchange gets hacked, your Binance account won't be affected. This will also reduce the number of phishing or targeted email scams you receive.

Protonmail has a feature called SimpleLogin that allows you to create a unique email address for each website you visit. I recommend using this feature if you don’t use another email forwarding service.

Enable two-factor authentication (2FA) for your email service. I recommend using a Yubikey for your email account. This is a strong defense against all kinds of hacks (including phishing sites, etc.). More on 2FA later.

If you live in a country where SIM swapping has been reported, do not use your mobile number as a recovery method for your email account. We have seen many SIM swap victims who have had their email account passwords reset and hacked. I no longer recommend linking your mobile number to your email account, keep them separate.

Use a password manager

Use strong, unique passwords for every website. Don't try to remember them; use a password manager. For most people, Keeper or 1Password are probably sufficient. Both integrate well with browsers, phones and so on, and both claim to store passwords only locally, syncing them across devices in encrypted form.

If you're more serious, KeePass is the way to go. It only stores information locally, so you don't have to worry about encrypted passwords stored in the cloud. It doesn't sync between devices, and has limited support for mobile phones. It's open source, so you don't have to worry about backdoors.

Do your own research and choose the tool that works for you. But don't be tempted to save time by using the same password everywhere, or a simple one, or worse. Use strong passwords, or the time you save may cost you dearly.

Even with these tools, if you have a virus on your computer, you can be devastated. So make sure you have good antivirus software on your computer.

Enable 2FA

It is highly recommended that you enable 2FA (two-factor authentication) as soon as you sign up for a Binance account; if you haven't already, set it up now. Since 2FA codes are generated on your phone, 2FA provides some protection even if your email and password are stolen.

However, 2FA doesn’t protect you from all attacks. If you have a virus on your computer, the same virus that steals your email and password can also monitor your typing as you enter your 2FA code and steal that code. You might interact with a phishing site, enter your email and password, and then enter your 2FA code on the fake site. The hacker then uses that information to log into your real Binance account. There are so many possible scenarios here that we can’t list them all.
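To make the phishing scenario concrete, here is an added example (not from the article) in Python, standard library only: an RFC 6238 TOTP implementation, a login check that accepts codes from adjacent 30-second steps, and a simulated real-time phishing relay. The shared secret is the RFC test-vector secret; the password, site and relay delay are constructed for the demo. The relay succeeds because a TOTP code proves only possession of the shared secret at a moment in time; nothing in it says which website the user typed it into, which is the gap the domain-bound U2F keys discussed next close.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, and a simulated real-time phishing relay.

Added example (not from CZ's article). Standard library only.
SECRET is the RFC 4226/6238 test-vector secret, not a real account secret.
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC test-vector secret
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                digits: int = 6, step: int = STEP) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


class ExchangeLogin:
    """Server side: password + TOTP. It cannot tell which site the user typed into."""

    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.totp_secret = totp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        return (hmac.compare_digest(password, self.password)
                and verify_totp(self.totp_secret, code, now))


def phishing_relay(victim_password: str, victim_code: str,
                   real_site: ExchangeLogin, now: int) -> bool:
    """Attacker's fake site forwards what the victim typed to the real site a few seconds later.

    Returns True when the attacker's session on the real site is accepted.
    """
    relay_delay = 3  # constructed: seconds the attacker needs to forward the credentials
    return real_site.login(victim_password, victim_code, now + relay_delay)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; code is 94287082 with 8 digits
    site = ExchangeLogin("correct horse battery", SECRET)
    code = totp(SECRET, now)
    print("victim types code", code, "into the fake site")
    print("attacker logged in to the real site:", phishing_relay("correct horse battery", code, site, now))
```

Shortening the window does not help: the attacker only needs to forward the code within the same 30-second step, which automated phishing kits do in well under a second.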

Setting up U2F

U2F is a standard for hardware security keys that answer each login challenge with a unique response bound to the website's domain. Yubikey is the de facto standard device in this space.

U2F has three main advantages. First, they are hardware-based, so it is almost impossible to steal the keys stored in the device. Second, they are domain-specific. This protects you even if you accidentally interact with a phishing site. Third, they are easy to use. You just carry it with you.

For the reasons above, I recommend you bind a Yubikey to your Binance account. It provides one of the best protections against hackers.

You should also tie the Yubikey to your Gmail, password manager, and other accounts to keep them secure.

Stop using SMS verification

SMS verification was once widely promoted, but with the rise in SIM swapping incidents, we recommend that you stop using SMS verification and rely instead on the authenticator-app 2FA or U2F described above.

Set up a withdrawal address whitelist

We strongly recommend that you use Binance's withdrawal whitelist feature. This feature allows you to quickly withdraw to approved addresses and makes it difficult for hackers to add new withdrawal addresses.

Enable the 24-hour waiting period for newly added whitelisted addresses. That way, if a hacker tries to add a new address, you get 24 hours' notice before it can be used.
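The following is an added example (not Binance's code) of the policy just described, written in Python: withdrawals go only to active whitelisted addresses, a newly added address stays pending for 24 hours, the owner is notified on every addition and can cancel, and a lock-down drops everything pending. The account, addresses and timestamps are constructed for the demo.

```python
"""Withdrawal address whitelist with a 24-hour activation delay.

Added example (not Binance's code). Models the policy described in the text:
withdraw only to whitelisted addresses; a new address becomes usable only after
a waiting period during which the owner is notified and can cancel it.
"""
from dataclasses import dataclass, field

ACTIVATION_DELAY = 24 * 3600  # seconds


@dataclass
class Whitelist:
    pending: dict = field(default_factory=dict)   # address -> activation time (unix seconds)
    active: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

    def add_address(self, address: str, now: int) -> int:
        """Queue an address and notify the owner; return the time it becomes usable."""
        if address in self.active:
            return now
        if address in self.pending:
            return self.pending[address]
        activates_at = now + ACTIVATION_DELAY
        self.pending[address] = activates_at
        self.notifications.append(
            f"new withdrawal address {address} added at {now}, usable from {activates_at}")
        return activates_at

    def cancel_pending(self, address: str) -> bool:
        """Owner's reaction to an unexpected notification: remove the address before it activates."""
        return self.pending.pop(address, None) is not None

    def lock_down(self) -> None:
        """Suspected account compromise: drop every pending address at once."""
        self.pending.clear()

    def _promote(self, now: int) -> None:
        for address, activates_at in list(self.pending.items()):
            if now >= activates_at:
                self.active.add(address)
                del self.pending[address]

    def may_withdraw_to(self, address: str, now: int) -> bool:
        """The only check the withdrawal path needs: is the address active right now?"""
        self._promote(now)
        return address in self.active


def simulate_compromise(now: int = 1_700_000_000) -> dict:
    """Attacker holding a live session adds their own address; owner sees the notice and cancels."""
    wl = Whitelist()
    wl.add_address("owner-cold-wallet", now - 2 * ACTIVATION_DELAY)  # constructed: added long ago
    wl.add_address("attacker-address", now)                         # constructed: added by attacker
    result = {
        "attacker_immediate": wl.may_withdraw_to("attacker-address", now),
        "owner_still_ok": wl.may_withdraw_to("owner-cold-wallet", now),
        "notified": len(wl.notifications),
    }
    # Some hours later the owner reads the notification and cancels the pending address.
    result["cancelled"] = wl.cancel_pending("attacker-address")
    result["attacker_after_delay"] = wl.may_withdraw_to("attacker-address", now + ACTIVATION_DELAY + 1)
    return result


if __name__ == "__main__":
    for key, value in simulate_compromise().items():
        print(f"{key}: {value}")
```

The delay only helps if the notification reaches a channel the attacker does not control, which is one more reason the article tells you to protect the email account tied to the exchange.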

API Security

Many of our users trade through the API. Binance provides API key types that use asymmetric (public/private key) signatures. This means Binance only needs your public key: you generate the private key in your own environment and register the public key with the platform. We use your public key to verify that an order came from you, and we never store your private key. You must protect your private key.

You don't have to back up your API key like you do with cryptocurrency. If you lose your API key, you can always create a new one. Just make sure no one else has your API key.

Do not enable withdrawals for your API key unless you really know what you are doing.
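As an added example of the pattern described above (not Binance's SDK or exact wire format), the Python code below uses Ed25519 keys from the third-party `cryptography` package, which it assumes is installed. The client signs the query string including a timestamp and a recvWindow, the server keeps only the registered public key and rejects tampered or stale requests, and a per-key permission set shows why a trading key should not carry withdrawal rights. Parameter names and the canonical ordering are illustrative; a real API documents its own.

```python
"""Asymmetric API authentication: the client signs, the server verifies with the public key only.

Added example, not Binance's SDK or wire format. Assumes the third-party
`cryptography` package (pip install cryptography). Parameter names
(timestamp, recvWindow, action) are illustrative.
"""
import base64
from urllib.parse import urlencode

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

CLOCK_SKEW_MS = 1000  # how far ahead of the server a client clock may run


def generate_keypair() -> tuple[Ed25519PrivateKey, bytes]:
    """Private key stays in the client's environment; only the raw public key is registered."""
    priv = Ed25519PrivateKey.generate()
    pub_raw = priv.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    return priv, pub_raw


def sign_request(priv: Ed25519PrivateKey, params: dict, now_ms: int,
                 recv_window_ms: int = 5000) -> dict:
    """Client side: add timestamp/recvWindow, sign the canonical query string, attach the signature."""
    signed = dict(params, timestamp=now_ms, recvWindow=recv_window_ms)
    signature = priv.sign(urlencode(signed).encode())
    signed["signature"] = base64.b64encode(signature).decode()
    return signed


class Server:
    """Server side: stores public keys only, so a database breach yields nothing that can sign."""

    def __init__(self):
        self.keys: dict[str, Ed25519PublicKey] = {}
        self.permissions: dict[str, set] = {}

    def register(self, api_key_id: str, pub_raw: bytes, permissions: set) -> None:
        self.keys[api_key_id] = Ed25519PublicKey.from_public_bytes(pub_raw)
        self.permissions[api_key_id] = set(permissions)

    def authenticate(self, api_key_id: str, request: dict, now_ms: int) -> bool:
        pub = self.keys.get(api_key_id)
        if pub is None:
            return False
        request = dict(request)
        signature = request.pop("signature", None)
        if signature is None:
            return False
        try:
            pub.verify(base64.b64decode(signature), urlencode(request).encode())
        except (InvalidSignature, ValueError):
            return False
        # Replay protection: the signed timestamp must be recent.
        age = now_ms - int(request["timestamp"])
        return -CLOCK_SKEW_MS <= age <= int(request["recvWindow"])

    def handle(self, api_key_id: str, request: dict, now_ms: int) -> str:
        if not self.authenticate(api_key_id, request, now_ms):
            return "rejected: bad signature or stale request"
        action = request.get("action")
        if action not in self.permissions[api_key_id]:
            return f"rejected: key not permitted to {action}"
        return f"ok: {action}"


if __name__ == "__main__":
    priv, pub = generate_keypair()
    server = Server()
    server.register("k1", pub, {"order"})  # constructed: a trading-only key
    now = 1_700_000_000_000
    req = sign_request(priv, {"action": "order", "symbol": "BTCUSDT"}, now)
    print(server.handle("k1", req, now + 100))
    print(server.handle("k1", sign_request(priv, {"action": "withdraw", "address": "x"}, now), now + 100))
```

Losing the private key here costs you nothing but a key rotation, exactly as the text says; leaking it costs you whatever the key is permitted to do, which is why withdrawal permission stays off.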

Complete L2 KYC

One of the best ways to keep your account safe is to complete L2 KYC (identity verification). This way, we know what you look like. When our big data risk engine detects anomalies in an account, we can use advanced automated video verification.

This is also important in the event that you no longer have access to your account. Binance is able to help family members access the accounts of deceased relatives after proper verification.

Physical security of your devices

Again, keep your phone secure. You probably have your email app, Binance app, and 2FA codes on your phone. Don’t root or jailbreak your phone, as this will greatly reduce its security. You should also keep your phone physically secure with a proper screen lock. The same goes for other devices.

Prevent phishing attacks

Beware of phishing attacks. These attacks usually come in the form of emails, text messages, or social media posts with a link to a fake Binance website. The website will invite you to enter your account credentials, which the hacker will use to access your real Binance account.

Protecting against phishing attacks simply requires vigilance. Don't click on links in emails or on social media sites. Only access Binance by typing in the URL or using a bookmark. Don't share your email with anyone else. Don't use the same email on other sites. Be cautious when strangers (especially those named CZ or similar) contact you out of the blue on platforms such as Telegram, Instagram, etc.
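"Only access Binance by typing in the URL" is easier to follow if you know what a disguised link looks like. The Python below (an added example, standard library only, not from the article) classifies a link as trusted only when it uses https, has no userinfo before an "@", contains no punycode label, and its registrable domain is the expected one. The sample links are constructed lookalikes, and the two-label registrable-domain rule is a simplification that assumes .com-style TLDs; production code should use the Public Suffix List.

```python
"""Decide whether a link really points at the expected exchange domain.

Added example (not from CZ's article). Standard library only.
The sample links are constructed lookalikes, not URLs observed in the wild.
"""
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"binance.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: correct for .com-style TLDs only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected: set = EXPECTED_DOMAINS) -> tuple[bool, str]:
    """Return (is_trusted, reason). Rejects the common tricks instead of trusting a visual match."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.username is not None or parts.password is not None:
        # https://binance.com@evil.example/ : the text before '@' is userinfo, not the host
        return False, "userinfo before '@' hides the real host"
    host = parts.hostname or ""
    try:
        host_ascii = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "host is not a valid domain name"
    if any(label.startswith("xn--") for label in host_ascii.split(".")):
        # Internationalised label: may be a homoglyph of the brand name
        return False, f"punycode host {host_ascii} could be a lookalike"
    if not all(ch.isalnum() or ch in ".-" for ch in host_ascii):
        return False, "host contains unexpected characters"
    reg = registrable_domain(host_ascii)
    if reg not in expected:
        return False, f"registrable domain is {reg}, not one of {sorted(expected)}"
    return True, f"host {host_ascii} is under {reg}"


def trusted_links(links: list) -> list:
    return [link for link in links if check_link(link)[0]]


SAMPLE_LINKS = [  # constructed for this example
    "https://www.binance.com/en/my/security",           # genuine subdomain
    "https://binance.com.account-verify.example/login", # brand used as a subdomain
    "https://binance.com@login.example/",               # brand in the userinfo part
    "http://binance.com/",                              # plain http
    "https://b\u0456nance.com/",                        # Cyrillic 'i' homoglyph
    "https://binance-support.com/",                     # similar but different domain
]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = check_link(link)
        print(("TRUSTED " if ok else "REJECT  ") + link + "  (" + reason + ")")
```

A bookmark or a typed URL sidesteps every one of these tricks, which is the point of the advice; the checker is for the moment someone hands you a link anyway.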

If you follow the above advice, your Binance account should be relatively safe.

So, which one is better?

I usually recommend people to use a combination of centralized exchanges and their own wallets. If you are not very technical, then I recommend storing most of your funds on Binance and having your own spending wallet (such as TrustWallet). If you are technically strong, then you can adjust the fund allocation as needed.

Centralized exchanges occasionally go under maintenance, and having a standalone wallet can be very handy if you need to make a transaction quickly.

If you follow the advice described here, you should be able to hold your funds safely, either yourself or through a CEX like Binance.

Stay SAFU!

CZ
