Introduction

In recent years, with the rapid development of blockchain and Web3 technologies, crypto assets have been widely adopted worldwide, attracting numerous investors and institutions. However, security incidents have also emerged one after another, ranging from hacking attacks and internal breaches to phishing scams and irreversible asset losses due to lost private keys.

According to a report by blockchain analytics firm Chainalysis, the total amount of cryptocurrency stolen due to hacking increased by 21% in 2024, reaching $2.2 billion. This marks the fourth consecutive year that hacker thefts have exceeded $1 billion, with the number of incidents rising from 282 in the previous year to 303.

Against this backdrop, building a scientific, rigorous, and multi-layered security protection system has become essential for safeguarding digital wealth.

This article will provide a detailed discussion on various aspects, including the current state of Web3 security threats, self-custody of personal assets, security measures for centralized exchanges, device and network environment, zero-trust strategy, asset inheritance and emergency management, and global security incident statistics. It aims to offer an effective security prevention guide for industry professionals and investors.

Current State of Web3 Security Threats

According to the “Hack3d: 2024 Annual Security Report” released by Web3 auditing firm CertiK on January 2, 2025, there were 760 security incidents in the Web3 space in 2024, resulting in over $2.3 billion in losses. Compared to 2023, the total loss amount increased by 31.61%, and security incidents rose by 29 cases year-over-year. This highlights the severity of security challenges in the current Web3 landscape.

Social Engineering Attacks

Social engineering attacks are among hackers’ most common techniques. Attackers often impersonate acquaintances, customer service representatives, or well-known institutions, using emails, instant messaging platforms, or social media to send fake investment advice, meeting invitations, or phishing links. These tactics are designed to trick users into clicking malicious links or revealing sensitive information.

Source: FBIJOBS

According to the “FBI Cyber Division 2024 Crypto Crime Report” released by the Federal Bureau of Investigation (FBI) in early 2024, approximately 35% of crypto asset security incidents are directly related to social engineering attacks.

Therefore, when receiving any unverified instructions or information, users must verify the source through multiple methods, such as phone or video calls, to ensure its authenticity and reliability.

Insider Infiltration

Insider infiltration refers to hackers posing as job seekers or exploiting internal employees to gain access to a target organization’s internal systems, where they steal sensitive information or assets.

Source: CryptoSlate

According to the CipherTrace 2024 Report, from 2023 to early 2024, insider infiltration incidents accounted for approximately 18% of all crypto asset security breaches, with multiple cases resulting in significant institutional losses.

Since internal personnel often have access to highly sensitive information, any security failure can lead to severe consequences. To mitigate these risks, organizations must strengthen hiring screening, conduct regular background checks, and implement multi-layered monitoring and access control for critical positions.

Similar Address Attacks

Similar address attacks exploit software-generated wallet addresses that closely resemble a target address, differing only in a few leading or trailing characters. These attacks trick users into mistakenly sending funds to an incorrect address due to oversight during transactions.

According to Chainalysis’ 2024 Crypto Crime Report, misdirected funds due to similar address attacks exceeded $850 million in early 2024.

To prevent such losses, users must carefully verify at least 5 to 6 characters of the recipient’s address before confirming any transaction, ensuring absolute accuracy.

Public WiFi Risks

Public WiFi networks often lack adequate encryption protection, making them a prime target for hackers.

According to the FBI’s 2024 report, in 2023, nearly 30% of crypto security attacks originated from public WiFi networks. Conducting crypto transactions over public WiFi poses extreme risks, as hackers can use man-in-the-middle (MITM) attacks to steal user account credentials or intercept private key transmissions.

Therefore, users should avoid performing sensitive operations on public networks and prioritize using private or strongly encrypted network environments.

Security Measures for Self-Custody of Personal Assets

The principle “Not your keys, not your coins” grants users full control over their assets but also places the entire security responsibility on them. According to Foresight News, in 2024, private key leaks resulted in losses of up to $1.199 billion, accounting for 52% of all security-related losses.

Therefore, when managing assets independently, individuals must adopt strict security measures and follow professional advice to diversify risks.

Advantages and Risks of Self-Custody

The primary advantage of self-custody is full control over assets, eliminating concerns about third-party platform failures or security breaches. However, this method requires a high level of technical expertise—if a private key is lost or exposed, the asset loss is irreversible.

Industry leader CZ has repeatedly emphasized in public speeches that a well-balanced risk diversification strategy and strict security procedures are essential for asset protection. For users with limited technical expertise, a hybrid approach—combining partial self-custody with trusted custodial solutions—can help reduce overall risks.

Cold Wallets and Offline Signing

To mitigate the risk of online attacks, cold wallets (offline wallets) are a crucial tool for protecting private keys. Common cold wallet solutions include:

Dedicated Computer Cold Wallet
Set up a dedicated computer specifically for generating and storing private keys, ensuring that the device always remains offline. All operating systems and wallet software must be downloaded from official sources and scanned with multiple antivirus programs before installation. Transactions are signed offline and transferred via USB devices.

Dedicated Mobile Device
A dedicated mobile phone can be used for wallet management for users managing smaller funds. This device should be set to airplane mode when not in use and only connected to the internet briefly when necessary for transactions.

Hardware Wallet

Source: Coindesk

Hardware wallets are designed to securely store private keys within the device, ensuring they are never exposed, even when connected to a computer. However, regular firmware updates and proper backups remain essential for long-term security.

Multi-Layered Backup and Data Encryption

To prevent permanent private key loss due to device failure, loss, or unforeseen circumstances, establishing a robust backup system is essential. Recommended measures include:

Paper Backup
Write down seed phrases or private keys on fire-resistant and moisture-proof paper, storing them in high-security safes. However, paper backups are vulnerable to physical damage, making long-term preservation risky.

Metal Backup

Using fireproof, waterproof, and magnetic-resistant metal plates to store seed phrases provides better protection against natural disasters like fires and floods.

Encrypted USB Storage

Source: Elcomsoft

Store encrypted private key backups on USB devices, distributing them across multiple geographically separate locations. Additional encryption using tools like VeraCrypt ensures that even if the device is lost, the data remains highly resistant to hacking attempts.

Asset Inheritance and “Dead Man’s Switch”

A unique characteristic of crypto assets is that once a private key is lost or exposed, recovery is impossible. According to incomplete statistics, in 2024 alone, over 10% of permanent asset losses were caused by poor key management. Therefore, establishing a comprehensive asset inheritance plan is crucial. Key measures include:

Secret Sharing Technology
Split a private key or seed phrase into multiple parts and store them in separate secure locations. Even if some backups fail, the remaining pieces can still be used to recover assets.

“Dead Man’s Switch” Services
Some platforms offer a “Dead Man’s Switch” function, which automatically notifies a designated heir if a user fails to confirm their account status for a prolonged period. When using this feature, PGP encryption or similar tools should be implemented to ensure secure data transmission.

Legal Planning
Consult a professional lawyer in advance to formalize and legalize an asset inheritance plan, ensuring that family members can lawfully inherit the assets in case of unforeseen circumstances. As regulatory authorities worldwide continue to introduce new guidelines, staying updated on the latest legal developments is highly recommended.

Account Security Measures

For most users, fully self-managing assets ensures absolute independence but is complex and carries high risks. In contrast, entrusting part of the assets to a reputable centralized exchange (CEX) is a relatively stable option. However, even large platforms cannot eliminate security risks. Therefore, users should implement multiple protective measures when using exchanges.

The Importance of Platform Selection

Large exchanges typically have comprehensive security systems, including multi-layered risk control mechanisms, 24/7 monitoring, professional security teams, and partnerships with global security agencies. According to the CipherTrace 2024 report, security incidents involving exchanges resulted in a total loss of over $1.5 billion from 2023 to early 2024. Choosing an established exchange with a good reputation can significantly reduce the risk of asset theft or platform bankruptcy.

Account Security Measures

Ensuring account security is crucial when using centralized exchanges. The following measures are recommended:

Dedicated Device Login
Use a dedicated computer or mobile device to log into exchange accounts, avoiding mixing it with daily activities. Ensure that the device runs a genuine operating system, regularly updates security patches, and has reputable antivirus software and firewalls installed and running.

Email Security

When registering, use a highly secure email service such as Gmail or ProtonMail, and create a separate email account for each exchange to prevent cascading risks in case one email is compromised.

Strong Passwords & Password Managers

Set a unique and complex password for each account. Use a password manager such as 1Password or KeePass to securely store and manage passwords, eliminating the risk of reusing passwords across multiple platforms.

Two-Factor Authentication (2FA) & Hardware Security Keys

Enabling 2FA is a fundamental security measure. However, since SMS-based authentication is vulnerable to SIM swap attacks, it is recommended to use an authentication app (e.g., Google Authenticator) or a hardware security key (e.g., YubiKey). Additionally, when managing API keys, always disable withdrawal permissions to prevent major asset losses in case of key exposure.

API & Automated Trading Security

For users relying on API for automated trading, additional precautions should be taken:

Upload Public Keys Only
Ensure that private keys are always stored locally and never transmitted over the network.

Strict Permission Management
Set minimal necessary permissions for API keys, regularly rotate them, and avoid granting excessive privileges that hackers could exploit.

Real-Time Account Activity Monitoring
Implement a real-time monitoring system and configure alert notifications for abnormal activities. If suspicious transactions are detected, promptly freeze the account to prevent further losses.

Device & Network Security Protection

The security of devices and network environments is the weakest link in crypto asset protection and must be taken seriously.

Device Security

Antivirus protection is crucial. Install and keep reputable antivirus software and firewalls enabled, and perform regular system scans to prevent malware from stealing sensitive information.

Phishing Prevention

Directly Access Official Websites
To avoid phishing websites, users should manually enter the official website URL in the browser’s address bar or use pre-saved bookmarks instead of clicking on links from emails or social media.

Verify Information from Multiple Sources
For emails or messages involving sensitive operations, verify authenticity via official support channels or phone confirmation to prevent security incidents caused by misinformation.

Zero-Trust Principle & Risk Management

In today’s complex and ever-changing digital environment, the zero-trust principle is more important than ever. Zero trust requires users to remain highly vigilant about all operations and information sources—no request should be blindly trusted, and all must be verified through multiple layers of security.

As CZ emphasized, “Only strict risk management and multi-layered protection can truly ensure asset security.” Implementing a zero-trust strategy not only defends against external attacks but also addresses internal management vulnerabilities. Therefore, establishing a comprehensive risk management system and real-time monitoring mechanism is fundamental to securing crypto assets.

Global Security Incidents & Industry Status

To provide a clearer understanding of the security landscape in the Web3 space, the following data is sourced from the latest authoritative reports from 2024–2025:

Crypto Asset Theft Losses
According to the Chainalysis “Crypto Crime Report 2024” (published in March 2024), total losses from crypto theft, scams, and other security incidents exceeded $900 million globally from late 2023 to Q1 2024.

Private Key Losses
Recent BitInfoCharts data (updated in February 2024) indicates that approximately 22% of all Bitcoin has been permanently lost due to users misplacing their private keys (UTXOs untouched for five years are considered lost), with an estimated total value exceeding $35 billion.

Insider Breaches & Platform Bankruptcies
The CipherTrace 2024 report highlights that 18% of security incidents from 2023 to early 2024 were caused by insider breaches, with some leading directly to exchange bankruptcies or massive fund outflows.

Public Network Attack Risks
The FBI “Crypto Crime Report 2024” reveals that 35% of crypto security attacks are linked to public WiFi usage, underscoring the high risks associated with unsecured network environments.

Conclusion

In summary, security in the Web3 era involves not only technical vulnerabilities but also comprehensive management and risk planning. Only through a multi-layered, holistic security framework can we truly mitigate risks and prevent irreversible losses of digital assets due to a single oversight.

As regulatory policies continue to evolve and technology advances, crypto asset security will inevitably reach a more mature stage. Industry participants and investors should continuously update their security knowledge, enhance protective measures, and adjust strategies based on the latest authoritative reports—working together to uphold the principle of “KeepYourCrypto#SAFU.”

Additionally, with the potential threat of quantum computing, L2 quantum-resistant solutions are becoming a focal point. For instance, StarkNet is exploring enhancements to its ZK-SNARKs technology to strengthen its resilience against quantum attacks. Meanwhile, NIST is actively advancing the standardization of post-quantum cryptography, paving the way for a more robust cryptographic foundation. These efforts will help ensure a comprehensive and forward-looking security framework for the crypto ecosystem before the quantum era arrives.