Cybersecurity for Bitcoiners

Last updated: 2026-07-09

Your seed words live offline, but your life does not. Exchanges, email, phones, browsers, cloud accounts, and fake support messages are how attackers usually get close enough to hurt you.

What should you secure before holding serious bitcoin?

Before holding serious bitcoin, secure your email, phone number, password manager, devices, and exchange accounts. Use unique passwords, hardware security keys or authenticator apps, full-disk encryption, software updates, and a clean browser. Never store seed words in photos, notes, email, chat, or cloud drives.

AreaMinimum moveWhy it matters
EmailUnique password + security keyEmail resets most accounts
PhoneSIM-swap protectionPhone numbers are weak identity proofs
DevicesUpdates + disk encryptionStolen laptops should not expose wallet files
BrowserFew extensionsExtensions can read pages and swap addresses
CloudNo seeds, no wallet photosCloud sync turns one mistake into many copies

Email Is the Master Key

Your email account resets exchange logins, password managers, cloud storage, and sometimes phone-provider accounts. Treat it like a signing key.

Use a strong unique password. Turn on a security key or passkey if your provider supports it. Save recovery codes offline, not in the same mailbox they protect.

If you use exchanges, create a dedicated email address for them. Do not use the same email you use on social media, forums, newsletters, or shopping sites.

Password Manager

Use a real password manager and give every account a different password. Do not make clever variations of the same password. Humans are bad at this.

Good rule: if an account can identify you, hold money, reset another account, or expose your address, it belongs in the password manager.

Back up the password manager recovery method on paper. If it uses an emergency kit, print it and store it with important documents, not with your seed words.

Security Keys and Passkeys

Use a hardware security key where possible, especially for email, password manager, exchange, and domain registrar accounts. A security key will not type a one-time code into a phishing site.

Passkeys are also good when backed by your device hardware. The tradeoff is recovery: know what happens if your phone and laptop are both gone.

SMS is the fallback you want to remove, not the safety net you want to rely on.

Phone Number Hygiene

Call your mobile carrier and ask for port-out protection, a transfer PIN, or account takeover protection. The names vary. The point is simple: make it harder for a stranger to move your number to their SIM.

Then remove SMS recovery from accounts that matter. A phone number should not be the master key to your bitcoin life.

Use an authenticator app or security key instead. Keep backup codes offline.

Device Hygiene

Keep your operating system and browser updated. Enable full-disk encryption. Lock your screen automatically. Do not share the same computer account with kids, guests, or employees.

For large transactions, use a clean computer profile or a dedicated laptop. It does not need to be fancy. It needs to have fewer random apps, fewer browser extensions, and fewer chances for malware to sit between you and the address you meant to pay.

Your COLDCARD signs offline, but the computer still builds the transaction. Treat it with respect.

Browser Extensions

Browser extensions can read and change pages. That is exactly what you do not want around exchange withdrawals, wallet downloads, or addresses.

Keep only the extensions you truly need. Remove coupon extensions, unknown PDF tools, screen recorders, AI sidebars, and anything you installed once and forgot.

When downloading wallet software, type the URL yourself or use a saved bookmark. Search ads are a common trap.

Phishing and Fake Support

Bitcoin companies do not need your seed words. Wallet apps do not need your seed words. Support agents do not need your seed words. Nobody does.

Common traps:

  • Fake wallet download pages
  • Fake support DMs after you post a problem
  • Phone calls claiming urgent account risk
  • Browser popups asking you to “verify” a wallet
  • Emails that push you to act before you can think

If someone contacts you first, assume it is a scam. Close the tab. Hang up. Go to the known website yourself.

Cloud Storage Rule

No seed photos. No seed notes. No wallet backup screenshots. No “encrypted” zip of seed words in iCloud, Google Drive, Dropbox, email, Slack, or Telegram.

Cloud accounts are useful for normal files. They are a terrible place for wallet secrets.

For wallet metadata like output descriptors or watch-only files, cloud storage may be acceptable if it contains no private keys and you understand the privacy leak. Label it clearly so your future self knows what it is.

What To Do This Week

  1. Put your email and password manager behind a security key or passkey.
  2. Remove SMS recovery from accounts that support better options.
  3. Delete seed photos or notes if you ever made them.
  4. Remove browser extensions you do not need.
  5. Turn on full-disk encryption and automatic updates.
  6. Save recovery codes offline.

This is boring work. Good. Boring defenses are the ones you keep using.