CZ 8000-word detailed explanation: How to ensure the security of your crypto assets?


Stay SAFU!

Written by: CZ

Translated by: Editor Jr., BlockTempo

Binance founder Changpeng Zhao (CZ) posted on X yesterday evening (the 24th) that he had spent a day updating an article he wrote five years ago with security advice to help people in the crypto space avoid hacker attacks. This page translates and organizes that post in full.

The update comes after a run of incidents. Last week, on the 21st, the cryptocurrency exchange Bybit was reported hacked for approximately $1.46 billion, the largest theft in cryptocurrency history. Yesterday (the 24th), the crypto payment project Infini confirmed a hacker attack with losses nearing $50 million. This series of incidents has once again sounded the alarm for crypto security.

CZ's full article follows:

Keep Your Crypto Assets Safe (CZ's Advice)

Last Updated: 2025/2/24

Originally Published: 2020/2/25

It is truly disheartening to see that cryptocurrency users lack security awareness. It is equally painful to see experts recommending advanced setups that are difficult to follow and prone to errors.

Security is a broad topic. I am by no means an expert, but I have seen many security issues. I will do my best to explain in simple terms:

  1. Why, and how, you might store cryptocurrency yourself, and why you might not.

  2. Why, and how, you might keep cryptocurrency on a centralized exchange, and why you might not.

First of all, nothing is 100% secure. Software has vulnerabilities, and people can fall victim to social engineering attacks. The real question is, is it "secure enough"?

If you are storing $200 in a wallet, you may not need ultra-high security. A mobile wallet is sufficient. If you are storing a lifetime's savings, then you need stronger security.

To protect your cryptocurrency, you only need to do three things:

  1. Prevent others from stealing it.

  2. Prevent yourself from losing it.

  3. If you are no longer able to use it, there must be a way to pass it on to your loved ones.

It's simple, right?

Why You Might or Might Not Want to Store Cryptocurrency Yourself

Your private key is your funds. Or is it not?

Many cryptocurrency experts firmly believe that only by holding cryptocurrency yourself can you ensure its security, yet they never consider your technical level. Is this really the best advice for you?

A Bitcoin private key looks like this:

KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p

That's it. Anyone with a copy of it can transfer Bitcoin from that address (if there is any).
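To make the structure behind a string like the one above concrete, here is an added example (not part of CZ's article) that encodes and decodes Bitcoin's Wallet Import Format in pure Python: a version byte, the 32 raw key bytes, an optional compression flag and a 4-byte double-SHA-256 checksum, all Base58-encoded. The sample key is the documentation example from the Bitcoin wiki, not a funded key. The checksum catches a typo when the key is copied by hand, which matters for the backup discussion later, but it does nothing to protect the key from being read: anyone who sees the string holds the funds.

```python
# Added example, not from CZ's article: encode/decode Bitcoin WIF private keys.
# Python standard library only.
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes -> '1'
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)          # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_wif(key: bytes, compressed: bool = True, mainnet: bool = True) -> str:
    if len(key) != 32:
        raise ValueError("private key must be 32 bytes")
    version = b"\x80" if mainnet else b"\xef"
    payload = version + key + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def decode_wif(wif: str) -> dict:
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: typo or corrupted key")
    if payload[0] not in (0x80, 0xEF):
        raise ValueError("not a WIF private key")
    if len(payload) == 34 and payload[-1] == 0x01:
        key, compressed = payload[1:33], True
    elif len(payload) == 33:
        key, compressed = payload[1:], False
    else:
        raise ValueError("unexpected payload length")
    return {"key": key, "compressed": compressed, "mainnet": payload[0] == 0x80}


def typo_is_detected(wif: str) -> bool:
    """Alter the last character, as a hand-copy slip would, and check that
    decoding refuses the result."""
    altered = wif[:-1] + ALPHABET[(ALPHABET.index(wif[-1]) + 1) % 58]
    try:
        decode_wif(altered)
    except ValueError:
        return True
    return False


# Constructed sample: the Bitcoin wiki's WIF documentation key, not a funded one.
DOC_KEY = bytes.fromhex(
    "0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d")

if __name__ == "__main__":
    wif = encode_wif(DOC_KEY)
    print(wif, decode_wif(wif))
    print("typo detected:", typo_is_detected(wif))
```

Keys for compressed public keys (the common case today) encode with a trailing 0x01 flag and start with K or L, like the one shown above; uncompressed ones start with 5.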

To protect your cryptocurrency, you need to:

  1. Prevent others from obtaining a copy of your private key: keep hackers out, and protect your computer from viruses, network attacks, and other threats.

  2. Prevent yourself from losing the private key: Make backups in case of device failure or loss, and ensure the backups are secure.

  3. If an accident or death occurs, there must be a way to pass the private key to your loved ones. This is not a pleasant scenario, but as responsible adults, we must manage this risk.

Beware of Hackers

You've heard of hackers. They use viruses, trojans, and other malicious software. You don't want these things near your devices.

To achieve a certain level of confidence, ensure that your cryptocurrency wallet device is never connected to the internet. You also shouldn't download any files on this device. So, how do you use such a device?

Let's talk about the different devices you can use.

A computer is an obvious choice and is usually the device that supports the most cryptocurrencies. You should never connect this computer to any network. If you connect it to the internet, hackers may exploit vulnerabilities in the operating system or software you are using to invade your device. Software is never without vulnerabilities.

So how do you install software? With a USB flash drive. Make sure it is clean: scan it thoroughly with at least three different antivirus programs. Download the software you wish to install (the operating system and the wallet) onto the flash drive, then wait 72 hours and check the news to make sure the website or the software has not been compromised in the meantime.

Official websites have been hacked before and their download packages replaced with trojans. Only download software from official websites, and where the project publishes checksums or release signatures, verify the download against them before installing. Use only open-source software to reduce the risk of backdoors: even if you are not a programmer, open-source software is reviewed by other developers, which lowers that risk. This means you should use a stable Linux distribution (rather than Windows or macOS) as the operating system and only open-source wallet software.

Once everything is installed, you can use the clean USB flash drive to sign transactions offline. This process varies depending on the wallet and is not covered in this article. Many wallets for cryptocurrencies other than Bitcoin cannot perform offline signing.

You need to ensure the physical security of the device. If someone steals it, they may gain actual access to your device. Ensure that your hard drive is strongly encrypted; even if someone gets it, they cannot read it. Different operating systems provide different encryption tools. Again, tutorials on hard drive encryption are not covered in this article, but there are many resources available online.

If you can do the above, then you can make secure backups and do not need to read the rest of this article. If the above sounds like it's not for you, then there are other options.

You can use a mobile phone. An unrooted phone is usually more secure than a computer, thanks to the sandbox design of mobile operating systems. For most people, I recommend using an iPhone. If you are more technically inclined, I recommend using an Android phone with GrapheneOS installed. Similarly, you should only use one phone to manage the wallet and not mix it with your daily-use phone. You should only install wallet software and nothing else. Besides using the wallet for transfers, the phone should always be kept in airplane mode. I also recommend using a separate SIM card and only using 5G to connect to the internet. Never connect to WiFi. Only connect to the internet when signing transactions and updating software. If you do not have a large amount in your wallet, this is usually acceptable.

Some mobile wallets support offline signing (by scanning QR codes), which lets you keep the phone completely offline from the moment the wallet app is installed through the generation of the private key. That way your private key is never on a phone that has been connected to the internet, which also protects you against a wallet with a backdoor sending data back to its developers, something that has happened in the past even with official versions of apps. The trade-off is that you cannot update the wallet app or the operating system. To update, you need another phone: install the new version of the app, set the phone to airplane mode, generate a new address, back it up (covered below), and transfer the funds to the new phone. This is not very convenient. In addition, the cryptocurrencies and blockchains supported by these wallet apps are limited.

These wallet apps typically do not support staking, yield farming, or investing in meme coins. If you are interested in these, you will have to sacrifice some security.

You need to ensure the physical security of the phone.

Hardware Wallets

You can use a hardware wallet. These devices are designed to keep your private keys "forever" on the device, so your computer does not have a copy of it. (As of 2025, new versions of Ledger may send private keys to servers for backup, so this may no longer hold true.)

Hardware wallets have also had reported vulnerabilities, in firmware and elsewhere. All hardware wallets need to interact with software running on a computer (or phone) to function, so you still need to keep that computer free of malware. Some malware swaps the destination address of a transaction for the attacker's address at the last moment. Therefore, always verify the destination address on the device's own screen before confirming.

Hardware wallets protect against many basic types of attacks, and if you want to store cryptocurrency independently, it is still a good choice. However, the weakest part of hardware wallets is often how backups are stored, which we will discuss in the next section.

Prevent Yourself from Losing It

You may lose your device, or it may be damaged. Therefore, you need backups.

There are many methods here, each with its pros and cons. Fundamentally, you want to achieve multiple backups, stored in different geographical locations, and not easily visible to others (encrypted).

You can write it down on paper. Some seed-phrase wallets recommend this, since writing down 12 or 24 English words is relatively easy; a raw private key is much easier to miscopy. Paper can also be lost in a pile of documents, destroyed by fire or flood, or chewed up by your dog. And anyone who finds it can read it: there is no encryption.

Some people use bank vaults to store paper backups. For the reasons mentioned above, I generally do not recommend this option.

Do not take a photo of the paper (or screenshot), sync it to the cloud, and think it is safely backed up. If hackers invade your email account or computer, they will easily find it. Cloud service providers have many employees who can view it.

Some metal tags are specifically designed to store seed backups. These tags should be nearly indestructible, which basically solves the problem of damage in fires or floods. But it does not solve the problem of loss or easy readability by others. Furthermore, some people store these tags in bank vaults, usually alongside their gold or other metals. If you use this method, you should understand the risks involved.

I recommend using at least three USB flash drives, although this needs more technical setup (exactly the kind of expert-oriented advice I complained about at the start).

There are now shock-, water-, fire- and magnet-resistant USB flash drives. You can store encrypted copies of your private key backup on several such drives and distribute them to different locations (at friends' or relatives' homes). This meets all the requirements listed at the beginning of this section: multiple locations, not easily damaged or lost, and not easily readable by others.

The key is strong encryption. There are many tools available for encryption, and they will continue to evolve over time. VeraCrypt is a beginner-friendly tool that offers a reasonable level of encryption. Do your own research to find the latest encryption tools that suit you best.
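CZ's scheme stores a full encrypted copy on every drive, so each copy is exactly as safe as its passphrase. As an added example that is not from the article, and that goes beyond it into the threshold approach the article defers to advanced guides, the following Python splits a 32-byte key with Shamir secret sharing into n shares of which any k reconstruct it; a single stolen share reveals nothing about the key. The field prime, the fingerprint check and the sample key (the Bitcoin wiki's documentation key, not a funded one) are this example's own choices. Shares should still be stored encrypted, and the drives should be in separate places, as the article says.

```python
# Added example, not from CZ's article: k-of-n Shamir secret sharing of a
# 32-byte private key so that backups in different places are individually
# useless but jointly sufficient. Python standard library only.
import hashlib
import secrets
from typing import List, Optional, Tuple

# Field: the Mersenne prime 2**521 - 1 (an assumption of this example). Any key
# of up to 64 bytes is smaller than it, so it is a valid field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, y): x = share index 1..n, y = polynomial value


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Split secret into `shares` pieces; any `threshold` of them recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 < len(secret) <= 64:
        raise ValueError("secret must be 1..64 bytes")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    result = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner's rule, modulo PRIME
            y = (y * x + c) % PRIME
        result.append((x, y))
    return result


def recover_secret(shares: List[Share], length: int) -> bytes:
    """Lagrange interpolation at x=0. Raises if the result does not fit `length`."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total >= 1 << (8 * length):
        # Too few, mistyped or mismatched shares give a random field element,
        # which almost never fits the expected key length.
        raise ValueError("shares do not reconstruct a key of this length")
    return total.to_bytes(length, "big")


def fingerprint(secret: bytes) -> str:
    """Short hash stored next to every share to confirm a correct recovery."""
    return hashlib.sha256(secret).hexdigest()[:8]


def try_recover(shares: List[Share], length: int, fp: str) -> Optional[bytes]:
    """Recover and check against the stored fingerprint; None on any failure."""
    try:
        candidate = recover_secret(shares, length)
    except ValueError:
        return None
    return candidate if fingerprint(candidate) == fp else None


# Constructed sample: the Bitcoin wiki's documentation key, not a funded one.
SAMPLE_KEY = bytes.fromhex(
    "0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d")


def demo_backup() -> dict:
    """3-of-5: five drives in five places; any three recover, two do not."""
    fp = fingerprint(SAMPLE_KEY)
    shares = split_secret(SAMPLE_KEY, threshold=3, shares=5)
    stale = split_secret(SAMPLE_KEY, threshold=3, shares=5)[2]  # from an old split
    return {
        "any_three": try_recover([shares[0], shares[2], shares[4]], 32, fp) == SAMPLE_KEY,
        "only_two": try_recover(shares[:2], 32, fp) is None,
        "mixed_sets": try_recover(shares[:2] + [stale], 32, fp) is None,
    }


if __name__ == "__main__":
    print(demo_backup())
```

Shares from different splitting runs are not interchangeable, which is why the example rejects a share from an old backup mixed with two current ones; if you re-split, replace every drive. A wrong share usually yields a value that does not fit the key length and is rejected outright; the fingerprint catches the remaining cases and confirms that the recovered bytes are the right key before any funds are moved.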

Take Care of Your Loved Ones

We won't live forever. A legacy plan is necessary. In fact, cryptocurrency allows you to pass on wealth to your heirs more easily and reduces third-party involvement.

Again, there are several ways to do this.

If you use low-security methods like paper wallets or metal tags, you can simply share this information with them. Of course, there are potential downsides. If they are young or not tech-savvy, they may lack the proper means to safeguard or protect backup copies. If they make a mistake in security, hackers can easily steal your funds through them. Additionally, they can take your money at any time. Depending on the trust relationship you have with them, you may or may not want this.

I strongly advise against sharing private keys between individuals, regardless of the relationship. If funds are stolen, it will be impossible to determine who moved them or who was hacked. This can lead to confusion.

You can store paper wallets or metal tags in a bank vault or give them to a lawyer. But as mentioned above, if any relevant person obtains a copy of the private key, they can move funds without leaving much trace. This is different from how a lawyer must go through a bank to transfer your bank account balance to your heirs.

If you use the USB flash drive method mentioned above, there are ways to pass on your wealth more securely. Again, this requires more setup.

There are online services called dead man's switches. These services periodically send you an email (for example, once a month), and you must click a link or log in to respond. If you do not respond within a certain period, they assume you have passed away and send an email to your designated recipients. I do not recommend or guarantee any of these services; you should search for and test them yourself. In fact, Google itself offers a dead man's switch: in Google's account settings, there is an option that allows someone to access your account if you have not logged in for 3 months. Personally, I have not tested it and cannot guarantee its security. Please test it yourself.

If you are thinking, “Oh, great, I just need to send my private key to my child via email,” then please reread the beginning of this article.

You might also think, “I can put the password I use to encrypt the USB flash drive in these emails; that way, my child or spouse can unlock them.” This idea is closer, but still not good enough. You should not store backup passwords on online servers. This greatly undermines the security of your backups/funds.

If you are thinking, “I can encrypt an email containing the USB flash drive password with another password that I share with my loved ones,” then you are on the right track. In fact, you do not need a second password.

There is a time-tested email encryption tool called PGP (or its open-source implementation, GPG) that you should use. PGP is one of the earliest tools to use asymmetric (public-key) cryptography, the same family of techniques behind Bitcoin's signatures. Again, I will not provide a complete tutorial on PGP here; there are many such tutorials online. In summary, you should have your spouse or child generate their own PGP key pair, and then you encrypt the messages you send them with their public key, so only they can read the content and no one else can. This method is relatively secure, but it requires your loved ones to keep their PGP private keys safe and not lose them. Of course, they also need to know how to use PGP email, which is itself somewhat technical.

If you have followed the advice shared so far, then you have reached a basic (not advanced) level of being able to store a certain amount of cryptocurrency yourself. There are many other topics we can discuss that may also address some of the issues mentioned so far, including multi-signature, threshold signatures, etc., but these belong to more advanced guides.

In the next section, we will explore:

Using Exchanges

In this article, when we refer to exchanges, we mean centralized exchanges that hold your funds and help you manage them.

So, after reading the previous section, you might say, “Oh, this is really troublesome. I might as well keep my coins on an exchange.” Well, using exchanges is not without risks. While exchanges are responsible for safeguarding funds and ensuring system security, you still need to follow the right practices to secure your account.

Only Use Large and Reputable Exchanges

Yes, it’s easy for me to say this because Binance is one of the largest exchanges in the world. However, there is good reason for this statement. Not all exchanges are the same.

Large exchanges invest heavily in security infrastructure. Binance invests billions of dollars annually in security. This is reasonable given the scale of our business. Security encompasses a wide range of areas, including devices, networks, processes, employees, risk monitoring, big data, AI detection, training, research, testing, third-party partnerships, and even collaborations with global law enforcement agencies. Ensuring proper security requires significant funding, talent, and effort. Smaller exchanges simply do not have the scale or financial strength to achieve this. I may be criticized for saying this, but this is why I often say that for most ordinary people, using a trusted centralized exchange is safer than self-custodying coins.

There is counterparty risk. Many smaller or newer exchanges are exit scams from the start: they take some deposits and then disappear. For this reason, stay away from exchanges that claim to be unprofitable or that offer zero fees, large rebates, or other loss-making incentives. If their goal is not commercial revenue, your funds are likely their only target.

Proper security measures are expensive and require funding from a sustainable business model. Do not skimp on security for your funds. Large, profitable exchanges have no motivation to conduct exit scams. When you are running a profitable and sustainable billion-dollar business, why would you have the motivation to steal a few million dollars and then live in hiding, constantly on edge?

Large exchanges also undergo more security testing. Yes, this is also a risk. Hackers find it easier to attack large exchanges. However, hackers also target smaller exchanges, and some of them are even easier targets. Large exchanges typically have 5-10 external security firms that regularly conduct penetration testing and security assessments for them.

Binance goes further in security than most exchanges. We invest heavily in big data and AI to combat hackers and scammers. We have successfully prevented many users from losing funds during SIM swap attacks. Some users who use multiple exchanges have reported that when their email accounts were hacked, funds on other exchanges were stolen, while funds on Binance were protected because our AI system blocked the hackers' attempts to withdraw their funds. Even if small exchanges wanted to do these things, they could not because they simply do not have that much big data.

Protect Your Account

When using exchanges, it is still very important to protect your account. Let’s start with the basics.

Protect Your Computer

Once again, the computer is often the weakest link in the security chain. To access your exchange account, use a dedicated computer. Install commercial antivirus software on this computer (yes, invest in security), and only install the most basic other software. Set the firewall to the highest level.

Keep your gaming, browsing, downloading, and other activities on another computer. Even on this computer, keep the antivirus software running and set the firewall to the highest level. A virus on one computer can make it easier for hackers to access other computers on the same network, so keep your computer clean.

Do Not Download

Even if you only use centralized exchanges (CEX), I still recommend that you do not download any files on your computer. If someone sends you a Word document, ask them to send a Google Docs link instead. If they send a PDF file, open it in Google Drive rather than on your computer. If they send you a funny video, ask them to send a link to an online platform. Yes, I know this is a hassle, but security is not free, and losing funds is also not free. View everything in the cloud.

Turn off the “auto-save photos and videos” feature in instant messaging apps. Many apps default to downloading GIFs and videos, which is not a good security practice.

Keep Software Updated

I know all operating system updates are annoying, but they contain patches for recently discovered security vulnerabilities. Hackers also monitor these updates and often target those who are lazy about updating. So, make sure you always install these patches as soon as possible. Do the same for the wallets and other software you use.

Protect Your Email

I recommend using Gmail or Protonmail. These two email service providers are more secure than other platforms, and we see more security vulnerabilities on other platforms.

I recommend setting up a unique email account for each exchange you use, and make it hard to guess. This way, if one exchange is compromised, your Binance account will not be affected. This will also reduce the number of phishing or targeted email scams you receive.

Proton offers an email aliasing service called SimpleLogin that allows you to create a unique email address for each website you use. If you do not use another email forwarding service, I recommend using it.

Enable two-factor authentication (2FA) for your email service. I recommend using Yubikey for your email account. This is a powerful way to prevent various hacking attacks (including phishing sites, etc.). More details on 2FA will be provided later.

If you live in a country with reported SIM swap cases, do not use your phone number as a recovery method for your email account. We have seen many SIM swap victims have their email account passwords reset and hacked because of this. I no longer recommend linking your phone number to your email account; they should be kept separate.

Use a Password Manager

Use strong and unique passwords for each website. Do not bother trying to remember passwords; use a password manager. For most people, Keeper or 1Password may be sufficient. Both integrate well with browsers, phones, and so on, and claim to keep the vault encrypted on your devices and sync only the encrypted form across them.

If you are more serious, you can choose KeePass. It stores the vault only locally, so you do not have to worry about an encrypted copy sitting in the cloud. It does not sync across devices by itself and has less mobile support. It is open source, so you do not have to worry about backdoors.

Do your own research and choose the tools that suit you. But do not try to save time by using simple or worse the same password everywhere. Ensure you use strong passwords; otherwise, the time you save may cost you dearly.

Even with these tools, if your computer has a virus, you will still be compromised. So, ensure your computer has good antivirus software.

Enable 2FA

It is strongly recommended that you enable 2FA (two-factor authentication) immediately after registering your Binance account. If you have not enabled it yet, please set it up right away. Because the 2FA code is generated on your phone, an attacker who has stolen only your email and password is still stopped at login.

However, 2FA does not protect you from all attacks. If your computer has a virus, malware that steals your email and password can also monitor your keystrokes when you enter the 2FA code and steal that code. You might interact with a phishing site, enter your email and password, and then input the 2FA code on a fake website. Hackers can then use this information to log into your real Binance account. There are many possible scenarios, and we cannot list them all.

Set Up U2F

U2F (now part of the FIDO2/WebAuthn standards) is a hardware-backed login method: the key holds a private key that never leaves the device and answers each login with a signature over a challenge that is bound to the website's domain, rather than a code that you type. Yubikey is the de facto standard device in this field.

U2F has three main advantages. First, it is hardware-based, so the keys stored on the device are nearly impossible to extract. Second, the response is bound to the domain. Even if you are tricked into using the key on a phishing site, the response is computed for the phishing domain and the real site will reject it. Third, it is easy to use. You just need to carry it with you.

For these reasons, I recommend binding a Yubikey to your Binance account. It provides one of the best protections against hackers.

You should also bind your Yubikey to your Gmail, password manager, and other accounts to secure them.
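The difference between the 2FA code above, which a phishing site can relay, and a domain-bound U2F response, as an added example that is not part of CZ's article. The TOTP half follows RFC 6238 (SHA-1, 6 digits, 30-second step) and uses the RFC's test secret. The FIDO half is a simplified model: an HMAC stands in for the real ECDSA signature so that the code runs on the standard library alone, but the origin binding it shows, where the browser records the origin in the signed client data and the server rejects any other origin, is the real mechanism. The domains, master secret and challenge are constructed for the example.

```python
# Added example, not from CZ's article: why a relayed 2FA code lets a phisher
# in while a U2F/FIDO response does not. TOTP per RFC 6238. The FIDO side is a
# simplified model (HMAC in place of ECDSA), but the origin binding is real.
# Domains, secrets and challenges are constructed. Standard library only.
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP for Unix time `at`."""
    return hotp(secret, at // step)


def server_accepts_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Typical server check: current step plus/minus `window` steps."""
    return any(hmac.compare_digest(code, hotp(secret, at // 30 + d))
               for d in range(-window, window + 1))


class Authenticator:
    """Hardware key: one master secret, a distinct key per relying-party ID.
    The private material never leaves this object."""

    def __init__(self, master: bytes):
        self._master = master

    def _key_for(self, rp_id: str) -> bytes:
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # Real FIDO hands the site a public key; here the site gets the HMAC key.
        return self._key_for(rp_id)

    def sign(self, rp_id: str, client_data_hash: bytes) -> bytes:
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(self._key_for(rp_id), rp_hash + client_data_hash,
                        hashlib.sha256).digest()


def browser_assertion(auth: Authenticator, origin: str, challenge: bytes) -> dict:
    """The browser, not the page, records the origin and derives the RP ID
    (real browsers check that the RP ID matches the origin's domain)."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    signature = auth.sign(rp_id, hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "signature": signature}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.credential = None

    def register(self, credential_key: bytes) -> None:
        self.credential = credential_key

    def verify(self, challenge: bytes, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        # A response produced on another origin is rejected before any crypto.
        if data["origin"] != self.origin or data["challenge"] != challenge.hex():
            return False
        rp_hash = hashlib.sha256(self.rp_id.encode()).digest()
        expected = hmac.new(self.credential,
                            rp_hash + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


TOTP_SECRET = b"12345678901234567890"          # RFC 6238 test secret
MASTER = b"constructed-hardware-key-secret"    # constructed


def phishing_relay(now: int) -> dict:
    """Victim logs in on binance-login.example; phisher relays to binance.com."""
    # 1. TOTP: the code the victim types on the fake site is just a string; the
    #    phisher submits it to the real site a few seconds later and it passes.
    typed_code = totp(TOTP_SECRET, now)
    totp_relay_accepted = server_accepts_totp(TOTP_SECRET, typed_code, now + 5)

    # 2. FIDO: the phisher forwards the real site's challenge, but the browser
    #    is on the phishing origin, so the signed client data names that origin
    #    and the key is derived for the wrong RP ID.
    real_site = RelyingParty("https://binance.com")
    key = Authenticator(MASTER)
    real_site.register(key.register(real_site.rp_id))
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    relayed = browser_assertion(key, "https://binance-login.example", challenge)
    genuine = browser_assertion(key, "https://binance.com", challenge)
    return {
        "totp_relay_accepted": totp_relay_accepted,
        "fido_relay_accepted": real_site.verify(challenge, relayed),
        "fido_genuine_accepted": real_site.verify(challenge, genuine),
    }
```

The TOTP server has no way to tell a typed code from a relayed one, which is why a keylogger or a fake login page defeats it. In the FIDO flow the phisher never gets anything reusable: the response is tied to the origin the browser saw, and the same key pressed on the real site still works.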

Stop Using SMS Verification

SMS verification was once widely promoted, but with the increase in SIM swap incidents, we recommend that you stop using SMS verification and rely more on the aforementioned 2FA or U2F.

Set Up Withdrawal Address Whitelisting

We strongly recommend that you use Binance's withdrawal whitelist feature. This feature allows you to quickly withdraw to approved addresses and makes it difficult for hackers to add new withdrawal addresses.

Enable the 24-hour waiting period for newly added whitelisted addresses. If a hacker tries to add a new address, you are notified and have 24 hours to intervene before it becomes usable.

API Security

Many of our users trade using APIs. Binance offers API key types that use asymmetric (public-key) cryptography. This means Binance only needs your public key: you generate the key pair in your own environment and provide the public key to the platform. We use your public key to verify that orders were signed by you and never hold your private key. You must protect your private key.

You do not need to back up your API keys like you would with cryptocurrency. If you lose your API key, you can create a new one at any time. Just make sure no one else has your API key.

Do not enable withdrawal functionality for your API keys unless you really know what you are doing.

Complete L2 KYC

One of the best ways to keep your account secure is to complete L2 KYC (Know Your Customer) verification. This way, we can know what you look like. When our big data risk engine detects anomalies in your account, we can use advanced automated video verification.

This is also important in case you can no longer use your account. Binance can assist family members in accessing the accounts of deceased relatives after proper verification.

Physically Secure Your Devices

Once again, keep your phone secure. You may have email apps, the Binance app, and 2FA codes on your phone. Do not root or jailbreak your phone, as this greatly reduces its security. You should also maintain the physical security of your phone and set appropriate screen locks. The same goes for other devices.

Protect Against Phishing Attacks

Be wary of phishing attacks. These attacks often come in the form of emails, text messages, or social media posts containing links to fake Binance websites. These sites will prompt you to enter your account credentials, which hackers will use to access your real Binance account.

Preventing phishing attacks requires vigilance. Do not click on links in emails or social media sites. Only access Binance by typing the URL or using bookmarks. Do not share your email with others. Do not use the same email on other sites. Be cautious when strangers (especially those named CZ or similar) suddenly contact you on platforms like Telegram or Instagram.

If you follow the above advice, your Binance account should be relatively secure.

So, which is better?

I generally recommend that people use a combination of centralized exchanges and self-custody wallets. If you are not very tech-savvy, I suggest keeping most of your funds on Binance and having your own spending wallet (like TrustWallet). If you are more technically inclined, you can adjust your fund allocation as needed.

Centralized exchanges occasionally undergo maintenance, so having a separate wallet is very convenient if you need to trade quickly.

If you follow the advice described here, you should be able to hold funds securely, whether self-custodied or through a CEX like Binance.

Stay SAFU!

CZ

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image on this page infringes your rights, please send proof of the rights and of your identity to support@aicoin.com, and the platform's staff will investigate.
