
Written by: CZ, founder of Binance & Translated by: Editor Jr., BlockTempo
Changpeng Zhao (CZ), founder of Binance, posted an article on social platform X yesterday evening (24th), updating an article about cryptocurrency security advice to help users avoid hacker attacks. This article compiles and organizes the full text of CZ's article.
Cryptocurrency exchange Bybit was hacked on the 21st of last week, with a loss of approximately US$1.46 billion, making it the largest theft in the history of cryptocurrency; and just yesterday (24th), the crypto payment project Infini was confirmed to have been hacked again, with a loss of nearly US$50 million... This series of hacking incidents has once again sounded the alarm for crypto security.
Against this backdrop, Binance founder Changpeng Zhao (CZ) posted on social media platform X yesterday evening (24th) that he spent a day on Sunday updating an article he wrote five years ago on security advice to help people in the cryptocurrency world avoid hacker attacks.
This article compiles the full text of CZ's article as follows:
Updated: 2025/2/24
Original release: 2020/2/25
It's painful to see cryptocurrency users lack security awareness. It's also painful to see experts recommend advanced settings that are hard to follow and prone to errors.
Security is a broad topic. I am by no means an expert, but I have seen many security issues. I will try to explain it in layman's terms:
Why and how, or why not, do you choose to store your crypto yourself?
Why and how, or why not, do you choose to store your crypto on a centralized exchange?
First, nothing is 100% secure. Software has vulnerabilities, and people can be subject to social engineering attacks. The real question is, is it "secure enough"?
If you are storing $200 in a wallet, you probably don't need super high security. A mobile wallet will suffice. If you are storing your life savings, then you need stronger security.
To protect your cryptocurrency, you only need to do three things:
Prevent others from stealing it.
Prevent yourself from losing it.
If you can’t use it, there has to be a way to pass it on to your loved ones.
Simple, right?
Your private keys are your funds. Or not?
Many cryptocurrency experts firmly believe that only by holding your own cryptocurrency can you keep it safe, without ever considering your technical skills. Is this really the best advice for you?
A Bitcoin private key looks like this:
KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p
That's it. Anyone with a copy of it can move the Bitcoins at that address (if any).
To protect your cryptocurrency, you need to:
Prevent others from getting a copy of your private key: Prevent hackers from getting in, and protect your computer from viruses, cyber attacks, and other threats.
Prevent yourself from losing your private key: Make backups in case your device is damaged or lost, and keep your backups safe.
In the event of an accident or death, there has to be a way to pass the private key to your loved ones. It's not a pleasant situation, but as adults responsible for our loved ones, we have to manage this risk.
You've heard of hackers. They use viruses, trojans, and other malware. You don't want these things anywhere near your devices.
To achieve a certain level of confidence, make sure your cryptocurrency wallet device is never connected to the Internet. You should also not download any files on this device. So, how do you use such a device?
Let's talk about the different devices you can use.
A computer is an obvious choice, and is usually the device that supports the most currencies. You should never connect this computer to any network. If you connect it to the internet, hackers can potentially break into your device by exploiting vulnerabilities in the operating system or the software you use. Software is never free of vulnerabilities.
So, how do you install software? You use a USB stick. Make sure it is clean. Scan it thoroughly with at least three different antivirus programs. Download the software you wish to install (operating system and wallet) to the USB stick. Wait 72 hours. Check the news to make sure the website or software has not been hacked.
Official websites have been hacked and the download package replaced with a trojan. You should only download software from official websites. You should only use open source software to reduce the risk of backdoors. Even if you are not a programmer, open source software is reviewed by other developers and has a lower risk of backdoors. This means you should use a stable version of Linux (not Windows or Mac) as your operating system, and only use open source wallet software.
Once everything is installed, you can use a clean USB drive to sign transactions offline. This process will vary from wallet to wallet and is beyond the scope of this article. Many wallets, except for Bitcoin, do not allow offline signing.
You need to make sure your device is physically secure. If someone steals it, they may have physical access to your device. Make sure your hard drive is strongly encrypted so that even if someone gets hold of it, they cannot read it. Different operating systems provide different encryption tools. Again, a tutorial on hard drive encryption is beyond the scope of this article; there are many resources online.
If you can do the above, then you will be able to make a safe backup and do not need to read the rest of this article. If the above does not sound like your cup of tea, there are other options.
You can use your phone. A non-rooted phone is generally more secure than a computer due to the sandbox design of the phone's operating system. For most people, I recommend an iPhone. If you are more technical, I recommend using an Android phone with GrapheneOS installed. Again, you should only use one phone to manage your wallet, and not mix it with the phone you use for daily use. You should only install the wallet app and nothing else. You should always keep your phone in airplane mode except when using the wallet to transfer money. I also recommend using a separate SIM card and only using 5G to connect to the Internet. Never connect to WiFi. Only connect to the Internet when using your phone to sign transactions and update software. This is usually okay if you don't have a very large amount in your wallet.
Some mobile wallets offer the ability to sign transactions offline (by scanning a QR code), so you can keep your phone completely offline, from the time the wallet app is installed to before generating private keys. This way, your private keys are never on a phone that is connected to the Internet. This prevents the wallet from having backdoors and sending data back to the developer, which has happened in the past, even with the official version of the app. You will not be able to update the wallet app or the operating system. To do a software update, you need to use another phone, install the new version of the app, put it in airplane mode, generate new addresses, back it up (more on that later), and then transfer your funds to the new phone. It’s not very convenient. In addition, these wallet apps have a limited range of supported coins and blockchains.
These wallet apps generally don’t support staking, yield mining, or investing in meme coins. If you’re interested in those, you’ll have to sacrifice a bit of security.
You’ll need to keep your phone physically secure.
You can use a hardware wallet. These devices are designed so that your private key “never” leaves the device, so your computer won’t have a copy of it. (As of 2025, new versions of Ledger may send private keys to servers for backup, so this is no longer true.)
Hardware wallets have also had reported vulnerabilities in software and other areas. All hardware wallets need to interact with software running on your computer (or phone) to work. You still need to make sure your computer is virus-free. Some viruses can switch your transaction destination address to a hacker's address at the last minute, etc. So always double-check the destination address on your device.
Hardware wallets protect against many basic types of attacks and are still a good choice if you want to store your cryptocurrency independently. However, the weakest part of hardware wallets is usually how you store backups, which we will discuss in the next section.
You can lose your device or it can get damaged. Therefore, you need backups.
There are many ways to do this, each with its own pros and cons. Basically, you want to have multiple backups, stored in different geographical locations, and not easily visible to others (encrypted).
You can write it down on a piece of paper. Some wallets that use seed wallets recommend this because writing down 12 or 24 English words is relatively simple. With private keys, you can easily make a mistake. Paper can also get lost in a pile of documents, get damaged in a fire or flood, or get chewed up by your dog. It's also easy for someone else to read the paper - it's not encrypted.
Some people use bank vaults to store paper backups. For the reasons mentioned above, I generally don't recommend this option.
Don't take a photo (or screenshot) of the paper, sync it to the cloud, and think it's safely backed up. If a hacker breaks into your email account or computer, they can easily find it. The cloud service provider has many employees who can look at it.
There are metal tags designed specifically to store seed backups. These tags are supposed to be virtually indestructible, which basically solves the problem of damage in a fire or flood. But it doesn't solve the problem of loss or easy reading by others. Again, some people store these tags in bank vaults, often with their gold or other metals. If you use this approach, you should understand the risks.
I recommend using at least 3 USB sticks, but this requires a more technical setup and is a myth for experts.
There are shockproof, waterproof, fireproof, and magnetic-proof USB sticks. You can store encrypted versions of your private key backups on multiple such USB sticks and spread them out in different locations (friends or relatives). This addresses all the requirements mentioned at the beginning of this section: multiple locations, not easily damaged or readable by others if lost.
The key is strong encryption. There are many tools available for encryption, and they are getting better over time. VeraCrypt is an entry-level tool that provides a reasonable level of encryption. Do your own research to find the latest encryption tool that works best for you.
We won't live forever. An estate plan is needed. In fact, cryptocurrencies make it easier to pass on wealth to your heirs and reduce the involvement of third parties.
Again, there are ways to do this.
If you use a low-security method such as a paper wallet or metal tag, you can simply share this information with them. Of course, there are some potential disadvantages. If they are young or unskilled, they may lack the proper means to keep or protect backup copies. If they make a mistake in security, hackers can easily steal your funds through them. In addition, they can take your money at any time. Depending on the trust relationship you have with them, you may or may not want this.
I strongly recommend not sharing private keys between people, regardless of the relationship. If the funds are stolen, it will be impossible to determine who moved them or who was hacked. It will be very confusing.
You can store the paper wallet or metal tag in a bank vault or give it to a lawyer. But as mentioned above, if anyone involved gets a copy of the private key, they can move the funds without much of a trace. This is different from a lawyer having to go through a bank to pass your bank account balance to your heirs.
If you use the USB stick method mentioned above, there are ways to pass on your wealth more securely. Again, this requires more setup.
There are some online services called Deadman's switches. These services will email you periodically (for example, once a month) and you have to click a link or log in to respond. If you don't respond within a certain period of time, they assume you are dead and send an email to your intended recipient. I would not recommend or vouch for any of these services; you should search and test them yourself. In fact, Google itself is a Deadman's switch. In Google's settings, there is an option to give someone access to your account if you haven't accessed it for 3 months. Personally, I haven't tested it and can't vouch for its security. Please test it yourself.
If you are thinking, “Oh great, I can just email the private key to my kids,” then please re-read the beginning of this article.
You may also be thinking, “I can put the password I use to encrypt the USB drives in these emails; that way, my kids or spouse can unlock them.” That’s closer, but still not quite there. You should not store your backup passwords on a server on the Internet. This will significantly weaken the security of your backups/funds.
If you are thinking, “I can encrypt the email containing the USB drive password with another password that I share with my loved ones,” then you are already on the right track. In fact, you don’t need a second password.
There is a time-tested email encryption tool called PGP (or GPG) that you should use. PGP was one of the first tools to use asymmetric encryption (the same as Bitcoin). Again, I will not provide a complete tutorial on PGP here; there are many such tutorials online. In summary, you should have your spouse or child generate their own PGP private key, and then you encrypt the Deadman's switch message addressed to them with their public key, so that only they can read its contents. This method is relatively secure, but requires that your loved ones keep their PGP private keys safe and not lose them. Of course, they also need to know how to use PGP email, which is somewhat technical in itself.
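The reasoning above (a message encrypted to the heir's public key can sit on a mail server without the server being able to read it) can be modeled in a few lines. This is an added example, not part of CZ's article and not PGP itself: it uses RSA-OAEP plus AES-256-GCM from Node's built-in crypto module as a stand-in for what a PGP tool does, and the message text and function names are constructed for illustration.

```javascript
// Added illustration: hybrid public-key encryption as a stand-in for PGP.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
        createCipheriv, createDecipheriv, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: needs only the recipient's PUBLIC key, no shared password.
function sealFor(recipientPublicKey, plaintext) {
  const sessionKey = randomBytes(32);            // one-time AES key
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey),
    iv, body, tag: cipher.getAuthTag(),
  };
}

// Recipient side: only the matching PRIVATE key can unwrap the session key.
function open(privateKey, msg) {
  try {
    const sessionKey = privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
    const d = createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
    d.setAuthTag(msg.tag);
    return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8');
  } catch {
    return null; // wrong key or modified ciphertext
  }
}

function switchDemo() {
  // The heir generates this key pair on their own device and shares only the public half.
  const heir = generateKeyPairSync('rsa', { modulusLength: 2048 });
  // Anyone else (the switch service, a mailbox intruder) holds some other key or none.
  const outsider = generateKeyPairSync('rsa', { modulusLength: 2048 });

  const message = 'USB backup passphrase: example-only-not-a-real-secret'; // constructed
  const stored = sealFor(heir.publicKey, message); // what the service keeps

  const tampered = { ...stored, body: Buffer.from(stored.body) };
  tampered.body[0] ^= 1; // a single flipped bit in transit or at rest

  return {
    heirReads: open(heir.privateKey, stored),
    outsiderReads: open(outsider.privateKey, stored),
    tamperedReads: open(heir.privateKey, tampered),
    plaintextOnServer: stored.body.includes(Buffer.from(message)),
  };
}

console.log(switchDemo());
```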
If you have followed the advice shared so far, you have reached a basic (not advanced) level of being able to store a reasonable amount of cryptocurrency on your own. There are many other topics we could discuss that may also address some of the issues mentioned so far, including multi-signature, threshold signatures, etc., but these belong in more advanced guides.
In the next section, we will explore:
In this article, when we talk about exchanges, we are referring to those centralized exchanges that hold your funds and help you with custody.
So, after reading the previous section, you might be saying, "Gee, that's a hassle. I'll just keep my coins on an exchange." Well, using an exchange is not without risk. While the exchange is responsible for safekeeping your funds and securing their systems, you still need to follow the right practices to keep your account safe.
Yes, it's easy for me to say that, since Binance is one of the largest exchanges in the world. However, there's a good reason for that. Not all exchanges are the same.
Large exchanges invest heavily in security infrastructure. Binance invests billions of dollars in security every year. This makes sense for the size of our business. Security covers a wide range of areas, including equipment, networks, processes, employees, risk monitoring, big data, AI detection, training, research, testing, third-party partnerships, and even partnerships with law enforcement agencies around the world. Ensuring proper security requires a lot of money, talent, and effort. Smaller exchanges simply don't have the scale or financial muscle to do it. I may get criticized for saying this, but that's why I often say that for most regular people, it's safer to use a trusted centralized exchange than to hold their coins themselves.
There is counterparty risk. Many smaller/newer exchanges are exit scams from the start. They take some deposits and run. Because of this, stay away from exchanges that claim to be unprofitable or that offer 0 fees, large rebates, or other negative profit incentives. If their goal is not commercial revenue, then your funds are likely their only goal.
Proper security is expensive and requires funding from a sustainable business model. Don't skimp on security for your funds. Large profitable exchanges have no incentive to run exit scams. How can you have an incentive to steal a few million dollars and then live in hiding and fear when you already run a profitable and sustainable billion dollar business?
Bigger exchanges also have more security testing. Yes, this is a risk. Bigger exchanges are more vulnerable to hackers. However, hackers also attack smaller exchanges, and some of them are even easier targets. Bigger exchanges usually have 5-10 external security companies that regularly perform penetration tests and security tests for them.
Binance goes further than most exchanges in terms of security. We invest heavily in big data and artificial intelligence to fight hackers and scammers. We have successfully prevented many users from losing funds in SIM swap attacks. Some users who use multiple exchanges have also reported that when their email accounts were hacked, their funds on other exchanges were stolen, while their funds on Binance were protected because our AI system blocked the hacker's attempts to withdraw their funds. Even if smaller exchanges wanted to do these things, they couldn't do it because they simply don't have that much big data.
While using an exchange, it is still very important to protect your account. Let's start with the basics.
Again, the computer is often the weakest link in the security chain. Use a dedicated computer for accessing your exchange account. Install commercial antivirus software on this computer (yes, invest in security) and only the most basic other software. Set your firewall to the highest level.
Keep your gaming, surfing, downloading, etc. on another computer. Even on this computer, turn on your antivirus software and set your firewall to the highest level. A virus on one computer makes it easier for hackers to access other computers on the same network, so keep your computer clean.
Even if you only use centralized exchanges (CEX), I still recommend not downloading any files on your computer. If someone sends you a Word document, ask them to send a Google Doc link. If they send a PDF file, open it in Google Drive instead of on your computer. If they send you a funny video, ask them to send a link to the online platform. Yes, I know it’s a hassle, but security isn’t free, and neither is losing your funds. View everything in the cloud.
Turn off the “auto-save photos and videos” feature in your instant messaging apps. Many apps will download GIFs and videos by default, which is not a good security practice.
I know all the OS updates are annoying, but they include patches for recently discovered security vulnerabilities. Hackers also monitor these updates and often target those who are lazy about updating. So, make sure you always install these patches as soon as possible. Do the same for wallets and other software you use.
I recommend using Gmail or Protonmail. These two email service providers are more secure than other platforms, and we have seen more security breaches on other platforms.
I recommend setting up a unique email account for each exchange you use, and make it difficult to guess. This way, if an exchange is compromised, your Binance account will not be affected. This will also reduce the number of phishing or targeted email scams you receive.
Protonmail has a feature called SimpleLogin that allows you to create a unique email address for each website you visit. If you don't use another email forwarding service, I recommend using this feature.
Enable two-factor authentication (2FA) for your email service. I recommend using a Yubikey for your email account. It's a strong protection against all kinds of hacks, including phishing sites, etc. More on 2FA later.
If you live in a country where there have been reported cases of SIM swapping, don't use your mobile number as a recovery method for your email account. We've seen many SIM swap victims have their email account passwords reset and hacked because of this. I no longer recommend tying your mobile number to your email account; they should be kept separate.
Use strong, unique passwords for every website. Don't bother trying to remember your passwords; use a password manager tool. For most people, Keeper or 1Password will probably be enough. Both tools integrate well with browsers, phones, etc., and both claim to only store passwords locally, but sync between devices with encrypted passwords.
If you're more serious, KeePass is the way to go. It only stores information locally, so you don’t have to worry about encrypted passwords stored in the cloud. It doesn’t sync between devices and has limited support for mobile phones. It’s open source, so you don’t have to worry about backdoors.
Do your own research and choose the tool that works for you. But don’t try to save time by using the same password everywhere, or worse, a simple one. Make sure you use strong passwords, or the time you save may cost you a lot.
Even with these tools, if you have a virus on your computer, you will be devastated. So, make sure you have a good antivirus software on your computer.
It is highly recommended that you enable 2FA (two-factor authentication) as soon as you sign up for a Binance account, and if you haven’t already, set it up now. Since 2FA codes are usually stored on your phone, it can protect your email and password from being stolen to a certain extent.
However, 2FA doesn't protect you from all attacks. If you have a virus on your computer, the same virus that steals your email and password can also monitor your typing as you enter your 2FA code and steal that code. You might interact with a phishing site, enter your email and password, and then enter your 2FA code on the fake site. The hacker then uses that information to log into your real Binance account. There are so many possible scenarios here that we can't list them all.
U2F is a hardware device that generates a unique, time-based, domain-specific code. Yubikey is the de facto standard device in this space.
U2F has three main advantages. First, they are hardware-based, so it's almost impossible to steal the keys stored in the device. Second, they are domain-specific. This protects you even if you accidentally interact with a phishing site. Third, they are easy to use. You just carry it with you.
For the reasons above, I recommend you bind a Yubikey to your Binance account. It provides one of the best protections against hackers.
You should also bind a Yubikey to your Gmail, password manager, and other accounts to keep them safe.
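The difference between a typed 2FA code and a domain-bound hardware key can be shown with a simplified model. This is an added example, not part of CZ's article and not the U2F wire format: the authenticator here signs a hash of the origin together with the server's challenge, and both domain names are constructed.

```javascript
// Added illustration: why a typed code can be reused elsewhere and an origin-bound signature cannot.
const { generateKeyPairSync, createHash, createHmac, sign, verify,
        randomBytes } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest();

// Standard time-based one-time code (RFC 6238, 30-second step, 6 digits).
function totp(secret, timeMs) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(timeMs / 30000)));
  const mac = createHmac('sha1', secret).update(counter).digest();
  const off = mac[19] & 0x0f;
  return String((mac.readUInt32BE(off) & 0x7fffffff) % 1e6).padStart(6, '0');
}

// Hardware key model: one key pair per registered origin, private keys never exported.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // the site stores only this
  }
  // `origin` comes from the browser's address bar, not from page content.
  signChallenge(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this domain
    return sign('sha256', Buffer.concat([sha256(origin), challenge]), key);
  }
}

// The site verifies against its OWN origin, never one supplied by the client.
function serverVerify(expectedOrigin, publicKey, challenge, signature) {
  if (!signature) return false;
  const signed = Buffer.concat([sha256(expectedOrigin), challenge]);
  return verify('sha256', signed, publicKey, signature);
}

function u2fDemo() {
  const REAL = 'https://exchange.example';       // constructed
  const FAKE = 'https://exchange-login.example'; // constructed look-alike
  const now = 1700000000000;                     // constructed clock value

  // Typed code: the value is the same whichever page it is typed into, so the
  // real site accepts it a few seconds later within the same 30-second step.
  const secret = randomBytes(20);
  const typed = totp(secret, now);
  const codeAcceptedAfterRelay = totp(secret, now + 5000) === typed;

  // Hardware key: the signature covers the origin the browser is really on.
  const token = new Authenticator();
  const pub = token.register(REAL);
  const challenge = randomBytes(32);
  const legit = serverVerify(REAL, pub, challenge, token.signChallenge(REAL, challenge));
  const onFakeNoKey = serverVerify(REAL, pub, challenge, token.signChallenge(FAKE, challenge));
  token.register(FAKE); // even a key registered on the look-alike site does not help
  const onFakeOwnKey = serverVerify(REAL, pub, challenge, token.signChallenge(FAKE, challenge));

  return { codeAcceptedAfterRelay, legit, onFakeNoKey, onFakeOwnKey };
}

console.log(u2fDemo());
```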
SMS verification used to be widely promoted, but with the increase in SIM swapping incidents, we recommend that you no longer use SMS verification and rely more on 2FA or U2F as mentioned above.
We strongly recommend that you use Binance's withdrawal whitelist feature. This feature allows you to quickly withdraw to approved addresses and makes it difficult for hackers to add new withdrawal addresses.
Enable a 24-hour waiting period for newly added whitelisted addresses. This way, if a hacker wants to add a new address, you will receive a 24-hour notice period.
Many of our users trade using the API. Binance offers multiple versions of its API that support asymmetric encryption. This means that Binance only needs your public key. You generate a private key in your own environment and provide the public key to the platform. We use your public key to verify that the order is from you and never store your private key. You must protect your private key.
You do not have to back up your API key like you would cryptocurrency. If you lose your API key, you can always create a new one. Just make sure no one has your API key.
Don't enable withdrawals on your API key unless you really know what you are doing.
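A toy model of the public-key API authentication described above, added here as an illustration and not taken from CZ's article or from Binance's API. The function names, request fields, key id and the 5-second timestamp window are assumptions chosen for the example.

```javascript
// Added illustration: the exchange stores a public key and permissions, never the private key.
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

// --- Client side: the key pair is generated locally. ---
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const publicPem = publicKey.export({ type: 'spki', format: 'pem' }); // the only thing uploaded

function signRequest(params, key) {
  const payload = new URLSearchParams(params).toString();
  const signature = sign(null, Buffer.from(payload), key).toString('base64');
  return { payload, signature };
}

// --- Exchange side (hypothetical): public key plus the permissions granted to it. ---
const keyStore = new Map();
function registerKey(apiKeyId, pem, permissions) {
  keyStore.set(apiKeyId, { pub: createPublicKey(pem), permissions });
}

const MAX_SKEW_MS = 5000; // assumed freshness window
function verifyRequest(apiKeyId, action, req, now) {
  const rec = keyStore.get(apiKeyId);
  if (!rec) return 'unknown key';
  const sig = Buffer.from(req.signature, 'base64');
  if (!verify(null, Buffer.from(req.payload), rec.pub, sig)) return 'bad signature';
  const ts = Number(new URLSearchParams(req.payload).get('timestamp'));
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return 'stale request';
  if (!rec.permissions.includes(action)) return 'permission denied';
  return 'accepted';
}

function apiDemo() {
  // Trading only: withdrawals are deliberately not enabled on this key.
  registerKey('key-1', publicPem, ['trade']);
  const now = 1700000000000; // constructed clock value

  const order = signRequest(
    { symbol: 'BTCUSDT', side: 'BUY', quantity: '0.01', timestamp: now }, privateKey);
  // Someone who sees the request changes a field but cannot re-sign it.
  const tampered = { ...order, payload: order.payload.replace('0.01', '9.99') };
  // A correctly signed withdrawal from a key that was never granted that permission.
  const withdrawal = signRequest({ asset: 'BTC', amount: '1', timestamp: now }, privateKey);

  return {
    valid: verifyRequest('key-1', 'trade', order, now + 100),
    tampered: verifyRequest('key-1', 'trade', tampered, now + 100),
    replayedLater: verifyRequest('key-1', 'trade', order, now + 60000),
    withdraw: verifyRequest('key-1', 'withdraw', withdrawal, now + 100),
  };
}

console.log(apiDemo());
```

The last result shows why leaving withdrawals disabled matters: even a leaked private key can then only place trades, not move funds out.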
One of the best ways to keep your account secure is to complete L2 KYC (identity verification). This way, we know what you look like. When our big data risk engine detects anomalies in an account, we can use advanced automated video verification.
This is also important in the event that you no longer have access to your account. Binance is able to help family members access the accounts of deceased relatives after proper verification.
Again, keep your phone secure. You probably have an email app, the Binance app, and 2FA codes on your phone. Don’t root or jailbreak your phone, which will greatly reduce its security. You should also keep your phone physically secure, with a proper screen lock. The same goes for other devices.
Beware of phishing attacks. These attacks usually come in the form of an email, text message, or social media post with a link to a fake Binance website. The site will invite you to enter your account credentials, which the hacker will use to access your real Binance account.
Avoiding phishing attacks just requires vigilance. Don't click on links in emails or social media sites. Only access Binance by typing in the URL or using a bookmark. Don't share your email with others. Don't use the same email on other websites. Be cautious when strangers (especially those named CZ or similar) contact you out of the blue on platforms such as Telegram, Instagram, etc.
If you follow the above advice, your Binance account should be relatively safe.
So, which is better?
I generally recommend that people use a combination of centralized exchanges and their own wallets. If you are not very technical, then I recommend keeping the majority of your funds on Binance and having your own spending wallet (like TrustWallet). If you are more technically savvy, then you can adjust your funding allocation as needed.
Centralized exchanges occasionally go through maintenance, and having a separate wallet is very convenient if you need to make a trade quickly.
If you follow the advice described here, you should be able to hold your funds safely, either on your own or through a CEX like Binance.
Stay SAFU!
CZ