Wallet Security Checklist | Hodler's Handbook

Your checkbox state lives only in the browser on this device — nothing is uploaded, nothing is logged, and refreshing the page resets it. This is not a test, it is a reminder: tick off what you have already done, and whatever is left unchecked is your homework for next.

Progress 0 / 0

Nothing ticked yet. Start with the group you know best.

Group one

Seed phrase / private key

My seed phrase is backed up offline — written on paper, or better, engraved on a steel plateSteel survives fire and water; paper fears both. For large amounts, do both. I have never screenshotted it, photographed it, or saved it to any cloud drive or chat historyYour phone and cloud photo libraries sync automatically — that is the same as uploading your seed. I have never told my seed phrase to anyone — not support, not someone in a group chat, not anyone claiming to be officialReal support will never ask for your seed phrase. Anyone who does is a scammer, every single time. My backups are kept in two separate physical locations, not the same drawerIf one is lost to fire or theft, the other survives; do not let a single accident wipe out everything.

Group two

Account security

My exchange / wallet account has 2FA on, using an authenticator app rather than SMSSMS codes can be hijacked via SIM swapping; an authenticator app is far harder to break remotely. This account uses a unique, strong password, not shared with anywhere elseOne leaked password, and credential stuffing opens every account where you reused it. My wallet / app was downloaded from the official domain or an official app storeLookalike sites and fake links in search ads are a major source of stolen coins — go straight to the official site.

Group three

Transfer safety

Before sending, I check the first and last few characters of the receiving address, not just the startClipboard-hijacking malware swaps addresses; only trust it when both ends match. Before sending, I confirm the right network / chain is selected (the wrong chain with USDT is the classic mistake)Pick the wrong chain and the coins may be gone for good; do not mix up TRC20, ERC20 and BSC. Before a large transfer, I send a small test amount firstA few cents in fees buys you the confirmation that the address and network are both correct. I have set up a withdrawal address whitelist on the exchangeEven if the account is breached, coins can only go to the safe addresses you set in advance.

Group four

Long-term upkeep

I periodically revoke contract / token approvals I no longer useA DApp you approved years ago can still move your coins; if you are done with it, revoke it. I have a fallback plan in case my hardware wallet is discontinued or breaksA seed phrase works across brands — count on that, and any wallet supporting the same standard can restore it. Every so often, I actively go back through all the items aboveSecurity is not a one-time job; your devices, habits and approvals all change over time.

A note: this checklist covers the most common and most critical actions, but it cannot cover every situation. A full set of ticks does not mean you are perfectly safe — it just pulls you out of the holes most people fall into. This tool is not investment or financial advice.