Self-custody means you are your own bank. That is the point, and it is also the risk. There is no support line that can reverse a bad transaction, and no one can recover a lost seed phrase for you. The goal of this guide is simple: help you keep your own assets safe. Most losses do not come from someone breaking cryptography. They come from a person being tricked into signing something or revealing a secret. The habits below are built to prevent exactly that.
Split your wallets: hot, cold, and savings
Do not keep everything in one wallet. Use a small “hot” wallet for daily activity, minting, apeing, and connecting to new or unknown sites. Keep the bulk of your holdings somewhere you never connect to random apps.
- Hot wallet. A browser or mobile wallet with only what you are willing to lose in a single bad signature. This is the wallet you connect to mints and new dapps.
- Cold / savings wallet. Anything you cannot afford to lose belongs behind a hardware wallet. Never hold your savings in the wallet you connect to random sites.
If a hot wallet gets compromised, the blast radius is small. That separation alone prevents most catastrophic losses.
Use a hardware wallet for real money
A hardware wallet (for example, a Ledger or a Trezor) keeps your private keys on a dedicated device that never exposes them to your computer or phone. You confirm each transaction on the device itself, so malware on your computer cannot silently move funds. The device protects the key, not the decision: it cannot stop you from approving a malicious transaction, so read what the device screen shows before confirming, and treat any dapp that requires blind signing (where the device cannot display what you are approving) as a hot-wallet-only activity. For anything you can’t afford to lose, a hardware wallet is the single biggest upgrade you can make. See Ledger Academy for a deeper primer on how this works.
Your seed phrase is everything
Whoever has your seed phrase (also called a recovery phrase) has your money. It is not a password you can change. Treat it as the single most sensitive thing you own.
- Never type it into a website or app. No legitimate site or wallet will ever ask you to re-enter your seed phrase to “verify,” “validate,” or “sync” your wallet. That request is always a scam.
- Never photograph or store it digitally. No photos, no screenshots, no notes app, no cloud drive, no password manager, no email to yourself. Anything online can be breached.
- Never share it. No real support agent, team member, moderator, or “wallet validator” ever needs it.
- Back it up offline. Write it down, and ideally stamp or engrave it on metal so it survives fire and water. Store copies in separate secure locations.
- Consider a passphrase. Most hardware wallets support an optional passphrase (sometimes called a 25th word, although it can be any string) on top of your seed. Each passphrase derives a completely different wallet, so someone who finds your written seed still cannot access the funds. There is no “wrong passphrase” error: a mistyped or forgotten passphrase simply opens an empty wallet. Only use it if you are confident you can remember and protect it, because losing it means losing access.
Approval and delegation hygiene
When you use a dapp, you often grant it permission to move specific tokens on your behalf (an approval or delegation). Malicious or forgotten approvals are one of the top ways wallets get drained, because the permission keeps working long after you stop using the site.
- Review the approvals and delegations on your wallet, and revoke anything you do not actively need.
- Do this periodically, not just once. Every new dapp is a new permission to track.
- On Solana, tools like Revoke.cash let you view and revoke token approvals and delegations across your wallets.
Phishing and drainers
A “drainer” is a malicious site or transaction designed to empty your wallet the moment you sign. The setup is almost always social, not technical: fake airdrops, fake mints, lookalike URLs, and “connect to claim” traps that rush you into signing.
- Verify the URL. Drainers use lookalike domains with swapped letters or extra words. Bookmark the real sites you use and navigate from your bookmarks, not from search ads or links.
- Do not click links from DMs. Unsolicited links in Discord, Telegram, or X DMs are a primary attack channel, even when they appear to come from a friend whose account was compromised.
- Never sign a transaction you do not understand. If you cannot explain what a signature does, do not approve it. Urgency (“claim now, ends in 10 minutes”) is a manipulation tactic.
Simulate before you sign
Modern Solana wallets can preview what a transaction will actually do before you approve it. Use a wallet that simulates transactions, such as Phantom or Backpack, and read the preview every time. A simulation is a strong check, not a proof: a malicious program can behave differently at execution time than it did in the preview, so the rules below still apply even when the preview looks clean.
- If the preview shows your tokens leaving the wallet when you expected to receive something, stop.
- If a transaction tries to move everything, or grants broad permissions over your tokens, stop and walk away. Legitimate mints and swaps do not need control of your whole wallet.
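The two checks described above, reviewing existing approvals and reading a simulation preview, both come down to reading SPL Token account state. The following is an added example, not code from the original guide or from Phantom, Backpack or Revoke.cash. It assumes the standard 165-byte SPL Token account layout and the SPL Token program id, parses raw account data to list accounts that still have a delegate set, builds the Revoke instruction for one of them, and then diffs the wallet's current token accounts against a simulated post-state to flag outflows and new approvals the way a wallet preview would. All account data is constructed for the example, and public keys are shown as hex rather than base58.

```javascript
// Added example: not code from the original guide, Phantom, Backpack or Revoke.cash.
// Assumes the standard 165-byte SPL Token account layout and the SPL Token program id
// TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA. All account data below is constructed.
const TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const ACCOUNT_SIZE = 165;
const U64_MAX = 18446744073709551615n;
const hex = (b) => Buffer.from(b).toString("hex"); // keys shown as hex, not base58

// Layout: mint(32) owner(32) amount(u64) delegateOpt(u32) delegate(32) state(u8)
// isNativeOpt(u32) isNative(u64) delegatedAmount(u64) closeAuthOpt(u32) closeAuth(32)
function parseTokenAccount(data) {
  if (data.length !== ACCOUNT_SIZE) throw new Error("not an SPL Token account");
  const hasDelegate = data.readUInt32LE(72) === 1;
  return {
    mint: hex(data.subarray(0, 32)),
    owner: hex(data.subarray(32, 64)),
    amount: data.readBigUInt64LE(64),
    delegate: hasDelegate ? hex(data.subarray(76, 108)) : null,
    delegatedAmount: hasDelegate ? data.readBigUInt64LE(121) : 0n,
  };
}

// Approval hygiene: every token account that still has a delegate set.
function findDelegations(accounts) {
  return accounts
    .map(({ pubkey, data }) => ({ pubkey, ...parseTokenAccount(data) }))
    .filter((a) => a.delegate !== null);
}

// Revoke is SPL Token instruction index 5 with a one-byte payload.
// Accounts: the token account (writable) and its owner (signer).
function buildRevokeInstruction(tokenAccount, owner) {
  return {
    programId: TOKEN_PROGRAM_ID,
    keys: [
      { pubkey: tokenAccount, isSigner: false, isWritable: true },
      { pubkey: owner, isSigner: true, isWritable: false },
    ],
    data: Buffer.from([5]),
  };
}

// Simulate before you sign: diff current token accounts against the simulated
// post-state. `expectReceive` is what the user believes the transaction does.
function reviewSimulation(preAccounts, postAccounts, { expectReceive = false } = {}) {
  const pre = new Map(preAccounts.map((a) => [a.pubkey, parseTokenAccount(a.data)]));
  const findings = [];
  for (const { pubkey, data } of postAccounts) {
    const before = pre.get(pubkey);
    if (!before) continue; // only accounts held before the transaction are reviewed here
    const after = parseTokenAccount(data);
    if (after.amount < before.amount) {
      findings.push({
        kind: "outflow", pubkey, mint: after.mint,
        amount: before.amount - after.amount,
        stop: expectReceive || after.amount === 0n, // opposite of intent, or fully drained
      });
    }
    if (after.delegate !== null && after.delegate !== before.delegate) {
      findings.push({
        kind: "approval", pubkey, mint: after.mint, delegate: after.delegate,
        amount: after.delegatedAmount,
        stop: after.delegatedAmount >= after.amount || after.delegatedAmount === U64_MAX,
      });
    }
  }
  return findings;
}

// Constructed sample data: 32-byte keys filled with one byte, serialized with the layout above.
const key = (n) => Buffer.alloc(32, n);
function makeAccount(mint, owner, amount, delegate = null, delegatedAmount = 0n) {
  const b = Buffer.alloc(ACCOUNT_SIZE);
  mint.copy(b, 0);
  owner.copy(b, 32);
  b.writeBigUInt64LE(amount, 64);
  b[108] = 1; // state = Initialized
  if (delegate) {
    b.writeUInt32LE(1, 72);
    delegate.copy(b, 76);
    b.writeBigUInt64LE(delegatedAmount, 121);
  }
  return b;
}
const USDC = key(1), NFT = key(2), ME = key(3), OLD_DAPP = key(4), DRAINER = key(5);
const preState = [
  { pubkey: "usdcAcct", data: makeAccount(USDC, ME, 1000000n) },
  { pubkey: "nftAcct", data: makeAccount(NFT, ME, 1n, OLD_DAPP, 1n) }, // forgotten approval
];
// Simulated post-state of a "claim airdrop" transaction: the NFT leaves and the
// drainer is approved for an unlimited amount of USDC.
const postState = [
  { pubkey: "usdcAcct", data: makeAccount(USDC, ME, 1000000n, DRAINER, U64_MAX) },
  { pubkey: "nftAcct", data: makeAccount(NFT, ME, 0n) },
];

const stale = findDelegations(preState);
console.log("existing delegations:", stale.map((a) => `${a.pubkey} -> ${a.delegate.slice(0, 8)}`));
console.log("revoke instruction:", buildRevokeInstruction(stale[0].pubkey, "myWallet"));
const findings = reviewSimulation(preState, postState, { expectReceive: true });
for (const f of findings) console.log(f.stop ? "STOP" : "warn", f.kind, f.pubkey, String(f.amount));
```

Run with Node. In a real wallet the pre-state comes from `getMultipleAccounts` and the post-state from the `accounts` field of `simulateTransaction`; the diff logic is the same. The two `stop` conditions mirror the rules above: tokens leaving when you expected to receive, and a delegation that covers your whole balance.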
Smart wallets and multisig for larger holdings
For meaningful balances, a single private key is a single point of failure. Adding a second factor of approval means one bad signature cannot drain you.
- Multisig. Requires multiple keys to approve a transaction. On Solana, Squads is a widely used multisig.
- MPC smart wallets. An MPC smart wallet such as Fuse (built on Squads) splits signing authority so no single device or secret can move funds alone, while staying easy to use.
Fake support and impersonation
Treat unsolicited help as a scam. No legitimate team, exchange, or wallet will DM you first asking for your keys, your seed phrase, or to “validate” or “sync” your wallet.
- Scammers watch public channels for people asking for help and then DM them pretending to be support.
- Real support happens in official channels and never requires your secret recovery phrase.
- When someone creates urgency or offers to “fix” your wallet for you, that is the scam.
Keep your software genuine and updated
- Install wallet extensions and apps only from official sources: the wallet’s own website, the official browser web store listing, or the official mobile app store. Fake wallet extensions and apps are common.
- Keep your wallet, browser, and operating system updated so known security fixes are in place.
- Be cautious with browser extensions in general. A malicious extension can read what you see and do in the browser.
If you have been drained
Move fast. Once a key is compromised, every asset under it is at risk.
- Move what remains. Transfer any remaining assets to a fresh, secure wallet (ideally a brand-new hardware wallet) created on a device you trust. Do not reuse the compromised seed.
- Revoke approvals. Revoke the approvals and delegations on the affected wallet so an attacker cannot keep pulling tokens. This only helps when the attacker holds an approval but not your key; if the seed phrase itself leaked, the attacker can simply re-approve, and moving what remains out is the only fix.
- Document the incident. Record the transaction hashes, the destination address the funds went to, the time, and how it happened (which site, which link, which signature). This helps with reporting and tracing.
- Assume the old wallet is burned. Stop using the compromised seed phrase entirely. Anything sent back to it later can be swept again.
How this connects to SCALES Protection
A strong setup is what makes coverage possible. SCALES Protection looks at your setup, your wallet history, and your identity, because the safer your habits already are, the more we can stand behind. The practices above are the same ones that make a wallet eligible and resilient in the first place.
Further reading
- Ledger Academy for fundamentals of self-custody and hardware wallets.
- Phantom security guides for Solana-specific safety and transaction previews.
- Backpack support for wallet safety and simulation features.
- Revoke.cash to review and revoke token approvals and delegations.