Written by: CZ, Binance founder; compiled by: Editor Jr., BlockTempo
Binance founder Zhao Changpeng (CZ) posted on the social platform X yesterday evening (the 24th) an updated version of his article of cryptocurrency security advice, written to help users avoid hackers. This article compiles and organizes CZ's full text.
The cryptocurrency exchange Bybit was hacked on the 21st of last week, losing about US$1.46 billion in the largest theft in cryptocurrency history; and just yesterday (the 24th) the crypto payment project Infini was confirmed to have been hacked as well, losing nearly US$50 million. This string of hacking incidents has once again sounded the alarm on crypto security.
Against this background, Binance founder Zhao Changpeng (CZ) posted on X yesterday evening (the 24th) that he had spent Sunday updating an article on security advice that he wrote five years ago to help people in the crypto community avoid hackers.
CZ's full article is compiled below:
Keep your crypto assets secure (CZ's suggestions)
Updated: 2025/2/24
Originally published: 2020/2/25
It is heartbreaking to see cryptocurrency users lacking security awareness. It is equally painful to see experts recommend advanced setups that are hard to follow and error-prone.
Security is a broad topic. I am by no means an expert, but I have seen many security issues. I will try my best to explain, in plain language:
Why and how, or why not, to store your cryptocurrency yourself?
Why and how, or why not, to store your cryptocurrency on a centralized exchange?
First of all, nothing is 100% secure. Software can have vulnerabilities, and people can fall for social engineering attacks. The real question is: is it "secure enough"?
If you keep $200 in your wallet, you may not need extremely high security; a mobile wallet is enough. If you keep your life savings, you need much stronger security.
To protect your cryptocurrency, you only need to do the following three things:
Prevent others from stealing.
Prevent yourself from losing.
If you can no longer use them, there must be a way to pass them on to your loved ones.
It's very simple, right?
Why you may or may not want to store cryptocurrency yourself
Your private key is your funds. Or is it?
Many cryptocurrency experts firmly believe that the only way to keep your coins secure is to hold them yourself, but they never consider your technical level. Is that really the best advice for you?
A bitcoin private key is like this:
KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p
That's it. Anyone who holds a copy of it can transfer the Bitcoin (if any) at that address.
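To make concrete what that string is, here is an added Python example (not from CZ's article) that encodes and decodes Bitcoin's Wallet Import Format using only the standard library. The 32-byte secret it uses is a constructed demo value. The 4-byte checksum at the end is what lets a wallet reject a mistyped key; the point of the example is that the entire secret is those 32 bytes, so any copy of them is the funds.

```python
import hashlib

# Base58 alphabet used by Bitcoin (no 0, O, I, l, which are easy to confuse)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for Base58Check checksums."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58_encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # every leading zero byte becomes a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B58_ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def encode_wif(secret: bytes, compressed: bool = True, mainnet: bool = True) -> str:
    """Wallet Import Format: version byte + 32-byte secret [+ 0x01] + 4-byte checksum."""
    if len(secret) != 32:
        raise ValueError("a Bitcoin private key is exactly 32 bytes")
    payload = (b"\x80" if mainnet else b"\xef") + secret + (b"\x01" if compressed else b"")
    return base58_encode(payload + sha256d(payload)[:4])


def decode_wif(wif: str) -> dict:
    """Parse a WIF string; raises ValueError if it was mistyped or altered."""
    data = base58_decode(wif)
    if len(data) not in (37, 38):
        raise ValueError("wrong length for a WIF key")
    payload, checksum = data[:-4], data[-4:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: the key was mistyped or tampered with")
    version, body = payload[0], payload[1:]
    if version not in (0x80, 0xEF):
        raise ValueError(f"unknown version byte 0x{version:02x}")
    if len(body) == 33 and body[-1] == 0x01:
        compressed, secret = True, body[:-1]
    elif len(body) == 32:
        compressed, secret = False, body
    else:
        raise ValueError("malformed WIF payload")
    return {"mainnet": version == 0x80, "compressed": compressed, "secret_hex": secret.hex()}


if __name__ == "__main__":
    # Constructed demo secret; a real key must come from a proper random source.
    demo_secret = bytes(range(1, 33))
    wif = encode_wif(demo_secret)
    print(wif)
    print(decode_wif(wif))
```

A compressed mainnet key encodes to a string starting with K or L (the page's sample starts with K), an uncompressed one starts with 5; either way, `decode_wif` returns the raw 32 bytes that control the coins.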
To protect your cryptocurrency, you need to:
Prevent others from obtaining a copy of your private key: keep hackers out, and protect your computer from threats such as viruses and network attacks.
Prevent yourself from losing the private key: make backups in case the device is damaged or lost, and make sure the backups are secure.
If an accident or death occurs, there must be a way to pass the private key to your loved ones. It is not a pleasant topic, but as adults responsible for our loved ones, we must manage this risk.
Beware of hackers
You have heard of hackers. They use viruses, Trojans and other malware. You do not want any of these anywhere near your device.
To reach a reasonable level of confidence, make sure the device holding your cryptocurrency wallet is never connected to the Internet, and never download any files onto it. So how do you use such a device?
Let's talk about the different devices you can use.
A computer is the obvious choice, and is usually the device that supports the most coins. You should never connect this computer to any network. If you do, hackers may break into it through vulnerabilities in the operating system or in the software you use. Software is never free of vulnerabilities.
So how do you install software? You use a USB drive. Make sure it is clean: scan it thoroughly with at least three different antivirus programs. Download the software you wish to install (the OS and the wallet) onto the USB drive. Wait 72 hours. Check the news to make sure that the website or the software has not been compromised.
There have been cases where an official website was hacked and the download package replaced with a Trojan. Only download software from the official website. Use only open-source software, to reduce the risk of backdoors. Even if you are not a programmer, open-source software is reviewed by other developers, so the backdoor risk is lower. This means you should use a stable version of Linux (rather than Windows or Mac) as your operating system, and use only open-source wallet software.
Once everything is installed, you can use a clean USB drive to sign transactions offline. The process varies by wallet and is outside the scope of this article. Apart from Bitcoin, the wallets of many coins cannot sign offline.
You need to ensure the physical security of the device. If someone steals it, they may gain access to your device. Make sure your hard drive is strongly encrypted so that they cannot read it even if they get hold of it. Different operating systems provide different encryption tools. Again, a tutorial on disk encryption is outside the scope of this article; there are many resources on the Internet.
If you can do all of the above well, you will be able to make secure backups and do not need to read the other options in this article. If the above is not your cup of tea, there are other options.
You can use a phone. A phone that is not rooted is usually safer than a computer, thanks to the sandboxing in mobile operating systems. For most people, I recommend an iPhone. If you are more technical, I recommend an Android phone running GrapheneOS. Again, you should use a phone only for managing your wallet, not mixed with your everyday phone. Install only the wallet software and nothing else. Apart from when you use the wallet to transfer funds, the phone should be kept in airplane mode at all times. I also recommend using a separate SIM card and connecting to the network only over 5G. Never connect to WiFi. Connect to the network only when signing transactions and updating software. If the amount in your wallet is not huge, this is usually fine.
Some mobile wallets support offline transaction signing (by scanning QR codes), so you can keep the phone completely offline, from before installing the wallet through generating the private keys. That way, your private key is never on a phone that has been connected to the internet. This prevents a backdoored wallet from sending data back to the developer, which has happened in the past, even with official versions of apps. You will not be able to update the wallet app or the operating system. To update, you need another phone: install the new version of the app, switch it to airplane mode, generate a new address, back it up (covered later), and transfer the funds to the new phone. This is not very convenient. In addition, these wallet apps support a limited set of coins and blockchains.
These wallet apps usually do not support staking, yield farming, or investing in meme coins. If you are interested in those, you will have to sacrifice a little security.
You need to ensure the physical security of your phone.
Hardware wallets
You can use a hardware wallet. These devices are designed so that your private key "never" leaves the device, so your computer never has a copy of it. (As of 2025, a new Ledger version may send the private key to a server for backup, so this no longer holds.)
There have also been reports of vulnerabilities in hardware wallets and their software. All hardware wallets need to interact with software running on your computer (or phone) to function, so you still need to make sure your computer is free of viruses. Some viruses switch your transaction's destination address to the hacker's address at the last moment, and so on. Therefore, you must carefully check the destination address before confirming.
Hardware wallets guard against many basic types of attack and are still a good choice if you want to store cryptocurrency yourself. However, the weakest part of a hardware wallet is usually how the backup is stored, which we discuss in the next section.
Beware of yourself
You may lose your device, or the device may be damaged. Therefore, you need backups.
There are many methods here, each with its advantages and disadvantages. Fundamentally, you want to implement multiple backups, and the backups are stored in different geographical locations and are not easily seen by others (encrypted).
You can write it down on paper. Some wallets that use seed phrases recommend this, because writing down 12 or 24 English words is relatively simple; with raw private keys it is easy to make mistakes. But paper can be lost in a pile of documents, destroyed by fire or flood, or chewed up by your dog. Others can also read paper easily: there is no encryption.
Some people use bank vaults to store paper backups. For the above reasons, I usually do not recommend this option.
Don't take a photo (or screenshot) of the paper, sync it to the cloud, and think it's safely backed up. If a hacker hacks into your email account or computer, they will easily find it. Cloud service providers have many employees who can view it.
Some metal labels are specially designed to store seed backups. These tags should be nearly indestructible, which basically solves the problem of damage in fire or floods. But it doesn't solve the problem of losing or being read easily by others. Furthermore, some people store these tags in bank vaults, usually with their gold or other metals. If you use this method, you should understand the risks.
I recommend using at least 3 USB drives, but this requires more technical setup, which is where the experts' misconception comes in.
There are now shock-proof, water-proof, fire-proof and magnetic-proof USB drives. You can store encrypted versions of your private key backups in multiple such USB drives and scatter them in different locations (friends or relatives). This solves all the requirements mentioned at the beginning of this section: multiple locations, not easily damaged or lost, not easily read by others.
The key lies in strong encryption. There are many tools available for encryption now, and they will progress over time. VeraCrypt is an entry-level tool that provides a reasonable level of encryption. Please research on your own and find the latest encryption tool that is best for you.
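Two checks that follow from this article's advice, as an added Python example that is not part of CZ's text: verifying that a downloaded installer matches the checksum published on the official site (the "make sure the software has not been tampered with" step of the offline-computer setup above), and periodically confirming that every copy of the encrypted backup container is still present and byte-identical. The file names, the locations, the VeraCrypt-style `.hc` names (assumed) and the container bytes are all constructed; the scenario corrupts one copy and deletes another to show what the report surfaces.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so a large container need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published_sha256: str) -> bool:
    """Compare a downloaded installer with the checksum the official site publishes
    (fetch that checksum over a separate channel). Constant-time comparison."""
    return hmac.compare_digest(sha256_file(path), published_sha256.strip().lower())


def check_backup_copies(copies: dict) -> dict:
    """`copies` maps a storage location label to the path of one copy of the encrypted
    backup container. Reports copies that are missing or no longer identical to the
    majority, which is what a periodic backup check should surface."""
    digests, missing = {}, []
    for label, path in copies.items():
        if os.path.exists(path):
            digests[label] = sha256_file(path)
        else:
            missing.append(label)
    if not digests:
        return {"reference": None, "missing": sorted(missing), "divergent": [], "ok": False}
    counts = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    # majority digest; a tie resolves to the first copy listed
    reference = max(digests.values(), key=lambda d: counts[d])
    divergent = sorted(label for label, d in digests.items() if d != reference)
    return {"reference": reference, "missing": sorted(missing), "divergent": divergent,
            "ok": not missing and not divergent}


def demo() -> dict:
    """Constructed scenario: three copies of one container, one corrupted, one lost."""
    with tempfile.TemporaryDirectory() as tmp:
        container = b"constructed-stand-in-for-an-encrypted-container:" + bytes(range(256))
        copies = {label: os.path.join(tmp, f"backup-{label}.hc")
                  for label in ("home", "parents", "office")}
        for path in copies.values():
            with open(path, "wb") as fh:
                fh.write(container)
        with open(copies["parents"], "r+b") as fh:   # simulate a flipped byte (bit rot)
            fh.seek(100)
            fh.write(b"\x00")
        os.remove(copies["office"])                   # simulate a lost drive
        report = check_backup_copies(copies)

        installer = os.path.join(tmp, "wallet-installer.bin")
        installer_bytes = b"constructed installer bytes"
        with open(installer, "wb") as fh:
            fh.write(installer_bytes)
        published = hashlib.sha256(installer_bytes).hexdigest()  # what the official site lists
        return {
            "report": report,
            "genuine_download": verify_download(installer, published),
            "tampered_download": verify_download(installer, "00" * 32),
        }


if __name__ == "__main__":
    print(demo())
```

Run the copy check each time you rotate a drive or after any event that could have damaged one; a copy that has drifted from the others is useless as a backup, and discovering that only when you need the funds is the failure mode the three-drive setup is meant to avoid.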
Take care of your loved ones
We will not live forever. An estate plan is needed. In fact, cryptocurrency makes it easier to pass your wealth on to your heirs with less third-party intervention.
Again, there are ways to do this.
If you use paper wallets or metal labels, you can simply share this information with them. Of course, this also has some potential drawbacks. If they are young or unskilled, they may lack the appropriate means to store or protect backup copies. If they make a mistake on security, hackers can easily steal your funds through them. Also, they can take your money at any time. Depending on the trust relationship you have with them, you may or may not want this.
I strongly recommend not sharing private keys between people, regardless of the relationship. If funds are stolen, it will be impossible to determine who moved them or who was hacked. This will be very confusing.
You can store paper wallets or metal tags in bank vaults or hand them over to lawyers. But as mentioned above, anyone involved who obtains a copy of the private key can move the funds without leaving much of a trace. This is unlike a bank account, where the lawyer has to go through the bank to transfer your balance to your heirs.
If you use the USB drive method mentioned above, there are ways to pass on your wealth more securely. Again, this requires more settings.
There are online services called dead man's switches. They send you regular emails (for example, once a month) to which you must respond by clicking a link or logging in. If you do not respond for a certain period, they assume you have passed away and send an email to your preset recipient. I do not recommend or vouch for any of these services; you should search for and test them yourself. In fact, Google itself has a dead man's switch: in Google's settings there is an option that, if you have not accessed your account for 3 months, allows someone else to access it. Personally, I have not tested it and cannot vouch for its safety. Please test it yourself.
If you are thinking, "Oh great, I just need to email my private key to my child", please re-read the beginning of this article.
You may also think, "I can put the password I use to encrypt the USB drives in these emails, so that my child or spouse can unlock them." This is closer, but still not good enough. You should not store your backup password on a server on the Internet; this greatly weakens the security of your backups and funds.
If you are thinking, "I can encrypt the email containing the USB drive password with another password that I share with my loved one", then you are on the right path. In fact, you do not need a second password.
There is a time-tested email encryption tool called PGP (or GPG) that you should use. PGP was one of the first tools to use asymmetric cryptography (the same kind Bitcoin uses). Again, I will not give a full PGP tutorial here; there are many online. In short, have your spouse or child generate their own PGP private key, and then encrypt the dead man's switch message you send to them with their public key, so that only they can read its contents and nobody else can. This approach is relatively safe, but requires your loved one to keep their PGP private key secure and not lose it. Of course, they also need to know how to use PGP email, which is technical in itself.
If you follow the advice shared so far, you have reached the basic (rather than advanced) level of being able to store a certain amount of cryptocurrency by yourself. There are many other topics that we can discuss, which may also address some of the issues mentioned so far, including multi-signature, threshold signature, etc., but these are more advanced guides.
In the next section, we will discuss:
Using an exchange
In this article, when we talk about exchanges, we mean centralized exchanges that hold your funds and custody them for you.
So, after reading the previous part, you might say, "Oh, this is really troublesome. I'll just keep my coins on the exchange." Well, using an exchange is not without risk. While the exchange is responsible for keeping the funds and the system safe, you still need to follow the right practices to keep your account safe.
Use only large and reputable exchanges
Yes, it is easy for me to say this, because Binance is one of the largest exchanges in the world. But there is a good reason for saying it. Not all exchanges are the same.
Large exchanges invest heavily in security infrastructure. Binance invests billions of dollars in security every year, which is reasonable for the scale of our business. Security spans a wide range of areas, including equipment, networks, processes, employees, risk monitoring, big data, artificial intelligence, testing, training, research, third-party partners, and even partnerships with law enforcement agencies around the world. Ensuring proper security takes a lot of money, talent and effort. Smaller exchanges simply do not have the scale or the financial strength to do this. I may be criticized for saying this, but that is why I often say that for most ordinary people, using a trusted centralized exchange is safer than holding coins themselves.
There is counterparty risk. Many smaller or newer exchanges are exit scams from the start: they collect some deposits and run away. For this reason, stay away from exchanges that claim to be non-profit, or that offer zero fees, large rebates or other negative-margin incentives. If business revenue is not their goal, your funds probably are.
Proper security measures are expensive and need the financial support of a sustainable business model. Don't skimp on the security of your money. Large, profitable exchanges have no incentive to exit scam. When you already run a profitable, sustainable billion-dollar business, what motivation would you have to steal a few million and live the rest of your life in hiding, worrying?
Large exchanges also undergo more security testing. Yes, this is also a risk: hackers are more likely to attack large exchanges. But hackers attack smaller exchanges too, and some of those are even easier targets. Large exchanges usually have 5-10 external security firms regularly performing penetration tests and security assessments on them.
Binance goes further than most exchanges on security. We invest heavily in big data and artificial intelligence to fight hackers and scammers. We have successfully prevented many users from losing funds in SIM swap attacks. Some users who use multiple exchanges have reported that when their email account was hacked, their funds on other exchanges were stolen, while their funds on Binance were protected because our AI systems blocked the hackers' withdrawal attempts. Even if smaller exchanges wanted to do this, they could not, because they simply do not have that much data.
Protecting your account
Protecting your account is still very important when using an exchange. Let's start with the basics.
Protect your computer
Once again, the computer is often the weakest link in the security chain. Use a dedicated computer to access your exchange account. Install commercial antivirus software on it (yes, invest in security) and install as little other software as possible. Set the firewall to its highest level.
Do your gaming, web browsing, downloading and other activities on a different computer. Even on that computer, keep the antivirus on and the firewall at its highest level. A virus on one computer makes it easier for hackers to reach other computers on the same network, so keep that computer clean too.
Don't download
Even if you only use a centralized exchange (CEX), I still recommend that you do not download any files onto your computer. If someone sends you a Word document, ask them to send a Google Docs link instead. If they send a PDF, open it in Google Drive, not on your computer. If they send you funny videos, ask them for links on an online platform. Yes, I know this is cumbersome, but security is not free, and neither is losing your funds. View everything in the cloud.
Turn off the "auto-save photos and videos" function in the instant messaging app. Many apps will download GIFs and videos by default, which is not a good security practice.
Keep your software updated
I know operating system updates are annoying, but they contain patches for recently discovered security vulnerabilities. Hackers also watch these updates and often target those who are too lazy to update. So make sure you always install these patches as soon as possible. The same goes for your wallet and the other software you use.
Protect your email
I recommend using Gmail or Protonmail. These two email providers are more secure than other platforms; we have seen more security breaches on the others.
I recommend setting up a unique email account for each exchange you use and making it less likely to be guessed. This way, if an exchange is hacked, your Binance account will not be affected. This will also reduce the number of online phishing or targeted email scams you receive.
Protonmail has a feature called SimpleLogin that allows you to create a unique email address for each website you visit. If you are not using other email forwarding services, I recommend you to use this feature.
Enable two-factor authentication (2FA) for your email service. I recommend using Yubikey for your email account. This is a powerful way to prevent various hacker attacks (including phishing websites, etc.). 2FA will be detailed later.
If you live somewhere SIM swapping happens, do not use your mobile phone number as a recovery method for your email account. We have seen many SIM swap victims whose email password was reset and whose account was then hacked. I no longer recommend linking your mobile phone number to your email account at all; the two should be kept separate.
Use a password manager
Use a strong, unique password for every website. Don't bother trying to remember your passwords; use a password manager. For most people, Keeper or 1Password is sufficient. Both integrate well with browsers, phones and so on. Both claim to store passwords only locally and to sync between devices in encrypted form.
If you are more serious, you can choose KeePass. It only stores information locally, so you don't have to worry about storing encrypted passwords in the cloud. It won't sync between devices and has less support for the phone. It is open source, so you don't have to worry about backdoor issues.
Do your own research and choose the tool that suits you. But don't try to save time by using simple passwords or, worse, the same password everywhere. Make sure you use strong passwords, or the time you save may cost you dearly.
Even with these tools, you are done for if there is a virus on your computer. So make sure your computer has good antivirus software.
Enable 2FA
It is strongly recommended that you enable 2FA (two-factor authentication) immediately after registering a Binance account; if you have not yet enabled it, set it up now. Since 2FA codes are usually generated on your phone, this gives you some protection even if your email and password are stolen.
However, 2FA does not protect you from every attack. If there is a virus on your computer, the same virus that steals your email and password can also watch your keystrokes as you type in the 2FA code and steal that code too. You might also interact with a phishing site, entering your email, password and then a 2FA code on the fake site; the hacker then uses that information to log in to your real Binance account. There are many possible scenarios, too many to list one by one.
Set up U2F
U2F is a hardware device that generates unique, time-based, domain-specific codes. Yubikey is the de facto standard device in this space.
U2F has three main advantages. First, it is hardware-based, so it is nearly impossible to steal the keys stored in the device. Second, it is domain-specific, so it protects you even if you accidentally interact with a phishing website. Third, it is easy to use; you just carry it with you.
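Why the domain binding matters, as an added Python model that is not part of CZ's article: a standard RFC 6238 TOTP code is first checked against the RFC's own test vector, then relayed through a phishing page and accepted, because nothing in the code says which site it was meant for; an origin-bound security key instead answers a challenge with the origin the browser actually visited mixed in, so the same relay fails. Real U2F/FIDO keys use a per-site asymmetric key pair and challenge-response; the per-origin HMAC key below is a simplifying stand-in for that, and the two origins and secrets are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

REAL_ORIGIN = "https://exchange.example"            # placeholder for the real exchange site
PHISHING_ORIGIN = "https://exchange-login.example"  # placeholder for a look-alike phishing site


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 HOTP over the time step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_login_via_phishing(shared_secret: bytes, now: int) -> bool:
    """The victim reads the current code off their phone and types it into the phishing
    page, which relays it to the real site within the same 30-second window. Nothing in
    the code identifies the site it was typed into, so the real site accepts it."""
    code_typed_on_phishing_page = totp(shared_secret, now)
    code_expected_by_real_site = totp(shared_secret, now)
    return hmac.compare_digest(code_typed_on_phishing_page, code_expected_by_real_site)


class Authenticator:
    """Model of an origin-bound security key. A real key holds a per-site asymmetric
    key pair; here a per-origin HMAC key derived from a device secret stands in (assumption)."""

    def __init__(self, device_secret: bytes):
        self._device_secret = device_secret

    def _key_for(self, origin: str) -> bytes:
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # stand-in for handing the site the public key during registration
        return self._key_for(origin)

    def sign(self, origin_seen_by_browser: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies the origin it is actually talking to.
        key = self._key_for(origin_seen_by_browser)
        return hmac.new(key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


class RelyingParty:
    """The real site: keeps what it received at registration and checks assertions."""

    def __init__(self, origin: str, registered_key: bytes):
        self.origin, self._key = origin, registered_key

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        expected = hmac.new(self._key, challenge + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def u2f_login(site: RelyingParty, key: Authenticator, origin_in_address_bar: str) -> bool:
    """One login attempt. A phishing page can relay the real site's challenge, but the
    browser reports the phishing origin to the key, so the answer does not verify."""
    challenge = site.new_challenge()
    assertion = key.sign(origin_in_address_bar, challenge)
    return site.verify(challenge, assertion)


def demo() -> dict:
    key = Authenticator(b"constructed-device-secret-not-for-real-use")
    site = RelyingParty(REAL_ORIGIN, key.register(REAL_ORIGIN))
    return {
        "totp_rfc6238_vector": totp(b"12345678901234567890", 59, digits=8),  # RFC 6238 Appendix B
        "totp_phished": totp_login_via_phishing(b"constructed-totp-seed", 1_700_000_000),
        "u2f_genuine": u2f_login(site, key, REAL_ORIGIN),
        "u2f_phished": u2f_login(site, key, PHISHING_ORIGIN),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole point of the "domain-specific" advantage above: a TOTP code is a six-digit secret the user can be talked into typing anywhere, while a security key never lets the user choose the origin at all.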
For the above reasons, I suggest you bind Yubikey to your Binance account. It provides one of the best protections against hackers.
You should also bind Yubikey to your Gmail, password manager, and other accounts to keep them safe.
Stop using SMS verification
SMS verification was once widely promoted, but with the rise in SIM swap incidents, we recommend that you no longer use it and instead rely on the 2FA or U2F described above.
Set up a withdrawal address whitelist
We strongly recommend using Binance's withdrawal whitelist feature. It lets you withdraw quickly to approved addresses and makes it hard for a hacker to add a new withdrawal address.
Enable the 24-hour waiting period for newly added whitelist addresses. That way, if a hacker tries to add a new address, you get a 24-hour notification window.
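The whitelist plus waiting period as a small Python model, added here and not Binance's code: an address becomes usable only 24 hours after it is added, the owner is alerted at the moment of the request, and the pending list is what the owner reviews during that window. The timeline and addresses are constructed placeholders.

```python
DELAY_SECONDS = 24 * 60 * 60


class WithdrawalWhitelist:
    """Model of a withdrawal address whitelist with a 24-hour activation delay.
    All times are Unix seconds supplied by the caller, so the logic is deterministic."""

    def __init__(self):
        self._activates_at = {}   # address -> time from which withdrawals to it are allowed
        self.notifications = []   # (time, event, address): what the account owner is alerted about

    def add(self, address: str, requested_at: int) -> int:
        activates_at = requested_at + DELAY_SECONDS
        self._activates_at[address] = activates_at
        # the alert goes out when the request is made, so the owner has the whole delay to react
        self.notifications.append((requested_at, "added", address))
        return activates_at

    def remove(self, address: str, at: int) -> None:
        self._activates_at.pop(address, None)
        self.notifications.append((at, "removed", address))

    def pending(self, now: int) -> list:
        """Addresses that were added but are not yet usable: the owner's review list."""
        return sorted(a for a, t in self._activates_at.items() if now < t)

    def check_withdrawal(self, address: str, now: int) -> tuple:
        """Return (allowed, reason) for a withdrawal to `address` requested at time `now`."""
        if address not in self._activates_at:
            return False, "address not whitelisted"
        remaining = self._activates_at[address] - now
        if remaining > 0:
            return False, f"address pending, usable in {remaining / 3600:.1f} h"
        return True, "ok"


def demo() -> dict:
    """Constructed timeline: the owner whitelists their own address; days later someone who
    has taken over the account adds a new address and tries to withdraw right away; the
    owner sees the alert in the pending list and removes the address before it activates."""
    t0 = 1_700_000_000
    wl = WithdrawalWhitelist()
    wl.add("owner-address-placeholder", t0)
    t_attack = t0 + 3 * DELAY_SECONDS
    wl.add("unknown-address-placeholder", t_attack)
    attacker_attempt = wl.check_withdrawal("unknown-address-placeholder", t_attack + 600)
    review_list = wl.pending(t_attack + 3600)
    wl.remove("unknown-address-placeholder", t_attack + 3600)
    return {
        "owner_after_delay": wl.check_withdrawal("owner-address-placeholder", t0 + DELAY_SECONDS),
        "attacker_immediate": attacker_attempt,
        "review_list": review_list,
        "attacker_after_removal": wl.check_withdrawal("unknown-address-placeholder",
                                                      t_attack + DELAY_SECONDS + 1),
        "never_added": wl.check_withdrawal("random-address-placeholder", t_attack),
        "alerts": wl.notifications,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The security property is in `check_withdrawal`: account credentials alone are not enough to move funds to a new destination, because the 24 hours between the alert and activation belong to the owner.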
API security
Many of our users trade through the API. Binance offers multiple versions of the API, including ones that support asymmetric cryptography. This means Binance only needs your public key: you generate the private key in your own environment and give the platform the public key. We use your public key to verify that an order came from you, and we never hold your private key. You must protect your private key.
You don't need to back up your API keys the way you back up a cryptocurrency private key. If you lose an API key, you can create a new one at any time. Just make sure nobody else has your API key.
Don't enable withdrawal permission on API keys unless you really know what you are doing.
Complete L2 KYC
One of the best ways to keep your account secure is to complete L2 KYC (identity verification). That way we know what you look like, and when our big data risk engine detects an anomaly on the account, we can use advanced automated video verification.
This is also important for situations where you can no longer use your account. Binance can help family members access their deceased relative’s accounts after proper verification.
Physical security: protect your devices
To reiterate, keep your phone safe. Your phone may hold your email app, the Binance app and your 2FA codes. Do not root or jailbreak your phone, as that greatly reduces its security. Keep the phone physically secure and set an appropriate screen lock. The same goes for your other devices.
Beware of phishing attacks
Beware of phishing attacks. They usually arrive as emails, messages or social media posts containing links to fake Binance websites. The site invites you to enter your account credentials, which the hackers then use to access your real Binance account.
Guarding against phishing requires nothing more than vigilance. Do not click on links in emails or on social media. Access Binance only by typing the URL or using a bookmark. Do not share your email address with others and do not reuse that email on other websites. Be cautious when strangers (especially anyone calling themselves CZ or similar) suddenly contact you on Telegram, Instagram or other platforms.
If you follow the above suggestions, your Binance account should be safer.
So, which one is better?
I usually recommend that people use a combination of centralized exchanges and owned wallets. If you don’t know much about technology, then I recommend keeping most of your money in Binance and having your own spending wallet (like TrustWallet). If you are technically strong, you can adjust the fund allocation as needed.
Centralized exchanges are occasionally maintained, and if you need to trade quickly, it is very convenient to have a separate wallet.
If you follow the advice described here, you should be able to hold your funds safely, whether in self-custody or on a CEX like Binance.
Keep SAFU!
CZ