Seed phrase – can a supercomputer guess it?
Your seed phrase consists of 12, 18, or 24 words, randomly selected from a list of 2,048 BIP-39 standard words. The number of possible combinations is astronomical: roughly between 2¹²⁸ and 2²⁵⁶.
To put it in perspective: if you combined all the computers on Earth and each second they could test a trillion trillion combinations, it would still take longer than the age of the universe to brute-force a 12-word seed.
Latest news on quantum computing: At the end of March 2026, Google announced it could break pending Bitcoin transactions in about 9 minutes. But that means extracting a private key from the public key of an unconfirmed transaction – not guessing a 12-word seed phrase. To directly guess a 12-word seed, even with quantum computing, would still require 2⁶⁴ attempts – far beyond current capabilities. A quantum computer powerful enough to do that does not exist yet.
For a bit of humor: the probability of guessing a 12-word seed correctly is still much lower than winning Vietlott Mega 6/45 (1 in 8 million) or the US Powerball (1 in 292 million).
The real danger isn't a hacker "guessing" your seed – it's you being tricked into entering your seed on a fake website, or taking a photo of your seed and saving it to the cloud.
Does a wallet only have one address? Not at all
- One crypto wallet (from a single seed phrase) can generate millions of different addresses. For example, MetaMask allows you to create multiple "accounts" within the same wallet – each account is a separate address, but all are recoverable from the same seed.
- Many people use multiple addresses to separate purposes: one address for receiving DeFi salary, one for NFTs, one "clean" address that only receives money from strangers. That's a good privacy habit.
Hot wallet: open source vs. closed – what's the difference?
- A hot wallet is a software wallet connected to the internet – convenient but riskier if your device gets malware.
- Fully closed-source wallets (older Trust Wallet, some exchange wallets): you cannot inspect the code. You must trust the development team completely. If they plant a backdoor, you're out of luck.
- Partially closed-source wallets (MetaMask): the core is open source, but the browser extension you install could be tampered with if downloaded from an unofficial source.
- Fully open-source wallets (OpenKey, Sparrow Wallet): the community can audit the code. Backdoor risk is much lower – but you must still download from the official website.
- Simple rule: always download wallets from the official site and verify digital signatures if available. Open source doesn't automatically mean safe – what matters is that you install the correct version.
Hardware-secured phones (Samsung Knox, iPhone Secure Enclave) – how are they different from regular phones?
- Regular phones store sensitive data (keys, passwords) in shared memory – if the operating system is compromised, attackers can extract that data.
- Phones with hardware-backed security like Samsung Knox or iPhone's Secure Enclave have a dedicated chip that operates independently of the main OS. Encryption keys never leave that chip – even if the OS is rooted or infected with malware, the keys cannot be extracted.
- For crypto, if you use a software wallet on a phone, a secure enclave significantly reduces the risk of private key exposure – but it still doesn't replace a hardware wallet if you're holding large amounts.
TRC-20, ERC-20, BEP-20 – why are transaction fees so different?
- When you send USDT, the token doesn't "physically move" – the transaction is recorded on a specific blockchain. Each blockchain has its own fees:
  - ERC-20 (Ethereum): fees typically $5–30, sometimes higher during network congestion. The original USDT network, most secure but expensive.
  - TRC-20 (Tron): fees typically under $1, sometimes free if you have enough "bandwidth". Very popular in Vietnam because it's cheap.
  - BEP-20 (BNB Chain / Binance): fees around $0.1–1. Popular within the Binance ecosystem.
- Extremely important warning: sending USDT on the wrong network (e.g., sending ERC-20 to an address that only accepts TRC-20) usually results in permanent loss. Always check the network on both ends before sending.
Can you send cryptocurrency assets directly between different blockchain networks?
No. You should never send assets directly from one network to an address on another network (for example, from Bitcoin to Ethereum, or between TRC-20, BEP-20, and ERC-20 standards). Doing so will likely result in permanent loss of your assets, because each blockchain operates independently and cannot automatically read data from another.
Solutions for transferring assets between networks (Cross-chain)
To transfer assets safely, you need an intermediary "bridge." Here are 3 common methods:
- Use a centralized exchange (CEX)
  - How to do it: Deposit funds to the exchange (select the correct sending network) → Wait for the balance to appear → Withdraw to your new wallet (select the correct receiving network).
  - Advantages: Simplest method, safe for beginners, the exchange handles the network conversion for you.
- Use a Bridge
  - How to do it: Connect your personal wallet to a bridge platform (e.g., Binance Bridge, Stargate, Orbiter). You "lock" your assets on Network A and receive an equivalent amount on Network B.
  - Advantages: No need for a centralized exchange, you keep control of your personal wallet.
- Use Cross-chain Swap
  - How to do it: Some multi-chain wallets (like Trust Wallet, Coin98) have a built-in "Swap" feature that lets you directly exchange a coin from one network to another with a single action.
Golden rules to avoid losing money:
- Sending network = Receiving network: Always double-check that the network name when sending matches exactly the network name when receiving.
- Gas fees: Each network requires its own type of fee (e.g., Tron network needs TRX, Binance needs BNB, Ethereum needs ETH). Make sure you have a small amount of that native coin in your wallet to pay the fee.
- Test first: For large amounts, always send a small test amount (e.g., $5–$10) first to confirm that the assets arrive safely, then transfer the rest.
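A pre-send check for the "Sending network = Receiving network" rule, as an added example that is not part of the original article: it classifies a destination address by format and refuses a mismatch with the selected network. It assumes the standard formats (Tron: Base58Check with prefix byte 0x41; Ethereum and BNB Chain: 0x plus 40 hex characters), skips the optional mixed-case checksum on 0x addresses, and uses illustrative function names.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
FAMILY = {"ERC-20": "evm", "BEP-20": "evm", "TRC-20": "tron"}

def checksum4(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    raw = payload + checksum4(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text: str):
    """Return the payload if the Base58Check checksum verifies, else None."""
    if not text or any(ch not in B58 for ch in text):
        return None
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return raw[:-4] if len(raw) > 4 and checksum4(raw[:-4]) == raw[-4:] else None

def address_family(addr: str) -> str:
    if addr.startswith("0x") and len(addr) == 42:
        try:
            return "evm" if len(bytes.fromhex(addr[2:])) == 20 else "invalid"
        except ValueError:
            return "invalid"
    payload = b58check_decode(addr)
    if payload and len(payload) == 21 and payload[0] == 0x41:  # Tron prefix byte
        return "tron"
    return "invalid"

def network_matches(addr: str, network: str) -> bool:
    """False when the address cannot belong to the selected network."""
    return address_family(addr) == FAMILY[network]

# Constructed sample addresses, not real wallets.
TRON_SAMPLE = b58check_encode(b"\x41" + bytes(range(20)))
EVM_SAMPLE = "0x" + bytes(range(20)).hex()
```

ERC-20 and BEP-20 addresses share one format, so this check cannot tell those two networks apart; that still has to be confirmed on the receiving side.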
I have USDT – how can I swap it for digital gold (PAXG, XAUT)?
- PAXG (Pax Gold) and XAUT (Tether Gold) are tokens representing physical gold – each token equals 1 troy ounce of gold. A way to hold gold without needing a safe.
- The simplest method: use a CEX like Binance, Kraken, or KuCoin that has PAXG/USDT or XAUT/USDT pairs. You sell USDT, buy PAXG/XAUT, then withdraw to your own wallet.
- The second method: use a DEX like Uniswap if you're already familiar with DeFi. You'll need ETH to pay gas fees.
Is keeping money on a CEX (Binance, Coinbase, etc.) safe?
- Centralized exchanges (CEXs) use a custodial model – they hold the private keys, you only have an account. Advantage: convenient, has support, easy to use. Disadvantage: if the exchange gets hacked, goes bankrupt, or freezes your account – you're completely dependent on them.
- Binance and Coinbase are large, long-standing exchanges, but no exchange is "too big to fail". FTX – once the third largest in the world – collapsed in 2022, and users lost billions.
- A practical rule: only keep on exchanges the amount you need for short-term trading. Long-term funds should be withdrawn to a self-custody wallet.
- Most importantly: you must prioritize exchanges that are legally permitted to operate in the country where you live. Trading on an exchange that doesn't comply with local laws could lead to withdrawal blocks, account freezes, or even administrative or criminal penalties. Always research the regulations in effect when you start.
Which exchanges have been hacked? What are the lessons?
- The list is longer than you think: Mt. Gox (2014, 850,000 BTC), Bitfinex (2016, 120,000 BTC), Binance (2019, 7,000 BTC), Coincheck (2018, 500 million NEM), FTX (2022, collapse due to internal fraud).
- The recurring lesson: not your keys, not your coins. Even the largest exchange can be hacked or go bankrupt. Diversification and self-custody are the only safeguards.
What is a hardware wallet? Why do whales use them?
- A hardware wallet is a physical device (like a USB stick or smart card) that stores private keys completely offline. When you sign a transaction, everything happens inside the chip – the private key never touches your computer or the internet.
- Popular brands: Ledger (Nano X, Nano S Plus), Trezor (Model T, Model One), Coldcard (Bitcoin-only).
- Whales use hardware wallets because with large amounts of money, even a 1% risk of malware on a computer equals losing hundreds of thousands of dollars. Hardware wallets eliminate nearly all of that risk. Spending $100–200 on a hardware wallet is the cheapest insurance you can buy.
Can a hardware wallet break after 5 years? Will I lose my money?
- Yes – electronic devices can break, get lost, or have chips die after many years. But here's the good news: your money is not stored inside the hardware wallet. Your money is on the blockchain.
- The hardware wallet merely holds your private key. As long as you still have your seed phrase (12/18/24 words), you can buy any new hardware wallet (or use a software wallet), enter the seed phrase, and regain access to all your assets.
- The seed phrase is what's truly precious. The hardware wallet is just a tool. Losing the hardware wallet is fine – losing the seed phrase is a disaster.
Buying a used hardware wallet online – what's the biggest risk?
- Never do this. The biggest risk isn't physical damage – it's that the device has been tampered with (software or hardware) before reaching you.
- Typical scenario: the seller installs malicious firmware, or worse, pre-generates a seed phrase and leaves it in the box – you unknowingly use that seed, deposit funds, and later they use the known seed to steal your money.
- Only buy hardware wallets from the official website (Ledger.com, Trezor.io) or an authorized reseller. Never buy secondhand.
Paper wallet – printing the seed phrase and locking it in a safe – is it safer than a hardware wallet?
- Paper wallets have an advantage: completely offline, no cost. But they have major downsides:
  - When you want to spend from a paper wallet, you must enter the seed into software – at that moment, if your machine has malware, the seed can be exposed. Hardware wallets sign transactions inside the device, never exposing the seed externally.
  - Paper can burn, get wet, or fade. A safe is good but not impenetrable.
- Conclusion: a paper wallet is safer than storing the seed on your phone, but less safe than a hardware wallet if you need to use your assets regularly.
Using a hardware wallet but visiting a fake website – can I lose money?
- It depends on what you do on that website.
- If you just "connect" the wallet to view your balance – usually safe, the hardware wallet won't sign transactions automatically.
- If you approve a transaction on the hardware wallet's screen without reading carefully – that's when it's dangerous. A fake website could ask you to sign an "approve" transaction that allows them to drain all your tokens.
- A hardware wallet protects you from malware on your computer – but it does not protect you from yourself. Always carefully read what's shown on the hardware wallet's screen before pressing confirm.
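What an "approve" request contains, as an added example that is not part of the original article: it decodes the transaction data of the two standard token-approval calls and reports who receives spending rights and how much. The selectors are the standard ones for approve(address,uint256) and setApprovalForAll(address,bool); the sample inputs and spender address are constructed and the function name is illustrative.

```python
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def describe_calldata(calldata_hex: str) -> dict:
    """Decode an approval-style call and say how much it hands over."""
    body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    try:
        data = bytes.fromhex(body)
    except ValueError:
        return {"kind": "malformed", "risk": "do not sign"}
    if len(data) != 68 or data[:4] not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other", "risk": "not decoded here"}
    if any(data[4:16]):  # a 20-byte address must be left-padded with zeros
        return {"kind": "malformed", "risk": "do not sign"}
    spender = "0x" + data[16:36].hex()
    value = int.from_bytes(data[36:68], "big")
    if data[:4] == SET_APPROVAL_FOR_ALL:
        risk = "unlimited: every NFT in this collection" if value else "revoke"
        return {"kind": "setApprovalForAll", "spender": spender, "risk": risk}
    if value == 0:
        risk = "revoke"
    elif value == MAX_UINT256:
        risk = "unlimited: spender can take the whole token balance"
    else:
        risk = "limited"
    return {"kind": "approve", "spender": spender, "amount": value, "risk": risk}

# Constructed sample inputs (the spender address is made up for the example).
SPENDER = "11" * 20
UNLIMITED = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
# 25 units of a token with 6 decimals
LIMITED = "0x095ea7b3" + "00" * 12 + SPENDER + (25 * 10**6).to_bytes(32, "big").hex()

if __name__ == "__main__":
    for sample in (UNLIMITED, LIMITED):
        print(describe_calldata(sample))
```

The spender and amount decoded here are the fields to compare against what the hardware wallet's screen shows before confirming.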
Do I need to update firmware on a hardware wallet?
- Yes. Old firmware may contain known security vulnerabilities. Manufacturers release patches to fix them.
- How to update safely: go directly to the official website (not via email links or social media), download the latest version of Ledger Live or Trezor Suite from there, connect your hardware wallet, and follow the instructions. Before updating, make sure you have your seed phrase stored in a safe place – because the update process can sometimes reset the device.
"Don't put all eggs in one basket" – how many wallets and exchanges should I split my funds across?
Over-diversification can also be messy (managing many seed phrases, many accounts, easy to forget). A practical framework for most users:
- Basket 1 – Long-term (60–80%): hardware wallet, offline, not frequently connected. This is your "safe".
- Basket 2 – Medium-term (15–30%): open-source software wallet on a dedicated device, used for DeFi, staking. Connect only when needed.
- Basket 3 – Short-term (5–10%): CEX, used for frequent trading, buying/selling, deposits/withdrawals.
3 baskets are enough for most people. 5 baskets if you manage very large amounts or operate across many different ecosystems. Simple and consistent is better than complex and messy.
I only have 5 million VND – is it worth buying a hardware wallet?
- Not necessarily – but it depends on your plan.
- If 5 million VND is all the crypto you have and you don't plan to increase it much: an open-source software wallet (Exodus or MetaMask) on a clean phone (no unknown apps, not rooted) is sufficient. The risk exists, but it's acceptable compared to the cost of a hardware wallet (~2–4 million VND).
- If you plan to accumulate long-term and the amount will grow: buying a hardware wallet from the start is the right decision. Good security habits should be formed early, not only when you already have a lot of money.
Spotting a rug pull with just 3 simple signs
A rug pull is when a DeFi project's development team suddenly withdraws liquidity or sells tokens, leaving users with worthless tokens.
- Sign 1 – The smart contract hasn't been audited: serious projects usually have a security audit report from an independent firm (CertiK, Hacken, PeckShield). No audit = extremely high risk.
- Sign 2 – Liquidity is unlocked: use tools like Token Sniffer or RugDoc to check. If the development team can withdraw liquidity at any time – that's a design meant for a rug pull.
- Sign 3 – Anonymous team + extremely high APY: anonymity isn't inherently bad (many good projects are anonymous), but when combined with APY above 1,000% and pressure to "invest now or miss out" – that's the classic rug pull recipe. Real yields are never sustainably that high.
Crypto doesn't have to be complicated – but it does need to be taken seriously. Start with the simplest things: keep your seed phrase safe, don't put all your eggs in one basket, and always understand what you're signing before clicking confirm.
This article is educational and not financial advice. Always do your own research, understand the legal regulations in your country of residence, and consult with professionals before making any decisions regarding digital assets.
