Cryptocurrency custody 101: Exchanges vs self-custody, wallets, seed phrases and scam prevention

The core trade-off: Convenience Versus Control

by Mr Moonlight

When you hold cryptocurrency, you face a fundamental choice: trust someone else to secure your assets, or take full responsibility yourself. This is the custody decision, and it shapes everything about how you interact with digital assets.

Exchange custody (also called custodial storage) means a third party (a cryptocurrency exchange, broker, or custodian) holds your private keys and manages your crypto on your behalf. You log in with a username and password, much like online banking. It's convenient, familiar, and often includes customer support if something goes wrong.

Self-custody (also called non-custodial storage) means you alone control the private keys to your cryptocurrency. No company, no intermediary, no safety net. If you lose access, no one can help you. If you make a mistake, there's no undo button. But you also have complete sovereignty over your assets, immune to exchange failures, freezes, or third-party interference.

According to Chainalysis, the global crypto wallet market was valued at $13.77 billion in 2024 and is projected to reach $18.00 billion in 2025, with long-term forecasts expecting growth to $153.88 billion by 2033. Hot wallets (internet-connected) dominated with about 56% revenue share in 2024, while the hardware wallet market (cold storage) is smaller but growing fast, from $0.56 billion in 2025 to an expected $2.06 billion by 2030.

The UK's Financial Conduct Authority (FCA) has proposed comprehensive rules for cryptoasset custody, requiring custodians to segregate client assets from their own, hold assets on trust for clients, maintain accurate records, and implement robust governance. These regulations, expected to take effect by late 2026, reflect growing recognition that custody is a critical infrastructure layer for the crypto economy.

This article provides general educational guidance only. It is not personalised financial advice. Cryptocurrency is a high-risk asset class. You could lose all of your capital. Always conduct your own research and consider seeking advice from a qualified financial adviser before making investment decisions.

Understanding Private Keys and Seed Phrases

What is a Private Key?

A private key is a long string of numbers and letters (typically 256 bits of data) that acts as the cryptographic password to your cryptocurrency. It proves ownership and allows you to authorise transactions. Anyone with access to your private key has complete control over the associated funds.

Think of the blockchain as a global ledger. Your cryptocurrency doesn't live "in" a wallet; it exists as entries on this public ledger. Your private key is what allows you to update those entries, that is, to send your crypto elsewhere. Without the private key, the crypto is permanently inaccessible.

Private keys are generated using complex cryptographic algorithms. They are designed to be practically impossible to guess (there are more possible private keys than atoms in the observable universe). However, they are also impossible to recover if lost.

What is a Seed Phrase?

Because private keys are long, random strings that humans cannot easily remember or transcribe accurately, most modern wallets use a seed phrase (also called a recovery phrase, mnemonic phrase, or backup phrase). This is typically a sequence of 12 or 24 common words, generated according to a standard called BIP39.

The seed phrase is a human-readable representation of your private key (or, more precisely, the "seed" from which multiple private keys can be derived). If you lose access to your wallet device or software, you can restore full access by entering the seed phrase into a compatible wallet.

Your seed phrase is your private key in another form. Anyone who obtains your seed phrase can steal all your cryptocurrency. Never share it, never photograph it, never store it digitally unless encrypted, and never enter it into any website or app unless you are absolutely certain it is legitimate.
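The relationship described above, as an added example (not code from the article or from any wallet): BIP39 appends a SHA-256 checksum to the random entropy, cuts the result into 11-bit indices into a 2048-word list, and stretches the resulting word string into a 64-byte seed with PBKDF2-HMAC-SHA512. The mnemonic below is the public all-zero BIP39 test vector and the passphrase is constructed; nothing derived from them should ever hold funds.

```python
import hashlib
import unicodedata

# Public BIP39 test vector (all-zero entropy). Constructed sample input only.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def entropy_to_word_indices(entropy):
    """Return the 11-bit word-list indices BIP39 derives from raw entropy.

    12 words = 128 bits of entropy + 4 checksum bits (132 = 12 * 11).
    24 words = 256 bits of entropy + 8 checksum bits (264 = 24 * 11).
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32
    # The checksum is the first cs_bits bits of SHA-256(entropy).
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def mnemonic_to_seed(mnemonic, passphrase=""):
    """Derive the 64-byte BIP39 seed from the words and optional passphrase.

    The words are the PBKDF2 password; the salt is the literal string
    "mnemonic" followed by the passphrase. No device secret is involved,
    which is why the words alone are enough to restore (or steal) a wallet.
    """
    def nfkd(text):
        return unicodedata.normalize("NFKD", text)

    return hashlib.pbkdf2_hmac(
        "sha512",
        nfkd(mnemonic).encode("utf-8"),
        ("mnemonic" + nfkd(passphrase)).encode("utf-8"),
        2048,
        dklen=64,
    )


if __name__ == "__main__":
    # All-zero entropy maps to word 0 eleven times, then word 3 (checksum).
    print(entropy_to_word_indices(bytes(16)))
    plain = mnemonic_to_seed(TEST_MNEMONIC)
    # Constructed passphrase: same words, completely different wallet.
    hidden = mnemonic_to_seed(TEST_MNEMONIC, "constructed example passphrase")
    print(plain.hex()[:16], hidden.hex()[:16])
```

The last word of a mnemonic carries the checksum, which is why a wallet can reject most mistyped phrases, and any change to the passphrase yields an unrelated seed rather than an error.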

According to Ledger's security guidance, a major vulnerability of hot wallets is that they generate and display seed phrases in an online environment. Once your seed phrase appears on an internet-connected device, it is potentially exposed to malware, screen capture, or remote access attacks.

Hot Wallets: Convenience and Accessibility

What is a Hot Wallet?

A hot wallet is any cryptocurrency wallet that is connected to the internet. This includes:

  • Mobile wallets: Apps on your smartphone (e.g., Trust Wallet, Coinbase Wallet, Exodus)
  • Desktop wallets: Software on your computer (e.g., Electrum, Exodus desktop)
  • Web wallets: Browser-based wallets (e.g., MetaMask, Phantom)
  • Exchange wallets: Accounts on cryptocurrency exchanges (e.g., Coinbase, Binance, Kraken)

Hot wallets prioritise ease of use. They allow you to send and receive crypto quickly, interact with decentralised applications (DeFi, NFTs), and manage your portfolio from anywhere with an internet connection.

How Hot Wallets Work

When you create a hot wallet, the software generates a private key (and corresponding seed phrase) on your device or on the service provider's servers (in the case of custodial exchange wallets). This key is stored in a way that allows the wallet software to access it whenever you want to make a transaction.

When you send cryptocurrency, the wallet software uses your private key to create a digital signature proving you authorise the transaction. This signed transaction is then broadcast to the blockchain network for validation and inclusion in the ledger.

The convenience of hot wallets comes with a security trade-off. Because the private key exists on an internet-connected device, it is potentially vulnerable to:

  • Malware and keyloggers: Software that records your keystrokes or screenshots
  • Phishing attacks: Fake websites or apps that trick you into entering your seed phrase
  • Remote access attacks: Hackers gaining control of your device
  • Exchange hacks or failures: If using a custodial exchange wallet, the exchange itself could be compromised or go bankrupt

According to CoinLaw's 2025 statistics, hot wallets represent approximately 78% of all crypto wallets globally in 2025, with mobile wallets used by over 78% of hot wallet users. Desktop wallet usage has declined to only 9% of hot wallet usage.

Custodial vs Non-Custodial Hot Wallets

Custodial hot wallets are provided by exchanges or services that hold your private keys for you. You access your funds through a username and password. Examples include Coinbase, Binance, and Kraken exchange accounts.

Advantages:

  • Familiar user experience (like online banking)
  • Customer support if you forget your password
  • Often include additional features like instant trading, staking, or lending
  • May offer insurance or compensation schemes (though coverage is often limited)

Disadvantages:

  • You don't control the private keys ("not your keys, not your crypto")
  • Vulnerable to exchange hacks, freezes, or bankruptcy
  • May require identity verification (KYC)
  • Subject to terms of service that can change

Non-custodial hot wallets give you full control of your private keys. You are responsible for securing your seed phrase. Examples include MetaMask, Trust Wallet, and Exodus.

Advantages:

  • Full control and ownership
  • No third party can freeze or seize your funds
  • Often no identity verification required
  • Can interact directly with DeFi protocols and dApps

Disadvantages:

  • No customer support if you lose your seed phrase
  • Higher responsibility for security
  • Mistakes are irreversible

In 2025, approximately 41% of hot wallet users use custodial wallets, while 59% use non-custodial or self-custody wallets, according to CoinLaw data.

When to Use a Hot Wallet

Hot wallets are appropriate for:

  • Small amounts you use for regular transactions or trading
  • Active trading where you need quick access to buy and sell
  • DeFi and NFT activities that require frequent interaction with smart contracts
  • Learning and experimentation when you're new to crypto (with small amounts)

Risk disclosure: Hot wallets are more vulnerable to theft and loss than cold storage. Only keep amounts you can afford to lose in hot wallets. For significant holdings intended for long-term storage, cold storage is more secure.

Cold Wallets: Security and Long-Term Storage

What is a Cold Wallet?

A cold wallet (also called cold storage or an offline wallet) is any method of storing cryptocurrency private keys that is completely disconnected from the internet. Cold wallets include:

  • Hardware wallets: Physical devices designed specifically for storing crypto keys (e.g., Ledger, Trezor, Bitkey)
  • Paper wallets: Physical documents with private keys or seed phrases written or printed on them
  • Metal wallets: Seed phrases engraved on metal plates for durability
  • Air-gapped computers: Computers that have never been and will never be connected to the internet

Cold wallets prioritise security over convenience. Because the private key never touches an internet-connected device, it is immune to remote hacking, malware, and most forms of digital theft.

How Cold Wallets Work

Hardware wallets are small physical devices (often resembling USB drives) with secure chips that generate and store private keys. When you want to make a transaction:

  1. You prepare the transaction on your internet-connected computer or phone using "bridge" software
  2. You connect the hardware wallet (via USB, Bluetooth, or NFC)
  3. The unsigned transaction is sent to the hardware wallet
  4. You verify and approve the transaction on the hardware wallet's screen
  5. The hardware wallet signs the transaction using the private key (which never leaves the device)
  6. The signed transaction is sent back to your computer and broadcast to the blockchain

Your private key never leaves the hardware wallet. Even if your computer is infected with malware, the attacker cannot access your private key.

According to Tangem, hardware wallets use certified secure chips (often EAL6+ security standard, the same used in biometric passports) that are designed to resist physical tampering, side-channel attacks, and extraction attempts.

Paper and metal wallets are simply physical records of your seed phrase or private key. To spend funds:

  1. You must enter the seed phrase into a software or hardware wallet
  2. Once entered, the wallet can sign transactions
  3. The seed phrase should then be considered "hot" (potentially compromised) and funds should be moved to a new cold wallet

Metal wallets are more durable than paper, resistant to fire, water, and physical damage. Various metal wallet solutions have been tested for durability, with prices ranging from a few dollars for DIY solutions to several hundred for premium products.

Hardware Wallet Security Features

Modern hardware wallets include multiple layers of security:

  • Secure element chip: Tamper-resistant chip that stores private keys
  • PIN protection: Required to unlock the device
  • Passphrase option: Additional word you can add to your seed phrase for extra security
  • Firmware verification: Ensures the device hasn't been tampered with
  • Screen verification: Allows you to verify transaction details on the device itself, not just on your potentially compromised computer

The FCA's proposed custody rules require professional custodians to implement robust safeguarding arrangements, including segregation of client assets, use of cold storage for the majority of holdings, and multi-signature controls for accessing funds.

When to Use a Cold Wallet

Cold wallets are appropriate for:

  • Large amounts you intend to hold long-term
  • Savings and investment holdings you don't need to access frequently
  • Inheritance planning (with proper documentation for heirs)
  • Maximum security when you cannot afford to lose the funds

Risk disclosure: Cold wallets protect against digital theft but introduce physical risks. If you lose your hardware wallet and don't have your seed phrase backed up, your funds are permanently lost. If someone finds your seed phrase backup, they can steal your funds.

Multi-Signature Wallets: Shared Control and Enhanced Security

A multi-signature (multisig) wallet requires multiple private keys to authorise a transaction, rather than just one. For example, a 2-of-3 multisig wallet has three private keys, and any two of them must sign a transaction for it to be valid.

How Multisig Works

When you create a multisig wallet, you specify:

  • The total number of keys (e.g., 3)
  • The threshold required (e.g., 2)

The keys can be distributed among:

  • Multiple people (e.g., business partners, family members)
  • Multiple devices you control (e.g., your phone, your hardware wallet, and a backup device)
  • A combination of your keys and a third-party service (e.g., you hold 2 keys, a custody service holds 1 as a backup)

Benefits of Multisig

  • Reduced single point of failure: No single lost or stolen key can compromise your funds
  • Shared custody: Useful for businesses, DAOs, or family trusts where multiple parties should have control
  • Protection against coercion: Even if someone forces you to hand over one key, they cannot access funds without the others
  • Backup and recovery: If you lose one key, you can still access funds with the others

Drawbacks of Multisig

  • Complexity: More difficult to set up and use than single-signature wallets
  • Coordination required: If keys are held by multiple people, you need to coordinate to make transactions
  • Still vulnerable to seed phrase theft: If an attacker obtains enough seed phrases, they can steal funds

According to CoinLaw, approximately 36% of enterprises require multi-signature or shared custody solutions for their cryptocurrency holdings.

Decision Tree: Which Custody Solution is Right for You?

Start here: How much cryptocurrency do you hold or plan to hold?

Less than £500 (or your local equivalent)

Recommendation: Non-custodial hot wallet (mobile or browser extension)

Rationale: The convenience of a hot wallet outweighs the security risk for small amounts. The cost and complexity of hardware wallets may not be justified.

Suggested wallets: MetaMask (for Ethereum and EVM chains), Phantom (for Solana), Exodus (multi-chain)

Action: Write down your seed phrase on paper, store it securely at home, and never share it with anyone.

£500 to £5,000

Recommendation: Hardware wallet for the majority, small amount in hot wallet for spending

Rationale: At this level, the security benefits of cold storage justify the cost of a hardware wallet (£60-200). Keep a small amount (£50-200) in a hot wallet for convenience.

Suggested wallets: Ledger Nano S Plus or Ledger Nano X, Trezor Safe 3 or Trezor Safe 5

Action: Purchase a hardware wallet from the official manufacturer (never from third-party sellers). Set it up, transfer the majority of your holdings to it, and store the seed phrase securely (see backup guidance below).

£5,000 to £50,000

Recommendation: Hardware wallet with metal seed phrase backup, consider multisig

Rationale: At this level, you should invest in redundant backups. A metal seed phrase backup protects against fire, flood, and physical damage. Consider a 2-of-3 multisig setup for additional security.

Suggested wallets: Ledger or Trezor hardware wallet, plus metal backup (e.g., Cryptosteel, Billfodl, or DIY solution)

Action: Set up hardware wallet, create metal backup of seed phrase, store backups in separate secure locations (e.g., home safe and bank safety deposit box). Consider multisig if you have a trusted family member or advisor.

More than £50,000

Recommendation: Multisig cold storage with professional custody consideration

Rationale: At this level, you should treat your cryptocurrency like a significant financial asset. Consider professional custody services, multisig with geographically distributed keys, or a combination of self-custody and institutional custody.

Suggested solutions:

  • 2-of-3 or 3-of-5 multisig with hardware wallets
  • Professional custody service (e.g., Coinbase Custody, Fidelity Digital Assets, Copper)
  • Hybrid approach: majority in cold storage, portion with regulated custodian for liquidity

Action: Consult with a financial adviser who understands cryptocurrency. Consider estate planning and ensure trusted individuals know how to access your holdings in an emergency.

Risk disclosure: This decision tree provides general guidance only. Your personal circumstances, risk tolerance, technical ability, and intended use of cryptocurrency should all inform your custody decisions. Higher amounts do not automatically mean you should use more complex solutions if you are not comfortable managing them.

Minimum Viable Security: Starter Checklist

If you're new to cryptocurrency, follow this checklist to establish basic security:

Before You Buy Any Crypto

  • Educate yourself: Understand what cryptocurrency is, how it works, and the risks involved
  • Decide on custody: Will you use an exchange (custodial) or self-custody?
  • Research wallets: Read reviews, check security track records, verify official websites
  • Beware of scams: Learn to recognise common scams (see section below)

If Using an Exchange (Custodial)

  • Choose a reputable exchange: Use well-established, regulated exchanges (e.g., Coinbase, Kraken, Gemini in the UK)
  • Enable two-factor authentication (2FA): Use an authenticator app (Google Authenticator, Authy), not SMS
  • Use a strong, unique password: At least 16 characters, mix of letters, numbers, symbols. Use a password manager
  • Verify the exchange is authorised: Check the FCA register for UK-regulated firms
  • Understand the risks: Exchanges can be hacked, go bankrupt, or freeze accounts. Don't keep more on an exchange than you need for trading

If Using Self-Custody (Non-Custodial Wallet)

  • Download from official sources only: Go directly to the wallet's official website, never click links in emails or ads
  • Verify the download: Check file hashes or signatures if provided
  • Write down your seed phrase: Use pen and paper, write clearly, double-check every word
  • Store seed phrase securely: Keep it offline, in a secure location (safe, locked drawer), away from prying eyes and cameras
  • Never share your seed phrase: No legitimate service will ever ask for it
  • Test with a small amount first: Send a small transaction to verify everything works before transferring larger amounts
  • Verify addresses carefully: Always double-check recipient addresses before sending (malware can swap addresses)

For Hardware Wallet Users

  • Buy from official manufacturer: Never buy from third-party sellers (Amazon, eBay) due to tampering risk
  • Verify packaging is intact: Check for signs of tampering
  • Generate seed phrase on device: Never use a pre-generated seed phrase
  • Create metal backup: For holdings over £5,000, engrave seed phrase on metal
  • Store backups separately: Keep hardware wallet and seed phrase backup in different locations
  • Test recovery process: Before storing significant funds, test that you can recover the wallet using your seed phrase

Ongoing Security Practices

  • Keep software updated: Update wallet apps, operating systems, and antivirus software regularly
  • Use dedicated devices: Consider using a separate phone or computer only for crypto transactions
  • Be paranoid about phishing: Verify URLs, don't click links in emails, bookmark official sites
  • Monitor your holdings: Check your wallet regularly for unauthorised transactions
  • Plan for inheritance: Ensure trusted individuals can access your crypto if something happens to you (without compromising security while you're alive)

What NOT to Do: Common Mistakes That Lead to Loss

Never Share Your Seed Phrase or Private Key

With anyone. Ever. For any reason.

No legitimate company, support team, or service will ever ask for your seed phrase. If someone asks for it, they are trying to steal your cryptocurrency. This includes:

  • "Customer support" representatives (even if they seem official)
  • "Wallet validation" or "synchronisation" services
  • "Airdrop" or "giveaway" websites
  • "Investment opportunities" that require you to "connect your wallet"

Never Store Your Seed Phrase Digitally

Do not:

  • Take a photo of it
  • Store it in a note-taking app
  • Email it to yourself
  • Save it in cloud storage (Google Drive, Dropbox, iCloud)
  • Store it in a password manager (unless the password manager itself is secured with a hardware key and you fully understand the risks)

Digital storage is vulnerable to hacking, malware, and unauthorised access. Paper or metal, stored physically and securely, is safer.

Never Buy Hardware Wallets from Third-Party Sellers

Hardware wallets purchased from Amazon, eBay, or other third-party sellers may have been tampered with. Attackers can:

  • Replace the device with a fake that records your seed phrase
  • Pre-generate a seed phrase and include it in the package
  • Install malicious firmware

Always buy directly from the manufacturer's official website.

Never Enter Your Seed Phrase into a Website or App You Don't Trust

Phishing websites that look identical to legitimate wallet sites are common. Always:

  • Type the URL directly into your browser (don't click links)
  • Verify the URL is correct (check for misspellings, extra characters)
  • Bookmark official sites and only use your bookmarks
  • Be suspicious of any site asking for your seed phrase

Never Send Cryptocurrency to "Verify" Your Wallet or Claim a Prize

Common scams involve:

  • "Send 0.1 ETH to verify your wallet and receive 1 ETH back"
  • "Send gas fees to claim your airdrop"
  • "Send a small amount to unlock your account"

These are always scams. Legitimate services never require you to send crypto first.

Never Ignore Small "Test" Transactions

If you see small, unexpected transactions in your wallet, investigate immediately. This could indicate:

  • Your wallet has been compromised
  • Someone is testing whether the wallet is active before attempting a larger theft
  • A "dust attack" designed to track your transactions

Never Use Public Wi-Fi for Crypto Transactions

Public Wi-Fi networks are insecure and can be monitored by attackers. If you must access your crypto wallet while away from home:

  • Use your mobile data connection instead
  • Use a VPN (virtual private network)
  • Better yet, wait until you're on a secure network

Never Ignore Software Updates

Wallet software updates often include critical security patches. Delaying updates can leave you vulnerable to known exploits.

However, be cautious:

  • Only update from official sources
  • Read update notes to verify legitimacy
  • Be wary of urgent "security update" emails (verify independently)

Never Keep All Your Crypto in One Place

Diversify your storage:

  • Don't keep everything on one exchange
  • Don't keep everything in one wallet
  • Consider multiple hardware wallets for very large holdings
  • Keep backups in separate physical locations

Never Forget That Transactions Are Irreversible

Unlike bank transfers or credit card payments, cryptocurrency transactions cannot be reversed. If you:

  • Send to the wrong address
  • Fall for a scam
  • Make a mistake

The funds are gone. There is no customer service to call, no chargeback mechanism, no undo button. This is why verification and caution are essential.

Common Cryptocurrency Scams and How to Avoid Them

Cryptocurrency scams are sophisticated, widespread, and constantly evolving. According to the FBI's 2024 Internet Crime Report, cryptocurrency-related scams accounted for $9.3 billion in victim losses in 2024, a 66% increase from the previous year. Chainalysis estimates that crypto scam revenue reached $9.9 billion in 2024, likely to be revised higher to $12.4 billion as more scam wallets are identified.

Pig Butchering Scams

What it is: A long-term scam where fraudsters build trust (often through romance or friendship) before convincing victims to invest in fake crypto platforms.

How it works:

  1. Scammer contacts victim via dating app, social media, or "wrong number" text message
  2. Builds relationship over weeks or months, often with fake photos and AI-generated content
  3. Casually mentions their success with cryptocurrency investing
  4. Offers to help victim invest, directing them to a fake trading platform
  5. Platform shows fake profits, encouraging victim to invest more
  6. When victim tries to withdraw, they're told they must pay taxes or fees first
  7. Scammer disappears with all funds

Scale: Pig butchering scams stole $5.5 billion from crypto investors in 2024 across 200,000 identified cases, according to Cyvers. Revenue from these scams grew nearly 40% year-over-year, with the number of deposits growing 210%, indicating an expansion of the victim pool.

How to avoid:

  • Be extremely suspicious of unsolicited investment advice, especially from new online contacts
  • Never invest in platforms recommended by someone you've only met online
  • Verify any trading platform independently (check FCA register, read reviews from multiple sources)
  • Be wary of platforms that show unrealistic returns or make withdrawal difficult
  • If someone you've never met in person is pushing you to invest, it's almost certainly a scam

Phishing and Fake Wallet Sites

What it is: Fraudulent websites or apps that impersonate legitimate wallets or exchanges to steal seed phrases or private keys.

How it works:

  1. Scammer creates website that looks identical to a legitimate wallet or exchange
  2. Uses similar URL (e.g., "metamask-wallet.com" instead of "metamask.io")
  3. Victim enters seed phrase to "restore" or "validate" wallet
  4. Scammer immediately drains all funds

Scale: Phishing remains one of the most common attack vectors. ScamSniffer reported that search engine ads have been a major vector, with scammers exploiting Punycode URLs (swapping characters with similar-looking Unicode characters) to create pixel-perfect fake websites.

How to avoid:

  • Never click links in emails, texts, or social media messages
  • Type URLs directly into your browser or use bookmarks
  • Verify the exact URL before entering any information
  • No legitimate service will ever ask for your seed phrase
  • Use hardware wallets, which protect against phishing by verifying transactions on the device
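One way to automate the "verify the exact URL" step, as an added example that is not part of the original article: the check below compares a link's hostname with a personal bookmark list and flags Punycode labels, mixed-script labels and lookalike domains that merely contain the brand name. The function names, the finding labels and the sample URLs are constructed for illustration; only metamask.io and metamask-wallet.com come from the text above.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the reader's own bookmark list. metamask.io is the official
# domain named in the article; list the wallets you actually use.
BOOKMARKED = {"metamask.io"}


def _scripts(label):
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def check_wallet_url(url, bookmarked=BOOKMARKED):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = set()

    if parts.scheme != "https":
        findings.add("no-https")

    for label in host.split("."):
        shown = label
        if label.startswith("xn--"):
            # Punycode: the browser may render different characters
            # from the ASCII form seen in a link or an ad.
            findings.add("punycode-label")
            try:
                shown = label.encode("ascii").decode("idna")
            except UnicodeError:
                findings.add("undecodable-label")
                continue
        elif not label.isascii():
            findings.add("non-ascii-label")
        # A single label mixing scripts (Latin plus Cyrillic, say) is the
        # classic sign of a lookalike-character substitution.
        if len(_scripts(shown)) > 1:
            findings.add("mixed-script-label")

    # Official means the bookmarked domain itself or one of its subdomains.
    official = any(host == d or host.endswith("." + d) for d in bookmarked)
    if not official:
        findings.add("not-bookmarked")
        # The brand name appearing anywhere in an unofficial host is the
        # metamask-wallet.com pattern from the article.
        if any(d.split(".")[0] in host for d in bookmarked):
            findings.add("brand-in-unofficial-domain")
    return sorted(findings)


def homograph_sample():
    """Constructed sample: 'metamask.io' with a Cyrillic 'е' (U+0435), in ASCII form."""
    return "https://" + "m\u0435tamask.io".encode("idna").decode("ascii") + "/"


if __name__ == "__main__":
    samples = [  # constructed inputs
        "https://metamask.io/",
        "https://metamask-wallet.com/",
        homograph_sample(),
    ]
    for url in samples:
        print(url, check_wallet_url(url))
```

A clean result only means the hostname matches a bookmark over HTTPS; it says nothing about the page content, so the rule that no legitimate service asks for a seed phrase still applies.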

Fake Giveaways and Airdrops

What it is: Scammers impersonate celebrities, companies, or projects, promising free cryptocurrency in exchange for a small payment or seed phrase.

How it works:

  1. Scammer creates fake social media account or hacks a real one
  2. Posts about a "giveaway" (e.g., "Send 0.1 BTC, get 1 BTC back")
  3. Uses AI-generated deepfake videos of celebrities like Elon Musk or crypto executives
  4. Victims send crypto, receive nothing in return

Scale: In July 2025, Ripple CEO Brad Garlinghouse warned of a wave of XRP giveaway scams on YouTube using AI-generated impersonations. One documented deepfake Elon Musk scam collected at least $5 million between March 2024 and January 2025.

How to avoid:

  • No legitimate person or company will ask you to send crypto to receive more crypto
  • Verify giveaways through official channels (company website, verified social media)
  • Be suspicious of any offer that seems too good to be true
  • Check account verification badges, follower counts, and post history
  • Remember: if Elon Musk wants to give you Bitcoin, he doesn't need you to send him some first

Rug Pulls and Fake Projects

What it is: Developers create a new cryptocurrency or NFT project, attract investors, then disappear with the funds.

How it works:

  1. Scammers create a new token or NFT collection
  2. Build hype on social media, often with fake partnerships or celebrity endorsements
  3. Investors buy in, driving up the price
  4. Developers suddenly withdraw all liquidity or sell their holdings
  5. Token becomes worthless, developers disappear

Scale: Rug pulls decreased in frequency by 66% year-over-year (7 incidents in early 2025 vs 21 in early 2024), but financial damage skyrocketed to nearly $6 billion in early 2025, up from $90 million in early 2024, according to Sumsub. The nature has shifted from DeFi protocols to predominantly memecoin-related rug pulls.

Notable example: The Meteora memecoin scam, where insiders used over 150 wallets to acquire up to 95% of the M3M3 token supply within 20 minutes of launch, artificially inflated the price, then sold off holdings, causing investors to lose over $69 million between December 2024 and February 2025.

How to avoid:

  • Research projects thoroughly before investing
  • Check if the team is doxxed (publicly identified) and has a track record
  • Look for third-party audits of smart contracts
  • Be wary of projects with anonymous teams or unrealistic promises
  • Check token distribution (if a small number of wallets hold most of the supply, it's a red flag)
  • Never invest more than you can afford to lose in new, unproven projects

Fake Customer Support

What it is: Scammers impersonate customer support for wallets, exchanges, or crypto projects to steal credentials or funds.

How it works:

  1. Victim posts a question or complaint on social media or forum
  2. Scammer quickly responds, posing as official support
  3. Directs victim to fake website or asks for seed phrase to "fix the problem"
  4. Steals funds

How to avoid:

  • Never respond to unsolicited "support" messages on social media
  • Always contact support through official channels (website, verified email)
  • No legitimate support team will ever ask for your seed phrase or private key
  • Be suspicious of anyone offering to "help" via direct message
  • Verify support contact details independently

Pump and Dump Schemes

What it is: Coordinated efforts to artificially inflate the price of a cryptocurrency, then sell at the peak, leaving other investors with losses.

How it works:

  1. Group acquires large amount of low-value cryptocurrency
  2. Promotes it heavily on social media, creating FOMO (fear of missing out)
  3. Price rises as new investors buy in
  4. Group sells their holdings at the peak
  5. Price crashes, leaving late investors with losses

Scale: According to Chainalysis, in 2024, 3.59% of all launched tokens showed patterns linked to pump-and-dump schemes. Solidus Labs found that 98.6% of tokens launched on Pump.fun were rug pulls or pump-and-dump schemes.

How to avoid:

  • Be suspicious of sudden hype around unknown tokens
  • Don't invest based on social media hype alone
  • Research the project's fundamentals, not just price movements
  • Be wary of "get rich quick" promises
  • If everyone is talking about a token suddenly, you're probably too late

Crypto Drainers

What it is: Malicious scripts or smart contracts that trick users into authorising transactions that transfer all their funds to attackers.

How it works:

  1. Victim connects wallet to a malicious website or dApp
  2. Site requests permission to access wallet (appears as a normal transaction approval)
  3. Victim approves, unknowingly granting unlimited access
  4. Drainer automatically transfers all assets to attacker's wallet

Scale: Kaspersky reported a 135% surge in interest for crypto-stealing drainers on the dark web at the end of 2024. These have evolved into a "drainer-as-a-service" model, where ready-made malware kits are sold to criminals.

How to avoid:

  • Only connect your wallet to trusted, verified websites
  • Read transaction approval requests carefully before signing
  • Use a hardware wallet, which requires physical confirmation for each transaction
  • Regularly review and revoke token approvals (use tools like Revoke.cash for Ethereum)
  • Keep only small amounts in hot wallets used for interacting with dApps
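The approval step described under "How it works" can be checked mechanically before signing. The following is an added example, not code from this article or from any wallet: it decodes approval calldata and labels it as unlimited, limited, or a revocation. The function names, the 2**255 threshold and the placeholder spender address are assumptions; the three selectors are the standard ERC-20/ERC-721 ones.

```python
# Added example. Selector = first 4 bytes of keccak256(function signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
# Heuristic (assumption): allowances this large are treated as unlimited.
UNLIMITED_THRESHOLD = 2**255


def encode_call(selector, spender, value):
    """Build calldata: selector + two 32-byte ABI words (address, uint256)."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40 or not 0 <= value < 2**256:
        raise ValueError("bad address or value")
    return "0x" + selector + addr.rjust(64, "0") + format(value, "064x")


def inspect_approval(calldata):
    """Return None for non-approval calls, else a dict with a risk label."""
    data = calldata.lower().removeprefix("0x")
    bytes.fromhex(data)  # raises ValueError on non-hex or odd-length input
    function = SELECTORS.get(data[:8])
    if function is None:
        return None
    args = data[8:]
    if len(args) != 128 or args[:24] != "0" * 24:
        raise ValueError("malformed approval arguments")
    spender, value = "0x" + args[24:64], int(args[64:], 16)
    if function.startswith("setApprovalForAll"):
        # A true flag hands the operator every token in the collection.
        risk = "unlimited" if value else "revoke"
    elif value == 0 and function.startswith("approve"):
        risk = "revoke"
    elif value >= UNLIMITED_THRESHOLD:
        risk = "unlimited"
    else:
        # On an ERC-721 contract, approve() carries a token id here.
        risk = "limited"
    return {"function": function, "spender": spender, "value": value, "risk": risk}


# Constructed sample inputs; the spender address is a placeholder.
SPENDER = "0x" + "11" * 20
DRAINER_STYLE = encode_call("095ea7b3", SPENDER, 2**256 - 1)
BOUNDED = encode_call("095ea7b3", SPENDER, 250 * 10**18)
REVOKE = encode_call("095ea7b3", SPENDER, 0)

if __name__ == "__main__":
    print([inspect_approval(s)["risk"] for s in (DRAINER_STYLE, BOUNDED, REVOKE)])
```

A revocation is the same `approve` call with the amount set to zero, which is what approval-review tools submit on your behalf.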

Incident Response: What to Do If Your Wallet is Compromised

If you suspect your cryptocurrency wallet has been compromised, act immediately. Every second counts.

Immediate Actions (First 5 Minutes)

  1. Stop using the compromised wallet immediately
    • Do not make any more transactions
    • Disconnect from the internet if possible
  2. Transfer remaining funds to a new, secure wallet
    • If you still have access and funds remain, create a new wallet on a different device
    • Transfer all remaining assets immediately
    • Use maximum transaction fees to ensure fast confirmation
  3. Revoke token approvals
    • If you use Ethereum or EVM-compatible chains, go to Revoke.cash or a similar service
    • Connect your compromised wallet
    • Revoke all token approvals (this prevents drainers from taking more funds)
  4. Document everything
    • Take screenshots of your wallet, transactions, and any suspicious activity
    • Note the time you discovered the compromise
    • Record any suspicious emails, messages, or websites you interacted with

Next Steps (First Hour)

  1. Identify how the compromise occurred
    • Did you enter your seed phrase into a website?
    • Did you click a suspicious link?
    • Did you approve a transaction you didn't understand?
    • Is your computer or phone infected with malware?
  2. Secure your devices
    • Run a full antivirus scan
    • Change passwords for all accounts (email, exchange, etc.)
    • Enable or update two-factor authentication
    • Consider wiping and reinstalling your operating system if malware is suspected
  3. Report the incident
    • UK: Report to Action Fraud (0300 123 2040)
    • Exchange-related: Contact the exchange's support team immediately
    • Blockchain analysis: Some services like Chainalysis can help trace stolen funds (though recovery is rare)
  4. Warn others
    • If you fell for a scam, report it to help protect others
    • Share details (without revealing personal information) on crypto community forums
    • Report phishing sites to Google Safe Browsing

Longer-Term Actions

  1. Accept the loss
    • Unfortunately, cryptocurrency transactions are irreversible
    • Recovery is extremely rare
    • Do not fall for "recovery services" that promise to get your funds back for a fee (these are usually secondary scams)
  2. Learn and improve security
    • Understand what went wrong
    • Implement better security practices
    • Consider using hardware wallets for future holdings
    • Never reuse the compromised seed phrase
  3. Monitor for identity theft
    • If you provided personal information to scammers, monitor your credit report
    • Be alert for phishing attempts using your information
    • Consider credit monitoring services

What NOT to Do

  • Don't pay "recovery services": These are almost always scams targeting victims a second time
  • Don't share more information: Scammers may contact you claiming to help, asking for more details
  • Don't panic and make hasty decisions: Take time to think clearly and seek advice from trusted sources
  • Don't give up on crypto entirely: Learn from the experience and implement better security

Risk Matrix: Custody Options Compared

| Custody Method | Security Level | Convenience | Cost | Best For | Key Risks |
|---|---|---|---|---|---|
| Exchange (Custodial) | Low to Medium | Very High | Free (trading fees apply) | Beginners, active traders, small amounts | Exchange hack, bankruptcy, account freeze, no control of keys |
| Mobile Hot Wallet (Non-Custodial) | Medium | High | Free | Daily use, small to medium amounts, DeFi/NFT interaction | Malware, phishing, device loss, seed phrase theft |
| Desktop Hot Wallet | Medium | Medium | Free | Medium amounts, less mobile use | Malware, phishing, computer compromise |
| Hardware Wallet | High | Medium | £60-200 | Long-term storage, medium to large amounts | Device loss (if no backup), seed phrase loss, physical theft of backup |
| Hardware Wallet + Metal Backup | Very High | Medium | £100-300 | Large amounts, long-term storage | Seed phrase discovery, physical theft of backup |
| Multisig Cold Storage | Very High | Low | £200-500+ | Very large amounts, shared custody, business use | Complexity, coordination required, loss of multiple keys |
| Professional Custody | High | Medium to High | 0.5-2% annually | Institutional amounts, regulatory compliance needed | Counterparty risk, fees, less control |

Risk disclosure: This matrix provides general comparisons. Actual security depends on implementation. A poorly secured hardware wallet can be less secure than a well-secured hot wallet. Your technical ability, diligence, and specific circumstances matter more than the custody method alone.

Regulatory Landscape: UK Custody Rules

The UK is developing a comprehensive regulatory framework for cryptoasset custody. Understanding these rules is important for both users (to know what protections to expect) and businesses (to understand compliance requirements).

Current Status

As of December 2025, cryptocurrency firms operating in the UK must register with the FCA under the Money Laundering Regulations. However, this registration primarily addresses anti-money laundering and counter-terrorist financing, not custody standards or consumer protection.

Proposed Custody Regulations

The FCA published consultation paper CP25/14 in May 2025, proposing comprehensive rules for firms safeguarding cryptoassets. Key proposals include:

Segregation requirements:

  • Custodians must keep client assets in different wallets from their own assets
  • Client assets must be held on trust for clients
  • Custodians must use independent third parties (unconnected to the custodian's group) to safeguard backing assets

Record-keeping and reconciliation:

  • Custodians must maintain accurate records of assets held
  • Daily reconciliations comparing client assets against records
  • Excesses or shortfalls must be resolved within 1 business day

Governance and controls:

  • Custodians can only use third parties if it's in clients' best interests
  • The custodian's governing body must approve third-party arrangements
  • A robust risk management framework for backing assets is required

Prudential requirements:

  • CP25/15 proposes MiFID-style capital requirements for crypto firms
  • Custodians must hold sufficient capital to absorb losses
  • Liquidity requirements to ensure ability to meet obligations

Timeline

The UK Government is working towards introducing the new licensing regime by the end of 2026, subject to transitional measures. The draft legislation was published in April 2025, with final rules expected in late 2025 or early 2026.

What This Means for Users

Once implemented, these rules will provide stronger protections for users of UK-regulated custodians:

  • Your assets should be segregated and protected in case of custodian failure
  • Custodians will be required to maintain higher standards of security and governance
  • You'll have clearer recourse if something goes wrong

However, these protections will only apply to FCA-authorised custodians. Many crypto services operate from overseas and may not be subject to UK regulation. Always check the FCA register to verify if a firm is authorised.

Risk disclosure: Regulation does not eliminate risk. Even regulated custodians can fail, be hacked, or mismanage assets. Regulation provides a framework and some protections, but cannot guarantee the safety of your funds.

Estate Planning and Inheritance

One often-overlooked aspect of cryptocurrency custody is what happens to your assets if you die or become incapacitated. Unlike traditional bank accounts, which have established processes for inheritance, cryptocurrency can be permanently lost if no one knows how to access it.

The Problem

  • If you die without sharing your seed phrase, your cryptocurrency is lost forever
  • If you share your seed phrase while alive, you risk theft
  • Traditional estate planning tools (wills, executors) may not adequately address cryptocurrency
  • Many solicitors and executors are unfamiliar with cryptocurrency custody

Solutions

1. Sealed envelope method:

  • Write your seed phrase on paper
  • Seal it in an envelope
  • Store with your will or in a safety deposit box
  • Include instructions in your will for how to access it
  • Risk: Anyone with physical access can open the envelope

2. Multisig with trusted individuals:

  • Create a 2-of-3 multisig wallet
  • You hold 2 keys; a trusted family member or solicitor holds 1
  • If you die, they can combine their key with one of yours (from your estate) to access funds
  • Benefit: No single person can access funds without your consent while you're alive

3. Dead man's switch services:

  • Some services (e.g., Casa, Unchained Capital) offer inheritance planning
  • You set up a process where, if you don't check in for a specified period, access is granted to designated beneficiaries
  • Risk: Relies on third-party service remaining operational

4. Detailed instructions:

  • Write clear, step-by-step instructions for accessing your cryptocurrency
  • Include:
    • What cryptocurrency you hold and where
    • How to access wallets (but not seed phrases directly)
    • Where seed phrases are stored
    • How to sell or transfer cryptocurrency
    • Contact information for crypto-savvy advisers who can help
  • Store these instructions with your will

5. Professional custody with beneficiary designation:

  • Some regulated custodians allow you to designate beneficiaries
  • Similar to traditional financial accounts
  • Benefit: Established process for inheritance
  • Drawback: Requires trusting a third party with custody

Best Practices

  • Tell someone you trust: At minimum, ensure someone knows you hold cryptocurrency and where to find instructions
  • Update regularly: As you change wallets or custody methods, update your estate plan
  • Test the process: Ensure your instructions are clear enough that someone unfamiliar with crypto could follow them
  • Consider professional advice: Consult with a solicitor who understands cryptocurrency
  • Balance security and accessibility: Your heirs need to be able to access funds, but not so easily that they're vulnerable to theft while you're alive

Risk disclosure: Estate planning for cryptocurrency is complex and evolving. There is no perfect solution. Any method that makes your crypto accessible to heirs also creates some risk of theft or loss. Seek professional legal and financial advice tailored to your specific circumstances.

Summary: Your Action Plan

Cryptocurrency custody is about balancing security, convenience, and control. There is no one-size-fits-all solution. Your choice should depend on:

  • How much cryptocurrency you hold
  • How often you need to access it
  • Your technical ability and comfort level
  • Your risk tolerance
  • Your long-term plans for the assets

Immediate Actions (This Week)

  1. Assess your current situation:
    • Where is your cryptocurrency currently stored?
    • Is it secure?
    • Do you control the private keys?
  2. Implement minimum viable security:
    • If using an exchange, enable 2FA with an authenticator app
    • If using a hot wallet, ensure your seed phrase is written down and stored securely
    • If holding significant amounts, order a hardware wallet
  3. Educate yourself on scams:
    • Review the common scams section above
    • Be suspicious of unsolicited investment advice
    • Never share your seed phrase with anyone

Medium-Term Actions (This Month)

  1. Upgrade your custody solution if needed:
    • If holding more than £500, consider a hardware wallet
    • If holding more than £5,000, create a metal backup of your seed phrase
    • If holding more than £50,000, consider multisig or professional custody
  2. Diversify your storage:
    • Don't keep all your crypto in one place
    • Use hot wallets for small amounts you need to access frequently
    • Use cold storage for long-term holdings
  3. Create an estate plan:
    • Ensure someone you trust knows you hold cryptocurrency
    • Provide instructions for accessing your funds if something happens to you
    • Update your will to include cryptocurrency

Ongoing Practices

  1. Stay vigilant:
    • Regularly review your security practices
    • Keep software updated
    • Monitor your wallets for unauthorised activity
    • Stay informed about new scams and threats
  2. Verify everything:
    • Double-check addresses before sending transactions
    • Verify URLs before entering sensitive information
    • Confirm transaction details on your hardware wallet screen
  3. Never stop learning:
    • Cryptocurrency technology and threats evolve constantly
    • Follow reputable security researchers and educators
    • Participate in crypto communities to stay informed

Final reminder: This article provides general educational guidance only. It is not personalised financial advice. Cryptocurrency is a high-risk asset class. You could lose all of your capital. The security of your cryptocurrency is ultimately your responsibility. Take it seriously, stay informed, and never invest more than you can afford to lose.

