Lesson 07 · Part III — Living with self-custody

The ten classic mistakes

Most lost crypto isn’t stolen by genius hackers. It’s lost to the same ten ordinary mistakes, made by smart people. Here they are, with the fix for each.

The pattern behind lost crypto

Spend time in recovery forums — where people post after the disaster — and a pattern emerges fast. Almost nobody loses crypto to exotic attacks. They lose it to the same short list of ordinary mistakes, repeated by newcomers and ten-year veterans alike. Here is that list. Each one is cheap to prevent and expensive to learn personally.

1. The phone photo

Photographing the recovery phrase is the most common digital exposure, because it feels so harmless in the moment. The photo syncs to the cloud, lands in backups, and sits in the exact place malware looks first. Fix: the phrase never meets a camera. If you've already taken one, treat the phrase as exposed: set up a fresh wallet and move the funds.

2. Typing the phrase into "support"

Fake wallet sites, fake support chats, fake "validation" pop-ups — social engineering drains more wallets than malware does. The script always ends the same way: enter your recovery phrase. Fix: hard rule from Lesson 03 — any request for the words, from anyone, in any context, is the attack itself.

3. The unverified backup

Written quickly during setup, never checked, discovered to have a misspelled word or swapped order years later — when the device is dead and the backup is the only copy. Fix: verify letter by letter against your wallet's check feature on day one. An unverified backup is a guess.

4. One copy, one location

The flood that takes the house takes the drawer too. Fix: at minimum, a backup durable enough to survive the disaster (steel, not paper — Lesson 04); for larger holdings, consider geographic separation done carefully.

5. The clever homemade cipher

Reversed word order, a secret offset, words hidden in a novel's margins. Five years later the inventor can't remember the trick — and these schemes barely slow down thieves who've seen them all. Fix: store the phrase plainly in a genuinely secure place. If you want a hidden layer, use the standardized passphrase feature, not improvisation.

6. Skipping the test transaction

Sending an entire balance to a new wallet in one transfer, sometimes to a mistyped or malware-swapped address. Fix: small amount first, confirm it arrives, send a little back out, then move the rest. Always verify the first and last characters of any address on the hardware wallet's own screen.

7. Marketplace hardware

A discounted device from an online marketplace or auction site, occasionally arriving with "helpful" pre-printed recovery cards — a pre-loaded theft. Fix: manufacturer-direct only, and any device that arrives knowing its own seed phrase goes straight back.

8. Telling the internet what you hold

Portfolio screenshots, balance brags in Discord, the laser-eyed bio with a net-worth hint. Targeted phishing — and occasionally worse — starts with target selection. Fix: nobody needs to know. Privacy is a security control, and it's free.

9. The setup nobody else can operate

A flawless fortress with one fatal property: it dies with its architect. Fix: an inheritance path that a stressed, non-technical loved one could actually walk — Lesson 05 builds it.

10. Set-and-forget, forever

The backup made in 2019, never looked at since. Wallets migrate, plates get moved during renovations, memories of hiding spots blur. Fix: a one-hour annual check — which happens to be the final lesson of this course.

The meta-mistake

Reading a list like this and nodding along is not the same as checking your own setup against it. Right now, while it's fresh: which number made you the most uncomfortable? That one's your homework.

Key takeaways

  • Crypto is overwhelmingly lost to ordinary, preventable mistakes — not elite hackers.
  • The digital sins: photos, typing the phrase, telling the internet what you hold.
  • The physical sins: unverified backups, paper, one copy, clever ciphers.
  • The process sins: no test transaction, marketplace hardware, no inheritance path, no audits.
  • Audit yourself against the list — discomfort is the diagnostic.