How to protect your crypto assets

Many cryptocurrency losses occur due to compromised accounts, scams, or easy-to-avoid mistakes. Recognizing common fraud schemes, choosing the right custody structure for you, and adopting safe transaction habits can help reduce your risk and protect your crypto assets.  

Crypto transfers are generally irreversible. Banks and card networks, which may have dispute and fraud-recovery processes, can sometimes freeze or return funds. With crypto, once a transaction is confirmed on the blockchain, it typically cannot be reversed.

The underlying blockchain and cryptography are generally robust, but losses can occur through compromised accounts or devices, social engineering, and vulnerabilities in third-party platforms. Attackers typically target people, not the blockchain—frequently using false pretenses to trick you into sharing login details, approving transfers, or, for those who self-custody, revealing “seed” (recovery) phrases or “private keys,” the secret credentials that can restore wallet access or authorize cryptocurrency transactions.

Crypto custody shapes both how easily you can access your crypto and how much of the security burden sits with you. When you understand the most common custody models, you can quickly spot what you’re responsible for, what a provider handles, and where the biggest risks tend to show up.

Exchange or brokerage accounts

An exchange or brokerage account is a platform where you log in to trade. Typically, that platform or its digital assets infrastructure provider custodies your crypto so you don’t have to maintain a separate crypto “wallet” or manage the private keys used to authorize transactions.

Beginning in 2026, eligible clients will be able to place spot crypto trades in Bitcoin, Ethereum, and Solana through E*TRADE, powered by zerohash. Digital asset transactions and custody occur through a separate, non-brokerage account with zerohash, so you do not have to manage your own self-custody wallet or private keys.

Good for:

• Active trading: You get fast market access and can place orders in one app.
• Outsourced security: You don’t have to worry about the technical complexity and security burden of safeguarding wallets, seed phrases, or private keys.

Watch out for:

• Account takeover: Threat actors may use phishing and other social engineering techniques to trick you into installing malware on your device or revealing your account credentials.

Tips:

• Customize alerts: Enable alerts so you can react quickly if something looks wrong. You can customize your E*TRADE account to get instant notifications for transactions in your account by setting your delivery preferences to receive your alerts via email and SMS.  
• Multi-Factor Authentication (MFA): Enable the strongest forms of MFA available to protect access to your E*TRADE account. Options include one-time verification codes and the use of an authenticator app. Learn about using your mobile device for added security here.

Self-custody

In a self-custody setup, you are responsible for protecting your wallet and the credentials that control access to it, including your private keys and seed phrases. While some traders prefer the ease and convenience of using an exchange or brokerage, others value the autonomy and control offered by a self-custody approach.

For those who do self-custody, the two most common forms are hardware wallets, which keep private keys isolated on a dedicated device, and software wallets—apps or internet-connected devices (e.g., mobile wallets, desktop wallets, or browser extension wallets), which may be more convenient for some users.

Good for:

• Direct wallet control: This may suit you if you prefer to manage access to your digital assets directly through your own wallet (e.g., controlling wallet credentials and initiating transfers yourself), rather than using an account-based access model offered by a brokerage or other provider.

Watch out for:

• Risk of permanent loss: If you lose access to your wallet, private keys, or recovery phrase, there is typically no third party able to help you restore access to your assets.
• Operational complexity: You need to follow careful setup and security protocols, which may require some technical sophistication.

Tips:

• Create an emergency recovery kit: An emergency recovery kit is an offline, securely stored backup that should contain (1) your wallet’s seed phrase or other recovery backup, (2) the wallet provider or app name and device type/model, and (3) clear instructions on how to restore wallet access and which accounts to re-add. Store your emergency recovery kit in a secure, offline location (e.g., a fire- or water-resistant safe), and periodically test its recovery ability. If you use an additional passphrase, back it up securely and consider storing it separately from the seed phrase.
• Use a dedicated device: For extra security, consider using a dedicated device (e.g., a tablet) just for your crypto investment activities and avoid installing unnecessary apps and extensions or performing any other high-risk activities on that device. Physically separating your devices can help protect your high-consequence activities like crypto trading from threat actors. 

No matter your custody approach, follow these cybersecurity best practices to help protect your digital assets from hackers and scammers:

1. Update devices: Install software updates on your devices as soon as they are released. Developers create “patches” to fix security flaws, and if you don’t update regularly, you may leave yourself vulnerable to hackers.
2. Secure logins: Use strong, unique passwords for your accounts—ideally generated and stored in a password manager—and use the strongest MFA option available. Use phishing-resistant methods like an authenticator app or a hardware security key (i.e., a physical device, often designed like a key fob or USB stick) rather than SMS (i.e., a one-time code sent via text message) when available.
3. Be wary of unexpected messages: Don’t click on links or scan QR codes from unsolicited text messages, emails, and social media. Be selective about downloads, apps, and browser extensions; add-ons from third parties and unofficial websites are a common way attackers get in. To minimize risk when usings apps and extensions you intentionally choose to install, only grant permissions necessary for them to function (e.g., a crossword app probably shouldn’t need your location).

If you suspect your account was compromised...

If you are able, temporarily disable withdrawals or request an account lock, and contact the platform’s fraud team. You can contact E*TRADE’s Customer Service Line at 800-387-2331.

Sign out of your account on all devices and reset passwords for the affected accounts immediately. Look in your account settings and revoke any third-party access connections (e.g., APIs or login integrations) or authorized devices you don’t recognize. Remove any unrecognizable or old apps and browser extensions on your personal devices.

If your seed phrase or private keys may have been exposed...

Create a new wallet, and move any remaining assets promptly. Restoring the old wallet does not fix compromised wallet credentials—anyone with the recovery phrase or private key can still access the assets.

Document and report the incident as appropriate, including to the FBI’s Internet Crime Complaint Center (IC3).

If you lose access to your self-custody wallet or private keys...

Use your “emergency recovery kit,” follow recovery steps, and avoid “quick-fix” third parties that request sensitive info.

If your device is stolen...

Secure your email and phone accounts first (as these are the gateway for much of your digital life) and then update passwords and authentication options for accounts, especially financial accounts, that may be accessible from the device. Document and report the incident.

In today’s rapidly evolving digital-asset landscape, following strong cybersecurity best practices is essential to help reduce the risk of irreversible crypto loss.

And always remember, if you get an “urgent” message claiming to be a family member, an IT professional, or even an E*TRADE representative, independently confirm it through a trusted channel. 

CRC# 5360103  04/2026