Security Alerts

Active threats, platform advisories, and asset warnings — updated as new findings emerge.

Warning | Threat | Mar 26, 2026

Hackers have been actively exploiting vulnerabilities in SonicWall VPN devices, putting crypto users at risk of compromise.

In January 2023, security researchers warned of multiple critical vulnerabilities in SonicWall VPN devices that were being actively exploited by hackers. These flaws could allow attackers to bypass authentication, execute arbitrary code, and gain access to sensitive data, including cryptocurrency wallets and accounts. Crypto users and companies relying on SonicWall VPN infrastructure were advised to urgently patch or mitigate these vulnerabilities to prevent potential compromise.

Caution | Threat | Aug 1, 2024

Quantum computing: post-quantum cryptography migration will be needed within 10-15 years.

NIST estimates cryptographically relevant quantum computers are 10-15 years away. Bitcoin and Ethereum are researching post-quantum algorithms. No action needed now, but watch for migration announcements from chains you hold.

Warning | Threat | Jan 1, 2024

AI-powered phishing: deepfake voice calls and AI-written emails impersonating support.

Attackers use AI to generate convincing support calls and emails. No legitimate platform will call you first or ask for your seed phrase, 2FA codes, or passwords. Always initiate contact through official channels.

Caution | Threat | Jan 1, 2023

Fake mobile apps: counterfeit wallet and exchange apps appear on app stores regularly.

Always download apps from links on the official website, not from app store search results. Verify the developer name and check review counts before installing.

Caution | Threat | Jan 1, 2022

Clipboard malware: software that silently replaces copied crypto addresses.

After pasting a wallet address, always verify the first and last 6 characters match. This malware is common on Windows and Android. Use address books/whitelists when possible.

Warning | Threat | Jan 1, 2019

SIM-swap attacks: attackers port your phone number to steal SMS-based 2FA codes.

Call your carrier and add a PIN/passphrase to your account. Switch from SMS 2FA to an authenticator app or hardware key immediately. SIM-swaps are the #1 method for targeted crypto theft.

Positive | Regulatory

Self-custody browser/mobile wallet — you hold your own keys.

Positive | Regulatory

Multi-chain NFT marketplace (Solana, Bitcoin Ordinals, Ethereum).

Positive | Regulatory

Backed by Coinbase exchange balance. USD holdings are FDIC-insured.

Positive | Regulatory

Insured custody through BitGo — assets up to $375M covered.

Caution | Regulatory

Regulatory scrutiny in some jurisdictions — review local compliance status.

Positive | Regulatory

UK-based, FCA-registered. EU/UK regulatory compliance.

Caution | Regulatory

Largest NFT marketplace — high-value target for attackers.

Positive | Regulatory

Does not hold crypto long-term — funds are transferred after purchase.

Caution | Regulatory

Fiat on-ramp service with mandatory KYC for all transactions.

Warning | Platform Advisory

Swap transactions are irreversible. Triple-check destination addresses.

Positive | Regulatory

Self-custody device — you control your private keys directly.

Positive | Regulatory

Fully open-source firmware — community audited and transparent.

Caution | Regulatory

Swap service — funds transit briefly, not held in long-term custody.

Caution | Regulatory

CRO staking for card tiers exposes you to token price volatility.

Your card tier depends on the USD value of staked CRO. If CRO price drops significantly, your tier may be affected at renewal.

Caution | Platform Advisory | Jun 1, 2024

2024: Bug bounty researcher discovered critical flaw, demanded ransom instead of reporting properly.

A security researcher exploited a bug to mint funds, then demanded payment. Kraken recovered the funds. The incident highlights that even well-secured platforms face ongoing threats.

Caution | Regulatory | Jun 1, 2024

Acquired by Robinhood in 2024 — monitor for changes in terms and custody model.

Ownership changes can affect custody arrangements, fee structures, and regulatory status. Review updated terms of service.

Caution | Platform Advisory | Jan 17, 2024

2024: Trezor support portal breach exposed contact info of 66k users.

A third-party support system was compromised. No funds or seeds were at risk, but affected users received phishing attempts impersonating Trezor support.

Caution | Platform Advisory | Dec 14, 2023

2023: Ledger Connect Kit supply-chain attack affected third-party dApps.

A compromised npm package injected malicious code into dApps using Ledger Connect Kit. Ledger devices themselves were not affected, but always verify transaction details on your device screen.

Caution | Regulatory | Jun 6, 2023

SEC lawsuit ongoing — certain listed tokens may be deemed unregistered securities.

The SEC filed suit in June 2023 alleging tokens like SOL, ADA, and MATIC are securities. If the SEC wins, these tokens could face trading restrictions or delisting on US platforms.

Caution | Regulatory | Jun 5, 2023

Binance has faced regulatory challenges in multiple jurisdictions.

The DOJ settlement ($4.3B in 2023), SEC lawsuit, and restrictions in multiple countries create ongoing regulatory uncertainty.

Caution | Regulatory | Feb 9, 2023

Settled with SEC over staking services — some features restricted in certain jurisdictions.

Kraken paid $30M in Feb 2023 and discontinued staking-as-a-service for US customers. Non-US users are unaffected.

Caution | Platform Advisory | Feb 1, 2023

2023: Coinbase employee targeted in social engineering attack.

An attacker convinced a Coinbase employee to provide credentials via SMS phishing. Limited internal data was exposed. No customer funds were affected.

Positive | Regulatory | Dec 1, 2022

Crypto.com publishes proof-of-reserves, independently audited.

Caution | Regulatory | Dec 1, 2022

Proof-of-reserves methodology has been questioned by auditors.

Unlike fully audited exchanges, Binance's proof-of-reserves reports have faced scrutiny over completeness and methodology.

Caution | Regulatory | Nov 23, 2022

ConsenSys (MetaMask parent) collects IP addresses during transactions by default.

When using the default Infura RPC endpoint, your IP address is logged. You can switch to a privacy-preserving RPC provider in MetaMask settings.

Caution | Regulatory | May 10, 2022

FDIC insurance covers USD balances only (up to $250k), NOT crypto holdings.

Many users assume their crypto is insured — it is not. In a bankruptcy scenario, crypto holders are unsecured creditors (as stated in Coinbase's 2022 10-K filing).

Caution | Platform Advisory | Feb 19, 2022

2022: Phishing attack exploited contract migration to steal NFTs from 17 users.

During a contract migration, attackers sent phishing emails that mimicked OpenSea's migration process. Users who signed the malicious transaction lost their NFTs.

Positive | Regulatory | Feb 1, 2022

Kraken publishes proof-of-reserves audits — independently verifiable.

Caution | Platform Advisory | Jan 17, 2022

2022: $35M stolen in hot wallet breach. Crypto.com reimbursed all affected users.

Attackers bypassed 2FA on ~500 accounts. The breach led Crypto.com to implement mandatory 2FA migration and enhanced withdrawal security.

Positive | Regulatory | Apr 14, 2021

Coinbase is publicly traded (NASDAQ: COIN) with mandatory financial reporting.

Warning | Platform Advisory | Mar 1, 2021

2021: ~6,000 accounts drained via SMS 2FA recovery vulnerability.

Attackers exploited a flaw in Coinbase's SMS-based account recovery to bypass 2FA and drain funds. Coinbase reimbursed affected users, but recovery took months. This is why authenticator-based 2FA is critical.

Warning | Platform Advisory | Jun 1, 2020

2020: Customer database leaked — 270k users' names, emails, and addresses exposed.

The breach did not affect device security or funds, but led to targeted phishing campaigns. If you bought a Ledger before 2021, assume your email and address may be public.

Caution | Platform Advisory | Jan 1, 2020

Physical extraction attacks possible on older firmware — keep firmware current.

Researchers have demonstrated that with physical access and outdated firmware, seed extraction is possible. Always update to the latest firmware.

Caution | Platform Advisory | Jan 1, 2020

Browser extension wallets are the #1 target for phishing attacks.

Attackers create fake MetaMask popups on malicious sites. Always verify you're on the correct site. Never enter your seed phrase into a website.

Caution | Regulatory | Jan 1, 2020

Coinbase reports to the IRS — your trading activity is not private.

Coinbase issues 1099 forms for US users. All buy/sell/swap transactions are reported. Plan for tax obligations.

Caution | Platform Advisory | Jan 4, 2015

2015: 19,000 BTC stolen in a hot wallet breach ($5M at the time).

Bitstamp was hacked via a social engineering attack targeting employees. They have since overhauled security practices.

Positive | Regulatory | Aug 1, 2011

EU-regulated and one of the oldest exchanges (est. 2011).

Positive | Platform Advisory | Jul 28, 2011

Strong security track record — no known breaches resulting in customer fund loss.

Positive | Regulatory | Jul 28, 2011

One of the longest-running exchanges (est. 2011) with no major fund losses.

Positive | Asset Alert

Bitcoin — most established cryptocurrency. High volatility but deep liquidity and strong security track record.

Positive | Asset Alert

Ethereum — Proof-of-Stake network. Broad ecosystem but smart contract risk applies to all ERC-20 interactions.

Caution | Asset Alert

Solana — has experienced multiple network outages. High throughput but centralization concerns.

Solana has had several outages since launch. While performance has improved, this is a risk factor for time-sensitive transactions or DeFi positions.

Positive | Asset Alert

USDC — Circle publishes regular reserve attestations. Briefly depegged during SVB collapse (March 2023).

USDC dropped to $0.87 when Circle revealed $3.3B of reserves were held at collapsed Silicon Valley Bank. Reserves have since been fully backed. Consider this risk for large stablecoin positions.

Caution | Asset Alert

Tether (USDT) — largest stablecoin by market cap but persistent transparency concerns around reserves.

Tether has faced ongoing criticism over the composition and auditability of its reserves. Consider diversifying stablecoin exposure across USDC, DAI, or others.

Caution | Asset Alert

BNB — Binance ecosystem token. Value closely tied to Binance regulatory standing.

The DOJ settlement and global regulatory actions against Binance could directly impact BNB's value and utility. Monitor Binance developments closely.

Positive | Asset Alert

Cardano (ADA) — peer-reviewed blockchain. Lower liquidity on some exchanges may affect large trades.

Caution | Asset Alert

Polygon (MATIC) — L2 scaling solution. Cross-chain bridge risks apply when moving assets.

Bridges have historically been targets for exploits (Ronin: $600M, Wormhole: $320M). Be cautious with large bridge transfers and verify bridge contract addresses.

Caution | Asset Alert

Uniswap (UNI) — DeFi governance token. Subject to smart contract risk and regulatory scrutiny of DeFi.

Caution | Asset Alert

Wrapped ETH — smart contract dependent. Adds a layer of contract risk on top of ETH.

WETH is an ERC-20 representation of ETH. While the wrapping contract is well-audited, it adds smart contract risk that native ETH does not have.

Positive | Asset Alert

Fiat (EUR) — protected by provider terms and applicable financial regulations.

Positive | Asset Alert

Fiat (USD) — may be FDIC-insured depending on provider. Check your provider's terms.

Caution | Asset Alert

The U.S. Securities and Exchange Commission (SEC) has issued a warning to investors about the risks associated with investing in the cryptocurrency Dogecoin (DOGE).

On March 16, 2023, the SEC published an investor alert highlighting the speculative and volatile nature of Dogecoin. The regulator warned that Dogecoin is not backed by any underlying assets or revenues, and its price is largely driven by social media hype and speculation, making it a high-risk investment. The SEC advised investors to exercise caution when considering Dogecoin and other cryptocurrencies that lack intrinsic value.