Hello everyone! Kiwi here! I have written this guide with help from uwu Labs and the Killer GF team to educate the communities we have direct contact with the best we can on how to stay safe. Thank you so much to Jules Blanc for the super cute custom cover art for this guide. Jules was actually a victim to a phishing scam and with some help were able to recover some of the lost assets.

There is a lot of different information shared about how to stay safe. I see many people who are fearful of using Web3/Metamask that can instead learn more and use it with confidence and understanding.

Importance of Self-Custody

A vital side to Cryptocurrencies is having custody over your assets and property. This means you have total ownership and power over your accounts and assets. But this power comes with responsibility as well. You are the only one responsible for keeping your wallet safe, and you are responsible for protecting your property in this digitally-native world. There are many adversaries, but when it comes to your wallet, you have to ultimately approve the signature, transaction, or hack at the end of the day.

Being overly scared and doing nothing with your wallet and not clicking any websites is not a proper way to stay safe. Proper safety means understanding what you are doing, practicing constant vigilance, and learning as much as possible to confidently detect if something is suspicious or may be a scam. If you cannot confidently keep yourself safe, I believe being scammed/hacked is inevitable.

That said, I encourage everyone scared of being scammed/hacked to read through this program. Due to the amount of important information needed to communicate, I have tried my best to split this guide into a few parts. I encourage (and beg) everyone to take their time and closely read each segment. The intention is to educate and improve the personal security of the uwucrew and Killer GF community and many more in the future. Please read and understand every line you will read, inform yourself, and learn to protect yourself, and most importantly, stay safe.

Security Lessons

The security lessons here will start with the most fundamental topics, escalating to more complex ways people may try to breach your security.

1. 12/24 words phrase
2. Private key
3. Ledger
4. Using Metamask
5. Discord Safety
6. Financial Safety
7. Manipulation scams
8. Discord Safety
9. Swapping/trading safety

12 or 24 Word Secret Seed Phrase

The first thing you will receive when you make a wallet on Metamask or your Ledger is your extremely secret phrase consisting of 12 words (for Metamask) or 24 words (for Ledger/Trezor). Those 12 are the confidential source of all accounts that Metamask will give you if you click “create account”, including the first account created. For Ledger, the 24 words are the source of every account for every type of wallet, including other blockchains like Bitcoin. Several accounts can come from these 12/24 words and you can read more about the concept behind them and how they work here. https://en.bitcoin.it/wiki/Seed_phrase.

If someone gets access to your 12/24 secret words, it will mean they have full control over all your accounts from that seed phrase. This includes all the individual eth accounts (each Ethereum address), such as all accounts on the Metamask account that uses those 12 words, or all the individual eth accounts you have on your Ledger that uses those 24 words. The accounts created when clicking “Create Account” in a logged in Metamask are included as well.

YOU MUST NEVER GIVE ANYONE THE 12/24 WORDS OR ENTER THEM ANYWHERE UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING. IT IS ESSENTIALLY HANDING THE SCAMMERS EVERYTHING YOU OWN.

On the other hand, you should also never lose this phrase. Not having this 12/24 phrase backed up means you will lose access to your entire assets, if for some reason your device becomes inaccessible, damaged, or lost.

Always back up your 12/24 word phrase in a way that is safe. Not a note on your desktop. Not a draft in your email. Not a picture saved in iCloud backup or Google Drive. There is safe and secure password management software you can use. For optimal safety, you should use 2-Factor Authentication for every account you can, especially if it has anything to relate to your personal data (Gmail), security (Password manager), or finances (Coinbase).

For those who may like alternatives to digital services, there are a few useful products to help protect your seed phrase in an offline and physical manner. The CryptoSteel and the BillFodl are both products that let you use engraved metal to store your seed phrase.
If you decide to store these words in a physical location, please store them somewhere that is not easily flooded or possibly exposed to risky/destructive elements (water, fire, break-ins). These words should be protected well from any possible home accidents.

Recommended 2-Factor Authentication App: Authy

Recommended storage for 12/24 words: CryptoSteel Capsule Solo, BillFodl

Recommended secure note/password manager: BitWarden

Private Key

While a secret seed phrase refers to the origin of all accounts that someone's wallet can create, the private key usually refers to the individual accounts (Addresses like 0x8d8… (kiwi.eth), morello.eth, etc). This is a private piece of data that must never be accessed, like your 12 words. Access/ownership to this data means full custody.

However, programs like Metamask (hot wallets, meaning this important data is stored on an online computer) are susceptible to getting your private key or seed phrase stolen through scripts/hacks. Some scams involve scammers tricking an artist into downloading and opening an image file without them realizing they are actually opening a .scr or .bat file. The moment this file is opened by the user, it will run scripts to take your private keys stored on your computer and send them to the hacker. Compromising all the accounts on your system.

If a hacker obtains your private keys or seed phrase, it means they can steal EVERYTHING on all accounts attached. If your Metamask private keys get hacked, “create account” option on there is NOT enough to keep you safe. You will need an entirely new seed phrase, reusing accounts from the same compromised seed phrase will lead to further loss. Please be careful.

The security benefit that comes with a Ledger or Trezor (cold wallets, which are a separate device and not connected to the internet), is that the private key is no longer easily accessible on an internet-connected computer. These cold wallets are devices that store this important and secret data SEPARATELY from the computer so that even if the user’s computer is compromised and their Metamask accessed, it is impossible for hackers to access the actual private key of a Ledger since the private keys are stored on a different device entirely.

PEOPLE WILL DO THE FOLLOWING TO TRICK YOU AND STEAL YOUR PRIVATE KEY:

• Avoid .scr files under all means possible. They are essentially hacking scripts!
• Scammers will try to act like a crypto support team and ask you to insert some code into your Google Chrome, NEVER DO THIS, NEVER INSERT ANY SCRIPT OR CODE INTO YOUR BROWSER.
• Scammers will ask you to open a file in a seemingly harmless way (Photoshop, Chrome) to trick you into opening a .scr file. Always make sure you read the file extension entirely! Check the tip below!
• Be VERY careful running .exe files! Be confident that its origin is reliable!
• NEVER SHARE YOUR 12/24 WORDS. There may be fake services that ask you for your 12/24 words or private key. Never ever share this information.
• If you type “metamask” on Twitter, there will be several fake Metamask Support bots trying to trick you for your 12 words/private key (as an example). NEVER GIVE ANYONE THIS INFORMATION

TO PREVENT BEING TRICKED BY .SCR AND MORE, show all file extensions for your computer. This will help you when downloading any files you may not recognize and maybe viruses.

TL;DR: Private key typically refers to a private string of data representing your account’s private info. If a person or device or hacker/scammer gets access to this, they have complete control of your accounts, and you can no longer safely use them. If your computer is hacked and your private key is ever compromised, you must change to using a new 12 word seed phrase entirely.

Purpose of a Ledger/Trezor/Cold Wallet

People improperly treat ledgers strictly as wallets they can never touch. People pledge to transfer everything they own into a “vault” wallet and never use it assuming that is proper safety. And while a Ledger has several technical safety benefits over a standard Metamask hot wallet, just buying a Ledger won’t make you safer as a user. If you approve a transaction… then it is still your approval and action. A Ledger will not change that. The Ledger adds a bit more time and gives you a chance to change your mind after clicking “confirm” on Metamask, which is extremely helpful, but if you don’t understand what you are doing, a Ledger will change nothing.

Hot Wallet vs. Cold Wallet

People commonly refer to a Metamask wallet as a hot wallet, while a Ledger wallet is referred to as a cold wallet.

Hot wallet means the private key/seed phrase is stored on any internet-connected device meaning if this device is compromised or someone finds a way to access its data through a virus or trick, your private keys will be extracted and sent to the hacker, with everything you store in those wallets being taken from you.

Cold Wallet means the private key/seed phrase is NOT stored on an internet-connected device, so technically safer to use. Devices like Ledgers/Trezors store the private key on a separate device that lets you plug it into your computer to use but keep the private key entirely safe. This way you have the safety of a cold wallet but you can connect it to your internet-connected device without any risk.

A hot wallet (like Metamask) is more dangerous to use for multiple reasons, but it is also the most accessible and straightforward wallet and works with most websites. At the same time, a cold wallet (like Ledger) encourages safety in several ways, outside of the normal technical savings.

Ledger/Trezor is a worthy investment

If you are reading this, you probably know Metamask already, so I will continue going over the Ledger. Owning a Ledger changes your relationship with your wallet and makes it more personal. The Ledger set-up is performed in a way that you can’t just snap a pic of your 24 words; you have to note them one-by-one yourself.

Connecting your Ledger directly to Metamask and clicking “confirm” on Metamask, sends the action to your Ledger and requires your physical approval by clicking 2 buttons with both hands. It also requires you to read through every line of information about your transaction before you can click the 2 buttons to confirm your action. This change of action alone can help you stay safer and improve your relationship with your wallet.

Account setups with Ledgers

“Vault” accounts are accounts used to protect sacred assets into a more secure and less used account. I personally use an account on my Ledger as a vault for protecting the NFTs I never ever want to lose or even sell, so my valuable or prized “forever hold” NFTs go into an account on my Ledger that I am always extra careful with whenever I interact with it.

My personal rules for vault accounts:

1. Never list on OpenSea from that account
2. Never Set Approval For All on anything from that account. Should never be needed.
3. If you ever decide to sell or trade anything on that vault account, you can send it to your hot wallet and sell it from there.
4. This is an account to protect your treasured assets. You shouldn’t be performing any risky actions/mints from there that might trick you to SetApprovalForAll.

Standard accounts: you can use a Ledger as a normal wallet for nearly everything! Metamask actually supports performing transactions from the Ledger directly! With the Metamask support, using your Ledger with any website that supports Metamask is simple and secure! Even artists could use a Ledger+Metamask to mint and sell NFTs on Foundation. Every website that supports Metamask will work with a Ledger.

I strongly recommend EVERYONE to buy a Ledger/Trezor and set up an account. The process of setting it up is a ritual that improves your understanding of crypto custody and security. I encourage everyone to purchase a Ledger and use it!

TL;DR: While a Ledger won’t stop you from making harmful transactions that might scam you, they encourage better safety, and the ritual of creating one is important and valuable. Ledgers are fantastic; please get one and at the least keep your valuable or important “forever hold” NFTs safe off of a computer where your wallet can be compromised if you make a mistake or get tricked somehow.

Other Recommended Setups for ETH Accounts

Wallet Diversification: We all have individual preferences and our own way to organize things, but if you are new to Web3 and thinking of being an active user, consider having 2 or 3 addresses to split up your crypto tokens/NFTs and prevent 1 point of failure.

ETH Address 1: Active wallet with lowest value possible to be used to trade actively, mint and interact with contracts. This wallet is your “fun” wallet in which you can explore the NFT space while risking a low amount in case anything happens to this address.

ETH Address 2: Vault wallet with the least amount of interaction. This wallet is where you’d hold your long term and most valuable crypto. While you keep learning about the space, and develop better safety practices on your own, you can keep your NFTs safe in this wallet with little activity. Do not be afraid to use it if you need to, but ensure that you completely understand everything you perform with this wallet.

RECOMMENDED COLD WALLETS: Ledger, Trezor

Understanding Metamask

A lot of “hacks” or “scams” that steal someone's NFTs are people confirming transactions that Metamask states as SetApprovalForAll. If people knew what these transactions were doing, surely they wouldn’t perform them and be able to protect their assets. This section of the guide will go over all the information Metamask shows you about the transaction you are about to confirm.

To be CLEAR, Metamask is your gateway to the world of crypto. It is essential you understand all of its features and usages. I recommend you open every page of the settings of Metamask and read through everything it shows you even if you don’t understand it, for the sake of growing more familiar with the wallet you use so often. You should also thoroughly read every advisory it gives you. Think of Metamask as your Web3 vehicle, if you don’t know how to drive, it can be dangerous!!!

Metamask shows you a lot of information when making a transaction, and you, as a user, can use this information to help you stay safe and understand how important your wallet actions are. If using Metamask desktop is difficult for you normally, unfortunately no other wallets provide this much information when transacting. Please stay on safe websites.

Read the information provided by Metamask!

Metamask always shows you as much information as possible, including the name of the action you are performing. If the contract is verified on Etherscan, Metamask will always show you this information. Please ALWAYS read it before you click confirm. Once you click confirm, the transaction is broadcast to the network, and may not be possible to cancel.

A lot of transactions are very safe, given the proper context. If you are trying to transfer an NFT to a friend, then you should see a Transfer From or Safe Transfer From when trying to send it; this is good and safe. But if you go on Fake Krazy Kiwis dot org, and try to mint some Krazy Kiwis, and see the website ask you to “Transfer From” or Set Approval For All, then that is a dangerous website and it is directly lying to you. You should never perform Transfer From or Set Approval For All on websites you don’t trust, stick to reliable and trustworthy websites, like if you are sending someone an NFT or approving OpenSea to list your NFTs.

Don’t click confirm on these DANGEROUS transactions, and you will be more safe!

Usually, when a Discord server is compromised, the scammers will put up a fake website that looks like something is minting, announce it to everyone, and use FOMO to trick a community into believing their fake website is authentic. This is the MOST COMMON kind of scam when a server is compromised. They make their own version of a known website, and instead of passing the transaction you think you’re doing, they tell Metamask to create a SetApprovalForAll transaction and people don’t read and confirm due to FOMO and other reasons.

RECOMMENDED EMERGENCY ACTION IF SET APPROVAL FOR ALL’D: GO TO revoke.cash and revoke any addresses you do NOT recognize (approvals for OpenSea will say “OpenSea” on the site, those are safe to leave). In most SetApprovalForAll scams the damage is usually done quickly, but the account is still safe to use as long as you revoke everything malicious. It does not need to be disposed of like if you lose your private key.

HELPFUL TOOL TO STAY SAFE: The wonderful team at Revoke.cash has made a Chrome extension to help warn you when you are about to SetApprovalForAll! Check it out here!

PLEASE BACK UP YOUR PHRASE: To everyone using Metamask, please confirm you have a backup of your 12 words. It’s easy just to skip all that, so please double-check you have it backed up somewhere. Or else you could lose it all forever. BACK UP YOUR PHRASE, PLEASE. You can go into the Metamask settings to retrieve them if you have your password.

Financial Safety

Safely managing crypto finances is a topic most people may not entirely address or recognize as a problem until it is too late. Cryptocurrencies like Ethereum are very volatile, and the situation of the market can very suddenly change overnight. It would be best if you made sure situations in the financial markets do not put you at risk for your own safety and/or health. Maybe a lot of NFT traders are used to taking profit off of NFTs and securing the ETH profit, but ETH profit isn’t the same when it dumps 30-40%! A lot of artists receive income in ETH as well from selling art, some of those ETH earnings should be sold regularly! If you want to build up a savings, it should not consist of ETH alone, but also some stablecoins just in case ETH dumps, secure your net worth!! You’ll also have some USDC to buy more ETH if it does dump :D

Stablecoins

Stablecoins are cryptocurrency tokens with the goal to maintain a stable price, most stablecoins peg to the US Dollar. Examples of these stablecoins are USDC, DAI, USDT, GUSD, and more. While there are many different ways stablecoins can maintain their price of $1 USD, to prevent confusion, we will only be talking about the stablecoins backed by a government registered entity, such as USDC. USDC stands for USD Coin, and it is a token backed by a corporation named Circle, who is close partners with Coinbase, one of the leading cryptocurrency exchanges in the crypto industry.

How to sell ETH for USDC

Most people may think of an exchange like Coinbase or Binance to sell, but that isn’t needed at all. You can use a decentralized exchange called Uniswap! Anyone from anywhere can use Uniswap to sell/buy any ETH or any tokens! USDC is my immediate go-to token for any stablecoin needs. Make sure you sell some ETH for USDC if needed!This is not financial advice, and there may be certain laws around trading based on where you live, but I personally keep at least 30-40% of my crypto net worth in stablecoins! Also, don’t forget to secure ETH profits every now and then, nothing wrong with selling some ETH! Having USD is very important! Don’t be reckless and neglect your financial safety!

To sell on Uniswap, you can go to their swapping website https://app.uniswap.org. The instructions to sell are as follows:

1. Connect your wallet.
2. Click “select your token” on the bottom segment and type USDC. Click it.
3. Type the amount of ETH you wish to sell on the top segment.
4. Click “Swap” and confirm. the transaction.
5. After the transaction completes, the ETH amount has been sold for USDC.

With this knowledge, you will be able to sell your volatile ETH for stable USDC, for you to be able to build a savings in USD without having to withdraw your ETH to Coinbase or Binance. Uniswap is a product of Decentralized Finance (DeFi), which is a whole other community side of Ethereum! Just like how there are NFT people, there are DeFi people! Feel free to explore more if it interests you! :)

Discord Safety

Discord is an incredibly essential platform in Crypto and Web3. You must treat your Discord account with extreme care. Getting your account compromised can lead to Discord servers being deleted, your friends being DM’d and tricked to send the scammer money, and if you are in charge of a product or community, they may abuse your power to put out scam announcements and scam your community and possibly steal large amounts of peoples funds.

ENABLE Copying Discord User ID

Discord shows every user their “Kiwi#7331” username with the 4 digits, but every Discord user actually has a permanent User ID that you can always rely on checking. However, this is always disabled by default, you can enable it by following the instructions here. Enabling this is useful in the future so you can easily retrieve the ID of the person needed to verify who they are or easily give to mods to ban them.

Disable DMs from as many Discord servers as possible

Disabling direct messages on as many Discord Servers as possible is also one way to keep yourself safer, on top of reducing distracting spam messages. By disabling DMs you are reducing the chances of scammers being able to contact you, and reducing ways for you to be scammed. To keep it as strict and safe as possible, you can also change your Discord settings to enforce that only friends you have added are allowed to send you direct messages.

SPOT THE SUS

Crypto/NFT Discord communities rely on a lot of tools we trust; Mee6.xyz (anti-bot verification and more), Collab.land (verifying your wallet), Captcha.Bot (anti-bot verification), Dyno Bot (anti-bot and more). Discord users may learn to just “trust” any bot they see in a server, but there are actually people who can spoof and fake server member counts, create fake account and wallet verification bots, and create fake accounts that look like familiar people/team members. All for the purpose to trick you and steal your Discord account to abuse whatever permissions you may have.

Handy Tip for Verifying: You can find the official Twitter for services and make sure the information lines up, Discord servers can easily be faked, but Twitter accounts are more difficult to impersonate.

BE CAREFUL WITH FAKE/PHISHING VERIFY BOTS

Some scam/fake Discord servers place fake or deceiving MEE6 and Collab.land bots in their verification channels to trick you. If you move forward with this scam bot, usually it tries to ask you for your 12 words, but they can also ask you to sign a signature to “verify” and then actually show you a Set Approval For All transaction… BE CAREFUL DONT TRUST RANDOM BOTS 100% KNOW YOUR OWN SAFETY.

Some bots can even show you entire websites that look legitimate, but ask you to perform malicious acts or other actions you may not understand. Please be very careful opening links, continuing further in what they display or following the instructions they show you might mislead you and cause dramatic loss of funds. Please consider everything with maximum scrutiny.

BE CAREFUL WITH FAKE CAPTCHA BOTS

This Discord bot might look real, but it is a scammer trying to get into your Discord account. The only true URL for this discord bot is captcha.bot. This is a series of screenshots of me observing this bot carefully and checking if the link it will take me to is actually what it looks like or should go. It is also not using the proper verified “BOT” tag, as detailed earlier. Please be careful!

Some people will create fake bots that seem real to send you to a fake website and steal your Discord account, since they expect you to log into your Discord to verify your account for the server, once you are in that position it is too late. Please be very careful using your Discord account on any website/service besides Discord itself. Please verify you are using the correct website before you do any dangerous actions!

In order to safely check websites from within Discord, you may Right Click -> Copy Link, and paste the link somewhere else to verify what they are trying to do without opening it your browser.

NEVER SCAN DISCORD QR CODE

Some Discord servers even have fake verification bots that ask you to scan a QR code from within the Discord App. NEVER scan any QR code using the Discord app unless you are trying to actually log into your Discord account!

Discord offers a feature to let you easily log into your account if you have access to your Discord account on your phone. Instead of typing your username/password, you scan this QR code from within the Discord app and it logs you into Discord immediately.

PLEASE BE CAREFUL USING THIS DISCORD QR SCANNER OR ELSE YOU WILL LITERALLY LET OTHER PEOPLE INTO YOUR ACCOUNT.

EMERGENCY RESPONSE IF YOUR DISCORD ACCOUNT IS HACKED: CHANGE YOUR PASSWORD IMMEDIATELY TO KICK OUT THE HACKER

Phishing Scams

AVOID FAKE DMS, NO SERVER WILL EVER ACTUALLY NOTIFY YOU VIA DMs.

These are extremely common, it is effortless for scammers to make a website and configure it to trick the user somehow. No server or team will ever DM news to you. Please practice extreme vigilance when speaking to random DMs. They may be an attempt to social engineer you or trick you into one of the methods I mention in my guide. Usually the website is very poorly done or appears different from the actual website. But if you especially see a mint website doing “Set Approval For All”, then that means you need to GTFO that website.

Swap/Trade Safely

People may contact you asking to trade with other NFTs you hold. Please be very careful with these people! If someone refuses to use OpenSea, they are most likely trying to scam you. If you are trying to trade with other people, please be careful with any fake links they will send you. They may send you extremely long URLs that don’t even start the correct way (sudoswap.xyz-31313.id vs. sudoswap.xyz).

They may also try to create fake NFTs or WETH tokens to trade with you and take your funds by tricking you. Try to verify as much as you can using the contract addresses and checking Etherscan.

Due to the dangerous nature of trading directly with another person, I advise staying away from swapping or trading like this as much as possible. There is always another option anyways.

I recommend you always use OpenSea, if you absolutely need to do a trade then I recommend https://swap.kiwi or https://nfttrader.io. Please be careful with fake links as well!!!

Kiwi Tips Summary

Get a password manager! Recommended password manager: BitWarden

Use 2-Factor! Recommended 2-Factor Authentication App: Authy

Get a Cold Wallet Device! Recommended Cold Wallets: Ledger, Trezor

Store your 12/24 words safely! Recommended storage for 12/24 words: CryptoSteel Capsule Solo, BillFodl

Read Metamask!!! It shows you what you are about to do when possible, never EVER click Set Approval For All or Safe Transfer From on websites you don’t trust!

Don’t hold only ETH! Holding some USD stablecoins can help you protect your net worth! Swap with Uniswap

Be extremely careful on Discord! Disable DMs per server and be cautious clicking any links or interacting with random bots!

Extra: Use CoinGecko over CoinMarketCap for checking prices! (Preference)

Thank you so much for reading everyone! I hope this guide was insightful and helped you have a better understanding of the Web3 world and tools around you! :)

Enjoyed reading this?

Hi guys!! I guess this is really my most recent blog post haha, I wrote a new one without even realizing it 😅

For those from outside of my communities reading this, I’m Kiwi! I’m the co-founder and dev of uwucrew NFT and Killer GF NFT! I also advice for Persona Lamps and Aiko Virtual! Nowadays I'm creating art focused communities and building web3 products that encourage positive art culture!

You can follow me on (@0xKiwi_) Twitter to keep up with what I do!