Module 5

Defending Yourself

This is not theory. Every section below ends with specific steps you can take today. Read Module 4 first for context on what you're defending against. This module tells you how.

Video Narration: Q3 2026

Video narration arrives Q3 2026. Full written lesson available below.

SIM Swap Defense

SIM swaps are preventable. Most victims had no account-level protections on their carrier account. These steps, done once, protect against the most common vector:

Set a carrier account PIN or passcode

Call your carrier (Verizon, AT&T, T-Mobile) and request a port protection PIN or passcode on your account. This requires anyone attempting to port or swap your number to provide the PIN. Without it, carrier staff can be social-engineered or bribed to complete the swap.

Enable number lock where available

Some carriers offer explicit 'number lock' or 'port protection' features. T-Mobile has SIM lock. Verizon has Number Lock. Enable these in your account settings - they require additional verification before any SIM change.

Switch to Google Fi or a NumberShield carrier

Google Fi offers NumberShield, which provides stronger anti-porting protections. It's not perfect, but Google's verification requirements are more rigorous than traditional carriers for account changes.

Remove your phone number from every crypto account

Go to every exchange and service you use. Navigate to security settings. Remove SMS 2FA entirely. Replace it with a TOTP authenticator app (Google Authenticator, Authy) or a hardware key. If a service only offers SMS 2FA and nothing else, that is a service risk you should factor into what you store there.

Never use real answers to security questions

Your mother's maiden name, your high school, your first car - these are guessable or findable with basic research. Use random, nonsensical answers stored in your password manager. The answers don't need to be true; they need to be memorable only to you.

Hardware Wallet Setup

Setup security varies by brand. The principles are universal but the specific steps matter.

Universal rules for all hardware wallets

Only buy from the manufacturer directly or from authorized resellers. Never buy secondhand.
When the device arrives, verify the packaging for signs of tampering (broken seals, unusual tape, evidence of opening).
Set up the device yourself, from scratch. Never use a device that was already initialized by someone else.
Generate a new seed phrase on the device itself. Never import a seed that was generated on a computer or phone.
Write the seed phrase on paper during setup. Never take a photo. Never type it into a computer.
Set a PIN that you will actually remember but is not obvious to someone who knows you.
Enable PIN protection immediately. The PIN prevents unauthorized physical access.

Ledger-specific setup

Download Ledger Live exclusively from ledger.com. Not from any other site, not from an email link.
Verify addresses on the device screen before sending. Never trust the address shown on your computer screen only.
If you use Bluetooth (Nano Gen5, Flex, Stax): connect in a private location, disconnect when done.
Do not enable Ledger Recover unless you specifically want cloud-based seed recovery.

Trezor-specific setup

Download Trezor Suite from trezor.io only.
Enable the passphrase feature (25th word) for your main holdings. This creates a hidden wallet that requires both the seed and the passphrase to access.
Store the passphrase separately from the seed phrase. If someone finds your seed, they cannot access your main wallet without the passphrase.
Write down the passphrase as carefully as the seed. Losing the passphrase is equivalent to losing the wallet.

Air-gapped wallets (ELLIPAL, Keystone)

The device must never be connected to a computer via USB data mode during normal operation. Keystone: USB charges only. ELLIPAL: USB is power only.
For Keystone, firmware updates come via microSD. Verify the firmware hash from Keystone's official site before applying.
For ELLIPAL, firmware updates come via QR code from the ELLIPAL app. Do not scan QR codes from any other source.
The signing workflow (create on phone, scan to device, sign, scan back) is the security property. Don't shortcut it.

Seed Phrase Storage

The seed phrase is the single most important thing to protect. Lose it and you lose everything. Have it stolen and you lose everything. There is no recovery support, no customer service, no second chance.

Never do this with your seed phrase

Take a photo of it (photos sync to iCloud, Google Photos, and other cloud services automatically)
Type it into any app, website, or computer (legitimate hardware wallets never ask for it on a computer)
Store it in a notes app (Notes, Evernote, Notion, Apple Notes - all are cloud-synced)
Email it to yourself 'for backup'
Store it in a password manager (password managers are high-value targets)
Tell anyone what the words are, even people you trust

Steel and titanium backup plates

Products like Cryptosteel Capsule, Billfodl, and CoinPlate allow you to engrave or stamp your seed words onto metal. Stainless steel resists temperatures above 1400°C. Titanium is even more resistant. Both survive floods, fires, and corrosion that would destroy paper in minutes.

The metal backup is not more secure by itself - it's the same 24 words. But it survives catastrophic physical events that paper doesn't. For a portfolio worth protecting, metal backup is not optional.

SLIP-39 Shamir's Secret Sharing

SLIP-39 (available natively on Trezor devices) lets you split your seed into shares using Shamir's Secret Sharing. In a 3-of-5 configuration: 5 shares are generated. Any 3 are sufficient to reconstruct the wallet. Any 2 shares reveal nothing mathematical about the seed.

This lets you distribute backups geographically without creating a single point of failure. Store one share at home, one in a safety deposit box, one with a lawyer, one with a trusted family member, and keep one offsite backup. An attacker who finds your lawyer's share has nothing. A house fire that destroys your home share doesn't destroy your access.

The downside: SLIP-39 shares are more complex to use and understand than a standard seed phrase. If family members need to recover after your death, they need instructions and at least 3 of the 5 shares. Documentation is essential.

Geographic distribution

Regardless of whether you use SLIP-39 or standard BIP-39, don't keep all seed phrase backups in one location. A fire, flood, or burglary that destroys one location should not destroy all copies. At minimum: one copy secured at home (in a safe if possible), and one copy in a different physical location (safety deposit box, trusted relative in another city). Safety deposit boxes are accessible by your bank but provide strong protection against home-level disasters.

Password and 2FA Hierarchy

Not all 2FA is equal. The three-tier hierarchy, from strongest to weakest:

1. Hardware security key (YubiKey 5 series)

Best

FIDO2/WebAuthn. Cryptographically bound to each website's domain. Phishing-proof: even a perfect clone site at a different domain cannot trigger authentication. The YubiKey generates a unique key pair per site during registration. Physical possession required. $50-$70 per key; buy two (primary and backup).

2. TOTP authenticator app (Google Authenticator, Authy)

Good

Time-based 6-digit codes refreshing every 30 seconds. Not interceptable via SIM swap (codes generate locally, no SMS). But they can be phished: a real-time phishing attack can capture your code and replay it within the 30-second window. Better than SMS; not as strong as hardware keys.

3. SMS 2FA

Weak

6-digit code sent to your phone via text message. Vulnerable to SIM swaps (the attack covered in Module 4). Better than nothing; substantially weaker than the options above. Remove SMS 2FA from any account that holds significant value and replace with tier 1 or 2.

Pair your 2FA with a password manager (1Password, Bitwarden). Use a unique, generated password for every account. The password manager itself should be protected by a hardware key. This setup means that compromising any single credential is not enough to access your accounts.

Browser Hygiene

Your browser is the most attacked surface in crypto. Malicious extensions, compromised bookmarks, and phishing tabs live there. Separation is the primary defense.

Create a dedicated browser profile (or use a separate browser entirely) for crypto only. Nothing else runs in this profile.

Install only one wallet extension in your crypto profile. Every additional extension is an additional attack surface that can intercept your wallet interactions.

Bookmark every exchange and DeFi protocol you use. Navigate from bookmarks, never from links in emails, Discord, or Telegram.

Check the URL every time. Homograph attacks replace standard letters with Unicode lookalikes: 'bìnance.com' is a different domain than 'binance.com', displayed identically in most fonts.

If a site asks you to disable your browser's security warnings to proceed, close it immediately.

Keep your browser and extensions updated. Wallets push security patches that address known vulnerabilities.

Transaction Verification

Most crypto losses involve a transaction the victim authorized. The transaction was valid. The authorization was obtained through deception or error. Verification at signing time catches the deception.

Always verify the destination address on your hardware wallet's screen, not your computer screen. The computer screen can be compromised; the hardware wallet screen shows what the device will actually sign.

Check the first 6 AND last 6 characters of any address. Address poisoning attacks copy the first and last characters - the middle differs.

Send a small test transaction for any new recipient or any transfer above a threshold you're comfortable losing.

Wait for the recipient to confirm receipt of the test transaction before sending the main amount.

For large transfers, wait for 6 confirmations on Bitcoin or 12-15 on Ethereum before considering them final.

Approval Management

Token approvals accumulate silently. Every DeFi interaction you've ever done has likely left at least one approval active. Some of those protocols no longer exist. Some have been compromised. The approvals remain valid until you revoke them.

Visit revoke.cash monthly. Connect your wallet. The interface shows every active approval: which contract, which token, and the approved amount.

Revoke any approval for protocols you no longer use. The revocation is a small on-chain transaction (gas cost).

When approving a new protocol: if the interface allows setting a specific amount, use it. Approve only what you need for the immediate transaction.

After completing an interaction with a protocol you won't use again, revoke its approval before you close the tab.

Ethereum, Arbitrum, Optimism, Base, Polygon, BSC, and 100+ other networks are supported. Run the audit on every network where you're active.

Beyond classic ERC-20 approvals, watch for Permit and Permit2 signature requests. These are off-chain signatures that grant token-spending authority without an on-chain transaction. A malicious dApp can request a Permit2 signature that looks innocuous in a wallet popup, then use it to drain your wallet without you ever signing a transaction in the conventional sense. revoke.cash supports viewing and revoking active Permit2 allowances. If a site asks you to sign a Permit or Permit2 message you do not fully understand, refuse. The wallet drainer scripts dominating losses in 2024 to 2026 work primarily through this mechanism.

Air-Gapped Signing for High-Value Transactions

For any transaction large enough that you'd regret it if something went wrong, air-gapped signing ensures the private keys never touch an internet-connected device during the signing process.

Create the unsigned transaction

On your online computer, create the transaction using your wallet software (Trezor Suite, Keystone Companion App, or ELLIPAL app). The software outputs an unsigned transaction encoded as a QR code or data file.

Transfer to the air-gapped device

Display the unsigned transaction QR code on your online computer. Scan it with the air-gapped signing device's camera. The private keys have not moved. The unsigned transaction data has.

Review and sign on the device

The device decodes the transaction and displays the details: recipient address, amount, network fee. Verify these on the device screen. Confirm on the device. The device signs the transaction internally.

Transfer back to the online computer

The signed transaction appears as a QR code on the device screen. Scan it with your online computer's camera. The signed transaction is now ready to broadcast.

Broadcast from the online computer

Broadcast the signed transaction to the network from your online computer. The private keys have never been exposed to any internet connection.

This workflow applies to ELLIPAL Titan 2.0, Keystone 3 Pro, and NGRAVE ZERO. It is also possible with Trezor (using Trezor Suite's offline mode) and some Ledger configurations. The friction is worth it for transactions where losing the funds would be a serious financial event.

Multisig for High-Value Holdings

For holdings significant enough that a single hardware wallet feels like too much concentration, multisig is the next defense layer. A multisig wallet requires multiple keys to authorize a transaction. The most common configuration is 2-of-3: three keys exist, any two can sign. An attacker who compromises one key gets nothing. The user retains operational flexibility if one key is temporarily unavailable.

The two practical paths to multisig are self-custody and collaborative custody. Self-custody multisig means you hold every key. The setup uses Sparrow Wallet or similar coordinator software with three different hardware wallets, ideally from different vendors: Trezor, Ledger, and Coldcard, for example. Vendor diversity defends against a single-vendor compromise. Each key gets stored in a different physical location with its own backup.

Collaborative custody means a third party holds at least one key on your behalf. Casa offers a 2-of-3 or 3-of-5 service where Casa holds a recovery key. Unchained Capital offers similar service starting at $250 per year plus 0.50% per trade. The collaborator key cannot move funds alone, but its existence means you have a recovery option if you lose your other keys. The trade-off: the collaborator becomes a target for legal compulsion or social engineering, so you accept some custodial risk in exchange for recovery insurance.

Common multisig thresholds

2-of-3Most individuals at high holdings

Operational flexibility (one key can be in storage), strong defense (attacker needs 2 separate compromises)

3-of-5Inheritance and dead-man scenarios

Five keys distributed across trusted parties; three required to sign; heirs have a workable recovery path that does not depend on any single trusted person being available

3-of-3Joint accounts, paranoid setups

Strongest theft defense (every key required), but blocks transactions if any key is unavailable

Multisig adds operational friction. Every transaction requires coordinating two or more signatures across two or more devices in two or more locations. For day-to-day spending, multisig is overkill. For long-term storage of significant holdings, the friction is the feature. Document the recovery process and key locations. Without documentation, a 3-of-5 setup is a puzzle your heirs cannot solve.

Tax Compliance as Defense

The category of loss most people forget to defend against is not theft. It is an IRS examination triggered by a Form 1099-DA mismatch. The remedy can cost more than a hardware wallet drain because it includes back taxes, interest, and accuracy-related penalties.

Form 1099-DA is the broker reporting form for digital assets. As of January 1, 2025, US-based custodial brokers (Coinbase, Kraken, Gemini, and others) must report gross proceeds from digital asset sales to the IRS. Cost basis reporting becomes mandatory January 1, 2026. The IRS receives the same data you do, and the cross-match is automated. CP2000 letters, the automated under-reporting notices, started arriving in mid-2025 for the 2024 tax year. If your tax return shows a different number than what the broker reported, you receive a notice.

Revenue Procedure 2024-28, also effective January 1, 2025, made wallet-by-wallet cost basis tracking the default. Aggregating everything into a universal cost basis pool is no longer permitted. Each wallet, each exchange account, must track its own lot-level cost basis. The safe-harbor allocation deadline for assigning historical lots was December 31, 2024. If you missed it, your pre-2025 holdings default to first-in-first-out without specific identification.

Tax tracking software (set up before your first transaction)

Koinly

Connects to centralized exchanges via API, self-custody wallets via read-only addresses. Generates IRS Form 8949 and Schedule D output. ~$100-$400/year at individual volumes.

CoinTracker

Similar feature set to Koinly. Strong on automatic cost basis reconciliation across wallets. Coinbase has a partnership integration.

TaxBit

Enterprise-grade backbone. The most rigorous on Rev. Proc. 2024-28 wallet-by-wallet tracking. Used by some exchanges for their own 1099-DA generation.

ZenLedger and CoinLedger are the closest competitors. Reconstructing cost basis from years of unindexed transaction history across multiple wallets and exchanges is a multi-day exercise that costs more in your time than any tool subscription costs in cash.

Two reporting traps to know about

Crypto held on foreign exchanges (non-US-based platforms like Binance International, Bybit, or OKX) may trigger FBAR reporting on FinCEN Form 114 if your aggregate foreign account value exceeds $10,000 at any point in the year. FinCEN's specific rule for digital assets has been proposed but not finalized as of early 2026, so treat the threshold conservatively if you have material foreign-exchange exposure. The Form 8938 reporting requirement under FATCA applies separately and at higher thresholds.

Staking rewards, airdrops, and hard fork receipts are ordinary income at fair market value on the date of receipt, not on the date you sold. The cost basis going forward is that fair market value. Failing to record the receipt produces a future capital gains calculation that overstates gains and overpays tax, or understates them and triggers an audit risk.

One nuance worth knowing

The wash-sale rule that applies to securities does not currently apply to digital assets. As of 2026, multiple bills have proposed extending wash-sale to crypto, but none have been enacted. Loss harvesting at year-end is still a legitimate planning tool. Treat that as subject to change, because it is the most consistently proposed crypto tax change in Congress.

The DeFi broker reporting rules that Treasury published in late 2024 were withdrawn in early 2025 after industry pushback. Form 1099-DA applies only to centralized custodial brokers. DeFi protocol activity is still your responsibility to track and report. Nothing reaches the IRS automatically from on-chain activity.

Knowledge Check

Module 5 - 9 questions

SLIP-39 Shamir's Secret Sharing allows a seed to be split into shares. In a 3-of-5 scheme, what is the minimum number of shares needed to reconstruct the wallet?

The YubiKey 5 series supports which authentication standard that makes it phishing-proof?

For air-gapped signing of high-value transactions, which medium carries the transaction between the online computer and the air-gapped signing device?

revoke.cash is used for what specific security purpose?

Setting a passphrase (the '25th word') on a Trezor wallet creates what?

Why should you send a small test transaction before transferring a large amount to a new address?

For seed phrase physical storage, which material format best protects against fire and flood?

In a 2-of-3 multisig wallet, which scenario describes correct behavior when one of your three keys is in a safety deposit box you cannot access this month?

As of January 1, 2025, what changed in how the IRS receives information about your crypto activity from US-based exchanges?