Crypto security is your responsibility in a way that bank accounts are not. If your bank account is hacked, the bank typically reimburses you. If your crypto wallet is compromised, it’s gone — no reversal, no insurance, no refund. Here’s how to protect yourself.
For amounts over $2,000: move Bitcoin to a hardware wallet (Ledger or Trezor) — your crypto is stored offline under your control. Write your 24-word seed phrase on paper, store multiple copies in separate secure locations, and never enter it online. Enable 2FA (authenticator app, not SMS) on all exchange accounts. Never share your seed phrase — not even with "support staff."
The Spectrum of Crypto Security
From lowest to highest security (and complexity):
| Storage method | Security level | Best for |
|---|---|---|
| Exchange hot wallet | Low | Small amounts, frequent trading |
| Software wallet (phone/computer) | Medium | Regular users, mobile access |
| Hardware wallet (offline) | High | Long-term holders, $2,000+ |
| Multi-sig cold storage | Very high | Large amounts, institutions |
Hardware Wallets
A hardware wallet is a small physical device (looks like a USB stick) that stores your private keys offline. To approve a transaction, you physically press a button on the device — no hacker can approve transactions remotely.
Ledger
- Models: Ledger Nano S Plus (~$100 NZD), Ledger Nano X (~$180 NZD)
- Supports: 5,500+ cryptocurrencies including Bitcoin, Ethereum, Solana
- App: Ledger Live (desktop + mobile)
- NZ availability: Available on Ledger’s website (ships to NZ), or via NZ retailers
- 2023 data breach: Ledger’s customer email/address database was leaked in 2020 — your crypto was NOT compromised (private keys were safe), but watch for physical phishing
Trezor
- Models: Trezor Model One (~$80 NZD), Trezor Model T (~$200 NZD)
- Supports: 1,000+ cryptocurrencies (fewer than Ledger)
- App: Trezor Suite (desktop)
- NZ availability: Ships to NZ, or buy second-hand from reputable sellers with factory reset
- Open source: Trezor’s firmware is open-source — reviewed by the global security community
Which to choose: Either Ledger or Trezor. Ledger supports more coins; Trezor is open-source. Both are industry-standard.
Important: Only buy hardware wallets from official manufacturer websites or authorised retailers. Second-hand or third-party devices could be compromised.
The Seed Phrase: The Most Critical Security Element
When you set up a hardware wallet or software wallet, you receive a seed phrase (also called recovery phrase or mnemonic) — usually 12 or 24 random words. This seed phrase IS your crypto. Anyone who has your seed phrase can access all your crypto, on any device, forever.
Seed phrase do’s:
- ✅ Write it on paper with a pen — multiple copies
- ✅ Store copies in separate secure physical locations (e.g., home + bank safe deposit box)
- ✅ Consider metal backup solutions (Cryptosteel, Bilodreaux) for fire/water resistance
- ✅ Tell a trusted person where it is (or keep with your will) so your estate can access crypto
Seed phrase don’ts:
- ❌ Never photograph your seed phrase
- ❌ Never type it into any computer, phone, or website
- ❌ Never store it in cloud (email, Google Drive, iCloud, notes apps)
- ❌ Never share it with “support staff” — legitimate support will never ask for it
- ❌ Never enter it on any website — the only time you enter a seed phrase is into your physical hardware wallet during recovery
If your seed phrase is compromised: Move your crypto to a new wallet immediately. Set up a fresh hardware wallet with a new seed phrase, and transfer funds there.
Exchange Account Security
Even if you use a hardware wallet for long-term storage, you’ll likely keep some crypto on an exchange for trading. Protect your exchange account:
Two-factor authentication (2FA)
Always enable 2FA. Use an authenticator app (Google Authenticator, Authy, 1Password) — not SMS.
Why not SMS? SIM-swapping attacks have compromised NZ crypto holders — attackers convince your mobile carrier to transfer your number to a new SIM, then intercept your 2FA SMS. Authenticator apps are tied to the device, not the SIM.
Strong unique password
Use a password manager (Bitwarden is free and open-source). Generate a 20+ character random password for each exchange. Never reuse passwords.
Withdrawal allowlists
Most exchanges let you whitelist specific wallet addresses for withdrawals. If enabled, funds can only be withdrawn to pre-approved addresses — even if an attacker logs in, they can’t send funds to a new address.
Email security
Your exchange account is only as secure as your email. Enable 2FA on your email account. Use a dedicated email address for crypto that you don’t use for anything else.
Common Crypto Scams Targeting NZ Users
Investment scams (“pig butchering”)
Someone contacts you online (social media, dating apps, WhatsApp) and builds trust over weeks or months before introducing a “can’t-miss” crypto investment platform. The platform shows fake profits; when you try to withdraw, you’re told to pay “taxes” or “fees” first. Once you stop paying, you lose everything.
How to spot it: Unsolicited contact; guaranteed returns; urgency to invest; platforms you can’t verify independently.
Fake exchange websites
Google ads (and social media) for crypto exchanges sometimes lead to near-perfect copies of legitimate exchanges. You log in with your real credentials, and attackers capture them.
Prevention: Bookmark exchanges directly. Don’t click Google ads for crypto. Check the URL carefully (easycrypto.com vs easycrypt0.com).
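The URL check described above can be automated. This is an added example, not part of the original page: it compares a link's hostname against your own list of bookmarked exchanges and flags near-matches. The substitution map and the distance threshold of 2 are assumptions chosen for illustration.

```python
# Added example (not from the original page): flag hostnames that imitate a
# bookmarked exchange domain.
from urllib.parse import urlsplit

# Assumption: your own bookmarked exchanges; easycrypto.com is the page's example.
TRUSTED = {"easycrypto.com"}
# Constructed, non-exhaustive map of look-alike substitutions.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def hostname(url):
    """Lowercase host of a URL, without a leading 'www.'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def skeleton(host):
    """Collapse look-alike characters so 'easycrypt0' matches 'easycrypto'."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for a URL or bare hostname."""
    host = hostname(url)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in TRUSTED:
        if good in host:                       # trusted name buried in another domain
            return "lookalike"
        if skeleton(host) == skeleton(good):   # digit/letter swaps
            return "lookalike"
        if edit_distance(host, good) <= 2:     # dropped, added or swapped letters
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for u in ["https://easycrypto.com/login", "https://easycrypt0.com/login",
              "https://easycrypto.com.verify-account.example/", "example.org"]:
        print(f"{classify(u):10} {u}")
```

An "unknown" result only means the host does not resemble a bookmarked one; it is not a statement that the site is safe.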
Fake Ledger/Trezor emails
After the Ledger customer data breach, many NZ users received emails claiming their Ledger device was compromised and asking them to “enter your seed phrase to secure your wallet.” These were phishing attacks.
Prevention: Ledger and Trezor will never ask for your seed phrase. Ever. Report and delete these emails.
Airdrop/giveaway scams
“Send 0.1 ETH and receive 0.5 ETH back” — these are always scams. No legitimate project or person doubles crypto you send them.
What Happens If I Die? Crypto Estate Planning
Crypto with no documented seed phrase is effectively lost at death. NZ succession laws cannot help heirs access a wallet without the private key.
Options:
- Write the seed phrase location into a sealed letter held by your solicitor
- Include crypto access instructions in your will (but wills become public — be careful about security)
- Use a multi-signature setup where a trusted person has a co-signing key
At minimum: tell someone you trust that you hold crypto and where the seed phrase is stored.
Frequently Asked Questions
Can I lose crypto if my hardware wallet is lost or stolen? Not if you have your seed phrase. A hardware wallet is just a device: everything on it can be restored from the seed phrase. If you lose it, buy a new one, enter your seed phrase, and your crypto is recovered. The thief cannot access your crypto without the PIN and physically breaking the device.
What if the company behind my hardware wallet goes bankrupt? Your crypto is safe. The seed phrase is yours — it’s based on open standards (BIP39). If Ledger or Trezor ceased to exist, you could restore your wallet on any compatible wallet app using your seed phrase.
Is a software wallet (MetaMask, Exodus) secure enough? For small amounts (under $1,000–2,000), software wallets are reasonable. They are “hot wallets” (connected to the internet) and at higher risk from malware or browser exploits than hardware wallets.