Wallet Security Handbook

See all articles
Wallet Security Handbook

 Preface

“Not Your Keys, Not Your Coins” is the most important principle for protecting crypto assets.

Crypto assets are becoming part of everyday life. Your blockchain wallet is not just an app for managing tokens. It is your gateway to Web3, tied to your identity, assets, and on-chain activity. Yet one reality is hard to ignore: most people are still not prepared to use it safely.

We keep seeing the same types of losses:

· saving a Recovery Phrase in cloud storage,

· downloading a fake wallet,

· tapping a suspicious airdrop link,

· signing approvals carelessly.

Most of these losses are not caused by technology failing. They are caused by misunderstanding, complacency, or neglect.

This manual does not pile on jargon or try to create fear. It explains the security points that truly matter in plain language. It is an entry-level wallet security handbook that you can use both as a quick reference and as a practical guide to building risk awareness and avoiding common traps.

Why did we write this manual?

Many users do not start with a safe foundation when they first use a wallet. For example: 

· They only partly understand the difference between a Recovery Phrase and a Private Key.

· They do not understand the basic logic of on-chain transactions and account behavior.

· They underestimate the risks of approvals, signatures, and other critical actions.

· When something goes wrong, they do not know whether recovery is still possible or what to do next.

We hope this *Wallet Security Manual* can accompany you from the very beginning and help you gradually build both confidence and control in the way you use wallets.

Who is this manual for?

· If you just downloaded a wallet and do not know how to take the first step;

· If you have already made on-chain transactions but are still confused about approvals, signatures, and contracts;

· If you worry about how to recover your assets after losing a wallet or damaging a device;

· If you have run into problems but never found a clear explanation;

then this manual is for you.

You do not need to become a blockchain expert, but you should build the basic security skills needed to protect your on-chain assets.

What will you gain from this manual?

· Learn how to create and back up a wallet correctly and securely.

· Learn how to identify fake links, fake wallets, and phishing approval requests.

· Learn how to avoid common traps in transfers, approvals, and DApp interactions.

· Build security habits that fit your own needs.

· Develop basic judgment and response skills when problems arise.

We hope this manual is practical, clear, and easy to revisit—something you can keep as a long-term reference throughout your digital journey.

Final note

As the *Blockchain Dark Forest Self-Help Manual* puts it:

Always maintain zero trust, and keep verifying everything you suspect.

Even if you do not finish reading the entire manual, remembering those two points alone, zero trust and continuous verification, will greatly improve your ability to protect your assets.

We invite you to explore this world of opportunity and risk with steadier steps. That is why this manual exists.


 


Part I: 100 Wallet Security Questions

 

Chapter 1 | Wallet Basics: Essential Security Knowledge You Need

 

1.1 What Is a Wallet? How It Protects Your Crypto Assets

 

Q1: What is a blockchain wallet? Is it the same as a bank account?

A: A blockchain wallet is different from a bank account. It is more like a keychain or an identity credential manager. It does not store your crypto assets themselves. Instead, it stores a set of Private Keys used to access and manage your assets on the blockchain. Your crypto assets always remain on-chain. The wallet simply helps you hold the keys securely and provides an interface for using them.


Q2: What is the relationship between a wallet and crypto assets?

A: Crypto assets always exist on the blockchain, not inside the wallet. A wallet generates and stores your Private Keys and helps you use those keys to sign transactions, so you can transfer assets or grant approvals. The real value lies in the assets on-chain. A wallet is the security tool you use to manage them.


Q3: Why is control more important than ownership in a wallet?

A: In the blockchain world, whoever controls the Private Key effectively controls the assets. From the chain’s perspective, the only thing that matters is whether a transaction is signed with the correct Private Key. Holding a wallet does not automatically mean your assets are safe. Once the Private Key is exposed, someone else can make a valid on-chain transfer, and the system cannot tell who the “real owner” is or recover the funds for you. Exclusive and complete control of the Private Key is the true foundation of ownership.


Q4: How does a wallet connect to the blockchain?

A: A wallet is not the blockchain itself. It is a tool that helps you “talk” to the blockchain. When you make a transfer, you use your Private Key to digitally sign the transaction. The wallet then sends the signed transaction to nodes in the blockchain network. After the nodes verify the signature, the transaction is included in a block and written to the chain. Your on-chain asset state is then updated.

 


Q5: What is a custodial wallet? What are its features?

A: A custodial wallet is a wallet where a platform manages the Private Keys for you, such as an exchange account. You can register with a phone number or email address, send and receive crypto, and often recover your password. The experience is similar to online banking or a payment app. The trade-off is that the Private Keys are not in your hands. If the platform is hacked, becomes insolvent, freezes your account, or misuses funds, you share that risk.


Q6: What is a non-custodial wallet? What is the biggest difference between it and a custodial wallet?

A: A non-custodial wallet is a wallet where you control your own Private Keys. The keys are generated and stored locally, are not uploaded to a server, and cannot be recovered by the platform for you. The biggest difference from a custodial wallet is that you truly hold the keys and therefore truly control your on-chain assets. At the same time, you are fully responsible for backing up and protecting your Recovery Phrase or Private Key. If it is lost or exposed, there is no customer service channel that can restore it for you.


Q7: How should I choose between a custodial wallet and a non-custodial wallet?

A: A simple comparison is:

Custodial wallet

Best for beginners, small balances, and frequent trading. It is easy to use, supports account recovery, and usually offers customer service. The risk is that you must highly trust the platform, which may be hacked, freeze accounts, or misuse assets.

Non-custodial wallet

Best for long-term holding, larger balances, and users who value privacy and sovereignty. You keep the Private Keys yourself and have more independent control over your assets. The risk is that if your Private Key or Recovery Phrase is lost or exposed, the assets cannot be recovered.

Recommendation: Consider splitting assets by purpose. Keep smaller, frequently used funds on custodial platforms, and store larger long-term holdings in a non-custodial wallet.


1.2 Private Keys, Recovery Phrases, Public Keys, and Addresses Explained

 

Q8: What is a Private Key?

A: A Private Key is a secret string generated by cryptographic algorithms. It is often represented as a 64-character hexadecimal string, for example: `56f759ece75f0ab1b783893cbe390288978d4d4ff24dd233245b4285fcc31cf6` (example only; do not copy). It proves your control over a blockchain address and the assets associated with it. When you initiate a transaction, the wallet uses the Private Key to sign it.

Key points:

· Only you should know your Private Key. Never expose it.

· A Private Key is not stored on the blockchain. It is generated and stored locally on your device.

· Whoever holds the Private Key controls the assets at that address. You can also restore access on a new device by importing the Private Key or Recovery Phrase. 


Q9: What is a Recovery Phrase? How is it related to a Private Key, and why is it better for backup?

A: A Recovery Phrase is a set of English words, 12, 15, 18, 21, or 24 of them (12 and 24 are by far the most common), generated from random entropy according to the BIP39 standard. It is a human-readable encoding of the random number from which your wallet’s root seed is derived, and from that seed every Private Key, Public Key, and address in the wallet is derived in turn. If you back up the Recovery Phrase securely, you can fully restore the wallet on a new device even if your phone is lost or replaced. Compared with copying a 64-character hexadecimal Private Key, a Recovery Phrase uses ordinary dictionary words, so it is easier to write down and read back without mistakes, and the checksum built into the last word lets a wallet reject most transcription errors. For these reasons it has become the mainstream backup method.

Important notes:

· A Recovery Phrase is not just any random group of words. It must come from the standard BIP39 word list, and the last word carries a checksum of the others, so a wallet can reject most phrases that were copied incorrectly.

· Whoever has the Recovery Phrase controls all assets in that wallet.

· Never save a Recovery Phrase in screenshots, cloud storage, or email. Use offline backup methods instead, such as writing it down on paper or storing it in a dedicated metal backup device.


Q10: I only backed up my Recovery Phrase. If I lose the Private Key, can I still recover my assets?

A: Yes. The Recovery Phrase is the root of your wallet and can regenerate the corresponding Private Keys and addresses. As long as it was backed up accurately and securely, you can import it into any wallet that supports the same standards, such as BIP39 and BIP44, and fully regain control of the original wallet and its on-chain assets. Two caveats: if you set a Passphrase (see Q31), you need it as well, and the new wallet must use the same derivation path as the old one, otherwise it will show different addresses and an empty balance. Comparing the restored address with the one you recorded when creating the wallet (see Q23) settles this immediately.


Q11: What is a Public Key? What is it mainly used for?

A: A Public Key is derived from a Private Key using a one-way cryptographic algorithm, such as elliptic curve cryptography. A Public Key can be derived from a Private Key, but it is almost impossible to reverse the process and derive the Private Key from the Public Key. Public Keys are mainly used to verify signatures generated by the Private Key and to serve as the basis for generating wallet addresses. A Public Key can be shared safely. It cannot be used to derive your Private Key or move your assets.


Q12: What is a wallet address? How is it related to a Public Key? Can I share it publicly?

A: A wallet address is a string generated from the Public Key through hashing and other processing. It is your public identifier on the blockchain and can be understood as your receiving account. It is derived one-way from the Public Key, and it is almost impossible to reverse it back to the Public Key or Private Key. You can safely share your wallet address so others can send assets to you. By itself, it cannot be used to control or move your assets. What you must protect are your Private Key and Recovery Phrase.


Q13: What is a Keystore? How is it different from a Private Key and a Recovery Phrase?

A: A Keystore is an encrypted Private Key file, usually in JSON format. The Private Key is encrypted with a key derived from your password by a deliberately slow function (scrypt or PBKDF2 in the common Web3 keystore format), so even if someone gets the file, they still need the correct password to unlock it. Keep in mind that whoever has the file can try passwords offline, with no login limit, so a weak password offers little protection.

Features:

· It must be unlocked with a password, so its security depends on password strength.

· If you forget the password, the Private Key cannot be decrypted, and no platform can recover it for you.

· In essence, it is still another way of storing a Private Key.

Recommendations:

· Set a strong and unique password for the Keystore.

· Back up both the Keystore file and its password carefully. You need both. 


Q14: Can I share my Recovery Phrase or Private Key with someone else?

A: Absolutely not. Your Recovery Phrase and Private Key are the highest-level credentials for your assets. Anyone who gets them can move all of your assets without your consent. Whether they claim to be customer support, an official representative, technical support, or an “airdrop” or “event,” anyone asking for your Recovery Phrase or Private Key is a scam—without exception.


Q15: Can I share my wallet address with others?

A: Yes. A wallet address is like your receiving account. Others can use it to send assets to you or view transaction records associated with that address, but they cannot use it to control your assets. A wallet address does not contain Private Key information, so it is safe to share publicly.


1.3 Wallet Types and Their Use Cases

 

Q16: What is a software wallet?

A: A software wallet is a blockchain wallet that exists in the form of an application, including mobile apps, desktop clients, and browser extensions. It is convenient to use, easy to get started with, and suitable for daily transfers and DApp interactions. The downside is that the Private Key is stored on an internet-connected device, making it more vulnerable to malware, viruses, phishing sites, and similar threats. It is generally less secure than a hardware wallet.


Q17: What is a hardware wallet?

A: A hardware wallet is a physical device specifically designed to manage crypto assets. It usually contains a secure chip for generating and protecting Private Keys, ensuring that the keys do not touch the internet during use and typically cannot be exported or accessed remotely. Unlike software wallets, a hardware wallet completes transaction signing in an offline environment. Even if it is connected to an infected computer, the Private Key will not be exposed. What an infected computer can still do is present you with a malicious transaction to sign, so always check the recipient address and amount shown on the device’s own screen before confirming.

Main security features:

· The Private Key is stored only inside the device and does not connect to the internet.

· The secure chip provides tamper resistance.

· Transaction signing happens inside the device, and only signed data is sent out.

· You do not need to enter the Private Key on a computer or phone.

Because of this, a hardware wallet is one of the best options for storing large balances or long-term holdings.


Q18: What is a browser wallet (extension wallet)?

A: A browser wallet, also called an extension wallet, exists as a browser extension, such as MetaMask. It can be called directly from webpages, making it convenient for interacting with DApps. It is quick to install and useful for frequent on-chain interaction. Because it depends on the browser environment, however, it is more exposed to malicious sites, fake pages, phishing pop-ups, and extension vulnerabilities. Pay extra attention to download sources and approval requests.


Q19: What are cold wallets and hot wallets?

A: A cold wallet is a wallet whose Private Keys always remain offline and do not connect to the internet, such as a hardware wallet or software wallet on an offline device. It offers stronger security and is suitable for large balances or long-term holdings. A hot wallet stores Private Keys on an internet-connected device, such as a mobile wallet, browser extension wallet, or exchange account. It is convenient to use and suitable for small balances, daily transactions, and frequent interactions. The core difference is whether the Private Key is stored and used in an online environment.


Q20: How do I choose the right wallet for myself?

A: General recommendations:

· For small balances or daily use, choose an easy-to-use and reputable mobile wallet or browser wallet, such as imToken or MetaMask, and back up your Recovery Phrase properly.

· For medium to large balances or long-term holding, use a hardware wallet such as imKey to reduce theft risk through cold storage.

· For multi-chain asset management, use a combined setup such as a multi-chain software wallet plus a hardware wallet. Keep larger balances in the hardware wallet and smaller balances in the software wallet for daily use.

 

The core principle is to allocate assets based on size, usage frequency, and risk tolerance. Balance security and convenience, and do not keep everything in one place.


Chapter 2 | Wallet Creation and Backup: Reduce Risk at the Source

 

2.1 Creating a Wallet: Details You Must Pay Attention To

 

Q21: Where should I download and install a wallet app to avoid fake wallets?

A: To avoid downloading a fake wallet, follow these three rules:

1. Start from the official website only. Use the download link provided on the wallet’s official site to reach the app store or download page. For example, imToken’s official website is `token.im`.

2. Verify the developer name. In the App Store or Google Play, make sure the developer information matches the official website. For imToken, for example, the developer is `IMTOKEN PTE. LTD.`

3. Do not tap unknown links. Do not install wallets through search ads, chat groups, private messages, forums, or other untrusted links. Fake wallets are common on those channels.

Remember: The safest and simplest method is to start from the official website and click through from there. Decentralized wallets do not require your personal identity information.


Q22: If I create one wallet, does that mean I can manage every cryptocurrency on every blockchain?

A: Not necessarily. What a wallet can manage depends on which chains and token standards it supports.

· Wallet support is limited. Many wallets, such as imToken, MetaMask, and TokenPocket, support multiple chains, but not all of them. MetaMask, for example, mainly supports EVM-compatible chains such as Ethereum, Polygon, and BNB Chain. It does not support BTC or TRX directly.

· Address rules differ by chain. EVM chains share the same address format, but chains such as Bitcoin and Tron use different address encodings and different BIP44 derivation paths. The same Recovery Phrase therefore produces different addresses on different chains, and even on the same chain two wallet apps may show different addresses if they use different derivation paths.

· Token lists are not complete by default. Even if a wallet supports a chain, it may not preset every token on that chain. New or smaller tokens may need to be added manually by contract address.

 Before choosing a wallet, make sure it explicitly supports the chain and tokens you want to use.


Q23: What details should I pay attention to when creating a wallet for the first time?

A: Build a strong security foundation from the very beginning:

1. Use a secure device. Make sure your phone or computer is free of malware and unknown plugins. If necessary, run a full scan and install system updates first.

2. Write down the Recovery Phrase by hand and check it repeatedly. Write it down with pen and paper. Check every word at least twice to make sure the order and spelling are completely correct. Do not take screenshots, photos, or save it in albums or cloud storage.

3. Record the wallet address for future verification. Save the current wallet address so you can compare it when restoring the wallet on a new device.

4. Set a strong password or PIN. Use a sufficiently long password or PIN with numbers, letters, and symbols. Avoid easy-to-guess information such as birthdays or phone numbers.

From the moment you create a wallet, you become the final person responsible for your assets.


Q24: How can I identify a fake wallet app or website?

A: Check from three angles:

1. Verify official information

   - Domain: Make sure the domain matches the one published on the official website. Watch out for extra letters, strange suffixes, or suspicious combinations such as `imtoken-app-download.com`.

   - Developer: In the app store, check whether the developer name matches the official information.

2. Look at the quality of details

   - Icon and interface: Fake products often use blurry icons, rough layouts, or poor machine-translated text.

   - Downloads and reviews: Official apps usually have higher download numbers and more natural reviews. Fake apps often have very low downloads or repetitive, unusual reviews.

3. Ask the official team directly

   - If you are unsure, go back to the official website and use the published email address or official social account to ask whether the link or app is official.

If you discover a fake link or fake app, stop immediately. Never import your Recovery Phrase or Private Key.
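The domain checks in Q21 and Q24 can be made mechanical. The block below is an added example, not imToken or imKey code. Its allow-list contains only `token.im`, the domain the handbook itself names; treating every other host, including subdomains, as unverified is an assumption of this example, and you would extend the list only with hosts you have confirmed from the official site. The sample links are constructed to show the patterns the handbook warns about: a brand name inside a different domain, a user-info trick, a look-alike letter, and a missing TLS.

```python
"""Is this link really the official site? Added example for Q21 and Q24; not imToken code."""
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"token.im"}   # from the handbook; add only hosts you verified yourself


def link_verdict(url, official=OFFICIAL_HOSTS):
    """Return (ok, reason). ok is True only for an exact https match on the allow-list."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'none'}, expected https"
    host = parts.hostname or ""          # lower-cased; user@, :port and path removed
    if not host:
        return False, "no host in URL"
    labels = host.split(".")
    # Look-alike letters (Cyrillic 'о' for Latin 'o') and punycode (xn--) labels
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, f"host {host!r} contains non-ASCII or punycode characters"
    if host in official:
        return True, f"{host} is on the allow-list"
    for good in official:
        if host.endswith("." + good):
            return False, f"{host} is a subdomain of {good} but not on the allow-list"
        brand = good.split(".")[0]
        if brand in host:
            return False, f"{host} contains '{brand}' but is not {good}"
    return False, f"{host} is not an official host"


# Constructed sample links (not real phishing domains)
SAMPLES = [
    "https://token.im/download",             # genuine
    "https://token.im.evil.example/",        # official name as a subdomain of an attacker domain
    "https://imtoken-app-download.com",      # brand plus extra words (the Q24 pattern)
    "https://token.im@evil.example/login",   # user-info trick: the real host is evil.example
    "https://t\u043eken.im",                 # Cyrillic 'о' look-alike
    "http://token.im",                       # right host, no TLS
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, why = link_verdict(link)
        print("OK   " if ok else "STOP ", link, "-", why)
```

The check is deliberately strict: it says "stop" for anything it cannot prove, which is the right default when the next step would be typing in a Recovery Phrase.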


Q25: Why do I need to set a PIN or password when creating a wallet?

A: A PIN or password is the lock for the wallet on your local device. Even if someone gets your phone or computer, they still cannot directly open the wallet or make a transfer. But a PIN or password is not the same as a Recovery Phrase. It only protects local access to the wallet on that device. It cannot replace a secure backup of your Recovery Phrase.


2.2 Recovery Phrase Storage Strategy: The Key to Protecting Your Assets

 

Q26: Why is it so strongly recommended not to take photos or screenshots of a Recovery Phrase, and never store it in the cloud?

A: Because these methods can leak your Recovery Phrase without you noticing.

· Photos and screenshots: Many apps can read your photo library. Malware, cloud albums, and backup services may scan or upload those images.

· Cloud storage: Online drives, email, and chat history can all be exposed through account compromise, service vulnerabilities, or internal abuse.

Once a Recovery Phrase is exposed, the assets are usually impossible to recover. Recovery Phrases should be backed up offline, in purely physical form only.


Q27: What is the most recommended way to store a Recovery Phrase?

A: The most recommended method is offline physical backup:

· write the Recovery Phrase neatly on paper and store it in a safe place; or

· use a reliable metal backup tool to improve resistance to fire, water, and moisture.

The core principle is simple: offline, durable, and understandable to you.


Q28: What should I pay attention to when backing up a Recovery Phrase on paper?

A: Paper backup is simple and effective, but keep these points in mind:

· Use suitable paper and pens. Choose thicker paper and pens with ink that does not bleed or fade easily.

· Write clearly. Record each word carefully and make sure spelling and order are correct. Avoid messy handwriting and corrections.

· Store copies in different places. You may make two or three copies and keep them separately in safe, discreet, fire-resistant, and moisture-resistant locations.

· Avoid obvious labels. Do not write “Recovery Phrase” or “wallet backup” on the paper in a way that immediately reveals what it is.

 Never photograph the paper or upload it to the cloud.


Q29: What are the advantages of a metal Recovery Phrase backup compared with paper?

A: A metal Recovery Phrase backup stores your words on fire-resistant, water-resistant, and corrosion-resistant metal. Compared with paper, it has clear advantages:

· Greater durability: It can resist fire, water damage, moisture, tearing, and similar hazards.

· Better for long-term storage: It is less likely to fade or deteriorate over the years, making it suitable as one of the main backups for core assets.

There are many mature products on the market, including imKey’s products:

· Cryptobox S1: built with 304 stainless steel and able to store two sets of 12-word Recovery Phrases (or one set of 24 words).

· Cryptobox P1: includes the features of the S1 and also supports more flexible key storage with character-block combinations, making it more suitable for advanced users.

Whichever solution you choose, combine it with a safe storage location and a sensible access strategy so it is not lost or recognized too easily.


Q30: What is secondary encryption for a Recovery Phrase?

A: Secondary encryption means adding a self-designed layer of protection on top of the original Recovery Phrase backup, so that even if someone sees the backup, they still cannot directly reconstruct the real phrase.

Common methods include writing down only part of it and memorizing the rest, replacing some words according to a custom rule, or combining the Recovery Phrase with a Passphrase.

 Important reminders:

· Secondary encryption is best suited to users with backup and security experience.

· If you forget your own rule or extra secret, no one can recover the assets for you. 

If you are a beginner, first make sure you have a proper plain-text offline backup of the Recovery Phrase before considering advanced methods.


Q31: How can I apply secondary encryption to a Recovery Phrase?

A: The most common methods fall into two categories:

1. Add a Passphrase

   - How it works: In addition to the standard Recovery Phrase, you add an extra secret known only to you. Only the correct combination of the Recovery Phrase and the Passphrase will generate the real wallet.

   - How to use it: In wallets that support this feature, enable the Passphrase or Advanced Options setting when creating or importing a wallet.

   Warning: The Passphrase is not stored or checked anywhere. If it is forgotten or entered incorrectly, the wallet shows no error; it simply opens a different, empty wallet, and the assets cannot be recovered even though the Recovery Phrase itself is correct.

2. Physical obfuscation or split storage

   - How it works: You disrupt the order, split the phrase into separate parts, or mix in decoy words so that other people cannot understand the real rule even if they see the backup.

   - Examples: Split a 12-word phrase into two parts and store them in different places; or insert a few fake words that only you can identify.

Secondary encryption is for experienced users. Any rule that “only you know” becomes a risk if you forget it. Beginners should prioritize a correct, standard offline backup first.
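To make the mechanics behind Q9, Q10, Q31 and Q34 concrete, here is BIP39 in miniature: how the checksum is folded into the words, how a wrong word is caught, and how the Passphrase changes the seed. This is an added example, not imKey or imToken code. The real English word list has 2048 entries; only the four entries this example needs are embedded, so `phrase_to_indices` rejects any other word. The phrase used (eleven times `abandon`, then `about`, passphrase `TREZOR`) is the first test vector published with the BIP39 specification and encodes sixteen zero bytes of entropy.

```python
"""BIP39 in miniature: checksum, word indices, seed. Added example; not imKey/imToken code."""
import hashlib
import unicodedata

WORDS = {0: "abandon", 1: "ability", 2: "able", 3: "about"}   # first 4 of the 2048
INDEX = {w: i for i, w in WORDS.items()}


def entropy_to_indices(entropy: bytes) -> list:
    """Append ENT/32 checksum bits taken from SHA-256(entropy), cut into 11-bit indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    cs = ent // 32                                   # 4 bits for 12 words, 8 for 24
    bits = (int.from_bytes(entropy, "big") << cs) | (hashlib.sha256(entropy).digest()[0] >> (8 - cs))
    total = ent + cs                                 # 132 bits -> 12 words, 264 -> 24
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def checksum_ok(indices) -> bool:
    """Recompute the checksum from the entropy bits. A wrong or swapped word usually fails
    here; with 12 words the 4 checksum bits let about 1 in 16 random errors slip through."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    total = len(indices) * 11
    cs = total // 33
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs).to_bytes((total - cs) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)


def phrase_to_indices(phrase: str) -> list:
    return [INDEX[w] for w in phrase.split()]        # KeyError: word not in the list


def mnemonic_to_seed(phrase: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase. Nothing checks the
    passphrase: any value yields a valid-looking seed, i.e. a different, empty wallet."""
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


VECTOR = " ".join(["abandon"] * 11 + ["about"])      # the BIP39 all-zero-entropy vector

if __name__ == "__main__":
    idx = phrase_to_indices(VECTOR)
    print(idx, checksum_ok(idx))                     # [0, ..., 0, 3] True
    print(checksum_ok(idx[:-1] + [2]))               # 'able' written instead of 'about': False
    print(mnemonic_to_seed(VECTOR, "TREZOR").hex())
    print(mnemonic_to_seed(VECTOR).hex())            # no passphrase: an entirely different seed
```

Two things to take away: a wallet that refuses your phrase at import is usually the checksum doing its job, so do not "fix" it by guessing; and the last two lines show why a forgotten Passphrase is unrecoverable, since both seeds are equally valid and nothing marks one of them as wrong.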


Q32: If I forget the wallet password or PIN, can I still recover my assets?

A: Yes, as long as you have correctly backed up your Recovery Phrase or Private Key.

· The local password or PIN only protects access to the wallet on that particular device.

· What truly determines control is the Recovery Phrase or Private Key, because the assets are on-chain, not inside the app.

If you forget the local password, you can:

· delete the wallet from the app or reinstall the app;

· re-import the wallet using the previously backed-up Recovery Phrase or Private Key;

· set a new local password or PIN.

Remember this core point: if the Recovery Phrase or Private Key is still safe, the assets are still recoverable. If they are lost, knowing the local password does not help.


Q33: What is second verification of a Recovery Phrase, and why is it so important?

A: Second verification means performing a recovery test with the Recovery Phrase you wrote down before you formally start using the wallet, so you can confirm that it is correct and usable.

A common approach, using imKey as an example, is:

1. reset the original hardware wallet or use a new one;

2. import the Recovery Phrase you just wrote down;

3. confirm that the generated wallet address matches the original one.

Why it matters:

· It confirms that there are no spelling mistakes, missing words, or ordering mistakes.

· It prevents the disaster of discovering a backup error only after the original device is lost or damaged.

Treat second verification as a required step in Recovery Phrase backup, not an optional one.


Q34: If I wrote a few words incorrectly or put them in the wrong order, can I still recover my assets?

A: Often not, and never by guessing. Every word and its position feed into the wallet’s seed. Most wallets first check the checksum built into the phrase: a wrong, missing, or swapped word usually fails that check and the import is refused. If an error happens to pass the checksum, the phrase opens a different wallet with an empty balance, not yours. That is why this manual repeatedly emphasizes careful writing and second verification before you transfer any assets in.

A small, well-localized error can in principle be searched for: one unknown word at a known position is only 2048 candidates, two unknown positions are about four million, but the search space grows exponentially with every additional unknown word, and trying candidates means exposing the rest of the phrase to whatever tool performs the search. Some professional security teams attempt this kind of recovery for large amounts when strong clues exist, such as an original draft or knowledge of where the mistake happened. The cost is usually high, and the market is full of “Recovery Phrase recovery” scams whose real goal is to collect the words you still have. Be extremely cautious.


Q35: If someone saw my Recovery Phrase but no funds have been lost yet, what should I do?

A: Treat it as already exposed and change wallets immediately.

1. Use a brand-new device, or create a new wallet in the current app, to generate a completely new Recovery Phrase and back it up securely.

2. Move all assets from the old wallet to the new wallet address at once.

3. Stop using the wallet associated with the old Recovery Phrase permanently.

Once someone has seen your Recovery Phrase, they can transfer your assets at any time. Do not wait and do not take chances.


2.3 Importing a Wallet: A Guide to Avoiding High-Risk Mistakes

 

Q36: What should I be most cautious about when importing a wallet?

A: The biggest risk is entering your Recovery Phrase or Private Key into a fake website or fake app.

Common scams include:

· fake official websites or fake download pages that ask you to “verify your account,” “upgrade your version,” or “unlock an airdrop” by entering the Recovery Phrase;

· fake wallet apps with names and icons that look similar to the real app, but are designed to steal your credentials.

Safety tips:

· download the wallet only from the official website or official app store;

· verify the domain, app name, and developer information carefully;

· never import a Recovery Phrase or Private Key through ad links, private-message links, or unfamiliar webpages.

When importing a Recovery Phrase, always make sure the wallet app is the genuine official one.


Q37: Do I need an internet connection when importing a wallet?

A: In most practical scenarios, yes.

The import itself happens locally: the wallet is generated from your Recovery Phrase or Private Key on the device. The internet connection is mainly used to:

· sync balances and transaction history from the blockchain;

· confirm that the address and assets display correctly.

Use a trusted network, such as your home Wi‑Fi or mobile data, not public Wi‑Fi. Also make sure you are operating on a safe device without suspicious software installed.


Q38: If my assets do not appear after import, or the balance looks wrong, what could be causing it?

A: Common causes include:

1. The Recovery Phrase or Private Key was entered incorrectly. A spelling error or word-order mistake may generate a different wallet address.

2. The wrong network is selected. For example, if the assets are on BNB Chain but the wallet is currently set to Ethereum, the balance may appear as zero.

3. The token has not been added to the display list. Some wallets do not automatically show every token, so you may need to add it manually using the correct contract address.

4. You imported the wrong wallet. You may have more than one Recovery Phrase or address. Compare with the original wallet address you recorded earlier.

If you still cannot confirm the issue, do not blindly retry or import into a suspicious app. Seek help through a trusted channel first.


Q39: I received a text message or email from a stranger telling me to import my wallet. Is that safe?

A: No. This is extremely unsafe and is a classic phishing attack.

Scammers often pretend to be “official customer support,” a “security notification,” or an “upgrade notice” and try to get you to:

· click a link;

· enter your Recovery Phrase, Private Key, or Keystore on a fake page.

Remember these three hard rules:

1. Official teams will never ask for your Recovery Phrase or Private Key by text or email, and they will never ask you to “import the wallet for verification” through a link.

2. If you receive any link, go back to the official website or official app and verify it yourself. Do not operate inside message links.

3. If you suspect phishing, take a screenshot and report it to the wallet team to help block further risk.

Once you type a Recovery Phrase into a suspicious page, the chance of theft is close to 100%.


Q40: Can I use the same wallet on multiple devices?

A: Technically yes, but it increases security risk.

Advantages: You can access the same wallet on multiple devices, such as a phone and a computer, which is more convenient.

Risks: If any one of those devices is infected, lost, or unlocked by someone else, your Private Key may be exposed or the wallet may be abused. 

Safety recommendations:

· limit the number of devices into which you import the wallet;

· use it only on trusted devices;

· keep large balances on a single secure device or in a hardware wallet;

· separate a small daily-use wallet from a long-term large-balance wallet.


Chapter 3 | Everyday Wallet Security: Small Details, Big Protection

 

3.1 Receiving and Sending Assets: Security Blind Spots Behind Simple Actions

 

Q41: Why must I verify the address before sending assets?

A: Because if you send to the wrong address, the funds usually cannot be recovered. Address verification is therefore essential. Common risks include clipboard hijacking, where malware silently replaces the address you copied with the attacker’s address, and manual typing mistakes, where even one wrong character can change the destination completely. After pasting, check at least the first few characters, some middle characters, and the last few characters. Better yet, save verified addresses in your wallet’s address book and use those instead of copying them repeatedly.


Q42: What is a clipboard hijacking attack, and how can I defend against it?

A: Clipboard hijacking is when malicious software tampers with your clipboard and replaces the wallet address you copied with the attacker’s address, causing you to send funds to the wrong place without noticing. To defend against it:

· manually verify the address after pasting;

· do a small test transfer before sending a large amount;

· keep your device clean and install apps only from official sources;

· enable system security protections or reputable security software;

· if you use a hardware wallet such as imKey, verify the recipient address on the device screen before confirming.


Q43: Why is a small test transfer important, and how should I do it?

A: A small test transfer is the simplest way to verify that the address, network, and token type are all correct before sending a larger amount. A practical flow is:

1. send a small amount first, such as the equivalent of USD 1–5;

2. wait for confirmation, then check the result in a block explorer or the recipient’s wallet;

3. only after that send the larger transfer using the exact same details.

For large transfers or first-time recipients, this should become a habit.

 

Q44: Is it enough to check only the first and last few characters of an address before sending?

A: No. Attackers can generate addresses that share the same first and last few characters as the real address. This technique is often called address poisoning or address spoofing. Check more than just the beginning and end, and whenever possible use the address book feature so you can select a verified address directly instead of copying it from history.


Q45: Why do I sometimes receive tiny tokens I never bought?

A: These are often part of a dusting attack or a phishing airdrop. The goals may include tracking your on-chain behavior or luring you to visit a malicious website or interact with a malicious contract. The correct response is:

· do not interact with the token at all;

· hide it in your wallet if the wallet supports that feature;

· if you think it may be a legitimate airdrop, verify it through the project’s official website or official community channels, not through links in direct messages (DMs).


Q46: The address I copied has the same beginning and ending as the transfer target, but the middle is different. Is that normal?

A: No. This is a typical sign of address poisoning. Attackers send a tiny transfer from a fake address that looks similar to a frequently used one so it appears in your history. If you later copy from the history list carelessly, you may send funds to the attacker by mistake. Always inspect the full address, save verified addresses in your address book, and still do a small test transfer before large transfers.
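The check behind Q41, Q44 and Q46, as an added example that is not code from the imKey handbook: it flags history entries and pasted addresses whose first and last characters match an address-book entry while the middle differs. The address book, history and every address are constructed samples, and normalize, is_lookalike, classify_history and safe_to_send are hypothetical helper names.

```python
# Added example, not code from the imKey handbook. Detects "same beginning and
# ending, different middle" look-alike addresses against an address book.
import re

HEX_ADDR = re.compile(r"^0x[0-9a-f]{40}$")

# Constructed sample data (not real addresses or a real history).
ADDRESS_BOOK = {
    "exchange deposit": "0x1234" + "0" * 32 + "abcd",
    "savings wallet": "0x9999" + "1" * 32 + "eeee",
}
HISTORY = [
    {"counterparty": "0x1234" + "0" * 32 + "abcd", "value_wei": 250_000_000},  # genuine entry
    {"counterparty": "0x1234" + "f" * 32 + "abcd", "value_wei": 0},            # poisoning dust
    {"counterparty": "0x" + "7" * 40, "value_wei": 10_000},                     # never seen before
]


def normalize(addr: str) -> str:
    """Lower-case and validate a 20-byte hex (EVM-style) address."""
    a = addr.strip().lower()
    if not HEX_ADDR.match(a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def is_lookalike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when the two addresses differ but share the first `prefix` and last
    `suffix` hex characters, which is exactly what a prefix/suffix-only check misses."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    return c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]


def classify_history(history, address_book):
    """Label each history counterparty as trusted, lookalike(-dust) or unknown."""
    trusted = {normalize(a) for a in address_book.values()}
    results = []
    for entry in history:
        addr = normalize(entry["counterparty"])
        if addr in trusted:
            verdict = "trusted"
        elif any(is_lookalike(addr, t) for t in trusted):
            # A zero-value inbound transfer from a look-alike is the classic
            # poisoning pattern: it exists only to land in your history list.
            verdict = "lookalike-dust" if entry["value_wei"] == 0 else "lookalike"
        else:
            verdict = "unknown"
        results.append((addr, verdict))
    return results


def safe_to_send(pasted: str, address_book) -> tuple[bool, str]:
    """Decide whether a pasted address may be used without further manual checks."""
    names = {normalize(a): name for name, a in address_book.items()}
    p = normalize(pasted)
    if p in names:
        return True, f"matches address book entry '{names[p]}'"
    for t, name in names.items():
        if is_lookalike(p, t):
            return False, (f"first and last characters match '{name}' but the "
                           "middle differs: likely address poisoning, do not send")
    return False, "not in address book: verify every character and do a small test transfer first"


if __name__ == "__main__":
    for addr, verdict in classify_history(HISTORY, ADDRESS_BOOK):
        print(verdict.ljust(15), addr)
    print(safe_to_send(HISTORY[1]["counterparty"], ADDRESS_BOOK))
```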


Q47: Why is my transaction taking a long time to confirm?

A: Common reasons include:

· the gas fee is too low, so validators or miners prioritize higher-fee transactions;

· the network is congested;

· the wallet node did not broadcast or sync the transaction correctly.

Use a block explorer such as Etherscan to check whether the transaction is on-chain and whether it is still pending. If your wallet supports speeding up or replacing a transaction, you may raise the gas fee and resend. If the transaction does not appear on the block explorer at all, it may never have been broadcast successfully.

Never enter your Recovery Phrase or Private Key into an unknown site that claims it can “speed up” the transaction.


Q48: If I send tokens to the wrong address, can I recover them?

A: On most public blockchains, once a transaction is confirmed on-chain, it cannot be reversed or recovered. The main exception is when the destination is a custodial platform deposit address, such as an exchange address. In that case, you may contact the platform and ask for manual assistance, although success is not guaranteed. The best protection is prevention: verify the address and network carefully, use a small test transfer for large amounts or new recipients, and never rush under pressure.


Q49: My wallet shows multiple network options when I send a token. Which one should I choose, and what happens if I choose the wrong one?

A: The same token may exist on multiple networks. USDT, for example, exists on Ethereum, BNB Chain, Polygon, and others. If you choose the wrong network, the assets may be sent to the recipient’s address on a different chain, and the recipient may not see them unless they add that network and know how to recover them. Ask the recipient to clearly specify the required network, such as ERC-20, and select that exact network in your wallet. If you are unsure, stop and verify first.

Even when EVM-compatible addresses look the same across networks, balances do not automatically move across chains. 


Q50: My wallet says I need to approve a token. What does that mean, and is it safe?

A: Approval means you allow a smart contract to move a certain amount of a token from your wallet. This is common in DEXs, DeFi protocols, and NFT marketplaces.

There are two main types:

· Limited approval: the contract can move only a specified amount, which is relatively safer.

· Unlimited approval: the contract can move any amount of that token, which creates major risk if the contract is malicious or later compromised.

Best practices:

· approve only trusted official contracts;

· when possible, choose a limited amount instead of unlimited approval;

· review and revoke approvals you no longer need using an approval management tool such as Revoke.cash;

· be especially cautious when a strange website actively prompts you to approve something.

Approval is not the same as an immediate transfer, but approving the wrong contract can be just as dangerous.


3.2 DApp Interactions and Approvals: Blind Actions Can Cost You

 

Q51: What are approval and signature in a DApp, and what is the difference?

A: In DApps, you commonly see two kinds of actions:

· Approval: You allow a smart contract to move a certain amount of one of your tokens. Once the approval is active, the contract can transfer the token within the approved amount without prompting you every single time.

· Signature: You use your Private Key to sign a message. This is often used for logging in, confirming an order, or voting. Most signatures do not directly move assets on their own.

The core difference is this: approval gives a contract permission to spend your tokens later, while a signature confirms that you agree to a certain message or action. But malicious contracts or complex signing content can still be used to gain indirect control over your assets. If you do not understand what you are signing, do not sign it. 


Q52: Why should I be cautious about DApp approvals? What is the risk of unlimited approval?

A: Every approval gives a smart contract the ability to spend your tokens. If the contract is malicious or later exploited, it may directly drain tokens up to the approved amount.

Unlimited approval is the most dangerous because it allows the contract to move any amount of a specific token from your wallet. If the contract is compromised, all tokens of that type in your wallet may be stolen without another confirmation.

How to reduce the risk:

· read the approval details carefully, including the token, purpose, and amount;

· choose limited approvals whenever possible;

· stay alert to unfamiliar DApps and promises of unusually high returns.


Q53: How can I tell whether a DApp website or approval request is safe?

A: Check the following:

1. URL: Make sure the domain exactly matches the official website. Phishing sites often use very similar domains.

2. Contract address: In the approval window, verify that the smart contract address matches the project’s official contract.

3. Approval or signing content: Read what the popup actually says. If the content is vague, unreasonable, or does not match what you expected to do, stop immediately.

4. Project reputation: Look up security history and community feedback through trusted crypto communities or reputable media.

If you do not understand it or cannot verify it, do not continue.


Q54: What should I do if I accidentally approved a high-risk DApp or granted unlimited approval?

A: Revoke the approval immediately. That is the key step for reducing risk.

Typical steps:

1. use an approval management tool such as Revoke.cash, or your wallet’s built-in approval manager;

2. connect your wallet and review the current approval list for your address;

3. find the suspicious or unnecessary approval and click Revoke.

Revoke is an on-chain transaction, so it requires a small network fee.
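For Q50, Q52 and Q54, an added example (not code from the imKey handbook) that decodes the calldata of an ERC-20 approve(spender, amount) call, labels it as limited, unlimited or revoke, and builds the approve(spender, 0) call that a revoke sends. The spender address is a constructed sample; encode_approve, decode_approve and classify_approval are hypothetical helper names.

```python
# Added example, not code from the imKey handbook. Shows what "unlimited
# approval" and "revoke" mean in the bytes a wallet actually sends.
import re

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1        # the amount an "unlimited" approval really grants
HEX_ADDR = re.compile(r"^0x[0-9a-f]{40}$")

# Constructed sample spender, not a real contract.
SPENDER = "0x" + "1111111111111111111111111111111111111111"


def _addr(a: str) -> str:
    a = a.strip().lower()
    if not HEX_ADDR.match(a):
        raise ValueError(f"not a 20-byte hex address: {a!r}")
    return a


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): selector + padded address + 32-byte amount."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    return "0x" + APPROVE_SELECTOR + _addr(spender)[2:].rjust(64, "0") + format(amount, "064x")


def encode_revoke(spender: str) -> str:
    """A revoke is just an approval for 0, which is why it is an on-chain transaction."""
    return encode_approve(spender, 0)


def decode_approve(calldata: str) -> tuple[str, int]:
    """Return (spender, amount) from approve calldata; reject anything else."""
    data = calldata.strip().lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64:
        raise ValueError("approve calldata must be exactly 68 bytes")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve call")
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding: malformed or not an address")
    return "0x" + spender_word[24:], int(amount_word, 16)


def classify_approval(calldata: str, decimals: int = 18) -> dict:
    """Label the approval as revoke, limited or unlimited and show a human-readable amount."""
    spender, amount = decode_approve(calldata)
    if amount == 0:
        kind = "revoke"
    elif amount == MAX_UINT256:
        kind = "unlimited"
    else:
        kind = "limited"
    return {"spender": spender, "amount_raw": amount,
            "amount_tokens": amount / 10**decimals, "kind": kind}


if __name__ == "__main__":
    for calldata in (encode_approve(SPENDER, 100 * 10**18),   # 100 tokens, limited
                     encode_approve(SPENDER, MAX_UINT256),     # unlimited
                     encode_revoke(SPENDER)):                  # revoke
        print(classify_approval(calldata))
```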


Q55: Why does my wallet keep asking me to sign messages during DApp use? How should I handle that?

A: Many DApps use signatures for login verification, order confirmation, or message proof. Frequent signature requests are not necessarily abnormal. The right way to handle them is:

· read each request carefully;

· check whether it matches what you are actually doing;

· treat any request you do not understand, did not trigger, or that contains suspicious addresses or links as dangerous.

Principle: it is better to reject a few extra times than to casually sign an unfamiliar request.


3.3 Security Settings for Devices and Wallet Apps

 

Q56: Do my phone or computer system settings affect wallet security?

A: Yes—very significantly. Your operating system is the base environment in which the wallet runs. If the system has vulnerabilities, or if malware or trojans are installed, attackers may steal your Recovery Phrase or Private Key or remotely control your wallet. Device security is one of the first and most important layers of wallet security.


Q57: How should I configure my phone or computer to better protect my wallet?

A: Enable these baseline protections:

· set a strong device password or PIN;

· enable fingerprint or facial recognition when appropriate;

· turn on the system firewall on computers;

· disable automatic connection to Wi‑Fi and Bluetooth networks;

· keep the operating system and apps updated with official security patches;

· do not jailbreak or root the device casually, because doing so weakens the system’s security model.


Q58: I am already careful. Do I still need antivirus or security software?

A: It is recommended, especially on computers. Security software can help detect and block:

· trojans and backdoors;

· clipboard hijacking malware;

· keyloggers that record passwords or Recovery Phrases;

· malicious files or links from suspicious websites or downloads.

It is not a perfect shield, but for ordinary users it is a cost-effective layer of added protection, especially when using browser extension wallets or desktop wallets.


Q59: If I lose my phone, can the wallet app password protect my assets?

A: The wallet app password can stop someone from opening the app directly, but it does not solve all risks. Problems may still arise if:

· the device was jailbroken or rooted and system protections were weakened;

· you stored digital backups of the Recovery Phrase or Private Key on the phone, such as screenshots, photos, notes, or synced cloud files;

· an attacker uses advanced methods or physical access to extract app data.

If your phone is lost, the safest response is:

1. import the wallet on another trusted device using the backed-up Recovery Phrase or Private Key;

2. move all assets to a newly created wallet;

3. treat the old wallet and its Recovery Phrase as potentially exposed and stop using them.

This only works if you already have a secure backup.


Q60: Is it safe to operate a wallet app on public Wi‑Fi?

A: No. Public Wi‑Fi carries high risk. Free networks in malls, airports, cafés, and hotels often lack strong protection and can expose you to:

· data eavesdropping,

· man-in-the-middle attacks,

· malicious code distribution. 

For any sensitive action—creating a wallet, importing a Recovery Phrase, making a large transfer, or approving a DApp—use a secure and trusted network, such as your home Wi‑Fi or mobile data. If you must work while traveling, consider using your own hotspot and reduce the sensitivity of the actions you perform.


Chapter 4 | Anti-Scam Practice: Not Getting Tricked Is the Best Security

 

4.1 20 Common Wallet Scams Explained

 

Q61: What is a vanity wallet address scam?

A: In this scam, someone sells a wallet address with “lucky” or personalized patterns, such as repeated 8s or 6s. The danger is that the scammer usually generated the address and kept the corresponding Private Key. Once you send assets to that address, they can steal them. Never buy wallet addresses from unknown sources. Always generate wallet addresses yourself through a legitimate wallet so the keys remain fully under your control.


Q62: How does a fake wallet app scam work?

A: Scammers imitate well-known wallet apps or websites and trick users into downloading the fake app or importing a Recovery Phrase into it. Common signs include similar names, icons, domains, fake official download pages, and fake ads. To avoid this, download the wallet only from its official website or official app store listing, verify the developer information carefully, and remember that official teams will not contact you by private message, text, or phone asking you to download software or provide sensitive information.


Q63: Why are “Recovery Phrase collision tools” a scam?

A: These tools claim they can brute-force someone else’s Recovery Phrase and steal their assets. In reality, mainstream wallets follow standards such as BIP39, and the phrase space is so large that brute-force guessing is not practical. The usual trick is that the software shows fake “successful” results, tries to sell you a paid version, or even contains malware designed to steal your own credentials. Never believe claims about “cracking” Recovery Phrases.


Q64: How do phishing links trick you into revealing your Recovery Phrase?

A: Phishing pages often pretend to be an airdrop claim, a red packet giveaway, a system upgrade, or an account-security verification page. They imitate official branding and ask you to enter your Recovery Phrase or Private Key “for security” or “to unlock a feature.” Once you do, the information is sent directly to the scammer and the wallet may be emptied quickly. Official pages will never ask for your Recovery Phrase or Private Key just to claim an airdrop or verify an account.


Q65: How do crypto scams succeed on second-hand trading platforms?

A: Some second-hand marketplaces do not have real protections for crypto transactions. Scammers exploit that gap with fake trades and refund abuse. A typical pattern is that the scammer builds trust, places an order, pays, and gets the seller to send the crypto. Then the scammer claims they “did not receive the item” and requests a refund from the platform. Because the platform often does not understand on-chain settlement, the refund may be granted, and the seller loses both the crypto and the payment. Use professional, compliant trading platforms instead of informal peer-to-peer channels.


Q66: What is a fake official loan scam?

A: In this scam, criminals create a fake investment platform and claim to offer “officially authorized loans” or high returns. The victim is then told to pay a fee first—such as 2% of the loan amount—in order to unlock the loan, raise the limit, or release the funds. Real institutions do not casually recruit borrowers through Telegram or private messages, and any process that asks you to pay money first to receive a loan is a scam.


Q67: What is a romance investment scam?

A: This is a “pig butchering” scam in which the criminal builds trust through an online romantic relationship and then introduces the victim to a fake high-return investment platform. The victim sees fake profits and is encouraged to invest more. Eventually the platform locks the funds, blocks withdrawals, or disappears. Stay highly cautious about investment advice from people you met online, verify both the person and the project independently, and never let emotion override judgment.


Q68: What is a multisig scam, and why might I see a SIGERROR when sending from a TRX wallet?

A: This scam uses blockchain multisig permissions to take control of the victim’s wallet. If your TRX wallet shows a signature error (SIGERROR) during transfer and you never intentionally set account permissions yourself, your wallet permissions may have been modified. The scammer first steals your Recovery Phrase or Private Key, then changes the account into a multisig account that requires the scammer’s signature for transfers. You can still deposit funds, but you cannot move them out independently. Download wallets only from official sources, do not click suspicious links, and regularly check TRX account permissions.


Q69: What is the transfer trap in energy-rental services?

A: On Tron, transfers consume energy and bandwidth. Some people offer to “rent energy” or “pay gas for you” at a low price. After building trust through several successful small transactions, they wait for you to become careless and then lure or trick you into sending valuable tokens such as USDT to the wrong address. If you need such services, use wallet-integrated features or trusted official platforms, not unknown individuals.


Q70: What is a second-round scam targeting victims of previous investment schemes?

A: Scammers buy or obtain information about users who were previously cheated by Ponzi-like investment schemes. They then pretend to be official customer support and claim they can help recover the stolen assets. The real goal is to trick the victim into sending more money or downloading a fake app. Official institutions will never proactively contact you by email, text, or phone to ask you to pay first in order to recover or unlock assets.


Q71: What is an address phishing scam, also called the “same ending” scam?

A: This scam exploits the habit of checking only the first and last few characters of an address. The attacker creates an address that looks similar to one you use often, sends you a zero-value or tiny transfer so it appears in your history, and waits for you to copy it by mistake later. Use the wallet’s address book, verify the full address character by character, and be wary of unexplained tiny transfers.


Q72: What are common OTC USDT scam patterns?

A: Large OTC USDT trades carry serious risk both online and offline. 

Online scams may begin with low-price offers and small successful trades to build trust. When the amount gets larger, the scammer may claim they need your Private Key or Recovery Phrase to “verify wallet security” or “check multisig status,” then take over the wallet. 

Offline scams may involve hidden cameras, direct access to your phone, fake settlement, contract breaches, or even physical intimidation and robbery. The safest approach is to avoid informal OTC channels and use regulated exchanges instead. Never share your Recovery Phrase, Private Key, or wallet password under any pretext. 


Q73: What is the EIP-7702 authorization trap?

A: EIP-7702 is meant to simplify DApp interaction by allowing delegated wallet operations, such as batch transfers or gas sponsorship. But that convenience can also be abused. If a user signs a malicious authorization, they may effectively hand over control to malicious code or another address. Attackers may then deploy a sweeper bot that monitors the compromised wallet and immediately transfers out any newly received funds. Treat any unfamiliar authorization or delegation request with extreme caution, regularly review and revoke permissions, and avoid blindly signing hashes or prompts you do not understand.
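The review step this answer recommends, as an added example that is not code from the imKey handbook: under EIP-7702 an account that signed a delegation carries the code 0xef0100 followed by the 20-byte target address, so reading the account code with eth_getCode shows whether a wallet now runs someone else's code. The account, code samples and trusted-delegate set are constructed; getcode_request, delegation_target and audit_account are hypothetical helper names.

```python
# Added example, not code from the imKey handbook. Detects an EIP-7702
# delegation on a wallet address from its account code.
import json

DELEGATION_PREFIX = "ef0100"   # EIP-7702 delegation designator, followed by 20 address bytes

# Constructed samples, not real chain data.
SAMPLE_ACCOUNT = "0x" + "a1" * 20
SAMPLE_CODES = {
    "plain": "0x",                          # ordinary account, no code
    "delegated": "0xef0100" + "b2" * 20,    # delegated to 0xb2b2...b2
    "contract": "0x6080604052",             # start of a deployed contract's bytecode
}


def getcode_request(address: str, request_id: int = 1) -> str:
    """JSON-RPC body for eth_getCode(address, "latest"), to send to a trusted node."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id,
                       "method": "eth_getCode", "params": [address, "latest"]})


def delegation_target(code_hex: str):
    """Return ("eoa", None), ("delegated", target) or ("contract", None)."""
    code = code_hex.strip().lower()
    code = code[2:] if code.startswith("0x") else code
    if code == "":
        return "eoa", None
    if code.startswith(DELEGATION_PREFIX) and len(code) == 6 + 40:
        return "delegated", "0x" + code[6:]
    return "contract", None


def audit_account(address: str, code_hex: str, trusted_delegates=frozenset()) -> str:
    """One-line verdict for a wallet address given its current code."""
    kind, target = delegation_target(code_hex)
    if kind == "eoa":
        return f"{address}: no delegation set"
    if kind == "contract":
        return f"{address}: has contract code, not a plain wallet address"
    if target in {t.lower() for t in trusted_delegates}:
        return f"{address}: delegated to a target you set up yourself, {target}"
    return (f"{address}: ALERT, delegated to unknown code {target}; anything sent here "
            "can be swept automatically, clear the delegation and move to a fresh wallet")


if __name__ == "__main__":
    print(getcode_request(SAMPLE_ACCOUNT))
    for name, code in SAMPLE_CODES.items():
        print(name.ljust(10), audit_account(SAMPLE_ACCOUNT, code))
```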


Q74: What is a social engineering attack against a hardware wallet?

A: This refers to scams that manipulate people rather than directly breaking the device. Examples include fake giveaway campaigns, tampered devices sold through unofficial channels, preconfigured wallets with preset Recovery Phrases or PINs, or altered instructions that tell you to restore a wallet from a phrase supplied by the seller. Always buy hardware wallets only through official authorized channels, verify that the device is unactivated, generate the Recovery Phrase yourself during setup, and never use a device that comes with a preset phrase or PIN.


Q75: Why can even a cold wallet still be stolen?

A: A cold wallet is only truly “cold” if the Private Key or Recovery Phrase never touches an internet-connected environment. Once you type the Recovery Phrase into a phone, computer, email, cloud storage service, or any other online environment, that safety premise is broken. The wallet is no longer effectively cold, and malware can steal the phrase. Download software only from official channels, never click ad links, and if you suspect a device was infected after you entered a Recovery Phrase on it, treat the phrase as exposed and move your assets to a new wallet immediately.


4.2 What Can You Still Do After Being Scammed or Losing Funds?

 

Q76: Besides network attacks, what other risks can affect a wallet?

A: Physical theft is also a real risk. Someone might access your unlocked device when you step away, secretly photograph your Recovery Phrase, or handle your device or backup during cleaning, repairs, or hotel stays. Protect your devices physically, lock them even when stepping away briefly, spread assets across multiple wallets, use hardware wallets for important funds, and never reveal your Recovery Phrase or Private Key to anyone—not even friends, family members, or partners.


Q77: What is a fake staking or mining investment scheme?

A: In this scam, criminals impersonate wallet support or official teams and guide users to a fake staking or mining website that promises very high returns. The real goal is to get the user to approve a large or unlimited token allowance. Once the approval is signed, the scammer can transfer out the corresponding tokens. Be highly suspicious of “guaranteed returns” and any site that asks for unusually large approvals.


Q78: What new information traps and security threats have become more common with the rise of AI?

A: AI tools can make bad information look authoritative. AI search may surface phishing websites, outdated information, or incorrect official links because the model depends on its source data and cannot always verify what is current or real. Social media is also heavily polluted with fake “official” accounts, recycled announcements, and false tutorials. Any important information—such as an official website, a contract address, or a claimed airdrop—should be verified through known official channels, not through AI answers or social posts alone.


Q79: What is AI voice-cloning fraud?

A: Criminals can synthesize a familiar person’s voice and use messaging apps or calls to pretend that a friend or colleague urgently needs funds. Because the cloned voice sounds convincing, victims may transfer money before verifying the request. Any transfer request involving urgency should be verified through another channel, such as a direct phone call, video call, or in-person confirmation.


Q80: Why can malicious browser extensions lead to asset theft?

A: Browser extensions often request powerful permissions, such as reading website data, modifying cookies, accessing the clipboard, or reading sensitive browser information. A malicious extension can steal session cookies, track your activity, tamper with transactions, or help attackers log in as you. Install extensions only from official sources, keep your trading browser clean, log out when you are done, and keep large balances in a self-custodial wallet or hardware wallet rather than in exchange accounts.


Q81: What should I do first if I discover that wallet assets have been stolen?

A: Stay calm and act in order:

1. Protect remaining assets. If the Recovery Phrase may have been exposed, all addresses derived from it may be at risk. Move any remaining funds immediately.

2. Create a brand-new secure wallet. Preferably use a hardware wallet and back up its Recovery Phrase properly.

3. Preserve evidence and think through the cause. Save transaction hashes, wallet addresses, chats, phishing links, and any related evidence. Review whether you recently clicked suspicious links, approved risky DApps, entered a Recovery Phrase on an unfamiliar site, or used public Wi‑Fi.


Q82: How can I query on-chain records to track where stolen assets went?

A: Use the correct block explorer for the relevant chain, such as Etherscan for Ethereum, Tronscan for Tron, or mempool.space for Bitcoin. Search using your wallet address or the suspicious transaction hash. Then review the sender, recipient, amount, time, and most importantly the movement path of the funds—whether they were moved through multiple addresses, swapped, bridged, or sent to a known platform.


Q83: Besides self-help and on-chain tracking, what outside help can I seek after funds are stolen?

A: You can try several external paths:

· File a police report and provide full evidence, including transaction hashes, scammer addresses, screenshots, and phishing links.

· Contact centralized exchanges if you can see that the stolen funds reached one of them. Most exchanges will require a formal law-enforcement process before taking action.

· Flag addresses through block explorers or security communities that support scam reporting.

· Seek help from professional blockchain security firms for tracing services, while remaining cautious about second-round scams and high fees.

Be extremely skeptical of anyone who promises a 100% recovery rate.


Q84: Why are stolen assets so difficult to recover in most cases?

A: Recovery is hard for several reasons:

· if the Recovery Phrase or Private Key was exposed directly, the theft is immediate and on-chain transactions are irreversible;

· stolen assets may be swapped on a DEX, mixed, fragmented, or bridged across chains;

· the funds may end up in private wallets without KYC;

· even if they reach a centralized exchange, the exchange may not assist without law-enforcement involvement.


Q85: Besides emergency loss control and reporting to the police, what other checks should I perform after a theft?

A: Complete a full post-incident security review:

1. scan all wallet-related devices for malware, keyloggers, and trojans;

2. change all important passwords, including email, social media, cloud services, exchanges, and any related accounts;

3. switch to stronger two-factor authentication, preferably app-based methods such as Google Authenticator or Authy rather than SMS;

4. inspect and remove suspicious or unused browser extensions;

5. warn friends and family in case scammers impersonate you;

6. after securely backing up any needed information, consider resetting affected devices and rebuilding a clean environment.


Chapter 5 | Advanced Protection: Build Your Security Fortress

 

5.1 Advanced Hardware Wallet Guide

 

Q86: How does a hardware wallet protect the security of a Private Key?

A: The biggest advantage of a hardware wallet is that the Private Key stays offline throughout its lifecycle. The key is generated and stored inside a secure chip, and all signing happens inside the chip as well, so it never touches the network environment. This fundamentally reduces the risk of trojans, viruses, and remote attacks. Compared with hot wallets, which store keys on internet-connected phones or computers, hardware wallets significantly improve key security through a secure chip and offline signing. For high-value assets, a hardware wallet is strongly recommended. Protect both the PIN and the Recovery Phrase carefully—they are essential to the safety of the assets.


Q87: After receiving a hardware wallet, how can I tell whether it is safe and untampered?

A: Focus on three checks:

· Check the packaging: Make sure the outer packaging and seals are intact and all accessories are present.

· Check authenticity: Verify the SN on the official website and confirm that the device shows as unactivated.

· Check the setup flow: On first use, you should set the PIN yourself and generate the Recovery Phrase yourself. There should never be a preset PIN or preset Recovery Phrase.

Buy only from the official website or authorized channels. If you discover any suspicious preset information, stop using the device immediately and contact official support.


Q88: If I lose the device, can I still restore the wallet?

A: Yes—if you kept the Recovery Phrase completely and correctly. You can restore the assets in any wallet that supports the same standard, such as BIP39. But the recovery process must be done carefully:

· restore only in a trusted wallet or trusted app;

· never enter the Recovery Phrase on an unknown website, app, extension, or mini-program;

· note that different wallets may use different derivation paths, so the first address you see may not match.

Prefer restoring with the original wallet or a compatible wallet, verify that the restored address matches the old one, and if possible enter the Recovery Phrase on an offline device rather than in an online environment.


Q89: What is a derivation path, and why can the same Recovery Phrase generate different addresses in different wallets?

A: A derivation path is the rule set used to derive addresses for different chains, accounts, and indexes from the same Recovery Phrase. Standards such as BIP44, BIP49, and BIP84 define common path formats, but different wallets may use different defaults. That is why the same Recovery Phrase may display different addresses in different wallets. When restoring, use the original wallet first or a wallet that lets you customize the derivation path. If the address does not match, check whether the wallet supports switching paths.
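For Q88 and Q89, an added example (not code from the imKey handbook) that parses a derivation path into its levels, validates it against the five-level BIP44/49/84 layout, and shows that two wallets restoring the same Recovery Phrase display the same first address only when their default paths match level for level. The two wallet defaults are constructed; parse_path, describe_bip44 and same_first_address are hypothetical helper names.

```python
# Added example, not code from the imKey handbook. Parses BIP32 derivation
# paths and checks them against the BIP44 layout
# m / purpose' / coin_type' / account' / change / address_index.

HARDENED = 0x80000000   # hardened child indexes start here (the ' or h suffix)

# SLIP-44 coin types and BIP purposes this example recognises (well-known values).
COIN_TYPES = {0: "Bitcoin", 60: "Ethereum", 195: "Tron"}
PURPOSES = {44: "BIP44", 49: "BIP49", 84: "BIP84"}

# Constructed example: two wallets with different default paths for one phrase.
WALLET_DEFAULTS = {
    "wallet A": "m/44'/60'/0'/0/0",
    "wallet B": "m/44'/60'/1'/0/0",
}


def parse_path(path: str) -> list[int]:
    """Turn "m/44'/60'/0'/0/0" into child indexes; hardened levels get +0x80000000."""
    parts = path.strip().split("/")
    if not parts or parts[0] != "m":
        raise ValueError("path must start with 'm'")
    indexes = []
    for level in parts[1:]:
        hardened = level.endswith(("'", "h", "H"))
        number = level.rstrip("'hH")
        if not number.isdigit():
            raise ValueError(f"bad level {level!r}")
        n = int(number)
        if n >= HARDENED:
            raise ValueError(f"index {n} out of range")
        indexes.append(n + HARDENED if hardened else n)
    return indexes


def describe_bip44(path: str) -> dict:
    """Validate the BIP44/49/84 five-level layout and name each level."""
    idx = parse_path(path)
    if len(idx) != 5:
        raise ValueError("expected 5 levels: purpose/coin_type/account/change/index")
    purpose, coin, account, change, index = idx
    for name, value in (("purpose", purpose), ("coin_type", coin), ("account", account)):
        if value < HARDENED:
            raise ValueError(f"{name} must be hardened (end with ')")
    if change >= HARDENED or index >= HARDENED:
        raise ValueError("change and address_index must not be hardened")
    if change not in (0, 1):
        raise ValueError("change must be 0 (external) or 1 (internal)")
    return {
        "purpose": PURPOSES.get(purpose - HARDENED, f"unknown({purpose - HARDENED})"),
        "coin": COIN_TYPES.get(coin - HARDENED, f"unknown({coin - HARDENED})"),
        "account": account - HARDENED,
        "change": "external" if change == 0 else "internal",
        "index": index,
    }


def same_first_address(path_a: str, path_b: str) -> bool:
    """Two wallets show the same first address from one phrase only if the full
    path matches level for level; a different account or purpose means a
    different key, not a wrong phrase."""
    return parse_path(path_a) == parse_path(path_b)


if __name__ == "__main__":
    for name, path in WALLET_DEFAULTS.items():
        print(name, path, describe_bip44(path))
    print("same first address:", same_first_address(*WALLET_DEFAULTS.values()))
```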


5.2 Coordinated Management with Multisig Wallets and Cold Wallets

 

Q90: What is a multisig wallet?

A: A multisig wallet requires multiple Private Keys to sign a transaction before it can take effect. It improves both security and fault tolerance by spreading authority across multiple signers.

Common setups include:

· 2 of 3: three keys exist, and any two are required to complete a transfer;

· 3 of 5: five keys exist, and any three are required.

This design means the loss or compromise of a single key does not immediately endanger the funds, making multisig suitable for family asset management, team treasury management, and similar scenarios. Good multisig practice includes setting sensible rules, distributing keys across different devices, and using mainstream compatible products such as Gnosis Safe, Keystone, and imKey.

For more information, please refer to the tutorial: imKey Hardware Wallet × Gnosis Safe: Guide to Creating and Using Multi-signature Wallets: https://support.imkey.im/hc/en-us/articles/47827714802457


Q91: What are common misconceptions about multisig wallets?

A: Common misunderstandings include:

· Thinking multisig is the same as a cold wallet. It is not. Multisig is about requiring multiple signatures; a cold wallet is about keeping keys offline.

· Keeping all signer keys on one device. This defeats the entire purpose of multisig because a single compromise can expose all keys.

· Ignoring backup and role handover. If signers lose devices or keys and there is no fallback plan, the assets can become permanently inaccessible.

 Spread keys across devices, keep backup signers or mechanisms for adjusting permissions, and periodically review the health of signer devices and settings.


Q92: What problems do multisig and cold wallets solve respectively?

A: They address different dimensions of security:

· Multisig reduces the risk of single-person control by requiring multiple parties to approve a transfer.

· Cold wallets reduce technical exposure by keeping Private Keys offline and away from malware, phishing, and remote attacks.

Combining them creates governance security plus technical security.


Q93: In what situations is it appropriate to operate through a cold wallet?

A: Cold wallets are particularly suitable for:

· long-term storage of large balances;

· enterprise treasury management;

· NFT custody;

· multisig setups requiring high-assurance signers.

Although signing with a cold wallet is less convenient than using a hot wallet, modern hardware wallets support smoother flows such as QR signing and Bluetooth signing. Keep small daily-use funds in a hot wallet, but place larger balances in a cold wallet and verify transaction details carefully on the device screen every time.


Q94: How can I combine a cold wallet with multisig to build a stronger security system?

A: You can set one or more signers in the multisig scheme to be cold wallets. For example, in a 2-of-3 setup:

· one signer could be an offline software wallet,

· one signer could be a hardware wallet such as imKey,

· and the final signer could be a backup signer for emergencies.

 Keep each signing device physically separated and avoid sharing the same network or computer. Verify each transaction multiple times before signing, and back up the multisig rules and permission documents securely.


 Q95: If I use multisig, do I still need a hardware wallet?

A: Yes. A hardware wallet remains a core device in a multisig security model. It isolates the Private Key inside an offline chip and requires physical confirmation at signing time, greatly reducing the chance of key theft. In a multisig setup, it serves as a highly reliable signer and helps resist external attacks and single points of failure. Choose a hardware wallet whose connection to the companion app is authenticated, for example QR-code signing or a Bluetooth pairing confirmed with a binding code, use it with a trusted app, and keep the firmware updated.


5.3 Recommended Tools and Trusted Resources

 

Q96: Why should I manage contract approvals, and what tools can I use to revoke them?

A: When you use DeFi protocols, NFT platforms, or wallet extensions, you may have approved contracts to spend your assets. If those approvals remain open indefinitely, a compromised or malicious contract may move your assets without you noticing. Regular approval cleanup is therefore an important security habit.

Recommended tool:

· Revoke.cash: lets you view and revoke contract approvals on Ethereum, BNB Smart Chain, Polygon, and other major networks.

Check your approvals at least once a month, revoke permissions for unfamiliar or unused DApps promptly, and choose limited approvals rather than unlimited ones whenever possible.
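The following is an added example, not code from this handbook or from Revoke.cash: a small Python decoder for the calldata behind the three approval prompts a wallet most often asks you to sign (ERC-20 approve and increaseAllowance, and the ERC-721/1155 setApprovalForAll). It labels each call as a revocation, a limited approval, an unlimited approval, or an operator grant over a whole NFT collection. The spender address and the "effectively unlimited" threshold are constructed for the example; only the function selectors are real.

```python
MAX_UINT256 = 2**256 - 1
# Amounts at or above this are treated as unlimited in practice: no token
# supply comes close, so the spender could drain the whole balance.
# (The threshold is a judgement call for this example, not a standard.)
EFFECTIVELY_UNLIMITED = 2**128

# 4-byte selectors = first four bytes of keccak256(signature). These three are
# the approval entry points a wallet popup most often asks you to sign.
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("39509351"): "increaseAllowance(address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}


def decode_approval(calldata):
    """Classify transaction calldata (hex string or bytes).

    Returns None when the call is not an approval, otherwise a dict with the
    function, the spender, the raw value and a risk label: 'revocation',
    'limited', 'unlimited' or 'operator' (rights over a whole NFT collection).
    """
    if isinstance(calldata, str):
        calldata = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    name = SELECTORS.get(calldata[:4])
    if name is None:
        return None
    args = calldata[4:]
    if len(args) < 64:
        raise ValueError("approval calldata must carry two 32-byte words")
    spender_word, value_word = args[:32], args[32:64]
    if spender_word[:12] != bytes(12):
        # ABI pads a 20-byte address with 12 zero bytes; anything else is malformed.
        raise ValueError("address word has non-zero padding")
    spender = "0x" + spender_word[12:].hex()  # lower-case hex, not EIP-55 checksummed
    value = int.from_bytes(value_word, "big")
    if name.startswith("setApprovalForAll"):
        risk = "operator" if value else "revocation"
    elif value == 0:
        risk = "revocation"
    elif value >= EFFECTIVELY_UNLIMITED:
        # ERC-721 approve(address,uint256) shares this selector; there the
        # uint256 is a tokenId, so this label applies to ERC-20 calldata.
        risk = "unlimited"
    else:
        risk = "limited"
    return {"function": name, "spender": spender, "value": value, "risk": risk}


def encode_approval(spender: str, value: int, selector: str = "095ea7b3") -> bytes:
    """Build the calldata a wallet would sign; used here to construct samples."""
    return (bytes.fromhex(selector) + bytes(12) + bytes.fromhex(spender[2:])
            + value.to_bytes(32, "big"))


if __name__ == "__main__":
    # Constructed sample spender; not a real contract address.
    SPENDER = "0x1111111111111111111111111111111111111111"
    samples = [
        encode_approval(SPENDER, MAX_UINT256),        # the usual "unlimited" popup
        encode_approval(SPENDER, 1_000 * 10**18),     # 1,000 tokens with 18 decimals
        encode_approval(SPENDER, 0),                  # revoke
        encode_approval(SPENDER, 1, "a22cb465"),      # NFT operator approval
        bytes.fromhex("a9059cbb") + bytes(64),        # transfer(): not an approval
    ]
    for data in samples:
        print(decode_approval(data) or "not an approval")
```

Wallets and tools such as Revoke.cash do the same classification for you; the value of seeing it spelled out is that "approve" never moves tokens by itself, it only sets an allowance, and an allowance of 2^256-1 means the spender can call transferFrom for your whole balance later without another prompt.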


Q97: How can I identify phishing websites or malicious projects? Are there practical tools that can help?

A: Many scammers imitate airdrops or whitelist campaigns with websites that look almost identical to official ones. Visual appearance alone is often not enough for users to judge authenticity. Useful tools include:

· ScamSniffer: an anti-phishing extension that detects risky code and suspicious addresses and provides real-time warnings while you browse;

· Tenderly, Blocksec, MetaSuites, and similar security plugins that provide risk prompts for smart contract interactions.

Use security plugins as a first browser firewall, get links only through official project channels, and avoid finding wallet or airdrop websites through search engines whenever possible because SEO phishing is common.
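The following added example (mine, not from this handbook or any of the tools listed above) shows the kind of check a link should pass before a wallet is connected to it. It allowlists official domains and rejects the common tricks: a non-https scheme, a user:pass@ prefix that hides the real host, an internationalized name with a lookalike letter, and an official name embedded inside somebody else's domain. The allowlist holds only "imkey.im", taken from the support URL cited earlier in this handbook; the ".example" hosts in the demo are constructed and never resolve.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: "imkey.im" comes from the support URL
# cited in this handbook. A real check should load each project's published
# official domains from a source you already trust.
OFFICIAL_DOMAINS = {"imkey.im"}


def check_link(url, allowlist=OFFICIAL_DOMAINS):
    """Return (ok, reason) for a link you are about to open with a wallet.

    ok is True only for an https URL whose host is an allowlisted domain or a
    subdomain of one. Every rejection names the trick the link relies on.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # lower-cased; port and user:pass@ already removed
    if parts.scheme != "https":
        return False, f"not https (scheme={parts.scheme or 'none'})"
    if not host:
        return False, "no host in URL"
    if "@" in parts.netloc:
        # https://imkey.im@evil.example/ displays the good name but connects
        # to whatever follows the '@'.
        return False, f"userinfo trick: real host is {host}"
    if not host.isascii() or "xn--" in host:
        # A Cyrillic or accented letter inside the name (homoglyph attack).
        return False, "internationalized host: possible homoglyph of an official domain"
    host = host.rstrip(".")
    for domain in allowlist:
        if host == domain or host.endswith("." + domain):
            return True, f"{host} is under official domain {domain}"
    for domain in allowlist:
        if domain in host or domain.replace(".", "-") in host:
            # The official name appears, but not as the registrable suffix:
            # imkey.im.evil.example belongs to whoever owns evil.example.
            return False, f"lookalike: {host} is not under {domain}"
    return False, f"{host} is not an official domain"


if __name__ == "__main__":
    # Constructed test links; the .example hosts are reserved and never resolve.
    for link in ["https://support.imkey.im/hc/en-us/articles/47827714802457",
                 "http://imkey.im/",
                 "https://imkey.im@evil.example/",
                 "https://imkey.im.evil.example/airdrop",
                 "https://imk\u0435y.im/",           # Cyrillic 'е' in place of 'e'
                 "https://imkey-im.example/claim"]:
        print(check_link(link))
```

Browser security extensions apply far larger lists and reputation data, but the decision logic is the same: the registrable domain at the end of the hostname is what matters, not whether a familiar name appears somewhere in the link.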


Q98: How can I know whether the wallet app I downloaded is the official version? Is there a reliable way to verify it?

A: Downloading a fake wallet app is one of the most common causes of asset theft. To reduce this risk:

· always start from the wallet’s official website;

· in the App Store or Google Play, verify that the developer name matches the official developer, such as `IMTOKEN PTE. LTD.` for imToken;

· when available, verify the APK hash, such as a SHA256 checksum, against the value published by the official team.

Do not download wallets through strange links or third-party ad pages. On first use, watch for suspicious behavior such as forced web redirects or requests for unnecessary permissions like contacts or location. 


Q99: If I need official customer support or technical support, what are the correct channels?

A: Fake support scams are common. Criminals often impersonate project support on Telegram, X, TikTok, or in private messages and try to guide users into “verification” steps that end with stolen Recovery Phrases or stolen funds. The correct method is to use support entry points only through the official website or the app’s Help Center. Official teams will not proactively message you to request information or tell you how to operate your wallet. Any request involving a Recovery Phrase or Private Key is a scam.


Q100: What other security tools or navigation sites are worth bookmarking for advanced users?

A: Useful security tools and resources include:

Security tools

· Revoke.cash: approval management and revocation;

· ScamSniffer: phishing detection and suspicious-link monitoring;

· Pocket Universe: transaction simulation and anti-phishing prompts;

· Chainlist.org: verified chain information for major EVM networks.

On-chain data and analytics

· Arkham: address labels and entity analysis;

· DeBank: multi-chain asset aggregation;

· Zerion: portfolio and transaction tracking;

· Dune: on-chain data analysis and dashboards;

· DefiLlama: TVL rankings and multi-chain statistics;

· CryptoFees: protocol fee rankings;

· Blocknative: Ethereum gas monitoring;

· Token Terminal: project financial metrics.

Security reminder:

· do not blindly trust third-party airdrop or navigation sites, especially pages that ask for approval at first contact;

· for any page that asks you to connect a wallet, sign, or approve, verify its legitimacy through multiple trusted channels such as the official website, official X account, or GitHub;

· bookmark the official websites of the tools you use often instead of finding them again through search engines.

 


Part II: 100 Security Self-Test Questions

 

Chapter 6 | Security Self-Test

 

Q01–Q25: Creation and Backup

 

True or False

 

Q01: A digital wallet is essentially a vault used to store cryptocurrency. ( )

 

Q02: Whoever holds a wallet’s Private Key has full control over the on-chain assets. ( )

 

Q03: A Recovery Phrase is a seed that can derive all Private Keys, so backing up the Recovery Phrase alone is enough. ( )

 

Q04: If you forget the wallet PIN or password, you can still recover the assets as long as the Recovery Phrase is intact. ( )

 

Q05: After creating a new wallet, you should first test with a small amount before making a large transfer. ( )

 

Q06: A wallet address is generated directly from a Private Key. ( )

 

Q07: If you photograph the Recovery Phrase and save it in your phone album, a phone password makes it absolutely safe. ( )

 

Q08: You can use the same Recovery Phrase to restore assets in different wallet apps. ( )

 

Q09: A Recovery Phrase and a Private Key are the same concept and can be used interchangeably. ( )

 

Q10: Writing a Recovery Phrase on paper is a common backup method, but it still needs extra protection against fire, water, and loss. ( )

 

Q11: If a hardware wallet is connected to a virus-infected computer, the Private Key is at risk of being stolen. ( )

 

Q12: If you switch from one wallet app to another, importing the Recovery Phrase directly into the new app is the correct way to restore the wallet. ( )

 

Multiple Choice

 

Q13: What is the most recommended way to back up a Recovery Phrase? ( )

A. Save a screenshot or photo in the phone album

B. Write it down on paper and store it in a safe place

C. Upload it to cloud storage

D. Send it to your own email or chat app

 

Q14: Which of the following is a correct way to double-check a Recovery Phrase backup? ( )

A. Import the newly created phrase into another device right away and confirm that it restores correctly

B. Ask a friend to help verify that you copied it correctly

C. Rewrite the phrase three times

D. Upload a photo of it to the cloud for future checking

 

Q15: If a stranger accidentally sees your Recovery Phrase before you make a transaction, what should you do? ( )

A. Do not worry—as long as the Private Key is not exposed, it is fine

B. Immediately transfer all assets from that wallet to a brand-new secure wallet

C. Immediately change the wallet password

D. Uninstall and reinstall the wallet

 

Q16: When downloading a wallet app from an app store, what should you check to avoid fake wallets? ( )

A. Download count and reviews

B. Whether the icon looks clear

C. The developer name

D. All of the above

 

Q17: What is the safest environment for generating a Recovery Phrase? ( )

A. A computer connected to public Wi‑Fi

B. A trusted offline device in a private environment without cameras

C. A friend’s phone

D. An open network in a café

 

Q18: Why should you never photograph, screenshot, or upload a Recovery Phrase to the cloud? (Multiple choice)

A. The phone or computer may be infected and the image can be stolen

B. Cloud storage may be hacked or leak

C. Screenshots or photos may remain in cache or albums even after deletion

D. Digital backup is always safer than paper backup

 

Q19: When importing a wallet, where does the biggest security risk come from? ( )

A. Entering the words in the wrong order

B. Importing on an unfamiliar device

C. Using a fake wallet app or phishing website

D. Network instability during import

 

Q20: If someone offers to help you import a wallet, what are the biggest risks? (Multiple choice)

A. They steal your Recovery Phrase or Private Key and then all of your assets

B. They install malware on your device for long-term monitoring and theft

C. They move your assets to an address they control without you noticing

D. They may leak personal information such as your phone number or home address

 

Q21: Before importing a Recovery Phrase, why should you ask yourself whether the device is safe? (Multiple choice)

A. The device may contain malware or trojans that steal the phrase

B. A jailbroken or rooted system is more exposed to malicious programs

C. As long as the device has enough storage, import is safe

D. A stable network connection guarantees import security

 

Q22: Besides paper backup, which method can store a Recovery Phrase more safely for the long term? ( )

A. Save it on a USB drive

B. Use a professional stainless-steel Recovery Phrase backup device and store it safely

C. Save it in an email draft

D. Save it in a phone notes app

 

Q23: What is the main purpose of setting a strong PIN? (Multiple choice)

A. To make the wallet run faster

B. To prevent direct access when someone physically touches the device

C. To increase the difficulty of cracking the device if it is lost

D. To reduce online attack risk

 

Q24: Why is it not recommended to import a Recovery Phrase on a public or unfamiliar device? (Multiple choice)

A. The device may have malware preinstalled that records the phrase

B. Browser extensions or cache may be abused to steal wallet data

C. Public devices may contain keyloggers

D. Changing the PIN right after import eliminates the risk

 

Q25: Why is a professional stainless-steel backup box recommended for Recovery Phrase backup? (Multiple choice)

A. It resists fire and water better than paper

B. It is better for long-term preservation and less likely to blur or break

C. It will not easily fade or grow mold over time

D. It is physically isolated from electronic leakage risks

 

Q26–Q50: Transfers and Approvals

 

True or False

 

Q26: It is safe to verify only the first and last few characters of a wallet address before a transfer. ( )

 

Q27: Disconnecting a wallet from a DApp inside the wallet is the same as revoking all on-chain approvals. ( )

 

Q28: If you use a DApp frequently, it is fine to keep it connected all the time for convenience. ( )

 

Q29: Using a browser extension wallet for DApp interaction is more secure than using a mobile wallet. ( )

 

Q30: If you use a smaller approval amount, your assets are completely safe. ( )

 

Q31: When you receive a tiny airdrop, it is best not to interact with it at all—not even to transfer it away. ( )

 

Q32: To reduce transfer mistakes, the safest method is to use the wallet’s address book. ( )

 

Multiple Choice

 

Q33: Before connecting to a DApp, what should you check carefully? (Multiple choice)

A. Whether the DApp is official and trustworthy

B. Whether the website link is correct and secure, including HTTPS and no spoofed domain

C. Whether the wallet requests unnecessary high permissions after connection

D. Whether the entry point came from an official channel

E. No need to check—just connect directly

 

Q34: What is a phishing website? ( )

A. A fake website that imitates an official site and tricks you into entering a Recovery Phrase or Private Key

B. A website used only for trading niche tokens

C. A website that only provides information and does not support transactions

D. A website that offers free airdrops

 

Q35: During approval, the wallet shows a token name that does not match the token displayed in your wallet. What should you do? (Multiple choice)

A. Ignore the warning and approve directly

B. Cancel the approval immediately and disconnect from the site

C. Try to edit the token name manually

D. Reconnect the wallet

E. Verify the contract address in a block explorer and confirm whether it is the official token contract

 

Q36: What is a token approval lookup tool? ( )

A. A tool for checking historical token prices

B. A tool for checking all token approvals in a wallet

C. A tool for checking token issuer information

D. A tool for checking transaction status on-chain

 

Q37: Why is the transaction confirmation step the core security protection of a hardware wallet? ( )

A. Because confirmation happens online

B. Because the hardware wallet screen displays complete transaction details so you can physically confirm while the Private Key stays offline

C. Because a hardware wallet can block every transaction

D. Because the confirmation button is harder to press

 

Q38: What is a clipboard hijacking attack? ( )

A. Malware modifies the destination address in your clipboard

B. An attacker tricks you into clicking a fake approval link

C. A phishing email tricks you into entering the Recovery Phrase

D. A stranger sends tiny tokens to your wallet to track your activity

 

Q39: If the wallet prompts you to approve a contract during transfer, what does that mean? ( )

A. You are directly sending assets to that contract

B. You are allowing that contract to transfer a specified amount of tokens from your wallet in the future

C. You are confirming an off-chain instruction

D. You are sharing your Private Key with the contract

 

Q40: When you grant unlimited approval to a DApp, what risk are you taking? ( )

A. Your wallet may be remotely controlled by a hacker

B. The contract can move all tokens of that type in your wallet without another confirmation

C. The contract can steal your Private Key

D. There is no risk because you can revoke it at any time

 

Q41: When you receive an unknown token in a very small amount, what is the correct response? ( )

A. Transfer it away immediately to avoid being tracked

B. Sell it for another token

C. Ignore it and do not interact with it

D. Contact the sender and ask what it is


Q42: If your last approval or transfer has been pending for a long time, how should you handle it safely? ( )

A. Use the speed-up function in the same wallet to raise the gas fee for that transaction

B. Repeatedly resubmit the same transaction until one succeeds

C. Switch to another wallet or unknown DApp and resubmit there

D. Import the Recovery Phrase into a third-party site that claims instant confirmation

 

Q43: Before making a large transfer, what is the safest practice? ( )

A. Ask the recipient for their Private Key to verify identity

B. First make a small test transfer and confirm receipt before sending the large amount

C. Turn off all network connections during the transaction

D. Take a screenshot of the transfer record

 

Q44: If a stranger sends you an airdropped token and asks you to approve it to claim rewards, what should you do? ( )

A. Approve it immediately so you do not miss out

B. Ignore the airdrop and do not approve or trade it

C. Move the token to another wallet first

D. Contact the project to verify it first

 

Q45: In a Web3 wallet, what is the main purpose of the signature function? ( )

A. To confirm the uniqueness of a transaction

B. To verify identity and prove that you control the wallet

C. To directly move assets

D. To encrypt the Recovery Phrase

 

Q46: Why must you be especially cautious about unlimited approvals during DApp interaction? ( )

A. Because unlimited approvals consume more gas

B. Because unlimited approvals may lead to remote wallet control

C. Because a malicious contract that gets unlimited approval can move your assets at any time

D. Because unlimited approvals expose your Private Key


Q47: If a DApp website looks suspicious even though the page runs smoothly, what should you do? (Multiple choice)

A. Connect the wallet immediately and try it

B. Close the webpage at once and check or disconnect wallet connections

C. Contact the site’s customer service

D. Verify authenticity through the project’s official channels or community

 

Q48: What is the essence of approval risk? ( )

A. Giving away your Private Key

B. Allowing a malicious contract or wallet address to move your assets

C. Giving away your personal information

D. Giving away your transaction history

 

Q49: If the wallet prompts you to pay a very high gas fee, what should you do? (Multiple choice)

A. Cancel the transaction immediately

B. Check network congestion or wait for gas to come down

C. Contact customer support to ask why

D. Pay it immediately to ensure fast confirmation

 

Q50: Which practice is most effective for reducing approval risk? ( )

A. Always give unlimited approval to frequently used DApps to reduce repeated prompts

B. Regularly review and revoke unnecessary approvals with approval-management tools

C. Save the Recovery Phrase in a password manager to make approvals easier

D. Ignore the contract address and only check whether the token name looks right

 

Q51–Q75: Anti-Scam and Risk Response

 

True or False


Q51: If you forget the wallet’s local password or fingerprint, the assets are permanently lost. ( )

 

Q52: Anyone who asks for your Recovery Phrase by any means is a scammer. ( )

 

Q53: If someone has seen your Recovery Phrase but no assets have been stolen yet, the wallet is still safe. ( )

 

Q54: If you clicked a phishing site but did not enter any information, there is definitely no risk. ( )

 

Q55: A wallet address can be made public because it cannot transfer assets by itself. ( )

 

Q56: It is unnecessary to make a small test transfer before a large one. ( )

 

Q57: Only computers can be infected; phones do not affect wallet security. ( )

 

Q58: If you choose the wrong network for a token transfer, the recipient will still receive it as long as the address is correct. ( )

 

Q59: Clipboard hijacking only affects text messages and does not affect wallet addresses in the clipboard. ( )

 

Q60: Keeping your phone or computer system and apps updated helps defend against known vulnerabilities. ( )

 

Q61: Because blockchain transactions are irreversible, there is no need to take any action after a wallet is stolen. ( )

 

Multiple Choice

 

Q62: After joining a project’s Discord or Telegram, you receive a private message from an “admin” asking you to click a link to verify your wallet or sync assets. What should you do? ( )

A. Click the link and connect the wallet immediately

B. Ask them to show ID before proceeding

C. Ignore and block them, then check the project’s official pinned announcements and report them if needed

D. Try a small signature or approval first

 

Q63: A stranger claims they can remotely solve your wallet problem and asks you to download remote-control software. What is the correct response? (Multiple choice)

A. Accept the remote assistance

B. Stop the conversation immediately and report it to the platform

C. Negotiate with them

D. Download it but allow view-only access

E. Seek help only through official support or a verifiable ticket system

 

Q64: When you see a project that claims capital protection, high yield, and zero risk, how should you judge and handle it? (Multiple choice)

A. It is highly likely to be a Ponzi-style scam, so stay alert

B. Test with a small amount and add more after recovering your principal

C. Trust only official channels and do not connect, approve, or transfer on unfamiliar pages

D. Audit reports and profit screenshots are enough to join

 

Q65: What are the core risks of vanity address scams? (Multiple choice)

A. The seller may retain or record the Private Key or Recovery Phrase and move the funds at any time

B. The addresses may be generated in bulk by scripts and archived for later theft

C. If the address can be found on-chain, it must be safe

D. Changing the Private Key and resetting the Recovery Phrase after purchase makes it safe

 

Q66: What are common OTC scam patterns? (Multiple choice)

A. Sudden cancellation of the trade

B. Receiving the crypto but refusing or reversing payment

C. Installing malware on your device

D. Forging or altering payment receipts or on-chain proof screenshots

 

Q67: Which situations suggest that you are facing a fake official loan scam? (Multiple choice)

A. Someone claiming to be official support promises low interest and instant approval but asks for a deposit or unfreeze fee first

B. You are told to download unofficial software or visit an unfamiliar site to apply

C. You are told to transfer funds into a “supervisory account” with a promise of immediate return

D. You are told to enter a Recovery Phrase because of a system upgrade or frozen limit

E. They only ask for bank-card and personal information

 

Q68: What is a hardware-wallet supply-chain attack? (Multiple choice)

A. Malicious firmware or chips are implanted before the wallet is sold

B. The price of the hardware wallet is raised by a dishonest seller

C. Attackers pretend to be the official team and offer free tampered devices

D. Genuine devices are repackaged after being tampered with and sold cheaply through unauthorized channels

 

Q69: What are good habits when using a browser extension wallet to interact with DApps? (Multiple choice)

A. Grant unlimited approvals immediately

B. Verify the domain, HTTPS, and official entry point

C. Enter the Recovery Phrase on the webpage for verification

D. Close the browser and restart the computer

E. Use only the minimum necessary approval and revoke it afterward

 

Q70: What is a multisig scam? (Multiple choice)

A. Scammers steal your Recovery Phrase or Private Key through a fake wallet or phishing site and then change the account into a multisig wallet that requires their signature

B. A SIGERROR in a TRX wallet often indicates that permissions were modified and the account was set to multisig, so you can no longer transfer out alone

C. This scam only happens on Bitcoin and has nothing to do with TRX

D. The scammer lures you to keep depositing assets and then steals them later using the permission control

 

Q71: Besides checking the address carefully, what is a safer way to defend against address poisoning? ( )

A. Type the address manually every time

B. Add frequently used verified addresses to an address book or whitelist and select only from there

C. Send only to acquaintances

D. Use only centralized exchanges

 

Q72: While browsing a webpage, the wallet suddenly asks you to sign something even though you were not performing an operation. What should you do? ( )

A. Sign it immediately

B. Close the page, disconnect the wallet, and check or clear approvals

C. Refresh the page

D. Contact the website’s customer service

 

Q73: If the recipient address shown during a transfer does not match the address you copied, what is the most likely reason? ( )

A. The trading platform has a system error

B. The device clipboard has been hijacked or infected with malware

C. The network is unstable

D. The wallet itself has been hacked

 

Q74: Why is it not recommended to back up wallet data or a Recovery Phrase in the cloud? ( )

A. It takes up space

B. It may be hacked or leaked and may sync automatically across multiple devices

C. It slows the device down

D. It costs money

 

Q75: If you receive a text message from an unknown number claiming that your wallet service will stop and telling you to click a link to update the account, what should you do? (Multiple choice)

A. Click the link immediately and follow the instructions

B. Immediately call the official support number to verify the message

C. Ignore and delete the message, because a decentralized wallet team would not know your phone number

D. Use your usual browser to visit the official website directly and check the account yourself

Q76–Q100: Advanced Usage and Correcting Misconceptions

 

True or False

 

Q76: Even if a hardware wallet is connected to a virus-infected computer, the assets remain safe. ( )

 

Q77: A Recovery Phrase is the same thing as the wallet. As long as it is not leaked, the assets are safe. ( )

 

Q78: If a DApp website found through a search engine or AI search looks official, you can connect your wallet and sign or approve directly. ( )

 

Q79: If I gave a DApp unlimited approval, my assets are safe as long as I do not trade. ( )

 

Q80: If the popup says “Sign” rather than “Transfer,” it is always safe because signing does not create asset risk. ( )

 

Q81: Any decentralized wallet can fully restore all of my assets as long as the Recovery Phrase is correct. ( )

 

Q82: A multisig wallet is mainly intended for personal daily spending. ( )

 

Q83: Writing the Recovery Phrase on paper and locking it in a safe is an absolutely secure backup method. ( )

 

Q84: Official customer support will never proactively contact you by private message, phone call, or SMS. ( )

 

Q85: In an OTC trade, even if the counterparty provides proof of payment, you should wait for on-chain confirmation before releasing the assets. ( )

 

Q86: Even if I forget the wallet’s local password, I can still restore the assets by re-importing the wallet as long as my Recovery Phrase backup is intact. ( )

 

Q87: A block explorer such as Etherscan can be used to track transaction status and review the tokens and historical transactions under an address. ( )

 

Q88: If a phone is infected, uninstalling and reinstalling the wallet app can remove all security risk. ( )

 

Q89: When using a hardware wallet, the transaction signature is completed inside the device’s secure chip. ( )

 

Q90: As long as a downloaded wallet app is official, you can ignore all other security reminders. ( )

 

Multiple Choice

 

Q91: What is a derivation path? ( )

A. The random algorithm used by a wallet to generate the Recovery Phrase

B. A tool for tracking the path of a transaction on-chain

C. A path rule that determines how addresses are derived and arranged in a wallet

D. The algorithm that turns a Recovery Phrase into a Private Key

 

Q92: When confirming a transaction on a hardware wallet, the transaction details on the device screen do not match the computer screen. What should you do? ( )

A. Ignore the hardware wallet screen and trust the computer screen

B. Stop immediately and disconnect the hardware wallet

C. Refresh the computer page and see whether it syncs

D. Continue the transaction and ask official support afterward

 

Q93: What is a multisig wallet? ( )

A. A wallet that manages assets on multiple blockchains at once

B. A wallet that requires multiple Private Keys to sign before a transaction can be executed

C. A wallet that can be used simultaneously on multiple devices

D. A wallet that supports trading multiple currencies at the same time

 

Q94: What is the role of a security-tool navigation site? ( )

A. To check approvals, monitor risk, and improve security

B. To generate tokens

C. To claim free airdrops

D. To increase internet speed

 

Q95: What should you do first after discovering that wallet assets have been stolen? ( )

A. Immediately move the remaining assets to a safe address

B. Call the police and contact wallet support right away

C. Delete the wallet app and disconnect from the internet

D. Stay calm and analyze the reason for the theft

 

Q96: Why is it not recommended to keep all large balances in one hot wallet? ( )

A. Because hot wallets are slower than cold wallets

B. Because hot wallets are more exposed to online threats such as network attacks

C. Because hot wallets do not support multiple tokens

D. Because hot wallets always have higher transaction fees

 

Q97: If you use a browser extension wallet that has not been officially verified, what is the biggest risk? ( )

A. It may be a phishing tool designed to steal your Recovery Phrase or Private Key

B. Your browser will run more slowly

C. You will not be able to interact with DApps

D. It cannot save your transaction records

 

Q98: What is an on-chain label or on-chain flag? ( )

A. Marking a suspicious address on-chain or in an explorer to warn other users

B. Creating a permanent token label on-chain

C. Recording the names of all tokens in your wallet

D. Recording the timestamp of a transaction being packed into a block

 

Q99: In DApp interaction, what is the main difference between signature and approval? ( )

A. Signature confirms intent, while approval grants asset-spending permission

B. Signature can be revoked but approval cannot

C. Signature requires gas but approval does not

D. Signature is only for login and approval is only for trades

 

Q100: Which of the following is not an advantage of a cold wallet? ( )

A. Assets remain stored offline for long periods, giving a higher security level

B. It is less likely to be hacked

C. The transaction process is relatively complicated and not suitable for high-frequency use

D. It is suitable for long-term storage of large balances

 


Part III: Appendix

 

Common Terms

 

Consensus

The mechanism by which blockchain nodes agree on the validity and order of transactions. Common models include Proof of Work (PoW) and Proof of Stake (PoS).

 

Node

A device or server connected to a blockchain network that stores, verifies, and relays data. Light nodes sync only block headers and verify transactions in a simplified way.

 

Mainnet / Testnet

Mainnet is the live production blockchain where real assets circulate. Testnet is a testing environment used for development and experimentation.

 

On-chain / Off-chain

On-chain refers to data or actions recorded directly on the blockchain. Off-chain refers to data or actions handled outside the blockchain.

 

Smart Contract

A self-executing program deployed on a blockchain. When predefined conditions are met, it executes automatically according to code.

 

Trustless

Not “trust-free,” but a model that shifts trust from people or institutions to publicly verifiable code and consensus rules.

 

Private Key

A high-entropy secret used to generate signatures and prove control over assets. Whoever holds it controls the assets at the corresponding address.

 

Public Key

Derived one-way from the Private Key. It is used to verify signatures and as the basis for generating addresses.

 

Address

A public identifier on the blockchain used to receive assets. It is derived from the Public Key and does not itself grant spending rights.

 

Recovery Phrase / Mnemonic

A sequence of 12, 15, 18, 21, or 24 words generated according to standards such as BIP39 (12 and 24 are the common lengths). Together with an optional passphrase, it produces the seed from which the full set of wallet keys and addresses is derived.

 

Keystore

An encrypted JSON file that stores a Private Key protected by a password.

 

Signature

A cryptographic proof created with a Private Key to prove authenticity and integrity without revealing the key.

 

Derivation Path

The rule set used by an HD wallet to derive Private Keys, Public Keys, and addresses from the same Recovery Phrase.

 

Cold Wallet

A wallet whose Private Key remains offline throughout use.

 

Hot Wallet

A wallet whose Private Key is stored on an internet-connected device.

 

Hardware Wallet

A typical form of cold wallet that uses a secure element to generate, store, and sign with the Private Key inside the device.

 

Multisig

A mechanism that requires multiple Private Keys to sign a transaction before it can be executed.

 

Binding Code

A unique identifier generated during first-time pairing of a hardware wallet to confirm the device identity and establish a secure connection.

 

PIN Code

A local password set on a hardware wallet or device to unlock it and confirm operations.

 

Transaction (TX)

Any on-chain action that changes blockchain state, including transfers, contract calls, approvals, and contract deployment.

 

Gas Fee

The network fee paid to execute a transaction or smart contract operation.

 

Nonce

A sequential counter attached to each transaction sent from an address on account-based chains such as Ethereum. It enforces ordering and prevents the same signed transaction from being replayed; a stuck transaction is replaced by resending with the same nonce and a higher fee.

 

Confirmations

The number of blocks built on top of the block that contains a transaction. More confirmations usually mean stronger finality.

 

Slippage

The difference between the expected trading price and the actual executed price.

 

Ethereum

A decentralized blockchain platform that supports smart contracts and DApps. Its native token is ETH.

 

EVM

The Ethereum Virtual Machine, the execution environment for Ethereum smart contracts and many EVM-compatible chains.

 

Layer 1 (L1)

The base blockchain layer with its own consensus and security model.

 

Layer 2 (L2)

A scaling layer built on top of an L1 to improve throughput, speed, and cost while inheriting part of the L1’s security.

 

RPC

Remote Procedure Call. In blockchain usage, an RPC endpoint lets clients communicate with a node to query data and send transactions.

 

Bridge

A mechanism used to transfer assets or messages between different blockchains or layers.

 

Token

A blockchain-based digital asset created through smart contracts. It may represent value, rights, tickets, or real-world assets.

 

Native Token

The original coin of a blockchain network, such as ETH on Ethereum.

 

ERC-20

The standard for fungible tokens on Ethereum.

 

ERC-721

The standard for non-fungible tokens (NFTs) on Ethereum.

 

ERC-1155

A multi-asset token standard that can represent both fungible and non-fungible assets.

 

Approval / Allowance

An on-chain permission that lets a spender (usually a contract) transfer up to a specified amount of your tokens on your behalf, without prompting you again, until the allowance is used up or revoked.

 

DEX

A decentralized exchange that lets users trade without depositing funds into a centralized platform.

 

AMM

Automated Market Maker. A trading mechanism based on liquidity pools rather than traditional order books.

 

Liquidity

The availability of assets in a market or pool that allows trades to be executed efficiently.

 

NFT

A non-fungible token representing a unique digital asset or ownership record.

 

MEV

Maximal Extractable Value, the value that can be captured by controlling the order, inclusion, or exclusion of transactions.

 

WYSIWYS

“What You See Is What You Sign.” A core hardware-wallet principle: the details shown on the device screen are exactly what you are authorizing.

 


Official Links

 

Wallets

· imToken — https://token.im

· imKey — https://imkey.im

· MetaMask — https://metamask.io

· Rabby — https://rabby.io

· OneKey — https://onekey.so

 

Security / Operations

· SlowMist — https://www.slowmist.com

· Revoke.cash — https://revoke.cash

· Gnosis Safe — https://safe.global

· ScamSniffer — https://scamsniffer.io

· ChainList — https://chainlist.org

 

Data / Analytics

· DeBank — https://debank.com

· Zerion — https://zerion.io

· CoinMarketCap — https://coinmarketcap.com

· CoinGecko — https://www.coingecko.com

· Dune — https://dune.com

· DeFiLlama — https://defillama.com

· Arkham — https://arkm.com

· CryptoFees — https://cryptofees.info

· Token Terminal — https://tokenterminal.com

· Blocknative Gas Estimator — https://www.blocknative.com/gas-estimator

 

Exchanges and DeFi / NFT Platforms

· Binance — https://www.binance.com

· OKX — https://www.okx.com

· Coinbase — https://www.coinbase.com

· Bybit — https://www.bybit.com

· Kraken — https://www.kraken.com

· Gate.io — https://www.gate.io

· Uniswap — https://app.uniswap.org

· SushiSwap — https://www.sushi.com

· PancakeSwap — https://pancakeswap.finance

· Curve — https://www.curve.finance

· Aave — https://aave.com

· Lido — https://lido.fi

· Tokenlon — https://tokenlon.im

· OpenSea — https://opensea.io

 

Common Blockchain Explorers

 

Mainstream Layer 1 explorers

Layer 2 and EVM-compatible network explorers

Security Starts with Action

 

Wallet security does not depend on a single tool, but on your daily decisions. Stay skeptical, verify critical information from official channels, and build habits that make attacks harder to succeed.

Chapter 6 | Security Self-Assessment

Q01-Q25: Creation / Backup

 

True or False

Q01: The essence of a digital wallet is a vault used to store cryptocurrency. ( )

Correct Answer: False

Analysis:

Key takeaway: A wallet does not store your coins. Your assets always remain on the blockchain. A wallet is simply a tool for managing your Private Key / Recovery Phrase.

Best practice: Store your Recovery Phrase (or Private Key) safely offline. Even if you change devices or apps, you can still restore your assets in a legitimate wallet with your Recovery Phrase.


Q02: Whoever controls a wallet's private key has full control over the on-chain assets in that wallet. ( )

Correct Answer: True

Analysis:

Key takeaway: Private Key = asset control. If anyone gets your Private Key / Recovery Phrase, they can move your assets on any device.

Best practice: Never photograph, screenshot, or store your Recovery Phrase online. Never enter it into unknown apps or websites.


Q03: A Recovery Phrase is a seed that can derive all private keys, so backing up the Recovery Phrase alone is enough. ( )

Correct Answer: True

Analysis:

Key takeaway: It is essentially a seed that can derive all private keys, public keys, and addresses through a deterministic algorithm. Therefore, as long as you keep your Recovery Phrase safe, you can fully restore your wallet and assets even if your device is lost or replaced. One caveat: if the wallet was created with an optional BIP39 passphrase (sometimes called the 25th word), the words alone restore a different, empty set of accounts, so the passphrase must be backed up as well.

Backup tips: Write it down offline and store copies separately (paper / metal backup). Do not photograph it, screenshot it, or save it in cloud drives or chat tools.


Q04: If you forget your wallet PIN or password, you can still recover your assets as long as you still have the Recovery Phrase. ( )

Correct Answer: True

Analysis:

Key takeaway: A wallet password only protects local access and decryption on that device. Your assets can still be restored in any compatible wallet with the Recovery Phrase.

Best practice: Download the wallet app only from official sources, restore the wallet by entering the Recovery Phrase offline, and then set a strong password and biometric protection again.


Q05: After creating a new wallet, you should first deposit a small amount for testing, and only send a large amount after confirming everything is correct. ( )

Correct Answer: True

Analysis:

Key takeaway: A small test transfer verifies whether the address is correct, whether the right network is selected, and whether the wallet can send and receive normally.

Best practice: Test with a small amount first, confirm receipt, and then move larger amounts in batches. Enable your address book and whitelist, and for important transfers, verify the details on a hardware wallet screen whenever possible.


Q06: A wallet address is generated directly from a private key. ( )

Correct Answer: False

Analysis:

Key takeaway: The standard process is Private Key -> Public Key -> Address (derived through hashing / encoding). The address is not generated directly from the Private Key.

Best practice: Remember that public keys and addresses can be shared, but your Private Key and Recovery Phrase must never be exposed.


Q07: If you photograph your Recovery Phrase and save it in your phone's photo album, it is absolutely safe as long as your phone has a password. ( )

Correct Answer: False

Analysis:

Key takeaway: Photos in the gallery are often synced to the cloud automatically or readable by any app with media permissions, so a phone password does not protect them.

Risks: Cloud sync (iCloud / Google), app permissions, malware, accidental sharing, or screen mirroring.

Best practice: Do not digitize it. Write it down on paper or engrave it on metal, and keep it legible, waterproof, and fireproof.


Q08: You can use the same Recovery Phrase in different wallet apps to restore your assets. ( )

Correct Answer: True

Analysis:

Key takeaway: Most mainstream wallets follow BIP39 / BIP44 rules, so cross-wallet recovery is usually possible.

Best practice: Download wallets only from official channels, and confirm the chain and derivation path match before proceeding.


Q09: A Recovery Phrase and a Private Key are the same thing and can be used interchangeably. ( )

Correct Answer: False

Analysis:

Recovery Phrase: A set of words used to generate a seed, which can then derive a full set of private keys and addresses through derivation paths (across multiple chains and accounts).

Private Key: Usually corresponds to a single address and is used to sign transactions for that address.

Relationship:

Recovery Phrase -> Seed -> Derivation path (such as BIP44) -> many Private Keys / addresses.

You can derive a Private Key from a Recovery Phrase, but you cannot recover the original Recovery Phrase from a single Private Key.

Common misconceptions:

Backing up one Private Key does not equal backing up the entire wallet. After switching wallets, you may not see your other addresses.

Losing the Recovery Phrase may mean losing an entire set of addresses and assets, not just one.

Best practice:

Back up and store the Recovery Phrase safely (offline on paper / metal, in separate locations). If needed, also record the derivation path and whether a passphrase is used.

After importing into a new wallet, compare the addresses first and run a small test before further use. Never enter your Recovery Phrase casually into websites or unknown apps.
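The chain Recovery Phrase -> Seed -> Derivation path described above can be checked with a few lines of standard-library Python. The script below is an added example written for this edition, not code from the handbook or from imKey. It implements the BIP39 seed step and the hardened levels of BIP32 (the 44'/60'/0' part of a BIP44 path) using only hashlib and hmac. It deliberately skips the BIP39 word checksum, which needs the 2048-word list, and the non-hardened levels, which need secp256k1 public-key arithmetic. The mnemonic is the all-"abandon" BIP39 test vector, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; every BIP32 private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# BIP39 test vector (entropy = 16 zero bytes). NOT a real wallet.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 step: words (+ optional passphrase) -> 64-byte seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase, NFKD text.
    The word checksum is not validated here (it needs the 2048-word list).
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 step: seed -> (master private key, master chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("invalid master key (probability about 2^-128); use another seed")
    return key, chain_code


def derive_hardened(k_par: bytes, c_par: bytes, index: int) -> tuple[bytes, bytes]:
    """BIP32 hardened child derivation (written index' in a path).

    Needs only the parent private key and chain code, so the 44'/60'/0'
    levels of a BIP44 path can be walked without any elliptic-curve code.
    """
    if not 0 <= index < 2**31:
        raise ValueError("hardened index must be below 2^31")
    data = b"\x00" + k_par + (index + 0x80000000).to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    k_child = (il + int.from_bytes(k_par, "big")) % SECP256K1_N
    if il >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child key; BIP32 says skip to the next index")
    return k_child.to_bytes(32, "big"), digest[32:]


def derive_hardened_path(seed: bytes, path: str) -> tuple[bytes, bytes]:
    """Walk a path made of hardened levels only, e.g. "m/44'/60'/0'"."""
    levels = path.split("/")
    if levels[0] != "m":
        raise ValueError("path must start with m")
    key, chain_code = master_key(seed)
    for level in levels[1:]:
        if not level.endswith("'"):
            raise ValueError(f"{level}: non-hardened levels need the public key; not shown here")
        key, chain_code = derive_hardened(key, chain_code, int(level[:-1]))
    return key, chain_code


if __name__ == "__main__":
    # Same twelve words, two passphrases: two unrelated seeds and account keys.
    for passphrase in ("", "TREZOR"):
        seed = mnemonic_to_seed(TEST_MNEMONIC, passphrase)
        acct_key, _ = derive_hardened_path(seed, "m/44'/60'/0'")
        print(f"passphrase={passphrase!r:9} seed={seed.hex()[:16]}... "
              f"m/44'/60'/0' key={acct_key.hex()[:16]}...")
```

Running it shows why the handbook asks you to record whether a passphrase is used: the same twelve words with an empty passphrase and with "TREZOR" give unrelated seeds, and every step is a hash, so there is no way back from a child private key to the seed or the words.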


Q10: Writing a Recovery Phrase on paper is a common backup method, but you still need extra protection against fire, water, and loss. ( )

Correct Answer: True

Analysis:

Key takeaway: Paper is flammable, vulnerable to moisture, easy to tear, and can fade over time. A single storage location also creates fire, flood, or moving-related risks.

Best practice: Seal paper backups in moisture-proof bags, keep at least two copies in separate locations, upgrade to metal backups for critical use cases, and control access with a safe or secure deposit box. 


Q11: When a hardware wallet is connected to a computer, if the computer is infected with malware, my private key may be stolen. ( )

Correct Answer: False

Analysis:

Key takeaway: A hardware wallet is designed to isolate the Private Key. Even if it is connected to an infected computer, the Private Key remains inside the secure chip and never leaves the device. What an infected computer can still do is present you with a different transaction from the one you intended, which is why the device screen is the only thing to trust.

Best practice:

Trust only the device screen: Verify the recipient address and amount character by character on the hardware wallet itself, rather than relying on the computer screen.

Refuse blind signing, disable unnecessary unlimited approvals, and revoke old approvals regularly.


Q12: If you switch from one wallet app to another, importing the Recovery Phrase directly into the new app is the correct approach. ( )

Correct Answer: True (with conditions)

Analysis:

Key takeaway: Recovery Phrases generally follow standards such as BIP39 / BIP44, so cross-wallet recovery is valid. However, the new app must be trustworthy. If you import into a fake wallet, your assets may be stolen immediately.

Best practice:

Download only from the official store or official website.

Verify the developer name, version number, and signature.

Use a clean device or an offline environment.

Run a small test first after recovery.


Multiple Choice

Q13: When backing up a Recovery Phrase, which method is most recommended? ( )

A. Save a screenshot or photo in your phone gallery

B. Write it on paper and keep it in a secure place

C. Upload it to cloud storage service

D. Send it to your own email or chat app

Correct Answer: B

Analysis:

Why: Offline physical backups such as paper or metal have the lowest overall risk because they are not exposed to the internet.

Best practice: Use paper with moisture-proof/fireproof protection, or upgrade to a metal backup. Store copies in multiple locations and control access carefully.


Q14: Which of the following counts as secondary verification of a Recovery Phrase? ( )

A. After creating the wallet, import the Recovery Phrase into another new device to confirm it can restore the wallet

B. Ask a friend to help check whether you copied the Recovery Phrase correctly

C. Copy the Recovery Phrase three times to make sure it is correct

D. Photograph the Recovery Phrase and upload it to the cloud for easy checking

Correct Answer: A

Analysis:

Why: The point of secondary verification is to perform a real recovery test and confirm that no words were copied incorrectly or omitted.

Best practice: Test the import on a clean, offline second device, and only start formal use after confirming it works.


Q15: If a stranger accidentally sees your Recovery Phrase before a transaction, what should you do? ( )

A. Do not worry. As long as the Private Key is not exposed, it is fine.

B. Immediately transfer all assets in that wallet to a brand-new, secure wallet.

C. Immediately change the wallet password.

D. Uninstall and reinstall the wallet immediately.

Correct Answer: B

Analysis:

Why: Once the Recovery Phrase is exposed, an attacker can restore the wallet on any device at any time and move your assets.

Best practice: Create a new wallet on a new device immediately. After a small test, migrate all assets out of the old wallet.


Q16: When downloading a wallet app from an app store, what should you check to avoid fake apps? ( )

A. Download volume and reviews

B. Whether the app icon looks clear

C. The developer name

D. All of the above

Correct Answer: D

Analysis:

Why: Cross-checking multiple signals significantly reduces risk: whether the developer matches the official website, whether download volume and reviews look reasonable, how often the app is updated, and whether the official site links to the store page.

Best practice: Use the official website landing page to jump to the store, verify the developer and signature, and review permissions and update logs. 


Q17: What is the safest environment for generating a Recovery Phrase when creating a wallet? ( )

A. A computer connected to public Wi-Fi

B. A trusted device kept offline, in a private space with no cameras

C. A friend's phone

D. An open network in a coffee shop

Correct Answer: B

Analysis:

Why: Seed generation should be fully offline to avoid eavesdropping, synchronization, or malware reporting.

Best practice: Use a cold environment such as an offline phone or hardware wallet, back up the Recovery Phrase physically right away, and verify that it can restore the wallet.


Q18: Why should you never photograph, screenshot, or upload a Recovery Phrase to the cloud?  ( ) [Multiple Choice]

A. Your phone or computer may be infected, and the photo could be stolen

B. Cloud storage may be hacked or leaked

C. Even if deleted, screenshots or photos may still remain in cache or albums

D. Digital backups are safer and more reliable than paper backups

Correct Answer: A / B / C

Analysis:

Why: Digital backups leave plaintext traces that can be copied, such as in galleries, cache, cloud storage, and chat history. Once leaked, the damage is irreversible.

Best practice: Use offline physical backups (paper / metal) and store them separately. If digital storage is absolutely necessary, use offline encrypted media that never goes online and apply strict access control.


Q19: When importing a wallet, where does the biggest security risk come from? ( )

A. Entering the Recovery Phrase in the wrong order

B. Importing on an unfamiliar device

C. Using a fake wallet app or phishing website

D. Unstable internet during import

Correct Answer: C

Analysis:

Key takeaway: The greatest risk during import is a fake wallet or phishing site. If you enter your Recovery Phrase there, your root credentials are exposed instantly, and the attacker can restore the wallet on any device and move your assets.

Best practice:

Download through the official website landing page to the official app store, and verify the developer and domain.

Never enter a Recovery Phrase into a web form. Use only a local app or hardware device.

Use your own clean, non-jailbroken device. If needed, check addresses in watch-only mode first before taking action.


Q20: If someone offers to help you import your wallet, what is the biggest risk you may face?  ( ) [Multiple Choice]

A. They may steal your Recovery Phrase or Private Key and take all your assets

B. They may install malware on your device for long-term monitoring and theft

C. They may move your assets to a new address they control without your knowledge

D. They may leak your personal information, such as your phone number or home address

Correct Answer: A / B / C

Analysis:

Key takeaway: Letting someone else import or operate your wallet means handing over control. A, B, and C can all directly lead to asset theft and are the biggest risks. D is also bad, but it is not the primary control-risk issue.

Best practice:

Never lend out or display your Recovery Phrase.

Import the wallet yourself on a clean, offline device.

If the phrase has already been exposed, migrate your assets to a new wallet immediately and retire the old Recovery Phrase.


Q21: Why should you ask yourself whether a device is secure before importing a Recovery Phrase? ( ) [Multiple Choice]

A. The device may contain malware or trojans that can steal the Recovery Phrase

B. The system may be jailbroken or rooted, making it more vulnerable to malicious software

C. As long as the device has enough storage, it is safe to import

D. As long as the network connection is stable, the import process is safe

Correct Answer: A / B

Analysis:

Key takeaway: Malware, credential-stealing plugins, and the weaker isolation on jailbroken or rooted devices can leak your Recovery Phrase in plaintext as soon as you enter it.

Best practice:

Use a clean device that is not jailbroken or rooted, has the latest system patches, and contains only necessary apps.

Disconnect from the internet to inspect the environment beforehand, and keep the device offline during import when possible.

Run a small test right after import.


Q22: Besides paper backups, which method can store a Recovery Phrase more securely for the long term? ( )

A. Save it on a USB flash drive

B. Use a professional stainless-steel Recovery Phrase backup and keep it in a secure place

C. Save it in an email draft

D. Save it in a phone note app

Correct Answer: B

Analysis:

Key takeaway: Offline physical storage, or offline encrypted media, is better suited for long-term preservation. A stainless-steel backup protects against fire and water and offers stronger durability.

Best practice: Use a professional stainless-steel Recovery Phrase backup and store copies separately.


Q23: What is the main purpose of setting a strong PIN? ( ) [Multiple Choice]

A. To improve wallet performance speed

B. To prevent someone with physical access to the device from opening your wallet directly

C. To increase the difficulty of cracking the wallet even if the device is lost

D. To reduce the risk of network attacks

Correct Answer: B / C

Analysis:

Key takeaway: A PIN, local screen lock, and biometrics mainly protect against physical access and slow down offline brute-force attacks.

Best practice:

Set a strong PIN and avoid birthdays or simple sequences.

Enable device encryption and auto-lock.

Combine local protection with offline Recovery Phrase protection to form a dual defense.


Q24: Why is it not recommended to import a Recovery Phrase on a public computer or an unfamiliar device? ( ) [Multiple Choice]

A. These devices may already contain pre-installed trojans that record your Recovery Phrase

B. Browser plugins or cached data may be exploited to steal wallet information

C. Public devices may have keyloggers that monitor your input

D. As long as you change the PIN right after import, the risk is avoided

Correct Answer: A / B / C

Analysis:

Key takeaway: Public or unfamiliar devices are not under your control. Entering a Recovery Phrase on them makes plaintext interception very likely. Changing the PIN only affects local unlocking, not a seed that has already been exposed.

Best practice: Import only on your own clean device, run a small test after import, and use a hardware wallet when appropriate.


Q25: Why is it recommended to back up a Recovery Phrase with a professional stainless-steel backup? ( ) [Multiple Choice]

A. It is fireproof and waterproof, and more durable than paper

B. It can be stored for a long time without becoming blurry or damaged

C. It will not fade or grow mold over time

D. It is physically isolated and avoids the leakage risk of electronic devices

Correct Answer: A / B / C / D

Analysis:

Key takeaway: A professional stainless-steel Recovery Phrase backup is heat-resistant, corrosion-resistant, pressure-resistant, and durable, making it suitable for long-term storage of critical credentials. It also does not rely on electronic systems, so it is naturally isolated from network exposure.


Q26-Q50: Transactions / Approvals

 

True or False

Q26: It is safe to verify only the first and last few characters of a wallet address before transferring funds. ( )

Correct Answer: False

Analysis:

Key takeaway: Checking only the beginning and end of an address makes you vulnerable to "Address Poisoning" or "Similar Address" scams.

Best practice: Verify the full address character by character, pay special attention to several characters in the middle, enable your address book or whitelist, and send a small test amount before large transfers.


Q27: Disconnecting a wallet from a DApp is the same as revoking all on-chain approvals. ( )

Correct Answer: False

Analysis:

Key takeaway: Disconnecting only ends the front-end session and automatic prompts. It does not change on-chain state. An approved contract may still transfer your tokens. To revoke approval, you must do it on-chain, for example with Revoke.cash.

Best practice: Review each Token + approved Spender + allowance in an approval management tool, revoke unnecessary or unlimited approvals, and wait for on-chain confirmation.


Q28: If you use a DApp frequently, it is fine to keep it connected all the time for convenience. ( )

Correct Answer: False

Analysis:

Key takeaway: A connection alone does not move your funds, but keeping a DApp connected lets the site request signatures or approvals at any time. If the site is compromised or hijacked, you are more likely to sign something by mistake.

Best practice: Disconnect after use, clear permissions regularly, and use separate addresses or accounts for sensitive operations.


Q29: Interacting with DApps through a browser extension wallet is more secure than using a mobile wallet. ( )

Correct Answer: False

Analysis:

Key takeaway:

Browser environments have a larger attack surface: the extension shares the browser with every webpage you open and is more exposed to malicious extensions, phishing pages, and script injection.

Desktop isolation is weaker: desktop systems often contain many apps and extensions, and clipboard hijacking or keylogging is more common. Mobile wallets operate inside a sandbox, so exposure is generally more limited.

The form factor itself is not inherently safer: an extension is not automatically safer, and mobile is not absolutely safe either. Security depends on your habits and whether you use hardware signing.

Best practice:

Use a hardware wallet for large amounts and verify the address, chain, and amount on the device screen before signing.

Minimize exposure: use extension wallets in a dedicated browser or separate profile, install only essential extensions, and avoid pirated software.

Minimize connections: give only limited approvals, review and revoke them regularly with a revoke tool, and start with a small test each time.


Q30: When approving a token, entering only a small approval amount fully guarantees asset safety. ( )

Correct Answer: False

Analysis:

Key takeaway: A small allowance caps what that spender can take to the approved amount, so it limits the damage of a single drain. It is not absolute protection: the site can keep prompting you for a new, larger approval, a signed permit message can raise the allowance without a separate approval transaction, and a flaw in the token or DApp contract itself is outside the allowance's control. Treat the cap as a damage limit, not a guarantee.

Best practice: Approve only when needed, with limited amount and limited duration, and revoke approvals promptly after use.


Q31: When you receive a very small amount of airdropped tokens (Dust), the best thing to do is nothing, not even transferring them away.  ( )

Correct Answer: True

Analysis:

Key takeaway: Dusting or phishing airdrops often try to lure you into interacting with a malicious contract, which may trigger approvals or other traps.

Best practice: Ignore or hide the token. Do not approve it, swap it, or transfer it. If needed, block it from display in your wallet.


Q32: The most reliable way to reduce transfer errors is to use the wallet's address book feature.  ( )

Correct Answer: True

Analysis:

Key takeaway: An address book or whitelist stores verified recipient addresses and reduces the risk of clipboard tampering or manual mistakes during temporary copy-and-paste.

Best practice: Add frequently used addresses to the address book, enable extra confirmation for sensitive recipients, and run a small test transfer before large transfers.


Multiple Choice

Q33: Before connecting to a DApp, what should you check carefully? ( ) [Multiple Choice]

A. Whether the DApp is official and from a trusted source

B. Whether the website link is correct and secure (HTTPS, no look-alike domain)

C. Whether the wallet asks for unnecessary high-level permissions upon connection

D. Whether you reached it only through official channels

E. You do not need to check anything - just connect directly

Correct Answer: A / B / C / D

Analysis:

Key takeaway: Trusted entry point, correct domain, and least privilege are the three core checks.

Best practice: Enter through the official website, verify the domain certificate and spelling, and review each permission request carefully.


Q34: What is a phishing website? ( )

A. A fake website that imitates an official website and tricks you into entering your Recovery Phrase or Private Key

B. A site used only for trading obscure tokens

C. A site that only provides information and does not support trading

D. A site that offers free airdrops

Correct Answer: A

Analysis:

Key takeaway: A phishing site is designed to steal your credentials, signatures, or approvals.

Best practice: Never enter a Recovery Phrase on a website, verify the domain carefully, and use anti-phishing lists or browser protections.
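The checks in Q33 and Q34 (trusted entry point, correct domain, https) can be applied mechanically to a link before you connect a wallet. The script below is an added example for this edition, not code from the handbook or from imKey. Its allowlist is built from a few entries in the Official Links section and is an assumption for the demo; a real allowlist would be maintained separately. The sample URLs are constructed look-alikes, not real phishing domains.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demo, taken from the Official Links section.
# Assumption: a real deployment maintains and reviews its own list.
OFFICIAL_HOSTS = {"token.im", "imkey.im", "app.uniswap.org", "revoke.cash"}


def check_dapp_url(url: str, allowlist=OFFICIAL_HOSTS) -> dict:
    """Return {"host", "trusted", "findings"} for a link before connecting a wallet."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # "https://app.uniswap.org@evil.com/": the browser goes to evil.com
        findings.append("user-info before @; the real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label; possible homoglyph domain")
    if not host.isascii():
        findings.append("non-ASCII characters in host")

    # Trusted only if the host IS an allowlisted host or a subdomain of one.
    trusted = any(host == h or host.endswith("." + h) for h in allowlist)
    if not trusted:
        findings.append("host not in allowlist")
        squashed = host.replace(".", "").replace("-", "")
        for h in allowlist:
            brand = h.split(".")[-2]          # "uniswap" from app.uniswap.org
            # app.uniswap.org.evil.com, uniswap-org-claim.xyz, imkey-support.app ...
            if host.startswith(h + ".") or brand in squashed:
                findings.append(f"resembles {h} but is a different domain")
                break
    return {"host": host, "trusted": trusted and not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: one genuine link, four classic tricks.
    for sample in ("https://app.uniswap.org/swap",
                   "https://app.uniswap.org.evil.com/",
                   "http://token.im/",
                   "https://app.uniswap.org@evil.com/",
                   "https://xn--unswap-8va.org/"):
        print(sample, "->", check_dapp_url(sample))
```

The important design choice is the direction of the comparison: a host is trusted only if it equals an allowlisted name or ends with "." plus that name, so "app.uniswap.org.evil.com" fails even though it starts with the official name. The brand-substring check is a heuristic that only adds an explanatory finding; it never makes a host trusted.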


Q35: What should you do if the token name prompted by the wallet during authorization does not match the name shown in your wallet? ( ) [Multiple Choice]

A. Ignore the warning and approve it anyway

B. Cancel the approval immediately and disconnect from the site

C. Try to edit the token name manually

D. Reconnect the wallet

E. Verify the contract address and token contract on a block explorer to confirm it is official

Correct Answer: B / E

Analysis:

Key takeaway: A mismatch in token name is a high-risk signal. Stop immediately and verify the contract address.

Best practice: Check the contract address, symbol, and official announcement on a block explorer. Only proceed with the minimum required approval after confirming it is safe.


Q36: What is a token approval management tool? ( )

A. A tool for checking historical token prices

B. A tool for checking all token approvals in your wallet

C. A tool for checking token issuer information

D. A tool for checking on-chain transaction status

Correct Answer: B

Analysis:

Key takeaway: A token approval management tool lets you review all token approval records for your wallet, and usually supports revoking approvals or reducing allowances.

Best practice: Review approvals regularly and revoke anything unnecessary or excessively large.


Q37: Why is transaction confirmation the most important security protection provided by a hardware wallet? ( )

A. Because transaction confirmation is done online

B. Because the hardware wallet screen shows complete transaction details, letting you confirm physically while the Private Key stays offline

C. Because a hardware wallet can block any transaction

D. Because the confirmation button is harder to press

Correct Answer: B

Analysis:

Key takeaway: A hardware wallet isolates the Private Key inside the device and shows critical transaction details on its own screen, including the address, chain, amount, and permissions. Only after you physically confirm on the device will it sign offline. This prevents you from signing something different from what you see on a compromised computer or webpage.

Best practice: Always verify the address, amount, chain, and contract on the hardware wallet screen before confirming.


Q38: What is a "Paste Hijacking" attack? ( )

A. Malware changes the address you copied in your clipboard

B. An attacker tricks you into clicking a fake approval link

C. A phishing email asks you to enter your Recovery Phrase

D. A stranger sends a small amount of tokens to your wallet to track your transactions

Correct Answer: A

Analysis:

Key takeaway: Clipboard hijacking means malware modifies clipboard contents and swaps the address you copied with the attacker's address.

Best practice: Verify the address character by character after pasting, prefer your address book or QR codes, and scan for malware regularly.
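Q26, Q32 and Q38 all come down to one habit: compare the full pasted address with a saved, verified one, not just its first and last characters. The function below is an added example, not code from the handbook or from imKey; the address book entries and the poisoned address are made-up hex strings constructed for the demo. It does not verify EIP-55 mixed-case checksums, since that needs keccak-256, which the Python standard library does not provide.

```python
import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed address book: made-up hex strings, not real accounts.
ADDRESS_BOOK = {
    "cold storage": "0x7a3b9c1d2e4f5061728394a5b6c7d8e9f0a1b2c3",
    "exchange deposit": "0x5e0c2f9a8b7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f",
}


def check_recipient(pasted: str, book=ADDRESS_BOOK, edge: int = 4) -> dict:
    """Compare a pasted address against the address book, character by character.

    verdict: "exact"     - identical to a saved entry (safe to use)
             "lookalike" - same first/last `edge` hex chars as a saved entry but
                           different in the middle (address poisoning / clipboard swap)
             "unknown"   - well-formed but not in the book (verify out of band)
             "invalid"   - not a 0x + 40 hex-character address at all
    EIP-55 mixed-case checksums are not verified here (that needs keccak-256).
    """
    pasted = pasted.strip()
    if not HEX_ADDRESS.match(pasted):
        return {"verdict": "invalid", "match": None, "diff_positions": []}
    addr = pasted.lower()
    entries = {name: a.lower() for name, a in book.items()}

    for name, known in entries.items():
        if addr == known:
            return {"verdict": "exact", "match": name, "diff_positions": []}

    for name, known in entries.items():
        same_head = addr[2:2 + edge] == known[2:2 + edge]
        same_tail = addr[-edge:] == known[-edge:]
        if same_head and same_tail:
            # Positions (in the 0x-prefixed string) where the two addresses differ.
            diff = [i for i, (a, b) in enumerate(zip(addr, known)) if a != b]
            return {"verdict": "lookalike", "match": name, "diff_positions": diff}
    return {"verdict": "unknown", "match": None, "diff_positions": []}


if __name__ == "__main__":
    # Constructed poisoned address: copies the head and tail of "cold storage".
    poisoned = "0x7a3b" + "f" * 32 + "b2c3"
    for candidate in (ADDRESS_BOOK["cold storage"], poisoned, "0x7a3b9c1d"):
        print(candidate, "->", check_recipient(candidate))
```

A wallet that shows only "0x7a3b...b2c3" would render the genuine entry and the poisoned one identically; the returned diff_positions list is exactly the middle stretch the quiz tells you to read.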


Q39: If your wallet prompts you to approve a contract during a transfer, what does that mean? ( )

A. You are sending assets directly to that contract

B. You are allowing that contract to transfer a specified amount of tokens from your wallet in the future

C. You are confirming an off-chain instruction

D. You are sharing your Private Key with that contract

Correct Answer: B

Analysis:

Key takeaway: An approval grants a contract future spending permission within the amount you set, so it can transfer that token from your wallet later without prompting you every time.

Best practice: Use the minimum required approval, keep it limited in amount and duration, and revoke it after use.


Q40: What risk do you take when you give a DApp an unlimited approval? ( )

A. Your wallet may be remotely controlled by a hacker

B. The contract can transfer all tokens of that type from your wallet without asking again

C. The contract can steal your Private Key

D. Unlimited approvals carry no real risk because they can always be revoked later

Correct Answer: B

Analysis:

Key takeaway: An unlimited approval means the contract can move an unlimited amount of that token without asking for permission again.

Best practice: Limit approval amounts, approve only when needed, revoke after use, and keep core assets in separate wallets.


Q41: If you receive an unknown token in a very small amount, what should you do? ( )

A. Transfer it out immediately to avoid being tracked

B. Sell it for another token

C. Ignore it and do not interact with it in any way

D. Contact the sender and ask what it is

Correct Answer: C

Analysis:

Key takeaway: Interacting with it may trigger malicious approvals or contract traps.

Best practice: Ignore or hide it. Do not interact.


Q42: If your last approval or transfer remains Pending for a long time, how should you handle it safely? ( )

A. Use the speed-up function in the same wallet to increase gas and prioritize the same transaction

B. Submit the same transaction repeatedly until one succeeds

C. Switch to another wallet or unknown DApp and resubmit the same transaction

D. Import your Recovery Phrase into a third-party website or tool that promises instant confirmation

Correct Answer: A

Analysis:

Key takeaway: A long Pending state is usually caused by low fees or network congestion. The safest method is to use the speed-up function in the same wallet and raise the fee moderately so validators prioritize that transaction.

Best practice:

Use Speed Up on the earliest pending transaction in the original wallet. If needed, top up a small amount of native token first to cover the higher fee.

If you want to cancel it, send a 0-value self-transfer or cancellation transaction with the same nonce and a higher fee.

Avoid operating the same account from multiple wallets or devices at the same time.

Never import your Recovery Phrase into unfamiliar websites or tools.

Check the mempool or network congestion and wait for fees to fall if necessary.
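The speed-up and cancel steps above can be expressed as a nonce-replacement check. The following Python is an added example, not imKey code: it assumes an EIP-1559 transaction represented as a dict, in wei, and the 10% minimum fee bump that geth-style nodes require before they replace a pending transaction (other nodes may use a different threshold).

```python
"""Speed up or cancel a stuck EIP-1559 transaction by replacing it with the same nonce."""

MIN_BUMP_PERCENT = 10   # geth's default --txpool.pricebump; other nodes may differ
GWEI = 10**9


def bumped(fee: int, percent: int = MIN_BUMP_PERCENT) -> int:
    """Smallest integer fee that is at least `percent` above `fee` (integer math, no float rounding)."""
    return (fee * (100 + percent) + 99) // 100


def speed_up(pending: dict, percent: int = MIN_BUMP_PERCENT) -> dict:
    """Same recipient, value, data and nonce; only the fee fields rise, so the original intent is kept."""
    tx = dict(pending)
    tx["maxPriorityFeePerGas"] = bumped(pending["maxPriorityFeePerGas"], percent)
    tx["maxFeePerGas"] = max(bumped(pending["maxFeePerGas"], percent), tx["maxPriorityFeePerGas"])
    return tx


def cancel(pending: dict, percent: int = MIN_BUMP_PERCENT) -> dict:
    """0-value self-transfer with the same nonce: once mined, the original can never be included."""
    tx = speed_up(pending, percent)
    tx.update({"to": pending["from"], "value": 0, "data": "0x", "gas": 21000})
    return tx


def is_valid_replacement(pending: dict, candidate: dict, percent: int = MIN_BUMP_PERCENT) -> bool:
    """The checks a node applies before evicting `pending` in favour of `candidate`."""
    return (
        candidate["chainId"] == pending["chainId"]
        and candidate["from"] == pending["from"]
        and candidate["nonce"] == pending["nonce"]
        and candidate["maxFeePerGas"] >= bumped(pending["maxFeePerGas"], percent)
        and candidate["maxPriorityFeePerGas"] >= bumped(pending["maxPriorityFeePerGas"], percent)
    )


def required_native_balance(tx: dict) -> int:
    """Wei the sender must hold so the replacement is not rejected for insufficient funds."""
    return tx["gas"] * tx["maxFeePerGas"] + tx["value"]


# Constructed pending transaction (not real data): a 1 ETH transfer stuck at 30 gwei.
PENDING = {
    "chainId": 1, "from": "0x" + "11" * 20, "to": "0x" + "22" * 20, "nonce": 7,
    "value": 10**18, "data": "0x", "gas": 21000,
    "maxFeePerGas": 30 * GWEI, "maxPriorityFeePerGas": 2 * GWEI,
}

if __name__ == "__main__":
    faster = speed_up(PENDING)
    print("speed-up fees (gwei):", faster["maxFeePerGas"] / GWEI, faster["maxPriorityFeePerGas"] / GWEI)
    print("cancel needs at least this many wei:", required_native_balance(cancel(PENDING)))
```

Resubmitting the identical transaction fails the replacement check, which is why option B in the question does nothing useful.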


Q43: Before making a large transfer, what is the safest thing to do? ( )

A. Ask the recipient for their Private Key to verify identity

B. Send a small test transfer first, then send the larger amount after confirming receipt

C. Disconnect all network connections during the transaction

D. Save a screenshot of the transfer record

Correct Answer: B

Analysis:

Key takeaway: A small test transfer confirms that the address, network, and tags are correct.

Best practice: Confirm with a small transfer first, then move larger amounts in batches.


Q44: What should you do when you receive an airdropped token from a stranger that requires authorization to claim? ( )

A. Authorize and claim immediately to avoid missing out

B. Ignore the airdrop; do not perform any authorization or transaction

C. Transfer the token to another wallet first

D. Contact the project team to confirm whether it is real

Correct Answer: B

Analysis:

Key takeaway: Claiming an airdrop by approving a contract is a high-risk action and is often a phishing contract.

Best practice: Ignore it and do not interact. Participate only in trusted activities through official channels.


Q45: What is the main purpose of the signing function in a Web3 wallet? ( )

A. To confirm the uniqueness of a transaction

B. To verify identity and prove that you control the wallet

C. To transfer assets directly

D. To encrypt the Recovery Phrase

Correct Answer: B

Analysis:

Key takeaway: A signature proves that you control an address and confirms your intent. Both transactions and messages rely on signatures to verify origin.

Best practice: Sign only requests you fully understand, and stay alert to blind signing and approval-related signatures.


Q46: Why should you be especially cautious about unlimited approvals when interacting with a DApp? ( )

A. Because unlimited approvals consume more gas

B. Because unlimited approvals may let someone remotely control your wallet

C. Because a malicious contract, once granted unlimited allowance, can drain your assets at any time

D. Because unlimited approvals expose your Private Key

Correct Answer: C

Analysis:

Key takeaway: An unlimited approval gives the contract ongoing power to move that token.

Best practice: Use limited approvals, revoke after use, and keep core tokens in separate wallets.


Q47: If a DApp looks suspicious even though the page feels smooth and polished, what should you do? ( ) [Multiple Choice]

A. Connect your wallet immediately to test it

B. Close the page immediately and review / disconnect your wallet connection

C. Contact the site's customer service

D. Verify authenticity through the project's official channels or communities

Correct Answer: B / D

Analysis:

Key takeaway: A polished interface does not mean the site is safe. Fake sites often imitate the user experience closely.

Best practice: Disconnect and clear permissions first, then verify the domain and official announcements through the official website, X account, Discord, or Telegram. 


Q48: What is the essence of approval risk? ( )

A. Authorizing your Private Key

B. Authorizing a malicious contract to transfer your assets

C. Authorizing your personal information

D. Authorizing your transaction history

Correct Answer: B

Analysis:

Key takeaway: What you are authorizing is spending power over your tokens, not your Private Key or personal privacy.

Best practice: Use the minimum approval necessary, approve only when needed, revoke after use, and review your approval list regularly.


Q49: What should you do if the wallet prompts you to pay high gas fees during a transaction? ( ) [Multiple Choice]

A. Cancel the transaction immediately

B. Check network congestion or wait for gas fees to drop

C. Contact customer support to understand the reason

D. Pay it immediately to make sure the transaction goes through fast

Correct Answer: B / C

Analysis:

Key takeaway: When a wallet shows high gas fees, do not act blindly. This is usually caused by network congestion or incorrect fee settings, such as an overly high priority fee.

Best practice:

Check the reason first: confirm current congestion and real-time gas levels on the relevant block explorer. If the network is congested, wait for fees to fall.

Contact support if you are confused by the fee prompt or settings, or if you suspect the wallet itself may have an issue.


Q50: Which of the following is the most effective way to reduce authorization risk? ( )

A. Give unlimited approvals to all commonly used DApps to avoid repeated confirmations

B. Use approval management tools regularly to review and revoke unnecessary approvals

C. Save your Recovery Phrase in a password manager so approvals are more convenient

D. Ignore the contract address and look only at whether the token name matches

Correct Answer: B

Analysis:

Key takeaway: An approval gives a contract permission to spend your tokens. Regularly reviewing and revoking unnecessary approvals is one of the most important habits for reducing long-term risk.

Best practice:

Use minimum approvals: approve only when needed, with limits on amount and duration.

Review and revoke regularly: use approval management tools to revoke approvals you no longer use or that have excessive allowances.

Verify the target: check whether the contract address and token contract are official before approving.

Separate accounts / use hardware wallets: keep high-value assets in separate addresses and verify transaction details on a hardware wallet screen.
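The approval questions above (Q39, Q40, Q46, Q48 and Q50) all come down to one ERC-20 allowance value per (token, spender) pair. The following Python is an added example, not imKey code: it encodes the allowance() query, decodes the returned word, rates it, and builds the approve(spender, 0) calldata a revoke tool submits. The allowance values are constructed inline instead of being fetched with eth_call, so it runs offline; the 4-byte selectors are the standard ones for approve(address,uint256) and allowance(address,address).

```python
"""Review ERC-20 allowances offline and build the calldata that revokes them."""

# Well-known 4-byte selectors: the first four bytes of keccak256 of the signature.
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address owner, address spender)
APPROVE_SELECTOR = "095ea7b3"    # approve(address spender, uint256 amount)
UINT256_MAX = 2**256 - 1


def _addr_word(address: str) -> str:
    """Left-pad a 20-byte hex address into one 32-byte ABI word (no 0x)."""
    h = address.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {address}")
    return h.rjust(64, "0")


def encode_allowance_call(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender); send it as the 'data' of an eth_call to the token."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def decode_uint256(return_data: str) -> int:
    """Decode the single 32-byte word that allowance() returns."""
    h = return_data[2:] if return_data.startswith("0x") else return_data
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte return word")
    return int(h, 16)


def classify_allowance(allowance: int, balance: int) -> str:
    """'none', 'limited', 'exceeds_balance' or 'unlimited' (DApps usually request 2**256-1)."""
    if allowance == 0:
        return "none"
    if allowance >= 2**255:
        return "unlimited"
    if allowance > balance:
        return "exceeds_balance"
    return "limited"


def encode_revoke(spender: str) -> str:
    """Calldata for approve(spender, 0): the transaction that sets the allowance back to zero."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + "0" * 64


def encode_limited_approve(spender: str, amount: int) -> str:
    """Calldata for approve(spender, amount) with an explicit cap instead of unlimited."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of range")
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + format(amount, "064x")


def review(approvals, balance):
    """approvals: list of (spender, allowance_return_data). Returns (spender, class, revoke_calldata|None)."""
    report = []
    for spender, ret in approvals:
        cls = classify_allowance(decode_uint256(ret), balance)
        revoke = encode_revoke(spender) if cls in ("unlimited", "exceeds_balance") else None
        report.append((spender, cls, revoke))
    return report


# Constructed sample data (not real contracts): a wallet holding 200 tokens with 18 decimals.
SAMPLE_BALANCE = 200 * 10**18
SAMPLE_APPROVALS = [
    ("0x" + "aa" * 20, "0x" + "f" * 64),                       # unlimited allowance
    ("0x" + "bb" * 20, "0x" + format(50 * 10**18, "064x")),    # 50 tokens, within balance
    ("0x" + "cc" * 20, "0x" + format(10**24, "064x")),         # 1,000,000 tokens, far more than held
    ("0x" + "dd" * 20, "0x" + "0" * 64),                       # already revoked
]

if __name__ == "__main__":
    for spender, cls, revoke in review(SAMPLE_APPROVALS, SAMPLE_BALANCE):
        print(spender, cls, "-> revoke with data:" if revoke else "", revoke or "")
```

An allowance larger than your balance is as dangerous as an unlimited one: the contract can empty the wallet of that token whenever it chooses, which is the point of Q40 and Q46.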


Q51-Q75: Scam Prevention and Risk Response


True or False

Q51: If you forget your wallet's local password or fingerprint, your assets will be permanently lost. ( )

Correct Answer: False

Analysis:

Key takeaway: A local password only restricts access on that device. Your Recovery Phrase / Private Key is the final source of control.

Best practice: Restore the wallet in a compatible wallet with your Recovery Phrase or Private Key, and keep your Recovery Phrase stored safely offline.


Q52: Anyone who asks for your Recovery Phrase by any method is a scammer. ( )

Correct Answer: True

Analysis:

Key takeaway: Official staff, customer support, and administrators will never ask for your Recovery Phrase. Exposure means losing control of your assets.

Best practice: Never reveal it. If it has been exposed, migrate your assets to a new wallet immediately.


Q53: If someone has seen your Recovery Phrase but your assets have not yet been stolen, the wallet is still safe. ( )

Correct Answer: False

Analysis:

Key takeaway: Once seen, it can be restored on any device at any time. The attacker may simply not have acted yet.

Best practice: Immediately transfer your assets to a wallet created with a new Recovery Phrase and retire the old one.


Q54: If you accidentally visit a phishing website but do not enter any information, there is no risk. ( )

Correct Answer: False

Analysis:

Key takeaway: You may still trigger a wallet connection, blind signature request, permission grant, or malicious script injection.

Best practice: Close the page, disconnect the site in your wallet, clear permissions, and check for unusual approvals to revoke.


Q55: A wallet address can be made public because it does not grant permission to transfer assets. ( )

Correct Answer: True

Analysis:

Key takeaway: A wallet address is like your bank account number. Its only purpose is to receive assets. The spending power belongs to your Private Key, which is like the account password.

Best practice: Wallet addresses can be shared. Private Keys and Recovery Phrases must never be shared.


Q56: It is redundant to perform a small test transfer before a large one. ( )

Correct Answer: False

Analysis:

Key takeaway: A small test can reveal the wrong chain, wrong address, or missing Memo / Tag before a major mistake becomes expensive.

Best practice: Send a small test first, confirm it, and then move larger amounts in batches.


Q57: Only computers can get viruses. Phones do not affect wallet security. ( )

Correct Answer: False

Analysis:

Key takeaway: Phones can also be affected by trojans, clipboard hijacking, fake apps, and similar threats.

Best practice: Do not jailbreak or root the device, install as few unknown apps as possible, grant only necessary permissions, and use security or anti-phishing tools when appropriate. 


Q58: If you choose the wrong network for a token transfer, the recipient will still receive the asset as long as the address is correct. ( )

Correct Answer: False

Analysis:

Key takeaway: Different chains are not automatically interoperable. Sending on the wrong network is often difficult or impossible to recover directly.

Best practice: Confirm the chain, network, and any Memo / Tag requirements before sending.


Q59: Paste hijacking only affects text messages and does not affect wallet addresses in the clipboard. ( )

Correct Answer: False

Analysis:

Key takeaway: Replacing copied transfer addresses is one of the most common forms of clipboard hijacking.

Best practice: Verify the address after pasting, prefer your address book or QR codes, and scan your device regularly for malware.


Q60: Keeping your phone or computer system and apps up to date helps defend against known security vulnerabilities. ( )

Correct Answer: True

Analysis:

Key takeaway: Security patches fix known vulnerabilities and significantly reduce risk.

Best practice: Use only official firmware and official app stores, and update through the official website or store entry.


Q61: Since blockchain transactions are irreversible, there is no need to take action after assets are stolen. ( )

Correct Answer: False

Analysis:

Key takeaway: Irreversible does not mean helpless. Although confirmed on-chain transfers are difficult to reverse, you can still reduce further loss through containment, tracking, freezing, and evidence preservation, and sometimes improve the odds of partial recovery or legal enforcement.

Best practice:

Contain the loss immediately: move remaining assets to a brand-new wallet with a new Recovery Phrase or new hardware wallet.

Report quickly: organize the theft transaction hash, destination addresses, and flow of funds, then contact exchange risk teams and wallet support to request on-chain labels or blacklisting where possible.

Preserve evidence: keep screenshots of transaction links, chat records, recipient addresses, and the timeline, and submit them in police reports or platform tickets.

Investigate the cause: review your device, browser extensions, approvals, recent signatures, and connected DApps; remove malicious extensions or apps; update your system and wallet to the latest official version.

Strengthen security afterward: separate hot and cold storage, use a multisig vault for large holdings, keep approvals minimal and reviewed regularly, enable whitelists, run small tests, and verify details on trusted device screens.


Multiple Choice

Q62: You receive a DM from an "admin" on Discord/Telegram asking you to click a link to "verify your wallet" or "sync assets." What is the correct action? ( )

A. Click the link and connect your wallet immediately

B. Ask for the admin's ID badge before proceeding

C. Ignore and block the sender, then return to the project's pinned official announcement to verify the link, and report if necessary

D. Try signing with a small amount first

Correct Answer: C

Analysis:

Key takeaway: Official teams do not ask for wallet operations in private messages. Verification or synchronization requests are often phishing.

Best practice: Trust only official websites and public announcements. Block and report suspicious private-message links.


Q63: A stranger claims they can remotely help solve your wallet problem and asks you to install remote-control software. What should you do? ( ) [Multiple Choice]

A. Accept the remote support

B. Stop communication immediately and report to the platform

C. Try to negotiate first

D. Download the software but only allow view access

E. Seek help only through verifiable official customer support channels or ticket systems

Correct Answer: B / E

Analysis:

Key takeaway: Remote control is extremely high risk and is commonly used to steal credentials or induce malicious approvals.

Best practice: Cut off contact, report the account, and use only verifiable official support channels.


Q64: How should you handle a project claiming "guaranteed high returns" and "zero risk"? ( ) [Multiple Choice]

A. It is highly likely to be a Ponzi or scam, so stay cautious

B. Test it with a small amount first and add more after breaking even

C. Trust only the official website and public announcements, and never connect, approve, or transfer on an unfamiliar page

D. If it shows an audit report and profit screenshots, it is safe to join

Correct Answer: A / C

Analysis:

Key takeaway: Promises like guaranteed principal, high yield, or daily returns are classic Ponzi-style language.

Best practice: Use only official entry points. Never connect, approve, or transfer on unfamiliar pages.


Q65: What are the core risks of "Vanity Address" (premium address) scams? ( ) [Multiple Choice]

A. The seller may keep or record the Private Key or Recovery Phrase and take the funds at any time

B. Such addresses are often mass-generated by scripts and archived for later theft

C. If the address can be found on-chain, it proves the purchased vanity address is safe

D. After purchase, you can simply change the Private Key or reset the Recovery Phrase and keep using the address safely

Correct Answer: A / B

Analysis:

Key takeaway: If someone else generated it, someone else knows the key.

Best practice: Generate your own Recovery Phrase and addresses. Never buy pre-made addresses.


Q66: What are common scams in over-the-counter (OTC) trading? ( ) [Multiple Choice]

A. Suddenly canceling the transaction

B. Receiving the asset but refusing to pay / chargeback after payment

C. Planting malware on your device

D. Forging or tampering with payment screenshots or on-chain proof

Correct Answer: B / C / D

Analysis:

Key takeaway: Fake proof, technical compromise, and refusing payment after receiving assets are the most common patterns.

Best practice: Rely on actual on-chain confirmation or confirmed fiat settlement, and use escrow or trusted intermediaries whenever possible.


Q67: Which of the following are signs that you are facing a fake official loan scam? ( ) [Multiple Choice]

A. Claiming to be official support, promising low interest and instant approval, but asking you to pay a "security deposit" or "unfreezing fee" first

B. Asking you to download non-official software or visit unknown websites

C. Asking you to transfer funds to a "regulatory account" for verification

D. Asking for your Recovery Phrase due to a "system upgrade" or "limit freeze"

E. Only asking for your bank card and personal info

Correct Answer: A / B / C / D

Analysis:

Key takeaway: Anyone claiming to be official support while asking you to transfer funds to a so-called supervision or verification account, download software through unofficial channels, visit unfamiliar sites, or provide your Recovery Phrase or verification codes is definitely running a scam. Legitimate institutions will not ask you to transfer funds off-platform or reveal your Recovery Phrase.

Best practice:

Use only official channels: operate only through the official app or the official website of a known platform. Do not click unknown links or download unknown software.

Protect sensitive information: never reveal your wallet's Recovery Phrase or Private Key to anyone under any circumstances.


Q68: What is a hardware wallet "Supply Chain Attack"? ( ) [Multiple Choice]

A. A hardware wallet is tampered with by malicious parties before sale, such as through malicious firmware or chips

B. A dishonest seller raises the price maliciously

C. An attacker impersonates the official brand and offers free tampered devices in a giveaway

D. A scammer sells tampered and repackaged genuine devices through unauthorized channels at a low price

Correct Answer: A / C / D

Analysis:

Key takeaway: If the device is compromised at the source, later caution may not be enough to save you.

Best practice:

Buy only from official channels.

Inspect the tamper seal and serial number, and verify activation time through the official check where available.

Initialize the device yourself from scratch, generate the Recovery Phrase on the device itself, and never photograph or upload it.

If you notice anything abnormal, such as a pre-set Recovery Phrase or suspicious packaging, stop using the device and contact official support immediately.


Q69: What are the correct habits when using a browser extension wallet with DApps? ( ) [Multiple Choice]

A. Approve unlimited allowances immediately

B. Verify the domain, HTTPS, and official entry point

C. Enter your Recovery Phrase on the webpage for verification

D. Close the browser and restart the computer

E. Use only the minimum required approvals and revoke them promptly after use

Correct Answer: B / E

Analysis:

Key takeaway: Trust the entry point and minimize permissions.

Best practice: Use only the official domain, grant limited approvals, and revoke them after use.


Q70: What is a "Multi-signature Scam"? ( ) [Multiple Choice]

A. Scammers use fake wallets or phishing to get your key, then change your account to a multi-sig so you can't move funds without them

B. In a TRX wallet, a transfer error such as SIGERROR may indicate the permissions were tampered with and changed to multisig, so you can no longer transfer alone

C. This scam happens only on Bitcoin and has nothing to do with TRX

D. The scammer tricks you into continuing to deposit assets, then uses co-signature or permission control to steal them all at once later

Correct Answer: A / B / D

Analysis:

Key takeaway: A multisig scam is an advanced fraud pattern. The scammer steals your wallet control or Private Key, then changes the account permissions to multisig. After that, you can no longer transfer funds alone, and your assets are effectively under their control.

Best practice: If transfers start failing abnormally, especially with errors like SIGERROR, and you suspect your key may be exposed, stop transferring funds into that wallet immediately. Create and use a new secure wallet address as soon as possible, and move any other assets you still control on other chains.


Q71: Besides checking the address, what is a safer way to prevent "Address Poisoning"? ( )

A. Enter the address manually every time

B. Add frequently used addresses to an address book / whitelist and choose only from there

C. Transfer only to people you know

D. Use only centralized exchanges

Correct Answer: B

Analysis:

Key takeaway: An address book or whitelist significantly reduces the risk of look-alike addresses and clipboard tampering.

Best practice: Build a trusted address book and send a small test amount before large transfers. 


Q72: While browsing a webpage, your wallet suddenly pops up a signature request even though you were not taking any action. What should you do? ( )

A. Sign immediately

B. Close the webpage, check and disconnect the wallet connection, then review and clear approvals

C. Refresh the page

D. Contact the webpage's support team

Correct Answer: B

Analysis:

Key takeaway: A signature request that appears when you did nothing is often caused by a malicious script, phishing front end, or deep-link trick. Close the page immediately, disconnect the site in your wallet, clear the connected-session history, and review suspicious approvals with an approval tool such as Revoke.cash.

Best practice: Disconnect, clear permissions, and investigate the source, including installed plugins.


Q73: If the recipient address shown during a transfer is different from the one you copied, what is the most likely cause? ( )

A. A system error on the trading platform

B. Your device is infected with "Paste Hijacking" malware

C. An unstable network

D. The wallet has been hacked directly

Correct Answer: B

Analysis:

Key takeaway: If the pasted address differs from the one you copied, the most likely cause is clipboard-hijacking malware on your device. This type of malware monitors your clipboard and replaces wallet addresses with the scammer's address as soon as it detects one.

Best practice:

Build the habit of checking: after pasting an address, always verify the beginning and end characters and, ideally, more of the address.

Keep the device secure: scan your phone or computer regularly, install apps only from official channels, and avoid suspicious links.

Use a hardware wallet for large transfers so final address verification and signing happen on the trusted device.


Q74: Why is it not recommended to back up wallet data or Recovery Phrases to the cloud? ( )

A. It takes up space

B. It may be hacked or leaked, and it can automatically sync across multiple devices

C. It slows the device down

D. It costs money

Correct Answer: B

Analysis:

Key takeaway: Cloud storage means online exposure. Once leaked, you lose control.

Best practice: Store Recovery Phrases offline on paper or metal, and keep copies separately when needed.


Q75: You receive a text from a stranger claiming your wallet will stop service and asking you to click a link to "update." What should you do? ( ) [Multiple Choice]

A. Click the link immediately and follow the instructions to restore withdrawals

B. Contact the official customer service to verify the message

C. Ignore and delete the message, because a decentralized wallet would not know your phone number

D. Visit the official website via your browser for a self-check

Correct Answer: B / C

Analysis:

Key takeaway: This is a classic phishing text scam. Any message claiming suspended withdrawals or frozen accounts and demanding urgent action through an unknown link is a scam.

Best practice:

Recognize the scam: your assets are recorded on the blockchain, and no third party can suspend your withdrawals.

Verify through trusted channels: official teams do not proactively contact users by text or phone. If you have doubts, use the official channel you already know, not the information in the text message.

Protect your assets: delete the message, do not click any links, and do not call any numbers provided in the message.


Q76-Q100: Advanced Practices and Concept Corrections


True or False

Q76: Even if a hardware wallet is connected to a virus-infected computer, the assets remain safe. ( )

Correct Answer: True

Analysis:

Key takeaway: The core design of a hardware wallet is to fully isolate the Private Key from internet-connected devices. Even when connected to an infected computer, the Private Key never leaves the secure chip inside the hardware wallet.

Best practice: Stay alert anyway. The hardware wallet itself may remain secure, but malware on the computer may tamper with the displayed transaction details and try to trick you into confirming the wrong transaction. Always verify the address and amount on the hardware wallet screen.


Q77: A Recovery Phrase is equivalent to the wallet itself. As long as it is not leaked, the assets are safe. ( )

Correct Answer: False

Analysis:

Key takeaway: A Recovery Phrase is the master key to your wallet, but it does not protect you from malicious signature or approval scams. Even if the Recovery Phrase is not leaked, your assets can still be at risk if your wallet address is tricked into approving a malicious contract.

Best practice:

Protect the Recovery Phrase: keep it offline in a secure location. Do not photograph it, put it online, or store it on any electronic device.

Be cautious with approvals: every transfer and transaction needs your signature. Before approving anything, verify the details carefully and make sure you are interacting with a trusted official contract.

Review approvals regularly: use approval tools such as Revoke.cash to check your wallet address and remove unnecessary or high-risk approvals in time.


Q78: DApp links found via Search Engines/AI can be trusted as long as they look official. ( )

Correct Answer: False

Analysis:

Key takeaway: Search engine or AI results may contain ads or phishing sites disguised as official websites. Once you connect your wallet and sign or approve, you may be giving permissions to a malicious contract or confirming a high-risk transaction that drains your assets.

Best practice: Verify official links through multiple channels, check the domain carefully, and review every signature / approval request before confirming. Cancel anything you do not understand.


Q79: If I give a DApp an unlimited approval, my assets are safe as long as I do not make any transactions. ( )

Correct Answer: False

Analysis:

Key takeaway: A contract with unlimited approval can transfer that token at any time, whether or not you actively initiate a transaction.

Best practice: Use limited approvals, revoke them after use, and grant only the necessary amount to trusted contracts.


Q80: If a pop-up says Sign rather than Transfer, it is safe to confirm because signing does not create asset risk. ( )

Correct Answer: False

Analysis:

Key takeaway: Sign does not mean safe. A signature may still be used to authorize a contract, grant transfer permissions, or confirm a high-risk action that can drain assets or give long-term control over the wallet.

Best practice:

Check the source and domain first: sign only through official or trusted links.

Review the content carefully: if you do not understand the request, cancel it.

When in doubt, refuse: reject any signature request that did not come from an action you intentionally initiated, disconnect the site, and review approvals if needed.


Q81: Any decentralized wallet can fully restore all my assets as long as the Recovery Phrase is correct. ( )

Correct Answer: False

Analysis:

Key takeaway: Different wallets may use different derivation paths or default chain support. Not everything can always be restored automatically from a single Recovery Phrase alone.

Best practice:

Confirm the derivation path: most wallets follow BIP39 / BIP44, but when switching wallets, confirm that the same derivation path is used.

Add tokens manually if needed: some wallets do not display all tokens automatically, so you may need to add token contract addresses yourself.

Watch for special cases: if the wallet used a BIP39 passphrase or a multisig setup, you must also provide that additional information during recovery.


Q82: Multi-sig wallets are primarily suitable for individual daily transactions. ( )

Correct Answer: False

Analysis:

Key takeaway: Multi-sig focuses on risk control and shared custody. It is better suited to team treasuries or large-value storage than to frequent small daily spending.

Best practice: For everyday personal use, use a hot wallet or hardware wallet instead.


Q83: Writing down a Recovery Phrase on paper and locking it in a safe is an absolutely secure backup method. ( )

Correct Answer: False

Analysis:

Key takeaway: Paper is vulnerable to fire, water, and decay.

Best practice: Use a metal backup or store multiple copies in separate locations.


Q84: Official customer support will never proactively contact you through private messages, phone calls, or text messages. ( )

Correct Answer: True

Analysis:

Key takeaway: Genuine official support communicates only through the official website, in-app support channels, or ticket systems. They will not contact you first by private message or phone.

Best practice: No matter who contacts you, verify them independently on the official website first. Never provide your keys or click unfamiliar links.


Q85: In OTC trading, even if the counterparty provides proof of payment, you should still wait for on-chain confirmation before releasing assets. ( )

Correct Answer: True

Analysis:

Key takeaway:

Proof does not equal settlement: bank screenshots, receipts, and even TXID links can be forged. Fiat transfers may be frozen or reversed, and on-chain screenshots can also be faked.

Use actual confirmation as the standard: rely on the block explorer result you verify yourself, and release assets only after the funds have reached your address and the usual confirmation count is met.

Best practice: Use escrow or a trusted guarantee service, and do not release assets before confirmed settlement.


Q86: Even if I forget my wallet's local password, I can still recover my assets by re-importing the wallet as long as my Recovery Phrase backup is intact. ( )

Correct Answer: True

Analysis:

Key takeaway: The Recovery Phrase is the final recovery credential.

Best practice: Restore with the Recovery Phrase in a compatible wallet and keep the phrase stored safely offline.


Q87: A blockchain explorer such as Etherscan can be used to track transaction status and view all tokens and history under an address. ( )

Correct Answer: True

Analysis:

Key takeaway: A block explorer provides public data such as transactions, token holdings, approvals, and history.

Best practice: Learn how to use an explorer to check transaction status, approvals, and token contracts.


Q88: If a phone is infected, uninstalling and reinstalling the wallet app will remove all security risks. ( )

Correct Answer: False

Analysis:

Key takeaway: Malware often persists at the system level, so removing the wallet app is not enough. Once credentials are exposed, asset loss may already be possible.

Best practice:

Create a new wallet with a new Recovery Phrase on a brand-new clean device or hardware wallet, and move assets to the new address.

On the infected phone, perform a factory reset or reinstall official firmware, remove suspicious profiles or certificates, update the system fully, and install apps only from official stores.

Afterward, revoke high-risk approvals, change important account passwords, and enable 2FA.


Q89: When using a hardware wallet to make a transaction, the signature is completed inside the device's secure chip. ( )

Correct Answer: True

Analysis:

Key takeaway: The Private Key is generated and used for signing inside the secure chip and never leaves the device.

Best practice: Verify the information on the device screen before confirming.


Q90: As long as a wallet app is official, you can ignore other security warnings. ( )

Correct Answer: False

Analysis:

Key takeaway: Even an official app can still be used unsafely and remains exposed to phishing links, malicious approvals, and clipboard hijacking.

Best practice: Download from the official entry point, approve cautiously, revoke regularly, and keep system security updates enabled.


Multiple Choice

Q91: What is a "Derivation Path"? ( )

A. The random algorithm used by a wallet to generate a Recovery Phrase

B. A tool for tracking the path of a transaction on the blockchain

C. A path rule used to determine how addresses are derived and arranged in a wallet

D. The algorithm that turns a Recovery Phrase into a Private Key

Correct Answer: C

Analysis:

Key takeaway: A derivation path, such as m / 44' / 60' / 0' / 0 / 0, defines the position rule from a seed to a specific address or Private Key. Common standards include BIP32 and BIP44.

Best practice: Keep the same derivation path when restoring across wallets so the addresses remain consistent.
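The derivation-path rule in concrete form, as an added example that is not part of the handbook: a standard-library-only Python implementation of BIP39 seed generation and BIP32 private-key derivation along the path quoted above. The mnemonic is the published BIP39 test vector rather than a real wallet, the Ethereum address step (Keccak-256) is omitted because it is not in the standard library, and the same code illustrates the Q86 point that the same phrase and path always restore the same key while a different path or passphrase gives a different one.

```python
# Added example: BIP39 seed -> BIP32 master key -> BIP44 child keys, standard
# library only.  TEST_MNEMONIC is the published BIP39 test vector, not a real
# wallet.  The Keccak-256 address step is omitted; the compressed public key is
# returned instead.
import hashlib
import hmac
import unicodedata

# secp256k1 domain parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")

def point_add(p1, p2):
    """Affine secp256k1 point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication (written for clarity, not constant time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def is_on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0

def compress(point):
    """SEC1 compressed encoding: 0x02/0x03 prefix plus the 32-byte x coordinate."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)

def master_key(seed):
    """BIP32 master key: HMAC-SHA512(key='Bitcoin seed', seed) -> (k, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if not 0 < k < N:
        raise ValueError("invalid master key for this seed")
    return k, digest[32:]

def ckd_priv(k_par, c_par, index):
    """BIP32 private child derivation; hardened children never use the parent pubkey."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = compress(scalar_mult(k_par))
    digest = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    k_child = (il + k_par) % N
    if il >= N or k_child == 0:
        raise ValueError("invalid child key, skip this index")
    return k_child, digest[32:]

def parse_path(path):
    """Turn "m / 44' / 60' / 0' / 0 / 0" into a list of BIP32 child indices."""
    parts = path.replace(" ", "").split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        indices.append(int(part.rstrip("'h")) + (HARDENED if hardened else 0))
    return indices

def derive(mnemonic, path, passphrase=""):
    """Return (private key as int, compressed public key bytes) for a path."""
    k, c = master_key(bip39_seed(mnemonic, passphrase))
    for index in parse_path(path):
        k, c = ckd_priv(k, c, index)
    return k, compress(scalar_mult(k))

if __name__ == "__main__":
    for path in ("m / 44' / 60' / 0' / 0 / 0", "m / 44' / 60' / 0' / 0 / 1"):
        k, pub = derive(TEST_MNEMONIC, path)
        print(f"{path}  priv={k:064x}  pub={pub.hex()}")
```

Changing any element of the path, or adding a passphrase, yields a different key, which is why a restore in another wallet must use the same path and passphrase to show the same addresses.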


Q92: What should you do if the transaction info on your hardware wallet screen does not match the computer? ( )

A. Ignore the hardware wallet screen and trust the computer screen

B. Stop immediately and disconnect the hardware wallet

C. Refresh the computer page and see whether it syncs

D. Complete the transaction first and ask official support for help later

Correct Answer: B

Analysis:

Key takeaway: The hardware wallet screen is the final trusted source because it shows transaction data parsed by the device itself in an offline, trusted environment. The computer, browser, and DApp front end can all be tampered with by malicious scripts, phishing pages, or man-in-the-middle attacks. If the two displays do not match, treat it as a risky transaction and stop immediately.

Best practice:

Unplug the cable or disconnect Bluetooth, and cancel the signing request.

Close suspicious webpages or extensions, clear cache and review installed plugins, and re-enter only through the official website.

Compare the recipient address, amount, chain, and contract method carefully through a block explorer and the hardware wallet screen.

If necessary, switch to a clean computer or browser profile and update firmware and the official app.

If you already signed by mistake, revoke approvals as soon as possible, move assets to a new address, and monitor for abnormal activity.


Q93: What is a "Multi-signature Wallet"? ( )

A. A wallet that can manage assets across multiple chains at the same time

B. A wallet that requires multiple Private Keys to co-sign a transaction

C. A wallet that can be used simultaneously on multiple devices

D. A wallet that supports many tokens for trading

Correct Answer: B

Analysis:

Key takeaway: A multisig wallet requires multiple Private Keys to sign together before a transfer can be completed. Common setups include 2-of-3 or 3-of-5.

Best practice:

Set a reasonable threshold and separate signers across different people, devices, and locations, ideally using hardware wallets as signing devices.

Back up each key and all recovery parameters separately, including the threshold, signer addresses / public keys, contract address, and chain.

Run small drills to verify the signing flow, signer replacement, and recovery process before using it for large funds.


Q94: What is the purpose of a security-tool navigation site? ( )

A. To check approvals, monitor risk, and improve security

B. To generate tokens

C. To claim free airdrops

D. To increase internet speed

Correct Answer: A

Analysis:

Key takeaway: It provides a central entry point for approval scanning, blacklist or phishing monitoring, risk assessment, incident response guides, and other security tools.

Best practice: Review your wallet regularly with approval scans and risk alerts, revoke suspicious permissions promptly, and use these tools only through official entry points.


Q95: What should you do first after discovering that assets have been stolen from your wallet? ( )

A. Immediately transfer the remaining assets to a secure address

B. Report to the police and contact wallet support immediately

C. Delete the wallet app and disconnect from the internet

D. Stay calm and analyze the cause first

Correct Answer: A

Analysis:

Key takeaway: Once theft is detected, the Recovery Phrase or Private Key should be treated as exposed. All addresses under the same Recovery Phrase may be unsafe. Your first priority is to stop further loss by moving the remaining assets.

Best practice:

Move the assets: create a new wallet with a new Recovery Phrase on a clean device, ideally with a hardware wallet, and transfer all remaining assets to the new address.

Record evidence: save the transaction hash, suspicious links or chat records, and the related addresses.

Investigate and respond: revoke high-risk approvals, update your device and wallet, and avoid importing the old Recovery Phrase on the old device again.

Seek external help: report to law enforcement and contact any involved exchanges or platforms to request assistance with tracking or freezing.

Improve future protection: separate storage, use hardware wallets or cold-signing for important funds, and review approvals regularly.


Q96: Why is it not recommended to keep all large-value assets in a single hot wallet? ( )

A. Hot wallets are slower than cold wallets

B. Hot wallets are more exposed to online threats and network-based attacks

C. Hot wallets do not support multiple tokens

D. Hot wallets have higher transaction fees

Correct Answer: B

Analysis:

Key takeaway:

A hot wallet stays connected to the internet and often interacts with websites and contracts, so its attack surface is larger.

Its Private Key is stored locally on the phone. If the phone is compromised by malware, malicious apps, or system vulnerabilities, local data such as the Private Key, Recovery Phrase, or clipboard content may be stolen.

Putting all large funds into one hot wallet creates a single point of failure.

Best practice: Separate hot and cold storage.

Store large or long-term holdings in a hardware wallet or multisig vault.

Keep only smaller daily-use amounts in a hot wallet for payments and DApp interactions.

Install apps only from official sources, keep the system updated, and review and revoke approvals regularly.


Q97: What is the greatest risk of using an unverified browser extension wallet? ( )

A. The extension may be a phishing tool designed to steal your Recovery Phrase or Private Key

B. Your browser may become slow

C. You may be unable to interact with DApps

D. Your transaction history may not be saved

Correct Answer: A

Analysis:

Key takeaway: An untrusted or unofficial extension may contain malicious code that shows fake approval prompts, forges signature pages, or tricks you into entering your Recovery Phrase or Private Key, leading directly to asset theft.

Best practice: Use only officially released or openly audited wallets, and access them through the official website landing page. 


Q98: What is an "On-chain Label/Tag"? ( )

A. A note attached to a suspicious address on the blockchain to warn users

B. A permanent label created for a token on the blockchain

C. A record of all token names in your wallet

D. A record of the timestamp when a transaction was included

Correct Answer: A

Analysis:

Key takeaway: On-chain labels are commonly added by security teams, block explorers, or the community to identify scam addresses, hacker addresses, money-laundering addresses, and other suspicious entities.

Best practice:

Check before sending: search the counterparty address in a block explorer or security tool and look for risk labels or unusual history.

Review after receiving: if you receive assets from an unknown address with a risk label, do not interact with them and report if necessary.

Cross-check multiple sources: labels may be delayed or imperfect, so compare several trusted sources before making a decision.

Maintain anti-scam habits: be careful with dusting transactions and unknown sources.


Q99: In DApp interactions, what is the main difference between a signature and an approval? ( )

A. A signature confirms intent, while an approval grants spending permission over assets

B. A signature can be revoked, but an approval cannot

C. A signature requires gas, but an approval does not

D. A signature can be used for login, while an approval can only be used for trading

Correct Answer: A

Analysis:

Key takeaway:

Signature: you use your Private Key to confirm or acknowledge a piece of content, such as logging in, agreeing to terms, or initiating a transaction. By itself, it does not grant token spending rights.

Approval: you allow a contract or address to spend a specific token from your wallet within a defined allowance. Once it takes effect, that party can transfer your tokens according to the rule until you change or revoke the approval.

Best practice:

Use minimum approvals: if a one-time or limited approval works, do not choose unlimited approval.

Review and revoke regularly: set unused or unknown approvals back to 0.

Read signatures carefully: for EIP-712 pop-ups, verify the domain, contract, method, amount, and duration. On a hardware wallet, trust the device screen.

If you do not understand it, do not sign it.
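To make the difference between an approval and a transfer concrete, an added example that is not from the handbook: a small Python checker that decodes the calldata of an ERC-20 approve or ERC-721 setApprovalForAll request and flags unlimited or unexpected allowances before you sign. The 4-byte selectors are the standard ones for those function signatures; the spender and operator addresses are constructed placeholders.

```python
# Added example: decode the calldata a wallet asks you to sign and flag risky
# allowances.  Selectors are the standard 4-byte function selectors; the
# spender/operator addresses in the demo are constructed placeholders.
from typing import List, Optional

UINT256_MAX = 2**256 - 1
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve",            # approve(address,uint256)
    bytes.fromhex("a22cb465"): "setApprovalForAll",  # setApprovalForAll(address,bool)
    bytes.fromhex("a9059cbb"): "transfer",           # transfer(address,uint256)
}


def _word(args: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word, refusing truncated calldata."""
    word = args[32 * i:32 * (i + 1)]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def _address(word: bytes) -> str:
    """An address is right-aligned in its word; the 12 leading bytes must be zero."""
    if any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()


def decode_calldata(data: bytes) -> dict:
    """Decode approve / setApprovalForAll / transfer calldata into a dict."""
    method = SELECTORS.get(bytes(data[:4]))
    if method is None:
        return {"method": "unknown", "selector": "0x" + data[:4].hex()}
    args = data[4:]
    target = _address(_word(args, 0))
    value = int.from_bytes(_word(args, 1), "big")
    if method == "approve":
        return {"method": method, "spender": target, "amount": value}
    if method == "setApprovalForAll":
        return {"method": method, "operator": target, "approved": value != 0}
    return {"method": method, "to": target, "amount": value}


def assess(data: bytes, expected_spender: Optional[str] = None,
           needed_amount: Optional[int] = None) -> List[str]:
    """Return human-readable risk flags; an empty list means nothing suspicious."""
    d = decode_calldata(data)
    flags = []
    if d["method"] == "unknown":
        return ["unrecognised method; do not sign what you do not understand"]
    if d["method"] == "transfer":
        return ["this is a transfer, not an approval: tokens move immediately"]
    party = d.get("spender") or d.get("operator")
    if expected_spender and party.lower() != expected_spender.lower():
        flags.append("spender differs from the contract you intended to use")
    if d["method"] == "approve":
        if d["amount"] == UINT256_MAX:
            flags.append("UNLIMITED allowance requested")
        elif needed_amount is not None and d["amount"] > needed_amount:
            flags.append("allowance larger than the amount needed for this action")
    elif d["approved"]:
        flags.append("grants the operator control over EVERY token of this collection")
    return flags


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve(spender, amount) calldata; used only to construct samples."""
    return (bytes.fromhex("095ea7b3") + bytes.fromhex(spender[2:]).rjust(32, b"\x00")
            + amount.to_bytes(32, "big"))


if __name__ == "__main__":
    DEX = "0x" + "11" * 20    # constructed placeholder: the contract you meant to use
    OTHER = "0x" + "22" * 20  # constructed placeholder: an unexpected spender
    samples = [
        ("unlimited approve", encode_approve(DEX, UINT256_MAX)),
        ("limited approve", encode_approve(DEX, 100 * 10**6)),
        ("approve to wrong spender", encode_approve(OTHER, 100 * 10**6)),
        ("revoke (allowance 0)", encode_approve(DEX, 0)),
    ]
    for label, calldata in samples:
        print(f"{label:26s} -> {assess(calldata, DEX, 100 * 10**6) or ['ok']}")
```

An allowance of 0 produces no flags because that is the revocation the best practice above recommends.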


Q100: Which of the following is NOT an advantage of a Cold Wallet? ( )

A. Assets are stored offline for the long term, providing a high level of security

B. It is less vulnerable to hackers

C. The transaction process is relatively complex and not suitable for high-frequency use

D. It is suitable for long-term storage of large-value assets

Correct Answer: C

Analysis:

Key takeaway:

A Cold Wallet is advantageous because it stays offline, is harder to attack, and is suitable for storing large-value assets for the long term.

A more complex transaction process and lower convenience for frequent use are disadvantages, not advantages. That is why C is not an advantage.

Best practice:

Separate hot and cold storage: keep large, long-term assets in a Cold Wallet and use a hot wallet for small, frequent interactions.

When transferring, verify the address and amount on the device screen, back up your Recovery Phrase and any passphrase properly, and update firmware and apps only through official channels.


Important Notice: imKey sells physical security hardware products only and does not provide any virtual asset trading, custody, or funds-related services. References to third-party wallets, exchanges, or decentralized applications are for compatibility purposes only; related functions and services are provided independently by third parties.

Announcement

imKey Vulnerability and Threat Intelligence Bounty Program

Project Overview

imKey provides blockchain security products and solutions. Founded in 2018, imKey’s core team members come from blockchain wallet, financial institutions, and secure hardware industries, with complementary expertise in embedded security and cryptocurrency. From the beginning, imKey received angel investment from the globally renowned blockchain wallet imToken, and has been dedicated to research in the field of crypto asset security.

Scope of Work

Reward Rules

The bounty amount will be determined by the imKey team based on factors such as severity, qualification, and impact.

  • Publicly disclosed vulnerabilities are not eligible for a bounty. Submissions must be sent via support@imkey.im.
  • If a vulnerability has already been reported or is known, it will not qualify for rewards.
  • Documentation or reproducible steps are required to validate the reported issue.

Reward Tiers

Severity level, description and reward:

  • Critical: A critical vulnerability that severely affects project security. Reward: $5,000 – $10,000
  • High: A high-risk vulnerability that affects normal project operations. Reward: $1,000 – $5,000
  • Medium: A moderately severe vulnerability that impacts functionality. Reward: $500 – $1,000
  • Low: A low-severity vulnerability that may affect the project in certain cases. Reward: $10 – $500

Additional Evaluation Criteria

Besides severity, the following factors also influence the bounty amount:

  • Clear and detailed description of the vulnerability
  • Reproducible test code or instructions
  • Clear suggestions or methods to fix the issue

Reporting Guidelines

  • Rewards are given only if the imKey Security Team can reproduce and verify the issue and confirm a clear security impact.
  • Reproduction steps must be clear and specific — screenshots, videos, or scripts are encouraged.
  • Do not engage in social engineering or phishing.
  • Do not disclose vulnerability details publicly.
  • Avoid large-scale scanning using automated tools; any resulting system or network damage will be handled according to law.
  • During testing, avoid directly modifying pages, creating continuous pop-ups, stealing cookies, or retrieving sensitive payloads (use DNSLog for blind XSS validation).
  • Testing must remain proof-of-concept (PoC) only — destructive testing is strictly prohibited. Any accidental damage must be reported immediately.
  • Sensitive operations (deletion, modification, etc.) performed during testing should be clearly documented in the report.

Handling Process

Reporting Stage
The reporter contacts the imKey team via email or official submission channel. (Status: Pending Review)

  • Email: support@imkey.im

Processing Stage

  • Within 3 business days, imKey confirms receipt and begins evaluation, forwarding details to the technical team. (Status: Under Review)
  • Within 7 business days, the imKey Technical Team assesses and scores the issue. (Status: Confirmed / Ignored)
  • The reporter may be contacted for clarification.

Fixing Stage

  • The imKey product team fixes verified issues and schedules deployment. (Status: Resolved)
  • Fix timelines depend on severity:
    • Critical / High: within 24 hours
    • Medium: within 3 business days
    • Low: within 7 business days
    • Client-side issues depend on app release schedules.
  • The reporter reviews and confirms whether the fix is effective. (Status: Verified / Disputed)
  • Once confirmed, the imKey Technical Team communicates the results and bounty score to the security partner (PeckShield) for reward distribution. (Status: Closed)

Reward Distribution Principles

  • Rewards will be paid in cryptocurrency equivalent to USD value.
  • Supported stablecoins: USDT, USDC

imKey Renewal Program | Celebrating 7 Years of Trust, Embracing a Fresh Start

Dear imKey User,

Since its launch in 2018, imKey has spent seven years focused on security and user-centric design—safeguarding digital assets for users around the world.
To express our heartfelt gratitude, we’re officially launching the imKey Renewal Program — an exclusive benefit channel for long-time users, helping you upgrade your old device and continue managing your assets with confidence.

🔄 About the Program

Time is the ultimate proof of security. imKey has always adhered to offline key storage and hardware isolation, building a long-term and trusted asset protection framework.
Through this renewal program, eligible users are invited to upgrade to the new imKey Type-C hardware wallet, enjoy enhanced connectivity, and continue their secure crypto journey.

🎯 Eligibility

This program is an exclusive benefit for Gold-tier HODLer users:

  • Devices activated before May 18, 2022 (based on your device’s SN activation date)
  • Check your device activation time here:
    👉 https://imkey.im/pages/sn-check

🎁 Renewal Benefits

Eligible users will receive:

  • A 50% off renewal discount code for the new imKey Type-C version
  • Each SN code is valid for one redemption only and cannot be reused

📝 How to Participate

  1. Fill out the renewal application form with your device SN code and email
  2. Once verified, imKey will send a unique discount code to your email
  3. Use the code at checkout to purchase the new imKey Type-C wallet at a discounted price

📩 Apply now:

📅 Program Duration

  • Starts May 18, 2025, and will be available on an ongoing basis
  • imKey will review applications and distribute codes on a rolling basis

Thank you for seven years of trust and support. imKey will continue to stand by your side—protecting your assets and shaping a safer, more open Web3 future together.

With appreciation,
The imKey Team

🔓 The imKey Membership Program Is Now Live - Unlock Your Exclusive Benefits

From secure beginnings to trusted protection, imKey sincerely thanks all users for your continued support.
To celebrate our 7th anniversary, we are excited to launch the new imKey Membership Program.
Your time with imKey now unlocks access to exclusive rewards across different tiers!

🔸 Membership Tiers Overview

Tier, activation duration and identity:

  • 🥉 Bronze: activated less than 1 year ago. Identity: New HODLER
  • 🥈 Silver: activated 1 to 3 years ago. Identity: Steady HODLER
  • 🥇 Gold: activated over 3 years ago. Identity: Veteran HODLER

🧭 How to Check Your Membership Level?

It only takes 3 simple steps:
1️⃣ Visit the verification page → https://imkey.im/pages/sn-check
2️⃣ Enter your imKey SN code
3️⃣ Check your activation date and match it to the chart above

🎁 The Higher Your Tier, the More Perks You Unlock!

Each membership tier unlocks exclusive benefits, including but not limited to:

🎉 Access to members-only events
💰 Exclusive discounts and benefit packs
🛍 Limited-edition merchandise
🚀 Early access to new products
👑 Surprise gifts for Gold Members

📄 Register to Receive Your Perks

To ensure you receive personalized benefits and updates, please fill out the membership registration form: 👉 Register now

 (Optional and voluntary; data will only be used for benefit distribution and event notifications.)

Thank you for choosing and trusting imKey.
We will continue to safeguard your digital assets with the highest standards of security and service.

Sincerely,
The imKey Team
📅 Release Date: May 18, 2025

imKey Firmware Release Notes

Introduction

To continuously enhance the security, compatibility, and overall user experience of your imKey hardware wallet, we regularly release firmware updates. Keeping your device’s firmware up to date is essential for maintaining the safety of your digital assets and enjoying the latest features.

Firmware updates typically include:

  • Security Enhancements: Strengthen device protection against potential threats.
  • New Feature Support: Add support for new coins, signing algorithms, or interaction capabilities.
  • Performance Improvements: Enhance device speed and responsiveness.
  • Bug Fixes: Resolve known issues and improve system stability.

Important: The imKey firmware update process is carefully designed to be secure and reliable. Updating the firmware does not access, modify, or delete your private keys or recovery phrase stored on the device. Your core asset information remains fully protected and isolated throughout the update process. We strongly recommend checking for and installing the latest firmware regularly.

Version History

COS v1.9.05

Release Date: 2024-08-22
Applicable Device: imKey Pro

New Features

  • Schnorr Signature Algorithm Support: Added support for the Schnorr signing algorithm, strengthening compatibility with future blockchain upgrades such as Bitcoin Taproot.
  • Mnemonic Verification: Users can now verify their backed-up recovery phrase directly on the device for improved safety and peace of mind.

COS v1.9.00

Release Date: 2023-11-08
Applicable Device: imKey Pro

Optimizations & Improvements

  • Bluetooth Co-Update: Integrated Bluetooth module firmware update to version v3.0.03, improving connection performance.

Bug Fixes

  • Bluetooth Stability: Fixed an issue where connecting certain phones via Bluetooth could cause the device to restart unexpectedly, significantly enhancing stability and compatibility.

COS v1.8.09

Release Date: 2022-04-21
Applicable Device: imKey Pro

New Features

  • BLS Signature Algorithm Support: Added support for BLS signatures, expanding compatibility with emerging blockchain technologies.

Optimizations & Improvements

  • WebUSB Compatibility: Improved protocol compatibility for USB connections via browsers (WebUSB), enhancing interactions with DApps and web wallets.
  • Device Identification: Updated USB device descriptor to ensure “imKey Pro” displays correctly when connected to a computer.

Bug Fixes

  • Mnemonic Input: Fixed an issue that could occur under specific conditions when entering the recovery phrase.
  • Activation Flow: Resolved an issue where the device might not automatically return to the main interface after activation.

COS v1.6.03

Release Date: 2021-02-01
Applicable Device: imKey Pro

New Features

  • Ed25519 Signature Algorithm Support: Added support for the Ed25519 signing algorithm, expanding supported assets and applications.

Optimizations & Improvements

  • Storage Efficiency: Optimized internal secure-chip storage usage.

COS v1.5.10

Release Date: 2021-08-30
Applicable Device: imKey Pro

Key Features

  • Initial imKey Pro Release: First official firmware version for imKey Pro.
  • Secp256k1 Support: Supports the widely used Secp256k1 signing algorithm (e.g., Bitcoin, Ethereum).
  • USB Firmware Updates: Introduced USB-based firmware upgrade capability via computer connection.

COS v1.0.00

Release Date: 2019-12-31
Applicable Device: imKey Standard Edition

Key Features

  • Initial Firmware Release: First official firmware version for the imKey Standard Edition.
  • Secp256k1 Support: Supports the Secp256k1 signing algorithm.

Note: This version does not support firmware updates via USB.

How to Update Your imKey Firmware

Please refer to the official imKey firmware upgrade guide. Typically, the update requires connecting your imKey device to the companion mobile app or the desktop management tool.

If you encounter any issues during the update process, feel free to contact our support team:
📩 support@imkey.im

imKey Applet Release Notes

Introduction

The imKey hardware wallet supports various cryptocurrencies and features through the installation and updating of specific Applets (Java Card Applets). Each Applet is designed to handle operations related to a particular blockchain, such as transaction signing, address generation, and other protocol-specific interactions.

Regularly updating your imKey Applets allows you to:

  • Support newly added coins or tokens: Gain compatibility with new digital assets.
  • Stay updated with the latest protocols: Keep up with blockchain network upgrades (e.g., new transaction types, address formats).
  • Enhance functionality: Access new Applet features or improvements.
  • Fix issues: Resolve known problems that may occur when interacting with certain blockchains.

Important: Updating an Applet is a secure process. It does not access, modify, or delete the private keys or recovery phrase stored on your device. Applet updates only affect the Applet’s own functional code. Your core asset information remains fully protected at all times.
We recommend updating Applets promptly through the imKey companion management tools (such as the mobile app) to ensure the best compatibility and user experience.

(PAID = Package Application ID, the unique technical identifier of each Applet.)

Applet Version History

Bitcoin (BTC) Applet

PAID: 696D6B65792E627463

Version 1.6.10

Release Date: 2025-01-17 (Note: This is a future date. Please verify.)

New Features:

  • Added support for Dogecoin (DOGE) transaction signing and address parsing.

Version 1.6.00

Release Date: 2024-08-22

New Features & Enhancements:

  • Added support for Native SegWit (Bech32) address format, enabling lower transaction fees.
  • Added support for Taproot (P2TR) transactions, improving BTC privacy and efficiency.
  • Added support for PSBT (Partially Signed Bitcoin Transaction) workflows, enhancing compatibility with multisig and advanced transaction scenarios.
  • Implemented BIP-322 message signing, improving interoperability within the Bitcoin ecosystem.

Version 1.5.10

Release Date: 2021-03-24
Update: General maintenance and optimization.

Version 1.4.10

Release Date: 2020-11-05
Update: General maintenance and optimization.

Version 1.4.00

Release Date: 2019-11-25
Update: General maintenance and optimization.

Version 1.3.10

Release Date: 2019-09-05
Update: General maintenance and optimization.

Version 1.3.00

Release Date: 2019-06-27
Update: General maintenance and optimization.

Version 1.2.00

Release Date: 2019-01-19

New Features:

  • Initial release with basic support for Bitcoin (BTC) transactions.

Ethereum (ETH) Applet

PAID: 696D6B65792E657468

Version 1.5.01

Release Date: 2023-03-17

Fixes:

  • Fixed an issue that could cause the device to reboot unexpectedly when processing specific transaction types.

Version 1.5.00

Release Date: 2022-12-09

Fixes:

  • Resolved a display overlap issue on the imKey screen when confirming NFT transactions.

Version 1.4.00

Release Date: 2022-03-16

Optimizations:

  • Improved button confirmation flow when interacting with DApps via WebUSB.

Version 1.3.00

Release Date: 2021-11-25

New Features:

  • Added support for new transaction types introduced by EIP-1559 (London Upgrade).

Version 1.2.00

Release Date: 2019-01-19

New Features:

  • Initial release with basic support for Ethereum (ETH) and ERC-20 token transactions.

imKey Core (IMK) Applet

PAID: 696D6B65792E696D6B

This Applet manages secure communication and core management functions between the imKey device and external applications (mobile app, desktop tools).

Version 1.3.00

Release Date: 2021-04-20

New Features:

  • Added multi-platform binding support, allowing a single imKey device to be securely paired with both the mobile app and desktop / web interfaces simultaneously.

Version 1.2.00

Release Date: 2019-01-19

New Features:

  • Initial release with basic secure communication and device management capabilities.

Cosmos (ATOM) Applet

PAID: 696D6B65792E636F736D6F73

Version 1.0.10

Release Date: 2022-12-09

Optimizations:

  • Improved the display of Cosmos registered token names.

Version 1.0.00

Release Date: 2019-01-19

New Features:

  • Initial release with basic support for Cosmos (ATOM) transactions.

EOS Applet

PAID: 696D6B65792E656F73

Version 1.2.00

Release Date: 2019-01-19

New Features:

  • Initial release with basic support for EOS transactions.

How to Update Your imKey Applets

Use the official imKey mobile app or other designated management tools. With the device connected, check for available updates and follow the on-screen instructions to complete the Applet upgrade.

If you encounter any issues during the update process, please feel free to contact our support team.

imKey Now Supports Dogecoin Accounts

To meet user demands and expand support for more cryptocurrencies, we are excited to announce that the imKey hardware wallet now officially supports Dogecoin (DOGE) accounts in the imToken 2.16.3 version.

About Dogecoin
Dogecoin (DOGE) is a cryptocurrency launched in December 2013 by Billy Markus and Jackson Palmer. It was initially created as a lighthearted and humorous response to the rise of mainstream cryptocurrencies like Bitcoin. The iconic image of Dogecoin is based on the popular internet meme featuring a Shiba Inu dog, which quickly garnered a large, loyal community of supporters. Although Dogecoin didn't initially have a clear use case, over time it has evolved into a widely accepted digital asset and has received support from prominent figures like Elon Musk, CEO of Tesla.

How to Add a Dogecoin Account

  1. Please ensure that your imToken version is 2.16.3 or higher.
  2. Ensure your phone's Bluetooth is successfully connected to the imKey hardware wallet.
  3. Open imToken, tap "Me" - "Manage wallets", select the paired imKey hardware wallet, and enter the "imKey Management" page.

  4. Tap "App Management (can add/upgrade tokens)" - select "DOGE" - tap "Install".

  5. Once the installation is successful, return to "imKey Management", tap "Add Account", and select Dogecoin from the list to add the account.

  6. To add multiple accounts in bulk, tap the three dots in the top right corner of the account and select "Advanced".

Important Note
Before using the Dogecoin wallet feature, please ensure your imKey firmware is updated to version 1.9.05. For detailed instructions on firmware upgrades, please refer to the COS upgrade guide in the imKey Manager user manual.

Thank you for your continued support and trust in imKey. We will keep working hard to provide you with more features and better service.

If you have any questions, please feel free to contact imKey support at support@imkey.im.

imKey Team

Important Notice:imKey sells physical security hardware products only and does not provide any virtual asset trading, custody, or funds-related services. References to third-party wallets, exchanges, or decentralized applications are for compatibility purposes only; related functions and services are provided independently by third parties.

Lessons from the “Bitcoin Mega Heist”: True Randomness Is the Only True Security

1. The 127,000 BTC Mystery: What Really Happened?

In December 2020, the Bitcoin mining pool Lubian lost approximately 127,000 BTC in just two hours, over 90% of its holdings. These coins remained dormant on-chain for years and were widely regarded as part of the largest mining-pool hack in history.

In October 2025, the U.S. Department of Justice announced the seizure of roughly the same amount—127,000 BTC—identifying them as laundered proceeds from a Southeast Asian fraud ring, allegedly funneled through the Lubian mining pool. On-chain analysis showed a striking overlap between the seized wallets and the original Lubian loss.

The industry erupted. Debate spiraled around two questions:

  • Was Lubian really hacked, or is there a deeper story?
  • If a top-tier mining pool can lose everything, is my wallet still safe?

As speculation grew, security researchers converged on a more fundamental truth:

Regardless of who stole the BTC, the core issue was Lubian’s deeply flawed private-key generation algorithm — a pseudo-random scheme with insufficient entropy, making key prediction feasible.

In other words:

  • The Bitcoin protocol did not fail.
  • Cryptographic algorithms did not fail.
  • Implementation-level randomness failed.

This is not a one-off accident. From the Blockchain Bandit attacks (hundreds of thousands of weak keys scanned and drained), to the Milk Sad incident (wallets using a tiny, enumerable entropy pool), the lesson repeats:

If your private key isn’t truly random, the “astronomical” 2²⁵⁶ security space collapses into a tiny puddle a script can brute-force in minutes.

2. The “Cosmic Number” Behind Your Private Key: What Randomness Really Protects

To most users, “random” means the seed phrase looks messy and different every time. But in cryptography, randomness is far more demanding.

What is a private key?

In Bitcoin and Ethereum, a private key is a 256-bit number, i.e., one value out of:

0 → 2²⁵⁶ − 1

This space—about 1.16 × 10⁷⁷—is larger than the estimated number of atoms in the universe.

If chosen truly at random, the chance of guessing it is like:

Finding one specific grain of dust somewhere in the Milky Way.

The Three Iron Rules of “Good Randomness”

As explained in imKey’s article True Chip, True Randomness:

  1. Statistical randomness
    No visible bias; all numbers appear with similar frequency.
  2. Unpredictability
    Even if you know part of the output and the algorithm, you cannot infer the rest.
  3. Non-repeatability
    Unless you deliberately save the seed, you cannot regenerate the same sequence.

Meeting only 1 + 2 = PRNG (Pseudo-Random Number Generator).
Meeting all 1 + 2 + 3 = TRNG (True Random Number Generator).

For games and lotteries, PRNG is fine.
For private keys worth millions, only TRNG is acceptable.

3. When Randomness Fails, Attackers Aren’t Guessing—They’re Checking

What made the Lubian incident terrifying is this:

The attacker wasn’t exploring the vast 2²⁵⁶ universe—they were operating in a tiny, predictable subspace created by the weak RNG.

And this has happened many times:

Blockchain Bandit (2015–)

Attackers scanned Ethereum for weak keys, identifying 700k+ vulnerable wallets and stealing 50,000+ ETH.

Milk Sad & similar RNG failures

Some wallet implementations accidentally shrank the entropy pool into a 32-bit or similarly tiny space, making brute-forcing trivial.

The pattern is always the same:

  • Protocol is fine.
  • Math is fine.
  • Randomness source is not fine.

Once your entropy collapses, so does your security boundary.

4. PRNG vs TRNG: Why Hardware Wallets Insist on Physical Noise

The principle is straightforward:

True randomness requires entropy taken directly from the physical world.

PRNG: Convenient but Never Truly Random

A PRNG:

  • starts with a seed (e.g., timestamp, counter, PID), and
  • feeds it into a deterministic algorithm to generate “random-looking” numbers.

Secure PRNGs (CSPRNGs) are acceptable for hot wallets, but they suffer from two structural weaknesses:

  1. Predictable seed = predictable output
    A small seed space can be enumerated.
  2. No physical entropy guarantee
    Very few RNGs offer externally validated entropy claims such as AIS 31.

For high-value private keys with multi-decade lifespans, this is unacceptable.

TRNG: Turning Physical Noise Into Security

A TRNG:

  • extracts entropy from physical noise (thermal noise, jitter, metastability),
  • post-processes the signal,
  • applies online health checks,
  • and outputs provably unpredictable values.

Standards such as NIST SP 800-90B and BSI AIS 31 define how to validate a TRNG.

Only TRNGs meeting these standards are fit to generate master private keys.

5. How imKey’s AIS 31 PTG.2-Certified TRNG Redefines the Security Boundary

imKey’s philosophy is simple:

Instead of trusting the host OS or app to generate randomness, offload the entire process to a secure element with independently verified entropy.

Chip level: SLE 78 platform + AIS 31 PTG.2

The imKey Pro uses the Infineon SLE78CLUFX5000PH secure element (SE), whose built-in TRNG is certified to AIS 31 PTG.2.

This guarantees:

  • Physical entropy sources (not timestamp hacks)
  • Independent evaluation under AIS 31
  • Certified resistance (CC EAL6+, EMVCo) to side-channel, tampering, glitching

This is not a microcontroller.
It is a purpose-built cryptographic vault.

Key generation never leaves the secure boundary

When you tap Create Wallet:

  1. The TRNG fires inside the SE.
  2. Entropy is gathered and processed internally.
  3. The master private key and mnemonic are generated inside the chip.
  4. Only the mnemonic is shown; raw keys never leave the SE.

This offers major advantages:

  • Dramatically reduced attack surface
  • Resilience against OS compromise
  • Entropy backed by certification, not assumptions
  • Long-term cryptographic robustness

Regulatory advantage: audit-friendly key generation

Auditors typically ask:

  • Where were the keys generated?
  • Did they ever leave the secure boundary?
  • How is entropy validated?

With SE + TRNG:

  • You can point to AIS 31, CC EAL6+, EMVCo documents
  • You can prove zero exposure of private keys
  • You can show continuous entropy health monitoring

This makes SE-generated keys the preferred choice for custodians and institutions.

6. Why So Many Teams Fail at Randomness

Lubian’s disaster reveals several recurring patterns:

  • Teams often assume “the system RNG must be safe.”
  • Test RNGs or demo seeds accidentally ship to production.
  • Operational convenience gets prioritized over cryptographic rigor.
  • The attack surface is underestimated—until millions are at stake.

In reality, attacks like these arise not from geniuses but from:

A series of small compromises that eventually become catastrophic.

7. Final Thoughts: Every Peaceful Night’s Sleep Comes from Taking Randomness Seriously

For users, creating a wallet seems trivial:

open app → tap “create wallet” → write down a phrase.

But for the builders behind that process, the deeper questions are:

  • Would you trust your life savings to this random number?
  • Will it remain secure 10 or 20 years from now?
  • If an incident makes headlines, can we confidently say we did everything correctly?

Incidents like Lubian, Blockchain Bandit, and Milk Sad remind us:

The biggest failures in crypto often stem not from broken cryptography but from neglecting the foundations of randomness.

At imKey, we chose a different path:

  • Generate keys entirely inside a certified secure element
  • Provide audited, mathematically validated randomness
  • Treat randomness not as an implementation detail, but as the foundation of asset security

This approach may not make headlines.
It won’t go viral.
But it delivers something much more important:

The peace of mind to put down your hardware wallet and truly sleep well at night.

And ultimately, that peace of mind is the real test any Web3 security system must pass.

True Chip, True Randomness

— A Brief Discussion on True Random Numbers and Their Application in imKey Pro

Introduction
For those who have had some exposure to blockchain, most have heard cryptographic terms such as “asymmetric encryption” and “hash algorithm,” but not everyone knows the cornerstone behind these cryptographic algorithms — “random numbers.”

During the process of creating a wallet, a user can “randomly” obtain a private key. By using cryptography, an address is computed from the private key. With the address, one can receive digital currency, and the private key can, and uniquely does, control the digital assets at this address. Therefore, whoever holds the private key owns the on-chain assets at the corresponding address.

So, will private keys one day be exhausted? Is it possible to brute-force them by database collision?

To dispel these concerns, you first need to understand random numbers.

I. The Importance of Random Numbers

In computer science, random sequences play important roles in many fields, such as computer simulation, statistical sampling, cryptography, and online games. Different fields have different requirements for the quality of random sequences. For example, there are a large number of random events in online games—critical-hit rate calculations and lotteries, etc. These scenarios generally use specific pseudo-random mechanisms to reduce the probability of consecutive critical hits or no critical hits, or strategies like a guaranteed hit in ten draws, all to provide a better gaming experience. But in the field of information security, which is essentially about offense and defense, random numbers that do not satisfy “randomness” and “unpredictability” are obviously unusable, as this may cause irreparable vulnerabilities in the security system.

Whether in the design of cryptographic protocols or in more fundamental cryptographic algorithms, random numbers are the core dependence in resisting attacks. According to Kerckhoffs’s principle, the security of a cryptosystem should rely entirely on the key rather than on secrecy of the system design. Keys are usually generated from random sequences; therefore, the quality of random numbers is extremely important in a cryptosystem. Ideally, a completely random key should only be crackable via brute-force attack.

Random numbers are widely used in applications such as key generation, digital signatures, authentication and identification, as well as in various protocols related to secure communications, for example:

  • In key distribution schemes, random sequences are usually used as handshake information to prevent replay attacks.
  • In the SSL/TLS protocol process, random sequences are not only used to prevent replay attacks, but are also fundamental elements for generating session keys.
  • In the key generation and signature process of asymmetric algorithms, public mathematical algorithms + random sequences provide engineering-level security.

II. Random Number Generators

Generally speaking, random numbers have the following three testing criteria:

  1. Randomness
    A random sequence should have good statistical properties, exhibit no statistical bias, and be a completely scrambled series of numbers. The distribution of random numbers in the sequence should be uniform, and the frequencies of occurrence approximately equal. Numbers that satisfy this requirement appear “random at a glance” to humans.
  2. Unpredictability
    Given a portion of a random sequence and the random algorithm, it should not be possible to effectively compute the other parts of the random sample.
  3. Non-repeatability
    Unless the random sequence itself is saved, it should be impossible to produce the same sequence again.

In general, we say that a random number generator satisfying 1 and 2 is a pseudo-random number generator, and one that satisfies all three conditions is a true random number generator.

Pseudo-Random Number Generator (PRNG)
In computers, if the initial conditions are fixed and a deterministic algorithm is used to produce random numbers, then the produced random numbers will always follow some pattern within a period. This means that after reaching the period they will repeat. Even if they satisfy certain distribution requirements as defined by statistical randomness, because the results are visible and predictable within a specific period, the random numbers generated by this method are not truly “random”; we call them pseudo-random numbers, and the corresponding method is a pseudo-random number generator. In engineering practice, the period usually needs to be set sufficiently long (far greater than the length of random numbers that might be collected), but in theory it is indeed regular and predictable.
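The two properties just described, that the output is fixed once the seed is fixed and that the sequence repeats after a period, are the same weaknesses the earlier article lists under “Predictable seed = predictable output”. They can be seen directly with a small generator. The following Python program is an added illustration written for this handbook; it is not code from imKey, imToken or any wallet. The 16-bit linear congruential generator and its constants are constructed for the demonstration, and the operating-system generator reached through Python's secrets module stands in for a properly seeded CSPRNG.

```python
"""Seed-determined output and fixed period of a PRNG, made visible.

Added example for this handbook; not code from imKey, imToken or any wallet.
The 16-bit linear congruential generator (LCG) below is constructed for the
demonstration; Python's secrets module stands in for an OS CSPRNG."""
import secrets

M = 2 ** 16   # modulus: 16-bit state, so there are only 65 536 possible seeds
A = 25173     # multiplier; A - 1 is divisible by 4, which with odd C gives full period
C = 13849     # increment; odd, hence coprime with M


class Lcg16:
    """Linear congruential generator: state <- (A * state + C) mod M."""

    def __init__(self, seed: int):
        self.state = seed % M

    def next_value(self) -> int:
        self.state = (A * self.state + C) % M
        return self.state

    def key_bytes(self, n: int) -> bytes:
        """Stretch the stream into n bytes the way a careless wallet might
        build a 'private key' from a PRNG (low byte of each output)."""
        return bytes(self.next_value() & 0xFF for _ in range(n))


def period_of(seed: int) -> int:
    """Number of steps until the generator state returns to its start.

    Every LCG cycles; for these constants the cycle length is M for every
    seed, and M is tiny compared with the 2^256 private-key space."""
    gen = Lcg16(seed)
    start = gen.state
    steps = 0
    while True:
        gen.next_value()
        steps += 1
        if gen.state == start:
            return steps


def weak_key(seed: int) -> bytes:
    """32-byte 'key' derived from a caller-supplied seed (timestamp, PID, counter).
    Same seed, same key: whoever can reproduce the seed reproduces the key."""
    return Lcg16(seed).key_bytes(32)


def strong_key() -> bytes:
    """32 bytes from the operating system's CSPRNG; there is no seed for the
    caller to repeat, so two calls never agree in practice."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    print("LCG period:", period_of(12345), "states, against 2^256 possible keys")
    ts = 1700000000  # a Unix timestamp standing in for a 'seed = time()' mistake
    print("same seed, same key:", weak_key(ts) == weak_key(ts))
    print("adjacent seeds give different keys:", weak_key(ts) != weak_key(ts + 1))
    print("two CSPRNG draws differ:", strong_key() != strong_key())
```

Whatever the seed, the generator returns to its starting state after exactly 65 536 steps, and a key built from a given seed is identical every time; the secrets-based key has no seed to reproduce.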

True Random Number Generator (TRNG)
The conditions for true randomness are stringent. Under given boundary conditions, it can be considered that random numbers generated under classical mechanics are all pseudo-random, because physical noise, temperature changes, etc. are observable. However, for practical applications, if boundary conditions are complex and difficult to capture, they can be regarded as true random.

So how does a computer generate true random numbers?
It usually needs to introduce external entropy sources so that the periodicity of the generated random sequence is greatly weakened. The UNIX kernel’s random number generator (/dev/random) and the Windows kernel’s RtlGenRandom are such implementations. UNIX maintains an entropy pool, continuously collecting non-deterministic device events as seeds to generate random numbers; Windows collects information such as processes, threads, time, and internal high-precision CPU counters as internal entropy sources.

True random numbers can be described in this way: a TRNG is a function or device based on an unpredictable physical phenomenon (called an entropy source) used to generate non-deterministic data (for example, a sequence of consecutive numbers), with the goal of providing seeds for cryptographic algorithms.

After generating large amounts of true random numbers and pseudo-random numbers and visualizing them, as shown in the figure below, one can intuitively see that true random numbers have no pattern at all, whereas pseudo-random numbers are arranged according to certain regularities.

(Note: visualization of true random numbers (left) and pseudo-random numbers (right))

III. True Random Number Generators in Secure Chips

Typically, the true random number generator in a secure chip consists of an entropy source and an entropy extraction or sampling unit. The sampled data must also undergo quality control through a post-processing unit or cryptographic conditioning unit. The quality of the generated random numbers depends heavily on the original entropy output by the entropy source. Usually, one or more random-source circuits based on physical noise are built in. Each random-source circuit samples independently. After extracting the analog signals into usable digital form, they are handed over to the post-processing unit for processing, such as eliminating bias in the original output or enhancing the signal, etc. Random numbers obtained in this way are mainly used in cryptographic technology, and having a high-quality TRNG is also an indispensable functional point of a secure chip.

To ensure the reliability of the random number generator, the secure chip performs a self-test on the random number generator each time it powers on, and usually also supports initiating tests at any time.

(Note: A typical architecture of a noise-based TRNG)

IV. TRNG Testing

Domestically and internationally, there are certification bodies and specifications to verify whether the output of a TRNG meets the three standards of true random numbers: randomness, unpredictability, and non-repeatability.

For example, NIST’s SP 800-90 A/B/C standards provide corresponding test suites; section 4.9.2 of FIPS 140-2 stipulates “continuous random number generator tests,” etc., and the testing standard is the SP 800-90B standard, as shown in the figure below.
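The continuous tests referred to here, and the “online health checks” and power-on self-tests mentioned in the two sections above, are specified in SP 800-90B section 4.4 as two approved tests: the Repetition Count Test, which catches a source that has jammed on one value, and the Adaptive Proportion Test, which catches a source whose output has become heavily biased. The following Python program is an added example for this handbook, not code from imKey, Feitian or Infineon. It derives both cutoffs from the claimed entropy per sample, runs the tests over a byte stream, and exercises them on three constructed streams (a healthy one, a stuck one and a biased one); none of the data is captured from a device.

```python
"""Continuous health tests from NIST SP 800-90B section 4.4, run over a byte
stream the way a TRNG's post-processing unit runs them on raw noise output.
Added example for this handbook; not imKey, Feitian or Infineon code.  The
sample streams are constructed, not captured from any device."""
import hashlib
import math

ALPHA = 2 ** -20  # per-test false-alarm probability (a value SP 800-90B permits)


def rct_cutoff(h_bits: float, alpha: float = ALPHA) -> int:
    """Repetition Count Test cutoff C = 1 + ceil(-log2(alpha) / H), H being the
    claimed min-entropy per sample (SP 800-90B 4.4.1)."""
    return 1 + math.ceil(-math.log2(alpha) / h_bits)


def apt_cutoff(window: int, h_bits: float, alpha: float = ALPHA) -> int:
    """Adaptive Proportion Test cutoff C = 1 + CRITBINOM(W, 2^-H, 1 - alpha)
    (SP 800-90B 4.4.2): the smallest C with P(X >= C) <= alpha for
    X ~ Binomial(W, 2^-H), i.e. how often one value may recur in a window
    before that is too unlikely for a source with H bits per sample."""
    p = 2.0 ** -h_bits
    tail = 1.0  # P(X >= c), starting at c = 0
    for c in range(window + 1):
        if tail <= alpha:
            return c
        tail -= math.comb(window, c) * p ** c * (1.0 - p) ** (window - c)
    return window + 1


def repetition_count_test(samples: bytes, cutoff: int):
    """Stuck-source detector: index where a value has repeated `cutoff` times
    in a row, or None if the stream passes."""
    if not samples:
        return None
    current, run = samples[0], 1
    for i in range(1, len(samples)):
        if samples[i] == current:
            run += 1
            if run >= cutoff:
                return i
        else:
            current, run = samples[i], 1
    return None


def adaptive_proportion_test(samples: bytes, window: int, cutoff: int):
    """Bias detector: per non-overlapping window, count recurrences of its
    first value; return the first window index reaching `cutoff`, or None."""
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return start // window
    return None


def health_check(samples: bytes, h_bits: float = 8.0, window: int = 512) -> dict:
    """Both tests, with cutoffs from the entropy claim (H bits per byte) and
    the 512-sample window SP 800-90B uses for non-binary sources."""
    return {
        "rct_failure_at": repetition_count_test(samples, rct_cutoff(h_bits)),
        "apt_failure_window": adaptive_proportion_test(
            samples, window, apt_cutoff(window, h_bits)),
    }


# --- constructed streams standing in for raw noise-source output ---
def healthy_stream(n: int) -> bytes:
    """SHA-256 counter output: a deterministic stand-in for a healthy source."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def stuck_stream(n: int) -> bytes:
    """A source that jams on 0x5A for 16 samples partway through."""
    data = bytearray(healthy_stream(n))
    data[1000:1016] = b"\x5a" * 16
    return bytes(data)


def biased_stream(n: int) -> bytes:
    """A source emitting 0x00 for every 8th sample: 12.5%, against the 1/256
    expected from a full-entropy byte source."""
    data = bytearray(healthy_stream(n))
    for i in range(0, n, 8):
        data[i] = 0
    return bytes(data)


if __name__ == "__main__":
    print("cutoffs for H=8, W=512:", rct_cutoff(8), apt_cutoff(512, 8))
    for name, stream in (("healthy", healthy_stream(4096)),
                         ("stuck", stuck_stream(4096)),
                         ("biased", biased_stream(4096))):
        print(f"{name:8s} {health_check(stream)}")
```

With an 8-bit entropy claim the repetition cutoff is 4 and the adaptive-proportion cutoff for a 512-sample window is 13. The healthy stream passes both tests, the stuck stream trips the repetition count within the jammed run, and the biased stream trips the adaptive proportion test in its very first window while still passing the repetition count, which is why a chip runs both.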

V. How imKey Pro Uses True Random Number Functionality

The core of the imKey Pro product is Infineon’s SLE78CLUFX5000PH, which provides comprehensive error detection, dual-CPU self-tests, and fully encrypted data for “integrity protection” in digital security solutions, including cryptographic computation inside the CPU.

(Note: RZH1532 represents the production batch number of the SLE78CLUFX5000PH chip)

This chip meets the Common Criteria EAL6+ (high) and EMVCo certifications.

The corresponding certificate can be viewed on the CC official website:
https://www.commoncriteriaportal.org/files/epfiles/0879V4c_pdf.pdf

The Public Security Target document indicates that the random number module of this chip has passed the SP 800-90B standard; for details, see:
https://www.commoncriteriaportal.org/files/epfiles/0879V4b_pdf.pdf

Having a high-quality true random number generator still requires using it correctly in engineering practice. imKey Pro uses TRNG throughout the entire product lifecycle, including but not limited to the following aspects:

  • Generation of the device’s unique certificate key pair
  • Generation of connection authorization codes
  • Entropy generated when creating a wallet
  • Generation of ciphertext storage keys
  • Random numbers used during the signing process, such as the k value in secp256k1 signatures (deterministic k per RFC 6979 can also be selected)
  • Establishment of the SCP11C secure channel for device management
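The signing bullet above notes that RFC 6979 can be selected instead of a fresh random k. The following Python program is an added example for this handbook, not imKey or Feitian code: it implements the RFC 6979 derivation with HMAC-SHA256 from the standard library and checks the result against the RFC's own published test vector for the NIST P-256 curve (Appendix A.2.5, message "sample"). For secp256k1 the identical procedure runs with that curve's group order in place of the P-256 order used here. The point for key safety is that a deterministic k removes the signing step's dependence on the random number generator, since a repeated or biased k is enough to expose the private key.

```python
"""RFC 6979 deterministic ECDSA nonce (k) derivation.

Added example for this handbook; not imKey or Feitian code.  The group order
below is NIST P-256's so the output can be checked against the RFC's test
vector; a secp256k1 signer would pass its own order as `q`."""
import hashlib
import hmac

# Group order of NIST P-256 (RFC 6979 Appendix A.2.5).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: the leftmost qlen bits of data, as an integer."""
    value = int.from_bytes(data, "big")
    excess = len(data) * 8 - qlen
    return value >> excess if excess > 0 else value


def _int2octets(x: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding, ceil(qlen/8) bytes."""
    return x.to_bytes((qlen + 7) // 8, "big")


def _bits2octets(data: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce modulo q, then int2octets."""
    return _int2octets(_bits2int(data, qlen) % q, qlen)


def rfc6979_nonce(private_key: int, message: bytes, q: int = P256_ORDER,
                  hashfunc=hashlib.sha256) -> int:
    """Per-signature secret k from (private key, message), RFC 6979 section 3.2.

    Same inputs always give the same k; different messages give unrelated k
    values; no random source is consulted at signing time."""
    qlen = q.bit_length()
    hlen = hashfunc().digest_size
    h1 = hashfunc(message).digest()                           # step a
    v = b"\x01" * hlen                                        # step b
    k = b"\x00" * hlen                                        # step c
    seed = _int2octets(private_key, qlen) + _bits2octets(h1, q, qlen)
    k = hmac.new(k, v + b"\x00" + seed, hashfunc).digest()    # step d
    v = hmac.new(k, v, hashfunc).digest()                     # step e
    k = hmac.new(k, v + b"\x01" + seed, hashfunc).digest()    # step f
    v = hmac.new(k, v, hashfunc).digest()                     # step g
    while True:                                               # step h
        t = b""
        while len(t) * 8 < qlen:
            v = hmac.new(k, v, hashfunc).digest()
            t += v
        candidate = _bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate
        # candidate out of range: re-key and draw again
        k = hmac.new(k, v + b"\x00", hashfunc).digest()
        v = hmac.new(k, v, hashfunc).digest()


if __name__ == "__main__":
    # Test vector from RFC 6979 A.2.5 (P-256, SHA-256, message "sample").
    x = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
    print(hex(rfc6979_nonce(x, b"sample")))
    print("deterministic:", rfc6979_nonce(x, b"sample") == rfc6979_nonce(x, b"sample"))
```

Running the block prints the k value the RFC lists for that vector and confirms that repeating the call yields the same k, which is exactly the property a signer wants when it cannot, or would rather not, depend on a random draw for each signature.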
     

Source: Feitian Technologies Product R&D Department

If you would like to learn about the imKey hardware wallet, you can contact us:

Official email: support@imkey.im

Hardware Wallet Security: Bluetooth or QR Code — Does It Really Matter?

Introduction

When it comes to securing your crypto, many people fixate on whether Bluetooth or QR codes are “safer.” But the truth is: security doesn’t hinge on the connection method. It comes down to one simple habit — checking what you sign on your device’s screen.

The small screen on your hardware wallet is where the real decision is made:

  • Is the amount exactly what you intended to send?
  • Is the address precise, down to the last digit?
  • Is the network the correct one?

Think of it like receiving a delivery: whether the courier arrives on a bike or on foot (Bluetooth or QR code) doesn’t determine if the package is genuine. You only know for sure when you open the box and inspect it yourself.

In security terms, this is known as WYSIWYS (What You See Is What You Sign) — the private key never leaves the device, you review the transaction on its screen, and you physically press a button to approve.

The Real “Failure Moments”

Instead of debating connection types, ask yourself: “Did I check the screen last time I made a transfer?”

Here are two all-too-familiar stories from users:

  • At home, late at night: You’re rushing to catch a price level. The room is dim, your phone’s screen protector reflects glare, and the QR code won’t focus. Frustrated, you finally scan and instinctively hit confirm — without glancing at the wallet screen. The wrong amount or address slips through.
  • At the office with a partner: You skim the preview on your phone, assume it’s correct, and proceed. But on the device screen, a single extra zero went unnoticed. Luckily, your partner spotted it in time.

In both cases, the issue wasn’t Bluetooth or QR codes. The problem was skipping the final confirmation.

Audit reports and wallet vendor reviews consistently show the same trend: mis-signing, blind-signing, and fake pages cause far more losses than Bluetooth hacks or QR code exploits. The communication channel should be secure, yes — but the real brake pedal is your device screen.

Why Bluetooth and QR Codes Both Work

Bluetooth
Bluetooth is the most common choice because it’s convenient and smooth — ideal for frequent transactions.

  • On first use, you pair your phone and device with a code, securing the connection.
  • A binding code maintains a one-to-one link.
  • Encryption protects against man-in-the-middle attacks.

The weak point isn’t Bluetooth itself — it’s whether you verify what you’re signing.

QR Codes
QR codes give users a sense of “offline safety.” Screen-to-screen transfer feels reassuring, but QR has its quirks too:

  • Fake sources, spoofed pages, or overlay codes (“quishing”) can lead you astray.
  • If the host device is compromised, even “offline” QR codes can be swapped.
  • Low light or reflections can cause mis-scans.

QR feels safe, but without verifying on the device screen, it’s only psychological comfort — not actual protection.

Choosing the Right Method

Ultimately, the choice comes down to your habits:

  • Frequent transfers, multi-chain activity, efficiency-focused → Bluetooth is easier.
  • Infrequent use, offline contexts, preference for peace of mind → QR codes are fine.

But regardless of the method, the key is to build muscle memory around screen verification.

Here’s a simple 10-second, three-step ritual before hitting confirm:

  1. Amount — check digits, currency, and decimals.
  2. Address — compare the first 6, any 4 in the middle, and the last 6 characters.
  3. Network — confirm you’re on the right chain (mainnet, sidechain, lookalike tokens).

Do all three on the device screen, then press the physical button. Those 10 seconds are worth far more than the Bluetooth vs. QR debate.
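The three-step ritual, written out as a check between what you meant to send and what the device screen shows. This is an added Python example for this handbook, not imKey or imToken code, and every address, amount and network name in it is constructed for the illustration. It reports which of the three items disagree, and it shows why reading the middle four characters matters: two addresses that agree in their first six and last six characters pass an ends-only comparison but not the full check.

```python
"""The three-point screen check (amount, address, network) as a comparison
between what the user intends and what the device screen shows.

Added example for this handbook; not imKey or imToken code.  Every address,
amount and network name here is constructed for the illustration."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class TxView:
    """One rendering of a transaction: the user's intent, or a screen's display."""
    amount: str    # as displayed, e.g. "1.0"
    asset: str     # ticker shown next to the amount
    address: str   # full recipient address string
    network: str   # chain name the device reports


def address_probe(address: str) -> tuple:
    """First 6, middle 4 and last 6 characters: the three places the ritual
    says to read off the device screen."""
    mid = len(address) // 2
    return address[:6], address[mid - 2:mid + 2], address[-6:]


def ends_only_match(a: str, b: str) -> bool:
    """The shortcut of comparing only both ends; kept here to show its gap."""
    return a[:6].lower() == b[:6].lower() and a[-6:].lower() == b[-6:].lower()


def screen_check(intended: TxView, shown: TxView) -> list:
    """Names of the items that disagree; an empty list means press the button."""
    problems = []
    try:
        # Decimal compares by value, so "1.0" and "1.00" agree while "10" does not
        if Decimal(intended.amount) != Decimal(shown.amount) or intended.asset != shown.asset:
            problems.append("amount")
    except InvalidOperation:
        problems.append("amount")  # unparsable amount on screen is a mismatch too
    # Whole-string comparison; hex addresses are case-insensitive apart from
    # EIP-55 checksum capitalisation, so compare lower-cased.
    if intended.address.lower() != shown.address.lower():
        problems.append("address")
    if intended.network != shown.network:
        problems.append("network")
    return problems


# Constructed addresses (not real accounts).  The second agrees with the first
# in its first six and last six characters but differs everywhere in between.
INTENDED_ADDRESS = "0x1234567890abcdef1234567890abcdef12345678"
ENDS_ALIKE_ADDRESS = (INTENDED_ADDRESS[:6]
                      + "0" * (len(INTENDED_ADDRESS) - 12)
                      + INTENDED_ADDRESS[-6:])

if __name__ == "__main__":
    intent = TxView("1.0", "ETH", INTENDED_ADDRESS, "Ethereum mainnet")
    extra_zero = TxView("10", "ETH", INTENDED_ADDRESS, "Ethereum mainnet")
    swapped = TxView("1.0", "ETH", ENDS_ALIKE_ADDRESS, "Ethereum mainnet")
    print("extra zero:", screen_check(intent, extra_zero))
    print("ends-only comparison accepts the other address:",
          ends_only_match(INTENDED_ADDRESS, ENDS_ALIKE_ADDRESS))
    print("middle 4:", address_probe(INTENDED_ADDRESS)[1], address_probe(ENDS_ALIKE_ADDRESS)[1])
    print("full check:", screen_check(intent, swapped))
```

The extra-zero case from the office story above comes back as an amount mismatch, the ends-alike address comes back as an address mismatch even though its first and last six characters are right, and a wrong chain name comes back as a network mismatch.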

 

Manage Risk With “Small First, Then Large”

Keep costs of mistakes low by scaling carefully:

  • New address/new scenario: first transfer ≤ $10 to confirm arrival.
  • Large transfers: add “two-person review” or even read the address aloud for verification.
  • Frequent addresses: whitelist them in a trusted wallet to reduce manual entry errors.

Clearing Up Two Common Myths

  • “Can Bluetooth carry malware?”
    No. Bluetooth is just a data channel, not a malware incubator. As long as your phone isn’t jailbroken or rooted, apps are sandboxed, making cross-app infection very unlikely.
  • “Aren’t QR codes always safer?”
    Not necessarily. The “offline” aspect provides psychological comfort, but QR codes still face risks like spoofed sources, fake pages, or scanning errors in poor lighting. Both methods are safe when used correctly — and unsafe when used carelessly.

Final Thoughts

There’s no such thing as 100% security. Security isn’t a single “connect” button — it’s a system built on architecture, processes, and habits.

Instead of obsessing over Bluetooth vs. QR codes, focus on continuous verification.

If you remember nothing else, remember these three rules:


Follow these three steps, and whether you use Bluetooth or QR codes, your hardware wallet will serve you well.

A Safer Solution for Offline Asset Management

When it comes to digital assets, mnemonic phrases are the most critical security information. It is essential to keep the following in mind when safeguarding your mnemonic phrases:

  1. If a mnemonic phrase is lost, no one can recover the lost digital assets.
  2. If a mnemonic phrase is leaked, others will have full control over your digital assets.

According to relevant data, 66.3% of digital asset attacks are caused by mnemonic leaks through remote attacks in online environments, leading to stolen assets. So how can we prevent such attacks and ensure the security of our assets?

The Optimal Asset Management Solution

Store small amounts in software wallets and large amounts in hardware wallets.

This is the industry-recognized best practice. Hardware wallets generate and store private keys in a completely offline environment while presenting them as a set of randomly generated mnemonic phrases for easy backup and recovery. This approach significantly reduces the risk of asset theft and ensures the safety of your funds.

imToken recommends the dual-layer offline asset management solution provided by imKey to offer comprehensive protection for your digital assets:

First Layer: Generate and Store Private Keys in a Fully Offline Environment

The imKey Pro hardware wallet (cold wallet) is designed to operate completely offline, offering an excellent solution for offline asset management:

  • Offline Private Key Generation: Private keys are generated in a completely offline environment, eliminating the risk of key leaks.
  • Offline Private Key Storage: Sensitive data, such as private keys, is securely stored in the secure chip of the hardware wallet, fully isolated from the internet to ensure data safety.
  • Physical Transaction Confirmation: When making a transaction, users must confirm it by physically pressing buttons on the hardware wallet. This mechanism, similar to the security features of a bank's USB security token, ensures each operation is secure and reliable.

Second Layer: Physically Backup Mnemonic Phrases Offline

Even if private keys are generated and stored in a hardware wallet, it’s still crucial to back up your mnemonic phrases offline. The imKey Mnemonic Storage HeirBox is an ideal physical backup tool with the following features:

  • High Durability: Made of stainless steel, it is waterproof, fireproof, and corrosion-resistant, effectively withstanding extreme environments.
  • Multiple Protections: Ensures offline storage of mnemonic phrases while safeguarding against accidental loss or damage due to disasters.

The Best Practice for Offline Asset Management

Offline asset management is currently the gold standard in digital asset security. By using the imKey Pro hardware wallet along with the Mnemonic Storage HeirBox, you can effectively prevent your private keys and mnemonic phrases from being leaked, providing comprehensive protection for your digital assets.

How Do Hardware Wallets Safeguard Your Digital Assets?

Introduction

With the widespread adoption of digital assets, users face increasing threats from cyberattacks. Ensuring the security of digital assets has become one of the most pressing concerns for many. Among various solutions, hardware wallets are considered the most reliable way to protect digital assets. In this article, we will explore the basic principles of hardware wallets, the importance of secure chips, risks associated with hardware wallets, and preventative measures to help you better understand their functionality and security features.

How Hardware Wallets Work

A hardware wallet is a physical device designed to generate and manage private keys. Unlike software wallets that store private keys locally on computers or mobile devices, hardware wallets keep private keys in an isolated environment. Every interaction requires physical confirmation via the device, effectively reducing the risks of hacks and malware attacks.

The Role of Private Keys

In asymmetric cryptography, private and public keys work together. When signing a transaction with a wallet, the private key encrypts the transaction summary to create a digital signature. This signature, along with the transaction, is broadcast to the blockchain. Validators use the public key to verify the signature's authenticity, ensuring only valid transactions are executed.

Control over a wallet address is entirely dependent on access to its private key, making private key backups absolutely essential.

Here’s an example of how a private key looks:
56f759ece75f0ab1b783893cbe390288978d4d4ff24dd233245b4285fcc31cf6

Since private keys are difficult to memorize or manage manually, the BIP-39 proposal introduced seed phrases. A seed phrase is a human-readable representation of a private key, making backups easier. Having the seed phrase allows you to restore the private key and regain access to your wallet.

How Are Private Keys Generated?

Private key generation depends on two factors: a random number (X) and a cryptographic algorithm (f). Private keys are created using the formula:
Private Key = f(X)

This process is offline and does not require an internet connection. The quality of randomness in X determines the security of the private key.

Random Number Quality

High-quality random numbers must meet these criteria:

  1. Randomness: Numbers should have uniform distribution without statistical bias.
  2. Unpredictability: Knowing part of the sequence and the algorithm should not allow predictions of the rest.
  3. Irreproducibility: Without storing the original sequence, identical results cannot be reproduced.

Hardware wallets generate true random numbers using physical processes like electronic noise or quantum effects, unlike software wallets that rely on pseudo-random numbers from variables like mouse movements or timestamps.

Where Are Private Keys Stored?

Wallets are categorized into two types based on private key storage:

  1. Hot Wallets: Private keys are generated and stored on internet-connected devices. While convenient, hot wallets are vulnerable to hacking, malware, and phishing attacks. Examples include software wallets like MetaMask and imToken.
  2. Cold Wallets: Private keys are generated and stored offline, typically in secure chips within hardware wallets. This isolation prevents exposure to network threats. Hardware wallets like Ledger and imKey fall under this category.

Broadcasting Transactions While Staying Offline

Hardware wallets use secure chips to generate and store private keys offline. Acting as "offline signers," these devices require an internet-connected device to broadcast transactions to the blockchain.

Here’s how it works:

  1. Transaction data is sent from the online device to the hardware wallet via USB, Bluetooth, or QR code.
  2. The hardware wallet signs the transaction with the private key and sends the signed data back.
  3. The online device broadcasts the signed transaction to the blockchain.

Throughout this process, the private key remains in the secure chip, never exposed to the online environment.

The Importance of Secure Chips

What Is a Secure Chip?

A secure chip is a microcomputer designed for data protection and encryption. At its core is a Secure Element (SE), which provides:

  1. Data Protection: A secure storage area for sensitive information like private keys.
  2. Secure Operations: High-quality random number generation and cryptographic computations in a physically isolated environment.

How Do Secure Chips Protect Data?

Secure chips employ multiple layers of defense against attacks:

  • Electronic Attacks: Access control and encryption ensure only authorized software can interact with the chip.
  • Physical Attacks: Chips are designed to resist physical tampering, including extreme environmental conditions, power analysis, and electromagnetic interference.

Secure chips are evaluated using the Common Criteria (CC) standard. Most hardware wallets use CC EAL 5+ chips, while advanced devices like the imKey Pro employ CC EAL 6+ chips, offering military-grade security.

Risks Facing Hardware Wallets

While hardware wallets provide robust security, they are not immune to risks such as:

1. Supply Chain Attacks

Attackers may tamper with hardware wallets during production or distribution. To minimize this risk:

  • Purchase wallets only from official or certified distributors.
  • Inspect original packaging, tamper-proof seals, and perform activation checks.

2. Phishing and Hacking

Even with a hardware wallet, phishing attacks and social engineering can compromise security. Protect your seed phrase and private key by:

  • Backing up seed phrases offline.
  • Never sharing sensitive information with others.
  • Avoiding clipboard use or transmitting seed phrases over the internet.

3. Firmware Vulnerabilities

Keep your hardware wallet firmware up to date to patch security flaws. Follow official announcements for updates and security advisories.

Open-Source vs. Closed-Source Debate

Open-source software promotes transparency, enabling community-driven audits and improvements. However, it can also expose vulnerabilities if malicious actors exploit publicly available code. Closed-source wallets rely on independent security audits, with brand reputation and trust playing a critical role in user confidence.

Conclusion

Hardware wallets are one of the most reliable tools for managing digital assets securely. By isolating private keys from internet exposure and leveraging secure chips for offline storage and transaction signing, they significantly reduce risks associated with hacking and malware. However, users must remain vigilant about supply chain security, phishing attempts, and firmware updates to fully benefit from the security features of a hardware wallet.

When choosing a hardware wallet, consider trusted brands with a strong reputation and recognized security certifications to protect your digital assets effectively.

Important Notice: imKey sells physical security hardware products only and does not provide any virtual asset trading, custody, or funds-related services. References to third-party wallets, exchanges, or decentralized applications are for compatibility purposes only; related functions and services are provided independently by third parties.

imKey’s Four-Pillar Security Framework: Comprehensive Protection for Your Digital Assets

imKey has established a robust security infrastructure built upon four core pillars—Security Design, Secure Supply Chain, Security Education, and Security Certifications. Together, these pillars form an end-to-end protection system that safeguards users’ digital assets from every angle.

As the blockchain industry continues to expand, security has become a fundamental concern for every digital asset holder. As a leading hardware wallet provider, imKey is dedicated to delivering reliable and uncompromising security. By developing a four-pillar security framework, imKey not only excels in hardware and software design, but also sets industry benchmarks in supply chain integrity, user education, and trusted certifications.

Let’s take a deep dive into how imKey’s comprehensive security framework protects your crypto assets consistently and effectively.

I. Security Design

From Secure Chips to System Architecture — Built for Maximum Protection

imKey hardware wallets are powered by secure chips from Infineon, a world-renowned semiconductor manufacturer. Within this isolated security environment, private keys and other sensitive data are generated and stored entirely offline. The chip is certified at CC EAL6+ High and EMVCo, providing one of the highest available levels of assurance for smart security hardware.

Infineon secure chips are widely deployed across high-security applications:

  1. Financial payment systems: Banking cards, debit/credit cards
  2. Digital identity: ePassports, national ID, social security and health cards
  3. Public transit: Metro/bus ticketing that requires fast, secure transactions
  4. Access control: Building access cards, parking systems
  5. Mobile/NFC payments: Secure mobile wallets and contactless payment modules

Single-Chip Secure Architecture — Reduced Attack Surfaces, Enhanced Trust

The imKey Pro hardware wallet features a single secure-element architecture, integrating all critical functionalities into one high-performance secure chip. This design:

  • Simplifies the hardware structure
  • Minimizes potential attack surfaces
  • Restricts all sensitive operations to a sealed internal environment
  • Eliminates external bus transmissions, preventing eavesdropping or MITM attacks

This approach provides strong resistance to both physical and digital attacks.

Layered Security Reinforcement — A Hardened Defense Perimeter

In addition to trusted secure-element hardware, imKey implements robust multi-layer protection across both firmware and hardware environments.

1. Secure PIN Protection

  • All wallet operations require correct PIN authentication
  • Auto-lock after 5 minutes of inactivity
  • After five incorrect attempts, all sensitive data is permanently erased, preventing brute-force attacks

2. Binding Code Mechanism

During initial pairing, imKey and imToken perform:

  • Mutual public-key binding
  • Binding code verification
  • Secure anti-MITM validation for Bluetooth communication

This ensures both ends of the communication channel remain authentic and trusted.

3. Device Authenticity Verification

On first-time setup, imKey performs a secure cloud-based authenticity check using hardware security modules (HSMs). Only genuine, officially manufactured imKey devices will pass.

Two additional in-app verification methods help prevent social engineering attacks:

✔ Check initial boot state

Ensure the device displays the standard activation flow: Activation → Set PIN → Create Wallet → Backup Seed Phrase.

If the device asks for a PIN on first boot, it may be unsafe. Stop using it immediately and contact support.

✔ Check activation status

Users can quickly verify device activation via:
👉 https://imkey.im/pages/sn-check

4. Secure Communication — SCP11 Protocol

imKey uses SCP11, a state-of-the-art secure channel protocol based on asymmetric cryptography and PKI. It ensures:

  • Mutual authentication
  • Data integrity
  • Confidentiality protection

SCP11 is widely regarded as one of the most secure communication protocols for modern secure elements.

5. Applet Integrity Verification (DAP)

To prevent unauthorized applications:

  • imKey enforces mandatory DAP (Data Authentication Pattern) verification
  • Only audited, cryptographically signed applets can be installed
  • Verification public keys are permanently provisioned into the secure chip
  • No tampered or untrusted code can enter the device

This guarantees the security and authenticity of all on-device applications.

6. What-You-See-Is-What-You-Sign (WYSIWYS)

imKey parses every transaction and displays the actual details on its screen:

  • Amount
  • Address
  • Fee

Signing occurs only after your physical confirmation, ensuring:

✔ No app-side data manipulation
✔ No intercepted Bluetooth transmission
✔ No hidden payloads injected into the signature

Together with imKey’s advanced risk-control system, every signed transaction is fully transparent and trustworthy.
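The offline-signing flow described earlier (the online device builds and broadcasts, the secure element only signs) and the WYSIWYS check above, as one combined added example; this is illustrative Python, not imKey's own code or firmware. It assumes a constructed 36-byte transaction layout (recipient, amount, fee) and uses a Lamport one-time hash-based signature in place of the secp256k1 ECDSA a real wallet uses, so that the online side can verify with the public key alone.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def parse_tx(raw: bytes) -> dict:
    """Constructed 36-byte format for this example (not a real chain format):
    20-byte recipient || 8-byte amount || 8-byte fee, integers big-endian."""
    if len(raw) != 36:
        raise ValueError("malformed transaction")
    return {"to": raw[:20].hex(),
            "amount": int.from_bytes(raw[20:28], "big"),
            "fee": int.from_bytes(raw[28:36], "big")}

class SecureElement:
    """Stand-in for the secure chip: the private key never leaves this object."""
    def __init__(self):
        # Lamport one-time key (stand-in for secp256k1 ECDSA, stdlib-only):
        # 256 pairs of 32-byte secrets; the public key is their hashes.
        self._sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        self.public_key = [(sha256(a), sha256(b)) for a, b in self._sk]
        self._used = False  # reusing a Lamport key leaks it: sign once only

    def sign(self, raw_tx: bytes, confirm):
        """Return the signature, or None if the user declines on the device."""
        if self._used:
            raise RuntimeError("one-time key already used; use a fresh key")
        shown = parse_tx(raw_tx)      # WYSIWYS: screen content comes from the raw bytes
        if not confirm(shown):        # physical confirmation on the device
            return None
        self._used = True
        bits = int.from_bytes(sha256(raw_tx), "big")
        return [self._sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def verify(public_key, raw_tx: bytes, signature) -> bool:
    """What the network checks: needs only the public key and the signature."""
    bits = int.from_bytes(sha256(raw_tx), "big")
    return all(sha256(signature[i]) == public_key[i][(bits >> (255 - i)) & 1]
               for i in range(256))

def build_tx(to: bytes, amount: int, fee: int) -> bytes:
    return to + amount.to_bytes(8, "big") + fee.to_bytes(8, "big")

def online_app_flow(device: SecureElement, raw_tx: bytes, intended: dict) -> bool:
    """Online side: relays raw_tx to the device and broadcasts only a valid
    signature; the user approves only if the device screen matches their intent."""
    sig = device.sign(raw_tx, lambda shown: shown == intended)
    return sig is not None and verify(device.public_key, raw_tx, sig)
```

Because the device derives the displayed fields from the raw bytes rather than from a summary supplied by the app, a transaction that differs from what the user intended is visible on the device screen and simply never gets signed.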

Overall, imKey’s layered architecture and permission-based restrictions effectively prevent remote control, unauthorized access, and malicious interference—ensuring your assets remain secure at all times.

II. Secure Supply Chain

Component Traceability — Authenticity Starts at the Source

imKey partners with Feitian Technologies (300386), a globally recognized provider of digital security solutions. Feitian ensures:

  • Full traceability of every electronic component
  • Strict screening to eliminate counterfeit materials
  • Complete manufacturing and inspection records

Every imKey component can be traced back to its origin, ensuring authenticity and quality.

Controlled Manufacturing — Security at Every Stage

Throughout production, imKey follows secure hardware manufacturing standards:

  • Public keys are securely inserted during initialization
  • Data is injected with cryptographic signatures
  • The secure element verifies all signatures before finalization
  • Each device undergoes rigorous data-integrity checks

This prevents unauthorized data modification or backdoor insertion during manufacturing.

Transparent Logistics — Secure Delivery

To prevent device tampering during transport:

  • Only trusted logistics providers like SF Express and JD Logistics are used
  • Each device includes a laser-engraved serial number
  • Users can verify device activation status at any time

III. Security Education

Step-by-Step Guidance — Clear, User-Friendly Support

imKey offers comprehensive onboarding support:

  • Multi-language manuals
  • Illustrated step-by-step guides
  • Video tutorials covering activation, backups, and daily usage
  • Continuously updated content aligned with product evolution

Strengthening User Awareness — Security as a Habit

Security is not only technological—it’s behavioral. imKey empowers users through:

  • Regular security alerts (phishing, scam prevention, fake websites)
  • A learning hub with videos, documents, and interactive FAQs
  • Online security quizzes with rewards (discounts, points, etc.)

Community-Driven Support — Building a Knowledge Ecosystem

imKey cultivates an active user community:

  • Online forums for sharing best practices
  • imKey team participation in community discussions
  • Responsive customer support trained in security
  • Online workshops and security webinars
  • Feedback loops that continuously improve product quality and safety

IV. Security Certifications

Globally Recognized Security — Verified by Industry Standards

imKey’s core components have passed multiple international certifications:

  • CC EAL6+ (High)
  • EMVCo
  • FCC (USA)
  • CE (EU)
  • TELEC (Japan)

Feitian provides architecture design, hardware customization, and secure code reviews. imToken performs independent testing across multiple stages.

Additionally, imKey undergoes comprehensive audits by KnownSec, covering:

  • Product design
  • Hardware boards
  • API and communication flows
  • Application logic
  • Security testing
  • Supported asset applications

Audit conclusion: “Secure.”

Regulatory Compliance — Trusted Worldwide

imKey adheres to international regulations and industry requirements, ensuring legality and confidence across global markets.

Conclusion

Through its four-pillar security architecture and six years of real-world validation with zero security incidents, imKey has earned enduring trust and reputation.

Going forward, imKey will continue to focus on security innovation, ensuring that users have access to the most reliable protection. In the digital future ahead, imKey will remain at your side—safeguarding your assets with unwavering security.
