December 1

We're Going To The Moon!

Good, you made it. We're going to the moon and we need your help!

Each day this month, you’ll journey to a new #MyCryptoWinter planet with a mission to complete. These missions make this industry safer, thus allowing us all to reach new heights.

They qualify you for prizes! Simply share what you learn on Twitter using the hashtag #MyCryptoWinter.

The more days you share, the more prizes you qualify for, thanks to our amazing partners: Ledger, Trezor, GridPlus, CoinGecko, MetaMask, Polygon, ENS, POAP, and Ponderware!

Your First Mission Starts Now:

Claim the kick-off POAP NFT on your MyCrypto Dashboard!

Then, share this tip so others can join us to create a safer, more secure industry!

December 2

Secure Your Discord Accounts and Servers

Everyone is using Discord these days—including scammers and hackers. Make sure your accounts and servers are secure.

In your Discord account settings:

  • Uncheck "Allow direct messages from server members"
  • Enable 2FA
  • Consider using Invisible mode to reduce the DMs from bots

In your Discord server settings:

  • Set up roles and permissions
  • Set a verification level
  • Enable server-wide 2FA
  • Require 2FA for moderation actions
  • Require new server members to gain a role before seeing other members

December 3

Don’t let FOMO trip you up!

We all get caught up in the FOMO—the Fear Of Missing Out—once in a while. It's especially prevalent in the crypto industry and can cause even the most seasoned veterans to act irrationally.

When emotions are driving your decisions and your actions, bad things can happen, quickly. In fact, you should immediately pause and reconsider your situation when your actions are driven primarily by an emotion like fear or greed.

FOMO'ing into something is a quick way to:

  • Get scammed
  • Get rugpulled
  • Lose all your money
  • Regrets

Look out for yourself and look out for your friends. Friends don't let friends FOMO.

December 4

Beware of Malicious Sites & Extensions

The internet is a magical place and also a place full of people who want nothing more than to steal all your cryptocurrency.

Whether you receive an email, a DM, or are trying to go to your favorite wallet, always remember:

  • Don't trust links
  • Don't click links
  • Don't click the top result in Google aka a Google ad to a fake version of popular products
  • Bookmark your crypto and finance websites
  • Triple-check where you are before entering any information
  • Avoid copying/pasting, typing, or QR-coding your secret recovery phrase or private keys in general
  • Verify the authenticity of applications using checksums where you can
  • Train yourself to recognize and avoid phishing scams
  • Pay attention to phishing tactics and scams that are happening so you can more easily recognize them. Share with your friends and colleagues.

December 5

Get and use a hardware wallet

Newcomers often confuse hardware wallets with USB drives. Nothing could be further from the truth.

Hardware wallets actually store your secret recovery phrases/private keys on a secure element within the device itself, ensuring no website or application ever has access to your keys.

They handle multiple types of cryptocurrency and work with a multitude of wallets, including MyCrypto and MetaMask.

Hardware Wallet Recommendations

  • Get a Ledger
  • Get a Trezor
  • Get a GridPlus

Ledger and Trezor are longtime favorites while GridPlus is newer and takes an Ethereum / EVM-first approach. Each is one of the best investments you can make to protect your crypto investments.

December 6

Lock Down Your Gmail / Google Accounts

Your Google account has your email, your photos, your cloud storage, even perhaps your Google Voice number—it needs to be secure. 😱

Go to myaccount.google.com/security

  • Click "2-Step Verification"
  • Set up a "security key" (a hardware key like a Yubikey), "authenticator app" (Google Authenticator), and "backup codes". Make sure to print or write down the backup codes & then delete them from your device.
  • While still on this page, scroll to "Devices that do not need a second step." Click "Revoke all".

Return to myaccount.google.com/security

  • Do not turn on "Recovery email." If it's already there, remove it by editing it, clearing all the text, and saving it.
  • Do not turn on "Recovery phone." If it's already there, remove it by editing it, clearing all the text, and saving it.
  • Under "Recently used devices" remove anything that isn't your primary phone and computer.
  • Review "Apps with access to your account." Remove anything you aren't actively using.

December 7

Never Share Your Screen (and don’t use remote desktop)

Sharing your screen is something you should never do once you hold cryptocurrency!

Alleycats are always on the prowl, so be sure you’re not accidentally showing someone you don’t know your Secret Recovery Phrases, Discord session key, or any other sensitive info when screensharing, or those tricky tabbies can abscond with your funds and NFTs.

Do not screenshare. Just don’t!

Additionally, don’t ever give anyone access to your computer via a remote desktop client. This is even MORE dangerous, because it’s not just viewing your screen - it’s complete control of your computer.

The MoonCats remind you to keep those diamond paws safe. Thanks to ponderware and the MoonCatRescue for this important safety tip!

December 8

Don’t trust links!

It's easy to let our guard down since most links we click take us exactly where we expect.

However, crypto is different. People are trying to trick you and steal your coins.

Clicking a link is more like blindly jumping into a random, windowless van and assuming you'll end up safely at home.

You should instead expect you may end up somewhere unfamiliar and potentially malicious.

Always try to use bookmarks or type in the URL instead of clicking the link or Googling it.

Hover over, or right-click and copy, the link to see the actual URL rather than trusting what is displayed (e.g. https://metamask.io).

Above all, don't trust—verify. Apply a huge dose of skepticism before entering your username, password, secret recovery phrase, or any personal information on any site, but especially one linked to you by an unknown third-party.
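The hover check above can be automated for a saved page or e-mail body. This is an added example, not MyCrypto code: it flags links whose visible text names one site while the href points to another. The sample HTML is constructed and the ".example" and "example.net" hosts are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a domain or URL, e.g. "metamask.io".
URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

def norm(host):
    # Lowercase and drop a leading "www." so trivial variants compare equal.
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (shown text, real href, reason)
        self._href = None    # href of the <a> we are inside, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        match = URLISH.match(shown)
        try:
            real = norm(urlsplit(self._href).hostname)
        except ValueError:      # malformed href
            real = ""
        if match and real:
            claimed = norm(match.group(1))
            if real.startswith(claimed + "."):
                # Trusted name used as the leading labels of another site.
                self.findings.append((shown, self._href, "lookalike-subdomain"))
            elif real != claimed:
                self.findings.append((shown, self._href, "mismatch"))
        self._href, self._text = None, []

def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample input.
SAMPLE = """
<a href="https://metamask.io/download">https://metamask.io</a>
<a href="https://metamask.io.wallet-login.example/">metamask.io</a>
<a href="https://support.example.net/claim">https://app.mycrypto.com</a>
<a href="https://www.ledger.com/">ledger.com</a>
<a href="https://ens.domains">get your own ENS name</a>
"""
```

Links whose text is not URL-like (the last sample line) are skipped, because there is no claimed destination to compare against; those still need the manual hover check.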

December 9

Don't get rugged!

A rug pull is when the creators of a hyped-up project take all your money and ride off into the sunset while you stand there sad, stunned, and poor.

The only way to avoid getting rugged is to not throw your money at these projects. Do your own research. Ask questions like:

  • Who is building it? How long have they been building it?
  • What do the creators have at stake? Their own money? Their own reputation?
  • Did they copy/paste a successful project or build something original?
  • Have they actually built anything or is it just empty promises?
  • Do the leaders spend more time hyping in Discord or pushing code to Github?

You can also learn from other people's mistakes and pain. One example is the recent "Squid Game" token. It used the hype and popularity around the popular Netflix show to convince people to FOMO in. Then they got the rug pulled out from under them.

December 10

2FA ALL THE THINGS

Two-factor authentication, or 2FA, requires you to provide two distinct pieces of information to log in, e.g. a password + a 6-digit code. You should enable 2FA on all your accounts and use an app to generate your personal 2FA codes. Do not use 2FA via your phone number / a text message.

  1. Download Google Authenticator on iOS or Android.
  2. Go into EVERY account. Banks, centralized exchanges, utility providers, emails, everything.
  3. Find your password or security settings and turn on 2FA via a "TOTP" or "Google Authenticator" or "QR Code."
  4. Pat yourself on the back for being a little bit safer.

Already done this? Then it's time to buy a Yubikey and use that device for 2FA.

December 11

Secure Your Secret Recovery Phrase

Anyone with your secret recovery phrase can steal ALL your coins and tokens and NFTs across ALL your accounts across ALL of the chains.

You need to ensure you always have access to it and only you have access to it.

✅ Do this:

  • 👍 Keep a physical backup (e.g. written on paper.)
  • 👍 Write it legibly, maybe multiple times, and store it in a secure place.
  • 👍 Make sure fire, water, and/or toddlers can't destroy it.
  • 👍 Consider a steel-based backup or offsite location.

❌ Don't do this:

  • 👎 Don't put it on your computer, phone, or in the cloud.
  • 👎 Don't send it via Slack or Email.
  • 👎 Don't take a photo of it.

If you have an old secret recovery phrase that you've been less careful with, create a brand new account.

December 12

Spotting All The Red Flags

If you're in crypto, you're a target. People want to steal your coins and NFTs. Here are some red flags to look out for:

  • 🚩 Unexpected DMs (Discord/Telegram/Twitter)
  • 🚩 People posing as "support agents"
  • 🚩 Customer support asking you to share your screen
  • 🚩 Receiving random links or file attachments (DO NOT CLICK!)
  • 🚩 Promises that seem too good to be true
  • 🚩 Friends or colleagues asking for a favor (usually "lending" them some crypto)

If any of these occur, you should stop what you're doing and verify the person is who they say they are. If you ignore these red flags, you'll likely end up losing all your money.

December 13

Join the Human-Readable Revolution

ENS, or the Ethereum Name Service, allows you to get a .eth domain name for your 0x address.

This transforms your impossible-to-memorize 0x address into one for humans!

For example, MyCrypto's donation address is 0x4bbeEB066eD09B7AEd07bF39EEe0460DFa261520 , but thanks to the ENS it's also mycrypto.eth

Just remember, anyone can see your ENS name. If you use your real name or long-held username, your friends, family, or random people may be able to connect your wallet's balance and transactions to you.

You can visit ens.domains to get your own ENS name today!

PS: If you already have an ENS name, head over to your MyCrypto dashboard to see if any of your addresses were airdropped $ENS tokens. $ENS tokens allow you to shape the future of ENS—it's not only a token, it's the power of responsibility!

December 14

Being Private Is Still Possible

The blockchain is here to help you retain privacy, but you still have to work for it; blockchain gives you the ability to be private if you choose to be.

  • Get a VPN. This is not specifically related to blockchain, but to your entire internet presence. A VPN will give you an extra layer of security when perusing the interwebs.
  • Use custom/private nodes. Using default Ethereum nodes is completely fine, but some choose to opt in to more private or decentralized options like Pocket Network.
  • Create transactions offline. Conducting business offline is one of the best things you can do for your privacy. Products like MyCrypto allow you to create transactions while offline and then broadcast them via an internet-connected device later on.
  • Use a mixer. A mixer like tornado.cash allows you to anonymously send funds to another Ethereum address without leaving a trail.

Privacy is difficult, but it isn't impossible. Start building up good habits and hygiene with the tips above and you'll be well on your way!

December 15

Losing Your Crypto

It's basically a rite of passage to lose funds in crypto-land. Whether you got rugpulled, shorted the wrong coin, or sent a bunch of coins into the abyss, it really sucks. 😥 Here are some pro-tips to help get past the worst of it.

  • Immediately pause, breathe, and make a plan for next steps before you take any further action. Don't double down on your trades or throw your computer.
  • If you're not sure what to do next (e.g. your coins were just stolen) try searching Reddit/Google/Twitter for folks who had a similar experience.
  • Remember that this happens to more people than you think. You are not alone or stupid. This world is different and hard.
  • Consider taking some time away from crypto to go outside, hit the gym, or reconnect with IRL friends/family.
  • Write down your experience and takeaways. It'll help you process the experience and, if you're comfortable, sharing your experience with others helps them learn.

Loss isn't fun but it's only through experience that we learn and grow. Welcome to crypto. ❤️

December 16

Revoke Unnecessary Token Allowances

Every single time you want to do something with a token, whether it's to trade it, deposit it, anything, you have to give that dapp permission to access that token.

This is true for all tokens - for ERC20 tokens and for NFTs.

Dapps sometimes only request permission to use the specific amount of token you're accessing, but sometimes ask for unlimited permission to move any amount of that token.

These permissions are dangerous. Even if the dapp is legitimate and doesn't intend to ruin your day by stealing that token, there's a chance they could get compromised in the future and the hacker can then go steal all the tokens they can.

How do you fix this? Revoke old and unnecessary token allowances via revoke.cash (or another revoking dapp!)

December 17

Watch Out For Fake NFTs

Everyone loves NFTs now, and bad people love making fake/copycat NFTs to trick you and take your money. This primarily happens on OpenSea and is easy to avoid if you know what to look for.

When looking to purchase an NFT on OpenSea:

  • First of all, do some research! Make sure it's something you actually want to invest in.
  • Double check that the collection URL is the same one provided by the actual project's social media and website. (Check multiple sources - sometimes bad actors can replace real links with fake ones)
  • Verify the contract address and make sure it matches the same one that the project is using.
  • Look for the OpenSea verification check mark. This indicates that the collection has been at least somewhat vetted by OpenSea and is not fake.
  • If it's a verified collection, make sure the check mark is in the right position. Some fake collections will cleverly put the check mark in their profile picture to look legitimate.

December 18

Revoking vs Disconnecting Wallets

Lately people have been "disconnecting" MetaMask from dapps or unplugging their hardware wallets, thinking that doing so will prevent thieves from stealing their crypto assets. Unfortunately, this is not the case.

When you connect MetaMask to a dapp, you're only giving that dapp the ability to view your address. Disconnecting your MetaMask from that dapp removes their ability to see your address—nothing more.

It does not remove any approvals you've given to smart contracts. It also doesn't prevent anyone from taking your coins if they get your Secret Recovery Phrase.

While there's no harm in disconnecting your MetaMask or hardware wallet, don't let that give you a false sense of security. See Day 16 for more on revoking.
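The approvals from Day 16 are recorded in the token contract by an approve transaction, which is why disconnecting a wallet leaves them in place and why revoking means sending a new approval of zero. The following added example (not MyCrypto or revoke.cash code) decodes the calldata a wallet asks you to sign, so an unlimited approval can be told apart from a limited one or a revoke. The spender address in the usage is constructed.

```python
APPROVE = "095ea7b3"               # approve(address,uint256): ERC-20 and ERC-721
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool): NFT collections
MAX_UINT256 = 2 ** 256 - 1         # the "unlimited" amount dapps commonly request

def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata; amount=0 is the revoke."""
    addr = bytes.fromhex(spender[2:])
    if len(addr) != 20 or not 0 <= amount <= MAX_UINT256:
        raise ValueError("bad spender address or amount")
    # ABI encoding: 4-byte selector, then each argument padded to 32 bytes.
    return ("0x" + APPROVE + addr.rjust(32, b"\0").hex()
            + amount.to_bytes(32, "big").hex())

def decode_approval(calldata):
    """Return (function, spender, scope) for approval calldata, else None.

    The scope labels read the second argument as an ERC-20 amount. For an
    ERC-721 approve() it is a token id, so "limited" there means one token.
    """
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    # Two 32-byte arguments expected; an address has 12 leading zero bytes.
    if len(raw) != 68 or any(raw[4:16]):
        return None
    selector = raw[:4].hex()
    spender = "0x" + raw[16:36].hex()
    value = int.from_bytes(raw[36:], "big")
    if selector == APPROVE:
        if value == 0:
            scope = "revoked"
        elif value == MAX_UINT256:
            scope = "unlimited"
        else:
            scope = "limited"
        return ("approve", spender, scope)
    if selector == SET_APPROVAL_FOR_ALL:
        # true hands the operator every token you hold in that collection.
        return ("setApprovalForAll", spender, "unlimited" if value else "revoked")
    return None

if __name__ == "__main__":
    spender = "0x" + "11" * 20   # constructed placeholder address
    for amount in (MAX_UINT256, 500, 0):
        print(decode_approval(encode_approve(spender, amount)))
```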

December 19

Don’t Let Them Hijack Your Phone

Someone somehow got access to all of your accounts, locked you out of everything, and started stealing your crypto. How has this happened?! There's a large chance it's a SIM swap - an attack where a bad actor uses social engineering to transfer your phone number to a phone they have with them.

Prevent a SIM-swap by:

  • Asking your cell phone provider to put an additional PIN on your account.
  • Using a Google Voice number for SMS verification for websites and services that insist on using SMS 2FA or otherwise require a phone number.
  • Securing your email accounts. This is the primary thing a bad actor wants access to after they've gotten control of your phone number, and the email often leads to everything else.
  • Reviewing your recovery options and backup emails. Make sure there are zero loose ends.

Above all else, one of the most important things you can do is to NEVER ever use text message (SMS) for 2FA - if you do, those text messages with codes will be sent directly to the bad actor after they've gotten a hold of your phone number.

December 20

Get A Password Manager

Don't be that person that uses the same password (or a form of it) for every account.

Don't be that person that has sticky notes all over the place with various passwords on them.

Don't be that person that uses account recovery once a week because they lost a password.

Be a person that uses a password manager. It does the hard work for you - it helps you safely create and store unique and strong passwords for everything.

Some great common options are LastPass and 1Password!

Some lesser-known but great open source options are KeePass and Bitwarden!

December 21

Remove Unnecessary Permissions

Application permissions are the back door that you always forget about.

Remember when you approved a "My Best Twitter Friends" or similar application? You gave this random app permission to tweet from your account... then forgot about it. Imagine if the creators of that application got compromised – then the malicious actors can tweet anything they want from your mouth… and we've already seen the damage that a #TwitterHack can cause.

Make sure the permissions of everything (mobile apps, Twitter apps, Google apps, etc.) are absolutely necessary, and remove those permissions when you're done.

Start with Twitter: visit the Connected Apps page and review/remove all the permissions you've allowed.

December 22

Your Secret Recovery Phrase is Secret

Keep it secret, keep it safe. Your Secret Recovery Phrase is the one key to rule them all, and it's only safe in your hands—if you lose it or if someone else gets their hands on it, disaster will ensue.

Secret Recovery Phrases are equivalent to any other single point of failure, like a social security number or a master password to a web service.

Store your Secret Recovery Phrase safely and DO NOT TYPE IT IN ANYWHERE, EVER. If a site or application is asking for it, quadruple check that you're in the right place, because if you put it in the wrong place, you're done for.

Learn more about storing a Secret Recovery Phrase safely and surviving in crypto.

December 23

Encryption Is Your Friend

If you don't want someone accessing your funds, messages, or anything else that should be private, you want to utilize encryption.

After all, cryptocurrency utilizes encryption, so why not encrypt everything else?!

Encrypt your computers and/or phones so your data stays private.

  • Windows/Mac & iPhone/Android
  • Linux

Use end-to-end encrypted messaging services so prying eyes can't see what you're talking about. Popular services include:

  • Status (also a crypto wallet!)
  • Signal
  • WhatsApp (owned by Facebook, so take that as you will)
  • Telegram (encryption not enabled by default)

December 24

Don’t Trust Random, Unexpected Token Drops

If you've been here long enough, you've probably seen many random, unexpected tokens sent to your account.

For the most part, these are harmless and are also worth no money. However, it's important to remember that tokens are smart contracts, and malicious actors can trick you into interacting with them and ultimately take your money:

  • Disable sending the token and display an error message that sends you to a phishing site.
  • Encourage you to buy more of the token, but disable selling the token so you lose your money.
  • In rarer cases, a malicious token can exploit a non-standard found in some legitimate tokens, which then allows that malicious token to steal your other tokens.

The moral of the story: If you see a token in your wallet that you didn't expect, it's likely that you should not interact with it.

We've made it! The #MyCryptoWinter 2021 moon mission was a success!

December 25

Thank you for joining MyCryptoWinter

Thank you for participating in MyCryptoWinter. We wouldn't have been able to get here without you, and we hope you learned some valuable lessons and acquired some tools along the way.

Additionally, thank you to our partners for equipping us with prizes and tips! Ledger, Trezor, GridPlus, CoinGecko, MetaMask, Polygon, ENS, POAP, and Ponderware were key to the success of this mission.

What's next? You still have until December 31st to share tips and join us on the moon. Once the new year begins, we'll gather up all your entries, distribute the POAPs, and announce the prize winners! Read the complete rules for all the information.