OKX Web3 Security Team: Protect your private keys like you protect your eyes.


Not Your Keys, Not Your Coins: decentralized freedom comes at the cost of absolute "private key security."

A Chainalysis report from July 2025 shows that 17%-23% of Bitcoin is permanently lost due to forgotten private keys or damaged devices. Since the private key represents asset ownership, once lost it cannot be reset, and there is no customer service to help recover it. If someone else obtains it, the stolen funds are almost impossible to recover. The on-chain world gives us freedom while handing the responsibility entirely back to us. As the on-chain ecosystem flourishes, we frequently encounter asset theft incidents of all kinds, but people often realize too late and find it difficult to determine which step went wrong: was the private key leaked? Did they click a phishing link? Did they download a trojan? Or was it some other operational mistake?

The OKX Web3 Security Team hopes to enhance everyone's awareness of private key security through this educational initiative, while also revisiting those easily overlooked security blind spots.

1. Why do private keys or mnemonic phrases get leaked?

First, let's correct a common misconception: many users believe that private key or mnemonic phrase leaks (hereinafter referred to as "private key leaks") usually occur during the use of wallets. In fact, if you download and use the official version of a major brand's wallet through legitimate channels, the private key generally will not be leaked during normal use. Most private key leaks occur due to improper storage and being obtained by others. Once someone has your private key, they can import it into any wallet and control the assets in that account.

In reality, there are many reasons for private key leaks, and the specific source is often difficult to trace in full. However, through the analysis of numerous industry cases and from assisting in investigations, we have summarized some typical scenarios and clues. (See below)

Image: Difficulties in analyzing the causes of private key theft, shared by SlowMist's Yu Xian.

2. Common private key leak scenarios and avoidance methods

(1) The most easily overlooked scenario: leaks during wallet creation

Case 1: Someone else creates the wallet on your behalf. Mr. Li had just started exploring Web3 and created a wallet with the help of a "helpful mentor." The mentor completed the wallet creation for him, set the transaction password, and guided him through deposits and transactions. Although the wallet had a transaction password, the mentor had already obtained his private key during the creation process. A few days later, the 5 ETH Mr. Li had deposited were transferred away within a short time. He then realized that the transaction password is only a local check: anyone who holds the private key can import it into any wallet and transfer his assets directly.

Security advice: Create the wallet independently and do not let anyone "help" or "handle it for you." If you suspect your private key may have been leaked, transfer your assets to a new wallet as soon as possible.
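As an added illustration of why the transaction password in Case 1 offered no protection (this is example code, not OKX Wallet code or a description of its internals): the public key, and therefore the account, is a pure function of the private key. The pure-Python secp256k1 derivation below assumes an Ethereum/Bitcoin-style 32-byte key; no password appears anywhere in the computation, so whoever holds the raw key reproduces exactly the same account in any wallet that accepts an import.

```python
# Added example (not OKX code): derive the secp256k1 public key from a raw
# private key in pure Python. A wallet's local "transaction password" gates
# the app's UI and its encrypted key file; it never enters this computation.

# secp256k1 domain parameters (public constants of the curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def _add(p, q):
    """Add two affine points on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p == -q
    if p == q:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def public_key(priv_hex):
    """Return the 33-byte compressed public key (hex) for a private key.

    The output depends only on the key material: importing the same key into
    a different wallet, with a different password or none, yields this value.
    """
    k = int(priv_hex, 16)
    if not 1 <= k < N:
        raise ValueError("private key out of range")
    x, y = _mul(k, (GX, GY))
    prefix = "02" if y % 2 == 0 else "03"
    return prefix + f"{x:064x}"


if __name__ == "__main__":
    # Constructed demo key (k = 1, never use a key like this for real funds).
    demo_key = "1".rjust(64, "0")
    print(public_key(demo_key))
```

Wallet software derives the address from this public key (a hash of it, whose exact form depends on the chain); the address is therefore also fixed by the private key alone. That is what "import it into any wallet" means in practice, and why a leaked key must be treated as a compromised account rather than a compromised app.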

Case 2: Creating a wallet via video conference screen sharing. Ms. Zhang created a wallet under the guidance of a remote "teacher" through video conference screen sharing. The teacher demonstrated step by step: downloading the wallet, generating the mnemonic phrase, depositing Gas, and purchasing tokens. The whole process seemed very "thoughtful," and at the end, the teacher reminded her, "Never leak your private key to anyone." However, she did not know that at the moment of screen sharing, the mnemonic phrase might have already been recorded. Two weeks later, approximately $12,000 worth of USDT in her account was transferred away.

Security advice: When creating a wallet, turn off screen sharing, recording, or projection features. If you suspect your private key may have been leaked, transfer your assets to a new wallet as soon as possible. Additionally, OKX Wallet does not allow screenshots, screen recordings, or projections on the pages displaying private keys and mnemonic phrases, effectively enhancing security.

Image: When screen sharing is detected, OKX Wallet automatically hides the mnemonic phrase and private key, preventing others from seeing the text.

(2) The most common scenario: improper storage of private keys leading to leaks

Case 3: Fake apps, a nightmare for Android users. Mr. Wang is a cautious user. After creating a wallet, he took a screenshot of the mnemonic phrase and saved it to his local photo album, never uploading it to the cloud, thinking this was safer. However, he downloaded a so-called "enhanced version of Telegram" from a forum, which had an icon and interface almost identical to the official version. In reality, it continuously scanned his phone's photo album in the background, using OCR (Optical Character Recognition) technology to identify the mnemonic phrase and automatically upload it to a hacker's server. Three months later, Mr. Wang's account was emptied, with losses exceeding $50,000. Technical analysis showed that his phone also had several malicious apps disguised as imToken, MetaMask, Google Authenticator, etc.

Case 4: BOM malicious application leading to mnemonic phrase leaks. On February 14, 2025, multiple users reported theft of wallet assets. On-chain data analysis revealed that these theft cases exhibited typical characteristics of mnemonic phrase/private key leaks. Further follow-up with the affected users found that most had installed and used an application called BOM. In-depth investigation showed that this application was actually a carefully disguised scam software. Criminals illegally obtained access to mnemonic phrases/private keys by inducing users to authorize, enabling systematic asset transfers while attempting to conceal their actions.

Security advice: Many users develop habits out of "convenience" that are actually the most dangerous. Therefore, we recommend:

1) Do not take screenshots of mnemonic phrases! Write them down on paper and store the paper in a safe place.
2) Always download apps from official channels, and do not casually try unknown "enhanced" or third-party modified versions.
3) If you notice device abnormalities, or have ever taken a screenshot of a private key, do not harbor any false hopes; immediately transfer your assets to a new wallet.
4) What has OKX done? To prevent users from taking screenshots on the private key and mnemonic phrase backup pages, we have disabled the screenshot function on these sensitive pages.

Image: OKX Wallet prohibits screenshots on the private key and mnemonic phrase pages.

Additionally, to reduce the risk of users installing fake apps, the Android version also provides a malicious app scanning feature.

Image: OKX Wallet Android version provides a malicious app scanning feature.

(3) The most common scenario, and the easiest to fall for: private keys phished by others

Case 5: Fake airdrop phishing. A well-known NFT project announced on Twitter that it would airdrop new tokens to holders. Within just 10 minutes of the announcement, multiple phishing websites appeared at the top of Google search results (promoted through paid ads). These phishing sites used domain names differing by only one letter (e.g., opensae.io instead of opensea.io), and their page design was almost identical to the official site. When users connected their wallets, the page displayed a message: "Network congestion, connection failed, please manually enter your mnemonic phrase to claim the airdrop." On that day, over 50 users fell victim, with total losses exceeding $200,000. The fastest theft moved a victim's assets just 3.7 seconds after the mnemonic phrase was entered.
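One defensive check for the near-miss domains in Case 5, written here as an added example rather than anything OKX ships: compare a visited host against an allow-list of trusted domains using optimal string alignment distance, so that a one-letter swap such as opensae.io against opensea.io is flagged before a user types anything into the page. The allow-list and the sample URLs are constructed for the demo; a real deployment would load its own list and normalise IDNA/punycode hosts first.

```python
# Added example (not OKX code): flag hosts that are near-misses of trusted
# domains, the lookalike pattern from Case 5 (opensae.io vs opensea.io).
from urllib.parse import urlsplit

# Constructed allow-list for the demo; load your own in real use.
TRUSTED_DOMAINS = ("opensea.io", "okx.com", "etherscan.io")


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and an adjacent transposition (ae <-> ea) also costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def host_of(url):
    """Lowercased host from a URL or bare domain, with a leading www. removed."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def classify(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ("trusted", domain), ("lookalike", nearest_trusted) or ("unknown", None)."""
    host = host_of(url)
    if host in trusted:
        return ("trusted", host)
    for t in trusted:                      # legitimate subdomains, e.g. api.etherscan.io
        if host.endswith("." + t):
            return ("trusted", t)
    distance, nearest = min((osa_distance(host, t), t) for t in trusted)
    if 0 < distance <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs: the Case 5 lookalike, a real subdomain, a Cyrillic 'о' homoglyph.
    for sample in ("https://opensae.io/claim", "https://api.etherscan.io",
                   "https://\u043epensea.io", "https://example.org"):
        print(sample, "->", classify(sample))
```

A distance threshold of 2 catches single typos, transpositions and single-character homoglyph substitutions against short domains, but it also means the check is only as good as the allow-list, and it says nothing about a site whose name is unrelated to any trusted brand; it complements, rather than replaces, the rule that no legitimate site ever asks for a mnemonic phrase.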

Case 6: Social engineering attack. Ms. Zhao encountered an operational issue in a project's Discord group, and an administrator with a very "official" avatar and nickname privately messaged her, claiming to be customer service wanting to help her. They sent her a link to a "verification page." Ms. Zhao believed it to be true, clicked the link, and entered her mnemonic phrase as instructed; the page looked exactly like the official site. Minutes later, her wallet suddenly had multiple assets transferred out, and she realized that the so-called administrator was actually a scammer. It is important to note that in addition to impersonating official administrators, scammers may also impersonate friends, project staff, or other trusted identities.

Security advice: A legitimate DApp will never ask for your private key, and neither will any trustworthy person. Remember: the private key is the key to your assets; it must be kept secure and never disclosed lightly.

3. Why is there little that wallet providers can do once a private key is leaked?

Some users, upon discovering that their private key may have been leaked and their assets transferred away, immediately contact the wallet team hoping we can provide further assistance. The reality, however, is that once the private key has been exposed, there is very little a wallet provider can still do.

Here, we can briefly outline our basic processing flow when we receive feedback about "stolen assets," and also explain why we often cannot directly "recover" on-chain assets:

First, we will assist users in tracing the flow of funds, analyzing whether the on-chain funds may be related to known hacker groups or address clusters. At the same time, we will advise users to transfer any remaining assets that have not been stolen as soon as possible to reduce the risk of further losses. For cases with significant amounts stolen, we will recommend that users promptly contact local law enforcement to seek help through judicial means. Our internal team will also conduct in-depth analysis of the incident, summarizing the hacker's methods to provide reference for future user protection.

As a tool provider, the wallet itself neither can nor has the authority to freeze or roll back on-chain assets. Once a hacker obtains the private key, they typically complete the fund transfer within seconds using automated scripts, leaving almost no window to intervene. Only when the stolen funds eventually flow into a centralized exchange can a temporary freeze be requested through judicial means.

When the funding chain is associated with hacker clusters we have identified, we will assist users in recalling whether they have recently engaged in any high-risk operations, thereby determining at which step the private key may have been exposed.

OKX has always prioritized user fund security, investing substantial resources over the years to establish a risk control system and design multiple verification mechanisms. Although these processes may seem cumbersome, they are all aimed at better protecting user asset security. It can be said that we are one of the teams in the industry that invests the most in security.

Image: OKX Wallet ranks first in security ratings.

As mentioned earlier, if users lack security awareness or have improper usage habits, they may still suffer losses due to phishing, private key leaks, and other reasons, regardless of which wallet they use. Therefore, properly safeguarding the private key is always the most critical security foundation. In addition to continuously enhancing the security capabilities of our products, we also strengthen case analysis and share security tips to help users better identify potential risk scenarios.

4. Summary of Private Key Security Tips

Disclaimer:

This article is for reference only. It is not intended to provide (i) investment advice or recommendations, (ii) offers, solicitations, or inducements to buy, sell, or hold digital assets, or (iii) financial, accounting, legal, or tax advice. Digital assets (including stablecoins and NFTs) are subject to market fluctuations, involve high risks, and may depreciate. For questions regarding whether trading or holding digital assets is suitable for you, please consult your legal/tax/investment professionals. The OKX Web3 Wallet is merely a self-custody wallet software service that allows you to discover and interact with third-party platforms; the OKX Web3 Wallet cannot control the services of such third-party platforms and assumes no responsibility for them. Not all products are available in all regions. You are responsible for understanding and complying with applicable local laws and regulations. The OKX Web3 Wallet and its related services are not provided by OKX Exchange and are governed by the terms of service of the OKX Web3 ecosystem.

Disclaimer: This article represents the author's personal views only and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice for anyone. Any dispute between users and the author is unrelated to this platform. If an article or image on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.
