Generation Bitcoin
node 001 // education terminal
module 070 track // safety priority: read first

Wallet safety, written before anything is installed.

Wallet safety is the page we most want every reader to finish. Most people lose Bitcoin not to clever cryptographic attacks but to ordinary mistakes that are easy to avoid once the underlying ideas are clear. Read this before downloading anything.

Read first. Nothing on this page recommends a specific wallet product, exchange, or custodian. The aim is concepts, not picks. Picks change every year; the underlying risks do not.

What a wallet actually is

A Bitcoin wallet is software that manages keys. Those keys are used to sign messages that authorise spending of Bitcoin already recorded on the network. The wallet does not literally hold any Bitcoin. There is no file inside the app that "is" your money. The money is the entry on the global ledger; the wallet is the thing that can prove you are allowed to spend it.

This is the single distinction that prevents the most common beginner mistakes. People who think the wallet "contains" their funds back up the wrong things, panic about the wrong screen, and trust the wrong recovery process. People who understand the keys-and-ledger relationship rarely lose funds through their own software.

The four words that matter most

Wallet
The software (or hardware) that manages your keys and signs transactions.
Key
A secret number that authorises spending of a specific piece of Bitcoin.
Recovery phrase
A short list of ordinary words that can recreate your keys on compatible software.
Funds
The entries on the global ledger that your keys are allowed to move.

Re-read those four definitions. If any of them feels fuzzy, stop. Trying to manage real keys without clean definitions is how losses happen.

Custodial versus self-custodial

In a custodial setup, a company holds the keys on your behalf. You log in with a username and a password, and the company moves Bitcoin in response to your instructions. This is closer to a bank account than to "holding Bitcoin yourself". You inherit the company's risk: their security, their solvency, their staff, and their regulator.

In a self-custodial setup, you hold the keys directly. There is no support line that can reset anything. If the recovery phrase is lost or stolen, the funds are usually gone. You inherit full responsibility, which is genuinely heavier than most beginners expect.

There is no right answer between the two. Each comes with a different shape of risk, and neither is a beginner default. The honest version of this conversation includes the trade-offs, not just a slogan.

The phishing pattern that catches almost everyone

Most Bitcoin theft is not technical. It is social. The pattern usually looks like this:

  1. You search for help with a wallet or exchange.
  2. A result appears that looks like official support: a website, an app store listing, a chat handle, or a phone number.
  3. The "support" agent asks you to "verify" your wallet by entering your recovery phrase, or to send a small test transaction.
  4. Funds disappear.

There is no scenario in which a real support team needs your recovery phrase. None. There is no verification step that requires you to type your phrase into a website, paste it into a chat, scan it with a QR reader, or read it aloud on a call. If anyone asks for your recovery phrase, the conversation is over.

Recovery phrase handling

Recovery phrases are usually twelve or twenty-four words. They are the single most important secret a self-custody user has. A few practical rules survive trends:

  • Write it on paper, or stamp it into metal. Never store it in a screenshot, photo, cloud document, password manager note, email draft, or text message.
  • Store it where it survives fire, flood, and you forgetting where you put it. Two copies in two locations beats one perfect copy in one location.
  • Never split the phrase casually. "I'll keep half here and half there" usually increases risk, not security.
  • Tell at least one trusted person it exists. Inheritance failure is a real, unromantic source of losses.
  • Never type the phrase into a website. Real wallet software does not ask for it on a normal day.

Device security basics

The computer or phone running a wallet is now a security-critical device. A few habits matter much more than any single product choice.

  • Keep the operating system and wallet software updated.
  • Avoid installing wallet software from links sent to you. Find it through the project's main site after typing the address yourself.
  • Treat browser extensions like new roommates: each one can read what you type.
  • Use a screen lock and a strong device passcode.
  • Be cautious with public Wi-Fi for anything related to wallets.

Test transactions and small amounts

It is common advice to "send a small test transaction first". That advice is correct, but it can also be misread. A test transaction proves the address you used works and that the path through your software does what you think it does. It does not prove that the address belongs to the right counterparty. If the address came from a phishing message, the test transaction is the loss; it is just the first instalment of it.

Treat addresses as you would treat IBANs given over the phone: verify them through a second channel, and never accept them only from a chat window or an email.

What to learn before moving real money

  1. The four definitions at the top of this page, in your own words.
  2. The difference between custodial and self-custodial, and which one you are using.
  3. The phishing pattern and a clear personal rule about recovery-phrase requests.
  4. Where your recovery phrase is, in physical reality, and who else knows that.
  5. What you will do if your phone or computer is lost, stolen, or damaged.

If any of those five answers is "I'm not sure", do not move funds yet. None of this is a moral failing. It is a checklist, and the checklist beats most attackers.

What this page deliberately does not include

We do not list wallet brands, hardware vendors, exchanges, or custodial services. Picking a specific product would require keeping up with audits, ownership changes, and policy shifts at a pace that does not match a small education site. The conceptual layer above outlives any of those picks, which is why we focus there.

External reference

For readers who want a primary reference on cryptographic key management beyond Bitcoin, the United States National Institute of Standards and Technology publishes broadly accessible documentation on cryptographic standards and key handling. It is dense, but it is the reference behind a lot of the good security writing in the field.

Source: NIST cryptographic standards and guidelines.

What to read next

Pair this page with FAQs for the small questions, courses for the structured curriculum, the glossary for shared vocabulary, and the support page if something on this page raises a personal situation that needs a careful next step.