Easing into Crypto, Part 25: Staying safe, preparing your taxes, avoiding scams, upgrading your security, and judging new projects

Michael Caloz


Welcome to my free cryptocurrency educational series. Each part builds on the previous ones, so I suggest starting at the beginning and moving through part by part:

(Disclaimer: I’m not an investment advisor and I don’t know your individual situation. I’m certainly not a tax expert either. I’ll share what’s worked for me, but please figure out what makes sense for you.)

This is part 25 in my cryptocurrency educational series.

It’s so easy to focus our attention on the more “fun” aspects of crypto like discovering intriguing new dapps and finding ways to make more money.

But today, I want to focus on a few things that will make everything a whole lot less fun if you neglect them.

First, let’s talk about scams.

Two things have happened in my life recently that make me want to write about this again: my friend lost tens of thousands of dollars from a scam, and I did a major upgrade to my general crypto security practices.

There are so many ways people are being scammed in crypto, but here’s the thing: yes, people are sometimes hacked or fall victim to some kind of technical exploit, but more often than not, it seems, what actually gets people into real trouble is social exploits (i.e., social engineering).

In other words, I think you’re less likely to lose your money by having a hacker break into your computer or a burglar steal your physical private key backup than you are by having someone trick you online and convince you to do something you shouldn’t.

My friend fell victim to a “romance scam,” which the FBI reports are increasingly common and have resulted in over $1B lost.

To help spread the word about how these things play out, I’m going to describe the key points:

  1. An attractive-looking woman contacted my friend on an online dating platform and expressed interest (I’m sure this happens with different gender configurations as well, but men are twice as likely to hold crypto as women).
    1. My friend is a middle-class guy without obvious wealth and who doesn’t mention anything about crypto in his profile. For whatever reason, he was still targeted.
    2. I know what you’re thinking: He was probably just an idiot for clicking some scam link that “she” sent him or for wiring “her” some money, right? No, it wasn’t nearly that obvious. The scammer spent many weeks chatting with him for hours at a time, and “she” expressed real interest in his hobbies and talked about “her” overlapping passions and dreams. The scammer didn’t mention crypto at all for a long time. In other words, for many weeks this seemed like a perfectly ordinary online dating match.
  2. At some point, the scammer explained that “her” father in China works in finance and taught “her” a lot about day-trading, so “she” picked it up as a hobby and got really good at it.
    1. But, “she” didn’t make a big deal of this—“she” just casually mentioned it.
    2. Then, since “she” supposedly liked my friend a lot, “she” offered to help him make money—but only if he was interested, no pressure. He was a bit doubtful but decided to at least give “her” a chance since they’d spend so much time talking already.
  3. The scammer sent him a link to a very simple website along with some account credentials (since this platform was supposedly invite-only).
    1. At this point, my friend wisely called me for counsel. I took one look at the website and told him there’s a 95% chance this is a scam. It was one of the shadiest-looking websites I’d ever seen.
    2. By the way, to be safe, I only opened the website on my phone (not my laptop that I use for crypto) and in an incognito window of my non-main browser.
  4. Unfortunately, as my friend kept talking with this person, “she” eventually convinced him that it wouldn’t hurt to just put a small amount of money in to try it out.
    1. He called me a few days later to say that “she” had been coaching him in real-time about when to buy and sell, and he’d made a good amount of money.
    2. This is where I regret not doing more to stop him. I asked him to tell me more about what that trading looked like, and it sounded to me like there was a chance that “she” might be using common Technical Analysis techniques to time her trades. So, if “she” really did grow up being trained by her father, there was some small chance that this was legit.
    3. And, even though the site looked super scammy, if she was Chinese, it seemed like it wasn’t impossible that this was a platform being run out of China that just had a really bad user interface (after all, many crypto dapps don’t have great user experience design). So, although I did tell him that this was very likely still a scam, I regret that I didn’t advise him even more strongly to back out immediately.
  5. Sadly, he called me again several days later to say that his small trades were making so much money that he had decided to put several tens of thousands of dollars into it.
    1. At this point, he wisely decided that he should probably take out at least half his profits before continuing on.
    2. Unfortunately though, the website seemed to have some kind of bug around withdrawing. As he chatted with “technical support,” they explained that it wasn’t working because he had to send them some money to pay some tax-related withdrawal fees before he could remove his money. At this point, my friend was starting to doubt what was going on and called to ask my opinion.
    3. As soon as I heard about the “bug” around withdrawing, I knew without a doubt that this was a scam. As you can probably guess, no matter what he tried from that moment on, the company and the scammer came up with various excuses, and the scammer eventually stopped responding to his messages on the dating platform.

You might be thinking that you would never fall for that, but remember that this person spent many weeks building trust before even bringing up crypto.

Here’s a similar story I just saw on Reddit today where the scammer spent three months building the relationship.

This wouldn’t happen to more savvy people though, right?


Even founders of crypto projects aren’t immune to social engineering scams

The founder of Arrow DAO, Thomasg.eth, explained in February how he was very nearly scammed out of $125M USD worth of ETH.

He lays it all out in detail in this Twitter thread, but the short summary is that a user joined his team’s Discord channel and volunteered to contribute to the project. Over the next couple of weeks, the scammer actively participated and delivered high-quality graphic designs that contributed real value (which the scammer was probably farming out to an actual designer).

From the Twitter thread: “I can’t overstate how committed and authentic [the scammer] has seemed through this entire process. We’re super aligned on vision and I’m feeling great that he’s so enthusiastic about what we’re working on.”

The social engineering process here involved real relationship-building, including multiple thoughtful emails, long chat conversations, and real work delivered.

Eventually, by preying on the human desire for fairness and reciprocity, the scammer asked if the founder would be willing to try out the NFT project that the scammer had been working on. That’s where the malicious smart contract would have sprung the trap if Thomas had accessed it from his main Ethereum wallet instead of a burner one.

From his Twitter: “Scammers are getting smarter. Before now, the best scam I’ve really encountered is basically ‘hi this is tech support please share your private key so we can help.’… Always verify, no matter how much you trust. These guys spent two weeks targeting my own specific weaknesses, and I was extremely close to falling for it. You can’t be too paranoid.”

He also offers some specific advice: “Token approvals can be super dangerous. I’m always going to be extremely cautious with them going forward. It makes sense to always put a cap on approvals when you can.”

Here’s an article explaining exactly how to do that.

Based on all that, here are a few of my takeaways for you:

  1. If you hear about a new investment opportunity, do a lot of Googling—check if people are talking about it on Reddit, Twitter, etc. If no one is discussing it (or if it’s just a few loud voices saying how amazing an opportunity it is), it’s probably not because you’re lucky enough to have gotten in early—it’s probably a scam.
  2. Ignore pretty much all direct messages on Twitter, Discord, and other platforms where people discuss crypto, especially if someone is trying to tell you about a brand new token or that they can help fix your MetaMask or whatever else.
  3. If you do decide to invest in a dapp or platform that I haven’t mentioned in any of my posts in this series, do so on a completely separate wallet (with a limited supply of ETH or whatever blockchain coin in it) and maybe even on a different browser too.
  4. Most importantly, only invest a small amount of money at first, and confirm that you can actually withdraw it (and any profits you’ve made) before you put more money in. This was the main place my friend failed—and I failed him. I wish I had explicitly told him that any money he thought he was making wasn’t actually real until he confirmed that he was able to withdraw it into a wallet or bank account he controlled. Otherwise, it doesn’t matter even if a platform claims you’ve quadrupled your investment.

What about new crypto projects, tokens, and dapps? What should you be looking for to know it’s legit?

Here’s a checklist to start your research:

  • How professional is the project’s website?
  • How polished and consistent is their social media presence?
  • Are there a lot of discussions happening about this project on Reddit or Twitter, or have not many people heard about this?
  • Who’s on the team? How much experience do they have? How well have their past projects done? Have you looked them up on social media and/or LinkedIn?
  • Has the project been audited by a third party?
  • How active is the project’s community? Do they have a solid group of mods in their Discord?
  • How strong is the whitepaper? How professional does it look? Does it seem like they copied any of it from other projects?
  • Does the project have a revenue model? How are they intending to make money? What does sustainability look like here?
  • What form are rewards paid in?
  • Is there a reasonable supply of the token? How much of the token supply is the development team keeping for themselves? What kind of tokenomics are in place?
    • (Remember the formula from Part 18 to calculate what a token’s market cap is based on the token price and circulating supply; is that market cap reasonable for this project?)

Here’s a helpful chart of what kind of ideal token distribution to look for (from @Cooopahtroopa):


Ok, I’ve discussed staying safe in terms of avoiding scams and picking good projects. But that’s not enough if you have a lot of money in crypto.

Now that I’m lucky enough to be making substantial passive income through crypto (mostly through StrongBlock), I decided to upgrade my security even further.

I’d had this on my todo list for months but I’d kept putting it off. Then it finally hit me one day that I had a large amount of money in a single account on a single Ledger hardware wallet. If that were compromised, I would feel absolutely gutted.

When I look at a large dollar amount in my traditional bank account app, I feel totally safe. I know that the bank has a huge number of security and insurance policies in place to protect my money. And since that’s how things have been for my entire adult life, it’s hard to snap my mind out of that paradigm to realize that none of that applies to crypto.

There’s no team of security experts or insurance plan protecting my MetaMask wallet. The large number value in there could just change to zero one day and there’s nothing at all I could do about it.

As you heard when I wrote about scams earlier, there are a whole lot of people out there right now actively working to steal your crypto. And not only individual people, but state actors as well. This is a very dangerous time in geopolitics, and countries like Russia or China could very well target United States citizens via hacking.

I finally realized it was time to take serious action.

Here are the three major steps I took:

Step #1: I bought a whole new MacBook Air solely to be used for crypto, and I won’t connect to dapps on any other device.

This might be the most paranoid thing on this list, but I kept seeing Twitter threads where people I respect were saying that if you’re making tens of thousands of dollars on crypto, it’s insane to not spend $1,000 on a separate computer to protect yourself against viruses or nefarious programs (especially if you ever visit any potentially shady parts of the Internet like porn websites, movie pirating websites, etc.).

On this new computer, I disabled anything related to iCloud, Google Drive, or anything else involving syncing files. I even created a brand new Apple account just for this MacBook, which might have been a bit overboard.

Literally the only software I’ll be using on there is Ledger Live and Brave browser.

I created bookmarks for all the common crypto platforms I use (SpookySwap, Beefy, StrongBlock, Matcha, etc.), and I made a rule for myself that I’ll no longer manually type in URL’s or Google those websites—I’ll only click the bookmarks.

There have been so, so many scams lately where slightly-misspelled versions of popular dapps somehow make it to the top of the Google search results. Be careful out there.

On Brave, I installed the following extensions:

On all my other computers, I uninstalled MetaMask and everything else related to crypto. My new rule is that I’ll literally never do anything related to crypto (other than research) on any computer other than the new one I’ve designated specifically for crypto.

Step #2: I took more serious action toward preserving my private keys and strengthening my passwords.

This is not only for my own peace of mind in case something happens to my computer, but it’s important for my inheritance as well. If something happens to me, my loved ones will need a way to access my crypto.

Remember that no one—even the police or the companies behind Ledger or MetaMask—can help your family access your crypto if you die or get in an accident that results in brain injury or memory loss.

For security reasons, I won’t lay out exactly what I did for my passwords and private keys, but I’ll tell you that I made at least two copies of everything and wrote everything out by hand without any electronic copies or photographs.

Then, I left detailed instructions for my partner—not only about how to access my private keys but about which wallets I use, how to access them on my computer, how to pay the maintenance fees on my StrongBlock nodes so they don’t disappear, how to cash those out, etc.

Also, I upgraded some of my passwords in general, particularly for my Google accounts since it would be dangerous for hackers to get access to my email. Check this out: How quickly to crack passwords

Step #3: I bought an additional Ledger and split up my assets across both devices and multiple accounts within.

There are two separate aspects to staying safe with a hardware wallet like Ledger: (a) the device itself and (b) the accounts within. While I’m certainly not an expert on the tech here, my understanding is this:

(a) Having two separate Ledger devices, each with their own private key, will protect me from my private key somehow being compromised. This is pretty unlikely. As far as I can tell, it should be virtually impossible for someone to obtain my private key through digital means since I haven’t typed it anywhere on my computer. The only way they should theoretically be able to get it is by breaking into my house and stealing one of the pieces of paper I have it written on.

(b) Within each Ledger, having multiple wallets is much more important. Splitting up my assets across multiple wallet accounts protects me from hacks, bad smart contracts, or dapps tricking me. If I have all my ETH in only one account, a malicious smart contract in a dapp could technically steal it all from me if I accidentally give it access. But, if I have half my ETH in one account and half in another—even on the same Ledger device—it should technically only be possible for the half on the account I connected with to be stolen.

By the way, in case it’s unclear to you, two accounts on the same Ledger have totally different private and public keys. Note though that the private keys are both derived from the same seed phrase, so both would be compromised if a thief stole the paper where you’d written that down.
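To make two of the points in this post concrete (the earlier advice to put a cap on token approvals, and the point just above that only the account you connected from is exposed), here is an added example that is not from the post or from any project it mentions: a toy in-memory model of ERC-20 approve/transferFrom semantics, run under an unlimited approval, a capped approval, and holdings split across two accounts. Account names, balances and the “dapp” spender are constructed for the simulation.

```python
"""Toy model of ERC-20 allowance semantics (approve / transferFrom).

Added example for this post, not code from the post itself. It simulates
how much a misbehaving contract could pull from a wallet under the setups
the post discusses. All balances, account names and the "dapp" spender
are constructed, not real addresses.
"""

UINT256_MAX = 2**256 - 1  # the "unlimited" allowance wallets often prompt for


class Token:
    """Minimal in-memory ERC-20: balances plus owner->spender allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Mirrors the ERC-20 checks: allowance first, then balance."""
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        # Convention (e.g. OpenZeppelin): a max-uint allowance is never
        # decremented, so it stays "unlimited" after every transfer.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token, spender, owner, sink):
    """Move everything the spender is allowed to take out of `owner`:
    the lesser of the owner's balance and the remaining allowance."""
    amount = min(token.balances.get(owner, 0), token.allowance(owner, spender))
    if amount:
        token.transfer_from(spender, owner, sink, amount)
    return amount


def at_risk(balance, approval_amount, split_into=1):
    """Return (tokens a misbehaving spender could take, tokens still held)
    for a total `balance` split evenly across `split_into` accounts, where
    only the connected account (acct0) grants `approval_amount` to the dapp."""
    per_account = balance // split_into
    accounts = {f"acct{i}": per_account for i in range(split_into)}
    token = Token(accounts)
    token.approve("acct0", "dapp", approval_amount)  # the approval prompt
    taken = drain(token, "dapp", "acct0", "drained")
    remaining = sum(token.balances[a] for a in accounts)
    return taken, remaining


if __name__ == "__main__":
    print("unlimited approval, one account :", at_risk(100, UINT256_MAX))
    print("capped approval of 10           :", at_risk(100, 10))
    print("unlimited approval, two accounts:", at_risk(100, UINT256_MAX, 2))
```

The first scenario loses the whole balance, the capped one loses only the cap, and the split one loses only the half sitting in the connected account; tokens in the other account are untouched because no allowance was ever granted from it.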

I also made sure that every single account in my MetaMask is a Ledger-based one, not just one that lives in MetaMask alone—notice the difference (one has the word “LEDGER” next to it).

So, my strategy now is to regularly split my coins and tokens into new accounts once I’ve accumulated a large enough amount in one place, especially ETH. And, whenever I’m about to use a new dapp that I don’t explicitly trust, I’ll move ETH (or whichever coin, depending on the blockchain I’m on) into a new account to connect from there.

Especially now that gas prices are regularly dramatically lower than they were a few months ago, this has become a lot more feasible. It might cost $5-10 USD to transfer ETH to a new account, which in my mind is a perfectly reasonable tax to pay to avoid losing it all.

Ok, one last topic for today:

Crypto taxes are a nightmare. Hopefully, I can make it a little less painful for you.

Well, here we are in late March. I procrastinated on getting this post out there so you might have already filed your taxes—sorry about that!

Just in case this is still relevant to you though (or to better prepare for next year), let’s talk about taxes.

The basics:

First of all, yes, you really need to mention your crypto on your taxes—at least in the United States, unless you only bought and held coins or tokens and never sold any, converted them, or invested them in some yield-generating strategy.

If you generated pretty much any yield, even if you didn’t convert it to US dollars, you have to report it.

(The exceptions I’m aware of are [a] staking yield or [b] writing something off as a business expense, such as using StrongBlock rewards to buy an additional StrongBlock node. Regarding staking yield, the precedent from the IRS seems to be that the staking rewards aren’t taxed at the time of receipt but rather at the time of sale. However, this probably doesn’t apply to things like Crypto.com Earn since you’re technically lending the centralized exchange your coins/tokens rather than staking them yourself. Again though, I’m definitely not a tax expert; please hire one if you’ve put a lot of money into crypto.)

In my case, thanks to all the investing I did with DeFi platforms, I had thousands of crypto transactions, so I definitely had to report. And dealing with that number of transactions manually is virtually impossible, so I turned to software to help me. 

After a lot of research, my two favorite platforms were CoinTracking.info and Koinly.io.

I eventually settled on CoinTracking. What’s great is you can connect directly to a wide variety of centralized exchanges and DeFi wallets to have your transactions automatically imported and categorized.

Sadly, it’s not perfect, which meant dozens of hours of extra work for me to polish things up; but again, I was dealing with over 4,000 transactions, so your situation might not be so bad.

Here are my best tips for using CoinTracking:

Tip #1: Here’s a great short video to get you started from Crypto Tax Girl:

Tip #2: Something I wish I’d known sooner:

After you’ve imported everything, change all your automatic import jobs to have a start date of today. For example, if you set up an automatic import (and automatic continual updates) for Coinbase Pro, you’d go to Enter Coins > Exchange Imports (API) > Coinbase Pro and then edit “Your running Coinbase Pro jobs” to make the “start date” today. 

If you don’t do that, then if you delete incorrect transactions, it’ll automatically re-add them. But if you tell it to only look from today onward, it’ll leave your old transactions alone.

Tip #3: Editing transactions:

After you’ve imported everything, to do your editing and polishing, you’re going to be spending most of your time on the Enter Coins > Overview & Manual Import page.

You can select multiple items at once by hitting the checkbox on the top one in the set you want then shift-clicking on the bottom one—that will select all the items in between as well.

As you go through your transactions, I recommend keeping both zapper.fi and debank.com open in other tabs and comparing when something looks off. In my experience, those other services sometimes show things more clearly or include transactions that somehow weren’t imported from your Ethereum wallet into CoinTracking.info automatically.

Tip #4: Remember that you might have tokens in your wallet that you didn’t choose to receive.

Check your transaction history for airdrops of scam tokens. In my experience, I found a variety of tokens in my wallet that I’d never seen before. Some quick Googling revealed that, as I suspected, they were not legitimate. 

This can be especially problematic in CoinTracking when a scam token claims to have a value of many thousands of dollars. Make sure that you change that value to 0 so you’re not taxed on it.

(When I first ran my numbers in CoinTracking.info, it thought I’d made a profit of over $2M USD, but that turned out to be because of two stupid scam tokens that each claimed to be worth around a million dollars.)

Tip #5: Three ways to make sure everything looks good:

After you’ve edited your transactions to make sure everything aligns with what Zapper or Debank report, how can you check if everything is good to go?

I’m no expert here, but these are the three ways that worked best for me:

  1. Go to Reporting > Balance by Exchange and check if everything in there makes sense. Do any coins or tokens in any of your exchanges have very high positive or negative values?
  2. Go to Reporting > Realized & Unrealized Gains. Sort by highest Unrealized Gain/Loss, then by lowest Unrealized Gain/Loss, then by highest Realized Gain/Loss, and finally by lowest Realized Gain/Loss. Do all of those look right? 
  3. Finally, go to Tax Report > Tax Report and generate your report. Then, notice if there are any warnings in the yellow triangle in the Total Trades column. Click Load Report > Show Warnings to find items that don’t have a cost basis.

Tip #6: Don’t go it alone.

This stuff gets really complicated. If you’ve done anything more than basic buying and holding of crypto, I highly recommend finding a tax accountant who understands crypto.

Here are some of the best-looking crypto tax experts I’ve found (I haven’t worked with each one personally, but I researched each one and they ticked all my boxes for credibility):

If you did as much DeFi investing as I did, taxes are not going to be easy. I suggest you set aside several full days to work on them.

One last thing: How to reduce your tax burden and maximize your earnings using S Corps, Self-Directed IRA’s, and Solo 401(k)’s

Once you have a lot of money in crypto (and/or you’re dealing with complex investments like StrongBlock), it’s important to operate within the right legal/tax structures.

For example, as I explained in Part 21, if you’re making more than $50K-$60K/year USD in profits from StrongBlock, you’ll probably want to create an S Corp if you live in the United States. Please check with your tax accountant and/or tax lawyer though. This will very much depend on your specific situation.

Then there are IRA’s.

As you probably know, IRA’s in general help you invest while paying less on taxes. With a Roth IRA in particular, you pay tax on your income at the beginning, but then the investment grows tax-free, meaning that when you take it out down the line (presumably when you’re wealthier and in a higher tax bracket), you won’t have to pay tax on your profits. That can make a huge difference.

Here are two special types of retirement accounts:

First, a Self-Directed IRA is like a Traditional IRA or Roth IRA except you can own other types of assets. Regular IRA’s typically only allow things like stocks and bonds, but a Self-Directed IRA allows you to invest in things like real estate and crypto.

Second, a Solo 401(k) is a retirement plan for people who own businesses (e.g., an LLC) that don’t have any employees other than themselves (and potentially their spouse). It’s better than a Traditional IRA in several ways, but here are the three most important ones:

  1. You get to contribute up to $62,000/year instead of $6,000.
  2. You get to choose exactly where and how your money is invested, including the ability to put it into things like real estate or crypto.
  3. You can borrow up to $50,000 or 50% of your account value (whichever is less), and you can use that money for anything.

The process takes around two months from initial application to actually having your money ready to go in the Solo 401(k). You can start with either the money in your Traditional IRA (not Roth) or a regular checking/savings account, and what you’ll end up with is:

  1. A new business bank account under your Trustee name, which is basically just a legal entity that represents you (I chose Titan Bank, but I don’t think this part matters much since you won’t be leaving money here for long);
  2. A new business account at a stock brokerage company to buy stocks, bonds, ETF’s, mutual funds, etc., which is also under your Trustee name (I chose TD Ameritrade);
  3. A new business account at a crypto on-ramp, which is also under your Trustee name (I chose Kraken).

If you want to go this route, here are some places to start:

This stuff gets complicated, and I personally hate bureaucracy like this; but, it can save you a lot of money.

Good luck!

Next time, I’m aiming to focus on where to get crypto advice, who to trust, whether technical analysis works, and more:

Part 26: How to decide who to trust in the crypto world, technical analysis & market cycles, and an update on my longish-term portfolio

P.S. Crypto is one of my newest passions, but my overarching focus in life is personal growth and intentional living. Do you want help with challenges like confidence, decision-making, or idea overwhelm? I’m a transformation coach who helps analytical thinkers get unstuck, find consistent motivation to take action, and design their life purpose. Read more about me here or my coaching practice here.
