If you are new to crypto, the mistakes you need to worry about are not the ones you see most of in articles. The viral horror stories are usually about traders who blew up their margin positions or got rugged on a memecoin. Those are trading mistakes. They matter, but the Trading pillar covers them. This guide is about the other kind. The operational mistakes. The ones that make you lose money because of how you handled the keys, the addresses, the wallets, and the transactions. Six patterns cover almost all of them.
What makes a crypto mistake worse than other money mistakes?
Most money mistakes are reversible. A wrong bank transfer can be clawed back. A bad credit-card charge can be disputed. A misplaced check can be reissued. A crypto mistake is different. The transaction signs, it broadcasts, and it confirms on a public ledger that no party controls. There is no chargeback. There is no support number that gets it back. The mistake stands.
That permanence is the reason this guide exists. The kinds of mistakes covered below all have the same shape: a single wrong action, a permanent loss, no recourse. The good news is they are all avoidable, and most of them are avoidable with a single rule per mistake.
Across Blofin's support inbox, the pattern is unmistakable. The mistakes that produce ticket volume are not the ones beginners worry about. Beginners ask us about hot-versus-cold wallets, multisig setups, and security audits. The actual tickets are about wrong-network deposits, impersonation messages claiming to be Blofin support on Telegram, and seed phrases users typed into "wallet validator" sites that asked for them. The mistakes are simpler than the worry would suggest, which is why they keep happening.
This article walks through six. Each one gets the mechanism that breaks (so you can spot the pattern in any new form), a clear way to avoid it, and a bridge to a companion guide for the full depth. For background on what self-custody actually requires before you take any of this on, see what is self-custody.
Mistake 1: Sending crypto to the wrong address or wrong network
The most common loss event we see. It comes in two flavours. The first is a typo in the address. You change one character, the new address happens to be valid because most random strings of hex characters are valid Ethereum addresses, the transaction signs and confirms, and the funds are now at an address nobody controls. They are permanent because there is no private key for that address. Nobody made it. It just is.
The second flavour is the wrong-network version. EVM-compatible chains (Ethereum, Polygon, Arbitrum, Optimism, BSC, Base, and many others) share the same address format. The same 0x address is technically valid on all of them. If you send USDC on Polygon to a friend who is expecting it on Ethereum, the transaction works perfectly. The USDC just arrives on the wrong chain. If your friend's wallet supports Polygon, they can switch networks and see the funds. If it does not, they need to add Polygon first. The funds are not lost. They are on the wrong chain for the wallet's current configuration.
Wrong-family sends (Bitcoin to Ethereum, Solana to Bitcoin) usually fail at the wallet stage because the address shapes do not match. The wallet rejects the input before signing. The dangerous case is wrong-network within the EVM family, because the address shape is correct and the transaction goes through.
The defence is the test transaction. Send a small amount first. Confirm it arrives at the right place on the right chain. Then send the rest. The cost of one extra transaction is a rounding error compared to the cost of explaining to your friend that their stablecoin is now on Polygon when they expected it on Ethereum. For the full address explainer including the three failure modes covered above, see what is a blockchain address.
Mistake 2: Backing up the seed phrase the wrong way
A seed phrase written on paper that lives in your house is a backup. A photo of the same seed phrase in your cloud storage is a leak. Beginners drift from the first to the second because the photo feels convenient. Then a cloud account gets compromised six months later and the wallet drains overnight.
The migration looks like this. Step one, you generate a seed phrase during wallet setup and write it down by hand on a piece of paper. Step two, you put the paper in a drawer and feel relieved that the backup is done. Step three, weeks later you think "what if the drawer burns down?" and you take a photo "just as a second copy." Step four, the photo syncs to iCloud or Google Photos automatically without your asking. Step five, sometimes you put the photo into a cloud notes app for easier searching. Step six, maybe you save it to a password manager because that feels like the most secure place.
By step six, the seed phrase is in: your phone's camera roll, the cloud photo backup of that camera roll, the notes app on every device synced to the same account, and the password manager's encrypted vault. The seed phrase is exactly as safe as the weakest place it has ever lived. The cloud account that holds the photo backup is now the entire security perimeter. If that account is breached, phished, or compromised through a recovered backup code from years ago, the wallet drains.
The fix is not "use a better password manager." The fix is keep the seed phrase entirely offline. Paper backup in a sealed envelope. Two copies in geographically separated locations. Optional upgrade to a metal seed plate for fire and flood resistance. Never photograph. Never type. Never email. Never share. Our full backup guide walks through the procedure step-by-step: see how to back up a seed phrase.
Mistake 3: Falling for fake support agents and impersonation scams
The single most reliable scam pattern in crypto. A "support agent" sends you a direct message on Telegram, Discord, X, or Reddit. They offer to help with an issue you have, or they invent one. They sound professional, use the right brand colours, and may even reference public information about your wallet or account. Then they ask you to "verify your wallet" by entering your seed phrase, or to "approve the recovery transaction" by signing something they send.
The variations are endless. "We noticed an issue with your account. Click this link to verify." "Your wallet was flagged for review. Send your seed phrase so we can clear it." "We can recover the funds you lost last week. There is a small verification fee." "Congratulations on your airdrop eligibility. Connect your wallet here to claim."
Real Blofin support does not DM users on Telegram, Discord, X, or anywhere else first. We do not ask for seed phrases under any circumstance. We do not promise to recover lost funds for a fee. Every single account-takeover support ticket we have ever opened began with the user accepting a DM from "support" they did not initiate. The rule is the rule: support requests go through the platform's official channel, not the other direction.
The defence is simple and absolute. Ignore unsolicited DMs from anyone claiming to be support. Do not click their links. Do not enter your seed phrase anywhere a chat agent points you to. If you actually need support, go to the platform's official help page, find the ticket system, and open a ticket yourself. That direction is the only direction that is safe. The seed phrase question deserves its own rule: nobody on Earth legitimately needs your seed phrase. If anyone asks, it is a scam.
Mistake 4: Signing a wallet drainer transaction
Wallet drainers are phishing sites that ask you to sign a transaction. The transaction does not look like a theft. It looks like "verify your wallet" or "claim your airdrop" or "approve to enter the app." What you actually sign is a permission for the attacker's contract to move your tokens. Within seconds of your signature, the funds are gone. Your seed phrase was never compromised. You signed the loss directly.
The mechanism is worth knowing because it trips up even experienced users. The most common drainer pattern uses a signature type called Permit or Permit2, defined by EIP-2612 (source: Ethereum Improvement Proposals — EIP-2612). The signature looks innocuous in the wallet's approval pop-up. The data it actually authorises grants the attacker withdrawal rights to the token you signed against. No further confirmation is needed. The attacker's contract pulls the tokens out, often immediately.
ScamSniffer's 2025 annual report puts numbers on this. $83.85 million was stolen across 106,106 victims during the year. Permit and Permit2 signatures drove 38 percent of the big losses (source: Scam Sniffer — 2025 Annual Phishing Report). Those numbers are down 83 percent from 2024, thanks to better wallet warnings and more aware users. But it is still the biggest loss class for self-custody software-wallet users.
The defence is at the moment of signing. Read the approval pop-up before you confirm anything. Check the contract address against the official app's documentation. Treat any "claim free tokens" or "verify your wallet" prompt as suspect until you have independently verified the source. A hardware wallet helps because it shows the approval on a separate screen the host computer cannot rewrite, but the same vigilance applies to both software and hardware. For the broader software-wallet context including the safer install flow, see software wallets guide.
Mistake 5: Buying hardware from the wrong place, or skipping the recovery test
Two setup-phase mistakes that compound. Either one is bad. Together they are how beginners lose newly-purchased hardware wallets weeks or months later, without realising what happened.
The first mistake is buying hardware from a third-party reseller. Marketplaces sometimes sell devices that look new but have already been initialised by the seller. The seller wrote down the seed phrase before sealing the box. The device works normally for months. You fund it with confidence because the hardware wallet is supposed to be the safest option. Then one day the balance crosses some threshold the seller was waiting for, and the wallet drains in a single transaction signed by the keys they have been holding since they shipped the box. The defence is to buy directly from the manufacturer's official website. Verify the tamper seal on arrival. The price difference is usually $5 to $15 against a $100 device. It is not worth the supply-chain exposure.
The second mistake is skipping the recovery test. After you generate a fresh seed phrase on a real hardware wallet and write down the words, the discipline says to wipe the device, restore from your written backup, and confirm the same address appears. Then and only then transfer real funds. Almost every beginner skips this step because the device works after setup and "the words look right." Then six months later the device fails, they go to restore from the paper, and discover word seven is misspelled or word fifteen is missing. The funds are gone because the backup never worked.
These two mistakes paired are how beginners lose newly-purchased hardware wallets within a year. Each alone has decent odds; together the odds are bad. The full setup discipline is in our hardware wallet guide and the recovery-test procedure is in our how to back up a seed phrase.
Mistake 6: Treating crypto like a regular savings account
Crypto is not a checking account, not a savings account, and not a brokerage. The model differences matter. Three specific mistakes follow from treating it like one of those things, and each has its own mechanism.
The first is leaving long-term holdings on an exchange. Reputable exchanges are designed for active trading and short-term holding. They are not designed as long-term storage. The 2022 FTX collapse made the platform-failure risk vivid even for well-known names. The Securities and Exchange Commission's investor bulletin frames the custody model question directly: who actually holds the keys to your assets (source: SEC Investor Bulletin — Crypto Asset Custody Basics). If the answer is the exchange, you carry platform risk. For most users that is fine for trading capital and wrong for long-term savings.
The second is having no inheritance plan. Self-custody is designed so that nobody but you can move your funds. The same design that keeps the funds safe from outsiders keeps them safe from your spouse, your children, and your executor. Without a plan, your crypto becomes inaccessible the moment something happens to you. The minimum plan is a sealed letter with your important documents that tells a trusted person the backup exists, where it lives, and how to use it. For the full depth on this often-overlooked dimension, see our crypto inheritance planning guide.
The third is using one wallet for everything. Active trading capital and long-term storage should not share keys. A wallet that connects to decentralized apps for daily use also has the highest exposure to drainer transactions. A wallet that holds long-term savings should sit in a separate setup that does not connect to apps and rarely transacts. Mixing the two means a drainer signature on the trading wallet drains your savings too. The fix is segregation: one wallet for the daily flow, a separate one for the long-term holdings, each with its own seed phrase backed up independently.
The pattern across all three sub-mistakes: crypto requires deliberately deciding where the funds live and why. The default of "all in one account because it is easier" is the design pattern of bank accounts and brokerages, neither of which carry the same permanence risk. For the broader framing on this, see our companion piece on self-custody, and for the contrast with platform-held custody, see custodial wallet versus self-custody.
Frequently asked questions about common crypto mistakes
What is the biggest crypto mistake to avoid?
The single biggest mistake is sharing the seed phrase. Every other mistake on this list has limits. Wrong-network sends sometimes recover. Wallet drainers might miss tokens you have hidden elsewhere. A bad backup leaves the device working until it fails. Sharing the seed phrase, voluntarily, with anyone who asked, including "support agents," ends with the entire wallet drained. The rule is absolute: the seed phrase is yours alone.
How do most beginners lose their crypto?
Pattern data from the 2025 ScamSniffer report and consistent support-ticket observation point to three dominant loss modes: signing wallet-drainer transactions at phishing sites (~38% of large losses), seed phrase exposure through bad backups or shared seeds, and wrong-network sends. Together these account for the majority of beginner losses. Chip-level hardware attacks, exotic protocol exploits, and similar advanced threats account for very little.
Can I get my crypto back after a mistake?
It depends on the mistake. Wrong EVM-chain deposits are usually recoverable through cross-chain bridges or wallet reconfiguration. Wrong-family sends (Bitcoin to Ethereum and similar) are usually unrecoverable. Wallet-drainer losses are unrecoverable because the transaction was a valid signed approval. Seed phrase exposure losses are unrecoverable. The realistic recovery rate across all mistake types combined is low, which is why prevention matters more than remediation.
Are crypto exchanges safe to use?
Reputable, regulated exchanges are safe for the use case they serve: active trading and short-term holding. They are not designed as long-term storage. The 2022 FTX collapse made the platform-failure risk vivid even for reputable-looking platforms. The honest pattern is to use exchanges for what they do well (trading, on-ramps, liquidity) and self-custody for long-term holdings, with the seed phrase backed up per the discipline in our hot wallet versus cold wallet comparison.
How do I spot a fake support agent?
Four reliable signals. They DMed you first. Real support does not. They are on Telegram, Discord, X, or Reddit. Real Blofin support runs through the platform's support ticket system. They ask for your seed phrase, password, or two-factor code. Real support never asks. They offer to recover funds for a fee. Real recovery, if it is possible at all, never works this way. Any one of these signals is enough to walk away.
What should I do if I have already made one of these mistakes?
The right action depends on which mistake. Wrong-network send means checking whether your wallet supports the chain the funds actually landed on. Drainer signature means moving any remaining tokens to a fresh wallet immediately, and checking unrevoked approvals on a tool like Revoke.cash. Seed phrase exposure means moving funds to a freshly generated wallet immediately. Lost device with working backup means restore from the backup on a new device. Lost device without backup means the funds are not recoverable.
Will making one of these mistakes ruin my crypto journey?
Almost certainly not. Most beginners make at least one of these mistakes at small scale during their first year, learn from it, and continue without repeating it. The mistakes that ruin people are the ones that happen at scale. Large balances on poor backups, full-portfolio drainer signatures, etc. The defensive posture is to make your inevitable mistake while your stakes are small, then carry the discipline forward as the stakes grow.
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include EIP-2612 (Permit signature specification), the Scam Sniffer 2025 annual phishing report, the SEC Investor Bulletin on Crypto Asset Custody Basics, BIP-39 (mnemonic specification), and consistent support-ticket pattern observation. All facts independently verified against cited documentation current as of May 2026. This article covers operational and security mistakes specifically; trading-strategy and investment-decision mistakes are out of scope and covered separately in the Blofin Trading pillar.
This article is for informational purposes only and does not constitute financial, legal, or investment advice. Cryptocurrency operations carry permanent consequences for mistakes; you should conduct your own research and consult qualified professionals before making custody decisions involving meaningful balances. Blofin Academy content reflects the state of public information at time of publication; security best practices and the threat landscape change frequently.