AMLBot Academy

Crypto Wallet Security: Private Keys, Public Addresses, and Seed Phrases Explained

AMLBot Team

15 min read
Updated: May 27, 2026
Crypto Wallet Security: Private Keys, Public Addresses, and Seed Phrases Explained

A crypto wallet on a phone or in a browser often looks like any other finance app — there is a balance at the top, a "Send" button below it, and a list of recent transactions underneath. The difference sits one layer down. What a user actually controls is not the coins themselves but the data that authorizes movement of those coins on a public ledger. The Consumer Financial Protection Bureau, in its June 2022 Consumer Advisory on Cryptocurrency Risks, noted that funds lost from a self-custodial crypto wallet generally do not benefit from the same dispute and reversal protections that apply to bank accounts under Regulation E. In practical terms, this is why a small set of definitions matters so much.

📖
The three pieces of data that the average user most often confuses are the public address (safe to share when receiving funds), the private key (never share), and the seed phrase (never share). Mixing these up — or letting somebody else convince you to mix them up — is by far the most common path to a compromised wallet, and it does not require any flaw in the blockchain itself.

This article walks through how access to a crypto wallet actually works, what each of the four core terms means, which information is safe to pass around, how wallet credentials are typically compromised in 2026, and what to do if yours have been.

How Crypto Wallet Security Actually Works

When someone says "my crypto is in my wallet," that is not quite what the system actually does. Coins, tokens, and balances are recorded on the blockchain — a public ledger maintained simultaneously across thousands of independent nodes. The wallet on a phone, browser, or hardware device is software that sits on top of that ledger and does three things:

  • Reads Balances From the Chain. The wallet queries the network and shows the user what is associated with their account.
  • Receives Incoming Funds. The wallet exposes a public address that anyone can send to.
  • Authorizes Outgoing Transactions. The wallet produces a cryptographic signature that the network accepts as proof a transaction is legitimate.

Only the third item determines whether funds can leave an account. The ability to send does not depend on owning a particular device or having a particular app installed. It depends on whether you — or somebody else — control the private key, or the data that can rebuild that key. During an ordinary transfer, the private key is never sent to the recipient or to the blockchain. The wallet uses it locally to sign a message, and only the signature and the transaction details are broadcast. That is why someone who only sees a public address cannot, on its own, move the associated funds. The simplest way to keep the three core elements straight is this:

  • Public Address → Used to receive funds.
  • Private Key → Used to control and sign transactions.
  • Seed Phrase → Used to restore access to a wallet and the accounts derived from it.

Custodial vs Self-Custodial Wallets

Not every crypto user has ever seen a seed phrase, and the reason for that is worth understanding before going further. There are two structurally different ways to "hold crypto," and the security model is different in each.

In a self-custodial wallet, the user holds the private keys and the seed phrase directly. The application is just an interface — the credentials live on the user's device, on paper, or on a hardware device. If those credentials are lost, no one can restore the funds. If those credentials are stolen, no one can freeze the resulting transactions or roll them back.

In a custodial account — most commonly an exchange, broker, or licensed crypto platform — the platform technically controls the keys on the user's behalf. The user logs in with an email, a password, and usually a second factor. From the user's perspective it feels like a regular online account because, operationally, it is one. The platform may freeze accounts, reverse internal transfers, or cooperate with law enforcement, but the trade-off is that the user does not have unilateral control over the assets.

The rest of this article — particularly the parts about seed phrases — applies most directly to people using self-custodial wallets. Custodial-account users still need to think about phishing and credential reuse, but they do not personally hold or back up the underlying cryptographic keys.

Public Address, Public Key, Private Key, and Seed Phrase: What Is the Difference?

These four terms are related, but they are not interchangeable, and the differences are not cosmetic. They describe distinct pieces of data with very different security properties.

Three points are worth fixing in your head before going further:

  • Public Address and Public Key Are Not the Same Thing. They are cryptographically related, but they sit at different layers and have different uses.
  • Sharing a Public Address Does Not Let Anyone Withdraw Funds. It is the equivalent of giving out a bank account number for an incoming transfer, not the equivalent of giving out a card.
  • Private Keys and Seed Phrases Stay Secret Always. There is no scenario in normal use in which either should be typed into a website, sent in a chat, or read aloud.
⚠️
A useful rule of thumb is this: if a website, app, or "support agent" treats a seed phrase or private key the way a normal service treats a username — something you paste, type into an open field, or read out — the request is almost certainly hostile, regardless of how convincing the surrounding context looks.

What Is a Private Key and Why Must It Stay Secret?

A private key is the secret that controls everything about a self-custodial wallet account. The blockchain itself does not have a concept of "rightful owner" the way a bank's database does. It only checks that a transaction carries a valid signature for the account being debited. Whoever produces that signature can move funds — and they can produce it if, and only if, they have the private key.

In day-to-day use, the user does not type a private key in by hand. The wallet stores it (encrypted at rest in most modern apps, isolated in a secure element on hardware wallets) and uses it internally when the user confirms a transfer. That is why a private key being "exposed" usually does not look like typing it into a field. It looks like installing a tampered app, restoring a wallet onto a phone with malware on it, or pasting raw key material into something that asks for it under a plausible-sounding pretext. This has two consequences that matter for every self-custody user:

  • There Is No Reset Button. When a password to an ordinary online service leaks, the user contacts support, resets it, and the old credential becomes useless. A private key cannot be revoked. Funds tied to that account stay reachable by anyone holding the key until the funds are moved out or the wallet is abandoned.
  • The Blockchain Cannot Tell You From a Thief. A correctly signed transaction is final at the protocol level. From the network's point of view, the only thing that occurred was a valid transfer authorized by a valid key. The fact that the key was stolen is not, by itself, something the blockchain can observe.
💡
This is the structural reason why many high-profile losses, including the Private-Key Compromise after a Major Hyperliquid Trade, sit in this category. The protocol behaved correctly, the smart contracts were not exploited, and yet funds moved. The vulnerability lived one layer above the chain, where a private key was being handled.

What Is a Seed Phrase and How Is It Different from a Private Key?

A seed phrase, sometimes called a recovery phrase or mnemonic phrase, is the back-up secret that a self-custodial wallet shows you, usually once, during initial setup. It is typically a sequence of 12 or 24 words drawn from a standardized word list. The convention dates back to BIP-39, the Bitcoin Improvement Proposal that became the de facto industry standard for mnemonic backups across most modern wallets. The part that surprises users is what those words actually unlock. A single seed phrase is not tied to a single private key. Following BIP-32 and BIP-44 derivation, it can deterministically generate many keys: different chains, different accounts, different addresses, all rebuilt from the same starting secret. Anyone who learns the seed phrase can reconstruct the entire family of accounts on their own device, without ever touching the original wallet app.

This asymmetry is what makes a leaked seed phrase so damaging. A compromised private key for one account is already a serious event. A compromised seed phrase can mean that every account that particular wallet ever generated, including ones the user may have forgotten about, is now reachable by someone else.

A Seed Phrase Is Not a Password Reset Tool

The single most useful piece of mental hygiene around seed phrases is this: a seed phrase does not behave like a password recovery code. It is not something that gets emailed to a user. It is not something a "support team" needs in order to verify identity. It is not a routine field on a customer-service form.

The only place a seed phrase belongs is being deliberately entered, by the wallet's owner, into a trusted wallet application that was opened on a known device — and only when intentionally restoring that wallet. Outside of that scenario, any request for a seed phrase should be treated as an attempted theft, regardless of how the request is framed or how authoritative the source claims to be.

The same logic applies to how seed phrases are stored. The following look harmless, but each of them effectively expands the wallet's attack surface to every account and device that can reach the storage location:

  • Screenshots. Saved in the phone's gallery and frequently backed up to cloud photo services by default.
  • Cloud-Synced Notes Apps. Any provider, any platform, stored as plain text.
  • Email Drafts. "Save a note to myself" routes the seed phrase through whichever email account is signed in.
  • Self-Sent Messenger Messages. Including the "Saved messages" feature in chat apps.
  • Pages Opened From Random Links. Any site that prompts the user to "validate" or "re-import" their wallet.
💡
The Trust Wallet Browser Extension Compromise is a useful illustration of what happens once seed phrases reach the wrong process. The attackers in that incident did not need to break any cryptography. They received mnemonic data through the compromised extension, and from there they could rebuild the affected wallets anywhere they liked.

What Can Be Shared and What Must Never Be Shared?

A common practical question — "What is actually safe to send to someone, and what isn't?" — has a short answer if the categories above are clear.

Information You Can Share When Necessary

Three pieces of wallet-related data may legitimately be passed to other people in normal use, and none of them, by itself, allow anyone to spend the user's funds:

  • Public Wallet Address. The destination given to receive incoming funds. Functionally similar to a bank account number for a credit transfer — enough for someone to send funds to the user, not enough to withdraw funds from the user.
  • Transaction Hash. Sometimes called a TxID, a transaction hash is a public identifier anyone can look up on a block explorer. Sharing it lets a counterparty verify that a transfer was made, or lets the user describe an incident clearly to investigators.
  • Network Name. "USDT on the Tron network" or "ETH on Ethereum mainnet" tells the sender which chain to use. The network itself is public information.
⚠️
A caveat is worth attaching. A public address does not give a third party control of funds, but it does expose the user's on-chain activity. Anyone with the address can read the balance, the history, and the patterns of behavior on a block explorer. That is why handing out a high-balance address — for example, by posting it publicly on social media — frequently attracts targeted phishing attempts, fake-support contacts, and address-poisoning behavior, even though the address by itself cannot be used to drain the wallet.

Information You Must Never Share

Anything in the following list, in any format and under any pretext, should be treated as bearer access to the wallet — like handing over the only key to a safe:

  • Private Key. In any form — copied as text, exported as a file, shown in a QR code.
  • Seed Phrase, Recovery Phrase, or Mnemonic Phrase. The full sequence, in the original order. Even partial fragments are dangerous — real attackers can brute-force the missing words.
  • Wallet Backup File. Encrypted backup files such as .json keystore exports are private keys behind a password. They should be treated like the key itself.
  • QR Code Containing Key Material. A QR code is just a visual representation of data. If the underlying data is a private key or seed phrase, the image is the secret.
  • Screen or Device Access. Allowing someone to view, photograph, or remote-control a device while the wallet or recovery data is on screen is functionally equivalent to handing over the credentials.
  • Signature Requests or Token Approvals That Are Not Understood. These do not reveal the private key directly, but they can grant an attacker the ability to move tokens later. Treat unexplained "Sign" or "Approve" prompts as untrusted.

How Private Keys and Seed Phrases Are Commonly Compromised

The reasons people lose access to wallets in 2026 are surprisingly repetitive. Across post-incident reviews and industry threat reports, a small set of patterns accounts for the majority of cases. They are mostly social and operational, not cryptographic. The blockchain rarely fails. The handoff between the user and the credentials is where things break.

  1. Fake Customer Support. An attacker poses as the support team of a wallet provider, an exchange, or a DeFi protocol — frequently reaching out first in Telegram, Discord, X, or in the reply thread of a user's own public complaint. The conversation steers toward "verifying your wallet" or "re-syncing your account," which in practice means asking for the seed phrase or private key. No legitimate support process needs either.
  2. Phishing Websites. A user is directed to a site that imitates a wallet, a token launch, or an airdrop claim page. The page asks the user to "connect" or "re-import" their wallet, often by pasting the seed phrase outright. Modern variants do not even require the seed phrase — they ask the user to sign a transaction or approval that quietly hands over assets.
  3. Malicious Browser Extensions or Compromised Applications. A wallet extension, a clipboard manager, or a developer tool with elevated permissions can read mnemonic data, swap copied addresses on the fly, or relay key material out. Supply-chain compromises — a legitimate package or extension silently updated with malicious code — fall into this category and are particularly difficult to detect at the user level, because the icon and the publisher both look familiar.
  4. Unsafe Digital Backups. Seed phrases written into a notes app that syncs to the cloud, screenshotted onto a phone backed up to a cloud account, or stored in email drafts effectively expand the wallet's attack surface to every account and device that can reach those files. An attacker who breaches one cloud account can sometimes harvest several wallets in a single sweep.
  5. Unclear Signatures and Token Approvals. This last category does not require the private key to leak at all. A signature request can authorize a token transfer, a permit, or an approval that gives an attacker permission to pull tokens later. The user feels safe because the seed phrase was never typed in — and yet the funds are still gone.
💡
For a wider view of the patterns and red flags that show up across all of these categories, see How to Avoid Crypto Scams in 2026.

Practical Crypto Wallet Security Checklist

The points below are the short, scannable version of everything above. They are written to stand on their own without context, so that a user can come back to them in a moment of doubt.

  • Never Share Your Private Key or Seed Phrase. Not with support, not with a friend, not in any chat, form, or call.
  • Store Your Seed Phrase Offline. Paper, metal, or another offline medium in a physically secure place.
  • Keep Recovery Data Out of Cloud Services. No screenshots, no email drafts, no cloud-synced notes.
  • Verify Wallet Apps and Extensions Before Installing or Updating. Match publisher, official domain, and version. Be cautious of look-alikes.
  • Ignore Unsolicited "Support" Messages. If they reach out first, they are not support.
  • Check the URL Before Connecting a Wallet. Phishing sites work because the user did not look at the address bar.
  • Review Transaction Details Before Signing. Read the destination, the amount, and the network — not just the prompt.
  • Be Careful With Token Approvals and Unknown Connection Requests. Revoke approvals you no longer use.
  • Separate Daily-Use Wallets From High-Value Wallets. A "hot" wallet for routine activity, a separate wallet for assets that do not need to move often.
  • Consider a Hardware Wallet for Assets You Are Not Actively Using. It reduces some risks, but it does not cancel them.
  • Keep Wallet Software and Devices Updated. Security fixes matter and are released frequently.
  • Treat the Wallet as Compromised the Moment a Key or Seed Is Exposed. Do not "wait and see."

What to Do If Your Private Key or Seed Phrase May Be Compromised

If there is reason to believe a private key or seed phrase has been seen by someone else — including the user themselves having typed it into a suspicious site — the wallet should be treated as compromised from that moment forward. The next steps depend on whether funds are still in place.

If Funds Have Not Been Moved Yet

In practical terms, the user is racing against an attacker who already has the credentials. Speed matters more than perfection.

  • Treat the Old Wallet as Compromised. Stop using it for inbound or outbound activity.
  • Stop Using the Suspect Software or Device. Do not "log out" inside the same compromised environment — open a clean one instead.
  • Create a New Wallet in a Trusted Environment. A freshly installed, verified wallet, on a device that the compromised seed never touched, with a brand-new seed phrase.
  • Move Remaining Assets Promptly. Transfer what can still be moved. If gas needs to be funded first, do that.
  • Audit and Revoke Token Approvals. If the compromised address has interacted with dApps, revoke any open approvals connected to it.

These steps are first aid, not a complete recovery plan. The right sequence depends on the type of compromise — a lost device, a leaked seed phrase, a malicious approval, and a hijacked extension each suggest slightly different priorities.

If Funds Have Already Left the Wallet

When funds have already moved without authorization, the priority shifts from prevention to preserving evidence:

  • Save the Affected Wallet Address. And any related addresses involved in the incident.
  • Save Every Transaction Hash. Along with amounts, networks, and timestamps.
  • Document the Incident Channel. Screenshots of the message, link, email, fake site, or extension that led to the loss.
  • Move on to a Post-Incident Workflow. A general framework is described in how to recover stolen cryptocurrency.
  • Hold Realistic Expectations. Even with fast reaction, recovery cannot be guaranteed.

The chance of any meaningful recovery depends heavily on where the funds went next — whether they touched a regulated exchange, a mixer, a privacy-focused chain, or a bridge with limited tracing tooling. There are well-documented situations when crypto recovery is not possible, and acknowledging that boundary early helps a user direct their effort to the actions that actually move a case forward.

Crypto Wallet Security Starts With Understanding Access

Most crypto-wallet incidents are not failures of the underlying technology. They are failures at the seam between the user and the credentials. A public address is meant to be visible — it is how funds reach the user in the first place. A private key controls everything about an account and was never meant to leave the wallet. A seed phrase sits one level above the private key, regenerating it (and any sibling accounts) on demand, which is exactly why it must be guarded just as strictly as the key itself.

If anyone — by phone, by chat, by support form, by browser pop-up, or by a friendly-looking direct message — asks for a seed phrase or a private key, the correct response is to end the interaction. No legitimate counterparty needs that data, and no platform can reverse the consequences once it has been handed over. If credentials have already been exposed, or if funds have already moved, the priority changes: stop using the affected wallet, preserve every piece of evidence, and move into a post-incident workflow rather than continuing to transact from the same environment.

In practical terms, the difference between most users who keep their funds and those who lose them is not technical expertise. It is whether they understood, before anything went wrong, which piece of data they could safely show the world and which ones they could not.

FAQ

What Is the Difference Between a Public Address and a Private Key?

A public address is used to receive cryptocurrency and can be shared when needed. A private key controls the ability to authorize transactions from a wallet account and must never be shared. The two are connected cryptographically, but only the private key gives spending power; the public address only gives a destination.

Can Someone Steal My Crypto If They Know My Wallet Address?

No, a wallet address alone does not give anyone control over the funds in that wallet. However, the address reveals the user's public transaction activity and on-chain balance, which can be used to design targeted phishing, fake-support outreach, or address-poisoning attempts.

Is a Public Key the Same as a Wallet Address?

No. A public key is part of the cryptographic system used to verify transactions, while a wallet address is the destination users normally share to receive funds. They are mathematically related but serve different purposes and should not be used interchangeably.

What Happens If Someone Gets My Private Key?

Anyone who obtains a private key can authorize transactions from the associated wallet account, just as the legitimate owner could. In a self-custodial wallet there is no support process that can cancel an exposed private key — the only protective action is to move remaining funds to a new wallet that the compromised key cannot reach.

What Is a Seed Phrase Used For?

A seed phrase, also called a recovery phrase or mnemonic phrase, is used to restore access to wallet accounts created from it. Because it can regenerate multiple related accounts, it must be protected at least as strictly as a private key.

Is a Seed Phrase the Same as a Password?

No. A password protects access to an app or account interface; a seed phrase reconstructs the wallet itself and the keys underneath it. A legitimate support agent will never ask a user to send their seed phrase.

Should I Store My Seed Phrase in Screenshots or Cloud Notes?

No. Screenshots, cloud-synced notes, email drafts, and messenger conversations can all be exposed if an account or device is compromised. A seed phrase should be stored offline, in a physically secure location, ideally on a durable medium such as paper or metal.

Can a Hardware Wallet Completely Prevent Crypto Theft?

No. A hardware wallet reduces some risks by isolating signing credentials in a separate device, but it cannot protect a user who shares a seed phrase, approves a malicious transaction, or interacts with a fraudulent website. It is a layer of defense, not a guarantee.

What Should I Do If I Revealed My Seed Phrase but My Funds Are Still There?

Treat the wallet as compromised immediately. Create a new secure wallet in a trusted environment, move remaining assets out of the exposed wallet, and review any token approvals or dApp connections that may still allow an attacker to interact with the old address.

What Should I Do If Crypto Has Already Been Transferred From My Wallet Without Permission?

Preserve evidence first: wallet addresses, transaction hashes, amounts, timestamps, and any messages or links connected to the incident. Then follow a structured post-incident response process, and understand that recovery depends heavily on where the funds moved next and cannot be guaranteed in advance.

Sign up for more like this.

Enter your email
Subscribe