Keeping Your Account Safe
Never give out the secret recovery phrase (what we used to call the seed phrase). The secret recovery phrase is the 12 English words given to you by Ronin when you create your wallet. If you are using a Keyless/MPC wallet, never give out the recovery password you set for the wallet.
Use the 3-2-1 backup method for storing your seed phrase; this can be as easy as writing your seed phrase 3 times on 3 pieces of paper. When you are on the page where your secret recovery phrase is shown for the first time, make sure you do not close this page until you have correctly made multiple secure backups of it. You can apply the method as follows:
- Write each copy directly from what you see on the screen, so that each piece of paper is independent of the others. Do not close this screen by any means until you have completed the process. If this happens, it is safer to start all over again by creating a new wallet.
- Check that your 3 written copies match each other. If so, save two of them in a place you consider safe from humidity, heat, etc. You can close the page now.
- Keep the third one with you, and then save it in another place that is not where the other 2 are stored. Keep in mind that whoever finds the seed phrase can operate your funds as if it was you, so place it in a very secret place. If you consider this to be a risk, you can skip this step.
Remember that whoever finds the seed phrase can operate your funds as if it was you, so never send it to anyone and never enter it on any website.
Ronin mobile wallet introduced a new feature starting from version v1.14.0, which enables the option to securely back up your seed phrase on the Cloud. This functionality allows for convenient storage of your seed phrase on a protected online platform. However, it is important to emphasize that ensuring secure access to both your Cloud account and mobile device remains crucial to maintaining the security of your seed phrase.
⚠ If someone asks you for your secret recovery phrase, they are a scammer. Sky Mavis and other project developers will never ask you for your secret recovery phrase OR your recovery password. The Support team or anyone from Sky Mavis will never need your secret recovery phrase or recovery password. We will also never direct you to a page that will require you to enter your secret recovery phrase.
If you want maximum security for your assets, you should consider acquiring a Trezor or Ledger hardware wallet.
A hardware wallet is the only way to have 2FA in your wallet transactions.
Your Account Password Does Not Prevent Access to Your Wallet
Access to your Ronin wallet is protected by keeping your secret recovery phrase (seed phrase), private key, and recovery password secure. An attacker only needs one of these to gift your NFTs/tokens or withdraw funds from your wallet. You must keep them safe, never give them to anyone and never enter them on any website.
Once a secret recovery phrase or private key is compromised, it is always compromised! Changing your account password will not secure the wallet. If your wallet is compromised, please make a new Ronin wallet and move your assets to it as soon as possible.
Common Scams
There are a number of very convincing scams. Never give your secret recovery phrase/recovery password to anyone and never enter it into any site.
Below is a list of common scams:
- Fake Ronin wallet: These websites let you generate a secret recovery phrase (seed phrase), but they also share it with the scammer. The scammer watches your wallet and then steals your assets.
  - To avoid this scam, only create your wallet from our Firefox, Edge, or Chrome extension.
- Fake Ronin wallet app: These fake apps are published on mobile stores.
  - To avoid this scam, only install the official Ronin wallet by Sky Mavis Pte. Ltd. on Google Play Store and Apple App Store. Our official wallet is the one available at: https://wallet.roninchain.com/
- Fake smart contracts: When making transactions directly using contracts, always make sure you are using the official smart contracts. Bad actors might deploy smart contracts that look like official contracts but are designed to steal your tokens/NFTs instead.
  - Always verify that you are using the correct smart contracts. You can do this by checking any documentation from the project or by checking your previous transactions where you interacted with that contract through the official interface. To better protect yourself, only use the project's official site/interface and avoid directly interacting with smart contracts unless necessary.
  - For any smart contract you no longer use, it would be best to revoke any wallet permissions for these contracts. You may use the Revoke tool on the AxieDAO site to review and revoke smart contract permissions: https://ronin.axiedao.org/revoke/
- Fake airdrop, giveaways, or award sites: These sites claim you have won a Mystic Axie, SLP, AXS, or other highly valued NFTs/tokens. When connecting your wallet, the scam site will ask you to approve transfers of funds. The scammers then send away your assets.
  - To avoid this scam, never visit any fake giveaway or award sites. Always check and verify giveaways on the project's official social media channels.
- Fake Twitch streams: These Twitch channels will replay an old stream or attempt to copy official streams from different projects. The scammers will have bots connect to make it seem like people are chatting. They then announce a giveaway, which leads to the scam in the bullet point above.
  - To avoid this scam, always confirm you are on the official Twitch/YouTube/streaming accounts for each project. You may verify through the project's official social media accounts or through their official websites.
- Fake accounts: Scammers will use fake accounts and make announcements that will direct you to a site that will try to steal your secret recovery phrase/recovery password. They may also direct you to mint fake NFTs that are designed to steal your tokens through mint fees. These accounts usually have typos in their usernames, such as @axieinfinityy instead of @axieinfinity.
  - Always verify that you are interacting with the official social media accounts of projects. You can usually check the official accounts of the project by visiting their website. If an account has a typo in its username, it's likely a scammer. Always verify before you trust.
- Fake Support Agents in Discord: Scammers will join the Discord and act as support agents. They will ask you to visit a site that requests your seed phrase/recovery password. The site will then send the information to the scammer.
  - To avoid this scam, never enter your secret recovery phrase into any website or share it with anyone. If someone sends you a message claiming to be the project's support team, it is a scam.
- Fake interviews/job offers: Scammers will pretend to be content creators, media personnel, or recruiters, and ask you for an interview through a link or to visit a site. Scammers may also hack a content creator/known personality and use their official account to scam people.
  - Avoid immediately trusting random messages from anyone. Always verify that you are talking to the actual account owner, and check for any news/messages on different platforms for any indication that the owner may have gotten hacked/compromised.
- Fake emails: Scammers may send emails asking you to "verify your wallet" by entering your secret recovery phrase/recovery password on a scam website, or direct you to a site to "claim" an airdrop/rewards that is intended to steal your assets instead.
  - These types of emails are usually sent from email addresses that have typos or use unofficial domains. Always verify the email address you received the email from, and make sure it actually came from the project's developers. Check the project's social accounts/Discord server as well to see if they announced anything stated in the emails. This type of scam usually adds a deadline to give you a sense of urgency; if you are feeling rushed to make a decision, take a step back and verify.
- Malware/viruses: Some malware/viruses are designed to steal/compromise blockchain wallets. These malware/viruses access your wallet through your device and then either send your secret recovery phrase to the scammers or initiate transactions on your device. Some malware also replaces any wallet address in your clipboard with a scammer's wallet address, essentially transferring assets to the scammer whenever you try to send assets to a wallet.
  - Avoid downloading files/apps from suspicious sources. Always download through official links, and only from developers you trust. If you need to download files on a device often, or if avoiding suspicious files/apps is not possible, it would be best to keep your wallet on a different, isolated device instead.
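
The username and sender-address checks described under "Fake accounts" and "Fake emails" above can be partly automated by comparing what you see against a short allowlist. The Python below is an added example, not Sky Mavis code; the allowlists are assumptions built from the handle and wallet URL that appear on this page, and the function names are hypothetical.

```python
# Added example, not Sky Mavis code. The allowlists are assumptions built from
# names on this page; maintain your own from each project's official website.
OFFICIAL_HANDLES = {"axieinfinity"}
OFFICIAL_DOMAINS = {"roninchain.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a social media handle."""
    name = handle.strip().lstrip("@").lower()
    if name in OFFICIAL_HANDLES:
        return "official"
    if any(edit_distance(name, o) <= max_distance for o in OFFICIAL_HANDLES):
        return "lookalike"
    return "unknown"


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Classify the domain of a displayed sender address."""
    # Only the visible address is checked. 'official' does not prove the
    # message is authentic, because sender addresses can be forged.
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for official in OFFICIAL_DOMAINS:
        if domain == official or domain.endswith("." + official):
            return "official"
    tail = ".".join(domain.split(".")[-2:])  # last two labels of the domain
    for official in OFFICIAL_DOMAINS:
        # Official name embedded in another domain, or a near-miss spelling.
        if official in domain or edit_distance(tail, official) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs.
    for s in ["@axieinfinity", "@axieinfinityy", "@some_streamer"]:
        print(s, "->", classify_handle(s))
```

A "lookalike" result is the case the page warns about; an "unknown" result only means the name is not on your allowlist and still needs to be verified through the project's official website.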