- >News
- >Ask CV: What Happens if Private Keys Are Exposed? Spoiler: It’s Bad
Ask CV: What Happens if Private Keys Are Exposed? Spoiler: It’s Bad
If you’re new to the world of crypto, you’ve likely encountered two phrases that are sometimes used synonymously: private keys and recovery phrase. An experienced crypto user knows the importance of these two things, as they’re akin to your credit card details. However, new users, or those less versed in the world of blockchain and cryptocurrency, may not realize just how important these two components of their wallet are.
With this lack of understanding, these individuals become prime targets for scammers, especially if a new user posts some sort of question or problem they are experiencing to a forum or Discord channel. This leads us to the discussion of this guide, what would happen if you decided to post your private keys or recovery phrase online?
What Do Private Keys Do?
Very simply, private keys are like your signature or pin code. They are what is required for you to send any transaction from your crypto wallet. Without your private keys, you can’t send any of your crypto, interact with a decentralized application like a decentralized exchange or NFT marketplace, or interact with a smart contract.
Within blockchain, anyone can send funds to any public address and can see the balances of any address. That is the transparency of a digital, publicly accessible ledger. While anyone can see the balances of all public addresses, only the person who holds the private keys for that address can move the balance. Note that the publicly visible balance aspect doesn’t apply to privacy coins like Monero (XMR), where all balances are hidden from others.
The reality is, you’ll likely never see your private key, and it’s hard to find intentionally. Instead, you create a password for your wallet and then your wallet automatically uses the private key behind the scenes when you input your password to sign a transaction.
What About My Recovery Phrase?
Your recovery phrase is a set of 12 or 24 words that is given to you when you create a new crypto wallet. It is used to recover your wallet should you lose access, or to generate the same wallet within a new application. They must be known in the correct order to “recover” your wallet.
For example, if you create a Cardano wallet with Daedalus you’ll be given a recovery phrase. If you then decide you don’t like Daedalus, you can then restore the wallet in a different piece of software like the Eternl browser extension. When you enter the recovery phrase that was given to you through Daedalus into Eternl, the exact same wallet, including all your transactions and balances, will then be accessible through Eternl.
It’s worth noting that this isn’t creating a new wallet in Eternl or destroying the wallet in Daedalus. You are simply creating access to the same wallet through another channel. The only difference would be your password, though you could use the same one for both channels if you chose to set it up like that. It’s sort of like having a spare set of house keys with a different color. Both sets open the house, you just have to decide which set you want to use.
Why Would I (Or Someone Else) Post My Private Keys in the First Place?
The reality is you’re unlikely to just decide to post your private keys or recovery phrase on a forum. It’s actually quite difficult to even find your private keys (recovery phrases are much more accessible). In reality it is generally through a phishing scam or fake authority figure scam that it occurs. If a newcomer to crypto doesn’t know any better, they’re more likely to fall for either of those two main situations.
A phishing scam can occur in a couple manners, but one of the main ones is a mass email sent out to a wide demographic of people. It could be something like an email saying your MetaMask (or another self-custodial) wallet has to be verified. If you click the links within to begin verification, it will then ask you to provide something like your recovery phrase.
What new users don’t realize is that the email they received was sent to thousands of users, irrespective of whether they have a MetaMask account. The scammers are simply throwing out a fishing line and seeing who bites. No wallet team will ever need your recovery phrase, or need to verify your account, as that would defeat the purpose of it being a decentralized service.
Fake authority figure scams are more likely to occur on a forum or something like Discord. A user will pose a question, say something isn’t working, ask about a release date, etc. A scammer will then DM the person (assuming they allow DMs from non-friends, which is the default setting) posing as an authority figure. They will ask for private keys or a recovery phrase in order to “help” the user who posed the question. Alternatively, they may send a link to a fake site that looks like the real one and you enter your information that they can see as it’s not actually a secure page.
So What Happens if I Give Away My Recovery Phrase or Private Keys?
To keep things simple, you’d ostensibly lose all your assets. By posting your private keys or recovery phrase, or giving it to someone else, you’re handing them your wallet. They can then recover your wallet and send your funds or NFTs to themselves. There would be no way to reverse any of these transactions and you’d likely have no legal recourse available to you. You’re pretty much giving them your credit card, security code, billing address, and expiration, just in the form of cryptocurrency.
If you take away one thing from this guide it should be that you should never give anyone your private keys, or recovery phrase, or post it anywhere, for any reason. You’re giving away your money.
