The Crypto Security Checklist


🇬🇧 Updated MAY 2026

The UK Crypto Security Checklist

Tick off 25 steps across 7 key areas and find out exactly how secure your crypto really is. Most UK investors are missing at least five of these.

✅ 25 actionable steps 🛡️ 7 security areas 💷 UK-specific guidance ⚡ Takes about 5 minutes

Most people who get into crypto focus on buying the right coins at the right time. Security is usually an afterthought, right up until the moment something goes wrong. And unfortunately, things do go wrong. Phishing attacks, SIM swap scams, exchange hacks, seed phrase theft and HMRC penalties have cost UK investors hundreds of millions of pounds in recent years.

The good news is that protecting yourself properly is not complicated. It mostly comes down to a handful of habits and the right tools. This checklist covers everything a UK retail investor should have in place in 2026, from the basics right through to more advanced steps for people with larger holdings.

How to use this guide: Work through each section and tick the items you have already completed. Anything you have not ticked yet is an action point. The whole thing takes about five minutes.

⚠️ New for 2026: HMRC will see your exchange activity

From 1 January 2026, UK-registered exchanges must collect your identity details and full transaction history under the Cryptoasset Reporting Framework (CARF), and the first reports are due to HMRC by 31 May 2027. This covers every buy, sell and swap, and every transfer in or out, including the external wallet addresses you send to. The days of crypto operating under the radar are over. Section 6 of this checklist covers exactly what you need to do to stay on the right side of HMRC.

This checklist links to our full product guides. If you need to act on any recommendation, each section links to the relevant guide.


1. Cold Storage and Hardware Wallets

Keeping significant crypto on an exchange is the single biggest risk most retail investors carry. These steps cover moving to proper self-custody.

I own a hardware wallet for long-term storage
Any crypto you plan to hold for more than a few weeks should live in a hardware wallet, not on an exchange. Even entry-level options like the Tangem (~£43) or Blockstream Jade Plus (~£65) offer dramatically better security than leaving funds on a platform. Essential
I bought my hardware wallet directly from the official manufacturer
Second-hand hardware wallets from eBay or Amazon marketplace listings are a serious risk. A tampered device can ship with malicious firmware that silently sends your funds elsewhere, or with a "pre-printed" recovery phrase in the box that the seller already knows. A genuine device never arrives with a seed phrase filled in: you generate it yourself during setup. Buy only from the official store, and run the manufacturer's genuine-device check in the official app before funding it. Every brand in this guide sells direct. Essential
I have tested my recovery process from scratch
Setting up a wallet is not enough. You need to know your recovery actually works. The test: set up your wallet, record your recovery method, wipe the device completely, and restore from your backup. Only when you have confirmed a full recovery can you trust the backup is solid. Essential
My recovery phrase or backup is stored offline and physically secure
Your seed phrase (the 12 or 24 words given during setup) is the master key to your entire wallet. It should never be stored in a photo, a notes app, an email, or in cloud storage, and it should never be typed into a website, app or support chat: no legitimate wallet maker or exchange will ever ask for it. Write it on paper or stamp it into metal, and keep it somewhere physically secure. If you use a Tangem wallet, your backup is a physical card rather than a seed phrase, which removes the transcription risk, though losing every card still means losing access. Essential
For larger holdings, I use an air-gapped wallet
Air-gapped wallets never connect to a computer or phone via cable or Bluetooth. They exchange unsigned and signed transactions only through QR codes or a microSD card, which removes the USB and radio attack surface entirely. Data still crosses that gap, so it narrows the remote attack channel rather than eliminating it, but it makes the common malware and driver-level attacks impractical. Worth considering for any holding above £10,000. Important
💡 Not sure which hardware wallet to buy?

We have compared all nine major brands in detail, including prices, security ratings and who each wallet suits best. Read our full hardware wallet guide →


2. Choosing the Right Exchange

Where you buy and trade matters almost as much as what you buy. These checks help you make sure your exchange is legitimate, regulated, and set up correctly.

My main exchange is FCA-registered
FCA registration under the Money Laundering Regulations means the FCA has assessed the platform's anti-money-laundering controls and it may legally offer cryptoasset services to UK residents. It is not the same as full FCA authorisation: registration says nothing about how the firm safeguards customer assets, and crypto held there is not covered by the FSCS. You can verify any exchange on the FCA Financial Services Register. The fully FCA-registered options from our list include Coinbase, Kraken and Crypto.com. Essential
My exchange publishes Proof of Reserves
Proof of Reserves is a point-in-time audit in which the exchange publishes evidence of the assets it holds on-chain alongside a Merkle tree of customer balances, so that you can check your own balance is included in the total and that the total is covered. Without it, you are trusting the platform's word. It is a snapshot, not continuous monitoring, and it only proves what the exchange chooses to include, so treat it as a minimum standard rather than a guarantee of solvency. Kraken and OKX publish strong proof of reserves. Bybit and Binance also provide reserve reports. Important
I do not keep more than I can afford to lose on any exchange
Exchanges can freeze withdrawals, get hacked, or fail. None of the platforms in this guide offer FSCS protection on crypto. A sensible rule of thumb: keep only what you plan to trade actively on an exchange. Move everything else to your hardware wallet. This applies even to well-regarded platforms like Coinbase and Kraken. Essential
I use the Pro or Advanced interface rather than the standard buy/sell view
Standard instant-buy interfaces include hidden spreads that can cost 1% to 2.5% on top of trading fees. Switching to Coinbase Advanced, Kraken Pro or equivalent cuts your effective costs by 50% to 70% on most trades. It is the same platform and the same funds. There is no extra cost to switch. Saves Money
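The following is an added example, not code from the page or from any exchange, showing the customer-side check behind the Proof of Reserves item above: the exchange publishes a Merkle root over every customer's balance and gives each customer their own inclusion proof; the customer hashes their balance and walks the proof up to the published root. The hashing layout, account ids and balances are all constructed for illustration.

```python
# Added example (not from the page or any exchange): a minimal Merkle-tree
# proof-of-liabilities check of the kind a Proof of Reserves scheme publishes.
# All account ids and balances below are constructed.
import hashlib
from typing import List, Tuple


def leaf_hash(account_id: str, asset: str, balance: int) -> bytes:
    # 0x00 prefix domain-separates leaves from interior nodes
    data = f"{account_id}|{asset}|{balance}".encode()
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level, leaves first, root last. Odd levels duplicate the last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf to root; 'L'/'R' records which side the sibling is on."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], "L" if sibling < index else "R"))
        index //= 2
    return proof


def verify_inclusion(root: bytes, leaf: bytes, proof: List[Tuple[bytes, str]]) -> bool:
    h = leaf
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


# Constructed customer balances in satoshis. An exchange publishes only the root,
# the total, and each customer's own proof, never this list.
ACCOUNTS = [
    ("acct-001", "BTC", 150_000_000),
    ("acct-002", "BTC", 25_000_000),
    ("acct-003", "BTC", 4_000_000),
    ("acct-004", "BTC", 1_200_000),
    ("acct-005", "BTC", 90_000),
]
LEAVES = [leaf_hash(*a) for a in ACCOUNTS]
LEVELS = build_tree(LEAVES)
ROOT = LEVELS[-1][0]
TOTAL_LIABILITIES = sum(a[2] for a in ACCOUNTS)


def customer_check(account_id: str, asset: str, balance: int, proof, published_root: bytes) -> bool:
    """What a customer runs: does my own balance hash up to the root the exchange published?"""
    return verify_inclusion(published_root, leaf_hash(account_id, asset, balance), proof)


if __name__ == "__main__":
    proof = merkle_proof(LEVELS, 4)
    print("published root:", ROOT.hex())
    print("acct-005 included:", customer_check("acct-005", "BTC", 90_000, proof, ROOT))
    print("acct-005 with wrong balance:", customer_check("acct-005", "BTC", 90_001, proof, ROOT))
    print("on-chain assets must cover at least", TOTAL_LIABILITIES, "sats")
```

Passing this check tells you only that your balance is in the tree the exchange committed to. You still need the published root to match the one your proof was issued against, and the on-chain addresses the exchange attests to must hold at least the published total; an exchange that omits accounts from the tree understates its liabilities, which is why the auditor's role matters.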

Not sure which exchange to use? We have compared every major platform for UK users in detail, including FCA status, fees and GBP support.

Read the exchange guide →

3. Account Security and 2FA

Account takeovers are the most common way UK investors lose funds on exchanges. These steps make your accounts significantly harder to compromise.

I use an authenticator app for 2FA (not SMS)
SMS-based two-factor authentication is vulnerable to SIM-swap attacks, where a fraudster persuades your mobile provider to transfer your number to a SIM they control. This is more common than most people realise, and UK mobile providers have been targeted specifically for this. Switch to an authenticator app (Google Authenticator, Authy or similar) on every crypto account you hold. Two caveats: if the app syncs its secrets to a cloud account, that account now guards your exchange logins too, so lock it down with the same care; and where an exchange supports a hardware security key (Coinbase and Kraken both do), the key is stronger still, because unlike an app code it cannot be phished. Essential
Every crypto account uses a unique, strong password
Reusing passwords across accounts is one of the most common causes of crypto account takeovers. When a non-crypto website gets breached (which happens constantly), attackers test those credentials against every major exchange. Use a password manager like 1Password or Bitwarden to generate and store unique passwords. The annual cost is genuinely trivial compared to the risk. Essential
I have set up withdrawal address whitelisting on my exchanges
Most major exchanges, including Coinbase, Kraken, Bybit and Binance, allow you to whitelist specific withdrawal addresses. Once enabled, withdrawals to any address not on your list are blocked. Even if an attacker gains access to your account, they cannot move funds to an address you have not pre-approved. Most platforms also apply a waiting period of a day or more before a newly added address becomes usable; leave that delay switched on, because it is what stops an attacker simply adding their own address and withdrawing immediately. Important
My 2FA backup codes are stored securely offline
When you set up 2FA, most services provide backup codes in case you lose access to your authenticator app. These codes are just as powerful as your actual 2FA. Store them somewhere physically secure, not in a screenshot on your phone or in a cloud folder. Important
🚨 SIM swap scams are rising in the UK

Action Fraud reported a significant increase in SIM-swap related crypto theft in 2024 and 2025. Your mobile number is not a secure second factor for crypto accounts. If you have SMS 2FA enabled on any exchange account, changing it to an authenticator app is the single most impactful security improvement you can make today.


4. Phishing, Scams and Safe Browsing

The majority of crypto theft in the UK does not involve hacking. It involves tricking people into handing over access. These habits protect you from the most common attack vectors.

I always type exchange URLs directly rather than clicking links
Phishing sites that impersonate Coinbase, Kraken, Binance and other exchanges are sophisticated and convincing. The URL may differ by just one character. Always type the address directly: coinbase.com, kraken.com, crypto.com, binance.com, bybit.com. Better still, bookmark the legitimate URLs and use only those bookmarks. Essential
I verify DeFi platform URLs before connecting my wallet
Fake versions of Hyperliquid, Jupiter, GMX and Aster are frequently shared in Discord servers and social media posts. Connecting your wallet to a fake site can drain it completely in a single transaction. Only visit DEX platforms by typing the URL yourself or using a saved bookmark. Never click a link in Telegram, Discord, Twitter or email to access a DeFi platform. Essential
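Both of the URL items above come down to one rule: open only a small set of known domains, reached by a path you control. The following is an added example, not code from the page, of that rule as a check you could run on any link before opening it. The allowlist is the set of exchange domains the page names; the "registrable domain" rule is deliberately simplified to the last two labels (a real implementation would use the Public Suffix List), and it rejects anything that is not https, carries credentials before the host, or uses an internationalised (punycode) hostname, which is how look-alike characters are smuggled in.

```python
# Added example (not code from the page): an allowlist check for exchange URLs,
# the same thing a bookmark enforces, applied to a pasted or received link.
from typing import Tuple
from urllib.parse import urlsplit

# Domains the page lists; everything else is treated as untrusted.
ALLOWLIST = {"coinbase.com", "kraken.com", "crypto.com", "binance.com", "bybit.com"}


def registrable_domain(host: str) -> str:
    """Simplification: last two labels. 'coinbase.com.evil.co' -> 'evil.co'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only https URLs whose registrable domain is allowlisted pass."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "scheme is not https"
    if "@" in parts.netloc:
        # https://kraken.com@evil.example/ connects to evil.example, not kraken.com
        return False, "credentials before the host (real host is after the @)"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    try:
        ascii_host = host.encode("idna").decode("ascii")   # IDNA ToASCII
    except UnicodeError:
        return False, "hostname is not a valid internationalised name"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        # Cyrillic 'с' for Latin 'c' and similar look-alikes end up here
        return False, f"internationalised hostname {ascii_host} (possible look-alike)"
    domain = registrable_domain(ascii_host)
    if domain not in ALLOWLIST:
        return False, f"{domain} is not on the allowlist"
    return True, domain


if __name__ == "__main__":
    # Constructed sample links: the first two are the shape of a legitimate URL,
    # the rest are the common phishing patterns.
    for link in [
        "https://www.kraken.com/sign-in",
        "https://pro.coinbase.com/",
        "https://coinbase.com.account-verify.co/login",
        "https://kraken.com@login-evil.example/",
        "http://coinbase.com/",
        "https://coinbase.co/",
        "https://\u0441oinbase.com/",
    ]:
        ok, reason = check_url(link)
        print("ALLOW" if ok else "BLOCK", link, "->", reason)
```

The same allowlist idea extends to DeFi front-ends: keep the handful of DEX domains you actually use in the set and refuse everything else, including "official" links posted in Discord or Telegram.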
I regularly review and revoke token approvals on my DeFi wallet
When you interact with a DeFi protocol, you often grant it permission to spend tokens from your wallet, and many dapps ask for an unlimited allowance by default. These approvals persist indefinitely unless revoked, so a bug or compromise in a contract you approved months ago can still drain that token today. Where the dapp offers it, approve only the exact amount you are about to use. Tools like Revoke.cash (for EVM chains) or the approval manager in your Phantom wallet (for Solana) let you see and remove unused permissions; revoking is itself an on-chain transaction, so it costs a small amount of gas. Important
I use a hardware wallet as a signer for DeFi activity
Connecting a Ledger, Trezor or Keystone to MetaMask or Phantom means every transaction on Hyperliquid, Jupiter or GMX requires a physical button press on your hardware device. Even if your computer is compromised by malware, it cannot execute transactions without that physical confirmation. The protection only holds if you read what the device screen shows before confirming: a compromised computer can still present a malicious transaction for you to approve, so compare the recipient, amount and contract on the device against what you intended, and disable "blind signing" in the device settings unless a specific dapp genuinely needs it. Advanced
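The token-approval item above is easier to act on once you can see what an approval transaction actually contains. The following is an added example, not code from the page, from Revoke.cash or from any wallet: it decodes the ERC-20 approve(spender, amount) calldata a dapp asks you to sign, flags an unlimited allowance, and builds the zero-amount approve that revokes one. The 4-byte selector 0x095ea7b3 is the well-known first four bytes of keccak256("approve(address,uint256)"); the spender address and token balance are constructed.

```python
# Added example (not code from the page, Revoke.cash or any wallet): decode an
# ERC-20 approve() call, classify the allowance it grants, and build the revoke.
from typing import Optional, Tuple

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")   # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = 2 ** 256 - 1                      # the "unlimited" allowance most dapps request


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector, 32-byte left-padded address, uint256."""
    addr = bytes.fromhex(spender[2:])
    if len(addr) != 20 or not 0 <= amount <= MAX_UINT256:
        raise ValueError("bad spender or amount")
    return APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> Optional[Tuple[str, int]]:
    """Return (spender, amount) for an approve() call, or None if it is something else."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        return None
    if any(calldata[4:16]):          # an address is padded with 12 zero bytes
        return None
    spender = "0x" + calldata[16:36].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def classify_approval(calldata: bytes, my_balance: int) -> str:
    """What a wallet prompt should tell you before you press confirm."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-an-approve"
    _, amount = decoded
    if amount == 0:
        return "revoke"
    if amount == MAX_UINT256 or amount > my_balance:
        return "unlimited-or-exceeds-balance"   # worth refusing, or revoking afterwards
    return "bounded"


def revoke_calldata(spender: str) -> bytes:
    """Revoking an ERC-20 allowance is just approve(spender, 0)."""
    return encode_approve(spender, 0)


SPENDER = "0x1111111111111111111111111111111111111111"   # constructed spender contract
MY_BALANCE = 5 * 10 ** 18                                  # constructed: 5 tokens with 18 decimals

if __name__ == "__main__":
    for label, data in [
        ("dapp default", encode_approve(SPENDER, MAX_UINT256)),
        ("exact amount", encode_approve(SPENDER, 10 ** 18)),
        ("revoke", revoke_calldata(SPENDER)),
    ]:
        print(f"{label:13s} {classify_approval(data, MY_BALANCE):30s} {data.hex()[:18]}...")
```

Solana token accounts use a different delegate mechanism, so this decoder is EVM-only; the habit it encodes (read the allowance before signing, prefer a bounded one, revoke what you no longer use) is the same on both.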

Exploring DeFi? Our DEX guide covers Hyperliquid, Jupiter, GMX and Aster with honest security notes for each platform.

Read the DEX guide →

5. Diversification and Risk Management

Security is not just about protecting your crypto from theft. It is also about not concentrating risk in a way that a single failure can wipe you out.

My crypto holdings are spread across at least two exchanges
Even the most reputable exchanges can freeze withdrawals or go offline. Using more than one platform means a problem with one does not lock you out of everything. A sensible combination for UK users is one FCA-registered platform (Coinbase or Kraken) for primary use, and a second for broader altcoin access (KuCoin or OKX). Important
The majority of my long-term holdings are in self-custody
The rule of thumb used by experienced crypto holders: exchanges are for trading, wallets are for storing. The proportion that should be in self-custody rises with the size of your portfolio. If you hold more than £5,000 in crypto and most of it is on exchanges, this is the most important item on this entire list to address. Essential
I do not use leverage unless I fully understand liquidation risk
Perpetuals trading on platforms like Hyperliquid, Aster and GMX can liquidate your entire position in minutes if the market moves against you. Leverage amplifies losses just as much as gains. If you use leveraged products, position sizing and stop-losses are not optional. Important

6. HMRC Compliance and Tax Records

From 1 January 2026, UK-registered exchanges collect your full transaction history for HMRC under CARF, with the first reports due by 31 May 2027. These steps make sure you are prepared and not facing unexpected penalties.


CARF is now live for UK exchanges

The Cryptoasset Reporting Framework (CARF) came into force in the UK on 1 January 2026. Every UK-registered exchange, including Coinbase, Kraken and Crypto.com, must now collect your identity details (including your tax identification number), your transaction history and your transfers, and report them to HMRC, with the first reports due by 31 May 2027 and an annual cycle after that. If you have unreported gains from previous years, the HMRC Cryptoasset Disclosure Service allows voluntary disclosure, which typically results in lower penalties than being investigated.

I keep records of every crypto transaction with the GBP value at the time
HMRC requires you to report the GBP value of each transaction at the time it occurred. Swapping one cryptocurrency for another is a taxable disposal. Spending crypto on goods or services is a disposal. Moving between your own wallets is not. Without good records, calculating your actual gains (and losses) becomes extremely difficult and time-consuming. Essential
I use a crypto tax tool to generate my HMRC Self Assessment report
Tools like Koinly and Recap connect directly to your exchange accounts and on-chain wallet addresses, pull your full transaction history automatically, apply HMRC's Section 104 pooling rules, and generate a completed Capital Gains Summary ready to enter into your Self Assessment return. The annual subscription cost is far less than an accountant, and far less than an HMRC penalty. Essential
I understand which activities are taxable in the UK
Taxable events under UK law include: selling crypto for GBP, swapping one crypto for another, spending crypto on goods or services, and receiving crypto as income (staking rewards, airdrops, mining, yield from GMX or similar). Non-taxable events include: buying crypto with GBP, moving between your own wallets, and receiving crypto as a gift (though the gift giver may have a CGT liability). Important
I have used my annual CGT allowance efficiently
The Capital Gains Tax annual exempt amount for 2025/26 is £3,000. Gains up to this threshold are tax-free. If your gains are likely to exceed this, taking partial profits in a tax year where you have unused allowance, or offsetting against losses, are legitimate planning strategies. A qualified crypto-specialist accountant can help with this if your situation is complex. Tax Saving
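The "Section 104 pooling" the tax-tool item refers to is a small algorithm, and seeing it run shows why a swap counts as a disposal and why records need the GBP value at the time. The following is an added example, not code from the page, Koinly or Recap. It implements only the Section 104 pool itself: HMRC's same-day and 30-day (bed-and-breakfast) matching rules apply before units fall into the pool and are deliberately omitted, every figure is constructed, and the £3,000 exempt amount is the 2025/26 figure the page states. It illustrates the mechanics and is not tax advice.

```python
# Added example (not code from the page, Koinly or Recap): the Section 104 pool
# with average-cost disposals, a crypto-to-crypto swap treated as disposal plus
# acquisition, and the annual exempt amount applied to the net gain.
# Simplified: same-day and 30-day matching rules are omitted. All figures constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass
class Pool:
    units: Decimal = Decimal(0)
    cost: Decimal = Decimal(0)      # total allowable cost of the pooled units, in GBP


class Section104Ledger:
    def __init__(self) -> None:
        self.pools: Dict[str, Pool] = {}
        self.gains: List[Decimal] = []

    def pool(self, asset: str) -> Pool:
        return self.pools.setdefault(asset, Pool())

    def acquire(self, asset: str, units: Decimal, gbp_cost: Decimal,
                fee_gbp: Decimal = Decimal(0)) -> None:
        p = self.pool(asset)
        p.units += units
        p.cost += gbp_cost + fee_gbp            # transaction fees form part of allowable cost

    def dispose(self, asset: str, units: Decimal, gbp_proceeds: Decimal,
                fee_gbp: Decimal = Decimal(0)) -> Decimal:
        p = self.pool(asset)
        if units > p.units:
            raise ValueError(f"disposing {units} {asset} but pool holds {p.units}")
        allowable = p.cost * units / p.units    # pooled average cost of the units sold
        p.units -= units
        p.cost -= allowable
        gain = gbp_proceeds - fee_gbp - allowable   # negative means an allowable loss
        self.gains.append(gain)
        return gain

    def swap(self, sold: str, sold_units: Decimal, bought: str, bought_units: Decimal,
             gbp_value: Decimal, fee_gbp: Decimal = Decimal(0)) -> Decimal:
        """A crypto-to-crypto swap is a disposal of one asset at its GBP value at
        the time and an acquisition of the other at that same value."""
        gain = self.dispose(sold, sold_units, gbp_value, fee_gbp)
        self.acquire(bought, bought_units, gbp_value)
        return gain

    def taxable_gain(self, exempt_amount: Decimal = Decimal("3000")) -> Decimal:
        net = sum(self.gains, Decimal(0))       # losses in the year offset gains
        return max(Decimal(0), net - exempt_amount)


def worked_example() -> Tuple[Decimal, Decimal, Decimal, Section104Ledger]:
    """Constructed year: two BTC buys, a BTC->ETH swap, then a BTC sale."""
    ledger = Section104Ledger()
    ledger.acquire("BTC", Decimal("1"), Decimal("20000"), fee_gbp=Decimal("50"))
    ledger.acquire("BTC", Decimal("1"), Decimal("30000"))
    # pool: 2 BTC, cost 50,050 -> average 25,025 per BTC
    swap_gain = ledger.swap("BTC", Decimal("0.5"), "ETH", Decimal("8"), Decimal("20000"))
    sale_gain = ledger.dispose("BTC", Decimal("1"), Decimal("35000"), fee_gbp=Decimal("35"))
    return swap_gain, sale_gain, ledger.taxable_gain(), ledger


if __name__ == "__main__":
    g1, g2, taxable, ledger = worked_example()
    print("gain on BTC->ETH swap:", g1)      # 7487.5
    print("gain on BTC sale:     ", g2)      # 9940
    print("taxable after £3,000 exempt amount:", taxable)   # 14427.5
    for asset, p in ledger.pools.items():
        print(f"{asset} pool left: {p.units} units, cost £{p.cost}")
```

The swap shows the record-keeping point: the ETH received has a cost basis of £20,000 only because the GBP value at the moment of the swap was recorded, and that is exactly the figure you cannot reconstruct later if the record is missing.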

7. DeFi and DEX Safety

If you use or are thinking about using decentralised exchanges, these additional steps apply. DeFi introduces a different set of risks from centralised platforms.

I only use DEX platforms that have been independently audited
Smart contract bugs can drain liquidity pools instantly. Every platform in our DEX guide has been independently audited: Hyperliquid, Jupiter, GMX and Aster have all had multiple third-party security reviews. An audit is a point-in-time review of the code that existed then, not a guarantee, so it rules out unaudited protocols rather than ruling audited ones safe. Avoid using unaudited protocols regardless of how high the advertised yields are. Essential
I use a separate hot wallet for DeFi activity
Keep a dedicated wallet (sometimes called a "burner wallet") for interacting with new or unfamiliar DeFi protocols. Fund it with only what you need for that specific activity. Your main wallet, where the bulk of your holdings live, should never be connected to anything you are not completely certain about. Important
I record all DeFi activity for tax purposes
On-chain activity is just as visible to HMRC as centralised exchange activity. CARF reports from a regulated exchange include your withdrawals to external addresses, which hands HMRC the starting point for following what those addresses do on-chain. Swaps on Jupiter, trading profits on Hyperliquid, and yield from GMX liquidity pools are all potentially taxable. Connect your wallet addresses to your crypto tax tool to capture these automatically. Important
💡 Want a full breakdown of the DEX platforms?

Our DEX guide covers Hyperliquid, Jupiter, GMX and Aster in detail, including how they work, who they suit and the specific risks to know about. Read the full DEX guide →


What to do next

If you have worked through the checklist and identified gaps, here is a practical order of priority for addressing them. Start with the items tagged "Essential" before moving on to "Important" and "Advanced" steps.

1. Get a hardware wallet if you don't already have one
This is the most impactful single step for most investors. The Tangem starts at £43 and takes five minutes to set up. The Trezor Safe 5 or Ledger Flex are the best all-round options for most people. See our full hardware wallet guide for a complete comparison.
2. Switch SMS 2FA to an authenticator app today
Takes about ten minutes per exchange account. Log into Coinbase, Kraken, Bybit and any other platforms you use, go to security settings, and replace SMS verification with an authenticator app.
3. Set up a crypto tax tool before your next Self Assessment
With CARF collection in force, HMRC will receive your exchange data, and you need your own records to match it. Connect Koinly or Recap to your exchange accounts and wallets now, well before the 31 January 2027 Self Assessment deadline for the 2025/26 tax year.
4. Make sure you're using the right exchange for your needs
If you have not reviewed your choice of exchange recently, it is worth doing. FCA registrations have changed, fees vary significantly, and newer platforms like Bybit have relaunched in the UK with competitive offerings. See our full exchange comparison guide.

Common questions

How do I know if my exchange is actually FCA-registered?

Check the FCA Financial Services Register at register.fca.org.uk. Search for the exchange name and look for either a cryptoasset registration or a full authorisation. Coinbase (CB Payments Ltd, FRN 900635), Kraken (Payward Ltd, FRN 928768) and Crypto.com (Foris DAX MT) are all listed. If a platform is not on the register, it is operating outside FCA rules for UK customers.

What happens if I have unreported crypto gains from previous years?

HMRC has an active nudge letter programme and, once the first CARF reports arrive, will use that data to identify gaps between exchange records and Self Assessment returns. The best course of action is to come forward voluntarily using the HMRC Cryptoasset Disclosure Service. Voluntary disclosure usually results in penalties of 15% to 30% of the tax owed. Waiting for HMRC to find you typically results in penalties of 30% to 100%, plus interest.

Is moving crypto between my own wallets a taxable event?

No. Moving cryptocurrency between wallets you own (for example, from your Coinbase account to your Ledger hardware wallet) is not a disposal and does not trigger Capital Gains Tax. You do need to keep a record of the transfer so you can prove the coins stayed in your ownership. The gas fee paid for the transfer can be added to your cost basis, which reduces any future gain.

Can HMRC see my DeFi activity on Hyperliquid or Jupiter?

All blockchain transactions are publicly visible by design. HMRC uses blockchain analytics tools and receives data from the centralised on-ramps you use to fund DeFi activity, including the addresses you withdraw to. While what you then do on a DEX is not itself reported under CARF, HMRC has made clear that DeFi income and gains are taxable and that it expects accurate reporting. The practical recommendation is to treat all DeFi activity as visible and record it accordingly.

I've just bought my first hardware wallet. What should I do first?

Follow this exact sequence: (1) Set up the device using only the official app from the manufacturer's website. (2) Record your recovery phrase on paper or stamp it into metal. Do not photograph it or type it anywhere. (3) Do a full recovery test: wipe the device and restore from your backup. Confirm it works. (4) Only then transfer any significant amount of crypto to it.

Not sure which wallet to get? Our hardware wallet guide covers every major brand with honest pros and cons.

Ready to sort your storage? Compare every major hardware wallet brand in our full UK guide, including prices, security ratings and who each wallet suits best.

See the hardware wallet guide →
Affiliate Disclosure and General Disclaimer: This article contains affiliate links. If you purchase a product or open an account through our links, we may earn a commission at no additional cost to you. All information is provided for educational purposes only and does not constitute financial, tax or legal advice. Tax rules are subject to change. Always verify current HMRC guidance at gov.uk and consider taking advice from a qualified accountant or tax adviser for your specific situation. Cryptocurrency is a high-risk asset class. The value of crypto can fall as well as rise, and you could lose all capital invested. No products mentioned in this article are covered by the Financial Services Compensation Scheme (FSCS). Always do your own research before making any financial decision.