★ The Trader's Security Playbook ★

PROTECT YOUR ASSETS

The moment you run a bot, connect a broker, or hold an API key, you are a target. Trading accounts are pure liquidity — attackers love them. This is the playbook that keeps your capital and your credentials out of the wrong hands.

The mindset: assume every key will eventually leak, every account will be probed, and every "support" message is a trap. Security is not paranoia — it is the difference between a bad day and a wiped account. Build the layers below so one mistake is not fatal.
1. API Keys & Secrets

Your API keys are your money and your compute. Treat a leaked key like a leaked debit card.

Never put a key in client-side code, a public repo, a screenshot, or a webpage. Anything the browser can see, an attacker can take. (This site's AI assistant proves the rule — the key lives only in a server-side Worker secret, never in the page.)
Do store keys in a server-side secret store or environment variable — never hard-coded. On disk, lock the file: chmod 600 creds.json.
Scope every key to least privilege. A bot that only trades should hold a trade-only key with withdrawals disabled. Never give a bot a key that can move money out.
Set spend limits on every key that bills you (AI APIs, data APIs) so a leak can't drain you.
Rotate keys on a schedule and immediately if a machine is lost, a contractor leaves, or anything feels off. One key per service — never reuse.
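
The loader below puts the first three rules into practice: it takes the key from an environment variable or from a file, refuses a file that is group- or world-readable (the `chmod 600 creds.json` rule), and only ever logs a redacted form. This is an added example written for this page, not code from the site or its AI assistant; the variable name `EXCHANGE_API_KEY`, the file name and the placeholder key values are assumptions.

```python
"""Least-leakable key loading for a trading bot (added example, not the page's own code)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class InsecureSecretError(RuntimeError):
    """Raised when a key is missing or stored in a way that could leak it."""


def redact(secret: str) -> str:
    """Log-safe form: first four characters, the rest starred. Never log the key itself."""
    return secret[:4] + "*" * max(0, len(secret) - 4)


def load_api_key(env_var: str = "EXCHANGE_API_KEY",
                 key_file: Optional[Path] = None) -> str:
    """Return the key from the environment if set; otherwise read it from
    key_file, but only if the file is mode 0600 (no group/other bits).
    Both names are assumptions for this example."""
    value = os.environ.get(env_var)
    if value:
        return value.strip()
    if key_file is None:
        raise InsecureSecretError(f"{env_var} is not set and no key file was given")
    mode = stat.S_IMODE(key_file.stat().st_mode)
    if mode & 0o077:
        # Group- or world-readable: refuse to start rather than run on a leakable key.
        raise InsecureSecretError(
            f"{key_file} is mode {oct(mode)}; fix with: chmod 600 {key_file}")
    return key_file.read_text().strip()


def demo() -> dict:
    """Exercise the loader on a constructed key file (placeholder values, not real keys)."""
    env = "PLAYBOOK_DEMO_KEY"
    os.environ.pop(env, None)
    key_file = Path(tempfile.mkdtemp()) / "creds.json"
    key_file.write_text("sk_demo_0000\n")
    result = {}
    os.chmod(key_file, 0o644)                 # the common mistake: world-readable
    try:
        load_api_key(env, key_file)
        result["world_readable"] = "accepted"
    except InsecureSecretError:
        result["world_readable"] = "rejected"
    os.chmod(key_file, 0o600)                 # chmod 600 creds.json
    result["locked_file"] = load_api_key(env, key_file)
    os.environ[env] = "sk_env_1111"           # environment variable takes precedence
    result["env_wins"] = load_api_key(env, key_file)
    result["log_line"] = redact(result["env_wins"])
    return result


if __name__ == "__main__":
    print(demo())
```

Failing closed on a bad file mode is deliberate: a bot that starts anyway will happily trade on a key that every other user on the box can read. Pair this with a trade-only key so that even a successful theft cannot withdraw.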
2. Broker & Exchange Accounts

This is where the actual money sits. Layer it so a stolen password alone gets an attacker nothing.

2FA on everything — and use an authenticator app or a hardware key (YubiKey), never SMS. SIM-swap attacks defeat SMS codes.
Withdrawal address whitelist. Lock withdrawals to addresses/banks you pre-approved, and turn on the whitelist change delay if the exchange offers one, so adding a new destination takes time and sends you a notification instead of happening instantly. Even with full account access, an attacker then can't send funds anywhere new.
API keys: disable the withdraw permission. Trade + read only. If the exchange supports it, IP-whitelist the key to your bot's address.
Separate the trading account from your long-term holdings. Only the capital you're actively trading should be reachable by a bot or a key.
Don't keep more in a hot trading account than you'd accept losing on the worst possible day.
3. Crypto Wallets

Crypto is irreversible — there is no chargeback, no fraud department. The bar is higher.

Hardware wallet (cold storage) for anything you're holding. A hot/exchange wallet holds only active trading funds.
Verify the full withdrawal address every time, against your whitelist or character by character, not just the first and last few characters. Address poisoning works precisely by seeding your transaction history with look-alike addresses whose first and last characters match the real one, hoping you copy the wrong entry.
Never type your seed phrase into anything. No real wallet, exchange, or "support" will ever ask for it. A seed phrase request is always an attack.
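
What a whitelist check should look like in a bot, as an added example (not code from this page): a destination is only ever "exact" or it is blocked, and an address whose first and last characters match an approved one but whose middle differs is reported as the look-alike that address poisoning produces. The whitelist entry is the EIP-55 example address and the poisoned address is constructed here; neither is a real wallet.

```python
"""Whitelist check that names address-poisoning look-alikes (added example)."""

# Constructed whitelist: the only destinations this bot may ever send to.
WHITELIST = {
    "0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed": "cold storage",  # EIP-55 example address
}

# Constructed poisoned address: same first five and last five characters, junk in between.
POISONED = "0x5aA" + "0f" * 16 + "BeAed"


def classify_address(candidate: str, whitelist=WHITELIST, edge: int = 5) -> str:
    """exact: the whole string matches a whitelisted address.
    lookalike: first and last `edge` characters match a whitelisted address
    but the middle differs, which is the address-poisoning pattern.
    unknown: neither. Only exact may be allowed to send."""
    c = candidate.strip()
    for approved in whitelist:
        if c == approved:
            return "exact"
    for approved in whitelist:
        same_ends = (c[:edge].lower() == approved[:edge].lower()
                     and c[-edge:].lower() == approved[-edge:].lower())
        if same_ends:
            return "lookalike"
    return "unknown"


def first_difference(a: str, b: str) -> int:
    """Index of the first differing character, or -1 if identical; useful for
    showing a human exactly where a look-alike diverges from the real address."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def safe_to_send(candidate: str, whitelist=WHITELIST) -> bool:
    """The only verdict that should unlock a withdrawal."""
    return classify_address(candidate, whitelist) == "exact"


if __name__ == "__main__":
    real = next(iter(WHITELIST))
    print(classify_address(POISONED), "diverges at index", first_difference(real, POISONED))
    print("send allowed:", safe_to_send(POISONED))
```

The look-alike verdict exists so the bot can raise a loud alert rather than a quiet "unknown": a poisoned address appearing in your flow means someone has already targeted your history.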
4. Your Bot & Its Machine

The bot's host is an attack surface. A compromised machine means compromised keys.

Least privilege everywhere — the bot account can do only what the strategy needs, nothing more.
Never expose a control endpoint to the public internet. If the bot has an API or dashboard, gate it, authenticate it, and prefer localhost-only.
Keep the OS and dependencies patched. Most break-ins use known, already-fixed holes.
Monitor. Alert on every trade, every login, every withdrawal attempt — so you see an intrusion in minutes, not at month-end.
Don't run trading and random browsing on the same machine/user. A dedicated, boring environment for trading is worth the friction.
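
The monitoring rule above, made concrete as an added example (not code from this page): a small rule set run over an audit log that alerts on any withdrawal attempt, a login from an IP you do not recognise, a freshly minted API key, and a trade outside the strategy's symbol list or size cap. The JSON line format, the field names, the TEST-NET IP addresses and the thresholds are all assumptions for this example; the log lines are constructed, not from any exchange.

```python
"""Rule-based alerting over a constructed bot/exchange audit log (added example)."""
import json
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Policy:
    known_ips: FrozenSet[str]        # where the bot and you log in from
    allowed_symbols: FrozenSet[str]  # what the strategy is allowed to trade
    max_notional: float              # largest single order, in quote currency


POLICY = Policy(
    known_ips=frozenset({"203.0.113.10"}),             # assumed bot host (TEST-NET address)
    allowed_symbols=frozenset({"BTC-USD", "ETH-USD"}),
    max_notional=5_000.0,
)


def check_event(ev: dict, policy: Policy) -> Optional[str]:
    """Return an alert message for a suspicious event, or None if it is expected."""
    kind = ev.get("event")
    if kind == "withdrawal_request":
        # A trade-only bot never withdraws, so any attempt is an intrusion signal.
        return f"WITHDRAWAL attempt: {ev.get('amount')} {ev.get('asset')} to {ev.get('address')}"
    if kind == "login" and ev.get("ip") not in policy.known_ips:
        return f"LOGIN from unknown IP {ev.get('ip')}"
    if kind == "api_key_created":
        # Attackers who get in often mint their own key to keep access after you change the password.
        return f"NEW API KEY created with permissions {ev.get('permissions')}"
    if kind == "trade":
        if ev.get("symbol") not in policy.allowed_symbols:
            return f"TRADE on unexpected symbol {ev.get('symbol')}"
        notional = float(ev.get("qty", 0)) * float(ev.get("price", 0))
        if notional > policy.max_notional:
            return f"TRADE notional {notional:.2f} exceeds cap {policy.max_notional:.2f}"
    return None


def scan_log(lines: Iterable[str], policy: Policy = POLICY) -> List[str]:
    """Run every line through the rules; unparseable lines are alerts too."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            alerts.append(f"UNPARSEABLE line: {line[:60]}")  # tampering or a broken logger; look at it
            continue
        msg = check_event(ev, policy)
        if msg:
            alerts.append(f"{ev.get('ts', '?')} {msg}")
    return alerts


# Constructed audit log: one JSON object per line, every value invented for this example.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "event": "login", "ip": "203.0.113.10"}
{"ts": "2024-05-01T09:01:00Z", "event": "trade", "symbol": "BTC-USD", "qty": "0.05", "price": "60000"}
{"ts": "2024-05-01T09:02:10Z", "event": "login", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:02:30Z", "event": "api_key_created", "permissions": ["trade", "withdraw"]}
{"ts": "2024-05-01T09:03:00Z", "event": "withdrawal_request", "asset": "BTC", "amount": "0.9", "address": "bc1q-constructed"}
{"ts": "2024-05-01T09:03:30Z", "event": "trade", "symbol": "DOGE-USD", "qty": "100000", "price": "0.1"}
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Send the alerts somewhere the bot host cannot silence (a phone, a separate mailbox), because the same intruder who is making the withdrawal request can also stop a process running beside it.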
5. Phishing & Social Engineering

Most accounts aren't "hacked" — the owner is tricked into opening the door. You are the last line.

Type URLs yourself or use bookmarks. Phishing pages are pixel-perfect clones one typo away.
Real support never DMs you first, never asks for your password, key, seed, or 2FA code. Anyone who does is an attacker — every time.
Audit browser extensions — a malicious one can read every page, including your broker. Install few, from known publishers.
Use a password manager: unique, long passwords everywhere. It only offers autofill on the exact domain it saved the login for, so its silence on a look-alike domain is itself a phishing warning.
6. Audit Your Own Exposure

Don't guess, scan. The leak scanner on this page sweeps your code, files, git history and even a live website for exposed API keys, tokens and private keys. Run it on your machine, on your repo, and against your deployed site.

Run it three ways: on your project folder (catches hard-coded keys), with --url against your live site (catches client-side exposure, the worst kind), and again after every change. A key leaked in a webpage is found by attackers in hours.
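
To show what a scanner of this kind actually does, here is an added example written for this page; it is not the site's scanner and does not reproduce its rule set. It matches a few well-known key formats, catches generic `key=`/`secret=`/`token=` assignments, and uses a Shannon-entropy threshold to drop obvious placeholders. The sample page script is constructed; the only key-shaped value in it is the AWS documentation example key, and the rest are invented.

```python
"""Minimal secret scanner over text and directories (added example, not the page's tool)."""
import math
import re
from pathlib import Path
from typing import Dict, List

# Rule order matters: specific formats first so the generic rule does not re-report them.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic_secret_assignment",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})")),
]
MIN_ENTROPY = 3.0  # bits per character; assumed threshold, tune for your code base


def shannon_entropy(s: str) -> float:
    """Bits per character; 'aaaa' is 0.0, a random 30-char token is close to 5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_text(source: str, text: str) -> List[Dict]:
    """Return one finding per (line, value); the preview never contains the full secret."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_secret_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                    continue  # 'aaaa...' style placeholder, not a real credential
                if (lineno, value) in seen:
                    continue
                seen.add((lineno, value))
                findings.append({"source": source, "line": lineno, "rule": rule,
                                 "preview": value[:6] + "..."})
    return findings


def scan_path(root: str) -> List[Dict]:
    """Walk a project folder; skips the .git directory (history is handled separately)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                findings.extend(scan_text(str(p), p.read_text(errors="replace")))
            except OSError:
                continue
    return findings


# Constructed page script: the AWS key is the documentation example key, everything else is invented.
SAMPLE_JS = '''// constructed page script, not real credentials
const API_KEY = "AKIAIOSFODNN7EXAMPLE";
fetch("https://api.example.com/quote?key=" + API_KEY);
const EXCHANGE_SECRET = "q7Xp2mL9vR4kT8wZ1nB6yH3cJ5dF0aG";
const EXAMPLE_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa";
const DB_PASSWORD = "hunter2";
'''

if __name__ == "__main__":
    for f in scan_text("page.js", SAMPLE_JS):
        print(f)
```

For the "live site" mode, fetch the page and its scripts and hand each body to `scan_text`; for git history, pipe the output of `git log -p --all` into it, since a key deleted in the latest commit is still one `git log` away for anyone who clones the repo.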


Educational security guidance, not legal or financial advice. No guide makes you unhackable — these layers make a single mistake survivable instead of fatal.