The Vault Is Only as Strong as the Person Holding the Key.
Core Capital's platform security is institutional grade. But platform security has a boundary, and that boundary is your device, your credentials, and your behaviour.
The majority of digital asset losses are caused by individual security failures. Core Capital cannot protect you from decisions you make outside the platform. This guide exists so you make the right ones.
By the end of this guide, you will understand what each level requires and how to reach Fully Secured status.
01 - Credential Integrity
"In digital asset security, your credentials are not a login mechanism. They are the legal title deed to your capital. Treat them accordingly."
Your Master Password: The First Line
Length Is More Important Than Complexity
Every extra character multiplies the work an attacker must do, whereas symbol substitutions (P@ssw0rd!) add almost nothing because guessing tools try them first. Four or five randomly chosen words, 20 or more characters in total, beat a short string of symbols and are easier to remember. Core Capital requires 12 characters minimum; use 20 or more, and let your password manager generate them.
Your Password Must Be Unique
If you use it on any other platform, it is compromised by proxy: a breach there becomes a login here. One platform, one password. No exceptions.
Use a Password Manager
Bitwarden, 1Password, or Dashlane. Memorize the manager's master password and never store it digitally; it unlocks every other credential you hold.
Never Store in Plain Text
No notes app, email, or spreadsheet. If you must write it down, use paper and store it physically separate from your recovery phrase.
Change After Any Suspicion
If you suspect compromise, change it immediately from a trusted device. Change first, investigate second.
Two-Factor Authentication: The Non-Negotiable Second Layer
Use App-Based 2FA
Avoid SMS. SMS codes can be intercepted by SIM-swapping your phone number. Use Google Authenticator, Authy, or Microsoft Authenticator. App-based codes stop attackers who have your password but not your phone; they do not stop a phishing page that relays your code in real time, which is why the URL discipline in section 02 still matters.
Back Up Your Codes
Write down the 2FA backup seed key (the secret text shown beside the QR code when you enrolled) on paper. Anyone holding that seed can generate every future code, so treat it as a credential: store it securely offline, never in a photo or note. Without it, losing your device means losing account access.
Never Share Codes
Core Capital support will NEVER ask for your 2FA code. If anyone asks, you are under a social engineering attack.
Your Recovery Phrase: The Master Key
Write it down immediately. Use pen and paper. Number every word in order.
Store it offline. No photos. No cloud. No digital storage of any kind.
Store it physically secure. A fireproof safe is recommended. Locked drawers are the minimum.
Store separately from your password and device. Do not create a single point of failure.
Never type it into any website, app, or form. The only legitimate use is the official Core Capital recovery flow, reached by typing the URL yourself, never by following a link.
Consider a metal backup. Paper is vulnerable to fire and water. Engraved metal plates are the institutional standard.
Critical Warning
Core Capital support will never ask for your recovery phrase. If anyone asks for it, under any pretext, in any context, your assets are the target. Do not comply.
02 - Threat Vectors
"The most sophisticated blockchain cannot protect you from clicking the wrong link. Awareness is the layer math cannot provide."
Phishing Attacks
What it is
An attempt to deceive you into surrendering credentials by impersonating Core Capital via fake emails or websites.
How to protect
Type corecapital.io into your browser yourself, then bookmark it and use only that bookmark from then on. Never reach the platform through a link in an email, a message, or a search ad, however genuine it looks.
Red Flags
- Emails asking to 'verify account' via link
- URLs with hyphens, misspellings, or lookalike characters, or where the real domain name appears before an '@' or as part of some other domain
- Communications creating false urgency
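The red flags above can be turned into a mechanical check. The following is an added example written for this guide, not Core Capital code; it assumes that corecapital.io (the address the guide tells you to type) and its subdomains are the only official hosts, and every constructed lookalike in it is invented for illustration. It catches the tricks a quick glance misses: the official name placed before an '@', the official name used as a prefix of someone else's domain, a Cyrillic letter standing in for a Latin one, and one- or two-character misspellings.

```python
# Added example, not Core Capital code: classify a link before trusting it.
# Assumption: corecapital.io (the domain this guide tells you to type) and its
# subdomains are official; anything else returns the first red flag found.
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "corecapital.io"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'official' only for an https URL whose host is the official domain or a
    subdomain of it; otherwise return a short reason not to click."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() != "https":
        return "not https"
    if parts.username is not None:
        # https://corecapital.io@evil.example : the official name is userinfo, the browser goes to evil.example
        return "userinfo before host"
    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return "no host"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        # a Cyrillic letter in the name renders identically to the Latin one on screen
        return "non-ASCII or punycode host (possible homoglyph)"
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    squashed = host.replace("-", "").replace(".", "")
    if OFFICIAL_DOMAIN.replace(".", "") in squashed:
        # core-capital.io, corecapital.io.example.com, corecapital-io.net ...
        return "lookalike of official domain"
    if edit_distance(host, OFFICIAL_DOMAIN) <= 2:
        # corecapita1.io, corecaptial.io ...
        return "lookalike of official domain"
    return "not the official domain"


if __name__ == "__main__":
    # Constructed links for illustration only; the lookalikes are not real sites.
    for link in (
        "https://corecapital.io/login",
        "https://app.corecapital.io/",
        "http://corecapital.io/",
        "https://core-capital.io/verify",
        "https://corecapital.io.example.com/",
        "https://corecapital.io@evil.example/",
        "https://corecapita1.io/",
        "https://corecapit\u0430l.io/",  # Cyrillic а in place of Latin a
    ):
        print(f"{classify_link(link):48s} {link}")
```

The order of the checks matters: the userinfo test must run before the host is examined, because the host of `https://corecapital.io@evil.example/` is `evil.example`, and the suffix test must require a leading dot, because `corecapital.io.example.com` ends in `corecapital.io` only as text. Browsers already do the first of these correctly; the point of the script is that your eyes do not.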
Social Engineering
What it is
Manipulation into revealing information through false authority or manufactured trust, often via Telegram or Discord.
How to protect
Core Capital communicates through official channels only. We never use Telegram or DMs. Treat unsolicited contact with suspicion.
Red Flags
- 'Support agents' contacting you first
- Requests for passwords or 2FA codes
- Investment 'opportunities' via DMs
Clipboard Hijacking
What it is
Malware that replaces copied wallet addresses with an attacker-controlled address in your clipboard.
How to protect
Before confirming any transfer, compare the pasted address with the original source. Checking the first and last six characters catches a crude clipboard swap, but it is the minimum, not the standard: poisoning attacks (below) deliberately generate addresses that match those characters, so for any new or high-value destination compare the full address, and wherever possible send only to entries in the address book.
Red Flags
- Unknown software installed on device
- Pasted addresses that look 'different' but similar
Fake Applications
What it is
Fraudulent apps distributed through unofficial stores or ads that capture your credentials.
How to protect
Download exclusively from corecapital.io official links. Verify developer name and review count before installing.
Red Flags
- Apps with very few reviews
- Generic, unspecific review content
- Apps downloaded from social media links
Dusting & Poisoning
What it is
An attacker generates an address whose first and last characters match one you use, then sends tiny amounts (dust) or plants fake history entries from it, so that the next time you copy "your usual address" from history you copy the attacker's.
How to protect
Never copy addresses from transaction history. Use Core Capital's address book for all regular counterparties.
Red Flags
- Tiny, unexpected deposits from unknown sources
- History entries with addresses nearly identical to yours
| Threat | Primary Defence |
|---|---|
| Phishing | Type URL directly, verify every session |
| Social Engineering | Trust official channels only, suspect unsolicited contact |
| Clipboard Hijacking | Compare pasted address with the source in full; first & last 6 at minimum |
| Fake Applications | Official website downloads exclusively |
| Dusting & Poisoning | Use address book, never copy from history, ignore unknown small deposits |
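The clipboard-hijacking and poisoning defences above come down to one rule: an address is safe only when it matches an address-book entry exactly, and an address that matches only at the ends is evidence of an attack, not a near miss. This added example (written for this guide, not Core Capital code; the addresses and history entries are constructed and belong to nobody) implements that rule and runs it over a sample transaction history to flag poisoning attempts.

```python
# Added example, not Core Capital code: check a pasted address against a trusted
# address book, and show why the first/last-six check alone does not stop poisoning.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Verdict:
    status: str  # "trusted" | "lookalike" | "unknown"
    detail: str


def same_ends(a: str, b: str, n: int = 6) -> bool:
    """The manual check from this guide: do the first and last n characters match?"""
    return len(a) > 2 * n and a[:n] == b[:n] and a[-n:] == b[-n:]


def check_address(pasted: str, address_book: Dict[str, str], n: int = 6) -> Verdict:
    """Only an exact match against the address book is safe to send to.
    A first/last-n match that is not exact is the signature of a poisoned address."""
    pasted = pasted.strip()
    for name, trusted in address_book.items():
        if pasted == trusted:
            return Verdict("trusted", name)
    for name, trusted in address_book.items():
        if same_ends(pasted, trusted, n):
            return Verdict("lookalike", f"first/last {n} match '{name}' but the middle differs: likely poisoning")
    return Verdict("unknown", "not in the address book; verify the full address with the counterparty out of band")


def flag_poisoning(history: List[Dict[str, str]], address_book: Dict[str, str], n: int = 6) -> List[Tuple[str, str, str]]:
    """Scan incoming history entries: a sender that mimics a known address is a poisoning attempt."""
    flagged = []
    for entry in history:
        verdict = check_address(entry["from"], address_book, n)
        if verdict.status == "lookalike":
            flagged.append((entry["from"], entry["amount"], verdict.detail))
    return flagged


# Constructed sample data: none of these is a real address.
ADDRESS_BOOK = {
    "exchange-deposit": "0x7f3a9c0011d2e4b6f8a1c3e5d7b9f0a2c4e6d8b0",
}
POISONED = "0x7f3a" + "f" * 30 + "e6d8b0"  # same first 6 and last 6 as exchange-deposit
HIJACKED = "0x" + "0" * 37 + "bad"          # what clipboard malware typically swaps in
SAMPLE_HISTORY = [
    {"from": POISONED, "amount": "0.000001"},            # dust from the lookalike
    {"from": "0x" + "1" * 40, "amount": "1.5"},          # ordinary unknown sender
    {"from": ADDRESS_BOOK["exchange-deposit"], "amount": "0.25"},
]


if __name__ == "__main__":
    for label, addr in (("genuine", ADDRESS_BOOK["exchange-deposit"]), ("poisoned", POISONED), ("hijacked", HIJACKED)):
        v = check_address(addr, ADDRESS_BOOK)
        ends = same_ends(addr, ADDRESS_BOOK["exchange-deposit"])
        print(f"{label:9s} first/last-6 match={str(ends):5s} -> {v.status}: {v.detail}")
    for sender, amount, why in flag_poisoning(SAMPLE_HISTORY, ADDRESS_BOOK):
        print(f"history: {amount} from {sender}: {why}")
```

The poisoned address passes the first/last-six check and fails the exact comparison, which is the whole lesson: the characters you eyeball are exactly the ones the attacker controlled for. The hijacked address fails both, so either check would catch a simple clipboard swap.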
03 & 04 - Infrastructure & Resilience
"Your wallet's security is only as strong as the device it runs on. And your recovery plan is the difference between an incident and a loss."
Securing the Device
Enable Full-Disk Encryption
Use FileVault (macOS), BitLocker (Windows), or system encryption on mobile to protect cached data.
Strict Auto-Lock
Set device to lock within 30 seconds of inactivity. An unlocked unattended device is an open wallet.
Keep Software Updated
Do not defer security patches. An unpatched OS is a running vulnerability. Enable auto-updates.
Never Jailbreak/Root
Bypassing OS security controls removes application sandboxing and permission safeguards.
Strong Device Passcode
A 12-character alphanumeric passcode is the institutional standard. 6 digits is the minimum.
Install Antimalware
Run reputable, updated protection on all desktop and Android devices used for access.
Network Hygiene
Never Use Public Wi-Fi
Treat any network you do not control as hostile: airports, cafes, and hotels have unknown security. Prefer your mobile data. If you must use a foreign network, a reputable VPN (Mullvad, ProtonVPN) hides your traffic from whoever runs it, but a VPN does nothing against phishing or malware on the device itself.
Secure Your Home Gateway
Change default router admin credentials. Use WPA3 or WPA2 encryption. Disable WPS. Regularly update router firmware.
Scenario Response Planning
Scenario 1
Lost or Stolen Device
Response Plan
From a new, trusted device, terminate all active sessions in Security Settings immediately. Change the master password. Restore 2FA from the backup seed key to regain access, then generate a new 2FA seed: the copy on the lost device keeps producing valid codes until you do.
Scenario 2
Forgotten Master Password
Response Plan
Use 'Forgot Password' to verify via email and 2FA. If 2FA is also lost, contact support for identity re-verification.
Scenario 3
Unauthorized Access Detected
Response Plan
Change password and terminate sessions within seconds. Contact security@corecapital.io immediately to freeze outbound transfers.
Scenario 4
Lost Recovery Phrase (Active Access)
Response Plan
Generate a new phrase immediately from Security Settings. The old phrase is invalidated. Store the new one offline immediately.
Scenario 5
Lost Recovery Phrase (No Access)
Response Plan
This is the terminal scenario. Contact support for identity re-verification. Recovery is not guaranteed; prevent this at all costs.
Security Readiness Checklist
Review this posture quarterly. Maintain it continuously.
Credential Security
- Master password is 20+ chars, unique, in manager
- 2FA enabled with app (not SMS)
- 2FA backup key stored offline
- Recovery phrase on paper, in fireproof safe
- Phrase stored separate from device/password
Threat Awareness
- Official URL bookmarked; the platform is reached only via that bookmark, never via links
- Phishing risks shared with family/team
- Antimalware active on all access devices
- Every destination address compared against the source before sending (full address for new counterparties; first/last 6 at minimum) as a habit
Infrastructure
- Auto-updates enabled on all devices
- Full-disk encryption active
- Auto-lock set to <30 seconds
- Public Wi-Fi never used for wallet
Resilience
- Emergency contact saved: security@corecapital.io
- Session termination procedure known
- Recovery plans understood & documented
SECURITY IS NOT A TASK.
IT IS A POSTURE.
The checklist above is a recurring standard, a posture that serious digital asset investors maintain continuously. Be the most disciplined version of yourself.
"The strongest security system ever built has one vulnerability: the person who holds the key."