Network security for crypto holders

You have crypto. Your network is the weakest link. What to fix, in what order, and what it costs.

Network security for crypto holders

You have a hardware wallet. Your seed phrase is safely offline. You’ve thought about what happens to your crypto if something happens to you.

But your router is still the thing your provider sent you three years ago.

This is the most common gap in crypto holder security: a lot of attention on the vault, not much on the door. This article explains the real risks at the network level and what to do about them — by budget, in order of priority.

What are the real risks?

DNS manipulation You type coinbase.com into your browser. Your router asks a DNS server: “what’s the IP address of coinbase.com?” If that DNS server is compromised — or if your router itself is hacked — you can be redirected to a perfect copy of the real site. You log in. Your password is gone.

Router compromise Most home routers run outdated firmware with known vulnerabilities. Attackers actively scan for routers with default passwords or unpatched software. Once in, they can intercept all your traffic — including login attempts at exchanges and wallet interfaces.

Network interception Traffic from your computer to an exchange or wallet interface goes through your router. If that traffic isn’t encrypted, or if an attacker is sitting between you and the server (man-in-the-middle), it can be intercepted or manipulated.

Devices on the same network A compromised smart TV, IP camera or games console on your network can be used as a stepping stone. They’re on the same network as your laptop. Separation doesn’t exist without VLANs.

What you can do now — free

These steps cost nothing but immediately reduce risk.

1. Change your router’s admin password It’s probably on a sticker right now, or it’s “admin/admin”. This is the first door attackers try. Change it to a strong, unique password and store it in a password manager.

2. Update the router firmware Go to your router’s admin page (usually 192.168.1.1 or 192.168.0.1), find the firmware update section, and install the latest version. Many vulnerabilities are already patched — but only if you update.

3. Switch DNS to a trustworthy resolver By default your router uses your provider’s DNS. Switch to:

1.1.1.1 (Cloudflare, fastest option)
9.9.9.9 (Quad9, blocks known malware domains)

This doesn’t fully protect against DNS attacks, but it’s better than the default.

4. Disable UPnP UPnP lets devices on your network automatically open ports in your router — without your permission. Turn it off unless you have a specific reason to keep it on.

5. Check which devices are on your network Go to your router and look at the list of connected devices. Do you recognise everything? An unknown device can be a sign of a breach or a device you’ve forgotten about.

Level 1 — €80-110: GL.iNet router

If you buy one thing for network security as a crypto holder, it’s a GL.iNet router.

Why:

OpenWrt pre-installed — the most tested open-source router OS
VPN client built in — all your devices automatically route through VPN
DNS-over-TLS — DNS traffic encrypted, much harder to manipulate
AdGuard Home — blocks known phishing domains at network level
Actively maintained, regular security updates

Model	Price	Suitable for
GL.iNet Beryl AX (MT3000)	~€80	Home, Wi-Fi 6, fast enough for everything
GL.iNet Flint 2 (MT6000)	~€100	Home, more ports, higher throughput

What to set up after purchase:

Activate VPN client (Mullvad, ProtonVPN or your own WireGuard server)
Set DNS-over-TLS to Quad9 (blocks malware domains)
Enable AdGuard Home for DNS filtering at network level
Create guest network for IoT devices (smart TV, cameras, etc.)

With this setup, all your crypto-related traffic runs through an encrypted tunnel. DNS attacks are significantly harder. Phishing domains are blocked before your browser ever reaches them.

Level 2 — €150-200: Firewalla Gold

If you also want network monitoring and a VPN server — so you can connect securely from a hotel or office — the Firewalla Gold is the next step.

What it adds over GL.iNet:

Real-time alerts when a device behaves strangely
Overview of all network traffic per device
VPN server so you can connect home securely from outside
App-based management — no CLI knowledge needed

Downside: closed platform. You depend on Firewalla for updates. For most crypto holders this is acceptable — for high-risk situations it is not.

Level 3 — €180-400: Protectli + OPNsense

If you want full control — open-source all the way down, no dependency on a company, complete logs of all your network traffic — a mini-PC with OPNsense is the right choice.

Hardware:

Protectli FW4B (~€180) — 4 network ports, fanless, Intel J3160
Protectli FW6 (~€350) — 6 ports, more powerful processor

What OPNsense adds:

Intrusion Detection (Suricata) — detects known attack patterns
VLANs — crypto laptop completely separated from other devices
Full DNS logging — see exactly which domains are being queried
WireGuard VPN server built in

Difficulty: high. Expect a weekend to set everything up. But once you have this running, you have more insight into your network than most small businesses.

Level 4 — €600+: Deciso DEC series

For those managing crypto as part of a business, asset management, or working in a high-risk environment: Deciso makes official OPNsense hardware.

Dutch manufacturer, used by governments and financial institutions. Plug-and-play OPNsense, professional support, long lifecycle.

This is outside the scope of most home users — but it exists, and if your budget allows it and you take the risks seriously, it’s the honest recommendation.

The order that matters

If you don’t know where to start:

Today, free: change router password + update firmware + switch DNS to Quad9
This week, ~€80: GL.iNet Beryl AX — VPN on router, DNS filtering
Later, when needed: Firewalla or Protectli + OPNsense depending on your threat level

The hardware wallet protects your seed phrase. The router protects the connections you make every day. Both are necessary.

Connection to your other security layers

Network security is one layer. The others:

Hardware wallet — seed phrase offline, you sign transactions on the device itself, never through software. A compromised network can’t empty a hardware wallet — but it can send you to a fake website.
Device isolation — ideally use a separate device for crypto transactions. Not the laptop you also torrent on, install games on, or receive work email on.
Software wallet on GrapheneOS — if you manage crypto on mobile, GrapheneOS provides sandboxing and network isolation per app.

A strong network doesn’t protect you if the device itself is compromised. And a clean device doesn’t help if you’re connecting through a hacked router. The layers reinforce each other.

See also:

Which network setup fits your threat profile? — complete overview of all options
VPN: what it does and what it doesn’t — honest overview of what VPN does and doesn’t solve
Threat profile: small business owner — if you manage crypto as a business
Trezor Safe 3 review — hardware wallet
NerdMiner ESP32 review — solo Bitcoin mining

← Back to guides