# Self-Custody 101: Staying Safe with Xaman

This guide gives you the rules that will keep you safe. Read it. Take it seriously. The basics here will defeat almost every scam currently aimed at self-custody users.

#### The one rule that matters above all others

Your **Secret Numbers** (also called Family Seed or Mnemonic) are the keys to your account. Anyone who has them can control your funds. Completely. Irreversibly.

> **Never share your Secret Numbers with anyone. Not Xaman. Not a website. Not an xApp. Not a developer, validator, exchange. Not anyone, anywhere, for any reason.**

If someone asks for them, they are trying to steal from you. That is the entire test. There is no exception, no special case, no real support process that ever needs them.

Xaman does not have a copy of yours and cannot recover them for you, because that is the whole point of self-custody.

This single rule blocks the majority of scams hitting self-custody users today.

#### What self-custody actually means

When you keep money in a bank, the bank holds it. When you keep crypto on an exchange like Coinbase or Binance, the exchange holds it. In both cases, someone else has custody of your funds, and they can freeze, block, or restrict your access whenever they decide to.

Xaman is different. Your private key (your Secret Numbers) is encrypted and stored only inside a separate secure, encrypted chip on your phone, inside a secure area we call the Vault. No bank, no government, no exchange, and not even XRPL Labs can touch it. We do not have a copy. We cannot reset it. We cannot recover it for you.

That is the freedom. The responsibility is that there is no one to call if something goes wrong. Once a transaction is signed and confirmed on the ledger, it is permanent. No one can reverse it. Not us, not Ripple, not the government.

This is not meant to alarm you. It is meant to set the right expectations, so you treat your Secret Numbers and your sign approvals with the seriousness they deserve.

#### How to spot the scams hitting self-custody users

You do not need to memorize every variant. They almost all follow the same shapes:

* **Fake support accounts.** Someone on X, Telegram, Instagram, Discord, or YouTube claims to be from Xaman. They DM you offering help. **We do not provide support on social media. Ever.** Anyone DMing you as "Xaman Support" is a scammer.
* **Fake airdrops and giveaways.** A post or DM says you have won, qualified, or been selected, and you just need to "verify your wallet". Real airdrops never ask for your Secret Numbers.
* **Fake websites.** A site that looks identical to a real one, sometimes with a single letter changed in the URL. Often promoted through paid ads. Bookmark the real ones. Do not search and click.
* **Impersonations of well-known people in crypto.** Fake founders, fake developers, fake team members. The real ones do not DM you first.
* **"Account compromised" panic messages.** A message claims your funds are at risk and demands you act immediately. Real account issues are never resolved by handing over your keys.
* **Spam transactions with malicious memos.** A small unsolicited transaction lands in your account with a link or instructions. The transaction itself is harmless. Following the instructions is not.

#### The rules that keep you safe

Six rules, applied consistently, will protect you from almost everything.

1. **If you did not start it, do not engage.** Unsolicited messages, transactions, offers, and "support" reaching out to you should all be treated as hostile by default.
2. **If it sounds too good to be true, it is.** Guaranteed yields, free money, exclusive allocations. Real opportunities exist. None of them arrive in your DMs from a stranger.
3. **Slow down.** Every scam manufactures urgency. The few seconds you take to think kill almost every attempt.
4. **Read every transaction before you sign it.** Xaman shows you exactly what a transaction will do. Look at the destination, the amount, the type. If anything is unclear, do not approve.
5. **Verify URLs character by character.** Our only official domain is **xaman.app** (and its subdomains, sometimes xumm.app). Our developer docs live at **docs.xaman.dev**.
6. **Protect your phone.** Keep it updated. Install apps only from the official App Store or Google Play. Avoid public WiFi for wallet activity. Set a strong device passcode. For larger balances, consider a Xaman (Tangem) card, where your key is generated inside the card chip and physically cannot be extracted or shared.
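
Rule 5 can also be checked mechanically. The sketch below is an added example, not Xaman's own code: it parses a link and accepts it only if the real host is one of the domains named above. The function name `checkOfficialUrl`, the HTTPS requirement, and accepting subdomains of xumm.app are assumptions of this example, and the sample links are constructed.

```javascript
// Added example: allowlist check for the official domains named in rule 5.
// Hosts where any subdomain is accepted. Treating xumm.app the same way as
// xaman.app is an assumption made for this example.
const WITH_SUBDOMAINS = ["xaman.app", "xumm.app"];
// Hosts accepted only as an exact match.
const EXACT_HOSTS = ["docs.xaman.dev"];

function checkOfficialUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser: lowercases the host, punycodes IDNs
  } catch {
    return { official: false, reason: "not a parseable absolute URL" };
  }
  // Requiring HTTPS is an assumption of this example, not a rule from the page.
  if (url.protocol !== "https:") {
    return { official: false, reason: "not an https link" };
  }
  // In "https://xaman.app@example.com/" the real host is example.com.
  if (url.username || url.password) {
    return { official: false, reason: "text before '@' is not the host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // A look-alike letter from another alphabet shows up as an xn-- label.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { official: false, reason: "host contains look-alike characters" };
  }
  const ok =
    EXACT_HOSTS.includes(host) ||
    WITH_SUBDOMAINS.some((d) => host === d || host.endsWith("." + d));
  return ok
    ? { official: true, reason: "host is " + host }
    : { official: false, reason: "host " + host + " is not an official domain" };
}

// Constructed sample links, including the "single letter changed" shape.
const SAMPLES = [
  "https://help.xaman.app/app/",      // official subdomain
  "https://xarnan.app/",              // "rn" standing in for "m"
  "https://xaman.app.example.com/",   // official name used as a prefix
  "https://xaman.app@example.com/",   // official name placed before '@'
];
for (const s of SAMPLES) {
  const r = checkOfficialUrl(s);
  console.log((r.official ? "OK     " : "REJECT ") + s + "  (" + r.reason + ")");
}
```
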

#### If you think you have been scammed

Move quickly. Calmly.

1. **Stop.** Close the site. Stop replying. Do not sign anything else.
2. **Move whatever funds remain to a new account.** If your Secret Numbers may have leaked, treat the old account as lost. Create a new account in Xaman and transfer your remaining assets there. (You can also re-key and disable the master key; both options are in our help center.)
3. **Report it to your local police.** Most countries now have cyber crime or financial crime units that handle blockchain cases. The ledger is public and traceable; law enforcement has tools we do not.
4. **Identify how it happened** before you continue using the same device. If you cannot, wipe your phone and reinstall apps fresh from official sources. Do not restore from backup.

We cannot reverse transactions. No one can. What we can do is help you secure what is left.

#### How to actually reach Xaman

This is the gap scammers exploit most:

* **The only official Xaman support is the Xaman Support xApp**, inside the Xaman app. Tap **xApps** at the bottom of the screen, then **Xaman Support**.
* We do not offer support on X, Telegram, Instagram, email, or phone.
* Our official X accounts (announcements only, not support) are **@XamanWallet**, **@XamanHelp**, and **@xrpllabs**.

If a "support agent" reaches out to you anywhere else, it is not us.

#### Final word

Self-custody is freedom. Bad actors are always lurking, and you are the target, but they are also predictable. Once you know the shapes, you can spot them in seconds.

Hold on to your freedom carefully.

Stay sharp. Protect each other.

— The Xaman team

