Can You Touch Your Crypto on Public WiFi? The Real Risks in an Airport Cafe

It is four in the morning at the airport, and your transfer flight is still six hours away. You sit at the cafe across from the gate, order an americano, and pull out your laptop to clear a small on-chain task — an airdrop deadline is closing in, and you also want to move some USDT off the exchange into your own address. The WiFi list shows an open hotspot called “Airport_Free_WiFi.” You click connect, a captive portal pops up, you type in an email, and you are in. Everything feels smooth.

The problem is that “everything feels smooth” is exactly the most dangerous sensation in crypto. You do not know who else is on this network, and you do not know whether the dApp you just opened is really the domain it claims to be. On your home connection, the attack surface mostly shrinks down to the wallet itself; the moment you join a public hotspot, several layers normally absorbed by your home ISP land squarely on you.

Surface one: man-in-the-middle

The classic threat on public WiFi is the man-in-the-middle (MitM) attack. The logic is simple: the attacker sits between you and the service you are trying to reach. You think you are talking to an exchange or an RPC node, but every byte first passes through their device.

People often respond: sites use HTTPS now, what could the middle see? It is worth being precise. HTTPS does make it very hard to directly read the contents of encrypted packets, but a middleman can do far more than peek:

• Downgrade attacks that push your HTTPS down to HTTP or coax you into accepting a forged certificate.
• Traffic analysis that infers which exchange you are talking to and what kind of action you are running from timing, target domains, and packet sizes — even when the body is opaque.
• Session hijacking when, at some step, you accept a fake certificate, letting the attacker steal a logged-in cookie and skip your password entirely.

For crypto users, this means even without leaking your seed phrase, the attacker may quietly hold your exchange session, modify a withdrawal address, or place orders on your behalf.

Surface two: rogue hotspots

A more aggressive move is when the attacker runs the WiFi themselves. At an airport, a cafe, or a hotel lobby, they only need to name the hotspot something like “Starbucks_Free” or “Airport_Guest,” and tired travelers connect on their own. The instant you join their hotspot, the man-in-the-middle position is theirs by default, because they are the network.

A sneakier variant is the Evil Twin: they mimic the real hotspot’s name and signal strength, and your laptop, thinking it is the same network, auto-reconnects. You will not even notice that the exit point changed. When two hotspots share a name in a public place, suspicion should beat convenience as a default response.

Surface three: DNS hijacking

DNS is the phonebook that turns “binance.com” into an IP address. On public networks, DNS resolution is often unencrypted, and the attacker can interfere here — you type the real exchange domain and DNS resolves it to a pixel-perfect copy of the site. Visually nothing looks off; even the green HTTPS lock in the address bar may show up, because the lookalike site happily provisioned its own certificate.

What makes DNS hijacking nasty is that it does not break any cryptographic protocol; it sends you through the wrong door from the start. Whatever password you type, QR code you scan, or approval you sign goes straight into the attacker’s pocket.

Surface four: HTTPS is not safety

Many guides repeat “see the lock, you are safe.” On public WiFi that sentence requires a long list of caveats. HTTPS guarantees the channel between you and the server you are actually reaching is encrypted, but it does not guarantee:

• That the server is the one you think it is (see DNS hijack above).
• That your browser carries no malicious root certificate (some corporate or attacker-installed roots let the browser silently trust forged sites).
• That you did not click “ignore certificate warning” along the way (captive portals at airports routinely train users to accept exceptions).

In short, HTTPS is necessary, not sufficient. When the network around you is untrusted, the lock alone cannot carry the safety budget.

Surface five: extension wallets add their own exposure

The last layer is often forgotten. Browser extension wallets live inside the browser process, which means they share the same network environment as every page you open. On public WiFi:

• A phishing site can exploit DNS hijacking to route you to a lookalike dApp where you believe you are interacting with a real protocol.
• The default RPC node an extension auto-connects to may be replaced by the attacker’s node along the way, returning forged balances or forged contract call results.
• The instant you “casually” sign once on a public network, that on-chain moment is irreversible.

If you are still picking between extension and mobile wallets, start with mobile vs browser wallet tradeoffs; for the broader hygiene picture, see basic security habits.

This table helps you sort actions by risk level on public WiFi:

Three habits to take on the road

You do not need to memorize every term above, but please turn these three into reflexes:

• Prefer 4G/5G over public WiFi: a phone hotspot is far more trustworthy than the open cafe network; a few megabytes of cellular data is not worth a drained wallet.
• No “money-touching” actions on public networks: reading is fine, but pushing withdrawals, changing settings, or signing approvals waits until you are back on a trusted line.
• Big wallets stay home, not in your bag: long-term holdings sit on an address that never interacts online; the laptop you travel with carries only the bare minimum. See common cold wallet safety myths for the reasoning.

This article is educational and does not constitute investment or security advice. On-chain actions are irreversible, and every signature on a public network costs more than you think.