Bitcoin Forum
Author Topic: Paper wallet on Android phone  (Read 497 times)
Welsh
Staff
Legendary
March 07, 2023, 09:53:16 PM
 #21

But yes, I agree. Even if you decide you trust the Google apps which are bundled with Android (which is insane given their consistent history of invading your privacy and harvesting your data at every level), the amount of third party bloatware on most new phones is staggering. And as I said above, while the average user can uninstall some of it, much of it cannot be removed without root access.
It's one of the reasons I always suggest installing a custom ROM on it, which removes the bloatware, and Google applications if you wish. I personally have a phone that doesn't have Google installed on it. I use Aurora Store or F-Droid to get the applications I absolutely need, which quite honestly isn't many at all. Usually, Firefox, and a few open source applications from F-Droid.

At the very least, use adb to remove some of the bloatware if you don't want the instability which sometimes comes with custom ROMS.

That's quite an assumption! The thing is: you can never know for sure. And when creating cold storage, being wrong means losing your money.
It's also a rather dangerous assumption, knowing that manufacturers have installed bloatware in their modified Android operating system, which they almost always advertise as stock Android. Here's just a few examples:

https://www.wired.co.uk/article/android-phones-hiding-pre-installed-malware
https://www.cnet.com/tech/mobile/android-malware-that-comes-preinstalled-are-a-massive-threat/
https://www.independent.co.uk/tech/android-malware-phones-infected-samsung-galalaxy-s7-nexus-5x-models-before-sale-a7626726.html

Anyway, that's just a few examples that a quick search yielded.

Btw if I had to create a bitcoin wallet where I would hold a lot of bitcoin for a long time, I would use an old PC, with an old monitor, reinstall an old OS from old disks/flash cards and create an address from that computer.

A few questions;
- Can you be sure that those old devices haven't already been compromised?
- Can you be sure that the disks/flash cards are secure?
- Are you generating them offline, because I'd be more confident with an updated operating system if it was going online, however again probably better offline in the first place



o_e_l_e_o
In memoriam
Legendary
March 08, 2023, 12:04:50 PM
 #22

It's one of the reasons I always suggest installing a custom ROM on it, which removes the bloatware, and Google applications if you wish.
It's not always as simple as that, though, and installing a custom ROM can open you up to a variety of other risks instead: https://www.privacyguides.org/en/os/android-overview/

A far better option is simply not to use a phone for any serious amounts of money at all. It is very easy to download and flash Tails to a USB drive and use a live OS with your internet disconnected, which will be exponentially more secure than any hot wallet on any phone, stock or custom ROM.

- Are you generating them offline, because I'd be more confident with an updated operating system if it was going online, however again probably better offline in the first place
You should obviously keep your OS up to date, but if you are generating keys on an online computer then you should consider those keys as having as low a security as any hot wallet, regardless of your OS. I wouldn't use an old OS since there have been plenty of examples of ones with bugs or vulnerabilities in their random number generators. Better to use Tails (or some other reputable Linux distro) as above.
Welsh
Staff
Legendary
March 08, 2023, 07:30:30 PM
Merited by o_e_l_e_o (4)
 #23

It's not always as simple as that, though, and installing a custom ROM can open you up to a variety of other risks instead: https://www.privacyguides.org/en/os/android-overview/
Right, ideally you want to be using a custom ROM tailored for security, and privacy, that doesn't go against the security practices of Android. They tend to have some nice features about them, but ultimately you're trusting the developer, however usually you'd want to use one that has published their modifications to the AOSP. A lot of the newer custom ROMS support over the air updates also, which wasn't really a thing for a long time.

However, there are some additional risks with custom ROMS, and you'd be sacrificing the Google protection if you remove the Google applications, make of that what you will though. However, even some stock Android that comes with your phone could potentially be going against the security practices of Android, since they're typically modified by the manufacturer, and there's no guarantee that they implement everything correctly. Unless, they ship with 100% stock Android, which they typically don't.

A far better option is simply not to use a phone for any serious amounts of money at all. It is very easy to download and flash Tails to a USB drive and use a live OS with your internet disconnected, which will be exponentially more secure than any hot wallet on any phone, stock or custom ROM.
Yeah, I'd agree with that. I personally don't use a phone for accessing my Bitcoin, however if you must I'd consider all the above personally. Although, a lot of it can probably be safely ignored. However, the privacy concern is definitely worth highlighting.

then you should consider those keys as having as low a security as any hot wallet
Yeah, I'm not sure I'd ever be comfortable with generating a private key on an online computer, honestly. If I wanted a hot wallet, I'd use a hardware wallet. It just prevents a lot of the issues you can come across when accessing your Bitcoin on an online computer.
paid2
Hero Member
March 08, 2023, 09:55:54 PM
 #24

If you bought smartphone in store, if you have never visited malicious websites and have never downloaded malwares manually
That's quite an assumption! The thing is: you can never know for sure. And when creating cold storage, being wrong means losing your money.

I am 100 % agreeing with you.
Moreover, buying a phone in a store has absolutely no guarantee, whether it is an online store or a physical store. In the case of refurbished phones it seems to me particularly dubious as to the security of the funds if one uses it as a cold wallet. I will never believe such a device personally.

Personally if I were to use an Android smartphone to store my bitcoin, the first thing I would do is change the base OS, or at least install one in parallel if I were to keep Android features like calling/SMS.

I guess my choice would be a Debian-kit. This is clearly the safest option from my point of view. Once this is installed I imagine I will generate private keys offline from a safe device, and import them to an Electrum.

For those interested in Debian-kit, you can find more information here: https://f-droid.org/packages/org.dyndns.sven_ola.debian_kit/

I don't know if it would be possible to install Debian or Ubuntu with LTS encryption on a smartphone, but that would be an extremely efficient solution too.

Welsh
Staff
Legendary
March 09, 2023, 01:13:54 PM
Last edit: March 09, 2023, 01:29:02 PM by Welsh
Merited by ABCbits (2)
 #25

But how many custom ROM tailored for both security, and privacy? Usually they only offer some privacy (e.g. doesn't include google apps by default and few extra permission toggle).
I don't know how many, I tend to prefer the vanilla variants which don't add any additional customization or toggles as you say, and just remove the Google related stuff. These are much less common unfortunately, as every custom ROM has gone down the path of trying to add as much customization as possible.

Generally, if a custom ROM has a ton of customization features, there's more room for error, and they very likely implement a lot of the customization via hacky ways, which go against the core Android security principles. So, ideally you want a custom ROM which hasn't added too much to the code, but instead removed the Google services, and dependent applications. There's a security risk with this also, as obviously Google claims to protect your device with these services.

There's a list of a collection of various GSI's (Generic System Images). There's also others out there that aren't included on that list. There's also the potential that you do it privately for yourself also.

Although, custom ROMS are better for improving privacy, rather than security since there's likely a trade off of removing the Google applications in the first place, due to them being tied in intrinsically to the Android operating system.

One example, of a popular custom ROM that claims better privacy, and security features is GrapheneOS. However, to achieve that it's heavily modified, and you'll ideally review the code yourself to see how they've implemented those features. Plus, this only works on certain hardware, which is typically the most used phones, therefore that could be an additional risk too. Hence, why a lot of users that haven't got mainstream phones opt for GSI's.

For example, here they strongly recommend Google devices:
We strongly recommend only purchasing one of the following devices for GrapheneOS due to better security and a minimum 5 year guarantee from launch for full security updates and other improvements:

    Pixel 7 Pro
    Pixel 7
    Pixel 6a
    Pixel 6 Pro
    Pixel 6

Which, for me suggests they're ignoring the possibility that Google doesn't compromise your security or privacy via their hardware, which is a little bit hard to believe when they're so against the software of Google. So, there's a ton of different options out there, and ultimately everyone has to make their own decision, since as above one of the most popular custom ROMS suggest something that I don't entirely agree with. Although, we're getting to the tinfoil stage here (I think we've been there for a while to be honest, most users aren't worrying about this sort of stuff).



Synchronice
Hero Member
March 10, 2023, 01:17:58 PM
 #26

If you bought smartphone in store, if you have never visited malicious websites and have never downloaded malwares manually
That's quite an assumption! The thing is: you can never know for sure. And when creating cold storage, being wrong means losing your money.
How many accidents have ever been where the scenario was similar to what I described and users' wallets still got hacked?
I don't say that it's the safest option out there but it's not the dangerous one too.

Quote
I think that your friend will be fine by resetting it and creating a wallet.
I think so too. But I prefer to know for sure, which means not taking any risks.
What do you use to create bitcoin address? Computer or what?
Any chances that your hardwares aren't backdoored?

I see no reason to be less careful with 1 Bitcoin than with 100 Bitcoins.
While I agree with you that everything needs high security, regardless of what, I think that there is a difference between 1 Bitcoin and 100 Bitcoins. The bigger the treasure, the bigger the attack is. No cabin has security guards but mansions? They are on different level.

A few questions;
- Can you be sure that those old devices haven't already been compromised?
- Can you be sure that the disks/flash cards are secure?
- Are you generating them offline, because I'd be more confident with an updated operating system if it was going online, however again probably better offline in the first place
I think there is a high chance that modern hardwares are backdoored. It's personal choice but I trust old hardware and software more than modern ones in terms of safety and in this case I mean offline, yeah, offline. If you wish, we can discuss more why I talk about offline security.

Another reason why I would choose old device in offline mode is that even if they were compromised 15 years ago, who cares? I think no one is focused on old devices and probably the person who hacked your computer 15 years ago, isn't alive or doesn't use the same pathways he was using back then.

dkbit98
Legendary
March 10, 2023, 02:14:12 PM
 #27

I guess my choice would be a Debian-kit. This is clearly the safest option from my point of view. Once this is installed I imagine I will generate private keys offline from a safe device, and import them to an Electrum.
I would never do that when there is perfectly good open source alternative called GrapheneOS, only problem is that you can use that OS only on g00gle devices.
In ideal scenario smartphones should be like computers and you should be able to install any operating system you want, but doing that is much easier said than done.
Second best option is using something like LineageOS, DivestOS or CalyxOS that can be installed on different smartphone models, but they are inferior in many ways compared to GrapheneOS.
One more plus for GrapheneOS is that you can support development and updates with Bitcoin donations.

Welsh
Staff
Legendary
March 10, 2023, 10:47:08 PM
 #28

I think there is a high chance that modern hardwares are backdoored. It's personal choice but I trust old hardware and software more than modern ones in terms of safety and in this case I mean offline, yeah, offline. If you wish, we can discuss more why I talk about offline security.

Another reason why I would choose old device in offline mode is that even if they were compromised 15 years ago, who cares? I think no one is focused on old devices and probably the person who hacked your computer 15 years ago, isn't alive or doesn't use the same pathways he was using back then.
Technically, if your hardware is backdoored, they could potentially be using a way of communicating without being connected to the wifi etc. I'm thinking, potential hidden sim cards, however this would be easily verified by checking the hardware of your computer. Honestly, it should be a part of everyone's security practices to take a look at what's under the hood to make sure there's no unexplained parts or modified components, at least obviously modified. The chip itself is likely compromised, there's been several accusations in the past, but as far as I know there's been no real evidence showing backdoors.

Personally, I don't like recent developments in the CPU with the ME engine, and AMD equivalent. Opens up a ton of attack vectors, so a CPU that doesn't have that capability is definitely preferable. The issue is; often it's no longer supported, and therefore there's no way of updating the interfaces that interact with it.

In terms of phones; it's much less likely someone's checked their hardware on a phone, due to the nature of how they're manufactured. However, I'd probably trust the latest versions of Android more than the older ones, for one they have much better isolation implementations, which the older Android versions didn't even have any isolation if you go back a while.
LoyceV
Legendary
March 11, 2023, 08:51:49 AM
Last edit: March 11, 2023, 11:57:00 AM by LoyceV
Merited by o_e_l_e_o (4)
 #29

If you bought smartphone in store, if you have never visited malicious websites and have never downloaded malwares manually
That's quite an assumption! The thing is: you can never know for sure. And when creating cold storage, being wrong means losing your money.
How many accidents have ever been where the scenario was similar to what I described and users' wallets still got hacked?
That's an unfair question: you're asking about the scenario in which no malware has been downloaded, and my point is you can't ever be sure you haven't visited a malicious website.

Quote
I don't say that it's the safest option out there but it's not the dangerous one too.
It's probably safe. But I wouldn't call it cold storage so it's not ideal for long-term holding.

Quote
What do you use to create bitcoin address? Computer or what?
I have different systems and wallets for different purposes.

Quote
Any chances that your hardwares aren't backdoored?
When using cold storage, that still doesn't leak private keys.

While I agree with you that everything needs high security, regardless of what, I think that there is a difference between 1 Bitcoin and 100 Bitcoins. The bigger the treasure, the bigger the attack is. No cabin has security guards but mansions? They are on different level.
Mansions look different than cabins. Unless there's a targeted attack, an attacker can't know how many Bitcoins a system holds.

Quote
I think there is a high chance that modern hardwares are backdoored. It's personal choice but I trust old hardware and software more than modern ones in terms of safety and in this case I mean offline, yeah, offline.
It's not just backdoors, phones are basically designed around spyware nowadays.

Quote
Another reason why I would choose old device in offline mode is that even if they were compromised 15 years ago, who cares?
My 15 years old computer works fine (as long as I can find a 32 bit wallet), but my 15 year old phone can't handle any wallets.
TL;DR: my take: get a laptop. It may not be as easy in some countries, but here I just checked the local version of Craigslist and for €10 to €25 I can choose from a dozen laptops with 1 to 4 GB RAM. I must say I barely use my 1 or 2 GB RAM systems anymore, in my experience 8 GB is the minimum for smooth running from Live DVDs. But 4 GB can definitely work.

Technically, if your hardware is backdoored, they could potentially be using a way of communicating without being connected to the wifi etc. I'm thinking, potential hidden sim cards, however this would be easily verified by checking the hardware of your computer. Honestly, it should be a part of everyone's security practices to take a look at what's under the hood to make sure there's no unexplained parts or modified components, at least obviously modified. The chip itself is likely compromised, there's been several accusations in the past, but as far as I know there's been no real evidence showing backdoors.
My laptop indeed has a sim card slot. I never went full paranoid, but I've considered it: remove the network module, remove the Wifi module, remove the camera, remove the microphone, remove the microphone jack and glue everything else in place.
It could be a fun project on one of those €25 laptops.

o_e_l_e_o
In memoriam
Legendary
March 11, 2023, 11:41:58 AM
 #30

Mansions look different than cabins. Unless there's a targeted attack, an attacker can't know how many Bitcoins a system holds.
There is also the cost basis involved. It costs a lot of money to set up a high tech security system and pay armed security guards to protect your mansion 24/7. It costs nothing to download and use Tails with your internet connection disabled (although obviously better on a permanently airgapped device).

I never went full paranoid, but I've considered it: remove the network module, remove the Wifi module, remove the camera, remove the microphone, remove the microphone jack and glue everything else in place.
I have pretty much this exact set up for interacting with some of my cold wallets. One thing to remember though - unless you want to transcribe your transactions from the raw hex by hand, you need some way to transfer them electronically. So either leave the camera in but cover it with tape when not in use, or remember not to glue a SD card slot or USB port.
LoyceV
Legendary
March 11, 2023, 12:08:43 PM
 #31

unless you want to transcribe your transactions from the raw hex by hand
I haven't done this for transactions yet, but it shouldn't be so hard. The key is to use a large font to avoid reading mistakes. I know this from experience typing private keys: misreading some letters happens much more than hitting the wrong key. I use md5sum to ensure I made no mistakes, and if there is a mistake, I can use a hash on part of the text to pinpoint its location. I just tried: the most annoying part is that transactions don't use Base58, so there's an 0O problem. But even if it takes 10 minutes to copy a transaction, that's a small price to pay for something you don't do too often. And an extra reason to HODL :)

But how long you can stay on old hardware/software? You'll miss newer feature (e.g. Taproot feature) or unable to install more recent version of modern OS/Bitcoin wallet software.
You can of course have both: old hardware for your cold storage on legacy addresses, and modern hardware for your daily transactions.

o_e_l_e_o
In memoriam
Legendary
March 11, 2023, 12:19:54 PM
 #32

It's certainly doable, just not very convenient. Fine if your wallet really is long term cold storage though with very few (if any) outgoing transactions.

I just tried: the most annoying part is that transactions don't use Base58, so there's an 0O problem.
What format are you using? Raw transactions should be in hex, so 0-9 and A-F. There are no easily confused characters there.

But how long you can stay on old hardware/software? You'll miss newer feature (e.g. Taproot feature) or unable to install more recent version of modern OS/Bitcoin wallet software.
For my long term cold storage, I probably don't want many new features such as Taproot and Lightning. Keep everything as simple as possible to reduce any attack surface to an absolute minimum.
LoyceV
Legendary
March 11, 2023, 12:35:06 PM
 #33

I just tried: the most annoying part is that transactions don't use Base58, so there's an 0O problem.
What format are you using? Raw transactions should be in hex, so 0-9 and A-F. There are no easily confused characters there.
I did a quick test with Electrum. This is what an unsigned transaction looks like:
Typing a legacy transaction is a lot more work than Segwit.

o_e_l_e_o
In memoriam
Legendary
March 11, 2023, 01:07:39 PM
 #34

I did a quick test with Electrum. This is what an unsigned transaction looks like:
Ahh, right. You are talking about PSBTs, which are in Base64, rather than a raw transaction in hex. I don't think Electrum lets you export unsigned transactions in hex anymore. So yeah, if you want to use hex encoding rather than Base64, you'll need to use different software.

You'll also save yourself a lot of time. Your PSBT has 1,308 characters. A similar one-input one-output legacy-to-legacy transaction in raw hex has "only" 382 characters.
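
The transcription check discussed in the posts above (an MD5 over the whole text and over parts of it to pinpoint a typo, plus the hex versus Base64 versus Base58 character-set point), as an added example that is not part of any poster's message. The function names, the look-alike glyph groups, the chunk size and the sample string are assumptions of this example; the sample is constructed filler, not a real transaction.

```python
import hashlib
import string
from itertools import zip_longest

# Alphabets of the encodings mentioned in the thread.
HEX = "0123456789abcdef"
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BASE64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="

# Glyphs that are easily misread in many fonts (assumption of this example).
LOOKALIKES = ("0O", "1Il")


def confusable_groups(alphabet):
    """Look-alike groups that have two or more members in `alphabet`."""
    return [g for g in LOOKALIKES if sum(c in alphabet for c in g) >= 2]


def stray_positions(text, alphabet):
    """Indexes of characters that cannot occur in `alphabet` (e.g. 'O' in hex)."""
    return [i for i, c in enumerate(text) if c not in alphabet]


def short_md5(text, width=8):
    """First `width` hex digits of MD5(text); a typo detector, not a security control."""
    digest = hashlib.md5(text.encode("utf-8"), usedforsecurity=False)
    return digest.hexdigest()[:width]


def chunk_digests(text, size=16):
    """One short digest per `size`-character chunk, computed on the source machine."""
    return [short_md5(text[i:i + size]) for i in range(0, len(text), size)]


def mismatched_chunks(reference_digests, typed, size=16):
    """Chunk indexes where the typed copy disagrees with the reference digests.

    A substituted character flags a single chunk. A dropped or doubled
    character shifts everything after it, so every later chunk is flagged and
    the first index is where to start re-reading.
    """
    typed_digests = chunk_digests(typed, size)
    pairs = zip_longest(reference_digests, typed_digests)
    return [i for i, (ref, got) in enumerate(pairs) if ref != got]


# Constructed sample: 96 filler bytes as 192 hex characters.
SAMPLE_HEX = bytes(range(7, 103)).hex()

# Constructed typing mistakes.
TYPED_SWAP = SAMPLE_HEX[:70] + "7" + SAMPLE_HEX[71:]   # '2' misread as '7'
TYPED_O = "O" + SAMPLE_HEX[1:]                         # letter O typed for zero
TYPED_DROP = SAMPLE_HEX[:100] + SAMPLE_HEX[101:]       # one character skipped


if __name__ == "__main__":
    for name, alphabet in (("hex", HEX), ("Base58", BASE58), ("Base64", BASE64)):
        print(f"{name:7} look-alike groups: {confusable_groups(alphabet)}")

    reference = chunk_digests(SAMPLE_HEX)
    print("whole-text digest:", short_md5(SAMPLE_HEX, 32))
    for label, typed in (("swap", TYPED_SWAP), ("O for 0", TYPED_O), ("drop", TYPED_DROP)):
        ok = short_md5(typed, 32) == short_md5(SAMPLE_HEX, 32)
        print(f"{label:8} whole match={ok} "
              f"stray={stray_positions(typed, HEX)} "
              f"bad chunks={mismatched_chunks(reference, typed)}")
```

The per-chunk digests have to be produced from the original on the machine that created the transaction and carried over (read or printed) together with the text; the typed copy is then checked against them on the offline machine.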
Welsh
Staff
Legendary
March 13, 2023, 12:15:41 PM
 #35

I didn't know existence of GSI. But i have some doubt about it's stability and support towards specific feature (e.g. multiple camera, dual SIM). But i guess it's still good choice if you use unpopular brand or variant.
Some implement it correctly, some of them don't. It depends on the brand of the phone too, as some manufacturers do weird things that aren't conventional.

I've had issues with a SIM card a few times, but the current OS I'm using all features work, but it's pretty much a stock version, with Google services removed. Nothing special added.

But how long you can stay on old hardware/software? You'll miss newer feature (e.g. Taproot feature) or unable to install more recent version of modern OS/Bitcoin wallet software.
When running an offline wallet, I'd prefer not to connect that computer to the internet, and just download, and verify the Bitcoin wallet on another computer or within a different Qube if you're using Qubes OS, and then install it in an offline environment. Checking the signature of the file on the offline computer again, just to make sure that the first computer wasn't compromised, and was displaying a fake signature.

If someone is confident enough to generate their private key via a manual process, then that can avoid some of the issues with hardware being compromised, but at the end of the day when you come to importing it, you still need to trust that hardware, so it's a difficult one.
Synchronice
Hero Member
March 15, 2023, 10:59:50 AM
 #36

If you bought smartphone in store, if you have never visited malicious websites and have never downloaded malwares manually
That's quite an assumption! The thing is: you can never know for sure. And when creating cold storage, being wrong means losing your money.
How many accidents have ever been where the scenario was similar to what I described and users' wallets still got hacked?
That's an unfair question: you're asking about the scenario in which no malware has been downloaded, and my point is you can't ever be sure you haven't visited a malicious website.
Okay, I'm genuinely confident that if you visit only websites like Google, Youtube, Wikipedia, Instagram, Twitter, Facebook, Reddit, news websites like CNN, BBC, FoxNews, Deutsche Welle, Amazon, eBay, PayPal, Your bank's website, etc. I hope you got the point, if you visit those websites, I genuinely believe that your wallets won't be compromised.

Quote
I don't say that it's the safest option out there but it's not the dangerous one too.
It's probably safe. But I wouldn't call it cold storage so it's not ideal for long-term holding.
OP's friend is limited to options. He wants to hold long-term but his only option is android smartphone. I didn't receive answer on how long or how much bitcoin he wants to hold, also OP hasn't answered to any response, not only my posts but including others too. And since he talks that he can't buy a new smartphone and doesn't have computer, I made an assumption that he is not going to hold a lot of bitcoins.

I think we should end this here :) Unless we hear response from OP :D

LoyceV
Legendary
March 15, 2023, 11:12:31 AM
 #37

Okay, I'm genuinely confident that if you visit only websites like Google, Youtube, Wikipedia, Instagram, Twitter, Facebook, Reddit, news websites like CNN, BBC, FoxNews, Deutsche Welle, Amazon, eBay, PayPal, Your bank's website, etc. I hope you got the point, if you visit those websites, I genuinely believe that your wallets won't be compromised.
Allow me to destroy your feeling of security by showing you the first Google hit I get when I search "malware in ads":
Hackers abuse Google Ads to spread malware in legit software.
There are no safe websites.

o_e_l_e_o
In memoriam
Legendary
March 15, 2023, 11:19:02 AM
 #38

Okay, I'm genuinely confident that if you visit only websites like Google
Google!? As in, the same Google that are infamous for hosting scams and malware, for accepting money from scammers to boost their scam sites to the top of search results, for accepting money from scammers to place scam ads everywhere, for hosting malicious apps on their playstore, and for harvesting data from your microphone and keyboard and storing it on their servers? Even if you think using Google is safe, all it takes is one wrong click to end up on one of the scams that they are quite happy to promote in exchange for payment. I'm not trusting the security of my wallets to one wrong click.

And even if you don't browse any websites at all, your device still has an internet connection meaning it is still a viable target for attacks.

He wants to hold long-term but his only option is android smartphone.
Hence the instructions I gave in the first post on this thread. These instructions, while still not perfect, are the best that can realistically be achieved using only a single smartphone and are far better than keeping coins in a hot wallet and hoping that you don't get any malware.

Synchronice
March 15, 2023, 04:24:31 PM
 #39

Okay, I'm genuinely confident that if you visit only websites like Google, YouTube, Wikipedia, Instagram, Twitter, Facebook, Reddit, news websites like CNN, BBC, FoxNews, Deutsche Welle, Amazon, eBay, PayPal, your bank's website, etc. I hope you got the point: if you visit those websites, I genuinely believe that your wallets won't be compromised.
Allow me to destroy your feeling of security by showing you the first Google hit I get when I search "malware in ads":
Hackers abuse Google Ads to spread malware in legit software.
There are no safe websites.
That is not what I meant. If you google random things and don't look at the URL of the website, you'll definitely become a victim of malware, but by Google usage I meant simply searching for music on Google and visiting specifically YouTube or Spotify URLs, or searching for the biography of famous people and visiting specifically Wikipedia. Google just speeds up the process; you should have a list of specific URLs and websites that you are going to move to from Google or type manually. No one should visit websites other than specific ones.
If you, I and others get malware from these famous websites, then the whole world should be worried.


He wants to hold long-term but his only option is android smartphone.
Hence the instructions I gave in the first post on this thread. These instructions, while still not perfect, are the best that can realistically be achieved using only a single smartphone and are far better than keeping coins in a hot wallet and hoping that you don't get any malware.
I'm not saying that what you or LoyceV say is wrong. Definitely not! I'm just saying that you two are very cautious. While it's a good thing, it's not always that necessary. For instance, I created a bitcoin wallet in 2021, on a laptop that was connected to the internet. I have some $$$$ in it. Till today, nothing suspicious has happened and I am in total control of my funds, at least no one has stolen them from me.
I agree with you, everyone should be very cautious overall, but I always thought that it was very exaggerated, so I took the risk, and let's see how it will end up. 2 years have passed without problems, my behavior will stay the same on that laptop, I never visit a URL that I don't trust. I use that wallet as a hot wallet.

To sum up and make it clear again, I agree that your methods are way safer, I'm just saying that being so cautious is not that necessary unless you hold a significant amount of money.

LoyceV
March 15, 2023, 04:36:00 PM
 #40

I created a bitcoin wallet in 2021, on a laptop that was connected to the internet. I have some $$$$ in it. Till today, nothing suspicious has happened and I am in total control of my funds, at least no one has stolen them from me.
Of all the users who created a Bitcoin wallet in 2021, the ones who didn't take proper security precautions must have had more wallets hacked than the users who took proper precautions.
It's like saying you've been driving around without a seat belt for years, so you don't need it. The thing is: you don't know for sure until it's too late, that's why you take precautions.
