◆ What To Actually Do

Self-Custody

"Not your keys, not your coins" is not a slogan — it's an operational instruction. This page tells you what to actually do, sized to the amount of Bitcoin you hold. Tier 1 if you have less than $10k. Tier 2 if you have meaningful savings. Tier 3 if you have generational wealth on the line. Including the mistakes that have cost real people real coins.

Contents

Why self-custody at all
The risk-tier framework
Tier 1: Exchange custody (≤ $10k)
Tier 2: Single-sig hardware wallet ($10k–$100k)
Tier 3: 2-of-3 multisig ($100k–$1M)
Tier 4: Multi-sig + geo-distributed + lawyered (> $1M)
Hardware wallet comparison
Seed phrase practices
Inheritance planning
The mistakes that have lost coins

1. Why self-custody at all

Bitcoin's central design feature is bearer ownership — whoever controls the private key controls the coins, full stop. There is no central registry of who-owns-what. There is no entity you can sue to recover stolen coins. There is no mechanism by which a third party can prove they own coins they don't have the keys for.

Self-custody means you hold the keys. Exchange custody means you hold a database entry — an IOU from the exchange — that you can redeem for coins as long as the exchange exists and is willing. The history of crypto is littered with exchanges that suddenly weren't: Mt. Gox, QuadrigaCX, Cryptopia, FTX, Celsius, BlockFi. Each one had customers who thought their coins were safe. None of them were.

The core argument for self-custody is not "I don't trust [specific exchange]" — it's "the entire category of trusting third parties with bearer assets is structurally fragile." Self-custody isn't paranoia. It's matching the technology to its design.

2. The risk-tier framework

Self-custody at every level has a real cost: complexity, time, error risk. The right setup matches the value at stake. Below your operational comfort zone, you'll fat-finger something. Above it, you're spending time and money on protection you don't need.

Use this as a starting heuristic — the dollar thresholds are loose, not absolute. Adjust based on your jurisdiction, your technical comfort, and how much volatility you can absorb on the way to a rebalance.

3. Tier 1 — Exchange custody (up to ~$10k)

Low complexity · 30 minutes setup

When this is fine

If you hold less than ~$10k of Bitcoin, the operational complexity of self-custody often exceeds the marginal protection. Use a regulated exchange in your jurisdiction — Coinbase, Kraken, Gemini, Strike, or Cash App in the US; Bitstamp, Kraken EU, or Relai in Europe. They're insured up to certain limits, KYC'd, and have formal compliance regimes that real exchange failures almost always violated.

The non-negotiables

Authenticator-app 2FA (Authy, 1Password, Google Authenticator, Yubikey) — never SMS. SIM-swap attacks are how high-net-worth crypto holders lose accounts.
Unique strong password generated by a password manager — not anything reused from another site.
Withdrawal allowlist if the exchange supports it — restrict outbound transfers to addresses you've pre-approved.
Email + phone hardened — these are the recovery vectors. Treat them like the keys.

The exit path

Tier 1 is a stepping stone, not a destination. When your holdings cross ~$10k, move them to Tier 2. Don't wait for "the right moment" — moments don't repeat. The exchange has their own incentives that don't always align with yours.

4. Tier 2 — Single-sig hardware wallet ($10k–$100k)

Medium complexity · 1-2 hours setup · ~$80-200 device

The mental model

A hardware wallet is a small, dedicated device that holds your private key in a secure element and never lets it leave the chip. All transaction signing happens inside the device — you confirm what you're signing on the device's own screen. The host computer sees only the signed transaction, never the key. This protects you from malware, phishing, and most software-side attacks.

The setup procedure

Setting up a hardware wallet has a specific sequence that matters. Don't skip steps:

Buy direct from the manufacturer. Never from Amazon, eBay, or third-party resellers. Supply-chain attacks have shipped pre-compromised devices that look factory-fresh.
Verify packaging integrity. Tamper-evident seals, checksum-verified firmware. If anything looks off, send it back and buy a new one.
Generate the seed entirely on the device. 12 or 24 words, generated by the hardware's RNG, displayed only on the device's own screen. The seed should never appear on a computer or phone screen.
Write the seed by hand on paper (or directly to a metal backup — see section 8). Verify each word against the BIP39 wordlist. Never photograph, type, or paste the seed.
Set a strong device PIN. 6-8 digits. Independent of the seed.
Send a small test transaction from your exchange to the new wallet. Verify the receiving address on the hardware screen — never trust the computer alone.
Wipe the device and recover from your written seed. Confirm the same address regenerates. This proves the backup actually works before you trust real money to it.
Move the rest of your holdings in tranches, verifying each receive address on the hardware screen.

Operational hygiene from here on

Keep the hardware wallet physically separate from the seed backup. If a thief gets one, they need the other to steal funds.
Use a fresh receive address for each incoming payment (your wallet software handles this). Don't reuse addresses.
Verify outgoing addresses on the hardware screen before signing — clipboard-replacement malware is real.

5. Tier 3 — 2-of-3 multisig ($100k–$1M)

Higher complexity · half-day setup · ~$300-600 in hardware

What multisig actually does

Multisignature is exactly what it sounds like: spending requires multiple signatures from separate keys. A 2-of-3 setup means you create three keys and any two of them can authorize a transaction. One key can be lost, stolen, or compromised — funds remain safe.

For Tier-3 holdings, single-sig is a single point of failure. A house fire, a misplaced backup, or a sophisticated targeted attack against one device can wipe you out. Multisig eliminates the single point of failure at the cost of higher setup complexity.

The standard layout

Three hardware wallets, ideally from different vendors (so a hypothetical Ledger zero-day or Trezor zero-day doesn't compromise your whole setup). Common combination: Coldcard + Trezor + BitBox02, or Coldcard + Ledger + Foundation Passport.

The keys live in three physically separate locations:

Key 1: home safe — bolted-down fireproof safe
Key 2: bank safe deposit box or a trusted family member's safe
Key 3: lawyer's office or another geographically distant location

Day-to-day spending uses Key 1 + Key 2 (two of three). Key 3 is the disaster-recovery key, only used if Key 1 or 2 is lost.

Coordinator software

Multisig requires coordinator software to combine the keys and construct transactions. Options:

Sparrow Wallet — open-source, Bitcoin-only, best in class for self-managed multisig. Free.
Specter Desktop — open-source, Bitcoin-only, well-maintained. Free.
Casa — collaborative custody service. They hold one key in escrow, walk you through setup, and provide inheritance support. Annual fee.
Unchained Capital — similar collaborative custody. Loans against BTC available.
Nunchuk — open-source, friendly UX, mobile-first.

Self-managed (Sparrow / Specter) gives you full sovereignty but requires technical comfort with PSBT files and address derivation. Collaborative custody (Casa / Unchained / Nunchuk) trades some sovereignty for hand-holding and inheritance services.

6. Tier 4 — Generational wealth (> $1M)

High complexity · multi-day setup · involves attorney

Beyond multisig basics

At this tier the considerations expand beyond technical setup into legal, tax, and inheritance structure. Get an attorney experienced in digital-asset estate planning. The technical setup typically escalates to:

3-of-5 multisig — additional resilience against partial losses; allows for a designated trustee or family member to participate.
Geographic distribution across countries — keys held in multiple jurisdictions to avoid single-state seizure risk.
Time-locked spending paths using Bitcoin's `OP_CHECKLOCKTIMEVERIFY` for inheritance — coins automatically become spendable by an heir's key after a defined period of inactivity.
Formal trust structures that hold the BTC, with clear succession and dispute-resolution rules.
Onchain decoy keys for plausible deniability under physical coercion (the "$5 wrench attack" concern).

This is the level where Casa's Premium tier, Unchained's Trust services, or a relationship with a digital-asset-specialty law firm becomes genuinely valuable. The cost is high; so is the consequence of getting it wrong.

7. Hardware wallet comparison

No "best" hardware wallet — best one is the one you actually use correctly. Trade-offs along three axes: open-source-ness (transparency vs. closed secure element), Bitcoin-only vs. multi-coin (focus vs. flexibility), and UX (ease of use vs. air-gapped paranoia).

Wallet	Bitcoin-only?	Source	Connection	Price	Notes
Coldcard Mk4	Yes	Open	Air-gap (microSD/QR)	~$160	Most paranoid option. Bitcoin-only by design. Air-gapped via PSBT files on microSD or QR. Steeper learning curve. The choice for serious holders.
BitBox02 BTC-only	Yes	Open firmware	USB-C	~$150	Swiss-made, open firmware, microSD backup, simple touch UX. Great Tier-2 default for new self-custodians.
Foundation Passport	Yes	Open	Air-gap (QR)	~$300	Premium air-gapped, beautiful hardware, QR-only. Excellent for multisig. Higher price reflects build quality.
Trezor Safe 5	No (multi-coin)	Open	USB-C	~$170	Open-source firmware, secure element added in Safe series. Touchscreen. Long history, well audited.
Ledger Nano S+ / X	No (multi-coin)	Closed SE	USB / BLE	~$80-150	Most popular by far. Secure element source code closed; the 2024 Recover feature was controversial. Excellent UX, broad coin support — but trades transparency for polish.
Blockstream Jade	Yes	Open	USB or QR	~$70	Affordable, open-source, supports multisig and Liquid sidechain. Good budget Bitcoin-only choice.

8. Seed phrase practices

The seed phrase is your real wallet. The hardware device is just a temporary holder; if it's lost, stolen, or destroyed, the seed is what restores access. Lose the seed and you lose the coins — permanently.

The non-negotiables

Never digital. No photos, no cloud backup, no password manager, no email-to-self, no copy-paste. The seed never touches an internet-connected device.
Metal beats paper. Steel and titanium plates (Cryptosteel Capsule, Blockplate, Stamp Seed, Tinhead Bitkey) survive fire, flood, and time. Paper does not. Cost: $50-100, one time. Worth it.
Geographic distribution. A single backup at home is one fire away from total loss. Multisig makes this easier because you can split actual keys across locations rather than splitting a single seed (which is fragile).
BIP39 passphrase ("25th word") — only if you really need it. An additional passphrase appended to the seed creates a separate wallet. Useful for plausible deniability, but also a single point of failure: forget the passphrase and the wallet is permanently inaccessible. Most users should not use passphrases.

Splitting a single seed (and why to be careful)

Some people split a seed into halves stored in different places — this is generally a bad idea. Each half is still enough information for an attacker to brute-force the rest. Use Shamir's Secret Sharing (SLIP-39, supported by Trezor) for cryptographically sound splitting, or just use multisig — which naturally distributes risk across keys.

9. Inheritance planning

The single most ignored aspect of self-custody. Most Bitcoin holders have no plan for what happens to their coins when they die. The default is permanent loss — heirs find a hardware wallet they can't unlock, with a seed phrase they don't know exists, and no idea of how to recover. Thousands of BTC are estimated to be in this state already.

The minimum viable plan

A letter of instructions (printed, with your important documents) that does not contain the seed but explains: that Bitcoin exists, the type of wallet, where to find the seed backup, what software to use, who to contact for help.
A trusted person who knows the letter exists and where to find it — typically a spouse or sibling. They don't need to understand Bitcoin; they need to know where the instructions are.
Don't put the seed in your will. Wills become public record. Use the will to point to where the instructions are — not to embed the keys.

Multisig inheritance

Multisig changes the inheritance problem in a useful way: you can give heirs one key (which is useless alone) plus a way to contact a trustee or service that holds another key. The setup survives a single key being known to anyone — including your heirs before you intend them to spend.

Casa, Unchained, and Nunchuk all offer formal inheritance paths. Specter and Sparrow can be combined with `OP_CHECKLOCKTIMEVERIFY` (CLTV) outputs that automatically become spendable by an heir's key after a defined inactivity window — a "deadman's switch" written into the script itself.

10. The mistakes that have lost coins

◆ Mistake

Buying a "factory-sealed" hardware wallet from Amazon. Multiple documented cases of devices arriving with a pre-set seed phrase the attacker generated, included on a "set up your wallet with this seed" insert. Buy direct from the manufacturer. Always.

◆ Mistake

Verifying receive addresses on the computer screen instead of the hardware screen. Clipboard-replacement malware substitutes the destination address after you copy it. Bitcoin addresses look long enough that nobody notices. Always verify on the hardware device's own screen.

◆ Mistake

Storing the seed phrase as a photo or in a password manager. Cloud-synced devices are remotely compromisable. Photos get auto-uploaded to iCloud or Google Photos. Password managers have been breached. The seed is bearer-asset access — treat it like physical bearer paper, not like a password.

◆ Mistake

Reusing a Bitcoin address. Each address should be used once. Reuse breaks privacy (all transactions to that address are linked) and exposes the public key on first spend, weakening quantum resistance. Modern wallet software handles this automatically — let it.

◆ Mistake

Trusting "Bitcoin support" calls or DMs. No legitimate exchange, wallet vendor, or service will ever DM you, call you, or ask for your seed phrase under any circumstance. Anyone who does is trying to steal your coins. Ignore them entirely.

◆ Mistake

Not testing the seed-phrase recovery before trusting the backup. "I wrote it down" is not enough. Wipe the device, type the seed back in, and confirm it generates the same addresses. Discover transcription errors when there's no money on the line, not after.

◆ Mistake

Letting holdings outgrow the security tier. Tier 1 setup with $200k of BTC is asking to lose it. Re-evaluate your tier whenever holdings double — or before. Better to over-secure than under-secure.

Get started today

The single highest-value move on this page, for almost everyone, is buying a hardware wallet from the manufacturer's website and going through the setup procedure in section 4. It takes an afternoon and one $80-200 order. Once it's done, your Bitcoin is no longer dependent on any third party, and you're never one exchange-failure-headline away from waking up at 3am.

The tiering up to multisig and beyond can wait until your holdings grow. The first hardware wallet is the lever that closes the biggest gap.

Pair this with the glossary if any term is new, the critiques page if you want the honest other-side, or the signals dashboard to see live network state. None of this is investment advice — only a starting framework. Your situation, jurisdiction, and risk tolerance should drive the actual decisions.