ShopSecurity is not a single decision. It is a set of tradeoffs, and the tradeoffs that make sense for you depend on what you are protecting, from whom, and under what conditions. Threat modeling is the practice of thinking through those questions systematically — before you make decisions, not after.
Applied to Bitcoin self-custody, a threat model helps you move from vague anxiety ("what if someone hacks me?") to specific, addressable questions ("what attack vectors exist, which ones are realistic for my situation, and what defenses are proportionate?"). The goal is not to achieve perfect security — that does not exist. The goal is to make informed decisions about where to invest your attention and effort.
What Is a Threat Model?
A threat model is a structured way of thinking about security that starts with three questions:
- What am I protecting? The specific asset or information at risk.
- Who might try to take it, and how? The realistic adversaries and the methods available to them.
- What is the cost of different defenses? Every security measure has a cost — in time, money, friction, or the risk of self-inflicted loss. A good threat model helps you match defenses to threats rather than maximizing security at any cost.
Threat modeling is not unique to Bitcoin. Security engineers, cryptographers, and governments have used formal threat modeling frameworks for decades. Bitcoin self-custody introduces a specific version of the problem: you are holding a bearer asset with no chargebacks, no customer support, and no recovery path if keys are lost or compromised. The stakes are defined clearly, which makes threat modeling particularly useful.
What Are You Actually Protecting?
In Bitcoin self-custody, the fundamental thing you are protecting is your private key — or more precisely, the seed phrase that encodes it.
A private key is a 256-bit number that authorizes transactions from a specific Bitcoin address. Anyone who knows it can move the funds it controls. Your seed phrase — the 12 or 24 words generated when you set up a signing device or software wallet — is the human-readable form of the mathematical root from which that private key (and all others in your wallet) is derived.
This has an important implication: the private key does not care about your identity. It does not verify that you are who you say you are. Whoever holds the key controls the Bitcoin. This is different from a bank account, where your identity is tied to your account and a fraudulent transaction can sometimes be reversed. With Bitcoin, possession of the key is ownership. There is no appeal.
What this means for threat modeling: your primary objective is to keep your seed phrase secret and recoverable. Secret so that no attacker can access it. Recoverable so that you can access it if your device is lost, damaged, or stolen.
These two objectives are in tension. Hiding something effectively often makes it harder to recover. Distributing backups for resilience introduces more potential points of exposure. Good custody practice navigates this tension deliberately.
What Are the Main Threats to Bitcoin Security?
Threats to Bitcoin self-custody fall into three broad categories: remote attacks, physical attacks, and self-inflicted loss. Most custody failures come from the third category.
Remote Attacks
A remote attack is any attempt to access your private key over a network. This includes malware that monitors clipboard contents and substitutes attacker-controlled addresses, software that intercepts private keys stored on an internet-connected device, and phishing attacks designed to trick you into entering your seed phrase on a fraudulent site.
The primary defense against remote attacks is key isolation: keeping your private key on a device that never connects to the internet. A signing device stores keys in a secure element and only communicates with a coordinator (like Sparrow Wallet) through a constrained channel — MicroSD, QR code, or NFC — rather than a live network connection. An attacker with full control of your computer cannot extract a private key that never exists on that computer.
Remote attacks are the threat that receives the most attention, but for most individual holders they are not the most likely cause of loss.
Physical Attacks
A physical attack is any attempt to access your seed phrase or signing device through direct physical presence. This includes theft of a device or seed backup, coercion (being forced to hand over access), and supply chain attacks (receiving a tampered device).
Physical attacks are more constrained than remote attacks because they require proximity. Defenses include secure physical storage for seed backups (a locked safe, a geographically distributed backup strategy), devices with PIN protection and self-destruct features for coercion scenarios, and tamper-evident packaging to detect interference before first use.
Geographic distribution is the most underrated physical security measure. A fire, flood, or burglary that affects one location cannot destroy a backup stored in a separate location.
Self-Inflicted Loss
The most common cause of Bitcoin loss is not hacking or theft — it is self-inflicted: losing the seed phrase, forgetting a passphrase, accidentally destroying the only backup, or making a setup error that makes recovery impossible.
Self-inflicted loss does not get treated as a security threat because it feels like user error rather than an attack. But from a threat modeling perspective, it is the failure mode most likely to affect you. Defenses include: creating a physical backup of your seed phrase before ever receiving any Bitcoin, verifying that backup by restoring from it on a separate device before relying on it, and testing your recovery process periodically rather than assuming it works.
The security tradeoff in self-custody is often framed as "security vs. convenience." The more accurate framing is "protection from attackers vs. protection from self-inflicted loss." Measures that make your seed phrase harder to access for an attacker also make it harder to access for you in a recovery scenario. Good custody design holds both concerns simultaneously.
How Does Threat Modeling Change With Holdings Size?
The appropriate level of security investment scales with the value at risk. A threat model for someone holding $1,000 in Bitcoin looks different from one for someone holding $100,000.
At lower values, the main risks are operational: making a setup error, losing a backup, or accidentally sending to the wrong address. The proportionate defense is a solid basic setup — a reputable signing device, a physical seed backup in a secure location, and a recovery test before relying on the setup.
As holdings grow, the threat surface expands. A determined attacker is more likely to invest effort as the potential payout increases. Physical security becomes more important. Geographic distribution of backups becomes more important. Multisig setups — which require multiple keys to authorize a transaction, eliminating the single-point-of-failure risk of a single seed phrase — become worth the additional complexity.
The right question is not "what is the most secure possible setup?" It is "what threats are realistic for my situation, and what defenses are proportionate?"
How Does a Threat Model Lead to a Custody Decision?
Once you have identified your specific threats, custody choices become more legible.
Keeping Bitcoin on an exchange addresses the complexity of self-custody but introduces custodial risk — the exchange controls your keys, not you. Exchange failures, freezes, and hacks are documented [link to Article 2]. If the exchange fails, your claim to the Bitcoin may not be honored.
A basic single-signature self-custody setup with a signing device and a physical seed backup addresses the remote attack threat (the key never exists on an internet-connected device) and provides a recovery path for device loss. Its weakness is the single point of failure: the seed phrase. If the backup is lost or destroyed, there is no recovery.
A multisig setup — using two or three keys stored in separate locations, requiring two to authorize a transaction — eliminates the single-point-of-failure risk at the cost of additional setup complexity and operational overhead. For holders with significant value at risk, that tradeoff is usually worth making.
The threat model does not tell you which setup to choose. It gives you a principled basis for making that choice given your specific situation, holdings, and risk tolerance.
Key Takeaways
- A threat model is a structured way of identifying what you are protecting, who might try to take it, and what defenses are proportionate to those threats.
- In Bitcoin self-custody, the fundamental thing you are protecting is your seed phrase — the root from which all your private keys are derived.
- The three main threat categories are remote attacks (mitigated primarily by key isolation), physical attacks (mitigated by physical security and geographic distribution), and self-inflicted loss (mitigated by verified backups and periodic recovery tests).
- Self-inflicted loss is the most common cause of Bitcoin loss in self-custody — not hacking or theft.
- The appropriate level of security investment scales with the value at risk. The goal is not maximum security at any cost but proportionate defenses matched to realistic threats.