Bitcoin Security Threat Models

A "threat model" is a framework for examining what you are protecting, who might try to take it, and what security measures are proportionate for the risks involved.

In Bitcoin, building one is the first step to making custody decisions that match your actual situation rather than generic advice.

What is a threat model?

A Bitcoin threat model is a structured way of asking three questions.

What am I protecting?
Who might try to take it?
What measures are proportionate to those specific risks?

In Bitcoin security, these questions have answers that vary by holder, and those answers determine which security decisions actually make sense.

In a literal sense, what you are protecting are your private keys and the seed phrase that derives them. These are what give you the ability to spend your bitcoin: whoever holds them controls the funds, and losing them or exposing them to the wrong person means losing access permanently. The more significant your holdings are to you, the more carefully these threat model questions deserve to be considered.

The second question is where threat models diverge most significantly, because the realistic adversary varies considerably by holder. For the majority of individuals, the primary adversarial threat is remote. Malware on an internet-connected device and phishing schemes engineered to extract private keys or seed phrases are the most common vectors. These attacks are automated and scalable, and are a persistent threat to be wary of for all bitcoiners.

For holders with meaningful public profiles or substantial holdings, a physical adversary becomes a realistic threat. This could be someone who knows you hold bitcoin and is willing to act through theft or coercion. For businesses and institutional-level holders, the threat profile expands further to encompass insider risk, more sophisticated targeted attacks, and operational security across teams and systems.

It's important to also consider that a significant threat to losing your bitcoin may not be an external adversary, but your own error. Careless key management, a seed phrase lost to fire or forgotten, or a recovery phrase entered into a phishing site through a moment of inattention are responsible for a significant portion of Bitcoin loss. A threat model that ignores user error is an incomplete one.

The answer to the third question brings the first two together. Every custody arrangement has an attack surface: the total set of points through which an adversary could reach your bitcoin. A software wallet on your internet-connected phone has a broader attack surface than a hardware wallet that never touches the internet, and a seed phrase stored in one location has a different vulnerability profile than a multi-signature setup that is distributed across multiple sites.

Certain baseline practices apply regardless of threat level: withdrawing to self-custody, using a dedicated hardware device for any amount you would not be comfortable losing, keeping software updated, and storing seed phrase backups durably and offline. Beyond that baseline, the right measures depend on who your realistic adversary is, what you are holding, and how.

What are the main threats to Bitcoin security?

Bitcoin security threats fall into distinct categories, each with a different profile of likelihood, severity, and available mitigation. Understanding the categories is the foundation of any useful threat model.

Threat Category	Example	Primary Mitigation
Remote / digital attack	Malware or phishing targeting an internet-connected device	Hardware wallet, air-gapped signing
Custodial failure	Exchange hack, insolvency, mismanagement, or fraud	Self-custody
Physical theft	Device stolen by an opportunistic thief	PIN protection; seed phrase backup stored separately from device
Physical coercion	Targeted adversary forces key disclosure	Geographic distribution of seed phrase, multisig setup, limited public disclosure, trick PINs
Loss or destruction	Fire, flood, or hardware failure	Steel seed phrase backup, multisig with geographic distribution
User error	Seed phrase lost, misplaced, or forgotten; keys entered into a phishing site	Steel seed phrase backup, careful key management practices
Inheritance and access	Heirs cannot access funds in the event of death or incapacitation	Inheritance planning, documented access procedures stored securely
Supply chain attack	Tampered device delivered before setup	Purchase directly from manufacturer, verify device integrity at setup

Remote or digital attack. Malware, keyloggers, and phishing schemes target private keys stored on internet-connected devices. This is the most common category of Bitcoin theft for individual holders. The primary mitigation is a hardware wallet: a dedicated signing device that keeps the private key on an offline device eliminates the attack surface that software wallets leave exposed. Among hardware wallets, those with air-gapped operations prevent remote attacks at the architectural level and are the gold-standard for security. Why bitcoiners choose hardware wallets covers why this is the standard security upgrade for holders with meaningful savings.

Custodial failure. Exchange hacks, insolvency, mismanagement, and fraud target bitcoin held on exchanges or custodial services. In this scenario, the customer never holds their own private keys, so when the institution fails, the bitcoin held in their custody is potentially lost or subject to lengthy legal proceedings to recover. The primary mitigation is self-custody. A history of Bitcoin exchange failures documents the pattern across more than a decade of cases.

Physical theft. A device is stolen by a thief. For a software wallet on a phone or laptop, a thief who gains access to the device may be able to access the private keys and send bitcoin to their own wallet. Stealing a hardware wallet does not grant access to the private key without the device PIN. Firmware on well-designed signing devices limits brute-force PIN attempts, making blind access effectively impossible. The primary mitigations are PIN protection and keeping the seed phrase backup separate from the device.

Physical coercion. An adversary with knowledge of a holder's bitcoin uses physical force or threats to compel disclosure of keys or the seed phrase. The name "wrench attack" captures the idea plainly: no amount of cryptographic protection prevents someone from threatening to hit you with a wrench until you hand over your keys. The primary mitigations are geographic distribution of the seed phrase backup, multisig arrangements that require keys from multiple locations, and limited public disclosure of holdings. Some signing devices also support a trick PIN: a secondary PIN that unlocks a separate wallet holding a small decoy balance, giving a coerced holder something plausible to hand over while the main holdings remain protected under a different PIN.

Loss or destruction. A fire, flood, or hardware failure makes the seed phrase backup unreachable. This threat targets the backup rather than the device. The primary mitigations are durable offline backup materials, such as steel seed phrase, and geographic distribution of the backup across multiple locations.

User error. Careless or incomplete key management is a significant and underacknowledged source of Bitcoin loss. A seed phrase written on paper and lost in a move, stored digitally in a compromised cloud account, or simply forgotten over time has the same consequence as any external attack: the bitcoin becomes permanently inaccessible. The primary mitigations are durable offline backups, redundant storage across multiple locations, and disciplined habits around key management.

Inheritance and access planning. This is less a threat than a gap in most holders' planning. In the event of death or incapacitation, do the people who should have access to your bitcoin know how to get it? Without documented, secure instructions, even a well-backed-up seed phrase may be inaccessible to your heirs.

Supply chain attack. A tampered device is delivered through the supply chain before reaching the holder. This is a lower-probability threat for most individual holders. The primary mitigations are purchasing directly from the manufacturer and verifying device integrity at setup.

The most important pattern across these categories: the large majority of Bitcoin theft occurs through remote digital attacks and custodial failures. These are also the two categories that hardware wallets and self-custody directly address. For most individual holders, mitigating these two categories resolves the dominant portion of their actual risk.

How do you calibrate the right security level?

The right threat model is not necessarily the most paranoid one. It is the one that matches your actual holdings, your actual adversary, and the security measures you will reliably maintain.

Four variables shape the model.

How much bitcoin do you hold? A few hundred dollars in a software wallet faces a different threat profile than significant savings in self-custody. The appropriate security measures scale with what is at stake.
Who knows you hold bitcoin? Holders who are public about their bitcoin ownership face a meaningfully different physical threat profile than those who are not. The wrench attack requires a targeted adversary who knows you are worth targeting.
How is it currently held? Bitcoin on an exchange carries custodial risk regardless of how much it is. Bitcoin in a software wallet carries remote attack risk. Bitcoin in a hardware wallet with a single seed phrase has eliminated remote attack but retains the risk of seed phrase loss. Each arrangement has its own profile.
What are you most likely to do wrong? A significant portion of Bitcoin loss is self-inflicted: a seed phrase written on paper and lost in your home clutter or thrown out, a backup stored digitally and exposed in a cloud breach, a key typed into a phishing site by a holder who thought they were accessing their wallet. The realistic adversary for many holders is themselves.

Proportionality is how you can approach these variables in a reasonable way. Security measures should address the realistic adversary, not the theoretical worst case. A holder with $500 in a software wallet does not need to buy multiple hardware devices for a multisig setup. A holder with a year's savings in self-custody should not rely on a single seed phrase stored in one location. And any security measure so complex that it will not be maintained reliably creates risk rather than reducing it. A poorly maintained multisig setup can be more dangerous than a well-maintained single-key setup.

What does a threat model lead you to?

A clear threat model does not produce a single correct answer. It produces criteria for evaluating custody options against what you actually need to protect against.

For most individual holders, the analysis points in a consistent direction. Remote attack is a primary threat, and a hardware wallet eliminates it by keeping the private key off internet-connected devices. Custodial risk is the secondary concern for anyone still holding on an exchange, and self-custody removes it entirely. These two decisions, moving to self-custody with a signing device, address the dominant risk categories for the majority of Bitcoin holders. What is Bitcoin self-custody? covers how that transition works in practice.

Within dedicated hardware wallets, the most secure options are those that are bitcoin-only, air-gapped, and built on open-source firmware. Bitcoin-only devices have a narrower codebase and fewer attack surfaces, air-gapped operation removes any network interface from the signing process entirely, and open-source firmware allows independent verification of what the device does. Coldcard signing devices are built around all three of these properties.

From there, the remaining decisions follow from the variables listed above. If physical loss is a primary concern, the seed phrase backup strategy matters most. If holdings are significant enough that physical coercion is a realistic threat, geographic distribution of keys and limited public disclosure become relevant. If the holdings are substantial enough that a single seed phrase represents an unacceptable single point of failure, multisig is worth the added complexity.

For most holders, the progression follows a fairly standard path. Small amounts can be reasonably held in a software wallet, the same way you might carry a modest amount of cash in your pocket. As holdings grow to amounts you would not want to lose, a dedicated hardware wallet and a steel seed phrase backup becomes the essential next step.

Beyond that, multisig arrangements distribute keys across multiple devices and locations, eliminating the single point of failure that any single-key setup carries. And throughout all of it, inheritance planning ensures that in the event of death or incapacitation, the people who should have access can actually get it.

The spectrum of Bitcoin custody options maps the full range of arrangements and the threat profiles each one addresses.

Key Takeaways

→A threat model matches security to risk. Generic security advice is either overkill or insufficient. A personal threat model gives you criteria that fit your actual situation.
→Most Bitcoin theft is remote and digital. Malware and custodial failure account for the large majority of losses. Both are addressed by hardware wallets and self-custody.
→Physical coercion is targeted, not opportunistic. It requires an adversary who knows you hold bitcoin. Geographic distribution of keys and limited public disclosure of holdings reduce this risk.
→Loss through user error is underestimated. Seed phrases lost to fire, flood, or forgotten location are as consequential as any external attack. Backup reliability is part of the threat model.
→Inheritance planning is part of the picture. If your heirs cannot access your bitcoin when you are gone, the outcome is the same as losing it.