Bitcoin Transaction Security

Most self-custody security attention focuses on the seed phrase, including how to create it, back it up, and protect it from disclosure. But security considerations extend beyond recovery and include transactions themselves.

Every send transaction involves security decisions, from address verification to fee selection to how the transaction reaches the signing device.

What Threats Does a Bitcoin Transaction Face?

A bitcoin transaction can fail to reach its intended recipient through several mechanisms distinct from key theft. Address replacement, fee manipulation, UTXO linkage, and blind signing are the primary transaction-layer risks.

• Address replacement attacks: These are the most direct threat to transactions. Malware running silently on the host computer monitors the clipboard and replaces any Bitcoin address that is copied with an attacker's address at the moment of pasting. The sender builds the transaction, signs it, and pays the attacker, realizing after the fact that the intended address was replaced. The only reliable defence is reading the destination address on the signing device's screen, to ensure it matches the actual intended destination. Read more about address management.

• Fee-related risk: This threat comes in two directions. Setting fees too low creates a transaction that stalls in the mempool and may sit unconfirmed for hours or days. Setting fees too high wastes funds. Both are avoidable with basic mempool awareness before sending. Read more about fee management.

• UTXO linkage: This is a privacy and security consideration that most users overlook. When two unspent transaction outputs (UTXOs) are used as inputs in the same transaction, chain analysis tools treat them as belonging to the same entity. Combining a UTXO from a KYC exchange with a UTXO from a private source in the same transaction permanently links those two coin histories on-chain, a connection that cannot be undone after broadcast. Read more about UTXO management.

• Blind signing: means approving a transaction on a hardware wallet without reading what is displayed on the device screen. A user who confirms without verifying the destination address and amount is trusting the coordinator software, which is connected to the internet and is not a trusted surface.

What is Address Verification and Why Does It Matter?

The most important action in any bitcoin send is verifying the destination address on the hardware wallet screen before signing. A correct private key, a clean signing device, and a well-constructed transaction all fail if the address displayed on the computer has been substituted before the transaction was built.

Clipboard malware can run invisibly on your computer. When it detects that a bitcoin address has been copied to the clipboard, it replaces the clipboard contents with the attacker's address. The sender pastes what they believe is their own address into the coordinator software, the transaction is built with the attacker's address embedded in the output script, and if the transaction is signed, the funds are gone.

The signing device screen is the only reliable way to catch this attack. The device reads the destination address directly from the PSBT data, not from the coordinator screen, so it shows the actual transaction destination regardless of what the coordinator displays.

If the PSBT contains the attacker's address, the device displays the attacker's address, even if the coordinator software is displaying your intended recipient's address. A user who reads the device screen before confirming will see an address they do not recognise and can cancel before signing.

At minimum, check the first four and last four characters of the displayed address against the address you obtained from your intended recipient through a trusted channel. For large or irreversible sends, compare the full string character by character. For very large sends, confirm the address via a separate communication channel before building the transaction.

Coldcard displays the destination address and amount for every transaction and requires on-device confirmation before signing. The screen is the trusted display, not the computer.

How to Verify Bitcoin Transactions covers the full on-device verification workflow.

What are UTXO Management and Address Hygiene?

Unlike a bank account, which tracks a single running balance, bitcoin works more like paper cash in your wallet. When you transact, you select which paper notes to pay with, and often you receive new paper notes returned to you as "change."

Bitcoin's blockchain records discrete unspent transaction outputs (UTXOs), each one a specific amount of bitcoin locked to a specific address. When you initiate a transaction, you select which of those UTXOs to spend as inputs, and that selection determines the fee you pay, which coin histories become linked on-chain, and whether a change output is created and returned to you.

• UTXO selection affects fees: Each input requires a signature to spend and fees are based on the amount of data required, not the monetary value of the transaction. A Native Segwit transaction with ten small inputs is approximately 600 vbytes larger than a transaction with one large input for the same payment amount. At 50 satoshis per virtual byte (sats/vbyte), that difference is 30,000 satoshis in additional fees. Consolidating small UTXOs into larger ones during low-fee periods reduces this cost before it arises.

• UTXO selection affects privacy: Inputs combined in the same transaction are permanently linked on-chain as controlled by the same entity. Chain analysis firms apply this common-input-ownership heuristic while monitoring Bitcoin's public blockchain, which assumes that all inputs spent together in a single transaction belong to the same entity. Mixing UTXOs from a KYC exchange with UTXOs from a private source in the same transaction destroys any privacy separation between them.

• Address reuse creates linkage at the receive side: When the same address receives multiple payments, those transactions are provably linked as belonging to the same owner by cryptographic fact. The correct practice is to always use the wallet's Receive function for a new address, never copying from a prior transaction.

These practices apply at wallet management time, not only at send time. Labelling UTXOs at the point of receipt makes coin selection meaningful as the wallet grows.

Bitcoin UTXO Management covers coin control, consolidation, and dust handling in full. Bitcoin Address Reuse and Management covers the privacy consequences of address reuse and how to avoid it.

What Does Fee Selection Have to Do with Security?

Transaction fees are priced in a free market as people compete to get their transaction confirmed in limited block space. A fee rate below the current market rate means the transaction may stall in the mempool, where it can sit for hours, days, or be evicted entirely if rates rise sharply.

Fees are measured in sats/vbyte (satoshis per virtual byte), not as a percentage of the transaction's value. A transaction with many inputs requires more data, occupies more blockspace, and pays a higher absolute fee as a result. This means a fee that looks large in satoshi terms can actually represent a very low rate on a large multi-input transaction, while a fee that looks small can be perfectly adequate for a compact single-input transaction. What matters is the rate, not the raw satoshi amount.

Because block space is intentionally limited. When many people are trying to transact at the same time, the market rate to get a transaction confirmed in the next block (roughly 10 minutes) can exceed 200 sat/vbyte. During quiet periods, that same next-block confirmation can cost as little as 1 to 2 sat/vbyte. You can check mempool.space to see current depth, fee-rate tiers, and what it costs to get into the next block.

If you set a fee rate well below the current market rate, miners have no incentive to include your transaction in the next block. It sits in the mempool, unconfirmed, waiting for either congestion to clear or for you to intervene. Two fee-bumping mechanisms can help:

1. Replace-by-fee (RBF) lets the sender replace the original transaction with a new version paying a higher rate.

2. Child-pays-for-parent (CPFP) lets the recipient spend an unconfirmed output in a new transaction with a fee high enough to incentivize miners to include both.

Both require additional signing steps, so getting the fee right before broadcasting is simpler than fixing it afterward.

UTXO count also affects fees: more inputs mean a larger transaction and a higher fee at any given rate.

What is the Bitcoin Mempool? covers the fee market in full. What are Bitcoin Transaction Fees? covers sat/vbyte calculation and fee strategy.

What is the Most Secure Transaction Signing Workflow?

The most secure way to sign a Bitcoin transaction uses a hardware wallet operating as an air-gapped signer, the PSBT format to separate transaction construction from signing, and on-device verification of all details before confirming.

The workflow has two clearly separated roles:

1. The coordinator software (Sparrow Wallet is the standard recommendation) running on your computer constructs the unsigned transaction, gathers the UTXO data needed for on-device display, and handles broadcast after signing.

2. The signing device (Coldcard, operating air-gapped) receives the PSBT via QR code, microSD card, or NFC, displays the full transaction details, and signs only after the user confirms on-device. It never connects to the internet.

A USB-connected signing device has a persistent channel to any network the computer reaches. That channel is the attack surface for malware attempting to extract signing data or manipulate the device. Removing that channel eliminates those attack vectors. On-device verification remains the final control regardless of signing method.

The signing device sees the actual transaction data via the PSBT input fields, not what the coordinator reports. It displays accurate destination addresses and fee information independent of what the connected computer shows. On-device verification is meaningful regardless of how the PSBT reaches the device, though the air gap eliminates a class of threats that affects USB connectivity.

Coldcard supports all three air-gap channels: QR code on the Q model, microSD card on the Mk5 and Q, and NFC on the Mk5 and Q. All three pass the full PSBT to the device. Coldcard displays the destination address, change address, amount, and fee before signing. The user confirms each field on the device screen before the device produces the signed transaction.

What is Air-Gapped Signing? covers the full PSBT workflow and transport channel comparison. How to Verify Bitcoin Transactions covers the on-device verification step in detail.