How Multi-Institution Bitcoin Custody Protects Against Physical Threats
Jackson Mikalic | Head of Business Development
May 28, 2025
Bitcoin Security: The Complete Guide to Protecting Your Holdings from Physical and Digital Threats
Bitcoin ownership has always come with a degree of responsibility. But the nature of that responsibility is changing fast, and for most holders, the risks are far more serious than they realize.
In 2024, researchers documented 41 verified physical attacks targeting Bitcoin and cryptocurrency holders. By early 2025, that figure had already surpassed 70. These are not cyber crimes carried out from a distance. These are kidnappings, home invasions, robberies, and targeted violence, in some cases against people who simply appeared on a publicly available purchaser list from a hardware wallet company.
"By 2025, documented physical attacks on Bitcoin holders had surpassed 70 in a single year, more than one per week."
At the same time, digital attack vectors have exploded in scale and sophistication. SIM swap fraud increased 1,055% between 2023 and 2024 in the UK alone. A single data breach at a major exchange or hardware wallet company can expose hundreds of thousands of holders' personal information (names, addresses, purchase histories) to criminal networks overnight.
This guide covers the full threat landscape: how attacks happen, why common security approaches fall short, and what a more resilient custody model actually looks like.
Why Bitcoin Holders Are Uniquely Exposed
Most financial assets are held inside intermediated systems (banks, brokerages, custodians) that provide both technical security and legal recourse. If someone steals from your brokerage account, the transaction can be reversed. Fraud protections apply. Insurance covers losses.
Bitcoin operates differently. Transactions are irreversible by design. There is no recourse infrastructure. Once funds move on-chain without your authorization, they are gone. This makes Bitcoin holders attractive targets precisely because the crime, if successful, is permanent.
Compounding this, the Bitcoin blockchain is transparent. While addresses are pseudonymous, on-chain analysis tools (freely available to anyone) can often link addresses to real-world identities, especially when those holders have used exchanges that collect KYC data. A determined attacker who identifies a wallet holding significant Bitcoin has a verifiable, immutable record of that wealth.
Combine transparent wealth with irreversible transactions and a growing market for stolen personal data, and you have an environment where Bitcoin holders face a genuinely elevated risk profile compared to holders of traditional assets.
The Three Attack Vectors Every Holder Should Understand
1. Physical Violence and Coercion
Physical attacks on Bitcoin holders are not rare edge cases. They are a documented, growing pattern. Criminals have learned that the fastest way to steal Bitcoin is not to hack it, but to find the person holding it and apply pressure directly.
Recent examples span multiple continents and demographics. In France, Ledger co-founder David Balland was kidnapped; his finger was severed before a ransom was ultimately paid. In New York, an Italian national was held for days in a Manhattan townhouse, with attackers extracting $28 million in Bitcoin. In British Columbia, a family was taken hostage, eventually transferring $2 million under duress.
These cases share a common thread: the attackers knew who held Bitcoin and how much. That intelligence typically comes from data breaches: purchaser lists from hardware wallet companies or exchanges that have been acquired by criminal networks. Physical violence often follows digital reconnaissance.
2. Data Breaches and Target List Creation
Every time a Bitcoin holder buys a hardware wallet, signs up for an exchange, or uses a Bitcoin-related service that collects personal information, they create a data point that could eventually end up in the wrong hands.
The breach history of companies serving Bitcoin holders is significant. In 2020, Ledger suffered a breach exposing the personal data of approximately 270,000 customers, including names, email addresses, and physical mailing addresses. That data was subsequently published online and later linked to a pattern of phishing campaigns and physical threats. In January 2026, Ledger was affected again, this time through a third-party payment partner, Global-e. The May 2025 Coinbase breach exposed the records of approximately 69,500 users, with estimated remediation costs between $180 million and $400 million.
Each breach has the same effect: it turns a company's customer list into a targeting database for criminal actors.
For a deeper look at how data breaches create physical risk, see our full analysis: How Crypto Data Breaches Turn Bitcoin Holders into Physical Targets.
3. SIM Swaps and Social Engineering
Digital attacks on Bitcoin holders increasingly exploit human systems rather than technical ones. SIM swap attacks, where a criminal convinces a mobile carrier to transfer a victim's phone number to a SIM card they control, have become a primary method for bypassing two-factor authentication and taking over exchange and wallet accounts.
The scale is staggering. In the UK, reported SIM swap cases rose 1,055% between 2023 and 2024, from 289 to over 3,000 cases. The FBI reported $26 million in SIM swapping losses in the US in 2024. The 2022 FTX hack ($400 million in assets) was ultimately executed via SIM swap. Organized operations have been documented where individual operators earn between $10,000 and $100,000 per day impersonating exchanges and government agencies to manipulate account access.
For a detailed breakdown of how these attacks work and how to recognize them, see: SIM Swap Attacks on Bitcoin: How Hackers Steal Crypto Through Your Phone.
Why Common Security Approaches Fall Short
Most Bitcoin holders rely on one of three approaches: self-custody with a hardware wallet, custody with an exchange, or some combination. Each has significant, underappreciated vulnerabilities.
Self-Custody
Self-custody (holding your own private keys) is philosophically appealing and often recommended as the gold standard. But it creates a specific risk profile: you become the single point of failure, and the fact of your self-custody may be inferrable from data breaches at hardware wallet companies. A holder who keeps their keys at home has made themselves a physical target if their identity and purchase history are known to attackers.
Exchange Custody
Exchanges offer convenience but centralize risk. They are prime targets for SIM swap attacks, social engineering, credential theft, and insider compromise. An exchange's security is only as strong as its weakest human touchpoint, and those touchpoints are systematically targeted.
Hardware Wallets
Hardware wallets provide strong technical security for the device itself, but the companies that manufacture and sell them collect purchaser data. When those companies are breached, and several have been, their customer lists become targeting databases. Hardware wallet ownership is not a secret if your shipping address was in a company's systems.
For a full analysis of where each approach fails, see: Why Bitcoin Self-Custody and Exchanges Both Leave You Vulnerable, And What Works Instead.
What More Effective Bitcoin Security Looks Like
The core weakness of every traditional custody approach is that it creates a single point of failure: one person, one device, one institution, one key. Effective Bitcoin security distributes that risk across multiple independent parties, introduces time-based protections, and layers in verification at each step.
Multi-Institution Custody
A multi-institution custody model distributes signing authority across multiple independent financial institutions using a multi-signature (multisig) configuration. In a 2-of-3 arrangement, for example, any two of three institutions must co-sign a transaction. No single institution can move funds unilaterally, and neither can an attacker who compromises one of them.
This model addresses physical coercion directly: even under extreme duress, a holder cannot authorize a transfer alone. Attackers gain nothing by targeting the individual, because the individual does not hold sufficient signing authority to move funds.
Time-Locks and Velocity Limits
Configurable time delays add another protective layer. Transactions can be set to require a waiting period of 5, 10, or 20 business days (or as long as 365 days) before they execute. Velocity limits cap how much can be transferred in a given window. These mechanisms serve a dual purpose: they provide an intervention window if a fraudulent transaction is initiated, and, crucially, they function as a visible deterrent when disclosed to potential attackers.
A criminal who understands that any transfer will be delayed for 20 business days and flagged for review has no viable path to quickly liquidating stolen Bitcoin. The deterrent effect of disclosed time-locks is itself a meaningful security feature.
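An added example, not code from this article or from any custody provider: a small policy evaluator that combines the 2-of-3 co-signing rule with the business-day time-lock and the velocity limit described above. The institution labels, limits, dates and the weekday-only calendar (public holidays ignored) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_business_days(start, days):
    """Date `days` business days after `start` (Mon-Fri only; holidays are
    ignored, which is a simplifying assumption of this example)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 = Monday-Friday
            remaining -= 1
    return current


@dataclass
class Withdrawal:
    amount_sats: int
    requested_on: date
    approvals: set = field(default_factory=set)
    cancelled: bool = False


@dataclass
class CustodyPolicy:
    keyholders: frozenset
    quorum: int
    delay_business_days: int
    velocity_limit_sats: int
    velocity_window_days: int
    executed: list = field(default_factory=list)  # (date, amount_sats) pairs

    def approve(self, w, signer):
        """Record a co-signature; anyone outside the key set is rejected."""
        if signer not in self.keyholders:
            return False
        w.approvals.add(signer)  # a set, so a repeated signer counts once
        return True

    def release_date(self, w):
        return add_business_days(w.requested_on, self.delay_business_days)

    def spent_in_window(self, today):
        start = today - timedelta(days=self.velocity_window_days)
        return sum(amt for day, amt in self.executed if start < day <= today)

    def evaluate(self, w, today):
        """Return (allowed, reason). Every check must pass."""
        if w.cancelled:
            return False, "cancelled"
        if len(w.approvals) < self.quorum:
            return False, "quorum not met"
        if today < self.release_date(w):
            return False, "time-locked"
        if self.spent_in_window(today) + w.amount_sats > self.velocity_limit_sats:
            return False, "velocity limit exceeded"
        return True, "ok"

    def execute(self, w, today):
        allowed, reason = self.evaluate(w, today)
        if allowed:
            self.executed.append((today, w.amount_sats))
        return allowed, reason


def duress_scenario():
    """Constructed walk-through of a coerced request and two ordinary ones."""
    policy = CustodyPolicy(
        keyholders=frozenset({"institution_a", "institution_b", "institution_c"}),
        quorum=2, delay_business_days=20,
        velocity_limit_sats=200_000_000, velocity_window_days=30)
    day0 = date(2025, 6, 2)  # a Monday
    results = {}

    coerced = Withdrawal(150_000_000, day0)
    # The holder is not a keyholder, so a signature given under duress is void.
    results["holder_can_sign"] = policy.approve(coerced, "holder")
    policy.approve(coerced, "institution_a")
    policy.approve(coerced, "institution_a")  # duplicate, still one approval
    results["one_institution"] = policy.evaluate(coerced, day0)[1]
    policy.approve(coerced, "institution_b")
    results["during_delay"] = policy.evaluate(coerced, day0 + timedelta(days=14))[1]
    results["release_date"] = policy.release_date(coerced)
    # The delay is the intervention window: review cancels the request.
    coerced.cancelled = True
    results["after_cancel"] = policy.evaluate(coerced, results["release_date"])[1]

    # Two ordinary requests released on the same day hit the velocity cap.
    first = Withdrawal(150_000_000, day0, {"institution_a", "institution_c"})
    second = Withdrawal(100_000_000, day0, {"institution_b", "institution_c"})
    release = policy.release_date(first)
    results["first"] = policy.execute(first, release)[1]
    results["second"] = policy.execute(second, release)[1]
    return results


if __name__ == "__main__":
    for step, outcome in duress_scenario().items():
        print(f"{step}: {outcome}")
```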
AI-Enabled Verification
Emerging verification layers, including biometric authentication, deepfake detection, and pre-call liveness checks, help ensure that authorization requests are genuinely coming from the account holder and not from someone impersonating them. As deepfake technology becomes more accessible, these protections will become increasingly important for any high-value custody arrangement.
Protecting What You've Built
Bitcoin's value proposition is strong precisely because it operates outside traditional financial intermediaries. But that same independence creates security obligations that most holders are not fully equipped to meet alone.
The threat landscape of physical attacks, data breaches, SIM swaps, and social engineering is real, documented, and growing. The good news is that institutional-grade protections that were once available only to the largest holders are now accessible to individuals through multi-institution custody solutions.
Understanding the threats is the first step. Building a custody structure that accounts for them is the second.
Onramp offers multi-institution Bitcoin custody designed specifically around these threat vectors, combining distributed signing authority, configurable time-locks, and AI-enabled verification in a single framework. If you want to explore whether that kind of structure makes sense for your situation, the conversation starts here.
Explore the Full Series
This article is the hub for a four-part series on Bitcoin security. For deeper coverage of each threat vector:
- How Crypto Data Breaches Turn Bitcoin Holders into Physical Targets
- SIM Swap Attacks on Bitcoin: How Hackers Steal Crypto Through Your Phone
- Why Bitcoin Self-Custody and Exchanges Both Leave You Vulnerable, And What Works Instead
How Crypto Data Breaches Turn Bitcoin Holders into Physical Targets
Most Bitcoin holders think about data breaches the way they think about any financial security incident: as a threat to their accounts, their passwords, their digital assets. The real risk is more direct than that, and more physical.
When a hardware wallet company or exchange is breached, what criminals often walk away with is not just login credentials. They get names, email addresses, and home mailing addresses. In some cases, they also get purchase histories indicating how much hardware, and by extension, how much Bitcoin, a person might hold. That information, in the hands of the wrong people, is not just a digital threat. It is a targeting database for physical crime.
The breach history of companies serving Bitcoin holders is extensive enough that this is no longer a theoretical concern. It is a documented pattern.
The Breach Record: A Timeline of Exposure
Ledger: 2020
In 2020, Ledger, one of the world's most widely used hardware wallet manufacturers, suffered a data breach that exposed the personal information of approximately 270,000 customers. The stolen data included full names, email addresses, and physical shipping addresses. It was subsequently published on public forums and has since been linked to a pattern of targeted phishing campaigns, social engineering attempts, and documented physical threats against holders.
The breach did not expose private keys or seed phrases. The attackers did not need those. What they had was enough: a verified list of people who owned Bitcoin hardware, with addresses attached.
Ledger: January 2026
Ledger was affected again in January 2026, this time through a third-party payment partner, Global-e. The incident demonstrated a persistent vulnerability in how Bitcoin-adjacent companies handle customer data through their vendor networks. Even if the core company's systems are hardened, downstream partners may not be, and every partner that touches customer data is a potential exposure point.
Coinbase: May 2025
In May 2025, Coinbase disclosed a breach affecting approximately 69,500 users. The incident was notable not only for its scale but for its origin: insider compromise. The attackers did not break through technical defenses. They recruited or coerced employees with access to customer records. Coinbase's estimated costs from the breach ran between $180 million and $400 million.
Insider attacks represent one of the most difficult-to-defend vectors in any custodial system. An employee with legitimate access to customer data bypasses most perimeter defenses entirely.
Each breach converts a company's customer list into a criminal targeting database: one that may be sold, published, and used for years.
The Pipeline from Breach to Physical Attack
The connection between a data breach and physical violence against a Bitcoin holder is not always immediate or direct. The pipeline typically looks something like this:
- A company serving Bitcoin holders (a hardware wallet manufacturer, an exchange, or a Bitcoin-related service) is breached.
- Customer data, including names and physical addresses, is extracted and either sold on dark web marketplaces or published publicly.
- That data is acquired by criminal networks who cross-reference it with on-chain analytics tools to estimate holder wealth.
- Holders with identifiable addresses and significant estimated holdings become targets for phishing, extortion attempts, or physical surveillance.
- In serious cases, physical violence (kidnapping, home invasion, armed robbery) follows.
This pipeline has been documented in connection with the 2020 Ledger breach specifically. In the years following, Ledger customers reported receiving targeted threat messages, being approached physically, and in some cases, being victims of crimes that investigators connected to the leaked data.
Why This Threat Is Structural, Not Incidental
The companies that serve Bitcoin holders (exchanges, hardware manufacturers, and financial services firms) have a business model that requires collecting personal data. KYC regulations mandate identity verification for regulated entities. Shipping physical hardware requires mailing addresses. Customer support requires contact information.
This data collection is not optional within those business models. It is required. And every piece of that data represents a liability: a record that, if breached, can be weaponized.
The structural reality is this: any company that sells Bitcoin hardware or services and collects physical customer addresses is creating a list that could one day be used to target those customers. Holders cannot opt out of this data collection when using regulated services, but they can factor it into how they think about their overall security posture.
Self-custody may protect your keys. It does nothing to protect the fact that your address appeared on a purchaser list.
What Effective Protection Actually Addresses
Understanding data breaches as a physical threat, not just a digital one, changes what "good security" looks like for Bitcoin holders.
Hardware wallet self-custody protects private keys but does not address the identity exposure created by the purchase. Exchange custody centralizes risk and creates a high-value target for both digital and insider attacks. Neither approach accounts for the possibility that a criminal already has your home address and a rough estimate of your holdings.
Multi-institution custody models address a different part of the problem: they make the individual holder an ineffective target for physical coercion. If signing authority is distributed across multiple independent institutions in a 2-of-3 configuration, a criminal who shows up at your door, or kidnaps you, cannot compel a transfer without the cooperation of independent institutions, each with their own verification protocols and fraud detection systems. Time-lock configurations mean that even a fraudulently authorized transfer cannot be executed immediately.
The deterrent effect of that architecture, when visible to potential attackers, is itself a form of protection.
The Takeaway
Data breaches in the Bitcoin ecosystem are not just a reason to change your passwords. They are the first step in a documented process that has ended in physical harm for real holders in multiple countries.
Protecting against this threat requires thinking beyond device security and into the structural question of how your custody arrangement responds when someone who wants your Bitcoin already knows where you live.
Return to the main guide: Bitcoin Security: The Complete Guide to Protecting Your Holdings from Physical and Digital Threats.
Up next: SIM Swap Attacks on Bitcoin: How Hackers Steal Crypto Through Your Phone.
SIM Swap Attacks on Bitcoin: How Hackers Steal Crypto Through Your Phone
Your phone number was never designed to be a security credential. But somewhere along the way, it became the master key to a huge portion of the internet's account recovery systems, including most cryptocurrency exchanges.
SIM swap attacks exploit exactly that design flaw. By convincing a mobile carrier to transfer your phone number to a SIM card they control, attackers can bypass two-factor authentication, reset account passwords, intercept verification codes, and drain wallets, all without ever touching your device.
The attack has become one of the most consequential threats to Bitcoin and cryptocurrency holders. And the numbers are moving fast.
The Scale of the Problem
In 2023, UK mobile carriers reported 289 verified SIM swap fraud cases. In 2024, that number had risen to over 3,000, a 1,055% increase in a single year. The FBI reported $26 million in SIM swapping losses across the US in 2024. These are only the cases that were reported and documented; the actual scale is likely significantly larger.
SIM swap fraud rose 1,055% in the UK between 2023 and 2024, from 289 cases to over 3,000.
Bitcoin and cryptocurrency holders are disproportionately targeted because the payoff is high, the transaction is irreversible, and the attack surface, mobile carrier customer service systems, is wide and difficult to fully harden.
The most dramatic example of SIM swap fraud in the crypto space remains the 2022 FTX hack, in which $400 million in assets were extracted via a SIM swap executed during the exchange's bankruptcy proceedings. The attackers did not need to break any cryptographic system. They just needed to control a phone number.
How a SIM Swap Attack Works: Step by Step
Understanding the mechanics helps clarify both why this attack is effective and what defenses actually matter.
- The attacker identifies a target, typically a Bitcoin holder with a known or estimated significant balance.
- The attacker gathers personal information about the target, often from data breaches, social media, or purchased datasets. This includes name, phone number, address, and sometimes the last four digits of their social security number or other information used for carrier identity verification.
- The attacker contacts the target's mobile carrier, by phone, online chat, or sometimes by visiting a physical store, and impersonates the account holder.
- Using the gathered personal information to pass identity verification, the attacker convinces the carrier to transfer the target's phone number to a SIM card the attacker controls.
- The attacker now receives all calls and texts sent to that phone number, including two-factor authentication codes from cryptocurrency exchanges, banks, and email providers.
- With those codes, the attacker resets passwords and gains access to accounts, bypassing all SMS-based 2FA protections.
- Funds are transferred out. Because crypto transactions are irreversible, there is no recourse once the transfer executes.
The entire process can take minutes. In some documented cases, organized groups have automated parts of the attack, enabling them to move quickly across multiple targets simultaneously.
The Social Engineering Layer
SIM swap attacks are not primarily technical exploits. They are social engineering attacks. The vulnerability is in the human verification systems of mobile carriers, not in cryptographic protocols.
Mobile carrier customer service representatives are trained to help customers who are locked out of their accounts. That helpfulness is the attack surface. Attackers who can answer a few verification questions (date of birth, last four digits of a social security number, last bill amount, account PIN) can often get a swap processed.
The attack does not break your phone's security. It circumvents it entirely by compromising the human systems around it.
Organized operations in this space have become sophisticated. Groups have been documented where operators earn between $10,000 and $100,000 per day by impersonating exchanges and government agencies, building scripts, running verification rehearsals, and coordinating attacks across multiple carriers and targets simultaneously.
This is not amateur activity. It is a structured criminal industry that has evolved specifically in response to the value of cryptocurrency accounts.
Why Standard Defenses Are Insufficient
SMS Two-Factor Authentication
SMS-based 2FA is the most common protection on cryptocurrency exchanges, and it is precisely what SIM swap attacks are designed to defeat. Once an attacker controls your phone number, every SMS-based 2FA code comes to them. This makes SMS 2FA actively counterproductive in the context of this specific threat. It creates a false sense of security while the real attack surface sits with your mobile carrier.
Authenticator Apps
App-based authenticators (Google Authenticator, Authy, etc.) are better than SMS because they do not depend on phone numbers. However, they protect the 2FA layer specifically. They do not address the underlying vulnerability if an exchange's account recovery process can be bypassed using other means, or if the attacker also has access to your email account (which may itself be protected by SMS 2FA).
Carrier PIN Locks
Mobile carriers offer port protection and account PINs that add a step to the SIM swap process. These help, but they are not absolute: customer service errors, social engineering of carrier employees, and, in some documented cases, carrier insider compromise have all been used to bypass them.
The Custody Architecture Question
SIM swap attacks illustrate a core problem with exchange-based custody: when signing authority and account access depend on identity verification systems that can be socially engineered, the security of your holdings is bounded by the weakest human in that verification chain.
Multi-institution custody addresses this by removing single points of failure entirely. In a 2-of-3 multi-signature configuration distributed across independent institutions, a SIM swap that compromises one institution's communication channel cannot authorize a transfer: you still need independent authorization from at least one other institution, with its own verification protocols, its own personnel, and its own independent security posture.
Layered on top of that, time-lock configurations mean that even a fraudulently initiated transfer cannot execute immediately. A delay of 5, 10, or 20 business days gives institutions and account holders a window to identify and halt unauthorized activity before it becomes irreversible.
AI-enabled verification layers, including biometric checks and pre-call liveness detection, add another barrier against identity impersonation, which is the root mechanism that SIM swap attacks depend on.
What to Do Now
If you hold significant Bitcoin on an exchange or in any custody arrangement that relies on SMS-based verification, the risk is real and current. Here are practical steps worth considering:
- Contact your mobile carrier and add a port-out PIN and account lock. Request that no changes to your account be made without in-person verification at a store.
- Move away from SMS 2FA on all cryptocurrency accounts and email accounts. Use an app-based authenticator or hardware security key instead.
- Audit which services have your phone number on file as a recovery option. Reduce that footprint where possible.
- Recognize that exchange-based custody concentrates risk. Consider whether your custody structure appropriately accounts for this threat vector.
Ultimately, SIM swap attacks are a strong argument for custody models that do not route authorization through telecom infrastructure at all: models where distributed signing authority means that no single communication channel, however compromised, can unlock a transfer.
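An added example, not part of the original article: a self-audit for the "which services have your phone number on file" step, which follows recovery chains so that an account recoverable through an SMS-protected email shows up as exposed even if it never sees a text message itself. The inventory and channel labels are constructed, and the audit assumes the worst case that any one listed recovery channel is enough to reset access.

```python
from collections import deque

PHONE = "phone_number"

# Constructed inventory: account -> channels that can reset access to it.
# "sms" means a code sent to the phone number; "email:<name>" means a reset
# link sent to another account in this inventory.
SAMPLE_INVENTORY = {
    "email_primary":         ["sms", "backup_codes"],
    "email_backup":          ["security_key", "email:email_alt"],
    "email_alt":             ["email:email_backup"],   # cycle, not phone-derived
    "exchange_a":            ["email:email_primary"],  # login uses an authenticator app
    "exchange_b":            ["sms", "email:email_primary"],
    "password_manager":      ["email:email_backup"],
    "mobile_carrier_portal": ["sms"],
}


def sim_swap_exposure(inventory):
    """Map every account reachable from control of the phone number to the
    shortest recovery chain that reaches it."""
    # Reverse the inventory: controlling `source` lets you reset `account`.
    resets = {}
    for account, channels in inventory.items():
        for channel in channels:
            if channel == "sms":
                resets.setdefault(PHONE, []).append(account)
            elif channel.startswith("email:"):
                resets.setdefault(channel.split(":", 1)[1], []).append(account)

    chains = {}
    queue = deque([(PHONE, [PHONE])])
    while queue:
        source, chain = queue.popleft()
        for account in resets.get(source, []):
            if account not in chains:  # first visit is shortest; also stops cycles
                chains[account] = chain + [account]
                queue.append((account, chains[account]))
    return chains


def rank_fixes(inventory):
    """For each account that accepts SMS recovery, count how many accounts
    stop being exposed once that single SMS channel is removed."""
    baseline = set(sim_swap_exposure(inventory))
    gains = {}
    for account, channels in inventory.items():
        if "sms" in channels:
            patched = dict(inventory)
            patched[account] = [c for c in channels if c != "sms"]
            gains[account] = len(baseline - set(sim_swap_exposure(patched)))
    # Largest reduction first; ties broken by name for stable output.
    return sorted(gains.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for account, chain in sorted(sim_swap_exposure(SAMPLE_INVENTORY).items()):
        print(f"{account}: {' -> '.join(chain)}")
    for account, gain in rank_fixes(SAMPLE_INVENTORY):
        print(f"remove SMS recovery from {account}: {gain} account(s) no longer exposed")
```

In the sample, removing SMS recovery from exchange_b alone changes nothing, because the account is still recoverable through email_primary; the email account is the link to fix first.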
Return to the main guide: Bitcoin Security: The Complete Guide to Protecting Your Holdings from Physical and Digital Threats.
Up next: Why Bitcoin Self-Custody and Exchanges Both Leave You Vulnerable, And What Works Instead.
Bitcoin Custody Risks: Why Self-Custody and Exchanges Both Leave You Exposed
The standard advice for Bitcoin holders tends to collapse into two camps: take control of your own keys through self-custody, or trust an established exchange to hold your assets. Both positions contain real wisdom, and both have critical vulnerabilities that are rarely discussed with the same clarity as their benefits.
As the threat landscape for Bitcoin holders has grown more sophisticated, the weaknesses in each approach have become harder to dismiss. Physical attacks, data breaches, and social engineering have all exposed the gaps that self-custody and exchange custody share: they each concentrate risk in a single point of failure.
Understanding where each model breaks down is the first step toward building a custody arrangement that actually holds up.
The Case for Self-Custody, and Where It Falls Apart
Self-custody is grounded in one of Bitcoin's foundational principles: if you do not control your private keys, you do not control your Bitcoin. The logic is sound. Exchanges fail, get hacked, freeze withdrawals, or become insolvent. When they do, customers with assets on the platform discover that custodial "ownership" is a legal claim, not a technical one.
But self-custody transfers the entire security burden to the individual, and most individuals are not equipped to carry it without gaps.
You Become the Single Point of Failure
In a self-custody model, the security of your Bitcoin is bounded by your own security practices. If your seed phrase is stored insecurely, lost in a natural disaster, or discovered by a family member or intruder, your Bitcoin may be unrecoverable or stolen. There is no support line, no fraud protection, no recourse. The permanence of Bitcoin transactions means that mistakes are permanent.
Self-Custody Does Not Protect Your Identity
Hardware wallet self-custody protects your private keys, but it does nothing to protect the fact that you purchased a hardware wallet from a company that experienced a data breach. If your name and home address appeared on Ledger's 270,000-customer breach list, a criminal network may already know you hold Bitcoin hardware. Your keys may be safe; your physical safety is a separate question.
Self-custody protects your keys. It does not protect the fact of your ownership, and that information is often what attackers want first.
Key Recovery Creates Its Own Risk
Secure key management requires either a backup that can recover the wallet (introducing exposure risk) or the risk of total loss if the primary key is destroyed or inaccessible. Many self-custody holders are caught between making their backup accessible enough to be useful and keeping it secure enough to be safe. That balance is genuinely difficult to strike at the individual level.
The Case for Exchange Custody, and Where It Falls Apart
Exchange custody is convenient, familiar, and appropriate for smaller balances or frequent traders who need liquidity. Established exchanges carry insurance, employ security teams, and have compliance infrastructure. For many users, the tradeoff makes sense.
But exchange custody centralizes risk in ways that make it systematically attractive to attackers, and those attackers have proven repeatedly that the human systems around exchange security are the most reliable entry point.
SIM Swap and Account Takeover
As covered in detail in our companion piece on SIM swap attacks, exchange accounts protected by SMS-based two-factor authentication are vulnerable to a relatively simple social engineering attack at the mobile carrier level. An attacker who gains control of your phone number can reset passwords and capture 2FA codes, bypassing technical defenses without ever directly attacking the exchange's infrastructure.
The 2022 FTX hack executed via SIM swap, costing $400 million, is the most prominent example, but smaller-scale account takeovers happen constantly. The FBI reported $26 million in SIM swapping losses in 2024 alone.
Insider Threats
The May 2025 Coinbase breach was traced to insider compromise: employees with legitimate data access who were recruited or coerced into extracting customer records. This is one of the most difficult attack vectors to defend against because it bypasses technical perimeter defenses entirely. An employee with legitimate access does not trigger the same alarms as an external attacker.
Exchanges employ hundreds or thousands of people with varying levels of access to customer data and, in some cases, operational systems. Each one represents a potential attack surface that cannot be fully eliminated through technical controls alone.
The Concentration Problem
An exchange holding the assets of millions of users is, by definition, one of the most attractive targets in the financial world. The expected value of successfully attacking a major exchange, combined with the fact that Bitcoin transactions are irreversible, makes major exchanges persistent and high-priority targets for sophisticated actors. No matter how strong an exchange's security posture, it will always attract more sophisticated and persistent attacks than any individual holder would.
Both self-custody and exchange custody solve different problems. Neither fully addresses the threat environment Bitcoin holders actually face today.
Hardware Wallets: Useful, But Incomplete
Hardware wallets provide strong device-level security. They keep private keys offline, require physical confirmation for transactions, and protect against a wide range of remote attacks. For that specific function, they work well.
But they are part of a custody arrangement, not a custody arrangement in themselves. Their limitations matter:
- The company selling the hardware wallet collected your shipping address. That address may now be on a breach list.
- Physical access to the device, combined with certain technical attacks, can extract keys from some hardware wallets.
- Loss or destruction of the device creates recovery problems that are only as secure as the backup process.
- Hardware wallets do nothing to protect against the social engineering, SIM swaps, or physical coercion that increasingly characterize attacks on Bitcoin holders.
Hardware wallets are a valuable component of a broader security strategy. They are not a complete answer to the current threat landscape.
What a More Resilient Custody Architecture Looks Like
The common thread in the failures of self-custody, exchange custody, and hardware wallet use is the single point of failure. Each model concentrates signing authority (and therefore vulnerability) in one person, one device, or one institution.
Multi-institution custody addresses this at the architectural level. By distributing signing authority across multiple independent institutions in a multi-signature configuration (for example, a 2-of-3 arrangement where any two of three institutions must co-sign a transaction), the model eliminates any single point through which an attacker can move funds.
What This Means for Physical Coercion
A holder who is physically threatened cannot authorize a transfer unilaterally, because they do not hold sufficient signing authority alone. The deterrent effect of this, when visible to potential attackers, is itself a protection: a criminal who understands that coercing the holder will not produce a transferable authorization has a fundamentally weaker motive for the attack.
What This Means for Account Takeover
An attacker who compromises one institution's account systems, through SIM swap, social engineering, or credential theft, does not gain access to signing authority at the other institutions. Each institution has independent verification protocols, independent personnel, and independent security infrastructure. Compromising one does not compromise the others.
Time-Locks as Active Deterrence
Configurable time-lock delays of 5, 10, or 20 business days (up to 365 days) add a temporal layer that further changes the risk calculus for attackers. A transfer that cannot execute for three weeks is not a useful outcome for a criminal who needs immediate liquidity. The delay also provides an intervention window: if a fraudulent transaction is initiated, there is time to identify it and halt it before it becomes irreversible.
Disclosing the existence of time-locks to potential attackers amplifies the deterrent effect. If an attacker knows in advance that any transfer will be delayed and reviewed, the expected value of attacking the holder drops substantially.
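The 2-of-3 quorum and the time-lock delay described above can be modelled as a small authorization policy. This is an added example, not Onramp's implementation: the institution names, the `Withdrawal` class and the status strings are hypothetical, and the business-day calculation ignores public holidays.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

INSTITUTIONS = frozenset({"inst_a", "inst_b", "inst_c"})  # hypothetical key holders
QUORUM = 2                    # 2-of-3, as in the text
PRESET_DELAYS = {5, 10, 20}   # business-day presets named in the text


def add_business_days(start: date, days: int) -> date:
    """Advance by `days` weekdays (Mon-Fri); public holidays are ignored here."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


@dataclass
class Withdrawal:
    requested_on: date
    delay_days: int
    approvals: set = field(default_factory=set)
    halted: bool = False

    def __post_init__(self):
        if self.delay_days not in PRESET_DELAYS:
            raise ValueError("delay must be one of the preset time-locks")

    def approve(self, institution: str) -> None:
        # Only the three known institutions count, and each counts once.
        if institution not in INSTITUTIONS:
            raise ValueError(f"unknown signer: {institution}")
        self.approvals.add(institution)

    def halt(self) -> None:
        """Stop the transfer during the intervention window."""
        self.halted = True

    def unlock_date(self) -> date:
        return add_business_days(self.requested_on, self.delay_days)

    def status(self, today: date) -> str:
        if self.halted:
            return "halted"
        if len(self.approvals) < QUORUM:
            return "needs-quorum"    # one signer alone cannot move funds
        if today < self.unlock_date():
            return "time-locked"     # quorum met, delay still running
        return "executable"
```

A request with a single approval never leaves `needs-quorum`, however many times that signer approves, and a fully approved request can still be halted at any point before its unlock date.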
AI-Enabled Verification
Emerging verification layers (biometric authentication, deepfake detection, pre-call liveness checks) address the identity impersonation dimension of attacks. As deepfake technology matures, the ability to verify that a person authorizing a transaction is genuinely who they claim to be becomes increasingly important. Multi-institution custody frameworks that incorporate these tools are better positioned against social engineering attacks that depend on identity deception.
Choosing the Right Custody Structure
The right custody arrangement depends on a holder's specific situation: the size of their holdings, their access needs, their risk tolerance, and the threat environment they're operating in. There is no universal answer.
But the analysis should start from an honest assessment of what self-custody and exchange custody each actually protect against, and what they do not. For holders with significant Bitcoin exposure, a custody structure built around distributed signing authority, time-lock protections, and institutional-grade verification is worth understanding seriously.
Onramp offers multi-institution custody built around exactly these principles. If you want to explore how that structure compares to your current approach, start the conversation here.
