Crypto Threat Modelling: A Personal Security Plan for Self-Custody

Introduction

Most security advice for crypto holders arrives as a flat list of instructions: use a hardware wallet, enable two-factor, never share your seed. The instructions are sound. But the list is the same whether the reader is a student with £400 of Ethereum on a phone or a retiree who has quietly moved a £400,000 retirement pot into self-custody. That cannot be right, because the two face genuinely different adversaries and the cost of being wrong is wildly different. The discipline that fixes this is threat modelling: a short, structured exercise that produces a security posture proportionate to what you actually hold and who can realistically reach it. It is the foundation our crypto operational security hub builds the rest of the stack on, and this guide takes it from a framework into a working personal plan.

The reason this matters is that the largest crypto losses in 2025 were not failures of cryptography or hardware. They were failures of judgement about which threat to take seriously. A holder who pours hours into a multisig setup but pastes a poisoned address from their transaction history has spent their effort on the wrong adversary. A holder who obsesses over physical-coercion countermeasures while leaving SMS two-factor on the exchange account that holds their funds has done the same in reverse. A good model prevents both by forcing you to be honest about probability and impact before you choose a single defence, so the effort lands where the risk actually is.

What follows is built to be worked through in order. First, what threat modelling actually means and the three questions at its core. Then a value-tiering table that maps four holding bands to a proportionate posture, with two worked holders (a £3,000 casual owner and a £300,000 serious one) to make the difference concrete. Then an adversary taxonomy that names the four realistic attacker types and which defence answers each, followed by an honest treatment of the physical-coercion branch that has been rising through 2025 and 2026. The guide closes with an attack-surface inventory you can run against your own setup, and the small number of triggers that should make you revisit the whole model.

One boundary is worth stating up front. This page is the map, not every destination on it. Where a threat needs an operational fix with real depth — how to recognise a phishing lure, how to read a signature before approving it, how to back up a seed against fire and coercion — this guide names the threat and the adversary, then hands you to the cluster satellite that owns the fix. The aim here is to make sure you are defending against the right things in the right proportion before you start spending effort on any of them.

What Threat Modelling Means for Self-Custody

Threat modelling borrows from security engineering, where it means systematically identifying what could go wrong with a system before an attacker finds out for you. Stripped of jargon for a self-custody holder, it reduces to three questions answered honestly about your own situation. What am I protecting, and what is it genuinely worth relative to my life? Who realistically wants it, given how visible and how valuable my holdings are? And what is the cheapest defence against each of those adversaries, measured not just in money but in the friction I will actually tolerate over years? The output is not a feeling of safety; it is a short list of the threats that apply to you specifically and the proportionate response to each.

The crucial property of a model, and the thing a checklist cannot give you, is that it tells you what to ignore. Security has an opportunity cost: every hour spent hardening against an attack that will never come is an hour not spent on the one that will. A casual holder who reads a harrowing kidnapping story and starts planning decoy wallets and panic codes has misallocated their attention. Their actual adversary is an automated drainer kit that has no idea who they are. The model corrects this by anchoring every decision to probability and impact rather than to whichever attack is most vivid in the news cycle. Vividness and probability are almost inversely correlated in crypto security, which is exactly why an explicit model beats intuition.

The asset, adversary, surface, mitigation frame

It helps to give the three questions a slightly more formal shape, because each maps to a thing you can write down and revise. A complete personal model has four moving parts, and the discipline is to fill in all four rather than jumping straight to mitigations.

• Asset: what you are protecting, expressed as a figure relative to your life rather than an abstract balance. The relevant number is whether losing it would change where you live or when you retire, not the raw total.
• Adversary: who would realistically come for it, from an automated remote drainer that does not know your name, through a targeted phisher, to the rare physical attacker who does know exactly who and where you are.
• Attack surface: the concrete paths an adversary could use: a malicious signature, a SIM-swap on your number, malware on a hot-wallet device, a seed stored somewhere readable, or your identity linked to your holdings in a leaked database.
• Mitigation: the proportionate defence for each surface, chosen for the friction you will genuinely sustain rather than the strongest option that exists. A defence you abandon is worse than a modest one you keep.

Model thinking versus checklist thinking

The difference between the two is easiest to see in how they handle a new attack. When gasless Permit phishing surged in 2025, a checklist holder had no way to react until someone published a new checklist item. A model holder already had a slot for it: a new attack arrived, they asked whether it changed their surface or their adversary, and they slotted the recognition habit into the layer that already covered signing. Checklists are static and go stale; models are adaptive and absorb new threats into an existing structure. That adaptiveness is the entire point, because the threat landscape in self-custody changes faster than any static list can keep up with.

A model is also explicitly a living document. It is built once and then revised only when one of a handful of triggers fires: a balance crossing a tier, a public footprint appearing, a jurisdiction changing, a tool or partner failing, or a new attack class becoming prominent. Between triggers it sits quietly and does its job. The closing section of this guide returns to those triggers in detail; for now the point is that threat modelling is cheap to maintain precisely because it is not a constant chore but a structure you only touch when something real changes.

Tiering Protection to Holding Size

The single most useful output of a model is a posture tiered to value, because almost every meaningful security decision shifts as the figure at risk grows. The table below maps four holding bands to a proportionate posture, the backup regime that fits, whether the architecture upgrade to multisig is warranted, and how relevant physical risk realistically is at each level. The bands are illustrative inflection points rather than hard rules — your own crossover may sit higher or lower depending on income, jurisdiction and public footprint — but the direction of travel is consistent: more value warrants more friction, and the jumps are larger than most holders expect.

The table compresses a lot of judgement, so two clarifications matter. First, the multisig column points to an architecture decision rather than a backup format, and the full mechanics — how M-of-N quorums work, how signers are chosen, and how the model resists both single-device failure and coercion — belong to our multisig wallets complete guide rather than being re-derived here. Second, the physical-risk column is deliberately tied to visibility as well as value: a £250,000 holder who has never mentioned crypto to anyone faces far less physical risk than a £60,000 holder who posts their gains under their real name.

From the £1,000 band upwards the table assumes a single dedicated hardware wallet as the core device, the one purchase that closes the remote key-extraction door for every tier above the spending float; a well-supported option such as the Trezor hardware wallet is what the savings tiers in the table are built around.

Investor A versus Investor B

Tables describe; worked cases convince. Consider two real-shaped holders whose models land in completely different places, and notice that almost nothing in their setups should look the same.

Investor A holds about £3,000, mostly in Ethereum and a couple of tokens, used occasionally for swaps and a small staking position. The honest figure is that losing it would sting for a few months but change nothing structural. Their adversary is overwhelmingly the automated remote attacker: a drainer kit on a cloned site, a phishing email, clipboard malware that swaps a copied address. No one is going to surveil or coerce them, because they are not identifiable as a holder and the sum would not repay the effort. The proportionate model is light: a reputable wallet treated as a spending account, an authenticator app instead of SMS, a single tested backup of the seed, and the discipline to treat every unexpected signing request as hostile. Adding a passphrase, a multisig, or any physical-security measure here is pure over-engineering: friction with no matching threat.

Investor B holds about £300,000 accumulated over years, the bulk of which is earmarked for a house deposit and retirement. Losing it would be genuinely life-changing, which moves every decision. Their adversary set is broader: the same automated attackers, plus a targeted phisher who might identify them through an old exchange account, plus — if they have ever discussed holdings publicly or appear in a breached database — a small but non-zero physical-coercion risk.

Their proportionate model is heavier on every axis: the architecture upgrade so that no single key can move the whole sum, two geographically separated metal backups, SMS stripped from every account that touches funds, a written inheritance plan because dying without one would erase the lot, and a deliberate effort to keep their real identity unlinked from their on-chain accounts. The same fear that is over-engineering for Investor A is prudent planning for Investor B, and the only thing that changed is the honest value and visibility figure at the top of the model.

The lesson the two cases share is that the right amount of security is not a universal constant but a function of value and visibility. A holder who copies Investor B's regime onto Investor A's balance has burnt effort and patience they will eventually abandon; a holder who runs Investor A's light regime on Investor B's portfolio is one bad day from a catastrophe. The tiering table exists precisely so you can find your own row honestly rather than copying someone else's.

Mapping Your Adversaries

The second question in the model (who realistically wants your coins) deserves more than a single answer, because the four realistic adversary types differ sharply in how they reach you and which defence stops them. Naming them explicitly stops the common error of defending against the wrong one. The taxonomy below sets out each adversary, the realistic reach they have, the entry point they exploit, and which page in this cluster owns the corresponding defence, so you can trace each threat that applies to you straight to its fix.

Probability versus impact

The four adversaries do not sit at the same point on the probability-impact grid, and where each lands should drive how much attention it gets. The remote phisher and opportunistic malware are high-probability, moderate-impact threats: they will try almost every active holder, and the impact is capped at whatever a single compromised wallet or approval can reach. The physical-coercion attacker is the inverse: very low probability for almost everyone, but potentially catastrophic impact, because a holder under duress can be forced to surrender everything reachable. The insider sits in an awkward middle: low probability but high impact and very hard to defend against technically, since the person already has trust and may already know where things are. A sound model spends most of its budget on the high-probability quadrant while keeping a proportionate, not paranoid, eye on the catastrophic-but-rare corner.

The insider branch most holders never consider

The insider adversary is the one threat models most often omit, partly because it is uncomfortable to contemplate. It is not usually a malicious relative; far more often it is the simple fact that the more people who know a precise large figure and where the backups are, the wider the surface for accidental disclosure, social pressure, or being named to an external attacker. Insiders also feature in a meaningful share of physical-coercion cases, where attackers either are known to the victim or learnt of the holdings through someone who was.

The defence is not secrecy from everyone — that path loses the funds to inheritance failure instead — but structure: graduated disclosure so a trusted heir knows a plan exists without knowing the live secrets, and physical separation of backups so no single person controls enough to act alone. The backup separation mechanics belong to our seed phrase backup and recovery opsec, and the structured handoff to heirs is covered in detail in the inheritance guide linked at the foot of this page.

For the two high-probability adversaries — the remote phisher and opportunistic malware — the defence is overwhelmingly recognition and signing discipline rather than any device or architecture. Learning to spot a hostile lure before you reach a signing screen is covered in our wallet drainer and phishing defence, and reading exactly what a transaction grants before you approve it is the subject of our transaction signing hygiene and approvals. Those two satellites carry the load for the adversaries almost every reader will actually face.

The Physical-Adversary Branch: Coercion and the Wrench Attack

The physical adversary is the one the rest of this model treats separately, because it breaks an assumption every digital defence relies on: that the holder is free to refuse. A wrench attack — the term comes from a long-running joke that a cheap wrench applied to a person beats the most expensive cryptography — is in-person coercion to extract crypto. The attacker does not need to defeat the hardware or guess the seed; they force the holder to authorise the transfer themselves, which renders the entire digital stack moot. It is the one adversary against whom verification discipline and a good signing routine offer nothing, because the holder is the one being compromised.

The honest framing matters more here than anywhere else in the model, in both directions. Underplaying the trend would be wrong: 2025 was, by the public dataset Jameson Lopp maintains, a record year, with roughly 70 documented physical attacks on crypto holders worldwide, up from around 41 in 2024. CertiK's tracking found 34 such incidents in the first four months of 2026 alone, a 41% rise on the same period a year earlier, with estimated losses near $101 million, 82% of cases in Europe and France the worst-hit country.

Both sources stress that the real figures are higher, because victims frequently do not report out of fear of retaliation or exposure. Overplaying it would be equally wrong: against a global population of many millions of holders, even a record year of around 70 attacks is a vanishingly small probability for any individual, and the cases concentrate heavily on a specific profile.

Who actually faces this, and who does not

The defining feature of physical-coercion targets is not raw wealth but the combination of wealth and identifiability. Investigators describe a shift to data-driven targeting: rather than surveilling a victim for weeks, attackers now assemble target lists from leaked databases, on-chain balances and property records. They pick the people whose holdings are large and whose identity is already linked to them. Two datasets overlapping is enough: a blockchain explorer reveals a wallet's balance, while a breach, a tax-software leak or a social-media post supplies the matching name and address.

In January 2026 a breach at the French tax provider Waltio exposed records tied to roughly 50,000 users, exactly the kind of fuel that feeds this targeting. The practical consequence is that the people genuinely exposed are the visibly wealthy and the publicly linked, and the single most effective defence for everyone else is simply to never become identifiable as a large holder in the first place.

The Ledger co-founder David Balland case from January 2025 illustrates the profile without sensationalism. Balland, publicly known as a co-founder of a prominent hardware-wallet company and therefore an obvious presumed large holder, was kidnapped from his home in central France along with his wife. A crypto ransom was demanded from another co-founder. French gendarmerie units traced the location and rescued both within roughly a day; ten people were arrested, and most of the ransom cryptocurrency was traced, frozen and seized. The case is instructive precisely because it fits the profile (a publicly identifiable, presumed-wealthy individual) and because it ended in rescue and recovery rather than the worst outcome. It is a reason for those at the top tier to plan, not a reason for an anonymous £5,000 holder to lose sleep.

Designing for it without over-engineering

For the small group genuinely exposed, the model has a clear structural answer, but the mechanics live elsewhere in the cluster by design. The core principle is to make it impossible for the holder to hand over everything even under maximum pressure, which is an architecture problem rather than a behaviour one: an M-of-N setup with a geographically separated key means no single person, including the holder, can move the full balance alone, so coercion at one location cannot succeed. That coercion-resistance reasoning is developed in full in the multisig guide linked from this cluster.

A second pattern is the decoy or duress wallet — a credible smaller balance an attacker can be given while the bulk stays hidden behind a separate secret — but the mechanics of constructing one safely, including how much to hold in the decoy and how the hidden wallet is derived, are a backup-regime topic owned by the seed-phrase backup and recovery guide. This page is where you decide whether the physical branch applies to you at all; those pages are where you build the response if it does.

The proportionality point bears repeating because it is the most common mistake in this corner of the model. Anti-coercion measures impose real friction and complexity, and for the overwhelming majority of holders they defend against a threat that will never arrive. The right response to a frightening kidnapping story is to ask whether you actually fit the target profile — large holdings and a public link between you and them — and to act only if you genuinely do. For everyone else, the effort is far better spent on the high-probability remote adversaries, and the single most valuable physical-security measure remains the cheapest one: do not make yourself findable.

Your Attack Surface

With the adversaries named and tiered, the third part of the model is concrete: the actual paths into your holdings. Your attack surface is the full set of those paths, and most holders have never written it down, which is why the same few gaps recur in loss post-mortems. The checklist below is a personal inventory to run against your own setup. The goal is not to eliminate every surface (that is impossible) but to know what each one is and to confirm that the highest-leverage ones are closed, because a single open path can undo every other defence.

• Devices that hold or sign with keys: phones, laptops and any machine running a hot wallet. Each is a path if it runs untrusted software or is left unpatched. The reduction is to minimise what sits on networked devices and graduate savings to hardware.
• Browser extensions and connected applications: every extension can potentially read what you do, and every application you have connected your wallet to holds standing permissions. The reduction is to audit and prune both, and to keep a clean browser profile for signing.
• Email and phone number as recovery roots: the highest-leverage surface of all, because whoever controls your email or number can often reset everything else. The reduction is a unique strong email password, app-based or hardware two-factor, and removing SMS from anything that gates funds.
• Cloud and photo storage: a seed photographed or typed into a note syncs silently to a cloud account that is itself a target. The reduction is absolute: nothing secret ever enters cloud storage, and the seed is never photographed.
• On-chain and social linkage: the connection between your real identity and your wallet addresses, assembled from social posts, reused usernames, exchange withdrawals and leaked databases. The reduction is to keep the two deliberately separate and never publicise holdings.

The two highest-leverage fixes

If the inventory above feels long, two items dominate the return on effort and deserve attention first. The first is the email-and-phone recovery root, because it sits upstream of almost everything else: an attacker who takes over your email through a SIM-swap and an SMS reset can often cascade into exchange accounts, cloud backups and any wallet using email or SMS recovery. Demoting SMS from a root of trust and hardening the email account closes a path that, left open, makes much of the rest of your security cosmetic. The second is the identity-to-holdings link, which is the surface that turns a remote adversary into a physical one and that you control more completely than any other: nothing forces you to be publicly identifiable as a holder, and choosing not to be is the cheapest high-impact decision in the entire model.

The informational surface most holders forget

Beyond the technical paths, there is an informational surface that open-source intelligence — OSINT — feeds on: the trail of clues that lets a stranger build a picture of you as a holder. A wallet address posted under your real name, a screenshot of a portfolio with the username visible, a reused handle that links a forum account to a trading account, a public brag about a gain: each is a small disclosure, and they aggregate.

The reductions are cheap and mostly behavioural: separate identities for public discussion and on-chain activity, never share specific figures, scrub balances from screenshots, and assume that any exchange holding your verified identity may one day be breached and its data correlated with public chain activity. This surface costs nothing to shrink and is the foundation under both the physical-coercion and targeted-phishing branches, which is why it is worth a deliberate pass even for holders whose other surfaces are already tight.

Each surface in the inventory maps to a deeper treatment elsewhere in the cluster: the device and signing surfaces to the hub's behaviour layer, the seed-storage surface to the backup guide, the phishing surface to the drainer-defence guide. Run the inventory once to find your own gaps, then follow the relevant satellite to close the ones that matter for your tier. The hub guide for this cluster shows how the surfaces line up against the four-layer stack and which satellite owns each fix.

From Model to Routine

A threat model is only useful if it stays current with your actual situation, and the way it goes wrong is silently: a model built when you held £4,000 quietly protects you long after a rally moved you to £80,000 and a different adversary set. The fix is not to review constantly — that is the chore that gets abandoned — but to review on triggers. Five events should prompt a fresh pass through the three questions, and recognising them is itself part of the discipline.

• Crossing a value tier. A deposit or a rally that moves you from one band of the tiering table to the next changes both your adversary set and your warranted posture; the move from single-key to multisig territory is the one most often missed.
• Gaining a public footprint. A podcast appearance, a doxxing, a press mention, or an on-chain account being publicly linked to your name all raise your visibility and can move the physical branch from irrelevant to relevant.
• A jurisdiction change. Relocating to, or travelling in, a region with a higher rate of physical attacks or weaker recourse changes the physical calculus regardless of your balance.
• A partner or tool failing. An exchange you used being breached, a wallet being discontinued, or a service changing hands all alter your surface and may expose data that links your identity to your holdings.
• A new attack class appearing. When a technique like address poisoning or gasless Permit phishing becomes prominent, ask whether it adds a path to your surface and slot the recognition habit into the layer that already covers it.

The minimum viable model

If the full exercise feels like a lot, it collapses into a short routine that any holder can complete in a single sitting and that captures most of the value. Done honestly, these few steps produce a defensible posture even before any deeper reading.

• Write down the honest figure: what you hold, expressed as whether losing it would change your life, and which row of the tiering table that puts you in.
• Name your realistic adversary: for most readers, the automated remote attacker; add the targeted or physical adversary only if your value and visibility genuinely warrant it.
• List your live surfaces: run the attack-surface inventory and mark the ones that are currently open, starting with email, phone number and seed storage.
• Choose proportionate fixes: close the highest-leverage open surfaces first, and pick defences at the friction level you will actually sustain over years.
• Set your review triggers: note the five triggers above so a changed situation prompts a fresh pass rather than a stale model quietly protecting the wrong thing.

From there, the cluster does the rest. Once you know which surfaces are open and which adversary you actually face, the satellites carry the operational depth: recognising lures, reading approvals before you sign, and backing up the seed against fire, loss and coercion each have a dedicated guide, all gathered in the Related Resources list below and linked from the relevant sections above. The model points; the satellites build.

Conclusion

The argument of this guide is that security without a model is guesswork, and guesswork in self-custody tends to defend against whichever attack is most frightening rather than the one most likely to happen. A threat model fixes that with three honest questions — what is it worth, who realistically wants it, and what is the cheapest defence against each — and the answers produce a posture proportionate to your situation rather than to the news cycle. The value-tiering table tells you which row you are in; the adversary taxonomy tells you who to defend against; the attack-surface inventory tells you which doors are open. Investor A and Investor B end up in completely different places not because one is more careful but because they honestly face different threats.

The physical-coercion branch deserves a closing word because it is the easiest to get wrong in both directions. It is real and rising — a record year in 2025 and a further sharp increase into 2026 — and for the genuinely exposed, the visibly wealthy and the publicly linked, it warrants an architectural answer that this cluster develops elsewhere. But for the overwhelming majority of holders it remains a tail risk, and the single most effective defence against it costs nothing: keep your real identity unlinked from your holdings, and never become a name on a target list. Proportionality is the whole discipline. The wrong amount of fear is as dangerous as the wrong amount of carelessness.

Build the model once, honestly, and let it tell you where to spend your effort. Then follow the cluster satellites to close the surfaces that matter for your tier, and revisit the model only when a real trigger fires: a tier crossed, a footprint gained, a jurisdiction changed, a tool failed, or a new attack class arrived. The reward for the afternoon it takes is that every later security decision becomes obvious, because you already know exactly what you are protecting and from whom.

Sources

• CertiK — 2026 wrench attacks overview: backs the 34 physical attacks recorded in the first four months of 2026, the 41% year-on-year rise, the ~$101M estimated losses, and the European concentration.
• The Block — a record year for wrench attacks: backs the characterisation of 2025 as a record year and the Jameson Lopp dataset of roughly 70 documented physical attacks, up from around 41 in 2024, with heavy underreporting.
• CoinDesk — Ledger co-founder kidnapping, January 2025: backs the David Balland case framing, the crypto ransom demand, the gendarmerie rescue of both victims, the arrests, and the tracing and seizure of most of the ransom.
• CryptoSlate — the data overlap used to locate holders: backs the two-dataset targeting model (on-chain balance plus leaked database or property record), the Waltio breach affecting ~50,000 users, and data-driven rather than surveillance-driven targeting.
• Chainalysis — 2026 Crypto Crime Report: backs the surge in individual-wallet compromises to ~158,000 incidents affecting ~80,000 victims in 2025, and the share of stolen value reaching personal wallets.
• FBI IC3 — the US internet-crime complaint service: federal reference for SIM-swap and crypto-fraud complaint context supporting the attack-surface inventory.

Frequently Asked Questions

What is a personal crypto threat model, and how is it different from a generic security checklist?

A threat model is a short, honest answer to three questions about your own situation: what am I protecting and what is it worth, who realistically wants it, and what is the cheapest defence against each of them. A generic checklist gives everyone the same instructions regardless of whether they hold £500 or £500,000, which means it is either wasteful for small holders or dangerously thin for large ones. The model produces a posture proportionate to your value and your adversaries; the checklist produces a one-size template. The model also tells you what to ignore, which matters as much as what to do: loading a £2,000 holder with anti-kidnapping measures designed for a doxxed whale is the classic over-engineering mistake. You build the model once in an afternoon, then revise it only when your balance, your public footprint or your jurisdiction changes.

How much crypto do I need before physical threats are worth planning for?

Physical coercion is a minority concern that scales with two things: how much you hold and how visibly you are linked to it. For most holders below roughly the £250,000 mark who keep a low public profile, the realistic adversary is remote and automated, and physical planning is over-engineering. Two factors move physical risk up regardless of balance: being publicly identifiable as a holder, through social media, conference appearances, on-chain accounts tied to your name, or a leaked exchange database, and holding in a form that can be moved under coercion in minutes. CertiK recorded 34 physical attacks on crypto holders in the first four months of 2026, a 41% rise on the same period a year earlier, with 82% in Europe and France worst hit. The number is small against millions of holders, but it is rising and concentrated on the visibly wealthy, so the honest planning line is value plus visibility, not value alone.

What is a crypto wrench attack and how likely is it?

A wrench attack is physical coercion to extract crypto: an attacker confronts the holder in person and applies threats or violence until keys, passwords or transfers are handed over, bypassing every digital defence because the holder is forced to authorise the theft themselves. The name comes from a long-running joke that a $5 wrench beats expensive cryptography. It is real but rare relative to remote attacks. Jameson Lopp's public dataset logged roughly 70 documented physical attacks in 2025, a record year, up from around 41 in 2024, and CertiK counted 34 in the first four months of 2026. Both sources stress heavy underreporting, because victims fear retaliation or exposure. For the overwhelming majority of holders the probability is very low, and it rises sharply only for those who are both visibly wealthy and publicly linked to their holdings. It is a tail risk to design for at the top tiers, not a daily threat for everyone.

How do attackers find out that I hold crypto?

Increasingly through data, not surveillance. Investigators describe a two-dataset overlap: a blockchain explorer shows wallet balances publicly, while a leaked database, a property record or a social-media post supplies a real name and home address. Where those intersect, an attacker has a target list with an estimated net worth, an address and even family structure, assembled in under an hour and without ever watching anyone. Leaked exchange and tax-software databases are the fuel: in January 2026 a breach at French tax provider Waltio exposed records tied to roughly 50,000 users, and a separate case used a leaked database to link a multi-million-pound wallet to a specific UK home before a violent home invasion. The defensive takeaway is to break the link: keep your real identity separate from your on-chain accounts, never publicise holdings or gains, and assume any exchange that holds your identity could be breached.

Should I tell my family how much crypto I own?

Treat this as a deliberate threat-model decision, not a default. There are two competing risks. If nobody knows the crypto exists or how to recover it, the funds are lost permanently when you die or lose capacity, which is the single most common way self-custodied crypto disappears. But the more people who know a specific large figure, the wider the insider-risk surface, and family or close contacts feature in a meaningful share of physical-coercion cases. The usual resolution is graduated disclosure: a trusted heir or executor needs to know that crypto exists and how to find the recovery instructions after your death, but does not need a running total, the live access secrets, or the impression of a casually accessible fortune. Pair that with a sealed inheritance plan so the knowledge is structured rather than ambient. The detailed handoff mechanics are covered in our inheritance guide.

Does owning a hardware wallet mean I can stop worrying about threat modelling?

No. A hardware wallet closes one specific door, remote extraction of the private key, and leaves every other door in your threat model untouched. It does not stop you approving a malicious signature, it does not protect the phone number that resets your email, it does not back itself up against a house fire, and it cannot resist someone physically forcing you to authorise a transfer. The Chainalysis 2026 report found individual-wallet compromises surged to roughly 158,000 incidents affecting about 80,000 victims in 2025, most of them owners whose keys were technically safe. Buying the device is one line in the model, not the whole model. Threat modelling is precisely the exercise that tells you which of the remaining doors actually matter for your situation, so the hardware purchase is where serious self-custody begins rather than ends.

How often should I review my crypto threat model?

Review it on a trigger basis rather than a calendar. Five events should prompt a fresh look. Crossing a value tier, when a rally or a deposit moves you from a hot-wallet holding to a hardware-warranting one, or from there into multisig territory. Gaining a public footprint, such as a podcast appearance, a doxxing, or an on-chain account being linked to your name. A jurisdiction change, including travel to or relocation in a higher-risk region. A partner or tool failing, such as an exchange you used being breached or a wallet being discontinued. And a new attack class becoming prominent, the way address poisoning and gasless Permit phishing did through 2025. Absent any trigger, an annual sanity check is enough. The model is meant to be cheap to revisit, so the discipline is to actually revisit it when a trigger fires rather than letting a stale model protect a changed situation.

Related Resources

• Crypto operational security: the complete guide — the hub that frames the four-layer stack this threat model feeds into, from device through architecture and behaviour to recovery.
• Multisig wallets: the complete guide — the architecture upgrade for the upper tiers, and the structural answer to coercion where no single key can move the whole balance.
• Wallet drainer and phishing defence — the recognition skills that defeat the high-probability remote adversary almost every reader will actually face.
• Transaction signing hygiene and approvals — reading exactly what a transaction grants before you approve it, the defence for the signing surface in your inventory.
• Seed phrase backup and recovery OPSEC — metal storage, geographic distribution, the passphrase, and the decoy-wallet mechanics that the physical branch points to.
• Crypto security stack by holding size — the side-by-side decision matrix that turns the value-tier rows of this model into a concrete setup for your band.

Financial Disclaimer

This content is not financial advice. All information provided is for educational purposes only. Cryptocurrency investments carry significant investment risk, and past performance does not guarantee future results. Always do your own research and consult a qualified financial advisor before making investment decisions.