Operational security and the identity layer
In 2022, federal authorities recovered $3.6 billion in stolen Bitcoin—the largest financial seizure in US history.
How did they find it? The thieves stored their private keys in cloud storage. Plain text. The blockchain never forgets, and neither did iCloud.
This case captures both sides of self-custody: the assets were stolen because the original owners trusted an exchange (Bitfinex, hacked in 2016). The thieves lost them because they trusted cloud storage. Everyone in this story made custody mistakes.
Part 1 covered what keys are. Part 2 covers how to actually protect them—and what happens when your wallet becomes your identity.
Theory is easy. Execution is where people lose money.
Don't put everything in one place. A common setup:
Hot wallet (MetaMask, Phantom)
Cold wallet (Ledger, Trezor)
Deep cold storage
The logic: if your hot wallet gets drained by a malicious contract, you lose spending money—not your savings.
Most theft doesn't come from cracked encryption. It comes from users approving transactions they didn't understand.
Before signing anything:
The Seth Green incident from Part 1? He signed a transaction. That's all it took.
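One way to see what a signature would authorise before approving it, as an added example that is not part of the original post: the sketch decodes raw EVM calldata and flags the two standard token-approval calls, ERC-20 `approve` and ERC-721/ERC-1155 `setApprovalForAll`. The risk labels, the "unlimited" threshold and the sample calldata are assumptions constructed for illustration.

```python
# Well-known 4-byte selectors of the standard token-approval functions.
SELECTORS = {
    "095ea7b3": ("approve", "amount"),          # approve(address,uint256)
    "a22cb465": ("setApprovalForAll", "flag"),  # setApprovalForAll(address,bool)
}
HIGH = 2**255  # assumed threshold: anything this large is treated as unlimited


def review_calldata(data: str) -> dict:
    """Summarise what signing this calldata would authorise."""
    raw = data.lower().removeprefix("0x")
    try:
        bytes.fromhex(raw)
    except ValueError:
        return {"call": "invalid", "risk": "reject", "why": "calldata is not hex"}
    if raw[:8] not in SELECTORS:
        return {"call": "unknown", "risk": "review", "why": "not decoded here"}
    name, kind = SELECTORS[raw[:8]]
    args = raw[8:]
    if len(args) != 128:  # exactly two 32-byte ABI words are expected
        return {"call": name, "risk": "reject", "why": "malformed arguments"}
    word0, word1 = args[:64], int(args[64:], 16)
    if int(word0[:24], 16) != 0:  # an address is left-padded with 12 zero bytes
        return {"call": name, "risk": "reject", "why": "dirty address padding"}
    spender = "0x" + word0[24:]
    if kind == "flag":
        # A true flag lets the operator move every token in the collection.
        risk = "high" if word1 else "low"
        why = "operator controls the whole collection" if word1 else "revokes operator"
    elif word1 >= HIGH:
        risk, why = "high", "effectively unlimited allowance"
    elif word1 == 0:
        risk, why = "low", "revokes allowance"
    else:
        risk, why = "medium", f"allowance of {word1} base units"
    return {"call": name, "spender": spender, "risk": risk, "why": why}


# Constructed samples; the spender is a placeholder address, not a real contract.
SPENDER = "00" * 12 + "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER + "f" * 64
APPROVE_ALL_NFTS = "0xa22cb465" + SPENDER + "0" * 63 + "1"
REVOKE = "0x095ea7b3" + SPENDER + "0" * 64

if __name__ == "__main__":
    for sample in (UNLIMITED_APPROVE, APPROVE_ALL_NFTS, REVOKE):
        print(review_calldata(sample))
```

A result of `unknown` means only that this sketch does not decode the call, not that the transaction is safe.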
Your mnemonic phrase is a physical security problem, not a digital one.
Do:
Don't:
The $3.6B recovery happened because investigators got a warrant for cloud storage. Don't make it that easy—for anyone.
Your wallet address is more than a payment endpoint. It's becoming identity infrastructure.
Every transaction is permanent and public. Your address accumulates a history:
This creates reputation without requiring personal information. DAOs check wallet history before allowing participation. Protocols airdrop tokens based on past behavior. Your address is your resume.
Raw addresses are hostile to humans:
0x47bb4cCA98FC49B971d86c5t26562c86E6284CeD
Domain services fix this:
yourname.eth
yourname.sol
.crypto, .wallet, etc.
These names resolve to addresses, work across many apps, and create consistent identity. Owning yourname.eth is like owning yourname.com in 1995—except it points to your wallet, not a server.
Caveat: Some exchanges still don't support sending directly to ENS names. Always verify before large transfers.
Self-custody enables pseudonymous participation—activity under a persistent identity that isn't linked to your legal name.
This matters for:
But pseudonymity isn't anonymity. Sophisticated analysis can often link wallets to identities through exchange deposits, behavioral patterns, or metadata leaks. If privacy is critical, it requires active effort—not just using a wallet without KYC.
Self-custody vs. custodial isn't binary. It's a spectrum, and most sophisticated users operate at multiple points simultaneously.
These reduce single-point-of-failure risk while preserving meaningful control.
Many people use all three:
The question isn't "self-custody or not." It's "what level of custody for what purpose."
| Priority | Favors Self-Custody | Favors Custodial |
|---|---|---|
| Security from exchange failure | ✓ | |
| Security from personal error | ✓ | |
| Privacy | ✓ | |
| Convenience | ✓ | |
| Regulatory clarity | ✓ | |
| Access to DeFi | ✓ | |
| Insurance/recovery options | ✓ |
Neither approach dominates. The right choice depends on your situation.
Self-custody isn't about ideology. It's about threat modeling.
What are you protecting?
From whom?
The choice depends on what you're protecting and from whom. There's no universal answer, only tradeoffs you understand or tradeoffs you don't.
Understanding them is the point of self-custody education. Acting on that understanding is up to you.