SECURITY
Bitcoin's protocol is cryptographically secure. The weak point is always the human
layer — how keys are stored, how devices are managed, and how attackers exploit
trust. Most bitcoin is lost to poor key management, social engineering, or exchange hacks —
not to broken cryptography. Security is your responsibility.
THREAT_MODEL — WHERE_BITCOIN_IS_ACTUALLY_LOST
COMMON CAUSES OF BITCOIN LOSS
1. Lost private keys / seed phrases    (~20% of all BTC estimated lost)
2. Exchange hacks (custodial risk)     (Mt. Gox, FTX, etc.)
3. Phishing and social engineering     (fake wallets, support scams)
4. Malware / clipboard hijacking       (address replacement)
5. Physical theft (rubber hose attack) (forced key disclosure)
6. Weak key generation                 (predictable randomness)
7. Reused nonces in ECDSA signing      (private key extractable)
NOT a common loss vector:
✗ Breaking SHA-256 or ECDSA (computationally infeasible today)
SECURITY_BEST_PRACTICES
Key Storage
PRIORITY 1
The foundation of Bitcoin security. Your keys must be generated securely, stored offline, and backed up redundantly.
✓ Use a hardware wallet for significant amounts
✓ Write seed phrase on paper or metal — never digitally
✓ Store backups in multiple physically separate locations
✓ Add a BIP39 passphrase for an additional layer of protection
✓ Verify the wallet generates your seed from true randomness
✗ Never store seed phrases in photos, cloud drives, or email
✗ Never enter your seed phrase on any website
✗ Never share your seed phrase with anyone for any reason
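What the BIP39 passphrase item above does to the keys, as an added example (not code from the original page): it runs the BIP39 seed derivation and the BIP32 master-key step with Python's standard library. The mnemonic is the public all-"abandon" test phrase, the passphrases are constructed, and `wallet_id` is a hypothetical label used only to compare results.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: a publicly known test mnemonic. Never fund a wallet made from it.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def _nfkd(text: str) -> bytes:
    """BIP39 requires NFKD normalization before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master private key and chain code: HMAC-SHA512 keyed with "Bitcoin seed"."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Hypothetical comparison label: first 8 hex chars of SHA-256(master key)."""
    master_key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(master_key).hexdigest()[:8]


if __name__ == "__main__":
    # Same seed phrase, three passphrases: three unrelated wallets.
    for label, passphrase in [("no passphrase", ""),
                              ("passphrase", "correct horse"),
                              ("one-character typo", "correct horsE")]:
        print(f"{label:20s} -> wallet {wallet_id(SAMPLE_MNEMONIC, passphrase)}")
```

A mistyped passphrase raises no error; it silently derives a different, empty wallet, so the passphrase needs the same backup care as the seed phrase.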
Address Verification
BEFORE EVERY SEND
Clipboard malware silently replaces copied addresses with attacker-controlled ones. Always verify the address you're sending to.
Steps before confirming a transaction:
1. Copy the recipient address
2. Check the FIRST 6 and LAST 6 characters match visually
3. On hardware wallets: verify address on the device screen
4. For large amounts: send a small test transaction first
5. Never rush — transactions are irreversible
Exchange Risk (Custodial)
NOT YOUR KEYS
Leaving bitcoin on an exchange means the exchange holds your private keys. You have a debt claim, not bitcoin. Exchanges can be hacked, frozen, or go bankrupt.
Exchange custody:
You own: an IOU from the exchange
They own: the actual bitcoin
Risk: hacks, insolvency, government seizure, withdrawal limits
Self-custody:
You own: the private keys
You control: the actual UTXOs on-chain
Rule: "Not your keys, not your coins"
Only keep on exchanges what you plan to actively trade.
NOT YOUR KEYS, NOT YOUR COINS
SELF-CUSTODY IS THE ONLY FORM OF TRUE BITCOIN OWNERSHIP
PRIVACY BASICS
Reusing Bitcoin addresses links your transactions. Use a fresh address for every receive.
HD wallets do this automatically. On-chain activity is permanent and public.
MULTISIG
For large holdings, consider a 2-of-3 multisig: funds require signatures from 2 of 3 keys
held in different locations. This eliminates a single point of failure.
TERMINOLOGY_INDEX
Self-Custody
Holding your own private keys rather than delegating custody to an exchange or third party.
Multisig
M-of-N signature scheme requiring multiple keys to authorize a spend. Removes single points of failure.
Passphrase
An optional extra secret added to a BIP39 seed phrase, often called the "25th word". It creates a completely different wallet and provides plausible deniability.
Clipboard Attack
Malware that replaces a copied Bitcoin address with an attacker's address when pasting.
Social Engineering
Manipulation tactics to trick users into revealing keys or sending bitcoin to attackers posing as support.
Air Gap
A signing device that never connects to any network. Transactions are transferred via QR code or SD card.