Most security advice in crypto is delivered as a checklist. Use a hardware wallet. Do not click links. Do not share your seed phrase. The advice is not wrong. It is just floating in space, not connected to a clear picture of who is coming for your coins and how. Without that picture, the checklist feels like superstition. With it, every item snaps into place.
That picture has a name. It is called a threat model. The name sounds technical. The thing is not.
What a threat model actually is
A threat model is one sentence: "These are the people who would take my coins, this is what they would have to do to take them, and this is what I would have to do to make that hard."
Three parts. Adversaries. What they have to pull off. What you do about it. Once you have written that sentence honestly for your own situation, every security decision becomes a question of "does this raise the cost for the adversary I actually have, or am I just doing busy work?"
The mistake most beginners make is borrowing someone else's threat model. The model that fits a journalist working under a hostile state is not the model that fits a parent with $40,000 in savings. Adopt the journalist's model as that parent and it will cost you years of your life and most of your patience. Adopt the parent's model as that journalist and it will not protect you. Pick yours, not theirs.
A threat model is the sentence "who, what, and what I do about it." Build the right one for your situation. The most secure setup in the world is useless if it is solving the wrong problem.
The threats that actually take coins, ranked
Crypto loss is not evenly distributed across spectacular attacks. It is heavily concentrated in a handful of failure modes. We will list them roughly in the order they actually happen, most common first.
- Phishing and social engineering. Someone convinces you, by message or fake website or impersonated support agent, to type or paste or sign something you should not. The "attack" is just a conversation. This category dwarfs every other one combined.
- Seed-phrase exposure to your own digital surface. A photo of the seed in your camera roll. The seed in a cloud-synced note. The seed typed into a password manager that decrypts on a compromised laptop. Self-inflicted, and very common.
- Address poisoning and lookalike addresses. Attackers send tiny or zero-value transactions involving addresses whose first and last few characters match ones you have used, so those addresses show up in your transaction history. Wallets and explorers truncate the middle, so at a glance the fake is indistinguishable from the real one. You copy from the wrong place, and the funds go to them. The defence is to compare every character of the address against a source you trust, never a copy taken from history.
- Approval and signing exploits. You sign a transaction that does not say what you think it says. A token approval grants spending rights you did not intend, often an unlimited allowance that stays in force until you revoke it. Common when interacting with new contracts on unfamiliar interfaces, where the prompt may not make clear what is being granted or to whom.
- Lost access without a backup. Not theft, not an attacker. Just a dead device, a forgotten password, a misplaced piece of paper, and no second copy. The chain does not care that there was no malice.
- Hardware-wallet supply-chain or physical compromise. Tampered devices delivered with pre-set seeds, or stolen devices with weak PIN protection. A device that arrives with a seed phrase already written down for you is compromised by definition: the seed must be generated on the device, by you, at first use. Real but rare for individuals who buy from manufacturers directly.
- Targeted physical attack ("the wrench"). Someone who knows you hold value and applies pressure in person. Rare, but the hardest to defend against, and the threat model changes completely if this is on your list.
- Exchange or custodial failure. Coins held at a third party that becomes insolvent, frozen, or hacked. Not self-custody at all, but worth naming because a large share of the total value ever lost has vanished this way, even though it touches far fewer people than phishing does.
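A concrete version of the checks the address-poisoning and approval items above call for. This is an added example written for this lesson, not code from the original page or from any wallet vendor. It compares a destination against a verified address book character by character, decodes the two common ERC-20 / ERC-721 approval calls from raw calldata, and flags unlimited allowances and unlisted spenders. The addresses, address book, trusted-spender list and calldata are constructed for illustration; the function selectors are the standard ones. Standard library only.

```python
"""Pre-signing checks for two of the failure modes listed above: a
lookalike destination (address poisoning) and a token approval that
grants more than intended. Added example, not code from the original
lesson. Addresses, address book and calldata are constructed; the
selectors are the real ERC-20 / ERC-721 ones."""

from __future__ import annotations

# First 4 bytes of keccak256 over the canonical function signature.
SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
UNLIMITED = (1 << 256) - 1                            # uint256 max: "infinite" allowance

# Constructed address book: label -> address the user verified out of band.
ADDRESS_BOOK = {
    "cold storage": "0x1a2b3c4d5e6f70819293a4b5c6d7e8f90a1b2c3d",
    "exchange deposit": "0x5f5e5d5c5b5a59585756555453525150494847ff",
}
# Constructed list of contracts the user actually intends to approve.
TRUSTED_SPENDERS = {"known router": "0xabababababababababababababababababababab"}


def _norm(addr: str) -> str:
    """Lower-case and validate a 20-byte hex address (no EIP-55 check here)."""
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42 and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return a


def lookalike_of(candidate: str, book: dict[str, str], head: int = 4, tail: int = 4) -> str | None:
    """Label of the book entry `candidate` imitates (same first `head` and last
    `tail` hex digits, but a different address), or None if `candidate` is
    exactly in the book or resembles nothing. Wallets display only the ends,
    so the check compares all 40 digits, not the visible ones."""
    c = _norm(candidate)
    entries = {label: _norm(a) for label, a in book.items()}
    if c in entries.values():
        return None
    for label, a in entries.items():
        if c[2:2 + head] == a[2:2 + head] and c[-tail:] == a[-tail:]:
            return label
    return None


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): selector + 32-byte padded address + uint256."""
    s = bytes.fromhex(_norm(spender)[2:])
    return "0x" + (SEL_APPROVE + s.rjust(32, b"\x00") + amount.to_bytes(32, "big")).hex()


def decode_calldata(calldata: str) -> dict:
    """Decode the two approval shapes; anything else returns 'unknown' plus
    its selector, which is itself a reason to stop and read."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    sel, args = data[:4], data[4:]
    if sel == SEL_APPROVE and len(args) == 64:
        return {"function": "approve",
                "spender": "0x" + args[12:32].hex(),
                "amount": int.from_bytes(args[32:64], "big")}
    if sel == SEL_SET_APPROVAL_FOR_ALL and len(args) == 64:
        return {"function": "setApprovalForAll",
                "operator": "0x" + args[12:32].hex(),
                "approved": int.from_bytes(args[32:64], "big") == 1}
    return {"function": "unknown", "selector": "0x" + sel.hex()}


def review(to: str, calldata: str = "0x", intended_amount: int | None = None,
           book: dict[str, str] = ADDRESS_BOOK,
           spenders: dict[str, str] = TRUSTED_SPENDERS) -> list[str]:
    """Warnings to surface before signing. An empty list means nothing was
    flagged, which is not the same as safe."""
    warnings: list[str] = []
    if (label := lookalike_of(to, book)) is not None:
        warnings.append(f"destination {to} resembles '{label}' but is not it: possible address poisoning")
    if calldata not in ("0x", ""):
        call = decode_calldata(calldata)
        if call["function"] == "approve":
            if call["spender"] not in {_norm(a) for a in spenders.values()}:
                warnings.append(f"approve grants spending rights to unlisted spender {call['spender']}")
            if call["amount"] == UNLIMITED:
                warnings.append("approve amount is uint256 max: unlimited allowance")
            elif intended_amount is not None and call["amount"] > intended_amount:
                warnings.append(f"approve amount {call['amount']} exceeds intended {intended_amount}")
        elif call["function"] == "setApprovalForAll" and call["approved"]:
            warnings.append(f"setApprovalForAll hands every token in the collection to {call['operator']}")
        elif call["function"] == "unknown":
            warnings.append(f"unrecognised selector {call['selector']}: do not sign blind")
    return warnings


if __name__ == "__main__":
    poisoned = "0x1a2bdead000000000000000000000000beef2c3d"  # constructed lookalike of 'cold storage'
    for w in review(poisoned):
        print("WARN:", w)
    token = "0xc0ffee0000000000000000000000000000000000"     # constructed token contract
    for w in review(token, encode_approve("0x" + "cd" * 20, UNLIMITED), intended_amount=10**18):
        print("WARN:", w)
```

Two deliberate limits: the address validation does not verify EIP-55 mixed-case checksums (that needs keccak-256, which the standard library does not provide), and the decoder only recognises the two approval calls, so anything else is reported as unknown rather than silently passed. That second choice is the point of the exercise: the failure mode is signing something you cannot read.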
A useful exercise: for each item on that list, ask yourself how much of your current behavior is actually addressing it. The honest answer is usually that the top three are the ones that touch real-life users, and the bottom three get most of the attention because they sound exciting.
Two threat models, side by side
Two readers, both holding crypto, with very different correct answers.
Reader A. A 35-year-old engineer with $25,000 in a wallet. Public profile: low. Social media: a few crypto follows but nothing that announces the holdings. Lives in a stable jurisdiction.
For Reader A, the realistic threats are phishing, self-inflicted seed exposure, address poisoning, and lost access. A reasonable setup is a hardware wallet, a metal seed backup in a known location, no cloud copies of anything, and a strict habit of verifying every signature on the device screen. They do not need to plan around a wrench attack. They do need to assume someone will impersonate their wallet's support team this year.
Reader B. A 50-year-old founder of a public crypto-related company with $5,000,000 across multiple wallets. Public profile: high. Social media: known holdings, named team, public wallet addresses. Travels frequently.
For Reader B, the realistic threats include everything Reader A faces, plus targeted physical risk, plus targeted phishing built specifically for them. The setup needs multi-signature, geographic distribution of keys, household awareness, plausible deniability for which device holds what, and an explicit plan for the worst day. They do need to plan for a wrench attack. They cannot pretend otherwise without lying to themselves.
The setup for Reader B applied to Reader A is paranoid overhead with no real benefit. The setup for Reader A applied to Reader B is reckless under-protection. Same chain, same coins, completely different correct answers.
You are not Reader A or Reader B exactly. You are some specific point on a spectrum, and that point moves over time. Your threat model is not a one-time exercise. Revisit it any time your holdings, your public profile, or your life circumstances change meaningfully.
The two questions to ask before any security decision
When you are about to add a step, buy a device, change a backup, or read a guide, run the decision through two questions:
- Which threat does this actually reduce, for me? If you cannot name it in one sentence, the step is probably theatre.
- What new threat does this create? Every safeguard adds surface area. A safe deposit box is a third party. A multi-sig is a coordination problem. A hidden device is something you can forget. Pick the trade consciously.
Two questions, applied honestly, will keep most people from over-engineering and from under-protecting at the same time.
What this pillar will give you
Across the next lessons we cover seed-phrase hygiene, hardware versus software, exchanges versus wallets, and the institutional version of all of this. Read them with your own threat model in mind. Skip the parts that solve problems you do not have. Spend twice as long on the parts that solve problems you do.
Phishing and self-inflicted seed exposure account for most real-world losses. Plan for those first. Borrow no one else's threat model. Ask "what does this protect, for me, and what does it cost" before adding any layer. The right setup is a setup you can actually live with, sized to the threats you actually face.