
The Ultimate Bitcoin Self-Custody Guide 2026

A complete framework for taking custody of your Bitcoin without selling your identity, your privacy, or your peace of mind. The Bitcoin Butlers Sovereignty Protocol.

Bitcoin Butlers · Thursday, June 4, 2026 · 28 min read

The Bitcoin Butlers Sovereignty Protocol

A complete framework for taking custody of your Bitcoin without selling your identity, your privacy, or your peace of mind. Written for the technically competent. Linked from every other guide we publish.


Why this guide exists

Self-custody is the only thing that makes Bitcoin different from every monetary system that came before it. Without it, Bitcoin is just another asset on someone else's ledger — and history has made it abundantly clear what happens to those.

Mt. Gox. QuadrigaCX. FTX. Celsius. BlockFi. Voyager. Genesis. Prime Trust. Every single one of them said the same thing in their marketing: "Your funds are safe with us." Every single one of them was lying — sometimes knowingly, sometimes not. The result for the customer is identical either way.

The lesson is older than Bitcoin. The mechanism is older than Bitcoin. The phrase "not your keys, not your coins" exists because the alternative has been tried, repeatedly, in every form, across every century, and every time it ends the same way.

This guide is the framework we use to take people from "bitcoin on an exchange" to "sovereign holder of an asset nobody else can touch." We call it the Bitcoin Butlers Sovereignty Protocol because it's a protocol, not a product. You can follow it without buying anything from us. Most of it is free. The hardware costs less than the worst-case fee on the exchange you're already using.

We hold your hand, not your keys.


Who this guide is for (and not for)

This guide is for:

  • People who can install software, read documentation, and follow technical instructions

  • People who value privacy and don't want their financial life on a permanent record at every government agency on Earth

  • People who understand that "I'll deal with custody later" is the most expensive form of procrastination in modern finance

  • People holding enough Bitcoin to be worth protecting properly — generally $5,000+ — but the principles apply regardless

This guide is not for:

  • People who want to trade actively — keep what you trade on a regulated venue with insurance, and self-custody only the long-term hold

  • People who refuse to learn the basics — if you won't watch a 20-minute tutorial, hire a butler or accept the consequences

  • People who think "self-custody" means buying a hardware wallet and never testing the backup — that's not self-custody, that's a slow-motion bag fumble

If you need hand-holding through this end-to-end, book a butler. The protocol works whether you do it yourself or with a guide.


The protocol at a glance

Before the detail, here is the entire framework on one page:

  • Threat model first. Your setup follows your threat model, not the other way around.

  • Acquire without surveillance. Use non-KYC P2P first, local cash second, sovereign-aligned exchanges third. Never the ETF.

  • Single-sig with a passphrase vault and a decoy wallet until your stack justifies the operational overhead of multisig.

  • Two steel backups, geographically separated, tested.

  • OPSEC continuously. Don't dox your stack, run your own node, watch-only wallets for monitoring, Lightning for spending.

  • Test before you trust. Backups you haven't recovered aren't backups.

  • Graduate only when you have to. Multisig and collaborative custody come later — premature complexity kills more Bitcoin than incompetent simplicity.

The rest of this guide is the how.


Part 1: Threat model first

Most self-custody advice on the internet is wrong because it skips this step. People are told to "use a hardware wallet" or "set up multisig" without anyone asking what they're actually protecting against.

Your setup follows your threat model. Not the other way around.

The three core threat categories:

  1. Remote attackers — phishing, malware, exchange hacks, address poisoning, supply-chain compromise on your devices. The most common category. Affects everyone.

  2. Physical threats — theft, wrench attacks, coercion, search warrants, border crossings. Probability scales with your perceived wealth and where you live.

  3. Yourself — losing keys, forgetting passphrases, dying without succession plans, dropping the SD card in the toilet. The most underestimated category. Affects nearly everyone eventually.

Most setups optimize for #1 and ignore #2 and #3. That's why most self-custody stories end badly even when the holder did "everything right."

Your model questions:

  • How much Bitcoin do you hold, in absolute terms and as a percentage of your net worth?

  • Who knows you hold Bitcoin? (Family, social media, exchange KYC records.)

  • What jurisdiction are you in? What are the search-and-seizure norms there?

  • Who would inherit if you died tomorrow? Do they know how?

  • What's your operational tolerance — can you handle a multisig signing ceremony every quarter, or will you stop testing after month two?

The answers determine everything that follows. A US-based retail holder with $50k in BTC, a wife who knows about it, and zero public profile has a fundamentally different optimal setup than a European YouTuber with a million dollars in BTC and a podcast titled I Hold Bitcoin and So Should You.

Don't skip this. The rest of the protocol is calibrated against your honest answers here.


Part 2: Acquisition — How to get Bitcoin without selling your identity

This is where the surveillance starts. Every KYC exchange is a permanent record of your Bitcoin ownership, tied to your government ID, accessible by any of: the exchange's employees, the exchange's insurance company, hackers who breach the exchange, every relevant tax authority, every relevant intelligence agency, and the data broker industry. Forever.

The Ledger leak of 2020 is the textbook example. Names, addresses, phone numbers, emails of 270,000+ hardware wallet buyers — released to the public. People received physical extortion threats at their homes. The buyers had done nothing wrong. They just used KYC for a $50 purchase. The breach made them targets for life.

If you can avoid linking your real identity to your stack at the point of acquisition, do it. Here's the ladder, from most sovereign to most pragmatic.

Tier 1: Non-KYC P2P via HODL HODL

HODL HODL is a peer-to-peer Bitcoin exchange that holds no funds, requires no KYC, and uses multisig escrow so the platform never has unilateral control over your Bitcoin. You trade directly with another human; HODL HODL just hosts the marketplace and the multisig.

This is the closest thing to a true peer-to-peer Bitcoin acquisition method that's still convenient enough for normal humans to use.

Why it works:

  • No identity verification, ever

  • Funds are in 2-of-3 multisig — buyer, seller, HODL HODL — during the trade

  • Wide range of payment methods: bank transfer, cash deposit, gift cards, other crypto

  • Active liquidity in most jurisdictions

Why it's not trivial — pay attention here:

The HODL HODL platform itself is fine. The risks are operational and almost entirely come down to phishing and malicious links.

  • Phishing sites. There are dozens of hodlh0dl.com lookalike domains. Bookmark the real one. Never click HODL HODL links from emails, X DMs, Telegram, Discord, or Nostr DMs. Type the URL or use your bookmark. Every time.

  • Malicious offer links. Inside HODL HODL, some sellers attach external links in their offers ("see my terms," "ID verification," etc.). Don't click them. Real HODL HODL trades never require external sites, external verification, or external KYC.

  • Account takeover. HODL HODL supports 2FA. Use a hardware key (YubiKey) or TOTP app, never SMS. Use a unique strong password. Better yet — use a different password manager identity entirely for HODL HODL and never log in from the same browser as your normal accounts.

  • One session, one device. In HODL HODL's settings, restrict your account so only one session can be logged in at a time. This is a one-click setting and it kills the most common account-compromise vectors dead.

  • Tor. Access HODL HODL over Tor (the .onion mirror exists). This separates your IP from your trade history.

  • Dedicated identity. Use a Protonmail or SimpleLogin alias for your HODL HODL account. Don't reuse the email you use for KYC exchanges, social media, or anything else linked to your real name.

Operational security during the trade itself:

  • Don't screen-share during a trade for any reason. "Helping you verify" is a scam vector.

  • Don't pay outside the platform. The escrow only protects you if the payment is on-platform.

  • Match the seller's reputation to the trade size. A new seller with 0 trades and a "great rate" is a scam. Stick to 100+ trade reputation, > 95% completion rate, for any size that matters.

  • Pay attention to the price oracle. If the seller's rate is 5%+ above market, ask why. There's usually a reason — sometimes legitimate (premium for no-KYC), sometimes a setup for a partial-payment scam.

  • For larger trades, split across multiple sellers. Don't put $50k through one counterparty.

  • Source of funds matters for privacy. If you send KYC-linked fiat to a HODL HODL counterparty, the counterparty now knows your real name. They don't know your wallet, but they know you bought non-KYC Bitcoin. For most threat models this is fine. For the highest-privacy use cases, use a non-attributable funding source.

Alternatives at the same tier:

  • RoboSats — fully Tor-based, non-KYC, uses Lightning escrow. Smaller order sizes, but excellent for the truly privacy-paranoid. No account, just a Tor identity per trade.

  • Bisq — desktop application, fully decentralized, no central platform to compromise. Steeper learning curve, slower liquidity. The most cypherpunk option.

  • Peach — mobile, gaining liquidity, simpler UX than HODL HODL.

Pick one and learn it deeply. Switching between platforms multiplies your phishing surface area without improving privacy.

Tier 2: Local meetups and cash

If you don't want to deal with online P2P, the next tier is meeting humans face-to-face and trading cash for Bitcoin.

Where to find them:


  • BitDevs — technical, but the people there are exactly who you want to know

  • Local Bitcoin events around major conferences

  • The Bitcoin people you already know — and they all know someone who'll trade

How it works in practice:

You meet someone you have at least a one-degree-of-separation trust relationship with. You hand them cash. They send Bitcoin to a wallet address you control. You verify the transaction lands on-chain (use a block explorer over Tor to avoid linking your IP to the address). You go home.

That's it. No middleman, no platform fee, no KYC, no record outside the blockchain itself.

The trust ladder:

  • Tier A: Someone you know personally. Best. Often available at meetups once you've shown up enough times.

  • Tier B: Someone vouched for by someone you know. Good. Verify the vouch with the voucher directly, not via DMs that could be spoofed.

  • Tier C: A stranger at a meetup. Acceptable for small amounts. Don't show up with $20k in cash to meet someone you've never seen before.

Legal considerations:

In most jurisdictions, person-to-person sales of Bitcoin with cash are legal as long as:

  • You're not running it as a business (i.e., not regularly buying and reselling at markup, which would make you a Money Service Business in the US)

  • You're not knowingly facilitating money laundering

  • You declare the eventual capital gains when you sell

You are responsible for understanding the law where you live. We are not your lawyer. Most jurisdictions explicitly carve out personal P2P trades; some don't. Look it up.

Cash provides liquidity and a secondary market. Once you have a network of people who do this regularly, you have a permanent, censorship-resistant marketplace that no government, exchange, or platform can shut down. That alone is worth the time to build.

Safety:

  • Meet in public. Coffee shops are good. Banks are good (use the lobby). Don't meet at someone's house.

  • Bring a friend for any trade over a few thousand dollars.

  • Count the cash on-site. Confirm the Bitcoin on-chain on-site. Don't leave until both are settled.

  • Don't tell anyone in advance where you're going or what you're doing, beyond the people directly involved.

Tier 3: Bull Bitcoin and a FOSS wallet

Sometimes you can't do P2P. The amount is too large, the liquidity isn't there, the time pressure is real, or you just need to get started without learning a new platform.

For that, the right answer is a Bitcoin-only exchange that shares your values about sovereignty. Not Coinbase. Not Kraken. Not the company that just rebranded to add 47 shitcoins.

Bull Bitcoin is our pick. Here's why:

  • Bitcoin-only. No shitcoins, no distractions, no upsell into custodial yield products.

  • They actively push you toward self-custody. Their entire UX is built around getting Bitcoin out of their exchange and into your wallet. They are not trying to be your bank.

  • They offer encrypted backups as a meaningful self-custody pathway — encrypted seed backups you control, that they can't access. This is unusual and good.

  • Privacy-respecting. No more KYC than legally required. No data resale.

  • Lightning-native. Receive into Lightning, hold on-chain.

Use Bull Bitcoin to bootstrap a stack. The moment you have a meaningful amount, withdraw to your hardware wallet and stop using the exchange for storage. The exchange is the on-ramp, not the destination. They built it that way intentionally — respect the design.

The FOSS wallet question:

Whatever exchange you use, your wallet should be free, open-source, and verifiable. Closed-source wallets are a trust violation by design.

Our shortlist:

  • Sparrow Wallet — desktop, the best single-sig and multisig wallet for technical users. Connects to your own node. Air-gapped signing with hardware wallets. The standard.

  • Nunchuk — mobile + desktop, exceptional for collaborative multisig setups, also great for single-sig with passphrase.

  • Blue Wallet — mobile, simple, on-chain + Lightning, good for hot wallet day-to-day spending.

  • Green Wallet — mobile, decent privacy, two-factor security model.

Avoid:

  • Coinbase Wallet, MetaMask, Trust Wallet — none of these are Bitcoin-first; some are openly hostile to non-KYC use

  • Any wallet that requires KYC to use

  • Any wallet that won't show you the seed

  • Any wallet that doesn't let you connect to your own node

What about ETFs and Bitcoin equities?

Don't.

When you buy IBIT, FBTC, GBTC, or any other Bitcoin ETF — or shares of MSTR, MARA, RIOT, or a Bitcoin treasury company — you don't own Bitcoin. You own an IOU on Bitcoin from a third party, denominated in shares of a regulated security.

That IOU is contingent on:

  • The custodian not rehypothecating. Coinbase Custody, BitGo, Anchorage — they're regulated, audited, and have policies against rehypothecation. They've also each had multiple incidents that revealed how reality differs from policy. The auditor signed off on FTX too.

  • The custodian not failing. Custodians have failed, with assets disappearing. The legal recovery process takes years and rarely returns 100%.

  • The custodian not being compelled. A custodian can be served with a warrant, a freeze order, an OFAC compliance notification, or an asset forfeiture demand. Your shares can be frozen. Your shares can be confiscated. You have no recourse other than the legal system of whichever jurisdiction you live in.

  • The issuer not failing. The ETF wrapper itself is a corporate entity that can go bankrupt, get sued, or be wound down.

  • You disclosing your full identity. Every ETF purchase is a permanent KYC record at your broker, your custodian, the SEC equivalent, the FBI/IRS equivalent.

Compare that to a UTXO in a wallet whose seed you generated yourself, on a hardware device you control, with a passphrase only you know:

  • No custodian

  • No issuer

  • No third party to fail, compel, or rehypothecate

  • No identity disclosure

The ETF holders are not Bitcoiners. They are people who bought permission to be exposed to Bitcoin's price chart, with all of the original counterparty risk Bitcoin was specifically invented to eliminate. The fact that the price chart goes up doesn't change what they actually own.

Use the spot market. Take possession. That's the entire point.


Part 3: The single-sig sovereign vault

Once you have Bitcoin, the question becomes how to store it.

The default recommendation for most holders is single-sig with a passphrase. Not multisig. Not collaborative custody. Not Shamir backup.

We'll explain when to graduate to multisig in Part 7. Until you hit those criteria, single-sig with a passphrase is the right tradeoff between security and operational risk.

Why single-sig (with a passphrase)

Multisig sounds more secure on paper. In practice, it kills more Bitcoin than single-sig because:

  • Multisig requires multiple devices, multiple backups, multiple recovery paths, all of which must remain coordinated for years or decades

  • Multisig requires a wallet descriptor (the "map" of how the signers combine), which is itself a critical backup that most people forget about

  • Multisig setup mistakes are silent — you don't find out you screwed it up until you try to recover

  • Multisig recovery in a stress situation (death, disability, attack) is exponentially harder for whoever has to do it

For holdings under ~$250k, in most threat models, the additional security from multisig is outweighed by the operational complexity it introduces. The most likely loss path remains user error, and user error compounds with complexity.

Single-sig with a passphrase gives you:

  • One device, one seed, one passphrase — minimal moving parts

  • A passphrase that adds an entire 13th word's worth of entropy — typically 128 bits or more if chosen well

  • A natural decoy wallet at the base seed (no passphrase) that holds a small "tribute" balance for plausible compliance under coercion

  • Recoverable from a single steel plate plus the passphrase you remember (or backup separately)

The passphrase vault + decoy pattern

This is the single most underrated security pattern in Bitcoin. Almost no one teaches it properly.

How it works:

  • You generate a 12-word or 24-word seed phrase on your hardware wallet, as normal.

  • You add a passphrase (informally the "13th word" for a 12-word seed, or the "25th word" for a 24-word seed; BIP-39 itself simply calls it a passphrase). The passphrase can be any text — words, sentences, anything memorable to you.

  • With the passphrase, your hardware wallet derives a completely different wallet from the same seed. This is your vault. Your real Bitcoin lives here.

  • Without the passphrase, the same seed derives a different wallet, your decoy. Put a meaningful-but-not-significant balance in this wallet — $200, $500, depending on your threat model.

Why this matters:

If someone finds your steel backup, or coerces you into "showing them your wallet," or executes a $5 wrench attack — they enter the seed phrase, see the decoy wallet with its tribute balance, and walk away thinking they got everything. Your real stack, behind the passphrase, is invisible. There is no cryptographic way to prove the passphrase wallet exists. Plausible deniability is built into the standard.

Passphrase rules:

  • Long. 6+ words minimum. The XKCD "correct horse battery staple" approach works fine, but longer is better.

  • Memorable to you. The best passphrases are personal — phrases that you'll remember in 20 years, that nobody else would guess, that aren't written anywhere obvious.

  • Never digital. Don't type it into a password manager unless you understand the threat model of that password manager being compromised.

  • Backed up separately from the seed. The seed goes on steel. The passphrase goes... somewhere else. Memorize it if you can. If you can't trust your memory, split it: half memorized, half on a separate backup, neither sufficient on its own.

  • Tested. After setup, send a small test transaction to the vault address, then wipe your hardware wallet, then restore from seed + passphrase, then verify the test funds are still there. Don't move significant funds until you've proven you can recover.

This is the part most people skip. Don't be them.
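How the vault and the decoy come out of one seed, as an added example that is not part of the original guide: BIP-39 mixes the passphrase into the key-derivation salt, so every passphrase, including a mistyped one, yields a well-formed but unrelated wallet. The mnemonic and the passphrase "TREZOR" are the public test vector from the BIP-39 specification; `restore_report` is a hypothetical helper name.

```python
import hashlib
import hmac
import unicodedata

# Public test-vector mnemonic from the BIP-39 specification. Everyone knows it,
# so it must never hold funds. Real seed words stay on the signing device.
TEST_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed.

    PBKDF2-HMAC-SHA512, 2048 iterations, password = mnemonic sentence,
    salt = "mnemonic" + passphrase, both NFKD-normalised UTF-8.
    """
    sentence = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", sentence.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def restore_report(mnemonic: str, intended: str, typed_attempts: list) -> dict:
    """Compare each typed passphrase against the intended vault passphrase.

    Every attempt derives a well-formed seed and nothing signals a wrong one.
    The only check available is comparison with a known-good value, which is
    what the test-restore step does with the vault address.
    """
    target = bip39_seed(mnemonic, intended)
    report = {}
    for typed in typed_attempts:
        seed = bip39_seed(mnemonic, typed)
        report[typed] = {
            "seed_bytes": len(seed),
            "opens_vault": hmac.compare_digest(seed, target),
            # Printed only because this mnemonic is a public test vector.
            "seed_prefix": seed[:4].hex(),
        }
    return report


if __name__ == "__main__":
    # Empty string = decoy wallet, then the correct passphrase, a case slip,
    # and a trailing space. All four "work"; only one opens the vault.
    attempts = ["", "TREZOR", "Trezor", "TREZOR "]
    for typed, row in restore_report(TEST_MNEMONIC, "TREZOR", attempts).items():
        print(f"{typed!r:10} -> {row}")
```
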

Hardware wallet selection

You need a hardware wallet. Any reputable, open-source, air-gapped or USB-connected hardware wallet is fine. Our recommendations:

  • ColdCard Q — best-in-class air-gapped signing, dice-roll entropy, advanced features. The Q has a full keyboard and screen; the Mk4 is a more compact alternative.

  • SeedSigner — fully air-gapped, FOSS, built from a Raspberry Pi Zero, the cypherpunk option. Cheapest and most verifiable.

  • Blockstream Jade — solid, affordable, fully open-source. The Jade Plus adds a larger screen and camera.

Avoid:

  • Ledger devices — closed firmware on the secure element, Recover service controversy, the customer-data leak. There are better choices.

  • Trezor One — outdated security model; if you're going Trezor, get the Safe 5 at minimum

  • Any "hardware wallet" with a touchscreen, app store, "smart features," NFT support, etc. — that's not a hardware wallet, it's a phone

Supply chain verification

This is the step everyone skips and shouldn't:

  • Buy directly from the manufacturer, or from us. Not Amazon. Not eBay. Not a "deal" you found on Telegram. The supply chain attack surface is real and has been demonstrated repeatedly.

  • Check tamper-evident packaging. Every reputable hardware wallet ships in tamper-evident packaging. Check the seals before you open. If anything looks wrong, do not use the device. Contact the manufacturer.

  • Verify firmware before initial setup. Most devices show a firmware signature on first boot — verify it against the manufacturer's published signature.

  • Generate your own entropy. ColdCards let you roll dice. Use this feature. Don't trust factory entropy alone; combine it with your own dice rolls.

If you bought from Bitcoin Butlers, we ship in our own tamper-evident packaging on top of the manufacturer's. We sign our packages. We're a known counterparty in the community. The supply chain risk through us is structurally lower than through any e-commerce marketplace.

Steel backups: two locations, geographically separated

Your seed phrase, written on the recovery card the hardware wallet ships with, will not survive a house fire, a flood, a basement leak, or twenty years.

You need steel.

Two backups, two locations, two purposes:

  • Primary backup — at home, in a fireproof safe or secured location. For convenience and routine verification.

  • Secondary backup — geographically separated. A trusted relative's house in a different city. A bank safety deposit box in a different jurisdiction. Buried in your in-laws' backyard if that's your style. The point is if your home becomes inaccessible — fire, flood, eviction, raid — you have a second copy.

Steel options we sell, ranked:

  • Steel Backup Plates — laser-engraved by us, ColdCard-format, single-sig or multisig-ready. The default.

  • Codex32 / BIP-93 backup — error-correcting backup format, splits backup into pieces, ours are laser-engraved on steel. For larger stacks where you want error correction or geographic splitting without classical multisig overhead.

  • DIY stamped steel — works fine, cheaper, but consistency is harder. If you go DIY, use 304 or 316 stainless and a hardened punch set.

Whatever you choose: engrave the words, don't print, don't laminate, don't tape. Materials matter.

Setting up the vault — the high-level walkthrough

The detailed device-specific tutorials live in our Master Concierge. This is the high-level sequence:

  1. Unbox hardware wallet, verify tamper-evident packaging

  2. Initial setup: set PIN

  3. Generate seed with dice-roll entropy (where supported)

  4. Write seed to steel backup #1

  5. Add passphrase to derive vault wallet

  6. Send small test transaction to vault address

  7. Wipe hardware wallet

  8. Restore from seed + passphrase

  9. Verify test funds are still in vault

  10. Send second test transaction

  11. Write seed to steel backup #2, move to secondary location

  12. Move main stack to vault address in increments

  13. Send a small amount to decoy address as your "tribute" balance

  14. Set up a watch-only wallet (Sparrow or Nunchuk) on a regular device to monitor balances without exposing the seed

Yes, all of this. Yes, every step. The 90 minutes you spend on this is the cheapest insurance you'll ever buy.


Part 4: Operational security

A perfect vault doesn't help if you broadcast that you have one.

Don't dox your stack


  • Don't tell people how much Bitcoin you have. Not at parties. Not on Twitter. Not on Nostr. Not in a podcast. Not to your accountant unless legally required, and then only the minimum.

  • Don't post pictures of your hardware wallet, your steel backup, your setup, your office, anything that geolocates you alongside Bitcoin discussion.

  • Don't use a real-name social account to engage in Bitcoin culture. Use a pseudonym.

  • Don't tell anyone where your backups are. Including your partner, until and unless they need to know — and then only through a structured inheritance plan, not casual conversation.

The amount of money that gets stolen via "I knew he had Bitcoin because he was always talking about it" is enormous and unmeasured. Don't be the data point.

Coin control and UTXO privacy

When you send Bitcoin, you're spending one or more UTXOs (unspent transaction outputs). The change goes back to your wallet as a new UTXO. The chain analysis firms can link these together unless you actively prevent it.

The basics:

  • Don't reuse addresses. Every receive should be to a fresh address. Modern wallets do this automatically; double-check yours.

  • Label your UTXOs. Sparrow and Nunchuk both let you label each UTXO with its source. When you spend, you can see which UTXOs you're combining.

  • Don't combine UTXOs that should stay separate. If you have a KYC-purchased UTXO and a non-KYC UTXO, combining them in a single transaction links your identity to the non-KYC purchase forever. Keep them isolated.

  • Watch-only on the hot device. Your hardware wallet stays cold. Your monitoring (checking balances, watching for receives) happens on a separate device using a watch-only wallet. The hardware wallet only comes out to sign.
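A pre-signing check for the "keep them isolated" rule, as an added example that is not from the original guide or from any wallet's code: it groups labelled UTXOs by provenance and refuses to fund a payment when only a cross-provenance merge would cover it. The `Utxo` type, the `provenance: note` label convention, the flat fee and the sample wallet are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    outpoint: str   # "txid:vout"; the values below are constructed placeholders
    sats: int
    label: str      # assumed wallet label convention: "<provenance>: <note>"

    @property
    def provenance(self) -> str:
        return self.label.split(":", 1)[0].strip().lower()


class MixingError(ValueError):
    """Raised when a payment could only be funded by merging provenances."""


def linked_provenances(inputs) -> list:
    """Provenance classes that one transaction would tie together on-chain."""
    return sorted({u.provenance for u in inputs})


def select_isolated(utxos, target_sats: int, fee_sats: int) -> list:
    """Pick inputs for target + fee from ONE provenance class only.

    Largest-first inside each class; the class needing the fewest inputs wins.
    The fee is a flat assumed figure; a real wallet recomputes it per input.
    """
    need = target_sats + fee_sats
    by_class = {}
    for u in utxos:
        by_class.setdefault(u.provenance, []).append(u)

    candidates = []
    for _cls, group in sorted(by_class.items()):
        picked, total = [], 0
        for u in sorted(group, key=lambda x: x.sats, reverse=True):
            picked.append(u)
            total += u.sats
            if total >= need:
                candidates.append(picked)
                break

    if not candidates:
        raise MixingError(
            f"no single provenance class covers {need} sats; "
            "funding this payment would merge " + ", ".join(sorted(by_class))
        )
    return min(candidates, key=len)


# Constructed sample wallet; outpoints are placeholders, not real transactions.
WALLET = [
    Utxo("txid-a:0", 1_500_000, "kyc: exchange withdrawal"),
    Utxo("txid-b:1", 400_000, "kyc: exchange withdrawal"),
    Utxo("txid-c:0", 900_000, "p2p: meetup cash"),
    Utxo("txid-d:2", 700_000, "p2p: hodl hodl trade"),
]

if __name__ == "__main__":
    chosen = select_isolated(WALLET, 1_000_000, 2_000)
    print([u.outpoint for u in chosen], linked_provenances(chosen))
    try:
        select_isolated(WALLET, 1_950_000, 2_000)
    except MixingError as exc:
        print("refused:", exc)
```
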

Network privacy


  • Run your own node. Ministry of Nodes, Start9, Umbrel, or a manually configured Bitcoin Core install. When you connect a wallet to your own node, you stop leaking your addresses to third-party servers. This is the single biggest privacy upgrade most users never make.

  • Use Tor for blockchain queries. Sparrow and most modern wallets support it natively.

  • Avoid VPN-as-a-service for high-stakes work. VPN providers keep logs; many have been compelled to hand them over. Tor is more robust for serious privacy work, though slower.

Lightning for daily spending

Don't spend out of your cold storage. The fees are too high, the privacy is too bad, and the operational risk is too high.

For day-to-day Bitcoin spending — coffee, online subscriptions, tips — use a separate Lightning wallet with a small balance. Phoenix, Zeus, or Breez are all solid choices. Top up from your hot wallet, not your cold storage.

Cold storage is for storage. Lightning is for spending. The two should never touch.


Part 5: Test before you trust

Untested backups aren't backups. They're hopes.

The recovery drill — do this within 48 hours of setup, then quarterly:

  • Take your steel backup

  • Take your passphrase

  • Take a different compatible hardware wallet — preferably a SeedSigner or a wiped second device

  • Restore the seed + passphrase

  • Verify the resulting wallet matches your vault address

  • Send a small test transaction to the restored wallet and back

If anything doesn't match, you don't have a working backup, and you find out before the day you need it.

The first time you do this is the most uncomfortable 30 minutes of your year. After that, it's a routine quarterly check that takes 10 minutes and gives you absolute confidence.


Part 6: Common threats and scams

The threats that take most people down aren't sophisticated nation-state attacks. They're known scams that prey on inattention.

Phishing. Bookmark every Bitcoin-related URL you use. Never click links from email, X DMs, Nostr DMs, Telegram, Discord, or "support" replies. Type the URL or use your bookmark. Every. Time.

Fake hardware wallets. Buy from the manufacturer or from us. Check tamper-evident packaging. If a wallet ships with a seed already on a card "for convenience," it is compromised and your funds are gone the moment you load them.

Address poisoning. Attackers send dust to your wallet from addresses that look similar (same first/last 4 characters) to addresses you've used before. Then you copy-paste an old address from history, miss the middle characters, and send to theirs. Verify the full address every time. Use address book entries.
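A lookalike check for the address-poisoning pattern above, as an added example that is not part of the original guide: it compares a pasted destination, or addresses found in wallet history, against a saved address book and flags entries that share an end with a saved address but differ elsewhere. The type prefix ("bc1q", "1", "3") is ignored because every address of that type shares it. The function names and the sample strings are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

EDGE = 4  # characters people tend to eyeball at each end of an address


class Verdict(NamedTuple):
    status: str            # "match", "lookalike" or "unknown"
    label: Optional[str]   # address-book entry matched or imitated
    ends: tuple            # which ends coincide: "head", "tail" or both


def split_type_prefix(addr: str):
    """Separate the address-type prefix from the part that varies per address."""
    a = addr.strip()
    if a.lower().startswith("bc1"):
        a = a.lower()              # bech32 is case-insensitive
        return a[:4], a[4:]        # "bc1q"/"bc1p" plus the remainder
    return a[:1], a[1:]            # base58 is case-sensitive, keep as typed


def classify(candidate: str, address_book: dict, edge: int = EDGE) -> Verdict:
    """Exact match, lookalike of a saved address, or unknown."""
    c_type, c_body = split_type_prefix(candidate)
    best = Verdict("unknown", None, ())
    for label, known in address_book.items():
        k_type, k_body = split_type_prefix(known)
        if (c_type, c_body) == (k_type, k_body):
            return Verdict("match", label, ("head", "tail"))
        if c_type != k_type:
            continue
        ends = tuple(
            name
            for name, same in (
                ("head", c_body[:edge] == k_body[:edge]),
                ("tail", c_body[-edge:] == k_body[-edge:]),
            )
            if same
        )
        # Keep the closest imitation; one matching end is already suspicious.
        if len(ends) > len(best.ends):
            best = Verdict("lookalike", label, ends)
    return best


def scan_history(history: list, address_book: dict) -> list:
    """Flag addresses seen in wallet history that imitate a saved destination."""
    flagged = []
    for addr in history:
        verdict = classify(addr, address_book)
        if verdict.status == "lookalike":
            flagged.append((addr, verdict))
    return flagged


# Constructed placeholder strings shaped like bech32 addresses. They are not
# real addresses and their checksums are not valid.
VAULT = "bc1q" + "7k2e" + "c3m5pw8x4z6a2s3f5g7h9j2k4l6n8q" + "m9xw"
POISON = "bc1q" + "7k2e" + "0r9t8y7u6e5w4q3a2s9d8f7g6h5j4k" + "m9xw"
TAIL_ONLY = "bc1q" + "d4vn" + "0r9t8y7u6e5w4q3a2s9d8f7g6h5j4k" + "m9xw"
OTHER = "bc1q" + "d4vn" + "5w4q3a2s9d8f7g6h5j4k0r9t8y7u6e" + "z6ta"
ADDRESS_BOOK = {"cold vault": VAULT}

if __name__ == "__main__":
    for addr in (VAULT, POISON, TAIL_ONLY, OTHER):
        print(addr, classify(addr, ADDRESS_BOOK))
```
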

Support scams. No legitimate Bitcoin service has live support that DMs you on Twitter, Discord, or Telegram offering help. Every single one of those is a scam. The real support channels are documented on the official site and they're ticket-based, not DM-based.

The "you've been hacked, send Bitcoin to be safe" scam. Variants include the "your seed is compromised, sweep to this safe address" attack. No legitimate service tells you to move funds. Hang up, type the official URL in a new browser, log in, and verify independently.

Sextortion. "I have a video of you, send Bitcoin or I'll release it." 100% bullshit, 100% of the time. They don't have a video. They have a leaked email/password combo from a 2017 breach. Don't pay. Change your password. Move on.

Border crossings and search warrants. If you live somewhere where this is a real threat, the passphrase vault + decoy pattern is your friend. Under coercion, you "open" the decoy. The vault is invisible. Do not lie about the existence of Bitcoin if compelled under oath — but you are under no obligation to disclose the existence of wallets the questioner doesn't know to ask about. Talk to a lawyer in your jurisdiction.


Part 7: When to graduate

Single-sig with a passphrase is the right answer for most holders. But not all. You should consider graduating when:

Multisig signals:

  • Your stack exceeds ~$250k AND you've successfully tested single-sig recovery at least twice

  • You need geographic distribution of signing authority (different family members, different jurisdictions)

  • You're in a jurisdiction with active asset forfeiture concerns and need cosigners in multiple legal regimes

  • You're running treasury for an entity (corporate, family office, foundation) where single points of failure are unacceptable governance

Inheritance signals:

  • You have heirs who can't and won't learn to operate a single-sig vault solo

  • You need a formal succession plan that survives your death without depending on memorized passphrases

  • The amount at stake is meaningful enough that a structured inheritance plan is worth the legal and operational cost

Collaborative custody signals:

  • You want a third party (Bitcoin Butlers, AnchorWatch, Casa, Unchained) to hold one of N keys to assist with recovery and inheritance, while you retain full sovereignty

  • You need a counterparty with the operational maturity to engage with your estate attorney, your heirs, and the legal system in your jurisdiction

We offer collaborative custody through AnchorWatch (KYC) and non-KYC collaborative custody through Nunchuk. The right answer depends on your threat model and your jurisdiction.

Don't graduate too early. Multisig setups created in haste, by people who haven't tested single-sig recovery, are responsible for an outsized share of the "I lost everything" stories. The complexity is real and compounds with stakes.


The Sovereignty Protocol — recap


  • Threat model first. Be honest about who you are, where you live, what you hold, and who's coming.

  • Acquire without surveillance. HODL HODL first. Local cash second. Bull Bitcoin third. Never the ETF.

  • Single-sig with passphrase vault and decoy. Hardware wallet, dice-roll entropy, verified supply chain.

  • Two steel backups, geographically separated, tested.

  • OPSEC continuously. Don't dox. Coin control. Own node. Lightning for spending.

  • Test the recovery within 48 hours. Then quarterly.

  • Graduate to multisig or collaborative custody only when criteria are met.

This is the protocol. It's free. You can execute it without ever buying anything from us, and we'd rather you do it imperfectly than not do it at all.


Where Bitcoin Butlers fits

Most of the protocol is execution-by-doing. Some of it benefits from a verified human walking you through it.

  • The Master Concierge — configurable, shareable, free. Pick your devices and your setup; we generate your tailored guide. Share the URL with family.

  • Hardware and Steel — supply chain you can trust, packaging you can verify, custom engraving available.

  • Book a Butler — one-on-one walkthrough with a verified human expert. Single-sig setup, multisig setup, recovery testing, inheritance planning, troubleshooting. We hold your hand, not your keys.

Or do it all yourself with this guide and never speak to us. That's the whole point.


Last updated: [DATE]. This guide is refreshed quarterly. If something here is out of date, tell us on Nostr and we'll fix it.

The Bitcoin Butlers Sovereignty Protocol is published under CC BY-SA 4.0. Copy it. Translate it. Republish it. Just credit the source and don't try to sell it.
