
Bitcoin Security Best Practices: A Comprehensive Checklist

Security checklist for Bitcoin holders: key management, operational security, network privacy, and common attack vectors.

Spark Team

Why Bitcoin Security Matters

Bitcoin's core value proposition is sovereignty over your own money. That sovereignty comes with responsibility: there is no bank to call, no fraud department to file a claim with, and no way to reverse a transaction once confirmed. In 2025, over $2.67 billion was stolen in cryptocurrency hacks, with the Bybit breach alone accounting for $1.5 billion. The majority of losses stem not from protocol vulnerabilities but from poor key management, social engineering, and operational failures.

This checklist covers every layer of Bitcoin security: from how you generate and store your seed phrase to how you protect yourself against phishing, SIM swaps, and network surveillance. Whether you hold 0.01 BTC or 100 BTC, the principles are the same. The difference is how many layers you stack.

Security Tier Overview

Not every user needs every measure. The following table maps security practices to three tiers based on the value at risk and your threat model. Start at Basic, then add layers as your holdings or risk profile grow.

Practice | Basic | Intermediate | Advanced
--- | --- | --- | ---
Key storage | Hardware wallet (single-sig) | Hardware wallet + passphrase | Multisig (2-of-3 or 3-of-5)
Seed backup | Paper in a safe | Metal plate, geographically distributed | Shamir backup (SLIP-39) or split multisig keys
Exchange 2FA | TOTP app (Google Authenticator, Aegis) | Hardware security key (YubiKey) | Hardware key + withdrawal whitelist + time lock
Network privacy | VPN when transacting | Own Bitcoin node over Tor | Dedicated node + Tor + coin control
Transaction verification | Verify address on device screen | Air-gapped signing via QR or microSD | Air-gapped + multi-party signing ceremony
Operational security | Unique passwords, no SMS 2FA | Dedicated email, SIM PIN | Compartmentalized identity, numbered accounts

Key Generation and Entropy

Every Bitcoin private key begins with entropy: random data used to generate a seed phrase. The BIP-39 standard defines how this entropy maps to a mnemonic word list. A 12-word seed encodes 128 bits of entropy; a 24-word seed encodes 256 bits. Both are computationally infeasible to brute-force with current technology: even 128 bits would require 2^128 guesses, a number that exceeds the atoms in the observable universe.

The 24-word format provides an additional margin against theoretical quantum computing advances. Grover's algorithm would halve the effective entropy of a 256-bit seed to 128 bits, which remains secure. For a 12-word seed, the effective post-quantum entropy drops to 64 bits, which is potentially vulnerable decades from now. If you are planning for long-term cold storage, 24 words is the safer default.

Note: Never generate a seed phrase by picking words yourself or with software on a general-purpose computer. Hardware wallets use dedicated true random number generators (TRNGs) that are resistant to malware and side-channel attacks. For maximum assurance, some users roll casino dice to generate the raw entropy and import it into their signing device, which then derives the phrase.

Hardware Wallet Comparison

A hardware wallet keeps your private keys on a dedicated device that never exposes them to your computer or phone. The differences between devices matter: open-source firmware allows independent audit, air-gapped operation eliminates USB attack surfaces, and secure element chips resist physical extraction.

Device | Price | Open Source | Secure Element | Air-Gapped | Bitcoin-Only
--- | --- | --- | --- | --- | ---
Coldcard Mk4 | ~$178 | Fully | Yes (dual chip) | Yes (microSD, NFC) | Yes (exclusively)
Blockstream Jade Plus | $149 | Fully | Virtual (blind oracle) | Yes (QR codes) | Yes
Keystone 3 Pro | $149 | Fully | Yes (3x Infineon) | Yes (QR codes, microSD) | Yes (firmware option)
BitBox02 | ~$140 | Fully | Yes (dual chip) | No (USB-C; microSD backup) | Yes (dedicated edition)
Trezor Safe 3 | $79 | Fully | Yes (EAL6+) | No (USB-C) | No
Ledger Nano S Plus | ~$79 | Partial (closed OS) | Yes (EAL6+) | No | No
Ledger Nano X | $149 | Partial (closed OS) | Yes (EAL5+) | No | No

For Bitcoin-focused security, air-gapped devices like the Coldcard, Keystone, and Jade eliminate USB-based attack vectors entirely. Fully open-source firmware means the community can audit for backdoors. Ledger's BOLOS operating system remains closed-source due to NDA restrictions with the secure element manufacturer, which limits independent verification.

Always purchase hardware wallets directly from the manufacturer. In 2025, Kaspersky documented counterfeit Trezor devices sold through unauthorized resellers with replaced internal chips and pre-generated recovery seeds. If a device arrives with a seed phrase already filled in, it has been compromised.

Storage: Multisig and Backup Strategies

Single-signature wallets have a single point of failure: whoever has the seed phrase controls the funds. A multisig setup distributes control across multiple keys, so that no single compromised device or stolen backup can drain your wallet. For a detailed breakdown of multisig configurations, see our multisig planner tool.

The most common multisig configuration is 2-of-3: three keys are created, and any two are required to sign a transaction. This means you can lose one key (theft, fire, hardware failure) and still recover your funds. For larger holdings, 3-of-5 provides additional redundancy. For a deeper technical explanation, see our guide on Bitcoin multisig wallets.

Seed Phrase Backup Methods

Paper backups are fragile: they degrade with moisture, fire, and time. Metal seed plates (stamped or engraved steel) survive house fires, floods, and decades of storage. Distribute backups across at least two geographic locations to protect against localized disasters.

For advanced users, SLIP-39 (Shamir's Secret Sharing) splits a master seed into multiple shares with a configurable threshold. A 3-of-5 Shamir backup means you need any three of five shares to reconstruct the seed, but each individual share reveals zero information. Hardware support for SLIP-39 is currently limited to Trezor (Safe 3, Safe 5, Safe 7) and Keystone 3 Pro. Coldcard, Ledger, BitBox02, and Jade do not support SLIP-39.
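The threshold property described above (any three of five shares reconstruct the seed, fewer reveal nothing) comes from Shamir's Secret Sharing over the finite field GF(256). The following is an added illustration of that mechanism, not code from this article and not the SLIP-39 format itself: it omits SLIP-39's word encoding, digest share and group structure, and works on raw bytes. The 16-byte secret is constructed sample data standing in for 128-bit seed entropy.

```python
"""Shamir's Secret Sharing over GF(256): split a secret into N shares so that
any K of them reconstruct it while any K-1 are useless on their own.

Added illustration of the math behind SLIP-39; NOT the SLIP-39 wire format
and not code from the original article. The secret below is constructed
sample data, not a real seed.
"""
import secrets

# GF(2^8) with reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b),
# the same field SLIP-39 and AES use.
def gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(256) for non-zero a (square-and-multiply)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def split_secret(secret: bytes, threshold: int, shares: int,
                 rng=secrets.randbits) -> dict[int, bytes]:
    """Return {x: share_bytes}. For each secret byte, choose a random polynomial
    of degree threshold-1 whose constant term is that byte, and evaluate it
    at x = 1..shares. `rng` is injectable only so tests can be deterministic."""
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    out = {x: bytearray() for x in range(1, shares + 1)}
    for s in secret:
        coeffs = [s] + [rng(8) for _ in range(threshold - 1)]
        for x in out:
            y = 0                                  # Horner evaluation at x
            for c in reversed(coeffs):
                y = gf_mul(y, x) ^ c
            out[x].append(y)
    return {x: bytes(v) for x, v in out.items()}

def recover_secret(shares: dict[int, bytes]) -> bytes:
    """Lagrange-interpolate every byte position at x = 0.
    Fewer than `threshold` shares do not raise an error: they interpolate to
    a wrong, uniformly random-looking value, which is exactly why a
    below-threshold set of shares leaks nothing."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    secret = bytearray()
    for i in range(length):
        acc = 0
        for xj in xs:
            num, den = 1, 1
            for xm in xs:
                if xm != xj:
                    num = gf_mul(num, xm)          # (0 - x_m) == x_m in char 2
                    den = gf_mul(den, xj ^ xm)     # (x_j - x_m)
            acc ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)

def demo() -> bool:
    """3-of-5: any three shares recover the secret; two do not."""
    secret = bytes(range(16))                      # constructed sample secret
    shares = split_secret(secret, threshold=3, shares=5)
    any_three = {x: shares[x] for x in (2, 4, 5)}
    only_two = {x: shares[x] for x in (1, 3)}
    return (recover_secret(any_three) == secret
            and recover_secret(only_two) != secret)

if __name__ == "__main__":
    print("3-of-5 split/recover works:", demo())
```

Note the failure mode in recover_secret: the scheme cannot tell you that you are one share short, it simply produces garbage that looks like a valid seed. SLIP-39 adds a digest share so that a wallet can detect this; a hand-rolled split without such a check should be tested end to end (see checklist item 13) before any real seed is trusted to it.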

BIP-39 Passphrase

A BIP-39 passphrase (sometimes called the "25th word") adds an extra layer of protection to your seed. With a passphrase enabled, someone who finds your 24-word backup cannot access your funds without also knowing the passphrase. The passphrase creates an entirely separate set of derivation paths, so a wrong passphrase simply opens an empty wallet rather than failing visibly. This provides plausible deniability: you can keep a small amount in the no-passphrase wallet while your real holdings sit behind the passphrase.
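The entropy-to-mnemonic mapping from the Key Generation section and the passphrase behaviour described here are both small, well-specified computations, so the following added example walks through them: entropy to checksum and 11-bit word indices, index-list validation, and mnemonic plus optional passphrase to the 512-bit seed via PBKDF2. It is not code from this article. The 2048-word English list is left out (an index selects a word by position, e.g. 0 = "abandon", 3 = "about", 102 = "art"); the all-zero entropy inputs and the "TREZOR" passphrase are the published BIP-39 test vectors, chosen precisely because they are not secret.

```python
"""BIP-39 mechanics: entropy -> checksum + word indices, index validation,
and mnemonic (+ passphrase) -> seed.

Added example, not code from the original article. Omits the 2048-word list;
inputs are the public BIP-39 test vectors. Real seed phrases never belong in
code running on a general-purpose computer.
"""
import hashlib
import unicodedata

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Map 128..256 bits of entropy (in 32-bit steps) to BIP-39 word indices.
    Checksum = first ENT/32 bits of SHA-256(entropy), appended to the entropy;
    the whole bit string is cut into 11-bit groups, one per word."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs = ent // 32                                   # 4 bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs                                 # 132 -> 12 words, 264 -> 24
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def indices_checksum_ok(indices: list[int]) -> bool:
    """What a wallet does when a phrase is typed in: rebuild the entropy and
    recompute the checksum. A single wrong word is caught with probability
    about 1 - 2^-cs (15/16 for 12 words, 255/256 for 24)."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return False
    cs = n // 3
    ent = n * 11 - cs
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return (bits & ((1 << cs) - 1)) == expected

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    Nothing validates the passphrase: every string yields a different but
    equally valid seed, which is why a mistyped passphrase opens an empty
    wallet instead of producing an error."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

ZERO_12 = " ".join(["abandon"] * 11 + ["about"])   # BIP-39 test vector phrase

if __name__ == "__main__":
    print(entropy_to_indices(bytes(16)))            # eleven 0s then 3 ("about")
    print(entropy_to_indices(bytes(32))[-1])        # 102 ("art")
    print(indices_checksum_ok([0] * 11 + [3]), indices_checksum_ok([0] * 12))
    print(mnemonic_to_seed(ZERO_12, "TREZOR").hex()[:32])
    print(mnemonic_to_seed(ZERO_12) == mnemonic_to_seed(ZERO_12, "TREZOR"))  # False
```

The last line is the passphrase point in one comparison: the same 12 words with and without a passphrase give unrelated seeds, and therefore unrelated wallets. It also shows the operational risk: a passphrase that is forgotten or backed up with a typo is indistinguishable from one that was never set, so it needs its own tested backup, separate from the words.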

Operational Security

Most Bitcoin theft happens not through cryptographic attacks but through social engineering. Phishing, SIM swaps, and malware account for far more losses than brute-force key extraction.

Phishing and Social Engineering

In 2025, phishing attacks accounted for approximately $410 million in crypto losses in the first half of the year alone. Common vectors include fake exchange login pages, fraudulent wallet update prompts, and impersonation of support staff on social media. The defense is straightforward:

  • Bookmark exchange and wallet URLs; never follow links from emails or messages
  • Verify software downloads against published GPG signatures or SHA-256 checksums
  • Never enter your seed phrase into any website, app, or form
  • Treat all unsolicited "support" messages as scams

SIM Swap Protection

SIM swap attacks allow an attacker to hijack your phone number by convincing your carrier to transfer it to a new SIM. The FBI's IC3 reported 982 SIM swap complaints with $26 million in losses in 2024. The UK saw a 1,055% increase in unauthorized SIM swaps that same year. Once an attacker controls your number, any account using SMS-based two-factor authentication is compromised.

  • Remove SMS 2FA from all financial accounts; use TOTP or hardware keys instead
  • Set a SIM PIN or carrier account PIN with your mobile provider
  • Use a dedicated phone number (or VoIP number) for crypto accounts
  • Enable port-out protection if your carrier supports it

Two-Factor Authentication Hierarchy

Not all 2FA methods are equal. A Google study found that hardware security keys blocked 100% of targeted phishing attacks. Since 2017, Google has reported zero successful phishing incidents across 85,000+ employees using hardware keys. TOTP apps block around 90% of targeted attacks, while SMS blocks only 76%.

  • Hardware security keys (YubiKey, Google Titan): phishing-resistant, domain-bound cryptographic verification
  • TOTP apps (Google Authenticator, Aegis, 2FAS): locally generated codes, immune to SIM swaps
  • SMS codes: better than nothing, but vulnerable to SIM swaps and interception

Network Privacy

Bitcoin transactions are pseudonymous, not anonymous. Every transaction is permanently recorded on a public blockchain. Without privacy measures, your IP address can be linked to your transactions, your wallet balances can be inferred through address reuse, and chain analysis firms can cluster your UTXOs.

Running Your Own Node

When you use someone else's Bitcoin node, they can see which addresses you query, which lets them link your IP to your wallet. Running your own node over Tor eliminates this leak. Most node distributions (Umbrel, RaspiBlitz, Start9) integrate Tor automatically. Your node communicates with peers via .onion addresses, hiding your IP from both peers and your ISP.

Transaction Privacy

Coin control lets you choose which UTXOs fund a transaction, preventing accidental linkage of addresses from different contexts. Wallets like Sparrow and Electrum support manual UTXO selection.

CoinJoin implementations mix your transaction with other users to break on-chain linkability. Wasabi Wallet remains the most accessible option following the Samourai Wallet shutdown in April 2024 (both founders were sentenced in late 2025). JoinMarket offers a fully decentralized alternative but requires more technical skill. For a deeper analysis, see our research on Lightning network privacy.

Exchange and Custodial Security

The February 2025 Bybit hack demonstrated that even institutional-grade custody can fail. North Korea's Lazarus Group stole approximately $1.5 billion by compromising a Safe{Wallet} developer's machine and injecting malicious code into the transaction signing interface. The attack bypassed multisig protections because the malicious transaction appeared legitimate on the signing UI.

If you must keep funds on an exchange, minimize your exposure:

  • Enable hardware key 2FA (not SMS, not TOTP alone for high-value accounts)
  • Set up withdrawal address whitelists with a 24-48 hour lock period
  • Use a dedicated email address that is not linked to any social media
  • Withdraw to self-custody any amount you are not actively trading

For a comparison of custody models and their tradeoffs, see our self-custodial vs custodial wallets research. For Bitcoin-native self-custody with stablecoin support, Spark provides a layer-2 protocol where users retain full control of their keys while transacting with both BTC and USDB stablecoins.

Common Attack Vectors

Understanding how attacks work is the first step to defending against them. The following vectors account for the majority of Bitcoin theft:

  • Supply chain attacks: tampered hardware wallets from unauthorized resellers with pre-generated seeds
  • Clipboard malware: replaces copied Bitcoin addresses with an attacker's address before pasting
  • Fake wallet software: trojanized versions of popular wallets distributed through unofficial channels
  • Phishing emails and websites: fake exchange or wallet login pages that harvest credentials
  • SIM swaps: carrier-level phone number hijacking that bypasses SMS-based 2FA
  • Physical coercion ("$5 wrench attack"): addressed through multisig, time-locked vaults, and plausible deniability setups
  • Dust attacks: tiny unsolicited transactions used to track and de-anonymize wallet holders

Security Checklist

Use this checklist to audit your current setup. Each item maps to the security tiers defined above.

  1. Generate your seed phrase on a hardware wallet purchased directly from the manufacturer
  2. Back up your seed on a metal plate stored in a physically secure location
  3. Store a second backup in a separate geographic location
  4. Enable a BIP-39 passphrase for additional protection
  5. Remove SMS 2FA from all accounts; switch to TOTP or hardware security keys
  6. Set a SIM PIN with your mobile carrier
  7. Use a dedicated email for financial accounts
  8. Verify all transaction details on your hardware wallet screen before signing
  9. Run your own Bitcoin node to avoid leaking address queries to third parties
  10. Route node traffic through Tor
  11. Use coin control to prevent UTXO linkage across contexts
  12. Set up multisig for holdings above your personal risk threshold
  13. Test your recovery process: can you restore from backup to a new device?
  14. Document your setup for inheritance (without exposing secrets)

For inheritance planning specifically, see our Bitcoin inheritance solutions guide.

Frequently Asked Questions

How do I secure my Bitcoin from hackers?

Use a hardware wallet for key storage, never enter your seed phrase into any website or app, enable hardware-key-based 2FA on all accounts, and remove SMS as a second factor. For larger holdings, set up a multisig wallet so that no single compromised device can move your funds. See the security tier table above to match your setup to your risk level.

Is a 12-word seed phrase secure enough?

A 12-word BIP-39 seed provides 128 bits of entropy, which is computationally infeasible to brute-force with current technology. However, 24 words (256 bits) offer a larger margin against future quantum computing advances. For long-term cold storage, 24 words is the safer choice.

What is the best hardware wallet for Bitcoin?

There is no single best option: it depends on your priorities. Coldcard is the gold standard for Bitcoin-only, air-gapped security. Keystone 3 Pro offers air-gapped QR signing with three secure element chips. BitBox02 provides a clean open-source design with a Bitcoin-only firmware edition. Blockstream Jade is fully open-source with a unique virtual secure element model. All four are fully open-source and Bitcoin-focused. See the hardware wallet comparison table above for details.

Should I use a VPN or Tor when using Bitcoin?

Running your own Bitcoin node over Tor is the strongest privacy option: it hides your IP from both peers and your ISP. A VPN alone hides your activity from your ISP but shifts trust to the VPN provider. The layered approach (VPN + Tor) hides Tor usage from your ISP while Tor hides Bitcoin activity from the VPN. Commercial VPNs vary in their logging practices, so self-hosted VPN solutions are preferred for high-security setups.

How does multisig protect my Bitcoin?

Multisig requires multiple private keys to authorize a transaction. In a 2-of-3 setup, an attacker who steals one key still cannot move funds. This protects against single points of failure: a stolen device, a compromised backup, or physical coercion targeting one location. Use our multisig planner to model different key configurations.

What is a SIM swap attack and how do I prevent it?

A SIM swap occurs when an attacker convinces your mobile carrier to transfer your phone number to their SIM card. This gives them access to any account using SMS-based 2FA. The FBI reported $26 million in SIM swap losses in 2024. Prevent it by removing SMS 2FA from all financial accounts, setting a carrier PIN, and using hardware security keys or TOTP apps instead.

How do I verify my hardware wallet is genuine?

Buy only from the manufacturer's official website. On arrival, check for tamper-evident packaging (holographic seals, shrink wrap, or epoxy). The device should generate a fresh seed during setup: if it arrives with a pre-filled recovery card, it has been compromised. Coldcard and BitBox02 support firmware verification through attestation checks that cryptographically prove the device is genuine.

This guide is for informational purposes only and does not constitute financial or security advice. Security best practices evolve as new attack vectors emerge. Data is based on publicly available information as of early 2026. Always verify current recommendations and test your recovery procedures before relying on any security setup.
