
Personal Crypto: Hardware Wallets, Passphrase and Coercion-Resistant Backup

By Equipe Basilisk

How to build self-sovereign crypto custody using a hardware wallet, BIP39 passphrase and metal backup designed against phishing and physical attacks.

Holding Bitcoin on a Latin American exchange in 2026 is the equivalent of leaving gold bars on a jeweler's counter with the door propped open. In May a mid-sized exchange lost 38 million reais to a drainer signed from a lookalike domain, and three months earlier a Sao Paulo trader was held for seven hours until he transferred 14 BTC. Self-custody is not libertarian ideology; it is wealth risk management. But swapping the exchange for a Ledger Nano X glued to an unlocked MacBook does not remove the problem; it only shifts the vector. The right question is not 'which wallet should I buy', it is 'which threat model am I defending against, and for how many years'. This piece tackles both ends: the private key and the human who can be forced to hand it over.

Start with the threat model before the hardware. If you hold under USD 10k and phishing dominates your risk surface, a Coldcard Mk4 or Trezor Safe 5 with an eight-digit PIN solves it. Above USD 100k, targeted physical attack enters the math and you need a BIP39 passphrase, geographic distribution and plausible deniability. The spreadsheet I recommend has five columns: adversary (script kiddie, phone scammer, organized crime, intimate partner, state), capability, motivation, attack cost, mitigation. Readers of OPSEC for Security Researchers: Building a Personal Threat Model will recognize the skeleton; here we tune it for the financial vector, which is more aggressive because the attacker can read the exact target value off the public blockchain.

Once the hardware wallet is chosen, the classic next mistake is using only the factory 12 or 24 word seed. The BIP39 passphrase, that optional 25th word, separates real custody from security theater. It lets you derive two or more wallets from the same seed: a decoy holding USD 400 in sats for coercion scenarios, and the real one behind a strong passphrase. Use a seven-plus word diceware string, never something memorable like dog name plus birthday. The passphrase is not stored on the device; an attacker who steals the Coldcard and lacks it finds the decoy and walks. Combined with the patterns from Passwords and MFA: Moving to Passkeys Without Breaking Your Recovery, this collapses the blast radius of any single compromise.
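To make the "two wallets from one seed" claim concrete, here is the BIP39 seed derivation written out in plain Python. This is an added example, not code from the article or from any wallet vendor; it uses the public BIP39 reference mnemonic and the reference-vector passphrase "TREZOR" as constructed input so the output can be checked, and the diceware entropy helper assumes the standard 7776-word list.

```python
import hashlib
import math
import unicodedata

# Constructed test input: the well-known BIP39 reference mnemonic ("abandon" x11 + "about").
# It is public and must never hold funds; it is here only so the derivation is checkable.
MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512 over the NFKD-normalized mnemonic,
    salted with "mnemonic" + passphrase, 2048 rounds, 64-byte output."""
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


def custody_seeds(mnemonic: str, real_passphrase: str) -> dict:
    """Two wallets from one seed: the decoy (empty passphrase, what the device shows
    to whoever only has the hardware) and the real wallet behind the passphrase."""
    return {
        "decoy": bip39_seed(mnemonic, ""),
        "real": bip39_seed(mnemonic, real_passphrase),
    }


def diceware_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase drawn uniformly from a diceware list (7776 = 6^5 words)."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    seeds = custody_seeds(MNEMONIC, "TREZOR")  # "TREZOR" is the reference-vector passphrase
    print("decoy seed:", seeds["decoy"].hex())
    print("real seed: ", seeds["real"].hex())
    print("7 diceware words ~ %.1f bits" % diceware_entropy_bits(7))
```

Two things worth noticing before you rely on a passphrase: there is no wrong passphrase, only a different wallet, so a single trailing space or case change silently derives an empty wallet, which is why you verify the real wallet's first receiving address on the device before sending anything to it; and seven diceware words give roughly 90 bits of entropy, which is what makes the passphrase-protected wallet safe even when the 24 words are in the attacker's hand.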

Backing the seed up on laminated paper inside a 400 dollar safe is a comfortable illusion. Paper ignites at 233 Celsius and a domestic fire blows past 800. The practical fix is stainless steel stamping: Cryptosteel Capsule, Blockstream Jade Plate, or for the workshop type, a 304 plate plus number punches. Distribute geographically: one copy at home, one at your parents' place in another city, one in a bank safe deposit box in your name. For meaningful balances, consider 3-of-5 Shamir Secret Sharing via SLIP39, natively supported on Trezor Safe 5: no single location compromises funds, and you survive losing two shares. Anyone who built Disk Crypto and Backups: VeraCrypt, LUKS and a Resilient 3-2-1 Strategy already groks the 3-2-1 logic, applied now to raw entropy.

Crypto phishing graduated from basic email to polished wallet drainers. The dominant 2026 attack is a Google sponsored ad floating above the real MetaMask site, routing victims to a pixel-perfect clone that asks them to 'reconnect the wallet via WalletConnect'. The signature requested is a setApprovalForAll granting unlimited control over your ERC-20 tokens. Layer your defense: never reach wallets through search, only through verified bookmarks; run a dedicated browser inside a Firejail profile (see Linux Application Sandboxing with Bubblewrap, Firejail and Flatpak); audit active approvals monthly with Revoke.cash; sign complex transactions with blind-signing disabled on Ledger so full calldata is shown. For significant holdings, run an air-gapped Coldcard setup via QR codes and never plug USB.
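Disabling blind signing only helps if you can read what the device shows, so here is the decoding step reduced to its essentials. This is an added example, not code from the article, Ledger or Revoke.cash: it decodes the two approval calls drainers typically request (approve for ERC-20 allowances, setApprovalForAll for ERC-721/ERC-1155 collections), using the real 4-byte selectors for those signatures; the calldata samples and the 0x11..11 spender address are constructed placeholders.

```python
# Added illustration: what "blind signing disabled" lets a wallet show you, reduced to a
# calldata decoder for the two approval calls wallet drainers ask victims to sign.
# Selectors are the first 4 bytes of keccak256 of the function signature (real values):
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)      ERC-20
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool) ERC-721/1155
UNLIMITED = (1 << 256) - 1


def inspect_calldata(calldata_hex: str) -> dict:
    """Decode the selector and ABI words; flag unlimited allowances and operator grants."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    selector, args = data[:4].hex(), data[4:]
    if selector == APPROVE_SELECTOR and len(args) >= 64:
        spender = "0x" + args[12:32].hex()              # address = low 20 bytes of word 0
        amount = int.from_bytes(args[32:64], "big")     # word 1
        return {"function": "approve", "spender": spender, "amount": amount,
                "risky": amount == UNLIMITED}
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR and len(args) >= 64:
        operator = "0x" + args[12:32].hex()
        approved = int.from_bytes(args[32:64], "big") != 0
        return {"function": "setApprovalForAll", "operator": operator, "approved": approved,
                "risky": approved}
    return {"function": "unknown", "selector": selector, "risky": False}


def abi_word(value_hex: str) -> str:
    """Left-pad a hex value to one 32-byte ABI word (used only to build the samples)."""
    return value_hex.rjust(64, "0")


# Constructed samples: placeholder spender 0x11..11 (20 bytes), not a real contract.
PLACEHOLDER_SPENDER = "11" * 20
SAMPLE_UNLIMITED_APPROVE = "0x" + APPROVE_SELECTOR + abi_word(PLACEHOLDER_SPENDER) + "f" * 64
SAMPLE_BOUNDED_APPROVE = ("0x" + APPROVE_SELECTOR + abi_word(PLACEHOLDER_SPENDER)
                          + abi_word(hex(10**18)[2:]))          # exactly 1 token at 18 decimals
SAMPLE_SET_APPROVAL_FOR_ALL = ("0x" + SET_APPROVAL_FOR_ALL_SELECTOR
                               + abi_word(PLACEHOLDER_SPENDER) + abi_word("1"))

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED_APPROVE, SAMPLE_BOUNDED_APPROVE, SAMPLE_SET_APPROVAL_FOR_ALL):
        print(inspect_calldata(sample))
```

The habit this builds: a legitimate swap or listing needs a bounded approve to a contract you recognize, while a "reconnect your wallet" prompt that produces an unlimited approve or a setApprovalForAll to an unknown address is the drainer, whatever the page looks like. The same two functions are what a monthly Revoke.cash review is listing.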

The scenario nobody wants to rehearse is the express kidnapping or armed home invasion. This is where the decoy passphrase saves lives, but only if the playbook has been drilled. Keep USD 1000 to 3000 in sats in a sacrificial hot wallet on your phone, with believable transaction volume so an average criminal accepts it and leaves. The real passphrase wallet lives on a device hidden outside your primary residence. Pair this with local non-cloud cameras, a dead-man-switch contact plan with a trusted person and the hygiene routine from Anti-Doxxing Personal Security: Removing Data from Brazilian Data Brokers to cut your odds of becoming an identifiable target. A public listing selling an expensive car plus a mansion photo on Instagram is the invitation that precedes 80 percent of the cases reported by the Sao Paulo police in 2025.

Digital inheritance is the blind spot that kills more crypto than any hacker. If you die tomorrow without accessible instructions, your 3 BTC become an example in a master's thesis about lost coins. The fix is not WhatsApping the seed to your spouse; it is a sealed envelope of step-by-step instructions held by a trusted lawyer, containing physical backup locations, device names, an indirect passphrase hint (never the passphrase itself) and the contact of a technical friend who can assist. Treat it as a testable runbook: have a relative perform a dry run against the decoy wallet while you are alive. Serious personal crypto is process, not product: hardware wallet with strong passphrase, distributed Shamir metal backup, isolated browsing, drilled decoy and tested inheritance runbook. Do it once, properly, and sleep for a decade.
