Jameson Lopp: Self‑custody, phishing risks and a three‑wallet security model for crypto holders

Jameson Lopp, co‑founder and CTO of Casa and former BitGo engineer, warns crypto holders to prioritise self‑custody and sharpen both digital and physical security. Lopp says reliance on trusted third parties remains the largest systemic risk, while phishing and social‑engineering attacks are the most probable threats to individual holders. He highlights rising violent “rich” attacks (home invasions, kidnapping for ransom) tied to publicly visible wealth signals, and warns that malware targeting signing devices and phones is a serious vector.

Recommended protections include wallet segmentation (a three‑wallet system: small hot wallet, medium warm wallet, large cold/multisig wallet), multisig and distributed key custody with devices from different vendors, air‑gapped signing machines, hardware security keys (YubiKey/passkeys) in place of SMS 2FA, password managers, and prioritising privacy to reduce targetability. Lopp cautions that economic pressure on crypto firms could reduce smart contract audits, increasing investor risk, and says convenience still drives many holders to custodians.

For traders, the immediate measures are to minimise attack surface (don’t click links, use direct logins), segregate funds by risk, secure exchange email and API credentials, adopt hardware keys and multisig for large holdings, and assume physical risk when your digital footprint signals wealth.

Keywords: self‑custody, phishing, multisig, YubiKey, wallet segmentation.
Neutral
This is primarily a security advisory rather than news that directly affects market fundamentals or token economics. Lopp’s warnings increase awareness of operational risks (phishing, malware, physical attacks) and recommend defensive measures — actions that make large holders safer but do not change demand or supply dynamics of specific tokens. Short term, heightened security messaging can reduce risky on‑chain activity (slowing trading volume) and temporarily lower speculative behaviour, producing muted selling pressure for some assets; these are modest effects. Long term, wider adoption of self‑custody, multisig and better operational security can strengthen confidence in on‑chain asset custody and institutional custody solutions, supporting market resilience. Past parallels: security incidents and phishing waves (e.g., large exchange phishing campaigns) temporarily reduced inflows and raised volatility but did not cause sustained bear markets unless paired with major protocol failures or regulatory shocks. Therefore overall market impact is neutral — it nudges operational practices without directly bullish or bearish implications for prices.