What Is a Crypto Threat Model? Why It Matters Before Buying a Wallet

A threat model is a structured way to think about security. Instead of asking "what's the most secure wallet?", you ask three specific questions:

1. What am I protecting? — How much crypto, on which networks, and how often do I transact?
2. Who might target me? — Random hackers? Someone who knows I hold crypto? A government?
3. How would they attack? — Phishing? Physical theft? Malware? Coercion?

The answers determine which security measures actually matter for your situation — and which are overkill.

This concept comes from information security, where it's been used for decades by companies protecting sensitive data. It works just as well for individuals protecting cryptocurrency.

Without a threat model, security decisions become emotional. You either:

• Under-protect: Keep $50,000 on an exchange because "it's easier" — until the exchange freezes withdrawals.
• Over-protect: Spend $600 on three hardware wallets and a multi-sig setup for $500 in Bitcoin.
• Mis-protect: Buy an air-gapped wallet but reuse passwords everywhere — hardening the wrong layer.

A threat model prevents all three mistakes. It matches your defenses to your actual risk profile.

Not everyone faces the same risks. Here's a practical framework:

Level 1: Casual Holder ($100–$1,000)

Main risks: phishing, exchange failures, losing credentials. A basic hardware wallet ($50–80) with a paper seed backup is sufficient. No advanced features needed.

Level 2: Serious Holder ($1,000–$50,000)

Risks expand to targeted phishing, clipboard malware, and physical theft. Get a wallet with secure element and open-source firmware. Use a metal seed backup. Consider a passphrase wallet.

Level 3: High-Value Holder ($50,000+)

Risks include sophisticated phishing, physical coercion ($5 wrench attack), and social engineering. Use multi-signature or geographically distributed backups. Passphrase wallet with plausible deniability. Operational security matters as much as your wallet.

Level 4: Business / Institutional

Risks include rogue employees, key-person dependency, and regulatory seizure. Multi-signature with keys held by different people in different locations. Formal key management procedures.

1. Phishing (Most Common)

Fake websites or messages that trick you into entering your seed phrase. Hardware wallets protect you by keeping the seed on-device, but you can still approve bad transactions if you don't verify on the device screen.

Defense: Never enter your seed phrase on any website. Always verify on your hardware wallet display.

2. Clipboard Hijacking

Malware silently replaces the wallet address you copied with the attacker's address.

Defense: On-device address verification — compare every character before confirming.

3. Exchange Hacks & Freezes

You don't control crypto on an exchange. Self-custody with a hardware wallet eliminates this risk entirely.

4. Lost or Damaged Backup

More crypto is lost to poor backups than to hackers. Fire, flood, or negligence can destroy your only copy.

Defense: Metal seed backup in a separate location. Shamir Secret Sharing for high-value holdings.

5. Physical Theft or Coercion

Someone steals your wallet or forces you to unlock it.

Defense: PIN protection, passphrase wallets with plausible deniability, distributed backups.

Answer these questions honestly:

1. How much crypto do I hold? — Determines justified security complexity.
2. Do people know I hold crypto? — Public exposure increases physical and social engineering risks.
3. How do I transact? — Daily DeFi trading has different risks than annual rebalancing.
4. Where do I live and travel? — Some jurisdictions have border inspection risks.
5. What's my technical skill level? — Advanced setups add security but also complexity.

Write down your answers. They form your threat model. Match them to the threat level framework above.

Once you know your threat level, look for wallets with features that matter for your risks:

• Basic protection (all levels): Secure element, PIN, on-device address verification
• Backup resilience (serious+): Shamir backup support, passphrase wallets
• Physical security (high-value+): Air-gapped signing, tamper detection, duress PIN
• Privacy (privacy-focused): CoinJoin support, Tor compatibility
• Shared access (institutional): Multi-signature support

Don't pay for features you don't need. A $59 wallet with a secure element provides excellent security for most holders.

Use our wallet finder quiz for a personalized recommendation, or browse all ratings to compare features.