We have two security experts on the podcast today. In addition to myself, this is Ryan Sean Adams. David can be with us today. Let me tell you why I'm doing this episode. There's been an increase in physical attacks on crypto investors. It's probably happened over the last year or two in particular. I could share a dozen or more stories. This is causing anxiety in the crypto community. Perhaps as a listener, it's causing you some anxiety as you've seen some of these in the headlines. So this episode is a way to get back some control. This episode is about tactics. This is ways to harden your physical security against wrench attacks and your digital security against phishing attacks. It includes an approach that I like called zero crypto at home. At least that's what I'm calling it. And it pretty much means what it says. It is about designing a system so that you can't access crypto at home using multi-sigs, time delays, third-party verification when needed. Now, I know this adds some friction in the process. It's not ideal, but it is something I advise and that's important in particular if you're a doxed crypto investor. You're not pseudonymous and your name is out there. Because one thing I think you'll hear if you've listened to the Bankless podcast for any amount of time is we believe the purpose of crypto is freedom. So let's figure out how to go bankless in the age of wrench attacks.

Before we do, I want to thank our friends and sponsors over at RocketPool. Speaking of non-custodial access, of course, RocketPool is a non-custodial staking provider. They are now launching their Saturn upgrade. This is the biggest upgrade in RocketPool that's ever shipped since its launch. A few key features. It is bringing an RPL fee switch if you're waiting for that. So now staking RPL can earn even more protocol revenue. That's all paid in ETH, of course. Liquid staking also has boosted minting capability. 
And on the node side, you can now run a node with four ETH validators and megapools. Those are opening in just a few days. So this lowers the barrier of entry even more. If you are looking for more than just basic staking yield on your ETH, go check out RocketPool. There's a link in the show notes. You can stake your ETH and get ready for those four ETH validators. They are actually launching February 18th. It's probably launched by the time you listen to this episode. Let's get right into the episode with Jameson Lopp and Bo on security.

Bankless Nation, doing this episode because it feels very timely. And the truth is I've been delaying doing this episode for quite some time because it's somewhat anxiety inducing. But the reason that I think we need this now is because crypto natives and maybe the crypto industry is feeling some security anxiety, some increased security anxiety. So I have two guests on that are going to talk about that. And my hope is we get a clear-eyed picture of the problem that crypto natives face. And also we come out of this with some optimism and some solutions. So if you are a crypto native, if you've been in this industry for a while, this is one you're going to want to tune into because we dive into some topics around security and protection and wrench attacks pretty deeply. I have the two best guests to do this, Jameson Lopp. He is the co-founder of Casa Security, also Bo. He is a former CIA officer. He now runs safety at Pudgy Penguins. Jameson, Bo, thanks for joining us.

Glad to be here. Thanks for having me.

All right. As we start 2026, I'd like your opinion on the biggest threats facing crypto natives. How would you categorize them? And what would you say, Jameson?

Well, I mean, the biggest threat, I think, is the same as it's always been, which has been trusted third parties and just, you know, not taking custody of your own assets because there's a million things that can go wrong in this space. 
And at least when you're taking control of your keys, you're limiting who can make all of those mistakes. Beyond that, privacy is a really big one. We'll get into that because I basically consider privacy to be the outermost layer of security. If you can stop people at the privacy layer, then hopefully they don't ever even get to test any of your other layers of security. And then really what we'll probably end up spending some time talking about, but is I think the least concerning to people because it's the least frequent, but it's getting more attention is the actual physical attacks. But it is kind of novel to this space and has been getting more attention simply due to the egregious nature of them.

Okay. I just want to drill into that for a minute, Jameson. And so you think of all of the threats facing crypto holders and crypto natives today, some of the threats that we're going to talk about, like wrench attacks maybe, are much more distant than the actual threat of custodying your crypto assets with some sort of third party. And by third party, you mean like an exchange, let's say, or a custodian, an FTX, or a BlockFi that you're not sure about, you still weight those threats as far higher than some of the ones we're going to talk about around going bankless with your crypto assets?

Yeah, or even doing self-custody with novel smart contracts that haven't been sufficiently vetted and audited and stuff. And the problem with any of these is that they can all lead to catastrophic loss. But in this sort of grand scale of things, if you look at the total stats of losses and types of losses that have been happening in recent years, it's still mostly trusted third parties, poorly audited systems. And even though wrench attacks are on the rise, relatively speaking, when you compare them to the greater ecosystem of threats, they're still very small.

Okay. Bo, what would you say to this same question, the greatest threats facing crypto natives in 2026? 
I would pretty much agree with Jameson's prioritization there, I think, especially with keeping in mind we may be heading into a bear market, we're in a bear market, however you want to think about it. You know, the risks like you mentioned of an FTX or, you know, last cycle Robinhood had people force sell their Solana tokens, you know, near the market lows, right? When you don't control your own tokens, a lot of bad stuff can happen, ranging from, you know, an exchange trying to do the right thing from a regulatory perspective to an exchange going under. Jameson alluded to this a little bit, but, you know, as crypto companies start to lay off their developing teams, because there's just less money in the space, those smart contracts aren't going to be audited as frequently. Scammers are going to focus, you know, potentially on that more than individual investors, because they know there's less people guarding those types of, you know, financial assets out there. So I would, I don't have a ton to add to that. I think that's pretty much where I fall as well. And would also add that, you know, as wrench attacks become more of a topic of conversation, they sound scary. But, you know, for the average investor who's listening to this, this podcast, like, you need to take care of that digital security side first. Because, you know, the odds of that wrench attack happening to you, compared to the hundreds of phishing attempts you'll see online through X or Discord or Telegram every day, it's, you know, you need to prepare yourself for what's most likely that you're going to encounter every day. So fully agree with Jameson there.

Actually, Bo, maybe that's a great place to start. And let's narrow the audience a little bit. So who you're talking about, too, on the Bankless podcast, as you guys probably know, is as we advocate the idea of going bankless, right? And so that has been what we advocate for day one for some of the reasons both of you mentioned. 
Third parties are the ones that often fail in a security setup. And those are the ones that lose your assets. So how do you solve for that? The cryptocurrency way, the Bitcoin way, the Ethereum way is you go bankless. Now, I feel like there have been increasingly some chinks in the armor with respect to that. Sometimes the user experience is sort of hard to do that. We'll talk about that. But then you can get past all of that and you can learn how to custody your crypto assets well. But then what's really thrown me for a loop has been both the phishing attacks that have gotten increasingly sophisticated and have tricked even seasoned crypto natives out of their assets. So that's one dimension that has been sort of a chink in the armor of the advice to go bankless to solve this if you want, you know, the 100% kind of security. And the other thing has been, quite frankly, wrench attacks. And these, while rare, they're incredibly scary. And they have been happening to crypto natives in the space. So maybe these are the two things I want to focus on. And Bo, you just gave us some prioritization there. And you said, by far and away, the biggest threat in terms of probability you're going to face if you are doing some self custody of your assets is probably some sort of phishing type of attack. And you said digital security, I believe, is the most important. Can you get into the types of attacks that are targeting crypto natives on the phishing side of things? And then give us some scenarios, maybe so that we can be thinking about this. And then we'll talk about how to protect your digital security.

Sure. And yeah, I think just to put it in like a little bit more of a framework, you know, I have a military and Intel background. So when we're planning, we talk about the most likely course of action and the most dangerous course of action. 
So for people, you know, who are concerned about crypto threats, the most likely course of action, right, is that, you know, you're going to encounter these digital threats. You know, we can talk about the specifics in a second. But the most dangerous course of action is that idea of someone's going to show up to your home, they're going to threaten you and your family, you know, they're going to potentially take your life, you know, in an attempt to get your crypto, right. So, you know, it is important to plan for both the most likely and the most dangerous courses of action. So it's not to write off the wrench attack threat at all. But yeah, I think some scenarios for some of the phishing attempts we've seen, you know, really, scammers are trying to do one of two things. And that is compromise your private keys, or it's to trick you into giving them permission to do something on chain. So I have an NFT background because I work with Pudgy Penguins. So using an NFT example, you know, when you're trading NFTs on Ethereum, you have to grant smart contract approvals for marketplaces like OpenSea to take the asset from your wallet that you're selling and transfer it to the buyer. And when you grant these approvals, you know, you're giving permission for that smart contract to go into your wallet, take those assets and move it. And so scammers develop phishing sites that, you know, essentially impersonate reputable brands in the space like OpenSea or like Pudgy Penguins and try and trick the user into going to that site. So you might be scrolling your feed on X and see Pudgy Penguins is launching a new airdrop, you know, come claim it now. And you'll go to that site, and it'll look just like our website, you'll see a connect wallet button, you'll, you know, connect your wallet, and the website's going to scan your wallet to see what assets you hold. 
And if you hold the valuable assets they're looking for, they'll present you with a signature that makes a call on the smart contract that you've granted approvals for. So they'll use the permissions you gave to OpenSea to take a Pudgy Penguin NFT from your wallet, and they'll transfer it to themselves. And they use, they can use gasless signature requests to do this, it's not very clear what you're signing. And so you can pretty easily, if you're not paying attention or tired, you know, you can give away your assets in seconds. And then another vector I mentioned, right, is they want to compromise your private keys. And so a major way that attackers try and do this is through seeding malware onto the devices that might secure your private keys. So many people enter in this space, I'm sure just like I did, which is you download a MetaMask wallet, you know, it's a hot wallet, your keys are generated online, they're stored, you know, locally. And so if you download malware, that can potentially take your private keys and fully compromise your wallet. And that can be distributed in a million different ways from downloading, you know, a mod to a game, if you're using a gaming PC for crypto things, we've seen you know, fake job interviews where the scammer tries to get a victim to download a, you know, a meeting software that might look like Zoom, you know, fake versions of, you know, Ledger Live, or other hardware wallet, local software. And the whole goal, right, is to get that access to your device that secures those private keys. So I think at a high level, those are two examples of the phishing we see. You know, I think we can talk about social engineering more broadly, but almost all of these attempts have, you know, elements of social engineering, which is really to try and twist someone's emotions into doing an action that they otherwise might not do. 
So, you know, claiming an airdrop, you're going to get free money, this is an emotional, you know, response that people are going to have, you know, someone potentially offering you a job has similar reactions. So I'll pause there.

Jameson, what would you add to the digital threats?

Jameson, I think that's a good rundown of the landscape of threats. And then I would say, the techniques for combating these are actually not that difficult. 
It mostly comes down to simplicity and minimizing your attack surface. So if you are doing any sort of regular trading or interacting with crypto networks on a browser or on a laptop or desktop, then you should minimize how many different types of software you're installing on there. Every time you install a new software, that's a potential threat vector. Also, you should be segregating your different types of wallets. Think of it in the same way as like, you have your wallet that you carry around with you with a little bit of cash and credit cards and stuff. That's your spending wallet. You don't carry around tens of thousands or hundreds of thousands of dollars with you in your back pocket. You shouldn't be doing the same thing with your crypto assets. You should be having your high security vault that is completely separate and hopefully cold storage and hopefully with like distributed keys if it's a life-changing amount of money that we're talking about. And then you have your small spending account that you're taking more risks with and it's not going to ruin your life if something goes wrong.

All that makes sense. I guess maybe going back to some of the things that you guys are saying is, Bo, as you were describing this, it almost felt like a paralysis sets in, which is like, I want the easy button solution and maybe the easy button solution is like, I just don't do anything on chain. You know, you're saying that smart contracts, for instance, I, you know, I could be tricked into clicking the wrong link and doing sort of a, you know, a phishing smart contract. Well, maybe I just stopped doing things on chain altogether. Is that an answer here? Like, because I think this is part of the challenge that Bankless listeners will be faced with as they hear about some of these scenarios, which is just like, well, maybe, maybe the answer is I should stop doing things on chain. You go even more extreme. 
Maybe the answer is I should just put my crypto assets into custodial ETFs and just kind of let it ride. Bo, are there like ways around this? Because I'm worried that the attacks get more sophisticated. I won't always have my guard up. You know, there could be a co-worker's Telegram account that gets hacked where they sort of analyze our conversation history. They sound just like the person I was talking to. I'm a little sleepy, a little groggy. I always click the Zoom link. And then I click the Zoom link and I log on and it's deep faked. It looks like the person I've interacted with and they somehow are able to socially engineer private keys out of, out of me. Well, like, I just don't want to click any links on the internet. I just don't want to join any, any Zoom meetings. What are some practical safeguards we can take on the digital security side that are like doable, but still have us able to actually live our day-to-day lives and do things in crypto?

Yeah, I think it's a great question. And I'm not going to steal Jameson's thunder on the ETFs, because I know he has some, uh, he's talked a lot about, about that, but like, I don't think the answer is, you know, just not doing things on chain, or I don't think the answer is, I'm not going to actually hold Bitcoin. I'm going to own an ETF instead. Right. I think, you know, it, especially again, in the NFT world, like you own these assets because they give you access to things. And so to just buy them and leave them in a wallet and never do anything with them is kind of defeating the purpose. Um, you know, similar to if you're interested in DeFi, right? Like, you know, and you want to go open liquidity positions or lend against your money or, you know, any of those things, like you're kind of leaving a whole bunch of options for yourself on the table. If you just say I'm, I'm not going to participate. 
Um, and so, you know, I think practically what Jameson was talking about a little bit about wallet segregation is super important. Um, you know, I have what I described as like a three wallet system where I have that day to day wallet that I, you know, carry around with me for tiny things. I have wallets that I use that are dedicated to riskier activity. So I'll, you know, if I wanted to sell an asset or interact with a smart contract, uh, you know, grant approvals, that kind of thing, I'm mostly doing that on a dedicated set of wallets. And then I have wallets that I never, uh, grant approvals on and I never really do anything with except for transfer assets to and from them. And that helps, you know, me know that my riskiest activity is far away from my most valuable assets. And really that system is betting against myself on some level that if I end up making a mistake, I know that I'm not going to have made that mistake on a wallet that has my most valuable assets. Um, and so I think, you know, having a simple system where, you know, you know what you're doing with each wallet, you understand what you have allowed yourself to interact with. Um, those are, are really important. Um, and the other thing I would say in general is, you know, wallet providers have gotten better. Wallet options have gotten better. Um, both at detecting scams at securing your private keys. You know, I think Jameson's company Casa is a good example of this. Um, there's, there's a bunch of alternatives out there to, you know, Oh, I clicked this Zoom link and all of a sudden all my assets are gone. Right. And that's not really how it works anyways, but you know, there's a bunch of alternatives to, yeah. 
If you, if I download malware on my MacBook right now, like I might lose a few hundred bucks in a hot wallet, but I know for certain that the way I've stored my private keys, the way that I've kept my seed phrases offline, they're not sitting in my notes app on my iPhone or my MacBook, like those things are not going to get compromised. And so, you know, I don't worry so much about, you know, what happens if I download malware? Is it going to impact my crypto assets? Because the system I've set up allows me to, to have some confidence, uh, and not worry as much about those scams. So I think it's super important for, you know, when we onboard people to the space for the first time to help them understand the consequences of certain decisions. Right. You know, so many people just use the same wallet for everything they're doing on chain and never think about, you know, uh, the risks of keeping all their eggs in one basket. Uh, so, you know, as simple as it is, like literally just having a wallet on a separate seed phrase that's written down and, you know, using a hardware wallet or distributed signers, like that's going to protect so much of your, you know, your stack compared to if you just keep it all on, on one, you know, MetaMask wallet, for example, or one hot wallet. So I think, uh, I would just wrap it up by saying, don't keep your, your eggs in one basket, you know, leverage the advantages of, of hardware wallets that keep your keys stored offline. Uh, that's something that really anybody who's got more than a thousand dollars in crypto should think about, you know, go out and spend a hundred bucks on a hardware wallet and start moving those assets from, you know, your browser extension wallet or from your iPhone app wallet, um, over to, you know, something that's a little bit more secure.

Okay. So wallet segregation, I think we, we picked up our first tactical to do, uh, from this episode. Now let's flesh that out a bit more.

Sure.

Okay. 
So what I want is a wallet segregation approach that the two of you would rate as like a, uh, you know, a nine out of 10 for, for instance. So right now it sounds like the worst thing you could do is keep all of your crypto assets in one wallet on like browser extension MetaMask. Like, do not do that. The worst thing you can do, but what's kind of, um, you know, uh, a segregation approach that works for the vast majority of people. Is it sort of a hot wallet, cold wallet? Are there kind of, you know, two and in the cold wallet, is that multi-sig? Is that hardware backed? Uh, and then how do you delineate what you keep in the hot wallet versus the cold wallet? And is there something in between? Is there like the idea of a warm wallet? Maybe Jameson, you could just flesh out what a, um, a fairly good wallet segmentation approach would look like for someone listening.

Well, I generally say you shouldn't keep more value in a hot wallet than you would carry around in cash in your wallet that you keep in your pocket. So, you know, for me, that would be maybe like a thousand dollars ish. Um, you know, it's, it's highly convenient, but it's also highly prone to a wide variety of different forms of, of loss. Really, if you have more than a few thousand dollars worth of assets, it starts making logical sense to spend a hundred dollars to buy one of the well vetted and reputable, uh, cold wallet, you know, hardware brands, whether that's Trezor, Ledger, uh, BitBox, what have you. There's plenty of them out there. It doesn't take too much research to figure out which ones have been around for a long time and have good reputations. Um, and, and that's good because you can carry that around with you if need be. These are incredibly tiny devices and you just plug them in, uh, to your, your phone or your laptop or what have you, if you need to interact with, uh, a crypto asset network to do something. 
And that protects you from like 95% of the bad stuff that happens out there. The only thing that you need to understand, uh, at that point is that you should never, ever, ever type that seed phrase into anything other than the actual tiny little, uh, cold storage device itself, because that's where the social engineering comes in. Um, you know, the, our best practices around security have increased so much over the past decade that that's why you see social engineering as the most common form of attack these days is because the, the malicious actors out there know that they're not actually going to be able to compromise these devices that are incredibly hardened and simple and difficult to get malware onto because they're designed to resist malware. So instead the weak point for most people these days is, is right here between your eyes is they're going to try to trick you and they're going to use very common tactics, um, you know, fear, doubt, urgency, uh, to try to make you think that there's some sort of emergency where you need to take action and you jump through hoops without really thinking about it too much. And I think that people mostly need to understand that as soon as you are taking custody of your assets, uh, you know, with great power comes great responsibility. You, you are taking on a great power because you no longer have to ask permission to use your assets as you wish, but now you are the bank and banks put a lot of effort into their security for a reason. There's a reason why banks exist. It's because people generally prefer to outsource all of the complexities of security. So, uh, one, one way I like to, to look at it is, you know, you know how there's a lot of drugs out there where on the label it says, you know, do not operate heavy machinery while taking this drug. I think that you should look at it as you should never operate a crypto wallet when you're not in peak cognitive condition. 
If you're under the influence of anything, if you're tired, if you're sick, um, you know, that can cause you to not be as aware and catch things where, uh, some attacker is trying to trick you. So, you know, I generally, uh, interact with the crypto networks as little as possible. And when I do, I only do it, you know, in the middle of the day when I'm wide awake and I don't have any sort of issues that might cause me to, to miss something. So you have to be very careful whenever you interact with your wallet. It is a potentially catastrophic operation because if you screw up, if you fall for a trick, there's no one out there who can undo it.

So I guess maybe an instinct if you're feeling some sort of rush from some source to do this transaction now, whatever the cause of the source, you should really pause, you should take a deep breath and you should try to wait, you know, 24 hours at least, uh, for that panic to subside. You shouldn't do anything in a rush or in a panic when it comes to on-chain assets. On the social engineering side of things, how about sort of reducing the channels? You know, I think a lot of crypto listeners, Bankless listeners are probably getting text messages, are probably getting, uh, spam calls from data leaks in the past, you know, purporting to be Google purporting to be maybe Coinbase support. You know, is the rule just like, don't answer any of those things or on Telegram, for instance, you get DMs and it's just this, this happens all of the time. We, we, uh, people say, Hey, is, is so-and-so a Bankless employee? They asked me to join this channel for an interview. And the answer always is like, no, like that's not how we contact you. But like, is the answer just don't, uh, respond to a DM or a Telegram message from a source that you don't trust or haven't authenticated via multiple channels? 
Like, do you guys have general rules of thumb to prevent yourself and harden yourself from being socially engineered by an email, a link, uh, something that happens online, a text message?

Yeah. So, uh, the key word that you used is authenticate. And the short version is that almost every communication channel out there is not authenticated. Um, there are very few, maybe, so basically like end to end encrypted channels, like if you have a Signal chat pre-established with someone where you've already verified, it's then historically maybe WhatsApp, uh, beyond that, you know, email, text message, Discord, Telegram, all of these other things are not authenticated. And it's very easy for people to just pretend to be someone else. So the short version is I don't trust any incoming message. If you receive an incoming message that seems fishy, then what you should be doing is then finding, uh, how to contact that person yourself, preferably via a different communication channel and asking them, Hey, is this you, can you confirm or deny?

Now, cat and mouse games, right? Uh, happen with, with this type of thing. So some of the attacks are getting more and more sophisticated. So imagine a scenario where it's a loved one who calls you and it sounds like their voice, for instance, and they're asking for funds for some sort of urgent use case. And it sounds just like them. Maybe it looks like it's coming from their phone number. Even, um, I've heard people talk about instituting, you know, safe words for their close social connection, which is some sort of a prompt or a way to prompt, uh, one of your loved ones, your individual, you agree upon the safe word, um, you know, in advance. And that allows you to authenticate. What are some of the best practices there, Jameson?

Yeah. 
I mean, so the main reason I'm not a fan of safe words is because unless it's, if you're picking something kind of unique and you're not practicing it regularly, then when you get into a situation where someone's under duress, you may very well forget it. I prefer to use, uh, shared insider knowledge. So, you know, if you and a friend or you and a loved one, uh, have an extensive history together, then there's going to be no shortage of like memorable events that you share that are not public that you can ask each other about. And of course you can discuss that ahead of time. Um, but I think that that's something that's easier to keep track of and be sure that you're just, you're not going to, you know, uh, draw a blank. If you get into a situation, you don't want there to be some random word that you, uh, only talked about once five years ago. I've completely forgotten. So if you're doing a safe word, make sure you practice that on a routine basis or otherwise just, you can authenticate by calling, you know, like recalling some sort of shared memory, some sort of thing only the two of you would know. And I guess, you know, hope, hope that works out. But Bo, do you have anything to add on, on the social engineering front? Yeah. I think, you know, just on safe words real quick, like that's a concept that in the intel world obviously is very, you know, common. Um, you know, when you're meeting someone in real life, you want to establish bona fides, you want to make sure that this is the person you actually are here to meet. Right. And Jameson is exactly right. That takes practice. Right. So doing something that's more natural, just, you know, having those shared memories is, is way more effective than, you know, trying to force your loved one to bring up banana in a conversation. Right. Especially, especially if it's, if it's like a wrench attack scenario where they're under duress, that kind of thing.
On, on social engineering in general, I think, you know, my rule of thumb is, if I receive an incoming message from a crypto, uh, you know, website, or really anything crypto related at all, an exchange website, you know, app. Um, if I feel so concerned about whatever that incoming message is, I would go log into that website directly. I would not click the link in the email or the text message. I would not call the phone number that the text message tells me to call. You know, I can always log into my Coinbase account and I can check, is there a suspicious login? Right. There, there's a, you know, there's a spot to see that in your security settings of your Coinbase account. So, you know, trusting that source directly authenticating that, you know, the information you're getting from Coinbase is actually from Coinbase. You can do that by logging into Coinbase. Right. So, um, you know, of course that's dependent upon you doing that independently, typing the correct, you know, website in your browser, logging in and making sure it's the correct website. Right. You know, that message saying, Hey, your Coinbase account has been hacked. Click here to reset your password. Like that's never going to help you. Yeah. Another really common thing that very few people, I think, appreciate is how many types of attacks a simple password manager protects you from. And the reason for this is like Bo was saying, often these incoming messages will have links and phishers will basically try to trick you into putting your credentials into their web portal, which they'll then grab and use to actually log into your account and drain everything. But if you're using a password manager, you should only be clicking on the password manager to have it auto fill your username and password.
And the reason why this is so powerful is that there are things out there like typosquatting, where they'll buy these domains that to the human eye look exactly like the target's domain, like the coinbase.com or whatever. But the password manager can tell the difference. And if you end up clicking on one of these phishing links to a domain that looks the same, the password manager will not auto fill it. And that's another major red flag. Okay. So another recommendation is password managers. Go ahead, Bo. Yeah. And I think it's a very similar concept to what Jameson is describing with 2FA and multi-factor authentication. You know, when you use a key like a YubiKey or even most passkeys, right? Those will not authenticate on those fake phishing websites. Whereas if you're using Google Authenticator and it's giving you a six digit code, you are a vulnerability in that you can provide that six digit code on a phishing website if you're not paying attention. And, you know, at that point, your 2FA has not done anything for you because those websites are running a script on the back end to immediately take your 2FA code and go plug it into the real Coinbase website, for example. So, you know, plus one on password managers. And when you're thinking about 2FA, you know, I think buying a YubiKey for $50 is a great investment for anybody period. But especially people in crypto, you know, that's something you can add to your Coinbase account. That's something you can add to most other exchanges. So a big, big plus one then for password managers plus 2FA for all of your accounts in general. And the gold standard for 2FA is getting used to actually using a physical YubiKey at some level and storing that and protecting that and backing that up appropriately. SMS for two factor. Yeah, we do not like SMS, right? The reason, of course, is if you get a text message, you could be SIM swapped. It is incredibly insecure. Do not use SMS.
The authenticator codes, that's better than SMS if you have to, but then the gold standard would be a YubiKey. It sounds like that's the recommendation. Jameson, you look like, yeah, got it. So the specifics of what we require our employees to do at Casa is highest preference is YubiKey, like FIDO2 tap or passkey on YubiKey; the newer YubiKeys support passkeys. And as Bo said, passkeys are a great improvement upon all other types of 2FA because they are bound to the domain name. Next one below that is the TOTP, the time-based one-time passwords, which is the six-digit rotating passwords. Many people just say Google Authenticator because that's the most common software. But Google Authenticator itself I hate because by default, it will actually upload all of your secrets to the cloud, to your Google Drive. And so then if your Google account gets exposed, they can grab all of those. The cool thing once again about YubiKey that I think a lot of people don't know is that even if a service doesn't support the FIDO, U2F, or passkey on YubiKey, there's actually some software for YubiKey called Yubico Authenticator. And that's like Google Authenticator, except it stores the secrets on the hardware device itself. So once again, you're getting all of that physical security where unless an attacker actually takes physical control of that YubiKey, they can't do anything. And then the last vestige of 2FA beyond that would be like email and then potentially SMS. There are still actually often banks only support the SMS 2FA and there's not much you can do about that. Personally, what I do is I have a ton of different virtual phone numbers and those virtual phone number services are segregated and they're set up behind their own credentials and they can't be ported away. And so it's about as good as I figure you can get when it comes to SMS security. Can we say on digital security a word about email?
Because so often as the founder of ProtonMail came on recently, he said email is not just email anymore. Email is actually identity. And so the talent here is if your email gets hacked and many listeners will be using Gmail and there's lots of like challenges with Gmail. I advocate advanced protection, you know, remove, for instance, the recovery phone number and the recovery email address. Those defaults are equally pernicious as kind of the Google Authenticator default. And then where possible, I mean, don't use Gmail, right? I mean, you could use ProtonMail. You can actually set up aliases and identities for various accounts. Jameson, what do you think of that advice and what would you add to the email conversation? Yeah. So what we see most often with social engineering is that they're trying to get into your email account because often most people don't have strong two factor authentication. And if you own somebody's email account, you can reset their passwords and their 2FA and then get into any third party services that they want. And so I would say email account for most people is the most important aspect of their digital lives. And so I will once again, say YubiKey is the answer. And so you can buy multiple YubiKeys. You don't have to just buy one because obviously if it gets lost or broken, that becomes a big problem. You can buy three, four, five and then have several that are like backups. You can even put one of them in a bank vault, for example. So you know that's not going to get lost. And that's just an extreme edge case recovery scenario. But by this is very, very high level, like everything that we're talking about, all types of cybersecurity, the strongest security model that you can create is when you can actually take all of these digital security issues and pull them out into meatspace, turn it into a physical security problem. 
And generally the way that you do that is by some sort of physical security hardware device, whether it's, you know, one of the, like, Trezor, Ledger or whatever on the crypto side or YubiKeys or other digital secrets managers that are used for a variety of different authentication mechanisms. I just want to drop a word of encouragement to listeners at this point of the conversation, which is the investment that you'd make in passkeys, in YubiKeys, in securing your accounts. This is kind of a frontier investment because I think I am very much of the belief that the attacks that are happening to crypto, crypto is like tip of the spear. The attacks that are happening sort of in crypto in these sophisticated ways, they're coming to everything. And everyone is going to have these types of protections and securities in the future because it'll just be basic. If you don't, you'll get completely owned. I guess what I'm saying is this investment that you're making in protecting your accounts and in, you know, passkeys and YubiKeys and password managers and all the security investment, that's just going to put you ahead of everybody else. But everybody else is going to have to adapt to this world as well. So it's not wasted time. It's not just a niche crypto thing. Everyone needs to have this type of security and will in the future, whether it takes, you know, three to five years for the rest of the world to catch up. And the unfortunate aspect of security in general is that, you know, there's always going to be attackers. And so you're never going to have perfect security. All you want to do is have better security than the other people because they're going to be the ones getting targeted. The attacker will be surveying the landscape of potential targets and say, oh, that looks too hard. I'm going to go over to your neighbor instead. Last thing before we leave digital security.
I have seen cases where somebody did click the link, let's say, and download the malicious Zoom software and their entire machine is completely owned, like root level access to everything. And of course, like solution there is don't let that happen in the first place, but it can still happen. And I want to ask a question about maybe another thing I've heard some crypto folks do. And this might be a bit more advanced, so maybe not for everyone. In addition to sort of multi-sigs and the hardware wallets and the segregation that we talked about, how about a separate machine entirely for signing that doesn't get connected even to your public Wi-Fi? What do you think about that as a foolproof method where you don't do any crypto transactions on your regular daily machine? If you ever do them, you do them on a transaction signing machine that is segregated, that doesn't click Zoom links at all, that doesn't open emails, and it's just for one purpose. And that purpose is when you have to sign an important crypto transaction. Yeah, I mean, this falls under minimizing attack surface. And, you know, before Trezor was the first crypto hardware device to launch, and that was in 2014. And before that, air-gapped laptop was really the gold standard for doing anything. Okay. Yeah. So maybe we're coming full circle. All right. So, Jameson, you just made the point that what you want to try to do is move some of the digital into the physical realm. So you have your hardware devices and YubiKeys and maybe separate air-gapped laptops and that kind of thing. But let's talk more about the physical realm because the attackers have moved to the physical realm as well. Let's talk about what, Bo, you called the most dangerous type of attack. We've addressed the most likely. Hopefully you have some tips now, listeners, on how to navigate that, how to protect yourself.
Let's talk about a particular form of concerning attack, maybe the most dangerous type of attack, which are these violent in-person attacks. Bo, what are you seeing with this? Can you give us some numbers on these types of attacks, wrench attacks, numbers like a profile of what typically happens, who they're targeting? Just give us a rundown of what things look like in 2026. Yeah. So I think there were just over 70 attacks last year that we know of, right? A lot of these attacks, we assume go unreported or if they are reported, it's possible that there's not a crypto connection identified. Heading into 2026, I think we've seen 10 or 11 so far this year, maybe a couple more. So, you know, there's definitely like, again, when you think about the scale of humanity, right? There's 8 billion people on the planet, like we're talking about 100 incidents in the last 12 months that we know about, right? So it's relatively small scale, but it's very targeted. So it really starts with your digital security and your privacy, right? These attackers are looking to identify people in the real world who have control of these digital assets. So they're looking at people's Twitter accounts, they're looking at people's on-chain wallets, you know, they're looking for people who flex their wealth, and you can obviously see that this person has money, they might be a target of interest. And then from there, they try and say, okay, can I identify who this person is, right? A lot of us operate pseudonymously, right? I would not say anonymously, because none of us are really anonymous, but you know, a lot of us use pseudonyms online to hide, you know, what our true name is. You know, then they, if they can get through that barrier, right, of identifying who this person might be, they're going to start doing what, you know, we would call open source research, or OSINT research, you know, looking for that intel they can get on that person online.
And so what this looks like is, you know, buying data on the dark web, or, you know, using cheap or free online search engines that let you look up, you know, email addresses and phone numbers and, you know, home addresses to identify, you know, where this person might be physically located, right? You'd be surprised how many states in the United States, you know, you can find someone's home address just based off of voter registration records, or based off of, you know, speeding ticket, or court appearances. It's, you know, our system is not designed around privacy in the digital age. And so, you know, really, everybody has this problem, if you've been online for, you know, 10 plus years, you know, all the accounts that you've signed up for, you know, I was helping someone with data breaches a couple weeks ago, you know, their home address was leaked in an airline, you know, data breach where they had to provide their date of birth, their home address, like their residency and citizenship, you know, their phone number. So all of these pieces of data come together for a potential attacker to, you know, really identify where this, you know, person they found online might be located in the real world. And sometimes we're seeing this where people are doing their research themselves. This is like a sophisticated, you know, organization that has people doing this research has people on the ground. Other times we're seeing people in the digital space, sell this data to people who are willing to conduct those real world attacks.
But you know, the attacks look a little bit different, depending upon the situation, but often we're seeing them occur at home, you know, someone walks up to your door pretending to be a delivery driver, a police officer, you know, some plausible sort of reason why they would be at your home, they knock on the door, you open it, and then they, you know, either try and convince themselves, convince you to let them into the home, or they'll force themselves into the home, right, by brandishing a weapon or, you know, physically pushing through the home. And then, you know, a common thing we've seen, right, is attackers, you know, detaining people, right, tying them to a chair, something like that, threatening them, essentially trying to get them to share where their, you know, crypto wallets are, where their seed phrases are. And then their goal, right, at that point is to find that information and, and get out as soon as possible. We've also seen instances where this turns into like a kidnap for ransom type situation where, let's say, you know, they burst into a home and, you know, the keys aren't stored there, or the wrong person is at home, etc., you know, then they might get in contact with the person who does control the funds and say, you know, I have your loved one, you know, send me $10 million in Bitcoin, right. So, you know, there, those are some of the tactics we've seen, it's a little bit different depending upon, you know, again, the situation, we've seen people grabbed off the street, you know, we've seen people, you know, kind of mugged, right, walking in and out of office buildings. You know, for the most part, these are targeting, like, you know, well known figures in the space, influencers, you know, executives of crypto companies, their family members. Yeah, so that that's sort of, you know, from step A to Z, how does it go? And I'll let Jameson add anything if he has something.
Yeah, and Jameson, while you're adding, can you tell us what in the world is happening in France right now? Because it seems like there is a very active cluster in France. And so people in the crypto community in France are really dealing with this. But it's not limited to France. I mean, these types of attacks are happening all over Europe. They're certainly attacking, they're happening in the US and they have happened in 2025 in the US and just the way Bo was describing. But there does seem to be some cluster in France. What's the pattern there and why? I think there's a number of things going on. Though I will note, I did an extensive breakdown of this in a presentation I gave last year. And on a per capita basis, France was still not in the top few. It was actually Dubai on a per capita basis that has the most wrench attacks. And if I recall correctly, pretty much all of them were due to people engaging in high value face to face OTC trades. So basically, someone showing up usually to a hotel room with a briefcase full of cash and wanting to do a swap one way or another. But the other interesting thing is that Dubai also has the highest rate of bringing the criminals to justice, 100% capture rate of the criminals, probably due to their high level of surveillance throughout Dubai. So what's happening in France? I mean, I think there have been several organized gangs that have been operating. I know there was one where I think the mastermind was operating out of Morocco. And I think that he got caught last year. Another thing that has happened is that we know that there is a corrupt tax official who was selling people's private data. So people who had crypto related stuff on their tax returns, that was getting sold to some sort of organized crime groups. Um, insane. So essentially a government bribe to say, yeah, who has crypto, who's likely to have this value? And you know, you have to report these things to the government in France.
And so they just bribe an official, the official gives up names and addresses. Yeah. And so there was a similar problem actually in Sweden, where Sweden requires you to make all of your tax information public. And so there were a number of wrench attacks in Sweden, because you had to basically tell the entire world, Hey, I'm declaring crypto on my taxes. And I don't know, I mean, I haven't been to France in a long time, but I certainly see a lot of feedback on these posts of people basically claiming a sort of like cultural decline, uh, occurring in France where there's a sort of lack of law enforcement. Um, it seems like they are catching a number of people, but it also seems like, uh, a number of these people who are getting caught are not getting particularly severe punishments. And to your point too, Jameson, like the pattern is like, oftentimes there will be an external actor, a mastermind who might be completely remote, um, trying to parse through the target data and who then kind of, I don't know, hires, works with, splits, um, proceeds with kind of a more local group of thugs, young thugs with nothing to lose, you know, maybe not, does not have the capabilities to do all of the, uh, operational intelligence in order to target people. And that mastermind sometimes can be very tricky to, uh, pin down even if the kind of the local thugs are actually captured. Yeah. And then remember, uh, Ledger is based in France. I'm sure they have a lot of French customers and they've had a number of data breaches over the years, though I don't think we have any information to directly tie the data breaches to the attacks, but it seems quite plausible that that's yet another factor here. Um, you know, with the, the organized crime groups, another, uh, pattern that we've seen, though it's mostly been happening in Southeast Asia, is we've been seeing organized crime, uh, gangs from one country go, uh, like find out about nationals from that country.
And then when those nationals go on vacation to a different country, usually in Southeast Asia, they'll send the people over there, wrench attack them and then fly back. Wow. And I think this is an interesting, like, cross-border jurisdictional arbitrage type of organized criminal activity happen. Okay. So, especially in the E, in the EU too, right, where, you know, you can get from France to Switzerland without showing a passport, or you can get from, from France to Spain, right? It just gets you one jurisdiction away very quickly. I think one of the more recent attacks in France, the attackers ended up getting caught on a train where they were going from Paris towards Southern France near the Swiss border. So, you know, the idea of conducting the attack and then quickly moving either into another jurisdiction or far away, I think that's the attractive thing about Europe. Okay. So the scariest version of this, I think to many people may be listening is, is not the version where they're meeting somebody in a parking lot or, you know, they're, they're flashing their, their assets on, uh, social media. At some level, I think most listeners to this are savvy enough not to do those types of things. The, the most scariest version, if, if you're thinking about the kind of the most dangerous category, Bo is, um, some mastermind has pinpointed your, um, physical address and to your point that is incredibly easy to do in this day and age. I mean, maybe we can get into if there's a way to actually protect, uh, your physical address and, and have that be private, but they, they know your, your, um, location footprint. And they also, maybe they have some idea that you are a crypto holder, um, by virtue of data leaks, maybe a hardware wallet data leak, maybe an exchange data leak, maybe the tax software that you're using. 
This was also a factor, I think, in some of the, the attacks in France, you know, use tax software to submit your, uh, if it's automated, you submit your addresses and what happens if that information is, is, uh, leaked. And so, um, all of that information is out there. And then let's say you are pinpointed and an attacker knows your addresses, knows how much in crypto assets that you might hold, has some sort of inkling in terms of how you actually might hold these assets and comes and breaks into your house, a home invasion and threatens you and your family. I mean, that is like nightmare fuel, I think, for a lot of people listening. And we've already prefaced this by saying this is, uh, still extremely rare and is not the, the vector of attack that most listeners should be most worried about. However, it is the most, uh, panic inducing, I think, and, and concern inducing attack. So can we talk about how to mitigate that? All right. And I know there's nothing, no such thing as a a hundred percent security guarantees, but I am a believer and, you know, having done some research on this and, and talk to both of you, that there are a number of things listeners can actually do to reduce the surface area of this type of attack and not eliminate it, but harden against it. And so let's talk about that. Jameson, how does somebody listening to this, uh, shore themselves up against physical home invasion level wrench attacks? Well, like I said at the very beginning, the most important, or I would say easiest thing you can do is, uh, privacy and is prevent yourself from becoming a target in the first place. But as you have noted, uh, that can get very tricky, especially depending on what jurisdiction you live in. You're going to have different tools available to you, uh, different things that you may be required to disclose. 
Um, at least in America, we have some excellent legal tools, uh, with like trusts and limited liability corporations, where you can obfuscate the true ownership of publicly registered assets, like homes, vehicles and whatnot. And I take advantage of all of those. Um, and then you have to get very comfortable, uh, with not putting your home residential address into any sort of form or database. You have to assume that that is going to get leaked eventually. And so, you know, I have a variety of, uh, mailboxes scattered around that I use whenever anything is asking for a physical address. Um, but another thing that I would note is that this wrench attack problem is not limited to self custody. I see a lot of people kind of FUDing self custody, like, well, you know, if you weren't custodying your assets, then you don't have to worry about being wrench attacked. But a number of these, uh, cases, people were actually keeping their assets with a custodian and, you know, the wrench attacker just says, okay, you know, go authenticate into that custodian and withdraw all the assets. So it doesn't really make much of a difference to the attacker themselves. Um, because it all comes down to single points of failure. And this is where things get complicated, because very few people think, uh, adversarially about, uh, their security posture. And so the, the short version to all of this, and the reason why wrench attackers are so successful, I think they generally have a greater than 50% success rate. And, uh, from the metrics that we're aware of, um, on an annual basis, we see them getting away with tens of millions of dollars. And that's just from the attacks where they disclose the amount that's taken. Many of these attacks, they never disclose the amount. But think of it this way.
If you are able to transfer large amounts of value, uh, without leaving your house, then you have a single point of failure, because you basically have to look at a wrench attack scenario as one where you, you know, your, your body or your body of someone you care about is under physical duress and all of your normal authentication procedures can be bypassed because they will be bypassed by you because you know how to do it. So the only way to truly prevent, um, a wrench attack from being successful if they have already gotten past any privacy protections you have is to take yourself out of the equation as a single point of failure, which basically means, uh, you know, you should not be set up with, at least with your like long-term savings, cold storage, such that you can, uh, authenticate and transfer that value, uh, without having to physically go to multiple locations and go through multiple physical authentication procedures. You know, this is one of the things that we help people set up at Casa, which is basically a distributed key system where you have physical hardware devices that are geographically distributed and, um, are using multiple different manufacturers to prevent against things like, uh, supply chain attacks and just ensuring that you have strength through diversity. It's a, it's a very interesting, um, aspect of security when you can have multiple keys that have different security properties around them. You get this cool additive security, uh, aspect to your setup, which very few people I think are even aware of. And the reason why I find this whole thing fascinating and why I've been doing this for over a decade is because I argue that if properly architected with, uh, crypto public permissionless networks, you can actually achieve security models that vastly exceed what a bank can do or even a Fort Knox can do.
Even Fort Knox is a single point of failure and you can distribute, uh, you know, your keys and your security across multiple continents if you want to. Like we have some extreme edge case clients that literally have to get on a plane and go through all the physical security of TSA and airport and such. Like, you know, nobody is going to be holding you under duress and being able to go through that level of physical security, uh, in order to get to your other keys. Let's zoom in on that because, um, I actually wrote, uh, an article about this and, and published this on X and, um, on Bankless. And it was basically the idea of zero crypto at home. And this is kind of the revelation after listening to security folks for, uh, some period of time that the gold standard for defense against a successful wrench attack is actually Jameson, as you say, you have almost zero, zero, zero crypto at home. So the way I define this in my, like in a memetic format is no hot wallet at home with funds over $1,000. All right. You just, you wouldn't carry that in home at home or on your person, no cold wallet at home period. Okay. And no exchange, this is key, that allows moving funds without verification and delays. So zero crypto at home, you know, you have it when you don't have the ability to access your funds without a time delay, without multiple locations, without possibly some sort of third party authentication, say safe deposit box or some sort of other location where you access one of the pieces of your multi-sig and you make that a thing, you make that your posture. You could still go bankless of course, but you just don't have access to any of your crypto assets. And to me, as I was uncovering this, so maybe we'll dive into that, um, a little bit deeper, actually Jameson. So if somebody wants to implement what you're saying and what I wrote about, which is zero crypto at home, what sort of tools do they need in order to implement that?
I feel like the core of this is kind of some sort of multi-sig wallet, potentially with time delays and a way to, and also, um, if they keep any crypto assets on exchanges, also setting it up such that, you know, something is required before they can access those funds, maybe a time delay before adding a wallet or something like that. Can you break down what a zero crypto at home strategy might be for the average listener who's, who's trying to do things a little more banklessly? Yeah. Like I said, uh, our primary goal at Casa is eliminating single points of failure. And that includes Casa itself as a company. Um, if Casa blows up, we're, uh, still going to be able to sleep at night knowing that our clients can route around us and still be able to access their funds. But, um, the first, like the foundational part of it is using these air-gapped devices, you know, the Ledgers and Trezors and whatnot, um, to, to take those keys off the internet, because as I said, that's, that protects you from like 95% of attacks. Um, as soon as you do anything on an internet connected device, you basically have a door open to 8 billion people to knock on and try to get through. Uh, beyond that, once you've gotten those keys offline and into self custody, the biggest problems that you are actually going to run into tends to be, uh, foot guns where, you know, you make a mistake, something goes wrong. There's some sort of maybe environmental failure, you know, house fires are a thing. Uh, you know, you shouldn't be storing everything at home because that is a single point of failure. And so it becomes, uh, less of an issue of like hackers and attackers and more of an issue of having enough redundancy and resiliency so that when something goes wrong, because something will go wrong eventually, but when something goes wrong, it's not a catastrophic failure. And that once again is where multi-sig really comes into play.
It's great because you have the flexibility to set up a digital vault that has many different keys. Uh, perhaps it has three keys, five keys, 10 keys, um, really as many as you want. And then you can have, uh, enough flexibility in there that if you lose one or two or three keys, you're most likely going to have other keys available. But of course this is where it's not a panacea. It, the devil really is in the details. If you have, if you set up a five key vault and keep all of those five keys at home, and we have seen people do this, you still have a single point of failure. Uh, it's really important part is to distribute those keys so that they have a variety of different attributes. You know, you put the keys on different hardware devices by different manufacturers in different geographic locations. And, and all of these things come with decisions. And that's where I think people can get very paralyzed. And that's why services like Casa, I think are very helpful because we're essentially a security consulting service. We help you understand what all the trade-offs of these decisions are. And usually each of these decisions is going to be you trying to figure out convenience versus security. So a simple example is how far apart are you going to put those keys? You could put them one house down and it's really convenient, but perhaps not incredibly secure. The extreme example I already gave, you can put them on different continents that require you to take flights, which is the extreme level of security. You even are at the point there on jurisdictional arbitrage if there's some sort of government level action against crypto. But of course it's incredibly inconvenient. So it really comes down to robustness and, and having the ability to recover from failure. And you do that by distributing the keys across as many different vectors as possible. 
Let's just run that by the attack scenario we're talking about, which is let's say you're targeted in some way. You have a multi-sig setup, whether it's, you know, Casa. Casa, I believe, supports Bitcoin, supports Ethereum, supports stablecoins and those crypto assets. There's other multi-sig technologies as well. There's, you know, SAFE, for instance. I've heard about people using Bitcoin vaults like Zengo. Anyway, you have your multi-sig set up. So what happens in a wrench attack type of scenario? So someone busts down into your house and then what? You say, I've got zero crypto at home. I mean, obviously they're not able to get the crypto assets or, you know, I mean, could they drive to a second location to try to pick up your other multi-sigs? Like what happens? How does this in your scenario planning, Jameson, actually prevent a successful wrench attack? Yeah. So, I mean, obviously the next question that they're going to have is, okay, what is actually needed in order to access these keys? And that's where the details really become important, where if you're just putting the keys at a friend's or neighbor's house that's only a few minutes away, that's probably not great. And you should assume that you will be coerced into telling the truth because you're going to be under duress. It's going to be a very bad situation. And, you know, lying and getting caught in a lie is only going to make it worse for you. So that's where having keys behind physical safeguards, where they are only accessible, perhaps during certain times of day, business hours, where there are other layers of physical authentication to make sure that it's actually you that is going through them becomes very important. So like a bank safe deposit box is like a classic example of this, right? Yeah. 
And so this is also why multi-sig is important because I would not advocate taking a single key to a single signature wallet and putting it in a bank safe deposit box because that's still a single point of failure. The bank could have an employee that goes corrupt. Or we've even seen times when law enforcement has come in and completely swiped entire safety deposit box. This is happening in California. There's some other states that have done this. Yeah. But if you only have one key to a multi-sig once again, you could lose access to that. It could be taken or destroyed and it's fine. You can recover from it with your other keys. Okay. So if you're, if you're doing that correctly, then the attacker basically can't get anything. I mean, like, will they be frustrated that they can't get anything? Will they believe you? Like I, you know, what else can you do? It doesn't matter. It doesn't matter if they believe you. And now, of course, the next question is what are they going to do as a result of being frustrated? And the next logical question most people ask is, well, should I have a duress wallet to try to pay them off and make them go away? And unfortunately, we don't really have any data that shows that duress wallets work. We've actually seen the opposite where people have immediately handed over everything that they had and the attacker believed that they had been trying to dupe them with a duress wallet and they kept torturing them for a long time before they finally got frustrated and ran away. The one thing that I will say I think works in the favor of victims here is that there's a very incredibly low rate of homicide from these attacks. If you think about it, these are robbers. They, they are willing to use intimidation and some level of violence in order to get a very, very large payday, but they generally are not willing to actually murder someone and have, have law enforcement come after them for murder. 
Because any, any criminal who is at least seasoned and understands the way that law enforcement and the justice system prioritize going after attackers is that homicide has the highest clearance rate and gets the highest level of resources put behind it. And so you don't want to be on a law enforcement's radar for homicide. Yeah. Okay. So this is also what I added when I was thinking through my article about zero crypto at home. So first, first step is implement zero crypto at home. Actually don't have it, don't have access to it. And using, using some of the mechanisms that Jameson just described. One other idea I had is writing a note actually, or having some sort of thing that you prepare in advance that says, I'm zero crypto at home. I keep no crypto at home on my phone, just pocket change. I have the pocket change, the less than $1,000. Go take that. I have nothing else. And then I do think if you're public, there are ways to sort of signal this or, or talk about this. Vitalik Buterin has actually done a pretty good job in places and tweet replies. For instance, he's talked about his multi-sig setup. And he describes it as, it's an M of N, some keys held by you, but not enough to block recovery and the rest held by people you trust. So he's got kind of a social recovery mechanism. Don't reveal who those other people are even to each other. And so Vitalik has publicly said this, that he is kind of zero crypto at home. So if an attacker gets access to him at some level, there's nothing he can really do. And I think to your point, Jameson, earlier that a large number of these attacks so far have actually been successful. And that's why they, that's why they keep happening. That's why they propagate. If that 50% number drops down to like 2%, to 1%, it becomes very much negative ROI for attackers to actually do home invasions and do wrench attacks. And they will stop happening. That's not going to happen overnight. 
But this is how we as an industry can get control. Now, of course, the ideal scenario is that your house doesn't get invaded in the first place. And maybe Bo, you could talk about that at some level. So how do you be vigilant against an invader? Maybe it's a delivery person, for instance, or in the middle of the night, somebody breaking down your doors. What are some of the nuts and bolts that somebody can do to actually harden their location? Let's assume that privacy is not an option right now. They'd have to maybe move homes and do some of the things that the Jason Bourne things that Jameson is putting in place to protect their address. Let's say that's not an option. So they know their address is out there. Are there ways to harden their house or put protocols in place to actually protect themselves as well? And go back to what Jameson said earlier about sometimes you don't need to be the most secure person in the world. You just need to be more secure than the next guy on the list. And becoming a hard target is really, I guess, thinking of your home as a hard target versus a soft target is what's really important. So adding some cameras to the front of your home that are visible, but also effective in identifying who's coming up to your door. I like the idea of floodlights at night, right, that are motion sensor and someone walks up, climbs over your backyard fence and walks up to your house and all of a sudden, boom, they're hit in the face with a light. I'm a big fan of the concept of using a home security system or there's even some fairly cheap options for panic buttons that you could set near your front door or put it in your office where they're probably going to take you if they were coming into your house here. Obviously, I think there's some common sense what you're alluding to of don't let people inside your house who are strangers, right? 
In San Francisco, we saw an example of an attack where the fake delivery driver was asking for a signature and he pretended to not have a pen to hand the customer to sign their signature. So he asked if he could come inside to get a pen for the customer to sign the delivery notice on the package. And that was his lie that he used to talk himself into the house. So being aware of like, you know, people might give you an excuse that sounds somewhat legitimate and not letting them inside. A couple other things I like to recommend to people is, you know, you should identify, you know, some sort of, you should have a conversation with anyone you live with at home about these, these concepts, right? Whether that's your spouse or your roommate or whatever, so that they understand that same type of risk. And, you know, really importantly, in that moment that you have a plan, right? So, you know, maybe your safe room that you designate is your bedroom, which has another lock on that door, you know, where it maybe has a phone that you know you're going to be able to alert the police, or maybe that's where you put a panic button to, you know, alert the police at that time. You know, I think it boils down to, you know, make sure that if someone's like scoping out your house, because we know they do this, right, they're going to case your property before they go and conduct an attack. Like if they see cameras out front, if they see, you know, motion sensor lights, they might be discouraged from conducting, you know, that sort of attack. And then once something happens, like, don't just be blindsided by what's happening right in front of you. Have a conversation with yourself and the people you live with ahead of time of, you know, what do we do if we think someone's trying to break into the home, right? The first time you think of that shouldn't be when it's happening to you. 
And it can be as simple as I have a panic button in this location, I'm going to go press it, it's going to alert my security company, they're going to call my cell phone, I'm not going to pick up. And so I know the security company is going to go call the police. I personally, I'm an advocate of self-defense. I think, you know, I'm not going to recommend that to people on the call because I think it's, you know, it really is a very personal decision whether you choose to fight off an attacker, whether that's grabbing a baseball bat, or whether that's, you know, using firearms or something else. Like, you know, you may be making things worse, if that's, you know, what you choose to do. If you're not trained, you don't know what you're doing. But like, that's a part of my personal security plan, right? If someone breaks into my home, like, I am prepared to respond to them with with force, right? So, I think there's a bunch of different options there. The basics should be, you know, how do you make your home itself a hard and unattractive target, through the use of cameras, through the use of lights, through, you know, having strong locks on your doors, I mean, windows, people can break through, right? A security system that will alert people, if someone does try and break into your home. So, in the United States, this is like your classic ADT security system, those panic buttons I mentioned. And then the last thing I'll mention is, a lot of people don't live in homes, right? They live in apartment buildings, they live in, you know, in these kind of shared spaces. And that can be to your advantage or disadvantage as well, right? 
If you live in an apartment building, that requires key fobs to scan up to the elevator, it requires, you know, that has a 24/7, you know, desk person or security guard outside your door, those factors might discourage people versus, you know, if anyone can, you know, like, I remember in college, you know, when we were sneaking into our buddy's apartment buildings to go, you know, to the pregame, right? Like, you would just tailgate someone into the building, and there was very low security. So, when you're choosing where to live, especially when you're moving, you know, those are some factors you should think about is, how secure is this location I'm actually moving myself into? Does it deter an attacker because there's a camera up front, or there's a security guard sitting at the desk? Could someone scan up, you know, just walk to the elevator, press a floor and get off, right? Or do they need a key fob to actually get up there? So, there's some factors you can think about too, if it's not an actual, like, standalone home. I think that's a fantastic list of factors. I could tell Jameson wants to add a few things. I'll add a few other things too. I think on that point of somebody coming to your door that's not scheduled that you don't know, don't open the door. Talk to them through a camera, if you want. Make that a policy in your house. It feels at first a little socially awkward, but, you know, once you adopt it into your security process, I mean, you're like, why not? The other thing I would say is, in addition to self-defense, as you talked about, Bo, and I think, Jameson, you've thrown out some stats that, unfortunately, only if something like 6% of all of these crypto wrench attacks have been defended against by self-defense. So, if you do that, then make sure you're good. I would say, some of that self-defense, not to say you could outsource it, but you can outsource that to a big dog. 
Honestly, I mean, I think that is probably an underrated protector of the household is having a dog that will alert, maybe will respond in these types of attacks. I do have one question for you, Bo, and then we'll add Jameson, or either of you can answer this. When it comes to, we talked about cameras, we talked about alarm systems. Are there things you can do to actually harden your entrance points, your doors, and your windows? I think you've written blog posts about this, Jameson, so talk about that and share anything else that you think would be helpful. Yeah, well, it really depends on your home construction, but at least in America, the vast majority of home construction is really cheap and only uses like three-quarter-inch screws. And for 20 bucks, you can get double-linked screws with hardened striker plates that massively improves the robustness of the door hinges and locking mechanisms in the frame. And if you want to go a little bit further, and I've actually done some testing around this, there are a number of security films out there. I would go with like a 3M film and get it professionally installed on the windows. And those won't make them completely impervious, but they will give you probably at least 30 seconds to a minute of additional time where someone has to try to break through them before they can actually ingress into the house. And that's kind of what you're looking for with those types of solutions, even with kind of the reinforced doors with longer screws. Basically, it turns something that can be kicked down in like five seconds into something that's just, you know, you got to give 30 seconds, and you got to give some some good. And that obviously is something that's very alert of, it buys you time, that that definitely strengthens things. Yeah. And you actually hit one of what I was going to mention with the dog is, is a really easily overlooked thing. And it doesn't even have to be a big dog. 
And in fact, in most cases, smaller dogs are better at alerting when they hear stuff. Everyone knows the yappy dog that just will not shut up. And the average criminal doesn't want to find out the hard way whether or not it's an attack dog or just an interested dog. Now, if you really want to go hardcore, you can get a German Shepherd or a Belgian Malinois, pay around $20,000, get them like Schutzhund-level defense training, and they will be an attack dog. But once again, you know, this is this is time and resources and investment and whatnot. And the one other thing I would just briefly mention, because we can I could spend a whole hour talking about it. And I have a lengthy article called like firearms for home defense on my blog, going down the rabbit hole of firearms does involve a lot of decisions. And once again, resources, time training. And I mainly I tell people, look, just buying one gun and like throwing it in one safe is not good enough. Because depending upon the layout of your home, what happens if the attacker is in between you and the gun. And so you have to think about every possible situation. And, you know, I have like a decentralized system of safes where every room within like 10 or 15 feet has a safe. And it's not just any safe. It's a quick access safe that takes less than three seconds to open. It has a simplex mechanical lock, not a biometric, not electronic. It's going to work every time, even if I'm under duress. And it's the same weapon in every safe so that I know that I don't have to think about how I'm going to be operating it. There's all these little things. And then there's a lot of decisions that went into like what weapon, what caliber, thinking about overpenetration, what is the construction of your house and the layout. You don't want to shoot an attacker and accidentally hit someone that you care about. 
And then of course, once again, as Bo said, you know, whether you're in a single family or maybe you're in some sort of complex, you have to worry about the neighbors as well. There's many, many factors and there's no simple answer to these things. So for listeners that feel overwhelmed, just recognize that I do too. When I listen to Jameson talk, I hear kind of, he is a level 99 warlock of security. Okay. And so most listeners are not at that level, but I think the important thing is you can take this list of recommendations that you've heard from both Bo and Jameson today, and you can implement them slowly over time. This doesn't have to happen in a week or a month. I think the main thing is that you're making progress on this on a year to year basis. And so when you look at 2027, February, 2027, the question you want to ask yourself is, am I more secure? Am I in a better posture than I was last year? Do I have an ongoing project to tackle some of the highest return on investment things one by one? Do I have an active plan to do this? And if you were a better a year from now than you are today, that's the path that you should be on. So don't feel like all these recommendations, you need to implement them overnight. Bo, I want to ask you about another thing, because we were talking about some of these attacks being targeted, right? And so one of the parts that I think we don't like about blockchain right now is that there is not good native on chain privacy techniques to obfuscate addresses. And so this does give some sort of mastermind the ability potentially if you're not careful, or even sometimes if you are careful, the ability to identify your wallets and your assets on chain. Are there ways to prevent that type of thing to be careful? In my article, I throw out some obvious ones, which is just like, hey, don't link an ENS name or an NFT that uses your PFP to some of your main accounts holding crypto assets. Like, don't do that. That's a bad idea, right? 
And realize that when you transfer assets from one address to another, that can obviously be linked to anyone that's kind of looking on chain. But then I think when people are looking deeper in terms of privacy, they're like, well, how do I keep some of my addresses private, right? Do you have any solutions to that? Or what would you recommend on the on chain address privacy side? Yeah, I mean, I think the simple man's answer, right, is if you want to set up a new set, you know, new wallets that are private from old ones, you know, fund them from a different exchange than the one you used to fund your first wallets. You know, that's not true privacy because you're not, you know, hiding who you are from the exchanges, right? But from an attacker perspective, you know, I have wallets that I've set up through a different centralized exchange that don't talk to each other, each other on chain. I don't share NFTs. I don't use, you know, Bo Security as an ENS name. You know, for me, that was, that's something I did a while ago, and I'm just stuck with that system. I think there's a lot of tools that have come out recently, or been developed more recently, like Zcash with NEAR Intents as a privacy option. There are privacy tools out there, like Railgun. Obviously, there's, you know, infamous Tornado Cash, right? I mean, I think if you start playing around with those things, you have the potential to like cause yourselves more compliance trouble with the exchanges you do use, that kind of thing. It kind of depends on what your risk tolerance is for that. But for the average person, like, you know, especially, I think the average person, right, doesn't necessarily have this Twitter account profile that is, you know, attached to their on chain wallet. And so, you know, that may not be as much of an issue. 
But for people who want to, you know, take their on chain cluster of wallets and separate them from, you know, any activity they're doing in the future, the like, simplest way to do that from what the general public can observe, is to just set up new wallets through a different exchange and transfer funds that way. Jameson may have a far more advanced answer than me on this. But, you know, I think, like, there's so many compliance risks and other things you can get into with using a lot of the mixing tools and other things that, like, I don't have my thesis on this fully fleshed out, I think, of what's the best thing to do. It's, you know, the deck is stacked against you on most of these networks, public permissionless networks that operate completely transparently, trying to be private on a completely open network is difficult to say the least. You know, I don't even really use mixers myself. As you said, they can actually cause problems, because you might get associated with other activity that you don't want. And really, if you if you need strong privacy, this is where I tell people to like use Monero, use Zcash, use a network where strong privacy is built in at the protocol layer and you aren't having to like jump through a bunch of hoops and figure out these complex technical machinations to try to create privacy on a transparent network. So I mostly don't, I don't try to tell people what to do from a privacy perspective, because there's just so many foot guns out there. And it's very easy to screw up, you know, even if you are doing a lot of things privately, you only have to make one mistake and blow a hole in everything that we've done. I think that captures the current state of privacy for sure. And unfortunately, that's really where we are. As an industry, there aren't a lot of great solutions for Bitcoin or for Ethereum right now, although new solutions are coming together like every day. And I think this is a big area of investment. 
We see protocols like Zama has been pretty cool. That's new on the scene. There are things like Aztec. There are things that are in development. It's just it still feels like the status quo. The best you can do is like move funds through an exchange and create a new wallet. But then, of course, that is a that is a vector, too, because what if the exchange leaks data? You know how invisible really is that? It's just like definitely it's not great right now. Like privacy is not great right now in crypto. And that's just a realization. One other thing I'll add is just an emphasis on be careful of the tax tracking app that you use. There are some local versions that keep all tax information local on your machine that you can switch to. We'll include some links maybe in the show notes to that. But I mean, that seems like a that's a vector I worry about a lot. I mean, these are entities that are not necessarily putting in exchange level security practices in places that are not custody assets and they're cloud based solutions. They can be hacked. If somebody can tie your on chain profile and your address to that hacked information, identify who you are, then they know where your wallets are. So that that is something that might be actionable as we as we wrap this episode out. Also, I would say do not fall for the convenient path of putting exchange API keys into your tax software. Yes, it makes it easy for them to get the data, but there have actually been hacks related to that where the attackers get the API keys and use it to take over your exchange account. So yeah, I think stuff like Rotki, for example, which is like a version of it is the best way to go. Unfortunately, we're in a position where the attackers are getting more sophisticated in the tools that they're using now, the ability to leverage AI to put all of this data set together and to kind of mastermind what targets to attack. That's getting more sophisticated. 
But I think the goal that both you emphasize is we're not looking for perfection here. We just have to be better, more hardened than everyone else. And I think some of the tactics we talked about will help listeners do that today. I guess I'm kind of met with this as I've been thinking about this increasingly in 2026. As I mentioned, I wrote that Zero Crypto at Home article, which is kind of uncovering some of my thoughts on best practices to prevent wrench attacks with a lot of input from the crypto security community, which is fantastic and of which both of you have contributed so much. But it does feel like a bit of a setback for the bankless vision. That's kind of what I'm left with. I'm just like, it's not the full story here. Like we're not done yet. And certainly there are even more challenges with the custodial solutions that we see in the traditional world, of course. But it is a heavy responsibility to take on private keys and to be your own bank. And so if you are taking on that responsibility, make sure you are not signing up for 24/7 security guard of your own house and your own private keys. You have to be smarter than this. But even so, I do feel like it's somewhat of a setback. Some people might be listening to this episode and just be like, "Oh my God, guys, that is a lot. I can just go buy crypto assets in my brokerage account and there's this thing and it's called IBIT and I just like purchased that. I don't have to worry about any of this shit." What do you think? I mean, I'm still optimistic. I feel like we are maybe at kind of a local tranche in terms of custody and keys, in particular the sentiment around some of these crypto attacks, these wrench attacks in person, has made me feel that way. But will we get out of that? Will self-custodial crypto be the end game? Will we have billions doing the types of things that bankless listeners are doing and controlling their own keys? Or is this kind of a setback for the vision? Go ahead, James. 
I'm sorry, if I can jump in. Let me throw a wrench, pun intended, in your IBIT plan there, right? Let's say you're holding your IBIT on Robinhood and you get wrench attacked because you're talking about Bitcoin all the time, but you think you're safe because you're holding it in an ETF. And the attacker shows up at your house between 9 a.m. and 4 p.m. trading hours and says, hey, go sell all your IBIT, buy Bitcoin on Robinhood and transfer it to me, right? Yeah, wow. Like, you know, I'm sure Robinhood has some measures in place to prevent some of those things, but like, that's a theoretical thing that could happen, right? So, I think, you know, if you want to be in crypto, self-custody is still the way to go because you're taking use of the assets. You know, the advantage of being your own bank, of not being reliant on a government to, you know, approve the form of currency that you're using, like, coming from a Fed background, right? Like, I just see the advantages of this system so, so strongly. And to Jameson's point earlier today, you know, by taking the right steps, you can actually get stronger than bank security while having the advantages of, you know, making your own decisions around your money. You know, how many times do we see, you know, someone post an article about, I was trying to withdraw 20 grand from my bank account and two hours later, I'm still answering questions about why I'm using the money. You know, I think that the advantages of that system will overcome the security challenges, especially as new tools get introduced, as wallets get better, you know, as police become aware of these trends and start cracking down more on the crime, right? As more wrench attacks fail, as more scams fail, you know, I think there's no reason why we can't get to a very similar place in terms of safety of crypto as, you know, sort of the Web 2 environment is today. Well said. What would you add, Jameson? 
Yeah, I mean, look, the reason why I've spent the past decade building self-custody systems is because I felt like we are fighting against human nature. And human nature is to generally choose convenience at the expense of almost all else. And also human society and civilization has developed over millennia via specialization of tasks. So we as humans are used to outsourcing very large swaths of our lives, even our own food production. You know, these things are incredibly important to our day-to-day and long-term living. And so, you know, outsourcing financial stuff is also second nature. And so it's really going against the grain to tell people to completely flip that model on their head and take responsibility for a very important aspect of their lives and their finances. And so that's why I felt like we need to keep working to make self-custody more convenient and more bulletproof. Because if the average person isn't confident in themselves to be able to do this securely and safely, they're not going to be able to sleep at night and they're going to throw up their hands and say, "Okay, I'm just going to outsource it to someone who really knows what they're doing." And of course, as we all know, that means they're throwing out really the most valuable premise of new systems in the first place, which is not having to trust a third party and ask permission to use your money the way that you want. And so I think I'll close out by there's this one quote that comes back to me all of the time, which I think is pretty fitting in this situation because we've spent the past hour and a half talking about how complicated this is and how many different things you are having to worry about if you want to manage crypto securely. And that is this quote, "If you wish to build a ship, do not divide men into teams and send them to the forest to cut wood. Instead, teach them to long for the vast and endless sea."
And this is why I preach the gospel of sovereignty, the gospel of empowering yourself via these public permissionless protocols so that you don't have to rely upon the whims of bankers and regulators and governments and whatnot. And so that, in a sense, that will get us written off as the paranoid crypto anarchists by the Michael Saylors of the world. And I'm okay with that. I just want to see as many people as possible understand that this is an option. And if you're willing to put in the effort, you can greatly empower yourself and your family for many generations to come.
Well said. And I don't think we're paranoid. I think we're just ahead of the curve. And the end goal, as you said, summed it up well, is sovereignty. There's another word for that is freedom. And so I think one way that bankless listeners can lose their freedom is if they become a bank security guard and they feel that pressure all of the time. But some of the tools that we talked about, multi-sig is so key for this. Once you have a good multi-sig setup, I think you'll feel much better about your position. You implement this and you will be able to take back your freedom. Let's end it there. Gotta let you know, of course, crypto is risky. You could lose what you put in, but we are headed west. This is the frontier. It's not for everyone, but we're glad you're with us on the bankless journey. Thanks a lot.