Back to Crypto

Not Your Keys, Not Your Coins — Also, Your Keys, Also Your Problem

Exchange custody and raw self-custody both lose people money in predictable ways. The honest answer is tiered. Here's the decision matrix.

8 min read
cryptocustodysecurityfield guide

The Mantra That's Half Right

"Not your keys, not your coins" is the closest thing crypto has to scripture. And like most scripture, it gets quoted a lot more than it gets examined.

The mantra is half right, and the half that's right is very right. Every exchange collapse follows the same script: withdrawals pause "temporarily," a reassuring blog post appears, and then a bankruptcy filing reveals that customer deposits were somebody's trading capital all along. People who thought they owned coins discovered they owned an IOU from an insolvent counterparty. Unsecured creditor is a brutal thing to become retroactively. The mantra earned its status honestly.

Here's the half nobody puts on a t-shirt: self-custody hands you every one of the custodian's responsibilities with none of the custodian's infrastructure, and regular people fail at those responsibilities constantly. A meaningful share of all bitcoin in existence is widely estimated to be lost forever — not stolen by exchanges, just lost. Seeds thrown out with old laptops. Passphrases dying with their owners. Wallets on hard drives sitting in landfills.

The custody debate runs on two dogmas shouting past each other. "Trust the platform" loses money in one predictable set of ways. "Trust yourself" loses money in a different predictable set of ways. The honest answer isn't a side. It's a matrix, and we'll get there — but first you need to respect both failure ledgers, because the loss patterns are the whole argument.

Ledger One: How Custodians Lose Your Money

The custodial failure modes are famous because they're spectacular — they happen to everyone at once, in public.

Insolvency and fraud. The big one. The exchange isn't holding your assets one-to-one; it's lending them, staking them, or trading them, and you find out during the bank run. Your balance was a database row, and the database was fiction.

Withdrawal freezes. Short of collapse, platforms halt withdrawals under stress — "to protect users," in the way a locked exit protects a crowded theater. Your coins exist; you just can't have them during exactly the window when you want them most.

Account-level lockouts. Compliance flags, botched KYC reviews, support tickets aging in a queue. No hack, no insolvency — just your assets on the other side of a bureaucracy that has no SLA and no phone number.

Platform hacks. Rarer at major venues than the early days, but when a custodian holding hot balances gets breached, the losses are collective and instant.

Jurisdiction risk. The platform is legal until it isn't, in your country or theirs. Regulatory action can strand assets behind geofences and court orders for years.

Ledger Two: How You Lose Your Own Money

Self-custody failures are quieter — they happen one wallet at a time, with nobody to sue and no Twitter thread. That doesn't make them rarer. There's no bankruptcy filing for a seed phrase in a landfill, so this ledger stays undercounted, and the dogma survives on the undercount.

Lost seed. The classic. The phrase was written down somewhere safe — so safe it moved houses, got water damaged, got thrown out, or was never actually written down at all. There is no "forgot password" flow. That's the feature. It's also the bug.

Phishing and malicious signatures. Modern wallet-draining doesn't crack your cryptography; it asks you, politely, to sign the transaction that empties you. A fake mint page, a spoofed support DM, an approval prompt you didn't read. The signature is the authorization. The chain executed your instructions perfectly.

Malware and clipboard swaps. You copy an address, malware pastes a different one, and irreversibility — the property you were promised as a feature — now works for the attacker.

Fat-finger loss. Wrong network, wrong address, mistyped amount. In traditional finance, there's a fraud department. Here, there's a block explorer where you can watch your mistake achieve finality.

The $5 wrench. All the cryptography in the world reduces to whether you can withstand coercion by someone holding a wrench. If people know you hold size, you become the attack surface.

Death without a plan. Perfect operational security with no inheritance plan doesn't protect your coins — it burns them on a delay. Your heirs can't brute-force your discipline.

The Uncomfortable Symmetry

Strip the branding and the two ledgers are the same ledger. Custody is the question of whose competence you're trusting. An exchange asks you to trust its solvency, its security team, and its incentives. Self-custody asks you to trust your own backups, your own phishing radar, your own estate planning — forever, with no off days.

The maximalists on both sides make the same error: they price the other side's failure modes at full sticker and their own at zero. Exchange loyalists talk about lost seeds and never about frozen withdrawals. Self-custody absolutists recite collapse history and then hand a hardware wallet to a relative who reuses one password everywhere, calling that an upgrade.

It isn't a religion question. It's a matching problem: stakes, usage, and threat model on one side, custody tier on the other.

Loss Pattern → Prevention

Before the matrix, here's the mapping. Every failure mode above has a known, boring countermeasure. None of them are clever. All of them work.

Loss patternWhat actually prevents it
Exchange insolvencyKeep on-platform only what you're actively trading; withdraw the rest
Withdrawal freezeSame — treat exchange balances as spending money, not savings
Account lockoutRedundancy: never let one platform be your only access to funds
Lost seedSteel backup, two geographically separate locations, recovery tested before funding
Phishing / malicious signatureHardware wallet with on-device verification; never sign what you can't read; no links from DMs
Clipboard swap / malwareVerify first and last characters on the device screen, not the computer screen; test transaction first
Wrong address / networkSmall test send before any large transfer — the fee is insurance, pay it
$5 wrench attackDon't advertise holdings; multisig or timelock so no single moment of coercion clears the vault
Death / incapacityWritten inheritance instructions stored with your estate documents — access path, not the secrets themselves

Notice the shape of that column: caps on platform exposure, tested backups, on-device verification, test transactions, a succession plan. It's checklists, not ideology. The people who keep their coins are not the ones with the strongest opinions; they're the ones with the most boring procedures.

The Custody Decision Matrix

Here's the framework. Find your row on stakes and usage, then read across.

Holding sizeUsage patternReasonable custody tier
Pocket money (loss annoys you)Active tradingReputable, regulated exchange — the convenience is worth the counterparty risk at this size
Pocket moneyOccasional use / DeFiSoftware hot wallet, small balances, hygiene rules above
Meaningful (loss hurts for months)Periodic activityHardware wallet for the core position + small hot wallet as the spending layer
MeaningfulLong-term holdHardware wallet, steel seed backup, two locations, recovery tested
Life-changing (loss is unrecoverable)Rare movementMultisig or collaborative custody — no single point of failure, including you
Life-changingAny active tradingDon't. Split it: a trading allocation on-platform, the core in multisig. The core doesn't trade.

Read it like a banking stack, because that's what it is. Exchange balance = cash in your pocket: convenient, capped, assumed losable. Hot wallet = checking account. Hardware wallet = savings. Multisig = the vault. Nobody carries their net worth in a money clip, and nobody drives to a bank vault to buy coffee. Crypto didn't repeal that logic; it just shipped without the guardrails that used to enforce it.

Two rules sit on top of the matrix. Tiers are cumulative, not exclusive — a functional setup usually runs three at once: a capped exchange balance, a small hot wallet, and cold storage holding the real position. And promotion is triggered by size, not by conviction — when a tier's balance grows past what its row says, you move coins up the stack. The market doesn't care that you meant to get around to it.

The Honest Close

"Not your keys, not your coins" survives because it keeps being proven right in headlines. Nothing here argues otherwise — if a custodian is holding your long-term savings, you are one bad balance sheet away from learning the difference between a deposit and a donation.

But the mantra is a warning, not an architecture. The full sentence is longer and less quotable: not your keys, not your coins — and also, your keys, your single point of failure, your phishing radar at 2 a.m., your backup discipline, your estate plan. Keys aren't just ownership. They're a job. Take the job seriously or scope it to stakes you can afford to lose.

So skip the religion and run the checklist: find your row in the matrix, cap the exchange layer, test the recovery before the balance gets serious, send the test transaction, write the inheritance plan. An afternoon of boring, one-time work — measured against loss patterns that repeat so reliably you can map them in a table.

Both dogmas lose money on schedule. The matrix is how you stop being on the schedule.