Self-custody is the practice of holding your own cryptocurrency private keys rather than trusting an exchange to hold them for you. Done right, it eliminates the largest risk in crypto — exchange failure. Done wrong, it creates a new largest risk — losing access to your own funds. The right way is straightforward; here is the full walkthrough.
Step 1: Decide what you are protecting
Self-custody is overkill for $50 of crypto used to test a swap. It is essential for $50,000 in long-term holdings. The threshold where it becomes worth the operational overhead is somewhere around $1,000–$5,000 — varying by your personal risk tolerance and tech comfort.
Step 2: Pick a hardware wallet
The current major options:
- Ledger Nano X / Nano S Plus — most popular, broadest software support, Bluetooth optional on X
- Trezor Safe 5 / Model T — open-source firmware, color touchscreen on Safe 5
- GridPlus Lattice1 — enterprise-leaning, secure enclave architecture, larger form factor
- Coldcard Mk4 — Bitcoin-only, air-gapped operation, security-paranoid users’ choice
Buy direct from the manufacturer. Never buy a used hardware wallet — assume any wallet not delivered shrink-wrapped from the factory is compromised.
Step 3: Set up the device
- Unbox in a private location
- Verify the tamper-evident packaging is intact
- Connect via USB to a computer you trust
- Install the official desktop software (Ledger Live, Trezor Suite)
- Initialise as a new wallet (do NOT use any “recover from seed” option a factory wallet should not have)
- Set a strong PIN (6–8 digits, not your birthday)
Step 4: Generate and back up the seed phrase
The device generates a 12 or 24-word seed phrase. Write it down on paper — included in the box — or on a metal backup plate (steel/titanium, fire- and water-proof, $30-100 from sites like Cryptotag or Billfodl).
Critical rules:
- Never type the seed into any computer, phone, or website
- Never photograph it
- Never email or message it
- Store in two physically separate, secure locations
- Do not store the locations together with the device
Step 5: Test recovery
Before transferring meaningful funds:
- Send a small amount of crypto to the wallet
- Wipe the device (factory reset)
- Restore from your seed phrase
- Verify the funds are visible
If this test fails, your backup is wrong. Fix it before depositing serious funds.
Step 6: Move funds from exchange to wallet
- Get a receiving address from the wallet software
- Send a test transaction first (small amount)
- Verify the test arrived correctly
- Send the rest in subsequent transactions
Address poisoning is a real attack vector. Verify the full address character-by-character, not just the first 4 and last 4.
Step 7: Operational practices
- Use a clean computer for signing transactions — not the one you browse on
- Read every transaction detail on the hardware-wallet screen before approving (the malware-on-host attack is real)
- Review token approvals periodically at revoke.cash
- Keep firmware up to date
Inheritance planning
If you die without anyone able to access your seed, your funds are permanently inaccessible. Consider:
- A sealed copy in a safe-deposit box with someone you trust having key + instructions
- Shamir Secret Sharing (split the seed into N pieces, M required to reconstruct)
- A trust structure for material amounts
Common failure modes
- Lost seed phrase — most common. Self-custody loss rate (across all crypto holders) is estimated at 4–7% of supply over multi-year horizons.
- House fire / flood — paper backup destroyed. Solution: metal backups in multiple locations.
- Forgotten location — wrote it down somewhere safe, can’t remember where. Solution: documented inheritance plan.
- Phishing — fake device support DMs asking for seed. Never share. Period.