Self-Custody Is a Liability for 95% of Crypto Holders
"Not your keys, not your coins" is a slogan from a community that lost more coins to itself than to every exchange hack combined. The honest position is that most people should custody nothing.
Self-custody is the single most overprescribed piece of advice in crypto, and the people prescribing it almost never live by it the way they suggest you should. They have multisigs. They have hardware wallets behind passphrases behind air gaps behind threshold schemes behind operational security a normal human being could not survive a divorce with intact. Then they go on a podcast and tell a 62-year-old aunt with a Coinbase balance that she's a sheep for not running her own node.
The aunt is fine. The slogan is wrong for her. It's wrong for almost everyone.
What "self-custody" actually demands
To custody your own keys responsibly, you need to do all of the following, every year, forever:
- Generate a seed phrase on a device you can verify is uncompromised. Most users cannot.
- Store that phrase in a way that survives fire, flood, theft, your own death, and the cognitive decline that statistically arrives by your seventies.
- Refuse to type that phrase into anything, ever, including the very plausible-looking pop-up that will eventually ask you to.
- Recognize phishing across email, SMS, Discord, Telegram, X, and the next twenty platforms not yet invented.
- Sign transactions on a hardware device you trust, after reading raw transaction data you can interpret, on a chain whose mempool dynamics you understand.
- Inherit it. Plan for the day you are not here. The number of crypto holders who have done this is functionally zero.
This is not a list of consumer behaviors. It is the operational profile of a small private bank. We are demanding it of retail.
The actual loss data is brutal
Chainalysis estimates between 3 and 4 million BTC are permanently lost, roughly 17–22% of total supply. The vast majority were lost to self-custody errors: forgotten passwords, dead drives, demented seed phrases, divorces, deaths, and disasters. That number dwarfs every exchange hack ever, combined, by an order of magnitude.
James Howells threw out a hard drive with 8,000 BTC. Stefan Thomas has 7,002 BTC behind an IronKey he forgot the password to. Quadriga lost $190M because the founder allegedly died with the keys, but plenty of solo holders have done the same to themselves, just without the headlines.
The fail mode of self-custody is total, irreversible loss. The fail mode of a regulated custodian is being made whole by FDIC-equivalent insurance, civil suit, or, in the worst case, partial recovery. These are not the same shape of risk.
The maximalist will tell you "be your own bank." Banks have insurance, audit teams, fraud departments, lawyers, and bailouts. You have a sticky note.
The obvious counter
"Mt. Gox. FTX. Celsius. Voyager. BlockFi. Custodians fail." They do. They have failed spectacularly. And the union of all customer losses across every collapsed crypto exchange in history (somewhere in the tens of billions of dollars) is real and terrible. It is also much smaller than the loss to self-custody mistakes, and is partially recoverable through bankruptcy proceedings (Mt. Gox creditors are being paid; FTX creditors recovered above 100% in dollar terms).
The honest answer isn't "custody yourself" or "trust the exchange." It's "diversify the failure modes." Some at a regulated custodian. Some at a different regulated custodian. The truly long-term, conviction holdings, on hardware, but only if you have actually demonstrated to yourself, in dry runs, that you can recover them. Most people who claim to self-custody have never actually restored from seed. They are storing keys, not custodying value.
Who self-custody is actually for
- People with operational discipline they have proven (not assumed).
- People who are politically targeted and need censorship resistance: dissidents, journalists, activists in authoritarian states. Self-custody is genuinely life-saving here.
- People holding sums where the cost of compromised counterparty risk is genuinely larger than the cost of compromised personal opsec.
- Builders who need to sign on-chain.
For the cousin with $4,000 of ETH who wanted to try crypto, self-custody is a roulette wheel where most of the slots are "you lose your money to a phishing site or a forgotten password." The exchange might fail. The exchange has insurance. The aunt does not.
The response
The maximalist position has been mistaking "should" for "can." Yes, in a perfect world, every holder would be a sovereign individual with airtight opsec. In the real world, the same population that calls customer support to reset their email password is being told to engineer their own key management. The bridge is not "lecture them harder." The bridge is better products: institutional custodians regulated like banks, social-recovery wallets that don't require a seed phrase to be human-memorable, multisig as a default rather than a power-user feature, and inheritance built into the protocol layer rather than left for grieving families to puzzle out.
Until those exist for the median user, self-custody is, for most people, a liability dressed in the language of empowerment. Empowerment is good. Losing your savings to your own filing cabinet is not.