The custody question, framed correctly
"Should I keep my crypto on Coinbase or in a wallet?" is the wrong question. The right question is: what is the smallest amount of trust I can put in any single party — exchange, software vendor, hardware manufacturer, or family member — without making my life unmanageable for the next ten years?
Answer that, and the right wallet falls out of the analysis. There is no "best wallet" in the abstract. There is the wallet that matches your value range, your operational tolerance, your inheritance plan, and the threat model you are actually defending against. A college student with $400 in BTC needs a different setup than a software engineer with a $400,000 stack accumulated over six years.
The ladder, from most convenient to most defensive
The ladder of self-custody runs from "almost no different from a bank account" to "you are running a cryptographic vault by yourself." Each rung adds friction in exchange for reducing your dependency on someone else's good behavior.
- Rung 0 — Exchange custody. Coinbase, Kraken, Gemini, Binance.US. The exchange holds your assets in their internal wallets; your account is a credit balance. Easy onboarding, password-recovery exists, insurance on some accounts, regulatory recourse. The catch: if the exchange goes insolvent, gets sanctioned, or freezes your account during a compliance review, you do not have your funds.
- Rung 1 — Hot wallet on a personal device. MetaMask, Trust Wallet, Coinbase Wallet (the self-custody product, not the exchange), Phantom for Solana. You hold the seed phrase. The seed phrase lives encrypted on a device that has internet access — phone, laptop, browser extension. Easy daily use; vulnerable to malware, phishing, and device theft.
- Rung 2 — Hardware wallet, single signer. Ledger, Trezor, Coldcard, Keystone. The seed phrase exists on a device that signs transactions in isolation. The seed never touches an internet-connected device during normal use. Defensive ceiling for solo holders below a certain value threshold.
- Rung 3 — Hardware wallet plus BIP-39 passphrase. Same hardware, but the actual addresses derive from seed + passphrase. The seed alone produces a decoy wallet; the real funds live behind the passphrase, which exists only in your memory.
- Rung 4 — Multisig. Two or three hardware wallets, each with its own seed. Funds held under a 2-of-3 or 3-of-5 address. No single seed compromise loses funds. Coordinator software (Sparrow, Specter Desktop) manages the addresses.
- Rung 5 — Air-gapped multisig with geographic separation. The signing devices have never been connected to the internet — they sign via QR codes or microSD cards. Each signer lives in a different physical location (home, deposit box, attorney). This is the working ceiling for retail self-custody; everything above it (Coldcard with Tor + Sparrow on Tails Linux, etc.) is for paranoid or institutional use.
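Rung 3 rests on how BIP-39 folds the passphrase into seed derivation. The following is an added example, not code from the original page: it derives the seed with the standard PBKDF2 step, then the BIP-32 master key, and shows that the bare seed phrase (the decoy) and the passphrased seed give unrelated keys, as does a passphrase that differs by one character. The only external value is the published BIP-39 test vector for all-zero entropy with passphrase "TREZOR".

```python
import hashlib
import hmac
import unicodedata

# BIP-39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).
# The passphrase is part of the salt, so every distinct passphrase yields an unrelated seed.
# The empty-passphrase seed is the decoy wallet the bare seed phrase unlocks.
def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

# BIP-32: HMAC-SHA512 keyed with "Bitcoin seed" splits into master private key and chain code.
def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

def master_key_hex(mnemonic: str, passphrase: str = "") -> str:
    key, _chain_code = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))
    return key.hex()

# Published BIP-39 test vector: all-zero entropy, passphrase "TREZOR".
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_SEED_TREZOR = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)

def decoy_and_real_differ(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrased wallet has a different master key than the decoy."""
    return master_key_hex(mnemonic) != master_key_hex(mnemonic, passphrase)

if __name__ == "__main__":
    print("vector ok:", mnemonic_to_seed(TEST_MNEMONIC, "TREZOR").hex() == TEST_SEED_TREZOR)
    print("decoy != real:", decoy_and_real_differ(TEST_MNEMONIC, "TREZOR"))
    # A one-character typo in the passphrase is a different wallet, not an error message.
    print("typo is a new wallet:", master_key_hex(TEST_MNEMONIC, "TREZOR") != master_key_hex(TEST_MNEMONIC, "trezor"))
```

The last line is the failure mode to rehearse: a device never rejects a wrong passphrase, it simply opens an empty wallet, so test-restore the passphrase against a known receive address before funding it.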
Where on the ladder you should actually sit
The working allocation by holdings, calibrated for US-based retail holders in 2026:
- Under $500. Rung 0 or Rung 1. Honestly, do not over-engineer. Use Coinbase or Kraken, enable hardware-key 2FA, learn the basics. Move to self-custody once you have something worth defending.
- $500 to $5,000. Rung 1, optionally Rung 2 if you have an existing hardware wallet from learning. Hot wallet (MetaMask, Trust Wallet) for most of it. A small amount on an exchange is fine for liquidity.
- $5,000 to $50,000. Rung 2 minimum. Buy a Ledger Nano S Plus or Trezor Safe 3. Move 80%+ off-exchange. Keep a small float on Coinbase or Kraken for tax-event timing. Start using a password manager with hardware-key 2FA on every account.
- $50,000 to $500,000. Rung 3 minimum. BIP-39 passphrase on the hardware device. Consider a second hardware device as a backup signer. Set up an address allowlist on your primary exchange. Write the estate-recovery document.
- $500,000 to $5,000,000. Rung 4. 2-of-3 multisig with geographic separation. One signer at home, one at a bank deposit box, one with an attorney or family member. The legal layer matters: have an attorney review your estate-recovery plan.
- Over $5,000,000. Rung 5 plus a security consultant on retainer. At this value, the threat model includes physical attacks (the "$5 wrench attack"), targeted social engineering, and OSINT-based profiling. Most retail-grade advice stops being adequate.
What to look for in a hot wallet
Most US holders interact with hot wallets daily — MetaMask for Ethereum DeFi, Trust Wallet for mobile flexibility, Phantom for Solana, Coinbase Wallet for everything. The differences between them matter less than how you configure each one. The settings that should be the same across whichever hot wallet you use:
- Hardware wallet pairing. Even a hot wallet should sign meaningful transactions through a hardware device. MetaMask supports Ledger, Trezor, and several others via "Connect hardware wallet." Every transaction above a threshold (mine is $500) goes through the hardware.
- Blockaid or built-in signature alerts. Modern MetaMask versions show a red banner for high-risk signature requests (Permit, Permit2, setApprovalForAll on unknown contracts). Do not bypass these warnings without reading them.
- Auto-lock timeout under 10 minutes. The wallet should require password re-entry after a short idle period. The default is too long; reduce it to 5 minutes.
- Approval audit monthly. Run revoke.cash or the wallet's own approval-list view. Most users accumulate 30–80 stale token approvals from old DeFi experiments. Revoke everything not in active use.
- Dedicated browser profile. The browser running MetaMask should have one extension installed: MetaMask. (Plus one ad-blocker, optionally.) Every other extension is a potential exfiltration path.
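What the signature alerts above flag, and what the monthly approval audit looks for, can be reproduced locally. This is an added example, not MetaMask's or Blockaid's code: it decodes the calldata of a pending transaction, warns on unlimited approve() and on setApprovalForAll() to any operator not on your bookmarked list, and filters a constructed approval list for stale entries. The contract addresses and approval records are constructed sample data; Permit/Permit2 are off-chain typed-data signatures and are outside this calldata check.

```python
# 4-byte function selectors (first 4 bytes of keccak256 of the signature).
RISKY_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UNLIMITED = (1 << 256) - 1  # the "infinite allowance" most DeFi front-ends request

def parse_calldata(calldata_hex: str) -> tuple[str, list[int]]:
    """Split calldata into the selector and its 32-byte ABI words."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4].hex()
    words = [int.from_bytes(data[i:i + 32], "big") for i in range(4, len(data), 32)]
    return selector, words

def assess_transaction(calldata_hex: str, known_contracts: set[str]) -> list[str]:
    """Return warnings for a pending transaction; an empty list means nothing was flagged."""
    selector, args = parse_calldata(calldata_hex)
    if selector not in RISKY_SELECTORS or len(args) < 2:
        return []
    spender = "0x" + f"{args[0]:064x}"[24:]  # address is the low 20 bytes of word 0
    fn = RISKY_SELECTORS[selector]
    warnings = []
    if selector == "095ea7b3" and args[1] == UNLIMITED:
        warnings.append(f"{fn}: unlimited allowance granted to {spender}")
    if selector == "a22cb465" and args[1] == 1:
        warnings.append(f"{fn}: operator {spender} gains control of every token in the collection")
    if spender.lower() not in known_contracts:
        warnings.append(f"spender {spender} is not one of your bookmarked contracts")
    return warnings

def stale_approvals(approvals: list[dict], today: int, max_idle_days: int = 30) -> list[dict]:
    """Monthly audit: approvals not exercised within max_idle_days (days as integer day numbers)."""
    return [a for a in approvals if today - a["last_used_day"] > max_idle_days]

# Constructed samples (hypothetical addresses, not real contracts).
DEX_ROUTER = "0x" + "11" * 20
UNKNOWN_OPERATOR = "0x" + "22" * 20
APPROVE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
SET_APPROVAL_FOR_ALL = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"
PLAIN_TRANSFER = "0xa9059cbb" + "00" * 12 + "33" * 20 + "00" * 31 + "64"
SAMPLE_APPROVALS = [
    {"token": "USDC", "spender": DEX_ROUTER, "last_used_day": 1000},
    {"token": "WETH", "spender": UNKNOWN_OPERATOR, "last_used_day": 800},
]

if __name__ == "__main__":
    print(assess_transaction(APPROVE_UNLIMITED, {DEX_ROUTER}))
    print(assess_transaction(SET_APPROVAL_FOR_ALL, {DEX_ROUTER}))
    print(stale_approvals(SAMPLE_APPROVALS, today=1010))
```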
What to look for in a hardware wallet
The hardware wallet market in 2026 has consolidated to five real options: Ledger Nano S Plus, Trezor Safe 3, Keystone 3 Pro, Coldcard Mk4, Ledger Stax. The dimensions that matter when choosing among them:
- Secure element grade. The chip that physically holds the seed and signs transactions. EAL5+ (Ledger ST33K1M5) is the floor; EAL6+ (Trezor Optiga Trust M, OneKey Infineon) is better. Anything below EAL5+ should be ruled out.
- Open source posture. Trezor's firmware is fully open. Ledger's is partially closed. Coldcard's is fully open. Open source allows independent audit; closed source requires trusting the manufacturer's internal audit process.
- Air-gap option. Some devices (Coldcard, Keystone, OneKey Pro) can sign transactions entirely offline via QR codes or microSD. Others (Ledger, Trezor) require USB or Bluetooth connection. Air-gap is harder to use; it is also harder to compromise.
- Multisig support. All five major devices support multisig in principle. Keystone and Coldcard are designed multisig-first; Ledger and Trezor support it but with less polished UX.
- BIP-39 passphrase support. All current devices support this. Verify before purchase that the device you choose includes it.
The purchase channel matters as much as the device choice. Buy direct from the manufacturer's official US storefront. Never Amazon (even "Sold by [Brand]" has been compromised by reseller fraud). Never eBay, never Craigslist, never a "trusted friend." The $20 saved on secondhand is the cheapest part of the loss.
The address allowlist, often overlooked
Coinbase, Kraken, Binance.US, and Gemini all let you set up an "address allowlist" or "withdrawal allowlist" on your account. Once enabled, withdrawals can only go to addresses you have explicitly pre-registered. Adding a new address requires a 24-72 hour cooling-off period plus a confirmation email.
This is the single most underutilized defensive measure in retail crypto. It costs nothing, requires one afternoon to set up, and stops most account-compromise scenarios cold. If an attacker breaches your Coinbase login, they cannot withdraw to their own address — only to your hardware wallet's address that you pre-registered. They have to wait 72 hours to add a new address, which gives you time to detect the compromise.
Set this up the day you start using any new exchange. Pre-register your hardware wallet's receive address. Disable withdrawals to "any address" entirely. The friction of having to wait 72 hours to add a new destination is the friction that saves you from a 3 AM panic withdrawal during a fake support call.
The 2FA hierarchy, for the entire stack
Every exchange account, every email associated with crypto, every password manager, every cloud service that touches your custody plan — all of them need 2FA, and not all 2FA is equal.
SMS 2FA is the weakest tier. Vulnerable to SIM-swap attacks where the attacker convinces your mobile carrier to port your number. Documented SIM-swap losses in US crypto are in the $50M+/year range. Remove SMS 2FA wherever you can; where the service requires it as a fallback, add a carrier-level port-out PIN.
TOTP authenticator apps (Google Authenticator, Authy) are the minimum acceptable tier. The code is generated locally on your device; the attacker needs the device. Slightly better: push-based 2FA (Duo, Microsoft Authenticator push), which adds contextual information ("Sign-in from Lagos at 3 AM — approve?") that a tired user can still notice.
Hardware security keys (YubiKey, Titan, SoloKey) and passkeys are the defensive ceiling. The key proves possession via cryptographic challenge-response that cannot be replayed, phished, or intercepted. Use these on email and your primary exchange at minimum. Buy two; register both; carry one and keep the spare in a safe.
The estate-planning document
The conversation no one wants to have: what happens to your crypto when you die or become incapacitated. Most US holders have no plan. The IRS treats unrecovered crypto as part of the estate at fair market value on date of death — meaning your heirs may owe tax on assets they cannot access.
The minimum estate-planning step: a one-page document, signed and dated, stored with your other estate-planning materials. It names the device model and where it lives, the safe location of the seed backup, the wallet software needed to interact with the seed, and a list of every exchange account with login credentials stored in your password manager. The document does not contain the seed itself or any passphrase.
For larger estates, consider multisig with one signer key held by an attorney specializing in digital-asset estates. The attorney's key alone cannot move funds; combined with your spouse's or executor's key, it can. This is the defensive structure: funds survive the death of any single party and are recoverable with the cooperation of any two.
The migration plan when value crosses a threshold
Most holders accumulate crypto over years without revisiting their custody setup. A wallet appropriate for $5K at purchase is inadequate for $50K after a bull run. The thresholds to actually reassess:
- $500. Move off the exchange to a hot wallet. Stop thinking of Coinbase as "your" crypto.
- $5,000. Buy a hardware wallet. Move the bulk off the hot wallet. Add hardware-key 2FA to your primary exchange.
- $50,000. Add a BIP-39 passphrase. Set up an address allowlist on every exchange. Write the estate-recovery document.
- $500,000. Convert to 2-of-3 multisig. Add a geographic separation of signers. Engage an attorney for the estate-recovery layer.
- $5,000,000. Bring in a professional security consultant. The threat model now includes physical attacks; most retail advice stops being adequate.
The migration itself: move funds in descending order of size. Highest-value asset first, lowest-value last. This minimizes tail risk during the migration window — the worst-case scenario is partway through, when you have funds spread across the old setup and the new setup simultaneously.
The handful of mistakes I see repeated
Patterns I see in reader emails to privacy@wechibi.com, in order of frequency:
- Seed phrase on a photo, photo synced to cloud, cloud account phished. Documented case loss: $14K-$280K range. Defense: never photograph the seed.
- SMS 2FA on the email associated with the exchange. SIM-swap, email compromise, password reset, withdrawal. Defense: hardware-key 2FA everywhere, port-out PIN at the carrier.
- Token approval signed on a phishing site, wallet drained through that approval $20K-$300K hours later. Defense: bookmark every DeFi protocol; never use search engines to navigate to wallet-connect pages.
- Seed phrase on a single piece of paper in a single location, lost in a fire / flood / move / divorce. Defense: two backups in two geographic locations. Always.
- No estate-planning document; holder dies, family knows funds exist but cannot access. Defense: the one-page recovery document, stored with the will.
None of these mistakes requires a sophisticated attacker. Each one is a structural gap in the holder's setup that an opportunistic attacker can exploit. The defensive playbook is to close the gaps before they get tested.
The final rule
Custody is a relationship between you and the future. The future will include device failures, fires, lawsuits, divorces, illnesses, deaths, software bugs, phishing attempts, social engineering, and probably at least one event that nobody currently predicts. The defensive goal is not to be invincible. It is to design a setup that survives any single failure mode, and ideally any two.
Run the rehearsal once a year. Update the estate document when life changes. Audit approvals monthly. Treat every signature like a contract you are signing in real life: read it, name the counterparty, name the amount, name the duration.
The pages on this site that elaborate the specific decisions: Hardware wallet comparison, Seed storage methods, Cold vs hot wallet, Exchange evaluation, 2FA hierarchy, 30-item self-check.