The story you are about to read was inspired by a common real-world attack. Names and identifying details have been changed, but the core message remains the same: in a spear phishing attack, you can’t give up what you don’t have.

Alex is a PhD student and a bitcoin maxi in their mid-30s. They have long been generally interested in monetary history, the evolution of surveillance, and philosophical discussions of freedom and technology. They first really got into bitcoin during the pandemic, and since then have come to see it as the future of money and their best shot at financial independence. They’ve been putting a little bit away, in their exchange account, every time they get paid for about 6 years now. 

They decided to move their stack off exchange and into self-custody for security, based on their own research, and nudged by a few trusted acquaintances in the bitcoin community. They did a deep dive into hardware wallets, narrowed their final list down to three, and ultimately landed on Bitkey.

“I like that it’s multisig by default” they say. “I also like that, even if I lose both my hardware and my phone, there’s a way back to my wallet. That’s not something that other 2-of-3 multisig setups can say.”

“Someone is trying to login to your exchange account.”

It was the end of a long week of research. Alex had put in what felt like years at the library and was running on fumes and caffeine. They were wrapping up a marathon session when their phone rang. 

Alex answered. An automated voice said: “Someone’s trying to log into your [exchange] account. If this was you, you can ignore this call. If this was not you, press the # key.” 

Alex definitely wasn’t trying to log in to their exchange account. They pressed # and the call ended.

“Are you in Quebec?”

Minutes later, Alex’s phone rang again. This time it was a real person. 

“They asked if I was in Quebec, which I wasn’t. They then asked if I still had an active account with [exchange].”  

Alex said no, they weren’t in Quebec, and while yes, they did still have an active account, most of their bitcoin was in self-custody.

The caller said they’d send a quick email with important next steps.

“They really made it seem like it was urgent—like I was in the middle of being scammed and if I didn’t act now, something bad was going to happen.” 

“Please enter your recovery phrase.”

An email that appeared to be from the exchange landed in Alex’s inbox. The attacker stayed on the line and told Alex they’d walk through all the prompts together.

“Was this login from Quebec you? No. Next. Do you use a hardware wallet? Yes. Next.”

“The last prompt said something like, ‘Please follow the on-screen instructions. In order to verify the security of your recovery phrase, please enter it below.’”

There was an option to toggle between a 12-word seed phrase or a 24-word seed phrase.

“That one gave me pause,” Alex says. They told the caller that their wallet didn’t have a seed phrase, so they couldn’t enter it into the form. The caller asked what kind of wallet Alex was using and listed a number of popular hardware brands.

Alex said “Bitkey” and told the attacker that it didn’t have a recovery phrase.

The attacker pressed Alex again, insisting that every kind of hardware wallet has a recovery phrase. If they couldn’t provide it, the security of their wallet might be irreversibly compromised.

A little extra friction

When Alex couldn’t produce a recovery phrase, the caller tried a new angle on the same attack: they asked Alex to download an entirely new wallet, transfer their funds, then share the seed phrase for the new wallet. 

At that, the alarm bells started ringing. Alex knew that something really wasn’t right. They correctly assumed that this was a scam and hung up the phone.

In fairness, had Alex set up a new wallet, moved their funds, and handed over that seed as prompted, not even Bitkey could have saved them: whoever holds a seed phrase holds the funds, and no legitimate support desk, exchange, or wallet vendor will ever ask for one. But that little extra bit of friction meant that, during the first phase of the attempted scam, Alex couldn’t give up the master key to their funds as easily as a password or a phone number. The attack failed.

Instead of losing everything, Alex kept control of their bitcoin. 

Post-mortem: “Until it happens to you…”

“Any time I see something on reddit or X about someone losing their bitcoin to a scammer, I’m like, that is so dumb. That would never happen to me,” Alex said. “But then it very nearly did.”

“It really was the false sense of urgency—this feeling like my bitcoin was in danger, someone was actively trying to scam me, and all I had to do was follow these steps right away to keep my stash protected,” Alex says. “In reality, I was being scammed, just not in the way I originally thought.”

Looking back, the signs were there.

“In hindsight, the whole thing had all the telltale signs of a scam,” said Alex. “But there were also things that made it feel real. Like the caller had me log in to my real exchange account, so I got a legitimate email from them—just totally unrelated to the scam in progress.”

In this case, Bitkey’s design put a moment of pause between that false sense of urgency and an irreversible mistake. Instead of losing everything, Alex walked away with a decent story and their whole stack intact. 

To learn more about Bitkey (or to grab one for yourself), visit bitkey.world.
