BITCOIN

BitKey, Bitcoin Keeper aim to obsolete physical theft

Sunday, May 17, 2026 · from 3 podcasts

3 SOURCESCitadel Dispatch TFTC What Bitcoin Did

New wallets replace seed phrases with biometrics and time-locks to neutralize physical coercion.
Automated inheritance via Miniscript removes lawyers, creating self-executing on-chain trusts.
Foundation's hardware sandboxing challenges Ledger's monopoly on secure app development.

Self-custody security is shifting from protecting a secret to designing systems where the secret is useless to a thief. New wallets are being built not just to withstand digital attacks, but to make the physical theft of Bitcoin mathematically pointless.

On What Bitcoin Did, Jonathan Pollock detailed BitKey's vault system. It uses a 2-of-2 multisig with Block, requiring two biometric scans separated by a configurable time delay - days or weeks. The goal is to outlast an attacker's patience, as 99% of documented coercion attacks end within a week. Paradoxically, Pollock noted the final escape route might be sending funds to a KYC exchange, moving the battle from a knife point to an identity-verification process an attacker cannot win.

"The industry must design for a scenario where the attacker has full knowledge of your setup and the victim is compliant, yet the coins remain unreachable."
- Jonathan Pollock, What Bitcoin Did

Inheritance, the other major flaw in self-custody, is being automated on-chain. On Citadel Dispatch, Ben Kaufman explained how Bitcoin Keeper uses Miniscript absolute time-locks. An owner gives an heir a key that only activates after a set period, like two years. If the owner doesn't refresh the lock with an on-chain transaction, the heir gains access automatically, turning the Bitcoin protocol into a self-executing trust.

The underlying hardware is also being redesigned to eliminate the seed phrase, which Pollock calls an 'instant compromise' vector. BitKey keeps the private key strictly on the hardware, gated by a fingerprint. Meanwhile, on TFTC, Zach Herbert argued that Foundation's new operating system, KOS, uses hardware-level sandboxing to isolate apps, challenging Ledger's manual-review model. This aims to create a general-purpose security device where apps can't access the master seed, enabling innovation without centralized permission.

"Recovery is handled through a collaborative 2-of-3 setup where keys are distributed between the hardware, a phone app, and Block’s servers."
- Jonathan Pollock, What Bitcoin Did

The progression is clear: security is no longer a user's DIY project. It's being baked into protocols and hardware that protect users from both external coercion and their own errors.

Custody Payments Adoption

Ledger Square Bitcoin Bitcoin Keeper Bitkey Miniscript

Source Intelligence

- Deep dive into what was said in the episodes

Citadel Dispatch

CD203: HERMANN AND CAREL - ATTACK ON BITCOIN IN SOUTH AFRICA • May 15

Coinbase is rebranding its wallet app as 'Base,' positioning it as a Web3 super app akin to WeChat that will include a shitcoin wallet, a social feed, games, and USDC payments.
Spectre Wallet launched in 2020 to simplify multisig by connecting directly to Bitcoin Core, eliminating the need for an Electrum server. Ben Kaufman notes the ecosystem now includes many alternatives like Sparrow, Nunchuk, and Kasu.
Bitcoin Keeper is a mobile app that guides users from a single-sig hot wallet up to long-term, multisig cold storage and inheritance planning. It supports ten major hardware wallets via QR, file, NFC, or a companion desktop app for USB connections.
Bitcoin Keeper's multisig setup uses encrypted 'magic links' stored briefly on its servers for collaboration. Users can share keys, wallet descriptors, or partially signed transactions via these links, QR codes, or files.
Ben Kaufman argues multisig provides superior security and fault tolerance for life savings or corporate treasuries, while a single-sig hardware wallet with a passphrase offers simpler plausible deniability for most users.
Ben Kaufman says major hardware wallet theft is rare; the primary risk is users mishandling seed backups or falling for social engineering scams that panic them into entering seeds online.
Bitcoin Keeper uses Miniscript for inheritance, allowing users to add a time-locked 'inheritance key' that activates after a set period, turning a 2-of-3 multisig into a 2-of-4 or enabling a single-key emergency spend.
Ben Kaufman explains Bitcoin Keeper's inheritance uses absolute time locks set to a future date, not relative locks. Users must create an on-chain transaction to renew the time lock, which the app automates but requires a backup update.
Bitcoin Keeper monetizes via a subscription tier model: a free tier offers core features, while paid tiers start at $15/month for automated backups, Miniscript, inheritance planning, and a server-key option with spending limits.
Bitcoin Keeper supports USDT on Tron, using a BIP85 child seed from the user's main backup and a service called 'gasfree' to pay fees in USDT. The team plans to add swap functionality and support more chains based on demand.
Odell notes Argentina's black market has dollarized into Tether on Tron, and Trust Wallet dominates globally due to its Tether support, creating an opportunity for Bitcoin Keeper to attract international users with strong Bitcoin features.
Bitcoin Keeper omits Lightning support to focus on long-term savings, reasoning users should separate spending and storage wallets. Ben Kaufman has not deeply explored self-custody Lightning solutions like Spark or Arc.
Ben Kaufman observes Bitcoin's financialization is shifting culture toward paper Bitcoin and away from hardcore self-custody, though absolute user numbers for freedom money are still rising and tools are improving.
Bitcoin Keeper is building a contacts feature to enable in-app messaging for collaboration and future social recovery. Ben Kaufman views its current Miniscript inheritance as a form of social recovery where trusted parties hold time-locked keys.

BTC Markets Adoption Stablecoins Protocol Custody

TFTC: A Bitcoin Podcast

Marty Bent

#745: The AI Approval Layer Is Fake with Zach Herbert • May 13

Foundation's Passport Prime runs on a custom microkernel operating system called KOS, with a kernel under 9,000 lines of code written in Rust, designed for minimal attack surface and app sandboxing.
Herbert criticizes Ledger for dominating 90% of the hardware wallet market with a legacy platform built on 30-year-old smart card/Java Card technology, forcing a closed, app-reviewed ecosystem.
KOS sandboxes third-party apps via a message-passing microkernel, memory isolation using an MMU, and grants apps only hardened derived child keys - never the master seed.
Herbert says Foundation will release an SDK and a developer mode for Passport Prime with an MCP server, allowing AI models to autonomously test apps on the real hardware.
Herbert highlights potential KOS app use cases: Nostr signers, password managers, computer login locks, enterprise custody solutions, and storing AI tool credentials securely.
Herbert argues enterprise Bitcoin custody is critically vulnerable, relying on outdated HSMs, internal iPhone apps, or locked-down Linux PCs - all using the same insecure legacy tech available to anyone.

Also from this episode: (8)

Protocol (3)

Zach Herbert advocates for Bitcoin as the ultimate winner in a global currency war where central banks are devaluing fiat currencies.
Herbert argues the common Bitcoin-AI intersection narrative - Lightning for machine-to-machine payments - is a 15-year-old concept from projects like 21.co's Balaji machine-payable web.
Marty Bent observes that Bitcoiners have a unique, low-time-preference perspective on security and institutional trust, which is essential for guiding the AI industry away from its current growth-over-security trajectory.

AI & Tech (4)

Zach Herbert says Foundation's AI integration has accelerated their development pace significantly, though AI models still struggle with low-level firmware and driver code.
Herbert says Foundation's core mission is applying Bitcoin principles of explicit human approval and trusted hardware to secure AI, not just enable AI payments.
Herbert identifies a security crisis in current AI: the approval layer is fake because models ask for permission to perform actions they already have the full technical capability to execute, creating massive risk.
Herbert blames legacy operating systems like Mac OS, Windows, and Linux, built on 30-year-old Unix code with massive attack surfaces, for being unable to distinguish between human and AI agent actions.

Safety (1)

Herbert warns that AI models like Claude's Mythos will likely expose zero-day vulnerabilities in massive codebases like the Linux kernel or Chromium weekly, making current operating systems untenable for security.

AI Infrastructure Startups Privacy Adoption Digital Sovereignty

What Bitcoin Did

Danny Knowles

The Future of Owning Bitcoin | Jonathan Pollock • May 11

Jonathan Pollack argues that wrench attacks exploit a structural flaw in self-custody: when something more valuable than Bitcoin is threatened with violence, security collapses because keys can be coerced.
Pollack criticizes duress pins and decoy wallets as flawed solutions, noting they rely on deception and don't end the attack - they merely shift the threat location or potentially escalate the attacker's anger.
Pollack proposes the wrench attack test: industry solutions should protect Bitcoin even when an attacker knows your setup and you are fully compliant. He believes seedless architectures and transaction-based exit mechanisms offer more protection than instant-compromise seed phrases.
BitKey is a seedless multisig wallet with three keys. Pollack explains users hold two keys: one on the hardware and an encrypted app key uploaded to cloud storage, while Block holds a third key that cannot view transactions due to chaincode delegation.
Pollack states BitKey's new hardware wallet features a screen to verify all system actions, including transactions, security settings, and recovery configurations, moving beyond simple transaction signing.
Pollack argues self-custody products must balance security, recovery, privacy, and ease of use, noting the biggest threat to Bitcoin is often user error rather than external adversaries.
Pollack critiques conflating self-reliance as a virtue with lacking good products. His ethos is to enable permissionless money access through safer, easier solutions rather than DIY complexity.
Pollack outlines BitKey's proposed wrench attack vault solution: a two-of-two door requiring biometric checks and a configurable time delay, and a self-custody door unlocked after a preset period like two years.
Pollack and Danny Knowles discuss a potential final vault destination for stolen keys, suggesting a KYC exchange address might be optimal despite being custodial, as institutions are not susceptible to physical coercion.
Pollack believes ETFs offer permissioned price exposure, not permissionless money utility. He argues users must choose between self-custody key risks and political/business risks like forced conversion, custodial fraud, or market restrictions.
Pollack defines a hardware wallet as a system needing internet connectivity for wallet functions, not just an air-gapped signing device. He advocates evaluating self-custody as a holistic system covering security, recovery, privacy, and usability.
Pollack argues comparing BitKey's full system to a standalone hardware signer like Coldcard is incomplete; one must include the DIY multisig, recovery, and inheritance setups, which BitKey integrates elegantly.
Danny Knowles mentions a wrench attack statistic: approximately 50 attacks per week in France this year, citing a friend's report of a London attack where a significant amount was stolen from an exchange.
Pollack references James Lopp's GitHub data on wrench attacks: extending the attack duration beyond one week reduces incidents to 1% of listed cases, and no attacks lasted longer than a month.

Also from this episode: (1)

Protocol (1)

Pollack views quantum computing as a supply shock risk rather than an existential threat to Bitcoin, preferring a price crash over protocol changes that confiscate coins and break property rights.

Custody Adoption ETFs Privacy