Further Reading: Wallets, Custody, and Personal Security

Foundational Standards and Specifications

  • BIP-39: Mnemonic Code for Generating Deterministic Keys. Marek Palatinus, Pavol Rusnak, Aaron Voisine, Sean Bowe. The original specification for seed phrase generation, including the wordlist, entropy-to-mnemonic conversion, and mnemonic-to-seed derivation via PBKDF2. Essential reading for understanding the technical foundation of every modern cryptocurrency wallet. https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

  • BIP-32: Hierarchical Deterministic Wallets. Pieter Wuille. The specification for deriving a tree of cryptographic keys from a single master seed. Defines parent-child key derivation, hardened vs. non-hardened derivation, and the chain code mechanism. The mathematical foundation of HD wallets. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

  • BIP-44: Multi-Account Hierarchy for Deterministic Wallets. Marek Palatinus, Pavol Rusnak. Builds on BIP-32 to define a standard derivation path structure (purpose/coin_type/account/change/address_index) that enables interoperability between wallets. https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki

  • SLIP-44: Registered Coin Types for BIP-44. SatoshiLabs. The registry of coin type numbers used in BIP-44 derivation paths (0 for Bitcoin, 60 for Ethereum, etc.). Useful reference for understanding which derivation paths correspond to which blockchains. https://github.com/satoshilabs/slips/blob/master/slip-0044.md

Wallet Security and Self-Custody

  • "Why We Need Wide Adoption of Social Recovery Wallets." Vitalik Buterin (2021). Buterin's influential essay arguing that the burden of single-key self-custody is the primary barrier to cryptocurrency adoption, and proposing social recovery as a solution. Examines the limitations of multi-sig and hardware wallets, and outlines a guardian-based recovery model. https://vitalik.eth.limo/general/2021/01/11/recovery.html

  • "The Glacier Protocol: An Operational Guide for Personal Cold Storage of Bitcoin." Glacier Protocol Team. An exhaustive, step-by-step guide to generating and storing Bitcoin keys on air-gapped computers. While primarily focused on Bitcoin, the operational security principles — quarantine procedures, entropy verification, multisig setup — are applicable to any cryptocurrency. The level of rigor approaches institutional grade. https://glacierprotocol.org/

  • "A Cypherpunk's Manifesto." Eric Hughes (1993). The foundational document of the cypherpunk movement, which articulated the principles — privacy, cryptographic autonomy, and resistance to centralized control — that underpin the self-custody philosophy. Understanding why "not your keys, not your coins" is a value, not just a risk management strategy. https://www.activism.net/cypherpunk/manifesto.html

  • Mastering Bitcoin, 3rd Edition. Andreas M. Antonopoulos, David A. Harding. O'Reilly Media, 2023. Chapters 5 (Wallets) and 6 (Transactions) provide the most accessible deep-dive into HD wallet construction, key derivation, and transaction signing. The technical detail is sufficient for implementation while remaining readable.

Attack Vectors and Incident Analysis

  • "The Ronin Network Hack: A Post-Mortem." Chainalysis Blog (2022). Detailed analysis of the Ronin Bridge attack, including blockchain forensics tracing the $620 million in stolen funds through the Lazarus Group's laundering pipeline (Tornado Cash, cross-chain bridges, P2P exchanges). Provides the data behind Case Study 1. https://www.chainalysis.com/blog/ronin-bridge-hack-north-korea/

  • "SIM Swap Attacks: What They Are and How to Protect Yourself." Electronic Frontier Foundation (EFF). Comprehensive overview of SIM swap mechanics, documented cases, and carrier-level defenses. Includes specific recommendations for securing mobile accounts used for cryptocurrency-related authentication. https://ssd.eff.org/module/how-avoid-phishing-attacks (EFF Surveillance Self-Defense series)

  • "Understanding ERC-20 Token Approvals and the Risks of Unlimited Allowances." Revoke.cash Documentation. Technical explanation of how the ERC-20 approve function works, why unlimited allowances are dangerous, and how to audit and revoke them. Includes worked examples for Ethereum, Polygon, Arbitrum, and other EVM chains. https://revoke.cash/learn

  • "The $5 Wrench Attack." A widely referenced thought experiment (originally from an XKCD comic, #538) illustrating that cryptographic security is irrelevant when an attacker can apply physical coercion. Important for calibrating the role of technical security within a holistic threat model. https://xkcd.com/538/

Hardware Wallet Architecture

  • Ledger Security Model Documentation. Ledger Academy. Official documentation describing Ledger's secure element architecture, attestation model, firmware update process, and the BOLOS operating system. Essential reading for understanding what Ledger devices do and do not guarantee. https://www.ledger.com/academy/security

  • Trezor Security Model. SatoshiLabs. Trezor's documentation of its open-source security architecture, including the trade-offs of using a general-purpose microcontroller without a secure element. Contrasts instructively with Ledger's closed-source secure element approach. https://trezor.io/learn/a/trezor-security-model

  • "Extracting Seeds from Hardware Wallets." Kraken Security Labs (2020). A research report demonstrating physical key extraction from a Trezor Model T using voltage glitching — a fault injection attack. This paper is frequently cited in discussions of secure element vs. general-purpose microcontroller trade-offs, and illustrates why physical access to a hardware wallet is a meaningful threat. https://blog.kraken.com/security/kraken-security-labs-supply-chain-attacks-against-ledger-nano-x

  • ColdCard Documentation and Source Code. Coinkite. ColdCard's fully open-source firmware, hardware schematics, and operational guides. A reference implementation for Bitcoin-only hardware wallet design with air-gapped signing, PSBT support, and dual secure element architecture. https://coldcard.com/docs/

Institutional Custody and MPC

  • "Multi-Party Computation: An Introduction." Yehuda Lindell. Academic introduction to the MPC protocols used in institutional custody solutions like Fireblocks. Explains the cryptographic foundations: secret sharing, oblivious transfer, garbled circuits, and threshold signing schemes. Moderately technical but accessible to readers with undergraduate-level mathematics. https://eprint.iacr.org/2020/300.pdf

  • "The Institutional Investor's Guide to Cryptocurrency Custody." Fidelity Digital Assets (2023). White paper examining custody from the perspective of a traditional financial institution entering the digital asset space. Covers regulatory requirements (SEC Custody Rule, OCC guidance), insurance considerations, and operational risk frameworks.

  • "Fireblocks MPC-CMP: Technical Overview." Fireblocks Whitepaper. Technical documentation of Fireblocks' MPC-CMP (Communication-efficient Multi-Party) protocol, which enables threshold signing without ever assembling the complete key. Includes performance benchmarks and security proofs. https://www.fireblocks.com/what-is-mpc/

Regulatory and Policy Context

  • "EU Transfer of Funds Regulation (TFR) — Implications for Self-Custody Wallets." European Parliament (2023). The regulatory text requiring identity verification for transfers between self-custody wallets and regulated exchanges. A case study in how regulation interacts with self-custody technology.

  • "OFAC Sanctions on Tornado Cash: Legal Analysis." Coin Center (2022). Legal analysis of the U.S. Treasury's decision to sanction Tornado Cash — the mixing service used by the Lazarus Group to launder funds from the Ronin hack. Examines the legal theory of sanctioning autonomous smart contracts and the implications for open-source software development. https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/

Tools and Practical Resources

  • Revoke.cash — Web tool for auditing and revoking ERC-20 token approvals across Ethereum and EVM-compatible chains. The most widely used approval management interface. https://revoke.cash

  • Safe (Gnosis Safe) — The dominant multi-sig smart contract wallet for Ethereum. Documentation includes setup guides, governance frameworks, and developer APIs. https://safe.global

  • Sparrow Wallet — Open-source Bitcoin desktop wallet with support for hardware wallet integration, multi-sig, and air-gapped signing via PSBT. Recommended for users who want maximum control over their Bitcoin operations. https://sparrowwallet.com

  • Ian Coleman's BIP-39 Tool — Browser-based tool for generating and exploring BIP-39 mnemonics and BIP-32/BIP-44 derivation paths. Useful for educational purposes. WARNING: Should only be used offline on an air-gapped machine for any real key generation. https://iancoleman.io/bip39/

  • Casa — Managed multi-sig custody service for individuals. Provides 2-of-3 and 3-of-5 multi-sig setups with inheritance planning, mobile key management, and emergency recovery. A bridge between self-custody and institutional custody for high-net-worth individuals. https://casa.io