Zero Crypto at Home: Bankless in the Age of Wrench Attacks and Phishing | Jameson Lopp and Beau
Ryan:
[0:00] We have two security experts on the podcast today. In addition to myself, this is Ryan Sean Adams. David can't be with us today. Let me tell you why I'm doing this episode.
Ryan:
[0:10] There's been an increase in physical attacks on crypto investors. It's probably happened over the last year or two in particular. I could share a dozen or more stories. This is causing anxiety in the crypto community. Perhaps as a listener, it's causing you some anxiety as you've seen some of these in the headlines. So this episode is a way to get back some control. This episode is about tactics. This is ways to harden your physical security against wrench attacks and your digital security against phishing attacks. It includes an approach that I like called zero crypto at home. At least that's what I'm calling it. And it pretty much means what it says. It is about designing a system so that you can't access crypto at home using multi-sigs, time delays, third-party verification when needed. Now, I know this adds some friction in the process. I know in some ways it's not ideal, but it is something I advise and that's important in particular if you're a doxed crypto investor. You're not pseudonymous and your name is out there. Because one thing I think you'll hear if you've listened to the Bankless podcast for any amount of time is we believe the purpose of crypto is freedom. You want to be your own bank, but you don't want to be your bank security guard. That is not freedom. So let's figure out how to go bankless in the age of wrench attacks.
Ryan:
[1:37] Bankless Nation doing this episode because it feels very timely. And the truth is, I've been delaying doing this episode for quite some time
Ryan:
[1:45] because it's somewhat anxiety inducing. But the reason that I think we need this now is because crypto natives and maybe the crypto industry is feeling some security anxiety, some increased security anxiety. So I have two guests on that are going to talk about that. And my hope is we get a clear eyed picture of the problem that crypto natives face. And also, we come out of this with some optimism and some solutions. So if you are a crypto native, if you've been in this industry for a while, this is one you're going to want to tune into because we dive into some topics around security and protection and wrench attacks pretty deeply. I have the two best guests to do this. Jameson Lopp. He is the co-founder of Casa Security. Also, Beau. He is a former CIA officer. He now runs safety at Pudgy Penguins. Jameson, Beau, thanks for joining us. Glad to be here.
Beau:
[2:44] Thanks for having me.
Ryan:
[2:45] All right. As we start 2026, I'd like your opinion on the biggest threats facing crypto natives. How would you categorize them and what would you say, Jameson?
Jameson:
[2:56] Well, I mean, the biggest threat, I think, is the same as it's always been, which has been trusted third parties and just not taking custody of your own assets because there's a million things that can go wrong in this space. And at least when you're taking control of your keys, you're limiting who can make all of those mistakes. Beyond that, privacy is a really big one. We'll get into that because I basically consider privacy to be the outermost layer of security. If you can stop people at the privacy layer, then hopefully they don't ever even get to test any of your other layers of security. And then really... What we'll probably end up spending some time talking about, but is I think the least concerning to people because it's the least frequent, but it's getting more attention is the actual physical attacks. But it is kind of novel to this space and has been getting more attention simply due to the egregious nature of them.
Ryan:
[3:54] Okay, I just want to drill into that for a minute, Jameson. So you think of all of the threats facing crypto holders and crypto natives today. Some of the threats that we're going to talk about, like wrench attacks maybe, are much more distant than the actual threat of custodying your crypto assets with some sort of third party. And by third party, you mean like an exchange, let's say, or a custodian, an FTX, or a BlockFi that you're not sure about. You still weight those threats as far higher than some of the ones we're going to talk about around going bankless with your crypto assets?
Jameson:
[4:29] Yeah, or even doing self-custody with novel smart contracts that haven't been sufficiently vetted and audited and stuff. And the problem with any of these is that they can all lead to catastrophic loss. But in this sort of grand scale of things, if you look at the total stats of losses and types of losses that have been happening in recent years, it's still mostly trusted third parties, poorly audited systems. And even though wrench attacks are on the rise, relatively speaking, when you compare them to the greater ecosystem of threats, they're still very small.
Ryan:
[5:07] Okay. Beau, what would you say to this same question, the greatest threats facing crypto natives in 2026?
Beau:
[5:13] I would pretty much agree with Jameson's prioritization there. I think, especially with keeping in mind, we may be heading into a bear market. We're in a bear market, however you want to think about it. The risks like you mentioned of an FTX or last cycle Robinhood had people force sell their Solana tokens near the market lows, right? When you don't control your own tokens, a lot of bad stuff can happen. Ranging from...
Beau:
[5:39] You know, an exchange trying to do the right thing from a regulatory perspective to an exchange going under. Jameson alluded to this a little bit, but, you know, as crypto companies start to lay off their developing teams because there's just less money in the space, those smart contracts aren't going to be audited as frequently. Scammers are going to focus, you know, potentially on that more than individual investors because they know there's less people guarding those types of, you know, financial assets out there. So I would, I don't have a ton to add to that. I think that's pretty much where I fall as well. And would also add that, you know, as wrench attacks become more of a topic of conversation, they sound scary, but, you know, for the average investor who's listening to this podcast,
Beau:
[6:26] like, you need to take care of that digital security side first. Because, you know, the odds of that wrench attack happening to you compared to the hundreds of phishing attempts you'll see online through X or Discord or Telegram every day, it's, you know, you need to prepare yourself for what's most likely that you're going to encounter every day. So fully agree with Jameson there.
Ryan:
[6:48] Actually, Beau, maybe that's a great place to start. And let's narrow the audience a little bit. So who you're talking about to on the Bankless podcast, as you guys probably know, is as we advocate the idea of going bankless, right? And so that has been what we advocate for day one for some of the reasons both of you mentioned. Third parties are the ones that often fail in a security setup, and those are the ones that lose your assets. So how do you solve for that? The cryptocurrency way, the Bitcoin way, the Ethereum way is you go bankless. Now, I feel like there have been increasingly some chinks in the armor with respect to that. Sometimes the user experience is sort of hard to do that. We'll talk about that. But then you can get past all of that and you can learn how to custody your crypto assets well. But then what's really thrown me for a loop has been both the phishing attacks that have gotten...
Ryan:
[7:42] Have increasingly sophisticated and have tricked even seasoned crypto natives out of their assets. So that's one dimension that has been sort of a chink in the armor of the advice to go bankless to solve this if you want the 100% kind of security. And the other thing has been, quite frankly, wrench attacks. And these, while rare, they're incredibly scary. And they have been happening to crypto natives in the space. So maybe these are the two things I want to focus on. And Beau, you just gave us some prioritization there. And you said, by far and away, the biggest threat in terms of probability you're going to face if you are doing some self-custody of your assets is probably some sort of phishing type of attack. And you said digital security, I believe, is the most important. Can you get into the types of attacks that are targeting crypto natives on the phishing side of things? And then give us some scenarios maybe so that we can
Ryan:
[8:41] be thinking about this and then we'll talk about how to protect your digital security.
Beau:
[8:46] Sure, and yeah, I think just to put it in like a little bit more of a framework, you know, I have a military and Intel background. So when we're planning, we talk about the most likely course of action and the most dangerous course of action. So for people, you know, who are concerned about crypto threats, the most likely course of action, right, is that, you know, you're going to encounter these digital threats. You know, we can talk about the specifics in a second. But the most dangerous course of action is that idea of someone's going to show up to your home, they're going to threaten you and your family, you know, they're going to potentially take your life, you know, in an attempt to get your crypto, right? So, you know, it is important to plan for both the most likely and the most dangerous course of actions. So it's not to write off the wrench attack threat at all. But yeah, I think some scenarios for some of the phishing attempts we've seen, you know,
Beau:
[9:36] Really, scammers are trying to do one of two things.
Beau:
[9:40] And that is compromise your private keys, or it's to trick you into giving them permission to do something on-chain. So I have an NFT background because
Beau:
[9:49] I work with
Beau:
[9:50] Pudgy Penguins. So using an NFT example, when you're trading NFTs on Ethereum, you have to grant smart contract approvals for marketplaces like OpenSea to take the asset from your wallet that you're selling and transfer it to the buyer. And when you grant these approvals, you know, you're giving permission for that smart contract to go into your wallet, take those assets and move it. And so scammers develop phishing sites that, you know, essentially impersonate reputable brands in the space like OpenSea or like Pudgy Penguins and try and trick the user into going to that site. So you might be scrolling your feed on X and see Pudgy Penguins is launching a new airdrop, you know, come claim it now. And you'll go to that site and it'll look just like our website. You'll see a connect wallet button. You'll connect your wallet and the website's going to scan your wallet to see what assets you hold. And if you hold the valuable assets they're looking for, they'll present you with a signature that makes a call on the smart contract that you've granted approvals for. So they'll use the permissions you gave to OpenSea to take a Pudgy Penguin NFT from your wallet and they'll transfer it to themselves. And they can use gasless signature requests to do this. It's not very clear what you're signing. And so you can pretty easily, if you're not paying attention or tired, you can give away your assets in seconds.
Beau:
[11:18] And then another vector I mentioned, right, is they want to compromise your private keys. And so a major way that attackers try and do this is through seeding malware onto the devices that might secure your private keys. So many people enter in this space, I'm sure, just like I did,
Beau:
[11:35] which is you
Beau:
[11:36] download a MetaMask wallet. You know, it's a hot wallet. Your keys are generated online. They're stored, you know, locally. And so if you download malware, that can potentially take your private keys and fully compromise your wallet. And that can be distributed in a million different ways from downloading a mod to a game if you're using a gaming PC for crypto things. We've seen fake job interviews where the scammer tries to get a victim to download a meeting software that might look like Zoom. Fake versions of Ledger Live or other hardware wallet, local software. And the whole goal is to get that access to your device that secures those private keys. So I think at a high level, those are two examples of the phishing we see. I think we can talk about social engineering more broadly, but almost all of these attempts have, you know, elements of social engineering, which is really to try and twist someone's emotions into doing an action that they otherwise might not do. So, you know, claiming an airdrop, you're going to get free money. This is an emotional, you know, response that people are going to have.
Beau:
[12:54] You know, someone potentially offering you a job has similar reactions. So I'll pause there.
Ryan:
[13:00] Jameson, what would you add to the digital threats?
Jameson:
[13:03] Yeah, I mean, I think that's a good rundown of the landscape of threats. And then I would say, you know, the techniques for combating these are actually not that difficult. It mostly comes down to simplicity and minimizing your attack surface. So if you are doing any sort of regular trading or interacting with crypto networks on a browser or on a laptop or desktop, then you should minimize how many different types of software you're installing on there. Every time you install a new software, that's a potential threat vector. Also, you should be segregating your different types of wallets.
Jameson:
[13:43] Think of it in the same way as like, you know, you have your wallet that you carry around with you with a little bit of cash and credit cards and stuff. That's your spending wallet. You don't carry around tens of thousands or hundreds of thousands of dollars with
Jameson:
[13:57] you in your back pocket. You shouldn't be doing the same thing with your crypto assets. You should be having your high security vault that is completely separate and hopefully cold storage and hopefully with like distributed keys if it's a life changing amount of money that we're talking about. And then you have your small spending account that you're taking more risks with, and it's not going to ruin your life if something goes wrong.
Ryan:
[14:21] All that makes sense. I guess maybe going back to some of the things that you guys are saying is, Beau, as you were describing this, it almost felt like a paralysis sets in, which is like, I want the easy button solution. And maybe the easy button solution is like, I just don't do anything on chain.
Ryan:
[14:42] You're saying that smart contracts, for instance, I could be tricked into clicking the wrong link and doing sort of a phishing smart contract. Well, maybe I just stopped doing things on chain altogether. Is that an answer here? Because I think this is part of the challenge that Bankless listeners will be faced with as they hear about some of these scenarios, which is just like, well, maybe the answer is I should stop doing things on chain. You go even more extreme. Maybe the answer is I should just put my crypto assets into custodial ETFs and just kind of let it ride. Beau, are there like ways around this? Because I'm worried that the attacks get more sophisticated. I won't always have my guard up. You know, there could be a co-worker's Telegram account that gets hacked where they sort of analyze our conversation history. They sound just like the person I was talking to. I'm a little sleepy, a little groggy. I always click this Zoom link and then I click the Zoom link and I log on and it's deep faked. It looks like the person I've interacted with and they somehow are able to socially engineer private keys out of me. Well, I just don't want to click any links on the internet. I just don't want to join any Zoom meetings. What are some practical safeguards we can take on the digital security side that are like doable, but still have us able to actually live our day to day lives and do things in crypto?
Beau:
[16:11] Yeah, I think it's a great question. And I'm not going to steal Jameson's thunder on the ETFs because I know he has some, he's talked a lot about that. But like, I don't think the answer is, you know, just not doing things on chain, or I don't think the answer is, I'm not going to actually hold Bitcoin, I'm going to own an ETF instead, right? I think, you know, especially, again, in the NFT world, you own these assets because they give you access to things. And so to just buy them and leave them in a wallet and never do anything with them is kind of defeating the purpose. Similar to if you're interested in DeFi, right? And you want to go open liquidity positions or lend against your money or any of those things, you're kind of leaving a whole bunch of options for yourself on the table if you just say,
Beau:
[16:58] I'm not going to participate.
Beau:
[17:00] And so, you know, I think practically what Jameson was talking about a little bit about wallet segregation is super important. You know, I have what I described as like a three wallet system where I have that day to day wallet that I, you know, carry around with me for tiny things. I have wallets that I use that are dedicated to riskier activity. So if I wanted to sell an asset or interact with a smart contract,
Beau:
[17:25] grant approvals, that kind of thing, I'm mostly doing that on a dedicated
Beau:
[17:29] set of wallets. And then I have wallets that I never grant approvals on.
Beau:
[17:34] And I never really do anything with except for transfer assets to and from them. And that helps me know that my riskiest activity is far away from my most valuable assets. And really, that system is betting against myself on some level that if I end up making a mistake, I know that I'm not going to have made that mistake on a wallet that has my most valuable assets. And so I think having a simple system where you know what you're doing with each wallet, you understand what you have allowed yourself to interact with. Those are really important. And the other thing I would say in general is, you know, wallet providers have gotten better. Wallet options have gotten better.
Beau:
[18:23] Both at detecting scams.
Beau:
[18:25] At securing your private keys. I think Jameson's company, Casa, is a good example of this. There's a bunch of alternatives out there to, oh, I clicked this Zoom link and all of a sudden all my assets are gone. And that's not really how it works anyways. But there's a bunch of alternatives to, yeah, if I download malware on my MacBook right now, I might lose a few hundred bucks in a hot wallet. But I know for certain that the way I've stored my private keys, the way that I've kept my seed phrases offline, they're not sitting in my notes app on my iPhone or my MacBook, like those things are not going to get compromised. And so, you know, I don't worry so much about, you know, what happens if I download malware? Is it going to impact my crypto assets? Because the system I've set up allows me to have some confidence and not worry as much about those scams. So I think it's super important for when we onboard people to the space for the first time to help them understand the consequences of certain decisions.
Beau:
[19:29] So many people just use the same wallet for everything they're doing on chain and never think about the risks of keeping all their eggs in one basket. So as simple as it is, literally just having a wallet on a separate seed phrase that's written down and using a hardware wallet or distributed signers, that's going to protect so much of your stack compared to if you just keep it all on one MetaMask wallet, for example, or one hot wallet. So I think...
Beau:
[20:03] I would just wrap it up by saying, don't keep your eggs in one basket. Leverage the advantages of hardware wallets that keep your keys stored offline. That's something that really anybody who's got more than $1,000 in crypto should think about. Go out and spend $100 on a hardware wallet and start moving those assets from your browser extension wallet or from your iPhone app wallet over to something
Beau:
[20:30] that's a little bit more secure.
Ryan:
[20:32] Okay, so wallet segregation. I think we picked up our first tactical to-do from this episode. Now let's flesh that out a bit more. Okay, so what I want is a wallet segregation approach that the two of you would rate as like a 9 out of 10, for instance. Right now, it sounds like the worst thing you could do is keep all of your crypto assets in one wallet on browser extension MetaMask. Do not do that. The worst thing you can do. But what's kind of a segregation approach that works for the vast majority of people? Is it sort of a hot wallet, cold wallet? Are there kind of two? And in the cold wallet, is that multi-sig? Is that hardware backed? And then how do you delineate what you keep in the hot wallet versus the cold wallet? And is there something in between? Is there like the idea of a warm wallet? Maybe, Jameson, you could just flesh out what a fairly good wallet segmentation approach would look like for someone listening.
Jameson:
[21:35] Well, I generally say you shouldn't keep more value in a hot wallet than you would carry around in cash in a wallet that you keep in your pocket. So for me, that would be maybe like $1,000-ish. It's highly convenient, but it's also highly prone to a wide variety of different forms of loss. Really, if you have more than a few thousand dollars worth of assets, it starts making logical sense to spend $100 to buy one of the well-vetted and reputable cold wallet hardware brands, whether that's Trezor, Ledger, Bitbox, what have you. There's plenty of them out there. It doesn't take too much research to figure out which ones have been around for a long time and have good reputations.
Beau:
[22:20] And that's good because you can carry that around with you if need be.
Jameson:
[22:24] These are incredibly tiny devices and you just plug them in to your phone or your laptop or what have you if you need to interact with a crypto asset network to do something. And that protects you from like 95% of the bad stuff that happens out there. The only thing that you need to understand at that point is that you should never, ever, ever type that seed phrase into anything other than the actual tiny little cold storage device itself, because that's where the social engineering comes in. And our best practices around security have increased so much over the past decade that that's why you see social engineering as the most common form of attack these days is because the malicious actors out there know that they're not actually going to be able to compromise these devices that are incredibly hardened and simple and difficult to get malware onto because they're designed to resist malware. So instead, the weak point for most people these days is right here between your eyes, is they're going to try to trick you and they're going to use very common tactics, fear, doubt, urgency, to try to make you think that there's some sort of emergency where you need to take action and you jump through hoops without really thinking about it too much. And I think that people mostly need to understand that as soon as you are taking custody of your assets,
Jameson:
[23:51] with great power comes great responsibility.
Jameson:
[23:53] You are taking on a great power because you no longer have to ask permission to use your assets as you wish. But now you are the bank. And banks put a lot of effort into their security for a reason. There's a reason why banks exist. It's because people generally prefer to outsource all of the complexities of security. So one way I like to look at it is, you know how there's a lot of drugs out there where on the label it says, do not operate heavy machinery while taking this drug? I think that you should look at it as you should never operate a crypto wallet when you're not in peak cognitive condition. If you're under the influence of anything, if you're tired, if you're sick, that can cause you to not be as aware and catch things where some attacker is trying to trick you. So, you know, I generally interact with the crypto networks as little as possible. And when I do, I only do it, you know, in the middle of the day when I'm wide awake and I don't have any sort of issues that might cause me to miss something. So you have to be very careful whenever you interact with your wallet, it is a potentially catastrophic operation because if you screw up, if you fall for a trick, there's no one out there who can undo it.
Ryan:
[25:17] So I guess maybe an instinct, if you're feeling some sort of rush from some source to do this transaction now, whatever the cause of the source, you should really pause, you should take a deep breath and you should try to wait, you know, 24 hours at least for that panic to subside. You shouldn't do anything in a rush or in a panic when it comes to on-chain assets. On the social engineering side of things, how about sort of reducing the channels? You know, I think a lot of crypto listeners, Bankless listeners are probably getting text messages, are probably getting spam calls from data leaks in the past, purporting to be Google, purporting to be maybe Coinbase support. Is the rule just like don't answer any of those things? Or on Telegram, for instance, you get DMs and it's just, this happens all of the time. People say, hey, is so-and-so a Bankless employee? They asked me to join this channel for an interview. And the answer always is like, no. That's not how we contact you. But like, is the answer just don't respond to a DM or a Telegram message from a source that you don't trust or haven't authenticated via multiple channels? Like, do you guys have general rules of thumb?
Ryan:
[26:35] To prevent yourself and harden yourself from being socially engineered by an email, a link, something that happens online, a text message?
Jameson:
[26:45] Yeah, so the key word that you used is authenticate. And the short version is that almost every communication channel out there is not authenticated. There are very few, maybe, so basically like end-to-end encrypted channels, like if you have a Signal chat pre-established with someone where you've already verified it's been historically, maybe WhatsApp, beyond that, email, text message, Discord, Telegram, all of these other things are not authenticated and it's very easy for people to just pretend to be someone else. So the short version is I don't trust any incoming message. If you receive an incoming message that seems fishy, then what you should be doing is then finding how to contact that person yourself, preferably via a different communication channel and asking them, hey, is this you? Can you confirm or deny?
Ryan:
[27:43] Now, cat and mouse games, right, happen with this type of thing. So some of the attacks are getting more and more sophisticated. So imagine a scenario where it's a loved one who calls you and it sounds like their voice, for instance, and they're asking for funds for some sort of urgent use case. And it sounds just like them. Maybe it looks like it's coming from their phone number even. I've heard people talk about instituting safe words for their close social connection, which is some sort of a prompt or a way to prompt one of your loved ones, your individual, you agree upon the safe word in advance, and that allows you to authenticate. What are some of the best practices there, Jameson?
Jameson:
[28:25] Yeah, I mean, so the main reason I'm not a fan of safe words is because unless it's, if you're picking something kind of unique and you're not practicing it regularly, then when you get into a situation where someone's under duress, you may very well forget it. I prefer to use shared insider knowledge. So, you know, if you and a friend or you and a loved one have an extensive history together, then there's going to be no shortage of like memorable events that you share that are not public that you can ask each other about. And of course, you can discuss that ahead of time. But I think that that's something that's easier to keep track of and be sure that you're just you're not going to draw a blank if you get into a situation. You don't want there to be some random word that you only talked about once five years ago and completely forgotten.
Ryan:
[29:16] So if you're doing a safe word, make sure you practice that on a routine basis, or otherwise, just you can authenticate by calling, you know, like recalling some sort of shared memory, some sort of thing only the two of you would know. And I guess, you know, hope that works out. But Beau, do you have anything to add on the social engineering front?
Beau:
[29:35] Yeah, I think, you know, just on safe words real quick, like, that's a concept that in the Intel world, obviously, is very, you know, common, you know, when you're meeting someone in real life, you want to establish bona fides, you want to make sure that this is the person you actually are here to meet, right? And James is exactly right, that takes practice, right? So doing something that's more natural, just, you know, having those shared memories is way more effective than, you know, trying to force your loved one to bring up banana in a conversation, right? Especially if it's like a wrench attack scenario where they're under duress, that kind of thing. On social engineering in general, I think my rule of thumb is if I receive an incoming message from a crypto website or really anything crypto related at all, an exchange website, app, if I feel so concerned about whatever that incoming message is, I would go log into that website directly. I would not click the link in the email or the text message. I would not call the phone number that the text
Beau:
[30:40] message tells me
Beau:
[30:41] to call. I can always log into my Coinbase account and I can check, is there a suspicious login? There's a spot to see that in your security settings of your Coinbase account. So, you know, trusting that source directly, authenticating that, you know, the information you're getting from Coinbase is actually from Coinbase, you can do that by logging into Coinbase, right? So, you know, of course, that's dependent upon you doing that independently, typing the correct, you know, website in your browser, logging in and making sure it's the correct website, right? You know.
Beau:
[31:20] That message saying, hey, your Coinbase account has been hacked, click here to reset your password, that's never going to help you.
Jameson:
[31:28] Yeah. Another really common thing that very few people, I think, appreciate is how many types of attacks a simple password manager protects you from. And the reason for this is, like Beau was saying, often these incoming messages will have links and phishers will basically try to trick you into putting your credentials into their web portal, which they'll then grab and use to actually log into your account and drain everything. But if you're using a password manager, you should only be clicking on the password manager to have it autofill your username and password. And the reason why this is so powerful is that there are things out there like typosquatting where they'll buy these domains that to
Jameson:
[32:13] the human eye
Jameson:
[32:13] look exactly like the target's domain, like the coinbase.com or whatever, but the password manager can tell the difference. And if you end up clicking on one of these phishing links to a domain that looks the same, the password manager will not autofill it, and that's another major red flag. Okay.
Ryan:
[32:29] So another recommendation is password managers. Go ahead, Beau.
Beau:
[32:33] Yeah, and I think it's a very similar concept to what Jameson is describing with 2FA and multi-factor authentication. You know, when you use a key like a YubiKey or even most passkeys, right, those will not authenticate on those fake phishing websites. Whereas if you're using Google Authenticator and it's giving you a six-digit code, you are a vulnerability in that you can provide that six-digit code on a phishing website if you're not paying attention. And at that point, your 2FA has not done anything for you because those websites are running a script on the back end to immediately take your 2FA code and go plug it into the real Coinbase website, for example. So plus one on password managers. And when you're thinking about 2FA, I think buying a YubiKey for $50 is a great investment for anybody, period. But especially people in crypto. So, you know, that's something you can add to your Coinbase account. That's something you can add to most other exchanges.
Ryan:
[33:36] So a big, big plus one then for password managers, plus 2FA for all of your accounts in general. And the gold standard for 2FA is getting used to actually using a physical YubiKey at some level and storing that and protecting that and backing that up appropriately. SMS for two-factor. No, thank you.
Beau:
[33:58] Yeah, we do not like SMS,
Ryan:
[34:00] Right? The reason, of course, is if you get a text message, you could be SIM swapped. It is incredibly insecure. Do not use SMS. The authenticator codes, that's better than SMS if you have to, but then the gold standard would be a YubiKey. It sounds like that's the recommendation.
Jameson:
[34:16] Yeah, I'll actually tell you. So the specifics of what we require our employees to do at Casa is... Highest preference is YubiKey, like FIDO2, TAP, or passkey on YubiKey, the newer YubiKey to support passkeys. And as Beau said, passkeys are a great improvement upon all other types of 2FA because they are bound to the domain name.
Jameson:
[34:41] Next one below that is the TOTP, the time-based one-time passwords, which is the six-digit rotating passwords. Many people just say Google Authenticator because that's the most common software. But Google Authenticator itself, I hate because by default, it will actually upload all of your secrets to the cloud, to your Google Drive. And so then if your Google account gets exposed, they can grab all of those. The cool thing, once again, about YubiKey that I think a lot of people don't know is that even if a service doesn't support the FIDO U2F or passkey on YubiKey, there's actually some software for YubiKey called Yubico Authenticator. And that's like Google Authenticator, except it stores the secrets on the hardware device itself. So once again, you're getting all of that physical security where unless an attacker actually takes physical control of that YubiKey, they can't do anything. And then the last vestige of 2FA beyond that would be like email and then potentially SMS. There are still actually often banks that only support, you know, the SMS 2FA and there's not much you can do about that. Personally, what I do is I have a ton of different virtual phone numbers and, you know, the virtual phone number services are segregated and they're set up behind their own
Jameson:
[36:07] credentials and they can't be ported away. And so it's about as good as I figure you can get when it comes to SMS security.
Ryan:
[36:14] Can we say on digital security a word about email? Because so often as the founder of ProtonMail came on recently, he said email is not just email anymore. Email is actually identity. And so the challenge here is if your email gets hacked, many listeners will be using Gmail and there's lots of challenges with Gmail. I advocate advanced protection, you know, remove, for instance, the recovery phone number and the recovery email address. Those defaults are equally pernicious as kind of the Google Authenticator default. And then where possible, I mean, don't use Gmail, right? I mean, you could use ProtonMail. You can actually set up aliases and identities for various accounts. Jameson, what do you think of that advice and what would you add to the email conversation?
Beau:
[37:02] Yeah.
Jameson:
[37:02] So what we see most often with social engineering is that they're trying to get into your email account because often most people don't have strong two-factor authentication. And if you own somebody's email account, you can reset their passwords and their 2FA and then get into any third-party services that they want. And so I would say email account for most people is the most important aspect of their digital lives. And so I will once again say YubiKey is the answer. And so you can buy multiple YubiKeys. You don't have to just buy one because obviously if it gets lost or broken, that becomes a big problem. You can buy three, four, five and then have several that are like backups. You can even put one of them in a bank vault, for example. So you know that's not going to get lost and that's just an extreme edge case recovery scenario. But this is very, very high level, like everything that we're talking about, all types of cybersecurity: the strongest security model that you can create is when you can actually take all of these digital security issues and pull them out into meat space, turn it into a physical security problem. And generally, the way that you do that is by some sort of physical security hardware device, whether it's one of the Trezor, Ledger or whatever on the crypto side, or YubiKeys or other digital secrets managers that are used for a variety of different authentication mechanisms. I just want to
Ryan:
[38:32] Drop a word of encouragement to listeners at this point of the conversation, which is the investment that you'd make in passkeys, in YubiKeys, in securing your accounts. This is kind of a frontier investment because I think I am very much of the belief that the attacks that are happening to crypto, crypto is like tip of the spear. The attacks that are happening sort of in crypto in these sophisticated ways, they're coming to everything, and everyone is going to have these types of protections and securities in the future because it'll just be basic. If you don't, you'll get completely owned. I guess what I'm saying is this investment that you're making in protecting your accounts and in passkeys and YubiKeys and password managers and all the security investment,
Ryan:
[39:19] that's just going to put you ahead of everybody else. But everybody else is going to have to adapt to this world as well. So it's not wasted time. It's not just a niche crypto thing. Everyone needs to have this type of security and will in the future, whether it takes three to five years for the rest of the world to catch up.
Jameson:
[39:35] Unfortunate aspect of security in general is that, you know, there's always going to be attackers. And so you're never going to have perfect security. All you want to do is have better security than other people because they're going to be the ones getting targeted. The attacker will be surveying the landscape of potential targets and say, oh, that looks too hard. I'm going to go over to your neighbor instead.
Ryan:
[39:57] Last thing before we leave digital security, I have seen cases where somebody did click the link, let's say, and download the malicious Zoom software and their entire machine is completely owned, like root level access to everything. And of course, like solution there is don't let that happen in the first place, but it can still happen. And I want to ask a question about maybe another thing I've heard some crypto folks do, and this might be a bit more advanced, so maybe not for everyone. In addition to sort of multi-sigs and the hardware wallets and the segregation that we talked about. How about a separate machine entirely for signing that doesn't get connected even to your public Wi-Fi? What do you think about that as a foolproof method where you don't do any crypto transactions on your regular daily machine? If you ever do them, you do them on a transaction signing machine that is segregated, that doesn't click Zoom links at all, that doesn't open emails, and it's just for one purpose. And that purpose is when you have to sign an important crypto transaction.
Jameson:
[41:02] Yeah, I mean, this falls under minimizing attack surface. And before, Trezor was the first crypto hardware device to launch, and that was in 2014, and before that, air-gapped laptop was really the gold standard for doing anything.
Ryan:
[41:19] Okay. Yeah. So maybe we're coming full circle. All right. So James, you just made the point that what you want to try to do is move some of the digital into the physical realm.
Ryan:
[41:29] So you have hardware devices and YubiKeys and maybe separate air-gapped laptops and that kind of thing. But let's talk more about the physical realm because the attackers have moved to the physical realm as well. Let's talk about what, Beau, you called the most dangerous type of attack. We've addressed the most likely. Hopefully, you have some tips now, listeners, on how to navigate that, how to protect yourself. Let's talk about a particular form of concerning attack, maybe the most dangerous
Ryan:
[41:56] type of attack, which are these violent in-person attacks. Beau, what are you seeing with this? Can you give us some numbers on these types of attacks, wrench attacks, numbers like a profile of what typically happens, who they're targeting. Just give us a rundown of what things look like in 2026.
Beau:
[42:17] Yeah, so I think there were just over 70 attacks last year that we know of, right? A lot of these attacks, you know, we assume go unreported, or if they are reported, it's possible that there's not a crypto connection identified. Yeah. Heading into 2026, I think we've seen 10 or 11 so far this year, maybe a couple more. So, you know, there's definitely like, again, when you think about the scale of humanity, right? There's 8 billion people on the planet, like we're talking about 100 incidents in the last 12 months that we know about, right? So it's relatively small scale, but it's very targeted. So it really starts with your digital security and your privacy, right? These attackers are looking to identify people in the real world who have control of these digital assets. So they're looking at people's Twitter accounts. They're looking at people's on-chain wallets. They're looking for people who flex their wealth. And you can obviously see that this person has money. They might be a target of interest. And then from there, they try and say, okay, can I identify who this person is? A lot of us operate pseudonymously. I would not say anonymously because none of us are really anonymous, but a lot of us use pseudonyms online to hide what our true name is.
Beau:
[43:39] If they can get through that barrier of identifying who this person might be, they're going to start doing what we would call open source research or OSINT research, looking for that intel they can get on that person online. And so what this looks like is, you know, buying data on the dark web or, you know, using cheap or free online search engines that let you look up, you know, email addresses and phone numbers and, you know, home addresses to identify, you know, where this person might be physically located, right? You'd be surprised how many states in the United States, you know, you can find someone's home address just based off of voter registration records or based off of, you know, speeding ticket or court appearances. It's, you know, our system is not designed around privacy in the digital age. And so, you know, really everybody has this problem if you've been online for, you know, 10 plus years. You know, all the accounts that you've signed up for, you know, I was helping someone with data breaches a couple of weeks ago, you know, their home address was leaked in an airline, you know, data breach where they had to provide their date of birth, their home address, like their residency and citizenship, you know, their phone number. So all of these pieces of data come together for a potential attacker to, you know, really identify where this
Beau:
[45:06] person they found online might be located in the real world. And sometimes we're seeing this where people are doing their research themselves. This is like a sophisticated organization that has people doing this research, has people on the ground. Other times we're seeing people in the digital space sell this data to people who are willing to conduct those real world attacks. But the attacks look a little bit different depending upon the situation, but often we're seeing them occur at home. You know, someone walks up to your door pretending to be a delivery driver or a police officer, you know, some plausible sort of reason why they would be at your home. They knock on the door, you open it, and then they, you know, either try and convince themselves, you know, convince you to let them into the home, or they'll force themselves into the home, right, by brandishing a weapon or, you know, physically pushing through the home. And then, you know, a common thing we've seen is attackers detaining people, tying them to a chair, something like that, threatening them, essentially trying to get them to share where their
Beau:
[46:17] you know, crypto wallets are, where their seed phrases are. And then their goal right at that point is to find that information and get out as soon as possible. We've also seen instances where this turns into like a kidnapped for ransom type situation where let's say, you know, they burst into a home and, you know, the keys aren't stored there or the wrong person is at home, et cetera, you know, then they might get in contact with the person who does control the funds and say, you know, I have your loved one, you know, send me $10 million in Bitcoin, right? So, you know, those are some of the tactics we've seen. It's a little bit different depending upon, you know, again, the situation. We've seen people grabbed off the street, you know, we've seen people, you know, kind of mugged, right? Walking in and out of office buildings, you know, for the most part, these are targeting like, you know, well-known figures in the space, influencers, you know, executives of crypto companies, their family members. Yeah. So that's sort of, you know, from step A to Z, how does it go? And I'll let Jameson add anything if he has something.
Ryan:
[47:23] Yeah. And Jameson, while you're adding, can you tell us what in the world is happening in France right now? Because it seems like there is a very active cluster in France. And so people in the crypto community in France are really dealing with this, but it's not limited to France. I mean, these types of attacks are happening all over Europe. They're certainly attacking, they're happening in the US and they have happened in 2025 in the U.S. and just the way Beau was describing. But there does seem to be some cluster in France. What's the pattern there and why?
Jameson:
[47:54] I think there's a number of things going on, though I will note I did an extensive breakdown of this in a presentation I gave last year. And on a per capita basis, France was still not in the top few. It was actually Dubai on a per capita basis that has the most wrench attacks. And if I recall correctly, pretty much all of them were due to people engaging in high value face-to-face OTC trades. So basically someone showing up usually to a hotel room with a briefcase full of cash and then wanting to do a swap one way or another. But the other interesting thing is that Dubai also has the highest rate of bringing the criminals to justice, 100% capture rate of the criminals, probably due to their high level of surveillance throughout Dubai. So what's happening in France? I mean, I think
Beau:
[48:45] There have been.
Jameson:
[48:45] Several organized gangs that have been operating. I know there was one where I think the mastermind was operating out of Morocco, and I think that he got caught last year. Another thing that has happened is that we know that there was a corrupt tax official who was selling people's private data. So people who had crypto-related stuff on their tax returns, that was getting sold to some sort of organized crime groups.
Ryan:
[49:11] Insane. So essentially a government bribe to say, yeah, who has crypto? Who's likely to have this value? And you have to report these things to the government in France. And so they just bribe an official and the official gives up names and addresses.
Jameson:
[49:24] Yeah. And so there was a similar problem actually in Sweden where Sweden requires you to make all of your tax information public. And so there were a number of wrench attacks in Sweden because you had to basically tell the entire world, hey, I'm declaring crypto on my taxes. And I don't know. So, I mean, I haven't been to France in a long time, but I certainly see a lot of feedback on these posts of people basically claiming a sort of like cultural decline occurring in France where there's sort of lack of law enforcement. It seems like they are catching a number of people, but it also seems like a number of these people who are getting caught are not getting particularly severe punishments. And to your point too,
Ryan:
[50:04] Jameson, like the pattern is like oftentimes there will be an external actor mastermind who might be completely remote, trying to parse through the target data, and who then kind of, I don't know, hires, works with, splits proceeds with kind of a more local group of thugs, young thugs with nothing to lose, you know, maybe not, does not have the capabilities to do all of the operational intelligence in order to target people. And that mastermind sometimes can be very tricky to pin down, even if kind of the local thugs are actually captured. Yeah.
Jameson:
[50:39] And then remember Ledger is based in France. I'm sure they have a lot of French customers and they've had a number of data breaches over the years, though I don't think we have any information to directly tie the data breaches to the attacks, but it seems quite plausible that that's yet another factor here. With the organized crime groups, another pattern that we've seen, though it's mostly been happening in Southeast Asia, is we've been seeing organized crime gangs from one country go find out about nationals from that country. And then when those nationals go on vacation to a different country, usually in Southeast Asia, they'll send the people over there, wrench attack them, and then fly back. And I think this is an interesting cross-border jurisdictional arbitrage type of organized criminal activity happens.
Beau:
[51:30] Especially in the EU too, where you can get from France to Switzerland without showing a passport, or you can get from France to Spain. It just gets you one jurisdiction away very quickly. I think one of the more recent attacks in France, the attackers ended up getting caught on a train where they were going from Paris towards southern France near the Swiss border. So, you know, the idea of conducting the attack and then quickly moving either into another jurisdiction or far away, I think that's the attractive thing about Europe.
Ryan:
[52:01] Okay, so the scariest version of this, I think, to many people maybe listening, is not the version where they're meeting somebody in a parking lot or they're flashing their assets on social media. At some level, I think most listeners to this are savvy enough not to do those types of things. The most scariest version, if you're thinking about the most dangerous category, Beau, is... Some mastermind has pinpointed your physical address and to your point, that is incredibly easy to do in this day and age. I mean, maybe we can get into if there's a way to actually protect your physical address and have that be private. But they know your location footprint and they also maybe they have some idea that you are a crypto holder by virtue of data leaks, maybe a hardware wallet data leak, maybe an exchange data leak. Maybe the tax software that you're using. This was also a factor, I think, in some of the attacks in France. You know, use tax software to submit your, if it's automated, you submit your addresses and what happens if that information is leaked. And so all of that information is out there. And then let's say you are pinpointed and an attacker knows your addresses,
Ryan:
[53:14] Knows how much in crypto assets that you might hold, has some sort of inkling in terms of how you actually might hold these assets and comes and breaks into your house, a home invasion, and threatens you and your family. I mean, that is like nightmare fuel, I think, for a lot of people listening. And we've already prefaced this by saying this is still extremely rare and is not the vector of attack that most listeners should be most worried about.
Ryan:
[53:41] However, it is the most panic-inducing, I think, and concern-inducing attack. So can we talk about how to mitigate that, all right? And I know there's no such thing as 100% security guarantees,
Ryan:
[53:55] But I am a believer, and having done some research on this and talked to both of you, that there are a number of things listeners can actually do to reduce the surface area of this type of attack and not eliminate it, but harden against it. And so let's talk about that. Jameson, how does somebody listening to this shore themselves up against physical home invasion, level wrench attacks?
Jameson:
[54:22] Well, like I said at the very beginning, the most important or I would say easiest thing you can do is privacy, is prevent yourself from becoming a target in the first place. But as you have noted, that can get very tricky, especially depending on what jurisdiction you live in. You're going to have different tools available to you, different things that you may be required to disclose. At least in America, we have some excellent legal tools with like trusts and limited liability corporations where you can obfuscate the true ownership of publicly registered assets like homes, vehicles and whatnot. And I take advantage of all of those. And then you have to get very comfortable with not putting your home residential address into any sort of form or database. You have to assume that that is going to get leaked eventually. And so, you know, I have a variety of mailboxes scattered around that I use whenever anything is asking for a physical address.
Jameson:
[55:23] But another thing that I would note is that this wrench attack problem is not limited to self-custody. I see a lot of people kind of FUDing self-custody, like, well, if you weren't custodying your assets, then you don't have to worry about being wrench attacked. But in a number of these cases, people were actually keeping their assets with a custodian. And the wrench attacker just says, OK, go authenticate into that custodian and withdraw all the assets. So it doesn't really make much of a difference to the attacker themselves, because it all comes down to single points of failure. And this is where things get complicated, because very few people think adversarially about their security posture. And so the short version to all of this and the reason why wrench attackers are so successful, I think they generally have a greater than 50% success rate. And from the metrics that we're aware of on an annual basis, we see them getting away with tens of millions of dollars. And that's just from the attacks where they disclose the amount that's taken. Many of these attacks, they never disclose the amount.
Jameson:
[56:31] But think of it this way. If you are able to transfer large amounts of value without leaving your house, then you have a single point of failure because you basically have to look at a wrench attack scenario as one where your body or the body of someone you care about is under physical duress. And all of your normal authentication procedures can be bypassed because they will be bypassed by you because you know how to do it. So the only way to truly present problems
Beau:
[57:12] A wrench attack from being successful.
Jameson:
[57:15] If they have already gotten past any privacy protections you have, is to take yourself out of the equation as a single point of failure. Which basically means, you know, you should not be set up with at least with your like long term savings, cold storage, such that you can authenticate and transfer that value without having to physically go to multiple locations and go through multiple physical authentication procedures.
Jameson:
[57:45] This is one of the things that we help people set up at Casa, which is basically a distributed key system where you have physical hardware devices that are geographically distributed and are using multiple different manufacturers to prevent against things like supply chain attacks. And just ensuring that you have strength through diversity. It's a very interesting aspect of security when you can have multiple keys that have different security properties around them. You get this cool additive security aspect to your setup, which very few people I think are even aware of. And the reason why I find this whole thing fascinating and why I've been doing this for over a decade is because I argue that if properly architected with crypto public permissionless networks, you can actually achieve security models that vastly exceed what a bank can do or even a Fort Knox can do. Even Fort Knox is a single point of failure, and you can distribute your keys and your security across multiple continents if you want to. Like, we have some extreme edge case clients that literally have to get on a plane and go through all the physical security of TSA and airport and such. Like, you know, nobody is going to be holding you under duress and being able to go through that level of physical security in order to get to your other keys.
Ryan:
[59:10] Let's zoom in on that, because I actually wrote an article about this and published
Ryan:
[59:15] this on X and on Bankless. And it was basically the idea of zero crypto at home. And this is kind of the revelation after listening to security folks for some period of time that the gold standard for defense against a successful wrench attack is actually, Jameson, as you say, you have almost zero, zero, zero crypto at home. So the way I define this in a memetic format is no hot wallet at home with funds over $1,000. You wouldn't carry that at home or on your person. No cold wallet at home, period.
Ryan:
[59:52] And no exchange, this is key, that allows moving funds without verification and delays. So zero crypto at home, you know you have it when you don't have the ability to access your funds without a time delay, without multiple locations, without possibly some sort of third-party authentication, say, safe deposit box or some sort of other location where you access one of the pieces of your multi-sig and you make that a thing. You make that your posture. You could still go bankless, of course, but you just don't have access to any of your crypto assets. And to me, as I was uncovering this, maybe we'll dive into that a little bit deeper, actually, Jameson. So if somebody wants to implement what you're saying and what I wrote about, which is zero crypto at home, what sort of tools do they need in order to implement that? I feel like the core of this is kind of some sort of multi-sig wallet, potentially with time delays and a way to, and also if they keep any crypto assets on exchanges, also setting it up such that something is required before they can access those funds, maybe a time delay before adding a wallet or something like that. Can you break down what a zero crypto at home strategy might be for the average listener who's trying to do things a little more banklessly?
Jameson:
[1:01:21] Yeah, like I said, our primary goal at Casa is eliminating single points of failure. And that includes Casa itself as a company. If Casa blows up, we're still going to be able to sleep at night knowing that our clients can route around us and still be able to access their funds. But the first, like the foundational part of it is using these air-gapped devices, the Ledgers and Trezors and whatnot, to take those keys off the internet. Because as I said, that protects you from like 95% of attacks. As soon as you do anything on an internet connected device, you basically have a door open to 8 billion people to knock on and try to get through. Beyond that, once you've gotten those keys offline and into self-custody, the biggest problems that you are actually going to run into
Jameson:
[1:02:09] tend to be footguns where, you know, you make a mistake, something goes wrong, there's some sort of maybe environmental failure, you know, house fires are a thing, and you shouldn't be storing everything at home, because that is a single point of failure. And so it becomes less of an issue of like hackers and attackers, and more of an issue of having enough redundancy and resiliency, so that when something goes wrong, because something will go wrong eventually, but when something goes wrong, it's not a catastrophic failure. And that, once again, is where a multi-sig really comes into play. It's great because you have the flexibility to set up a digital vault that has many different keys. Perhaps it has three keys, five keys, 10 keys, really as many as you want.
Jameson:
[1:03:00] And then you can have enough flexibility in there that if you lose one or two or three keys, you're most likely going to have other keys available. But of course, this is where it's not a panacea. The devil really is in the details. If you set up a five-key vault and keep all of those five keys at home, and we have seen people do this, you still have a single point of failure. The important part is to distribute those keys so that they have a variety of different attributes. You know, you put the keys on different hardware devices by different manufacturers in different geographic locations. And all of these things come with decisions. And that's where I think people can get very paralyzed. And that's why services like Casa, I think, are very helpful because we're essentially a security consulting service. We help you understand what all the tradeoffs of these decisions are. And usually each of these decisions is going to be you trying to figure out convenience versus security. So a simple example is how far apart are you going to put those keys? You can put them
Beau:
[1:04:08] One house down and that's really convenient, but perhaps not incredibly secure.
Jameson:
[1:04:13] The extreme example I already gave, you can put them on different continents that require you to take flights, which is the extreme level of security. You even are at the point there on jurisdictional arbitrage if there's some sort of government level action against crypto. But of course, it's incredibly inconvenient. So it really comes down to robustness and having the ability to recover from failure. And you do that by distributing the keys across as many different vectors as possible.
Ryan:
[1:04:45] Let's just run that by the attack scenario we're talking about, which is, let's say you're targeted in some way.
Ryan:
[1:04:51] You have a multi-sig setup, whether it's Casa. And Casa, I believe, supports Bitcoin, supports Ethereum, supports stablecoins and those crypto assets. There's other multi-sig technologies as well. There's SAFE, for instance. I've heard about people using Bitcoin vaults like Zengo. Anyway, you have your multi-sig set up. So what happens in a wrench attack type of scenario? So someone busts down into your house and then what? You say, I've got zero crypto at home. I mean, obviously they're not able to get the crypto assets or, you know, I mean, could they drive to a second location to try to pick up your other multi-sigs? Like what happens? How does this in your scenario planning, Jameson, actually prevent a successful wrench attack?
Jameson:
[1:05:38] Yeah. So, I mean, obviously the next question that they're going to have is, okay, what is actually needed in order to access these keys? And that's where the details really become important. Where if you're just putting the keys at a friend's or neighbor's house that's only a few minutes away, that's probably not great. And you should assume that you will be coerced into telling the truth because you're going to be under duress. It's going to be a very bad situation. And lying and getting caught in a lie is only going to make it worse for you. So that's where having keys behind physical safeguards where they are only accessible, perhaps during certain times of day, business hours, where there are other layers of physical authentication to make sure that it's actually you that is going through them becomes very important.
Ryan:
[1:06:32] So like a bank safe deposit box is like a classic example of this, right?
Jameson:
[1:06:36] Yeah. And so this is also why multisig is important, because I would not advocate taking a single key to a single signature wallet and putting it in a bank safe deposit box, because that's still a single point of failure. The bank could have an employee that goes corrupt. Or we've even seen times when law enforcement has come in and completely swiped entire safety deposit boxes.
Ryan:
[1:07:00] This is happening in California. There's some other states that have done this.
Jameson:
[1:07:03] Yeah, but if you only have one key to a multi-sig, once again, you could lose access to that. It could be taken or destroyed and it's fine. You can recover from it with your other keys.
Ryan:
[1:07:13] Okay, so if you're doing that correctly, then the attacker basically can't get anything. I mean, like, will they be frustrated that they can't get anything? Will they believe you? Like, you know, what
Jameson:
[1:07:25] Else can you do? It doesn't matter if they believe you. And now, of course, the next question is, what are they going to do as a result of being frustrated? And the next logical question most people ask is, well, should I have a duress wallet to try to pay them off and make them go away? And unfortunately, we don't really have any data that shows that duress wallets work. We've actually seen the opposite, where people have immediately handed over everything that they had, and the attacker believed that they had been trying to dupe them with a duress wallet, and they kept torturing them for a long time before they finally got frustrated and ran away. The one thing that I will say, I think, works in the favor of victims here, is that there's a very incredibly low rate of homicide from these attacks. If you think about it, these are robbers. They are willing to use intimidation and some level of violence in order to get a very, very large payday, but they generally are not willing to actually murder someone and have law enforcement come after them for murder. Because any criminal who is at least seasoned and understands the way that law enforcement and the justice system prioritize going after attackers is that homicide has the highest clearance rate and gets the highest level of resources put behind it. So you don't want to be on law enforcement's radar for homicide.
Ryan:
[1:08:49] Yeah. Okay. So this is also what I added when I was thinking through my article about Zero Crypto at Home. So first step is implement Zero Crypto at Home. Actually don't have it, don't have access to it. And using some of the mechanisms that Jameson just described. One other idea I had is writing a note, actually, or having some sort of thing that you prepare in advance that says, I'm zero crypto at home. I keep no crypto at home on my phone, just pocket change. I have the pocket change, the less than $1,000. Go take that. I have nothing else. And then I do think if you're public, there are ways to sort of signal this or talk about this. Vitalik Buterin has actually done a pretty good job in places and tweet replies, for instance. He's talked about his multi-sig setup and he describes it as an M of N, some keys held by you, but not enough to block recovery and the rest held by people you trust. So he's got kind of a social recovery mechanism. Don't reveal who those other people are even to each other. And so
Ryan:
[1:09:51] And Vitalik has publicly said this, that he is kind of zero crypto at home. So if an attacker gets access to him at some level, there's nothing he can really do. And I think to your point, Jameson, earlier that a large number of these attacks so far have actually been successful. And that's why they keep happening. That's why they propagate. If that 50% number drops down to like 2% to 1%, it becomes very much negative ROI for attackers to actually do home invasions and do wrench attacks, and they will stop happening. That's not going to happen overnight, but this is how we as an industry can get control. Now, of course, the ideal scenario is that your house doesn't get invaded in the first place. And maybe, Beau, you could talk about that at some level. So how do you be vigilant against an invader? Maybe it's a delivery person, for instance, or in the middle of the night, somebody breaking down your doors. What are some of the nuts and bolts that somebody can do to actually harden their location? Let's assume that privacy is not an option right now. They'd have to maybe move homes and do some of the things that the Jason Bourne things that Jameson is putting in place to protect their address. Let's say that's not an option. So they know their address is out there. Are there ways to harden their house or put protocols in place to actually protect themselves as well?
Beau:
[1:11:17] And go back to what Jameson said earlier about sometimes you don't need to be the most secure person in the world. You just need to be more secure than, you know, the next guy on the list. And, you know, becoming a hard target is... is really like thinking, or I guess thinking of your home as a hard target versus a soft target is what's really important. So, you know, adding some cameras to the front of your home that are visible, but also effective in identifying, you know, who's coming up to your door. I like the idea of floodlights at night, right, that are motion sensor and someone walks, you know, up, climbs over your backyard fence and walks up to your house and all of a sudden, boom, they're hit in the face with, you know, a light. Big fan of the concept of, you know, using a home security system, or there's even some fairly cheap options for like panic buttons that you could set near, you know, like your front door or put it in your office where, you know, they're probably going to take you if they were coming into your house here.
Beau:
[1:12:19] Obviously, I think there's some common sense, what you're alluding to, of don't let people inside your house who are strangers, right? In San Francisco, we saw an example of an attack where the fake delivery driver was asking for a signature, and he pretended to not have a pen to hand the customer to sign their signature. So he asked if he could come inside to get a pen for the customer to sign the delivery notice on the package. And that was his lie that he used to talk himself into the house. So being aware of like, you know, people might give you an excuse that sounds somewhat legitimate and not letting them inside. A couple of other things I like to recommend to people is, you know, you should identify, you know, some sort of, you should have a conversation with anyone you live with at home about these concepts, right? Whether that's your spouse or your roommate or whatever, so that they understand that same type of risk. And really importantly, in that moment that you have a plan, right? So maybe your safe room that you designate is your bedroom, which has another lock on that door, where it maybe has a phone that you know you're going to be able to alert the police, or maybe that's where you put a panic button
Ryan:
[1:13:37] To alert the
Beau:
[1:13:39] Police at that time. I think it boils down to make sure that if someone's scoping out your house, because we know they do this, they're going to case your property before they go and conduct an attack. If they see cameras out front, if they see motion sensor lights, they might be discouraged from conducting that sort of attack. And then once something happens, don't just be blindsided by what's happening right in front of you. Have a conversation with yourself and the people you live with ahead of time of, you know, what do we do if we think someone's trying to break into the home, right? The first time you think of that shouldn't be when it's happening to you. And it can be as simple as, I have a panic button in this location. I'm going to go press it. It's going to alert my security company. They're going to call my cell phone. I'm not going to pick up. And so I know the security company is going to go call the police.
Beau:
[1:14:36] I personally am an advocate of self-defense. I think, you know, I'm not going to recommend that to people on the call because I think it's, you know, it really is a very personal decision whether you choose to fight off an attacker, whether that's grabbing a baseball bat or whether that's, you know, using firearms or something else. Like, you know, you may be making things worse if that's, you know, what you choose to do. If you're not trained, you don't know what you're doing. But like, that's a part of my personal security plan, right? If someone breaks into my home, like, I am prepared to respond to them with force, right?
Beau:
[1:15:15] So I think there's a bunch of different options there. The basics should be, you know, how do you make your home itself a hard and unattractive target through the use of cameras, through the use of lights, through, you know, having strong locks on your doors. I mean, windows, people can break through, right? A security system that will alert people if someone does try and break into your home. So in the United States, this is like your classic ADT security system, those panic buttons I mentioned. And then the last thing I'll mention is a lot of people don't live in homes, right? They live in apartment buildings. They live in, you know, in these kind of shared spaces. And that can be to your advantage or disadvantage as well, right? If you live in an apartment building that requires key fobs to scan up to the elevator, that requires, you know, or that has a 24-7, you know, desk person or security guard outside your door, those factors might discourage people versus,
Beau:
[1:16:15] You know, if anyone can, you know, like I remember in college, you know, when we were sneaking into our buddy's apartment buildings to go, you know, to the pregame, right? Like you would just tailgate someone into the building and there was very low security. So when you're choosing where to live, especially when you're moving, those are some factors you should think about is how secure is this location I'm actually moving myself into? Does it deter an attacker because there's a camera up front or there's a security guard sitting at the desk? Could someone scan up, just walk to the elevator, press a floor and get off, right? Or do they need a key fob to actually get up there? So there are some factors you can think about, too, if it's not an actual like standalone home.
Ryan:
[1:16:59] I think that's a fantastic list of factors. I could tell Jameson wants to add a few things. I'll add a few other things, too. I think on that point of somebody coming to your door that's not scheduled that you don't know. Don't open the door. Talk to them through a camera, if you want. Make that a policy in your house. It feels at first a little socially awkward, but once you adopt it into your security process, I mean, you're like, why not? The other thing I would say is, in addition to self-defense, as you talked about, Beau, and I think, Jameson, you've thrown out some stats that unfortunately only if something like 6% of all of these crypto wrench attacks have been defended against by self-defense. So if you do that, then make sure you're good. I would say some of that self-defense, not to say you could outsource it, but you can outsource that to a big dog. Honestly, I mean, I think that is probably an underrated protector of the household is having a dog that will alert, maybe will respond in these types of attacks. I do have one question for you, Beau, and then we'll add Jameson or either of you can answer this. It's like, when it comes to, we talked about cameras, we talked about alarm systems. Are there things you can do to actually harden your entrance points, your doors and your windows? I think you've written blog posts about this, Jameson. So talk about that and share anything else that you think would be helpful.
Jameson:
[1:18:23] Yeah, well, it really depends on your home construction. But at least in America, the vast majority of home construction is really cheap. It only uses like three quarter inch screws, and for $20, you can get double-length screws with hardened striker plates that massively improves the robustness of the door hinges and locking mechanisms in the frame. And then if you want to go a little bit further, and I've actually done some testing around this, there are a number of security films out there. I would go with like a 3M film and get it professionally installed on the windows. And those won't make them completely impervious, but they will give you probably at least 30 seconds to a minute of additional time where someone has to try to break through them before they can actually ingress into the house.
Ryan:
[1:19:11] And that's kind of what you're looking for with those types of solutions, even with kind of the reinforced doors with longer screws. Basically, it turns something that can be kicked down in like five seconds into something that's just, you know, you got to give 30 seconds and you got to give some good. And that obviously is something that's very alertive. It buys you time. That definitely strengthens things. Yeah.
Jameson:
[1:19:31] And you actually hit one of what I was going to mention with the dog is a really easily overlooked thing. And it doesn't even have to be a big dog. And in fact, in most cases, smaller dogs are better at alerting when they hear stuff.
Ryan:
[1:19:45] And everyone knows the yappy dog that just will not shut up.
Jameson:
[1:19:49] And the average criminal doesn't want to find out the hard way whether or not it's an attack dog or just an interested dog. Now, if you really want to go hardcore, you can get German Shepherd or a Belgian Malinois, pay around $20,000, get them like Schutzhund-level defense training, and they will be an attack dog. But once again, this is time and resources and investment and whatnot. And the one other thing I would just briefly mention, because I could spend a whole hour talking about it, and I have a lengthy article called Firearms for Home Defense on my blog. Going down the rabbit hole of firearms does involve a lot of decisions, and once again, resources, time, training.
Jameson:
[1:20:33] And mainly I tell people, look, just buying one gun and throwing it in one safe is not good enough. Because depending upon the layout of your home, what happens if the attacker is in between you and the gun? And so you have to think about every possible situation. And, you know, I have like a decentralized system of safes where every room within like 10 or 15 feet has a safe. And it's not just any safe. It's a quick access safe that takes less than three seconds to open. It has a simplex mechanical lock, not a biometric, not electronic. It's gonna work every time, even if I'm under duress. And it's the same weapon in every safe, so that I know that I don't have to think about how I'm going to be operating it. There's all these little things. And then there's a lot of decisions that went into, like, what weapon, what caliber, thinking about over penetration, what is the construction of your house and the layout. You don't want to shoot an attacker and accidentally hit someone that you care about. And then of
Beau:
[1:21:37] As Beau said, you know, whether you're in a single family or maybe you're in some sort of complex, you have to worry about the neighbors as well.
Jameson:
[1:21:43] There's many, many factors and there's no simple answer to these things.
Ryan:
[1:21:47] So for listeners that feel overwhelmed, just recognize that I do too. When I listen to Jameson talk, I hear it kind of, he is a level 99 warlock of security. Okay. And so most listeners are not at that level. But I think the important thing is you can take this list of recommendations that you've heard from both Beau and Jameson today, and you can implement them slowly over time. This doesn't have to happen in a week or a month. I think the main thing is that you're making progress on this on a year-to-year basis. And so when you look at 2027, February, 2027, the question you want to ask yourself is, am I more secure? Am I in a better posture than I was last year? Do I have an ongoing project to tackle some of the highest return on investment things one by one? Do I have an active plan to do this? And if you are better a year from now than you are today, that's the path that you should be on. So don't feel like all these recommendations, you need to implement them overnight. Beau, I want to ask you about another thing because we were talking about some of these attacks being targeted, right? And so one of the parts that I think we don't like about blockchain right now is that there is not good native on-chain privacy techniques to obfuscate addresses. And so this does give some sort of mastermind the ability potentially,
Ryan:
[1:23:11] If you're not careful, or even sometimes if you are careful, the ability to identify your wallets and your assets on chain.
Ryan:
[1:23:20] Are there ways to prevent that type of thing, to be careful? In my article, I threw out some obvious ones, which is just like, hey, don't link an ENS name or an NFT that uses your PFP to some of your main accounts holding crypto assets. Like, don't do that. That's a bad idea, right? And realize that when you transfer assets from one address to another, that can obviously be linked to anyone that's kind of looking on chain. But then I think when people are looking deeper in terms of privacy, they're like, well, how do I keep some of my addresses private, right? Do you have any solutions to that? Or what would you recommend on the on-chain address privacy side?
Beau:
[1:24:02] Yeah, I mean, I think the simple man's answer, right, is if you want to set up a new set, you know, new wallets that are private from old ones, you know, fund them from a different exchange than the one you used to fund your first wallets. You know, that's not true privacy, because you're not, you know, hiding who you are from the exchanges, right? But from attacker perspective, you know, I have wallets that I've set up through a different centralized exchange that don't talk to each other on-chain. I don't share NFTs. I don't use, you know, Bo Security as an ENS name.
Beau:
[1:24:40] For me, that's something I did a while ago, and I've just stuck with that system. I think there's a lot of tools that have come out recently or been developed more recently, like Zcash with Near Intents as a privacy option. There are privacy tools out there like Railgun. Obviously, there's infamous Tornado Cash, right? I think if you start playing around with those things, you have the potential to cause yourselves more compliance trouble with the exchanges you do use, that kind of thing. It kind of depends on what your risk tolerance is for that. But for the average person, I think the average person doesn't necessarily have this Twitter account profile that is attached to their on-chain wallet. And so that may not be as much of an issue. But for people who want to take their on-chain cluster of wallets and separate them from any activity they're doing in the future, the simplest way to do that from what the general public can observe is to just set up new wallets through a different exchange and transfer funds that way. Jameson may have a far more advanced answer than me on this, but I think there's so many compliance risks and other things you can get into with using a lot of the mixing tools and other things that I don't have my thesis on this fully fleshed out, I think, of what's the best thing to do.
Beau:
[1:26:07] It's, you know.
Jameson:
[1:26:08] The deck is stacked against you on most of these networks, public permissionless networks that operate completely transparently. Trying to be private on a completely open network is difficult to say the least. You know, I don't even really use mixers myself. As you said, they can actually cause problems because you might get associated with other activity that you don't want. And really, if you need strong privacy, this is where I tell people to use Monero, use Zcash, use a network where strong privacy is built in at the protocol layer and you aren't having to jump through a bunch of hoops and figure out these complex technical machinations to try to create privacy on a transparent network. So I mostly don't, I don't try to tell people what to do from a privacy perspective because there are just so many foot guns out there and it's very easy to screw up. You know, even if you are doing a lot of things privately, you only have to make one mistake and blow a hole in everything that you've done.
Ryan:
[1:27:16] I think that captures the current state of privacy for sure. And unfortunately, that's really where we are as an industry. There aren't a lot of great solutions for Bitcoin or for Ethereum right now, although new solutions are coming together like every day. And I think this is a big area of investment. We see protocols like Zama has been pretty cool. That's new on the scene or things like Aztec. There are things that are in development. It's just it still feels like the status quo, the best you can do is like move
Ryan:
[1:27:46] funds through an exchange and create a new wallet. But then, of course, that is that is a vector, too, because what if the exchange leaks data? You know, how invisible really is that. It's just like, definitely, it's not great right now. Like privacy is not great right now in crypto. And that's just a realization. One other thing I'll add is just an emphasis on, be careful of the tax tracking app that you use. There are some local versions that keep all tax information local on your machine that you can switch to. We'll include some links maybe in the show notes to that. But I mean, that seems like a, that's a vector I worry about a lot. I mean, these are entities that are not necessarily putting in exchange level security practices in places that are not custodian assets
Beau:
[1:28:29] And they're cloud-based.
Ryan:
[1:28:30] Solutions. They can be hacked. If somebody can tie your on-chain profile and your address to that hacked information, identify who you are, then they know where your wallets are. So that is something that might be actionable as we wrap this episode out.
Jameson:
[1:28:45] Also, I would say do not fall for the convenient path of putting Exchange API keys into your tax software. Yes, it makes it easy for them to get the data, but there have actually been hacks related to that where the attackers get the API keys and use it to take over your exchange account. So yeah, I think stuff like Rotki, I think for example, which is
Ryan:
[1:29:09] Like a local
Jameson:
[1:29:09] Version of them is the best way to go.
Ryan:
[1:29:12] Unfortunately, we're in a position where the attackers are getting more sophisticated in the tools that they're using now, the ability to leverage AI to put all of this data set together and to kind of mastermind what targets to attack, that's getting more sophisticated. But I think the goal that both of you emphasize is we're not looking for perfection here. We just have to be better, like more hardened than everyone else. And I think some of the tactics we talked about will help listeners do that today. I guess I'm kind of met with this as I've been thinking about this increasingly in 2026. As I mentioned, I wrote that Zero Crypto at Home article, which is kind of
Ryan:
[1:29:49] I.e. uncovering some of my thoughts on best practices to prevent wrench attacks with a lot of input from the crypto security community, which is fantastic and of which both of you have contributed so much. But it does feel like a bit of a setback for the bankless vision. That's kind of what I'm left with. I'm just like, it's not the full story here. We're not done yet. And certainly there are even more challenges with the custodial solutions that we see in the traditional world, of course. But it is a heavy responsibility to take on private keys and to be your own bank. And so if you are taking on that responsibility, make sure you are not signing up for 24-7 security guard of your own house and your own private keys. You have to be smarter than this. But even so, I do feel like it's somewhat of a setback. Some people might be listening to this episode and just be like, oh my God, guys, that is a lot. I can just go buy crypto assets in my brokerage account and there's this thing and it's called iBit and I just like purchase that. I don't have to worry about any of this shit.
Beau:
[1:30:59] What do you think?
Ryan:
[1:31:00] I mean, I'm still optimistic. I feel like we are maybe at a kind of a local tranche in terms of custody and keys, in particular, the sentiment around some of these crypto attacks, these wrench attacks in person has made me feel that way. But will we get out of that? Will self-custodial crypto be the end game? Will we have billions doing the types of things that bankless listeners are doing and controlling their own keys? Or is this kind of a setback for the vision? Go ahead, James.
Beau:
[1:31:29] Let me throw a wrench, pun intended, in your iBit plan there, right? Let's say you're holding your iBit on Robinhood and you get wrench attacked because you're talking about Bitcoin all the time, but you think you're safe because you're holding it in an ETF. And the attacker shows up, you know, at your house between 9 a.m. and 4 p.m. trading hours and says, hey, go sell all your iBit, buy Bitcoin on Robinhood and transfer it to me. Right. Like, you know, I'm sure Robinhood has some measures in place to prevent some of those things. But like, that's a theoretical thing that could happen. Right. So I think, you know, if you want to be in crypto, self custody is still the way to go because you're taking use of the assets. It's the advantage of being your own bank, of not being reliant on a government to approve the form of currency that you're using, like coming from a Fed background, right? Like I just see the advantages of this system so strongly.
Beau:
[1:32:33] And to Jameson's point earlier today, by taking the right steps, you can actually get stronger than bank security while having the advantages of making your own decisions around your money. You know, how many times do we see, you know, someone post an article about, I was trying to withdraw 20 grand from my bank account. And two hours later, I'm still answering questions about why I'm using the money. You know, I think that the advantages of that system will overcome the security challenges, especially as new tools get introduced, as wallets get better, you know, as police become aware of these trends and
Beau:
[1:33:11] start cracking down more on the crime, right, as more wrench attacks fail, as more scams fail. You know, I think there's no reason why we can't get to a very similar place in terms of safety of crypto as, you know, sort of the Web2 environment is today.
Ryan:
[1:33:29] Well said. What would you add, Jameson?
Jameson:
[1:33:31] Yeah, I mean, look, the reason why I've spent the past decade building self-custody systems is because I felt like we are fighting against human nature. And human nature is to generally choose convenience at the expense of almost all else. And also human society and civilization has developed over millennia via specialization of tasks. So we as humans are used to outsourcing very large swaths of our lives, even our own food production. You know, these things are incredibly important to our day-to-day and long-term living. And so, you know, outsourcing financial stuff is also second nature. And so it's really going against the grain to tell people to completely flip that model on their head and take responsibility for a very important aspect of their lives and their finances. And so that's why I felt like we need to keep
Jameson:
[1:34:30] Working to make self-custody more convenient and more bulletproof because if the average person isn't confident in themselves to be able to do this securely and safely they're not going to be able to sleep at night and they're going to throw up their hands and say okay i'm just going to outsource it to someone who really knows what they're doing and of course as we all know that means they're throwing out really the most valuable premise of new systems in the first place which is not having to trust a third party and ask permission to use your money the way that you want. And so I think I'll close out by, there's this one quote that comes back to me all of the time, which I think is pretty fitting in this situation because we've spent the past hour and a half talking about how complicated this is and how many different things you are having to worry about if you want to manage crypto securely. And that is this quote
Jameson:
[1:35:25] If you wish to build a ship, do not divide men into teams and send them to the forest to cut wood. Instead, teach them to long for the vast and endless sea. And this is why I preach the gospel of sovereignty, the gospel of empowering yourself via these public permissionless protocols, so that you don't have to rely upon the whims of bankers and regulators and governments and whatnot. And so, you know, that, in a sense, that will get us written off as the paranoid crypto anarchists by the Michael Saylors of the world. And I'm okay with that. I just want to see as many people as possible understand that this is an option. And if you're willing to put in the effort, you can greatly empower yourself and your family for many generations to come.
Ryan:
[1:36:13] Well said. And I don't think we're paranoid. I think we're just ahead of the curve. And the end goal, as you said, summed it up well, is sovereignty. There's another word for that is freedom. And so I think one way that bankless listeners can lose their freedom is if they become a bank security guard and they feel that pressure all of the time. But some of the tools that we talked about, multi-sig is so key for this. Once you have a good multi-sig setup, I think you'll feel much better about your position. You implement this and you will be able to take back your freedom. Let's end it there. Got to let you know, of course, crypto is risky. You could lose what you put in, but we are headed west. This is the frontier. It's not for everyone, but we're glad you're with us on the bankless journey. Thanks a lot.