Casa Blog - Bitcoin Security Made Easy

TLDR:

After a sophisticated scam nearly cost him his bitcoin, a veteran portfolio manager realized his digital asset custodian were a single point of failure. Casa empowered him with true self-custody: multi-signature vaults that require multiple keys to move funds, encrypted communication with Casa Advisors, and inheritance planning backed by human support. With Casa, he eliminated custodial risk and secured his family’s access to digital wealth for generations.

The Challenge: The Dangers of Centralizing Responsibility 

Over 90% of successful cyberattacks begin with social engineering, making it the single largest driver of cyber incidents. Unlike technical exploits, these attacks prey on human trust, manipulating victims into revealing sensitive information or taking harmful actions.

Contrary to what you might think, by using a custodian, the stakes are even higher. By concentrating both customer data and assets in one place, they create an irresistible target for attackers. This became painfully clear in August 2021, when a Coinbase data breach exposed the personal information of nearly 70,000 customers. For attackers, the leaked emails, account details, and transaction histories were a goldmine for attackers, enabling scams that looked indistinguishable from legitimate communication.

Our client, a seasoned portfolio manager with decades of experience managing risk in equities and fixed income, discovered this risk firsthand. He believed Coinbase’s reputation and ease of use made it the safest option. Following the breach, he became the target of a highly sophisticated, multi-stage social engineering attack:

Stage 1: Urgency Creation (Google impersonation)He received multiple missed calls and, upon returning them, was told by someone claiming to be Google support that his email password was compromised. They even tried to dictate a “new password” for him to use. This was a classic setup: attackers start by shaking trust in the victim’s existing systems.

Stage 2: Impersonation with insider data (Coinbase support)Later that day, another caller claimed to be from Coinbase support. To build trust, they recited his exact balance, KYC details, and full transaction history. All information stolen in the breach. They even opened with the script: “We will never ask for your password,” mimicking real Coinbase security language. To the client, this felt indistinguishable from a genuine support interaction.

Stage 3: Spoofed communication reinforcementTo back up the phone call, the attackers emailed him from a domain that Coinbase itself had listed as “safe” publicly.  He cross-checked it, and it matched perfectly, giving the scam further legitimacy.

Stage 4: The fraudulent wallet setupNext, the attackers instructed him to download a wallet app directly from the App Store (not via a suspicious link, which made it seem safe). Then they told him he would receive an “automated Coinbase text” with a seed phrase and asked him to use that seed to secure his account.

This was the key moment where the scammer attempted to make him send his bitcoin to a wallet created from a seed phrase by SMS and take full control of his funds. He resisted, refusing to use a seed phrase received by SMS.

Stage 5: The “test transaction”When the seed tactic failed, the attacker pivoted. They urged him to move 5 BTC to the fraudulent wallet “as a test.” He only sent the minimum amount possible (~$10), but the pressure was escalating.

Stage 6: The anti-fraud quizFinally, the attackers told him to complete Coinbase’s automated fraud quiz but to “answer ‘No’ to everything.” The very first question was: “Are you currently speaking to a Coinbase employee?”

Thinking he was actually talking to a Coinbase employee, he ignored the attackers and answered “Yes” and his account was instantly locked by Coinbase’s anti-fraud system. That lockout likely saved him from catastrophic loss.

“My heart sank. Up until that exact moment, I still thought I was talking to Coinbase. That was the wake-up call.”

He realized he had entrusted not only his assets but also his personal data to a custodian with a single point of failure, and he couldn’t afford to make that mistake twice. Worse still, when he later tried to withdraw all of his holdings from Coinbase, the exchange froze his account until he provided updated identity documents. After already seeing his original KYC data leaked in the breach, he refused to hand over more. As a result, part of his bitcoin remains stuck, held hostage by a custodian he no longer trusts


The Transformation: From Third-Party Custodian to Self-Custody

Security and protection aren't just about stronger passwords or better fraud detection, it’s about eliminating the single point of failure altogether. Custodians require you to outsource both your data and your assets, making you vulnerable to breaches that are out of your control. Self-custody, by contrast, flips the model: It decentralizes responsibility, ensuring only you hold the keys, and transforms bitcoin ownership into a resilient, long-term safeguard. 

  • No single point of failure: Your keys are distributed for resilience.
  • Freedom from custodian risk: No exchange or third-party can freeze or seize funds. 
  • Flexibility: Security paired with ease of use.
  • Trusted support: Reliable experts on call.
  • Complete control: Private keys always in his own hands.
  • Anti-social engineering safeguards: A set of built-in processes and procedures designed to protect against social engineering attacks and other security risks.
Evolving Casa’s defenses against social engineering
Casa is the home for bitcoin and digital asset wealth, and a home should always feel safe no matter what is happening outside. Right now, the fastest-growing attack vector we are seeing against bitcoiners and people who have digital wealth is social engineering. Social engineering attacks typically arrive by

No Single Point of Failure

Casa’s multi-signature vaults eliminated the portfolio manager’s greatest concern: centralization risk. Instead of entrusting all of his bitcoin to a single custodian, he distributed private keys across multiple secure locations and family members. Even if one key were lost or compromised, it would never be enough to access his funds. And with Casa’s app, he could instantly disable any suspect key, shutting down threats before they escalated. This architecture gave him resilience and the peace of mind that no single breach or insider attack could endanger his holdings.

Key Security Principles at Work:

  • Threshold Security: The client’s primary vault was configured as a 5-key vault. This means that three independent keys are required to move funds. No single device, person, or company can act alone.
  • Geographic Diversity: Keys were distributed across secure locations. This ensures that theft, natural disasters, or localized risks cannot compromise the whole system.
  • Casa Key as a Backstop: Casa holds one of the keys, but critically, Casa cannot move funds unilaterally. The client always retains majority control, but Casa can serve as a recovery partner if another key is lost.
  • Instant Key Revocation: Through the Casa app, the client can immediately disable any suspect key. For example, if a key was lost or misplaced, the client could revoke that key instantly and reassign a replacement, rendering the stolen device useless.
  • Hardware Wallet Integration: Keys are tied to independent hardware wallets, each protected by unique PINs and seed phrases. Even if an attacker physically stole one device, they would still need multiple others and the knowledge to use them.
  • Tamper Visibility: Because the client placed keys in daily-use or regularly inspected locations, he would know immediately if something was missing. This adds human-layer awareness to technical security.

Flexibility Without Complexity

The portfolio manager initially feared self-custody might be too complex, but Casa’s tiered memberships made it simple.

  • Standard: A simple, secure entry point with a 3-key vault. Ideal for day-to-day use or smaller balances.
  • Premium: A 5-key vault with inheritance support and direct access to expert advisors.
  • Private: Casa’s most comprehensive service, offering 6-key vaults, personalized setup, and dedicated white-glove support, the level he chose to safeguard his long-term holdings.

Ultimately, he chose the Private Client plan to protect his long-term holdings. It delivered peace of mind through layered security and concierge-level service giving him full control without friction. By aligning vault complexity with his financial goals, Casa transformed what once felt daunting into a structured system. Day-to-day giving and transactions remained simple, while his long-term wealth was secured with institutional-grade robustness. And with Casa’s built-in buy feature, he could purchase bitcoin directly in the app via ACH or wire transfer and move it seamlessly into his vaults.

The security review every serious bitcoiner should do in 2026
Most bitcoiners with meaningful positions have done something about security: a hardware wallet, a seed phrase backup, enough research to feel covered. Bitcoin security is a system, not a purchase. A setup built for the position you had in 2021 or 2022 often has real gaps for what you’re

Trusted Support

Unlike custodians or completely self-serve self-custodial solutions, Casa combines world-class technology with high-touch human service. The client was paired with a dedicated advisor who became his direct point of contact for setup, troubleshooting, and security questions. Communication with your Dedicated Advisor can take place over encrypted channels, supported by Casa’s anti-social-engineering safeguards.

This human layer extended to inheritance as well. His family knew they could reach out directly to Casa’s team if something happened to him, ensuring that even technologically unsavvy loved ones would not be left alone to navigate recovery. For the client, this personal connection was just as important as the vault technology, removing the isolation he once felt managing his security.

“My Casa Advisor knows me. I can reach out to him whenever I need to, and my wife knows she can too.”


Complete Control

Most importantly, Casa returned full sovereignty to the portfolio manager. Unlike custodians, Casa never holds unilateral control of funds and the keys remain in the user’s hands. By distributing keys among family members and trusted friends, with his attorney aware of Casa’s role, he created a clear inheritance plan that balanced privacy with resilience.

For the first time, he had both the assurance that his wealth was safe today and the confidence that it would remain accessible to his family in the future. What had once been his greatest fear became one of his greatest sources of peace of mind.


Anti-Social Engineering Safeguards

The attack the portfolio manager experienced was a result of the attacker applying pressure and information. The only thing that stood between him and catastrophic loss, was a Coinbase fraud detection system he didn't even know he was relying on.

He realized through this incident that custodians are a single point of failure and if the attacker had gotten through the fraud detection screen, there was nothing else to stop him from losing everything. He also realized that the data breaches from prior custodians is what made him a target in the first place, his account balance, transaction history, KYC documents, all of it sitting in one place, was exactly what gave the attacker enough detail to sound credible.

Casa is built around both sides of that problem.

Firstly, Casa never stores KYC documents or account balances, so there's no centralized data trove to leak or weaponize. Because funds are distributed across multiple keys, each with its own seed phrase, a single compromised or lost key isn’t a problem. Moving funds requires coordinated approvals across devices and no phone call, spoofed email, or leaked database can change that.

Secondly, Casa’s social engineering defense suite offers many of the protections custodial clients expect in addition to several they don’t such as:. 

Phone Call Detection watches for an active call while you're in the app. If you're on the phone being helped with sending digital assets, the app asks you to verify the caller is a Casa employee via an Advisor Verification Code. If the person on the phone cannot provide a verification code, hang up.

Guardian Mode adds an optional live video verification call with a Casa Advisor before the Casa Key adds the final signature on any transaction. Two Casa Advisors confirm you're acting freely and on your own volition before they sign.

Whitelisting requires new addresses to go through a 48-hour waiting period before they become active. The moment any new address is added, you get an email. Even if an attacker had initiated a send, or convinced you to add an address to send to, nothing would move in that session.

Suspicious Account Activity watches for logins from physically impossible locations. If his credentials had been used from somewhere he couldn't be, he'd have known immediately. No IP addresses stored, ever.

What had once been a frighteningly realistic attack became, under Casa's model, a scenario that simply couldn't succeed.


Results

By choosing Casa, the portfolio manager:

  • Eliminated custodial risk entirely, no exchange or third party can freeze, seize, or leak his funds
  • Distributed keys across secure locations and family members, so no single compromise is catastrophic
  • Simplified ongoing security with tiered vaults matched to his financial goals, from day-to-day transactions to long-term holdings
  • Gained a dedicated advisor available on demand, with encrypted communication and verified identity on every interaction
  • Built a clear inheritance plan his family can act on, backed by human support from Casa's team
  • Protected against the full social engineering attack chain with architecture that removes the single point of failure custodians create, and a defense suite that makes the attack pattern itself unworkable

Wrap-Up

Today, the portfolio manager stores his bitcoin with confidence in Casa’s multi-signature vaults. No exchange breach can expose his assets, because Casa never holds them. His keys are distributed across safes, family members, and trusted contacts, ensuring redundancy against any single failure. And with all communication conducted through encrypted channels, attackers have no avenue for social engineering, making his security as resilient to human trickery as it is to technical threats.

The difference from Coinbase couldn’t be starker. There, he couldn’t even move his own bitcoin without giving up more personal details; on top of the data they’d already leaked. With Casa, it’s the opposite: no hoops, no extra exposure. His bitcoin is truly his, and his alone.

Ultimately, Casa delivered on the promise that first attracted him: absolute control of his bitcoin, backed by human support whenever he needs it.

“I just feel better about it now—I have that connection with Casa, and I know everything is in place if something happens.”