Stress & Failure Scenarios in Bitcoin Custody

How Bitcoin custody systems behave when the conditions they were built for no longer apply.

This reference is published by CustodyStress, an independent Bitcoin custody stress test that produces reference documents for individuals, families, and professionals.

Someone dies, and their spouse doesn't know where the seed phrase is stored. A house fire destroys the only hardware wallet. A divorce turns a shared custody arrangement into a contested one. A family member receives a threatening message demanding bitcoin. An executor opens a safe deposit box and finds a metal plate with 24 words — and no instructions.

These are not unusual situations. They are the moments when a custody system faces real pressure. The system was set up when things were calm. Everything made sense at the time. But the system was never tested under the conditions that eventually arrived.

Common questions that surface include:

– "If something happens to me, who can actually access this?"

– "Would my spouse even know where to start?"

– "What if two bad events happen at the same time?"

This reference describes how custody systems behave when those conditions change. It covers physical destruction — fire, flood, earthquake. It covers adversarial pressure — coercion, extortion, ransom. It covers legal proceedings — divorce, creditor seizure, forfeiture. It covers self-inflicted errors — forgotten passwords, corrupted backups, misunderstood recovery steps. And it covers what happens when these events combine or arrive in sequence, creating failures the holder never modeled.

Includes (observed failure patterns):

– Fire, flood, and earthquake destroying backup materials or access paths

– Coercion, extortion, and ransom scenarios that turn the holder into the attack vector

– Divorce and legal seizure where cooperation breaks down

– Forgotten passwords, corrupted backups, and self-inflicted access loss

– Multi-event failures where two or more problems collide at the same time

The Theft-Versus-Loss Tradeoff

Custody systems face two opposing threats. Someone could steal the bitcoin. Or the holder could lose access to their own bitcoin. Defenses against one threat tend to increase exposure to the other. The observations in theft protection versus loss prevention tradeoffs describe this structural tension: more passwords, more complexity, more barriers make the system harder to breach. They also make the system harder to recover. The holder who builds maximum theft resistance may build a system that their heirs cannot access. The holder who builds maximum recoverability may build a system that an attacker can exploit.

This tension runs through every stress scenario. Physical destruction threatens the loss axis. Coercion and extortion threaten the theft axis. Divorce threatens both simultaneously — one party may attempt unauthorized access while the other may attempt to make assets undiscoverable. The balance point between theft protection and loss prevention is not a fixed setting. It shifts depending on which stress scenario materializes, and no single configuration optimizes for all of them at once.

Environmental Destruction and Physical Loss

Custody materials exist in physical space. Hardware wallets sit on shelves. Seed phrases are written on paper or stamped into metal plates. These objects can be destroyed. The observations in backup survival after fire, flood, or disaster describe what happens when elemental destruction eliminates physical custody materials. Fire burns paper. Water corrodes electronics. A person imagines these events and asks what happens to the bitcoin. The answer depends on whether the physical destruction eliminates all recovery paths or only some of them.

Regional disasters amplify this problem. The patterns in earthquake infrastructure failure and backup access describe what happens when distribution fails at regional scale. The holder stored custody materials across multiple locations within the same metropolitan area, believing that distribution protected against single-point failure. The earthquake damages all of those locations simultaneously. Roads become impassable. Communication networks go down. Power outages persist for days. The distribution strategy assumed that disaster would be localized. The disaster was not. What appeared to be geographic redundancy was geographic concentration at a scale the holder did not model.

The holder who anticipates physical destruction encounters a design tension documented across multiple memos: distributing backups across more locations increases resilience against localized destruction but increases the number of places where a backup can be found by someone who is not the holder. The same distribution that protects against fire increases exposure to discovery. Metal backup plates survive fire. They also survive being found by a burglar, a contractor, or a family member who was not supposed to know they existed.

Adversarial Pressure and Coercion

Most custody planning assumes voluntary action. Someone dies. Heirs step in. Credentials are located. Funds transfer according to documented intent. The process unfolds without opposition. The observations in custody behavior under physical coercion describe a different situation: someone is threatened, pressured, or forced to act against their own interest. The custody system that was designed to protect the holder now faces a scenario where the holder is being compelled to defeat their own protections. Every security feature the holder added — every PIN, every passphrase, every time delay — becomes a tool the coercer forces the holder to bypass. Most security plans assume the attacker is someone else. Under coercion, the attacker is forcing the holder to unlock their own system.

Extortion creates a related but distinct pattern. The observations in custody behavior under extortion or threat describe what happens when a holder receives a credible threat demanding bitcoin transfer. The threat comes from someone who knows the holder has bitcoin — through public statements, blockchain analysis, data breaches, or social relationships. The holder's custody security was designed to prevent unauthorized access. Under extortion, the holder may become the authorized vector for their own loss.

The most extreme version of adversarial pressure appears in ransom demands and custody exposure under duress. Deadlines measured in hours or days create time pressure. Family members search for seed phrases, navigate hardware wallets, and attempt transactions they have never performed — all while someone's safety depends on the outcome. The custody system's complexity, designed for security during calm operation, becomes an obstacle when speed determines whether a person is harmed.

Duress wallet features interact with these scenarios in unexpected ways. The observations in duress wallets and inheritance confusion describe what happens when a security feature designed to protect against coercion encounters a different stress event — the holder's death. The feature creates two access paths. One leads to primary holdings. Another leads to a decoy balance. An executor or heir who discovers both paths may not know which is which. A feature built for one stress scenario creates confusion under a different one.

Legal Seizure and Adversarial Proceedings

Legal proceedings can transform a cooperative custody environment into an adversarial one. The observations in custody access and disclosure during divorce and legal authority versus technical access in divorce describe how divorce proceedings stress custody systems in ways that differ from death or incapacity. Two people who once cooperated are now in conflict. They may have shared finances, shared accounts, shared devices, and shared knowledge about custody arrangements. What was built together is now contested between opposing parties. One spouse may have sole technical access. The other may have legal claims to the assets. The gap between technical control and legal entitlement widens as cooperation breaks down.

Creditor seizure introduces a different kind of legal pressure. The observations in legal seizure mechanics for self-custody holdings describe what happens when enforcement mechanisms designed for traditional assets encounter cryptocurrency custody. A sheriff can seize a bank account by serving a writ on the bank. There is no institution to serve when bitcoin is held in self-custody. The debtor physically possesses the keys. Legal authority to seize exists. The practical mechanism to enforce that authority encounters a system that does not recognize court orders. Compliance depends entirely on the holder's cooperation, and the holder may have both the technical ability and the personal incentive to resist. The court can hold the holder in contempt. It cannot move the bitcoin. Courts can order someone to turn over Bitcoin. But they cannot move it themselves. That gap exists because Bitcoin does not rely on a bank.

Self-Inflicted Error and Memory Failure

Not all custody failures originate from external events. Some originate from the holder. The observations in forgotten passphrase and memory decay over time describe what happens when a passphrase that protects bitcoin access exists only in someone's memory. Today they recall it clearly. Six months from now, they may not. The passphrase differs from a seed phrase in that it is typically not written down — that is the point of it, and the source of its fragility. Security that depends on memory weakens as memory weakens.

The theft-versus-loss tradeoff is visible here in its sharpest form. A passphrase that is written down can be found by someone who is not the holder. A passphrase that is not written down can be forgotten by the holder. The holder who chose not to write it down chose theft resistance over loss resistance. That choice may have been correct at the time it was made. Whether it remains correct years later, when memory has changed and circumstances have shifted, is a different question.

The observations in scenario-based testing for custody resilience describe how modeled stress scenarios can surface failure surfaces that static review does not reveal. A stress test does not just check whether everything looks fine. It models what happens when specific events occur — the holder dies, the spouse cannot find the PIN, the executor does not know a seed phrase exists — and traces whether the system survives each scenario. The difference between a review and a stress test is the difference between inspecting a bridge and driving a truck across it. The review checks that components are present. The stress test reveals whether those components produce the intended outcome under the conditions that will actually occur.

Partial Recovery and Cascading Failure

Recovery does not always succeed or fail cleanly. The observations in partial recovery that stalls before completion describe a middle state that is often misread. Some access is restored. Progress appears to have been made. The situation looks like it is resolving. But completion has not occurred. The system is not fully restored. Partial recovery occupies a position between total loss and full restoration, and the apparent progress can mask unresolved dependencies that prevent the final step.

Partial recovery creates its own risks. The person who has recovered partial access may believe the process is nearly complete. They may relax the urgency that drove the initial recovery effort. Meanwhile, the remaining steps may be the hardest ones — requiring a passphrase that no one has, coordination with a cosigner who cannot be reached, or technical steps that exceed the skill of the person performing recovery. The easy parts complete first. The hard parts remain. Getting halfway through recovery does not mean the hardest part is behind you. A system that is ninety percent recovered may be zero percent functional if the remaining ten percent contains the step that actually moves the bitcoin.

The failure mode taxonomy for professional assessment documents these patterns systematically. Failure modes do not always present as total loss. They can present as delay, as partial access, as confusion about which wallet holds the primary balance, as disagreement about who has authority, or as paralysis when the person with access fears making an irreversible mistake. The taxonomy traces how different failure modes interact — how a documentation gap compounds with a coordination failure, how a forgotten passphrase cascades into a missed probate deadline, how an untested backup creates a partial recovery that stalls before the bitcoin can actually move.

Emergency Access and Crisis Response

Some stress events create immediate access needs that standard custody procedures do not accommodate. The observations in emergency kit design for crisis bitcoin access describe the tension between security and rapid availability. A medical emergency, a sudden incapacity, or a family crisis creates urgent need for access before formal estate processes or legal proceedings can authorize it. The kit concept sits between normal daily operations and full posthumous handoff. Designing it requires balancing two contradictory requirements: the materials need to be accessible quickly by someone other than the holder, and they need to remain inaccessible to everyone else at all other times. Making the kit easier to find in an emergency also makes it easier to find by someone with the wrong intentions. Making it harder to discover for security also makes it harder to discover when someone's life may depend on accessing funds within hours rather than months.

Across every stress scenario — fire, flood, earthquake, coercion, extortion, kidnapping, divorce, seizure, forgotten credentials, partial recovery — the same structural pattern appears. The custody system was designed under conditions that no longer apply. The stress event introduces variables the design did not account for: physical destruction, adversarial intent, legal compulsion, time pressure, memory loss, or emotional incapacity.

The system's response to these variables is not a function of how well the system was built. It is a function of whether the system was built for this particular kind of stress. A system that survives fire may not survive divorce. A system that resists coercion may not survive the holder's own memory failure. No single configuration addresses every scenario. The failure surfaces shift depending on which event arrives. The question is not whether a system looks secure. The question is how it behaves when pressure arrives.

Stress scenarios compound. A death event can coincide with regional disaster. A divorce can coincide with a creditor action. An extortion threat can coincide with a phone-number takeover. Many failures are not caused by one event. They happen when two problems collide at the same time. The custody system that survives one stress event may not survive two arriving simultaneously, because the second event eliminates the recovery path the first event was supposed to fall back on.

---

Index of Memos in This Category

The following memos document individual stress scenarios, failure modes, and system behavior under specific adverse conditions. Each memo examines one axis of custody failure. Some memo titles are phrased as questions for search discoverability; the documents remain descriptive.

• Bitcoin Custody Behavior Under Coercion and Duress
• Bitcoin Custody Cost of Mistakes
• Bitcoin Custody Fragility Model
• Bitcoin Custody Stress Test
• Bitcoin Custody Verification Failure
• Bitcoin Custody What Can Go Wrong
• Bitcoin Custody Worst Case
• Bitcoin Divorce Custody
• Duress Wallet Features and Inheritance Survivability
• Bitcoin Custody During Divorce
• Bitcoin Earthquake Damage
• Bitcoin Emergency Kit Design Tensions
• Bitcoin Extortion Threat
• Bitcoin Foreclosure Seizure Mechanics
• Bitcoin Hardware Wallet Failure
• Bitcoin Kidnapping Ransom
• Elemental Destruction as a Backup Test
• Bitcoin Mental Health Crisis
• Bitcoin Passphrase Forgotten After Delay
• Bitcoin Passphrase Risk
• Bitcoin SIM Swap Custody
• Bitcoin Surgery Complications
• Bitcoin Terminal Illness Timeline Compression
• Exchange Bankruptcy Bitcoin Inheritance
• Partial Recovery as a Failure Mode
• Protect Bitcoin from Theft vs Loss

← Return to CustodyStress