If Your Hardware Wallet Is Compromised: A Practical Canadian Guide to Incident Response and Secure Bitcoin Recovery

Hardware wallets are the backbone of modern Bitcoin self-custody, but devices and human workflows are not immune to compromise. This guide walks Canadian and international Bitcoin users through clear, practical steps to identify a compromised hardware wallet, contain the incident, and securely recover funds. It focuses on actions you can take immediately, best practices to prevent repeat incidents, and structural defenses such as multisig and air-gapped signing to reduce single-point-of-failure risk.

Why this matters - quick context

Unlike custodial platforms, when you hold Bitcoin yourself a compromise can directly lead to irreversible loss. Canadian users face the same risk profile as international users, plus local operational considerations such as banking rules for fiat exits or reporting requirements for large losses. The good news is that many compromises can be contained and mitigated with the right incident-response steps and a disciplined recovery plan.

Recognizing a compromise: Red flags to watch for

Not all signs are obvious. Some compromises are the result of supply-chain tampering, counterfeit hardware, or malware on a connected computer or phone. Be suspicious when any of the following occur:

  • Unexpected firmware prompts asking to export or re-enter your seed phrase.
  • Device asks for your seed phrase after a firmware update or during normal use.
  • Unrecognized transactions created or broadcast from your wallet without your approval.
  • Companion app shows changed addresses, unknown config, or a new pairing request.
  • Device looks physically altered, or packaging had signs of prior opening at delivery.
  • Your recovery process failed when restoring to a second, clean device.

Immediate incident response - what to do in the first hour

Time matters. Follow a calm, decisive sequence to avoid making irreversible errors.

  1. Stop using the compromised device. Power it down and disconnect any cables. Do not enter your seed phrase or PIN into any device or website.
  2. Isolate companion devices. Remove the wallet from any desktop or mobile apps. Put the computer or phone used for signing offline and consider it potentially compromised.
  3. Set up a clean signing environment. Use a known-good hardware wallet, a new device from a verified source, or an air-gapped environment to prepare an outgoing transaction. If you do not have a replacement, obtain one only from an official vendor or trusted reseller - do not buy used devices.
  4. Monitor on-chain activity. Use a watch-only wallet on a separate device to track your addresses. Do not import your seed to the watch-only wallet; add only the public keys or addresses.
  5. Consider moving funds immediately. If you believe attackers can act, move funds to a new secure address or to a multisig vault. Prioritize smaller test transfers before moving all funds.

Choosing the right recovery path

There are three common recovery options. Choose the one that matches your technical confidence, device availability, and the threat model.

1. Restore to a new hardware wallet

If you have a clean, verified device from the original vendor, restore your BIP39 seed to that device and create a fresh wallet. After restoration, generate a new receiving address and move funds using the new device. Important precautions:

  • Verify the new device firmware signatures on a trusted network or via the vendor's recommended verification method.
  • Never type your seed into a computer or phone. Use the hardware device's native restore flow.
  • Perform a small test transfer first to confirm the environment is secure.

2. Create a new wallet and sweep funds

A safer approach is to create a brand-new wallet with a new seed and then sweep - meaning send - the entire balance from the compromised addresses to the new wallet. Because the new wallet is derived from a new seed, a stolen copy of the old seed cannot sign for the swept funds. Best practices:

  • Use an air-gapped signer or fresh hardware wallet for signing the sweep transaction.
  • Construct the transaction as a Partially Signed Bitcoin Transaction - PSBT - on an offline device and only broadcast it from an online machine after signing.
  • Consider batching sweeps if you hold many UTXOs to reduce on-chain fees and address exposure.

3. Move to multisig or shared custody

If you hold significant funds, move them into a multisig setup as soon as possible. Multisig reduces the impact of a single compromised key because an attacker cannot sign alone. Options include 2-of-3 or 3-of-5 schemes using diverse hardware wallets and geographic separation of signers. For families or small businesses this adds resilience and a recovery path without relying on a single device.

Step-by-step: Safely sweeping a compromised wallet

Here is a condensed, actionable sweep workflow you can follow. Adapt details to your chosen wallet software and devices.

  • On an offline computer, install open-source wallet software on a clean system - or use an air-gapped device.
  • Create a new wallet with a brand-new seed on a verified hardware wallet. Record the seed on a metal backup or high-quality paper backup and store it securely.
  • Export the receiving descriptor or xpub from your new wallet to the offline machine to build the PSBT.
  • From the offline machine, construct a sweep PSBT referencing the compromised addresses and the new receiving address. Verify amounts and fees offline.
  • Sign the PSBT on the new hardware wallet or air-gapped signer. Only after signing, connect to an online machine and broadcast the fully signed transaction.
  • Confirm on-chain that funds arrived. Keep a watch-only copy of the old addresses to monitor for unexpected replays or dusting.

If you are not comfortable with PSBT workflows, ask for expert help from a trusted, local Bitcoin professional or community member rather than improvising with your seed phrase online.
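
The "verify amounts and fees offline" step above can be automated before anything is signed. The following is an added example, not part of any wallet's own code: it assumes the PSBT has been decoded to JSON in the shape Bitcoin Core's decodepsbt RPC prints (tx.vin, tx.vout, inputs[].witness_utxo.amount), and the function name, txids and addresses are constructed placeholders.

```python
from decimal import Decimal

SATS = Decimal(100_000_000)

def to_sats(btc):
    # Go through str() so JSON floats such as 0.1 do not carry binary rounding error.
    return int(Decimal(str(btc)) * SATS)

def check_sweep(psbt, expected_utxos, allowed_addresses, max_fee_sats):
    """Return a list of problems; an empty list means the PSBT matches the sweep plan."""
    problems = []
    spent = {(i["txid"], i["vout"]) for i in psbt["tx"]["vin"]}
    for missing in sorted(set(expected_utxos) - spent):
        problems.append(f"UTXO left behind: {missing[0][:8]}:{missing[1]}")
    for extra in sorted(spent - set(expected_utxos)):
        problems.append(f"unexpected input: {extra[0][:8]}:{extra[1]}")
    total_in = 0
    for idx, meta in enumerate(psbt["inputs"]):
        utxo = meta.get("witness_utxo")
        if utxo is None:
            problems.append(f"input {idx} has no witness_utxo; fee cannot be verified")
            continue
        total_in += to_sats(utxo["amount"])
    total_out = 0
    for out in psbt["tx"]["vout"]:
        total_out += to_sats(out["value"])
        addr = out["scriptPubKey"].get("address")
        if addr not in allowed_addresses:
            problems.append(f"output {out['n']} pays unknown destination {addr}")
    fee = total_in - total_out  # whatever is not paid to an output goes to miners
    if fee < 0 or fee > max_fee_sats:
        problems.append(f"fee {fee} sats outside 0..{max_fee_sats}")
    return problems

# Constructed sample shaped like decodepsbt output; txids and addresses are placeholders.
OLD_UTXOS = [("aa" * 32, 0), ("bb" * 32, 1)]
NEW_ADDR = "bc1q-new-wallet-placeholder"
GOOD = {
    "tx": {
        "vin": [{"txid": "aa" * 32, "vout": 0}, {"txid": "bb" * 32, "vout": 1}],
        "vout": [{"value": 0.7499, "n": 0, "scriptPubKey": {"address": NEW_ADDR}}],
    },
    "inputs": [{"witness_utxo": {"amount": 0.5}}, {"witness_utxo": {"amount": 0.25}}],
}

if __name__ == "__main__":
    print(check_sweep(GOOD, OLD_UTXOS, {NEW_ADDR}, max_fee_sats=20_000))
```

An empty result only means the PSBT matches the plan you supplied; still compare the destination address and amount on the hardware wallet's own screen before approving.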

Dealing with theft vs suspected compromise

Different outcomes require different actions.

If funds are stolen

  • Gather evidence - transaction IDs, timestamps, device serial numbers, photos of tampering, and logs from companion apps.
  • File a police report with local law enforcement and keep a copy for any insurance or reporting needs.
  • Report to your bank if a fiat exit involved an Interac e-transfer or wire - banks may help trace counterparty information for fraud investigations.
  • Consider reporting to relevant Canadian authorities if applicable - for instance, FINTRAC for suspicious activity by a reporting entity - but do not expect FINTRAC to act as a recovery service for individual thefts.

If compromise is suspected but no funds moved

Treat it as urgent and follow containment and sweeping steps. Change passwords for any related services, secure your email and phone, and audit any physical access to where your backups are stored.

Hardening your future setup - prevention and resilience

After recovery, re-evaluate your custody model. Consider the following layered protections to reduce single-point-of-failure risk:

  • Multisig - Require multiple devices or people to sign. Spread keys across hardware wallet models and vendors.
  • Air-gapped signers and PSBT - Keep signing offline where possible and use PSBTs to limit exposure.
  • Metal backups - Store seeds on durable metal plates that survive fire and water. Keep at least two geographically separated copies.
  • Vendor verification - Buy hardware wallets only from manufacturers or authorized Canadian resellers. Check firmware signatures and product authenticity as per vendor guidance.
  • Supply-chain awareness - Beware third-party resellers on online marketplaces selling used or opened devices. Use tamper-evident packaging and inspect packaging carefully.
  • Operational security - Keep minimal exposure of recovery material. Use passphrase-protected seeds (BIP39 passphrase) if comfortable with the operational trade-offs.
  • Regular drills - Test recovery and restoration procedures periodically with small sums so you know the process works in a stress situation.

Canadian-specific considerations

A few items are especially relevant for Canadians:

  • Buying devices - Purchase hardware wallets from authorized Canadian resellers or directly from the manufacturer to limit supply-chain risk and to simplify warranty or replacement.
  • Banking and fiat exits - If stolen funds were cashed out through Interac e-transfer or bank wires, contact your bank immediately. Include transaction details in any police report.
  • Regulatory reporting - Large or suspicious transactions involving third parties may involve entities regulated by FINTRAC. If an exchange or money services business is implicated, they are subject to Canadian AML rules and reporting obligations.
  • Insurance and legal help - Canadian insurance for crypto theft is limited. Document everything and consult legal counsel or a specialized crypto incident response firm for high-value cases.

Tools and techniques worth knowing

A few widely used, stable tools can help in incident response and recovery:

  • PSBT workflows - Standardized PSBTs allow offline creation and signing, improving security for sweep transactions.
  • Watch-only wallets - Use descriptors or xpubs to monitor addresses without exposing keys.
  • btcrecover - A community tool for seed recovery in certain lost-seed cases. Use cautiously and offline; never upload seeds to unknown services.
  • Multisig coordination software - Tools that manage cosigners and transactions make multisig easier to operate securely.

Checklist - immediate and follow-up actions

Use this quick checklist when you suspect compromise:

  • Power down compromised device and isolate companion devices.
  • Set up a clean signing environment on a verified device.
  • Sweep funds to a new wallet or move into multisig.
  • Document everything and file a police report if funds were stolen.
  • Notify your bank and any exchanges involved in fiat exits.
  • Improve long-term custody: multisig, metal backups, vendor verification, regular drills.

Conclusion

A compromised hardware wallet is a stressful event, but with a calm, structured response you can limit damage and recover securely. Prioritize containment, use air-gapped or verified devices to sweep funds, and adopt structural defenses such as multisig and robust backups to reduce future risk. For Canadians, vendor choice and documentation matter when working with banks or law enforcement. Above all, treat seed phrases and device integrity as the most sensitive parts of your financial life and design your custody so that a single failure cannot erase years of savings.

If you are ever unsure, pause and ask for help from a trusted, experienced Bitcoin professional rather than typing a seed into unknown software. Practical caution often saves more Bitcoin than clever recovery tricks.