What do I do if my hardware wallet is lost or stolen?

If your hardware wallet is lost or stolen, you need to acquire a new one and conduct a key replacement.

Warning: If you are reading this article and need to remedy a serious situation, please know the following steps impact the keys securing your bitcoin and missteps have the potential to result in permanent loss of funds.

If you'd like to speak one-on-one with a bitcoin expert to walk through this process, we strongly encourage you to sign up for Premium Support.

While a single lost or stolen hardware wallet usually presents no immediate risk to funds in a multisig custody setup like an Unchained vault, a lost or stolen hardware wallet constitutes a compromised key. Performing a key replacement to reestablish the proper operational security of your multisig setup is a high priority and should be done as soon as possible.

Follow the steps below to replace the lost device and reestablish vault security.

1. Acquire or reset a replacement device

If your device is lost or stolen, you need to purchase a replacement if you don't already have one. It's generally best to purchase devices directly from the manufacturer. See the full list of hardware wallets that Unchained supports.

Optional: Factory reset an unused device

If you have an old hardware wallet (ensure it is unused and non-compromised before proceeding) that you want to replace the lost or stolen hardware wallet with, you can follow the manufacturer's respective instructions to perform a factory reset.

2. Initialize device as new

Next, initialize the brand new (or newly-reset) device. This generates a new seed phrase, from which the device derives the public key that you will upload to the Unchained platform.

Note: Don't dispose of the corresponding seed phrase for the lost or stolen hardware wallet at this stage. While not required, you may wish to use that backup to sign for the key replacement as described in step 4 below. This allows you to conduct a key replacement without depending on an Unchained signature.

Follow the guide from the manufacturer to set up the device as new.

3. Upload the new key to your Unchained account

Before you can conduct a key replacement, you need to upload the new key. 

  1. Log in to your Unchained account.
  2. Click Keys from the menu on the left-hand side of your screen.
  3. Click the Upload New Key button at the top of the screen.
  4. Use the platform suggestion or enter a custom name for this key and select Next.
  5. Select the manufacturer of the device you're using.
  6. On Trezor and Ledger, click Connect to export your public key. On a Coldcard, follow the instructions on the screen to import your public key via microSD card.
  7. Review the exported public key and select Next.

4. Conduct a key replacement

  1. Navigate to your keys dashboard.
  2. Select the key you want to replace.
  3. Click on Replace Key and author a transaction.
  4. Select the new key from the Choose Key dropdown menu.
  5. Verify that you can or can't sign a transaction via the Can you sign? section toggle.
    • If you select that you can sign, you're saying you can provide the two signatures required to move funds to the wallet controlled by the new quorum of keys. This means you will need the non-compromised key, and you will need to restore the seed phrase backup associated with the lost or stolen hardware wallet to another hardware wallet in order to sign with the second key.
    • If you select that you can't sign, you're saying that you can only provide one signature. This means you will sign the transaction using the non-compromised hardware wallet. Unchained will then countersign to provide the second signature, which will successfully replace the key, but this method requires identity verification.
  6. Click Replace Key.
  7. Confirm that you are sure of the change by clicking Replace.
  8. Sign for the transaction to complete the replacement.
    • If you chose can sign, you'll need to sign for both keys that you control.
    • If you chose can't sign, sign with the non-compromised key and record a verification video to approve the key replacement and submit it.

5. Securely store your new hardware wallet

Following operational security best practices, you should securely store the new hardware wallet.

Tip: Keep the seed phrase corresponding to the lost hardware wallet. Mark it with a pen or stamp as “lost device” or “compromised device” but keep it secure. You can also rename the impacted key in the Unchained platform to reflect that it shouldn't be used.

Other important maintenance items

Download your wallet configuration file

Your multisig wallet configuration file contains the extended public key information from each device. Therefore, a new wallet constructed with a different key entails a different wallet configuration file. 

See our articles on how to download your new wallet config file and how to store it securely.
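After downloading the new configuration file, it is worth confirming that it differs from the old one in exactly the way a key replacement should. The following check is an added example, not Unchained's code; the field names (quorum, extendedPublicKeys, xfp, xpub), the helper names and all key values are assumptions constructed for illustration.

```python
import json

# Assumed layout: these field names are illustrative, not taken from the article.
def make_config(keys):
    """Build a constructed 2-of-3 config from (name, fingerprint, xpub) tuples."""
    return {"quorum": {"requiredSigners": 2, "totalSigners": 3},
            "extendedPublicKeys": [{"name": n, "xfp": f, "xpub": x} for n, f, x in keys]}

# Constructed placeholder keys (not real xpubs or fingerprints).
HOME = ("home", "aaaa0001", "xpub-PLACEHOLDER-HOME")
LOST = ("lost device", "bbbb0002", "xpub-PLACEHOLDER-LOST")
CUSTODIAN = ("unchained", "cccc0003", "xpub-PLACEHOLDER-UNCHAINED")
REPLACEMENT = ("replacement", "dddd0004", "xpub-PLACEHOLDER-NEW")
OLD = make_config([HOME, LOST, CUSTODIAN])
NEW = make_config([HOME, REPLACEMENT, CUSTODIAN])

def load_config(path):
    """Load a downloaded configuration file from disk."""
    with open(path) as fh:
        return json.load(fh)

def check_replacement(old, new, compromised_xfp):
    """Return a list of problems; an empty list means the new config looks right."""
    problems = []
    old_keys = {k["xpub"]: k for k in old["extendedPublicKeys"]}
    new_keys = {k["xpub"]: k for k in new["extendedPublicKeys"]}
    if old["quorum"] != new["quorum"]:
        problems.append("quorum changed")
    if len(new_keys) != new["quorum"]["totalSigners"]:
        problems.append("key count does not match quorum (duplicate or missing key)")
    removed = set(old_keys) - set(new_keys)
    added = set(new_keys) - set(old_keys)
    if len(removed) != 1 or len(added) != 1:
        problems.append(f"expected one key swapped, saw {len(removed)} removed, {len(added)} added")
    # The compromised key must be gone, and it must be the one that was removed.
    if any(k["xfp"] == compromised_xfp for k in new_keys.values()):
        problems.append("compromised key is still present in the new config")
    if not any(old_keys[x]["xfp"] == compromised_xfp for x in removed):
        problems.append("the removed key is not the compromised one")
    return problems

if __name__ == "__main__":
    issues = check_replacement(OLD, NEW, compromised_xfp="bbbb0002")
    print("OK" if not issues else "\n".join(issues))
```
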

Remove or adjust any whitelisted addresses

Many exchanges allow or may even require users to verify receive addresses by “white-listing” or “allow-listing” before sending funds. If you have done this, be sure to update any white-listed addresses at your exchange of choice. Your new vault has a unique set of addresses associated with it and bitcoin sent to addresses of old or compromised keys may be lost.

That's it!

If you followed the above steps correctly, your Unchained vault should be controlled by a new quorum of three keys: your original non-compromised key, the newly-generated key and associated hardware wallet, and Unchained's key. You can verify this by performing a test withdrawal.