A lost or stolen seed phrase should be treated as compromised. You need to replace the key entirely by conducting a key replacement.
Warning: If you are reading this article and need to remedy a serious situation, please know the following steps impact the keys securing your bitcoin and missteps have the potential to result in permanent loss of funds.
If you'd like to speak one-on-one with a bitcoin expert to walk through this process, we strongly encourage you to sign up for Premium Support.
1. Acquire or reset a replacement device
If your seed phrase is lost or stolen, the best thing to do is purchase a replacement hardware wallet in order to generate a new key to perform a key replacement on the Unchained platform. It's generally best to purchase devices directly from the manufacturer. See the full list of hardware wallets that Unchained supports.
Optional: Factory reset an unused device
If you have an old hardware wallet (ensure it is unused and non-compromised before proceeding) that you want to use for replacing the compromised key, you can follow the manufacturer's respective instructions to perform a factory reset.
- Trezor: How to wipe your Trezor Model One
- Trezor: How to wipe your Trezor Model T
- Ledger: Reset Ledger Nano S (Plus) to factory settings
- Ledger: Reset Ledger Nano X to factory settings
Note: When you lose a seed phrase, you technically can use the hardware wallet associated with it to generate a new key and perform a key replacement. We advise against this in this guide because doing so is a technical process which done incorrectly could make you dependent on Unchained's key to recover your bitcoin.
2. Initialize device as new
Next, initialize the brand new (or newly-reset) device. This generates a new seed phrase which generates the public key that you will upload to the Unchained platform.
Note: Don't dispose of the corresponding hardware wallet for the compromised seed phrase at this stage. While not required, you may wish to use it to sign for the key replacement as described in step 4 below. This allows you to conduct a key replacement without depending on an Unchained signature.
Follow the guide from the manufacturer to set up the device as new:
- Trezor: How to setup your Trezor Model One
- Trezor: How to setup your Trezor Model T
- Ledger: Setup Ledger Nano S
- Ledger: Setup Ledger Nano X
- Coldcard: How to setup a Coldcard
3. Upload the new key to your Unchained account
Before you can conduct a key replacement, you need to upload the new key.
- Log in to your Unchained account.
- Click Keys from the menu on the left-hand side of your screen.
- Click the Upload New Key button a the top of the screen.
- Use the platform suggestion or enter a custom name for this key and select Next.
- Select the manufacturer of the device you're using.
- On Trezor and Ledger, click Connect to export your public key. On a Coldcard, follow the instructions on the screen to import your public key via microSD card.
- Review the exported public key and select Next.
4. Conduct a key replacement
- Navigate to your keys dashboard.
- Select the key you want to replace.
- Click on Replace Key and author a transaction.
- Select the new key from the Choose Key dropdown menu.
- Verify that you can or can't sign a transaction via the Can you sign? section toggle.
- If you select that you can sign, you're saying you can provide the two signatures required to move funds to the wallet controlled by the new quorum of keys. This means you will need both the non-compromised key and restore the seed phrase backup associated with the lost or stolen hardware wallet to another hardware wallet in order to sign with the second key.
- If you select that you can't sign, you're saying that you can only provide one signature. This means you will sign with the transaction using the non-compromised hardware wallet. Unchained will then countersign to provide the second signature, which will successfully replace the key, but this method requires identity verification.
- Click Replace Key.
- Confirm that you are sure of the change by clicking Replace.
- Sign for the transaction to complete the replacement.
- If you chose can sign, you'll need to sign for both keys that you control.
- If you chose can't sign, sign with the non-compromised key and record a verification video to approve the key replacement and submit it.
5. Securely store your new hardware wallet and seed phrase
Following operational security best practices, you should securely store the new hardware wallet and seed phrase.
Tip: Keep the hardware wallet corresponding to the lost seed phrase. Mark it with a pen or stamp as “lost device” or “compromised device” but keep it secure. You can also rename the impacted key in the Unchained platform to reflect that it shouldn't be used.
Other important maintenance items
Download your wallet configuration file
Your multisig wallet configuration file contains the extended public key information from each device. Therefore, a new wallet constructed with a different key entails a different wallet configuration file.
Remove or adjust any whitelisted addresses
Many exchanges allow or may even require users to verify receive addresses by “white-listing” or “allow-listing” before sending funds. If you have done this, be sure to update white-listed any addresses at your exchange of choice. Your new vault has a unique set of addresses associated with it and bitcoin sent to addresses of old or compromised keys may be lost.
If you followed the above steps correctly, your Unchained vault should be controlled by three new keys: your original non-compromised key, the newly-generated key and associated hardware wallet, and Unchained's key. You can verify this by performing a test withdrawal.