Chris, this is the most structured risk framework I’ve seen applied to crypto. I want to stress-test one assumption though: your custody risk formula.
You write: amount at risk x probability of compromise x (1 - recovery probability)
The challenge is that probability of compromise is not static — it’s a function of the attacker’s knowledge, motivation, and capabilities. For the $282M victim, the probability of compromise was much higher than for an anonymous wallet holding the same amount, because the attacker had correlated the on-chain whale wallet with a real-world identity through breach data.
This means risk assessment needs to incorporate an OSINT exposure score — how much publicly available information links your crypto holdings to your real identity. Factors include:
- Previous interactions with exchanges that require KYC (correlated to your withdrawal addresses)
- Data breaches at hardware wallet companies (Ledger 2020: 272K names + addresses + phone numbers)
- Social media activity discussing holdings or trading strategies
- On-chain analysis connecting wallet clusters to known entities
- ENS names or other on-chain identity markers
For individuals: the practical advice isn’t just “use multisig.” It’s “quantify your OSINT exposure and reduce it.” Use coinjoins, separate withdrawal addresses, avoid linking wallets to KYC exchanges, and for the love of all that is holy, don’t post your portfolio on Twitter.
For institutions: commission regular OSINT assessments of your organization’s crypto exposure. Red team your team members — can a skilled researcher determine your cold wallet addresses, your signing procedures, or the personal phone numbers of your signers? If yes, you’re already at elevated risk.
The 1,400% increase in impersonation scams that Chainalysis reports is partly driven by the growing availability of correlated identity data. As breaches accumulate and on-chain analysis tools improve, the attacker’s cost of reconnaissance drops while the potential payoff remains enormous. The risk trajectory is worsening, not improving.