The $3 million Remilia Treasury theft on March 17, 2024 — where malware compromised a password manager to steal seed phrases and drain multisig wallets — exposed a critical flaw in how even sophisticated crypto organizations approach key management. For users and organizations holding significant digital assets, a basic hardware wallet is no longer sufficient. This advanced tutorial walks through the architecture and implementation of a production-grade multisig wallet setup that would have prevented the Remilia breach entirely.
The Objective
This tutorial demonstrates how to configure a secure multisig wallet using established coordination tools and hardware wallets. The goal is to create a wallet configuration where no single point of failure — whether a compromised password manager, a stolen hardware wallet, or a malicious insider — can result in the loss of funds. By the end, you will have a fully operational multisig wallet with independent hardware signers, verified receive addresses, and a tested recovery procedure.
Prerequisites
Before starting, ensure you have the following:
Hardware: At least three hardware wallets from established manufacturers. For maximum security, use devices from different manufacturers — for example, one Ledger, one Trezor, and one Keystone. This diversification protects against manufacturer-specific firmware vulnerabilities. Each device should be set up independently with its own seed phrase, generated on the device itself — never imported from another source.
Software: A multisig coordination application such as Sparrow Wallet (desktop), Electrum, or a framework-specific coordinator like Caravan. These tools manage the quorum configuration and transaction signing workflow without ever having access to your private keys directly.
Knowledge: Familiarity with basic Bitcoin transactions, UTXO management, and the concept of public key cryptography. Understanding the difference between single-sig and multisig wallet architectures. Comfort with command-line tools is helpful but not strictly necessary.
Step-by-Step Walkthrough
Step 1: Initialize each hardware wallet independently. Set up each device in a clean environment — ideally on a dedicated, freshly installed operating system. Generate a new seed phrase on each device. Record each seed phrase on a separate steel backup plate. Store these plates in different physical locations: a home safe, a bank deposit box, and a trusted third location. The critical principle is that compromising one location gives an attacker nothing useful without access to the other locations.
Step 2: Export extended public keys (xpubs). From each hardware wallet, export the extended public key through the coordinator application. The xpub allows the coordinator to generate and verify receive addresses and construct transactions without ever having access to private keys. Connect each hardware wallet to the coordinator one at a time, verify the device authenticity through the manufacturer’s verification process, and import the xpub.
Step 3: Configure the quorum. Set up a 2-of-3 multisig configuration, meaning any two of the three hardware wallets must sign a transaction for it to be valid. This provides both security and redundancy: one wallet can be lost or destroyed without losing access to funds, while an attacker who compromises one wallet still cannot move funds without a second signer.
Step 4: Verify receive addresses on each device. This is a critical step that many users skip. For each receive address generated by the coordinator, verify it on at least two hardware wallet screens. This ensures that no malware on your computer has replaced the coordinator’s address with an attacker’s address — a common attack vector that has resulted in significant losses.
Step 5: Test with a small transaction. Send a small amount — 0.001 BTC or equivalent — to your new multisig wallet. Then create a spending transaction that requires signatures from two of your three hardware wallets. Verify that the transaction broadcasts successfully and that the funds arrive at their destination. This test confirms that your entire setup — key generation, address derivation, transaction construction, and signing — is working correctly before you commit larger amounts.
Step 6: Document your configuration. Create a written record of your multisig configuration, including the quorum parameters (2-of-3), the xpub from each signer, and the derivation path used. Store this documentation alongside your seed phrase backups. Without this information, recovering your wallet from seed phrases alone is significantly more complex.
Troubleshooting
Device not recognized: Ensure you are using a supported connection method — some hardware wallets require specific USB drivers or browser extensions. Try a different USB cable or port. If using a mobile connector, ensure Bluetooth is enabled and the device is in pairing mode.
Address mismatch: If a receive address differs between the coordinator and the hardware wallet display, stop immediately. This indicates potential malware on your computer. Perform a full system scan, consider rebuilding your operating system from a clean installation, and never send funds to an unverified address.
Lost signer: If one of your three hardware wallets is lost or damaged, you can still sign transactions with the remaining two. However, you should immediately create a new multisig wallet with fresh keys and migrate your funds. A 2-of-3 multisig with only two remaining signers effectively becomes a 2-of-2 — still secure, but with zero redundancy.
Mastering the Skill
Once you have a working multisig setup, advance your practice with these techniques:
Timelocks: Add time-based conditions to your wallet configuration, requiring funds to remain locked for a specified period before they can be moved. This provides a window to detect and respond to unauthorized access attempts.
Geographic distribution: Store hardware wallets and backup plates in different cities or countries. This protects against localized threats — natural disasters, physical theft, or legal seizure in a single jurisdiction.
Regular testing: Every three to six months, perform a test transaction to verify that your entire setup remains functional. Hardware wallets can degrade, backup plates can be damaged, and software can become incompatible with updated firmware. Regular testing catches these issues before they become critical during an actual recovery scenario.
Inheritance planning: Document a procedure for trusted individuals to access your funds in the event of your incapacitation or death. This typically involves providing each trusted party with one seed phrase backup and clear instructions on how to coordinate with the other key holders. Consider working with an estate planning attorney who understands digital assets.
The Remilia hack was preventable. A properly configured multisig wallet with hardware signers and air-gapped seed phrase storage would have rendered the password manager compromise irrelevant. Do not wait for your own breach to take operational security seriously. The tools are available, the procedures are proven, and the stakes — as the crypto market continues to grow — only increase.
Disclaimer: This article is for educational purposes only and does not constitute professional security advice. Always verify procedures with qualified security professionals before implementing with significant assets.
3 hardware signers is the only way to sleep at night
hardware wallets are great but multisig is the real defense
this would have saved charlotte fang if she had used independent signers