2 Guesses Left: $700 Million at Stake (Stefan Thomas Story)


Authors

D'CENT Wallet Team

Hardware wallet security experts. Building secure crypto storage since 2018.


Key Answer: A recovery phrase (also called seed phrase) lets you restore access to your crypto on any compatible device if your hardware wallet breaks or gets lost. However, a recovery phrase cannot protect you if you sign a malicious transaction. Stefan Thomas learned a different but equally devastating lesson: a password-only backup can lock you out forever.


Executive Summary

  • Locked Fortune: Stefan Thomas has 7,002 BTC (worth over $700 million) locked in an IronKey device with only 2 password attempts remaining
  • Permanent Deletion: After 10 failed password attempts, the IronKey permanently deletes its contents
  • No Recovery Option: A forgotten password means permanent loss if no recovery phrase exists
  • Modern Solution: Hardware wallets use recovery phrases, not passwords, as the primary backup method
  • Limitations Apply: Even with a recovery phrase, signing malicious transactions can still cause losses

Why Does Stefan Thomas's Story Matter?

Stefan Thomas, a programmer, created an animated video explaining Bitcoin in 2011. As payment, he received 7,002 BTC—worth roughly $2,000 at the time. He stored the private keys on an IronKey, an encrypted USB drive known for its military-grade security, and wrote the password on a piece of paper.

At some point, Thomas lost the paper with his password. The IronKey has a strict security feature: after 10 incorrect password attempts, it permanently erases all data. Thomas tried eight times. Each attempt failed. He stopped with two guesses remaining. By 2024, those 7,002 BTC were worth over $700 million at late-2024 peak prices, a fortune he cannot access.


What Is the Difference Between Password and Recovery Phrase?

Password-Based Security (IronKey)

  • Access requires the exact password
  • Limited attempts before permanent lockout
  • No alternative recovery method
  • Forgotten password means permanent loss

Recovery Phrase-Based Security (Hardware Wallets)

  • 12 or 24 words generated during setup
  • Words can restore access on any compatible device
  • No attempt limits on recovery
  • Device can break, get lost, or be destroyed without losing assets

This is why hardware wallets like D'CENT, Ledger, and Trezor use recovery phrases. The device itself is not the backup. The recovery phrase is.


How Do Recovery Phrases Work?

When you set up a hardware wallet, the device generates a recovery phrase. This phrase is a human-readable representation of your private keys.

If your device breaks:

  • Purchase a new hardware wallet
  • Select "Restore from recovery phrase"
  • Enter your 12 or 24 words (D'CENT also supports an optional 25th word)
  • Access to all your assets is restored

No password attempts. No lockout risk. No permanent loss from forgotten credentials.
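The restore step above, set beside the 10-attempt wipe, as an added example (not D'CENT's or IronKey's code). It assumes the wallet derives its seed from the words the way the BIP-39 standard specifies; `AttemptLimitedDrive` is a hypothetical model, and the phrase is the public BIP-39 test phrase, which must never hold funds.

```python
import hashlib
import hmac
import unicodedata

WIPE_AFTER = 10  # failed-attempt limit the article gives for the IronKey
# Public BIP-39 test phrase (all-zero entropy). Sample input only; never fund it.
SAMPLE = "abandon " * 11 + "about"


def seed_from_phrase(words: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    # NFKD is part of BIP-39; collapsing stray whitespace is a convenience added here.
    phrase = unicodedata.normalize("NFKD", " ".join(words.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", phrase.encode(), salt.encode(), 2048, dklen=64)


class AttemptLimitedDrive:
    """Hypothetical model of a password-only device that wipes after too many misses."""
    def __init__(self, password: str, secret: bytes):
        self._password = password.encode()
        self._secret = secret
        self.failures = 0

    def unlock(self, guess: str):
        if self._secret is None:
            return None  # contents already erased; no guess can help
        if hmac.compare_digest(guess.encode(), self._password):
            return self._secret
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self._secret = None  # permanent erase, as the article describes
        return None


def demo() -> dict:
    seed = seed_from_phrase(SAMPLE)
    drive = AttemptLimitedDrive("the-lost-password", seed)
    for n in range(WIPE_AFTER):
        drive.unlock(f"guess-{n}")
    return {
        "drive_recoverable": drive.unlock("the-lost-password") is not None,
        "phrase_restores_same_seed": seed_from_phrase(SAMPLE) == seed,
        "passphrase_is_separate_wallet": seed_from_phrase(SAMPLE, "25th word") != seed,
    }


if __name__ == "__main__":
    print(demo())
```

Because the optional passphrase is mixed into the derivation, forgetting it leaves the 12 or 24 words restoring a different, empty wallet.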

Important to understand:

A hardware wallet significantly reduces the risk of your keys being stolen by hackers or malware. However, if you sign a malicious transaction or fall victim to approval-based phishing, losses can still occur. The recovery phrase protects against device failure, not user error. With D'CENT, Blockaid analyzes your transactions and warns you about malicious or suspicious activity before you sign.


Mistakes: Critical Errors to Avoid

Storing Recovery Phrase Digitally

Never photograph, screenshot, or type your recovery phrase into any device. This includes cloud storage, note apps, email drafts, and password managers. Digital storage exposes your phrase to hackers.

Relying on Memory

Stefan Thomas trusted a piece of paper. Many people trust their memory. Both can fail. Use durable, offline storage methods like metal backup plates.

Confusing Password and Recovery Phrase

Your device PIN or password is not your backup. Only the recovery phrase can restore your wallet on a new device. Treat them as separate security layers.

Skipping Backup Verification

Write down your recovery phrase during setup. Then verify it by checking the words match what the device displays. Some users discover errors only when they need to recover.

Using a Single Storage Location

If your recovery phrase is stored in one place and that location is compromised (fire, flood, theft), you lose everything. Consider secure secondary storage in a different physical location.


Backup Security Checklist

Minimal, Actionable, and Sustainable

Recovery Phrase Storage

  • Recovery phrase written on paper or metal
    Use durable materials that won't degrade over time
  • Stored completely offline (no digital copies)
    Never photograph, screenshot, or type into any device
  • Kept in a secure, private location
    Protected from fire, water, and physical damage
  • Secondary backup stored in a separate location
    Different physical location for disaster recovery

Verification

  • Phrase verified against device display after writing
    Confirm accuracy during initial setup
  • Regular verification that backup remains legible and accessible
    Check periodically without entering it anywhere

Access Planning

  • Family or trusted contacts know how to access if needed
    Plan for emergency situations
  • Device PIN/password stored separately from recovery phrase
    Keep these as independent security layers

If any items are unchecked, address them immediately.


FAQ

Q1: Could Stefan Thomas eventually recover his Bitcoin?
A: According to media reports, Thomas declined external recovery attempts, and there is no public confirmation that his Bitcoin has ever been successfully recovered, despite claims involving prior agreements.

Q2: What is an IronKey?
A: IronKey is an encrypted USB storage device with military-grade security. It limits password attempts and permanently erases data after too many failures. Unlike hardware wallets, it has no recovery phrase backup.

Q3: How is a hardware wallet different from an IronKey?
A: Hardware wallets generate a recovery phrase during setup. If the device fails or you forget your PIN, you can restore access using those words on a new device. IronKey offers no such recovery method.

Q4: Can I lose my crypto if I forget my hardware wallet PIN?
A: No. If you forget your PIN, you can reset the device and restore using your recovery phrase. The PIN protects the device; the recovery phrase protects your assets.

Q5: Does a hardware wallet guarantee I will never lose my crypto?
A: No. A hardware wallet significantly reduces the risk of key theft from online attacks and malware. However, if you lose your recovery phrase, sign a malicious transaction, or grant harmful approvals to a DApp, losses can still occur.

Q6: What happens if someone finds my recovery phrase?
A: They gain full access to your assets. Anyone with your recovery phrase can restore your wallet on their own device and transfer everything. Guard your phrase as carefully as you would cash.

Q7: Should I store my recovery phrase in a password manager?
A: No. Password managers are connected to the internet and can be hacked. Recovery phrases should remain completely offline. Write them on paper or stamp them on metal.

Q8: How much Bitcoin is lost forever?
A: According to Chainalysis, approximately 20% of all Bitcoin (around 3.7 million BTC) is locked in wallets where owners have lost access. Stefan Thomas's 7,002 BTC is part of this total.



 
