Playbook
Crypto Wallets — Seed to the Vault, Sweep on Recovery
Platform claims verified July 6, 2026
What this mechanism is
Self-custodied crypto is the one asset class with no company, no support line, and no death-certificate process behind it — whoever holds the seed phrase holds the money, and if nobody holds it, the money is gone forever. The plan is therefore simple and absolute: the seed phrase goes into AmberKey Layer 2, and when your survivors recover it, they don’t keep using your wallet — they sweep everything to a brand-new wallet of their own, because your seed stopped being a secret the moment other people could read it.
Set it up now
- Create one crypto card in AmberKey per wallet. On the card (Layer 1) record: the wallet software or hardware model (e.g., “Trezor Safe 5 in the desk safe,” “Electrum on the gray laptop”), the chains/coins on it, roughly what’s there (“most of the BTC,” not exact balances), and where the hardware device physically lives.
- Escrow into Layer 2, per wallet:
- The seed phrase (the 12/18/24 BIP-39 words, in order, exactly as written). This alone recovers a standard wallet on any compatible software — no hardware device needed.
- The passphrase, if you use one (Trezor “hidden wallet,” Ledger “25th word”). This is critical: the seed alone cannot recover a passphrase wallet. Both vendors are explicit that a lost passphrase means the hidden wallet is permanently inaccessible — Trezor and Ledger do not store it and cannot recover it. Seed without passphrase = your survivors restore an empty (or decoy) wallet and reasonably conclude the money is gone.
- The device PIN (convenience only — the seed makes it unnecessary, but it lets survivors use the actual device; note that Ledger devices factory-reset after 3 wrong PINs, Trezor after 16).
- Derivation quirks, if any: nonstandard derivation paths, multisig configurations (record every cosigner key’s location and the quorum), or wallets that predate BIP-39. If your setup needs anything besides “type these words into a standard wallet,” write it down step by step.
- If you use a passphrase, structure the Layer 2 items so seed and passphrase are clearly labeled as belonging together (“Trezor seed” + “Trezor passphrase — REQUIRED with the seed above”).
- Write the sweep instruction into the card’s executor notes: “Recover, then immediately move everything to a new wallet. Do not keep using mine.” (The survivor steps below explain how.)
- Never type the seed into a computer, photograph it, or store it in a password manager or cloud note during this process. Transcribe it on paper from the original backup, enter it into AmberKey only through the client-side encrypted Layer 2 flow, then destroy the working copy.
- Exchange accounts (Coinbase, Kraken, etc.) are not covered by this playbook — they’re custodial, have real death-certificate estate processes, and belong on a generic/bank-style card with metadata only.
- Re-escrow whenever you: create a new wallet, change a passphrase, or move significant funds to a wallet AmberKey doesn’t know about. An unrecorded wallet is a lost wallet.
What AmberKey stores
- Layer 1 (metadata): wallet inventory — model/software, chains, approximate contents, physical location of devices and original seed backups, multisig structure, and the sweep instruction.
- Layer 2 (bearer secrets): the seed phrase(s), the passphrase(s), device PINs, and any derivation/multisig details needed to reconstruct spending ability. This is the highest-value, most bearer-like secret AmberKey holds — it is exactly what Layer 2’s client-side encryption and the recovery circle’s quorum exist for.
- Nothing crypto belongs in Layer 1 beyond the map. A seed phrase in a metadata field would be catastrophic; the AmberKey UI treats seeds as Layer 2 items only.
What your survivors do
Take this slowly; unlike banks, there is no undo and no support line. If a trusted, crypto-literate friend or a professional can sit with you, this is the playbook to do it for.
- Find the crypto card in the AmberKey packet. It lists each wallet, what’s roughly on it, and where any hardware devices are. The seed words and any passphrase are in the vault (Layer 2).
- Tell no one outside the estate what you’re holding, and don’t post timelines. Anyone who learns you hold a seed phrase may target you.
- Prepare a clean computer (fully updated, malware-free — a freshly updated machine you trust, not a shared or old one) or, better, a new hardware wallet purchased directly from the manufacturer (trezor.io or ledger.com — never a marketplace reseller).
- Create the estate’s new wallet first. Set up the new hardware wallet (or reputable software wallet) and let it generate a fresh seed — write those new words on paper, store them somewhere safe, and never photograph them. This new wallet is where everything is going.
- Now recover the deceased’s wallet: enter their seed words (and the passphrase, if the vault has one — enter it exactly, it’s case- and space-sensitive) into a compatible wallet. If the card says Trezor or Ledger, entering the seed into a new device of the same brand is the smoothest path; any standard BIP-39 wallet also works.
- If the balance looks wrong or zero — stop, don’t panic. Check: Was there a passphrase in the vault you haven’t entered? (Seed without passphrase shows a different, often empty, wallet.) Does the card mention a nonstandard derivation path or multisig? Try those details before concluding anything. Balances are on the blockchain; nothing “expires.”
- Sweep, don’t settle in. Send the full balance of each coin from the recovered wallet to addresses in the new wallet. Why: the deceased’s seed has now existed in AmberKey, on printed share cards’ recovery output, on your screen, and in however many hands the recovery took — it is no longer a secret, and anyone else who ever reconstructs it can drain the wallet at any time (this is Trezor’s own guidance after any seed exposure: move funds promptly to a wallet with a new seed, and never reuse the old one). Start with a small test transaction, confirm it arrives, then move the rest. Expect small network fees.
- After sweeping, the old seed and passphrase are worthless — the estate’s crypto now lives behind the new seed only. Guard those new paper words like the money they are.
- Crypto is estate property: report holdings and the sweep transactions to the executor/attorney for the estate inventory and taxes (the sweep itself is not a sale, but records matter later).
Required documents
- None for access — the seed is the entire authority. No death certificate, court, or company is involved for self-custody.
- The usual estate documents still matter for the legal side: the executor should inventory the holdings, and US estates owe tax paperwork on them. For exchange accounts, the exchange’s own estate process applies (death certificate + letters testamentary; check each exchange’s current policy).
Expected timeline
- Recovery + sweep: an afternoon, once the AmberKey vault is reconstructed and a new device is in hand (allow a week to buy hardware from the manufacturer).
- No external waiting periods — the only clock is the attacker’s, which is why the sweep happens promptly after recovery, not “someday.”
Gotchas
- Seed without passphrase recovers the wrong (often empty) wallet. Trezor and Ledger both implement hidden/passphrase wallets where the passphrase is never stored anywhere by the vendor. If the owner used one and didn’t escrow it, that money is permanently gone — no exceptions, no recovery service. Owners: escrowing the passphrase is not optional. Survivors: an empty balance means “check for a passphrase,” not “it’s lost.”
- The device is not the wallet. A broken, lost, or PIN-wiped hardware wallet loses nothing — the seed restores everything on a new device. Conversely, holding the physical device without PIN or seed gets you nothing (3 wrong PINs factory-reset a Ledger; 16 wipe a Trezor). The seed words in Layer 2 are the asset.
- Keeping the recovered wallet “for convenience” is the classic fatal mistake. Every day funds sit on the old seed, everyone who ever glimpsed those words is a co-owner. The sweep is not paranoia; it’s the whole point of the procedure.
- Sweeping via software counts as exposure too. Typing a seed into a desktop wallet on a compromised computer hands it to malware. Prefer restoring into a fresh hardware wallet; if software is unavoidable, use a freshly updated, trusted machine and sweep immediately.
- Buy hardware only from the manufacturer. Tampered resale devices with pre-known seeds are a real scam. trezor.io and ledger.com, direct.
- Multisig dies quietly. A 2-of-3 multisig where nobody documented the other two keys is unrecoverable even with one seed escrowed. If the card mentions multisig, every key’s location and the exact setup must be in Layer 2.
- Scammers circle bereaved crypto holders. “Recovery services” that ask for the seed phrase are the theft. Nobody legitimate ever needs the seed words — not Trezor, not Ledger, not an exchange, not a lawyer.
- Don’t let devices and paper backups leave in the estate sale. A hardware wallet in a junk drawer, or the original paper seed backup in a filing box, is a live key. The Layer 1 card lists where they all are — collect and destroy/secure them after the sweep.