The Threat Is Real
The "$5 wrench attack" is Bitcoin's most underestimated threat: someone physically coerces you into revealing your Bitcoin. Technical security — hardware wallets, multisig, air-gapped computers — provides no protection when the attacker is standing in front of you.
A duress wallet (also called a decoy wallet or plausible deniability wallet) is your defense: a secondary Bitcoin wallet that looks real, contains a small balance, and can be revealed under coercion while your actual holdings stay hidden.
This guide explains how to set one up properly.
How Duress Wallets Work
Bitcoin's BIP-39 standard supports an optional passphrase — sometimes called the "25th word." The passphrase extends your seed phrase to derive a completely different wallet:
- Seed phrase alone → Wallet A (your decoy wallet)
- Seed phrase + passphrase → Wallet B (your real wallet)
Both wallets are mathematically valid. Both derive real Bitcoin addresses. There's no cryptographic way for an attacker to know whether a given seed phrase has a passphrase attached to it — or how many.
Under coercion, you reveal your seed phrase. The attacker accesses Wallet A, finds your decoy balance (say, 0.05 BTC — a plausible amount), and your real holdings in Wallet B remain inaccessible.
The Passphrase: How It Actually Works
The BIP-39 passphrase is not a PIN or a second password — it's a cryptographic input to the HD wallet derivation process. Key properties:
Any passphrase is valid: There's no "wrong" passphrase. Enter a different passphrase and you don't get an error; you get a different (typically empty) wallet. This is by design: nothing in the wallet tells an attacker whether a guess is "correct". Each candidate passphrase has to be derived into a wallet and checked for funds, which is what makes a long passphrase so expensive to brute-force.
Case-sensitive, character-sensitive: "Bitcoin" and "bitcoin" derive completely different wallets. Every character matters — spaces, capitalization, symbols.
No recovery if forgotten: If you forget your passphrase, your funds are gone. The passphrase is not stored anywhere. This is why backup procedures are critical.
Unlimited passphrases: You can have multiple passphrases, each deriving a different wallet. You could have:
- No passphrase → Wallet A (decoy with 0.05 BTC)
- Passphrase "red" → Wallet B (empty, second decoy)
- Passphrase [your actual passphrase] → Wallet C (real holdings)
An attacker who finds multiple wallets can't prove they've found all of them.
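The derivation described above, as an added example that is not part of the original guide: the BIP-39 seed is PBKDF2-HMAC-SHA512 over the mnemonic with the salt "mnemonic" + passphrase, and the BIP-32 master key is HMAC-SHA512 of that seed keyed with "Bitcoin seed". The mnemonic used is the published all-zero-entropy BIP-39 test vector, chosen only for demonstration; everything else (function names, the sample passphrases "red", "Bitcoin", "bitcoin") is an assumption of this example. It uses only the Python standard library.

```python
import hashlib
import hmac
import unicodedata

# Added example (not from the article): minimal BIP-39 / BIP-32 derivation showing
# why "seed phrase + passphrase" is a completely different wallet, why any passphrase
# is "valid", and why "Bitcoin" and "bitcoin" are not the same wallet.

PBKDF2_ROUNDS = 2048  # fixed by BIP-39


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed.

    The passphrase is folded into the PBKDF2 salt, so there is nothing stored to
    compare a guess against: a wrong or missing passphrase simply yields a different,
    equally valid seed. Only the mnemonic words carry a checksum; the passphrase has none.
    """
    m = unicodedata.normalize("NFKD", mnemonic)
    p = unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", m.encode("utf-8"), ("mnemonic" + p).encode("utf-8"), PBKDF2_ROUNDS
    )


def bip32_master_key(seed: bytes):
    """BIP-32 master private key and chain code (HMAC-SHA512 keyed with 'Bitcoin seed').

    Every account, key and address of the wallet is derived from this pair, so two
    different seeds give two unrelated wallets.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Constructed demonstration mnemonic: the well-known BIP-39 test vector
# (all-zero entropy). Never use it for real funds.
DEMO_MNEMONIC = "abandon " * 11 + "about"


def wallet_fingerprints(mnemonic: str, passphrases) -> dict:
    """Map each passphrase to the hex of its master private key.

    The empty string is the 'no passphrase' decoy wallet; every other entry is a
    separate wallet derived from the same 24 (here 12) words.
    """
    out = {}
    for p in passphrases:
        key, _chain = bip32_master_key(bip39_seed(mnemonic, p))
        out[p] = key.hex()
    return out


if __name__ == "__main__":
    fps = wallet_fingerprints(DEMO_MNEMONIC, ["", "red", "Bitcoin", "bitcoin"])
    for p, fp in fps.items():
        label = "(no passphrase -> decoy)" if p == "" else f"passphrase {p!r}"
        print(f"{label:28} master key {fp[:16]}...")
```

Run it and note that no call ever fails: the derivation accepts anything, including the case-variant "bitcoin", and returns a different master key each time. That is the property the guide relies on, and also the reason a forgotten passphrase is unrecoverable: there is no stored value to check a guess against, only a different wallet.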
Step-by-Step Setup
Step 1: Choose Your Hardware Wallet
Passphrase support is available on all major hardware wallets. Recommended options for duress wallet setups:
- Coldcard: Excellent passphrase UX, supports passphrase entry directly on device
- Trezor: Long-standing passphrase support, well-tested
- Ledger: Supported, though UX varies by model
- Foundation Passport: Clean passphrase implementation
For a full comparison, see our Bitcoin Hardware Wallet vs Software Wallet guide.
Step 2: Set Up Your Base Wallet (Decoy)
Create your wallet normally:
- Generate a new 24-word seed phrase on your hardware wallet
- Write it down on paper (or metal) — this is your only backup
- Do not set a passphrase yet
- The wallet derived from the seed phrase alone is your decoy wallet
Step 3: Fund Your Decoy Wallet
This is critical: an empty decoy wallet is unconvincing. Fund it with a plausible amount — enough to be credible, small enough to be an acceptable loss.
Guidelines:
- Too little (0.001 BTC, roughly $85 at current prices): Looks suspicious
- Plausible (0.05–0.15 BTC): Looks like a real holding
- Too much (1+ BTC): Unnecessary risk; losing it hurts
A decoy balance of 0.05–0.1 BTC (~$4,000–$8,500 at current prices) reads as a real but modest holding. Most people who hold Bitcoin don't have 10+ BTC — a small balance is plausible.
Step 4: Choose Your Real Passphrase
Your passphrase should be:
- Long: 20+ characters minimum. Longer passphrases provide more entropy against brute force.
- Memorable: You must be able to recall it without notes
- Unique: Not a common phrase, lyrics, or dictionary words
- Not written on the same paper as your seed: If found together, the purpose is obvious
Example passphrase structure: [Random word][Number][Symbol][Random word][Number] — e.g., "Maple7!Freight42" (do not use this example)
Step 5: Back Up Your Passphrase Separately
Your passphrase must be backed up separately from your seed phrase — and in a way that doesn't reveal the connection:
Option 1: Memorize it entirely. Ideal if it's short and distinctive. High risk of forgetting.
Option 2: Write it down and store it separately from your seed phrase — in a different physical location. The seed phrase backup and passphrase backup should never be in the same place.
Option 3: Encode it. Store the passphrase in a way that requires additional knowledge to decode (a cipher only you know, a reference only you understand).
Never: Store your passphrase in a cloud service, password manager linked to your main accounts, or email.
Step 6: Access and Test Your Real Wallet
- On your hardware wallet, navigate to passphrase settings
- Enter your chosen passphrase
- Confirm the wallet derives a different address than your decoy wallet
- Send a small test transaction to your real wallet address
- Verify you can send from the real wallet
- Test the full recovery process: restore from seed on a new device, then enter your passphrase — confirm you can access both wallets
Operational Security (OPSEC)
The technical setup is only half the equation. Duress wallets fail from operational security mistakes:
Don't talk about your holdings: The attacker can only coerce you if they know you hold significant Bitcoin. Practice OPSEC — don't disclose holdings publicly, on social media, or in casual conversation.
Keep the decoy wallet active: Occasionally transact from the decoy wallet. Wallets with no transaction history after initial funding look suspicious.
Maintain the decoy: Don't let the decoy balance go to zero. Keep it funded at a plausible level.
Your hardware wallet: The decoy is the "default" behavior of your device — no passphrase needed. Your real wallet requires the passphrase step. Under coercion, you can genuinely hand over the device and reveal the seed phrase without exposing your real wallet.
Rehearse your story: You should have a simple, consistent explanation for your Bitcoin holdings. "I bought some Bitcoin a few years ago, this is what's left" is credible for a small balance.
Multi-Location Defense
For holdings large enough to warrant a more complex setup, combine passphrase wallets with multisig:
- Wallet A: Seed phrase, no passphrase — decoy (0.05 BTC)
- Wallet B: Seed phrase + passphrase — moderate amount (0.5 BTC)
- Wallet C: 2-of-3 multisig where the third key is held by a trusted institution — bulk of holdings
An attacker who coerces you into revealing everything you physically hold still can't access Wallet C — they'd need to coerce the third-party keyholder too. See our multisig setup guide for details.
What About Duress PINs?
Some hardware wallets support a duress PIN — a secondary PIN that opens a decoy wallet when entered. This provides the same plausible deniability without requiring knowledge of the BIP-39 passphrase system.
Coldcard has had this feature for years. If your hardware wallet supports it, a duress PIN is a simpler user experience than managing passphrase wallets manually — it's the same concept, implemented at the device level.
Frequently Asked Questions
Can an attacker tell if I have a passphrase? No. There's no cryptographic or visible indication. The seed phrase alone derives a valid wallet — the attacker can't prove a passphrase exists.
What if I forget my passphrase? Your funds are permanently inaccessible. This is by design — no one can recover a forgotten passphrase, including hardware wallet manufacturers. Back it up securely.
How long should my passphrase be? At minimum 15–20 characters. Longer is better. A passphrase that's 30+ characters with mixed case, numbers, and symbols is essentially impossible to brute-force.
Should I use a word or phrase I know? Avoid common phrases, song lyrics, quotes, or book titles — these are in brute-force dictionaries. Create something genuinely random.
Does this protect against remote hacks? No. The passphrase wallet protects against physical coercion. For remote attack protection, use hardware wallets and follow our Bitcoin Security Tips guide.
Bottom Line
A duress wallet with a BIP-39 passphrase is one of the most underused Bitcoin security tools. The setup takes 30 minutes and provides genuine protection against physical coercion — the attack vector that no amount of cryptographic security addresses.
The keys: fund the decoy convincingly, back up the passphrase separately from the seed, test the recovery process before you need it, and maintain operational security about your holdings.
For complete Bitcoin security, see our Bitcoin Seed Phrase Backup Guide, Bitcoin Passphrase BIP-39 Guide, and How to Store Bitcoin Safely.