She Filmed His Seed Phrase While He Slept: The Bitcoin Custody Lesson Every Wealthy Family Needs

On March 19, 2026, Bloomberg reported that Hong Kong investor Ping Fai Yuen — known in local media as a "teenage stock market prodigy" who built his fortune under the name Huo Liaosen — is suing his ex-wife Fun Yung Li in London's High Court. The allegation: she secretly filmed the mnemonic seed phrase of his cold wallet and used it to steal 2,323 Bitcoin, worth approximately £180 million (~$238 million at the time of the transfer).

The Bitcoin is gone. It moved on-chain. No bank reversed the transaction. No fraud department intervened. No court injunction arrived in time to stop it. By the time the legal system engaged, the cryptographic transfer was already final — settled in roughly ten minutes, immutable forever.

This is not a story about a bad marriage. It is a story about a custody architecture that was designed to fail.

For families holding significant Bitcoin positions, this case is a masterclass in what happens when self-custody meets the one threat model most holders never consider: the person who sleeps next to you.

What Happened: The Mechanics of a $238 Million Seed Phrase Theft

The details that have emerged from court filings and reporting by Bloomberg and PANews paint a straightforward picture — and that's precisely what makes it terrifying.

Yuen stored his 2,323 Bitcoin on a hardware wallet — a cold storage device designed to keep private keys offline and away from internet-connected threats. The device itself was likely secured in his home, possibly in a safe. The seed phrase — the 12 or 24-word mnemonic backup that can reconstruct the entire wallet — was apparently stored in a location his wife could physically access.

According to the filings, Fun Yung Li filmed the seed phrase. That's it. No sophisticated hacking. No zero-day exploit. No supply chain attack on the hardware wallet manufacturer. She pointed a phone camera at a piece of paper (or metal plate, or whatever medium the seed phrase was recorded on), captured the words in order, and later used them to restore the wallet on a different device.

Once she had the seed phrase, she had the Bitcoin. She transferred 2,323 BTC to wallet addresses she controlled. The transaction confirmed on the Bitcoin network. And at that point, from a technical standpoint, the theft was complete and irreversible.

Why the Seed Phrase Is the Single Point of Failure

A Bitcoin seed phrase (technically a BIP-39 mnemonic) is a human-readable encoding of the master private key that controls all Bitcoin addresses derived from that wallet. Anyone who possesses these words — in the correct order — can reconstruct the wallet on any compatible device and move every satoshi it contains.

The hardware wallet itself is not the security. The PIN on the hardware wallet is not the security. The safe the hardware wallet sits in is not the security. The seed phrase is the security — and the vulnerability. Everything else is a speed bump.

In this case, the speed bumps were irrelevant. The wife had physical access to the home. She had time. She had a camera. That was sufficient to defeat a custody architecture protecting a quarter of a billion dollars.

Why Bitcoin Is Different: No Recovery, No Reversal, No Recourse

If Fun Yung Li had stolen $238 million from a bank account, the outcome would be radically different. Banks have fraud departments. Wire transfers can be reversed within certain windows. Courts can freeze accounts. Regulatory bodies can compel financial institutions to hold funds pending investigation.

Bitcoin has none of these mechanisms. By design.

This is the fundamental tension of self-custody: the same property that makes Bitcoin censorship-resistant and immune to government seizure also makes it immune to recovery when stolen by someone with physical access to your seed phrase.

Consider the asymmetry:

• Traditional assets: Theft requires ongoing institutional cooperation (the bank must process the transfer, maintain the account, allow withdrawals). Each step is a potential intervention point.
• Bitcoin: Theft requires a one-time action (broadcast the transaction). Once confirmed, no institution, government, or technical mechanism can reverse it. The blockchain doesn't know or care whether the person who signed the transaction was the "rightful" owner.

Yuen is suing in London's High Court. He may win a judgment. The court may order his ex-wife to return the Bitcoin. But a court order is only as good as the ability to enforce it. If the Bitcoin has been moved to addresses she controls through privacy-preserving methods, the judgment may be practically unenforceable. She could face contempt charges, fines, even imprisonment — but the Bitcoin itself may never return.

This is why prevention — through proper custody architecture — is the only reliable protection. Recovery after the fact is a legal fantasy in most self-custody theft scenarios.

The Multi-Signature Solution: Eliminating Single Points of Failure

The custody architecture that would have prevented this theft already exists and has been well-understood in Bitcoin security circles for over a decade. It's called multi-signature (multisig) custody.

In a standard single-signature wallet — the type Yuen apparently used — one seed phrase controls everything. One key to sign transactions. One point of failure. One seed phrase photograph away from catastrophe.

Multi-signature wallets require multiple independent keys to authorize a transaction. The most common configurations:

• 2-of-3 multisig: Three keys exist. Any two must sign to move funds. No single key holder can act alone.
• 3-of-5 multisig: Five keys exist. Any three must sign. Even the compromise of two keys is insufficient for theft.

Had Yuen's 2,323 Bitcoin been stored in a 2-of-3 multisig wallet, filming one seed phrase would have been useless. His wife would have captured one of three keys — necessary but not sufficient to move funds. She would have needed physical access to a second key, stored in a different location, to complete the theft.

Multisig Configuration for Married Couples

For a married couple with significant Bitcoin holdings, the recommended minimum is a 2-of-3 multisig with the following key distribution:

1. Key 1 — Husband: Hardware wallet + seed phrase backup, stored in a location only the husband accesses (e.g., a personal safe deposit box at a bank in a different city from the home).
2. Key 2 — Wife: Hardware wallet + seed phrase backup, stored in a location only the wife accesses (e.g., her own safe deposit box at a different institution).
3. Key 3 — Neutral third party: Hardware wallet + seed phrase backup held by a trusted professional — an attorney, a professional custodian, or an institutional key-holding service.

Under this architecture:

• Either spouse can initiate a transaction, but needs cooperation from one other key holder to complete it.
• Neither spouse can unilaterally move funds — not even the spouse who originally purchased the Bitcoin.
• If one spouse dies, the surviving spouse + the third-party key holder can move funds (enabling estate succession).
• If the marriage dissolves, the third-party key holder serves as a neutral tiebreaker, cooperating only with court orders or pre-agreed terms.

For larger holdings — 1,000+ BTC, the range Yuen's position fell in — a 3-of-5 configuration adds further redundancy and security. Five keys distributed across five independent locations and holders means an attacker needs to compromise three separate points of failure. This is the architecture recommended for family offices and ultra-high-net-worth individuals in our complete custody architecture guide.

Geographic Key Distribution: Why Location Matters as Much as Cryptography

Multi-signature custody is only as strong as the physical separation between keys. If all three keys in a 2-of-3 setup are stored in the same house — one in the bedroom safe, one in the home office, one in the garage — a single person with household access can compromise all three.

Geographic distribution means storing keys in physically separate, independently secured locations:

• Location 1 — Home: One hardware wallet for convenient access to initiate transactions. Seed phrase backup is NOT stored at home.
• Location 2 — Bank safe deposit box: Seed phrase backup (metal plate, not paper) in a safe deposit box at a bank in a different city. Access requires ID verification and physical presence.
• Location 3 — Attorney or custodian: Third key held by a professional fiduciary in their secure facility. Access governed by a written agreement specifying the conditions under which they will co-sign.

The principle is simple: physical access to one location should never be sufficient to move funds. The attacker's problem should require coordinating access across multiple jurisdictions, institutions, and security perimeters simultaneously.

In the Yuen case, geographic distribution would have been decisive. Even if his wife had filmed one seed phrase at home, the second key required to move funds would have been in a bank vault or attorney's office she couldn't access without detection and cooperation.

International Distribution for Large Holdings

For holdings above $50 million — a threshold Yuen's position exceeded by a factor of four — keys should be distributed across national borders. A 3-of-5 multisig with keys in Hong Kong, Singapore, Switzerland, the United States, and the UK means that compromising the wallet requires coordinating theft across five countries' legal systems, banking regulations, and physical security infrastructures simultaneously. This is functionally impossible for any domestic attacker.

Hardware Wallet Best Practices: The Details That Matter

Even within a multisig architecture, each individual key requires proper handling. The Yuen case highlights several specific failures:

Never Store Seed Phrases Digitally

The seed phrase should never exist in digital form — no photographs, no text files, no password managers, no cloud storage, no encrypted USB drives. Digital storage creates copies. Copies proliferate. A photograph on a phone syncs to iCloud. A text file on a laptop gets backed up to Google Drive. An encrypted file can be decrypted if the password is compromised.

The seed phrase should exist only on physical media: stamped or engraved metal plates (resistant to fire, water, and corrosion) stored in a physically secured location. Paper is acceptable only as a temporary medium during initial wallet setup, to be immediately replaced by metal and destroyed.

The Passphrase (25th Word) as a Second Factor

BIP-39 supports an optional passphrase — sometimes called the "25th word" — that acts as an additional authentication factor on top of the seed phrase. When enabled, the same 24-word seed phrase with a different passphrase generates an entirely different set of wallet addresses and keys.

This is a critical defense against seed phrase theft: even if an attacker obtains all 24 words, they still need the passphrase to access the actual wallet. Without it, the seed phrase generates a decoy wallet (which can even contain a small "honeypot" balance to make the attacker believe they've found the funds).

PIN Protection and Duress PINs

Hardware wallets should always have PIN protection enabled. Some devices (notably Coldcard) support a "duress PIN" — a secondary PIN that, when entered, opens a decoy wallet with a small balance rather than the primary wallet. In a coercion scenario, the duress PIN provides plausible deniability.

PIN protection alone would not have stopped the Yuen theft — his wife bypassed the hardware wallet entirely by copying the seed phrase. But in a scenario where a spouse coerces physical access to the device (under threat of divorce proceedings, for example), the duress PIN provides an additional layer of protection.

The Estate Planning Intersection: Access If You Die, Protection While You Live

Here is the central paradox of Bitcoin custody within marriage: you need your spouse to be able to access the Bitcoin if you die, but you need to prevent them from accessing it unilaterally while you're alive.

Traditional estate planning solved this decades ago for conventional assets. Joint accounts with survivorship rights. Revocable trusts with successor trustees. Beneficiary designations. The entire legal and financial infrastructure is designed around the assumption that an intermediary (a bank, brokerage, or insurance company) will enforce the succession rules.

Bitcoin has no intermediary. The succession rules must be encoded into the custody architecture itself.

The Directed Trust Model

A directed trust separates the roles traditionally combined in a single trustee:

• Distribution trustee: Decides when and how much to distribute to beneficiaries (typically the surviving spouse).
• Investment trustee: Manages the Bitcoin position (holds or delegates custody of keys).
• Administrative trustee: Handles tax filings, record-keeping, and compliance.

By separating these roles, no single person — including the surviving spouse — has both the authority to approve a distribution and the custody access to execute it. The investment trustee holds the key, but can't distribute. The distribution trustee can approve a distribution, but can't sign the transaction. Both must cooperate.

Wyoming Private Family Trust Companies (PFTCs)

Wyoming's trust-friendly legislation allows families to establish a Private Family Trust Company (PFTC) — essentially a family-owned trust company that serves as trustee for family trusts. For Bitcoin-wealthy families, a Wyoming PFTC can:

• Serve as the institutional key holder in a multisig arrangement.
• Be governed by a board that includes family members AND independent directors.
• Operate under a charter that specifies exactly when and how Bitcoin can be moved — including requiring multiple board approvals for any transaction above a threshold.
• Survive any individual family member's death, incapacity, or marital dissolution.

A PFTC holding one key in a 2-of-3 multisig provides the institutional stability and governance structure that a simple "give one key to your attorney" arrangement lacks. The attorney might retire, die, or be conflicted out. The PFTC persists.

Co-Trustee Structures

For families not ready to establish a PFTC, co-trustee structures achieve a similar result. Appoint two co-trustees for the trust that holds Bitcoin — one family member and one independent professional (typically a trust company or an attorney acting in a fiduciary capacity). Both co-trustees must agree to any distribution or custody action. Neither can act alone.

This maps directly to multisig: each co-trustee holds a key. The trust document specifies the conditions under which each co-trustee should sign. The legal governance layer and the cryptographic custody layer reinforce each other.

Prenuptial and Postnuptial Provisions for Bitcoin Custody

If you hold significant Bitcoin and are married (or about to be), your prenuptial or postnuptial agreement should address custody architecture — not just the division of assets in a divorce, but the specific rules governing access to keys during the marriage.

What the Agreement Should Cover

• Multisig configuration: The agreement should specify the m-of-n configuration (e.g., 2-of-3) and the general distribution of keys (one per spouse, one with a neutral third party).
• Unauthorized access definition: Explicitly define that accessing, copying, photographing, or reconstructing a seed phrase, private key, or hardware wallet PIN without the other party's consent constitutes unauthorized access — with specific remedies (liquidated damages, forfeiture of claims to the Bitcoin, criminal referral).
• Key access rights: Specify each party's rights to their own key and the conditions under which the third-party key holder will cooperate (court order, mutual consent, death verification).
• Custody architecture changes: Require mutual consent for any changes to the multisig configuration, key storage locations, or third-party key holder identity.
• Separation protocol: Specify what happens to the multisig arrangement upon legal separation — typically, the third-party key holder is instructed to cooperate only with court orders until the divorce is finalized.

What a Court Can and Cannot Do

A court can:

• Order the disclosure of all Bitcoin holdings and wallet addresses.
• Order a party to transfer Bitcoin as part of an equitable distribution.
• Hold a non-compliant party in contempt (fines, imprisonment).
• Issue a judgment for the dollar value of stolen or hidden Bitcoin.

A court cannot:

• Reverse a Bitcoin transaction.
• Freeze a Bitcoin wallet (there is no intermediary to serve the freeze order on).
• Recover Bitcoin if the controlling party has moved it and refuses to cooperate.
• Compel a hardware wallet manufacturer to provide access (they can't — they don't have the keys).

This enforcement gap is precisely why the custody architecture itself — multisig, geographic distribution, third-party key holders — must prevent the theft before it happens. Once Bitcoin moves, the legal system can punish but rarely recover.

The Trusted Third-Party Key Holder Model

The third key in a 2-of-3 multisig arrangement is the linchpin of the entire architecture. Choosing the right third-party key holder is one of the most important decisions in Bitcoin custody design.

Option 1: Attorney as Key Holder

A Bitcoin-literate estate planning attorney holds the third key under a written key-holding agreement. The agreement specifies:

• The attorney will co-sign a transaction only upon receiving written instructions from both spouses, OR a certified death certificate, OR a court order.
• The attorney will not co-sign based on instructions from only one spouse (preventing unilateral action).
• The attorney maintains the key in a secure facility (bank vault, not their office desk drawer).
• Successor key holder provisions if the attorney retires or dies.

Option 2: Professional Custodian

Institutional Bitcoin custody providers (Unchained Capital, Casa, Onramp) offer collaborative custody models where they hold one key in a client-controlled multisig. The client retains majority key control (2 of 3 keys), while the custodian holds one key and will co-sign only after verifying the client's identity and the transaction's legitimacy.

For married couples, this model can be adapted: the custodian's verification process can be configured to require confirmation from both spouses for transactions above a certain threshold, or to require additional documentation during periods of legal separation.

Option 3: Family Governance Entity

As discussed above, a Wyoming PFTC or similar family governance entity can serve as the institutional key holder. This is the most robust option for families with holdings above $10 million, as it provides governance continuity independent of any individual relationship.

Red Flags: 8 Signs Your Bitcoin Custody Is Vulnerable to Domestic Theft

If any of the following apply to your current Bitcoin custody setup, your holdings are exposed to the same risk that cost Yuen $238 million:

1. Single-signature wallet: All your Bitcoin is controlled by one seed phrase. One key. One point of failure. This is the most critical red flag — everything else is secondary if this one is true.
2. Seed phrase stored at home: Your seed phrase backup (paper, metal plate, or any other medium) is in your house, where your spouse has physical access 24/7.
3. Seed phrase stored digitally anywhere: Photograph on your phone. Note in your password manager. Text file on your computer. If it's digital, it's copyable without physical access.
4. No passphrase (25th word): Your hardware wallet uses only the 24-word seed phrase with no additional passphrase, meaning the seed phrase alone is sufficient to steal the funds.
5. Spouse knows the seed phrase: You've shared your seed phrase with your spouse "in case something happens to me." This is the $5 wrench attack with no wrench required.
6. All keys in one jurisdiction: Even in a multisig setup, if all keys are in the same city or country, a determined attacker with local access can potentially compromise multiple keys.
7. No written custody agreement: There is no prenuptial, postnuptial, or other written agreement defining key access rights, unauthorized access penalties, or separation protocols for your Bitcoin custody.
8. No independent third-party key holder: Your multisig arrangement (if you have one) involves only family members — no neutral, professional, institutionally-accountable party holds a key.

If you checked three or more of these, your custody architecture needs immediate attention. If you checked five or more, you are one domestic dispute away from a catastrophic, irrecoverable loss.

The 5-Step Action Plan: Securing Your Bitcoin Against All Single Points of Failure

Whether you hold 1 BTC or 2,323 BTC, the principles are the same. The implementation scales with the value at risk.

Step 1: Move to Multi-Signature Custody

If you are currently using a single-signature wallet — one hardware wallet, one seed phrase — this is the single most important change you can make. Move your Bitcoin into a 2-of-3 multisig wallet. Tools like Sparrow Wallet, Electrum, or institutional platforms like Unchained and Casa make this accessible even without deep technical expertise.

The migration itself requires careful execution: generate the three new keys on three separate hardware wallets, create the multisig wallet, verify the receiving addresses on each hardware device, send a small test transaction, verify receipt, then transfer the full balance. Do not rush this process. Verify every step.

Step 2: Distribute Keys Geographically

Once you have a multisig wallet, distribute the three keys to three physically separate locations. At minimum:

• Key 1: Your personal hardware wallet (at home for convenience, but seed phrase backup NOT at home).
• Key 2: Bank safe deposit box in a different city.
• Key 3: Professional third-party key holder (attorney, custodian, or PFTC).

Each key's seed phrase backup should be on a metal plate (Cryptosteel, Billfodl, or similar) — not paper, which is vulnerable to fire, water, and degradation.

Step 3: Add a Passphrase to Every Key

Enable the BIP-39 passphrase on each hardware wallet. Use a strong, unique passphrase for each key. Memorize each passphrase and store a written backup in a separate location from the corresponding seed phrase. This ensures that even if a seed phrase is compromised (photographed, stolen, or discovered), the attacker still cannot reconstruct the key without the passphrase.

Step 4: Formalize the Legal Framework

Work with an attorney experienced in both family law and digital asset custody to draft or update your prenuptial/postnuptial agreement with Bitcoin custody provisions. At minimum, the agreement should define:

• The multisig configuration and key distribution.
• What constitutes unauthorized access.
• Remedies for unauthorized access (liquidated damages, forfeiture).
• Separation and divorce custody protocols.
• Death and incapacity succession protocols.

Simultaneously, ensure your estate plan (revocable trust, will, power of attorney) is updated to reflect the multisig structure and provides your executor or successor trustee with enough information to participate in key recovery — without giving them unilateral access.

Step 5: Test the Architecture Annually

A custody architecture that isn't tested is a custody architecture that doesn't work. At least once per year:

• Verify that each hardware wallet powers on and the PIN works.
• Verify that each seed phrase backup is intact and legible.
• Execute a small test transaction using the multisig quorum to confirm all keys and the signing workflow function correctly.
• Confirm that your third-party key holder still has their key, understands their obligations, and has current contact information for you.
• Review and update your key-holding agreements and estate documents if any circumstances have changed (new address, new attorney, marital status change).

Document each annual review. The documentation itself becomes evidence of prudent custody management if a dispute ever reaches court.

The Lesson From $238 Million

Ping Fai Yuen built a Bitcoin position that most people can only dream of — 2,323 BTC, accumulated through what was reportedly years of prescient investing. He secured it against hackers, exchange failures, government seizure, and every external threat that the Bitcoin community traditionally worries about.

He did not secure it against his wife.

This is not a failure of Bitcoin. Bitcoin worked exactly as designed — it transferred value to the person who held the keys, instantly and irreversibly. It is a failure of custody architecture: a single-signature wallet, a seed phrase stored within reach of a person with motive and opportunity, and no structural safeguard requiring multiple independent parties to authorize a transaction.

The fix is not complicated. Multi-signature custody, geographic key distribution, a professional third-party key holder, and a legal framework that defines access rights — these tools have existed for years. They are well-understood, widely available, and increasingly accessible even to non-technical holders.

What they require is the willingness to acknowledge an uncomfortable truth: the person closest to you is, by definition, the person with the most physical access to your custody infrastructure. And in Bitcoin, physical access to a seed phrase is total access to the funds.

Design your custody architecture accordingly. Not because you don't trust your spouse — but because sound custody architecture should never depend on trust in the first place.