OMNM

Podcast · 52 min

Jameson Lopp: From Cypherpunks to Quantum Threats

February 17, 2025 · Douglas Borthwick, Ali Davoudi & Phil Larmon

Jameson Lopp Discusses Bitcoin Security, Cypherpunk Ideals, and Self-Custody Solutions

In this episode, hosts Phil Larmon, Ali Davoudi, and Douglas Borthwick of 'Old Men, New Money' interview Jameson Lopp, a noted figure in the Bitcoin and cybersecurity space. Jameson shares his background in computer science and his journey into the world of Bitcoin. He explains the origins of Bitcoin within the cypherpunk movement and discusses its foundational principles of privacy and encryption. The conversation delves deep into Bitcoin's security features, including the concept of multi-key (multisig) security that Jameson’s company CASA specializes in. They explore CASA's innovative services for personal and enterprise Bitcoin security, including inheritance solutions, and discuss contemporary digital threats such as social engineering. Jameson also shares his concerns about the potential centralization risks posed by Bitcoin ETFs and paper Bitcoin. The episode highlights the importance of education and self-custody in the cryptocurrency world. The show concludes with Jameson promoting educational resources and encouraging the audience to take control of their digital assets.

00:00 Introduction and Hosts

00:22 Guest Introduction: Jameson Lopp

00:44 Jameson's Background and Bitcoin Journey

01:23 Understanding Cypherpunks and Bitcoin Security

06:07 Quantum Computing and Bitcoin

10:12 CASA: The Evolution and Security Focus

16:53 Inheritance Solutions for Bitcoin

25:11 Enterprise Solutions and Future Prospects

27:11 White Collar Professionals and Bitcoin

27:40 Evolution of the Customer Base

28:33 Expanding Beyond Bitcoin

29:31 Leadership Changes and Challenges

31:28 Security Trends and Threats

35:45 Personal Experiences with Cyber Attacks

39:37 Advice for Bitcoin Security

45:43 Concerns About Bitcoin Centralization

49:36 Closing Thoughts and Recommendations

Transcript

Old Men New Money, please subscribe on YouTube, Spotify and iTunes. Thank you. I'm Phil Larmon. I'm Ali Davoudi. I'm Douglas Borthwick. And this is Old Men New Money. Please follow us on socials. We've got 16,000 subscribers so far across platforms. We're two months into this and we really appreciate any comments. Thank you. Subscribe below. And today we've got an excellent guest here, Jameson Lopp. Jameson I've known for, I'd say five years, six years. And that's great to have you on the show today, Jameson. Welcome. Thanks. Hopefully I don't have to call myself an old man, even though I've got the gray and the beard, I don't feel old yet.

Don't worry. Your beard game is pretty strong there, Jameson. So Jameson, could you just give a quick bio for our audience? Yeah. So computer science background, spent the first decade of my career building sort of web scale infrastructure for an online marketing company. And just past the decade mark of working full-time on Bitcoin, self custody and security products. So I've seen a lot of terrible things over the years, but the nature of security is you learn from preferably other people's mistakes, you learn from your own mistakes, and we keep putting one foot in front of the other. Now you call yourself a cypherpunk.

Can you tell me what that is? Yeah, it's basically the movement that was the origin of many different aspects of internet security and privacy that we take for granted today. I'm sure everyone who's watching this, for example, is using SSL, like HTTPS in your browser when you're going to websites. That technology was developed by cypherpunks. A lot of the cryptography, encryption, things that are used at very low layers of the internet to secure our daily activities were invented by cypherpunks because they realized that back in the eighties and early nineties, the internet had no privacy or security.

Everything was out completely in the open, could be intercepted, could be manipulated, and so because of their paranoia and because of their understanding of how, you know, the system had great potential for empowerment, but also for abuse, they wanted to make it harder for authority figures or just malicious actors on the internet to abuse. One of the many cypherpunk projects that was tried over the years was this idea of cryptographically secured money.

There were many different attempts at it and the cypherpunks had basically given up on it until some rando going by Satoshi came along and dropped a white paper and some code and here we are 16 years later, spawned an entire industry. So what led you to Bitcoin? It was my nerdy background combined with my libertarian leanings. So Bitcoin kept coming up on some of the nerdy news sites like Slashdot that I was visiting back in the day. And of course I dismissed it the first few times as a project where everybody was going to get wrecked and lose their money, but it was persistent. It kept coming back around.

And so eventually I read the white paper and that really blew my mind from a computer science perspective because Satoshi solved the double spending problem in a way that was the exact opposite of how I, or I think really any classically trained computer scientists would try to do because it was untenably computationally expensive, the solution that they came up with.

And so as computer scientists, we are trained to use the most efficient data structures and algorithms to get a particular problem solved and rather Satoshi kind of turned this problem on its head and said, Hey, instead of having one database that we try to secure and create a lot of integrity protections around, we're just going to make everybody in the world have to run this database. And then we're going to make it really expensive to actually add or change any entries into the database. I like to say that the Bitcoin blockchain is the least performant database I've ever come across in my entire career.

But the result is that it has some very unique properties that are interesting to leverage in a variety of ways. And the most secure, would you agree that it's the most secure that you've worked with? Oh, for sure. Because it gives you this, we could say thermodynamically expensive level of assurance that once you have paid the fee to get your update to that database in that it's, it's not technically impossible to undo, but it's just impractical from any like economic standpoint. And neuter's economics and neuter's the economics for you. Yeah. And really there's many different things that make Bitcoin fascinating and make it work so well.

But I think one of the biggest pleasant surprises over the years is that Satoshi somehow got all the game theory right. Now, regardless of the code and the math and the cryptography and stuff, it's like the game theory around all of the different entities that are operating in the space and they're sufficiently mutually aligned incentives that has allowed it to continue to prosper for 16 years. And mutually assured self destruction too. Whenever anybody talks about a 50.1% attack, I'm like, yeah, but what's the point you'd be the one that would take the greatest percentage of the hit.

If you have 50.1 and nobody has trust in the network anymore, you're the one that it's the largest percentage hit. So it doesn't really, like you said, from a game theory standpoint, it's actually genius. Well, a lot of guys talking right now about these supercomputers, how quantum computing is going to break into it. Now, Ali's view certainly is that why would you break into Bitcoin? We could break into the Fed or Bank of America or whatever. What are your thoughts on this? Ah, yeah. If someone had a sufficiently powerful quantum computer, there's a lot of things that could be done with it.

Now, I think that Bitcoin is a tantalizing target because it's a bearer asset. The game theory here is tricky too, right? Like Ali was saying, if you're going to 51% attack Bitcoin, technically that's possible if you get enough pools to collude or whatever, or if you have enough nation states put in, kick enough doors down, it's always the question of what is the incentive to do? So are we talking about a nation state attacker that has more money than they know what to do with because they can basically print as much as they want? That could cause some of the sort of game theory or financial assumptions to get thrown out the window.

But thankfully it seems like even to this day have bigger problems to deal with, they're not like worried about an existential threat from Bitcoin. The quantum threat, I gave a talk on this last year and you know, if I had a sufficiently powerful quantum computer, then I would just look at the rich list and basically like Binance and Bitfinex, really the biggest exchanges that are keeping a hundred thousand plus Bitcoin in one address that has already had the public keys exposed, which means that it's not quantum safe and hit that, take that money, but then you have to ask yourself what would happen. Obviously the market would react.

I think it would be very difficult to be able to liquidate a substantial portion of those proceeds without the market just completely tanking. And a lot of people would lose confidence in Bitcoin, at least for the short or medium term, if we didn't already have some sort of quantum resistant proposal in place. There's a lot of variables at play here, really the closest like crisis situation that we can even refer to would be like the 2013 unintentional blockchain fork, where there was a, it was like a database locking issue between two different versions of the Bitcoin node software that, that caused a consensus failure.

And I think that was maybe like six hours of consensus failure before we managed to get it fixed and got everybody back on the right track. And there was a bit of market freak out during that time. I feel like some of the exchanges may have actually frozen all trading activity because they didn't know exactly how it was all going to play out. It would be trickier if we had basically massive amounts of coins that were changing ownership, because then you're going to have these massive companies be like, we need our money back. Can we roll back the blockchain? What are we going to do about this?

And there would be this overhanging existential threat for all Bitcoin holders of like, how do I make sure that this doesn't happen to me? It'll be like a great classic. Like when they rolled it back with that, when they, when their DAO got hacked. Yeah, it's just, it's tougher with the quantum stuff because the only way to really fix it requires everybody to migrate their Bitcoin into a new quantum resistant scheme. And this is one of the things I talked about last year in my presentation was like doing some rough calculations, you know, based upon how much block space we have and how many UTXOs are out there.

Like it's going to take several years to get everybody to migrate to a new scheme, whatever scheme that may be. And right now we don't even have a proposal that's anywhere near the activation or implementation stage. Thankfully, I think we have many years to work on it, but we should not be dragging our feet. Early folks in Bitcoin like yourself have very much taken a security route. And there's lots of things you can take with Bitcoin and lots of routes you can take, but security, and I think that you're certainly a proponent of personal security and also obviously your Bitcoin security. What made you focus on these areas?

Basically because it's fundamental to everything else. So I give you an example of like how Casa came to be before Casa was a multi-sig Bitcoin vault cold storage service. It was actually called Bedkin and it was a decentralized Airbnb app running on the original Blockstack protocol. And this was before I joined. When I joined, we pivoted, but basically after six months of working on that, the team very quickly realized nobody is going to use this decentralized Airbnb app if they're losing their keys. We need to solve key management.

And so that's how Bedkin got thrown out and it transformed into Casa, which has got an homage to that original idea, but also to the fact that we're trying to build a safe home for people's Bitcoin for their keys, for their assets, and ultimately probably for many other things. Can you explain multi-key? Yeah, the best way to think of it is that it's the digital version of a bank safety deposit box. If you go in your safety deposit box, there's not just one key on it. There's multiple keys that need to be turned, most likely one owned by you, one owned or controlled by an authorized employee at that vault.

And so the reason for that is that it gives you a better security model, right? Theoretically, the bank employee can't just go in there and open your stuff up because they don't have your key. Also, you can't just go in and open stuff up or someone can't just steal your key and go in and open up your box because they need to get an authorized employee to sign off on it. And of course they're going to vet you and validate whoever has that key that they're an authorized user. The reason why we like multi-key setups is because this is how you architect a security model that eliminates single points of failure.

And this is one of the biggest problems with custody in general, whether it's third-party custody or self custody, a lot of the terrible catastrophes that have happened in this space, whether to organizations or to individuals have been because they basically had all of the keys to the kingdom were basically one key and so you had to protect that key at all costs. And if anything happens to it, then it's game over and there's nobody who can get your money back.

And so that's true both of if a malicious adversary gets that key and steals the money, or if you just screw up, you make a mistake and you lose your key, then it's effectively the same thing. We understood that Bitcoin self custody has to be built with the understanding that it's going to be operated by humans and humans make mistakes. Humans tend not to be security experts, so you can't have really any assumptions about how they're going to manage things, exactly what they're going to do.

And so the idea is that when you onboard into a Casa setup, whether that's two out of three keys or three out of five keys, you are, you're distributing your risk around, you're distributing risk, think of it as strength through diversity. And basically you want a diversity of like physical locations where your keys are geographically distributed. This protects you against natural disasters, protects you against physical attackers who might accidentally or on purpose come across a key. And it also allows you to have a diversity of software and hardware, which protects you against things like supply chain attacks.

Basically, you have to consider like all of the million different things that could go wrong with a key and then have all of your keys set up differently so that whenever X goes wrong, it only affects one key. It doesn't wipe out all of your keys. It doesn't wipe out a threshold that will prevent you from being able to spend your money or allow someone else to spend it. It's yeah, it's generally security through of risk. So if I have three keys, you have two keys of mine and I lose one of my keys. I can still have access. Cause I just, so Casa always has one key as a sort of offline recovery mechanism.

And then depending on which setup you're in, there are different types of authentication protocols that you can build around how a signature will get requested from that for our entry level plans is basically you set up a series of questions and answers. And then there's a seven day waiting period between you authenticating and us actually signing it. Uh, once again, because time is a great security protector. Yeah, it's generally, if you're able to slow down attackers, then it's a great demotivator and disincentive for attackers.

And then for our higher level plans, you're getting more bespoke service, like with dedicated advisors who will do video calls with you. And you can set up things like duress words or emergency contacts, people that we reach out to. And, and in those cases, you can have a lower waiting period, but it's always multiple days. That's why you've a tiered pricing plan based on how much Bitcoin you have. You may be looking for other services. It's almost like having a family office that starts to add up different services for you for personal protection or whatever. Yeah.

And we even have products specifically for family offices are really good for sort of team based management of assets, whether that's a corporate treasury or a family office or a small investment fund or whatever you're doing. It's, I think it's important for organizations to eliminate single points of failure. Obviously you don't want your chief financial officer to be able to take $10 million with a few clicks of a button and basically go off to some non-extradition country, right? You want there to be good governance, good checks and balances in your treasury management.

So on that note, I do want to talk about the enterprise side, but the first thing that jumps into my mind are scenarios of inheritance, right? When someone passes, what are the solutions that you've brought to market around inheritance, because obviously that's a big problem. I think the first time I ever heard of it, I was at Bitcoin Miami and a gentleman was damn near in tears. And he just came to the conference just to look for solutions because his father had passed and he knew he had a whole bunch of Bitcoin and Ethereum and had, had no idea how to get to it. Yeah. You need to set up the solution before you pass.

That's the most important thing. We've actually done a couple of different inheritance protocols. And the first one that I think we rolled out in 2021 or so. It was very hands-on to say the least. It basically involved onboarding lawyers, estate and trust attorneys and making sure that you had everything spelled out in your instructions of exactly like who the beneficiaries and key holders and so on and so forth were. And in that case, there was more of a KYC element of using legal identity and using the legal system to enforce these things. And it took so much man hours to get someone onboarded into that.

And we always had questions around, will the attorney actually be a good key holder? A lot of them didn't even want to be key holders for obvious reasons. You know, liability and such. And then also on the legal side, it meant that we could only really offer this to like, I think United States and Mexican citizens. It was very limiting. And then whenever we had a client somewhere else who wanted to do it, it was always this really high legal cost of trying to navigate through whatever the particular jurisdictions inheritance laws were.

What we rolled out basically a year ago is a much more streamlined version of this that it's purely technical. It doesn't require any sort of legal system set up or KYC or identity or anything like that. We still do offer the other version to our private client level, if that's what you want, but with the technological solution, it's actually incredibly easy. For example, the two of three set up, you can onboard a beneficiary to your inheritance in a few minutes. And the way that we do that is basically you just put in their email address into your app, they get an invite to set up their beneficiary wallet.

And then what you're doing is basically you're doing an encrypted key share with them of your mobile key from your set up. And so they're receiving this encrypted version of one of the keys. They can't actually decrypt it. They can't use it. They can't do anything with it. And the only thing they can actually do in their app as an inheritance beneficiary is they can hit a button that says, I want to kick off the inheritance claims process.

I want to claim that the account owner has passed and what happens if they do that is that we start emailing, notifying, reaching out to the account owner, basically saying, Hey, your beneficiary has said that you passed. If this is not true, you need to go into the app and kick them out because they're trying to defraud you or they've been compromised or something has gone wrong and we just, we keep doing that regularly for six months.

And if that six month period goes by uncontested by the account holder, then the inheritance recipient can decrypt the key and can initiate a transaction to partially sign. The time security component you were talking about, six months is a long time program. They don't have to show you a death certificate. Nope. So if you have this service, you got to make sure you keep your email up and you answer your phone. That, and he's giving you a valid shard. So basically you're telling the estate or the account holder, Hey, one of your beneficiaries is showing up with a valid shard saying that you passed.

And then Jameson saying that extra six months of timeframe is what allows you to really verify all that. And I'm guessing at some point in there, you would never need it. You would never need a death certificate Jameson. Correct. This is a purely technical solution. It exists outside of the whole probate process and all of that. If that period passes, this is in the terms and conditions of CASA as a company and the service that you're opting into, if you decide to set up inheritance, you don't have to, if you don't want to, you can do your own thing.

But yeah, if that period passes, then they can also then a signature from the CASA recovery key. And once we then sign that, then it's fully signed and the funds can move. Six months, isn't that long because probate can last for years. Yeah. This is a positive thing when your, when your parents pass away, you can get money today as opposed to in two years time. And to your point though, it is of course, important to maintain these systems. And one of the unique things, CASA was the first to ever do this. We were the first to ever introduce this idea of health checks. And we have health checks for a variety of different things in your setup.

It, but it's generally the keys is what we're worried about. And if you, well, if you have a CASA setup, then any given key, if you haven't used it in six months, we're going to send you a notification. It says, Hey, you need to do a health check. Just make sure the key is still working. It hasn't been compromised. It's still where you think it is. And then that same thing happens actually with the inheritance recipients keys. So they're getting, you know, health checks on a regular basis. And so if they are not being a good custodian of your encrypted inheritance key, you'll find out. Or maybe it's changed, right?

If someone, if maybe you're a person that's going to act as your, maybe they passed or maybe you've got divorced and they were your person, is it pretty easy to change who that person would be? Yeah, you can remove and add new people at a win. Well, what happens if someone stops paying for the service? Yeah, this is self custody, right? So we don't have the ability to move anybody's money. It basically just stays frozen where it is. What happens in the app, if you have not paid your annual service fee is that the app transitions to a withdraw only sweep full wallet balance mode. We're not going to stop you from being able to exit.

We just don't want you to have like all of the cool conveniences that come along with operating our multisig service. When you said Casa earlier, you said always has an offline key on the recovery. Douglas said, so I could have three out of five, six. And you said Casa will always have an offline key. Does that mean in the event of failure of everything else, Casa would always be able to retrieve the account? Not as it stands today, because we only ever have one out of three or one out of the five and for the three key set up, you have to have two signatures for the five key set up, you have to have three. So it is possible with self custody.

If you throw all of your keys away and there's not much we can do about it. Now, this does open up an interesting other conversation for there are future potential improvements around this with more complex Bitcoin scripting where you can have other conditional spends where you can have basically this other time lock spending condition that says, if a year has passed, then allow, you know, some other key or set of keys to be able to spend these coins.

And that's something that we're talking about regularly of like how we would implement that and whether we would want that to be some fully regulated custodian that would have unilateral spending power, whether it would be some sort of multi-institution key sharing thing. You're only really limited by your creativity here. So on that note, you brought up an enterprise solution and some government solutions. How do those solutions differ from maybe the personal use type basis?

It's really more team based management and accounting and permissions, granularity stuff, because with organizations, of course, you have to worry more about onboarding off boarding and general communication on an ongoing management of that key set. So it's think of it as like fancier dashboards and more granular management of the individual key holders and what actions they can take. You can onboard a view only auditor, for example, who isn't even a key holder, but can get all of the details of the transactions and balances. There's a lot of talk right now about obviously states getting involved and countries getting involved in this.

Is this something that you're seeing? Are you seeing a lot more corporate states, governments coming to you saying, what can we do here? Or is that something that's out of your purview right now? That's really mostly corporations, but that makes sense. They can move faster. There's obviously many companies already in the crypto space that have the coin treasuries that they are managing and some of it's all over the place. Some of them go full self custody.

Some of them go like a split between self custody and a regulated custodian trying to diversify risk profiles even more in terms of number of companies adding the treasury strategy to their balance sheets. Like, are you able to disclose that with us? Have you seen like a growth of 50%, a hundred percent, five percent? It's hard to say in general, I would expect that almost all of the companies in the industry have some level of treasury management, but for people outside of working in the crypto industry, it's pretty minuscule. Some interesting patterns that we are seeing though are more white collar professional groups.

So think of various physicians, they're like doctors who have their own practice, essentially doctors who are also entrepreneurs, they are running their own corporations. We do see a fair amount of like white collar professionals, more just the entrepreneurs that have their own company with its own balance sheets. And they want to diversify into Bitcoin. So how would you say your customer base is developed? I'm guessing first it was true Bitcoiners, maximalists. So then it moved on to a little bit more retail and then family offices. Is it developing? And now you're talking about small corporates.

Yeah, to be clear, we've always been focused on call it the whales, the individuals or organizations that have the most to lose. And this is supposedly the time of institutional adoption. And this is, I think it's crunch time for us to be able to make the case to the larger institutions that they shouldn't simply trust regulated providers with all of their money and basically throw out some of the most fundamental aspects of this asset by letting someone else hold their keys for them. Now, is this only for Bitcoin or can folks do this with Ethereum or what all is included or what all can you service?

Yeah, we added Ethereum support a couple of years ago, mainly really for stablecoins. That was the big ask. But of course we support ERC-20. We don't add every ERC-20 token automatically into that, but if there's sufficient demand for it and it seems legit, then we're open to considering it. So my Trump coin, I can't really stick in there just yet. And that's on Solana, isn't it? Yeah, we're definitely not supporting Solana stuff and have not really had much demand for it. It's a different ecosystem. Our bread and butter is like super high security cold storage.

And I would venture to say that most of the people in the Solana ecosystem are more looking for move fasts, do quick things, not just buy and hold for many years. Now founding a company isn't for the faint of heart, right? So when you joined, did you originally join as you're going to come on as the CEO or cause you talked about how the company had pivoted. Well, how did you come about joining? And it wasn't as the leader or did that, did you evolve into the CEO? There had been a few different evolutions over the years. When I joined, there were only four or five of us. And at that time it was a different CEO.

His name was Jeremy and he got us through the first few years, which were pretty tough and we had a few missteps and came close to losing everything. But we pulled through that first bear market and he decided to step back. And that was when Nick Newman stepped up into a CEO role and I stepped into a chief security officer role. But these, well, for me, it was mostly just a title change. I've been pretty much doing the same thing the entire time. Now with the leadership change with Trump coming in, that has to be an exciting thing for our crypto industry, because it's more welcomed. What has been the difference? Have you seen more interest?

Has that brought in more clients? Has it brought in more initial meetings of discovery meetings to be educated? It basically follows the exchange rate, right? When more people become wealthier, we have more people who have a lot to lose and end up coming to us and trying to understand our offering. I don't know, I feel like the main difference from Trump becoming more accepting of the space is that my highly skeptical Southern conservative family members now all of a sudden are a lot less skeptical. They're like, oh, if Trump says it's okay, then I guess it is okay. Got it.

Are there any other trends in the security sector that you're seeing that you're tracking or maybe things that you're thinking about you be pivoting into as well and additional services? Yeah, so there's a few trends. One of them is that because we have continued to improve the best practices for custody in general, that we're seeing, at least in Bitcoin, we're seeing fewer large scale hacks. Generally, the trend of amount of hacked Bitcoin has been going down for many years now for almost a decade.

Most of the hacks seem to be occurring in more like Solana, Ethereum, more complex smart contract protocols, basically where people are writing new smart contracts and there's often bugs in them and that's what's getting exploited. And so the result of that is that we're seeing a new class of attackers come out and that's the social engineers.

And so basically, because the actual mechanisms around key storage have gotten so much better, it's generally not worth the average attacker's time to try to actually steal your keys, to try to get through whatever your layers of security are, because if you've got them on an offline dedicated device, the hacker's not getting to that, they would, they have to like compromise so many other things, it's not even worth the trouble. So instead, what they're realizing is the weak point is the humans who are operating these keys.

And so this is essentially where we are today is that you're much more likely essentially to get your brain hacked than you are to get your actual wallet hacked. And what that really means is people emailing, calling, using some method, some communication channel to try to trigger you with the right combination of words, fear, urgency, so on and so forth, trying to trigger you into making a mistake and into voluntarily jumping through all of your authentication and security protocols to then voluntarily send your assets to the attacker because you think that you're currently in danger.

And this is how, you know, you get yourself out of danger.

That's a lot like the fake Celsius emails that everyone was getting or everyone gets every couple of months. Let's say, Hey, look, give us your wallet address. Give us all your information so we can transfer you the Bitcoin that you're still owed by Celsius.

Yeah. There's so many different methods. Like we've seen, there's a lot of fake airdrops. That's still a thing. Trying to play on people's greed and getting them to hook up their wallet and click on some malicious smart contract there to basically grant it permission to drain all of their money out of their wallet.

Um, then there's, yeah, using any of the data leaks from any of the bankruptcies to basically, once again, prey upon people who have already lost so much and they're like, okay, I can finally get my money back. Nope, we're actually taking everything else that you had. And a lot of it, uh, these days is targeting Coinbase and other major exchange users, and they're just taking all of the data leak list of any crypto service that's ever had a data leak. And then assuming that there's probably a good chance that you have a Coinbase or a Kraken or Binance account or whatever.

And then they say, Oh, your account is compromised or you've had unauthorized activity on it. We need you to click here to reset your password. And of course that's where they get you.

I hear those phone calls today already.

Yeah. And that's the other thing is that now they're literally calling people on the phone and walking them through step by step of basically having the person send all of their money. And it's, it's pretty outrageous when you actually hear, uh, some of these calls that have been recorded and talking to the attackers, but really the profile of those attackers, they're mostly teenagers, right? They're mostly kids.

And so I think they don't like fully understand the damage that they're doing is just a game to them. And also I know personally from my own incident a number of years ago, that a lot of these kids effectively operate with impunity because at the federal level, there's almost no like juvenile justice system. If you get caught and you're under 18, you're often going to get off, uh, with a slap on the wrist or with anything at all.

Uh, that's something that happened when I, I caught the guy who swatted me many years ago is that the federal district attorney actually declined to even prosecute because apparently it wasn't worth their time to go after a minor. And the only saving grace was at the state level district attorney was willing to prosecute.

What was getting swatted? Like, what was that experience like?

It was pretty surreal, but it was fortunate in my circumstance because I wasn't actually home when it happened. I was actually at the gym and I was driving back into my neighborhood when I ran into the police blockade.

Uh, and then it took us like 20 or 30 minutes to figure out that I was the, the armed hostage guy, uh, who they were looking for. And I was like, yeah, you can see I am neither armed nor have any hostages. Uh, thankfully it ended without any incident, but it could have ended much worse.

What caused it, Jameson? Was it that the person ordering the swatting? Is it because they disagreed with you on a Bitcoin improvement protocol on a BIP or something like that?

So it was related. Um, so it happened at the height of the fork wars and the scaling debates and, uh, it was like October of 2017, I think.

And, um, yeah, and, and so, but the thing is, according to the guy, cause I ended up meeting him when I went to court, he said he actually didn't even know who I was. Rather, it was some of his friends, his accomplices in the cyber crime space, who were the ones who got pissed off by something that I said, and they egged him on and said, Hey, you should swat him and extort him and so on and so forth, cause this guy has Bitcoin and you can probably get a bunch of money. And my investigation into that attacker led me to believe that like he, this was not the first time that he did this.

Like he was known as being the guy who could swat people and get away with it. I was somewhat pleased that I was able to actually get a resolution on that and get him on the radar of the justice system, because I think all of the other victims failed to get any justice. So it was only because he was 15.

I'm actually going to save this quote from you and we're going to attribute it to you, Jameson. It's one of the best ones I've ever heard. You're much more likely to get your brain hacked than your wallet hacked. I love that. I remember when, remember Mt. Gox and Mark Karpelès and everything.

I'm looking at this guy and I remembered hearing about it. I'm thinking, what the hell does Mt. Gox, what does that even stand for? And such a, the gathering online exchange. And so I went to go look at it and I'm looking at this French guy that likes Japanese whiskey and Japanese prostitutes. And these kids just handed him $700 million and he has access to it all. And I'm thinking, that's not the code getting hacked. That's this guy embezzling. And that's, I love that. You're much more likely to get your brain hacked.

Mark got in way over his head. He also thought that he was smarter than he was.

Like he, one of the big problems was that he refused to delegate. He was doing everything himself. And also I think that like when he took over that service, like when he bought it from Jed McCaleb, I think it had already been hacked at least once at that point, and I think that he didn't even know it. I think the accounting was so bad that they didn't even know they already had a huge hole in their balance sheet at that time. And then it just took a number of years before it got so bad that they finally realized they ran out of money.

So what advice would you give, Jameson, to Bitcoiners, is there a certain amount of money that they should start getting worried about and that's when they should start thinking about security or should they just start as soon as they buy?

Yeah, I usually, I would say I have three or four different thresholds of like how to think about security. So first there's pocket money. If it's like the amount of money that you would carry around in your wallet, then losing it's probably not a big deal. Not going to be a life altering catastrophe. For pocket money, you don't really need a whole lot of security.

It's fine for it to be like a hot wallet or just sitting on an exchange or whatever. Because why invest a lot of time and resources into protecting something that's not worth very much. Then beyond that, it's like when you start getting into investment territory. I don't know, everybody's going to be different. Thousands of dollars, tens of thousands of dollars. Whenever it becomes a non-trivial amount of your net worth, your investment portfolio.

At that point, I think you should at least invest a hundred dollars into a hardware wallet, get those funds off the exchange, get them into cold storage so that it's essentially hack proof, but realize that there are still potential single points of failure there. And you want to have decent, multiple redundant backups. And, and even then you're still securing all your funds with only one key. So if that key falls into the wrong hands, it could be game over. Then beyond that, it's more of the life changing or generational wealth, whatever you want to call it. Where the vast majority of your net worth may be in Bitcoin.

This is where it starts to make sense to invest into security so that you eliminate single points of failure. Because at this point, if you lose your money, it's probably going to have life altering catastrophic consequences and you're going to regret it forever. Why not essentially buy some insurance on that upfront by improving your security and improving your resilience and your robustness. And that's when I think Casa starts to make sense. Lately, I've basically been saying, if you're a whole coiner, you should definitely be thinking about Casa.

Will Casa always stick to custody or do you see, do you guys envision a time in the future where Casa might actually lend again, Bitcoin that it's storing for its as a third party custodian or multisig custodian, is it, do you guys?

Yeah, I mean, there's a, there's a number of ways it could go. I would say like in general, we do our best to avoid being a regulated financial institution. We want to be a consulting service and a software service provider, but lending is definitely one of the biggest asks that we've had from our clients. And we are exploring a few different options of doing that.

And without going into too many details, we're looking into options that don't require us actually taking full custody and maybe some sort of hybrid multi-institution custody setup. It's, it's still early. There are things like discreet log contracts. Lava is one example of a lending service that is using that fairly niche Bitcoin technology to be able to do more trustless lending, but there's a variety of ways that it could go. And I do think, especially as more banks and financial institutions start to get into this space, we are going to see a plethora of lending options.

Now, we've got buddies that say that they're Bitcoiners and then when you press them, they say they own IBIT. What's your aim to that? If someone owns IBIT, are they a Bitcoiner? Do they own Bitcoin?

They have financial exposure to Bitcoin, the asset. I think that unless you're actually using the Bitcoin protocol, it's harder to say that you're a Bitcoiner. You can go down the whole, like, moral and philosophical ethos of like promote eating steak and lifting weights and sunning my balls and all these other things, but that does not a Bitcoiner make, right?

I think one interesting analogy, I like to bring this up a lot because I spent my first decade working on email related software is would any of you say that you're an email user?

Absolutely.

Unfortunately, you're all wrong. So here's the thing, like none of you are actually using the email protocol. The email protocol SMTP has been so horribly centralized and become such a monstrosity of these layers of meta protocols, of reputation based protocols, basically all the anti-spam stuff that have been built up over the decades is that none of us are actually using the email protocol. None of us are actually interacting with an SMTP server.

Think of it as an email node. Rather, we're all using these lightweight clients that connect to one of a handful of highly centralized monolith email services. Something like 90% of all email users are captured by 10 companies at this point.

Ali and I did use SMTP at Carnegie Mellon.

If you're at a university, those organizations are large enough that they might still be operating their own email servers, though I know a lot of them have offloaded to Microsoft or Google Workspace or whatever, but that's basically the problem is like the cost of operating as a sovereign email user over the past 20 years has gone up so high that you essentially have to have a whole team of IT managers to be able to run that infrastructure.

And basically this is all to ensure the deliverability of your emails, which is like one of the things that I was working on for many years back in the day, and all of that to say this is one of my greatest worries about the sort of long term of future of Bitcoin, especially in relation to things like the ETFs is that it's not difficult for me to imagine simply because of human nature of preferring to choose convenience at the expense of almost all else, although a lot of people are going to go into those ETFs and they're not even going to have the option for self custody to withdraw.

So I do worry about too much adoption happening that centralizes too much of essentially the economic power and ultimately that could have a negative effect on the governance of the Bitcoin protocol if all of the money is in the hands of a few institutions. And if you actually read the ETF prospectus for pretty much any of the ETFs, they reserve the right to decide in the event of a protocol change, which is the real Bitcoin.

Yeah, I guess folks watching this, they're interested in Bitcoin, they're interested in just crypto in general, but Bitcoin specifically, everyone's sitting there saying, look, all this demand, everyone's getting excited.

In fact, we talked about this before this call. There's so much demand seems to be building, but the price is coming off. And the question is, is this whale selling or are we just looking at a lot of noise? What's your view? Why is price not doing as Samson says, where's the Omega candle?

Yeah, that has been surprising. I think there was some rumbling about Binance potentially selling a lot of their treasury and then they were trying to hand wave it away, but their explanation didn't make any sense to me. I don't know. Go do it. Clearly somebody's been selling a lot to Saylor, right?

If you go do an overlay in December of 2017, right around January of 2018, the derivatives, the options futures contracts came out and I have friends that are in the energy trading space on this. And as soon as it came out, he made a directional price bet with me and he said, they're going to slam it. And I said, okay, I'll bet you, we made a bet that it would be above $10,000. And if you recall, I think at the time had gotten up to 19, 19 and change. And if you just overlay from the time that the option, they introduced the futures contracts, they slammed it all the way back down to 3,600 and it's actually, it'll be interesting.

I would suspect for you because for me, there's 21 million underlying of which 4 million are irrecoverably lost, 20 million are currently issued and outstanding and you have 1 million left to go. But as far as the derivatives contracts, there's an unlimited number of them. I mean, at what point is there going to be a, Hey, I want to see the physical delivery and who's everybody, what are all these things that you're writing these options, driven who's selling?

Yeah. It's so it's problematic, especially when you have the cash settled futures. They're, I think I had a whole article about this a few years ago.

This is actually one of the many other risks of these trad fi Bitcoin products is that they have the potential to essentially create paper Bitcoin. There's a number of different ways that you can create the paper Bitcoin, whether it's basically through time delays of, of when like the actual settlement has to occur, or if it's because you're literally just creating paper contracts that aren't even backed by spot Bitcoin. And I think that people should be more worried about that because what is the point of 21 million, if we're allowing trad fi folks to basically print paper Bitcoin?

Absolutely.

It's no different than when we got off the gold standard with the dollar. Now it's just a piece of paper and you've got a printer back here and you're just putting it up and it has no ties to any type of logic and value.

Jameson, this has been a fantastic interview. We really appreciate you coming on. Are there any closing thoughts that you'd like to share with the audience? Any recommendations or just what are the calls to action to come to learn more about Casa and where can they find you online?

Yeah, I generally tell people that the most important thing you can do is to educate yourself. If you're asking the question, should I buy Bitcoin?

Then the answer is no, because it means you have not sufficiently investigated this thing to convince yourself that actually you have to have Bitcoin, like once you go far enough down the rabbit hole, it's not even a question. It's just something that you have to do to hedge against a number of different risks in this world and to empower yourself against shenanigans, manipulations by a lot of these trusted third parties. You can check out Bitcoin.page. That's my resource website.

Got thousands of educational links on there and you can go down any number of rabbit holes because there are a variety of different perspectives and aspects of the system that you can learn more deeply about. If you want to learn more about Casa, if you decide to make a sizable investment that you want to protect, you can check us out at casa.io.

Wonderful. And they can find you on social. Is X your preferred social platform?

I prefer Nostr, but I recognize that's very niche. So you can find me on X. My handle is just L-O-P-P.

Awesome. Awesome. Again, thank you so much for being on the show. I'm Phil Larmon.

I'm Ali Davoudi.

I'm Douglas Borthwick. And you've been listening to Old Men, New Money. If you've liked this episode, then please follow us on socials. We've got 16,000 subscribers so far across platforms. We're two months into this and we really appreciate any comments. Thank you. Subscribe below.
