Lost Seed Phrase: What You Can (and Can’t) Recover

Every few weeks somebody messages me with the same panic in their typing. “I’ve lost my seed phrase. My Ledger still works but I can’t open the recovery sheet. Is my Bitcoin safe?” Or worse: “The wallet is dead, the seed sheet got binned during a house move, the funds are visible on-chain but I can’t sign a transaction.”

I’ve watched people walk away from six-figure bags because of a thrown-out shoebox. I’ve watched people get scammed out of what was left chasing a recovery service that was never going to deliver. This post is the honest version. What you can recover, what you can’t, what the scam industry will try to sell you, and the system to set up today so you never have to read a post like this again.

Short answer: If your seed phrase is fully lost and your wallet device is also lost or wiped, your crypto is gone. No support team, recovery service, or government agency can rebuild a 12 or 24-word seed from nothing. Partial recovery is possible in narrow cases — missing one or two words, or words known but unordered. Brute-forcing a complete unknown phrase is mathematically impossible. The scam industry around “wallet recovery” is one of the largest in crypto and most “services” are theft fronts.

Get a Ledger to set up cold storage properly → (affiliate)


Key takeaways

  • A fully lost seed phrase means lost funds — full stop. There is no backdoor.
  • If your Ledger or hardware wallet dies but the seed is intact, you restore on a new device in five minutes.
  • Partial recovery (missing 1-2 words, or unordered words) is possible with open-source tools like Btcrecover.
  • The “wallet recovery service” industry is largely scams — the FBI has flagged it as one of the fastest-growing fraud categories.
  • Multisig and Shamir backups are the only real defences against this happening to you.

The hard truth: a fully lost seed equals lost funds

I’ll lead with the part nobody wants to hear because the rest of the post depends on it being clear.

A Bitcoin seed phrase — usually 12 or 24 words drawn from the BIP39 word list — is the master key to every address derived from it. If you lose the seed and the device is also gone (broken, wiped, stolen, formatted), the funds are visible on the blockchain but they cannot be moved. They sit there. Forever. Or until quantum computing breaks elliptic curve cryptography, which is not the recovery plan anyone should be hoping for.

Nobody can “recover” a seed phrase you didn’t write down. Not Ledger. Not Trezor. Not Coinbase. Not the FBI. The blockchain is open — anyone can see the balance — but the cryptographic key that signs transactions only exists in your seed. If the seed is gone, the key is gone.

This is the design. It’s the entire reason self-custody works. The same maths that means no government can seize your funds also means no recovery agent can give them back to you.

Why this surprises people

Most people come to crypto from banking. In banking, if you forget your password, you do a security challenge, prove your identity, and the bank resets it. The bank holds the master record.

In self-custody crypto, you are the bank. The seed phrase is the master record. If you lose it and there’s no backup, nobody else has a copy. That’s the trade for not needing permission to move money.

If you’ve never thought about this trade-off properly, read how to store crypto safely before you move another satoshi. It walks through the whole self-custody model and what you’re actually responsible for.


Why nobody can “recover” a seed phrase for you

The question I get most: “Surely Ledger have a backup of my seed somewhere?”

No. They don’t. And if they did, the entire security model would be broken.

A hardware wallet works because the seed phrase never leaves the device. It’s generated on the device by a hardware random number generator, displayed once for you to write down, and stored in a secure element chip that the host computer never sees. Ledger doesn’t transmit the seed to its servers. Trezor doesn’t. Coldcard doesn’t. None of them.

This is verifiable. Ledger’s secure element is documented in their security architecture papers and the device firmware is audited. The seed is generated locally, displayed locally, and stored locally. Period.

The hosted wallet exception

There’s one case where a “recovery” of sorts exists: custodial wallets. If you held crypto on Coinbase, Binance, BitGet, or any exchange and you forgot your password, the exchange can reset it because the exchange holds the keys. That’s not your wallet — it’s the exchange’s wallet with your name on the account.

If your funds are on an exchange and you’ve lost access to the account, that’s a different problem with a different solution. Contact support, complete identity verification, and they’ll restore access. That isn’t seed phrase recovery — that’s account recovery.

Read how to store crypto safely for the difference between custodial and non-custodial storage. Most people don’t realise which one they actually use until something goes wrong.

Why this matters legally

In some jurisdictions, lost crypto with provable ownership has been claimed as a tax-deductible loss. Talk to a tax advisor and document everything — the wallet address, the lost transaction history, the date you realised it was gone. It doesn’t get your funds back, but it might soften the hit.


The scam industry around recovery

This section is the most important one because more people lose more crypto to recovery scams than they ever lost to the original seed phrase issue.

The FBI’s Internet Crime Complaint Center reported over $5.6 billion in crypto-related fraud losses in their most recent annual report, and “cryptocurrency recovery services” is one of the fastest-growing categories. The pattern is so common the agency issued a specific public service announcement warning about it.

Here’s how the scam works.

You post in a Telegram group or on Reddit asking for help. Within minutes you receive a DM from a “wallet recovery expert” — sometimes pretending to be Ledger support, sometimes claiming to be an independent forensic specialist. They sound calm and professional. They use technical terms. They ask for either:

  • An upfront payment to “begin analysis” (anywhere from $200 to $5,000)
  • Your seed phrase or what’s left of it, “to verify the wallet structure”
  • Remote access to your computer “to scan for traces of the wallet file”

If you pay the upfront fee, they vanish. If you give them your seed phrase, they immediately drain whatever is left. If you give them remote access, they install malware that watches every wallet operation you ever do again.

Real cases

In one widely reported case, a US victim paid $50,000 to a “Ledger recovery specialist” who turned out to be operating from an overseas call centre. The funds were gone, the original seed was still unrecovered, and the perpetrators were untraceable. Chainalysis has documented similar schemes targeting victims of the May 2020 Ledger data breach, where leaked customer details were used to identify people who likely held large amounts.

The pattern is consistent. The “service” reaches out to you, not the other way around. They have a slick website. They ask for money or access early. They guarantee results. Real recovery work guarantees nothing because the mathematics guarantees nothing.

How to spot the scam

These are the red flags. Any one of them should end the conversation.

  • They contact you first (DM, email, comment reply).
  • They claim to “have a relationship” with Ledger, Trezor, or another wallet vendor.
  • They ask for any part of your seed phrase, password, or private key.
  • They ask for remote access to your device.
  • They demand payment in crypto upfront.
  • They guarantee recovery.
  • They have testimonials but no verifiable identity.

If you’re in a panic and someone shows up offering to help, that person is the scammer. Real legitimate services that exist (and a few do, narrowly) are listed below. They don’t DM you.

Read the crypto scams guide for the full taxonomy of how this industry operates.


Partial recovery scenarios

Here’s where the news gets better. If you have most of your seed phrase, there are real, mathematically sound paths to recovery.

Scenario 1: You have 11 of 12 words

A 12-word BIP39 seed has a built-in checksum in the last word. The first 11 words contain 121 bits of entropy plus 7 bits of checksum derived from those bits.

If you know 11 of the 12 words and know which position is missing, the maths is manageable. There are 2,048 possible words in the BIP39 word list, but only about 128 of them produce a valid checksum for any given combination of the other 11 known words. So instead of testing 2,048 possibilities, you test 128.

Open-source tool Btcrecover handles this. It runs locally on your computer. You feed it the 11 known words, the position of the missing word, and the address format you used. It tests each candidate and reports the one that derives an address with funds.

This works. I’ve seen people recover funds this way. The tool is free, audited, and the maths is public.

Scenario 2: You have all 12 words but don’t know the order

This is harder but not impossible.

12 words can be arranged in 479 million different orders. That sounds like a lot, but modern CPUs can test millions of seed derivations per second. Btcrecover with a known wordset and a known address derivation path will chew through the search space in hours to days depending on hardware.

If the words are 24, the maths gets brutal. 24 factorial is roughly 6.2 x 10^23. Even at a billion guesses per second, you’d need longer than the age of the universe to test every permutation. In practice, if you have constraints — you remember some words come earlier, you remember the first word is “abandon” — the search space shrinks and recovery becomes feasible.

Scenario 3: You have a smudged or unreadable word

If one or two characters in a word are unclear, the BIP39 word list helps you. Most BIP39 words are uniquely identified by their first four letters — “abandon”, “ability”, “able”, and so on each have unique 4-character prefixes. If you can read “abi” you know it’s “ability”. If you can only read “ab” you have a small set of candidates to test.

This is the easiest partial recovery case. Btcrecover handles it natively.

Scenario 4: You have the seed but lost the passphrase (25th word)

If your wallet was set up with a passphrase (BIP39 optional passphrase, sometimes called the 25th word), the seed alone won’t open it. You need both.

Brute-forcing a passphrase is possible if the passphrase was short or follows a pattern you remember. If it was a strong random string you can’t recall, the funds are gone in the same way as a fully lost seed.

The thing to know: the passphrase is the whole point of high-value cold storage. Read seed phrase storage for the full setup.


BIP39 word list mathematics

This is the technical layer. Skip if you don’t care; it matters for understanding what’s actually possible.

BIP39 (Bitcoin Improvement Proposal 39) defines the standard for converting a random number into a memorisable word sequence. The full word list has exactly 2,048 words, each chosen because:

  • They are between 3 and 8 characters.
  • The first 4 characters of every word are unique.
  • They are common English words from a curated dictionary.
  • They sort alphabetically.

A 12-word seed encodes 128 bits of entropy plus 4 bits of checksum. A 24-word seed encodes 256 bits of entropy plus 8 bits of checksum.

Brute-forcing a 128-bit key by guessing is computationally infeasible. The number of possible 128-bit keys is roughly 3.4 x 10^38. At the rate of a billion guesses per second on every computer on Earth running for the age of the universe, you would not test even a meaningful fraction of the space.

This is why a fully lost seed is gone. Not “hard to recover.” Gone.

Bitmain’s Antminer S21 Pro at 234 TH/s — currently one of the most powerful mining ASICs — performs SHA-256 hashes. SHA-256 is used in mining, not in BIP39 derivation. Even if you reassigned every active Bitcoin ASIC in the world to brute-forcing BIP39 seeds (which they aren’t designed for), the energy cost alone would exceed global electricity production for a meaningful period.

The maths is unkind. That’s the point.

Why this protects you

The same maths that means your fully lost seed is gone also means nobody can guess your active seed. The address holding your Bitcoin has a public key visible to everyone. Nobody can derive the private key from the public key, and nobody can guess the seed that generated the private key. That’s the entire reason your funds are safe sitting at the address while you sleep.

The trade-off is symmetric. You can’t lose access without an enemy gaining access being equally impossible.


Brute-force tools that exist (and what they actually achieve)

Here’s the honest survey of tools.

Btcrecover

Btcrecover is the most widely used open-source seed and password recovery tool. It’s a Python project, audited, and runs entirely locally. Features:

  • Recover wallets with a few missing words or partial information
  • Recover wallet passwords for Electrum, MultiBit, MetaMask, and other wallets
  • Recover BIP39 passphrases with custom tokenlists
  • Run on multi-core CPUs and GPUs for speed

This is the tool. If you have partial information, this is the path. It’s free, it works, and a competent person with command-line skills can run it themselves in an afternoon. The GitHub README has examples for every common scenario.

The catch: you need to install Python, understand command-line arguments, and have patience. If that sounds like work, you have two choices — learn the basics or pay someone you trust who is verifiable, not a random DM contact.

Hashcat

Hashcat is a password recovery tool used widely in security research. It can be configured to brute-force wallet passwords and BIP39 passphrases when you have constraints (length, character set, known prefix).

Used by professionals for legitimate forensic work. Also used by scammers who pretend they have proprietary tools when in reality they’re running publicly available software and marking up the bill.

John the Ripper

Same category as Hashcat. Open-source, professional-grade, and the underlying engine that many “wallet recovery services” actually run. If a service is charging you $5,000 for John the Ripper output, you’re being overcharged for output you could produce yourself for free.

What none of these tools can do

They cannot brute-force a complete unknown 12 or 24-word seed. They cannot recover anything when no information is known. The maths is too big.

Anyone selling “complete seed recovery from nothing” is selling you a lie. There is no exception. The mathematics is public and verifiable.


When to actually pay a wallet recovery service

There are narrow cases where a paid service makes sense. Knowing the difference between a legitimate service and a scam is the difference between getting your funds back and losing what’s left.

Legitimate cases

  • You have a corrupted wallet file (e.g., a Bitcoin Core wallet.dat from 2014) and can’t open it, but the file exists.
  • You have a hardware wallet with damaged firmware but the secure element is intact.
  • You have a partial seed phrase and need help running Btcrecover at scale across many candidate variations.
  • You have a passphrase you nearly remember and need help building a custom search space.

In these cases, a few legitimate firms exist. They share certain characteristics:

  • They have verifiable identities — real names, real LinkedIn profiles, real addresses.
  • They charge a percentage of recovered funds, not upfront fees.
  • They sign non-disclosure agreements before you share any partial seed material.
  • They never request your full seed phrase or passphrase by message.
  • They have published case studies and references.

Wallet Recovery Services (run by Dave Bitcoin) is one of the longest-running legitimate operators in this space. There are a small number of others. Most of the websites that rank highly when you Google “crypto wallet recovery” are scams.

How to vet a recovery service

If you’re considering paying anyone:

  1. Check how long they’ve been operating. Less than 2 years is a red flag.
  2. Find their owner’s real name and verify it on LinkedIn.
  3. Confirm they take payment after recovery as a percentage, not before.
  4. Confirm they do not need your full seed phrase or passphrase at any stage.
  5. Confirm the work they do is something you could verify is happening (running a known tool against a known address).

If any of these fail, walk away.


Recovery vs hardware wallet damage

This is a common mix-up that causes unnecessary panic.

If your Ledger or Trezor device physically dies — water damage, dropped down stairs, battery failure, firmware corruption — your funds are not lost. The device is not your wallet. The seed phrase is your wallet. The device is just an interface.

To recover from device damage:

  1. Buy a new hardware wallet (the same brand is easiest, but any BIP39-compatible wallet works).
  2. During setup, choose “restore from recovery phrase” instead of generating a new one.
  3. Enter your 12 or 24 words in order.
  4. The new device derives the same addresses and gives you full access to your funds.

This takes about five minutes. The funds reappear immediately because they never left the blockchain — your access was the only thing affected.

If you don’t have a hardware wallet yet, I’d point you at the Ledger Nano X review for the model I use. Pick one up here: Ledger shop (affiliate). Buy direct, not from Amazon, not from a marketplace — the supply chain matters for security.

Restoring on a different brand

Most modern hardware wallets are BIP39-compatible, meaning the same seed works across devices. You can restore a Ledger seed on a Trezor, a Trezor seed on a Coldcard, and so on. The derivation path may need to be set manually depending on the address type (Legacy, SegWit, Native SegWit) — the device documentation explains how.

This is portability you should test once. Set up a test wallet with a small amount, write down the seed, then practice restoring on a second device. Once you’ve done it, you know the system works and the panic dissolves the next time something breaks.


Inheritance: preventing this happening to someone else

The other version of “lost seed phrase” is the one where you didn’t lose it — but the person who inherited it can’t find it, doesn’t know what it is, or doesn’t know how to use it.

Chainalysis estimates that roughly 20% of all Bitcoin in circulation is permanently lost. A significant chunk of that is inheritance: people who died holding crypto and never told their family how to access it.

Don’t be that statistic.

A simple inheritance plan

You don’t need a lawyer. You need a system.

  1. Write a “in case I die” document. Stored offline, not on a cloud drive. Include: which wallets hold what, where the seed phrases are physically stored, which devices belong to which wallet, and any passphrases.
  2. Tell at least one person where the document is. Not what it contains — just where it is. Spouse, parent, executor, whoever.
  3. Pair this with the seed phrase storage. The document tells the person where to find the seed. The seed tells the wallet how to derive the address. The address holds the funds.
  4. Update it when anything changes. New wallet, new device, moved house, new passphrase — update the document.

For a fuller version of this system, read seed phrase storage. It includes options like metal backup plates, Shamir secret sharing, and trustless multisig schemes.

Multisig as inheritance

If you hold a significant amount and you want a real inheritance plan, multisig is the answer. A 2-of-3 multisig setup means three keys exist (e.g., one on your Ledger, one with your spouse, one in a safety deposit box) and any two can authorise a transaction. If you die, two of the three remaining keys can move the funds. If a thief steals one, they can’t.

Multisig explained walks through the setup. It’s the answer to “how do I never lose my crypto” and the answer is “you make the loss of any single key non-fatal.”


The system to set up TODAY so this never happens again

Right. Here’s the actionable bit. Whether you’ve just had a near-miss or you’re reading this defensively, this is the setup.

Step 1: Get a hardware wallet

If you don’t already have one, this is non-negotiable. A hardware wallet generates your seed phrase in a secure environment and signs transactions without exposing the seed to the internet.

The Ledger Nano X is what I use. Pick one up at Ledger’s official shop (affiliate). Do not buy from a marketplace — the supply chain matters because a tampered device could leak your seed during setup.

Step 2: Generate and verify the seed

When you set up the device, it will display 24 words (or 12, depending on settings). Write them down. Then verify them — most devices ask you to re-enter random words to confirm. Do this properly. Sloppy verification is the most common cause of “I wrote down the wrong word and didn’t notice until 18 months later when I needed to restore.”

Step 3: Store the seed across multiple locations

A piece of paper in a single location is a single point of failure. Fires happen. Floods happen. House moves happen.

The minimum I recommend:

  • Copy 1: Metal backup plate (Cryptosteel, Billfodl, or similar) stored at home in a fire-rated safe.
  • Copy 2: Metal backup plate stored at a separate location (parent’s house, safety deposit box, trusted family member).

Both copies should be the same words. If you want to split the seed across locations using Shamir Secret Sharing so that no single location holds a complete copy, that’s a more advanced setup — covered in seed phrase storage.

Step 4: Test the recovery

This is the step people skip. Do not skip it.

Move a tiny amount (say, $10) to the wallet. Then wipe the device. Then restore from the seed phrase. Confirm the $10 is still accessible. Send it back to where it came from to confirm signing works.

You now know the system works. The number of people who discover their seed phrase is wrong only when they need it is alarming.

Step 5: Document it for inheritance

Write the “in case I die” document. Tell someone where it is. Update annually.

Step 6: Add a passphrase if the amount justifies it

For holdings above a certain threshold (set your own — mine is about 12 months of expenses), a BIP39 passphrase adds a second factor. Even if someone steals the 24-word seed, they can’t access the funds without the passphrase. Memorise the passphrase, store it separately from the seed, and treat it with the same seriousness.

Step 7: Consider multisig for the long-term bag

For holdings you don’t plan to touch for years, multisig removes single points of failure entirely. 2-of-3 across three devices in three locations is the standard. Read multisig explained for the setup.

Step 8: Use a VPN on any device handling seeds

Online seed exposure happens. Clipboard malware exists. Wifi interception exists. Any time you’re entering seed words into recovery software, restoring a wallet, or working with seed material, run it on a clean machine through a VPN. I use NordVPN (affiliate) — public networks are where account compromises happen.

That’s the system. It takes a Saturday to set up. It prevents the entire category of “lost seed” panic from ever happening to you again.


The wallet I use for cold storage.

If you don’t have a hardware wallet yet, this is where to start. Buy direct from Ledger — not Amazon, not eBay.

Shop Ledger →

Affiliate link. I may earn a commission at no extra cost to you.


What the recovery industry says vs what’s true

Quick reference table for the claims you’ll encounter.

Claim Reality
“We can recover any lost seed phrase.” False. Mathematically impossible without partial information.
“We have a special relationship with Ledger.” False. Ledger does not partner with recovery services.
“Pay upfront and we’ll guarantee recovery.” Scam. Legitimate operators charge a percentage of recovered funds.
“Send us your seed phrase to verify.” Scam. Funds will be drained instantly.
“We need remote access to your computer.” Scam. Malware will be installed.
“We can brute-force a complete unknown seed.” False. The maths makes this infeasible by orders of magnitude.
“We have a 99% success rate.” False or meaningless. Legitimate forensic work has low success rates because most cases are unrecoverable.
“Sponsored by [reputable crypto brand].” Verify directly with the brand. Most are lies.

If anyone makes any of these claims to you, end the conversation.


Pros and cons of paying for recovery

Worth considering Walk away
You have partial information (most of the seed) Service contacts you first
Wallet file exists but is corrupted Demands upfront payment
Verifiable real-world business with track record Asks for full seed or passphrase
Charges percentage of recovered funds Promises guaranteed recovery
Will work under NDA without seeing full seed Requests remote access
Documented public references Operates anonymously

Frequently asked questions

Can the FBI recover my crypto from a lost seed phrase?

No. The FBI cannot break BIP39 cryptography any more than a private recovery service can. They can sometimes trace stolen funds through chain analysis and seize them from exchanges, but they cannot reconstruct a lost seed. Anyone claiming “FBI-grade recovery” is selling marketing copy.

Can Ledger or Trezor support recover my seed?

No. The seed never leaves your device and is never transmitted to the vendor. They have no copy and no way to derive one. This is the entire security model of a hardware wallet.

What if my crypto is on an exchange like BitGet or Coinbase?

That’s not a seed phrase problem — it’s an account recovery problem. Contact the exchange’s support, complete their identity verification, and they can restore account access because they hold the keys, not you. This is the trade-off of custodial storage.

How long would it take to brute-force a complete seed phrase?

Longer than the age of the universe with current and foreseeable computing power. A 12-word seed has 128 bits of entropy, which is roughly 3.4 x 10^38 possible values. No realistic compute budget makes a dent in that.

Is it possible to recover crypto from a damaged hardware wallet?

If the seed phrase is intact, you don’t need to recover from the device — you restore on a new device using the seed. If both the seed and device are damaged or lost, the funds are unrecoverable.

What if I remember some of the seed words but not the order?

You can use Btcrecover to test permutations. For 12-word seeds with no order information, this takes hours to days on a modern computer. For 24-word seeds, it becomes impractical unless you have constraints.

Does writing my seed phrase on paper make me a target?

Only if the paper is found. The risk is loss (fire, flood, moving) far more than theft. A metal backup plate stored in a fire-rated safe at home plus a copy at a second location handles both risks.

Can I store my seed phrase in a password manager?

It is not recommended. Password managers are connected to the internet and represent a single point of failure. If the password manager is compromised, every account it holds is compromised including your wallet. Cold storage means offline storage.

What’s the difference between a seed phrase and a private key?

A private key is the raw cryptographic key that signs a single transaction. A seed phrase is a human-readable encoding of an entropy source that can derive an unlimited number of private keys. The seed is the master; the keys are derivatives.

Should I worry about quantum computing breaking my seed?

Not in any reasonable near-term timeframe. Current quantum computers cannot break the cryptography used in Bitcoin. By the time they can, the network will have migrated to quantum-resistant signatures. This is not a recovery strategy.


Final word

A lost seed phrase is the single most common way people lose crypto permanently. It’s also the most preventable. The cost of the prevention is a Saturday afternoon and the price of a hardware wallet. The cost of the failure is everything in the wallet.

If you’ve just lost a seed and the funds are gone, I’m sorry. There is no comfortable framing of that. Document the loss, make sure you understand it for tax purposes, and rebuild from somewhere safer.

If you’re reading this defensively, set up the system today. Not next weekend — today. The post you most want to read is the one you never need to.

Right — over to you.


The setup that prevents this entire post from ever being relevant to you.

Ledger Nano X. Metal backup plate. Two locations. Tested restore. Done.

Get a Ledger →

Affiliate link.


Alan Spicer

Crypto trader since 2020 · Coin Bureau · Crypto Banter · Trade Travel Chill

Alan has been in crypto for nearly six years. He writes what he wishes someone had told him on day one — the wins, the rugs, and the stuff the YouTubers won’t say on camera.

More from Alan →


Related posts


Leave a Reply

Your email address will not be published. Required fields are marked *