Security

How we protect your funds

Escrowlyst's custody architecture is engineered so that no single person — including our own founders — can move your money alone.

Last updated · January 1, 2026

Defense in depth

  1. Multi-signature wallets
  2. Cold-storage majority
  3. Per-deal vault isolation
  4. Telegram identity binding
  5. Manual dispute officer

Multi-signature wallets

Every vault is a 3-of-5 multi-signature wallet. Two signers are operational (held by senior custody engineers), two are independent custodians (held by external trustees), and one is a hardware-secured break-glass key held by our legal counsel and accessible only via a documented incident-response procedure.

Cold-storage majority

At any moment, no more than 5% of vaulted funds sit on hot infrastructure. The remaining 95%+ lives on air-gapped hardware in geographically separated facilities. Movements between cold and hot require dual control and an executed deal queue.

Per-deal isolation

Every deal gets its own vault entry and its own deposit address. Funds are never commingled with other deals or with our treasury, so an issue with one deal cannot affect another. Each address is derived from a deterministic, auditable scheme.

Telegram identity binding

We tie every deal to the Telegram user IDs of both parties at the moment of agreement. Mid-deal account swaps trigger an automatic freeze and a manual verification step. We will never accept "I’m using a new account" without re-verification.
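The binding-and-freeze rule above, written out as an added illustration (this is example code, not Escrowlyst's own implementation): both parties' numeric Telegram user IDs are captured at agreement time, any message in the deal thread from an ID that was not bound freezes the deal, and only a manual verification step can replace a bound ID and lift the freeze. The data model, function names, the operator role and the ticket field are assumptions; the one fact the example leans on is that Telegram usernames are mutable while numeric user IDs are stable, which is why binding uses the ID and not the handle.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class DealState(Enum):
    ACTIVE = "active"
    FROZEN = "frozen"  # awaiting manual re-verification by an operator


@dataclass
class Deal:
    deal_id: str
    buyer_id: int   # Telegram numeric user id, captured at the moment of agreement
    seller_id: int  # numeric ids are stable; usernames can be changed or reassigned
    state: DealState = DealState.ACTIVE
    audit: List[Tuple] = field(default_factory=list)  # append-only decision log

    def bound_ids(self) -> frozenset:
        return frozenset({self.buyer_id, self.seller_id})


@dataclass
class IncomingMessage:
    deal_id: str
    sender_id: int                  # taken from message.from.id in the Telegram update
    sender_username: Optional[str]  # deliberately NOT used for binding (mutable)
    text: str


def handle_message(deal: Deal, msg: IncomingMessage) -> str:
    """Apply the binding rule to one message in a deal thread.

    Returns "ok" (bound party, deal active), "held" (bound party, but the deal
    is frozen so nothing state-changing happens), "frozen" (first message from
    an unbound id: the deal is frozen now) or "rejected" (unbound id on an
    already frozen deal).
    """
    if msg.deal_id != deal.deal_id:
        raise ValueError("message routed to the wrong deal")

    if msg.sender_id in deal.bound_ids():
        if deal.state is DealState.FROZEN:
            deal.audit.append(("held", msg.sender_id, msg.text))
            return "held"
        deal.audit.append(("accepted", msg.sender_id, msg.text))
        return "ok"

    # An id that was not bound at agreement time is talking in this deal's thread:
    # either a mid-deal account swap or an impersonator. Either way, freeze first.
    if deal.state is DealState.ACTIVE:
        deal.state = DealState.FROZEN
        deal.audit.append(("freeze", msg.sender_id, "unbound sender id"))
        return "frozen"
    deal.audit.append(("rejected", msg.sender_id, "unbound sender on frozen deal"))
    return "rejected"


def manual_rebind(deal: Deal, officer_id: int, old_id: int, new_id: int, ticket: str) -> None:
    """The manual verification step: only a human operator, recording a ticket
    reference, can replace a bound id and lift the freeze. (The operator role
    and ticket field are assumptions made for this example.)"""
    if deal.state is not DealState.FROZEN:
        raise RuntimeError("rebind is only allowed on a frozen deal")
    if old_id == deal.buyer_id:
        deal.buyer_id = new_id
    elif old_id == deal.seller_id:
        deal.seller_id = new_id
    else:
        raise ValueError("old_id is not a bound party of this deal")
    deal.state = DealState.ACTIVE
    deal.audit.append(("rebind", officer_id, old_id, new_id, ticket))


def run_demo() -> List[str]:
    """Constructed scenario: buyer 1001 and seller 2002 agree; a third id 3003,
    using the same username as the buyer, then appears in the thread claiming
    to be the buyer's new account."""
    deal = Deal(deal_id="deal-0001", buyer_id=1001, seller_id=2002)
    outcomes = []
    outcomes.append(handle_message(deal, IncomingMessage("deal-0001", 1001, "alice", "sent payment")))
    outcomes.append(handle_message(deal, IncomingMessage("deal-0001", 3003, "alice", "I'm using a new account, release to me")))
    outcomes.append(handle_message(deal, IncomingMessage("deal-0001", 1001, "alice", "wait, what?")))
    outcomes.append(handle_message(deal, IncomingMessage("deal-0001", 3003, "alice", "release now")))
    # Operator verifies out of band that 3003 really is the buyer, then rebinds.
    manual_rebind(deal, officer_id=9, old_id=1001, new_id=3003, ticket="TICKET-PLACEHOLDER")
    outcomes.append(handle_message(deal, IncomingMessage("deal-0001", 3003, "alice", "thanks")))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting: the freeze happens on the first unbound message, before any human looks at it, so an impersonator gains nothing by being persuasive; and after a rebind the old ID is itself unbound, so a message from it would freeze the deal again rather than being silently accepted.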

Operational controls

  • Hardware-key 2FA for every staff member, every login, every signing event.
  • Principle of least privilege — staff can only see the deals they are working on.
  • Quarterly external penetration tests on our infrastructure.
  • Annual proof-of-reserves attestation published on escrowlyst.com.
  • Continuous on-chain monitoring of every vault address.
  • Immutable audit log of every signing decision, retained for 7 years.

Threat model

What we defend against

  • Insider collusion (mitigated by 3-of-5 multi-sig spread across operational + external signers).
  • Hot-wallet compromise (mitigated by <5% hot exposure and per-deal isolation).
  • Counterparty impersonation (mitigated by Telegram-ID binding + freeze-on-swap).
  • Sanctioned-funds ingress (mitigated by pre-deposit on-chain screening).
  • Phishing of our own staff (mitigated by hardware keys and signing-only workstations).

What you defend against

  • Telegram account takeover — enable cloud password and 2FA on your own account.
  • Address-swap malware — always verify the deposit address inside your Escrowlyst thread, not from your clipboard.
  • Impersonators — the only official handle is @escrowlyst.

Incident response

If we detect or suspect any compromise that could affect a live vault, we freeze the affected deal queue, notify all impacted parties in their threads within 60 minutes, and publish a post-incident report on this site within 14 days.

Responsible disclosure

Found a vulnerability? Message @escrowlyst on Telegram with the subject "SECURITY". We respond within 24 hours, will not pursue good-faith researchers, and reward verified reports.