What happens to your crypto when you die?

Right now, the answer is nothing. Your keys die with you. Your family hires a lawyer who doesn't understand seed phrases. Your holdings sit in a wallet nobody can open. Forever.

Set up inheritance Watch the walkthrough

Who this is for.

If you hold crypto, you have a problem your bank will never have. There is no helpline. There is no probate court that knows what a BIP39 phrase is. Your keys are the asset, and whoever has them, has everything.

deny.sh inheritance is for the people who took self-custody seriously and now want to plan for the day they aren't around to manage it. Three customer shapes in particular:

  • Individual holders with material crypto positions, a partner or two trusted family members, and no appetite to hand their seed to a lawyer.
  • Families with shared holdings where multiple people might need access in a crisis (spouse, adult children, sibling) and a clear cooling-off window before anything happens.
  • Institutional custodians (funds, family offices, estate professionals) who need ID-verified nominees, a documented release process, and an audit trail their regulator will accept.

Every existing option is broken.

You can't put a seed phrase in a will. Probate is public record. A safety deposit box needs a court order to open, and by then everyone knows what's inside. A lawyer holding your keys is a single point of failure with a billable hour rate.

Existing crypto inheritance services ask you to trust a third party with your keys. That defeats the point of self-custody.

deny.sh works differently. You set a heartbeat. Your nominees verify themselves. If the heartbeat stops, the system enters a cooling-off window, then routes the request through manual review before any encrypted bundle leaves. The file itself is deniably encrypted, so even the inheritance mechanism doesn't expose what's really inside.

Why deny.sh, not a DIY dead-man's switch.

You could roll your own. A cron job, a PGP-encrypted file in cloud storage, a script that emails your brother if you stop logging in for 90 days. People have built versions of this on a weekend, and most have one of three problems: they leak the bytes the moment they fire, they fire on the wrong signal (cloud outage, password change), or they are so brittle that the heir gets a corrupt blob and a sympathy card.

deny.sh is built for the parts you'd rather not build yourself:

  • UK operator, regulated by default. Treehouse in Valhalla Ltd is Cyber Essentials Certified (IASME, May 2026). We are a UK company with a registered address, a director, a tax ID, and accountable people. Your nominees can find us. Your regulator can audit us.
  • Multi-party verification. Every nominee proves they are who they say they are before the moment matters. Email plus SMS at minimum, document plus selfie on the institutional tier. Nobody learns your seed phrase because somebody intercepted a single email.
  • Cooling-off built in. 7 to 30 days where you can still cancel with one click. Long trips, hospital stays, sabbaticals: none of those wipe out your nominees.
  • Manual review before any release. A human at deny.sh reads every release request, confirms the contract really did escalate, and only then mints the download token. Three buttons: approve, reject, or hold pending more info.
  • Single-use download tokens consumed before the bundle streams. A replay is structurally impossible. A crash mid-stream means a dead link, not a leak.
  • Deniable encryption underneath. The control file itself encrypts to two plaintexts under two passwords. Even if the bundle leaks, an attacker can't tell what is real and what is a decoy.
  • Hash-chained audit log for the whole journey. Every heartbeat, every state transition, every verification step, every release decision lands in your per-tenant audit chain. RFC 3161 TSA timestamped within minutes. Signed PDF receipts on demand.

How it works, in five steps.

2-minute walkthrough

Prefer to see it rather than read it? The walkthrough page has a 2-minute video of the full flow plus a written nine-step breakdown of every screen, state, and audit-chain entry.

Watch the walkthrough →

1

Encrypt your control file with a decoy.

Use deny.sh to create a deniably encrypted bundle. One password shows a dust wallet or a plausible alternative. The other shows your real holdings. The ciphertext is identical either way.

2

Set a heartbeat schedule.

Every 30 days, 60 days, 90 days. Whatever fits your life. Check in by email link, web click, API, or SMS. Miss two and the contract enters a cooling-off window. Miss the cooling-off and it enters awaiting-nominee.

3

Nominate beneficiaries who verify themselves.

Each nominee confirms email + phone in advance (institutional tier adds ID verification). They get their own read-only dashboard to see contract status. Unverified nominees are skipped when the moment comes.

4

Manual review, then a single-use link.

If the contract reaches awaiting-nominee, every release request is hand-reviewed before any link is issued. Approved nominees receive a single-use download token valid for 7 days. Replay-vulnerable links die before the bundle is streamed.

5

Hash-chained audit log for the whole journey.

Every heartbeat, every state transition, every verification step, every release decision lands in the per-tenant audit chain. RFC 3161 timestamped, signed receipts on demand. Whoever holds the file later can prove the sequence of events.

Already signed up? Open your inheritance dashboard.

Why this is different.

deny.sh Lawyer + will Casa / Unchained Trusted friend
No third-party key custody
Automated release
Decoy when bytes leak
No public record
Works without a lawyer
Shamir splitting built in
Self-custody preserved

Plans.

Personal

$99/year

Annual, one tenant

  • 1 inheritance contract
  • Up to 3 verified nominees
  • Email + SMS nominee verification
  • Heartbeat: 30, 60, or 90 days
  • 7 to 30 day cooling-off window
  • Manual review before any release
  • Hash-chained audit log + signed PDF receipts
Get started

Family

$249/year

Annual, multi-contract household

  • Up to 5 inheritance contracts
  • Up to 10 nominees per contract
  • Email + SMS nominee verification
  • Custom heartbeat schedules
  • Configurable cooling-off per contract
  • Multi-party Shamir support
  • Priority support
Get started

Institutional

$999/year

Annual only, B2B contract

  • Unlimited contracts and nominees
  • Onfido ID + selfie verification
  • Multi-party Shamir (custom M-of-N)
  • Full audit-chain export (JSON, NDJSON, CSV)
  • API access with per-tenant rate limits
  • SLA + dedicated support contact
  • Optional custom retention windows
Contact us

Already on a deny.sh dev or pro plan? Inheritance is a separate add-on. See all pricing for the API-only plans.

Your keys should outlive you.

Set up in five minutes. Check in once a month. Sleep well knowing it's handled.

Set up inheritance Watch the walkthrough

FAQ.

What if deny.sh shuts down?

All encryption is client-side. Your files work offline with the open-source CLI. Export your control files as a backup. The switch check-in is the only server feature.

Which wallets/chains are supported?

deny.sh is chain-agnostic. It encrypts any text: seed phrases, private keys, recovery codes, for any blockchain.

Can I update my beneficiaries?

Yes. Log in to manage recipients, update control files, or change check-in schedules at any time.

How is this different from a lawyer or will?

A will is public record after probate. deny.sh keeps everything encrypted and private. No lawyers, no courts, no delays.

What if I miss a heartbeat by accident?

You get two more cycles to come back. After the second miss, the contract enters a cooling-off window (7 to 30 days, your choice at creation) where one fresh heartbeat cancels everything. Only after cooling-off expires do nominees get notified. There is also a pause feature for known long absences.

Can a nominee refuse?

Yes. Each nominee has their own read-only dashboard with a refuse button. One click burns all their pending tokens and they're removed from the contract. Refused nominees are skipped if the moment ever comes.

What does manual review actually look at?

A human at deny.sh confirms three things before approving any release: heartbeats genuinely missed (not a system glitch), nominee genuinely verified (email + SMS + ID where required), and no recent customer login or out-of-band cancellation. Three buttons: approve, reject, or hold for more info. Every decision lands in the audit chain with notes.

Is the audit log really tamper-evident?

Yes. Each op is hashed into a per-tenant chain (the audit-chain control, shipped May 2026). RFC 3161 TSA timestamps every entry within minutes via a background worker. Signed PDF receipts on demand for any single op. Hand it to a regulator and they can independently verify the whole sequence.