Independent Custody
Risk Intelligence
Deterministic, versioned LISR ratings for hardware wallets and the agentic payment stack. Locked at publication. Built for institutional due diligence.
$3.1B lost to custody failures in H1 2025 · 22 agentic protocols monitored weekly · Zero other independent ratings exist.
Wallet Index
LISR v1.0 — 6 wallets scored. Scores are deterministic, versioned, and locked at publication. Lower score = lower custody risk.
Some manufacturer links below are referral links — disclosed per our independence policy. Referral status never affects scores.
Independence is the product. Linkmerica accepts no payment from wallet manufacturers or protocol operators for ratings. Scores are locked at publication and cannot be retroactively altered. Referral links, where present, are disclosed and have no bearing on LISR scores — several rated products carry no referral relationship. Linkmerica never requests private keys, seed phrases, or wallet access.
Ledger
MODERATE RISK| Category | Score | Risk Bar |
|---|---|---|
| Security Architecture | 3.2 |
|
| Firmware Integrity | 6.4 |
|
| Supply Chain Risk | 7.7 |
|
| Key Management | 2.8 |
|
| Operational Security | 3.4 |
|
| Recovery Risk | 6.9 |
|
- Closed-source firmware and operating system
- Centralized supply chain with single manufacturer
- Historical data breach exposure (customer database, 2020)
Trezor
MODERATE RISK| Category | Score | Risk Bar |
|---|---|---|
| Security Architecture | 6.7 |
|
| Firmware Integrity | 2.8 |
|
| Supply Chain Risk | 7.7 |
|
| Key Management | 3.2 |
|
| Operational Security | 4.5 |
|
| Recovery Risk | 3.8 |
|
- No secure element in Trezor One
- Susceptibility to physical side-channel attacks on Trezor One
- Supply chain lacks comprehensive tamper-evident packaging
Tangem
HIGH RISK| Category | Score | Risk Bar |
|---|---|---|
| Security Architecture | 4.2 |
|
| Firmware Integrity | 8.2 |
|
| Supply Chain Risk | 5.1 |
|
| Key Management | 5.5 |
|
| Operational Security | 7.7 |
|
| Recovery Risk | 7.7 |
|
- Closed-source firmware with no reproducible build verification
- Centralized manufacturing with single vendor dependency
- No user-accessible seed phrase by default—backup dependent on additional cards
SafePal
HIGH RISK| Category | Score | Risk Bar |
|---|---|---|
| Security Architecture | 5.5 |
|
| Firmware Integrity | 8.2 |
|
| Supply Chain Risk | 7.8 |
|
| Key Management | 4.5 |
|
| Operational Security | 5.0 |
|
| Recovery Risk | 4.8 |
|
- Binance strategic investment — regulatory exposure and ecosystem centralization risk
- Closed-source firmware across all product lines
- Proprietary secure element implementation without independent verification
ELLIPAL Titan
HIGH RISK| Category | Score | Risk Bar |
|---|---|---|
| Security Architecture | 6.5 | |
| Firmware Integrity | 7.8 | |
| Supply Chain Risk | 7.2 | |
| Key Management | 5.5 | |
| Operational Security | 5.8 | |
| Recovery Risk | 3.5 |
- Closed-source firmware with no reproducible builds
- No secure element — general ARM processor used for cryptographic operations
- Chinese supply chain with no disclosed independent manufacturing audit
- Mobile app dependency creates additional attack surface
- No Common Criteria or FIPS certification for institutional compliance
Foundation Passport Prime
MODERATE RISK| Category | Score | Risk Bar |
|---|---|---|
| Security Architecture | 3.8 |
|
| Firmware Integrity | 4.0 |
|
| Supply Chain Risk | 2.9 |
|
| Key Management | 3.5 |
|
| Operational Security | 5.8 |
|
| Recovery Risk | 4.8 |
|
Methodology
The Linkmerica Institutional Security Rating (LISR) is a deterministic, versioned custody risk framework produced by the Linkmerica Research Team. Scores are locked at publication and cannot be retroactively altered. Methodology revisions increment the LISR version number and are disclosed in the public changelog.
LISR scores are produced across six structural risk categories. Category weights, sub-factor definitions, and internal scoring math are proprietary to the Linkmerica Research Team. Evidence is drawn exclusively from publicly available information at the time of assessment. Read the full methodology →
| Score Range | Risk Tier | Institutional Guidance |
|---|---|---|
| 0.0 – 3.5 | LOW | Suitable for institutional consideration with standard diligence. |
| 3.6 – 6.0 | MODERATE | Requires additional controls or policy mitigations. |
| 6.1 – 8.0 | HIGH | Significant risk factors present — limited institutional suitability. |
| 8.1 – 10.0 | CRITICAL | Not recommended for institutional custody use. |
LISR scores are deterministic and version-controlled. Lower scores indicate lower custody risk. Scores reflect publicly observable factors at time of review and are subject to revision following material firmware updates, security incidents, or scheduled review periods. Category weights, sub-factor definitions, and internal scoring math are proprietary to the Linkmerica Research Team and are not disclosed.
Agentic Protocol Ratings
NEW — ACR FRAMEWORKLISR Agentic Custody Readiness (ACR) — independent custody risk ratings for agentic payment protocols and agent wallet infrastructure. The first framework of its kind.
Mastercard AP4M
HIGH RISKThe first independent agentic protocol custody score. Machine-to-machine payment protocol with 31 launch partners and on-chain agent permissioning across Polygon, Solana, and Base. Primary finding: absence of public disclosure on session key scoping, guardrails, and multi-party approval mechanisms.
Full ACR ReportGoogle AP2
HIGH RISKAgent Payments Protocol under FIDO Alliance governance since April 2026, with 100+ partners and cryptographic mandate architecture. More publicly documented than AP4M — risks are visible and research-validated rather than undisclosed. Key gaps: no native mandate revocation, no multi-party approval, and demonstrated prompt injection attacks producing cryptographically valid mandates for unintended purchases.
Full ACR ReportAdditional protocol scores publishing as the framework matures. See the full 22-target monitoring surface →
Research
View all 4 briefs ↗AP4M: 30 Days After Launch — What the Intelligence Record Shows
The first institutional research document built on a dated monitoring record. Linkmerica tracked AP4M from the day after launch — before the protocol could be independently verified.
The Quantum Readiness Gap: Rating the Self-Custody Stack Against Q-Day
Hardware wallet manufacturers are responding unevenly to the 2029–2035 Q-Day risk window. LISR assessment of four wallets against the post-quantum transition.
Published June 15, 2026 — one week before federal quantum executive orders validated the same thesis.
Institutional Custody Risk Assessment
A structured, written custody risk assessment produced by the Linkmerica Research Team under the LISR framework. Asynchronous — no calls required. Delivered within 5 business days. Linkmerica never requests private keys, seed phrases, or wallet access.
- HNW self-custody holders
- Single-setup written LISR assessment
- PDF delivery, 5 business days
- Multi-wallet / multisig treasury
- Compliance-ready documentation
- 12-month changelog monitoring
- Agentic wallet infrastructure review
- Payment rail custody risk assessment
- By application