Kentucky Bill HB 380 Raises Fears of Backdoor ‘Recovery’ in Crypto Hardware Wallets

Kentucky’s latest attempt to crack down on cryptocurrency kiosk scams has unexpectedly put the state’s own pro–self-custody stance under pressure. A late-added amendment to House Bill 380 (HB 380) would require hardware wallet providers to help users reset passwords and seed phrases—an obligation critics say is functionally impossible without building a backdoor into devices that are designed to be truly self-custodial.

What HB 380 Tries to Do — And What Got Added Late

HB 380 is billed as a consumer-protection measure targeting cryptocurrency kiosks—machines often used by retail consumers, including older Americans, to buy or sell digital assets. The bill’s core provisions are direct responses to rising fraud tied to these kiosks.

Among its key measures, HB 380 would:

  • Cap daily kiosk transactions at $2,000 per user.
  • Limit new-user accounts to $10,500.
  • Provide a 72-hour cancellation window for certain transactions.
  • Impose fee caps and mandate prominent scam warnings.
  • Define explicit refund rights for fraud victims.

These are not abstract concerns. According to the FBI’s 2024 Internet Crime Complaint Center (IC3) report, there were 10,956 complaints involving crypto kiosks in 2024, with reported losses of $246.7 million—up 31% from 2023. Victims over age 60 accounted for roughly $107.2 million of those losses, underscoring why lawmakers are under pressure to act.

The controversial element, however, was not in the original text. On March 12, House Floor Amendment 3 (HFA 3) was filed—just one day before the House passed HB 380 unanimously, 85–0. Buried inside that amendment is Section 33, a provision that shifts the bill’s scope from kiosks to the design of hardware wallets themselves.

Section 33 would require any “hardware wallet provider” to offer live customer service and to “provide a mechanism for, and assistance with, resetting any password, PIN, seed phrase, or other similar information” used to access a wallet. Because violations would fall under Kentucky’s consumer-protection law governing unfair and deceptive trade practices, noncompliance could carry real legal and commercial risk for wallet manufacturers operating in the state.

How Section 33 Collides With Kentucky’s Own Self-Custody Law

The new requirement sits uneasily beside Kentucky’s existing policy on self-custody.

In March 2025, the state enacted HB 701, a law that explicitly defined a hardware wallet as a device that stores private keys offline while allowing the owner to retain independent control. HB 701 used essentially the same language for “self-hosted wallets,” emphasizing user ownership, independence, and direct control over private keys—and it stated that individuals shall not be prohibited from using such wallets.

In other words, Kentucky lawmakers only a year ago codified the architecture of self-custody: the user, not a third party, controls the keys, and thus the assets.

Section 33 of HFA 3 now pulls in the opposite direction. Requiring hardware wallet providers to assist with resetting passwords, PINs, or seed phrases implies the provider must retain or regain some form of access that standard non-custodial designs are built to avoid.

A state-supplied comparison of HB 701 and HB 380 with Section 33 highlights the tension:

  • Under HB 701, wallet philosophy centers on the user retaining independent control; under HB 380 with Section 33, providers must be able to help users regain access.
  • Hardware wallets are defined in HB 701 as offline key storage devices; Section 33 treats them more like serviceable consumer products.
  • Self-hosted wallets under HB 701 are about user control over keys; Section 33 pushes toward provider-enabled recovery paths.
  • HB 701 bolstered the right to use such wallets; HB 380 with Section 33 would expand deceptive-trade-practice exposure if providers cannot offer mandated recovery.

For investors and policy watchers, this is not a minor drafting issue. It goes to the core of whether “self-custody” in Kentucky remains what it was deliberately defined to be in 2025, or whether providers will now be nudged toward architectures that are inherently more recoverable—and therefore more vulnerable.

Why Seed Phrases and Non-Custodial Design Matter

To understand why Section 33 is so contentious, it helps to look at how non-custodial hardware wallets are designed.

In a typical non-custodial setup, a wallet generates a “seed phrase” during initialization. This phrase is the master credential from which every private key in the wallet is mathematically derived. Whoever controls the seed phrase effectively controls the assets.

Precisely because of that power, standard non-custodial designs hand the seed phrase to the user once—during setup—and then ensure that no copy is retained by the manufacturer. If the user loses that backup, the wallet and its funds are irrecoverable. This is not an accident; it is a deliberate security model.
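The derivation described above, as an added example that is not part of the original article: it assumes the BIP-39 and BIP-32 standards that most hardware wallets follow (the article does not name them), and the function names are illustrative. It shows that the master key is a pure function of the phrase and an optional passphrase, with no vendor-held input that a provider could use to "reset" it.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP-32 rejects master keys outside 1..n-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample: the public BIP-39 test-vector phrase, never a real wallet.
SAMPLE = "abandon " * 11 + "about"


def _nfkd(text):
    """BIP-39 normalizes both phrase and passphrase to NFKD before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """Stretch the phrase into a 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds).

    Assumption: the phrase is already checksum-valid; verifying that needs
    the BIP-39 wordlist, which is omitted here.
    """
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, 64)


def bip32_master(seed):
    """Derive the BIP-32 master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("invalid master key; a wallet would draw a new seed")
    return key, chain_code


def master_from_phrase(mnemonic, passphrase=""):
    """Everything below the phrase is deterministic: same words, same keys."""
    return bip32_master(bip39_seed(mnemonic, passphrase))


if __name__ == "__main__":
    key, _ = master_from_phrase(SAMPLE)
    print("master key from phrase:", key.hex())
    # One changed word yields an unrelated key: there is nothing to "reset to".
    other, _ = master_from_phrase(SAMPLE.replace("about", "above"))
    print("one word changed      :", other.hex())
```

Because the only inputs are the words themselves, any party able to restore access must hold the phrase or material sufficient to rebuild it.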

Some major hardware wallet providers demonstrate how this model diverges:

  • Trezor explicitly tells users that without a wallet backup, they cannot recover their wallet. If the backup is lost, access to the wallet is gone. Responsibility for recovery rests fully with the user.
  • Ledger takes a different, optional approach through its paid Ledger Recover service. Subscribers can opt in to a system where their seed phrase is reconstructed from identity-verified fragments stored with third parties. According to Ledger, non-subscribers continue to self-manage their seed phrases, and use of Ledger Recover requires a subscription, on-device physical confirmation, and identity checks.

Section 33, as drafted, collapses the distinction between voluntary, opt-in recovery services and mandatory, default obligations. It would require any hardware wallet provider operating in Kentucky to make a recovery mechanism available to every user—whether or not that user wants such a service, and regardless of the provider’s original architecture.

The Bitcoin Policy Institute, in a March 20 letter to the Kentucky Senate, argued that compliance with Section 33 would effectively force providers either to store seed phrases server-side or to implement some remote reconstruction flow. In their view, both options amount to a “cryptographic backdoor,” because they introduce a path—however carefully managed—by which a third party could ultimately facilitate recovery of what are supposed to be user-held keys.

For investors who rely on hardware wallets specifically to avoid any third-party access, that backdoor risk is precisely what they are trying to eliminate.

Potential Impact on Hardware Wallet Providers and Kentucky Users

HB 380 cleared the Kentucky House and reached the Senate on March 16. As of March 23, it had not yet appeared on the Senate’s posted orders for passage, and the legislative calendar is tight: regular legislative days run through March 27, with a concurrence window March 31 through April 1, and final adjournment scheduled for April 15.

If the Senate were to pass HB 380 with Section 33 intact, the immediate pressure would fall on hardware wallet manufacturers.

Pure non-custodial providers—those whose products are built on the premise that only the user ever sees or stores the seed phrase—would suddenly be exposed to Kentucky’s unfair and deceptive trade practice framework if they cannot offer the mandated reset mechanism. Bringing their products into compliance would require fundamental redesign, not simple customer-service tweaks.

Realistically, providers would face a limited set of choices:

  • Accept the legal exposure and maintain current designs.
  • Restructure products to add some form of remote recovery, altering their security model.
  • Exit or restrict the Kentucky market to avoid the compliance burden altogether.

Any of those outcomes would narrow the range of true self-custody options available to Kentucky residents—undercutting HB 701’s original purpose of protecting wallet sovereignty. At the same time, Section 33 would not affect all providers equally.

Vendors that already offer optional recovery services, like Ledger, are structurally closer to compliance than providers that have never stored seed phrases or created recovery paths. A state-level mandate that effectively rewards recoverable architectures while penalizing pure self-custody amounts to a regulatory thumb on the product market, even if unintentionally.

For crypto investors who deliberately choose hardware wallets to avoid custodial risk, this creates a patchwork problem: certain devices or features may become harder to access legally in some states, even as federal regulators are beginning to draw clearer lines around what counts as custody.

Why a Targeted Senate Fix Is on the Table

One way forward that has been floated is straightforward: amend the bill in the Senate.

If senators strip Section 33 entirely, HB 380’s central consumer-protection framework for kiosks—daily transaction caps, refund windows, fee limitations, and mandatory scam warnings—would remain intact. Alternatively, the Senate could narrow the language to exclude self-hosted and non-custodial devices as defined in HB 701, ensuring that the reset obligation applies only to products where the provider already acts more like a service intermediary.

Either approach would resolve the direct conflict between Kentucky’s 2025 law protecting self-custody architecture and the new design obligations implied by Section 33. It would also bring the state’s stance closer to the direction being outlined by federal banking regulators.

On March 2, the Office of the Comptroller of the Currency (OCC) proposed stablecoin custody rules that explicitly carve out entities that merely provide hardware or software tools for people to self-custody their private keys or payment stablecoins. In that federal framework, self-custody tools are separated from custodial intermediaries, rather than blurred together.

Other states are taking their own, sometimes harsher, approaches. Tennessee, for example, enacted a 2026 measure that makes operating a virtual currency kiosk a Class A misdemeanor—an aggressive posture toward the kiosk model that contrasts with Kentucky’s more calibrated consumer-protection effort in HB 380.

These parallel developments position Kentucky as a live test case. The kiosk fraud problem is demonstrably real, and HB 380’s main provisions can be defended on consumer-protection grounds. Section 33, however, operates at a different layer: it imposes a design duty on hardware wallets that HB 701 previously defined by the absence of exactly such a duty.

What’s at Stake for Self-Custody Going Forward

The remaining question is whether Kentucky can reconcile its anti-fraud goals with its stated support for wallet sovereignty.

If the Senate takes no corrective action and leaves Section 33 in place, Kentucky’s legal framework will send mixed signals. On paper, the state would both affirm users’ rights to self-hosted wallets and expose non-custodial manufacturers to deceptive-trade-practice liability unless they build in recovery mechanisms. In practice, manufacturers would decide which of those policies to navigate around—by changing designs, geofencing customers, or accepting legal risk.

If, instead, lawmakers narrow or remove Section 33, Kentucky could preserve both: a stronger regulatory perimeter around high-risk kiosks, and a consistent, technology-neutral stance that leaves self-custody tools free to preserve their core security properties.

For crypto investors and policy watchers monitoring the future of self-custody in the U.S., the outcome in Kentucky will be instructive. It will show whether state-level consumer protection can be calibrated to target genuine fraud channels like kiosks without unintentionally reshaping the architecture of hardware wallets that, by design, place control—and responsibility—fully in the hands of the user.

With the legislative clock running down, the decision on HB 380 is likely to come quickly. The structure of self-custody in one of the more crypto-engaged U.S. states may hinge on how the Senate handles a single, quietly inserted section.
