In the early days of crypto cards, users cared about the card material and the cashback percentage. After the BaaS crackdowns of 2025, when dozens of white-label card programs were frozen overnight because mid-tier intermediaries collapsed under regulatory action, custody has become the defining feature.
If you use a crypto card today, you are trusting a multi-layered technical stack that includes network rails, issuing banks, and Banking-as-a-Service (BaaS) providers. Understanding where your money actually sits, who holds the keys, and how to audit the infrastructure matters more than any cashback rate.
Decoding the Crypto Card Stack
A crypto card is rarely a single entity. It is a vertical chain of four distinct layers:
- The Network (Visa/Mastercard) provides the rails but never touches your crypto. They only care about the fiat settlement at the point of sale.
- The Issuer is a licensed bank or Electronic Money Institution (EMI) with the right to put their name on the card and settle with the network.
- The BaaS Partner is the middleware connecting the bank to the crypto world. They handle API integrations and often the regulatory reporting.
- The Program (The Brand) is the app you downloaded. They are the marketing layer. In many cases, they hold no licenses themselves and rent the stack from the layers above.
The risk is concentrated in the BaaS layer. If the BaaS partner loses its license or its banking partner, the brand is paralyzed even if its own code is perfectly fine.
Wirecard and Railsr
In 2020, the collapse of Wirecard froze cards for millions of users across the UK and Europe. In 2023, Railsr (formerly Railsbank) faced a similar liquidity crisis, leading to its sale and the disruption of dozens of fintech brands. In 2026, the Monavate and Quicko crackdowns repeated the pattern.
The lesson: your card provider is often a facade. If the BaaS provider fails, your safeguarded funds are legally yours, but access to them is cut off. Never trust a card that does not disclose its underlying Tier-1 banking partners.
The Custody Spectrum
The industry has split into three distinct custody models. Your choice determines whether your funds are recoverable by a support ticket or whether they are truly yours.
Custodial (Exchange Model)
The issuer (Binance, Bybit, Coinbase) holds the private keys in its institutional vaults. This is the most popular model for mass-market users. Account recovery is handled through ID verification rather than keys: lose your phone, verify your identity, get back in. Users who care about that identity footprint should read our privacy guide.
The vulnerability: you are 100% exposed to platform insolvency. If the exchange goes bust or is hit with a regulatory freeze, your card balance is an unsecured claim in bankruptcy court.
Self-Custodial (Web3 Model)
The card is linked directly to a wallet where you hold the seed phrase or signing authority. Cards like Gnosis Pay or Solflare never hold your funds; the card processor is granted an on-chain allowance to pull a bounded amount from your wallet when you pay.
Smart contract wallets (account abstraction, standardized on Ethereum by ERC-4337) have made this model practical: the wallet code, rather than a custodian, handles recovery, spending rules and gas behind the scenes.
The vulnerability: if you lose your keys without a backup or a configured recovery path, the money is gone. There is no forgot-password option.
Hybrid (MPC)
Multi-Party Computation generates the private key as separate shares (shards) that are never combined: typically one on your phone, one with the issuer, one with a backup provider, with signing requiring a threshold such as two of the three. No single party can spend with its own shard alone.
This gives the feel of self-custody (nothing moves without your shard) with the safety of institutional backup (the issuer can help you re-share the key onto a new phone if you lose the old one). Cards like Tria use this approach. The guarantee is only as good as the threshold and the share distribution: if the issuer and the backup provider together hold enough shards to sign, the arrangement is custody with extra steps.
Smart Accounts and ERC-4337
The biggest technical shift in recent years is the move from Externally Owned Accounts (EOAs) to smart contract wallets. For crypto card users, this unlocks three features:
Social Recovery lets you designate guardians (a hardware wallet or a trusted contact) who can reset your access if you lose your device.
Sponsored Gas means the card issuer pays your gas fees in the background. You see a $0.00 fee transaction, even though it is happening on-chain.
Programmable Limits let you set rules like "this card can only spend $500 per day." If the card is stolen, the thief is bounded by the contract code, not by a server-side setting that support staff or an attacker with the app's credentials could change.
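As an added example, not code from the page or from any card provider named here, the following Python simulation shows the kind of allowance module the self-custodial section and the Programmable Limits paragraph describe. The card processor's delegate key can move funds only within a per-transaction and per-window limit, only the owner key can change those limits or revoke the delegate, and a thief holding the delegate key is therefore bounded by the remaining allowance. The key names (`owner-key`, `processor-key`), amounts and timestamps are constructed; in production this logic lives in a smart contract attached to the smart account, not in Python.

```python
"""Simulation of an on-chain spending-allowance module for a self-custodial
card (added example): the card processor holds a delegate key that can pull
funds only within limits the account owner set. Toy logic, not any provider's
contract; amounts are in minor units (cents), times are unix seconds."""
from dataclasses import dataclass, field

DAY = 24 * 60 * 60


@dataclass
class Allowance:
    owner: str                 # smart-account owner (your key or your guardians)
    delegate: str              # card processor's key, the only permitted spender
    period_limit: int          # max total per window, e.g. "500 USD per day"
    per_tx_limit: int          # max for a single authorization
    period: int = DAY
    period_start: int = 0      # start of the current fixed window
    spent: int = 0             # spent so far in the current window
    revoked: bool = False
    history: list = field(default_factory=list)

    def _roll_window(self, now: int) -> None:
        # Fixed windows aligned to period_start; entering a new window resets the counter.
        if now - self.period_start >= self.period:
            self.period_start += ((now - self.period_start) // self.period) * self.period
            self.spent = 0

    def spend(self, caller: str, amount: int, now: int):
        """Authorization path a point-of-sale charge goes through. Every check is
        enforced by contract state, not by the app or a support desk."""
        if caller != self.delegate:
            return False, "not delegate"
        if self.revoked:
            return False, "revoked"
        if amount <= 0:
            return False, "bad amount"
        self._roll_window(now)
        if amount > self.per_tx_limit:
            return False, "over per-tx limit"
        if self.spent + amount > self.period_limit:
            return False, "over period limit"
        self.spent += amount
        self.history.append((now, amount))
        return True, "ok"

    def set_limits(self, caller: str, period_limit: int, per_tx_limit: int):
        # Only the owner may change limits: a stolen delegate key cannot raise them.
        if caller != self.owner:
            return False, "only owner"
        self.period_limit, self.per_tx_limit = period_limit, per_tx_limit
        return True, "ok"

    def revoke(self, caller: str):
        if caller != self.owner:
            return False, "only owner"
        self.revoked = True
        return True, "ok"


def stolen_card_scenario() -> int:
    """Constructed scenario: an attacker obtains the delegate key (card cloned or
    processor breached) and tries to drain the wallet. Returns what they moved."""
    a = Allowance(owner="owner-key", delegate="processor-key",
                  period_limit=50_000, per_tx_limit=20_000)
    a.spend("processor-key", 1_250, 3_600)          # owner's legitimate purchase earlier that day
    taken, now = 0, 7_200
    while True:                                     # thief always asks for the most the rules allow
        amount = min(a.per_tx_limit, a.period_limit - a.spent)
        if amount <= 0 or not a.spend("processor-key", amount, now)[0]:
            break
        taken += amount
        now += 1
    a.set_limits("processor-key", 10**12, 10**12)   # rejected: only the owner can raise limits
    a.revoke("owner-key")                           # owner (or guardians) cut the delegate off
    return taken                                    # bounded by period_limit - 1_250


if __name__ == "__main__":
    print("thief moved (cents):", stolen_card_scenario())
```

The thief's take is capped at the unspent part of the day's allowance no matter how many authorizations they push, and after `revoke` the delegate key is worthless even in the next window. That is the property the checklist item about contract-enforced versus app-enforced limits is asking you to verify.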
Paymasters and Bundlers
Behind every ERC-4337 transaction are two kinds of entity. Bundlers collect signed UserOperations (requests to spend), submit them to the EntryPoint contract in a batch to save on gas, and front the gas for that batch, recovering it from your account or from a Paymaster. Paymasters are contracts that agree to pay the gas fee on your behalf.
When a card like MetaMask Card offers gasless spending, they are using a Paymaster to subsidize the on-chain cost. A reliable card provider will have a backup gas-funding mechanism to prevent declines during network congestion.
MPC vs HSM: How Keys Are Signed
Multi-Party Computation (MPC)
MPC uses a cryptographic protocol in which the parties compute a signature from their key shares without the full private key ever existing in one place. Even if the issuer's server is hacked, the attacker gets one share, which is useless alone so long as the signing threshold is not met. Note what this does and does not protect: it guards against key theft, not against a compromised phone requesting a malicious transaction that the other parties then dutifully co-sign, so the signing policy each party enforces matters as much as the math. Used by providers like Fireblocks, Coinbase Prime, and Tria.
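As an added example, not from the page or from any provider named on it, the following Python toy demonstrates the property this paragraph and the MPC custody section rely on: two parties each hold an additive share of a Schnorr private key, jointly produce a signature that verifies under the combined public key, and at no point does the full key exist anywhere. It also shows why a single stolen share is useless: a signature built from one share alone fails verification. The 64-bit group, the two-party additive sharing and the single-round protocol are simplifications for illustration; production threshold signature schemes add nonce commitments, a distributed key generation ceremony and protections against a malicious co-signer.

```python
"""Toy two-party Schnorr signing with additive key shares (added example):
a valid signature is produced without the private key ever being assembled.
Toy 64-bit parameters and an honest two-party protocol; not a production TSS."""
import hashlib
import random
import secrets

# Miller-Rabin with these fixed bases is exact below ~3e23, far beyond 64 bits.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64, seed: int = 1):
    """(p, q, g): safe prime p = 2q + 1 and g = 4, a generator of the order-q
    subgroup of Z_p^*. Seeded so the toy group is reproducible."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def challenge(p: int, q: int, R: int, y: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || y || msg) mod q."""
    w = (p.bit_length() + 7) // 8
    digest = hashlib.sha256(R.to_bytes(w, "big") + y.to_bytes(w, "big") + msg).digest()
    return int.from_bytes(digest, "big") % q


class Party:
    """One signer: samples its own key share locally (as a DKG would) and never
    sees the other party's share."""
    def __init__(self, p: int, q: int, g: int):
        self.p, self.q, self.g = p, q, g
        self.x = secrets.randbelow(q - 1) + 1        # private key share x_i
        self.k = None                                 # per-signature nonce share k_i

    def public_share(self) -> int:
        return pow(self.g, self.x, self.p)            # y_i = g^x_i

    def nonce_commit(self) -> int:
        # Real protocols commit to R_i before revealing it so no party can bias
        # the combined nonce; omitted in this toy.
        self.k = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self.k, self.p)            # R_i = g^k_i

    def partial_sign(self, e: int) -> int:
        return (self.k + e * self.x) % self.q         # s_i = k_i + e * x_i


def keygen(p: int, q: int, g: int, n: int = 2):
    """Joint public key y = prod(y_i) = g^(sum x_i), computed from public values
    only; the sum of the shares is never formed anywhere."""
    parties = [Party(p, q, g) for _ in range(n)]
    y = 1
    for party in parties:
        y = y * party.public_share() % p
    return parties, y


def threshold_sign(p: int, q: int, g: int, parties, y: int, msg: bytes):
    R = 1
    for party in parties:
        R = R * party.nonce_commit() % p              # R = g^(sum k_i)
    e = challenge(p, q, R, y, msg)
    s = sum(party.partial_sign(e) for party in parties) % q   # s = sum s_i
    return R, s


def verify(p: int, q: int, g: int, y: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = challenge(p, q, R, y, msg)
    return pow(g, s, p) == R * pow(y, e, p) % p       # g^s == R * y^e


def one_shard_forgery(p: int, q: int, g: int, parties, y: int, msg: bytes):
    """Best an attacker holding only party 0's share can do: a signature valid
    for y_0 alone, which does not verify under the joint key y."""
    thief = parties[0]
    R = thief.nonce_commit()
    return R, thief.partial_sign(challenge(p, q, R, y, msg))


if __name__ == "__main__":
    p, q, g = make_group()
    parties, y = keygen(p, q, g)
    tx = b"card-tx: pay 42.00 EUR to merchant 9012"    # constructed sample message
    sig = threshold_sign(p, q, g, parties, y, tx)
    print("joint signature verifies:", verify(p, q, g, y, tx, sig))
    forged = one_shard_forgery(p, q, g, parties, y, tx)
    print("one-shard forgery verifies:", verify(p, q, g, y, tx, forged))
```

The verification equation g^s = R * y^e holds because the exponent s = (k_1 + k_2) + e(x_1 + x_2) is assembled from the two partial values s_i, never from the shares themselves. Note also what the toy does not model: each Party signs whatever challenge it is handed, which is exactly the gap the paragraph warns about, so a real issuer-side signer must check the transaction against policy before contributing its s_i.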
Hardware Security Modules (HSM)
HSMs are dedicated hardware in which keys are generated, stored and used without ever leaving the device. They are tamper-resistant rather than tamper-proof: detected physical intrusion triggers zeroization of the stored keys. Used by traditional banks and legacy custodial crypto card programs. An HSM protects the key from extraction; it does not change who controls it, so a single HSM operated by the issuer is still single-party custody.
BaaS Risk: EMI vs Full Banking License
Most crypto cards are issued by Electronic Money Institutions (EMIs), not full banks. This is a critical distinction for your custody safety.
Full banks offer deposit protection (up to $250,000 per depositor per insured bank via the FDIC in the US, or up to 85,000 GBP via the FSCS in the UK). If the bank itself fails, the scheme pays you back. It does not cover the failure of a fintech intermediary sitting between you and the bank: when a BaaS provider's ledger cannot be reconciled with the bank's records, even insured customers can be locked out, as the 2024 Synapse bankruptcy in the US showed.
EMIs offer safeguarding instead. An EMI may not lend your money out and must keep client funds segregated from its own, typically in a safeguarding account at a credit institution (some regimes allow an insurance policy or guarantee instead). But if the EMI goes bankrupt, your money is not covered by a deposit-protection scheme: you wait for a liquidator to reconcile the accounts and distribute the funds, which can take months or years.
This is why self-custody cards have a structural advantage: the issuer never has your money in the first place.
Threat Modeling: Attack Vectors in 2026
Three attack types target crypto card users:
MPC Shard Phishing: attackers no longer ask for your seed phrase. They send a fake system update notification asking you to "sync your security shard." If you click, you hand over your shard, one of the shares needed to meet the signing threshold; the attacker then works the recovery flow for the rest. Legitimate providers never ask you to export or paste a shard.
Malicious Bundlers: in the ERC-4337 flow, a Bundler cannot alter or redirect a signed UserOperation, because your signature covers its calldata, but it can censor, delay or reorder it, including front-running a swap that is part of the operation. Providers mitigate this by running their own bundler or by sending operations through a private or encrypted mempool rather than the public one.
SIM-Swap Attacks: if account recovery or 2FA runs over SMS, an attacker who ports your number to their SIM can take over the account despite 2FA. The defense is a card that authorizes transactions with a device-bound key in the phone's secure hardware (a passkey or equivalent), so authorization happens on the device and an SMS code is worth nothing, and whose account-recovery flow likewise cannot be completed with a phone number alone.
The Audit Checklist
Before committing more than $1,000 to a card balance, check these ten points:
- Who is the safeguarding bank? Find the name of the Tier-1 bank holding the fiat.
- Is the brand a principal member of Visa/Mastercard, or just a program manager?
- Does it use ERC-4337? If yes, who is the guardian for social recovery?
- Where are the MPC shards held, what threshold is needed to sign, and are the holders in different legal jurisdictions?
- Is there a proof-of-reserves link with real-time on-chain auditing?
- What is the JIT (just-in-time conversion) timeout? How long does the issuer hold your funds in fiat between the swap at the point of sale and settlement?
- What happens during an L2 outage? Is there a force exit to Ethereum L1?
- Is the card EMI or banking-licensed? Know your insurance status.
- Can you set smart contract spending limits, or are you relying on the app's software?
- Who is the BaaS provider? Check if they have a history of regulatory warnings.
Geographic Nuances: MiCA vs US Regulation
Custody is not just a technical choice. It is a geographic one.
In Europe, MiCA has tilted the field toward self-custody: a card whose issuer never takes your keys avoids many of the custody-service licensing requirements, so those products can iterate faster.
In the US, the regulatory environment remains enforcement-driven. This favors massive, regulated custodians like Coinbase. For US residents, self-custody cards are harder to find, as issuers fear being labeled as unlicensed money transmitters.
Overview
Your crypto card is a four-layer stack: network, issuer, BaaS partner, and brand. Historical failures (Wirecard, Railsr, Monavate) have consistently hit the BaaS layer, freezing user access even when funds were legally safeguarded. The three custody models (custodial, self-custodial, and MPC hybrid) each carry different tradeoffs between convenience and control. ERC-4337 smart accounts add programmable safety features like spending limits and social recovery. Before funding any card with significant capital, audit the underlying banking partner, verify the custody model, and check whether your funds are EMI-safeguarded or bank-insured.