Cold Wallets: Defining Access Below Zero

By the middle of 2025, you will likely be well aware of the differences between cold and hot wallets. However, a new comprehensive article by Web3 researcher Vladimir Menaskop may very well challenge your understanding and provide you with insights on how to effectively safeguard your assets from unauthorized access.

Hardware wallets are often confused with cold wallets, with the latter frequently categorized solely based on certain brand names.

For instance, consider this post from Reddit: “I’ve been investing in Bitcoin for the past six months and am now considering purchasing a cold wallet. From what I understand, the three main options are: 1) Trezor; 2) Ledger; 3) Jade.”

Or take this message from a DeFi chat that a subscriber recently sent me: “Cold wallets don’t store coins; they store the keys to access wallets across different networks — nothing more.”

The confusion even extends to industry publications, which often blur the lines between these concepts. For example, one credible source mistakenly includes hardware wallets in an article about cold wallets, while another attempts to distinguish between the two but makes an error concerning multisig wallets.

Moreover, even IT firms specializing in security occasionally conflate these terms, illustrating a lack of clarity. They state: “Hardware wallets, which include cold wallets as a subcategory, are physical devices and, as they exist offline in the physical world, are much harder for cybercriminals to attack.”

This misunderstanding is not merely a semantic issue. Misconceptions about the functions of hardware and other types of wallets lead to frequent hacks, despite the fact that these tools are intended to protect users. Therefore, this article aims to clarify these matters.

I’ll emphasize a practical approach rather than an academic one, so the distinctions may not be exhaustive, but all criteria will be applied to address specific concerns.

To better understand the practical implications, let’s delve into cold storage more deeply.

Imagine two simple scenarios.

The first: You manually (or semi-automatically) generate a seed phrase, transfer it to a metal medium, and send your first test transaction to one of many wallets.

But what happens next?

Most people will want to confirm their holdings; seeing the balance doesn’t equate to ownership. As a result, cold wallets seldom go without outgoing transactions in daily use. (While there are alternative ways to verify, we’ll save that for another time).

The second scenario involves multisig. Yes, you can create a multisig on the Safe platform without paying transaction fees (similar to gasless payments on MetaMask or Rabby), and you can also withdraw funds from there without incurring costs. But is the multisig offline at that moment? Essentially, it operates as a collection of smart contracts, so the answer in this context would be a resounding “No.”

If we delve deeper, the access levels (permissions) familiar to many Linux users are distinct here too: read, write, edit, and so on. In terms of editing (sending transactions), the multisig will remain offline for extended periods.

Where are the keys for the multisigs stored? Unlike hardware wallets like Trezor, Ledger, and SafePal, no private keys exist in this case.

More precisely, there are the private keys of the signers and a concatenation of the public keys, allowing us to say that:

*“A multisig is a smart contract that will perform a certain operation only if it is signed by several previously associated private keys. The number of required signatures is referred to as the threshold value.”*

This last point is crucial considering the hack of Bybit, where signing went through hardware wallets acting as signers of a multisig on the Safe platform. Despite this, all signatories overlooked numerous obvious mistakes, which was unacceptable after hacks like those of Radiant, WazirX, and others like them. For further clarity, here are two Ledger examples where it was not the device itself but the surrounding infrastructure that was compromised: through traditional paper letters and via cloning methods.

In our times, neutrality is also significant: for example, MetaMask has announced its commitment to sanctions and related lockouts, while Ledger released an anti-database to secure seed phrases due to negative user backlash.

But let’s explore cold storage from a synthetic perspective.

To begin, I’ll outline specific implementations of cold storage (while merging the definitions of wallet and storage into one, since that’s another important topic that requires separate investigation):

In reality, cold wallets fall into two main categories:

Here are some examples:

The simple types include hardware and paper wallets, utilized sparingly and for their intended purpose. The complex types involve multisigs in tandem with hardware wallets or storing seed phrases divided according to Shamir’s method into three to five parts, each kept in very different formats. (Once again, we’re discussing cold storage in a mixed context here).

From the discussed points, it’s vital to understand one key argument: for truly large-scale projects, a cold wallet makes no sense without the implementation of appropriate organizational, technical, economic, and legal norms.

The cases of Bybit, Mt. Gox, various bridges, Radiant, and others clearly demonstrate this. This is another reason hardware wallets cannot always be regarded as cold storage. In Euler-diagram terms, the two are unequal categories that only partially overlap.

Now, let me describe each sub-type.

**Sub-Type #01:** Hardware. This refers to storing private keys (less often) and seed phrases (more often) on physical media (generally, titanium plates like CryptoSteel).

This method is reliable for storage anywhere; rust and fire pose little threat. However, it is risky if someone gains physical access to the plates. Thus, they are often divided into parts and stored with custodians, including in bank safety deposit boxes (which presents an oxymoron: the most non-custodial crypto is stored in institutions it was originally designed to avoid).

You can also combine steganography with the above method and hide a plate (after validation) within a statue, for example.

**Sub-Type #02:** Paper. Writing down seed phrases and private keys on paper is classic. It’s better to use different writing instruments (simple pencil, ink) on various media (cardboard, paper, notebook sheet) and in two to three copies. Hide them in locations where you wouldn’t normally look.

Steganography is incredibly valuable. Encipher your phrases within books, children’s drawings; write with lemon juice or other invisible inks. Live in the UAE? Write in Chinese. In China — in Georgian. Any level of added security is worthwhile here.

One last thing: never write the full phrase down; leave a few words “in reserve.” This won’t protect against hacking per se, since two or three missing words can be recovered quickly, but if you detect theft, it will buy you time to take action.

**Sub-Type #03:** Multisig. There’s much to discuss here, but for now, no better alternative to Safe has emerged; the Bybit hack proves this as well. But it also demonstrated that a Safe multisig alone is insufficient; you also need steel nerves and a clear mind to avoid sending $1.4 billion as if it were just $1.4.

Again, even combinations of «hardware wallet plus multisig» aren’t sufficient for cold storage. You must adhere to the following secure transfer guidelines:

**Sub-Type #04:** Backup cards are a notable solution resembling a hardware/offline wallet, but with differing functionalities and applications.

**Sub-Type #05:** Hardware wallets come in various forms, yet each has exhibited some vulnerabilities: offline hacks on certain Trezor models, phishing attacks on Ledger, and more.

**Sub-Type #06:** Specialized smart software: any smartphone running Linux or Android with disabled (or removable) communication modules, including Wi-Fi and Bluetooth, can qualify, as can dedicated solutions like Purism.

**Sub-Type #07:** Exotic methods. I’ll elaborate on this further.

Yes, such methods do exist. Here are several examples to clarify the subject, especially as these don’t align strictly with cold wallets, but more with cold storage (though it’s not always appropriate to label it offline).

**Steganography**

It comes in various forms, but here are some examples:

Technically, these still involve paper, metal, or digital media, but organizationally, they are far more secure than just a simple list of recognizable words.

**Temporography**

It would be remiss not to mention it in this context. Here are a few simple examples:

Certainly, this isn’t an exhaustive list, but it should suffice for a start. We only need to tackle two pivotal questions next.

*“A portion of the data is stored in encrypted form on the blockchain, while another is engraved onto metal plates hidden in physical locations. Additionally, Dutch Bitcoin enthusiast Didi Taihuttu employed personal encryption by substituting some words in the phrase… ‘Even if I had a gun to my head, I could not give away more than what’s on the wallet in my phone. And that’s not much,’ Taihuttu stated.”*

**Cold Storage and Security**

If you’ve already answered the previous question, I recommend enhancing your security, which consists of the following components:

The technical aspect has been discussed above. If that is insufficient, consult additional guides for safe storage of private keys.

The economic component involves portfolio management and risk management. The legal aspect concerns operations within specific jurisdictions and an understanding of their laws. The organizational facet encompasses everything beyond the first three: your work time, response to phishing (including customization), and other social attacks, conversations with individuals, and so forth.

I won’t enumerate everything but will cover the basics.

**Functionality vs. Security**

In cold storage, it’s essential to choose wallets based not on functionality but solely on reliability: functionality can be found in test or hot wallets.

A cold wallet should be:

**Phishing**

No matter which form of cold storage you choose, as a human, you will always be the weakest link. Always adhere to the practice depicted in the film «Unthinkable» by Gregor Jordan: if everyone thinks you’ve planted three “bombs,” make it four or even five.

**Rule Zero**

This is simple: anyone can be hacked, at any time, and anywhere. The question is one of attention, resources, and effort. If a hack is costly, time-consuming, and the profit falls short of expectations, it’s likely that a breach won’t occur.

Indeed, there are destructive-type attacks, but that is exactly what your personal security is aimed at. You are the last line of defense; you are part of your cold storage.

First, there’s a technical distinction that sites like Ledger mention:

*“A cold wallet and a hardware wallet are essentially the same thing? In reality, they are two different items with distinct use scenarios and levels of protection. And the most intriguing part? Both types of wallets can exist within a single unit.”*

However, this pertains to their case: the scenarios described above highlight that hardware and cold storage can be quite different.

In simpler terms, you can set up a «MetaMask plus Trezor» combination and use it as a daily hot wallet, knowing your keys are secure and that you are protected against attacks, such as when your MetaMask password gets compromised for any reason, allowing unauthorized access to your private keys and funds. But you are not immune to:

However, you can make that same Trezor a cold wallet by adding a passphrase, giving you peace of mind, at least for a portion of your assets.

By 2025, offline access alone may often be inadequate for proper cold storage; thus, a hardware wallet is merely a possible component of cold storage, not cold storage in itself.

Moreover, cold storage can be separated into a cold wallet and cold storage. We’ll explore storage options next time, but it’s crucial to remember at this moment that a hardware device, in the best scenario, is a simple form of cold storage without additional safeguards.

It may be possible, but it is not the default setting.

Based on practice, a hardware wallet cannot be considered truly cold if:

For most people, this approach may seem unnecessary or contrived, but everything described above and below suggests otherwise. Thus, for me, Trezor, Ledger, and others are reliable hardware wallets that can become cold under specific conditions but do not inherently qualify as such.

So when newcomers are told: “I bought a hardware wallet—now I can relax,” that feeling of calm is misplaced. Finding an encrypted seed phrase for wallets that never “existed” online is one thing; attacking even the most advanced hardware wallets is another. And yes, I’ll reiterate for the third time: the Bybit hack is the best proof of this. Study it.

The conclusions are yours to draw. The focus should be on choosing a non-custodial, open-source wallet running on a specialized device with a secure element and additional protective measures, used as one of the signers in a multisig setup.

In practice, hot wallets are most often:

Meanwhile, it’s unnecessary to treat custodial wallets as cold storage: you can do so, but there’s no need. Proprietary wallets should be excluded as well.

Cold wallets typically fall into two subtype categories:

Ultimately, this presents us with:

While this is merely the first layer of evaluation, it remains extremely important and helps navigate a rapidly evolving landscape.

My goal was not to provide an academic overview of the variety of cold wallets or to promote specific solutions but rather to describe a methodology that assists in organizing cold storage in practice while detailing the perception of cold wallets. This is a situation where it’s better to overthink and aim for rigour than to dismiss concerns after acquiring any hardware solution.

I believe I have fulfilled that task. For those seeking more, two additional sections are provided below.

**List:**

As you may have guessed, this pertains to charity: supporting social assistance funds, non-profit Web3 startups, NFT artists, and so on. In the vast majority of cases, your contributions will be well-utilized. However, as they say, that’s entirely another story.