Cold Wallets: Navigating Access Below Zero

By mid-2025, you are probably confident that you know the difference between cold and hot wallets. An extensive article by Web3 researcher Vladimir Menaskop may well convince you otherwise, while also showing how to truly safeguard your assets from unauthorized access.

There’s often confusion between hardware wallets and cold wallets, with the latter frequently associated with a specific brand.

For instance, a post on Reddit mentions: «I’ve been investing in Bitcoin for the last six months and am now considering buying a cold wallet. From what I understand, there are three main choices: 1) Trezor; 2) Ledger; 3) Jade.»

Or take this message from a DeFi chat shared with me recently: «Cold wallets don’t store coins; they hold keys for accessing wallets across different networks — that’s it.»

To make matters worse, even specialized media outlets often blur these definitions, conflating one with the other. There are instances where articles list hardware wallets in discussions about cold wallets, and others that attempt to differentiate cold wallets from hardware wallets, yet still err regarding multi-signature wallets.

Moreover, even IT security companies sometimes confuse the two concepts, stating: «Hardware wallets, a category that includes cold wallets, are physical devices and are harder for attackers to target as they exist offline and in the real world.»

It’s not merely a debate over terminology; a flawed understanding of the functionalities of hardware and other wallets contributes to frequent hacks, although these wallets are designed to prevent such occurrences. Therefore, I’ve dedicated this article to clarifying these issues.

I must emphasize that my approach is pragmatic rather than academic, so the classifications won’t be exhaustive, but the criteria will directly address specific issues at hand.

To comprehend how this all applies in practice, let’s delve deeper into the nuances of cold storage.

Let’s consider two straightforward scenarios.

In the first, you manually generate a seed phrase (or use a semi-automatic method), transfer it to a metal medium, and execute your first test transaction to one of many wallets.

But what comes next?

Most people will want to verify their holdings, because seeing doesn’t equate to owning. As a result, cold wallets in everyday use rarely go without outgoing transactions. (In some cases, verification can occur in different ways, but that’s a topic for another day.)

The second scenario involves multi-signatures. Yes, you can create a multi-signature setup on the same Safe without incurring transaction fees (similarly to fee-less payments available from MetaMask or Rabby), but does the multi-signature remain offline during this time? Essentially, it comprises a series of smart contracts, leading to a singular conclusion: «No.»

Certainly, if you dig deeper, access levels, familiar to many Linux users, are defined here: write, edit, and so forth. In terms of editing (sending transactions), a multi-signature wallet will remain offline for a considerable period.

Where are the keys for these multi-signatures stored? Unlike hardware wallets like Trezor, Ledger, and SafePal, this scenario will not contain private keys at all.

To be precise, private keys for signers and a concatenation of public keys exist, allowing us to state that:

*“A multi-signature is a smart contract that executes an operation only if it is signed by several previously associated private keys. The number of required signatures is termed the threshold.”*

Let’s enumerate:

This last point is crucial, especially when recalling the Bybit hack. They employed an onboarding process through hardware wallets that utilized multi-signatures in Safe, which proved ineffective due to the signers overlooking numerous obvious mistakes following the Radiant, WazirX, and similar hacks. (As further proof, there are two examples from Ledger’s practices where the device itself wasn’t compromised, but rather the surrounding infrastructure was, via traditional paper phishing letters, and through cloning.)

In today’s environment, neutrality is vital: MetaMask, for example, has stated its dedication to sanctions and related blocking, while Ledger released an anti-base for seed phrase preservation.

Let’s attempt to explore cold storage from another perspective: the synthetic one.

First, I’ll list specific implementations of cold storage (we’ll generalize wallet and storage here, as this is another significant topic requiring its own investigation):

In reality, cold wallets can be categorized into two types:

Examples include:

Simple ones are precisely hardware, paper, and the like, which are used sparingly and strictly for their intended purpose. In contrast, complex wallets combine multi-signature setups with hardware wallets or split seed phrases using Shamir’s method into three to five parts, each stored in vastly different formats. (Again, here we understand cold storage in a mixed sense).

Given the above, it’s crucial to grasp a significant argument: when discussing major projects, a cold wallet devoid of appropriate organizational, technical, economic, and legal standards is meaningless.

Cases like Bybit, Mt. Gox, various bridges, and Radiant serve as clear evidence. Yes, this is another reason why hardware wallets cannot be deemed cold 100% of the time. According to Euler diagrams, they only represent a partial intersection of unequal categories.

Now, let’s describe each sub-type.

**Sub-type #01: Metal Storage.** This refers to private keys (less often) and seed phrases (more often) recorded on metal (typically using titanium plates, e.g., CryptoSteel):

This method is reliable for storage in any locale: rust and fire pose no threat. However, it is risky if someone gains physical access to the plates. For that reason they are often split into parts stored with custodians, including in bank vaults (which presents a paradox: the most non-custodial crypto ends up stored in exactly the place it was created to avoid).

You can integrate steganography, mentioned earlier, and try concealing the plate (after verification) in a statue, for example.

**Sub-type #02: Paper Storage.** Writing seed phrases and private keys on paper is classic. It’s advisable to use different writing tools (regular pencil, ink) on various mediums (cardboard, paper, notebook pages) and create two or three copies. Hide them where even you won’t think to look.

Steganography is key. Conceal phrases in books, children’s drawings; use lemon juice and other invisible inks. Live in the UAE? Write in Chinese. Live in China? Use Georgian. Any additional level of security is valuable here.

And always avoid writing the entire phrase; keep a few words “in reserve.” This won’t prevent hacking: two or three words can be reconstructed rather quickly, but if you discover a theft, it allows time to act.

**Sub-type #03: Multi-signature.** This can be discussed extensively, but thus far, nothing has surpassed Safe: the Bybit hack has proven this too. However, it also showed that merely having a Safe multi-signature isn’t enough; one must possess resolute nerves and sound judgment to avoid treating $1.4 billion like $1.4.

Yet again: even the combination of “hardware wallet plus multi-signature” isn’t adequate for cold storage. The following secure transfer protocols must be observed:

**Sub-type #04: Backup Cards.** These are solutions that resemble hardware or offline wallets, yet differ in functionality and in how they are used.

**Sub-type #05: Hardware Wallets.** Many exist, but each has shown some vulnerability: offline hacks on various Trezor models, phishing attacks on Ledger, etc.

**Sub-type #06: Custom Smart Contracts with Specialized Software.** This may consist of any smartphone running Linux or Android with all communication modules disabled (or removable), such as Wi-Fi or Bluetooth. There are even specialized solutions like Purism.

**Sub-type #07: Exotic Solutions.** I will elaborate more on this.

Yes, such things do occur. Here are several examples for clarity, recognizing that they might not entirely fall under typical cold wallets but rather represent cold storage (while classifying them strictly as offline isn’t always necessary).

**Steganography**

This can take various forms, but here are illustrative examples:

Of course, technically this is still paper, metal, or digital forms, but organizationally, these are far more secure methods than just a list of obvious words.

**Temporography**

It would be remiss not to mention it. Here are a few basic examples:

Certainly, this isn’t exhaustive, but it’s a good starting point. Two key questions remain.

*“Part of the data is stored in encrypted form on the blockchain, while the other is engraved on metal plates in physical hideouts. Additionally, [Dutch Bitcoin enthusiast Didi] Taihuttu has implemented personal encryption, altering some words in the phrase. […] ‘Even if someone puts a gun to my head, I won’t be able to give away more than what’s on the wallet in my phone. And there’s not much there,’ Taihuttu stated.”*

**Cold Storage and Security**

If you’ve already answered the previous question, I recommend enhancing your personal security, which consists of the following elements:

The technical aspect was described above. If that’s insufficient, refer to the supplementary guide.

The economic aspect involves portfolio management and risk assessment. The legal aspect pertains to operating within specific jurisdictions and understanding their laws. The organizational element encompasses everything beyond the previous three: your working hours, responses to phishing attempts (including customizations), and other social attacks, interactions with people, and so on.

I won’t list everything, but I’ll cover the basics.

**Functionality vs. Security**

In cold storage, it’s crucial to select wallets based not on functionality but solely on reliability: functional wallets can be those used for testing or hot wallets.

Cold wallets must be:

**Phishing**

Regardless of the type of cold storage you choose, you, as a living individual, will always be the weakest link. So always follow the principle from Gregor Jordan’s film “Unthinkable”: if everyone thinks you’ve planted three “bombs,” there should actually be four or even five.

**Rule Number Zero**

It’s simple: anyone can be hacked, anytime and anywhere. It’s a matter of focus, resources, and effort involved. If it takes too long, costs too much, and yields less than expected, the hack likely won’t happen.

Of course, destructive attacks do always exist, but your personal security targets those. You are the last bastion; you are part of your cold storage.

First off, there’s a technical distinction that’s been explained on websites like Ledger’s:

*“Are cold wallets and hardware wallets the same? In reality, they represent two different concepts with varying use cases and levels of protection. Interestingly, both types can exist within a single wallet.”*

Yet, this statement acknowledges other scenarios, where hardware and cold storage differ significantly.

In simpler terms, you can create a combination of “MetaMask plus Trezor” and use it as a daily hot wallet, all while ensuring your keys remain secure from attacks that could occur if someone steals your MetaMask password in an online environment to access and withdraw funds. However, you will not be exempt from:

But, you can cold-store the same Trezor with a passphrase, which offers more peace of mind for at least a portion of your funds.

In 2025, offline access is often insufficient for reliable cold storage; thus, a hardware wallet is merely a part (and potentially a questionable one) of cold storage.

Cold storage itself can be distinguished between cold wallets and cold storage solutions. We’ll address storage in the future, but for now, it’s crucial to remember that a hardware wallet is, at best, simple cold storage without additional storage protocols.

It can be, but does not default to being so.

Based on practical experience, a hardware wallet cannot be cold if:

Many may find this approach excessive or contrived, but all that has been described above serves as evidence (to me) that it is not. Thus, in my view, Trezor, Ledger, and others are reliable hardware wallets that can qualify as cold storage under specific conditions, but should not be assumed to be so by default.

When beginners are led to believe the adage “I bought a hardware wallet — and now I’m safe,” that sense of security is artificial and misleading. Finding a secured seed phrase, even one never “born” online, is one thing; hacking hardware wallets, even the most advanced models, is entirely different. And yes, I reiterate for the third time: the Bybit hack stands as the best proof of that. Study it.

Consider this: focus on selecting a non-custodial, open-source wallet based on a specialized device equipped with security elements and other protective measures that serves as a signer within a multi-signature arrangement.

In practice, hot wallets are generally:

Custodial wallets should definitely not be treated as cold storage: they can be, but that’s not necessary. Proprietary wallets shouldn’t be cold storage either.

Cold wallets typically feature two sub-types:

In conclusion:

Of course, this is just the first level of assessment; nevertheless, it is crucial and helps guide your understanding in a rapidly changing world.

My aim was not to provide an academic exploration of the diversity of cold wallets nor to promote specific solutions, but rather to outline a methodology that assists in practically organizing cold storage while elucidating our understanding of cold wallets in particular. This is the case where it is better to overthink and overprepare than to act as if everything is fine after purchasing any hardware solution.

I believe I have achieved this goal. For those seeking more, two small sections follow below.

**List:**

As you may have guessed, this involves charity: supporting social assistance foundations, non-profit Web3 startups, NFT artists, and so forth. In most cases, your funds will definitely be well-utilized. However, as they say, that’s a whole different story.