Institutional Crypto Custody: How Cold Custody Secures Digital Assets

The history of finance is, in many ways, the history of safekeeping. Gold was locked inside vaults, cash secured within bank branches, and securities evolved from paper certificates to electronic records held by central securities depositories. The objective never changed: protect something tangible from theft, loss, or destruction.

Digital assets introduced a different challenge. A bitcoin does not sit inside a vault; an ether token is not stored on a server. Cryptocurrencies exist only as entries on distributed ledgers, and ownership is determined exclusively through control of a cryptographic private key. Possession transfers assets, loss can mean permanent loss of access, and theft transfers control instantly and irreversibly.

The stakes are not theoretical. An estimated 20% of all bitcoin, roughly 3.7 million BTC, is believed permanently lost to forgotten keys and discarded drives. Major failures turned custody from a technical footnote into a board-level priority:

| Year | Event | Loss | Custody lesson |
|------|-------|------|----------------|
| 2014 | Mt. Gox collapse | ~850,000 BTC | Exchange commingling and weak controls |
| 2019 | QuadrigaCX | ~$190M inaccessible | Key-person risk: sole control of keys |
| 2022 | FTX failure | ~$8B in client funds | No segregation, no governance, no proof of reserves |
| 2025 | Bybit hack | ~$1.5B | Signing-process and operational-security compromise |

The challenge is no longer safeguarding an asset; it is safeguarding the means of controlling it.

The industry’s first response to this challenge was cold storage: keeping private keys offline and disconnected from internet-facing systems to reduce the risk of cyberattacks. While effective at protecting keys, cold storage alone addresses only one part of the custody equation.

As digital assets gained institutional adoption, a broader framework emerged: cold custody, which combines offline key protection with governance, operational controls, segregation of duties, disaster recovery, and auditable processes designed for institutional-scale asset protection.

Understanding how digital asset security evolved from cold storage to cold custody is essential for understanding how regulated institutions safeguard client assets today. Let’s examine what each term means and the key differences between them.

Key takeaways

  • Digital assets exist only as ledger entries; ownership equals control of a private key, so custody means protecting the key, not the asset.
  • An estimated ~20% of all bitcoin (~3.7M BTC) is permanently lost, and failures from Mt. Gox (2014, ~850k BTC) to FTX (2022) and the Bybit hack (2025, ~$1.5B) show why robust custody matters.
  • Cold storage is a technique; cold custody is an architecture, layering physical security, cryptography, governance, operations, and disaster recovery.
  • Institutions rely on distributed trust (multi-signature, HSMs, and MPC) so no single person, device, or location can move assets alone.
  • The frontier is the pursuit of “absolute cold”: removing every avoidable assumption of trust across the custody stack.

Cold Storage vs Cold Custody: The Difference in Institutional Crypto Custody

The Evolution of Cold Storage

Cold storage began with a simple principle: keep private keys offline. Early users relied on paper wallets and later fireproof metal backups, eliminating online attack vectors but creating a new problem: the key remained dependent on a single person and a single physical location.

Hardware wallets improved security by generating and storing keys in dedicated offline devices, making self-custody practical for millions. But they still concentrate control in a single device and individual, creating risks if the device is lost, stolen, or damaged.

In short, cold storage solved online exposure. It did not solve governance, operational resilience, or institutional-scale risk management. That gap is what cold custody was designed to address.

 

Cold Custody: True Digital Asset Safeguarding

Institutional crypto custody, often called cold custody, is the practice of securing private keys that control digital assets in a permanently offline, multi-layered environment. Physical security protects the infrastructure from unauthorised access, while cryptographic controls protect the key material itself. Governance frameworks ensure no individual can move assets unilaterally, operational procedures create accountability and oversight, and disaster recovery provides resilience against catastrophic events.

For regulated providers, the architecture extends further into insurance coverage, proof-of-reserves attestations, and compliance with applicable custody, safeguarding, and digital-asset regulatory frameworks, such as the SEC custody rules in the US and the EU’s Markets in Crypto-Assets (MiCA) regulation.

The terms are often used interchangeably, but they describe different things. Cold storage is a technique: keeping private keys offline. Cold custody is an operating model: the full architecture of people, processes, and controls that protects those keys at institutional scale. Cold storage is one layer inside cold custody.

| | Cold Storage | Cold Custody |
|---|---|---|
| What it is | A method: keeping keys offline | An architecture: an end-to-end safeguarding system |
| Scope | Network isolation only | Physical, cryptographic, governance, operational & recovery layers |
| Single point of failure | Yes, one device, person, or medium | Engineered out via distributed trust |
| Key control | Typically one holder | Multi-sig / MPC / HSM; no unilateral access |
| Built for | Individuals, retail self-custody | Institutions, funds, treasuries, family offices |
| Governance & oversight | Minimal or none | Approval workflows, audit, segregation of duties |
| Resilience | Vulnerable to loss, theft, disaster | Geo-distributed backups, disaster recovery, insurance |
| Assurance | Self-managed | SOC 1 / SOC 2, proof-of-reserves |

Source: AMINA Bank

In short: every institution uses cold storage, but cold storage alone is not custody. Cold custody is what turns “keys kept offline” into a system regulated entities can trust with client assets.

The spectrum of cold custody

“Cold storage” suggests a single approach, but the reality is a spectrum, ranging from simple personal methods to some of the most secure facilities ever constructed.

| Tier | Method | Typical user | Trade-off |
|------|--------|--------------|-----------|
| Basic | Paper wallet / metal backup | Retail | Simple, but single point of failure |
| Standard | Hardware wallet | Retail / prosumer | Portable, but device-and-person concentrated |
| Niche | Sound wallet (keys as audio) | Hobbyist | Obscure by design; fragile media, complex recovery |
| Institutional | Multi-sig / MPC + HSM | Funds, treasuries | Distributed trust; operationally complex |
| Deep cold | Air-gapped, geo-distributed, bunker-grade | Custodians, UHNW | Maximum security; deliberately slow to transact |

Source: AMINA Bank

At the obscure end sits the sound wallet, where encrypted keys are converted into audio and stored on CDs, USB drives, or even vinyl. A burglar recognises a hardware wallet instantly, but not a record. It remains a niche curiosity.

At the opposite end are deep cold storage frameworks relying on permanently air-gapped computers, independently sourced hardware, mechanically generated entropy, and geographically distributed backups, where security is prioritised far above convenience.

When vaults protect mathematics

As digital-asset values rose, a new category of custody emerged for institutions, family offices, and ultra-high-net-worth individuals. Some of the most advanced facilities operating today sit inside former military bunkers carved into mountainous terrain, originally built to withstand geopolitical threats and now repurposed to protect cryptographic secrets.

The controls resemble defence infrastructure more than financial services: layered biometric authentication, photographic identification, controlled-access chambers, continuous monitoring, and electromagnetic shielding to mitigate interference. Signing environments stay permanently disconnected from external networks, and transactions are authorised through controlled procedures in which only signed transaction data leaves the secure environment. The keys themselves never touch internet-connected systems.

The institutional shift toward distributed trust

A global financial institution cannot rely on a single employee holding a recovery phrase, nor depend on a single device for access to client assets. Such arrangements introduce operational bottlenecks, governance concerns, and key-person risk incompatible with institutional standards. The industry’s response has been distributed trust architectures:

| Primitive | How it works | Eliminates |
|-----------|--------------|------------|
| Multi-signature (multisig) | Requires m-of-n independent approvals (e.g. 3-of-5) to move funds | Single-approver risk |
| HSM (Hardware Security Module) | Tamper-resistant, FIPS 140-2/3 certified hardware that protects keys and signing | Key extraction / device tampering |
| MPC (Multi-Party Computation) | Splits cryptographic authority into shares; no complete key ever exists in one place | Whole-key existence at any moment |


Source: AMINA Bank

Providers often combine these primitives with Shamir’s Secret Sharing for backup and SOC 1 / SOC 2 Type II controls for assurance. More than technical innovation, this marks a philosophical shift: rather than only protecting secrets, modern custody seeks to eliminate concentrations of power, so that no individual, system, location, or process can become a single point of failure.

How institutions sign from offline storage

  1. A transaction is prepared on an online system.
  2. It is transferred into the air-gapped signing environment via a one-way channel (often QR codes or data diodes).
  3. The keys sign the transaction entirely offline, under the required m-of-n
  4. Only the signed transaction data leaves the secure environment to be broadcast. The private keys never touch an internet-connected system.
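The approval gate in step 3, as an added example (not AMINA's or any custodian's implementation): inside the air-gapped environment, an approval counts only if it comes from a distinct authorised approver and binds to the digest of the exact transaction bytes that arrived. The approver names, transaction fields and HMAC tags standing in for per-approver signatures are assumptions that keep the sketch on the standard library.

```python
import hashlib
import hmac
import json

THRESHOLD = 3  # m in the m-of-n policy (3-of-5, the example the page gives)

# Constructed approver keys. Assumption: HMAC secrets stand in for the
# per-approver signing keys a real deployment would keep on separate devices.
APPROVER_KEYS = {
    f"approver-{i}": hashlib.sha256(f"constructed-demo-key-{i}".encode()).digest()
    for i in range(1, 6)
}

def tx_digest(tx: dict) -> bytes:
    """Hash a canonical encoding so every party hashes identical bytes."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()

def approve(approver: str, tx: dict) -> dict:
    """What an approver's device emits after reviewing the transaction."""
    tag = hmac.new(APPROVER_KEYS[approver], tx_digest(tx), hashlib.sha256).hexdigest()
    return {"approver": approver, "tag": tag}

def quorum_met(tx: dict, approvals: list[dict]) -> tuple[bool, str]:
    """Run offline, before any key is used, on the payload that crossed the air gap."""
    digest = tx_digest(tx)
    valid = set()                      # a set gives each approver one vote
    for a in approvals:
        key = APPROVER_KEYS.get(a.get("approver"))
        if key is None:
            continue                   # not on the authorised list
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, str(a.get("tag", ""))):
            valid.add(a["approver"])   # tag binds to this exact transaction
    if len(valid) < THRESHOLD:
        return False, f"only {len(valid)} of {THRESHOLD} required approvals bind to this payload"
    return True, "quorum met"

def run_cases() -> dict:
    """Constructed sample inputs covering the accept case and three reject cases."""
    tx = {"to": "bc1q-constructed-destination", "amount_sats": 250_000_000, "nonce": 17}
    good = [approve(f"approver-{i}", tx) for i in (1, 2, 4)]
    altered = dict(tx, to="bc1q-constructed-other")   # payload changed after approval
    padded = good[:2] + [{"approver": "approver-9", "tag": good[0]["tag"]}]
    return {
        "three distinct approvers": quorum_met(tx, good)[0],
        "one approver repeated": quorum_met(tx, [good[0]] * 3)[0],
        "payload altered after approval": quorum_met(altered, good)[0],
        "unknown approver pads the count": quorum_met(tx, padded)[0],
    }

if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'sign' if ok else 'refuse'}")
```

Because each tag covers the canonical transaction bytes, an approval given for one destination or amount cannot be reused for another, so what reviewers saw and what gets signed cannot diverge unnoticed.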

The pursuit of absolute cold

The evolution of cold custody is best understood as the gradual removal of assumptions:

  1. The first generation removed the assumption that internet-connected systems could be trusted.
  2. The second removed the assumption that a single storage medium would survive indefinitely.
  3. The third removed the assumption that one device should control access.
  4. The fourth removed the assumption that one individual should authorise transactions.

The most advanced architectures are defined not by a specific technology but by a philosophy: systematically identifying and eliminating avoidable risk across every layer. While absolute security may remain unattainable, the pursuit of absolute cold continues to drive innovation across the industry.

Conclusion

The history of cold custody is the story of an industry learning to protect a secret that can control extraordinary value. What began with paper wallets has evolved into architectures combining cryptography, physical security, governance, distributed computing, and operational resilience. The most important lesson is that security cannot be reduced to a single device, facility, or technology. As digital assets integrate further into the global financial system, the line between good custody and exceptional custody will be drawn not by where assets are stored, but by how comprehensively risk has been engineered out of the system.

Frequently Asked Questions

Q. What is cold custody in crypto?
Cold custody is the practice of securing the private keys that control digital assets in a permanently offline, multi-layered environment. It combines air-gapped infrastructure, distributed cryptography, governance controls, and operational oversight to remove single points of failure, going well beyond simply keeping keys offline.

Q. What’s the difference between cold storage and cold custody?
Cold storage refers narrowly to keeping private keys offline. Cold custody is a broader architecture that adds physical security, distributed cryptography, governance, operational procedures, and disaster recovery. In short, cold storage is one component; cold custody is the complete system institutions rely on to safeguard assets.

Q. What is the difference between a hot wallet and cold storage?
A hot wallet is connected to the internet for fast, frequent transactions but is exposed to remote attack. Cold storage keeps keys offline for security at the cost of convenience. Institutions typically hold the large majority of assets (often 95% or more) in cold storage and only a small operational float in hot wallets.

Q. What percentage of crypto do institutions keep in cold storage?
Most institutional custodians keep the overwhelming majority, commonly 95% to 98%, of assets in cold storage, retaining only a small hot-wallet balance for day-to-day liquidity and withdrawals.

Q. Is cold storage 100% safe?
No. Cold storage eliminates online attack vectors but remains exposed to physical theft, hardware failure, insider misconduct, and human error. True security comes from layering cold storage with distributed cryptography, governance, and disaster recovery, reducing risk across every layer rather than relying on offline storage alone.

Q. What is the difference between MPC, multisig, and HSM?
Multisig requires multiple independent approvals to move funds. An HSM is tamper-resistant hardware that protects keys and signing. MPC splits cryptographic authority across multiple parties so no complete key ever exists in one place. Institutions often combine all three to eliminate single points of failure.

Q. How do institutions sign transactions from offline storage?
A transaction is prepared on an online system, then transferred to an air-gapped signing environment, often via QR codes or one-way data transfer. The keys sign it offline, and only the signed transaction data leaves the secure environment. The private keys never touch internet-connected systems.

Q. What happens to crypto if the private key is lost?
If a private key and all its backups are lost, the assets become permanently inaccessible, and no central authority can restore them. An estimated 20% of all bitcoin is believed lost this way, which is why institutional custody emphasises distributed backups and recovery procedures. The QuadrigaCX case, where roughly $190M became inaccessible after its founder’s death, is the cautionary example.

Q. Can cold storage be hacked?
Keys held in true cold storage cannot be reached remotely, so most “cold storage hacks” actually exploit the signing process, insider access, or social engineering rather than the offline keys themselves. The 2025 Bybit incident illustrated how attackers target the transaction-approval workflow, not the cold keys directly.

Q. Are crypto custodians insured and regulated?
Many institutional custodians carry insurance and operate under regulatory frameworks, such as qualified-custodian rules in the US and comparable licensing, prudential, or digital-asset regulatory regimes in other jurisdictions. They may also publish SOC 1 / SOC 2 Type II reports and proof-of-reserves attestations. Coverage and oversight vary significantly, so due diligence is essential.

Q. What is a qualified custodian?
A qualified custodian is a regulated entity, such as a bank or trust company, authorised to hold client assets under specific legal and operational standards. For institutions, using a qualified custodian provides regulatory clarity, segregation of assets, and stronger investor protections than self-custody.

Disclaimer – Research and Educational Content

This document has been prepared by AMINA Bank AG (“AMINA”). AMINA is a Swiss licensed bank and securities dealer with its head office and legal domicile in Switzerland. It is authorised and regulated by the Swiss Financial Market Supervisory Authority (“FINMA”).

This document is published solely for educational purposes; it is not an advertisement nor a solicitation or an offer to buy or sell any financial investment or to participate in any particular investment strategy. This document is for publication only on AMINA website, blog, and AMINA social media accounts as permitted by applicable law. It is not directed to, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation or would subject AMINA to any registration or licensing requirement within such jurisdiction.

Research will initiate, update and cease coverage solely at the discretion of AMINA. This document is based on various sources, incl. AMINA ones. In preparing this document, AMINA may have made limited use of artificial intelligence–enabled tools to assist with research, summarisation, and drafting, with all content subject to human review and validation.

No representation or warranty, either express or implied, is provided in relation to the accuracy, completeness or reliability of the information contained in this document, except with respect to information concerning AMINA. The information is not intended to be a complete statement or summary of the subjects alluded to in the document, whereas general information, financial investments, markets or developments. AMINA does not undertake to update or keep current information. Any statements contained in this document attributed to a third party represent AMINA’s interpretation of the data, information and/or opinions provided by that third party either publicly or through a subscription service, and such use and interpretation have not been reviewed by the third party.

Any formulas, equations, or prices stated in this document are for informational or explanatory purposes only and do not represent valuations for individual investments. There is no representation that any transaction can or could have been affected at those formulas, equations, or prices, and any formula(s), equation(s), or price(s) do not necessarily reflect AMINA’s internal books and records or theoretical model-based valuations and may be based on certain assumptions. Different assumptions by AMINA or any other source may yield substantially different results.

Nothing in this document constitutes a representation that any investment strategy or investment is suitable or appropriate to an investor’s individual circumstances or otherwise constitutes a personal recommendation. Investments involve risks, and investors should exercise prudence and their own judgment in making their investment decisions. Financial investments described in the document may not be eligible for sale in all jurisdictions or to certain categories of investors. Certain services and products are subject to legal restrictions and cannot be offered on an unrestricted basis to certain investors. Recipients are therefore asked to consult the restrictions relating to investments, products or services for further information. Furthermore, recipients may consult their legal/tax advisors should they require any clarifications.

At any time, investment decisions (including, among others, deposit, buy, sell or hold investments) made by AMINA and its employees may differ from or be contrary to the opinions expressed in AMINA research publications.

This document may not be reproduced, or copies circulated without prior authority of AMINA. Unless otherwise agreed in writing, AMINA expressly prohibits the distribution and transfer of this document to third parties for any reason. AMINA accepts no liability whatsoever for any claims or lawsuits from any third parties arising from the use or distribution of this document.

©2026 AMINA, Kolinplatz 15, 6300 Zug

Authors

Dhruvang Choudhari

Crypto Research Analyst AMINA India
