Self-Custody: Where and How to Store your Crypto Safely
Crypto Basics

Self-Custody: Where and How to Store your Crypto Safely

Created 1yr ago, last updated 1yr ago

Safely storing your crypto holdings should be one of your new year resolutions — learn how with CoinMarketCap Academy.

Self-Custody: Where and How to Store your Crypto Safely

Table of Contents


Cold cold heart, hard done by you…This well-known chorus could very well sum up 2022 for most crypto investors, as 2021’s new highs mutated into some pretty bad lows during another controversial Crypto Winter.

And we’re not just talking about the downward price action. This year has seen some of our biggest industry “champions” fall from grace as their empires collapse like a house of cards, costing investors tens of billions in lost or stolen funds.

This has resulted in a large number of users moving funds off exchanges in order to protect their assets, despite exchanges scrambling to come up with new transparency features such as Proof-of-Reserve (learn about CoinMarketCap’s new tracker here).
So with crypto’s annus horribilis nearly at end, the big question for 2023 is (yet again):

Where and how do I store my crypto safely?

The answer remains: Self-custody, where only you safekeep and control your crypto assets.

If you’re new to crypto or need a refresher on how and where to self-custody your crypto in a private wallet (also known as an unhosted or non-custodial wallet) and protect it from all those cold cold hearts in crypto, preferably in cold storage,  this article is for you.

First, let’s review the crypto’s recent custodial carnage that brought us to this point.

Join us in showcasing the cryptocurrency revolution, one newsletter at a time. Subscribe now to get daily news and market updates right to your inbox, along with our millions of other subscribers (that’s right, millions love us!) — what are you waiting for?

Crypto Custodians Fall Like Dominoes

The shocking demise of SEC darling Sam Bankman Fried’s exchange FTX and trading firm Alameda Research over a few days in November 2022 has cost the industry billions of dollars in lost funds, resurrecting its former image as a Wild West of unregulated finance from the Mt. Gox days, and exposed an insidious underlayer of alleged mismanagement and criminality that shocked even Enron veterans.
It has put another huge dirty nail in the coffin of centralized crypto custodians who are now seemingly teetering like a house of cards instead of providing the stability and yield they, as trusted financial intermediaries, promised during better times (yes, only last year).
It can be argued that FTX and other CeFi firms like Celsius, 3 Arrows Capital, BlockFi, Voyager, Genesis and others have all been wiped out by the domino effect that Luna Terra’s collapse earlier this year set off. As its contagion spread across the industry, interconnected custodial lenders and borrowers who were secretly using high-risk leverage with customer funds to offer high yield to investors were eventually exposed and claimed by the fallout.
With the confidence in these crypto custodians and exchanges at all time lows, it seems we’ve gone full circle and need to return to crypto’s core value: self-custody.

Proof-of-Keys vs Proof-of-Reserves

On Jan. 3, 2019, a new movement started on the 10th anniversary of Bitcoin’s genesis block in the midst of the last brutal crypto winter. Called “Proof-of-Keys,” it implored all exchange users to temporarily take their crypto off them to see if these entities actually held all the user digital assets they claimed to.

While the idea is laudable, it's supposed to be more rhetorical than practical, highlighting the most important truth in all of crypto:

Not Your Keys, Not Your Crypto.

Let’s repeat that one more time.

Not Your Keys, Not Your Crypto.

Meanwhile, post-FTX crypto exchanges, led by industry leader Binance, have created their version of Proof-of-Keys to provide better transparency and peace of mind for users. Called Proof-of-Reserve, this is the self-disclosing of user deposit holdings and proves that an exchange is as liquid as they say. However, it doesn’t necessarily reflect any liabilities that the exchange or custodian might be holding. CoinMarketCap introduced a new Proof-of-Reserve tracker on our site in November to help users check on centralized crypto exchanges’ reserves.

The truth is that crypto like Bitcoin was created to remove the need for financial intermediaries, thanks to its trustless, immutable and decentralized nature. However, as the crypto industry grew, centralized exchanges and custodians came to market to service users' needs, providing ease of access to cryptocurrency. Unfortunately, the outsized influence of these centralized entities allowed it to get away with many things — from misusing users funds to outright fraud.

Evidently, proof-of-keys is as important as ever.

Self-Custody Basics

OK, back to self-custody.

Firstly, in order to move your funds off exchanges and self-custody your crypto, you’re going to need a non-custodial wallet which only you control.

There are two broad categories to understand:

1. Cold Wallets (offline): hardware wallets, paper and steel wallets
2. Hot Wallets (online): software and browser-based wallets
In recent years, hot wallets and cold wallets have gravitated to become more like the other. Hot wallets, considered more insecure as they’re connected to the Internet, have become more secure thanks to new biometric measures such as fingerprint and retina sign-ins on the devices they’re kept on, such as phones and computers. Meanwhile cold storage wallets, known as hardware wallets, have upped their game considerably, giving users safe access to DeFi, NFTs and Web3 applications.

What Is a Cold Wallet?

Cold wallets are offline crypto wallets that are never connected to the Internet and therefore cannot be remotely accessed by third parties online. These physical wallets keep your crypto in what is called cold storage and are considered the most secure wallets out there.

There are three main types: a paper wallet, steel wallet and hardware wallet.

  • A paper wallet is simply a paper printout or written recording of your private key or recovery seed phrase on a piece of paper.
  • A steel wallet is a virtually indestructible metal wallet that is resistant against environmental damage like fire or water.
  • A hardware wallet is a dedicated device that keeps your private key safe and signs transactions on your behalf with it.
While paper wallets are free, steel wallets and hardware wallets can cost anything from $50 to $400, based on their features. Unfortunately, paper wallets and steel wallets do not offer any further functionality other than protecting your private keys or seed phrase, and this makes them unsuitable to partake in the wonderful new worlds of decentralized finance (DeFi), GameFi, non-fungible tokens (NFTs) and Web3, to name a few.

For that, you’re going to need a hardware wallet (or a hot wallet).

One more thing: paper and steel wallets usually require the private key or recovery seed to be generated on an electronic device first. This could potentially leave a digital copy behind that can be found and exploited by hackers or other device users. The best hardware wallets allow users to create their wallets on the device itself, without connecting to a phone or computer.

What Should I Know About Hardware Wallets?

Hardware wallets, interchangeably called cold wallets, are sophisticated electronic devices that keep your private key off the internet at all times. However, they can differ wildly in quality and price.

To pick one that is right for you, it’s best which of the following features you value most:

1. Security

2. Form factor

3. Convenience

4. Coin support

5. Functionality


Most hardware wallets offer various biometric and air-gapped features to enable cold storage. However, the top ones also use a special microprocessor chip called a secure element (SE) to protect them against unauthorized private key access or device tampering.

You’ll usually see an SE boast a security rating that ranges from EAL5+ to EAL7+. EAL (or CC EAL) stands for Common Criteria Evaluation Assurance Levels and helps to validate that a certain system or device (like a flagship smartphone, hardware wallet or e-passport) meets a defined and standardized set of security requirements.

A higher EAL usually brings a higher price tag, but doesn’t necessarily mean a device is always more secure, just that it was more stringently evaluated, and may have provided its security features more reliably. The process can be very subjective. Therefore, anything from 5+ should be more than adequate.

NGrave, which recently partnered with Binance Labs, boasts an EAL7+ SE, but also comes with a hefty price and limited coin support. Still, it is touted to be as cold as you can get.

Meanwhile, market leader Ledger’s Nano X and S models respectively have EAL6+ and EAL5+ secure elements, which is the same as mobile hardware wallet CoolWallet’s Pro and S models.

SafePal S1 sports a 5+ SE, while cold storage pioneer Trezor surprisingly doesn’t have secure elements in its wallets, preferring to use a single open-source chip base instead that it has perfected over time.

In a dispute between Trezor and Ledger a few years back, the Trezor CEO quoted the “$5 wrench attack”, which implies that your cold storage security is only as good as how well you protect it and yourself. If you were to be threatened with physical violence for example, you may disclose its location and provide access to it, making the secure element irrelevant.
Air-gapped wallets,such as NGrave, Ellipal Titan and Keystone, also appeal to crypto holders who want their wallets completely isolated from all external communication, such as even a USB cable.

Form, Factor and Convenience

Most cold wallets (such as Ledger and Trezor) use a tethered USB interface to connect with a personal computer, making them quite bulky in the process. Hardware wallets that are standalone (e.g. SafePal) or solely connect over encrypted Bluetooth to a mobile phone are usually slimmer and easier to carry around without drawing attention.

The slimmer the device, the less opportunities there are for supply-chain tampering before it gets to you. Also consider if you want to safekeep the device at home or take it with you wherever you go.

In this case, you may want to look at other factors like environmental durability and warranty. The bank card-sized and waterproof CoolWallet Pro and other similar mobile-only wallets like KeyCard are marketed as an on-the-go hardware wallet to keep close and use without drawing attention.

Functionality and Coin Support

Hardware wallets have historically supported much fewer coins than software wallets, since they require more integration and security tests to maintain their overall integrity. However, this is not the case anymore, and many now offer full support for most leading layer-1 and layer-2 chains and their ecosystem tokens.

Furthermore, their accompanying computer or phone apps (such as Ledger Live) allow users access to a full range of DeFi and NFT integrations such as WalletConnect, MetaMask, Uniswap and OpenSea where they can buy, trade and store assets as they wish. This is especially important in light of 2022’s repeated phishing campaigns targeting users of these platforms, most notably OpenSea.

Hot Wallets: What to Know

A hot wallet is a crypto wallet application that is connected to the internet. This makes it conveniently quick and easy to move funds around or interact with decentralized exchanges and applications (DApps).

However this online access exposes your crypto to increased risks of hacking and scamming, as your wallet security relies heavily on the security of the device (e.g. phone or computer) it is hosted on.

Your funds can also be compromised and redirected if you’re not careful, for example if you click on a phishing link or sign the wrong smart contract, as we saw with the OpenSea blind signing scandal earlier this year. This is something that hardware wallets protect against as the bad actor requires physical access to the device to execute a transaction.

Hot wallets can be divided into:

1. Software wallets: software application that is installed and run on a phone or computer
2. Browser-based wallets: a browser extension that runs within a web browser.

Hot wallets are the most popular form of self-custody wallets, as they are free to download and easy to use once set up. With the advent of Web3, many have now pivoted in order to be positioned as Web3 wallets.

What Is a Web3 Wallet?

Web3 wallets are decentralized, feature-rich crypto wallets that are easy to use, support multiple chains in most cases, can store and trade users’ cryptocurrency and NFT assets, and interact seamlessly with DApps and compatible websites.

These wallets do not keep a user’s private keys or recovery seeds, so you’ll need to store it yourself. Also, your Web3 hot wallet security is only as good as the security of the device you host it on, although you can also set up passwords and biometric logins for the wallet itself in most cases to add additional safety layers.

Some of the most popular wallets currently are:

  • MetaMask (for Ethereum and EVM-compatible chain assets)
  • TrustWallet (Binance-backed multi-chain wallet),
  • Phantom (Solana),
  • Exodus (multi-chain support)
MetaMask is the most used crypto wallet in the world thanks to its incredible versatility and ease of use that provides smooth access to hundreds of thousands of EVM-based DeFi and NFT applications and assets, but drew a lot of flak in November 2022 when Consensys, its creator, disclosed that its API tool Infura were collecting users’ wallet and IP addresses.

What Are Multi-Sig And MPC Wallets?

Other exciting technologies are multi-party computation (MPC) and multi-signature (multi-sig) wallets which replace the need to be solely responsible for safekeeping your recovery seed or private key. MPC and multi-sig wallets are mostly used by institutional firms who require for security purposes that more than one person be involved in order to access funds.

In short, multisig wallets require a number of people to sign a transaction in order to approve it. This ensures that hackers or a bad actor or two within a firm cannot steal funds.

MPC wallets like ZenGo work similarly in a way, dividing its private key and control between a few different devices or cloud servers that store equivalent mathematical “secrets.” Only when they are joined together can funds be accessed. MPC wallets can also create single-use and time-limited dynamic keys and use enhanced security measures and encryption like ECDSA, and threshold and Schnorr signatures.

For the purposes of this article though, we’re going to assume you are riding solo with your crypto self-custody.

Here are 11 tips to stay safe.

11 Self-Custody Tips

1. Only download a wallet application from the official app store or website in order to avoid fake or modified phishing versions.

2. Ensure your wallet devices are always updated to the latest official firmware or software available.

3. Always keep your recovery seed phrase or private key safe from third parties and environmental hazards such as fire and water.

4. Never generate or store a digital copy of your recovery seed or private key. Even your printer could keep a digital copy. Write it down instead.

5. Use 2 factor-authentication (2FA) and biometric verification (fingerprints, patterns etc) on your phone or laptop if you have a software wallet or use a hardware wallet application.

6. Be careful which smart contracts or Dapps you interact with, and avoid blind signing where possible.

7. Research the safety of any browser extensions before you install them.

8. Spread your portfolio out over a few different hardware and software wallets to ensure your crypto eggs aren’t all in one basket.

9. Get two or more hardware wallets if you can. Keep one at home to safeguard your long term holdings, and use a mobile hardware wallet to use DeFi and Web3 applications on a frequent basis.

10. Use different wallets and email addresses when you take part in airdrops, and keep only the minimum funds there.

11. Use a VPN where possible to protect your anonymity against hackers and scammers.

Do We Need Centralized Exchanges At All?

Not all centralized crypto exchanges (CEXs) are bad apples, and established ones like Binance, Coinbase and Kraken have done much over the years to advance and self-regulate the industry, diligently protecting their customers.

CEXs will continue to be a major primary onramp to attract new users, the lifeblood of crypto, to the space, offering great sign-up incentives, convenient log-ins that require no private key or seed phrase, and easy tools to convert your fiat into crypto and vice versa.

After the lessons learned (the hard way) in 2022, many have touted that instead of shunning centralized exchanges, it can be used as an on-ramp from fiat, quickly trading from crypto to crypto, and then transferring and holding the bulk of your crypto assets on cold storage for the long term.

The Proof-of-Reserves initiative, where exchanges voluntarily and transparently disclose their holdings to third parties for auditing and verification, is an important step in the right direction for exchanges.

As new anti-money laundering (AML) measures such as the FATF Travel Rule, which requires exchanges to share user information with each other for all transactions over $1,000, become globally implemented, this will also help to better regulate the space, deterring bad actors from entering. So in short, yes, centralized exchanges will continue to have a place in crypto if they can manage to clean their house. When they behave like FTX though, they set the entire industry back years.
If you’re going to use a centralized exchange, take a close look at their track record and user reviews.

Final Thoughts

This article shows a wide variety of options at your disposal to self-custody your crypto. However, self-custody comes with its own risks, such as losing or exposing your keys, getting hacked, scammed or worse case, physically attacked.

For example, what happens if you lose access to your private key or recovery seed? It’s pretty much bye bye crypto, as these poor souls who lost millions have found out. To try and guess a private key or recovery seed is practically impossible. Even if a brute force attack of a billion computers tried a billion keys a second for a billion years, they’d still have less than a 1-in-a-billion chance to crack your private key.

Self-custody requires commitment, dedication and full responsibility for your crypto assets. Good luck on your new journey!

This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.
7 people liked this article