Crypto Custody

The phrase “not your keys, not your coins” captures one of crypto’s most consequential design decisions: who controls the private keys that authorize asset movement. Custody determines whether you can be hacked, whether you can be exit-scammed, whether your heirs can recover assets after death, and whether regulators can seize or freeze holdings. For individuals, custody choices range from trusting an exchange (convenience, counterparty risk) to managing hardware wallets (security, complexity). For institutions managing millions or billions, custody is a regulated, compliance-intensive discipline involving licensed custodians, insurance, regulatory oversight, and multi-party signing. The FTX collapse in November 2022 — where customer assets held by an exchange custodian were misappropriated — is the modern definition of why custody matters.


What Custody Means

The following sections cover this in detail.

The Private Key

Who controls the private key? Possible answers:

  1. Only you (self-custody)
  2. A third party (custodial exchange)
  3. Split between you and a third party (hybrid/MPC)
  4. Required signatures from multiple parties (multisig)
  5. A regulated institution under legal obligation (qualified custodian)

Custody Models

The model works as follows.

1. Self-Custody

Hardware wallets (Cold Storage):

The gold standard for individual self-custody:

  • Private keys generated and stored offline on a dedicated device (Ledger, Trezor)
  • Transactions signed inside the device; private key never touches internet-connected computer
  • Recovery seed (12-24 words) can restore if device is lost
  • Secure from remote hacks; vulnerable to physical theft or loss of seed

Software wallets (Hot Wallets):

  • Private keys stored in the software wallet on your computer or phone (MetaMask, Phantom)
  • Convenient for active DeFi use
  • Higher risk: malware can potentially extract keys; phishing attacks
  • Not suitable for large holdings

Self-custody risks:

  • No recovery if seed is lost (no customer service)
  • No reversal if hacked (transactions are final)
  • Inheritance complexity: must proactively plan key succession

2. Exchange/Custodial

Centralized exchanges (Coinbase, Binance, Kraken):

  • Exchange holds the private keys
  • User has an account with a balance (like a bank)
  • Exchange is responsible for security
  • User bears counterparty risk

Counterparty risk illustrated:

  • Mt. Gox (2014): 850,000 BTC lost when exchange was hacked
  • QuadrigaCX (2019): $190M “lost” when founder died (alleged) with sole access to keys
  • Celsius/BlockFi (2022): Customer deposits lost in bankruptcy — assets weren’t segregated
  • FTX (2022): $8B in customer assets misappropriated by Sam Bankman-Fried for Alameda trading

In each case, the user trusted an exchange to hold the keys, the exchange failed, and users lost funds.

3. Qualified Custodians (Institutional)

Regulated institutions that hold crypto assets for institutional clients under legal obligations:

Key qualified custodians:

  • Coinbase Custody — subsidiary of Coinbase, state-regulated trust company
  • BitGo — leading institutional custodian, licensed in multiple states
  • Fidelity Digital Assets — Fidelity’s crypto custody arm
  • Anchorage Digital — US federally chartered digital asset bank

Qualifying characteristics:

  • State trust company or bank charter → regulatory oversight
  • Insurance (typically $100-500M+ commercial crime policies)
  • Segregated customer accounts (assets not commingled with firm assets)
  • Proof of reserves audits
  • SOC 2 certification (security controls audit)

Why institutions need qualified custodians:

  • Many institutional investors (pension funds, RIAs, hedge funds) are legally required to use qualified custodians for client assets
  • SEC investment adviser rules require certain assets held with qualified custodians
  • Insurance requirements for boards

4. Multi-Party Computation (MPC) Wallets

MPC is an advanced cryptographic technique for custody:

  • Private key is never assembled in full — it’s split into “shares” distributed across multiple parties
  • Transaction signing requires participation of a threshold of parties (e.g., 2 of 3)
  • No single party can sign alone; no single point of key exposure

MPC vs. Multisig:

Aspect       | Multisig                                  | MPC
On-chain     | Yes (visible as multisig address)         | No (looks like regular address)
Key assembly | Never (multiple signatures combined)      | Never (shares combined cryptographically)
Cost         | Higher gas (multiple signatures required) | Normal gas (one combined signature)
Complexity   | Higher contract complexity                | Higher cryptographic complexity

MPC providers: Fireblocks, Copper, Curv (acquired by PayPal), Coinbase Prime.

Fireblocks is the dominant institutional MPC custody provider — used by 1,800+ institutions for digital asset custody and transaction management.
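
The threshold-signing idea described in this section, as an added example that is not part of the original page or any provider's code: a toy 2-of-3 threshold Schnorr signature in Python over a tiny constructed group. P, Q, G and all function names are assumptions made for illustration; production MPC wallets use threshold ECDSA or EdDSA protocols with verified key generation and much larger parameters.

```python
# Toy 2-of-3 threshold Schnorr signing (added illustration, not production crypto).
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # constructed toy group: P = 2Q + 1, G has prime order Q
T, PARTIES = 2, (1, 2, 3)    # threshold and party indices (hypothetical names)

def h(r, msg):
    """Schnorr challenge e = H(r || msg) reduced mod Q."""
    return int.from_bytes(hashlib.sha256(f"{r}|".encode() + msg).digest(), "big") % Q

def dkg():
    """Every party deals a random degree-(T-1) polynomial to the others.
    Party j keeps only the sum of the points it received; no variable ever
    holds the full private key (the sum of the constant terms)."""
    polys = {i: [secrets.randbelow(Q) for _ in range(T)] for i in PARTIES}
    f = lambda c, x: sum(a * pow(x, k, Q) for k, a in enumerate(c)) % Q
    shares = {j: sum(f(polys[i], j) for i in PARTIES) % Q for j in PARTIES}
    pub = 1
    for i in PARTIES:
        pub = pub * pow(G, polys[i][0], P) % P   # combine public commitments only
    return shares, pub

def lagrange(i, signers):
    """Weight that interpolates party i's share to x = 0 for this signer set."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def threshold_sign(msg, shares, signers):
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in signers}
    r = 1
    for i in signers:
        r = r * pow(G, nonces[i], P) % P         # parties exchange only G^k_i
    e = h(r, msg)
    # Each partial is computed locally from that party's own share and nonce.
    partials = [(nonces[i] + e * lagrange(i, signers) * shares[i]) % Q for i in signers]
    return r, sum(partials) % Q                  # one ordinary (r, s) signature

def verify(msg, sig, pub):
    """Standard single-key Schnorr check; the verifier cannot tell MPC was used."""
    r, s = sig
    return pow(G, s, P) == r * pow(pub, h(r, msg), P) % P
```

Any two of the three share-holders produce a signature that passes the ordinary single-key `verify`, which is why an MPC wallet looks like a regular address on-chain, while one share on its own does not yield a valid signature.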


Institutional Custody Stack

For large financial institutions, crypto custody involves:

  1. Key generation ceremony — provably secure key ceremony creating initial key shards
  2. Hardware Security Modules (HSMs) — tamper-proof hardware storing key shards offline
  3. Policy engines — multi-person approval workflows (transaction over $1M requires 3 approvers)
  4. Travel Rule compliance — FATF regulatory reporting for transactions over $3,000
  5. Insurance — commercial crime, cyber liability, and professional indemnity policies
  6. Audits — third-party custody audits, proof of reserves

The Custody Landscape Post-FTX

FTX’s collapse fundamentally changed institutional crypto custody discussions:

  • Segregated custody (assets held separately from firm balance sheet) became non-negotiable
  • “Proof of Reserves” became a standard demand from institutional clients
  • Exchange-operated custodians face more scrutiny than third-party custodians
  • Bank charters (like Anchorage’s OCC charter) gained importance as signals of regulatory soundness

How to Approach Self-Custody

For individuals:

  1. Purchase a hardware wallet at
  2. Set up wallet securely: never photograph seed phrase, store physically in fireproof safe
  3. Move assets from exchange to hardware wallet
  4. Buy crypto via then withdraw to self-custody

Social Media Sentiment

Custody became a dominant crypto conversation topic in 2022 after the Terra/LUNA, Celsius, Voyager, and FTX collapses, all of which involved loss of funds held in non-self-custody arrangements. The “not your keys, not your coins” mantra gained mainstream recognition. Hardware wallet sales surged after each major exchange failure. On one side, crypto purists and Bitcoin maximalists advocate exclusively for self-custody. On the other, institutional adoption advocates note that qualified custodians are necessary for regulatory-compliant institutions and are genuinely more secure than individual hardware wallet management for most users. The practical consensus: for significant holdings, cold storage self-custody or a qualified custodian is the gold standard; for DeFi interactions, a hot wallet with limited funds is acceptable. The MPC wallet trend is viewed positively because it provides institutional-grade security without the privacy leak of on-chain multisig. Regulatory clarity on qualified custodian definitions for crypto (SEC’s SAB 121 debate) is an ongoing story.


Last updated: 2026-04
