In early 2025, the Bybit exchange lost $1.5 billion in Ethereum during a transfer from cold storage to a warm wallet. Roughly $300 million of that is already considered irrecoverable. The incident was a stark reminder that wallet architecture is not just a technical decision. It is a risk management decision with direct financial consequences.
Whether you are overseeing a pension fund evaluating digital asset custody, managing an exchange, or advising a board on crypto investment risk, understanding the difference between hot and cold wallet architectures and how to combine them properly is fundamental.
This article breaks down both approaches, explains where they fit in an institutional risk framework, and covers the hybrid architectures that leading platforms use today.
What a Crypto Wallet Actually Is
A crypto wallet does not store cryptocurrency. Your assets live on the blockchain as ledger entries. The wallet stores the cryptographic private keys that prove ownership and authorise transactions.
Whoever controls the private key controls the funds. There is no central authority to reverse a transaction or reset a password. This is why wallet architecture matters so much from a risk perspective: you are designing the security perimeter around the single artefact that represents total control of the assets.
Almost every modern wallet is a hierarchical deterministic (HD) wallet with an associated seed phrase (also called a recovery phrase), typically 12 or 24 words encoded according to the BIP-39 standard. The phrase is the root from which every private key in the wallet is deterministically derived, so it can regenerate all of them. If an optional BIP-39 passphrase is in use, it is part of that root: the same 24 words with a different passphrase produce a completely different set of keys, so the passphrase must be backed up with the phrase, not treated as a mere PIN.
Losing both the private key and the seed phrase means permanent, irreversible loss of funds. For a deeper dive on protecting these credentials, see our guide on private key backup and recovery procedures.
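The derivation chain described above, as an added example that is not part of the original article: a seed phrase is stretched into a 64-byte seed with PBKDF2 (BIP-39), and that seed is turned into the BIP-32 master private key and chain code from which every child key descends. The code uses only the Python standard library. The mnemonic and seed constants are the first official BIP-39 test vector (all-zero entropy, passphrase "TREZOR"); the 2048-word list is not embedded, so `entropy_to_word_indices` returns word indices rather than words.

```python
"""BIP-39 seed phrase handling and BIP-32 master key derivation (stdlib only)."""
import hashlib
import hmac
import unicodedata

# secp256k1 group order; a BIP-32 master private key must lie in [1, N - 1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Official BIP-39 test vector 1 (entropy = 16 zero bytes, passphrase "TREZOR")
TEST_VECTOR_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                        "abandon abandon abandon abandon abandon about")
TEST_VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                        "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """Append ENT/32 bits of SHA-256 checksum, then cut the bit string into
    11-bit word indices. Mapping index -> word needs the 2048-word BIP-39
    list, which is not embedded here (index 0 is "abandon", index 3 "about")."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32
    entropy_bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(len(entropy) * 8)
    digest = hashlib.sha256(entropy).digest()
    digest_bits = bin(int.from_bytes(digest, "big"))[2:].zfill(256)
    bits = entropy_bits + digest_bits[:checksum_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    The passphrase is key material: a different passphrase yields a different
    seed and therefore an entirely different wallet."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master node: HMAC-SHA512 keyed with "Bitcoin seed". The left 32
    bytes are the master private key, the right 32 bytes the chain code. Every
    child key is derived from this pair, which is why the phrase regenerates
    the whole wallet."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; BIP-32 says reject it")
    return master_key, chain_code


if __name__ == "__main__":
    print(entropy_to_word_indices(bytes(16)))        # eleven 0s then 3 ("about")
    seed = mnemonic_to_seed(TEST_VECTOR_MNEMONIC, "TREZOR")
    print(seed.hex() == TEST_VECTOR_SEED_HEX)
    key, chain = seed_to_master_key(seed)
    print(key.hex(), chain.hex())
```

Run it with and without the "TREZOR" passphrase and compare the seeds: the difference is the whole point of backing the passphrase up alongside the words.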
Hot Wallets: Speed at the Cost of Exposure
A hot wallet is any wallet where the private keys are stored on a device connected to the internet. This includes browser extension wallets (MetaMask, Phantom), mobile apps (Trust Wallet, Coinbase Wallet), desktop applications (Electrum, Exodus), and exchange-hosted wallets where the platform holds keys on your behalf.
Why organisations use them. Hot wallets enable real-time transactions. For an exchange processing thousands of withdrawals per hour, or a DeFi protocol executing on-chain operations, internet connectivity is not optional. Hot wallets provide the liquidity layer that makes crypto operationally functional.
The risk profile. Because hot wallet keys live on internet-connected infrastructure, they are exposed to the full spectrum of online threats: remote hacking, malware and keyloggers, phishing attacks targeting credentials, server-side exploits if keys are stored in cloud infrastructure, and insider threats from employees with administrative access.
The attack surface is large and always-on. In 2024 alone, over $2.2 billion in crypto assets were stolen, with exchange hot wallets and smart contract exploits accounting for the majority. The Anti-Phishing Working Group reported a 170% surge in cryptocurrency phishing attacks that same year.
From an IT risk management lifecycle perspective, hot wallets sit in the highest-risk quadrant: high inherent risk with controls that can reduce but never eliminate the online exposure. Your qualitative risk assessment for IT infrastructure should classify hot wallet systems as critical assets with correspondingly strict control requirements.
Cold Wallets: Security Through Isolation
A cold wallet stores private keys on a device that is not connected to the internet. The most common forms are hardware wallets (Ledger, Trezor), purpose-built devices, most with a secure element, that keep the key inside the device and sign transactions offline; air-gapped computers that never connect to any network; and metal or paper backups where seed phrases are physically engraved or written and stored in secure locations.
Why organisations use them. Cold wallets remove the remote key-theft vector. A hacker on the other side of the world cannot copy a private key that exists only on a device locked in a vault with no network interface. What remains is the data the device is asked to sign, which still originates from an online system: a cold key can be tricked into signing a malicious transaction even though it can never be exfiltrated, which is why the transaction should be verified on the signing device's own display rather than on the computer that prepared it. For long-term storage of significant holdings, cold storage is the industry standard.
The risk profile. Cold wallets trade online risk for operational and physical risks. Accessing funds requires manual intervention, often involving physical travel to a secure location, multiple authorisers, and hardware interaction.
This creates latency measured in hours or days rather than milliseconds. Physical risks include device theft, loss, or damage, natural disasters destroying storage locations, hardware failure or firmware corruption, and social engineering targeting key custodians.
The Bybit incident in February 2025 demonstrated that a cold multisig can be drained without any key being stolen. According to Bybit's and Safe{Wallet}'s public statements, the attackers compromised a Safe{Wallet} developer machine and tampered with the signing interface, so the authorisers approved a malicious change to the wallet's contract logic while their screens showed a routine cold-to-warm transfer. Signing procedures must therefore verify what is being signed independently of the software that presents it.
A solid business continuity plan for IT must account for cold wallet access during disruption scenarios. If your vault is in a flooded building or your key custodians are unreachable, what is your recovery path? Your Business Impact Analysis should include cold wallet access time as a critical dependency.
The Hybrid Architecture: How Institutions Actually Do It
No serious institution relies on a single wallet type. The standard approach is a tiered architecture that balances liquidity against security. The industry rule of thumb, sometimes called the 95/5 rule, is to keep 90–95% of assets in cold storage and only 5–10% in hot wallets.
The hot wallet layer serves immediate operational liquidity (enough for a few hours of normal withdrawal volume), while the cold storage layer holds the bulk of reserves.
Automated treasury management. Leading platforms automate the flow between tiers. When the hot wallet balance drops below a predefined threshold (say, two hours of expected withdrawal volume), the system triggers a refill request from cold storage.
When deposits accumulate beyond a safety cap in the hot wallet, an automated sweep moves excess funds to cold storage. This minimises the amount of value exposed to online risk at any given moment.
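The refill and sweep logic just described, written out as an added example that is not code from the article or from any custody vendor. The thresholds are expressed in hours of expected outflow, with a gap between the refill floor and the sweep cap so the two rules do not fight each other, and the 5-10% hot-wallet share from the next section is enforced as a ceiling: automation may only top up to that ceiling, and anything beyond it is returned as a decision that needs human approval rather than executed silently. Policy values and the withdrawal history are constructed for illustration.

```python
"""Tiered hot/cold treasury policy with refill, sweep and a hot-share KRI."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class TierPolicy:
    floor_hours: float = 2.0       # refill when hot balance covers < 2h of outflow
    target_hours: float = 4.0      # refills and sweeps restore this much cover
    cap_hours: float = 8.0         # sweep when hot balance covers > 8h of outflow
    max_hot_share: float = 0.10    # KRI ceiling: hot wallet as a fraction of all assets


def expected_hourly_outflow(hourly_withdrawals: list[float], window: int = 24) -> float:
    """Forecast outflow as the mean of the most recent `window` hourly totals."""
    recent = hourly_withdrawals[-window:]
    if not recent:
        raise ValueError("need at least one hour of withdrawal history")
    return mean(recent)


def plan_transfer(hot: float, cold: float, hourly_outflow: float,
                  policy: TierPolicy = TierPolicy()) -> dict:
    """Decide the next cold<->hot movement. Returns the action, the amount,
    the resulting hot balance, and whether a human must approve it because
    the automated refill would breach the hot-share KRI."""
    total = hot + cold
    floor = policy.floor_hours * hourly_outflow
    target = policy.target_hours * hourly_outflow
    cap = policy.cap_hours * hourly_outflow
    ceiling = policy.max_hot_share * total
    requires_approval = False

    if hot < floor:
        action = "refill"
        amount = min(target - hot, cold)
        # Automation may only top up to the KRI ceiling; anything beyond it is
        # a policy exception that the 2nd line has to sign off on.
        if hot + amount > ceiling:
            requires_approval = True
            amount = max(ceiling - hot, 0.0)
        hot_after = hot + amount
    elif hot > cap:
        action = "sweep"
        amount = hot - target
        hot_after = hot - amount
    else:
        action, amount, hot_after = "hold", 0.0, hot

    return {
        "action": action,
        "amount": amount,
        "hot_after": hot_after,
        "hot_share_after": hot_after / total if total else 0.0,
        "requires_approval": requires_approval,
    }


# Constructed sample: 24 hourly withdrawal totals in ETH, averaging 12.5 ETH/h
SAMPLE_WITHDRAWALS = [10.0, 15.0] * 12

if __name__ == "__main__":
    rate = expected_hourly_outflow(SAMPLE_WITHDRAWALS)
    for hot, cold in ((20.0, 980.0), (150.0, 850.0), (60.0, 940.0)):
        print(hot, cold, plan_transfer(hot, cold, rate))
    # A withdrawal surge: the 4h target (160 ETH) exceeds the 10% ceiling
    print(plan_transfer(20.0, 980.0, 40.0))
```

The surge case is the one worth studying: when demand rises so far that four hours of cover would exceed 10% of total assets, the policy refills to the ceiling and escalates the remainder, which is exactly the moment a risk function wants a person looking at the withdrawal pattern.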
Warm wallets. Some architectures add a middle tier: the warm wallet. This sits between hot and cold, with keys that are online but protected by additional controls like multi-signature requirements or time-delayed transactions.
Warm wallets serve as a buffer, reducing the frequency of cold storage access while adding a layer of approval before funds reach the fully internet-exposed hot wallet.
Multi-signature (multisig) wallets. Multisig requires M-of-N key holders to approve a transaction (for example, 3 of 5 authorisers). This removes the single point of failure that one key represents: if one key is compromised, the attacker still cannot move funds without M minus 1 further keys, which only holds if the keys live on separate devices, in separate locations, under separate administrative control.
Multisig is widely used for both institutional cold storage and high-value hot wallet operations. The trade-off is complexity: losing more than N minus M keys permanently locks the funds, coordination overhead grows with the number of signers, and on most chains the M-of-N policy is visible on-chain and paid for in transaction size.
Multi-Party Computation (MPC). MPC wallets are the newest of the three approaches. Instead of generating a single private key and then splitting it, the key is generated from the outset as a set of shares held by different parties or machines, and the complete key never exists anywhere, not even at creation.
The shares cooperate in a threshold signing protocol to produce an ordinary signature without ever being reassembled; compromising one share, or one machine, does not yield the key.
MPC offers security properties approaching cold storage with near-hot-wallet speed, supports distributed signing with multi-role approvals, produces full audit trails for compliance, and keeps on-chain fees at single-signature levels because the chain sees one standard signature rather than a multisig script or contract call (vendors quote fee savings of up to 50% versus on-chain multisig). Two caveats: the shares are still held on online systems, so the platform that orchestrates them belongs in the hot-wallet threat model, and the Bybit lesson applies unchanged, since a threshold of honest signers approving a malicious transaction is still a loss.
For compliance-sensitive operations, MPC is increasingly the architecture of choice because it combines security with the governance and auditability that regulators expect.
Building a Wallet Risk Framework
Wallet architecture decisions should feed directly into your enterprise risk management framework. Here is how to structure the analysis.
Asset classification. Categorise every digital asset holding by value, liquidity requirement, and regulatory sensitivity.
Core reserve holdings (the bulk of assets) go to cold storage. Operational float (daily transaction requirements) stays in hot wallets. Everything else falls into a tiered allocation based on access frequency.
Threat modelling. Map the threat landscape for each wallet tier. Hot wallets face remote cyber threats (hacking, phishing, malware, API exploits). Cold wallets face physical threats (theft, loss, disaster, insider collusion during access ceremonies). Warm wallets and MPC architectures face a blend of both.
Your cyber security key risk indicators should include metrics specific to wallet operations: failed access attempts, anomalous transaction patterns, time since last cold storage audit, and hot wallet balance as a percentage of total assets.
Control design. Apply the three lines of defence model. The 1st line (operations/IT) manages day-to-day wallet operations, implements access controls, and executes transactions.
The 2nd line (risk and compliance) sets wallet security policy, defines thresholds for hot/cold allocation, monitors KRIs, and ensures regulatory alignment. The 3rd line (internal audit) periodically verifies that controls are operating as designed, tests recovery procedures, and reviews access logs.
Incident response. Wallet compromises require rapid response. Your incident response plan should specify immediate actions (freeze affected wallets, revoke compromised keys), communication protocols (regulator notification, customer disclosure), forensic investigation procedures, and fund recovery strategies.
Under the EU’s DORA regulation, financial entities must report major ICT incidents within hours: the initial notification is due no later than four hours after the incident is classified as major and 24 hours after the entity becomes aware of it. Under NYDFS BitLicense requirements, licensees must report fraud, breaches, or hacks promptly.
Design your incident response to meet the most demanding timeline. For context on these regulatory frameworks, see our article on MiCA, DORA, and NYDFS BitLicense requirements.
Regulatory Expectations on Wallet Architecture
Regulators are paying increasing attention to how digital assets are custodied. Several frameworks now have direct implications for wallet architecture choices.
EU MiCA: Crypto-Asset Service Providers (CASPs) providing custody must hold clients’ crypto-assets in a manner that protects them, segregated from the CASP’s own assets. MiCA’s governance requirements extend to custody arrangements, and CASPs must demonstrate adequate safeguards. An ISO 27001 risk assessment methodology provides a structured way to document these controls.
EU DORA: As a regulation covering all financial entities including CASPs, DORA requires comprehensive ICT risk management frameworks that encompass wallet infrastructure and ICT third-party service providers such as custody and key-management vendors. Resilience testing must cover wallet failure scenarios.
NYDFS BitLicense: BitLicensees must hold virtual currency in a manner that protects customer assets, maintain comprehensive books and records, and submit to regular examinations. NYDFS’s 2022 stablecoin guidance requires reserves to be held with US state- or federally chartered depository institutions or custodians, with monthly attestations by an independent CPA. Sub-custodians must be regulated to equivalent standards.
NIST SP 800-57: While not crypto-specific, NIST’s key management guidance directly applies to wallet private key lifecycle management: generation, storage, backup, rotation, and destruction. The draft Rev. 6 (December 2025) adds post-quantum algorithm considerations that will affect future wallet architectures.
For organisations that must comply with multiple frameworks simultaneously, anchoring your approach in the five-step risk management process (identify, analyse, evaluate, treat, monitor) provides a universal structure that maps cleanly onto any jurisdiction’s requirements.
Common Mistakes in Wallet Architecture
Keeping too much in hot wallets is the most frequent error. If your hot wallet holds more than a few hours of operational liquidity, you are over-exposed. Every dollar above the operational minimum is unnecessary risk.
Treating cold storage as inherently safe without testing recovery is another common failure. Cold wallet keys that cannot be restored from backup are a liability, not an asset. Schedule quarterly recovery drills.
Treating wallet security as purely a technology problem ignores the human layer. Social engineering, insider threats, and procedural failures during key ceremonies have caused some of the largest losses in crypto history. The Bybit incident exploited the transfer process, not the cold storage itself.
Ignoring concentration risk is a structural error. If all your cold storage keys are held by a single custodian or stored in a single geographic location, you have a single point of failure that no amount of encryption can fix.
Apply the 3-2-1 backup principle: three copies, two different media, one offsite. Remember that every copy of a seed phrase is a complete, spendable key, so more copies also means more places it can be stolen from; split the secret across locations (Shamir secret sharing, standardised for seed phrases in SLIP-39) or use multisig so that no single site holds enough to move funds. For data integrity risk assessment purposes, wallet transaction records and key inventory data should be included alongside traditional data stores.
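Splitting a seed across custodians, as an added example that is not from the article: Shamir secret sharing over GF(2^8), where any `threshold` of the shares rebuild the secret and fewer reveal nothing about it. It also makes concrete the difference between this and the multisig and MPC designs above: Shamir reconstructs the full key in one place at recovery time, which is exactly what MPC is built to avoid, so it is a backup technique, not a signing technique. Under-threshold combination does not fail by itself (it returns a well-formed wrong value), so the code appends a short SHA-256 tag and checks it, mirroring the checksum SLIP-39 carries; the share format here is illustrative and not SLIP-39 compatible. The 32-byte "seed" is a constructed placeholder.

```python
"""Shamir secret sharing over GF(2^8) for splitting a seed across custodians."""
import hashlib
import secrets

TAG_LEN = 4  # bytes of SHA-256 appended so under-threshold combines are detected


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Inverse via a^254 (a^255 = 1 for every non-zero element)."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, threshold: int, share_count: int) -> list[tuple[int, bytes]]:
    """Produce `share_count` shares of which any `threshold` reconstruct the secret.
    Each byte is the constant term of a fresh random polynomial of degree
    threshold - 1; share i is that polynomial evaluated at x = i."""
    if not 2 <= threshold <= share_count <= 255:
        raise ValueError("need 2 <= threshold <= share_count <= 255")
    payload = secret + hashlib.sha256(secret).digest()[:TAG_LEN]
    shares = [(x, bytearray()) for x in range(1, share_count + 1)]
    for byte in payload:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, buf in shares:
            y = 0
            for c in reversed(coeffs):      # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]


def combine_shares(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte at x = 0, then verify the integrity tag.
    Only at this point does the complete secret exist again, which is why the
    recovery ceremony itself needs the same controls as cold storage access."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    length = len(shares[0][1])
    payload = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    num = gf_mul(num, xk)        # (0 - xk) == xk in characteristic 2
                    den = gf_mul(den, xj ^ xk)   # (xj - xk) == xj XOR xk
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        payload.append(acc)
    secret, tag = bytes(payload[:-TAG_LEN]), bytes(payload[-TAG_LEN:])
    if hashlib.sha256(secret).digest()[:TAG_LEN] != tag:
        raise ValueError("integrity check failed: too few shares, or a corrupted share")
    return secret


if __name__ == "__main__":
    # Constructed stand-in for a 32-byte seed; never paste a real seed into a demo.
    demo_seed = bytes(range(32))
    shares = split_secret(demo_seed, threshold=3, share_count=5)
    print(combine_shares([shares[0], shares[2], shares[4]]) == demo_seed)
```

A 3-of-5 split lets you lose two sites (the flooded building, the unreachable custodian from the continuity section) and still recover, while a burglar who takes one plate learns nothing.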
Emerging Trends: MPC, Account Abstraction, and Post-Quantum Readiness
The hot-vs-cold binary is blurring. MPC wallets are providing cold-level security with hot-level speed, making them increasingly attractive for institutional use.
Account abstraction (ERC-4337 on Ethereum) enables smart contract wallets with programmable security policies: spending limits, time locks, social recovery, and automated approval workflows built into the wallet itself.
Post-quantum cryptography is the longer-term consideration. The signature algorithms current wallets use (ECDSA on secp256k1, EdDSA) rest on the discrete logarithm problem, which Shor’s algorithm solves on a sufficiently large quantum computer; any address whose public key is already visible on chain would then be exposed.
NIST’s post-quantum standards (FIPS 203 ML-KEM for key establishment; FIPS 204 ML-DSA and FIPS 205 SLH-DSA for signatures) will eventually require wallet and chain infrastructure updates. The two signature standards are the ones that matter for transaction signing, and their signatures are far larger than ECDSA’s, which affects on-chain cost. The organisations that build post-quantum readiness into their wallet architecture planning now will avoid a painful migration later. Your enterprise risk management technology practices should include a horizon-scanning component that tracks these developments.
Next Steps: What To Do This Quarter
First, audit your wallet architecture. Document every wallet in your environment by type (hot, warm, cold, MPC), custodian, key management method, and the value held. Second, benchmark your hot/cold ratio. If more than 10% of total assets sit in hot wallets, investigate why and whether the operational justification holds.
Third, test your cold storage recovery. Can you restore from backup within your defined RTO? If you have never tested this, assume it will fail when you need it most. Fourth, review your multisig and MPC configurations.
Are the right people in the right roles? Has anyone left the organisation without having their signing authority revoked? Fifth, update your risk register. Wallet architecture risk should appear as a distinct line item with its own inherent risk rating, control descriptions, and residual risk assessment.
Sixth, brief your board. If your organisation holds digital assets, your leadership team should understand the wallet architecture and the risk trade-offs involved. Use a quantitative risk management approach to translate wallet exposure into financial terms the board can act on.
References and Further Reading
BitGo: Cold Wallet vs Hot Wallet: Differences Explained
Cobo: Cold Wallet vs Hot Wallet: What Crypto Exchanges Need to Know in 2025
IdeaSoft: Hot Wallet vs Cold Wallet vs Custodial Wallet: Strategy Guide
Gemini: Crypto Wallets: Hot vs Cold Wallets
CCN: Exchanges vs Wallets: Where Your Crypto Is Safest (2025)
NIST: SP 800-57 Part 1 Rev. 5: Recommendation for Key Management
ESMA: Markets in Crypto-Assets Regulation (MiCA)

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
