Crypto Investing Without the Hype: Wallets, Exchanges, Security, and Risk

10 pages

Wallets and Custody Choices: Hot Wallets vs. Cold Wallets for Safer Crypto Investing

Chapter 2

Estimated reading time: 9 minutes

Custody in plain language: control the keys, control the coins

In crypto, “custody” means who has the power to move the funds. That power comes from the private key (or the seed phrase that can recreate it). If you control the private keys, you control the funds. If someone else controls them—an exchange, an app company, a custodian—then you have an IOU that depends on their systems, policies, and security.

This is why custody decisions are security decisions. You are choosing where the “move money” authority lives: on an exchange, on your internet-connected device, or offline.

Three common custody choices (and what you’re really choosing)

1) Custodial exchange wallet (the exchange holds the keys)

What it is: Your balance inside an exchange account. The exchange controls the private keys and signs transactions on your behalf.

  • Pros: Easiest to use; fast trading; password reset flows; often supports fiat on/off ramps; can add account security controls (2FA, withdrawal allowlists).
  • Cons: You are exposed to exchange risks (account takeover, withdrawal freezes, insolvency, policy changes, outages). If your account is locked, you may not be able to move funds when you want.
  • Best for: Small amounts you actively trade, or temporary holding while you learn and set up self-custody.

2) Non-custodial hot wallet (you hold the keys on a connected device)

What it is: A mobile or desktop wallet where the seed phrase/private keys are generated and stored on your device (often encrypted). You sign transactions locally.

  • Pros: You control the keys; fast access for spending; works with many apps; you can move funds without asking permission.
  • Cons: Your device is online, so threats include malware, phishing, fake wallet apps, clipboard hijackers, SIM swaps that lead to compromise of related accounts, and accidental seed exposure (screenshots, cloud backups).
  • Best for: Everyday use and moderate amounts where convenience matters, assuming you can keep your device reasonably secure.

3) Cold storage (hardware wallet or offline key management)

What it is: Keys are generated and kept offline or in a dedicated device designed to isolate them from your computer/phone. Transactions are signed without exposing the private key to the internet-connected environment.

  • Pros: Strong protection against online attacks; reduces risk from malware on your computer/phone; best fit for long-term holding.
  • Cons: More setup steps; you must manage backups carefully; losing the seed phrase can mean permanent loss; physical theft and coercion become more relevant threats.
  • Best for: Larger amounts and long-term holdings where security outweighs convenience.

A decision framework: amount, frequency, and threat model

Step 1: Classify by amount (relative to your life)

  • Low: You can afford to lose it without major impact (learning funds).
  • Medium: Would hurt, but not catastrophic.
  • High: Would be financially devastating or meaningfully change your life plans.

Step 2: Classify by transaction frequency

  • Daily/weekly: You need quick access (spending, frequent transfers).
  • Monthly: Occasional moves (rebalancing, periodic buys).
  • Rarely: Long-term holding (months/years).

Step 3: Identify your most likely threats

| Threat | What it looks like | Most relevant to | Mitigation direction |
|---|---|---|---|
| Phishing | Fake login pages, fake support, “verify your wallet” links | Exchange + hot wallets | Bookmark sites, verify domains, never share seed |
| Device malware | Keyloggers, clipboard address swapping, remote access | Hot wallets | Cold storage for large funds; keep devices clean |
| Exchange account takeover | Stolen password/2FA, SIM swap, email compromise | Custodial wallets | Strong 2FA, withdrawal allowlists, separate email |
| Custodian failure | Withdrawal halt, insolvency, legal freeze | Custodial wallets | Self-custody for long-term funds |
| Physical theft/loss | Stolen phone, lost hardware wallet, house fire | Hot + cold | Seed backups, passcode, secure storage |
| User error | Sending to wrong chain/address, losing seed phrase | All | Small test transfers, checklists, recovery drills |

Putting it together (simple rule set)

  • Low amount + frequent use: Non-custodial hot wallet (or exchange wallet temporarily).
  • Medium amount + occasional use: Hot wallet with strong device hygiene, or hardware wallet if you prefer maximum safety.
  • High amount + rare movement: Cold storage (hardware wallet or offline key management) with a well-tested backup plan.

Anatomy of a wallet (what the pieces are and why they matter)

Seed phrase (recovery phrase)

A seed phrase is a list of words (commonly 12 or 24) that can recreate your wallet’s private keys. Anyone who has it can take your funds. It is not a “password” you can reset; it is the master key.

  • Treat it like: Cash + identity documents combined.
  • Never share it: Not with “support,” not with friends, not with a website, not with a form.
  • Never store it in cloud notes: Cloud notes, email drafts, screenshots, photo libraries, and password managers that sync to the cloud can be compromised through account takeover, malware, or data leaks.

Private key

The private key is the cryptographic secret used to sign transactions. Many wallets hide it behind the seed phrase. If someone gets the private key, they can spend the funds for that address.

Public key and address

The public key is derived from the private key. The address is derived from the public key and is what you share to receive funds. Sharing an address is generally safe; sharing a seed phrase/private key is not.

Wallet app vs. wallet keys

The wallet app is just an interface. Your funds live on the blockchain, and your keys are what allow you to control them. You can usually restore the same wallet in a different app using the seed phrase.

Structured walkthrough: create, back up, verify, and practice recovery

The goal of this walkthrough is to build a repeatable process that reduces mistakes. Do this when you are not rushed, and avoid doing it on public Wi‑Fi or in crowded places.

Part A: Create a new non-custodial wallet (hot wallet example)

  1. Choose a reputable wallet app from the official app store or the vendor’s official website. Avoid ads and sponsored search results that can lead to clones.
  2. Install and open the app, then select Create new wallet.
  3. Set a strong device lock (PIN/biometric) and enable the wallet’s app lock if available.
  4. Let the wallet generate your seed phrase. Do not copy it to clipboard, do not screenshot it, and do not type it into any other device.

Part B: Record the seed phrase safely (backup creation)

  1. Write the seed phrase on paper (or stamp/engrave on a metal backup for fire/water resistance). Write clearly and in the correct order.
  2. Create two backups stored in separate secure locations (for example, a home safe and a second secure location). The goal is to survive loss events like theft, fire, or misplacement.
  3. Keep it offline. No photos, no cloud storage, no email, no messaging apps.
  4. Add a label that is not obvious (avoid writing “Bitcoin seed phrase”). Use a neutral label you will recognize.

Part C: Verify the backup (don’t assume it’s correct)

  1. Use the wallet’s “verify seed phrase” step if offered. Many wallets ask you to re-enter selected words in order.
  2. Double-check legibility: confirm each word is spelled correctly. Seed words come from a fixed list; a misspelling usually means it will not restore.
  3. Confirm you can find your backup quickly (without exposing it). If it’s too hard to access, you may be tempted to store it digitally later.

Part D: Practice a recovery simulation (with a dummy amount)

This is the most overlooked step. A backup you have never tested is not a plan.

  1. Prepare a small “dummy amount” you can afford to lose (a tiny test transfer).
  2. Send the dummy amount to your new wallet address. Wait for confirmation and verify it appears in the wallet.
  3. Simulate loss of the device: on a second device (or after uninstalling the app), install the same wallet app (or another reputable wallet that supports the same standard) and choose Restore wallet.
  4. Enter the seed phrase from your written backup. Confirm the wallet restores and shows the same address/balance (after syncing).
  5. Optional safety drill: send the dummy amount back out to another address you control. This confirms you can sign transactions after recovery.

Cold storage walkthrough: hardware wallet basics (high-level, practical)

Hardware wallets vary, but the safe setup principles are consistent.

  1. Buy from the manufacturer or an authorized seller. Avoid used devices.
  2. Initialize the device yourself. Do not use a device that comes with a pre-written seed phrase. A legitimate device will generate the seed during setup.
  3. Write down the seed phrase offline as you would for a hot wallet. Consider a durable backup for long-term storage.
  4. Set a strong PIN on the device.
  5. Verify receiving addresses on the device screen when possible. This helps defend against malware that changes addresses on your computer.
  6. Do a test transfer with a small amount first, then move larger funds only after you confirm everything works.

Recommended default setups for beginners

Default setup A: “Small spending wallet” (daily convenience)

  • Type: Non-custodial hot wallet on your phone.
  • Use for: Small balances, learning, occasional transfers, spending.
  • Key habits: Keep seed phrase offline; enable app lock; keep phone OS updated; avoid installing random apps; verify addresses before sending.

Default setup B: “Long-term storage” (security first)

  • Type: Hardware wallet (cold storage) with an offline seed backup.
  • Use for: Larger balances you rarely move.
  • Key habits: Two secure backups in separate locations; test recovery with a small amount; keep the device and backups physically secure; plan for inheritance/emergency access without exposing the seed.

Default setup C: “Exchange as a bridge, not a vault”

  • Type: Custodial exchange wallet for short periods.
  • Use for: Buying/selling, converting, moving to self-custody.
  • Key habits: Strong unique password; 2FA (prefer authenticator app or hardware key); withdrawal allowlist if available; beware of phishing and fake support.

Clear do-not-do rules (print these mentally)

  • Do not share your seed phrase with anyone, ever. No legitimate service will ask for it.
  • Do not store seed phrases in cloud notes, email, screenshots, or photo libraries.
  • Do not type your seed phrase into websites or “wallet connect” pop-ups that request it.
  • Do not skip test transfers when moving to a new wallet or new chain.
  • Do not assume your backup works without a recovery simulation.
  • Do not keep large long-term holdings on an exchange by default if you can reasonably self-custody.
  • Do not install wallet apps from links in messages or ads; use official sources.
  • Do not rush address checks; verify the first and last characters and confirm the network/chain matches.
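As an added example (not part of the original course), the address check in the last rule can be automated for legacy Bitcoin Base58Check addresses: the checksum catches typos, the version byte identifies the network, and a full comparison against an address recorded independently (for instance, read from the hardware wallet screen) catches a clipboard swap, which yields a perfectly valid address. The function names and sample addresses are constructed for illustration.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Version byte -> network, for legacy Bitcoin Base58Check addresses.
NETWORKS = {0x00: "bitcoin-mainnet", 0x05: "bitcoin-mainnet",
            0x6F: "bitcoin-testnet", 0xC4: "bitcoin-testnet"}

def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, hash160: bytes) -> str:
    """Build an address; used here only to construct sample data."""
    raw = bytes([version]) + hash160
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + out

def b58check_decode(addr: str) -> tuple[int, bytes]:
    """Return (version, hash160) or raise ValueError on a damaged address."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            raise ValueError(f"invalid character {ch!r}")
        n = n * 58 + ALPHABET.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad length or checksum")
    return raw[0], raw[1:21]

def check_destination(pasted: str, recorded: str, network: str) -> str:
    """Compare a pasted address with one recorded independently."""
    try:
        version, _ = b58check_decode(pasted.strip())
    except ValueError as exc:
        return f"REJECT: {exc}"          # typo or truncated paste
    if NETWORKS.get(version) != network:
        return "REJECT: wrong network"   # e.g. testnet address on mainnet
    if pasted.strip() != recorded:
        return "REJECT: differs from recorded address"  # valid but swapped
    return "OK"

# Constructed sample data (not real wallets).
RECORDED = b58check_encode(0x00, bytes(range(1, 21)))
SWAPPED = b58check_encode(0x00, bytes(range(2, 22)))
TESTNET = b58check_encode(0x6F, bytes(range(1, 21)))
```

The swapped address passes the checksum and network checks and is rejected only by the comparison with the recorded value, which is why the recorded copy must come from a source the computer's clipboard cannot alter.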

Now answer the exercise about the content:

Which custody choice best fits a high-value crypto holding that you expect to move only rarely, and why?

For high amounts that move rarely, cold storage is recommended because keys stay offline, reducing online-attack risk. It requires careful seed backups and testing recovery to avoid permanent loss from user error.
