How Crypto Wallets Work
Your crypto wallet doesn't store crypto — it stores keys. Understanding the difference is the single most important thing you can learn before putting money into digital assets.
What Is a Crypto Wallet?
The name "wallet" is misleading. A crypto wallet doesn't hold your cryptocurrency the way a leather wallet holds cash. Your crypto — whether it's Bitcoin, Ethereum, or any other token — always lives on the blockchain. It never leaves.
What a wallet actually stores are your cryptographic keys: the private key that proves ownership and lets you authorize transactions, and the public key that lets others send crypto to you. A wallet is a keychain, not a vault.
This distinction matters enormously. If your wallet is lost or destroyed but you still have your keys (or your seed phrase, which we'll cover shortly), your crypto is perfectly safe. Conversely, if someone gains access to your private key, they can take everything — even if they never touch your physical device.
Public Keys vs Private Keys
Every crypto wallet generates a pair of cryptographic keys that work together:
- Public key: Think of this as your email address. You share it freely so people can send you crypto. It's derived from your private key through a one-way mathematical function: whoever holds the private key can compute the public key from it, but nobody can feasibly work backward from the public key to the private key.
- Private key: Think of this as your password — except there is no "forgot password" link. Your private key is a long string of characters that proves you own the crypto associated with your public address. Anyone who has this key can spend your funds. You never share it with anyone, period.
In practice, your wallet address (the string of characters you give someone to receive crypto) is a hashed version of your public key. The entire system is built on asymmetric cryptography — the same math that secures online banking, military communications, and every HTTPS website you visit.
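The one-way derivation described above, as an added example (not part of the original article or any wallet's code): it computes a public key from a private key on secp256k1, the curve Bitcoin and Ethereum use. The sample key is constructed, and the code is not constant-time, so it is for study only.

```python
# Added illustration: secp256k1 public-key derivation in pure Python.
# Not constant-time; for study only, never for real keys.
P = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + 7 (mod P)."""
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def public_key(priv):
    """Private scalar -> public point by double-and-add (the easy direction)."""
    if not 0 < priv < N:
        raise ValueError("private key must be in [1, N-1]")
    result, addend = None, G
    while priv:
        if priv & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        priv >>= 1
    return result

def compressed(pt):
    """33-byte public-key encoding; an address is a hash of bytes like these."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

SAMPLE_PRIV = 0x1234567890ABCDEF  # constructed sample, far too small for real use
SAMPLE_PUB = compressed(public_key(SAMPLE_PRIV))
```

Going forward takes a few hundred point additions; going backward from the public point to the scalar is the elliptic-curve discrete logarithm problem, for which no feasible method is known at this key size.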
Seed Phrases: Your Master Backup
When you create a new wallet, the software generates a seed phrase (also called a recovery phrase or mnemonic phrase) — typically 12 or 24 random English words presented in a specific order. This seed phrase is a human-readable representation of your master private key.
From this single seed phrase, the wallet can regenerate every private key and public key it will ever create. If your phone breaks, your computer is stolen, or your hardware wallet is destroyed, you can enter your seed phrase into any compatible wallet software and recover all your accounts and funds instantly.
The flip side: anyone who gets your seed phrase owns your crypto. There is no customer service to call, no bank to dispute the charge, and no legal recourse in most jurisdictions. Write it down on paper or stamp it into metal. Never store it digitally — not in a notes app, not in email, not in cloud storage. The moment it touches the internet, it is at risk.
Hot Wallets vs Cold Wallets
Wallets are broadly categorized by whether they're connected to the internet:
Hot Wallets (Internet-Connected)
Hot wallets are software applications that run on your phone, browser, or desktop. They're convenient — you can send and receive crypto in seconds — but because they're online, they're exposed to hacking, malware, and phishing attacks.
Think of a hot wallet like the cash in your pocket: useful for daily spending, but you wouldn't carry your life savings.
Cold Wallets (Offline Storage)
Cold wallets keep your private keys completely offline. Because they never touch the internet, they're virtually immune to remote hacking. The trade-off is convenience — you need physical access to the device to sign transactions.
Think of a cold wallet like a safe deposit box: secure for long-term storage, but not ideal for grabbing coffee.
Hardware Wallets
Hardware wallets are the most popular form of cold storage. These are small physical devices — roughly the size of a USB thumb drive — that store your private keys on a secure chip that never exposes them to your computer or the internet.
The two most established brands are:
- Ledger: French company, uses a proprietary secure element chip. Their Nano X and Nano S Plus models support thousands of cryptocurrencies. Ledger Live is the companion software for managing assets.
- Trezor: Czech company, pioneer of the hardware wallet market. Their Model T and Model One devices are fully open-source, meaning the community can audit the code for security vulnerabilities.
When you make a transaction with a hardware wallet, the device signs the transaction internally and sends the signed output to your computer. The private key itself never leaves the device. Even if your computer is compromised with malware, the attacker cannot extract your keys.
For anyone holding more than a few thousand dollars in crypto, a hardware wallet is not optional — it's essential.
Software Wallets
Software wallets are apps or browser extensions that make interacting with blockchains fast and simple. The most widely used include:
- MetaMask: The most popular Ethereum wallet. It runs as a browser extension or mobile app and connects to decentralized applications (dApps). If you've ever used DeFi or minted an NFT, you've likely used MetaMask.
- Phantom: The leading wallet for the Solana ecosystem, also supporting Ethereum and Polygon. Known for its clean interface and fast transaction speeds.
- Trust Wallet: A multi-chain mobile wallet owned by Binance. Supports a very wide range of blockchains and tokens.
- Rabby: An Ethereum wallet focused on security, showing transaction simulations before you sign so you can see exactly what will happen.
Software wallets are ideal for smaller amounts you actively use — interacting with DeFi protocols, swapping tokens, or making payments. For significant holdings, pair a software wallet with a hardware wallet for the best balance of security and convenience.
Exchange Custody: Not Your Keys, Not Your Crypto
When you buy crypto on an exchange like Coinbase, Kraken, or Binance, the exchange holds the private keys on your behalf. You have an account balance, but you don't actually control the underlying assets. This is called custodial storage.
The phrase "not your keys, not your crypto" became painfully relevant in November 2022 when FTX — at the time one of the world's largest exchanges — collapsed overnight. Customers who held billions of dollars in crypto on the platform could not withdraw. Many lost everything.
Exchange custody has some legitimate advantages:
- No risk of losing your private key or seed phrase — the exchange manages that
- Easy fiat on/off ramps (converting between dollars and crypto)
- FDIC insurance on USD balances at some U.S. exchanges (not on crypto itself)
- Customer support if something goes wrong
But the risks are real:
- Exchange hacks (Mt. Gox, FTX, countless others)
- Frozen withdrawals during market stress
- Regulatory seizure of assets
- Counterparty risk — you're trusting the exchange's solvency
The professional approach: use exchanges for trading, then withdraw to self-custody for long-term holding. For an expert perspective on Bitcoin custody and security, watch our interview with Jameson Lopp.
Institutional Custody Solutions
Large investors, family offices, and funds face a different custody challenge. They need the security of cold storage combined with regulatory compliance, insurance, and governance controls that a Ledger device in a desk drawer doesn't provide.
Institutional custody providers include:
- Coinbase Institutional (Coinbase Prime): Regulated, insured, and widely used by publicly traded companies holding Bitcoin on their balance sheets.
- BitGo: Multi-signature custody with $250M+ in insurance coverage. Used by many exchanges and funds.
- Fireblocks: Enterprise-grade infrastructure using multi-party computation (MPC) to eliminate single points of failure. Processes trillions in digital asset transfers.
- Fidelity Digital Assets: Backed by the credibility and infrastructure of one of the world's largest financial institutions.
The institutional custody market has matured enormously since 2020. It had to — without secure, regulated custody, large allocators simply would not enter the market.
Multi-Signature Wallets
A multi-signature (multisig) wallet requires more than one private key to authorize a transaction. For example, a 2-of-3 multisig wallet generates three keys and requires any two of them to sign before funds can move.
This is powerful for several reasons:
- Eliminating single points of failure: No single lost key, stolen device, or compromised employee can drain the wallet.
- Organizational governance: DAOs and companies use multisig to require multiple approvals for treasury transactions — much like requiring two signatures on a corporate check.
- Personal security: You can store three keys in different locations (home safe, bank safe deposit box, trusted family member). Even if one location is compromised, your funds are safe.
Gnosis Safe (now Safe) is the most widely used multisig wallet on Ethereum, securing over $100 billion in assets across thousands of organizations.
Security Best Practices
After 75+ combined years in financial markets, we've learned that security is not about being paranoid — it's about being disciplined. Here are the non-negotiable rules:
- Never share your private key or seed phrase. No legitimate service, support agent, or wallet provider will ever ask for it. If someone asks, it is a scam — 100% of the time.
- Back up your seed phrase on physical media. Write it on paper. Better yet, stamp it into steel or titanium so it survives fire and flood. Store copies in separate physical locations.
- Use a hardware wallet for significant amounts. Any holding you would be devastated to lose should be on a hardware device, not a browser extension.
- Verify transaction details on your hardware wallet's screen. Malware can alter destination addresses on your computer display. The hardware wallet screen shows the true transaction details.
- Use unique, strong passwords for every exchange account and enable two-factor authentication (2FA) with an authenticator app — never SMS, which is vulnerable to SIM-swapping attacks.
- Be skeptical of everything. Phishing sites, fake wallet apps, and social engineering attacks are the primary way people lose crypto. Bookmark exchange URLs. Double-check wallet addresses. Verify before you click.
Common Mistakes and How to Avoid Them
Most crypto losses are not caused by sophisticated hackers. They're caused by human error. Here are the mistakes we see most often:
- Storing seed phrases digitally. Screenshots, notes apps, email drafts, Google Docs — all of these are attack surfaces. If it's connected to the internet, it can be compromised. Use paper or metal.
- Sending crypto to the wrong network. Sending a coin to an address on a different chain (e.g., Ethereum to a Bitcoin address) can result in permanent loss. Always double-check the network before confirming.
- Not testing with a small amount first. Before sending a large transfer, always send a small test transaction to confirm the address is correct and you're on the right network.
- Approving malicious smart contracts. When you connect your wallet to a dApp, you may be asked to approve token spending. Malicious contracts can drain your wallet. Only interact with verified, audited projects.
- Leaving everything on exchanges. Exchanges are convenient but they are not banks. They can fail, get hacked, or freeze your account. If you don't control the keys, you don't control the crypto.
- Losing access to 2FA. If your phone breaks and you haven't backed up your authenticator app's recovery codes, you could be locked out of your exchange account. Back up your 2FA recovery codes alongside your seed phrases.
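A sketch of the address check recommended in this list, added here as an example (not from the original article): it validates the checksum built into Bitcoin-style Base58Check addresses, which catches typos, and then compares the pasted address with the one you confirmed independently, since a substituted address is itself well-formed. The sample addresses are constructed.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as Base58Check defines."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: int, body: bytes) -> str:
    """Encode version byte + body + checksum as a Base58Check string."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))  # leading zero bytes become "1"
    return "1" * pad + out

def b58check_decode(addr: str):
    """Return (version, body); raise ValueError on bad character or checksum."""
    num = 0
    for ch in addr:
        if ch not in ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        num = num * 58 + ALPHABET.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("checksum mismatch: address mistyped or corrupted")
    return raw[0], raw[1:-4]

def safe_to_send(pasted: str, expected: str) -> bool:
    """Checksum must pass AND the pasted address must equal the intended one."""
    try:
        b58check_decode(pasted)
    except ValueError:
        return False
    return pasted == expected

# Constructed sample addresses (version 0x00, made-up 20-byte hashes).
INTENDED = b58check_encode(0x00, bytes(range(20)))
SUBSTITUTED = b58check_encode(0x00, bytes(20))
```

`SUBSTITUTED` passes the checksum yet fails `safe_to_send`, which is the case the hardware wallet's screen exists to catch.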
Choosing the Right Wallet
| Wallet Type | Best For | Security | Convenience |
|---|---|---|---|
| Hardware wallet (Ledger, Trezor) | Long-term storage, large holdings | Highest | Lower |
| Software wallet (MetaMask, Phantom) | DeFi, daily transactions | Moderate | High |
| Exchange custody (Coinbase, Kraken) | Beginners, active trading | Varies | Highest |
| Multisig wallet (Safe) | Organizations, shared treasuries | Very high | Lower |
Many experienced holders use a combination: a hardware wallet for the bulk of their holdings, a software wallet for regular DeFi interaction, and an exchange account for trading and fiat conversion.
The Bottom Line
Crypto wallets are the foundation of digital asset ownership. Understanding how they work — and specifically understanding that you are managing cryptographic keys, not digital coins — is what separates informed participants from people who get hurt.
The principles are straightforward: control your own keys, back up your seed phrase on physical media, use hardware wallets for anything significant, and never trust anyone who asks for your private key. These aren't complex ideas. They just require discipline.
We've spent our careers in traditional finance, where custody infrastructure was built over centuries. Crypto is building that same infrastructure in years. The tools exist. The responsibility to use them correctly is yours.


