How to store crypto safely: the definitive beginner guide
Use a hardware wallet for meaningful holdings, write your seed phrase on paper or metal, and never leave large sums on an exchange.
Topic: Crypto · Type: Evergreen · Reading time: ~8 min
In 2025, hackers stole somewhere between $2.78 billion and $4 billion in cryptocurrency. The Bybit exchange alone lost $1.5 billion in a single attack — the largest crypto theft in history. And yet, most individual crypto holders aren't losing funds to nation-state hackers. They're losing them because they kept everything on an exchange that froze withdrawals, or because they photographed their seed phrase, or because a phishing site looked exactly like the real one.
Storing crypto safely isn't complicated. But it does require understanding a few concepts that nobody explains clearly — and making a handful of deliberate choices. This guide covers exactly that.
The single most important concept: not your keys, not your crypto
When you buy Bitcoin or Ethereum through an exchange and leave it there, you don't own the crypto in any meaningful sense. You own a claim on the exchange — the same way a bank account balance is technically a claim on your bank, not cash in a vault with your name on it.
The exchange holds the private keys: the cryptographic proof that controls your funds on the blockchain. If the exchange gets hacked, freezes withdrawals, goes bankrupt, or simply blocks your account, you may have no recourse. The collapse of FTX in 2022 cost users billions. The Bybit hack of February 2025 showed that even well-funded, operationally serious platforms can be breached.
This isn't an argument against ever using exchanges — they're fine for buying, selling, and moving smaller amounts. But they're not a storage solution. Once you've bought crypto and don't intend to trade it soon, the question becomes: where do you actually hold it?
Worth knowing: Only 13.2% of stolen crypto was recovered in 2025. Unlike a fraudulent bank transaction, there's no dispute process. Once crypto leaves your wallet to an attacker, it's gone.
Hot wallets vs cold wallets: the practical difference
The industry uses a lot of jargon. Strip it back and there are really two kinds of storage:
Hot wallets are connected to the internet. This includes exchange wallets, browser extension wallets like MetaMask, and most mobile crypto apps. They're convenient for transactions and interacting with DeFi apps, but they're exposed to online threats: malware, phishing, browser exploits. In the first half of 2025 alone, personal wallet compromises accounted for 44% of all stolen crypto value — up from just 7.3% in 2022. The attacks are getting more targeted.
Cold wallets store your private keys offline. The most practical form is a hardware wallet — a physical device, roughly the size of a USB drive, that keeps your keys isolated from the internet. When you want to send crypto, you connect the device, confirm the transaction on its screen, and the keys never leave the device even during that process.
The practical rule most experienced holders follow: keep 90% of your holdings in cold storage, and only 10% or less on an exchange or hot wallet for active use. If you hold less than a few hundred dollars, a reputable hot wallet is probably sufficient. Once you're holding an amount you'd genuinely be upset to lose — use cold storage.
This is also covered in more detail in our guide to the dark side of crypto: scams, hacks, and how to stay safe, which walks through the attack vectors in more depth.
Hardware wallets: what they are and which to consider
A hardware wallet is a physical device that generates and stores your private keys in a secure chip — isolated from your computer and the internet. Even if your laptop is fully compromised by malware, your hardware wallet's keys remain safe, because they never leave the device and every transaction must be physically confirmed on its own screen.
The market is dominated by two brands with long track records:
Ledger (Nano S Plus, Flex, Stax) — supports over 5,500 cryptocurrencies. The Flex model introduced an E-Ink touchscreen, which makes it easier to verify transaction details before signing. Prices start around $79. Ledger uses a proprietary chip and closed-source firmware, which some security researchers have criticised; the company has responded with multiple independent audits.
Trezor (Safe 3, Safe 5) — fully open-source hardware and software, which means its code can be audited by anyone. The Safe 5 retails at $169 and includes a colour touchscreen with an EAL6+ security rating. Open-source proponents generally prefer Trezor for transparency.
For beginners, either Ledger Nano S Plus (~$79) or Trezor Safe 3 (~$79) is a reasonable starting point. More advanced options include air-gapped devices like the COLDCARD (Bitcoin-only, never connects to the internet) or Cypherock X1, which eliminates the traditional seed phrase entirely by splitting your key across multiple smart cards using Shamir's Secret Sharing.
One firm rule: buy directly from the manufacturer's website or an authorised retailer. Hardware wallets purchased secondhand or from marketplaces have occasionally arrived pre-tampered.
The seed phrase: the piece most beginners get wrong
When you set up any self-custody wallet — hardware or software — you'll be given a seed phrase: a sequence of 12 or 24 common English words. This phrase is the master key to your entire wallet. Anyone who has it can access all your funds, on any device, anywhere in the world.
Three things are genuinely alarming about how people treat their seed phrases:
First, the most common mistake is storing it digitally. Screenshots, photos, cloud notes, email drafts — all of these are vulnerable. If your phone or cloud account is compromised, your crypto is gone. Write it down by hand.
Second, paper degrades. A coffee spill, a house fire, a flood — the list of ways a paper note can be destroyed is long. For any meaningful amount of crypto, a metal seed phrase backup (stainless steel tiles or plates, costing $30–$90) provides fire, water, and crush resistance. A standard paper note might not survive the same disaster that made you need to recover your wallet.
Third, losing your seed phrase is permanent. There is no "forgot password" option. No support team. If your hardware wallet is lost or damaged and you've lost your seed phrase, your crypto is inaccessible forever. An estimated $100 billion in crypto has been lost due to seed phrase mismanagement over the history of the industry.
The standard advice is sound: write it down twice, store one copy somewhere secure at home, and consider a second copy somewhere geographically separate (a family member's safe, a bank safety deposit box). The 25th-word passphrase — an optional extra word you choose that creates a completely hidden wallet — adds another layer if you're holding significant amounts.
If you're just getting started with self-custody, it's worth reading our explainer on crypto wallets: hot vs cold, custodial vs non-custodial which covers the vocabulary in more detail.
The threats that actually take people's money
Most guides cover the technical setup well. What they understate is the social and psychological dimension of crypto theft.
Phishing remains the most common attack vector. Fake exchange websites, fake wallet interfaces, emails that look like they come from Ledger or Coinbase — these are getting harder to distinguish. In 2025, AI-generated phishing sites became sophisticated enough to be visually indistinguishable from the real thing. Deepfake voice calls impersonating customer support have been reported. The rule is simple and should be treated as absolute: no legitimate wallet company, exchange, or support team will ever ask for your seed phrase.
Supply chain attacks are rarer but real. Never enter your seed phrase into any device you didn't set up yourself from scratch. If a device arrives with a "pre-configured" seed phrase, or prompts you to enter one during setup via a website, it's compromised.
The "rubber hose attack" — physical coercion — is worth acknowledging for high-value holders. This is why some advanced users maintain a decoy wallet (a small-balance account using the same seed phrase with a different 25th-word passphrase) that can be disclosed under pressure, while the main holdings remain protected.
For the vast majority of people, though, the threats are mundane: a phishing link clicked in a moment of inattention, a seed phrase stored as a photo on a phone that later got sold, or a balance left on an exchange that suspended withdrawals.
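How the 25th-word passphrase and the decoy wallet described above work under the hood, as an added example (not code from this guide or from any wallet vendor). It assumes the wallet follows the BIP39 standard, and it uses a public test mnemonic and made-up passphrases.

```python
import hashlib
import unicodedata

# Public BIP39 test-vector mnemonic (constructed sample input; never fund it).
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed as BIP39 specifies.

    PBKDF2-HMAC-SHA512, 2048 rounds, password = mnemonic,
    salt = "mnemonic" + passphrase, both NFKD-normalised.
    """
    # Collapse stray whitespace so copy/paste spacing does not change the seed.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def fingerprint(seed: bytes) -> str:
    """Short label for comparing seeds without displaying them."""
    return hashlib.sha256(seed).hexdigest()[:12]


def wallets_for(mnemonic: str, passphrases) -> dict:
    """Map each passphrase to the fingerprint of the wallet it opens."""
    return {p: fingerprint(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    # Hypothetical passphrases: none, the intended one, a one-character typo.
    table = wallets_for(SAMPLE_MNEMONIC, ["", "correct horse", "correct hors"])
    for passphrase, fp in table.items():
        print(f"{passphrase!r:18} -> wallet {fp}")
    # Every row differs and none is rejected: a mistyped passphrase opens a
    # valid, empty wallet instead of raising an error.
    assert len(set(table.values())) == 3
```

Because there is no "wrong passphrase" error, the passphrase needs the same backup discipline as the seed phrase itself: losing or misremembering it makes the hidden wallet unrecoverable.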
What this means for you this week
If you've bought crypto and left it sitting on an exchange, that's the first thing to address. Decide what you're holding long-term — anything above a few hundred dollars that you're not actively trading — and move it to self-custody. A Ledger or Trezor setup takes about 20 minutes and costs less than a single month's streaming subscriptions.
Write your seed phrase on paper during setup. Then buy a metal backup and transfer the phrase onto it. Keep the device and the seed phrase stored separately — a hardware wallet found without its seed phrase is much less useful to a thief.
Retail cold storage usage of hardware wallets grew 34% entering 2025, and the market is projected to reach $2.55 billion by 2033. The momentum is driven, in large part, by people learning the hard way. You don't have to.
If you want to understand the broader risks in the crypto space — not just storage, but scams, market manipulation, and what to actually do with these assets — our piece on how much of your portfolio should be in crypto covers the allocation question with the same level of specificity.