In 2025, thieves stole about $3.4 billion in cryptocurrency, according to Chainalysis. Almost none of it came out of an offline key sitting in someone's drawer. It was drained from exchanges, apps, and connected platforms — the online end of the market. That single fact is the whole argument for understanding the cold wallet vs hot wallet choice before you hold any serious amount of crypto.
This guide is for anyone past their first purchase who now has to answer a simple question: where do the coins actually live? You will get the honest trade-offs, what the 2025 hacks really proved, and a five-step process to set up cold storage without losing access to your own money. If you are still learning the basics of exchanges and keys, start with our beginner-focused crypto course and come back to this.
- A hot wallet keeps your private key on an internet-connected device; a cold wallet keeps it offline.
- The offline key is the point: a properly air-gapped cold wallet has no remote attack surface.
- Nearly all of 2025's $3.4B in stolen crypto came from connected platforms, not from hardware in users' hands.
- Use both: a hot wallet for spending, cold storage for savings you are not touching this month.
- You can still lose cold-stored crypto — through a lost or leaked seed phrase, not a remote hack.
What's the difference between a cold wallet and a hot wallet?
A hot wallet stores your private keys on a device that is connected to the internet — a phone app, a browser extension, or an exchange account. A cold wallet stores those keys offline, on a device that never exposes them to the internet, such as a hardware wallet. Hot means convenient and exposed; cold means slower to use and far harder to reach remotely.
The distinction that matters is not the gadget — it is the private key. Whoever controls the key controls the coins. A hot wallet keeps that key somewhere an attacker can potentially reach across a network. A cold wallet keeps the key isolated, so a transaction can only be approved by someone physically holding the device and its PIN.
Good hardware wallets go further: they store the key on a certified Secure Element chip (Common Criteria EAL5+ or higher), the same class of tamper-resistant chip used in passports and bank cards, tested against physical extraction and side-channel attacks. The key is generated on the device and never leaves it — not even when you sign a transaction.
Why 2025 turned this into a $3.4 billion question
2025 was the worst year on record for crypto theft. Chainalysis counted roughly $3.4 billion stolen across the industry; the independent firm TRM Labs put the figure more conservatively at about $2.7 billion. Either way, the pattern was the same — the losses clustered on connected infrastructure.
The single largest event was the Bybit hack of 21 February 2025: around $1.5 billion, or roughly 401,000 ETH, gone in one operation — the biggest single crypto theft in history, attributed to North Korea-linked actors. Chainalysis found the top three hacks alone accounted for 69% of all money stolen from services that year.
Biggest crypto thefts of 2025 — all hit connected platforms
Source: Chainalysis; The Record / Recorded Future News, 2025.
Look at what got hit: an exchange, a decentralized exchange, a DeFi protocol, another exchange. Every one is a connected platform holding pooled user funds. What this means for you: the target is the online honeypot, not the individual holding keys offline. Moving coins off a platform and into cold storage takes you out of that blast radius.
And it was not only platforms. Chainalysis noted that attacks on individual wallets rose in 2025, as thieves increasingly went after ordinary holders through phishing pages, fake apps, and wallet-draining malware. Notice the method, though: those attacks trick a user into signing or revealing keys on a connected device. They do not reach into an offline key. That is precisely the ground a cold wallet, paired with careful signing habits, is built to defend.
The Bybit case carries a subtler lesson. The stolen funds sat in a cold multi-signature wallet, yet the attackers never cracked the offline key. They compromised the signing interface instead — malicious code changed what the human signers saw on screen versus what they actually approved, so the team authorized a transaction that handed over control. Cold storage protects the key. It does not protect a corrupted approval process. For an ordinary self-custody user this is reassuring: you are not running a platform's signing stack, so your risk is far simpler to manage.
Cold wallet vs hot wallet: the honest trade-offs
Neither wallet is "better" in the abstract — they solve different problems. A hot wallet optimizes for access; a cold wallet optimizes for protection. Here is how they compare on the dimensions that actually decide where your coins should sit.
| Factor | Hot wallet | Cold wallet |
|---|---|---|
| Key storage | On an internet-connected device | Offline, isolated from any network |
| Remote attack surface | Meaningful — malware, phishing, drained apps | Effectively none if air-gapped |
| Best use | Spending, trading, small active balances | Long-term savings, larger holdings |
| Cost | Usually free (software) | Hardware device, roughly $50–$200 |
| Convenience | Instant, always on hand | Slower — connect device, confirm on-screen |
| Main failure mode | Remote theft while online | Losing or leaking the seed phrase |
Read the last row twice. The two wallets do not just differ in security level — they fail in completely different ways. A hot wallet is lost to an attacker; a cold wallet is lost to your own record-keeping. That changes what you have to get right, which is exactly what the setup steps below cover.
Which wallet should you actually use?
Both. The standard practice in crypto security is to separate funds by purpose and risk, not to crown one wallet the winner. Keep what you actively spend or trade in a hot wallet, and keep the bulk of your holdings — the part you are not touching this month — in cold storage. It mirrors how you already treat money: a current account for daily use, a vault for savings.
A simple rule of thumb: if losing a balance to a phone hack would ruin your month, it does not belong in a hot wallet. Many traders draw the line at a fixed figure — anything above, say, a few hundred dollars they are not about to trade moves to cold storage. The exact number is yours; the discipline is what protects you.
One trap worth naming: leaving coins on an exchange is not the same as holding your own hot wallet. On an exchange, the platform holds the keys — you hold an IOU. That is custodial risk, and it is a different animal from a self-custodied app. A spot Bitcoin ETF holds the coins for you too, which suits some investors fine — but "not your keys, not your coins" is the lesson FTX taught the hard way when it froze customer withdrawals in November 2022.
How to set up cold storage safely in 5 steps
Getting a hardware wallet is the easy part. Not locking yourself out of your own money is the part people rush. Follow these five steps in order, and do not fund the wallet until step four is done.
That recovery test in step four is non-negotiable. A hardware wallet that breaks, is lost, or is stolen costs you nothing if the seed phrase is safe — you restore to a new device and carry on. A perfect device with a phrase you copied wrong is a permanent loss. The device is replaceable; the phrase is the money.
The mistakes that lose people their crypto
Self-custody removes the platform as a point of failure and puts you in charge — which means the failures left are the avoidable, human kind. These are the ones that recur:
- Storing the seed phrase digitally. A photo, a notes app, an email to yourself — any of these can go online and be scraped. The phrase belongs on paper and metal, offline.
- Typing the phrase to "verify" it. No legitimate wallet, exchange, or support agent will ever ask for your recovery phrase. Anyone who does is stealing from you.
- Keeping everything in a single hot wallet because moving to cold storage felt like a chore. The chore is a one-time hour; the alternative is your full balance exposed to every app you connect.
- Approving transactions without reading them. The Bybit signers learned this at scale — always confirm the address and amount on the hardware screen itself, which malware cannot alter.
- Blind-signing token approvals that grant an app open-ended access to your funds. Revoke old approvals and be wary of the scams designed to farm them; you can spot the crypto scams still draining wallets with a few habits.
Custody is one leg of surviving crypto; risk control is the other. Even perfectly stored coins can be mismanaged, so learn to size your crypto positions alongside securing them.
Frequently asked questions
Trading and holding crypto involves substantial risk of loss and is not suitable for every investor. Crypto is highly volatile and regulation varies by country. This article is educational content, not investment advice.