Security
How Bitcoin Custody Works: A Complete Explainer
Bitcoin custody is the practice of securing the cryptographic keys that control Bitcoin. Unlike a bank balance, which is an entry in a ledger the bank controls, Bitcoin is controlled by whoever holds the private key that can authorize a transaction. That single fact reframes the entire question of security: with Bitcoin, you are not protecting an account, you are protecting a secret. This explainer walks through exactly how that secret is generated, stored, and used, the models institutions and individuals use to protect it, and how to decide who should hold the keys to your coins.
The phrase "not your keys, not your coins" became a slogan after a decade of exchange failures, but it is also a precise technical description of how the Bitcoin network works. Whether you self-custody or use a managed platform like Sable, understanding custody is the difference between owning Bitcoin and owning a promise from someone who owns Bitcoin.
A common misconception is that Bitcoin is "stored" in a wallet the way cash sits in a physical wallet. It is not. Every bitcoin exists only as an entry on the blockchain, a shared public ledger replicated across tens of thousands of computers worldwide. What a wallet actually stores is a private key: a large, effectively unguessable number that proves you have the right to move the coins associated with a particular address. Sign a transaction with that key and the network accepts it; without it, the coins are permanently frozen.
This is why custody is fundamentally about key management. A thief who copies your private key can drain your coins from anywhere on earth, instantly and irreversibly. Lose the key with no backup and the coins are gone forever, still visible on the ledger but unspendable. There is no password reset, no fraud department, and no chargeback. Estimates of permanently lost Bitcoin run into the millions of coins — a large fraction of them from the early years when keys were treated casually. Custody, done properly, is the discipline that prevents both outcomes at once: theft and loss.
The single most important variable in Bitcoin custody is whether the private key ever touches an internet-connected device. This defines the spectrum from hot to cold storage.
A hot wallet keeps keys on a device connected to the internet — a phone app, a browser extension, or an exchange server. Hot wallets are convenient: you can send and receive in seconds. That convenience is also the risk. Because the key exists on an online device, malware, phishing, or a server breach can potentially reach it. Hot wallets are appropriate for small, working balances, the digital-asset equivalent of the cash in your pocket, not the money in your vault.
A cold wallet keeps keys on a device that is never connected to the internet: a dedicated hardware wallet, an air-gapped computer, or a signing device in a physical vault. Transactions are prepared online, signed offline, and only the finished (already-signed) transaction is broadcast. Because the key never touches a networked machine, remote attackers have nothing to reach. This is why every credible custodian, including Sable, keeps the overwhelming majority of client assets in cold storage. Our security page describes the specific architecture we use.
A single key, however well hidden, is a single point of failure. If it is stolen, the coins are gone; if it is lost, the coins are frozen. Institutional custody solves this by requiring multiple independent keys to authorize any movement, so that no one device, person, or location can act alone. Two architectures dominate in 2026.
A multisig arrangement requires a threshold of independent keys to sign a transaction — for example, two of three, or three of five. Each key is a complete, standalone private key, and the requirement is enforced by the Bitcoin protocol itself. A common institutional setup places keys in geographically separated vaults, held by different people or entities, so that compromising one location accomplishes nothing. Multisig is transparent (the rules are visible on-chain) and battle-tested, and providers such as Casa and Unchained have made it available to individuals as well as institutions.
MPC takes a different approach. Instead of several complete keys, it mathematically splits a single key into shares distributed across independent parties, and the full key is never assembled in one place at any moment. Signing happens collaboratively across the shares without ever reconstructing the whole key. As custody-technology firm Fireblocks explains, MPC operates at the cryptographic layer rather than the blockchain protocol layer, which lets signing policies be updated and key shares refreshed without moving funds to a new address. This operational flexibility has made MPC the default for many large custodians managing assets across dozens of blockchains.
| Property | Multi-signature (Multisig) | Multi-party computation (MPC) |
|---|---|---|
| Where enforced | On-chain, by the Bitcoin protocol | Off-chain, by cryptography |
| Keys involved | Multiple complete, independent keys | One key split into shares; never reassembled |
| Changing the signing policy | Usually requires moving funds to a new address | Can be updated without an on-chain transaction |
| Cross-chain support | Bitcoin-native; varies by chain | Consistent across many blockchains |
| Transparency | Rules visible on-chain | Rules kept off-chain / private |
| Typical users | Individuals and institutions | Institutional custodians at scale |
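To make the threshold idea concrete, here is the secret-sharing arithmetic that underlies share-based custody, as an added example that is not Sable's, Fireblocks' or any vendor's code. It uses the secp256k1 group order N (the field a Bitcoin private key lives in); the demo key is a toy value, and real MPC signs with the shares without ever calling reconstruct(), which appears here only to prove the threshold property.

```python
"""Threshold key shares: the secret-sharing math underneath MPC custody.
Added example, not Sable's, Fireblocks' or any vendor's code. A Bitcoin
private key is an integer in [1, N-1], N the secp256k1 group order, so
shares live in the field mod N. Real MPC signs WITH the shares and never
runs reconstruct(); it appears here only to show the threshold property."""
import secrets
from typing import List, Tuple

# Order of the secp256k1 group: every Bitcoin private key is an integer mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_key(key: int, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Shamir split: random polynomial f of degree threshold-1 with f(0) = key.
    Share i is (i, f(i)); any `threshold` of them recover key, fewer reveal nothing."""
    if not 0 < key < N or not 1 < threshold <= shares:
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, k, N) for k, c in enumerate(coeffs)) % N)
            for x in range(1, shares + 1)]

def reconstruct(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation of f(0) over the field mod N."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret

def demo(key: int = 0xC0FFEE) -> Tuple[bool, bool]:
    """2-of-3: e.g. two vault shares plus one recovery share. `key` is a toy value."""
    s = split_key(key, threshold=2, shares=3)
    any_two = all(reconstruct(p) == key for p in (s[:2], s[1:], [s[0], s[2]]))
    one_alone = reconstruct(s[:1]) != key   # a single share is one point on a random line
    return any_two, one_alone
```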
All of the above technology gets packaged into one of two broad models. Everything else is a variation on these two.
You hold your own keys, typically on one or more hardware wallets, and you alone are responsible for security, backups, and recovery. Self-custody delivers the purest form of ownership: no counterparty can freeze, lend, or lose your coins, because no counterparty is involved. The cost is total personal responsibility. A house fire that destroys your only seed-phrase backup, a forgotten passphrase, or a sophisticated phishing attack falls entirely on you. For technically confident holders willing to build and rehearse a real backup and inheritance plan, self-custody is a legitimate and powerful choice.
A qualified custodian or managed platform holds the keys on your behalf using the multisig or MPC systems described above, wrapped in insurance, audits, and professional operations. You trade some direct control for a team whose full-time job is security, and for protections — insurance, proof of reserves, disaster recovery — that are difficult for an individual to replicate. The critical caveat, learned expensively in 2022, is that not all "custody" is equal: an unregulated exchange holding your coins in a commingled hot wallet is custody in name only. The failures of FTX and Celsius were, at root, custody failures, in which customer coins were treated as the platform’s own. We examine how strong platforms avoid this in our guide to evaluating a digital-asset platform.
| Consideration | Self-custody | Institutional custody |
|---|---|---|
| Who holds the keys | You | A regulated custodian or platform |
| Counterparty risk | None | Present — must be diligenced |
| Insurance | Rare / self-arranged | Standard at reputable custodians |
| Recovery if you make a mistake | None — errors are final | Support and recovery procedures |
| Best suited to | Technical holders, long-term storage | Larger balances, yield, estate simplicity |
| Operational burden | High (all on you) | Low (handled for you) |
In US regulation, "qualified custodian" is not marketing language; it is a defined term under the Investment Advisers Act custody rule. Registered investment advisers are generally required to hold client assets with a qualified custodian — historically a bank, a broker-dealer, or a futures commission merchant. For years, the open question was whether crypto-native custodians could qualify. That question moved forward in September 2025, when the SEC’s Division of Investment Management issued no-action relief allowing advisers and registered funds to treat certain state-chartered trust companies as qualified custodians for crypto assets, subject to conditions.
For an investor, the practical takeaway is to ask a platform a direct question: who is the qualified custodian, and under what regulatory framework do they operate? A credible answer names a specific, regulated entity. A vague answer, or a claim that the platform is its own unregulated custodian of commingled funds, is a red flag. The SEC’s own custody-rule modernization work signals that this area is being actively formalized, which favors platforms already structured around regulated custody.
Beyond keys, professional custody is defined by three operational safeguards that individuals rarely replicate on their own.
Reputable custodians carry insurance policies — often underwritten through specialist markets such as Lloyd’s of London — that cover specific loss scenarios, most commonly theft of assets in cold storage and, sometimes, employee dishonesty. Insurance is not a blanket guarantee; policies have limits and exclusions, and market-price declines are never covered. But the presence of a real, named policy is a meaningful signal that a third party has underwritten the custodian’s security practices. It is reasonable to ask what is covered, for how much, and by whom.
Proof of reserves is a cryptographic method for a custodian to demonstrate it actually holds the assets it claims. An independent auditor takes an anonymized snapshot of customer balances, hashes them into a Merkle tree — a data structure that produces a single fingerprint (the Merkle root) representing all balances — and verifies that on-chain holdings match total liabilities. Individual customers can then confirm their own balance was included without revealing anyone’s data. Exchanges such as Kraken publish regular proof-of-reserves attestations verified by outside accountants. The best practice includes proving liabilities, not just assets, since a reserve number is meaningless without knowing what is owed against it.
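The liabilities side of that check can be seen end to end in a small Merkle sum tree, added here as an example rather than Kraken's or any auditor's code; the customer balances, the salt and the on-chain reserve figure are constructed sample values.

```python
"""Proof-of-reserves check with a Merkle sum tree. Added example, not Kraken's
or any auditor's code; the balances below are constructed sample data. Each
leaf commits to a salted customer id and a satoshi balance; each node commits
to both children's hashes AND sums, so the root pins down total liabilities."""
import hashlib
from typing import List, Tuple
Node = Tuple[bytes, int]           # (hash, satoshis summed below this node)
EMPTY: Node = (b"\x00" * 32, 0)    # pads odd-sized levels without adding liabilities
def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()
def leaf(customer_id: str, salt: bytes, sats: int) -> Node:
    # A per-customer salt stops anyone brute-forcing a neighbour's id from its leaf.
    return _h(b"leaf", salt, customer_id.encode(), sats.to_bytes(8, "big")), sats
def node(left: Node, right: Node) -> Node:
    (lh, ls), (rh, rs) = left, right
    return _h(b"node", lh, ls.to_bytes(8, "big"), rh, rs.to_bytes(8, "big")), ls + rs

def build_tree(leaves: List[Node]) -> List[List[Node]]:
    levels = [list(leaves)]            # every level, leaves first; last level is the root
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl.append(EMPTY)
        levels.append([node(a, b) for a, b in zip(lvl[::2], lvl[1::2])])
    return levels

def proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    path = []                          # (sibling node, sibling is on the left) per level
    for lvl in levels[:-1]:
        path.append((lvl[index ^ 1], index % 2 == 1))
        index //= 2
    return path

def verify(my_leaf: Node, path: List[Tuple[Node, bool]], root: Node) -> bool:
    cur = my_leaf
    for sib, sib_is_left in path:
        if sib[1] < 0:                 # a negative sibling sum could hide liabilities
            return False
        cur = node(sib, cur) if sib_is_left else node(cur, sib)
    return cur == root

BALANCES = {"alice": 150_000_000, "bob": 42_000_000, "carol": 8_500_000}  # constructed
SALT = b"demo-salt"   # constructed; real schemes give every customer a private salt

def demo(onchain_sats: int = 205_000_000) -> Tuple[bool, bool]:
    """Bob checks his own inclusion; anyone checks proven liabilities <= on-chain reserves."""
    leaves = [leaf(c, SALT, s) for c, s in BALANCES.items()]
    levels = build_tree(leaves)
    root = levels[-1][0]
    return verify(leaves[1], proof(levels, 1), root), onchain_sats >= root[1]
```

The root's second element is the total the custodian is committing to owe, which is what makes the asset-side comparison meaningful.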
Finally, mature custody assumes that things will go wrong and plans for it: geographically distributed key shares so no single disaster is fatal, documented and tested recovery procedures, and redundancy in both hardware and personnel. This is unglamorous work, and it is precisely what distinguishes an institution from an enthusiast with a hardware wallet in a drawer.
Sable is built around institutional custody rather than asking clients to run their own security stack. In practice that means the large majority of digital assets are held in geographically distributed cold storage with multi-signature approvals, holdings carry institutional insurance, and data is encrypted in transit and at rest. Clients add their own protection at the account layer — starting with two-factor authentication and withdrawal controls — while the custody engineering happens behind the scenes. The full model, including how deposits and withdrawals are handled, is documented on our how it works and security pages, and summarized in the FAQ.
There is no single correct answer, only a correct answer for your situation. A few honest heuristics:
Bitcoin custody is the practice of securing the private keys that control your Bitcoin. Because the coins themselves live permanently on the blockchain, "holding" Bitcoin really means holding the secret key that can authorize moving it. Custody is the set of methods — hardware wallets, cold storage, multisig, MPC, qualified custodians — used to keep that key safe from both theft and loss.
Neither is universally safer; they fail in different ways. Self-custody removes counterparty risk but puts theft, loss, and recovery entirely on you. A reputable institutional custodian adds insurance, audits, and professional security but introduces counterparty risk you must diligence. For large balances, most investors are better served by a regulated custodian or a mix of both, provided the custodian can name its qualified custodian, insurance, and proof-of-reserves practices.
Hot storage keeps keys on an internet-connected device, which is convenient but exposed to remote attacks; it suits small working balances. Cold storage keeps keys completely offline, so remote attackers have nothing to reach; it is the standard for long-term and large holdings. Serious custodians keep the large majority of assets in cold storage and only a small operational float hot.
It means that if a third party holds the private keys, you own a claim on that party, not the Bitcoin itself. If they are hacked, become insolvent, or freeze withdrawals, your coins can be at risk — as happened in the 2022 exchange failures. The phrase is a reminder to understand exactly who controls the keys behind any balance you hold, and under what protections.
Sable uses institutional custody: the large majority of digital assets are held in geographically distributed cold storage secured with multi-signature approvals, holdings carry institutional insurance, and client data is encrypted in transit and at rest. Clients secure their own accounts with two-factor authentication and withdrawal controls. The full approach is described on the security and how it works pages.