What Is Crypto Custody? A Complete Guide for 2026


In finance, custodians play a critical role in safeguarding assets and ensuring regulatory compliance. You would never let a brokerage hold your funds, run its own trades, and skip regulatory oversight.

Yet for years, that is exactly how most institutions accessed crypto. FTX was the most prominent example – an unregulated exchange that used $8 billion in customer deposits to fund its own trading arm before collapsing in November 2022.

Where digital assets are stored and who controls access determines how protected they are. Crypto custody refers to the secure storage and management of private keys used to access digital assets on a blockchain.

Below is a guide that uncovers how crypto custody works and why it matters in 2026. Read on as we break down:

  • What is crypto custody and how does it work?

  • Why Is Digital Asset Custody Important?

  • What happened with FTX and Bybit?

  • How does off-exchange custody work?

  • How has BitMEX maintained a zero-loss record?

What Is Digital Asset Custody and How Does It Work?

To understand digital asset custody, you first need to understand how crypto assets are stored.

Unlike traditional securities, which exist in centralised registries managed by banks and clearinghouses, digital assets live on a blockchain. Transactions are recorded on-chain, and ownership is confirmed by a private key held in a wallet.

Every crypto wallet has two components:

  • Public key: a cryptographic address derived from the private key. It is visible on the blockchain and used to receive funds.

  • Private key: a cryptographically generated string of characters that authorises transactions and proves ownership of the assets. It functions as the sole signing authority for the wallet.

Think of the public key as the account number and the private key as the sole password that will ever exist for that account. In crypto, there is no central authority to reverse a transaction, reset a password, or recover stolen funds. If the key is lost, the assets are gone forever.

Types of Digital Asset Custody

Digital asset custody is the secure storage and management of a crypto wallet’s private keys on behalf of the asset holder. It comes down to two things: who holds the private keys and how well they are protected. The most common types of custody are:

  • Self-custody: The owner of the wallet manages their own private keys using proprietary infrastructure or hardware wallets (e.g., Ledger). Full control, but full operational burden and key-person risk. If the keys are lost or compromised, there is no recovery mechanism.

  • Third-party custody: A regulated provider stores and manages private keys on the owner’s behalf, with segregated accounts, compliance reporting, and insurance. Most institutions use this model because it aligns with fiduciary obligations and regulatory expectations.

  • Hybrid custody: The owner retains partial control over signing authority whilst a third-party custodian manages storage and security infrastructure. This method is suitable for firms that want involvement in the signing process without shouldering full operational responsibility.

Hot Wallets vs Cold Wallets

Private keys are stored in digital wallets and the type of wallet determines how secure they are. There are three types of wallets, each with different trade-offs between accessibility and security.

  • Hot wallets: Connected to the internet and operate automatically. They allow fast, frequent trading but are the most exposed to cyberattacks.

  • Warm wallets: Also connected to the internet, but require an additional security step, such as multi-signature approval, to verify transactions.

  • Cold wallets: Store private keys entirely offline in physically secured environments, making them significantly harder to compromise.

Cold wallets are the gold standard for institutional-grade custody. Cold wallets typically involve air-gapped devices, geographically distributed vaults, and strict access controls. Private keys never touch the internet, and the most common attacks – phishing, malware, remote exploits – cannot reach them. Cold wallets also never interact with smart contracts, which removes the risk of malicious approvals.

Most institutional custody solutions hold the majority of client assets in cold storage, with only a small operational float in hot or warm wallets.

Why Third-Party Custody Matters

“Not your keys, not your coins” is a popular cryptocurrency mantra meaning that if you do not control the private keys to your wallet, you do not truly own your assets.

For retail traders that is a philosophy. For asset managers, it is a fiduciary and regulatory obligation. Depositing client capital directly with a trading venue is a trust exercise dressed up as convenience. 

 Matters for Asset Managers Specifically

  • Investor protection when raising funds: Liquidity Providers and allocators now ask custody questions before they ask strategy questions. A qualified custodian relationship is the difference between a fund that passes due diligence and one that doesn't.

  • Alignment with the traditional finance standard: Segregated custody under a qualified custodian is the baseline in every other asset class. Crypto is converging on the same bar, and fiduciary duty demands the same controls.

  • Resolving counterparty risk against exchanges: Holding balances directly on any exchange concentrates counterparty exposure with that single venue. Third-party custody spreads that exposure by keeping assets with an independent, qualified custodian until trades settle.

  • Operational flexibility: Assets held with an independent custodian can be mobilised across multiple venues without the friction of on-boarding, depositing, and withdrawing on each one.

When you deposit assets onto a platform, you are trusting that platform to safeguard your funds. Your capital is exposed to custody risk, including:

  • Hacking risk: Exchanges without robust security infrastructure are high-value targets. In February 2025, the Bybit hack drained roughly $1.5 billion through a compromised signing interface.

  • Insolvency risk: If an exchange becomes insolvent, your assets may end up as part of the bankruptcy estate. FTX's collapse in 2022 left more than 1 million creditors exposed after customer funds were commingled with company capital.

  • Operational risk: Internal fraud, mismanagement, or commingling of funds can erode client assets without any external attack.

  • Regulatory risk: Platforms operating without proper licencing can be shut down, frozen, or sanctioned — leaving depositors unable to access their capital.

In 2025, illicit cryptocurrency addresses received at least $154 billion, a record and a 162% increase year-over-year.

Source: Chainalysis, Total cryptocurrency value received by illicit addresses 2020-2025

What Happened with FTX and Bybit? Lessons for the Industry

FTX (November 2022)

FTX was the second-largest crypto exchange by volume and valued at over $32 billion at its peak. It marketed itself to institutions as safe and regulated. Behind the scenes, customer deposits were being funnelled to Alameda Research, the exchange's affiliated proprietary trading firm.

There was no segregation between client funds and company capital. No independent custodian was sitting between the exchange and the assets it held. When Alameda's trading losses mounted and a liquidity crisis hit, FTX could not honour withdrawals. The exchange filed for bankruptcy, leaving more than 1 million creditors exposed and approximately $8 billion in customer funds unaccounted for.

  • The lesson was straightforward: without segregation, transparency, or independent oversight, there is no circuit breaker. Proper custody controls, whether in-house or through a third party, are what separate a trustworthy exchange from a risky one.

Bybit (February 2025)

Lazarus Group, a North Korean state-sponsored hacking collective, carried out a supply chain attack – not on Bybit directly, but on a developer machine at Safe{Wallet}, the multisig provider Bybit relied on.

The attackers modified the code that displayed transaction details on screen. Bybit employees saw the correct recipient address and amount on their computers, but different data was sent to their cold wallet hardware keys for signing. As multisig transactions do not display recipient info on the cold wallet screen, the signers approved the transfer blindly.

Roughly $1.5 billion in ETH was drained – the largest single theft in cryptocurrency history. The incident exposed a critical vulnerability: even cold storage can be compromised when the signing process relies on a single platform's infrastructure without independent verification.

  • The lesson here was slightly different to FTX: even cold storage methods can fail without independent verification when fending off malicious actors. Vetting counterparty risk at every point of the transaction cycle is crucial to avoid loss of funds.
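The independent verification this lesson calls for can be sketched as a pre-signing check, shown here as an added example that is not code from BitMEX, Bybit, Safe{Wallet} or the original article. It assumes a simplified JSON signing request, hypothetical field names and placeholder addresses, with SHA-256 standing in for a real wallet's transaction hash: each signer decodes the bytes headed for the signing device on a path separate from the approval screen, and a digest is released only when a quorum of signers finds that the request matches the intent they agreed to out of band.

```python
import hashlib
import json

# Field names and the JSON encoding are assumptions made for this example.
CRITICAL_FIELDS = ("asset", "recipient", "amount_wei", "nonce")

def digest(tx):
    """SHA-256 over a canonical encoding of the fields that move funds;
    a stand-in for the transaction hash a real wallet would sign."""
    core = {f: tx.get(f) for f in CRITICAL_FIELDS}
    return hashlib.sha256(json.dumps(core, sort_keys=True).encode()).hexdigest()

def check_request(intent, raw_request, allowlist):
    """Decode the bytes headed for the signing device, independently of the
    approval UI, and compare them with the intent agreed out of band.
    Returns refusal reasons; an empty list means the request is consistent."""
    try:
        payload = json.loads(raw_request)
    except ValueError:
        return ["signing request is not decodable"]
    if not isinstance(payload, dict):
        return ["signing request is not a transaction object"]
    reasons = [f"{f}: approved {intent.get(f)!r}, device would sign {payload.get(f)!r}"
               for f in CRITICAL_FIELDS if payload.get(f) != intent.get(f)]
    if payload.get("recipient") not in tuple(allowlist):
        reasons.append("recipient is not on the withdrawal allowlist")
    return reasons

def quorum_release(intents_by_signer, raw_request, allowlist, threshold):
    """Each signer checks the request against their own copy of the intent.
    Returns (digest to sign, refusals); the digest is None below threshold."""
    refusals = {}
    for signer, intent in intents_by_signer.items():
        reasons = check_request(intent, raw_request, allowlist)
        if reasons:
            refusals[signer] = reasons
    approvals = len(intents_by_signer) - len(refusals)
    if threshold < 1 or approvals < threshold:
        return None, refusals
    return digest(json.loads(raw_request)), refusals

# Constructed sample data: placeholder addresses, not real ones.
ALLOWLIST = {"0xCONSTRUCTED_WARM_WALLET"}
INTENT = {"asset": "ETH", "recipient": "0xCONSTRUCTED_WARM_WALLET",
          "amount_wei": 5 * 10**18, "nonce": 71}
HONEST = json.dumps(INTENT).encode()
TAMPERED = json.dumps({**INTENT, "recipient": "0xCONSTRUCTED_UNKNOWN",
                       "amount_wei": 400_000 * 10**18}).encode()
```

Calling `quorum_release` with three signers who all hold `INTENT` releases a digest for `HONEST` and returns `None` for `TAMPERED`, with each signer's refusal naming the recipient and amount that differ from what was approved.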

How Does Off-Exchange Custody Work?

The off-exchange settlement model tackles counterparty risk head-on. Rather than depositing assets onto a platform, traders keep their assets in cold custody with a regulated custodian. Custody providers like Zodia Custody offer institutional custody infrastructure, allowing firms to access exchange liquidity through a settlement network that mirrors collateral and locks assets only when a trade executes.

Institutions can access the liquidity and product range of a centralised exchange via the gateway of independent cold custody.

BitMEX is now live on Zodia Custody's Interchange, one of the leading off-venue settlement networks. The integration allows institutional and professional clients to trade directly on BitMEX without needing to pre-fund onto the exchange, whilst their assets remain in Zodia's Trading Vault until settlement.

How Has BitMEX Maintained a Zero-Loss Record?

Since launching in 2014, BitMEX has never lost customer cryptocurrency through intrusion or hacking. In an industry where exchanges have collectively lost billions to hacks, fraud, and mismanagement, that track record is rare.

BitMEX was among the first exchanges to implement a multi-signature wallet system, requiring multiple approvals for any withdrawal. We publish Proof of Reserves and Proof of Liabilities bi-weekly, giving traders verifiable, up-to-date assurance that funds are stored and segregated.

The addition of Zodia Custody's Interchange network adds another option for institutional clients looking for an added layer of asset separation. Clients can get full access to the crypto derivatives markets while reaping the benefits of cold, segregated custody.

The Bottom Line

The infrastructure for proper crypto custody exists, and the solutions are more accessible than ever. The regulatory frameworks are maturing and the cost of getting custody wrong has been demonstrated in ways that no compliance team can ignore.

Where you trade matters just as much as how you trade. Exchanges with proven security records, transparent reserves, and independent custody options are no longer the exception.

Whether you custody directly on the platform or through an independent provider, make sure your assets are protected. Learn more about the BitMEX x Zodia Custody integration here.

Disclaimer: This article is provided for informational purposes only and does not constitute financial or investment advice. Readers should conduct their own research and consult with qualified advisors before making any decisions regarding digital asset custody or trading.

Frequently Asked Questions

What is a crypto custodian?

A crypto custodian securely stores and manages the private keys controlling digital assets on behalf of clients. In traditional finance, the equivalent is a custodian bank holding securities for investors. Crypto custodians provide security infrastructure, regulatory compliance, and operational controls that most institutions cannot build in-house.

What is the difference between self-custody and third-party custody?

Self-custody means you control your own private keys, typically using hardware wallets or proprietary infrastructure. Third-party custody means a regulated provider manages the keys on your behalf, with segregated storage, insurance, and compliance reporting. Most institutions use third-party custody because it meets fiduciary and regulatory obligations.

What is a hot wallet vs a cold wallet?

A hot wallet connects to the internet — fast and convenient for frequent transactions, but more exposed to cyber threats. A cold wallet stores private keys offline in physically secured environments, providing stronger protection against hacking. Institutional-grade custody primarily uses cold storage for the majority of client assets.

Do banks offer crypto custody?

Yes, a growing number of traditional financial institutions now offer crypto custody services, either directly or through regulated subsidiaries. Standard Chartered (through Zodia Custody), BNY Mellon, and several Swiss and German banks are notable examples. MiCA in the EU is accelerating this trend by providing a clear regulatory framework for custodians.

What happens to my crypto if the custodian goes under?

Your assets should be protected if the custodian uses properly segregated accounts, as client funds are held separately from the custodian's own balance sheet. In a bankruptcy, segregated assets should not form part of the custodian's estate. Segregation is the single most important feature to verify when choosing a custody provider.

What is an off-exchange settlement?

Off-exchange settlement allows institutions to trade on centralised exchanges without depositing assets directly onto the exchange. Assets remain in cold custody with an independent custodian, and collateral is mirrored or locked only when a trade executes. This reduces counterparty risk whilst maintaining access to exchange liquidity.

Is crypto custody regulated?

Crypto custody is becoming increasingly regulated. MiCA mandates proper custody arrangements in the EU. The UK FCA, Hong Kong AMLO, Singapore MAS, Abu Dhabi FSRA, and Australian ASIC all have frameworks covering digital asset custody. Coverage varies by jurisdiction, so verify the custodian's licencing in your specific market.