Is Multi-Institution Bitcoin Custody Safe? Collusion Risk Explained

Jackson Mikalic | VP, Business Development

Jun 1, 2025

Why Collusion Is a Legitimate Concern in Bitcoin Custody

Bitcoin is an absolutely scarce asset. There are only 21 million Bitcoin, which means it is critical to protect your share from all possible risks and threats.

Given the magnitude of the decision of how to secure your Bitcoin, every investor is right to ask: what happens if the custodians holding the keys in multi-institution custody coordinate in bad faith?

It is important to note that before multi-institution custody, investors had two binary options: trust a single custodian or manage their own keys.

With a single custodian, there is no need for collusion to occur; a single point of failure is all it takes. With self-custody, the investor bears all the responsibility and faces a different set of operational, inheritance, and security risks.

The fact that we are even discussing collusion is a sign of progress. It reflects the reality that multi-institution custody is a more resilient, distributed, and robust model that introduces meaningful checks and balances that did not exist before.

How Multi-Institution Custody Works

In Onramp’s multi-institution custody model, your Bitcoin is protected by three independent institutions. Each institution holds one key, and any two of the three are required to authorize a transaction from your vault at your explicit direction. No single party, not the client, not Onramp, and not any individual custodian, can move funds unilaterally.

Every withdrawal is verified through live video calls with trained operations team members across two independent institutions. These real-time interactions ensure that no movement of funds can occur without direct client participation, identity verification, and procedural compliance.

Importantly, the key management process follows a quorum of quorums architecture. Each institution internally shards its private key, requiring multiple individuals to participate in signing and others to authorize that signing. This means a single employee at a single institution cannot unilaterally sign or initiate a withdrawal.
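
The quorum-of-quorums rule described above, modelled as an added example (not Onramp's code): the staff names and the inner thresholds are constructed assumptions, since the page gives only the outer two-of-three rule. It checks whether a set of participating staff satisfies the policy and, by exhaustive search, finds the smallest number of people any transfer requires.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Institution:
    name: str
    signers: frozenset      # staff holding shards of this institution's key
    sign_threshold: int     # shard holders needed to sign (assumed value)
    authorizers: frozenset  # staff who approve a signing, separate from signers
    auth_threshold: int     # approvals needed (assumed value)

    def can_sign(self, participants: frozenset) -> bool:
        """Inner quorum: enough shard holders AND enough separate approvers."""
        return (len(self.signers & participants) >= self.sign_threshold
                and len(self.authorizers & participants) >= self.auth_threshold)


def vault_can_move(institutions, participants, outer_quorum=2) -> bool:
    """Outer quorum: at least two institutions complete their inner quorum."""
    return sum(i.can_sign(participants) for i in institutions) >= outer_quorum


def min_participants(institutions, outer_quorum=2) -> int:
    """Smallest staff set that satisfies the whole policy (exhaustive search)."""
    everyone = sorted(set().union(*(i.signers | i.authorizers for i in institutions)))
    for size in range(len(everyone) + 1):
        for combo in combinations(everyone, size):
            if vault_can_move(institutions, frozenset(combo), outer_quorum):
                return size
    raise ValueError("policy cannot be satisfied")


def staff(prefix: str, n: int) -> frozenset:
    return frozenset(f"{prefix}{k}" for k in range(1, n + 1))


# Constructed sample: three institutions with hypothetical inner thresholds.
VAULT = [
    Institution("A", staff("a-sign", 3), 2, staff("a-auth", 2), 1),
    Institution("B", staff("b-sign", 3), 2, staff("b-auth", 2), 1),
    Institution("C", staff("c-sign", 5), 3, staff("c-auth", 3), 2),
]

if __name__ == "__main__":
    all_of_a = VAULT[0].signers | VAULT[0].authorizers
    print("institution A alone:", vault_can_move(VAULT, all_of_a))      # False
    print("people needed for any transfer:", min_participants(VAULT))  # 6
```

With these assumed thresholds, every transfer needs at least six distinct people across two institutions, and a full set of shard holders without a separate approver does not count as an institution's signature.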

The security of this system rests on three layers of governance:

  • Technical Governance: Each private key is sharded and distributed within the institution using a quorum-based signing process. Several individuals are required to initiate and authorize a signature, introducing internal checks and balances.
  • Legal Governance: Each key-holding institution is bound by legal agreements that require them to act only on the explicit instructions of the client. Signing without client authorization is a clear breach of contract.
  • Game Theory and Brand Governance: These institutions have reputations to uphold and broader business lines to protect. Participating in an unauthorized transaction would destroy their credibility for the sake of a single wallet. It is not economically rational.

These key-holding institutions also operate other custody businesses where Bitcoin can be moved with far less oversight. If someone were intent on acting maliciously, they would logically target simpler systems they already control, rather than a multi-institutional vault that requires coordination between two separate companies, each with its own personnel, policies, and risk controls.

Taken together, these safeguards make collusion extraordinarily unlikely. Even if multiple individuals attempted to act maliciously, they would have to bypass rigorous technical processes, break binding legal agreements, and destroy the trust they have built in the market just to steal from a single wallet.

You can read more about this custody model in our article, How Does Multi-Institution Custody Work?

How Collusion Would Have to Occur in Practice

For a collusion event to occur, two of the three institutions would have to violate internal procedures, risk their business reputation, and work together to approve a fraudulent withdrawal. There would need to be coordination of several employees at multiple institutions who could bypass multiple layers of security, verification protocols, biometrics, and more to move funds in a controlled and monitored environment.

This is not simply pressing a button. It would involve a breakdown of checks, audit trails, identity reviews, and regulated operations across multiple companies. In other words, it is an extremely high-effort, high-risk, and high-cost path that would require coordination between attackers at multiple independent institutions.

Why Collusion Is Extremely Unlikely in This Model

  • Custodians manage institutional-grade infrastructure that requires multiple independent individuals to participate in signing
  • Custodians operate in different jurisdictions with independent legal, compliance, and operational obligations
  • In some cases, they are regulated entities that undergo ongoing external audits and monitoring
  • Systems have behavioral red flags and activity monitoring designed to detect anomalies
  • The reputational and legal risk of colluding is far greater than any potential gain

Even if several individuals within an organization attempted to act maliciously, the structure makes unauthorized transactions incredibly difficult to execute without immediate detection.

What Happens if One Custodian Turns Rogue?

The quorum model ensures that no single custodian can act alone. If one of the three institutions becomes compromised or non-cooperative, the client can still access their funds using the other two. Onramp also supports key rotation and custodian replacement when necessary.

This means clients retain recoverability and resilience even in the rare event that trust breaks down with one party.

Insurance as a Final Layer of Protection

While the risk of collusion is exceptionally low, every Onramp client is covered by a $100 million per incident insurance policy through Lloyd’s of London. This policy specifically includes protection against collusion and other extreme tail risks.

To obtain this coverage, Onramp underwent a rigorous underwriting and verification process to demonstrate the integrity of our custody model. The insurance is not the first line of defense; it is the final one. But for clients, it adds a meaningful layer of reassurance.

Final Thoughts

Collusion is a fair and important question to raise when evaluating any custody model. At Onramp, we believe trust is best earned through structure, not slogans.

Our model is designed to withstand even worst-case scenarios by separating power, requiring human verification, and involving multiple institutions with their own incentives, oversight, and risk controls.

If you are evaluating custody solutions and want help understanding how to assess design risks like collusion, our team is here to walk you through the trade-offs and protections built into multi-institution custody.

Learn more about our multi-institution custody solutions. → https://www.onrampbitcoin.com/products/multi-institution-custody

Our team is here to support you in your decision-making process. We’ve guided thousands of clients and can help you make the right decision for your circumstances - book a consultation.

