The Evolution of Bitcoin Custody
Brian Cubellis | Chief Strategy Officer
Aug 13, 2024
The Evolution of Bitcoin Custody: From Single Custodians to Multi-Institution Security
Custody is one of the oldest problems in finance. From the grain storehouses of ancient Mesopotamia to the vaulted chambers of Renaissance banking to the clearing houses of modern capital markets, every era of financial history has produced its own institutional answer to the same fundamental question: who holds the assets, and how do we know they are safe?
Bitcoin reframes that question in ways that have no precedent. Unlike every asset that came before it, Bitcoin is a digital bearer instrument whose ownership is determined entirely by control of a cryptographic private key. There is no bank to call, no insurance recovery process, no court that can reverse a transaction. If the key is lost or stolen, the Bitcoin is gone. This finality raises the stakes of custody to a level that traditional financial infrastructure was not designed to address.
The response has been an evolution of custody models, each attempting to balance security, control, and operational practicality. Understanding that evolution, and the incentive structures that make each model work or fail, is essential for any investor or institution making a serious Bitcoin allocation decision.
The Long History of Centralized Custody and Its Recurring Failures
The concept of financial custody traces its origins to the communal resource management of early agricultural societies. Ancient Mesopotamian temples stored grain surpluses and precious metals, with priests playing the role of early bankers, managing deposits and extending credit. Medieval Italian city-states (Florence, Venice, and Genoa) developed more sophisticated banking concepts, including double-entry bookkeeping and the bill of exchange, that became the foundation of modern financial systems.
Throughout this history, a consistent pattern emerged: as financial institutions centralized wealth and control, systemic vulnerabilities followed. Concentration of power led to market manipulation and economic disparity. Opacity in decision-making enabled misuse of funds. The Great Depression of the 1930s and the Global Financial Crisis of 2008 both demonstrated how centralized financial practices (high-risk lending, inadequate oversight, and systemic governance failures) could generate global economic disruption from a single point of institutional failure.
Regulatory frameworks emerged in response to each crisis, but they addressed symptoms rather than the underlying cause. The fundamental structure of centralized control remained, and with it, the recurring potential for the same failures. Bitcoin was designed in the immediate aftermath of the 2008 crisis as a direct response to this recurring vulnerability.
Bitcoin as a Digital Bearer Instrument
Bitcoin's most important and most consequential property for custody purposes is that it functions as a digital bearer instrument. Ownership is determined entirely by control of a private key. Unlike traditional financial assets, where transactions can be reversed or errors corrected by financial institutions, Bitcoin transactions are immutable once confirmed on the blockchain. There is no recourse after a loss. Bitcoin does not benefit from FDIC insurance or similar protections. If the key is compromised, the Bitcoin is gone permanently.
Unlike physical bearer instruments like gold, which can be secured with physical measures such as safes and vaults, Bitcoin requires cryptographic security. Private keys, whether stored in hardware wallets or software systems, must be protected against unauthorized digital access and against physical theft or loss. The combination of irreversibility and cryptographic nature makes Bitcoin custody fundamentally different from the custody of any traditional asset. It demands solutions that are both more technically sophisticated and more operationally fault-tolerant than anything traditional financial infrastructure was built to provide.
Bitcoin's architecture also provides a capability that gold and every other physical bearer asset cannot offer: native multisignature technology, which enables distributed custody with cryptographic enforcement.
The Power of Bitcoin's Native Multisignature Technology
Bitcoin's multisignature (multisig) mechanism allows control over assets to be distributed among multiple parties, requiring a predefined number of signatures before any transaction can be executed. A 2-of-3 multisig arrangement, for example, requires any two of three designated parties to sign a transaction before it can be broadcast to the network. No single party has unilateral control. This is a capability that is native to Bitcoin's protocol, enforced by the cryptography itself rather than by any institutional policy or legal agreement.
Gold cannot be multisigned. Equities cannot be multisigned. No physical asset has an equivalent mechanism for distributing control without trusting any single party. Bitcoin's multisig capability is unique in the history of money, and it is the technical foundation that makes Multi-Institution Custody possible.
The Custody Spectrum: From Single Entity to Multi-Institution
Single Third-Party Custody
The earliest and still most common institutional Bitcoin custody model concentrates all key management within a single entity, whether an exchange, trust company, or custodial service provider. Some large custodians implement internal multisig, requiring multiple keys to authorize transactions. But even when internal multisig is used, a single institution controls all the keys. That institution remains a single point of failure: a hack, an insider threat, a regulatory seizure, or an insolvency event can expose the entire custodied position.
An alternative implementation, Multi-Party Computation (MPC), shards a single cryptographic key across multiple parties rather than using Bitcoin's native multisig with truly independent keys. MPC arrangements are generally proprietary, requiring trust in the vendor's specific security implementation. Unlike native multisig, which involves multiple fully independent keys enforced at the protocol level, MPC's reconstitution of shards to sign a transaction can reintroduce a single point of failure at the moment the shards are combined.
Self-Custody
Self-custody gives the Bitcoin owner complete control over their own private keys, eliminating reliance on any third party. This approach is the most philosophically aligned with Bitcoin's design principles, but it places the entire burden of security on the individual. Single-signature self-custody requires deep cryptographic knowledge and rigorous operational discipline. Multi-signature self-custody improves security by distributing key control, but demands careful coordination among key holders. Both models require ongoing technical maintenance and make inheritance planning complex and operationally risky.
For individuals and family offices managing significant Bitcoin positions, the operational burden of self-custody scales poorly with asset value. The larger the position, the higher the stakes of any security failure, and the more demanding the technical requirements become.
Collaborative Multi-Signature Custody
Collaborative multisig custody divides key control between the client and a trusted service provider, typically in a 2-of-3 arrangement where the custodian holds one or two keys and the client holds the rest. This model reduces the client's burden by delegating some key management responsibilities. However, if either the custodian or the client holds two of the three keys, that party is still a single point of failure. The model also does not fully remove the technical complexity of key management from the client relationship.
Multi-Institution Custody
Multi-Institution Custody distributes keys across three fully independent entities, each with distinct ownership, management, governance, and financial interests. No single institution has unilateral control. The client's explicit direction is required to authorize any movement of funds, and that authorization requires the cooperation of at least two independent institutions. The client removes themselves from the management of private keys entirely while retaining control over their assets.
This model eliminates single points of failure at both the technical and institutional levels. The three independent institutions have no shared ownership, no shared management, and no shared infrastructure. An attack, compromise, or failure affecting one institution cannot propagate to the others.
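The 2-of-3 script from the multisignature section and the key-distribution point made across the custody spectrum, as an added example (not Onramp's or any custodian's code): it builds the `OP_2 <key> <key> <key> OP_3 OP_CHECKMULTISIG` script, derives the output script a vault would be funded at, parses a script back to its threshold and keys, and flags any holder that alone controls a quorum. P2WSH is assumed as the script type (the page does not name one), and the keys and holder names are constructed placeholders.

```python
import hashlib
from collections import Counter

OP_0, OP_CHECKMULTISIG = 0x00, 0xAE

def op_n(n: int) -> int:
    """Small-integer opcode: OP_1..OP_16 are 0x51..0x60."""
    if not 1 <= n <= 16:
        raise ValueError("n must be 1..16")
    return 0x50 + n

def multisig_witness_script(m: int, pubkeys: list[bytes]) -> bytes:
    """OP_m <pk1>..<pkn> OP_n OP_CHECKMULTISIG, keys sorted lexicographically (BIP 67 order)."""
    if not 1 <= m <= len(pubkeys):
        raise ValueError("threshold must be between 1 and the number of keys")
    if any(len(pk) != 33 for pk in pubkeys):
        raise ValueError("expected 33-byte compressed public keys")
    body = b"".join(bytes([33]) + pk for pk in sorted(pubkeys))
    return bytes([op_n(m)]) + body + bytes([op_n(len(pubkeys)), OP_CHECKMULTISIG])

def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """P2WSH output script: OP_0 followed by a push of SHA-256(witness script)."""
    return bytes([OP_0, 32]) + hashlib.sha256(witness_script).digest()

def parse_multisig(script: bytes) -> tuple[int, list[bytes]]:
    """Recover (m, pubkeys) from a multisig script; reject anything else."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a multisig script")
    m, n = script[0] - 0x50, script[-2] - 0x50
    body = script[1:-2]
    if not (1 <= m <= n <= 16) or len(body) != 34 * n:
        raise ValueError("malformed multisig script")
    if any(body[i] != 33 for i in range(0, len(body), 34)):
        raise ValueError("unexpected push length")
    return m, [body[i + 1:i + 34] for i in range(0, len(body), 34)]

def unilateral_holders(m: int, holder_of: dict[bytes, str]) -> list[str]:
    """Holders that alone control at least m keys, i.e. a single point of failure."""
    counts = Counter(holder_of.values())
    return sorted(h for h, c in counts.items() if c >= m)

# Constructed placeholder keys: hash-derived bytes, not real custodian keys.
def demo_key(label: str) -> bytes:
    return b"\x02" + hashlib.sha256(label.encode()).digest()

KEYS = [demo_key(x) for x in ("institution-A", "institution-B", "institution-C")]
SCRIPT = multisig_witness_script(2, KEYS)
```

Because the keys are sorted before the script is assembled, every party derives the same script and output from the same key set, so a client can recompute it and compare it against the vault they were shown.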
"Multi-Institution Custody eliminates single points of failure at both the technical and institutional levels. Three independent entities, distinct ownership, distinct management, distinct infrastructure. No unilateral control. No shared vulnerability."
The Incentive Structures That Make Multi-Institution Custody Work
The security of Multi-Institution Custody is not only a function of its technical architecture. It is also a function of the incentive structures it creates among the participating institutions.
Checks and Balances Through the 2-of-3 Quorum
In a 2-of-3 quorum arrangement, transactions require the approval of at least two independent institutions. No single institution can authorize a transfer unilaterally. This requirement creates a structural check on the behavior of each participant: any institution that wished to act in bad faith would need the active cooperation of at least one other institution, and that cooperation is highly unlikely given the distinct ownership and reputational stakes of each participant. The 2-of-3 structure makes bad-faith collusion not merely prohibited but economically irrational.
Fiduciary and Reputational Incentives
Each institution in a Multi-Institution Custody arrangement has powerful incentives to maintain rigorous security and to act in the client's best interest. Reputational damage from a security breach or custodial failure would be publicly auditable and commercially devastating for a regulated institution. Financial incentives align each custodian's economic wellbeing with the security of client assets. The transparency of blockchain-based multisig transactions means that custodial actions are permanently recorded and publicly verifiable, creating a real-time accountability mechanism that traditional custody arrangements cannot replicate.
Good Faith Enforcement Through Transparency
Multi-Institution Custody does not merely prevent bad actions. It actively promotes good faith behavior. The transparent, auditable nature of Bitcoin transactions means that all parties are continuously aware that their actions are subject to oversight by both peers and clients. This transparency functions as a deterrent against any form of malpractice and as an ongoing enforcement mechanism for maintaining the highest standards of conduct.
Multi-Jurisdictional Custody: An Additional Layer of Resilience
As Bitcoin gains global adoption, the complexity of custody solutions must scale to match the sophistication of the threats they face, including state-level actors and organized criminal enterprises. Multi-jurisdictional key quorums, in which each institution holding a key operates in a distinct legal jurisdiction, provide an additional layer of protection that single-jurisdiction custody cannot offer.
Onramp's partnership with Tetra Trust, Canada's first and only qualified digital asset custodian, enables a three-country custody structure: BitGo in the United States, CoinCover in the United Kingdom, and Tetra Trust in Canada. Regulatory action in any single jurisdiction cannot compromise the full custody arrangement because the remaining keys are held by institutions operating under different legal frameworks. Political instability, localized infrastructure failures, or jurisdiction-specific regulatory changes affect only one leg of the custody structure, not the whole.
Each custodian's compliance with its own regional regulatory requirements adds a further layer of legal accountability. Multi-layered regulatory compliance across three distinct jurisdictions is a level of institutional rigor that single-custodian models cannot match.
Security in a High-Value Environment
Bitcoin's appreciation has made every wallet a more attractive target for sophisticated adversaries, from organized cybercriminals to state-sponsored actors. As Bitcoin's prominence and value increase, so does the public awareness of where large positions are held, intensifying the risk for any custody model that relies on a single entity or a single point of defense.
Multi-Institution Custody addresses this directly by removing the conditions that make large custodied positions attractive targets. An attacker seeking to compromise a multi-institution arrangement must simultaneously breach multiple independent, high-security institutional environments in separate jurisdictions, each with its own security protocols, cryptographic infrastructure, and personnel. The complexity of such an attack exceeds the realistic capability of virtually any threat actor. Individual holders or single-custodian models present far more accessible targets by comparison.
Multi-Institution Custody also reduces the attack surface for individual clients. Clients no longer manage the operational security of their keys on a day-to-day basis. Professional institutions with rigorous, audited security protocols handle key management. The client retains control over their assets through the explicit direction requirement but is no longer personally responsible for the cryptographic infrastructure that secures those assets.
Choosing the Right Custodians
The effectiveness of any Multi-Institution Custody arrangement depends critically on the quality of the institutions that participate in it. Each custodian must demonstrate a track record of security, financial health, regulatory compliance, and technological capability. The selection process must assess historical security performance, the robustness of internal controls, compliance with relevant regulations in each operating jurisdiction, and the quality of the custody technology employed.
Custodian selection is not a one-time decision. Ongoing assessments and independent audits are necessary to ensure that each institution maintains compliance with agreed-upon standards and adapts appropriately to new security challenges. Transparency in operations and decision-making builds trust among clients and among the custodians themselves, a crucial property in a model where coordination and cooperation between institutions directly determines the security of client assets.
The Step-Function Improvement
Multi-Institution Custody represents a step-function improvement over every prior model in the Bitcoin custody spectrum. It distributes trust across multiple fully independent institutions, eliminates single points of failure at both the technical and institutional levels, creates powerful incentives for all participants to act in the client's best interest, and allows clients to retain control over their assets without bearing the operational burden of key management.
The game theory underpinning the 2-of-3 quorum is particularly robust: the structure makes collusion economically irrational, bad faith behavior publicly visible, and unilateral control structurally impossible. No other custody model achieves this combination of properties.
Onramp was built on the conviction that Bitcoin is the most important asset for investors to understand as they position their portfolios for the decades ahead. The custodial architecture that delivers on Bitcoin's promise of financial sovereignty and security is Multi-Institution Custody. Onramp provides that architecture through its partnership with BitGo, CoinCover, and Tetra Trust, with segregated on-chain vaults legally titled to each client, SOC 2 compliant controls, and Lloyd's of London insurance coverage. Contact Onramp to learn how Multi-Institution Custody can serve as the foundation of your Bitcoin strategy.
