We found it hard to overlook a recent claim from a competitor describing their custody solution as “the most impenetrable on the market.” This got us thinking. What does “impenetrable” really mean? In a market filled with complex and conflicting terms—cold, hot, warm storage, self-custody, managed custody, custodial and non-custodial wallets, online and offline solutions—it’s no wonder institutions are struggling to identify what’s truly secure and what’s the best fit for their needs. Digital asset custody isn’t about being “the least hackable,” or “the most secure out there.” You’re either impenetrable, or you’re not. What Is Impenetrable Custody? Impenetrable Custody means nothing can get through. Period. For custody solutions to be impenetrable, they must be completely disconnected with no external input. Zero input from the internet means zero opportunities for malicious actors to breach the system and get their hands on private keys—the keys to control these assets. It’s an absolute. Your custody solution is either impenetrable, or it’s vulnerable. No exceptions. So don’t be fooled by custody providers talking about “truly cold” or “the most impenetrable” solutions. Impenetrable custody doesn’t come on a scale. Which brand would you go for? Storage methods for digital assets There are several methods of storing digital assets and each comes with its own level of security. Impenetrable Custody is the most secure method of storing digital assets. Some custody solution providers tend to blur the lines, and we’re here to help you set things straight with this glossary: Hot / Warm custody solutions: These are always online, providing instant access for rapid transactions but introducing greater vulnerability due to their internet connectivity, as shown in many incidents over the years. Multi-Party Computation (MPC) wallets—often classified as warm wallets—allow multiple parties to maintain control of private key fragments. However, as seen in the Liquid hack ($90M stolen, see below), MPC wallets connected to the internet remain susceptible to outside hacks. Cold custody solutions: Often marketed as offline, cold wallets are not always disconnected as advertised. While they are partially or intermittently connected to the internet, some providers claim a level of security that may not reflect the true risks. In the case of the DMM hack ($305M stolen), we can safely assume, based on local Japanese regulations requiring custodians to keep 95% of their assets in cold custody solutions, that some of the funds were certainly stolen from cold wallets (see below). This highlights the vulnerability of cold custody solutions that require an internet connection. Impenetrable Custody solutions: GK8 created the market’s first and most secure Impenetrable Custody solution guaranteeing zero input from the internet. By remaining offline with no external connectivity, GK8’s Impenetrable Vault offers theft-proof security, free from the vulnerabilities associated with online access. Some solutions marketed as cold have unclear connectivity, while GK8’s Impenetrable Vault provides an absolute zero-input guarantee, setting a new standard for digital asset security. Pyramid of custody, from warm to Impenetrable Lessons from real-world hacks Let’s take a look at some real-world hacks that highlight where traditional custody solutions alone have fallen short: DMM hack: DMM Bitcoin, a Japanese crypto exchange, lost over 4,500 Bitcoin (BTC)—worth more than $300 million. Local regulations in Japan require custodians to keep 95% of their assets in cold custody solutions that should be always offline. The amount stolen could only have come from both hot and cold wallets. Liquid Global hack: The Japanese exchange Liquid lost more than $90 million in a hack that targeted its MPC system. MPC systems are always connected to the internet and this exposure introduced risks that were ultimately exploited. WazirX hack: WazirX lost over $230 million when its multisig wallet, powered by Liminal’s digital asset custody infrastructure, was compromised. The attack illustrated the vulnerabilities in multisig solutions, particularly around key management and human oversight. These incidents highlight a common theme: anything short of total isolation from the internet and from external input is not impenetrable. When planning your custody strategy, it’s crucial to remember this principle. It’s important to realize that every blockchain transaction necessitates a digital input, and any online connection to a custody solution exposes its private keys to potential cyberattacks. Protecting assets while enabling operational efficiency For financial institutions, choosing the right custody setup requires balancing security and accessibility. We recommend a layered approach based on the smart distribution of your digital assets to set the right balance. As an example, consider the following: Long-term security: Store 80% of your treasury in an Impenetrable Custody solution to ensure the highest level of protection. With zero internet connectivity, it provides absolute security, shielding assets from any online threats. Operational flexibility: For daily transactions, allocate around 20% of your treasury to an MPC solution. MPCs are ideal for high-speed, secure access. GK8’s unique uMPC reduces the risks commonly associated with MPCs, providing enhanced security by enabling an unlimited number of co-signers, and ensuring high transactional speeds and resilience. This balanced strategy aims to protect your assets while meeting operational needs, giving you a robust, reliable system designed for both security and accessibility. Plan your custody strategy carefully: Key takeaways for financial institutions Here’s what you should keep in mind when planning your custody strategy: Ask the right questions: Is the solution always offline? Who manages the private keys? Does the system allow for any external input, or is it completely isolated? Understand the level of internet connectivity, and ensure it matches your needs and makes a good fit for your AUM. Combine custody solutions: Make sure to use more than one solution to balance both your security and accessibility needs. Don’t be fooled by marketing: Claims of “most impenetrable” are red flags. Impenetrable is binary; it either is or isn’t. Every blockchain transaction requires an online input, which inevitably calls for an internet connection—so ask providers of ‘cold’ solutions how they obtain this input with their so-called ‘offline’ or ‘cold’ offerings. Keep your reputation in mind: As the financial world moves into the digital age, your customers will demand absolute security for their assets and their trust in you is your most valuable asset. Choose Impenetrable Custody as the foundation of your custody strategy. To provide your clients with the peace of mind they need to place their trust in you, consider using additional custody solutions for daily operations, combined with GK8’s Impenetrable Vault. And the next time someone tries to sell you on the “most impenetrable” solution, ask them a simple question: Is it impenetrable? Their answer should be equally simple—yes or no. Learn more about GK8’s Impenetrable Custody solution: Schedule a demo now. Legal Disclosure: This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates including GK8 (“Galaxy Digital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the digital assets or companies mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Affiliates of Galaxy Digital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. For all inquiries, please email contact@galaxydigital.io. ©Copyright Galaxy Digital Holdings LP 2024. All rights reserved.