Custody at scale: who is actually holding your money?

Why scale changes the custody question

For an individual buying crypto, the custody decision is relatively simple. Use an exchange for convenience. Use a hardware wallet for meaningful balances. We covered this in Module 4.

For an institution buying meaningful crypto, the question is fundamentally different. A hardware wallet doesn't work when:

• You have ten people who need transaction approval authority
• You need an audit trail showing who approved what and when
• You are regulated and must report holdings to multiple agencies
• You need insurance against theft or operational failure
• You hold billions of dollars and a single device is a single point of failure
• You need integrations with accounting, treasury, and compliance systems

This is the institutional custody problem, and it has spawned an entire industry of qualified custodians, multi-signature schemes, and MPC architectures. Understanding this stack is the difference between knowing crypto exists and knowing how the institutional money actually moves.

The custody spectrum

Crypto custody is not binary. It is a spectrum.

At one end is pure self-custody: you control the keys, no third party has access. This is what a hardware wallet provides. Maximum control, maximum personal responsibility.

At the other end is fully delegated custody: a regulated custodian holds and manages the keys, you hold a contractual claim. This is what Coinbase Custody, Fidelity Digital Assets, and BitGo provide for institutional clients. Maximum convenience and regulatory compliance, requires trust in the custodian.

In between are hybrid models: multi-signature setups where you hold some keys and the custodian holds others, requiring multiple parties to sign each transaction.

The right point on this spectrum depends entirely on the entity making the choice. An individual investor holding $50,000 of crypto for the long term: hardware wallet, full self-custody. A registered investment advisor managing $50 million of client crypto: qualified custodian, no self-custody (it would be a regulatory violation). A treasury company holding $5 billion of Bitcoin: institutional-grade infrastructure with multisig, MPC, and qualified custodianship.

The three technical pillars

Three technical primitives underpin institutional crypto custody.

Multi-signature (multisig). A multisig wallet requires multiple keys to sign a transaction. Common configurations are 2-of-3 (any two of three designated keyholders can sign) or 3-of-5. This eliminates single points of failure — losing one key does not lose access to the funds, and one compromised key cannot drain the wallet. Multisig is well-supported on Bitcoin via native scripts and on Ethereum via smart-contract wallets like Safe (formerly Gnosis Safe).

MPC (Multi-Party Computation). MPC cryptographically splits a single key into shares distributed across multiple parties. The parties can collectively sign transactions without ever reconstructing the full key in one place. The blockchain sees a single signature; the custodian's infrastructure sees a distributed signing ceremony. Fireblocks pioneered MPC for institutional custody. It offers the security benefits of multisig with cleaner UX and chain-agnostic support.

Cold storage. Cold storage means keys are generated and stored on devices that have never been connected to the internet. Air-gapped hardware. Often kept in physical vaults. Movements out of cold storage typically require multi-party approval and physical access. This is the foundation of institutional custody for long-term holdings. The fastest Bitcoin moves on a major exchange's hot wallet happen instantly; movements out of the exchange's cold storage can take hours or days because they involve physical access and multi-party approval.

Most institutional custody combines all three. Multisig for redundancy, MPC for distributed signing, cold storage for long-term holdings. The hot/cold ratio is a key risk parameter — what percentage of holdings are accessible quickly (hot) versus locked away in deep cold storage.

The major qualified custodians

By assets under custody and institutional adoption, the dominant players are:

Coinbase Custody. A separately licensed entity from Coinbase's exchange business, qualified as a New York trust company. Holds Bitcoin for most of the US spot Bitcoin ETFs (BlackRock's IBIT among them). Among the largest crypto custodians by AUM.

Fidelity Digital Assets. Custody arm of Fidelity. Holds Bitcoin for Fidelity's FBTC and for institutional clients. Benefits from Fidelity's deep institutional relationships and regulatory expertise.

BitGo. One of the oldest crypto custodians (founded 2013). Provides custody for many trading firms, market makers, and lenders. Uses multisig as its primary architecture.

Anchorage Digital. First federally chartered crypto bank (US Office of the Comptroller of the Currency). Heavily MPC-based. Targets banks, asset managers, and crypto-native institutions.

Fireblocks. Not a custodian itself, but the dominant institutional custody platform. Provides MPC-based infrastructure that institutions use to manage their own custody operations. Used by many exchanges, OTC desks, and treasury operations.

For an institution choosing a custodian, the practical questions are: what is the regulatory profile (qualified custodian status matters for many use cases), what insurance is in place, what is the operational track record, what integrations are needed.

What the spot Bitcoin ETFs actually use

When BlackRock launched IBIT in January 2024 — the spot Bitcoin ETF that became one of the fastest-growing ETFs in history — the SEC required that the underlying Bitcoin be held by a qualified custodian. BlackRock chose Coinbase Custody.

This is significant. BlackRock — the largest asset manager in the world, with $11+ trillion under management — could not just hold the Bitcoin themselves. The regulatory framework for ETFs holding crypto requires qualified custodianship. And in 2024, Coinbase Custody was the dominant qualified custodian for Bitcoin.

The same pattern repeats across the spot Bitcoin ETF stack. Fidelity's FBTC uses Fidelity Digital Assets. Bitwise, Grayscale, and several others use Coinbase Custody.

Knowing this tells you something important about systemic risk in the institutional Bitcoin market. A meaningful percentage of all institutional Bitcoin holdings sits with a small number of custodians, primarily Coinbase Custody. If that custodian had a major operational failure, the impact would ripple across multiple major institutional positions simultaneously. This is not a reason to avoid the ETFs — Coinbase Custody has operated at scale without major incident — but it is a structural fact worth knowing.

What this means for individual users

Most individual users will never directly use a qualified custodian. The minimum balances and account requirements rule out most retail. But the architecture matters indirectly for several reasons.

If you hold a spot Bitcoin ETF, your effective custody is with the ETF's chosen qualified custodian. You are exposed to that custodian's operational risk, layered with the ETF issuer's organizational risk, layered with broker-dealer risk through your brokerage account. This is multiple layers of trust compared to direct Bitcoin self-custody.

If you use a centralized exchange like Coinbase for retail crypto, the exchange itself uses institutional custody infrastructure to hold the aggregate customer balance. You are trusting that the exchange's segregation, accounting, and operational practices are sound — the same trust assumption that failed at FTX.

If you ever manage crypto on behalf of others (a family office allocator, a fund manager, a corporate treasurer), the custody decision is not optional and not trivial. Regulatory and fiduciary obligations require institutional infrastructure. The choices made by Strategy, BlackRock, and the major foundations are not arbitrary — they reflect the actual constraints of institutional capital.

The practical takeaway

Custody at scale is not just self-custody at higher numbers. It is a different problem with different infrastructure and different participants.

For individuals: hardware wallet for meaningful balances, exchange for active small balances, do not put life-changing money on exchanges.

For institutions: qualified custodians, multisig and MPC architectures, cold storage for long-term holdings, insurance as the backstop. The choice of custodian is a meaningful strategic decision, not a logistical one.

Knowing how this layer works gives you the framework to evaluate institutional crypto firms (which custodian do they use? which architecture? what insurance?) and to understand the systemic dynamics of institutional crypto holdings (where does the concentration actually sit?).

The next module digs into where yield actually comes from in crypto — distinguishing real yield from token-emission yield, and explaining how proof-of-stake validators actually earn what they earn. After custody, where the money sits, the next question is where the money grows.