Hot Wallets: Convenience or Catastrophe? Lessons from Exchange Hacks

Category: Blockchain Security

POSTED BY: Rob Behnke

07.24.2025

Hot wallets are the most convenient way to store crypto, ensuring that funds are always available as needed. However, they’re also the most dangerous, since funds that are easily accessible to their owner are also easier for an attacker to access. This point is most clearly made by hacks of centralized cryptocurrency exchanges (CEXs). Often, these attacks take advantage of compromised private keys to drain millions from exchange accounts.

What is a Hot Wallet?

Crypto wallets are defined by where the private keys that they manage are stored. Hot wallets store private keys on networked computers, while cold wallets use a standalone, non-networked device to store private keys. Hardware wallets are one example of a cold wallet: a device that connects to a computer via USB, Bluetooth, or NFC and digitally signs transactions sent to it.

Hot and cold wallets represent a tradeoff between convenience and security. Since hot wallets store keys on devices connected to the Internet, it’s possible to use the same device to sign a transaction and submit it to the blockchain. However, this also means that these private keys are more vulnerable to theft if an attacker compromises the computer used to store the private key. In contrast, cold wallets are more inconvenient to use but are more secure because they are more difficult for an attacker to access.

The Hot vs Cold Wallet Tradeoff for Crypto Exchanges

Often, crypto exchanges use a mix of hot and cold wallets to store their funds. This creates a balance between convenience and security for the organizations and their customers.

The majority of a CEX’s funds are likely kept in cold storage. This makes them more difficult to access and offers a higher level of security for the organization and its users. The use of cold wallets takes advantage of the fact that an exchange is likely to be storing a certain amount of crypto at any one time, given that deposits can offset or exceed withdrawals.

However, storing all of its crypto in cold wallets creates a poor user experience since customers would have to wait to complete a withdrawal. This makes it impossible to use exchanges for arbitrage or other transactions that require the ability to have funds immediately available.

For this reason, exchanges will keep a certain percentage of their funds in hot wallets, making them immediately accessible. This percentage is usually selected to ensure that the exchange has sufficient funds on hand to meet expected levels of withdrawals. If these hot wallet holdings dip too low or rise too high, the exchange can transfer crypto from/to their cold wallets to hit the desired target.
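The rebalancing rule described above can be written as a band around a target balance. This is an added example, not code from the original post or from any exchange; the band values, units and hourly flows are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FloatPolicy:
    target: int  # desired hot-wallet balance
    low: int     # refill from cold storage when the balance falls below this
    high: int    # sweep to cold storage when the balance rises above this

def rebalance(hot, policy):
    """Signed transfer to restore the target: >0 cold-to-hot, <0 hot-to-cold."""
    if hot < policy.low or hot > policy.high:
        return policy.target - hot
    return 0

def simulate(start, net_flows, policy):
    """Apply each interval's net flow (deposits minus withdrawals), then rebalance.

    A negative balance means withdrawals are queued until cold storage refills
    the hot wallet, which is the user-experience cost the band has to avoid.
    """
    hot, transfers, peak, worst_deficit = start, [], start, 0
    for flow in net_flows:
        hot += flow
        peak = max(peak, hot)                     # most an attacker could take
        worst_deficit = max(worst_deficit, -hot)  # withdrawals left waiting
        move = rebalance(hot, policy)
        transfers.append(move)
        hot += move
    return {"final": hot, "transfers": transfers,
            "peak_exposure": peak, "worst_deficit": worst_deficit}

# Constructed sample: balances in BTC, one net flow per hour.
POLICY = FloatPolicy(target=1000, low=600, high=1400)
FLOWS = [-150, -300, 200, 700, -100, -1300]

if __name__ == "__main__":
    print(simulate(1000, FLOWS, POLICY))
```

The peak exposure can exceed the upper bound for one interval, because the sweep to cold storage only happens after the deposits have arrived.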

Hot Wallets are Common Targets in Crypto Exchange Hacks

Storing funds in hot wallets is essential for exchanges to meet customer service expectations. However, it also increases an exchange’s vulnerability to cybercriminals. Several major DeFi hacks have involved CEXs losing millions due to stolen private keys, including:

  • Mt. Gox: The 2014 hack of Mt. Gox involved 850,000 BTC stolen via compromised keys

  • DMM Bitcoin: DMM Bitcoin was hacked in 2024 for $304 million in one of the top ten crypto hacks to date

  • Phemex: In January 2025, Phemex suffered a $73 million hack likely due to compromised keys

While these attacks involved attackers directly accessing private keys, this is not the only way that attackers exploit CEXs’ hot wallets. Increasingly, cybercriminals are using more sophisticated techniques to trick custodians of private keys into digitally signing malicious transactions.

This was the case in the WazirX hack of July 2024, in which an estimated $235 million was stolen from the CEX. The attacker exploited an issue with the Liminal frontend to trick signers into approving a transaction that handed over control of the project’s multi-sig wallet.

Key Takeaways from CEX Hacks

CEX hacks are regrettably common because exchanges are high-value targets that commonly keep a portion of their funds in hot wallets. Some key takeaways from major exchange breaches include the following:

  • Hot Wallets Are Major Targets: The majority of CEX hacks target hot wallets, whose private keys are easier for an attacker to access. Since exchanges need to keep a portion of their holdings in hot wallets to serve their customers, they are a prime target.


  • Multi-Sig Is Essential: Many hacks of major exchanges have taken advantage of the fact that hot wallets were protected by a single private key. While attackers have breached exchanges using multi-sig wallets, these attacks are more difficult to perform.


  • Not All Keys Are Compromised: While many CEX hacks involve stolen keys, attackers also use social engineering to achieve their goals. Some major hacks have involved exploiting vulnerabilities or using trickery to induce a legitimate user to digitally sign a malicious transaction.


  • Infrastructure Security Is Vital: Major CEX hacks, like the Bybit and WazirX hacks, involved attacks against frontend systems. Ensuring that software is patched and monitoring for suspicious transactions is vital for security.
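One control against signers being tricked by a frontend is to decode the payload independently and compare it with the approved withdrawal before signing. The sketch below is an added example, not code from the original post or from any wallet vendor; the payload fields, method names and addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical names for wallet-administration actions. A real deployment
# would list the method selectors of its own multi-sig contract here.
ADMIN_METHODS = {"add_owner", "remove_owner", "change_threshold", "set_implementation"}

@dataclass(frozen=True)
class Transfer:
    to: str
    amount: int
    asset: str
    method: Optional[str] = "transfer"  # contract method the payload invokes

def review(payload, approved, allowlist):
    """Compare the decoded payload with the approved request.

    Returns the reasons to refuse signing; an empty list means the payload
    is exactly the withdrawal that was approved.
    """
    findings = []
    if payload.method in ADMIN_METHODS:
        findings.append("wallet-administration call: " + payload.method)
    elif payload.method != "transfer":
        findings.append("unexpected method: " + str(payload.method))
    if payload.to != approved.to:
        findings.append("destination differs from approved request")
    if payload.to not in allowlist:
        findings.append("destination not on withdrawal allowlist")
    if (payload.asset, payload.amount) != (approved.asset, approved.amount):
        findings.append("asset or amount differs from approved request")
    return findings

# Constructed sample data; the addresses are placeholders.
ALLOWLIST = {"addr-customer-1", "addr-customer-2"}
APPROVED = Transfer("addr-customer-1", 25, "ETH")
HONEST = Transfer("addr-customer-1", 25, "ETH")
# Displayed to the signer as the approved withdrawal, but encodes a change
# of control over the multi-sig wallet itself.
SWAPPED = Transfer("addr-multisig-wallet", 0, "ETH", method="set_implementation")

if __name__ == "__main__":
    for name, p in (("honest", HONEST), ("swapped", SWAPPED)):
        print(name, review(p, APPROVED, ALLOWLIST) or "ok to sign")
```

The check only helps if it runs on a system separate from the frontend that presents the transaction, so that one compromise cannot alter both views.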

Protecting Against Hot Wallet Hacks

For the average user, the best way to protect against compromised hot wallets is to avoid using them entirely. Unless you need the ability to make rapid or automated transactions, storing private keys on a standalone device reduces risk with minimal operational impact.

If this isn’t a possibility, then the next best option is to ensure that all hot wallets are protected using multi-sig. Securing funds with multiple private keys reduces the risk that an attacker will be able to compromise enough of them to perform malicious transactions. However, this assumes that all keys are stored separately and properly protected.

Organizations can further reduce their risk by minimizing the funds that could be lost by a compromised account. Maintaining multiple hot wallets — and storing their keys independently of one another — forces an attacker to steal even more keys to carry out a successful attack.
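The assumption that multi-sig keys are stored separately, and the benefit of splitting funds across independently keyed hot wallets, can both be checked against a key-custody inventory. This is an added example, not code from the original post; the wallet names, storage locations and balances are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Wallet:
    name: str
    balance: int          # funds held, in any one unit
    threshold: int        # signatures required (the m in m-of-n)
    key_locations: tuple  # where each of the n keys is stored

def min_locations_to_drain(wallet):
    """Fewest storage locations an attacker must compromise to meet the threshold."""
    counts = sorted(Counter(wallet.key_locations).values(), reverse=True)
    stolen = 0
    for needed, keys_here in enumerate(counts, start=1):
        stolen += keys_here
        if stolen >= wallet.threshold:
            return needed
    return None  # threshold exceeds the number of keys: misconfigured wallet

def exposure(wallets, compromised):
    """Total balance drainable if every key at the compromised locations is stolen."""
    total = 0
    for w in wallets:
        stolen = sum(1 for loc in w.key_locations if loc in compromised)
        if stolen >= w.threshold:
            total += w.balance
    return total

def worst_single_location(wallets):
    """(loss, location) for the single location whose compromise costs the most."""
    locations = {loc for w in wallets for loc in w.key_locations}
    return max((exposure(wallets, {loc}), loc) for loc in locations)

# Constructed inventory: three hot wallets holding 500 units each.
WALLETS = [
    Wallet("hot-1", 500, 1, ("signer-host-a",)),                          # single key
    Wallet("hot-2", 500, 2, ("signer-host-a", "signer-host-a", "hsm-b")), # 2-of-3, co-located
    Wallet("hot-3", 500, 2, ("signer-host-a", "hsm-b", "hsm-c")),         # 2-of-3, separated
]

if __name__ == "__main__":
    for w in WALLETS:
        print(w.name, "locations needed:", min_locations_to_drain(w))
    print("worst single compromise:", worst_single_location(WALLETS))
```

Here `hot-2` is multi-sig on paper but falls to the same single compromise as `hot-1`, because two of its three keys share a location.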

Social engineering attacks are also a threat and require robust off-chain security practices to manage. For help with enhancing the security of your organization’s crypto holdings against potential theft, reach out to Halborn.
