As digital asset volumes grow and regulatory scrutiny increases, cryptocurrency exchanges are rethinking how they manage funds at the infrastructure level. The core question is no longer whether to separate hot and cold storage, but how to structure that separation in a way that is operationally resilient, auditable, and compliant. Exchanges that get this right are building durable businesses. Those that get it wrong face existential risk, as history has shown repeatedly.
TL;DR
- Institutional-scale exchanges use tiered storage architectures that balance liquidity needs against security exposure.
- Hot wallets handle daily operations but carry the highest risk; cold wallets protect the majority of assets but require structured access protocols.
- Operational policy, not just technology, determines whether a tiered wallet system holds up under pressure.
- Compliance and auditability are now as important as the cryptographic security of the wallets themselves.
- The right infrastructure layer sits underneath exchange operations, managing risk automatically and consistently.
About the Author: This article is written by the Cregis team, drawing on nine years of institutional digital asset infrastructure experience, $300B+ in transactions secured, and active deployment across 3,500+ businesses in 50+ countries. Cregis operates at the intersection of custody architecture, compliance, and institutional-scale crypto operations.
Why Do Exchanges Need Separate Hot and Cold Wallet Architectures?
The fundamental reason for separating hot and cold storage is risk containment. An exchange that keeps all assets in internet-connected wallets exposes everything to a single attack surface. An exchange that keeps everything in cold storage cannot serve customers who need to withdraw funds on demand.
The architecture that emerges from this tension is a tiered system [cobo.com]:
- Hot wallets stay connected to the internet and hold a small percentage of total assets, typically whatever is needed to cover expected withdrawal demand over a short window.
- Warm wallets act as a buffer layer, holding funds that can be moved to hot wallets when needed but are not directly accessible to trading systems.
- Cold wallets hold the bulk of assets in offline or air-gapped environments, accessed only through structured, multi-party approval processes [taurushq.com].
The proportion of assets held in each tier varies by exchange size, liquidity obligations, and risk appetite. But the principle is consistent: minimize the amount of value that sits within reach of an attacker at any given moment.
This is not a new idea, but executing it well at institutional scale requires more than good intentions. It requires policy, automation, and auditability working together.
What Are the Operational Challenges of Running Hot Wallets at Scale?
Hot wallets are the operational engine of an exchange. Every deposit, withdrawal, and internal transfer that touches a customer account flows through hot wallet infrastructure [scholarship.law.wm.edu]. That makes them essential and, simultaneously, the most exposed part of the system.
The challenges compound as volume grows:
- Key management: A single private key controlling a hot wallet is a single point of failure. At institutional scale, exchanges need distributed key management that prevents any one person or system from authorizing a transaction unilaterally.
- Withdrawal automation: High-volume exchanges process thousands of withdrawals per hour. Manual approval at that scale is not viable, which means the policy layer governing automated signing must be airtight.
- Refill triggers: Moving funds from cold storage to hot wallets to meet demand is itself a high-risk moment. The process for authorizing that transfer must be structured and logged.
- Monitoring: Hot wallet balances, transaction patterns, and outflow rates need real-time surveillance. Anomalies should trigger alerts before they become incidents.
The exchanges that manage these challenges well do so by treating hot wallet operations as a policy problem, not just a technology problem. The technology enforces the policy, but the policy has to be designed first.
How Are Institutions Securing Cold Wallet Operations?
Cold wallet security is where institutional crypto custody diverges most sharply from retail practice. At the institutional level, cold storage is not simply a hardware wallet kept in a safe. It is a structured operational process [taurushq.com].
Key elements of institutional cold wallet operations include:
| Element | What It Means in Practice |
|---|---|
| Air-gapped signing | Transaction signing occurs on a device that has never touched the internet |
| Multi-party authorization | No single person can initiate or approve a cold storage withdrawal |
| Geographic distribution | Key shards or hardware devices are held across multiple physical locations |
| Access logging | Every interaction with cold storage infrastructure is logged and attributable |
| Rehearsed recovery | Procedures for recovering access in an emergency are tested, not just documented |
The insider threat dimension is particularly significant [taurushq.com]. Most major exchange incidents have involved either external attackers exploiting hot wallet exposure or internal actors with privileged access. Cold wallet procedures need to account for both. That means separation of duties, dual control on access, and behavioral monitoring of anyone with custody-related privileges.
What Role Does Compliance Play in Wallet Architecture Decisions?
Stepping back from the operational detail, a separate concern is how compliance requirements are reshaping the architecture decisions exchanges make. This is increasingly the primary driver of institutional investment in custody infrastructure.
Regulatory frameworks in major markets are converging on a few common expectations [research.grayscale.com]:
- Exchanges must demonstrate that customer assets are segregated from operational funds.
- Custody arrangements must be auditable, with clear records of who authorized what and when.
- AML controls must extend to the transaction level to effectively monitor customer activity for suspicious patterns.
- Incident response procedures must be documented and tested.
These requirements do not describe technology choices directly, but they constrain what acceptable technology choices look like. An exchange that cannot produce an audit trail for a cold storage withdrawal is not compliant, regardless of how secure the underlying cryptography is.
This is one reason why institutions are increasingly treating compliance and security as a single integrated requirement rather than two separate workstreams.
How Are Institutional Exchanges Evaluating Digital Asset Custody Solutions?
Institutional crypto adoption reached a significant inflection point in 2026, with a large majority of institutional participants now exploring or actively using digital asset infrastructure [xbto.com]. The evaluation criteria for custody solutions have matured accordingly.
Exchanges evaluating a digital asset custody solution now look beyond basic security claims. The questions they ask include:
- Does the solution support multi-party computation (MPC) to eliminate single points of failure in key management?
- Can policies governing hot and cold wallet operations be configured programmatically, rather than requiring manual intervention?
- Does the solution produce the audit logs and reports that compliance teams and external auditors require?
- How does the solution handle the transfer of funds between tiers without creating a vulnerable moment in the process?
- What certifications back the security claims, and are those certifications current?
The answers to these questions separate infrastructure-grade solutions from those that were designed for smaller-scale or less regulated environments.
What Does a Well-Structured Institutional Wallet Operation Actually Look Like?
Building on the requirements above, the harder question is what good looks like in practice. A well-structured institutional crypto wallet operation has several characteristics that are visible from the outside:
Policy is codified, not informal. Rules governing withdrawal limits, refill triggers, signing authority, and cold storage access exist in written, versioned documents and are enforced by the system, not by individual judgment.
Technology matches the threat model. Hot wallets use MPC-based key management. Cold storage uses hardware security modules (HSMs) and requires multi-party authorization. The architecture removes single points of failure at every layer [cobo.com].
Compliance is embedded, not bolted on. AML checks run at the transaction level. Audit logs are produced automatically. The system is designed to support an external audit without requiring a special data extraction project.
Operations are tested. Recovery procedures, refill processes, and incident response plans are rehearsed regularly. The organization knows what it will do before it needs to do it.
This is the standard that institutional-grade infrastructure is built to support. Exchanges that operate at this level are positioned to meet regulatory expectations in 2026 and beyond [research.grayscale.com].
Cregis is built for exactly this operational context. The platform's Trust Vault Security Framework integrates HSM, TEE, and MPC in a single architecture, eliminating single points of failure across both hot and cold wallet operations. The Policy Engine converts risk parameters into automated controls on deposits, withdrawals, and fund movement between tiers, removing the reliance on manual process at scale. With certifications including SOC 2 Type II, ISO 27001, and PCI DSS, Cregis meets the compliance and auditability standards that regulated exchanges require. For exchanges building or upgrading their crypto exchange security posture, Cregis provides the infrastructure layer that makes institutional-grade operations achievable without building everything from scratch.
Frequently Asked Questions
What percentage of assets should a crypto exchange hold in hot wallets? There is no universal figure. The appropriate allocation depends on expected withdrawal demand, liquidity obligations, and the exchange's risk tolerance. Most institutional-grade operations keep the minimum necessary in hot wallets, often a small fraction of total assets, and hold the remainder in warm or cold storage.
What is the difference between MPC and multi-signature for institutional crypto wallets? Multi-signature requires multiple complete private keys to authorize a transaction. MPC distributes the signing computation across multiple parties without any single party ever holding a complete key. MPC is generally preferred at institutional scale because it reduces on-chain footprint and eliminates the key aggregation step that multi-signature requires.
How do exchanges handle the risk of moving funds from cold to hot storage? The transfer process itself is a high-risk moment and should be governed by strict multi-party authorization, logged in full, and triggered only by system-generated alerts rather than individual requests. Well-designed systems automate the trigger and require human approval for the execution.
What certifications should an institutional crypto custody provider hold? SOC 2 Type II, ISO 27001, and PCI DSS are the most commonly required. CertiK certification for smart contracts is increasingly relevant for platforms with on-chain components. Third-party audits against recognized standards provide credible assurance of security practices and operational controls.
How does on-chain user segmentation affect hot wallet architecture? Segmenting users by transaction behavior and risk profile allows exchanges to apply different withdrawal policies and monitoring thresholds to different user groups [chainalysis.com]. High-volume or high-risk segments may trigger additional authorization steps before a hot wallet transaction is approved.
What is the role of hardware security modules in cold wallet operations? HSMs store cryptographic material in tamper-resistant hardware and perform signing operations within a secure enclave. They prevent key material from being exposed in software memory, which is one of the most common attack vectors against custody systems.
Is institutional crypto custody the same as using a custodial exchange? No. Institutional crypto custody refers to a structured custody architecture, typically including self-custody options, MPC key management, and compliance controls. A custodial exchange holds assets on behalf of users in a pooled environment. Institutional custody is designed for organizations managing their own or their clients' assets with full auditability and control.
About Cregis
Cregis is an enterprise-grade digital asset infrastructure company serving 3,500+ businesses across 50+ countries. Cregis provides the foundational trust layer for institutional participants managing digital assets at scale. Its integrated platform covers institutional crypto wallet infrastructure, stablecoin payments, and programmable compliance controls, all built to meet the security and regulatory standards that banks, exchanges, and financial institutions require. Cregis holds SOC 2 Type II, ISO 27001, PCI DSS, and CertiK certifications, and has secured over $300B in transactions to date.
Ready to see how Cregis structures institutional wallet operations for exchanges and financial institutions? Visit cregis.com to learn more or speak with the team.
About Cregis
Founded in 2017, Cregis is a global leader in enterprise-grade digital asset infrastructure, providing secure, scalable and efficient management solutions for institutional clients.
Built to solve the challenges of fragmented blockchain systems and asset security risks, Cregis delivers MPC-based self-custody wallets, WaaS solutions, and Payment Engine, featuring collaborative asset control and a compliance-ready ecosystem.
To date, Cregis has served over 3,500 institutional clients globally. Our solutions empower exchanges, fintech platforms, and Web3 enterprises to adopt blockchain technology with confidence. Backed by years of proven expertise in blockchain and security, Cregis helps businesses accelerate their Web3 transformation and unlock global digital asset opportunities.
