Fully custodial wallets are available on request. Contact us if you would like to use this feature.
With a custodial wallet, Cobo holds and manages private keys on your behalf using institutional-grade infrastructure. This model is suited for users that prefer to delegate key management entirely rather than operate their own signing infrastructure. No individual — including Cobo — can access key material in plaintext. Keys are generated and stored inside hardware security modules where all signing operations execute within the hardware boundary itself. Security rests on physical and cryptographic controls, not on trusting any individual or team.

Three-tier asset segregation

Cobo’s custodial architecture separates assets into three tiers matched to security requirements and operational frequency. The vast majority of assets sit in the most secure tier and are never touched by day-to-day operations.
| Tier | Typical share | Access pattern | Primary controls |
|------|---------------|----------------|------------------|
| Cold | ~95% of assets | Offline only | FIPS-certified HSMs in physically isolated environments; no network connectivity |
| Warm | Operational buffer | Periodic | Scheduled payouts, settlement, rebalancing between cold and hot |
| Hot | Minimal | Real-time | Online; HSM + Intel SGX secure enclaves + risk-control engine |

Cold storage

Cold wallets protect long-term and high-value holdings. Private keys are generated and stored entirely within FIPS-certified HSMs in offline or physically isolated environments. Keys never leave hardware. All operations require strict approval workflows before any asset movement is initiated. Cold storage minimizes attack surface and ensures that the majority of assets remain unreachable from online systems under any operational condition.

Warm storage

Warm wallets serve as an intermediate buffer between cold and hot. They support periodic rebalancing, settlement, and scheduled payouts — medium-frequency workflows that do not require real-time execution but still need timely handling. Warm storage reduces hot wallet exposure while enabling smoother operational throughput.

Hot storage

Hot wallets are online and optimized for speed. They hold only a minimal share of total assets and power real-time business flows such as instant withdrawals, exchange operations, and API-driven interactions. Even in the online tier, additional controls protect against hot-wallet risk:
  • Bank-grade HSMs — private keys are stored in hardware even for online operations; keys never appear in plaintext outside the module
  • Intel SGX secure enclaves — hardware-level memory isolation for key operations, protecting against attacks that target running processes
  • Risk-control engine — real-time on-chain monitoring and policy-based controls (spend limits, address allowlists/blocklists, IP restrictions) that gate every outgoing transaction
These controls limit the impact of any hot-wallet incident and ensure that high-speed operational flows do not compromise assets in warm and cold tiers.
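
The policy checks named above (spend limits, address allowlists/blocklists, IP restrictions) can be sketched as a fail-closed gate in front of signing. This is an added example, not Cobo's code or schema: the `Policy` fields, reason strings, 24-hour rolling window and sample values are all assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from ipaddress import ip_address, ip_network

DAY = 86400  # rolling spend window in seconds (assumed)

@dataclass(frozen=True)
class Policy:  # hypothetical policy shape, not Cobo's schema
    per_tx_limit: Decimal
    daily_limit: Decimal
    allowlist: frozenset   # only these destinations may receive funds
    blocklist: frozenset   # always refused, even if also allowlisted
    api_networks: tuple    # CIDR ranges allowed to submit requests

@dataclass(frozen=True)
class Withdrawal:
    dest: str
    amount: Decimal
    source_ip: str
    ts: int  # Unix seconds

def evaluate(policy, tx, approved):
    """Gate one outgoing transaction. `approved` is [(ts, amount), ...] of
    earlier approved withdrawals. Returns (allowed, reasons); any reason denies."""
    reasons = []
    try:
        ip = ip_address(tx.source_ip)
    except ValueError:
        ip = None  # unparseable caller address: fail closed
    if ip is None or not any(ip in ip_network(n) for n in policy.api_networks):
        reasons.append("source_ip_not_permitted")
    if tx.dest in policy.blocklist:
        reasons.append("destination_blocklisted")
    elif tx.dest not in policy.allowlist:
        reasons.append("destination_not_allowlisted")
    if tx.amount <= 0:
        reasons.append("amount_invalid")
    elif tx.amount > policy.per_tx_limit:
        reasons.append("per_tx_limit_exceeded")
    # Cumulative check stops a large transfer being split into small ones.
    spent = sum(a for t, a in approved if tx.ts - DAY < t <= tx.ts)
    if spent + tx.amount > policy.daily_limit:
        reasons.append("daily_limit_exceeded")
    return (not reasons, reasons)

# Constructed sample policy and history (placeholder addresses, TEST-NET range).
POLICY = Policy(Decimal("10"), Decimal("25"), frozenset({"addr-treasury", "addr-exchange"}),
                frozenset({"addr-sanctioned"}), ("203.0.113.0/24",))
HISTORY = [(1_700_000_000, Decimal("9")), (1_700_003_600, Decimal("8"))]
```

Returning every failed reason, rather than stopping at the first, gives the monitoring side a full record of why a request was denied.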

HSM-based key isolation

Across all tiers, private key security is anchored by FIPS 140-2 certified Hardware Security Modules (HSMs). HSMs provide a tamper-resistant environment where private keys are generated, stored, and used exclusively within hardware. If physical tampering is detected, built-in mechanisms trigger automatic zeroization of key material. The application layer above the HSM can request that a signature be produced, but it can never extract the key itself. Even an attacker with full administrative access to the host server cannot reach key material held inside the HSM boundary.

Infrastructure resilience

Cobo’s custodial infrastructure is deployed across multiple geographic regions and availability zones:
  • No single data center failure causes asset unavailability
  • Jurisdictional requirements for data residency can be met
  • Correlated failures in one region do not affect others
Physical data centers use controlled access, surveillance, redundant power, and environmental safeguards consistent with high-security infrastructure standards.