The Risk of Holding Your Investors’ Private Keys

March 19, 2015

Imagine that you’re a wealth manager or a fund investor, and you just raised a $100 million fund with the promise of hefty returns.  You relish the moment as your investors stop by to drop off pallets of physical cash in your offices.  Once you have all the cash, you take great care to mark each bill, putting them in plastic envelopes (so they are mostly waterproof), and then you transport them to a safety deposit box or lock them in a cabinet in your offices.  Every time you make an investment or a payout to your investors, you go to your storage location and remove the physical cash you need.  You pay for guards, surveillance, armored trucks, myriad security precautions, sparing no expense.  Everything is great until one day an unforeseen event occurs and the cash is lost.

This scenario should sound crazy. A prudent institution would keep the money in an FDIC-insured bank (or banks) and use the banking rails for transmitting value instead of physical cash.  It’s simply a more secure way — anything else would just seem reckless.  Further, in the event of a loss of the cash, the question would be asked why the better alternative wasn’t pursued, raising questions about judgment, fiduciary duties, and liability.

Amazingly, many institutions follow an analogous practice with respect to bitcoins. Using storage techniques like paper wallets or printed key back-ups, as required by certain storage solutions, is akin to managing a large swath of physical cash.  In actuality, attempting these methods of bitcoin storage is worse than the cash example, since private keys must be transmitted electronically at various points in the process and are thus vulnerable not only to physical theft, but also to theft online.  Like cash, the tangible wallet or printed back-up keys are also subject to potential theft during transportation or even while in storage.

Just as with forgoing the security and insurance of banks when storing or transmitting cash, attempting to manage or even briefly touch private keys when a better option exists could be viewed as reckless and could result in personal liability in the event of a loss. In order to avoid this, a prudent fiduciary should 1) use a vetted and insured storage provider that specializes in security and 2) make sure that such a solution never requires a fund or manager to be responsible for private key creation or storage.

Xapo’s security architecture, products and services were all built with these concerns in mind. Xapo’s vault uses private keys that never touch the client or the internet and are buried deep within geographically dispersed, heavily guarded locations that leverage multi-signature technology for transaction signing.  Our processes have been rigorously penetration tested and successfully passed a SOC2 audit in August 2014 — the first of its kind.  Our customized security protocols further reduce the likelihood of theft through social engineering, phishing or brute force hacks.  Finally, in the unlikely event of a loss, the bitcoins held in Xapo’s vault are fully insured and Xapo is fully responsible.

Trust the bitcoin custodian used by top global hedge funds, venture capital, family offices and exchanges. Protect your bitcoins with Xapo.

