Shepley Capital


Not Your Keys, Not Your Crypto: What It Means

Five words. No technical jargon. No complex explanation required. “Not your keys, not your crypto” is the most important security principle in cryptocurrency, and it has been proven correct repeatedly by some of the most catastrophic events in the industry’s history.

The keys it refers to are private keys: the cryptographic credentials that prove ownership of cryptocurrency at a blockchain address and authorise transactions from it. The crypto are whatever cryptocurrency sits at those addresses. The principle is simple: if someone else holds the private keys to your cryptocurrency, they hold your cryptocurrency. You hold a promise. And in cryptocurrency, promises from third parties have a track record of failing at exactly the worst possible moment.

The Meaning Behind the Phrase

To understand the principle fully, it helps to understand what private keys actually are and why they matter.

Every cryptocurrency address on a blockchain is controlled by a private key: a unique cryptographic credential that is mathematically paired with the address. As covered in our private keys resource, the private key is what allows the holder to sign and authorise transactions from that address. Without the private key, no transaction can be authorised. With it, any transaction can be authorised instantly, irrevocably, and without requiring anyone’s permission.

This means that cryptocurrency ownership at the blockchain level is not determined by who has an account, who has a login, or who has a verified identity. It is determined by who holds the private key. The blockchain does not know or care about your name, your account number, or your customer relationship with any exchange. It only recognises valid signatures from the controlling private key.

When you buy cryptocurrency on a centralised exchange and leave it there, the exchange holds the private keys to the addresses where that cryptocurrency sits. Your account balance is an entry in the exchange’s internal database reflecting what they owe you. It is not the same as owning the cryptocurrency at the blockchain level. The exchange is the actual owner at the blockchain level. You are a creditor of the exchange.

That distinction, between being a blockchain level owner and being an exchange creditor, is everything.

Why This Principle Was Learned the Hard Way

The phrase “not your keys, not your crypto” did not emerge from abstract theory. It emerged from repeated, painful, real-world events in which people discovered that the cryptocurrency they believed they owned did not actually belong to them when the third party holding the private keys failed.

Mt. Gox, 2014. At its peak, Mt. Gox handled approximately 70% of all global Bitcoin transactions. In February 2014, it suspended withdrawals and filed for bankruptcy, revealing that approximately 850,000 Bitcoin belonging to customers had been lost or stolen over a period of years. Customers who believed they held Bitcoin on the exchange discovered they held claims in a bankruptcy proceeding. Recovery proceedings stretched over a decade.

Celsius Network, 2022. Celsius was a centralised lending and yield platform that allowed customers to deposit cryptocurrency in exchange for interest yields. In June 2022, Celsius froze all withdrawals and transfers, citing “extreme market conditions.” In July 2022, it filed for bankruptcy. Customers who had deposited Bitcoin, Ethereum, and other assets discovered that Celsius had been using their deposits in risky leveraged strategies. Their cryptocurrency had been lent, rehypothecated, and lost. The exchange’s private keys meant the exchange’s control, and the exchange had lost control of the assets.

FTX, November 2022. The collapse of FTX, at the time the second largest cryptocurrency exchange in the world, was the most significant custodial failure in the industry’s history. FTX customers held approximately $8 billion USD combined in account balances that, it emerged, had been transferred to and lost by FTX’s affiliated trading firm Alameda Research. In a matter of days, withdrawals were frozen, the exchange collapsed, and bankruptcy proceedings began. Customers who had not withdrawn their cryptocurrency to self-custody faced potentially total losses on funds they believed were safely held on a regulated, reputable exchange.

Voyager Digital, BlockFi, and others, 2022. The same year saw multiple other custodial platforms fail, each leaving customers unable to access funds held in custodial accounts.

Each of these events followed the same pattern: customers trusted a third party with their private keys, the third party failed, and customers discovered that their account balance was a claim against an insolvent entity rather than actual ownership of cryptocurrency. The principle proved correct every time.

What You Actually Own When You Use a Custodial Exchange

When you hold cryptocurrency on a centralised exchange like cryptopot, Swyftx, Binance, or Kraken, what you actually own is a contractual claim against the exchange for the amount of cryptocurrency reflected in your account balance.

This is meaningfully different from owning cryptocurrency directly. Your claim is only as good as the exchange’s ability and willingness to honour it. That ability and willingness can be affected by:

Exchange insolvency. If the exchange becomes insolvent, your claim becomes an unsecured creditor claim in a bankruptcy proceeding. The outcome depends on the jurisdiction, the insolvency process, and the actual assets available for distribution. As the FTX and Celsius collapses demonstrated, customers may receive cents on the dollar, or nothing.

Exchange hacks. If the exchange is hacked and customer funds are stolen, as covered in our how to avoid exchange hacks resource, your claim depends on whether the exchange has insurance, a reserve fund, or sufficient remaining assets to cover the loss. Many exchanges do not. As covered in our risks of keeping crypto on an exchange resource, exchange hacks have resulted in permanent customer losses throughout the industry’s history.

Withdrawal restrictions. Even a solvent exchange can restrict withdrawals during periods of market stress, regulatory scrutiny, or operational difficulty. A withdrawal restriction at a critical moment, when you want to move funds in response to market conditions, means your claim is temporarily or indefinitely inaccessible regardless of the account balance shown.

Regulatory intervention. Regulatory actions against an exchange, including licence revocations, asset freezes, and enforcement actions, can directly affect customer access to funds. As covered in our AUSTRAC and your privacy resource, the regulatory landscape for cryptocurrency continues to evolve.

Misuse of assets. Some exchanges, Celsius and FTX being the clearest examples, use customer assets for their own trading or lending activities without customers being aware. This creates hidden risk that is invisible in normal conditions and catastrophic when it fails.

What Owning Your Keys Actually Means

When you hold cryptocurrency in a non-custodial wallet where you control the private keys, the dynamic is entirely different.

Your cryptocurrency sits at addresses on the blockchain, controlled by private keys that only you possess. No exchange insolvency can affect it: the exchange has no access to your private keys and therefore no access to your funds. No exchange hack can touch it: the attacker would need to compromise your specific private keys, not the exchange’s systems. No withdrawal restriction can prevent you from transacting: you can send cryptocurrency from your own wallet at any time, to any address, without requiring permission from any third party.

This is what cryptocurrency was designed to enable: direct ownership and control of digital assets without dependence on any intermediary. The blockchain was built to allow people to transact directly, without a bank or exchange in the middle. Self-custody is the fulfilment of that design.

The tradeoff is responsibility. As covered in our custodial vs non-custodial wallets resource, self-custody introduces self-custody risk: the responsibility for securing the private keys and seed phrase rests entirely with you. There is no customer service to call if you lose the seed phrase. There is no fraud protection if you send funds to the wrong address. There is no recovery process if the seed phrase is destroyed without backup.

Self-custody eliminates counterparty risk. It does not eliminate all risk. It replaces one category of risk with another, and the appropriate response is to manage the self-custody risks carefully rather than to avoid self-custody entirely.

The Spectrum Between Full Custody and Full Self-Custody

The choice between custodial and non-custodial is not binary in practice. Most investors occupy a position somewhere on the spectrum between full custodial reliance and full self-custody, and the right position depends on their specific situation.

Full custodial reliance. All cryptocurrency held on exchanges. Maximum convenience for trading. Maximum counterparty risk. Appropriate only for amounts specifically designated for active trading on that exchange, not for long-term holdings.

Custodial for trading, self-custody for savings. A defined trading float held on a reputable regulated exchange for active use, with everything beyond that float moved to a hardware wallet in cold storage. This is the approach most commonly recommended for investors with meaningful holdings. As covered in our cold wallet explained resource, long-term holdings in cold storage are not affected by exchange events.

Self-custody with a hot wallet for DeFi. A hardware wallet for long-term savings combined with a software wallet for active DeFi participation, sized appropriately for the hot wallet risk. Exchange access maintained for entry and exit liquidity.

Full self-custody. All cryptocurrency held in self-custodied wallets with no exchange holdings. Maximum control, maximum self-custody responsibility, minimum counterparty risk. Appropriate for investors with strong technical knowledge and robust security practices.

The right position on this spectrum is the one that appropriately balances the counterparty risk of custodial storage against the self-custody responsibility of holding your own keys, given the size of your holdings, your technical capability, and your specific use of cryptocurrency.

How to Take Your Keys: The Practical Steps

For investors currently holding cryptocurrency on exchanges who want to move to self-custody, the practical steps are straightforward.

Choose a hardware wallet. For significant holdings, a hardware wallet is the appropriate cold storage solution. As covered in our choosing the right hardware wallet resource, options including Ledger, Trezor, Coldcard, SafePal, Tangem, and BitBox each have specific strengths and supported assets. Purchase directly from the manufacturer or an authorised reseller.

Set up the wallet and back it up correctly. During setup, record the seed phrase on paper, verify it, and store it securely offline. As covered in our how to back up your crypto wallet and seed phrase storage advanced techniques resources, the backup process done correctly at setup prevents permanent loss from device failure.

Send a test transaction first. Before transferring significant holdings, send a small test amount from the exchange to the hardware wallet address, verify it arrives correctly, and confirm you can see it in the wallet interface. As covered in our sending crypto to hardware wallet from exchange resource, the test transaction confirms the address is correct and the wallet is functioning before the main transfer.

Transfer in stages if the holdings are large. There is no requirement to move everything at once. Transferring in stages, with each stage verified before the next, is a prudent approach for significant holdings.

Maintain exchange access for liquidity. Keeping a defined trading float on a reputable exchange for active trading and entry and exit liquidity is sensible. The goal is not to eliminate exchange use but to ensure that the cryptocurrency you intend to hold long-term is not sitting at exchange counterparty risk indefinitely.

The Limits of "Not Your Keys"

The principle is powerful and important, but it has limits worth understanding.

Self-custody protects against third-party failure. It does not protect against your own mistakes. Sending cryptocurrency to the wrong address, as covered in our wallet address poisoning resource, approving a malicious smart contract, falling for a phishing scam, or losing the seed phrase are all self-custody failures that result in loss regardless of whether you hold your own keys.

Self-custody also does not protect against DeFi protocol failures. As covered in our risks of DeFi investing resource, cryptocurrency deposited into a DeFi protocol is controlled by that protocol’s smart contracts, not by your private keys. A smart contract exploit that drains a DeFi protocol affects everyone who has deposited into it, regardless of whether they hold self-custody wallets.

The principle is specifically about the risks of third-party custody of private keys. Within that specific scope, it is an accurate and important guide. Beyond that scope, it is one principle among several that together constitute a comprehensive cryptocurrency security posture.

Key Takeaways

“Not your keys, not your crypto” means that cryptocurrency held in a custodial wallet, where a third party holds the private keys, is exposed to that third party’s solvency, security, and integrity. The industry’s history of exchange collapses including Mt. Gox, Celsius, FTX, and others has demonstrated the consequences of this counterparty risk repeatedly and at enormous cost to customers who believed their funds were safe.

Self-custody through non-custodial wallets, particularly hardware wallets for significant long-term holdings, eliminates counterparty risk by ensuring the private keys are controlled entirely by the owner. It introduces self-custody responsibility: the seed phrase must be backed up correctly, stored securely, and managed carefully. Most investors are best served by combining exchange access for active trading with self-custody for long-term holdings.

For everyday investors who want to understand self-custody properly and make the transition from exchange storage to genuine ownership of their cryptocurrency with confidence, our Runite Tier Membership provides the education, step-by-step guidance, and community support to do exactly that. For serious investors who want a personalised self-custody strategy and security architecture built around their specific holdings, our Black Emerald and Obsidian Tier Members receive direct specialist support.

Find out more at shepleycapital.com/membership.

WRITTEN & REVIEWED BY Chris Shepley

UPDATED: MARCH 2026
