Hot wallet vs cold storage: which is right for your business bitcoin?
A practical guide for Canadian businesses on choosing between hot wallets and cold storage for bitcoin, covering security trade-offs and compliance.

If your business receives bitcoin, one question comes up fast: where do you actually keep it? The short answer is that hot wallets are connected to the internet and convenient for spending; cold storage is offline and much harder to steal from. Which one you need depends on how much you hold, how often you move it, and how much friction you can tolerate in daily operations.
Most businesses end up using both.
What a hot wallet actually is
A hot wallet is any bitcoin wallet whose private keys live on a device connected to the internet. That includes mobile apps like Muun or BlueWallet, software installed on a desktop, and the custodial wallets built into payment processors. When a customer pays you in bitcoin, the funds usually land in something like this.
The appeal is speed. You can receive, check, and send funds in seconds. If you're settling a daily sales total or moving bitcoin to an exchange to convert to CAD, a hot wallet is how you do it.
The risk is real, though. Connected devices can be compromised. Exchange accounts get phished. Software wallets on a general-purpose computer share that computer with email clients, browsers, and everything else. Hot wallet security depends heavily on the practices around it: two-factor authentication, device hygiene, and keeping the balance low enough that a breach doesn't ruin you. For what those practices look like day to day, "protecting your business from bitcoin payment scams" covers the threat model in more detail.
Custodial vs self-custodial hot wallets
Most small businesses start with a custodial hot wallet because it's the path of least resistance. The payment processor or exchange holds your keys; you log in with a password. That's convenient, and it means the provider handles some security, but it also means you're trusting them completely. If the platform freezes withdrawals or goes under, your access isn't guaranteed.
Self-custodial hot wallets give you the keys. You take on more responsibility, but you're not dependent on a third party staying solvent or cooperative.
What cold storage means for a business
Cold storage means the private keys are kept on a device that has never been connected to the internet, or on hardware specifically designed to sign transactions in isolation. Hardware wallets from companies like Coldcard, Trezor, or Ledger are the most common implementation. Paper wallets (printed private keys, generated offline) are another option, though they're fragile and easy to mishandle.
The security gain is substantial. An attacker can't remotely steal keys that aren't on a networked device. Even if your office computer is fully compromised, bitcoin in cold storage stays put.
The tradeoff is speed. Spending from cold storage requires physically accessing the device, connecting it to a signing machine, approving the transaction, and broadcasting it. For funds you're holding long-term or treating as a reserve, that's fine. For funds you're moving daily, it's a meaningful operational burden.
For Canadian businesses holding any significant amount, "how to store the bitcoin your business receives safely" goes into the operational setup in more depth, including backup and inheritance considerations.
Comparing the two approaches
| | Hot wallet | Cold storage |
|---|---|---|
| Internet connection | Always on | None (or air-gapped) |
| Speed for sending | Seconds | Minutes to hours |
| Remote hack risk | Higher | Very low |
| Physical theft risk | Lower | Present (device, seed phrase) |
| Good for | Daily float, payment processing | Reserves, long-term holds |
| Key custody | You or a custodian | You (self-custody) |
| Setup complexity | Low | Moderate to high |
Neither column in that table is automatically better. The right choice is about matching the tool to the use case.
How most businesses split the two
A common structure: keep a small operating balance in a hot wallet for day-to-day payment receipts and conversions, then move anything above a set threshold into cold storage on a regular schedule (weekly or monthly, depending on volume).
Think of it like a cash register versus a safe. The till holds enough to make change. The rest goes in the safe at the end of the day. You don't leave the entire week's revenue sitting in the register.
What counts as a "safe" threshold varies by business. A food truck doing $500/week in bitcoin sales has different needs than a software company holding $50,000 in bitcoin on its balance sheet. Set a number that makes operational sense, document it in your internal security policy, and stick to it.
For businesses that want stronger controls without full cold storage friction, "multisig wallets for business bitcoin" describes how requiring multiple approvals to spend can reduce single-point-of-failure risk while keeping funds reasonably accessible.
Canadian regulatory context
From a CRA perspective, how you store bitcoin doesn't change the tax treatment, but good storage practices make accurate record-keeping easier. Every transaction is a taxable event, and you need to track the cost basis of what you received and when. Hot wallets with clear transaction histories (exportable CSV logs) can simplify that; cold storage wallets require more manual tracking if you're moving funds between addresses.
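As an added example (not part of the original article), the Python below replays an exported hot wallet history against the float threshold described earlier, and labels sends to your own recorded cold addresses separately from funds leaving the business. The CSV columns, the threshold value and the address strings are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export. Column names and addresses are placeholders,
# not the format of any particular wallet.
SAMPLE_EXPORT = """date,direction,amount_sats,counterparty
2024-03-01,in,400000,customer-1
2024-03-02,in,900000,customer-2
2024-03-03,out,1000000,cold-addr-A
2024-03-04,in,1500000,customer-3
2024-03-05,out,250000,unknown-addr-X
"""

FLOAT_CAP_SATS = 1_000_000            # hypothetical threshold from the security policy
OWN_COLD_ADDRESSES = {"cold-addr-A"}  # recorded from the cold device's own screen


def audit_hot_wallet(export_text, float_cap, own_addresses, opening_balance=0):
    """Replay the export row by row and report the policy state after each row."""
    balance = opening_balance
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        amount = int(row["amount_sats"])  # outgoing amounts are assumed to include the fee
        if row["direction"] == "in":
            balance += amount
            kind = "receipt"
        elif row["direction"] == "out":
            balance -= amount
            # A send to a recorded cold address is a sweep; anything else leaves the business.
            kind = "internal-transfer" if row["counterparty"] in own_addresses else "external-spend"
        else:
            raise ValueError(f"unknown direction in row dated {row['date']}")
        if balance < 0:
            raise ValueError(f"export is incomplete: negative balance on {row['date']}")
        findings.append({
            "date": row["date"],
            "kind": kind,
            "balance_sats": balance,
            "sweep_due_sats": max(0, balance - float_cap),  # amount above the float
        })
    return findings


def dates_over_cap(findings):
    """Dates on which the hot wallet ended the row above the documented float."""
    return [f["date"] for f in findings if f["sweep_due_sats"] > 0]


if __name__ == "__main__":
    for f in audit_hot_wallet(SAMPLE_EXPORT, FLOAT_CAP_SATS, OWN_COLD_ADDRESSES):
        print(f)
```

Any "external-spend" row should match a conversion or payment you can document, and repeated dates over the cap suggest the sweep schedule is too infrequent for your volume.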
FINTRAC's requirements apply to certain money services businesses dealing in cryptocurrency. If your business model puts you in that category, you have registration and reporting obligations regardless of storage method. FINTRAC's guidance on virtual currency is worth reviewing directly, and the rules have evolved, so confirm current requirements before acting.
One practical note: seed phrases and hardware wallets are taxable assets if they're business property. How you handle the loss or theft of a hardware wallet has accounting implications. This is worth discussing with an accountant who has crypto experience.
Common mistakes businesses make
Keeping too much in hot wallets. The threshold between "operational float" and "company reserves" varies, but most businesses draw it far too high. If the amount in your hot wallet would seriously hurt the business if stolen, it's too much.
Single hardware wallet, no backup. A hardware wallet is a signing device, not a backup. The actual backup is the seed phrase, stored separately, ideally in two locations. If you have one hardware wallet and one seed phrase in the same desk drawer, you have one point of failure.
No documentation for employees. If the person who set up the wallet gets hit by a bus, can someone else access or recover the funds? For self-custodial storage, that question has to be answered before it becomes urgent.
Confusing exchange accounts with cold storage. Bitcoin sitting on an exchange is not in cold storage. It's in the exchange's hot wallet, controlled by their keys. That's a meaningful distinction when assessing real security.
FAQ
Does it matter which hot wallet software I use?
It matters more how you use it than which specific app you choose. Two-factor authentication, using a dedicated device rather than a shared one, and keeping the balance low are more important than brand selection. That said, open-source wallets with public code audits are generally preferable to closed-source options where you can't verify what the software is doing.
How do I move bitcoin from hot to cold storage?
You generate a receiving address on your cold storage device while it's offline (or using its own screen), then send from your hot wallet to that address. The cold storage device never needs to go online to receive. Only when you want to spend from cold storage do you need to involve the device.
Can the CRA see my cold storage wallet?
The CRA can't see into your wallet directly, but the blockchain is public. If you're audited and required to produce records, you'd need to account for all transactions, including movements between your own wallets. Keeping records of your own wallet addresses and when you used them is good practice regardless of audit risk.
What happens if my hardware wallet is stolen?
If the thief has both the device and the PIN, they may be able to access funds. If they have only the device and don't know the PIN, most hardware wallets will wipe after repeated failed attempts. The real question is whether your seed phrase is stored somewhere separate and secure. With the seed phrase, you can recover access to the funds on any compatible wallet. Without it, the funds may be unrecoverable.
Do I need cold storage if I'm just accepting small amounts?
Not necessarily. If you're converting bitcoin to CAD quickly through a payment processor, your exposure window is short, and the operational overhead of cold storage may not be worth it. The answer changes as volume grows or as you start holding bitcoin on your balance sheet rather than converting it immediately.
This article is for educational purposes only. Nothing here is financial, tax, or legal advice. Tax treatment, FINTRAC obligations, and exchange regulations change over time — confirm current requirements with CRA directly and consult a qualified accountant or legal advisor before making decisions.