Security choices for crypto asset custody: from the theft of US government addresses to Michael Saylor's "institutional custody" controversy

Author: Weilin, PANews

On October 25, the US government-related address was accidentally attacked, and about $20 million of USDC, USDT, aUSDC and ETH were transferred to the attacker's address. This incident once again aroused widespread concern about the storage security of Bitcoin and other encrypted assets.

At the same time, Michael Saylor, CEO of MicroStrategy, the listed company with the largest Bitcoin holdings, also sparked widespread controversy with his remarks about "institutional custody" of Bitcoin. Many users in the Bitcoin community believe that "institutional custody" violates the core spirit of cryptocurrency self-custody. What are the specific ways to custody crypto assets? This emerging custody market is also attracting the attention of traditional financial institutions.

The US government address was attacked, and Saylor's "institutional trusteeship" remarks caused controversy

On October 25, Arkham Intelligence tweeted that the US government-related address was suspected to have been attacked, and about $20 million of USDC, USDT, aUSDC and ETH were transferred from address 0xc9E...C34c to the attacker's address 0x348...0A9f. This US government-related address 0xc9E had received assets seized by the US government related to the Bitfinex exchange hack. Now, these funds have been transferred to wallet address 0x348 and started to be converted into ETH.

The hacker may be a novice player. The exchanged ETH was sent to the centralized exchange Binance and two new addresses. The hacker put the stolen funds into the centralized exchange, which was tantamount to walking into a trap. As expected, on the evening of October 25, the hacker was suspected to have begun to return funds to the US government. His wallet had sent 13.19 million aUSDC and 2,408 ETH (worth about 6.1 million US dollars) to the government address. At present, the hacker's attack method is still unclear, but this incident has triggered thinking about the storage security of whale Bitcoin and other encrypted assets.

Another storm in the past two days is also related to this topic. In an interview with the media, Michael Saylor, founder of MicroStrategy, said that it is recommended to hold Bitcoin through "too big to fail" financial institutions, such as regulated entities such as BlackRock and Fidelity, because he believes that this will be a safer option with less volatility and risk of loss. In response to concerns about increased centralization and government control, Saylor said that these views mainly come from "paranoid crypto-anarchists" and called such fears exaggerated.

As soon as this statement was made, it was strongly opposed by the Bitcoin community.

Saylor’s comments immediately sparked backlash from several prominent figures in the crypto community, including Ethereum co-founder Vitalik Buterin. “I’m happy to say that I think Michael Saylor’s comments are simply insane,” Buterin commented on X. “He seems to be explicitly advocating for protecting cryptocurrencies through regulatory capture. There are many precedents for such strategies failing, and to me, that is not the essence of cryptocurrencies.”

Jameson Lopp, co-founder and CTO of Casa, also said that Bitcoin's self-custody is not just about being a paranoid hermit. Letting people trust third-party custody will bring many long-term negative effects. First, concentrating coins in the hands of a few people increases the risk of systemic losses and confiscations. Second, Bitcoin holders will be disenfranchised when participating in governance activities such as node operation or transaction forks. In addition, because institutions do not care about more advanced encryption features, the debate on decentralization will become more conservative. Finally, permissionless scaling is downgraded because we can scale through trusted third-party IOUs.

Max Keiser, another prominent figure in the Bitcoin community, seemed to be more sarcastic in his response to Saylor’s comments. He wrote on X: “Recent comments attacking self-custody show a backwards bias in favor of the traditional centralized banking crooks who are ‘fixing’ Bitcoin.”

Michael Saylor had to appease the community and explained, “I support self-custody for those who are willing and able, support the right of everyone to self-custody, and support the freedom of individuals and institutions around the world to choose the form of custody and custodian. Bitcoin benefits from various forms of investment by all types of entities and should welcome everyone.”

Why is self-custody important and how do custodians custody crypto assets?

The rise of Bitcoin is closely related to its decentralized nature. If power begins to become too concentrated, it only takes a few people to collude to profit and pose a huge risk to network security. By holding their own private keys, Bitcoin users have full control over the accessibility of their assets.

Nevertheless, Michael Saylor's concerns are not unreasonable. After all, once the mnemonics and private keys are lost, or there are operational errors and hacker attacks, the assets cannot be recovered. Once whales like MicroStrategy and the US government address are hacked, it will have a huge negative impact on crypto assets.

Some custodians also provide services to store assets under such security or regulatory requirements, and support digital transactions through advanced encryption technology and hardware security measures. Usually, crypto custodians should use some security technologies (such as multi-signature wallets and offline cold storage) to prevent risks. Some custodian services for staked (PoS) coins also provide staking rewards to users.

With the Bitcoin ETF approved by the SEC in early 2024, more institutional capital is pouring into the cryptocurrency market. This trend makes strong custody solutions essential. This year, Robinhood Markets and Galois Capital recently settled with US regulators over custody-related mistakes, highlighting the importance of qualified custody for institutional investors.

There are three main types of custody solutions available to institutions: self-custody, where the institution manages the private keys of the cryptocurrency assets and is responsible for the security of the assets; co-custody, where the institution shares some of the management rights with a licensed third-party service provider; and centralized custody, where the institution relies entirely on the service provider to store the assets with multiple layers of security protection. The best approach depends on the institution's priorities, capabilities, and risk tolerance.

Currently, the main providers of custody services in the market include Coinbase Custody, BitGo, Gemini Custody, Anchorage, Hex Trust, Cobo Custody, Bakkt, Bitcoin Suisse, etc. Most of these are crypto-native custody companies. These companies build their services from scratch to meet the specific needs of digital asset storage and security.

Take Cobo, led by Shenyu, for example. The company's products include a fully managed wallet that uses a three-layer (hot, warm, and cold) storage architecture protected by bank-grade hardware including HSM and Intel SGX to protect asset security. In addition, it also provides an MPC (multi-party computing) wallet, and private key sharding ensures that no unauthorized party can unilaterally move the user's assets.

The managed services market is worth about $300 million

The cryptocurrency market, which is currently valued at around $2 trillion, has created a demand for crypto custody services. According to Bloomberg, the market is currently worth around $300 million and is growing at an estimated 30% annually. This has attracted the attention of traditional financial institutions.

However, protecting digital assets is expensive. Hadley Stern, chief commercial officer of Solana’s custody tool Marinade, said crypto custody fees can be ten times higher than protecting traditional assets such as stocks and bonds, reflecting the unique challenges facing this space.

Custody fees are usually charged as a percentage of the value of the custody assets, on an annual basis, and are usually less than 1%. For example, Gemini Custody's fee is 0.4% or $30 per asset per month, whichever is higher. There are also account opening fees and withdrawal fees, the latter of which is charged every time cryptocurrency is withdrawn from the custody account.

Despite the high costs, major players such as BNY Mellon, State Street and Citigroup have shown strong interest in entering the crypto custody space. But their full entry faces a major obstacle: regulatory uncertainty.

In general, with the development and controversy of the crypto asset custody market, the balance between security and decentralization has become increasingly important. Whether choosing institutional custody or self-custody, investors need to carefully evaluate their respective risks. Only by finding a balance between security, transparency and user control can the safe and efficient development of digital assets be ensured.