What is a Cold Wallet? Hong Kong Beginner's Guide 2026 | Ooosh Tech Shop
Share
If you hold cryptocurrency on Binance, OKX, HashKey, or any other centralised exchange, your assets are stored in a hot wallet — a wallet the exchange controls, not you. This guide explains what that means, why it matters, and how a cold wallet gives you genuine ownership of your digital assets. No technical background required.
What is a cold wallet?
A cold wallet is a physical device that stores the private keys to your cryptocurrency completely offline — disconnected from the internet at all times. Because your keys never touch an online environment, they cannot be hacked remotely, stolen through a phishing attack, or lost if an exchange collapses. A cold wallet puts you — and only you — in control of your digital assets.
The word "cold" simply means offline. A cold wallet has no connection to the internet when it is not actively being used to sign a transaction. This makes it fundamentally more secure than any wallet that lives on your phone, your computer, or an exchange — all of which are considered "hot" wallets because they remain connected to the internet.
What is the difference between a hot wallet and a cold wallet?
This is the most important concept to understand before you decide how to store your crypto. The difference comes down to one thing: who controls your private keys, and where those keys are stored.
Connected to the internet
- Always online — accessible from anywhere
- Private keys stored on a server or app
- Exchange wallets are hot wallets by default
- Vulnerable to hacking and phishing attacks
- If the exchange is hacked, you can lose everything
- If the exchange collapses, your assets may be frozen
- Convenient for frequent trading
Offline by design
- Private keys never touch the internet
- Keys stored on a secure hardware chip
- You own and control your keys entirely
- Immune to remote hacking attacks
- Not affected by exchange hacks or collapses
- Physical device required to sign any transaction
- Best for long-term holding and significant balances
Are exchange wallets hot wallets?
Yes — and this is something many crypto holders in Hong Kong do not fully appreciate when they first start out. When you deposit cryptocurrency onto a centralised exchange like Binance, OKX, Bybit, or HashKey, you do not actually hold the cryptocurrency yourself. The exchange holds it on your behalf in their own hot wallet infrastructure.
In practice, this means that if the exchange is hacked, your assets could be stolen. If the exchange freezes withdrawals, you cannot access your funds. If the exchange becomes insolvent — as happened with FTX in 2022, which cost global users an estimated USD 8 billion — your assets may be lost entirely. The phrase used by security professionals is: "not your keys, not your coins."
What about SFC-regulated exchanges like HashKey?
This is an important distinction for Hong Kong investors. Not all exchanges carry the same level of risk. HashKey Exchange is one of the first virtual asset trading platforms licensed by Hong Kong's Securities and Futures Commission (SFC) — and being SFC-regulated means it must meet significantly higher standards than an unregulated offshore exchange.
Under SFC requirements, licensed virtual asset trading platforms in Hong Kong must store at least 98% of client assets in offline cold wallets — meaning the exchange itself uses cold storage for the vast majority of your holdings. Licensed platforms are also required to maintain a minimum insurance coverage of at least 50% of custodied assets at all times. HashKey Exchange meets this requirement through a policy underwritten by Evertas, a Lloyd's of London coverholder backed by Arch Insurance International, covering at least 50% of its custodied assets. Client funds must also be held in segregated accounts, separated from the exchange's own operational funds.
HashKey Exchange's original 2023 insurance agreement with OneInfinity by OneDegree covered payouts from USD 50 million up to USD 400 million in the event of a claim. The policy was renewed and expanded in August 2025 with an 18-month arrangement covering at least 50% of all custodied assets — a figure that, given HashKey's total user assets exceeding HK$19 billion as of mid-2025, represents a substantially larger dollar amount than the original cap.
This level of regulated protection is meaningfully better than leaving assets on an unregulated exchange. However, there are important limits to understand. Insurance coverage protects against events like hacking and theft — it does not protect against exchange insolvency in all circumstances, and coverage is capped at a percentage of total assets rather than a guaranteed full recovery for every individual user. If total losses in a breach exceeded the insured amount, individual recovery would be proportional, not complete.
SFC regulation and insurance provide a meaningful layer of protection that unregulated exchanges do not. But they do not replicate the absolute ownership of a cold wallet. With a regulated exchange, your recovery in a worst-case scenario depends on insurance payout limits and legal processes. With a personal cold wallet, your assets are inaccessible to everyone except you — no insurance claim required, no waiting period, no cap on recovery.
A cold wallet solves this problem by giving you direct ownership of the private keys that control your cryptocurrency. No exchange, no third party, and no server stands between you and your assets.
SFC-licensed exchanges like HashKey are required to verify the identity of every user before allowing deposits or withdrawals. This means submitting a government-issued ID, proof of address, and passing a Know Your Customer (KYC) process before you can access your funds. A personal cold wallet has no such requirement. You can set up, load, and use a cold wallet without providing any personal information to any third party — keeping your asset holdings entirely private. For investors who consider financial privacy a priority, this is a significant distinction that no amount of regulated protection can replicate.
What is a private key?
A private key is a long, unique string of letters and numbers that proves ownership of a cryptocurrency wallet and authorises transactions. Think of it as the master password to your wallet — whoever holds the private key controls the assets inside. On a cold wallet, this key is generated and stored entirely on the device itself and never transmitted online.
You never need to see or type your private key directly. Your cold wallet handles it automatically in the background every time you sign a transaction. What you do need to understand and protect is what your private key is backed up as — which brings us to the seed phrase.
What is a seed phrase — and what is a recovery key?
When you set up a cold wallet for the first time, the device generates a seed phrase — also called a recovery phrase or recovery key. These three terms all refer to the same thing.
What a seed phrase looks like
A standard seed phrase is a sequence of 24 ordinary English words, generated randomly by your device during setup. It looks something like this:
nine · ten · eleven · twelve · thirteen · fourteen · fifteen · sixteen
seventeen · eighteen · nineteen · twenty · twenty-one · twenty-two · twenty-three · twenty-four
This sequence is the master backup for your entire wallet. Anyone who obtains these 24 words in the correct order can restore your wallet on any compatible device and access every asset inside it — no hardware required.
Write it down on paper. Store it somewhere safe and private. Never photograph it, type it into any website, share it with anyone, or store it digitally. Your cold wallet provider — including Ooosh Tech Shop staff — will never ask for your seed phrase.
Why the seed phrase matters so much
If your cold wallet is lost, stolen, or damaged, your seed phrase is the only way to recover your assets. Enter your 24 words into a new compatible device in the correct order and your entire wallet is restored instantly, on any device, anywhere in the world. Without it, your assets are permanently inaccessible to everyone — including you.
Your seed phrase and your private key are functionally equivalent. Protecting your seed phrase is exactly as important as protecting the cold wallet device itself. Most cold wallet security failures happen not because the hardware was compromised, but because the seed phrase was stored carelessly — photographed, typed into a computer, or kept in a single location without a backup copy.
What if I do not want a seed phrase? Tangem's seedless wallet explained
For many beginners, the responsibility of managing a seed phrase is the single biggest barrier to cold storage adoption. Writing down 24 words, storing them safely, and never losing them is genuinely important — and the consequences of losing them are permanent. Tangem has built a cold wallet specifically designed to eliminate this concern entirely.
How a seedless wallet works
When you set up a Tangem wallet and choose the seedless option, no seed phrase is generated at all. Instead of backing up a 24-word phrase, Tangem uses a different recovery model: the cards themselves are the backup.
Tangem is sold as a set of two or three identical NFC cards. Each card contains the same private key, generated on the card's secure chip during first setup. The key never leaves the chip — it cannot be exported, displayed, or transmitted. If one card is lost or damaged, you simply use another card from your set to access your wallet. As long as you retain at least one card, your assets are accessible.
There is no phrase to write down, no document to protect, and no digital backup to worry about. Your recovery is entirely physical — distributed across the cards in your set.
The trade-off: Because there is no seed phrase, your Tangem wallet cannot be restored on a different brand of hardware wallet. You are committed to the Tangem ecosystem. If all cards in your set are lost or destroyed simultaneously, recovery is not possible. This is why Tangem recommends storing cards in at least two separate physical locations.
Tangem's seedless model suits buyers who are confident in their ability to protect a physical card — the same way they protect a bank card or a passport — but who are less comfortable with the abstract responsibility of a written phrase. It is particularly well-suited to Hong Kong investors who are new to self-custody and want the simplest possible entry point into cold storage.
How does a cold wallet actually work?
Using a cold wallet is simpler than most beginners expect. Here is the basic process from first setup to making a transaction:
- 1Initialise the device. Power on your cold wallet for the first time. The device generates your private key and seed phrase internally. Nothing is transmitted online during this process.
- 2Record your seed phrase. The device displays your 24-word seed phrase one word at a time. Write every word down in order on paper. Store it safely offline.
- 3Set a PIN. Choose a PIN to protect access to the physical device. This is separate from your seed phrase and prevents someone from using the device if they find it.
- 4Connect to a wallet app. Install the companion app (Ledger Live, Tangem App, or OneKey App) on your phone or computer. The app communicates with your device to display your balances and prepare transactions.
- 5Transfer your crypto to cold storage. Send cryptocurrency from your exchange to the wallet address shown in the app. Your assets are now secured by your cold wallet's private key.
- 6Confirm transactions on the device. Whenever you want to send crypto, the transaction must be physically approved on the device itself. No approval can be made remotely — this is what makes cold wallets immune to online attacks.
"Investors across all age groups are becoming more aware of digital assets as an asset class, and a meaningful segment of that population is looking for in-person guidance rather than a purely digital purchasing experience. Our physical presence and device initialisation training directly serve that audience."— Jeffrey Cheng, Founder, Ooosh Limited
Which cold wallet should I buy in Hong Kong?
All three brands stocked at Ooosh Tech Shop are suitable for Hong Kong buyers — the right choice depends on your experience level and how you plan to use it.
Best for active users
15,000+ coins · Bluetooth · Secure Element EAL5+
HK$760 – HK$3,780
Best for: multi-chain, DeFi, NFTs
Best for beginners
NFC tap · No seed phrase · EAL6+ certified
HK$430 – HK$1,250
Best for: simplicity, first cold wallet
Best for tech users
Fully open-source · Air-gapped · EAL5+
HK$620 – HK$2,380
Best for: developers, open-source advocates
Buy Ledger if you...
- Hold multiple cryptocurrencies
- Use DeFi or NFT platforms actively
- Want the widest coin support
- Are comfortable managing a seed phrase
Buy Tangem if you...
- Are buying your first cold wallet
- Hold Bitcoin, Ethereum, or major coins
- Want no cables, charging, or seed phrase
- Want the simplest possible setup
Buy OneKey if you...
- Work in technology or blockchain
- Want fully auditable open-source code
- Want air-gapped transaction signing
- Are setting up a multi-sig wallet
Where to buy a cold wallet in Hong Kong
All three brands are available in-store and online at Ooosh Tech Shop — Hong Kong's authorised reseller of Ledger, Tangem, and OneKey. Every device arrives factory-sealed and tamper-evident. In-store purchases include complimentary device initialisation training, where our staff walk you through the full setup process in person — including seed phrase management and your first asset transfer.
- Online: oooshtechshop.hk
- In-store: 22/F, Tower 2, New World Tower, 16–18 Queen's Road Central, Hong Kong
- Opening hours: Monday to Friday 10:00am – 6:30pm · Saturday 12:30pm – 6:00pm
- WhatsApp: +852 9466 4231
Ready to take control of your crypto?
All three brands in stock · Same-day pickup in Central · Free setup training in-store
Jeffrey Cheng
Founder, OOOSH Limited