Beyond the basic offline principle, a cold wallet works by keeping the private keys that control crypto assets on a device, or even a physical object, that is never connected to the internet during normal use. This stands in direct contrast to a hot wallet, which stays online for convenience but is constantly exposed to remote attacks.
The most common cold wallets are dedicated hardware devices from makers like Ledger, Trezor, and Coldcard, which generate and store keys inside a secure chip. To send funds, the transaction is prepared on an internet-connected computer or phone, then passed to the device over USB, Bluetooth, or a QR code, signed internally, and returned for broadcast. Because the key material never leaves the device, malware on the connected computer cannot steal it directly. Some designs push this further with full "air gapping," using only QR codes or microSD cards to move data, with no cable or wireless link at all.
Cold storage also includes low-tech options such as engraved metal plates or a written seed phrase kept in a safe, since these methods share the same core property: no digital exposure. Trade-offs include less convenience for frequent transactions, the risk of losing or damaging the physical device, and reliance on the user to back up recovery data securely.
Industry data consistently shows that most major exchange breaches and stolen-fund incidents involve hot wallets or online signing systems, rarely a properly used cold wallet. That track record is why exchanges, custodians, and long-term holders typically keep the bulk of reserves cold and only a small operating balance hot for day-to-day activity.