Cold wallet is shorthand for any setup that keeps the private key on a device that has either never touched the internet or stays isolated during signing. It is the opposite of a hot wallet, which holds keys on an internet-connected device, and it is the foundation of every serious crypto custody plan above a few thousand dollars.
Three forms you'll actually encounter
Hardware wallets. Ledger Nano S Plus, Trezor Safe 3, Coldcard Mk4, Keystone 3 Pro, OneKey Pro. A purpose-built device with a secure element that generates and stores keys offline. You plug it into a computer (or scan QR codes for air-gapped variants) only to confirm transactions; the key itself never leaves the device.
Paper wallets. Private key or mnemonic written on paper — or, better, punched into a steel plate like Cryptosteel Capsule or Billfodl. Cheapest form of cold storage, and surprisingly resilient: a properly stored steel backup will outlast almost any consumer electronics. The catch is operational: every time you spend, you have to import to a hot wallet temporarily, which breaks the cold property unless you immediately migrate to a fresh wallet.
Offline signing devices. A permanently air-gapped laptop or phone — typically an old iPhone with cellular and Wi-Fi disabled, or a fresh Linux laptop with no network drivers installed — that runs wallet software locally and signs transactions copied in via QR code or microSD card. Used mostly by holders with seven-figure stacks who want the operational flexibility of software but the security of an air gap.
What "cold" actually buys you
Cold storage defends against three specific attack categories. First, malware on your daily computer — Lumma Stealer and RedLine have stolen wallet credentials from hundreds of thousands of Windows users since 2023. Second, supply-chain compromise on hot software — the December 2023 Ledger Connect Kit attack would have failed against any properly air-gapped setup. Third, the slow erosion of operational discipline that comes with having keys on a phone you take to coffee shops.
What cold storage does not protect against
Cold storage does nothing for transaction-time decisions. If you're tricked into signing a malicious approval or a fake "ETH transfer," the hardware wallet will sign exactly what you tell it to. The Ledger device shows you the destination address; the OneKey Pro shows you the destination address; if you do not read the screen, the device is just a slow signing button.
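What a transaction actually asks the device to sign can be decoded before you confirm it. The Python below is an added example, not part of the original page or any wallet vendor's code: it decodes EVM calldata using the standard ERC-20/ERC-721 function selectors and flags unlimited approvals. The helper names (describe, decode_word) are hypothetical and the addresses and calldata are constructed sample values.

```python
# Added example: summarise what an EVM transaction asks a wallet to sign.
# Selectors are the standard ERC-20 / ERC-721 ones; sample values are constructed.
MAX_UINT256 = 2**256 - 1

SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}

def decode_word(kind, word):
    """Decode one 32-byte ABI word as an address, bool or uint256."""
    if kind == "address":
        return "0x" + word[12:].hex()
    value = int.from_bytes(word, "big")
    return value != 0 if kind == "bool" else value

def describe(tx):
    """Return (summary, warnings) for a dict with 'to', 'value' (wei), 'data' (hex)."""
    raw = tx["data"][2:] if tx["data"].startswith("0x") else tx["data"]
    data = bytes.fromhex(raw)
    if not data:
        return f"plain transfer of {tx['value']} wei to {tx['to']}", []
    selector, body = data[:4].hex(), data[4:]
    if selector not in SELECTORS:
        return f"unknown call 0x{selector} on {tx['to']}", ["unrecognised function"]
    name, kinds = SELECTORS[selector]
    if len(body) != 32 * len(kinds):
        return f"malformed {name} call on {tx['to']}", ["argument length mismatch"]
    args = [decode_word(k, body[32 * i:32 * i + 32]) for i, k in enumerate(kinds)]
    warnings = []
    if name == "approve" and args[1] == MAX_UINT256:
        warnings.append(f"unlimited allowance granted to {args[0]}")
    if name == "setApprovalForAll" and args[1]:
        warnings.append(f"{args[0]} becomes operator for every token in the collection")
    return f"{name}({', '.join(map(str, args))}) on contract {tx['to']}", warnings

# Constructed sample: presented to the user as a transfer, but it is an approval.
SAMPLE_TX = {
    "to": "0x" + "22" * 20,      # constructed token contract address
    "value": 0,
    "data": "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32,
}

if __name__ == "__main__":
    summary, warnings = describe(SAMPLE_TX)
    print(summary)
    for w in warnings:
        print("WARNING:", w)
```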
The recommended layout for a US holder
Five-figure stack: one hardware wallet plus a steel backup of the seed. Six figures: hardware wallet plus a separate signing device plus Shamir 2-of-3 across home, parents, and bank deposit box. Seven figures: multisig 2-of-3 with three different hardware-wallet brands as coordinators (avoid single-vendor risk).