How it works
Coldcard is a Bitcoin-only hardware signing device built by Coinkite, a Toronto company that has shipped the product since 2017. It does one job: generate and guard the private keys for a Bitcoin wallet, then sign transactions without ever depending on a trusted data link to a computer.
The workflow is deliberately indirect. A watch-only wallet on a desktop or phone — Sparrow, Electrum, or Coldcard's own tooling — builds an unsigned transaction in PSBT form. That file moves to the Coldcard on a microSD card, as a QR code, or over NFC on the larger Coldcard Q. The device shows the destination and amount on its own screen, the user approves with a PIN, and the signed transaction travels back the same way. The host machine broadcasts it but never touches the seed.
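As an added example that is not part of this review or of Coldcard's own code, the following Python parses a BIP174 (v0) PSBT just far enough to list the outputs the signer is asked to approve, which is the destination-and-amount check the device performs on its own screen before the owner enters a PIN. The PSBT, the scriptPubKeys and the amounts are constructed for this example; only v0 PSBTs, which carry the unsigned transaction in the global map, are handled.

```python
PSBT_MAGIC = b"psbt\xff"  # BIP174 magic; added example, not Coldcard/Coinkite code
def read_varint(b, i):
    """Decode a Bitcoin CompactSize integer at offset i; return (value, next_offset)."""
    if b[i] < 0xFD:
        return b[i], i + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[b[i]]
    return int.from_bytes(b[i + 1:i + 1 + size], "little"), i + 1 + size
def read_map(b, i):
    """Read one PSBT key/value map up to its 0x00 terminator; return (dict, next_offset)."""
    m = {}
    while True:
        klen, i = read_varint(b, i)
        if klen == 0:
            return m, i
        key, i = b[i:i + klen], i + klen
        vlen, i = read_varint(b, i)
        m[key], i = b[i:i + vlen], i + vlen
def tx_outputs(tx):
    """Return [(value_sats, scriptPubKey)] from a non-witness serialised transaction."""
    n_in, i = read_varint(tx, 4)  # skip the 4-byte version
    for _ in range(n_in):  # 36-byte outpoint, scriptSig (empty in a PSBT), 4-byte sequence
        slen, i = read_varint(tx, i + 36)
        i += slen + 4
    n_out, i = read_varint(tx, i)
    outs = []
    for _ in range(n_out):
        slen, j = read_varint(tx, i + 8)  # the 8-byte value precedes the script length
        outs.append((int.from_bytes(tx[i:i + 8], "little"), tx[j:j + slen]))
        i = j + slen
    return outs
def psbt_outputs(psbt):
    """Outputs of the unsigned tx under global key 0x00 (PSBT_GLOBAL_UNSIGNED_TX); absent in PSBT v2."""
    if not psbt.startswith(PSBT_MAGIC):
        raise ValueError("not a PSBT")
    glob, _ = read_map(psbt, len(PSBT_MAGIC))
    return tx_outputs(glob[b"\x00"])
def amount_to(psbt, spk):
    return sum(v for v, s in psbt_outputs(psbt) if s == spk)  # sats to spk: the figure to match against the device screen
def build_sample_psbt(outputs):
    """Constructed PSBT: one input with empty scriptSig, the given outputs, empty per-input/output maps."""
    tx = b"\x02\x00\x00\x00\x01" + b"\x11" * 32 + b"\x00" * 4 + b"\x00" + b"\xfd\xff\xff\xff"  # version, 1 input
    tx += bytes([len(outputs)]) + b"".join(v.to_bytes(8, "little") + bytes([len(s)]) + s for v, s in outputs)
    tx += b"\x00" * 4  # locktime
    glob = b"\x01\x00" + bytes([len(tx)]) + tx + b"\x00"  # key 0x00 -> tx, then the map terminator
    return PSBT_MAGIC + glob + b"\x00" * (1 + len(outputs))  # one empty input map, one per output

DEST = b"\x00\x14" + b"\xab" * 20    # constructed P2WPKH scriptPubKey for the destination
CHANGE = b"\x00\x14" + b"\xcd" * 20  # constructed P2WPKH scriptPubKey for change
SAMPLE_PSBT = build_sample_psbt([(50_000, DEST), (149_000, CHANGE)])
```

Comparing `amount_to(SAMPLE_PSBT, DEST)` with the figure the device displays is the independent check the air-gapped workflow relies on; a change output the host wallet added shows up as a separate line rather than being silently folded into the destination.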
Keys sit behind two secure elements sourced from different manufacturers, so a break in one chip is not a break in the wallet. The case is transparent by design, to make physical tampering visible.
KYC & privacy
There is no account, no signup, no email, and no companion cloud service. Coldcard is a physical object, not a hosted service: once it is in hand, no server knows it exists, and there is nothing to subpoena, freeze, or log. The device does not connect to the internet at all, so it emits no telemetry.
Privacy then depends on how the device is paired. Coldcard signs transactions; it does not decide how a desktop wallet queries the network. A user who points a watch-only wallet at a stranger's Electrum server exposes their addresses to that server. Pairing Coldcard with a personal Bitcoin node closes that gap. The device itself collects nothing; the surrounding setup is where address privacy is won or lost.
Strengths and limits
The strongest argument for Coldcard is the threat model it assumes: every computer is hostile, including the owner's. Air-gapped signing, on-device verification, and dual secure elements make remote compromise hard and silent compromise visible. Eight years under one company, with vulnerabilities disclosed and patched rather than buried, is a meaningful record.
The limits are real. The firmware is published and reproducible, but it ships under a Commons Clause licence — source-available for inspection, not open source in the strict sense, a point the privacy community raises often. Past disclosures, including a 2020 testnet-display bypass, a 2020–21 multisig xpub registration flaw fixed in firmware 3.2.1, and a PIN-extraction weakness on the long-retired Mk2, were all resolved, but they show the device is not beyond scrutiny. It is also Bitcoin-only and asks for more care than a tap-to-sign mobile wallet.
Verdict
Coldcard suits the user who treats key management as a discipline rather than a convenience, and it will frustrate anyone who wants to move funds in seconds. The Commons Clause licence and the trail of disclosed bugs are real caveats, but neither undermines a device whose core promise — keep the seed off every networked machine — has held for eight years. Grade: A (9.4/10). Trust: TRUSTED.
Coldcard is a specialist's instrument: it rewards maximum-control users and frustrates anyone after convenience. The source-available licence and a history of disclosed-then-patched bugs keep it short of an unqualified rating, but the engineering and the eight-year record are strong. Grade: A (9.4/10). Trust: TRUSTED.