
How Coinkite Defines Cypherpunk Bitcoin Security


Bitcoin Magazine


Advancing the standard for hardware wallet security and cypherpunk aesthetics, Coinkite, a small Bitcoin company out of Canada, is the third largest manufacturer in the industry.

Surrounded by hardware wallets that reach for mainstream adoption and seek to integrate every last altcoin in existence, Coinkite has taken a fundamentally different approach, sticking to their Bitcoin-only guns, and it’s been paying off.

“Coldcard is the ultimate HODL device — nobody else offers 10% of the features we have, and it’s all designed for Bitcoin. You literally cannot fork Coldcard for altcoins,” Rodolfo Novak, cofounder and CEO of Coinkite told Bitcoin Magazine in an exclusive interview.

“Coinkite is like a race car company or a specialty car company—a small team that makes something really, really good and has a market. Bitcoiners recognize it.” 

A product of “security autism,” as he put it, Coinkite stands as one of the oldest companies in Bitcoin’s history, founded in Canada in 2013 by Rodolfo and Peter Gary.

But how did Coinkite survive for over a decade with less than 20 employees and become the third biggest manufacturer of hardware wallets, without getting into meme coins?

Cypherpunk Aesthetics 

Defining the aesthetic of cypherpunk Bitcoin purism, the Coldcard devices show off their hardware behind a transparent shell, instead of hiding it. Not for show or style points, but for functional security.


“The transparent case allows users to see the hardware directly, verify that there are no external devices attached, things that might compromise the device,” Rodolfo explained. “We want people to be able to see it — it’s all functional.”

The Coldcard Q, their latest-generation device, builds on the same hardware and codebase as the older Coldcard Mk4, but adds a few new quality-of-life features like a bigger keyboard, external battery power input, independent camera module with lasers to scan even the sketchiest of QR codes, and even two micro-SD card inputs.

The device feels like a Game Boy Color console from the 2000s, but looks like it came back for revenge after surviving a throwdown with Sarah Connor.

“[Users] can easily scratch off the USB wires, to satisfy certain use cases and threat models,” added Rodolfo when explaining the depth of optionality the device offers.

Every chip, every wire, the whole architecture is observable, a choice that embodies their commitment to the “don’t trust, verify” ethos.

While it’s intimidating to look at the device at first, and the Q is generally considered a device for intermediate users, its default settings make it reasonably easy to use for anyone who is ready to take the step into hardware wallets and self-custody.

Coinkite refuses to compromise on critical security elements for user experience. For example, Coldcard Q’s large LCD screen is very simple with low power consumption, no touch screen, and a module chosen to reduce hardware complexity and keep the Coldcard an air-gapped device that can run on double AAA batteries. Coinkite also opted out of the Bluetooth standard altogether, even though it would enable new user experiences and connectivity, since it’s famously insecure.

Coinkite has no integration with anything other than Bitcoin either, avoiding the complexity and questionable security practices of many popular altcoins and also shrinking their potential customer base. 

The benefits of this bitcoin-only strategy were seen recently in the Bybit hack, when over a billion dollars in ETH were stolen from an exchange whose executives were using various hardware wallets, via a compromised dependency in the Safe web wallet. Executives at the exchange claim they unwittingly signed the compromised blob of hex code that represented the smart contract for their multisig, effectively blind-signing away billions’ worth of the coin.

This kind of hack doesn’t happen in Bitcoin, because Bitcoin avoids that kind of complexity out of an abundance of caution. The kind of transactions that would move billions of dollars in bitcoin are far simpler and on-chain, only asking users to verify amounts, recipient addresses, and change addresses, rather than fully fledged Solidity smart contracts.
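As an added illustration (not Coinkite’s or Coldcard’s code; a simplified stand-in for a real PSBT with constructed placeholder addresses), this is the kind of output review described above: every output must be either the wallet’s own change or a payment the user actually asked for, and anything else is refused rather than blind-signed.

```python
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000


@dataclass(frozen=True)
class Output:
    address: str  # destination address (constructed placeholders below)
    sats: int     # amount in satoshis


def review_transaction(tx, change_addresses, intended):
    """Classify each output so the signer can display exactly what is signed.

    tx: simplified stand-in for an unsigned transaction (inputs and outputs).
    change_addresses: addresses the wallet derives from its own seed.
    intended: {address: sats} the user actually asked to pay.
    'approve' is False when any output is neither recognised change nor an
    intended payment, or when an intended payment is absent.
    """
    total_in = sum(i["sats"] for i in tx["inputs"])
    total_out = sum(o.sats for o in tx["outputs"])
    sends, unexpected, change_sats = [], [], 0
    for out in tx["outputs"]:
        if out.address in change_addresses:
            change_sats += out.sats
        elif intended.get(out.address) == out.sats:
            sends.append(out)
        else:
            unexpected.append(out)  # unknown destination or wrong amount
    paid = {o.address for o in sends}
    missing = {a: s for a, s in intended.items() if a not in paid}
    fee_sats = total_in - total_out
    return {"sends": sends, "change_sats": change_sats, "fee_sats": fee_sats,
            "unexpected": unexpected, "missing": missing,
            "approve": not unexpected and not missing and fee_sats >= 0}


# Constructed sample data: placeholder addresses, not real ones.
CHANGE = {"bc1q-example-change-0"}
INTENDED = {"bc1q-example-recipient": 2 * SATS_PER_BTC}
GOOD_TX = {"inputs": [{"sats": 3 * SATS_PER_BTC}],
           "outputs": [Output("bc1q-example-recipient", 2 * SATS_PER_BTC),
                       Output("bc1q-example-change-0", SATS_PER_BTC - 2_000)]}
# Same inputs, but the payment now goes to an address the wallet does not
# recognise: an output-reviewing signer refuses rather than blind-signing.
BAD_TX = {"inputs": GOOD_TX["inputs"],
          "outputs": [Output("bc1q-example-unknown", 2 * SATS_PER_BTC),
                      Output("bc1q-example-change-0", SATS_PER_BTC - 2_000)]}
```

The review of GOOD_TX approves with a 2,000 sat fee; the review of BAD_TX refuses, reporting one unexpected output and the missing intended payment.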

Source Available

Coinkite’s approach to transparency and verifiability goes deeper than the casing of their hardware. Their software and firmware have been open source since the beginning, going as far as to release the full schematic of their security products.

“Since version one, we always released schematics so people can go and build it themselves and prove the things. Because the whole point for us is provability. Every claim we make, we need to be able to substantiate in a way that the user can prove it themselves.”

According to Rodolfo, the devices are made of hardware that can be bought off-the-shelf, for enthusiasts and security professionals who want to leave nothing to trust.

“Some of these claims require you to be extremely advanced. But the point is somebody out there can go and prove it, right? And people do,” he added.

However, critics argue that Coldcard is not truly open source because of their licensing. The Coldcard codebase, originally released under GPL, was transferred to MIT with a commercial restriction in 2021 in reaction to a competitor who cloned their work and launched a competing device. 

Rodolfo minced no words when asked about the matter; normally a mild-mannered and jolly Canadian, his passion for the topic was palpable.

“So we believe in, well, first of all, we don’t like assholes. And you can put that in the article. We’re functionally adversarial. That’s just our mindset. That’s with the code. That’s with the hardware. That’s with the law. Somebody went out there and, without mentioning to us, without anything, just took the code, didn’t even bother to change anything, contribute back, zero contributions back, and started a competing company. So we’re like, you know what, fuck you. And we changed the license.”

This is a rare stance in the open source ethos of the Bitcoin industry, and one they get plenty of flak for: they are often accused of not being “open source” per se but rather “source available.”

“So we used to be GPL. And then we changed to MIT, which is even more open than GPL is. But we added a commercial clause. So anybody can copy our code, change our code, gift our code, use our code however the fuck they want. The only restriction that they have is they cannot start a competing business,” Rodolfo explained.

Critics argue that this approach limits how much review such products get, as there’s no commercial incentive to review the code, lowering the security benefits of such open-source products.

However, Rodolfo calls that a narrative. He claims that sales tripled after the event, that exchanges throughout the world use Coinkite products to secure customer funds, and that companies as well as OGs hire professionals to comb through all their code.

“There are exchanges who use our devices as part of their internal co-signing systems. There are a lot of OGs who use our devices with a lot of money in them. And we learn a lot from a lot of private conversations on attacks, on how people are using it—We get a lot of very interesting private emails with people who check the firmware every time we make an update, people who check the hardware, people who check everything.”

Forged in Chaos

Coinkite’s focus on making their devices verifiable to the core comes in part from their early roots in the Bitcoin industry.

“We wanted to do Bitcoin payments. We had the first Bitcoin payment terminal with Bitcoin debit cards and stuff like that,” Rodolfo recalled about Bitcoin and Coinkite’s infancy.

“But there weren’t any good wallets. And so we launched essentially a crypto bank for people to store funds. And then it became the multisig web wallet. I think at that time there was about $4 billion worth of bitcoin in the system. It was like 2014.”

Launching one of the first multisig wallets in the industry, the service hosted on Coinkite.com enabled users to manage multiple keys with early Trezor and Ledger hardware devices. Users could sign transactions with the kind of optionality and tooling advanced users expect from wallets today. “It was like BitGo before BitGo,” Rodolfo recalled about the web wallet that they launched in 2014 and closed down just two years later.

In a blog post at the time titled “Time To Be Your Own Bank,” Coinkite explained the reason for the closure of the web wallet, a pivot that would lead to the creation of the Coldcard:

“Being a centralized bitcoin service does attract attention from state actors and other well-funded pains in the butt, and as a matter of fact, we’ve been under DDoS since the first month we launched—over three years—yay. Plus we have put real fiat dollars into our lawyers’ pockets, to defend our customers from their own governments. This is not what we love to do, which is coding and delivering awesome services.”

This era of the Bitcoin industry was also littered with the graveyards of centralized exchanges and user-friendly web wallets. Not only were cybersecurity practices in Bitcoin a new paradigm (after all, irreversible digital money transactions had never existed before), but the regulatory uncertainty such companies faced was severe.

“We didn’t want to be in the business of holding people’s bitcoin, we wanted to empower users to hold their own keys, so we pivoted to focus on making the best hardware wallet we could.”

In 2016, Coinkite closed down the web wallet, but not before launching one of their most iconic products, the Opendime.


Challenging the limits of Bitcoin as a natively digital money, a system that requires an internet connection to have transactions validated by the network, the Opendime demonstrated a secure way to lock up bitcoin value in a physical device without trust while still allowing recipients to verify its balance.

The Opendime, still in use today, features a hardware seal that generates the private keys from initial user input, but in a chip that does not reveal the private key to the user — only the corresponding public key. To see the private key and spend the bitcoin sent to it, a physical seal in the device has to be broken, leaving visible evidence of device tampering and triggering a red light when plugged in rather than a green light.


The Opendime has inspired a generation of Bitcoin artists to embed these devices into physical art, such as Madex and Johnny Dollar, often adding a bitcoin balance to the device as part of the art piece.

Perhaps the most iconic device they have produced is the Blockclock. Only 500 units ever made, this “electro mechanical” time machine was made to honor the first 10 years of Bitcoin’s life.

The 500 devices sold “Quick!” Rodolfo told Bitcoin Magazine, hitting the market for 1 BTC each in late November 2018, just one month after the 10th anniversary of Satoshi’s Bitcoin White Paper release. The price of bitcoin at the time was roughly $4,000.

Demand must have been high because two smaller versions followed, clearly designed for mass consumption at much more affordable prices, the Blockclock Mini and the Blockclock Micro.

Since their founding, Coinkite has created a long list of technologies, both physical and digital, many of them open source contributions and some of them servicing critical pieces of the market. In fact, they have created so many, with dedicated websites, that when asked how many, Rodolfo laughed and basically said he had no idea.

I’ll just leave you with the biggest hits:

  • BBQr — high-security QR code protocol, backwards-compatible with normie standard.
  • Bitcoin Security Guide — a noob-friendly step-by-step Bitcoin self-custody guide.
  • Bitcoin Treasuries — a website that tracks the biggest public holders of bitcoin.
  • Bitcoin Binaries bot — a bot that automatically builds critical Bitcoin software releases from source, looking to verify that the end result is the same packaged product normal users download.
  • Check MSG — a simple site that verifies the cryptography of messages signed with Bitcoin key pairs.
  • NFC PushTX — a simple protocol to send Bitcoin transactions from an air-gapped device like Coldcard to a web-enabled device like a phone, and then to the web.
  • Bitcoin.Review Podcast — easily one of the best Bitcoin podcasts for technical Bitcoiners, especially those that suffer from insomnia.

This post How Coinkite Defines Cypherpunk Bitcoin Security first appeared on Bitcoin Magazine and is written by Juan Galt.

