🟢 Trust Rating: High
Coldcard does the hard security things most wallets skip: it runs fully air-gapped, stores your seed across two secure elements from different chipmakers, and ships duress and brick-me PINs for coercion scenarios. It also stopped being open source in 2020 and now ships source-viewable firmware you cannot legally fork. That is a real downgrade in verifiability, and we say so below. For a Bitcoin-only holder with a serious threat model who is willing to learn the workflow, it still earns high trust.
What is Coldcard?
Coldcard is a Bitcoin-only hardware signing device made by Coinkite, a company based in Canada, shipping since 2018. It is not a multi-coin wallet and does not try to be. The whole design assumes you never plug it into an internet-connected computer if you do not have to. You move transactions in and out on a microSD card, or by NFC tap, or (on the Q) by scanning QR codes. The private keys never touch a networked machine.
Two models are current in 2026. The Coldcard Mk5 is the compact one: a 1.54-inch Gorilla Glass LCD screen, numeric keypad, sliding cover, priced at $169.94. The Coldcard Q is the bigger sibling: a 3.2-inch LCD, a full QWERTY keyboard, a built-in QR scanner with LED illumination, dual microSD slots, and AAA battery power for true air-gapped use, priced at $249.21. Coinkite gives a 5% discount if you pay in Bitcoin with the code CKBTC. The Mk5 launched on March 10, 2026, replacing the Mk4 that had been the flagship since 2022.
Critical Privacy Concerns
⚠️ Read This Before You Buy
- Not open source anymore. Coldcard firmware was GPLv3 until 2020, then Coinkite moved it to a license with a commons-clause restriction so competitors cannot resell their code. The result: you can read the source, but you cannot freely fork or redistribute it. Coinkite now calls the code "verifiable" rather than open source. Critics, including Foundation Devices founder Zach Herbert, publicly objected. Rival wallets like Trezor, BitBox02, and Foundation Passport are still genuinely open source.
- Steep learning curve. This is built for advanced users. Air-gapped PSBT signing, multisig setup, passphrase wallets, and the various duress features are powerful and easy to misuse. A beginner can lose funds through their own mistakes faster than any attacker could.
- Bitcoin only. If you hold anything other than Bitcoin, this device will not sign it. That is a deliberate design choice, not a bug, but know it going in.
Dual Secure Elements
Most hardware wallets use one secure element chip. Coldcard uses two, from different manufacturers: Microchip's ATECC608 and Maxim's DS28C36B, plus the main microcontroller. Your 24-word seed is split across both. The logic: a hidden backdoor or a fabrication-level flaw would have to exist in three separate chips from separate vendors at once to expose your keys. It raises the bar for a supply-chain or silicon-level attack well past what a single-chip design offers.
Duress, Brick-Me, and Anti-Phishing PINs
Coldcard is built around the idea that someone might physically force you to unlock it. The duress PIN opens a separate decoy wallet with no link to your real funds, so you can hand over "the wallet" under coercion. The brick-me PIN permanently destroys the secure elements and renders the device worthless on the spot. There is also a covert countdown-to-brick variant that quietly disables the device after a delay.
The anti-phishing login words defend against a swapped or tampered device. You enter the first part of your PIN, and the Coldcard shows you two words that are unique to that prefix. If the words are wrong, you are not looking at your real Coldcard, and you stop before entering the rest of your PIN. It is a simple, clever check that a fake device cannot fake.
Air-Gapped Operation
Air-gapped means the signing device never connects to a networked computer. Coldcard supports several ways to keep it that way. The classic method is microSD "sneakernet": your watch-only software builds an unsigned transaction as a PSBT (the BIP-174 standard), you carry it on a card to the Coldcard, sign offline, and carry the signed file back. The Mk5 adds an NFC tap for short-range transfers. The Q adds a QR scanner and screen so you can move PSBTs by camera with no card and no cable at all.
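An added example (not Coinkite's code and not part of the original review): a minimal Python check, run on the watch-only machine, that a file coming off the microSD card is a well-formed BIP-174 PSBT and whether its inputs carry signatures yet. It assumes a binary PSBTv0 file; the function names and the sample bytes are constructed for illustration.

```python
MAGIC = b"psbt\xff"             # BIP-174 magic bytes
SIG_TYPES = (0x02, 0x07, 0x08)  # input key types: partial sig, final scriptSig, final witness

def read_varint(buf, pos):  # compact-size integer -> (value, next position)
    if pos >= len(buf):
        raise ValueError("truncated PSBT")
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}.get(buf[pos], 0)
    if size == 0:
        return buf[pos], pos + 1
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def read_map(buf, pos):  # one key-value map up to its 0x00 separator
    entries = {}
    while True:
        klen, pos = read_varint(buf, pos)
        if klen == 0:
            return entries, pos
        key, pos = bytes(buf[pos:pos + klen]), pos + klen
        vlen, pos = read_varint(buf, pos)
        if pos + vlen > len(buf) or key in entries:
            raise ValueError("truncated PSBT or duplicate key")
        entries[key], pos = bytes(buf[pos:pos + vlen]), pos + vlen

def count_ins_outs(tx):  # the unsigned tx is serialized without witness data
    n_in, pos = read_varint(tx, 4)             # skip 4-byte version
    for _ in range(n_in):
        slen, pos = read_varint(tx, pos + 36)  # skip outpoint (txid + vout)
        pos += slen + 4                        # skip scriptSig and sequence
    return n_in, read_varint(tx, pos)[0]

def psbt_status(raw):
    """Input/output counts and number of inputs carrying signatures, for a binary PSBTv0."""
    if not raw.startswith(MAGIC):
        raise ValueError("not a PSBT: bad magic bytes")
    glob, pos = read_map(raw, len(MAGIC))
    if b"\x00" not in glob:
        raise ValueError("missing unsigned transaction (global type 0x00)")
    n_in, n_out = count_ins_outs(glob[b"\x00"])
    signed = 0
    for _ in range(n_in):
        inp, pos = read_map(raw, pos)
        signed += any(k[0] in SIG_TYPES for k in inp)
    return {"inputs": n_in, "outputs": n_out, "signed_inputs": signed}

# Constructed sample: 1-input, 1-output transaction with dummy txid, key and signature bytes.
TX = (b"\x02\x00\x00\x00\x01" + b"\x11" * 32 + b"\x00" * 5 + b"\xff" * 4
      + b"\x01" + (50_000).to_bytes(8, "little") + b"\x01\x51" + b"\x00" * 4)
GLOBAL = MAGIC + b"\x01\x00" + bytes([len(TX)]) + TX + b"\x00"
UNSIGNED = GLOBAL + b"\x00" + b"\x00"  # empty input map, empty output map
SIGNED = GLOBAL + b"\x22\x02" + b"\x03" * 33 + b"\x08" + b"\x30" * 8 + b"\x00" + b"\x00"
```

A file that reports `signed_inputs` equal to `inputs` has been through the signer; one that reports 0 is still the unsigned request. The check only inspects structure and does not verify that any signature is valid.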
Works With Your Own Node
Privacy on Bitcoin is mostly about not leaking your addresses to someone else's server. Coldcard pairs with Sparrow, Electrum, and Specter, all of which can talk to your own Bitcoin Core node instead of a third-party backend. Point your coordinator at your node, keep the Coldcard air-gapped over microSD or QR, and no outside company learns which addresses are yours. That is the setup we would actually run.
Technical Specifications
- Coins: Bitcoin only
- Secure elements: Two, from different vendors (Microchip ATECC608 and Maxim DS28C36B), plus MCU
- Air-gap transfer: microSD (PSBT / BIP-174), NFC tap, QR scanning on the Q
- Coercion features: Duress PIN, brick-me PIN, countdown-to-brick, anti-phishing login words
- Firmware: Source-viewable, not OSI-approved open source since 2020
- Software: Sparrow, Electrum, Specter, own-node compatible
- Q extras: 3.2-inch LCD, QWERTY keyboard, QR scanner, dual microSD, AAA battery power
Pricing Structure
| Model | Price | Notes |
|---|---|---|
| Coldcard Mk5 | $169.94 | Compact, LCD, numeric keypad, NFC, sliding cover |
| Coldcard Q | $249.21 | LCD, QWERTY keyboard, QR scanner, dual microSD, battery |
Pay in Bitcoin with code CKBTC for 5% off. Prices are from Coinkite's own store and do not include shipping.
Coldcard vs. Alternatives
Coldcard vs. Trezor
- Coldcard: Bitcoin only, dual secure elements, richer coercion features, source-viewable firmware, harder to learn.
- Trezor: Multi-coin, fully open source, friendlier for beginners, but historically weaker against physical extraction on older models. See our Trezor review.
Coldcard vs. Foundation Passport
- Coldcard: Bitcoin only, source-viewable, dense feature set aimed at power users.
- Foundation Passport: Bitcoin only, still GPLv3 open source, phone-style interface that is easier to hand to a newcomer. Passport's founder was one of the loudest critics of Coldcard dropping open source. See our Foundation Passport review.
Coldcard vs. BitBox02
- Coldcard: Deeper coercion and air-gap tooling, two secure elements, steeper curve.
- BitBox02: Open source, Swiss, comes in a Bitcoin-only edition, simpler to use, single secure element. See our BitBox02 review.
Cross-shopping the whole category? Read our hardware wallet comparison and the case for open-source wallets, or browse every reviewed tool. If you are weighing a mainstream option, our Ledger review covers the other end of the spectrum.
When to Use Coldcard
Good Fit
✅ Bitcoin-only holders with a serious threat model who want duress wallets, dual secure elements, and true air-gapped signing.
✅ People running their own node with Sparrow, Electrum, or Specter who care about not leaking addresses to a third party.
✅ Advanced users comfortable with PSBT workflows and willing to read the docs before moving real money.
Wrong Fit
❌ Beginners who want to plug in, tap a phone app, and be done. The learning curve is real and mistakes here cost coins.
❌ Multi-coin holders. This signs Bitcoin and nothing else.
❌ People who require genuine open source they can fork and redistribute. Coldcard's firmware is readable but not that. Foundation Passport or BitBox02 fit better.
The Bottom Line
Consider Coldcard if:
- You hold Bitcoin only and take physical-coercion and supply-chain threats seriously
- You want air-gapped signing paired with your own node
- You will actually learn the workflow instead of guessing
Look elsewhere if:
- You are new to hardware wallets and want a gentle first device
- You need multi-coin support
- Fully open, forkable firmware is a hard requirement for you
⚠️ Final Assessment
Coldcard is one of the most security-serious Bitcoin signing devices you can buy, and the dual secure elements plus the duress and brick-me PINs are not marketing theater; they solve real problems for people who are genuinely targeted. The honest knock against it is the 2020 license change: dropping open source for source-viewable firmware weakened the verifiability story, and open competitors exist. Buy it for the security engineering and the air-gapped workflow, go in knowing it demands homework, and do not pretend the code is as open as it used to be.