Xapo Security

When you move your funds into the Vault, we place your funds in a computer that has never had and never will have internet access. We then encrypt all the data, segregate it into different chunks, and copy it onto external drives and paper. Those backups are securely stored in physical vaults in geographically dispersed locations.

It's important to understand how Xapo sends funds on behalf of our users to ensure that any refunds you are expecting back to you truly reach your Xapo account.

All wallet or vault addresses that are displayed within your Xapo account are receive-only addresses. Xapo uses a collection of Xapo-owned bitcoin addresses in order to send funds on behalf of our users. For that reason, Xapo bitcoin sending addresses are not designed to receive bitcoin for Xapo users. Any funds sent back to Xapo sending addresses will not reach your Xapo account.

Therefore, as stated in the section titled "Bitcoin Transactions" in the Xapo Terms of Use, Xapo cannot and does not guarantee that any bitcoin transaction reversed by a third party, and/or bitcoins sent directly to any Xapo sending address will be received by the intended Xapo user. If you are expecting to receive any funds back to your Xapo account, then you will need to give one of the Xapo receiving addresses shown in your account so as to ensure that you receive the funds!

Second-factor authentication (2FA) is a security process that requires two means of identification to perform certain actions within your account. When the system asks you for your 2FA, you will automatically get a 6-digit code sent to your mobile phone. You will first need to install our Xapo mobile app to receive your 6-digit code. If you have not installed it, you will need to wait for 2 minutes before you can request that an SMS be sent to your mobile phone instead.

A real email from Xapo will never ask you for your password or PIN. This type of email is a scam email known as "phishing" or "spoofing", where someone is trying to obtain your information to compromise your account. NEVER share your password or PIN with anyone.

Cold storage refers to the process of storing bitcoins offline, but the private keys associated with this process may be online and/or exposed to the internet at some time during the generation or signing process. Deep cold storage, however, is a type of cold storage where not only are bitcoins stored offline, but the system that holds the bitcoins was also never online or connected to any kind of network. The private keys associated with that system were generated in offline systems, and the signing of transactions is also done in offline systems. The systems used in this type of storage never touch the Internet; they are created offline, they are stored offline, and they are offline when signing transactions.

Multi-signature, also called multi-sig, is a security protocol that is part of the bitcoin core in which multiple private keys are required to sign a transaction. The technology is designed to increase the security of bitcoin storage. It is a technology that allows the generation of a bitcoin address that requires more than one private key and can require a specific combination of private keys (for example 3 out of 5 keys) to sign a bitcoin transaction before the coins are released.

All Xapo Wallets, including Vault wallets, have multi-signature. You can double check this by looking at the blockchain address for your Xapo Wallet - multi-signature addresses start with the number "3".

If you have a Xapo Wallet address from before we implemented multi-sig (an address that starts with the number "1" vs. "3"), it will continue to work (with no expiration), though we recommend you stop sharing it with others, so as to phase out your traditional wallet address that does not have the security features of multi-sig.

In order to make your Xapo account as secure as possible, try to treat your Wallet and Vault just as you would your physical wallet and your savings account. Just as you wouldn't carry around $5,000 of cash in your wallet, you shouldn't carry around $5,000 worth of bitcoins in your Xapo Wallet. Any bitcoin that you are not currently spending and would like to keep as your "savings" should be stored in deep cold storage in the Vault. It is extremely secure and takes 48 business hours to retrieve these coins from the Vault back into your Wallet!

To keep your account safe, it's important to always use common sense. Never give out your password to anyone.

Additionally, we highly recommend enabling second-factor authentication (2FA). With 2FA, you will be asked to enter a 6-digit code every time you log in to your account. This code will be sent to your registered phone number via SMS/call (or you can download the Xapo app or Google Authenticator for 2FA instead of relying on SMS!).

In short, be as diligent as possible with your bitcoin security!

You are responsible for making your account as secure as possible and ensuring that the personal information associated with your Xapo account is accurate and current, including your email address and mobile number. Additionally, you are also responsible for maintaining adequate security, control and confidentiality of your account information. This includes any sensitive account information such as PINs and passwords! If you believe your account has been compromised please contact us immediately.

Private keys to Xapo accounts are never given out to anyone - they are kept in a safe place for you. Xapo keeps most of your bitcoins in deep-cold storage, in offline servers that have never been online and will never be online. We have a process to move coins out of deep-cold storage once a day without ever exposing the private keys to the Internet. Xapo makes sure that private keys are never on your phone or your computer; private key security is always in our hands and if someone were to hack your device, they could never get your private keys because they are not there.

Begin by logging in to your Xapo account at Next, click on the "Vault" button on the top of the screen. You will then be prompted to enter your Vault password. After entering your password you will be directed to your Xapo Vault. Directly below your Vault address, click on the red button that says "Retrieve". You will then be prompted to input the amount of bitcoin that you would like to retrieve from your Vault to your Wallet.

After you tell us the amount you want to retrieve, we'll use multiple security layers to verify that you have authorized the request. This will initiate a sequence of secure steps to get your requested bitcoins transferred from your Vault to your Wallet within 48 business hours. In the meantime, you can track the transfer's progress in your transaction history.

The Xapo Vault is a core product because it is the safest place to store your bitcoins.

The Vault keeps your bitcoins in total lockdown using layers of proprietary security protocols to keep your bitcoin locked away in deep cold storage until you’re ready to access them. It is the preferred storage for large and small holders of bitcoin who need highly secure and diversified measures to protect their holdings.

Security is our foundation and we believe security should be the focus for all bitcoin companies. Without security, nothing else matters, and Xapo’s core focus has always been — and will always be — providing highly-secure bitcoin storage for our users. We believe this focus has made the Xapo Vault the most advanced bitcoin cold storage solution in the world.

Please note that 2FA is a second security step built to enhance the protection of your account, and it cannot be removed. We suggest you activate 2FA for every login to your Xapo account.


You can activate 2FA from your Security Settings. These can be found by clicking on your avatar in the top right-hand corner of your screen.



If this is the first time you are activating second-factor authentication on your Xapo account, we’ll first need to verify your mobile number before we can enable these settings.



Once you receive your Verification Code you’ll be able to complete the procedure.

If you don’t receive a verification code, please make sure the SMS was sent to the correct phone number.



If you still don’t receive any SMS from us with your verification code, you’ll be able to troubleshoot any issue by following these steps.


Once your mobile number has been verified successfully, you’ll be able to enable second-factor authentication for all your future account logins.


On your security settings page, simply click on “Require second-factor authentication for login” and save.



You have now enabled second-factor authentication every time you log in.


When you are asked for second-factor authentication, you will receive your 2FA code on your Xapo mobile app, or you’ll be able to request that it be sent by SMS instead!

For vulnerability coordination and reporting, please contact If you'd like to report suspicious activities or transactions, please contact our support team.