How to Store NFTs Securely

NFT security means two things — protecting the token record (wallet custody) and protecting the media it points to (on-chain vs IPFS vs centralized servers). This post explains both layers and where the real risks actually live.
Lewis Jackson
CEO and Founder

The phrase “NFT storage” is a bit misleading, and that confusion causes real security gaps.

When people ask where to store their NFTs, they’re usually asking two different questions at once: where is the NFT itself, and where is the image or file the NFT points to? These are distinct things. Mixing them up leads to situations where someone thinks their NFT is “safely stored” when they’ve only addressed half the problem.

What the NFT Actually Is (and Where It Lives)

An NFT — at the token level — is a record in a smart contract. Specifically, it’s an entry in a mapping that associates a token ID with a wallet address. That mapping lives on the blockchain. You can’t move it off-chain, back it up separately, or store it anywhere. What you’re actually protecting is the private key for the wallet address listed as owner.

This matters because securing an NFT is functionally the same as securing a wallet. The blockchain enforces ownership; your operational security determines whether that ownership stays intact.

The Part People Underestimate: Where the Media Lives

The token record is just a pointer. When your wallet holds an NFT, it holds a token ID. That token has metadata — usually a JSON file — and the metadata contains a link to the actual image, video, or file. Where that link points determines how durable the media actually is.

On-chain storage means the media is embedded directly in the contract or encoded in the metadata. It’s expensive, so most projects don’t do it — but when they do, the image exists as long as the chain does. Some generative art projects, Loot, and Bitcoin Ordinals work this way.

IPFS is more common. Content on IPFS is addressed by a hash of the content itself, not a server location — so ipfs://QmXyz... always points to exactly that file, and the link can’t be hijacked. The catch: the file still needs to be “pinned” by at least one node to remain accessible. If nobody’s actively pinning it, the file disappears even though the link is technically valid and the token still exists.

Arweave is designed for permanent storage. You pay once, the file is stored indefinitely by the network’s built-in economic incentives. More durable than unpinned IPFS in practice.

Centralized servers are the riskiest. If the metadata URL points to https://api.someproject.com/token/1 and that server goes offline, the image returns nothing. The NFT still exists on-chain — you still own the token — but there’s no image attached to it. This has happened to real collections.

For most established collections, metadata is on IPFS pinned by the project or a service like Pinata or NFT.Storage. But pinning isn’t guaranteed forever, and you generally can’t verify it without checking the actual metadata.

Protecting the Token: Hot Wallet vs Cold Wallet

The practical choices for custody come down to where the signing key lives.

A software wallet like MetaMask or Phantom is always connected to the internet. It’s convenient for active trading. It’s also the attack surface — any wallet with a compromised seed phrase or a bad approval sitting on it is a liability.

A hardware wallet like a Ledger or Trezor keeps the private key offline. When you sign a transaction, it happens on the device, and the key never touches your computer or network. For NFTs worth protecting, this is the standard recommendation — not because software wallets are inherently broken, but because offline signing removes a whole category of attack.

Moving NFTs to cold storage is a standard on-chain transfer: you send the token from your active wallet to the address controlled by the hardware wallet. After that, the NFT can’t move without a physical signature from the device.

The Approval Problem

This one gets overlooked more than it should.

When you list an NFT on OpenSea, Blur, or another marketplace, you’re granting that marketplace contract an approval to transfer tokens from your wallet on your behalf. That approval persists indefinitely — including after your listing expires. If that marketplace contract is exploited, or if you accidentally sign an approval for a contract pretending to be a legitimate marketplace, that approval can be used to drain your wallet.

Tools like Revoke.cash let you audit all active approvals for any EVM address and revoke the ones you don’t need. If you’ve used multiple marketplaces or have approvals sitting around from months ago, this is a straightforward risk reduction step.

Wallet Separation as a Security Practice

The cleanest security posture for serious NFT holders uses two distinct wallets.

One wallet is for active use — interacting with marketplaces, minting, participating in allowlists. It has limited NFTs, limited approvals, and gets regularly audited.

The other is a vault — cold storage, no marketplace interactions, no approvals granted. Assets that live here can’t be drained through a compromised marketplace approval because that wallet has never touched a marketplace.

The separation is simple and doesn’t require any specialized setup. You just keep them separate and don’t mix the workflows.

What’s Changing

Account abstraction (ERC-4337) and EIP-7702, which passed in Q2 2026, are beginning to change what “wallet security” means. Smart accounts can have programmable rules — transfer rate limits, multi-signature requirements, recovery mechanisms — built directly into the wallet. This makes the hot/cold binary less absolute over time. But as of mid-2026, most NFT holders are still using traditional externally owned accounts (EOAs), and the advice above remains directly applicable.

On the media side, on-chain storage is becoming marginally more practical as Layer 2 costs fall. If a collection stores everything on-chain, the media durability question goes away. This isn’t the norm yet.

Confirmation Signals

  • NFT appears in the expected wallet address on the relevant block explorer (Etherscan for EVM, Solscan for Solana)
  • Active approvals for that address show only intentional permissions — verify via Revoke.cash or the token approvals tab on Etherscan
  • The NFT’s metadata resolves correctly — the image loads from its IPFS or Arweave link, not a 404

Invalidation Signals

  • NFT no longer appears in the expected wallet (transferred without your knowledge)
  • A marketplace approval remains active on a wallet you haven’t used in months, meaning that attack surface is still open
  • Metadata URL returns nothing — the image is gone even though the token still exists on-chain

Timing

Now: Audit approvals on any wallet that’s interacted with NFT marketplaces. If you haven’t done this recently, it takes about five minutes via Revoke.cash. Move high-value NFTs to a hardware wallet address if they aren’t already.

Next: Watch how EIP-7702 smart account adoption changes wallet security patterns — the tooling is moving.

Later: On-chain media storage may become cost-effective enough to be standard on L2s, which would eliminate the metadata vulnerability layer entirely.

Boundary

This covers the two-layer security question: token custody (wallet) and media durability (where the file lives). It doesn’t address how to verify NFT authenticity, how to read NFT metadata, how to list an NFT for sale, or how to transfer one. It’s not a recommendation of any specific hardware device or storage service, and it doesn’t constitute financial or legal advice.

The NFT system works as described. Whether a specific piece is worth the custody effort is outside this scope.

Related Posts

See All
Crypto Research
New XRP-Focused Research Defining the “Velocity Threshold” for Global Settlement and Liquidity
A lot of people looking at my recent research have asked the same question: “Surely Ripple already understands all of this. So what does that mean for XRP?” That question is completely valid — and it turns out it’s the right question to ask. This research breaks down why XRP is unlikely to be the internal settlement asset of CBDC shared ledgers or unified bank platforms, and why that doesn’t mean XRP is irrelevant. Instead, it explains where XRP realistically fits in the system banks are actually building: at the seams, where different rulebooks, platforms, and networks still need to connect. Using liquidity math, system design, and real-world settlement mechanics, this piece explains: why most value settles inside venues, not through bridges why XRP’s role is narrower but more precise than most narratives suggest how velocity (refresh interval) determines whether XRP creates scarcity or just throughput and why Ripple’s strategy makes more sense once you stop assuming XRP must be “the core of everything” This isn’t a bullish or bearish take — it’s a structural one. If you want to understand XRP beyond hype and price targets, this is the question you need to grapple with.
Read Now
Crypto Research
The Jackson Liquidity Framework - Announcement
Lewis Jackson Ventures announces the release of the Jackson Liquidity Framework — the first quantitative, regulator-aligned model for liquidity sizing in AMM-based settlement systems, CBDC corridors, and tokenised financial infrastructures. Developed using advanced stochastic simulations and grounded in Basel III and PFMI principles, the framework provides a missing methodology for determining how much liquidity prefunded AMM pools actually require under real-world flow conditions.
Read Now
Crypto Research
Banks, Stablecoins, and Tokenized Assets
In Episode 011 of The Macro, crypto analyst Lewis Jackson unpacks a pivotal week in global finance — one marked by record growth in tokenized assets, expanding stablecoin adoption across emerging markets, and major institutions deepening their blockchain commitments. This research brief summarises Jackson’s key findings, from tokenized deposits to institutional RWA chains and AI-driven compliance, and explains how these developments signal a maturing, multi-rail settlement architecture spanning Ethereum, XRPL, stablecoin networks, and new interoperability layers.Taken together, this episode marks a structural shift toward programmable finance, instant settlement, and tokenized real-world assets at global scale.
Read Now

Related Posts

See All
No items found.
Lewsletter

Weekly notes on what I’m seeing

A personal letter I send straight to your inbox —reflections on crypto, wealth, time and life.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.