What TON balance justifies buying a Ledger?

Rule of thumb — the hardware wallet should cost less than 1–2% of the value it protects. A Ledger Nano S Plus ($79) makes sense from roughly $5,000–8,000 in TON. Below that, two non-custodial wallets on separate devices with a clean setup are enough.

Can I use the same seed phrase for hot and cold wallets?

Technically yes — the same seed opens the same address in both wallets. But it defeats the purpose of cold storage: compromising the hot device compromises the cold one. A cold wallet must have its own seed.

Ledger or paper wallet?

Ledger. Paper wallets are barely used in TON — there are no audited open tools to generate one, and a seed on paper is no better than a seed in a Ledger. The hardware device adds a physical confirmation step; paper does not.

How do I protect a seed phrase against fire or flood?

Stamp the seed onto a steel plate. Off-the-shelf options — Cryptosteel, Billfodl, Steelwallet. They cost $50–150 and survive fire, water, and impact. Paper survives decades in ideal conditions and only a few years in a real apartment before it's lost, damaged, or forgotten.

Does it make sense to split a seed across multiple locations?

Yes — Shamir Secret Sharing splits a seed into shares such that recovery requires k of n. Ledger Nano X / Stax support it natively. For an individual user, 2-of-3 is enough — three shares in three different physical locations, any two are sufficient.

How often should I check a cold wallet?

Every 3–6 months. The goal is to confirm that the device works, the seed is current, and that you remember the procedure. A test transfer is not mandatory — unlocking and reading the balance through Tonkeeper or MyTonWallet in watch-only mode is enough.

TON cold storage: strategies and tools for 2026

Cold storage is a strategy in which private keys are never connected to the internet at the moment of signing. For TON it becomes critical once the balance crosses the “I wouldn’t mind losing it” threshold. This guide is practical setups for different amounts and threat models — no theory and no marketing.

What cold storage means in TON

Basic definition: the key is generated and held on a device that is physically not connected to the internet. The transaction is signed on the device; an online wallet (Tonkeeper, MyTonWallet) only receives the already-signed transaction and broadcasts it.

In TON, cold storage is implemented through:

Hardware wallets (Ledger Nano S Plus, Nano X, Stax) — the mainstream option.
Air-gapped phone — an old smartphone with no SIM and no Wi-Fi, running Tonkeeper or MyTonWallet, brought online only when needed.
Multi-sig contracts — protection through distributed authority, see Multi-sig in TON.
Paper / steel seed backups — not a wallet on its own, but a way to back up any of the three options above.

Protection levels by amount

Amount in TON-equivalent	Minimum setup	Target setup
< $500	In-Telegram Wallet	Tonkeeper with biometrics
$500–5,000	Tonkeeper / MyTonWallet	Same + paper seed backup
$5,000–50,000	Tonkeeper + Ledger	Ledger + steel seed backup
$50,000–500,000	Ledger + steel backup in two locations	Multi-sig 2-of-3 on Ledgers
> $500,000	Multi-sig 2-of-3 minimum	Multi-sig 3-of-5 distributed geographically

This is a guideline, not dogma. If you’re paranoid, tighten it at any level.

Strategy 1: Ledger + steel backup (the mainstream standard)

This is the gold standard for individual storage in the $5k–500k range. The logic:

Ledger Nano S Plus or X — generates and stores keys in a secure chip.
Tonkeeper / MyTonWallet — interface for viewing balance and initiating transactions.
Steel plate (Cryptosteel Capsule, Billfodl) — the only physical backup of the device’s seed phrase.

The procedure:

Buy the Ledger directly from ledger.com.
Unbox, inspect the packaging (in 2026 the seals are sticker-style — check the photos on the Ledger site before buying).
Power on, choose “Set up new device” (never restore from someone else’s phrase).
Stamp the 24 words onto the steel plate immediately, not paper.
Install the TON app via Ledger Live.
Connect to Tonkeeper or MyTonWallet.
Send a $10 test transfer in both directions.
Only then move the main funds.

Strategy 2: air-gapped phone

The alternative to a Ledger is an old smartphone that is physically disconnected from the internet and only used for signing. The advantage — no extra device to buy. The downside — more failure modes and less “protection from yourself”.

Setup:

Old smartphone (Android or iOS, not used for daily life).
Do a factory reset, do not log into any accounts.
Enable airplane mode, turn off Wi-Fi and Bluetooth.
Install Tonkeeper or MyTonWallet via APK or App Store, on a separate Apple ID without iCloud.
Create the wallet, stamp the seed onto steel.
Turn on Wi-Fi only when you need to sign a transaction or check the balance.

Less robust than a Ledger because the phone has the OS attack surface. Cheaper, and works if you don’t trust shipping or sourcing of a Ledger.

Strategy 3: multi-sig

Distributes risk by requiring k of n signatures. In TON, multi-sig is implemented through the smart contract multisig-contract-v2 by the TON Core team, audited by Zellic and Trail of Bits in 2024.

Typical configurations for an individual user:

2-of-3 — three keys, two needed to sign. Lose one — funds stay accessible. One compromised — funds stay safe.
3-of-5 — for larger balances or teams. More fault tolerance and finer-grained access.

Each key can be a separate Ledger. Ideally — geographically distributed: one at home, one in a bank deposit box, one with a trusted lawyer.

Details — Multi-sig in TON: team security.

Seed phrase backup: how to do it right

What NOT to do

Don’t photograph the seed with your phone. The cloud syncs the photo within seconds.
Don’t save it to a password manager. A password manager is an online service with the same risk profile as an exchange.
Don’t send it to your Telegram Saved Messages. Worst option — Telegram is cloud-based, the account can be hijacked.
Don’t print it on a printer at the office. Networked printers cache print history.
Don’t write it in the same notebook as your card PINs. Find the notebook — find everything.

What to do

Steel plate — Cryptosteel Capsule, Billfodl, Hodlr Disk. Costs $50–150, survives fire, water, impact.
Two or three copies in different locations — home + bank deposit box + relative or lawyer.
Test recovery once a year — take one of the copies, restore on a new device, confirm it works, then wipe. Critical step — far too often people discover an error in their seed only when they actually need to recover.

Ledger Nano X and Stax support Shamir backup — the seed is split into 5 shares, recovery needs any 3. Advantages:

no single share reveals the seed on its own;
losing one or two shares is not critical;
shares can be distributed to different people without disclosure.

Downside — higher complexity, higher chance of error during recovery. Makes sense from $50k or for teams.

Operational security: what not to miss

Receiving on the public address

A cold wallet should only receive — incoming transfers don’t need a signature. The address can be shared freely; a public address is public by design.

Verification: every time you copy the address from the Ledger via Tonkeeper, compare the last 4 characters on the device itself. Clipboard substitution attacks are known.

Sending from a cold wallet

Every outgoing transfer requires physical confirmation on the device. Visually check:

recipient address (last 4 characters);
amount;
fee.

If the Ledger screen shows something different from the wallet — don’t sign.

Periodic device check

Every 3–6 months:

Power on the Ledger, unlock with the PIN (which you must not have forgotten).
Open Tonkeeper or MyTonWallet, connect the Ledger, see the current balance.
Confirm the firmware doesn’t need an urgent update.

No test transfer needed each time. Just confirm device and setup work.

Seed-based recovery

Once a year — a full restore drill. Take one copy of the seed, restore on a clean Ledger or a clean MyTonWallet (on a separate device), and verify the address matches. This is the only way to confirm the seed phrase is recorded correctly.

Details — How to recover a TON wallet from a seed phrase.

Real-world setups by tier

Tier 1: $1,000 in TON

Tonkeeper on the main phone.
Seed on paper, kept with personal effects.
Biometrics + PIN to unlock.
Enough. A Ledger is overkill.

Tier 2: $20,000 in TON

Tonkeeper for DeFi and small transfers on the main phone (hot, $500–1,000).
Ledger Nano S Plus for the main balance, connected to MyTonWallet on a laptop.
Ledger seed on a steel plate, two copies in different locations.

Tier 3: $200,000 in TON

Multi-sig 2-of-3 across Ledgers.
One Ledger at home, one in a bank deposit box, one with a trusted partner.
Each seed on a steel plate.
Balance check via any Tonkeeper watch-only mode.

Tier 4: team / DAO

Multi-sig 3-of-5.
Each team member — a Ledger.
Signing through a dedicated multi-sig interface.
All operations logged in an internal system.

What not to do

Don’t trust “secure” services that promise Ledger-level storage without a device. Either custody in disguise or fraud.
Don’t photograph the seed “just in case”. “Temporary” doesn’t apply to crypto.
Don’t use a generated seed from a sketchy source. Only the device or an official wallet.
Don’t store the seed in the same place as the Ledger. A thief finds both at once.
Don’t run “cold storage” on a phone with a saved cloud password. That’s a hot wallet in disguise.

The bottom line

Cold storage is not about complexity — it’s about separating roles. A hot wallet for daily ops (small money, convenient), a cold wallet for savings (large money, inconvenient by design). Ledger remains the standard for individuals in 2026; multi-sig — for teams and large balances.

The main rule: test setup first, transfer second. Most losses happen exactly at the migration moment from hot to cold, when the seed hasn’t been validated yet but the amount is already large.

Sources

docs.ton.org — wallet versions and multisig spec.
ledger.com — Ledger Live and original devices.
github.com/ton-blockchain/multisig-contract-v2 — TON Core multisig with Zellic and Trail of Bits audits.