Why I Built ColdStack Instead of Using a Browser Extension for Crypto Key Management
The Problem
Browser extensions are convenient. They're also the single biggest attack vector in crypto. Every time you install a wallet extension, you're handing your private keys to a piece of JavaScript that runs inside the same browser you use for everything else: the one with 50+ extensions, 100+ tabs, and a decade of cached cookies.
The threat surface is staggering. Malicious updates can ship to a legitimate extension overnight. Supply chain attacks compromise the build pipeline before the code ever reaches your browser. Phishing extensions impersonate real wallets with near-identical branding. And browser zero-days? Those don't need an extension at all; they just need you to visit the wrong page.
Your keys live inside a browser that is actively under attack.
Between 2024 and 2026, hundreds of millions of dollars were drained through extension-based wallet compromises. Some were outright malicious extensions. Others were legitimate wallets that got compromised through their dependencies. A few were browser vulnerabilities that allowed attackers to read extension storage directly. The pattern is always the same: the keys were accessible from the browser, and the browser was accessible from the internet.
The Alternative
The answer isn't a better browser extension. The answer is no browser at all.
Offline key management has been the gold standard for institutional crypto custody for years. Hardware wallets, air-gapped signing machines, HSMs: these are the tools that custody billions of dollars professionally. The principle is simple: a key that never touches a network can't be stolen over a network.
I built ColdStack because I wanted that level of security without the $200 hardware wallet, without the proprietary firmware, and without the closed-source trust model. I wanted something I could run from a USB drive on any Windows machine, something I could audit myself, and something I could give away for free.
What ColdStack Does
ColdStack is a portable Windows application for offline crypto key management. It doesn't install. It doesn't phone home. It doesn't run in your browser. You drop it on a USB drive, plug it into any Windows machine, and double-click.
AES-256-GCM encryption protects your key vault at rest. The encryption key is derived with Argon2id, the memory-hard KDF recommended by the IETF, which makes brute-force attacks on the passphrase computationally infeasible even with modern GPUs.
Version 3.0 ships with a built-in BIP39 derivation engine. That means you can generate a 24-word mnemonic and derive addresses for seven blockchain ecosystems directly inside the app:
- EVM chains (Ethereum, Polygon, BSC, Arbitrum, Optimism, and others)
- Bitcoin, with support for Taproot, SegWit, and Legacy address formats
- Solana
- Dash
- Sui
No more jumping between five different tools to manage keys across chains. One mnemonic, one vault, seven ecosystems.
The app also includes auto-lock: if you step away from your computer, ColdStack locks itself after a configurable timeout. Zero telemetry means no analytics, no error reporting, no usage tracking. Nothing leaves your machine unless you explicitly send it.
Why Offline by Default Matters
"You can't hack what isn't connected" isn't a marketing tagline. It's the fundamental principle of air-gapped security.
ColdStack makes exactly zero network requests on startup. None. No update check, no license verification, no telemetry ping, no "phone home for feature flags." The app is completely silent until you do something that requires a network connection, and the only thing that does is the manual "Check for Updates" button.
Even then, ColdStack asks first. A dialog pops up: "ColdStack wants to check for updates. Allow this network request?" You click Yes or No. If you click No, no bytes leave your machine. If you click Yes, it hits one endpoint, the GitHub releases API, and shows you what's available. That's it.
This is what "offline by default" actually means. Not "offline most of the time." Not "offline unless we need to sync." Offline. Full stop.
Open Source Security
ColdStack is open source on GitHub. Every line of code is auditable. Every security claim is verifiable. You don't have to trust me; you can read the code yourself.
This matters because "trust us, it's secure" is exactly what the browser extension wallets said. Security through transparency beats security through assertion every time. The code is there. Fork it, audit it, build it yourself. If I've made a mistake, you'll find it. If I haven't, you'll know why.
Download
ColdStack v3.0 is available now:
- GitHub: https://github.com/Roughn3ck/key_manager/releases/tag/v3.0
- Product page: https://executivemind.io/key-manager
Free. No subscription, no premium tier, no upsell. Download it, put it on a USB drive, and take control of your keys.
Kris Racette, Founder of Executive Mind - Key Manager | krisracette.me | GitHub