Author: Gareth Jenkinson, CoinTelegraph; Translated by: Deng Tong, Jinse Finance
It sounds far-fetched, but it’s true. A vault in a secret nuclear bunker in the Swiss Alps is protecting a massive amount of Bitcoin.
Cointelegraph toured the facility to learn how multi-party computation (MPC) shards stored in a bunker are used to provide cutting-edge security for one of the world’s first Bitcoin banks.
Every Bitcoin user knows the phrase “not your keys, not your coins”, but you can’t hide your hardware wallet or seed phrase under your mattress forever. With an estimated 2 million Bitcoins irretrievably lost, how and where to store Bitcoin remains one of the most challenging aspects of owning digital assets.
For some, storing Bitcoin on an exchange is a risk they are willing to take. Others move their Bitcoin to cold storage.
Those willing to entrust their bitcoin to a third party can opt for the services of industry pioneers such as Xapo Bank, which uses a series of underground bunkers to protect its customers’ bitcoin.
Bitcoin’s Fort Knox
“You have five minutes, and then I need you to hand over your phone,” said Albert Rocca, Xapo’s senior headquarters account manager.
As our helicopter flew into the Swiss mountains, the former professional detective stuffed our smartphones into a discreet backpack. The inner compartment of the backpack was a Faraday cage that cut off our devices from any connection, making our location untraceable.
The helicopter landed on a small runway in the shadow of a steeply rising vista. At the bottom was a smooth granite surface with a military-style bunker door above it. It was the first of many sealed vault doors guarding the secrets within.
Entry to this bunker requires a full security check. After an identity check and pat-down, visitors are given a magnetic card that they must use to gain access to various points within the facility.
The first major obstacle to entering the vault is the six-ton vault door, which is designed to withstand a nuclear blast. The guard scans his retina and enters a code that is updated every minute, and the huge vault door slowly opens.
The most important vault door leading to the facility weighs 6 tons. Source: Xapo Bank
We then entered a smaller space with another barrier, this time a booby-trapped fence with bulletproof glass on either side that measures visitors’ weight and height. These biometric data are linked to the magnetic card that identifies you as you move through the facility.
Finally, we entered the bunker and saw a tunnel of exposed rock that snaked into the mountain for about 30 meters and led to the next set of security doors. Passing through them required performing a specific action, another deterrent meant to confuse uninvited visitors.
The bunker is one of the few dry bunkers in Switzerland, meaning parts of its corridors are painted over bare rock. Credit: Xapo Bank
Behind this door was a hallway with vault doors on either side. Our entourage arrived at the door leading to the Xapo Bank vault.
Andrew Mannoukas, Xapo’s chief information security officer, is one of the few people who can access the innermost rooms of the vault. For this visit, his credentials were revoked so that he could not be hijacked and forced to let us in.
A small area in the bunker houses some infrastructure services protected by biometric scanners. Source: Xapo Bank
Behind the last door is the MPC shard, one of many shards stored in vaults around the world. It is required to sign transactions to manage Xapo Bank’s BTC assets.
According to Mannoukas, the sheer number of redundancies protecting the infrastructure makes it nearly impossible for an attacker to gain control of the bank’s BTC.
"Why a vault? It's all about defense in depth. Physical security — those military-grade bunkers — adds another critical layer of protection. It protects against insider threats, natural disasters, and physical theft attempts," Mannoukas explained.
Xapo’s shards are distributed in undisclosed locations around the world and are held by different entities whose exact locations are unknown to each other.
This geographic decentralization is designed to ensure that no single individual, organization, or entity can access all shards, as doing so would effectively grant them control of the complete private keys.
A bunker ready for anything
The Xapo Bank vault is one of many services offered at this secret bunker. The identity of the owner, who acquired the facility in a joint venture with the Swiss Air Force in the 1980s, is kept secret to maintain the security of the site.
Today, the labyrinthine bunker is independently owned and houses a variety of infrastructure, cargo and assets.
The facility retains all of its nuclear-resistant features. It is equipped with two 1-megawatt diesel generators and a sophisticated HEPA air filtration system that removes contaminants including toxins and radioactive particles.
Two 1 MW diesel generators automatically start up in the event of a power outage, providing a powerful backup energy source for the facility. Source: Xapo Bank
It also uses an underground lake to cool server rooms and other facilities within the bunker, eliminating the need for power-hungry air cooling systems.
Some parts of the bunker require higher security clearances. Access to hidden emergency exits requires permission from remote security services. The tunnels are equipped with timers, and ambient green light illuminates the passage during the specified passage time.
The bunker has multiple sealed doors that separate the entrances and exits to various parts of the facility. Source: Xapo Bank
Another door weighing six tons guards this entrance. The entrance still features a military-era deterrent device: a small chute that allows guards to throw grenades into the corridor outside. This bunker is truly a surreal experience, blending decades-old Swiss bunker architecture with cutting-edge technology and infrastructure.
Replace multi-signature with MPC
In 2023, Xapo Bank stopped using multi-signature to protect its Bitcoin assets.
The company has used these bunkers since its founding in 2013. Under the multi-signature process, guards had to manually complete the movement of BTC between hot and cold wallets every day.
MPC technology makes all of this unnecessary. Homomorphic encryption completely eliminates the risk of exposing private keys, adding an extra level of security.
Mannoukas explained that the MPC signature process is like a group of chefs working together to cook a dish, with each chef having a secret ingredient.
The chefs add their ingredients to the pot, but do not show them to each other. They stir the pot together, mixing everything perfectly according to a special recipe. At the end, everyone tastes the final dish, enjoying the mixed taste, but no one knows exactly what ingredient the others added:
“This is similar to how MPC works: each participating chef (MPC shard) contributes their signature without revealing it, and when the shards are combined together, a valid signature is created that is able to sign the transaction.”
This allows the group to securely authorize transactions without any one individual or entity holding the full private key or having it assembled.
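The property described above, where partial signatures combine into one valid signature while the full private key is never assembled, can be shown with a simplified additive Schnorr scheme. This is an added example, not Xapo's protocol or code from the article; the toy group parameters, the `Shard` class and the sample message are constructed for illustration, and production MPC signing includes further rounds and protections that are omitted here.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    """Hash the joint nonce, joint public key and message into a scalar."""
    digest = hashlib.sha256(f"{R}|{X}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

class Shard:
    """One key shard (hypothetical class); its secret x_i never leaves it."""
    def __init__(self):
        self._x = 1 + secrets.randbelow(Q - 1)
        self.pub = pow(G, self._x, P)            # public share g^x_i

    def nonce_commit(self):
        self._k = 1 + secrets.randbelow(Q - 1)   # fresh nonce per signature
        return pow(G, self._k, P)

    def partial_sign(self, e):
        s_i = (self._k + e * self._x) % Q
        self._k = None                           # a nonce must never be reused
        return s_i

def product(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def sign(shards, msg):
    """Only public values and partial signatures cross between shards."""
    X = product(s.pub for s in shards)           # joint public key
    R = product(s.nonce_commit() for s in shards)
    e = challenge(R, X, msg)
    return X, R, [s.partial_sign(e) for s in shards]

def verify(X, R, s, msg):
    """Ordinary Schnorr check: g^s == R * X^e (mod P)."""
    return pow(G, s % Q, P) == R * pow(X, challenge(R, X, msg), P) % P

if __name__ == "__main__":
    msg = b"constructed sample transaction"
    X, R, partials = sign([Shard() for _ in range(3)], msg)
    print("all shards:", verify(X, R, sum(partials), msg))
    print("one shard missing:", verify(X, R, sum(partials[:-1]), msg))
```

A verifier sees only the joint public key and an ordinary-looking signature; nothing in the check reveals how many shards took part or where they are held.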
No expense was spared to provide this level of security. The bunkers alone cost millions of dollars per year to operate.
Comprehensive security measures remain one of Xapo’s main attractions. Its customers give up the responsibility of self-custody in exchange for technology and infrastructure that most modern banks don’t employ.