The Celsius collapse is the clearest real-world warning about what happens when a platform holds your assets for you: customer deposits were commingled, withdrawals froze in June 2022, and most users recovered only a fraction of what they deposited, years later. For tokenized real-world assets, the failure mode is similar, except the legal claim behind the token is often murkier than a crypto deposit. Custody choices made today decide who gets paid first when something breaks tomorrow.
Key takeaways
- Celsius commingled customer funds with its own treasury and with risky bets, so when it filed for bankruptcy, individual users became unsecured creditors behind lawyers, lenders, and employees.
- Most Celsius users recovered somewhere between roughly 40% and 80% of their crypto claim value, after waiting about two years, while some asset classes did much worse.
- The lesson does not stop with crypto: tokenized treasuries, money market funds, and private credit on-chain use the same custodian pattern, with extra legal layers that can fail in new ways.
- Verifying segregation, reading Proof of Reserves, and knowing when self-custody actually helps are the practical tools that turn this cautionary tale into a checklist.
What actually happened at Celsius
Celsius was a crypto lending platform that ran from 2018 until July 2022. It promised users high, almost savings-account-style yield, paid weekly, on deposits of Bitcoin, Ethereum, and a long list of smaller tokens. Behind the promise sat a familiar financial shape: take deposits from retail customers, lend or deploy those deposits into higher-return strategies, and pocket the spread. The pitch was "earn while you HODL," and at its peak Celsius reportedly held billions in user assets and signed up roughly 1.7 million users.
On June 12, 2022, Celsius froze all withdrawals, swaps, and transfers, citing "extreme market conditions." A month later it filed for Chapter 11 bankruptcy in the U.S. The court filings revealed what users had deposited. The collapse exposed a harder truth behind the friendly marketing: customer funds were not held in separate, labeled vaults the way a brokerage would ringfence client accounts. They were pooled with Celsius's own balance sheet and redeployed through loans, proprietary trading, and strategies like stETH depegging trades.
Deposits had also been tokenized in a narrow sense. Celsius issued its own internal accounting entries rather than an on-chain token tied 1:1 to the asset. So when the company paused withdrawals, users could not withdraw their crypto by presenting a token; they had to wait on the bankruptcy process and file claims with the court. That distinction between "an account balance on a platform" and "an asset you can move yourself" is the thread that runs through this entire article.
How Celsius commingled customer funds
"Commingling" is the unglamorous word at the center of this story. It means putting customer money into the same account, wallet, or strategy as the company's own money, or as other customers' money, without keeping clean records of who owns what. Banks, brokerages, and most regulated intermediaries are forbidden from doing this by default: customer cash must sit in segregated accounts, securities must sit in a custodian's nominee name, and the intermediary's creditors cannot reach those assets.
Celsius operated under different rules. It was not a bank, and its core lending product was not registered as a securities offering in the U.S., even though state regulators later alleged unregistered securities activity. The platform pooled user deposits into its own master wallets, then rehypothecated them, which is finance jargon for "used them as collateral or lent them out to other borrowers." Some of those loans went to other crypto companies that themselves later failed. Some went into proprietary trading strategies managed by Celsius itself, including large short and long positions on stETH, the staked-Ethereum derivative.
Because the funds were pooled, there was no clean allocation back to each depositor when withdrawals froze. Imagine a savings account where the bank took everyone's deposits and used them to fund a private equity fund, then the fund lost money. The depositors would not be able to point at their original deposit and say "this dollar is mine." They would be standing in a long queue with a general claim against whatever was left. That is the position Celsius depositors found themselves in. Pooled assets, missing segregation, and at the bottom of the capital stack.
The role of "not your keys, not your coins" in this story
The phrase "not your keys, not your coins" is a shorthand for a precise technical fact. A self-custody wallet stores the private key, the secret string of letters and numbers that authorizes a blockchain transaction, on a device you control. Anyone with the key can move the funds. Lose the key and the funds are unrecoverable, regardless of how much money is involved. Anyone without the key cannot move the funds, no matter how much they threaten you.
When you deposit crypto to Celsius, you sent your coins to a Celsius-controlled address. You no longer held the key. What you held instead was a promise: a balance in Celsius's internal ledger, a legal contract governed by the platform's terms of service, and a claim against the company. That promise is less powerful than a key. A key is enforced by mathematics and the global network. A promise is enforced by courts, lawyers, and the company's willingness and ability to pay.
Celsius taught a generation of crypto users the difference. Holders of self-custodied Bitcoin watched Celsius users get locked out, then watched as the bankruptcy process crawled through two years of disputes. Holders who deposited into Celsius waited, filed proof-of-claim forms, and watched the recovery percentage drift lower and lower as more surprises surfaced in the filings. The lesson is not that Celsius was uniquely evil. It is that the gap between holding a key and holding a claim is the gap between owning an asset and hoping a firm honors an IOU.
What users actually got back
Recovers from a large bankruptcy are rarely all-or-nothing, and Celsius was no exception. The bankruptcy estate negotiated sales, returned some assets held by third parties, and engaged in extended litigation. Public reporting on the Celsius estate recovery points to roughly two figures users should remember.
\p>First, on a percentage basis, many general unsecured creditors were projected to recover something on the order of 40% to 80% of their crypto claim values, depending on the type of claim, the asset mix, and how recovery calculations are measured. Different reporting frames produced different headlines, which is itself a clue: "recovery" in bankruptcy is a contested number shaped by legal rulings.
Second, on a time basis, the process took years. Deposits frozen in June 2022 were not fully resolved for most users until 2024, and some disputes, including clawback claims against users who had been paid out before the freeze, dragged on further. Holding an IOU through a bankruptcy is a multi-year project that requires paperwork, patience, and a tolerance for legal concepts most users never signed up to learn.
\p>A separate, harsher lesson hides in the word "clawback." Celsius sued some users who had managed to withdraw funds in the months before the freeze, arguing those withdrawals should be returned to the bankruptcy estate so they could be shared among all creditors. Even users who acted early and prudently sometimes ended up as defendants. The clearest protection against this scenario is the simplest one: do not leave more on a custodial platform than you can afford to lose, or than you can defend in a legal filing.
Why this matters differently for tokenized real-world assets
RWA stands for "real-world assets." In crypto it refers to tokens that represent a stake in an off-chain asset, such as a U.S. Treasury bill, a money market fund share, a private credit loan, or a piece of real estate. The wrapper is on-chain and looks like any other ERC-20 token (a technical standard for fungible tokens on Ethereum). The substance sits somewhere between a bank, a fund, and a securities custodian, and that is where the Celsius story gets a sequel.
Tokenized treasuries are the clearest example. A protocol issues a token like USDM or a wrapped share of a BlackRock Treasury fund. Behind that token sits a partnership with a regulated custodian, a bank account at that custodian, and a legal structure that is supposed to make each token represent a real dollar in that account. In principle this is more transparent than Celsius: balances are public on-chain, the issuer can publish Proof of Reserves, and a regulator oversees the underlying fund.
In practice the legal claim matters at least as much as the chain. If a tokenized Treasury fund's underlying bank account freezes, your token does not unlock the funds. The token is governed by the issuer's terms of service, and the underlying fund is governed by fund documents. Your recoverability depends on what those documents say and where the funds legally sit. This is the part new users often miss: a token on a chain does not automatically inherit the legal status of the underlying asset. The token is a digital receipt; the receipt's enforceability runs through paperwork.
Celsius failed because of poor risk management, alleged fraud, and an unregulated business model. RWA issuers are typically regulated and audited. But the structural risk that concerns a careful user is the same: pooled funds, custody concentration, and a legal claim rather than a key. A separate failure mode specific to tokenized assets is operational: the on-chain peg breaks because of a smart-contract bug, the off-chain custodian becomes insolvent, or a regulator pauses redemptions. The token in your wallet will not protect you from any of these.
What segregation does and does not guarantee
"Segregation" is the word you want to see in a custodian's documentation. Segregated assets sit in accounts that are legally separate from the custodian's own balance sheet, so if the custodian becomes insolvent, those assets are meant to pass to customers, not to the custodian's creditors.
Segregation is necessary but not sufficient. It tells you whether the assets are pooled with the custodian's house funds; it does not tell you whether they are pooled with the assets of other customers of that custodian, whether the underlying bank is healthy, whether the fund's documentation actually grants you a property claim, or whether the redemption queue will move at all in a stress scenario. Treat segregation as the floor, not the ceiling, of due diligence.
How to verify a custodian's segregation, in plain steps
Anyone holding tokenized assets on a third-party platform should be able to run this list. None of the steps require a law degree; they require a careful read of documents and a tolerance for asking annoying questions.
Step 1. Find the legal entity behind the token. The token in your wallet points to a smart contract. The smart contract was deployed by a company. Find that company's name, where it is incorporated, and what regulator oversees it. If you cannot find any of this in minutes, that is already an answer.
Step 2. Find the custodian relationship. Look for a named custodian: a bank, a qualified custodian, or a fund administrator. The team behind the token should publish this in their documentation. "Decentralized" or "DAO-managed" is not a custodian; it is a euphemism for "no one in particular."
Step 3. Read for the word "segregated" or "trust" or "client account." Customer assets should be held in segregated client accounts or trust accounts, distinct from the firm's own assets. If the documentation says assets may be commingled or rehypothecated, take that at face value.
Step 4. Check Proof of Reserves, but skeptically. Proof of Reserves is a cryptographic or accountant-signed attestation that on-chain balances match off-chain holdings. Useful, but limited. It can confirm assets are held; it cannot confirm those assets are legally yours, that liabilities match, or that the auditor is independent. Read it as one input, not a verdict.
Step 5. Read the risk disclosures. Every well-run product has a "risks" section that names the scenarios in which you might not get your money back. The presence of that section is a positive signal. The absence of one is a negative signal.
Step 6. Look up the custodian's regulator. A qualified custodian in the U.S. will be regulated by the SEC or by banking regulators. In Europe, look for MiCA-licensed custodians or equivalents. A regulated entity is not a guarantee, but it is a venue where complaints can be filed and audited.
Practical implications: when self-custody is overkill, and when it is essential
Self-custody is not free. It costs time, attention, and the risk of mistakes. The right answer for any individual depends on what they hold, how much of it, and for how long.
For small balances and short holding periods, paying a custodian 0.1% to 0.5% a year is usually worth it. The risk of a custodian failure on a small balance is low enough that insurance, redundancy, and the convenience of not running your own hardware make economic sense. This is true whether the asset is a tokenized Treasury fund or a Bitcoin ETF share at a brokerage.
For large balances and long holding periods, the calculus flips. A qualified custodian, a hardware wallet with multisignature access, and your own bookkeeping become worth the effort. The reason is not paranoia. The reason is that the longer and larger your exposure, the more likely you are to encounter at least one stress event, and at least one is enough to turn an "IOU" into a permanent discount.
For tokenized assets specifically, a middle path often makes sense: hold the tokens in a self-custody wallet so that you, not the platform, control the keys, but expect to interact with the issuer's redemption process when you want to exit. The technical control is on you; the legal claim is set by the issuer's documents and the underlying custodian's structure. This is the realistic shape of tokenized-asset ownership in 2026.
One pattern to avoid in any case: relying on a single platform for custody, redemption, and trading. The same entity that holds your tokens, runs the redemption queue, and fronts the trading interface has all the leverage. Splitting these functions across at least two independent providers reduces the chance that one operational outage, one regulator's action, or one bankruptcy freezes the whole chain.
Read RWA custody news critically with Zippfeed
RWA custody moves fast, and so does the news around it. Tracking issuer announcements, custodian changes, regulator statements, and on-chain Proof of Reserves updates by hand is a losing game for anyone who is not paid to do it full-time. Zippfeed surfaces tokenized-asset headlines with sentiment scoring (bullish, neutral, or bearish) and an importance rating, so you can see whether a custody update is noise worth ignoring or a real signal worth acting on.
For more on RWA custody, see our explainer on tokenized treasuries and our list of common crypto custody scams.
For background on the legal side, start with our primer on qualified custodians and Proof of Reserves.