I don't think you really understand how Bitcoin works or what hot/cold wallet means... the only thing that changes after the first transaction out of a cold wallet is that the public key of that address is now known. As long as you trust in ECDSA, this is not really an issue. Also it is easy to see (if you look at where the transactions to the hot wallet come from) whether they use a single address or several.
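
The point about the public key becoming known after the first spend can be seen in the script formats themselves. The following is an added example, not part of the original comment, and it assumes the cold wallet uses a legacy P2PKH address: the output script commits only to a 20-byte hash, while the spending input's scriptSig carries the public key in the clear. All sample bytes and function names are constructed for illustration.

```python
# Constructed sample data below; none of it comes from the blockchain.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC
OP_PUSHDATA1 = 0x4C

def read_pushes(script):
    """Split a push-only script (e.g. a P2PKH scriptSig) into its data items."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:            # direct push of `op` bytes
            n = op
        elif op == OP_PUSHDATA1:     # next byte holds the length
            if i >= len(script):
                raise ValueError("truncated PUSHDATA1")
            n = script[i]
            i += 1
        else:
            raise ValueError("unexpected opcode 0x%02x" % op)
        if i + n > len(script):
            raise ValueError("push runs past end of script")
        items.append(script[i:i + n])
        i += n
    return items

def locked_hash(script_pubkey):
    """What an unspent P2PKH output shows: only HASH160(pubkey), 20 bytes."""
    head, tail = bytes([OP_DUP, OP_HASH160, 20]), bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    if len(script_pubkey) != 25 or script_pubkey[:3] != head or script_pubkey[23:] != tail:
        raise ValueError("not a P2PKH output script")
    return script_pubkey[3:23]

def revealed_pubkey(script_sig):
    """What the first spend shows: <signature> <pubkey>, the key in the clear."""
    items = read_pushes(script_sig)
    if len(items) != 2:
        raise ValueError("expected <sig> <pubkey>")
    pub = items[1]
    compressed = len(pub) == 33 and pub[0] in (2, 3)
    uncompressed = len(pub) == 65 and pub[0] == 4
    if not (compressed or uncompressed):
        raise ValueError("second item is not an encoded public key")
    return pub

# Placeholders: KEY_HASH is not the real HASH160 of PUBKEY and SIG is not a valid
# signature; a node would also check HASH160(pubkey) == locked hash and the signature.
KEY_HASH = bytes(range(20))
PUBKEY = b"\x02" + bytes(range(32))
SIG = b"\x30" + bytes(70)
SCRIPT_PUBKEY = bytes([OP_DUP, OP_HASH160, 20]) + KEY_HASH + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SCRIPT_SIG = bytes([len(SIG)]) + SIG + bytes([len(PUBKEY)]) + PUBKEY
```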