Great losses and furious anger shall be rained down upon those who dare disagree with this immutable commandment:
Not your keys. Not your coins.
– The almighty crypto gods
This reads like a decree bestowed upon humanity by the almighty crypto gods.
It refers of course to self-custody. Specifically the importance of owning the private keys for your cryptocurrency. Without this private, cryptographic key—you don’t have the ultimate proof of ownership for your cryptocurrency. Because of this, many people move their crypto holdings off custodial exchanges and into private or self-custody crypto wallets. Doing this secures custody over their cryptocurrency.
But is this always necessary or are there exceptions to every rule?
The answer will depend on your risk tolerance and whether any of the benefits of leaving crypto on an exchange outweigh the potential risks.
Many illegitimate and unstable cryptocurrency exchanges have failed or fallen already. The worst case scenario here is that your exchange closes suddenly or locks you out of it unexpectedly. This could happen if the owners decide to skip town in the middle of the night, like QuadricaCX for example. Also consider what could happen if the rules and regulations were to change abruptly. Perhaps your entire country suddenly finds itself on the wrong side of global sanctions. There are a lot of Russians who are very much in opposition to what their president is doing. They would like to retain access to their crypto regardless of it.
Are there any scenarios in which it’s okay for an exchange to retain custody of your cryptocurrency?
Like a lot of security in crypto…. it really all depends on you
Different crypto exchanges practice different levels of security, meaning that in some cases, your private keys may indeed be safe with your exchange. We’ve reviewed the security and safety features offered by some of the largest fiat-to-crypto exchanges and we believe that for many of us, storing small amounts of crypto (as determined by you) on a central exchange, even if you don’t have the keys, is probably ok. It’s certainly a tolerable risk in most cases.
Security is so much better than it used to be
The largest centralized crypto exchanges today (Coinbase, Gemini, Crypto.com, Binance) are all much safer than man of the ones that existed a few years ago. That includes their former selves.
This doesn’t mean the largest and most reputable exchanges today are invincible, but they have earned the trust of many of their users.
Exchanges are getting better and better with their security practices. They are willingly audited and complaint with all government regulations. Many now store the majority, if not all their funds with third-party companies that specialize in securing digital assets. Usually offline in cold storage.
Some of the exchanges like Coinbase are publicly traded companies, so the odds of their CEO or a rogue financial officer disappearing along with access to all their customers’ cryptocurrency is non-existent. Safeguards exist to prevent this you can rest assured.
Since exchanges are more legitimate than ever, any security concerns will drive their customers to more secure exchanges.
Even if a hacker gains access to a custodial exchange, most of the crypto is now stored securely and disconnected from the internet where it can’t be reached without the highest levels of security clearance and physical access.
Also, just about every major exchange also offers a secure version of their app that acts as a private wallet and gives users the private keys to their own crypto. You can simply use Coinbase’s private (self-custody) wallet instead of leaving your Bitcoin on their exchange.
Did you know Binance once lost $40 million to hackers (back in 2019)!
But here’s the thing: this amount was only 2 percent of their overall Bitcoin holdings and they easily covered these losses out of their Secure Asset Fund for Users. So it’s not like hackers are taking crypto directly from users’ wallets, they’re targeting the larger holdings of the exchange itself. It’s more like robbing a bank vault where the customers are not directly exposed to the theft in nearly the same way.
Nevertheless, leaving your hard-earned crypto on an exchange is risking your money to some degree. It means trusting your exchange to keep and control your funds on your behalf.
Seems unnecessary – why do it?
Convenience and laziness are a big part of it. There’s some extra effort involved in moving your crypto to a new private wallet. It means finding another wallet (like Exodus), setting it up and managing that new wallet over time. It’s just one more thing to have to do and for a lot of busy people, it tends to get procrastinated.
Our verdict: Just do it. Being lazy or busy is not a good enough reason to keep your crypto on an exchange. A lot of them are trustworthy now but if you’re leaving lots of money on the exchange for this reason alone, it probably isn’t a great idea. Take responsibility and take ownership of your crypto. This is opinion and advice.
That being said, exchanges can let you earn rewards or interest by letting them use it. This is called staking and it does pay – usually anywhere from 2 to 14% APY depending on the coin or token. So it’s not completely dismissable on this basis.
The best advice here is that you can do this on a private wallet like Exodus, so why not keep control of your private keys and stake cryptos like SOL or ADA right in the wallet? It’s a better option.
Additionally, you can use your exchange as a “spot wallet” for making frequent trades, meaning you’ll pay fewer fees by keeping some money on the exchange. These are okay reasons for keeping some crypto up there.
But the bottom line is, if you’re storing a little bit on the exchange and it gives you utility for spot trading or staking, it’s a reasonable risk to take. Of course, the only way to absolve yourself of all these risks is to keep your crypto in a private wallet, with good security. The more security you want, the less convenient it is going to be. Using cold storage is very secure but you need to connect a physical device and enter a PIN every time you want to do anything with your assets.
Crypto Heists Have Given Cryptocurrency Exchanges a Bad Rap
Today cryptocurrency is often likened to the Wild West, cowboys and gunslingers running amok without any proper regulation. But years ago, at the start of crypto, the landscape was even more chaotic and less forgiving.
A Brief History of Exchanges and Hacks or Theft
While there aren’t nearly as many crypto heists today as there once were, history shows us that it remains a real possibility, and a genuine risk associated with storing your crypto in an exchange. Even on the largest exchanges like Binance and Coinbase, customers are vulnerable to certain types of attacks like SIM swaps. And don’t forget that if a hacker hacks your Gmail or cloud storage backup and finds a bunch of “secret” passwords then the exchange is not set up to prevent them from accessing your crypto. This should be kinda obvious.
February 2014: The Mt. Gox Heist
In February 2014, the exchange called Mt. Gox lost 850,000 Bitcoin. At the current price of around $40,000 this would equate to a staggering $34 billion dollars. This was the first large-scale hack of its kind, targeting an exchange responsible for seven out of every ten Bitcoin transactions at the time.
In the aftermath, the CEO of the exchange was arrested in Japan after finding 200,000 missing Bitcoin in his personal cold storage device. Later, some of the stolen Bitcoin were found laundered on an exchange in Greece.
This fiasco brought a lot more scrutiny and skepticism to cryptocurrency exchanges; a poll in 2018 conducted by Cointelegraph on Twitter found that almost 3 in 4 respondents believe that another Mt. Gox scale attack may happen in the future.
January 2018: The QuadrigaCX Scandal
In December of 2018, Gerald Cotten, the 30-year-old co-founder and CEO of the cryptocurrency exchange, QuadrigaCX died tragically on his honeymoon. Cotten was the only person with the keys to more than $190 million in cryptocurrency stored on that exchange.
Even before Cotten’s death, QuadrigaCX wasn’t doing very well financially, leading some to speculate that he faked his own death to avoid legal consequences. While the exchange was one of the most popular for Canadians since it emerged in 2013, it began experiencing difficulties starting in early 2018.
A Canadian bank froze more than $30 million of QuadrigaCX’s funds because the exchange could not identify who actually owned the money. People had trouble withdrawing their funds but were met with poor customer service, leading to a decline in trading on the QuadrigaCX platform. By October, the daily trading volume was a measly $600,000.
Due to poor security practices, more than $145 million from the exchange remains missing. Auditors recently determined that the amount of cryptocurrency stored in the cold wallets, which supposedly only Cotten had access to, only amounted to a few thousand dollars.
This is no doubt the worst-case scenario for anyone leaving cryptocurrency with an exchange. Rest assured, there is more stringent security on newer exchanges, especially those like Coinbase which are publicly-traded companies. Often, they have other companies look after cryptocurrency in cold storage, and distribute these funds so that they’re not all held within the same location.
As we discuss elsewhere in the article, however, even if you hold your cryptocurrency on your phone, forget your seed phrase, or fail to secure it properly with two-factor authentication, you are still vulnerable to losing your money.
May 2019: Binance Gets Hit
While people became more vigilant and concerned about the security of cryptocurrency exchanges, it didn’t prevent an enormous exchange from getting hit. In May of 2019, a sophisticated phishing attack stole 7,000 Bitcoin from the exchange’s own hot wallet.
Binance was able to use an emergency fund to restore user balances. It is unclear who conducted the hack but it is certainly troubling that they managed to compromise user profiles and two-factor authentication codes.
August 2021: Coinbase Accounts Taken Over
According to recent reporting by CNBC, Coinbase security and customer service have dropped the ball. Many people complained about their accounts being taken over and their crypto siphoned out of their wallet.
However, Coinbase claimed that the hack was not a breach of security, and instead of the result of a SIM swap attack, leaving many customers high and dry. Basically, a hacker gains your multifactor authentication codes by calling your phone provider and convincing them that they are you.
They have your phone number loaded onto their SIM card if they’re convincing enough, giving them access to your multifactor authentication codes that are sent through text. We have more detail on this later in the article.
Did You Know Custodial Exchanges Also Offer Customers Non-Custodial Private Wallets?
In many crypto heists, hackers tend to go for custodial exchanges — the ones that hold the private keys for large amounts of cryptocurrency across multiple accounts.
Many custodial exchanges including Coinbase offer their customers a safer option for storing crypto with them, while also allowing for easy trading and exchanges.
Coinbase now offers a separate hot wallet app, from which you retain custody of your private keys. This wallet still lets you use the Coinbase exchange directly; in many ways, it is similar to using another wallet for storage, be it MetaMask or Exodus. But if you are feeling like living life on the edge, you may still partake in using a custodial exchange.
Good Security Practices for a Custodial Exchange
If hackers break into an exchange through a network connection, they will instantly access anything within the exchange’s own custodial wallet. To evaluate risk, you can look for the security page on your favorite exchange’s website. Coinbase for example, stores 98% of funds offline, on cold storage devices that look like fancy USBs. These are also distributed across the world so that Coinbase doesn’t store all their (your) tokens in one basket.
Another important feature, which has become standard on many websites, is to use an encrypted secure sockets layer (SSL). You can quickly check for an SSL by making sure that the website’s URL starts with “https” rather than “http”. Or look for the lock icon to the left of the website address in your browser bar.
Let’s quickly compare the security features of a few top exchanges.
Many exchanges now allow you to whitelist specific addresses that you deem trustworthy. If someone enters your account and attempts to send a transaction to an address, not on this list, it will require multifactor authentication and even a 24-hour wait until the new address can be whitelisted.
|Support||Contact via Email/Twitter/
|24/7 online||24/7 online|
|Funds in Cold Storage||98%||100%||Not clearly stated|
|AES-256 Hot Wallet Encryption?||Yes||No||No|
|Is USD FDIC Insured?||Yes||Yes||Yes|
|Certifications||None (as of September 2021)||ISO/IEC 27701:2019, CCSS Level 3, ISO/IEC 27001:2013 and PCIDSS v3.2.1 Level 1 compliance, and independently assessed at Tier 4, the highest level for both NIST Cybersecurity and Privacy Frameworks||ISO/IEC 27001|
|Reported Hacks||August 2021||None (as of yet)||May 2019|
Shut Up About Your Awesome Crypto Gains Bro
Regardless of whether you plan to leave some crypto on the exchange, don’t blab to the entire world on Twitter or other social media. In fact, just keep things to yourself as much as possible. While you may even be using an anonymous account, a persistent hacker can take your tweet as a challenge.
Stealing Your Phone Number
People do get their accounts compromised through SIM Swap attacks, where the hacker calls your phone company impersonating you and getting the number swapped onto their phone. In the meantime, the victim’s phone service will stop working while the hacker is able to use 2FA authentication to get into their accounts.
In addition to not discussing your awesome crypto gains, you might want to use an authenticator app like Authy instead of relying on receiving a text message or email to log into your account.
Straight-Up Phishing Your Password
Another popular method involves tricking someone to log into the wrong website, thereby giving the hacker all of your credentials. You might receive a reputable-looking email from Coinbase or Binance which contains a login link. Make sure that your URL is directing you to the correct site, and report any phishing attempts or websites made to look like the official thing.
Note that even good security features may not prevent a large exchange from getting hacked, the rewards are just too enticing; however, this type of attack is unlikely to upset your personal balance. Even if you’re trading your crypto regularly, leaving a large chunk on the exchange is still dangerous and unnecessary. If you want to make a larger trade you can always move the funds onto the exchange at the exact right time instead of leaving them there and waiting.
Despite all of this sounding very negative and cautionary, there are some benefits of leaving crypto on an exchange:
Quicker to access for trading
Earn rewards on crypto we store on the exchange (depending on the coin/rate this can be around 5-15% annually)
You don’t need to worry about losing your phone or private keys because the exchange has your info
Many exchanges do have really good security
- Simpler not to download and set up another crypto wallet
Hey it’s still almost certainly better for you to use a non-custodial private wallet. Instead use a self-custody crypto wallet and earn rewards without giving up ownership. It’s your crypto and it’s you call.
You can easily retain full custody by moving your crypto to our favourite self-custody crypto wallet – the Exodus wallet. Then if you wanted the maximum security, you can also use a Trezor (integrates with Exodus wallet) to keep that crypto offline and somewhere physically safe – like in a safe.
All that being said, as long as you’re not storing the vast majority of your crypto in one exchange, it’s probably okay to leave some of your assets there.
Top cryptocurrency exchanges take steps to ensure the security of your investments and many of them also have apps that do offer you custody over your crypto.
As long as you don’t brag about your wicked crypto trading gains on Twitter or Reddit, there’s no reason for hackers to individually target you. Nonetheless, SIM swapping and phishing attacks remain common and risky; a phishing attack on someone working within these companies could also expose your personal data. Remember, just because an exchange hasn’t been hit yet, doesn’t mean it won’t get hit in the future.
Keep a small amount of crypto on an exchange, trade it, use it, do whatever you want with it. But if you’re taking a risk, make sure it’s for a good reason (like earning rewards) and not just because you didn’t want to go through the trouble of opening a new wallet (laziness).
“Your keys. Your crypto.”
– The end