
Crypto Exchange Security: Features and Track Records Compared

Compare crypto exchange security features across cold storage ratios, insurance funds, proof of reserves, and incident history.

Spark Team

Exchange Security Features at a Glance

Choosing a crypto exchange means trusting a third party with your funds. The security infrastructure behind that trust varies enormously between platforms. Some exchanges maintain robust cold storage practices, carry insurance, and publish cryptographic proof of reserves. Others have suffered billion-dollar breaches.

The following table summarizes security capabilities across six major exchanges. Each dimension is explored in detail throughout this guide.

Feature | Coinbase | Kraken | Binance | Gemini | OKX | Bybit
Cold storage ratio | ~98% | ~95% | Not disclosed | ~95% | ~95% | Not disclosed
Insurance / protection fund | $255M (hot wallet) | None | $1B (SAFU) | $200M (cold custody) | ~$700M (Risk Shield) | Derivatives only
Proof of reserves | No (SEC filings) | Yes (quarterly) | Yes (monthly) | No (SOC audits) | Yes (monthly) | Yes (monthly)
Hardware key 2FA (FIDO2) | Yes | Yes | Yes | Yes | Yes | Yes
Withdrawal whitelisting | Yes (24-48hr delay) | Yes | Yes (~24hr delay) | Yes (7-day delay) | Yes | Yes (24hr delay)
SOC 2 Type 2 | Yes | Yes | Yes | Yes | Yes | No
ISO 27001 | No | Yes | Yes | Yes | Yes | Yes
Bug bounty max payout | $1M | $1.5M | $100K | ~$20K | $1M | $10K
Major breach history | None | None | $41M (2019) | None | None | $1.5B (2025)

For a broader look at custody models beyond exchanges, see our custody comparison tool and the research article on Bitcoin custody solutions compared.

Cold Storage and Key Management

The percentage of customer funds held in cold storage (offline, air-gapped systems) versus hot wallets (internet-connected) is one of the most critical security metrics for any exchange. Hot wallets are necessary for processing withdrawals quickly, but they present a larger attack surface.

Coinbase reports storing approximately 98% of customer assets in cold storage, using air-gapped systems, hardware security modules (HSMs), and multi-signature authorization distributed across geographically separate vaults. Kraken and Gemini both maintain approximately 95% in cold storage with similar multi-layered architectures. OKX uses a semi-offline multi-signature system with encrypted private keys stored in bank-grade vaults, earning a CertiK "AA" security rating.

Binance does not publicly disclose its exact cold storage ratio, stating only that a "vast majority" of assets are held offline. Bybit similarly has not disclosed a verified ratio. The February 2025 Bybit breach revealed that its Ethereum cold wallet used Safe{Wallet} smart contract multi-signature infrastructure, which became the attack vector when a developer at the wallet provider was socially engineered.

Insurance and Protection Funds

No exchange insures 100% of customer deposits against all scenarios. Coverage typically applies only to platform-level breaches (hacking, insider theft) and does not protect against individual account compromises, trading losses, or market volatility.

  • Coinbase carries $255 million in crime insurance through Lloyd's of London (via Aon) covering hot wallet assets against hacking, insider theft, and fraudulent transfers. USD balances are eligible for pass-through FDIC insurance up to $250,000 through partner banks.
  • Binance established its SAFU (Secure Asset Fund for Users) in July 2018, funded by 10% of all trading fees. The fund holds approximately $1 billion, fully converted to 15,000 BTC in on-chain multi-signature cold wallets. It successfully covered the entire $41 million lost in the 2019 breach.
  • Gemini operates Nakamoto, a captive insurance entity licensed by the Bermuda Monetary Authority, providing $200 million in cold custody coverage. Gemini was among the first exchanges to build a dedicated insurance vehicle.
  • Kraken does not maintain a formal insurance fund or protection pool. It relies instead on operational security and has operated since 2013 without losing customer funds to a breach.
  • OKX maintains a Risk Shield fund of approximately $700 million funded from platform earnings, though it explicitly states this is not an insurance policy and does not cover individual account breaches.

Proof of Reserves

Proof of reserves (PoR) became an industry focus after FTX's collapse in November 2022 revealed an $8 billion shortfall in customer funds. A PoR attestation has two halves: a cryptographic commitment to customer liabilities (typically a Merkle tree over account balances, against which each depositor can check that their own balance is included) and a proof of assets (signatures or on-chain transactions from addresses the exchange controls). Together they let users verify that the exchange holds at least as much as it owes to depositors.

Kraken publishes quarterly PoR reports audited by The Network Firm, a registered CPA firm. Each report includes Merkle tree proofs that individual users can verify against their own account balances. OKX has published 37+ consecutive monthly reports using Merkle trees combined with zk-STARKs, audited by Hacken. Binance adopted Merkle tree proofs with zk-SNARKs in early 2023 and publishes monthly, though its auditor situation has been unstable after Mazars Group suspended all crypto PoR work in December 2022.

Coinbase and Gemini do not publish PoR in the cryptographic sense. Coinbase argues that its SEC filings and Deloitte financial audits (as a publicly traded company) provide equivalent transparency. Gemini relies on NYDFS regulatory examinations and Deloitte SOC audits.

Limitation: Most PoR implementations prove only that assets exist at a single point in time. They do not account for off-chain liabilities, borrowed funds, or assets pledged as collateral elsewhere. An inclusion proof also shows only that your own balance is in the tree; a customer cannot see whether every other account was included, so an omitted account silently understates liabilities, which is why the checks are only meaningful if many depositors actually run them. As Vitalik Buterin outlined in his November 2022 framework, true proof of solvency requires both proof of assets and proof of liabilities.

Authentication and Withdrawal Controls

Two-factor authentication and withdrawal restrictions form the front-line defense for individual accounts. All six exchanges support TOTP (authenticator app) and FIDO2 hardware keys. The differences lie in additional hardening options.

Kraken stands out by deliberately refusing to support SMS-based 2FA, citing SIM swap vulnerabilities. Its Global Settings Lock (GSL) feature freezes all account changes for a configurable period up to 30 days, making it extremely difficult for an attacker who compromises credentials to modify withdrawal addresses or disable security settings. Kraken also uses PGP-signed emails instead of anti-phishing codes.

Gemini enforces a 7-day hold on newly whitelisted withdrawal addresses, the longest delay among major exchanges. Coinbase offers a Vault feature requiring multiple email approvals and a 48-hour cancellation window. Binance introduced Withdraw Protection in 2026, locking withdrawals for 1 to 7 days with no override. OKX provides account-level IP whitelisting beyond just API key restrictions.
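The withdrawal whitelist delay and settings lock described in this section, as an added illustration in Python that is not any exchange's code: a minimal withdrawal policy in which whitelisted addresses become usable only after a delay (24 hours assumed here; the exchanges above differ), a settings lock that blocks every whitelist change until it expires, and a constructed scenario in which the attacker already passes the second-factor check. Account labels, timestamps and the lock semantics are assumptions of this model.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    # address -> time it was whitelisted; usable only once `whitelist_delay` has elapsed
    whitelist: dict = field(default_factory=dict)
    whitelist_delay: timedelta = timedelta(hours=24)  # assumed delay; exchanges differ
    settings_locked_until: datetime | None = None


def settings_locked(acct: Account, now: datetime) -> bool:
    return acct.settings_locked_until is not None and now < acct.settings_locked_until


def lock_settings(acct: Account, now: datetime, days: int) -> None:
    """Owner-initiated lock. In this model it cannot be lifted early, which is what
    makes it useful against an attacker who holds valid credentials."""
    acct.settings_locked_until = now + timedelta(days=days)


def add_whitelist_address(acct: Account, address: str, now: datetime) -> str:
    if settings_locked(acct, now):
        return "denied:settings_lock"
    acct.whitelist.setdefault(address, now)  # re-adding never shortens the wait
    return "pending"


def remove_whitelist_address(acct: Account, address: str, now: datetime) -> str:
    if settings_locked(acct, now):
        return "denied:settings_lock"  # modelled as blocking every change, like a global settings lock
    acct.whitelist.pop(address, None)
    return "removed"


def authorize_withdrawal(acct: Account, address: str, now: datetime, second_factor_ok: bool) -> str:
    """Policy evaluated after authentication: a valid second factor is necessary, not sufficient."""
    if not second_factor_ok:
        return "denied:second_factor"
    added_at = acct.whitelist.get(address)
    if added_at is None:
        return "denied:not_whitelisted"
    if now < added_at + acct.whitelist_delay:
        return "denied:pending"
    return "approved"


def simulate() -> dict:
    """Constructed scenario: the attacker has the password and a SIM-swapped number, so every
    second-factor check passes. Addresses are labels, not real addresses."""
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    owner_addr, attacker_addr = "owner-cold-wallet", "attacker-wallet"
    r = {}

    # 1. Whitelist delay; the owner reacts to the "new address added" alert within the window.
    acct = Account()
    acct.whitelist[owner_addr] = t0 - timedelta(days=30)  # long-standing entry, already active
    r["drain_to_unlisted"] = authorize_withdrawal(acct, attacker_addr, t0, True)
    r["attacker_adds_address"] = add_whitelist_address(acct, attacker_addr, t0)
    r["drain_during_delay"] = authorize_withdrawal(acct, attacker_addr, t0 + timedelta(hours=1), True)
    r["owner_removes"] = remove_whitelist_address(acct, attacker_addr, t0 + timedelta(hours=2))
    r["drain_after_delay"] = authorize_withdrawal(acct, attacker_addr, t0 + timedelta(hours=25), True)
    r["owner_withdraws"] = authorize_withdrawal(acct, owner_addr, t0, True)

    # 2. Same delay, but the owner never reacts: the delay only buys time.
    acct2 = Account()
    add_whitelist_address(acct2, attacker_addr, t0)
    r["no_reaction_after_delay"] = authorize_withdrawal(acct2, attacker_addr, t0 + timedelta(hours=25), True)

    # 3. A settings lock set earlier by the owner blocks the whitelist change outright.
    acct3 = Account()
    lock_settings(acct3, t0 - timedelta(days=1), days=30)
    r["add_under_lock"] = add_whitelist_address(acct3, attacker_addr, t0)
    return r


if __name__ == "__main__":
    for step, outcome in simulate().items():
        print(f"{step:26} {outcome}")
```

Scenario 2 is the important caveat: a delay alone converts an instant theft into a race between the attacker's timer and the owner's attention, so the alert on "new withdrawal address added" must reach a channel the attacker does not control. Scenario 3 is why a non-overridable settings lock is the stronger control for dormant holdings.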

For users who want to eliminate account-level attack surfaces entirely, self-custody removes the exchange from the equation. See our self-custody vs. custodial guide for a detailed comparison of the tradeoffs.

Major Security Incidents

Exchange hacks are not hypothetical risks. The following table documents the most significant incidents in crypto exchange history, totaling over $11 billion in losses.

Exchange | Date | Amount lost | Attack vector | Users made whole
Bybit | Feb 2025 | ~$1.5B (401,347 ETH) | Supply chain attack on wallet provider developer | Yes (replenished within 72 hours)
WazirX | Jul 2024 | ~$235M | Multi-sig wallet contract manipulation | Partially (85% returned Oct 2025)
DMM Bitcoin | May 2024 | ~$308M (4,502 BTC) | Social engineering via fake LinkedIn recruiter | Yes (exchange shut down, assets transferred to SBI VC Trade)
FTX | Nov 2022 | ~$8B (fraud) | Customer deposits diverted to Alameda Research | Partially ($7.1B distributed by Nov 2025)
KuCoin | Sep 2020 | ~$280M | Hot wallet key compromise (Lazarus Group) | Yes (84% recovered, rest covered by insurance)
Binance | May 2019 | ~$41M (7,000 BTC) | Phishing and malware harvesting API keys | Yes (covered by SAFU fund)
Coincheck | Jan 2018 | ~$530M (523M NEM) | Phishing malware on hot wallet without multi-sig | Yes (all 260,000 users refunded)
Bitfinex | Aug 2016 | ~$72M (119,756 BTC) | Unauthorized transactions bypassing multi-sig | Yes (losses socialized, BFX tokens redeemed by Apr 2017)
Mt. Gox | 2011-2014 | ~$473M (650,000 BTC) | Prolonged hot wallet theft over years | Partially (repayments ongoing, deadline Oct 2026)

A persistent pattern emerges: at least four of these incidents (Bybit, DMM Bitcoin, WazirX, KuCoin), together worth over $2 billion, have been attributed to North Korea's Lazarus Group (TraderTraitor). These attacks increasingly go through supply chain vectors (wallet software providers, developer endpoints) rather than the exchange's own infrastructure.

Eliminating Exchange Risk with Self-Custody

Every exchange security feature described above exists to mitigate one fundamental problem, and self-custody eliminates it entirely: a third party holds your keys. When you hold your own private keys, there is no exchange to hack, no insurance gap to worry about, and no proof-of-reserves report to trust.

Hardware wallets from manufacturers like Ledger, Trezor, and Coldcard keep private keys on a dedicated signing device (many current models use a secure element) so that the key is never exposed to an internet-connected computer; the host only ever sees signed transactions. For users who want additional protection, multi-signature setups distribute signing authority across multiple devices and locations.

On the Bitcoin network, Spark enables self-custodial Bitcoin and stablecoin transfers with instant settlement and near-zero fees. Unlike exchange-held balances, assets on Spark remain under the user's direct control. For a deeper comparison of custody models, see our research on self-custodial vs. custodial wallets.

How to Evaluate Exchange Security

When assessing an exchange's security posture, focus on these factors in order of importance:

  1. Track record: has the exchange ever lost customer funds? If so, were users made whole, and how quickly?
  2. Cold storage practices: what percentage of funds are held offline, and what key management architecture protects them?
  3. Regulatory oversight: is the exchange subject to financial regulators who enforce minimum security standards and conduct examinations?
  4. Insurance and reserves: does the exchange carry insurance or maintain a protection fund, and what does it actually cover?
  5. Account-level controls: does the exchange support hardware key 2FA, withdrawal whitelisting with time delays, and settings locks?
  6. Transparency: does the exchange publish proof of reserves, undergo third-party audits (SOC 2, ISO 27001), and run a bug bounty program?

No exchange scores perfectly across all dimensions. Coinbase and Gemini lead on regulatory compliance and clean track records but do not publish cryptographic PoR. Kraken combines strong PoR with no breach history but carries no insurance. Binance has the largest protection fund but a more complex regulatory history. The safest approach for significant holdings remains minimizing exchange exposure by withdrawing to cold storage or a self-custodial wallet after trading.

Frequently Asked Questions

Which crypto exchange has the best security?

No single exchange leads across every security dimension. Coinbase and Gemini have never suffered a major breach and operate under strict US regulatory oversight (Coinbase is publicly traded; Gemini holds a New York Trust Company charter). Kraken combines a clean track record with quarterly proof-of-reserves audits and the industry's most aggressive account lock feature (Global Settings Lock). Binance maintains the largest protection fund at $1 billion. The safest strategy is to use a well-regulated exchange for trading and withdraw to self-custody for long-term storage.

What happened in the Bybit hack?

On February 21, 2025, attackers stole approximately $1.5 billion (401,347 ETH) from Bybit in the largest exchange hack in crypto history. The attack was a supply chain compromise: North Korea's Lazarus Group socially engineered a developer at Safe{Wallet} (the multi-signature wallet provider), stole an AWS session token, and injected malicious JavaScript that altered transaction payloads. Bybit signers approved what appeared to be a legitimate transaction, but the payload redirected funds. Bybit replenished customer balances within 72 hours through emergency lending and OTC arrangements.

Does FDIC insurance cover crypto on exchanges?

FDIC insurance does not cover cryptocurrency holdings. It covers only US dollar cash balances held at FDIC-insured partner banks, up to $250,000 per depositor. Coinbase and Gemini offer pass-through FDIC coverage for USD balances (not crypto). If an exchange is hacked and crypto is stolen, FDIC insurance does not apply. Some exchanges carry private crime insurance (Coinbase holds $255 million through Lloyd's of London), but this covers the exchange, not individual accounts compromised through user credential theft.

What is proof of reserves and why does it matter?

Proof of reserves is a cryptographic auditing method that lets users verify an exchange holds enough assets to cover all customer deposits. Most implementations use Merkle trees: the exchange publishes a root hash committing to all account balances, and each user can verify that their own balance is included without learning other users' balances. The asset side is shown separately, by proving control of the exchange's on-chain addresses. More advanced systems add zero-knowledge proofs (zk-SNARKs or zk-STARKs) to prove that every balance in the tree is non-negative and correctly summed without revealing individual balances or the tree structure. PoR became critical after FTX's collapse revealed that customer funds had been diverted despite the exchange appearing solvent.
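The Merkle-tree mechanism described in the Proof of Reserves section and in this answer, as an added worked example that is not code from any exchange or auditor: a summed Merkle tree over constructed account balances (the "Merkle-sum tree" used by Merkle-style PoR schemes), the inclusion proof an exchange would hand one customer, and the customer-side check. It assumes SHA-256 leaves salted per user and 16-byte signed totals committed at every node; the account names, balances and salts are constructed. The forged-leaf case at the end shows why totals are committed at internal nodes: without them, an exchange could insert a negative balance to shrink the root total while every honest customer's inclusion proof still verified.

```python
import hashlib
from dataclasses import dataclass

# Balances are integers in the smallest unit (satoshis). Totals are encoded as
# 16-byte signed integers so that a dishonestly negative subtree is representable,
# and therefore detectable, instead of failing to encode.
WIDTH = 16


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _enc(total: int) -> bytes:
    return total.to_bytes(WIDTH, "big", signed=True)


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int  # sum of all balances below this node


def make_leaf(user_id: str, balance: int, salt: bytes) -> Node:
    """Leaf = H("leaf" || salt || user_id || balance). The salt is handed only to that
    customer, so the published tree does not let others brute-force account ids."""
    return Node(_h(b"leaf", salt, user_id.encode(), _enc(balance)), balance)


def make_parent(left: Node, right: Node) -> Node:
    """Internal node commits to both children's digests and both subtree totals."""
    total = left.total + right.total
    return Node(_h(b"node", left.digest, _enc(left.total), right.digest, _enc(right.total)), total)


def build_tree(leaves: list) -> list:
    """All levels, leaves first and root last; pads with zero-balance leaves to a power of two."""
    level = list(leaves)
    while len(level) & (len(level) - 1):
        level.append(make_leaf("", 0, b""))
    levels = [level]
    while len(level) > 1:
        level = [make_parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def prove(levels: list, index: int) -> list:
    """Exchange-side: the sibling node at each level and whether it sits to the left."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index >>= 1
    return path


def verify(root: Node, user_id: str, balance: int, salt: bytes, path: list) -> bool:
    """Customer-side: my balance is in the tree, and no sibling on my path is negative."""
    node = make_leaf(user_id, balance, salt)
    for sibling, sibling_is_left in path:
        if sibling.total < 0:
            return False  # a negative subtree would understate total liabilities
        node = make_parent(sibling, node) if sibling_is_left else make_parent(node, sibling)
    return node.digest == root.digest and node.total == root.total


def demo() -> tuple:
    """Constructed accounts: an honest tree, one honest check, one wrong-balance check,
    then a dishonest tree with a forged negative leaf and who does or does not catch it."""
    accounts = [("alice", 150_000_000), ("bob", 25_000), ("carol", 3_000_000_000), ("dave", 0)]
    salts = {u: hashlib.sha256(b"salt:" + u.encode()).digest() for u, _ in accounts}  # random per user in practice
    leaves = [make_leaf(u, b, salts[u]) for u, b in accounts]
    levels = build_tree(leaves)
    root = levels[-1][0]

    bob_ok = verify(root, "bob", 25_000, salts["bob"], prove(levels, 1))
    bob_wrong = verify(root, "bob", 26_000, salts["bob"], prove(levels, 1))

    # Dishonest exchange: replace dave's leaf with a forged leaf whose "balance" cancels carol's.
    forged = Node(_h(b"leaf", b"forged"), -3_000_000_000)
    bad_levels = build_tree(leaves[:3] + [forged])
    bad_root = bad_levels[-1][0]
    carol_catches = not verify(bad_root, "carol", 3_000_000_000, salts["carol"], prove(bad_levels, 2))
    alice_passes = verify(bad_root, "alice", 150_000_000, salts["alice"], prove(bad_levels, 0))
    return root.total, bob_ok, bob_wrong, bad_root.total, carol_catches, alice_passes


if __name__ == "__main__":
    print(demo())
```

Only a customer whose proof path passes through the forged node sees the negative total: carol rejects the proof, but alice's path only meets the parent of carol and the forged leaf, whose total is zero, so her check passes. Detection therefore depends on a broad base of depositors actually running the verification, and the tree covers liabilities only; the asset side and the point-in-time limitation described above still apply.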

Is self-custody safer than keeping crypto on an exchange?

Self-custody eliminates exchange counterparty risk (hacks, fraud, insolvency) but introduces personal operational risk (key loss, physical theft, backup failures). For users who properly manage their seed phrase and use a hardware signing device, self-custody removes the largest category of historical crypto losses. The $11+ billion lost to exchange hacks and fraud dwarfs losses from properly secured self-custody setups. See our self-custody vs. custodial guide for a full breakdown of the tradeoffs.

How do exchanges protect against SIM swap attacks?

SIM swap attacks compromise SMS-based 2FA by convincing a mobile carrier to transfer the victim's phone number. Kraken mitigates this by refusing to support SMS 2FA entirely. Other exchanges recommend disabling SMS in favor of TOTP apps (Google Authenticator, Authy) or FIDO2 hardware keys (YubiKey). Withdrawal whitelisting with time delays provides a secondary defense: even if an attacker compromises 2FA, they cannot withdraw to an unwhitelisted address without waiting through the delay period, giving the account holder time to respond.

What is the Binance SAFU fund?

The Secure Asset Fund for Users (SAFU) is Binance's emergency protection fund, established in July 2018 and funded by 10% of all trading fees. It holds approximately $1 billion in 15,000 BTC stored in publicly viewable on-chain multi-signature cold wallets. When the fund value drops below $800 million due to BTC price movements, Binance rebalances to restore the target. SAFU covered the full $41 million lost in Binance's May 2019 hot wallet breach, making all affected users whole without delay.

This tool is for informational purposes only and does not constitute financial advice. Security features, insurance coverage, and incident details are based on publicly available information and may change. No exchange provides complete protection against all loss scenarios. Always verify current security practices directly with the exchange before depositing funds.
