Crypto exchanges have changed how we trade and invest in digital assets. But as the saying goes, with great power comes great responsibility—and significant security risks. Here are the top security problems with crypto exchanges.
1. Hot Wallet Hacks
Hot wallets, which stay connected to the internet so that trades and withdrawals settle quickly, are a prime target for hackers. Exchanges that keep a large share of customer funds in them risk a single devastating theft: in January 2018 the Japanese exchange Coincheck lost roughly $530 million worth of NEM (XEM) when the hot wallet holding it was compromised; the wallet was reportedly not even multisig. Reputable exchanges now keep the large majority of funds in cold storage (keys generated and held on machines that are never connected to a network) and top up hot wallets only to the liquidity that expected withdrawals require. The caveat is that cold storage is only as strong as the procedure for moving funds out of it, so the signing process itself needs hardware-backed keys and more than one person.
2. Phishing and social engineering
Crypto exchanges are constant targets of phishing aimed at stealing user login credentials. Attackers register lookalike domains and clone the exchange's login page, then lure users to it through email, ads or social media. Modern phishing kits relay the victim's input to the real site in real time, so a one-time code typed into the fake page is used immediately against the real account; only phishing-resistant factors such as hardware security keys, which bind the login to the genuine origin, defeat this. Social engineering of staff, for example impersonating a colleague or vendor to obtain internal access, is another major threat. Strict operational procedures and employee training are crucial to preventing these breaches.
3. Insider Threats
Rogue employees with access to critical systems and user data can cause immense damage. Exchanges must implement strict access controls, limit employee privileges, and thoroughly vet all personnel. Monitoring for suspicious employee behavior is also key.
The 2015 Bitstamp breach, in which roughly 19,000 BTC (about $5 million at the time) were drained from the hot wallet, is often cited here: the attackers used an employee's credentials, obtained through targeted social engineering of staff. Whether an insider is malicious or merely compromised, the damage is the same, which is why insider-level privileges need the same monitoring and separation of duties as an insider attack would require.
4. Lack of Two-Factor Authentication (2FA)
Exchanges that do not enforce 2FA, a second form of verification beyond the password, leave accounts one leaked password away from takeover. SMS codes are better than nothing but are routinely defeated by SIM swapping and by phishing pages that simply ask for the code. Authenticator apps using time-based one-time passwords (TOTP, as in Google Authenticator) are a clear step up, because the secret never travels over the phone network, but a TOTP code can still be phished and relayed within its 30-second window. Hardware security keys (FIDO2/WebAuthn) are the strongest option, since the key only answers the genuine site. Reputable exchanges now require, or at least strongly encourage, users to enable 2FA, and some mandate it for withdrawals and other high-value actions.
5. Weak Password Policies
Exchanges with lax password requirements make it easier for attackers to breach accounts by brute force or by credential stuffing, replaying username and password pairs exposed in other sites' breaches. Requiring long, unique passwords, rejecting any that already appear in breach corpora, storing only salted slow hashes and throttling failed logins are basic yet crucial measures on the exchange side.
On the user side, password managers such as Dashlane, 1Password and LastPass generate and store a distinct complex password for every site, which is what makes credential stuffing fail.
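The exchange-side controls just listed, as an added example that is not code from the original article: a policy check against length and a breach corpus (a tiny constructed set stands in for a real one), salted scrypt hashing so a leaked user table is expensive to reverse, and a per-account lockout that blunts brute force and credential stuffing. The limits, cost parameters and function names are this example's own choices.

```python
"""Added example, not code from the original article: the server-side controls
behind a "strong, unique password" policy. New passwords are rejected when too
short or present in a breach corpus (a tiny constructed set stands in for a
real one), stored passwords are salted scrypt hashes, and repeated failures
lock the account. Limits and names are this example's own."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

MIN_LENGTH = 12
# Constructed stand-in for a breach corpus, kept as upper-case SHA-1 hex the
# way such lists are usually distributed. Not real breach data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "password123456", "bitcoin2021")
}
# scrypt cost: 128 * N * r bytes of memory per hash (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password may be used."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        return "appears in a known breach corpus"
    return None


def hash_password(password: str) -> str:
    """Salted scrypt hash, self-describing so the cost can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; constant-time compare."""
    _, n, r, p, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class LoginThrottle:
    """Lock an account after too many failed attempts inside a window."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures, self.lockout = max_failures, lockout_seconds
        self._failures: Dict[str, List[int]] = {}

    def allowed(self, account: str, now: int) -> bool:
        recent = [t for t in self._failures.get(account, []) if now - t < self.lockout]
        self._failures[account] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account: str, now: int) -> None:
        self._failures.setdefault(account, []).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def login(account: str, password: str, stored: str,
          throttle: LoginThrottle, now: int) -> bool:
    """Full login decision: throttle first, then the expensive hash check."""
    if not throttle.allowed(account, now):
        return False  # locked out; do not even run the hash
    if verify_password(password, stored):
        throttle.record_success(account)
        return True
    throttle.record_failure(account, now)
    return False
```

Checking the throttle before hashing keeps a stuffing run from also becoming a CPU-exhaustion attack; in production the lockout state lives in a shared store rather than process memory, and a per-IP limit sits alongside the per-account one.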
6. DDoS Attacks
Distributed Denial of Service (DDoS) attacks overwhelm an exchange’s servers with fake traffic, taking the platform offline. While funds may not be directly stolen, DDoS attacks are often used as a smokescreen for other hacks. They can also be used for market manipulation, causing prices to crash while the exchange is inaccessible.
Exchanges can protect against DDoS attacks by using services like Cloudflare that absorb and deflect malicious traffic. Having sufficient server capacity to withstand traffic spikes is also important.
7. Poor code security
Exchanges with sloppy code and lax engineering practices are vulnerable to exploits; Mt. Gox, which lost roughly 850,000 BTC (some 200,000 were later found) and blamed its losses partly on mishandled transaction malleability, remains the infamous example. Code audits, bug bounty programs, and penetration testing are essential to harden an exchange and catch vulnerabilities before attackers do.
Storing sensitive data like private keys in plain text, using outdated libraries with known vulnerabilities, and not properly sanitizing user inputs are some dangerous coding practices that have led to exchange breaches.
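The input-handling point above, shown concretely as an added example (not code from the original article): the same withdrawal-history lookup written with query text built from user input and written with bound parameters, run against a constructed in-memory SQLite table. The table layout, rows and placeholder addresses are invented for the demonstration.

```python
"""Added example, not code from the original article: one withdrawal-history
lookup written the unsafe way (SQL text built from user input) and the safe
way (bound parameters), run against a constructed in-memory SQLite table so
the difference is visible. Table layout, rows and addresses are invented."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, float]

# Constructed sample data; the addresses are placeholders, not real ones.
SAMPLE_ROWS: List[Row] = [
    ("alice", "bc1q-alice-example", 0.5),
    ("bob", "bc1q-bob-example", 2.0),
    ("carol", "bc1q-carol-example", 10.0),
]


def make_db(rows: List[Row] = SAMPLE_ROWS) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE withdrawals (user TEXT, address TEXT, btc REAL)")
    con.executemany("INSERT INTO withdrawals VALUES (?, ?, ?)", rows)
    con.commit()
    return con


def withdrawals_unsafe(con: sqlite3.Connection, user: str) -> List[Row]:
    """VULNERABLE: the caller's string becomes part of the SQL text."""
    sql = f"SELECT user, address, btc FROM withdrawals WHERE user = '{user}'"
    return con.execute(sql).fetchall()


def withdrawals_safe(con: sqlite3.Connection, user: str) -> List[Row]:
    """Hardened: the driver binds `user` as data, never as SQL."""
    sql = "SELECT user, address, btc FROM withdrawals WHERE user = ?"
    return con.execute(sql, (user,)).fetchall()


# Classic payload: closes the quoted literal and appends an always-true clause,
# turning "WHERE user = 'x' OR '1'='1'" into a query that matches every row.
INJECTION = "x' OR '1'='1"


def demo() -> Tuple[int, int]:
    """Row counts each version returns for the injection payload."""
    con = make_db()
    return len(withdrawals_unsafe(con, INJECTION)), len(withdrawals_safe(con, INJECTION))
```

The unsafe version hands every customer's withdrawal addresses to whoever supplies the payload; the parameterised version returns nothing, because no user is literally named `x' OR '1'='1`. Escaping quotes by hand is not a substitute, since it breaks as soon as the query is extended or the database changes.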
8. Lack of Transparency and Accountability
Opaque exchanges that fail to provide basic information about their security practices, team members, and company registration raise major red flags. Accountability and communication are also critical in the aftermath of a hack.
Following the 2016 Bitfinex hack, in which roughly 120,000 BTC were stolen, the exchange never published a detailed account of how the breach happened and imposed a 36% haircut on every customer balance, which fuelled accusations of insolvency and mismanagement. In contrast, when Binance lost about 7,000 BTC in 2019, it explained the incident within hours and covered the loss from its own emergency fund, a response the crypto community praised.
9. Inadequate Disaster Recovery Planning
Exchanges without disaster recovery and business continuity plans are at greater risk of prolonged downtime or even permanent closure after a major hack or disruption. Regular data backups, redundant systems, and clear contingency plans are a must.
When the CEO of the Canadian exchange QuadrigaCX died unexpectedly in December 2018, the company said that he alone had held the keys to its cold wallets and that no one else could reach the funds. The exchange collapsed within months, and investigators later concluded that most of the customer assets had already been lost through his own trading and misuse. Sole custody both hid the fraud and made recovery impossible, which is why key material should be held under a threshold policy and a continuity plan must survive the loss of any single person.
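One way to make sure no single officer holds the only copy of a wallet key, as an added example that is not code from the original article or from any exchange: Shamir secret sharing over a prime field. A 32-byte key is split into n shares of which any k reconstruct it; fewer than k reveal nothing about the key. The key bytes and the k-of-n policy are constructed values, and in practice the shares would be held on separate hardware devices by separate people (on-chain multisig is the alternative that avoids ever reassembling the key).

```python
"""Added example, not code from the original article: Shamir secret sharing
over a prime field, one way to ensure no single person holds the only copy of
a wallet key. A 32-byte key is split into n shares of which any k rebuild it;
fewer than k reveal nothing. Key bytes and the k/n policy are constructed."""
import secrets
from typing import List, Tuple

# 2^521 - 1 is a Mersenne prime, comfortably larger than any 256-bit secret.
P = 2 ** 521 - 1
Share = Tuple[int, int]  # (x, f(x))


def split_secret(secret: bytes, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares; any k of them reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n) or s >= P:
        raise ValueError("bad threshold or secret too large for the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct_secret(shares: List[Share], length: int = 32) -> bytes:
    """Lagrange interpolation at x = 0 over the shares supplied. With fewer
    than k shares the result is simply a wrong value, not an error."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    n_bytes = max(length, (s.bit_length() + 7) // 8)  # keep leading zeros of a real key
    return s.to_bytes(n_bytes, "big")
```

Under a 3-of-5 policy the death or departure of one key holder costs one share and nothing else; the remaining four can still sign, and a new share can be issued by re-splitting. The reconstruction step should happen only on an offline signing machine, since the moment the shares are combined the full key exists in memory again.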
10. Regulatory Non-Compliance
Failure to comply with relevant regulations, such as anti-money laundering (AML) and know-your-customer (KYC) requirements, can result in heavy fines, legal action, or even the forced closure of an exchange.
While some argue that regulation stifles innovation, most agree that a balanced regulatory approach is needed to prevent fraud and protect users. Reputable exchanges now work closely with regulators and go above and beyond compliance minimums.
Key Takeaways
1. Hot wallet hacks are a major risk, so exchanges should keep most funds in cold storage.
2. Phishing, social engineering, and insider threats can be prevented through security protocols, employee training, and access controls.
3. Enforcing two-factor authentication (2FA), especially app-based or hardware 2FA, is crucial for user account security.
4. Exchanges must require strong, unique passwords to prevent brute-force and credential stuffing attacks.
5. DDoS attack mitigation, code audits, bug bounty testing, and penetration testing are essential for exchange security.
6. Transparency, accountability, and communication are key traits of reputable exchanges, especially in the aftermath of a hack.
7. Disaster recovery plans and regulatory compliance are non-negotiable for exchanges to protect users and stay in business long-term.
Frequently Asked Questions
1. How can I protect my account from phishing attacks?
To protect against phishing, always double-check the URL of the exchange website before logging in. Enable 2FA, and never share your login credentials or 2FA codes with anyone. Be wary of unsolicited emails or messages claiming to be from the exchange.
2. What should I do if I suspect an exchange has been hacked?
If you suspect an exchange breach, immediately change your password and enable 2FA if you haven’t already. Contact the exchange’s support team to report the issue. Consider moving your funds off the exchange until the situation is resolved.
3. How can I tell if an exchange is reputable and secure?
Look for exchanges that have a long track record without major hacks, provide proof of reserve audits, and are transparent about their security practices. Check to see if they comply with relevant regulations and have insurance to cover user losses. Read reviews and consult crypto community forums for user experiences.
4. Is it safe to leave my crypto on an exchange?
As a general rule, only leave crypto on an exchange if you’re actively trading. For long-term storage, transfer your crypto to a personal wallet where you control the private keys. Hardware wallets are considered the most secure option for large amounts of crypto.
5. What happens if an exchange gets hacked and I lose my funds?
It depends on the exchange’s policy and the specifics of the hack. Some exchanges, like Binance, have insurance funds to cover user losses. Others, like Mt. Gox, have gone bankrupt, with users losing most of their funds. There’s often little legal recourse, so it’s crucial to carefully vet exchanges and practice good personal security.
6. Can regulation prevent exchange hacks?
While regulation can’t prevent all hacks, it does provide a framework for holding exchanges accountable and enforcing basic security standards. Regulated exchanges are required to implement KYC/AML procedures, maintain sufficient capital reserves, and submit to audits. This weeds out many fraudulent or insecure exchanges.