Security of Cryptocurrency Exchanges - Overview

Cryptocurrency exchanges play a pivotal role in the digital asset ecosystem, serving as platforms for on-ramp, trading, storing, and converting cryptocurrencies. As central nodes in a highly valuable and rapidly evolving industry, these exchanges are frequent targets for cyberattacks and financial fraud.

Threat Landscape and Attack Vectors

The security risks facing cryptocurrency exchanges can be broadly categorized into external attacks, internal threats, and operational vulnerabilities.

  1. External Attacks
    • Hacking and Cyber Intrusions: Malicious actors often target exchanges to gain access to hot wallets—cryptocurrency wallets connected to the internet—where user funds are stored. Attackers use techniques like phishing, malware deployment, and API abuse to infiltrate systems.
      • Example: In 2014, Mt. Gox, a Japan-based exchange, was hacked, resulting in the loss of approximately 850,000 bitcoins. The breach led to the platform’s bankruptcy and highlighted the dangers of inadequate operational security.
    • Distributed Denial of Service (DDoS): Attackers can overwhelm an exchange’s infrastructure, disrupting trading and withdrawal services. Although these do not typically result in financial loss directly, they can undermine trust and disrupt markets.
  2. Internal Threats
    • Insider Attacks and Mismanagement: Employees or founders may misuse privileged access or mishandle customer assets.
      • Example: The 2019 collapse of Canadian exchange QuadrigaCX revealed that the founder had sole control of the private keys and allegedly misappropriated funds, leading to a loss of around $190 million in customer assets.
  3. Operational and Technical Failures
    • Code Vulnerabilities: Poorly written smart contracts or platform code can be exploited.
    • Lack of Cold Storage Management: Best practices recommend storing the majority of funds in offline (cold) wallets, with limited exposure to online wallets.
    • Insecure APIs or Third-party Integrations: Exchanges often rely on third-party services for features like analytics or trading bots, which may introduce vulnerabilities.

Threat Models in Crypto Exchange Security

A robust security model for a cryptocurrency exchange typically considers the following adversaries:

  • External Hackers: Sophisticated cybercriminals seeking unauthorized access to steal funds.
  • Malicious Insiders: Employees or contractors with privileged access and malicious intent.
  • Supply Chain Compromise: Vulnerabilities introduced through third-party services, software updates, or hardware components.
  • Social Engineering Actors: Attackers who deceive employees or users into revealing sensitive credentials.

Security Practices and Industry Responses

In response to these threats, many exchanges have adopted comprehensive security strategies that include:

  • Cold Storage Solutions: Keeping the majority (often 90%+) of digital assets in offline storage, disconnected from internet access.
  • Multi-signature Wallets: Requiring multiple keys to authorize a transaction, reducing single points of failure.
  • Bug Bounty Programs: Offering rewards for responsible disclosure of security vulnerabilities.
  • Regulatory Compliance: Implementing Know Your Customer (KYC) and Anti-Money Laundering (AML) practices to reduce fraud and improve traceability.
  • Insurance Coverage: Some exchanges secure insurance policies to cover losses due to theft or fraud, though coverage may be limited.
  • Penetration Testing and Audits: Regular security assessments conducted by third-party experts.
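As an added illustration of the first two controls above (this is example code, not code from the original page or from any exchange): a Python sketch of a withdrawal-authorization check that requires a 2-of-3 threshold of distinct signer approvals bound to the exact withdrawal, plus a hot-wallet exposure cap matching the 90%+ cold-storage guideline. HMAC tags over a canonical encoding stand in for real signatures, and all signer secrets, addresses and balances are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample signer secrets. In production each approver would hold
# its own private key (ideally in a hardware device) and the threshold would be
# enforced on-chain or by an HSM; HMAC tags are a stand-in so this runs offline.
SIGNER_SECRETS = {
    "ops-1": b"constructed-secret-ops-1",
    "ops-2": b"constructed-secret-ops-2",
    "security": b"constructed-secret-security",
}
THRESHOLD = 2          # 2-of-3: no single key holder can move funds alone
HOT_WALLET_CAP = 0.10  # keep 90%+ of reserves in cold storage

def canonical(withdrawal: dict) -> bytes:
    """Deterministic encoding so every approval binds to the same bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()

def approve(signer: str, withdrawal: dict) -> tuple:
    """One signer's approval tag over the exact withdrawal (stand-in for a signature)."""
    tag = hmac.new(SIGNER_SECRETS[signer], canonical(withdrawal), hashlib.sha256).hexdigest()
    return (signer, tag)

def authorized(withdrawal: dict, approvals: list) -> bool:
    """True only if THRESHOLD distinct known signers approved this exact withdrawal."""
    valid = set()
    for signer, tag in approvals:
        secret = SIGNER_SECRETS.get(signer)
        if secret is None:
            continue  # unknown signer: ignored
        expected = hmac.new(secret, canonical(withdrawal), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected):
            valid.add(signer)  # a set, so replaying one signer's approval does not count twice
    return len(valid) >= THRESHOLD

def hot_wallet_within_cap(hot_balance: float, cold_balance: float) -> bool:
    """Exposure check: the share of reserves in the hot wallet must not exceed the cap."""
    total = hot_balance + cold_balance
    return total > 0 and hot_balance / total <= HOT_WALLET_CAP

if __name__ == "__main__":
    w = {"to": "constructed-destination-address", "amount": 5.0, "nonce": 1}
    print(authorized(w, [approve("ops-1", w), approve("ops-2", w)]))  # True
    print(authorized(w, [approve("ops-1", w)]))                       # False: sole control
    print(hot_wallet_within_cap(8, 92), hot_wallet_within_cap(20, 80))  # True False
```

Because approvals are computed over the canonical bytes, changing the amount or destination after collecting signatures invalidates them, and a single compromised or sole-controlled key (the QuadrigaCX failure mode) cannot meet the threshold.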

Regulatory and Ecosystem Developments

As the cryptocurrency sector matures, regulators and industry bodies are increasingly involved in setting security and operational standards for exchanges. Jurisdictions like the United States, European Union, Singapore, and Japan have introduced or proposed frameworks that emphasize cybersecurity, consumer protection, and operational transparency.

Furthermore, decentralized exchanges (DEXs), which operate without central custody of assets, have emerged as alternatives that reduce certain types of risk (e.g., custodial theft) while introducing new vulnerabilities (e.g., smart contract exploits).

Notable Cryptocurrency Exchange Hacks and Failures

The following cases illustrate various causes of exchange failures, ranging from technical vulnerabilities and poor security hygiene to fraud and mismanagement.

Several high-profile breaches have shaped the industry’s security awareness.

  • Mt. Gox (2014): Loss of 850,000 BTC due to poor internal controls and compromised hot wallets.
  • Coincheck (2018): $530M stolen after attackers accessed hot wallet private keys.
  • QuadrigaCX (2019): Collapse following the founder’s sole control of wallets and missing customer funds.
  • FTX (2022): Failure linked to internal mismanagement and misuse of customer assets rather than direct hacking.

These cases highlight that both technical security and governance are essential for protecting user assets and maintaining market confidence.

Summary of incidents (exchange, year, loss, cause, references):

  • Mt. Gox (2014): 850,000 BTC ($450M at the time). Cause: hot wallet compromise due to poor security and lack of internal controls.
    • justice.gov - Russian Nationals Charged With Hacking One Cryptocurrency Exchange and Illicitly Operating Another
    • Darknet Diaries - EP 9: The Rise and Fall of Mt. Gox
  • Bitfinex (2016): 120,000 BTC ($72M at the time). Cause: exploited vulnerability in multi-signature system provided by BitGo.
    • Bitfinex - 2016 Security Breach Bitcoin Recovery
    • ice.gov - Bitfinex Hacker Sentenced in Money Laundering Conspiracy Involving Billions in Stolen Cryptocurrency
    • justice.gov - 2016 Bitfinex Hack
  • Coincheck (2018): ~$530M in NEM. Cause: private keys for hot wallet stolen; lacked multi-signature and cold storage.
    • science - How cryptocurrency is laundered: Case study of Coincheck hacking incident
    • Taurus - How (Not) To Store Digital Assets: Lessons From 5 Crypto Custody Disasters
  • QuadrigaCX (2019): ~$190M. Cause: alleged misappropriation; sole control of wallets by deceased founder.
    • osc.ca - Downfall of Quadriga
  • Binance (2019): 7,000 BTC ($40M at the time). Cause: phishing and API key compromise; hackers bypassed 2FA.
    • Binance - Binance Security Breach Update
  • KuCoin (2020): ~$275M. Cause: private key compromise of hot wallets.
    • Chainalysis - The KuCoin Hack: What We Know So Far and How the Hackers are Using DeFi Protocols to Launder Stolen Funds
    • KuCoin - The Latest Updates About the KuCoin Security Incident (Continually Updated)
    • BBC - The real victims of mass crypto-hacks that keep happening
  • Liquid Exchange (2021): ~$90M. Cause: compromise of warm wallets through unauthorized access.
    • Fireblocks - Revisiting the Liquid exchange hack: Lessons for organizations working with MPC
    • TRM Labs - Liquid Hack: The Second Time Around
    • Wired - Security News This Week: Hackers Stole Over $90M From Japan’s Liquid Crypto Exchange
  • BitMart (2021): ~$200M. Cause: stolen private keys leading to hot wallet breach.
    • BitMart - BitMart Post-Incident Forensics Bounty Hunt
    • BBC - BitMart: Crypto-exchange loses $150m to hackers
  • FTX (2022): ~$8B shortfall in assets. Cause: misuse of customer funds; accounting fraud; internal mismanagement.
  • Atomic Wallet (2023): ~$100M. Cause: unclear vector; suspected private key compromise.
    • Atomic Wallet - June 3rd Event Statement
  • CoinEx (2023): ~$70M. Cause: hot wallet breach, suspected to be by Lazarus Group (state-linked).
    • SlowMist
    • TRM Labs - Inside North Korea’s Crypto Heists: $200M in Crypto Stolen in 2023; Over $2B in the Last Five Years
  • Huobi (2023): $7.9 million. Cause: hot wallet breached.
    • Halborn - Explained: The Huobi Exchange Hack (September 2023)
  • Lykke (2024): ~US$22.8 million. Cause: hot wallet breach.
    • twentyessex.com - Out of Lykke – successful appointment of provisional liquidators and liquidators of UK cryptocurrency exchange
  • Swissborg (2025): Cause: staking.
    • Halborn - Explained: The Swissborg Hack (September 2025)

See also: Hacken, Lazarus Group

Details

Mt. Gox hack

Bitcoin Core client’s wallet.dat encryption feature.

  • Early Bitcoin wallets were stored in a file called wallet.dat.
  • This file contained private keys in plaintext, so if an attacker got a copy of it, they could immediately spend your coins.
  • In August 2011, Bitcoin Core (then just called the Bitcoin client) released version 0.4.0, which introduced wallet encryption.
    • Users could now encrypt wallet.dat with a passphrase.
    • Spending coins required unlocking the wallet with that passphrase.

Why This Matters for Mt. Gox

  • The Mt. Gox incident started in June 2011, before this feature existed.
  • That means Mark Karpelès didn’t have a built-in way to encrypt the exchange’s wallets against theft at the time.
  • He could have built custom protections (segmentation, manual cold storage, encrypted containers like TrueCrypt), but the official Bitcoin client itself didn’t yet support wallet encryption.
    • The “new” functionality was the wallet encryption option in Bitcoin Core (v0.4.0, August 2011).

Reference:

Quadriga CX

Quadriga later gained international attention when, on January 14, 2019, it announced its founder Gerald Cotten had died in India in December 2018, leaving Quadriga owing 76,000 clients a combined $215 million.

Most news reported that the founder of Quadriga had died without sharing the passwords to the cold storage of virtual assets held by Quadriga, which meant that the client assets recorded in that storage were inaccessible.

However, the Ontario Securities Commission later found that the inaccessibility of cold storage did not explain the shortfall at all; rather, Quadriga CX had been operating as a classic Ponzi scheme, paying off older debts to clients with new incoming funds, and even before Mr. Cotten’s death, Quadriga simply did not have sufficient assets to support its clients’ holdings.

Reference: Overview Report – Quadriga CX


Observed Patterns and Lessons

  • Hot Wallet Vulnerability: Many of these attacks succeeded because a large portion of funds were kept in hot wallets without sufficient protection.
  • Lack of Multi-signature Safeguards: The absence of multi-signature access control contributed to several breaches.
  • Insider and Governance Failures: Incidents like QuadrigaCX and FTX show that human factors and governance failures can be as damaging as technical breaches.
  • Phishing and Social Engineering: Attacks on platforms like Binance involved compromising user or employee credentials via phishing.

Conclusion

Exchanges face multiple types of threats, including external attacks, insider misuse, and technical vulnerabilities.

  • External threats include hacking incidents that target hot wallets, phishing campaigns, or denial-of-service attacks.
  • Internal threats stem from mismanagement or insider abuse of administrative privileges.
  • Operational risks often relate to inadequate key management, insecure APIs, or poorly designed smart contracts.
