7 views 17 mins 0 comments

How to Choose a Safe Cryptocurrency Exchange Without Losing Your Funds

In Crypto
July 10, 2026
HOW TO CHOOSE A SAFE CRYPTOCURRENCY EXCHANGE" and "PROTECT YOUR ASSETS.

How to Choose a Safe Cryptocurrency Exchange Without Losing Your Funds

Crypto exchanges don’t fail quietly. Mt. Gox lost 850,000 BTC to a breach that went undetected for years before its 2014 bankruptcy. FTX collapsed in November 2022 after roughly $8 billion in customer funds turned out to have been funneled to an affiliated trading firm. QuadrigaCX’s founder died in 2018 holding the only keys to the exchange’s cold wallets, leaving Canadian customers out roughly $190 million CAD. Bybit lost $1.4–1.5 billion in a single hack in February 2025 — the largest exchange hack in crypto history, despite the platform holding a MiCA license and a strong security reputation at the time. Independent researchers tracking crypto failures count more than 50 major exchange, lender, or protocol collapses between 2010 and 2026.

None of this means every exchange is unsafe. It means “safe” isn’t a marketing claim you take on faith — it’s something you can actually check, using the same evidence regulators, auditors, and security researchers use. This guide walks through exactly how to evaluate an exchange before you deposit a dollar, using verifiable signals instead of star ratings or affiliate rankings.

This article is part of our exchange-safety research series. For a full side-by-side breakdown of fees, liquidity, security, and compliance across 12 major platforms, see our pillar guide, The Global Crypto Exchange Cost Map 2026. For how these safety factors translate into recommendations by investor type, see Best Crypto Exchanges in 2026: Which Platform Offers the Best Value for Different Types of Investors? And if you’re specifically weighing the three most beginner-relevant platforms, our companion piece, Coinbase vs Binance vs Kraken: Which Exchange Is Best for Beginners?, applies this exact framework to those three.

Why Exchange Failures Keep Happening

Before the checklist, it helps to understand the actual failure patterns, because they repeat.

Affiliated trading firms without segregation. FTX’s collapse, Voyager’s exposure to Three Arrows Capital, and Celsius’s internal lending book all shared the same structural flaw: customer deposits were commingled with, or lent to, a related trading entity that could lose the money. When evaluating an exchange, it’s worth asking whether the company operates an undisclosed proprietary trading arm or hedge fund alongside its exchange business.

Withdrawal freezes are a warning, not a pause. Every major exchange collapse — Mt. Gox, FTX, Celsius, Voyager, Cryptopia — began with a halt on withdrawals framed as temporary. In the vast majority of documented cases, that halt was the beginning of insolvency proceedings, not a technical blip. Bitstamp’s 2014 freeze and Bybit’s February 2025 freeze are among the rare cases where normal service resumed. Treat any exchange-wide withdrawal suspension as a signal to move whatever you can, whenever you can, rather than waiting for reassurance.

Custody failures and hot-wallet hacks are a separate risk from insolvency. Mt. Gox (2014, 850,000 BTC), Bitfinex (2016, roughly 119,756 BTC via a multi-signature wallet exploit), Coincheck (2018, roughly $534 million), Binance (2019, roughly $40 million), the BNB Chain bridge (2022, roughly $570 million), and Bybit (February 2025, $1.4–1.5 billion) are all breaches — someone got into a wallet they shouldn’t have. This is a different failure mode than FTX or Celsius, where the platform itself misused funds. A safe exchange needs to defend against both.

Proof of reserves helps, but it isn’t sufficient on its own. A reserves audit verifies that an exchange holds enough assets at one point in time. It says nothing about the exchange’s liabilities, off-balance-sheet obligations, or whether those same reserves were borrowed specifically for the audit and returned afterward — a maneuver sometimes called “audit window dressing.” Treat proof of reserves as one input, not a guarantee.

The Four-Part Safety Check

1. Verify the Regulatory Footprint Actually Exists

Don’t take an exchange’s “regulated and licensed” claim at face value — check it against the regulator’s own public register.

  • In the US, legitimate exchanges hold state money transmitter licenses (check your state’s financial regulator site) and, in stricter states like New York, a BitLicense from the NYDFS. FinCEN registration as a Money Services Business is a baseline, not a strong signal on its own — plenty of failed platforms had it. Look for whether the exchange has also registered any entity with the SEC (as a broker-dealer or investment adviser) or the CFTC (as a designated contract market or futures commission merchant), which involves materially more oversight than a money transmitter license alone.
  • In the EU, the relevant credential as of 2026 is a Markets in Crypto-Assets (MiCA) Crypto-Asset Service Provider (CASP) authorization. You can check any exchange’s status directly on ESMA’s public CASP register, which is updated weekly — a platform that only cites an old national registration rather than a MiCA CASP license is not authorized to serve EU customers after the July 1, 2026 enforcement deadline.
  • A pattern worth noting: FTX, one of the largest collapses in the industry’s history, never obtained a meaningful license in a strictly regulated market like the US for its main international exchange. Regulatory friction is often the price of legitimacy, not an obstacle to avoid.
  • Past enforcement isn’t automatically disqualifying, but it’s informative. A resolved settlement with an installed compliance monitor (as with Binance’s 2023 DOJ/CFTC/FinCEN resolution) is a different risk profile than an active, unresolved fraud investigation. Read what the enforcement action actually alleged, not just the headline dollar figure.

2. Check How the Exchange Proves It Holds Your Assets

  • Look for cryptographic proof of reserves, not just a press release claiming “fully backed.” The strongest version uses a Merkle-tree method that lets an individual user verify their own balance was included in the audited total, rather than asking users to simply trust a summary number. This methodology has been published quarterly by at least one major exchange since 2014.
  • Check the cold storage percentage. Reputable exchanges disclose that the large majority of customer assets — typically cited in the 90–95%+ range by platforms that publish this figure — sit in offline, multi-signature cold storage rather than internet-connected hot wallets, since hot wallets are what got drained in nearly every major custody hack on record.
  • Look for an independent auditor, not an in-house claim. Reserves attestations conducted by a named third-party accounting or security firm carry more weight than self-published dashboards. Be aware that even here, auditor relationships can break down under legal pressure — one major exchange’s audit was abandoned mid-process in 2023 after its auditor cited legal uncertainty from a pending SEC lawsuit, which itself illustrates why a single audit shouldn’t be the only signal you rely on.
  • Ask whether there’s an insurance or reimbursement fund, and how it’s funded and governed. Some exchanges maintain investor-protection funds seeded from a share of trading fees, sized in the hundreds of millions to low billions of dollars, intended to reimburse users after a breach. These funds are useful but are managed at the platform’s discretion — they are not the same as government deposit insurance, and disbursement is not guaranteed by regulation the way FDIC coverage is for a bank account.

3. Research the Actual Security and Failure History

Search for the exchange’s name alongside terms like “hack,” “breach,” “insolvency,” and “withdrawal freeze,” and read primary sources — the exchange’s own incident disclosures, regulator press releases, and reporting from established crypto-focused outlets — rather than aggregator “top 10 safest exchanges” lists, which are frequently built by exchanges ranking themselves or by affiliate sites with a financial incentive to rank a partner highly.

Specifically look for:

  • Whether customer funds were ever lost, and if so, whether they were fully reimbursed and how quickly. An exchange that was hacked once, disclosed it promptly, and made customers whole (as happened after Binance’s 2019 hack) is a different risk profile than one that concealed a shortfall or is still in bankruptcy proceedings.
  • How the exchange has handled a breach involving data rather than funds. In May 2025, a wave of social-engineering attacks targeted customer-support staff at multiple major exchanges simultaneously. One platform’s overseas contractors were successfully bribed, exposing account data (though not funds or private keys) for a small percentage of users; two other major platforms facing the same attack pattern reported blocking it before any data was exposed. How an exchange responds to and discloses an incident is itself a signal — look for SEC filings or public postmortems, not just silence.
  • Any bug bounty program and how quickly disclosed vulnerabilities get patched. A documented case of an exchange patching a critical treasury-level bug within roughly an hour of discovery, for example, is a stronger signal than a platform with no visible bug bounty program at all.

4. Read the Fine Print on Custody and Withdrawal Rights

  • Can you actually withdraw to your own wallet, at any time, without excessive friction? Platforms that impose long holding periods, unusually low withdrawal limits, or opaque “review” delays on withdrawals deserve extra scrutiny — this was a late-stage symptom at several collapsed platforms before their formal failure.
  • Does the exchange lend out customer deposits, and do you know it? This is the core distinction between a straightforward exchange and a yield or lending product. If a platform is paying you a return on a “flexible” balance, that yield has to come from somewhere — read the terms to understand whether your assets are simply held, or actively deployed and therefore exposed to counterparty risk elsewhere.
  • Is the exchange a public company or otherwise subject to independent financial reporting? A publicly traded exchange files audited financials with a securities regulator on a recurring basis, which adds an additional layer of external scrutiny beyond the crypto-specific proof of reserves.

A Practical Pre-Deposit Checklist

Before funding a new exchange account, confirm you can answer yes to each of the following:

  • I checked the exchange’s license status directly on the regulator’s own site (state money transmitter database, NYDFS, ESMA’s CASP register, or equivalent) rather than trusting the exchange’s own claims.
  • I found independently audited or cryptographically verifiable proof of reserves, published within the last quarter.
  • I searched the exchange’s name plus “hack” and “insolvency” and read primary sources, not just aggregator rankings.
  • I know whether the exchange lends out, stakes, or otherwise deploys customer deposits by default, and I’ve opted in or out deliberately.
  • I’ve enabled two-factor authentication using an authenticator app or hardware key — never SMS-only, which is vulnerable to SIM-swapping.
  • I’ve set up a withdrawal address whitelist, if the exchange offers one, so funds can only be sent to addresses I’ve pre-approved.
  • I’m using a unique password for this exchange, not one reused from another account or breached database.
  • I have a plan to move funds off the exchange and into self-custody (a hardware or software wallet I control) for any amount I’m not actively trading.

That last point is the single most consequential lesson from every major exchange failure on record: proof of reserves, insurance funds, and regulatory licenses all reduce risk, but none of them eliminate it. The one protection that removes exchange-failure risk entirely is not depositing more than you need for active trading in the first place. Holding your long-term position in a wallet where you control the private keys means no exchange hack, freeze, or bankruptcy — regardless of how well-regulated or well-audited the platform was — can take it from you.

Frequently Asked Questions

Is proof of reserves enough to know an exchange is safe?

No. Proof of reserves verifies assets at a single point in time but says nothing about liabilities, related-party lending, or whether reserves were temporarily borrowed to pass the audit. Use it as one signal among several, not a standalone guarantee.

What’s the single biggest red flag when evaluating a crypto exchange?

An exchange-wide withdrawal freeze. Across documented exchange collapses since 2014, a paused withdrawal announcement was followed by insolvency in the large majority of cases. Treat it as an urgent signal to withdraw whatever you’re able to, rather than waiting for updates.

Does a regulatory license guarantee an exchange won’t fail?

No, but its absence is a meaningful warning sign. Several of the largest collapses in crypto history, including FTX, operated without a license in a strictly regulated jurisdiction like the US for their main exchange entity. A license doesn’t prevent failure, but it does mean an external regulator has reviewed the business and has authority to investigate and act if something goes wrong.

Should beginners keep funds on an exchange or move to self-custody?

For active trading, keeping a working balance on a reputable, audited exchange is normal and practical. For savings or long-term holdings you don’t need immediate access to, moving assets to a wallet where you hold the private keys removes exchange-failure risk entirely — it’s the only protection on this list that isn’t dependent on trusting a third party.