What’s the Big Deal With Keeping Coins on Exchanges?
You may have seen the friendly reminders from time to time. You know, those pesky ones that suggest you keep all or the heavy majority of your Bitcoin, Ethereum, Dash, etc. in separate external cold (offline) wallets? The wallets you’ve seen vague mentions of that are intimidating and seemingly incomprehensible specialized USB drives with codes longer than an L. Ron Hubbard novel that we’re all supposed to bury deep inside our closets and sock drawers and never, ever lose? This repetitive drone of people whispering in your ear that exchange wallets “can’t be trusted” can be pretty annoying, especially when it’s so convenient to just keep your coins on Binance for easy and quick trading. But these pesky reminders keep coming up on your Twitter accounts and various crypto news feeds for a reason.
The only way you can truly protect your valuable cryptoassets is to pull them off the exchanges where you purchased them and literally keep them in your possession, where you and you alone have physical access to them, even if it costs you some time in capitalizing on price fluctuations the next time Coinbase Pro or Binance announces there might, possibly, potentially in the future, be some coins they will be adding to their exchanges.
Just like you keep your valuable tangible assets like gold, diamonds, and others in a safe at home, there is an undeniable need to hold your cryptocurrency quite literally close to the vest in a similarly secure fashion. Yes, cryptocurrency exchanges have become (slightly) safer and more reliable over time as the industry has grown. But there is still a significant degree of risk when it comes to holding your coins on exchanges that have no self-regulatory organizations in place.
I am going to discuss some of the reasons that people should be wary of leaving large allocations of their precious crypto portfolios on even the most popular and supposedly airtight and un-breachable exchanges (looking at you, Coinbase Pro). I will also provide a brief history of some notable exchange hacks and controversies that have left users kicking themselves, wondering why they didn’t go through the relatively painless process of moving at least the majority of their cryptocurrencies into external wallets.
As Olivia Wood, an author for Blokt, puts it,
“The blockchain ensures the anonymity of every transaction, so tracing a single purchase back to the purchaser can be very difficult if not impossible. Furthermore, reversing a cryptocurrency transaction, even a fraudulent one, is all but impossible. If your ATM card is stolen, you can probably get your money back. If your Bitcoins are taken, you are most likely out of luck.”
If you want to trade your crypto assets at the drop of a hat without any hassle or delays, of course there is no more efficient way to do it than by simply holding and swapping your coins directly on your exchanges. For people who came over from traditional stock exchanges and online brokerage worlds, leaving exchanges as the primary holder of your funds may not seem like a big deal at all. Fraud protection, FDIC backing, and asset protection guarantees are common among traditional online brokerages.
This means that traders can rest easy knowing their funds stored and regularly traded on the sites will be reimbursed if the worst happens and a hack to their exchange occurs. Many online brokers, such as Merrill Edge, are directly connected to user bank accounts. With this knowledge, treating the location of your traditional tradable assets like a bank is an acceptable proposition, considering you can literally link the assets directly to your bank account as you trade.
Unfortunately, this convenience does not currently translate to most cryptocurrency exchanges.
Leaving cryptocurrency assets that you are not actively trading on exchanges is something you do at your own risk.
With the anonymity associated with cryptocurrency (by design), nobody is going to call you and notify you of a fraud alert if someone successfully breaks into your account and sends all of your funds to their own main account. The assumption in cryptocurrency is that if someone logs in with your account, it must be you. And if it’s not you, you are the only person who should be expected to care. You are responsible for yourself.
Most crypto exchanges do not have the convenience of claiming a perfect track record of complete safety. There are some exceptions, such as Coinbase Pro and a handful of others, which have been deemed by some to be “un-hackable”. But this is dangerous thinking. Yes, the exchange itself has yet to be penetrated, but thousands of individual accounts have already been broken into, even those set up with 2FA security (which is generally considered to be the ultimate, de facto line of defense against hacks).
Regardless of exactly how secure any exchange out there is, does it really matter whether they have histories of being un-hackable? Does the advantage of being able to set precise limit orders that can fill in the middle of the night for you outweigh the cost of potentially losing everything due to one simple security breach that compromises everything your exchange stands for?
Hot Wallets, Cold Wallets, Just Not Exchange Wallets
Whether you use hot or cold storage, a wallet kept separate from an exchange is generally a safer option than keeping your assets directly on an exchange. Yes, your exchanges will likely have no issue keeping your holdings safe and the coin values should remain accurately stored right down to the satoshi. But why take the chance on something that isn’t a complete certainty?
To the left are examples of both a mobile hot wallet and a ledger cold storage wallet, respectively. Both are great alternatives for holding your cryptoassets and ensure that they are not at risk of being lost due to any feared exchange hacks. Using them is actually a lot simpler than you may think. Just like exchange wallets, your hot wallet will be connected to the Internet, making it slightly less secure than the cold wallet alternative option. However, your own separate hot wallet has a few advantages:
- They are generally completely free to own
- Easy to access and understand compared to offline wallets
There are several options to choose from when it comes to hot wallet storage, and installation guides can walk you through the process of setting up your own key, saving your QR code, and securing it with 2FA if available. To access it any time, you can simply enter in your private key credentials from desktop websites, mobile websites, or apps associated with the wallet. Once inside your online wallet, you will have the option to view history, verify received payments, or enter address information for sending a transaction to another location.
As for the cold wallet storage option, several options are available:
- A USB drive (pictured above) that can be accessed through any USB-compatible device
- A paper wallet that has information which can simply be printed and stored at the user’s convenience
- A novelty “physical Bitcoin” with pertinent private key and public address
- An actual hardware wallet that uses a device to keep a user’s private keys safe.
The main advantages of these cold wallet, offline options are:
- They are virtually un-hackable, as the codes are completely in your physical possession
- Nothing is stored online, making other IP addresses or any brute force hacks irrelevant
Hellish History of Hacking
Now, for a brief history lesson on some notable exchange hacks. In 2014, Mt. Gox was a massive Bitcoin exchange. In fact, it was the largest Bitcoin exchange at the time, and the host to 70% of the coin’s trading. In February of that year, a hack took place using a transaction malleability exploit, and the losses came to 850,000 customer and company coins worth roughly $473 million during that period of time.
This amount translated to 7% of the entire world’s Bitcoin. To give an idea of how much a hack of that scale would be worth at today’s value, multiply that cash value by about 12.7 for a nice leisurely $5.7 billion. Within a few weeks after this scandal broke, the company was claimed to be insolvent. The major exchange was such a cornerstone of Bitcoin’s trading and value that Bitcoin’s price ultimately dipped 36% by the end of March as a result of what is still the biggest crypto hack to date. As of today, Mt. Gox still has 650,000 Bitcoins missing, with a large portion of creditors and former users of the site still unpaid.
Andrew Norri at Blockonomi explains the current state of the four-year-old Mt. Gox hack:
“Although it remains an ongoing investigation and the facts remain unclear at this time, it is presumed that most of the bitcoins that were stolen from Mt. Gox were taken from its online (or hot) wallets, including all of the currency being held in cold storage, due to a “leak” in the hot wallet.”
Another infamous hack occurred on the still-existent exchange, Bitfinex. A multi-signature wallet hack allowed hackers to lift 120,000 Bitcoin off of the Hong Kong-based site in August 2016. The exchange, currently ranked 5th in terms of volume, made the decision to provide multi-signature wallets for their users as an added security measure in 2015. However, this decision backfired on them, as hackers were able to have the exchange validate illegal Bitcoin transactions through the use of signatures that were shared by multiple accounts.
The hack had far more complex aspects to it than the CliffsNotes version I describe here, but the result was another 20% plunge in Bitcoin’s price. Bitfinex did get a black mark on its name for the incident, but it has since recovered impressively. The website issued its own BFX coins to users with stolen holdings and has slowly been buying them back as the website generates revenue to buy themselves out of their debt. Bitfinex also enhanced other aspects of their site, sped up withdrawals, and for this particular incident, was a fairly model example of how an exchange can earn back loyalty and avoid the death sentence that is probable for any company in these types of scenarios.
More recently, a name that you may have seen come up in the news a few times over the past year is South Korea’s largest exchange, Bithumb. On June 20th, the site was the victim of a $30 million hack. With the history of exchange hacks and the panic that typically follows, the price of Bitcoin predictably followed its familiar pattern and experienced a rapid drop of roughly 5%. The exchange keeps funds on both a company-owned hot wallet and cold wallet, and if not for their quick action to evacuate a large amount of their funds from their online to offline addresses, it is reported that the damage of stolen funds could have been significantly worse. In the past year, this was actually the third successful hack on the exchange.
The lesson that should be taken from cryptocurrency exchange failings is not simply to avoid cryptocurrency altogether. Many people outside of crypto get the impression that all of these hacks surrounding crypto imply that it is, by nature, an insecure asset that can’t possibly be kept shielded from theft and the prospect of being lifted from your possession at any time. This is not true, and there are several means to ensure your funds are 100% protected at all times. However, keeping funds on exchanges does put you at the exchange’s mercy, and it opens you up to grey area security practices and unregulated standards and policies that we know very little about. Do yourself a favor, and spend a couple hours setting up a hot wallet or purchasing a cold wallet. When the next exchange hack rolls around with unrecoverable funds (and there will be another), you will be thankful you had yourself protected.