Centralized Exchange Token Risks: What You Need to Know Before Depositing Crypto
David Wallace, 17 November 2025

When you deposit crypto on a centralized exchange like Binance, Coinbase, or Kraken, you’re not really holding your coins. You’re trusting someone else to hold them for you. That’s the core trade-off: convenience for control. And that trade-off comes with serious, well-documented risks that most new users never fully understand.

Why Centralized Exchanges Are the Biggest Target

Centralized exchanges (CEXs) handle over 98% of all cryptocurrency trading volume. They’re fast, easy to use, and let you buy Bitcoin with your bank card. But that same structure makes them the perfect target. Every major hack in crypto history - from Mt. Gox in 2014 to FTX in 2022 and WazirX in 2023 - happened on a centralized platform. In 2023 alone, $3.8 billion was stolen from exchanges. Not DeFi protocols. Not wallets. Exchanges. And not one dollar was stolen from a non-custodial DEX like Uniswap that year.

The reason is simple: centralized exchanges hold your private keys. That means they control your money. If their systems are breached, your assets are gone. Even if the exchange says it’s insured, most policies cover only a fraction of losses. In emerging markets, insurance often covers just 15-25% of assets. In the U.S., it’s higher - maybe 50-75% - but that still leaves you on the hook for the rest.

Security Gaps You Can’t See

Most exchanges don’t make their security practices public. But when you dig into reports from Chainalysis, CipherTrace, and the Blockchain Transparency Institute, the picture is clear. Only 38% of the top 20 exchanges use true multi-signature wallets. Without it, a single compromised employee with access could move funds. The average exchange keeps only 63% of assets in cold storage - offline, secure vaults. Experts recommend 95% or higher. That leaves over a third of user funds exposed online, vulnerable to hackers.

Patch delays are another silent killer. According to CoinGecko’s 2023 Security Index, exchanges take an average of 47 days to fix known vulnerabilities. In that time, attackers can exploit the same flaw that’s already been patched elsewhere. In the DMM Bitcoin hack in February 2024, $305 million was stolen, and users weren’t notified until 14 hours later.

Even big names aren’t safe. Binance scored just 5.2 out of 10 on the OSL Academy’s 2024 security rating, mainly because of weak withdrawal verification. Coinbase and Kraken scored higher - 7.5 and 7.8 - but even they’ve had breaches. In 2021, Coinbase temporarily restricted withdrawals during a market crash, locking up $1.2 million in assets for days. That’s not a hack. That’s a systemic risk: when the exchange decides it’s too risky to let you access your own money.

Insurance Is Not Protection

You’ve probably seen headlines like “Exchange Insures User Funds.” It sounds reassuring. But here’s the fine print: most exchange insurance doesn’t cover you directly. It covers the exchange’s liabilities. If a hacker steals $100 million, the insurer pays the exchange. Then the exchange decides how much - if any - to refund users. In the WazirX hack, $235 million vanished. Users got nothing. Not because the insurance didn’t exist - it did - but because the policy terms didn’t guarantee payouts to individuals.

A Harris Poll from February 2024 found that 87% of users thought their funds were protected like bank deposits. They weren’t. No CEX offers FDIC insurance. Your crypto isn’t held in a bank. It’s held in a digital vault owned by a private company. That company can go bankrupt. It can be hacked. It can be seized by regulators. And you, as a user, have no legal recourse beyond what’s written in their Terms of Service.

Coinbase’s own Terms of Service (Section 4.2, updated 2023) state clearly: “Funds held in your Account are not your property until withdrawn to self-custody.” That’s not a loophole. That’s the business model.

What Users Actually Do (And Why It’s Not Enough)

Most people think enabling two-factor authentication (2FA) is enough. It’s not. Over half of users still rely on SMS-based 2FA - the weakest form. Hackers can clone your SIM card or trick your phone provider into transferring your number. Only 41% use authenticator apps like Google Authenticator or Authy. Even fewer - just 22% - verify transaction signatures before approving withdrawals.

Withdrawal address whitelisting? Only 38% of active traders use it. That means if a hacker gets your login, they can send your coins to any address they choose. Hardware wallets? Only 12% of users connect them to their exchange accounts. That’s the gold standard for security - keeping your keys offline - but most people don’t bother.

And then there’s customer support. When something goes wrong, you’re stuck waiting. Tier-1 exchanges like Coinbase respond in about 8 hours on average. Tier-3 exchanges - smaller, less regulated ones - take up to 72 hours. During the WazirX breach, one user reported waiting 17 days just to get a reply. No compensation. No explanation.

The Regulatory Wild West

Regulations are catching up - slowly. The EU’s MiCA rules, effective since June 2024, require exchanges to hold minimum capital reserves and implement real-time monitoring. The U.S. SEC filed 57 enforcement actions against exchanges in 2023 - up from 29 the year before. That’s a sign the government is paying attention.

But enforcement is uneven. Exchanges like Thodex in Turkey collapsed in 2021 after regulators cracked down, leaving 400,000 users with nothing. Others, like Binance, quietly exited markets like Canada and the UK after regulatory pressure. You never know when your exchange might suddenly disappear - not because it was hacked, but because it broke a rule you didn’t even know existed.

What’s Changing - And What’s Not

Some exchanges are trying to improve. Coinbase rolled out multi-party computation (MPC) wallets in March 2024, which split key access across multiple systems to reduce single-point failures. Kraken now offers 100% insurance coverage up to $1 million per user. Binance added mandatory withdrawal confirmation delays.

But these are exceptions. Most exchanges still operate on outdated models. And even these improvements don’t solve the core problem: you still don’t own your crypto while it’s on the exchange.

Institutional investors - the big players with millions to manage - have already moved on. 68% now use third-party custodians like Fireblocks or Copper, not exchange wallets. They know the risk. Retail users? 83% of new crypto buyers in 2023-2024 started on centralized exchanges. But 47% of them move their funds to self-custody within 18 months. They learn the hard way.

What You Should Do

If you’re using a centralized exchange, treat it like a temporary holding account - not a long-term wallet. Here’s what to do:

  • Withdraw to self-custody as soon as you can. Use a hardware wallet like Ledger or Trezor. Keep your private keys offline.
  • Use authenticator apps, not SMS, for 2FA.
  • Enable withdrawal address whitelisting - only allow transfers to addresses you’ve pre-approved.
  • Never keep large amounts on an exchange. Treat it like a cash register - only what you need for active trading.
  • Read the Terms of Service. Know what you’re signing up for. Most users don’t.

Bottom Line

Centralized exchanges made crypto easy to enter. But they also made it dangerous. The convenience of buying Bitcoin with your credit card comes with the risk of losing it all in a single hack, regulatory crackdown, or internal failure. The data doesn’t lie: exchanges are the weakest link. If you want real security, you need to take control. Your crypto isn’t safe on an exchange. It’s only safe when you hold it yourself.

Are centralized exchange tokens insured?

Most centralized exchanges carry insurance, but it doesn’t mean you’ll get your money back. The insurance typically covers the exchange’s liabilities, not individual users. Payouts to users are at the exchange’s discretion, and many policies only cover a fraction of losses - sometimes as little as 15-25% in unregulated markets. Always assume your funds are not fully protected.

Can a centralized exchange steal my crypto?

Technically, yes - because they hold your private keys. While most exchanges operate honestly, they have full control over your assets while they’re on their platform. If the exchange is compromised internally, if its staff is corrupt, or if it goes bankrupt, your funds are at risk. There’s no legal guarantee you’ll get them back. Coinbase’s own terms state your funds aren’t your property until withdrawn.

Why do people still use centralized exchanges if they’re risky?

Because they’re easy. Centralized exchanges let you buy crypto with a bank card, trade quickly, and access dozens of coins without needing to understand wallets or private keys. For beginners, that’s invaluable. But it’s a trade-off: convenience for control. Most users don’t realize the risk until they lose money - or see someone else lose it.

Is it safe to leave crypto on Binance or Coinbase long-term?

No. Even the most reputable exchanges like Binance and Coinbase are targets for hackers and regulators. In 2023, 72% of exchanges experienced at least one security incident. Binance has been hacked before. Coinbase has restricted withdrawals during market stress. If you’re holding crypto for more than a few days, move it to a self-custody wallet. Your money is safer in your hands than in theirs.

What’s the difference between a centralized and decentralized exchange?

A centralized exchange (CEX) holds your crypto for you - you don’t control the keys. A decentralized exchange (DEX) like Uniswap lets you trade directly from your own wallet. You keep control, but you also bear full responsibility. DEXs don’t get hacked the same way CEXs do - because there’s no central vault to break into. But they’re harder to use and lack fiat on-ramps.

How can I protect myself if I must use a centralized exchange?

Use a strong, unique password. Enable authenticator app 2FA (not SMS). Whitelist withdrawal addresses. Never keep more than you need for trading on the exchange. Withdraw to a hardware wallet as soon as possible. Check the exchange’s security whitepaper - most don’t publish one, and that’s a red flag.