Exchange Security Checklist 2026

Exchange security checklist — five checks to run before depositing funds on a crypto exchange

A structured framework for evaluating any crypto exchange before you send money — covering Proof of Reserves, custody design, regulatory licensing, withdrawal controls, and the operational signals that formal compliance alone cannot capture.

Why This Checklist Exists

Would you hand £10,000 to a stranger without checking their credentials first? Between 2014 and 2022, cryptocurrency investors collectively lost over $12 billion by doing exactly that — depositing funds on exchanges that later collapsed. You can avoid the same mistake by running five structured checks before your first deposit, whether you plan to trade tokens, stake assets, or simply hold Bitcoin.

Consider the track record you should know about. Mt. Gox reported 850,000 BTC missing, roughly 650,000 BTC after a later recovery from an old wallet, so your share of a loss worth approximately $28 billion at today's prices. QuadrigaCX locked C$250 million behind a dead founder's passwords, leaving your funds permanently inaccessible. FTX commingled $8 billion in customer deposits with a sister trading firm, so your money funded someone else's trades. Each failure had warning signs you could have spotted months or years in advance. You simply had no structured way to look for them.

This page gives you that structure. You will learn four concrete checks you can run on any centralised exchange in under an hour, plus a fifth bonus check. Here is what you will verify: does your exchange demonstrably hold what it claims (Proof of Reserves)? How are your funds stored and who controls the keys (custody architecture)? Which jurisdictions can hold your exchange accountable (regulatory licensing)? What account-level protections can you enable (withdrawal controls)? How does your exchange behave when things go wrong (operational signals)?

You should keep two caveats in mind before you begin. First, passing all five checks does not make your exchange safe — it makes it safer than one that fails them. You should treat this framework as a risk reducer, not a risk eliminator. Second, if you have already chosen an exchange and want the full onboarding plan, you should start with our first 30 days on a crypto exchange guide instead. This page is Day 0 — the due diligence you should complete before registration, not after.

Each check below explains what you should look for, how you can verify it independently, which exchanges currently meet our standards, and which red flags should make you reconsider depositing. The three case studies at the end show you what happens when these checks are skipped — with real losses, real timelines, and real recovery outcomes as of April 2026.

How long should this take you? Running all five checks on a single exchange takes under an hour using publicly available sources. You can complete the red flags quick-scan in under five minutes. The investment of your time is trivial compared to the cost of depositing on an exchange that later collapses — as the case studies below will demonstrate.

Check 1: Proof of Reserves

What Proof of Reserves Actually Proves

How do you know your exchange actually holds your crypto? Proof of Reserves (PoR) is a cryptographic attestation that answers this question for you. You can think of it as a balance sheet audit — your exchange proves it controls at least as many assets as it owes to you and every other customer.

How does this work technically? The liabilities side uses a Merkle tree, the same hash-tree structure a blockchain uses to commit to the transactions in a block. Each leaf commits to one customer's hashed identifier and balance, each internal node commits to the hashes and the subtotals of its two children (a Merkle sum tree), and only the root is published. Your exchange gives you the path of sibling hashes from your own leaf up to that root, so you can confirm that your balance is counted in the total without learning anyone else's. The assets side is separate: the exchange signs messages from the on-chain addresses it controls, and a third party attests that those holdings, across every token, staking position, and stablecoin, cover the total the root commits to. You can check the inclusion proof yourself on exchanges that provide verification tools.

Where did this start? Kraken conducted the first cryptographic PoR audit in March 2014, completed by auditor Stefan Thomas. You should know that since then, PoR has become an industry expectation — but implementation quality varies enormously, so you must evaluate each exchange's approach individually.

What You Should Check in a PoR Report

Not all PoR reports are equal. When you evaluate an exchange's attestation, you should look for these specific elements:

  • Snapshot frequency: Is the report a one-time snapshot or published on a regular schedule? You should prefer frequent, regular reports (OKX publishes monthly) over one-off or irregular ones. A single snapshot proves solvency at one moment but tells you nothing about the days between reports.
  • Auditor independence: Was your exchange's attestation conducted by an independent third-party auditor, or is it self-attested? You should treat self-attested PoR with significant scepticism — it is like grading your own exam.
  • Asset coverage: Does your report cover only BTC and ETH, or your full range of deposited assets including stablecoins? You should be concerned if the PoR proves BTC reserves while ignoring your USDT liabilities.
  • Liabilities side: Does your exchange's report include customer liabilities, or only asset proof? For example, showing that an exchange controls 100,000 BTC is meaningless without proving that customers are owed less than 100,000 BTC. You must check for this — it is the critical distinction that FTX exploited.
  • User verification: Can you independently verify that your own balance is included in the Merkle tree? You should test this — OKX and Kraken provide tools that let you check your inclusion proof directly.
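
To make the Merkle-sum mechanism above and the "verify your own inclusion" check concrete, here is an added Python example (not code from this page, nor any exchange's verification tool). It builds a small liabilities tree from constructed sample balances, produces the inclusion proof a customer would receive, verifies it against the published root with nothing but the customer's own balance, and rejects the negative-balance trick that lets a dishonest prover shrink its apparent liabilities. The user IDs, balances, and per-user salt derivation are assumptions for illustration; a real system issues random salts and attests the assets side separately.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data for the example: customer IDs and BTC balances in satoshis.
SAMPLE_BALANCES = [
    ("user-a", 150_000_000),
    ("user-b", 20_000_000),
    ("user-c", 375_000_000),
    ("user-d", 5_000_000),
    ("user-e", 990_000_000),
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Node:
    digest: bytes  # hash commitment
    total: int     # sum of balances beneath this node, in satoshis


# Padding node for odd-sized levels; it carries no balance.
EMPTY = Node(sha256(b"empty"), 0)


def user_salt(user_id: str) -> bytes:
    # Assumption for the example: a real exchange issues each user a random
    # salt alongside their proof so leaves cannot be brute-forced from small balances.
    return sha256(b"salt:" + user_id.encode())[:16]


def leaf(user_id: str, balance: int) -> Node:
    if balance < 0:
        raise ValueError("negative balances are never valid leaves")
    digest = sha256(b"leaf" + user_salt(user_id) + user_id.encode() + balance.to_bytes(8, "big"))
    return Node(digest, balance)


def parent(left: Node, right: Node) -> Node:
    # The hash commits to both children's digests AND their subtotals, so a prover
    # cannot alter any subtotal without changing every hash above it.
    data = (b"node" + left.digest + left.total.to_bytes(8, "big", signed=True)
            + right.digest + right.total.to_bytes(8, "big", signed=True))
    return Node(sha256(data), left.total + right.total)


def build_levels(balances) -> List[List[Node]]:
    """Bottom-up tree: levels[0] are the leaves, levels[-1] holds the published root."""
    levels = [[leaf(uid, bal) for uid, bal in balances]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels, index: int) -> List[Tuple[bytes, int, bool]]:
    """What the exchange hands a customer: (sibling digest, sibling subtotal,
    sibling_is_left) for every level below the root."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib].digest, level[sib].total, sib < index))
        index //= 2
    return proof


def verify_inclusion(root: Node, user_id: str, balance: int, proof) -> bool:
    """Run by the customer with nothing but their own balance, the proof and the
    published root; no other customer's balance is revealed."""
    node = leaf(user_id, balance)
    for sib_digest, sib_total, sib_is_left in proof:
        if sib_total < 0:
            # A negative subtotal on the path means the prover inserted a negative
            # balance to shrink total liabilities; an honest tree never has one.
            return False
        sib = Node(sib_digest, sib_total)
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node.digest == root.digest and node.total == root.total


def reserve_ratio(root: Node, attested_on_chain_assets: int) -> float:
    """Assets side divided by the liabilities the root commits to; 1.0 or more means
    the snapshot covered every customer balance at that moment."""
    return attested_on_chain_assets / root.total
```

The property to notice is that the verifier learns the root total (the exchange's total customer liabilities) as a by-product of checking its own path, so a published root plus an attested asset figure gives you the reserve ratio without trusting the exchange's arithmetic. Note what the check does not do: it says nothing about whether the attested assets are encumbered, which is the limitation discussed under "What PoR Cannot Tell You".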

Current PoR Status You Can Verify (as of April 2026)

How do your options compare? Kraken has maintained continuous PoR since 2014 — you can verify your own balance using their audit tools. Binance launched its PoR system in late 2022 and you can check periodic attestations covering BTC, ETH, USDT, and other major assets.

OKX publishes monthly PoR reports with Merkle tree verification that you can check yourself. For example, you can confirm that their March 2026 report showed 101% backing for BTC, 103% for ETH, and 100% for USDT. Coinbase takes a different approach: as a publicly traded company on NASDAQ, it files quarterly (10-Q) and annual (10-K) reports with the SEC, and its annual financial statements are audited by Deloitte, so you can read those rather than relying on cryptographic attestation.

What PoR Cannot Tell You

Here is the critical limitation you must understand. PoR proves that the exchange controlled certain on-chain assets at one moment, but it cannot tell you whether those assets are pledged as collateral elsewhere, lent to a sister company, locked in DeFi smart contracts with governance obligations, or simply borrowed for the snapshot and returned afterwards. The liabilities side is equally narrow: a Merkle tree of customer balances says nothing about off-chain debts such as loans from affiliates. This is exactly how FTX maintained an appearance of solvency: your deposits sat in wallets FTX controlled, but they were simultaneously committed to cover Alameda Research's trading losses and token positions.

This limitation is why you should treat PoR as necessary but not sufficient. If an exchange refuses to publish any form of PoR, you should consider that a strong red flag. But passing PoR alone does not mean your funds are safe. You need the remaining four checks to build a more complete picture of whether your chosen exchange can be trusted.

Check 2: Custody Architecture

Hot and Cold Storage Ratios

Where are your funds actually stored? Every exchange you use maintains hot wallets (connected to the internet for quick withdrawals) and cold wallets (offline, holding your funds securely). You should look for exchanges that keep 95% or more of your assets in cold storage — this is the industry standard that you can verify. Binance, OKX, Kraken, Bybit, and Coinbase all claim 95-98% cold storage ratios for your deposits.

Why should you care about this ratio? Because hot wallets are where funds face the most risk. For example, the 2020 KuCoin hack cost approximately $285 million, and because customer balances are pooled, the exposure was the hot-wallet share of the total rather than any one customer's holdings. KuCoin recovered 84% of the stolen funds through coordination with other exchanges and covered the remaining losses from its own reserves. If you see your exchange quoting a lower ratio, or declining to disclose the split, you should investigate further before depositing.

Key Management: MPC, Multisig, and Single-Key

How does your exchange manage the private keys that control your cryptocurrency funds? This is as important as where your funds are stored — whether you hold Bitcoin, Ethereum staking positions, DeFi tokens, or NFT assets. You should understand three architectures:

  • Multi-signature (multisig): A transaction must be authorised by multiple distinct private keys, for example 3 of 5 keys held by different people. You should prefer this approach because no single person can move funds alone, and the spending policy is enforced and visible on-chain. It is the most battle-tested architecture: native to Bitcoin script, and implemented on Ethereum through smart-contract wallets such as Safe.
  • Multi-party computation (MPC): The signing key exists only as secret shares held by separate parties. A threshold protocol generates the shares and produces signatures jointly, so the full key is never assembled anywhere, not even at creation. MPC works with any chain that accepts an ordinary single signature, which is why custodians favour it, but it is newer, its policy is enforced in software rather than on-chain, and an MPC-controlled address is indistinguishable from a single-key one to an outside observer.
  • Single-key: One private key controls all funds; if that key is compromised or lost, everything is lost. You must avoid any exchange still using single-key custody. Single-operator control of keys is what turned Mt. Gox's thefts and the death of QuadrigaCX's founder into total losses.

Third-Party Custody Providers

Some exchanges outsource cold storage to specialised custody firms like Fireblocks, BitGo, or Copper. Why should this matter to you? Because, when the arrangement is structured that way, the exchange cannot unilaterally move funds: the custodian holds a required key share or signature and enforces a transaction policy (named approvers, limits, destination allow-lists) before it co-signs anything leaving its vaults. That separation raises the bar against the kind of internal fraud where a rogue executive redirects deposits. One caveat: some of these providers also sell wallet software that the exchange operates with its own signers, so ask whether the provider is actually a required signer or only a technology vendor.

How can you verify this? First, check whether your exchange publicly names its custody provider. Then check whether that provider publishes a SOC 2 Type II report. SOC 2 is an attestation report, not a certification: an independent auditor tests the provider's controls against the trust services criteria (security, plus optionally availability, processing integrity, confidentiality, and privacy). A Type I report describes the controls at one point in time; a Type II report tests whether they operated effectively over a review period, typically 6 to 12 months. A current Type II report for the custodian gives you more confidence that the controls protecting your funds work in practice, not only on paper.

Insurance Coverage

What happens if your exchange's security fails despite good custody? Insurance adds a financial recovery layer for you. You should check for two types: commercial insurance (such as Lloyd's of London policies) and self-insurance funds. For example, Binance maintains the SAFU fund valued at over $1 billion to cover your losses from security breaches. You can also verify that Coinbase holds a commercial crime insurance policy from Lloyd's, and OKX maintains an insurance fund exceeding $500 million for your protection.

Should you rely on insurance alone? No — it is a last resort, not a substitute for good custody. You should also know that most insurance policies exclude losses from fraud committed by the exchange itself, which is exactly the scenario you are trying to detect with this framework. Check whether your exchange has coverage, but do not let it be your reason to skip the other four checks.

Custody Red Flags You Should Watch For

  • Your exchange refuses to disclose its hot/cold storage ratio or key management architecture
  • You cannot find a named custody provider or auditor for cold storage
  • You see "trust us" messaging without verifiable technical detail
  • You can identify single-signature address types holding large balances through on-chain analysis (bear in mind that MPC-signed and Taproot key-path addresses look like single-key addresses on-chain, so ask the exchange which it is)
  • Your exchange discloses no insurance fund or commercial insurance policy

Check 3: Regulatory Licensing

The Regulatory Landscape in 2026

What does "regulated" actually mean for your exchange? The answer depends entirely on the jurisdiction. Some regulatory regimes impose genuine oversight with real consequences for non-compliance. Others offer a licence that amounts to little more than a registration fee. You should understand the difference before trusting any regulatory claim:

  • United States: You can check for FinCEN MSB registration at the federal level, state money transmitter licences, and the New York BitLicense, the most demanding of the US state-level crypto licences.
  • European Union: MiCA became fully applicable on 30 December 2024, so you can now verify whether your exchange holds a unified EU licence. MiCA requires capital reserves, client asset segregation, and ongoing compliance reporting — all of which should protect you as a depositor.
  • United Kingdom: You should check the FCA register for cryptoasset firm registration. This covers AML/KYC compliance but does not impose the same capital adequacy requirements as MiCA — so your protection is narrower.
  • Dubai (UAE): VARA grants licences for exchange operations that you can verify on the public register at vara.ae before you deposit.
  • Singapore: MAS regulates crypto services under the Payment Services Act, so you should verify your exchange's MAS registration directly before committing your funds.
  • Japan: The FSA requires exchange registration — one of the earliest national licensing regimes, established after the Mt. Gox collapse specifically to protect customers like you.

Where Can You Verify Major Exchange Licences?

You should check your specific exchange's licences before depositing any of your funds. You can verify that Binance holds a full VARA licence in Dubai (upgraded from MVP in April 2024), a France AMF registration, and an Abu Dhabi ADGM licence (operational from January 2026). If you are in the EU, the French AMF registration should cover you. You must check the supported-countries page for your specific location before you send any money.

Kraken should give you the most confidence on regulatory breadth if you value multi-jurisdictional oversight. You can verify its FinCEN MSB registration (US), FCA registration (UK), MiCA compliance (EU), FINTRAC registration (Canada), AUSTRAC registration (Australia), and FSA registration (Japan). You should recognise that this breadth across six demanding jurisdictions is a strong trust signal you can verify independently.

What about OKX and Coinbase? You can verify that OKX operates licensed entities in Malta, Japan, Singapore, and the UAE, each one checkable on the relevant regulator's register. Coinbase is the only major exchange listed on NASDAQ (ticker: COIN), which means you can read its Deloitte-audited financial statements and SEC filings yourself, a level of financial transparency that should give you more confidence than any privately held exchange can offer.

How to Independently Verify a Licence

You should never rely on what the exchange claims on its own website. Every major regulator maintains a public register where you can verify whether a specific entity holds a valid, current licence:

  • UK FCA: You can search the Financial Services Register at register.fca.org.uk
  • US FinCEN: You can search the MSB Registrant Search at fincen.gov
  • EU/MiCA: You should check the national competent authority — for example, AMF in France or BaFin in Germany
  • Dubai VARA: You can search the public register at vara.ae
  • Singapore MAS: You should check the Financial Institutions Directory at mas.gov.sg

One important detail you must remember: search for your exchange's legal entity name, not its brand name. For example, you should search for Binance FZE (Dubai) or Binance France SAS (EU), not just "Binance." If you cannot find the legal entity on the regulator's register, you should investigate further before depositing your funds — the licence claim may be false or your exchange may operate under a name you do not recognise.

What "Regulated" Does Not Guarantee

Can you trust a regulated exchange unconditionally? No — and you should understand why. FTX held licences in the Bahamas and was registered with FinCEN, yet it lost $8 billion in customer funds that could have been yours. You should note that the Bahamian licence came from a small jurisdiction with limited supervisory capacity, so you must weight the quality of the jurisdiction as heavily as the existence of the licence itself.

What should you prioritise when checking your exchange's licences? A MiCA authorisation is the strongest single signal because it imposes capital requirements, client asset segregation, and ongoing supervision with real enforcement consequences. An FCA registration tells you the firm passed AML scrutiny and answers to a regulator that does enforce, but, as noted above, it does not carry MiCA's capital requirements, so treat it as necessary rather than sufficient. Be wary of offshore licences with minimal supervisory infrastructure: these provide legal cover for the exchange, not meaningful protection for your funds. If your exchange is licensed only in jurisdictions without serious financial supervision, treat that as a yellow flag at minimum.

Check 4: Withdrawal Controls

Withdrawal Address Whitelisting

What happens if someone gains access to your exchange account? With withdrawal whitelisting enabled, they still cannot steal your funds, because withdrawals can only go to addresses you pre-approved. Enable this feature immediately after creating your account. Adding a new address triggers a cooldown, typically 24-48 hours depending on the exchange, during which you receive email and app notifications that give you time to detect and cancel the change. The control only holds if switching the whitelist off is delayed in the same way, so check that too: an attacker who can disable it instantly gains nothing by waiting.

How should you set this up? On Binance, navigate to Security, then Withdrawal Whitelist, then toggle the feature on and add your wallet addresses. On OKX, go to Security Centre, then Withdrawal Addresses, and add your trusted addresses. On Kraken, you should use Security, then Global Settings Lock — this locks your entire security configuration behind a 24-72 hour time-delay that you can configure.

Why does Kraken's approach deserve your attention? Unlike basic whitelisting, Global Settings Lock delays every security modification — even by someone with full account access — and triggers notifications on every registered contact method. This is the strongest withdrawal control you can enable on any major exchange as of 2026.
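
As an added illustration (not code from Kraken or any other exchange), the following Python model shows why the cooldown, and the delay on disabling the control, are what make whitelisting useful: it applies the same delay to adding an address and to switching the whitelist off, makes removal immediate so the real owner can cancel an attacker's addition at once, and walks through a constructed account-takeover timeline. The 24-hour value, the address strings, and the timestamps are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOUR = 3600
# Assumed cooldown for the example; real exchanges use roughly 24-48 hours.
COOLDOWN = 24 * HOUR


@dataclass
class Account:
    whitelist_enabled: bool = True
    # address -> timestamp from which withdrawals to it are allowed
    whitelist: Dict[str, int] = field(default_factory=dict)
    # pending request to switch the whitelist off, effective only after its own cooldown
    disable_effective_at: Optional[int] = None
    notifications: List[str] = field(default_factory=list)


def add_address(acct: Account, addr: str, now: int) -> None:
    """Any addition, even by a logged-in attacker, starts the cooldown and notifies the owner."""
    acct.whitelist[addr] = now + COOLDOWN
    acct.notifications.append(f"t={now // HOUR}h: address {addr} added, usable from {(now + COOLDOWN) // HOUR}h")


def remove_address(acct: Account, addr: str, now: int) -> None:
    """Removal is immediate, so the real owner can cancel an attacker's addition at once."""
    acct.whitelist.pop(addr, None)
    acct.notifications.append(f"t={now // HOUR}h: address {addr} removed")


def request_disable(acct: Account, now: int) -> None:
    """Switching the control off is delayed too; otherwise an attacker would simply disable it."""
    acct.disable_effective_at = now + COOLDOWN
    acct.notifications.append(f"t={now // HOUR}h: whitelist disable requested, effective {(now + COOLDOWN) // HOUR}h")


def cancel_disable(acct: Account, now: int) -> None:
    acct.disable_effective_at = None
    acct.notifications.append(f"t={now // HOUR}h: whitelist disable cancelled")


def withdraw(acct: Account, addr: str, now: int) -> Tuple[bool, str]:
    """Policy decision for a withdrawal request to addr at time now."""
    if acct.disable_effective_at is not None and now >= acct.disable_effective_at:
        acct.whitelist_enabled = False  # a pending disable has matured
        acct.disable_effective_at = None
    if not acct.whitelist_enabled:
        return True, "allowed: whitelist is off"
    usable_from = acct.whitelist.get(addr)
    if usable_from is None:
        return False, "denied: address not on whitelist"
    if now < usable_from:
        return False, f"denied: address in cooldown for {(usable_from - now) // HOUR} more hours"
    return True, "allowed: whitelisted address past cooldown"


def takeover_scenario() -> Tuple[Account, List[Tuple[int, str, str, bool]]]:
    """Constructed timeline: the owner enrols on day 0; an attacker holds a fully
    authenticated session from hour 30; the owner reads the notifications at hour 36."""
    acct = Account()
    log: List[Tuple[int, str, str, bool]] = []

    def attempt(who: str, addr: str, now: int) -> None:
        ok, _ = withdraw(acct, addr, now)
        log.append((now // HOUR, who, addr, ok))

    owner_wallet, attacker_wallet = "bc1q-owner-hardware-wallet", "bc1q-attacker"
    add_address(acct, owner_wallet, 0)
    attempt("owner", owner_wallet, 1 * HOUR)           # still in cooldown
    attempt("owner", owner_wallet, 25 * HOUR)          # cooldown passed
    add_address(acct, attacker_wallet, 30 * HOUR)      # attacker is logged in
    request_disable(acct, 30 * HOUR)                   # attacker also tries to turn the control off
    attempt("attacker", attacker_wallet, 30 * HOUR)    # blocked by cooldown
    remove_address(acct, attacker_wallet, 36 * HOUR)   # owner reacts to the notifications
    cancel_disable(acct, 36 * HOUR)
    attempt("attacker", attacker_wallet, 55 * HOUR)    # blocked: no longer whitelisted
    attempt("attacker", owner_wallet, 55 * HOUR)       # allowed, but lands in the owner's own wallet
    return acct, log
```

The last attempt is the interesting one: the attacker can still trigger a withdrawal, but only to the owner's own hardware wallet. The cooldown is the entire defence; if the owner never reads the notifications, the pending disable matures and the control evaporates, which is why Kraken's Global Settings Lock, which delays every security change, is the stronger form.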

Which 2FA Method Should You Use?

Not all 2FA methods protect your account equally. Here is the hierarchy you should follow from weakest to strongest, so you can choose the best option for your situation:

  • SMS (weakest): Avoid SMS 2FA wherever the exchange offers anything else. SIM-swap attacks, where an attacker convinces your mobile provider to transfer your number to their SIM card, intercept every SMS verification code, and they have been used to steal millions from individual crypto holders.
  • TOTP authenticator apps (strong): Use Google Authenticator or Authy as your minimum standard. These apps derive each code locally from a shared secret and the current time, so there is nothing for a SIM-swapper to intercept. They do not protect you from a real-time phishing page that relays your code to the genuine site within the 30-second window, which is why hardware keys rank higher. If you lose your phone, you will need the backup codes you recorded during setup, so write those down and store them securely.
  • Hardware security keys (strongest): You should consider a YubiKey or Google Titan key for maximum protection. These use the FIDO2/U2F protocol, which verifies the domain cryptographically to protect you from phishing. Even if you visit a perfect phishing replica, your hardware key refuses to authenticate because the domain does not match. You can use hardware keys on Kraken, Binance, Coinbase, and OKX.
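
To show the gap between the two strong tiers, here is an added Python example (not from this page or any vendor) that implements RFC 6238 TOTP with the standard library and then a deliberately simplified model of a FIDO assertion. The model substitutes an HMAC key for the real per-site public-key pair and keeps only the fields that matter for origin binding: the authenticator scopes credentials by the site's domain, signs a hash of client data that names the origin, and the server checks both. The origins, secrets, and challenge values are constructed; real WebAuthn client data and authenticator data carry more fields than shown here.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed origins for the example.
REAL_ORIGIN = "https://exchange.example"
PHISH_ORIGIN = "https://exchange-login.example"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_relay_succeeds(secret: bytes, typed_at: int, relayed_at: int) -> bool:
    """Victim types a code on the phishing page; the attacker submits it to the real
    site a few seconds later. The server cannot tell the two submissions apart."""
    code_from_victim = totp(secret, typed_at)
    return hmac.compare_digest(code_from_victim, totp(secret, relayed_at))


def rp_id(origin: str) -> str:
    """Effective domain the credential is scoped to (scheme stripped)."""
    return origin.split("://", 1)[1]


class Authenticator:
    """Simplified FIDO2/U2F key. SIMPLIFICATION: an HMAC key stands in for the
    per-site key pair a real authenticator generates."""

    def __init__(self):
        self.credentials = {}  # rp_id -> key

    def register(self, origin: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id(origin)] = key
        return key  # the server stores this (a public key in the real protocol)

    def sign(self, origin: str, challenge: str):
        rid = rp_id(origin)
        if rid not in self.credentials:
            # Browser and authenticator only offer credentials scoped to the
            # current page's domain; a look-alike domain has none.
            raise LookupError(f"no credential registered for {rid}")
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        to_sign = hashlib.sha256(rid.encode()).digest() + hashlib.sha256(client_data).digest()
        return client_data, hmac.new(self.credentials[rid], to_sign, hashlib.sha256).digest()


def server_verify(stored_key: bytes, expected_origin: str, challenge: str,
                  client_data: bytes, signature: bytes) -> bool:
    """Relying-party checks: the origin named in the signed client data must be its
    own, the challenge must be the one it issued, and the signature must cover both."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False
    to_sign = (hashlib.sha256(rp_id(expected_origin).encode()).digest()
               + hashlib.sha256(client_data).digest())
    return hmac.compare_digest(hmac.new(stored_key, to_sign, hashlib.sha256).digest(), signature)


def fido_phishing_attempt(auth: Authenticator, stored_key: bytes) -> str:
    """The phishing page relays the real server's challenge to the victim's browser."""
    challenge = secrets.token_hex(16)  # issued by the real server
    try:
        client_data, sig = auth.sign(PHISH_ORIGIN, challenge)
    except LookupError:
        return "blocked at authenticator: no credential for the phishing domain"
    # Not reached with a correct authenticator; the server's origin check is the backstop.
    if server_verify(stored_key, REAL_ORIGIN, challenge, client_data, sig):
        return "server accepted"
    return "blocked at server: origin mismatch"


def fido_legitimate_login(auth: Authenticator, stored_key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    client_data, sig = auth.sign(REAL_ORIGIN, challenge)
    return server_verify(stored_key, REAL_ORIGIN, challenge, client_data, sig)
```

The contrast is the whole point: a TOTP code is a bearer value that is valid wherever it is typed for the next 30 seconds, while a FIDO assertion is a signature over the origin the browser actually connected to, so a look-alike domain cannot obtain one, and a forwarded or edited assertion fails the server's origin and challenge checks.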

How to Secure Your API Keys and Sub-Accounts

Do you use trading bots or portfolio trackers that connect via API? Then verify that each API key has the minimum necessary permissions. A portfolio tracker should have read-only access. A trading bot should have trade permission and nothing more. Never grant withdrawal permission to either; doing so creates an unnecessary attack surface that could cost you your entire balance if the key leaks. Where the exchange offers it, also restrict each key to the IP addresses of the host that uses it, and delete keys you no longer use rather than leaving them active.

You should also consider sub-account isolation if you trade actively. Sub-accounts on Binance and OKX let you separate funds into independent accounts with their own API keys. If one key is compromised, only that sub-account is exposed — your main account stays safe.

The Best Withdrawal Control: Self-Custody

Every control discussed above operates within your exchange's infrastructure — and ultimately depends on the exchange functioning honestly. What is the strongest withdrawal control you can implement? Move your cryptocurrency to a wallet where you hold the private keys directly. A hardware wallet removes the exchange from the equation entirely — your tokens sit on the blockchain, controlled by a key that only you possess, immune to exchange insolvency or governance failures.

You should also consider gas fee costs when planning your withdrawal strategy — moving assets from your exchange to a personal wallet costs you a blockchain transaction fee that varies by network congestion and the token you are transferring. You can learn how to select and configure a hardware wallet in our hardware wallet security guide, which compares Ledger, Trezor, Keystone, and Tangem architectures. Our recommendation: you should keep only the amount you are actively trading on an exchange, and move everything above £1,000 to cold storage.

Withdrawal Control Red Flags

  • You cannot find a withdrawal whitelisting feature on your exchange
  • Your exchange offers SMS-only 2FA with no TOTP or hardware key support
  • You see no API permission granularity — it is all-or-nothing access
  • Your exchange has no cooldown period on new withdrawal address activation
  • You experience unexplained withdrawal delays or sudden limit reductions

Check 5 (Bonus): Operational Security Signals

Why You Need More Than Four Checks

Why should you bother with a fifth check? Because FTX passed the first four formally — it published reserve information, it held regulatory licences, and it offered you withdrawal whitelisting and 2FA. Yet your funds were still at risk because the fraud operated behind these compliant surfaces. You could only detect it through operational behaviour that no compliance checkbox can capture. This fifth check exists because FTX demonstrated that formal compliance alone cannot protect your deposits.

How to Read Incident Response History

How does your exchange respond when something goes wrong? This question should matter more to you than any marketing page. You should compare two contrasting examples to understand what good and bad responses look like for your protection.

In September 2020, KuCoin suffered a $285 million hot wallet breach attributed to North Korea's Lazarus Group. What did KuCoin do for its customers? They immediately froze deposits and withdrawals to protect your remaining funds, transferred assets to new wallets, and coordinated with other exchanges to freeze stolen cryptocurrency. You can read their detailed post-mortems published throughout the recovery process. Within weeks, they recovered 84% of stolen funds and covered the rest from their own reserves — so you would not have lost any money as a KuCoin customer.

Now contrast this with how Mt. Gox treated you as a customer. They experienced ongoing thefts from 2011 through early 2014 without telling you about any of them. When your loss of approximately 650,000 BTC became undeniable in February 2014, the exchange simply went offline — giving you no proactive communication, no recovery coordination, and no protection for your funds. Can you see the difference? You should look for exchanges that respond like KuCoin and avoid those that respond like Mt. Gox.

Transparency Indicators You Can Verify

  • Public post-mortems: After any incident, does your exchange publish a detailed timeline and remediation plan? You should be able to find these on their blog.
  • Bug bounty programmes: Can you find active programmes on HackerOne with published payout records? This tells you the exchange invests in proactive security testing rather than reactive crisis management.
  • External audit frequency: Does your exchange conduct SOC 2 Type II audits annually and penetration testing quarterly? You should be able to find summaries of these results.
  • Engineering transparency: Does your exchange maintain a public engineering blog or contribute to open-source projects? For example, Coinbase and Kraken contribute to blockchain node software, and Binance maintains open-source libraries.
  • Team visibility: Can you find the CEO and senior leadership with verifiable professional histories? Do they give interviews and speak at conferences where you can assess their credibility?

Operational Red Flags You Must Not Ignore

  • You cannot identify the founding team — no LinkedIn profiles, no conference appearances, no verifiable history. This should concern you because it was a primary warning sign for QuadrigaCX.
  • You find no public record of any security incidents — this is suspiciously clean. Every exchange that has operated for more than two years has faced attack attempts.
  • You see marketing that emphasises "guaranteed yield" or "risk-free returns" — language that no legitimate exchange should use because it is legally indefensible.
  • You notice referral bonus marketing dominating over product marketing — a pattern you should recognise from schemes that prioritise new deposits over sustainable operations.
  • You read claims of "we are the safest exchange" without published audits, PoR reports, or named custody providers. You should demand evidence, not assertions.

What Happens When Checks Fail: Three Case Studies

[Figure: Five-check exchange security framework (PoR, custody, licensing, withdrawals, operations). Caption: How you can apply the five-check framework to evaluate your exchange, based on three historical collapses.]

Mt. Gox (2011-2014): The Original Exchange Collapse

Imagine you had deposited your Bitcoin on the exchange that handled around 70% of global bitcoin trading volume at its peak. That was Mt. Gox, and on 7 February 2014 it halted all withdrawals. Your funds were gone. This was the first demonstration that an exchange could simply vanish along with your money.

What went wrong with your funds? Court documents revealed that attackers systematically siphoned BTC from Mt. Gox hot wallets beginning as early as September 2011. For example, the first breach in June 2011 saw 25,000 BTC stolen from 478 accounts. You should note that Mt. Gox had no Proof of Reserves, no multisig custody, and relied on single-key architecture for your cold storage. If you had checked for these signals, you would have found none of them present.

On 24 February 2014, you would have seen the website go offline. On 28 February, your exchange filed for bankruptcy. Your loss disclosure reported 850,000 BTC missing — though 200,000 BTC were later discovered in a forgotten wallet, reducing your permanent loss to approximately 650,000 BTC worth more than $28 billion at today's prices.

How long did recovery take? You would have waited over a decade. The first BTC repayments to creditors began in July 2024 — more than ten years after the collapse. By March 2025, approximately 19,500 creditors had received partial repayments. The deadline has been extended to 31 October 2026. If you had deposited on Mt. Gox, you would likely never recover the full value of your original deposit.

What would our framework have caught? Check 1 (no PoR) and Check 2 (single-key custody). Running those two checks in 2012 would not have revealed the missing coins directly, but it would have shown that you had no way to verify solvency and that a single operator controlled the keys, both reasons to keep your balance there small.

QuadrigaCX (2019): Single Point of Human Failure

QuadrigaCX was Canada's largest crypto exchange when its founder, Gerald Cotten, died on 9 December 2018 in Jaipur, India. Here is why that destroyed your funds if you were a depositor: Cotten was the sole custodian of all cold wallet private keys. When he died, your keys died with him — and C$250 million (approximately US$190 million) in customer funds became permanently inaccessible.

But the Ontario Securities Commission's investigation revealed something worse for you. QuadrigaCX had been operating as what the OSC called "effectively a Ponzi scheme." You should understand what this means: Cotten had created fake accounts, credited them with fictitious balances, and traded against real customers with phantom funds. Ernst & Young identified a C$169 million asset shortfall from Cotten's fraud — your losses existed before his death.

What did you recover if you were a creditor? In May 2023, Ernst & Young distributed 13.094% of proven claims — approximately C$39.5 million across 17,648 creditors. You lost 87% of your funds permanently.

What would our framework have caught? Check 2 (single-person custody — no multisig, no third-party custodian) and Check 5 (Cotten was the sole technical operator with no named team). If you had asked "who else can access the keys?" the single-person dependency would have been an obvious existential risk.

FTX (November 2022): When Formal Compliance Masks Fraud

FTX was the third-largest crypto exchange by volume. If you had deposited there, you would have felt safe — the brand sponsored the Miami Heat arena, Major League Baseball, and Formula 1 teams. Sam Bankman-Fried testified before the US Senate. Everything projected compliance and transparency.

What was actually happening with your funds? FTX was funnelling your deposits to Alameda Research — a trading firm also controlled by Bankman-Fried. Your shortfall reached approximately $8 billion. On 2 November 2023, you would have learnt that a jury found Bankman-Fried guilty on all seven counts. On 28 March 2024, he was sentenced to 25 years in prison and ordered to forfeit $11 billion.

How much did you recover if you were a creditor? The bankruptcy estate recovered between $14.7 billion and $16.5 billion through asset liquidation. By early 2026, approximately $7.1 billion had been returned to you. If your claim was under $50,000, you received approximately 119% including interest. If your claim was larger, you received up to 85%. But you endured years of uncertainty, and your repayment came in fiat — meaning you missed the cryptocurrency appreciation you would have captured in your own wallet.

Why does this case matter most for your framework? Because FTX formally passed Checks 1, 3, and 4. It held licences. It offered you 2FA and withdrawal controls. What could you have spotted? The warning signs were operational: over 130 affiliated entities, no independent board, an unnamed engineering team, and a CEO who discouraged questions about internal controls. You had to know to look for them — which is exactly why you should run Check 5.

What would our framework have caught? Check 2 (commingled funds — no genuine asset segregation) and Check 5 (operational opacity). This is precisely why you should never stop at the first four checks.

Red Flags Quick-Scan Checklist

Before you run the full five-check framework, you can eliminate clearly problematic exchanges in under five minutes. Any single red flag does not necessarily condemn an exchange, but if you spot two or more in combination, you should pause before depositing:

  • You cannot find the legal entity name. If you search for the registered company name, jurisdiction of incorporation, and registered address and find nothing, your funds may have no legal protection in a dispute.
  • You see licences only from jurisdictions without banking oversight. A licence from a small island territory with no crypto-specific supervisory capacity protects the exchange, not you.
  • You find no Proof of Reserves. After the FTX collapse, you should treat refusal to publish reserve attestation as a strong negative signal. Self-attested reports without named auditors should also concern you.
  • You can only use SMS for two-factor authentication. If your exchange does not support TOTP or hardware security keys, its security infrastructure is years behind — and your account is exposed to SIM-swap attacks.
  • You cannot identify the CEO or founding team. No LinkedIn profiles, no conference appearances, no verifiable history? This should concern you — QuadrigaCX's minimal team visibility masked the absence of key management oversight.
  • You see "guaranteed yield" or "risk-free" marketing. No legitimate cryptocurrency exchange uses this language because it is legally indefensible. If your exchange's marketing promises what financial markets cannot deliver, you should assume the operation is either reckless or fraudulent.
  • You notice referral bonuses dominating over product marketing. When your exchange prioritises recruiting new depositors over improving its product, you should recognise the structural similarity to schemes that depend on capital inflow to survive.
  • You find no record of any security incidents. Every exchange that has operated for more than two years has faced attack attempts; what matters is whether it discloses them. A claimed spotless record with no published incident history is more suspicious than a disclosed incident with a good response.
  • You see APY rates far above market. If your exchange offers 20% APY on a stablecoin when the rest of the market offers 3-8%, you should ask where that yield comes from. Legitimate staking rewards are constrained by consensus mechanism economics and validator returns — so your yield must come from somewhere, and that source is often unsustainable risk-taking with your funds through leveraged DeFi positions, dApp farming, or tokenomics that reward early depositors at the expense of later ones.

How We Apply This Framework to Our Partners

We do not recommend exchanges in the abstract — we evaluate every exchange referenced on this site against the same five checks described above. Our results drive our partner tier classification, and you can review our classification logic in our public configuration file (config/partners.ts in our open-source repository). Here is how we structure the three tiers that should guide your decision:

  • Green tier: We classify an exchange as green when it demonstrates strong performance across the framework. You should look for these signals: regulated in at least one major jurisdiction, publishes Proof of Reserves, maintains insurance or a protection fund, has a long track record without major customer losses, and publishes transparent fees.
  • Yellow tier: We use yellow when an exchange has at least one material concern that is partially offset by strength elsewhere. For example, a CeFi platform with custodial risk that is compensated by transparent fees and regulatory compliance.
  • Red tier: We classify exchanges as red when historical failures or critical signals disqualify them from promotion. We maintain red entries for Celsius, BlockFi, Voyager, FTX, Hodlnaut, CoinLoan, and Zipmex — so they never reappear in our recommendations.

How do our current partners score? You can read the full analysis in each review. Kraken holds green tier — you can verify its licences in six jurisdictions, its PoR dating to 2014, and its 13-year breach-free record. Coinbase is green tier — you can review its SEC filings, Deloitte audits, and FDIC-insured USD balances.

Binance scores green with PoR, transparent fees, and expanding licences including Dubai VARA and Abu Dhabi ADGM — though you should check its regulatory standing in your specific EU member state. OKX holds green tier with monthly PoR reports you can verify yourself, transparent fees, and licences in Malta, Japan, Singapore, and the UAE.

We evaluate every partner against these five checks, and our results drive our classification — not the other way around. This is why we do not maintain referral relationships with red-tier exchanges, and why we removed some exchanges that previously appeared on this site during our 2026 content audit when their risk profiles no longer met our minimum threshold for your safety.

CryptoInvesting Team Independent crypto research since 2023. We test every platform we review — no sponsored content, no ads.

From Checklist to Confident First Deposit

You now have a structured way to evaluate any centralised exchange before you commit your funds — whether you plan to trade cryptocurrency, stake tokens through validator delegation, earn mining rewards, or access DeFi through exchange-integrated dApps. The five checks will not guarantee your safety, but they will help you distinguish between exchanges that have invested in verifiable security infrastructure and those that rely on marketing claims you cannot substantiate.

What happens if you skip these checks? The three case studies show you the cost. Mt. Gox depositors waited over a decade for partial recovery. QuadrigaCX customers lost 87% permanently. FTX creditors endured years of uncertainty and received fiat repayments that missed the crypto appreciation they would have captured in their own wallets. You can avoid these outcomes by spending one hour on due diligence before your first deposit.

Once your chosen exchange passes these checks, what should you do next? Register, complete KYC, and make your first trade. Our first 30 days on a crypto exchange guide walks you through Week 1 foundation setup through Week 4 security hardening — treating this security checklist as your Day 0.

And remember the most important lesson from all three case studies: you should not trust any exchange indefinitely with your long-term savings. For any amount above £1,000, your safest position is self-custody in a hardware wallet, where the only key holder is you, provided you back up the seed phrase offline and never type it into a website or app.

Should you re-run these checks periodically? Yes — you should review your exchange against all five checks at least quarterly. Proof of Reserves reports are published monthly, regulatory status can change when an exchange gains or loses a licence, and operational signals like executive departures or withdrawal delays can appear at any time. Set a calendar reminder every three months and re-run the red flags quick-scan before making any large new deposit to protect your funds over the long term.

Frequently Asked Questions

Is Proof of Reserves enough to trust an exchange?
No. Proof of Reserves confirms that an exchange held enough assets to cover customer balances at a specific point in time, but it does not reveal internal liabilities, off-balance-sheet obligations, or commingled funds, and a report that publishes only the asset side, with no Merkle tree of liabilities you can check your own balance against, proves even less. FTX passed a form of reserve attestation while secretly funnelling customer deposits to Alameda Research. PoR is one essential check, but it must be combined with custody architecture review, regulatory licensing verification, and operational transparency assessment before you can form a reasonable confidence picture.
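The following is an added illustration of what "verify your own balance" in a Proof of Reserves report actually involves, and of the one check a verifier must not skip. It is not any exchange's published format: the leaf and node encoding, the salt, and the customer balances are all constructed for the example. It also covers the red-flag item above about assets-only reports. The liabilities side is a Merkle sum tree; you recompute the path from your own leaf to the published root and confirm that the root total the exchange claims to hold assets against really includes you. The verifier rejects any negative subtotal on the path, because an operator who can insert negative "ghost" balances can shrink the reported liabilities to match whatever assets it has.

```python
"""Checking your own balance against a Merkle sum tree proof of liabilities.

Added illustration; the leaf/node encoding below is an assumption, not any
exchange's published format. Balances are integers (e.g. satoshis).
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int          # sum of all balances under this node


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _enc(n: int) -> bytes:
    return n.to_bytes(16, "big", signed=True)


def leaf(user_id: str, balance: int, salt: bytes) -> Node:
    # The salt keeps a published leaf from revealing who holds which balance.
    return Node(_h(b"leaf|" + salt + b"|" + user_id.encode() + b"|" + _enc(balance)), balance)


def parent(left: Node, right: Node) -> Node:
    digest = _h(b"node|" + left.digest + _enc(left.total) + right.digest + _enc(right.total))
    return Node(digest, left.total + right.total)


EMPTY = Node(_h(b"empty"), 0)   # padding for odd-sized levels


def build_tree(leaves: list[Node]) -> list[list[Node]]:
    """Return all levels, leaves first, root last. Deliberately does NOT reject
    negative balances: a dishonest operator's builder would not either."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: list[list[Node]], index: int) -> list[tuple[Node, bool]]:
    """Sibling nodes from leaf to root, flagged True when the sibling is on the left."""
    proof = []
    for level in levels[:-1]:
        proof.append((level[index ^ 1], index % 2 == 1))
        index //= 2
    return proof


def verify_inclusion(my_leaf: Node, proof: list[tuple[Node, bool]], root: Node) -> bool:
    """Recompute the path and compare with the published root. Any negative
    subtotal is rejected: that is how fake negative leaves would hide a shortfall."""
    cur = my_leaf
    for sibling, sibling_is_left in proof:
        if cur.total < 0 or sibling.total < 0:
            return False
        cur = parent(sibling, cur) if sibling_is_left else parent(cur, sibling)
    return cur.digest == root.digest and cur.total == root.total


def reserves_cover(root: Node, on_chain_assets: int) -> bool:
    """Asset side of the report: attested on-chain holdings must reach the liabilities root."""
    return root.total >= 0 and on_chain_assets >= root.total


# Constructed sample data (satoshis); not real customer balances.
CUSTOMERS = [("alice", 150_000_000), ("bob", 20_000_000),
             ("carol", 5_000_000), ("dave", 75_000_000)]
SALT = b"constructed-salt"


def honest_report() -> tuple[bool, int]:
    leaves = [leaf(u, b, SALT) for u, b in CUSTOMERS]
    levels = build_tree(leaves)
    root = levels[-1][0]
    ok = all(verify_inclusion(leaves[i], inclusion_proof(levels, i), root)
             for i in range(len(leaves)))
    return ok, root.total


def dishonest_report() -> tuple[list[bool], int]:
    """Operator adds a negative 'ghost' leaf so the root total shrinks by 2 BTC."""
    ghost = leaf("ghost", -200_000_000, SALT)
    leaves = [leaf(u, b, SALT) for u, b in CUSTOMERS] + [ghost]
    levels = build_tree(leaves)
    root = levels[-1][0]
    results = [verify_inclusion(leaves[i], inclusion_proof(levels, i), root)
               for i in range(len(CUSTOMERS))]
    return results, root.total


if __name__ == "__main__":
    print("honest:", honest_report())        # (True, 250000000)
    print("dishonest:", dishonest_report())  # ([False, False, False, False], 50000000)
```

In the dishonest tree the ghost subtree sits on every honest customer's path, so every one of them sees a negative subtotal and rejects the proof. With more leaves the ghost only lands on some customers' paths, which is why this defence depends on enough customers actually running the check rather than trusting the headline ratio.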
What is the difference between MPC and multisig custody?
Multi-signature custody requires multiple distinct private keys (for example, 3 out of 5) to authorise a transaction, and each signature is checked separately, so the signing policy is visible and auditable on-chain. Multi-party computation splits a single private key into secret shares held by different parties; during signing, each party computes over its own share and the partial results are combined into one ordinary signature without the full key ever existing in one place. MPC works across blockchains that lack native multisig support, making it more flexible for enterprise custody, but the threshold policy lives in the custodian's off-chain software rather than on the chain, and it is a newer technology with a smaller body of independent security research than traditional multisig.
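To make the structural difference concrete, here is an added toy example (not any custodian's protocol) that signs the same withdrawal message both ways with Schnorr signatures over a deliberately tiny group. The multisig path produces one full signature per key and counts how many verify; the MPC path has three parties hold additive key shares, exchange only nonce commitments and partial signatures, and emit a single signature that the ordinary verifier accepts under the aggregate public key, so no party ever holds the combined key. The group parameters, the party count and the message are assumptions, and real threshold wallets add rounds this toy omits (nonce commitments, proofs of key-share possession) to stop rogue-key attacks.

```python
"""Toy comparison of multisig and MPC-style signing with Schnorr over a tiny group.

Added illustration, not any custodian's protocol. Parameters are deliberately
small and insecure; real MPC wallets use threshold schemes on secp256k1/ed25519
with extra rounds (nonce commitments, key-share proofs) that this toy omits.
"""
import hashlib
import secrets

P = 2039   # safe prime, P = 2*Q + 1 (toy size)
Q = 1019   # prime order of the subgroup we sign in
G = 4      # 2^2 mod P generates the order-Q subgroup
assert pow(G, Q, P) == 1 and G != 1


def _enc(n: int) -> bytes:
    return n.to_bytes(2, "big")


def challenge(R: int, y: int, msg: bytes) -> int:
    digest = hashlib.sha256(b"|".join((_enc(R), _enc(y), msg))).digest()
    return int.from_bytes(digest, "big") % Q


def _rand_scalar(rng) -> int:
    return rng(Q - 1) + 1                       # uniform in [1, Q-1]


# --- Plain single-key Schnorr: the building block for multisig ----------------
def keygen(rng=secrets.randbelow):
    x = _rand_scalar(rng)
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, rng=secrets.randbelow):
    k = _rand_scalar(rng)
    R = pow(G, k, P)
    e = challenge(R, pow(G, x, P), msg)
    return R, (k + e * x) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    R, s = sig
    return pow(G, s, P) == (R * pow(y, challenge(R, y, msg), P)) % P


def multisig_verify(pubkeys, msg: bytes, sigs: dict, threshold: int) -> bool:
    """m-of-n: n independent keys, each signature checked on its own. The policy
    (which keys, what threshold) is therefore visible to anyone verifying."""
    valid = {i for i, sig in sigs.items()
             if i < len(pubkeys) and verify(pubkeys[i], msg, sig)}
    return len(valid) >= threshold


# --- MPC-style: one key x = x_1 + ... + x_n that is never assembled ------------
class Party:
    def __init__(self, rng=secrets.randbelow):
        self._x = _rand_scalar(rng)             # this share never leaves the party
        self.pub_share = pow(G, self._x, P)
        self._k = None

    def round1(self, rng=secrets.randbelow) -> int:
        self._k = _rand_scalar(rng)
        return pow(G, self._k, P)               # nonce commitment R_i

    def round2(self, R: int, y: int, msg: bytes) -> int:
        e = challenge(R, y, msg)
        s_i = (self._k + e * self._x) % Q       # partial signature; x_i and k_i stay hidden
        self._k = None                           # nonce is single-use
        return s_i


def aggregate_pubkey(parties) -> int:
    y = 1
    for party in parties:
        y = (y * party.pub_share) % P            # g^(x_1 + ... + x_n)
    return y


def mpc_sign(parties, msg: bytes):
    R = 1
    for party in parties:
        R = (R * party.round1()) % P             # g^(k_1 + ... + k_n)
    y = aggregate_pubkey(parties)
    s = sum(party.round2(R, y, msg) for party in parties) % Q
    return R, s                                  # accepted by the ordinary verify()


if __name__ == "__main__":
    msg = b"withdraw 0.5 BTC"                    # constructed message
    parties = [Party() for _ in range(3)]
    print("mpc:", verify(aggregate_pubkey(parties), msg, mpc_sign(parties, msg)))
    keys = [keygen() for _ in range(5)]
    sigs = {i: sign(keys[i][0], msg) for i in (0, 2, 4)}
    print("3-of-5:", multisig_verify([pk for _, pk in keys], msg, sigs, 3))
```

Note what an on-chain observer sees in each case: three separate signatures and a visible 3-of-5 rule for multisig, versus one signature under one public key for MPC, which is why the MPC threshold policy has to be audited at the custodian rather than read off the chain.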
Does a regulated exchange guarantee that funds are safe?
No. Regulation reduces risk but does not eliminate it. FTX held licences in the Bahamas and was registered with FinCEN in the US, yet it lost over $8 billion in customer funds. The quality of the regulatory jurisdiction matters: an FCA registration in the UK or a MiCA licence in the EU imposes stronger oversight than an offshore licence with minimal supervisory capacity. A licence means the exchange passed an initial compliance review and submits to ongoing scrutiny — not that your funds are guaranteed.
How often should an exchange be re-checked against this framework?
At least quarterly. PoR reports are published monthly (OKX, Binance) or quarterly. Regulatory status can change when an exchange gains or loses a licence. Operational signals — executive departures, withdrawal delays, sudden changes to terms of service — can appear at any time. Set a calendar reminder every three months and re-run the red flags quick-scan before making any large new deposit.
What two-factor authentication method is safest for exchange accounts?
Hardware security keys (YubiKey, Google Titan) provide the strongest protection because they require physical possession and the browser binds each login assertion to the site's origin, so a lookalike domain cannot replay it; this makes them resistant to both SIM swaps and phishing. TOTP authenticator apps (Google Authenticator, Authy) are the next safest option, though a six-digit code can still be captured by a real-time phishing proxy and relayed within its 30-second validity window. SMS-based 2FA is the weakest because it is vulnerable to SIM-swap attacks, where an attacker convinces your mobile provider to transfer your number to their SIM card.
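An added example, covering this answer and the SMS-only red flag above, showing why the three methods rank as they do. The TOTP half is the real RFC 6238 algorithm (it reproduces the RFC's published test vectors); the second half simulates a WebAuthn-style origin-bound assertion. The origins, the challenge and the credential key are constructed, and HMAC with that constructed key stands in for the authenticator's real per-credential signing key. The point it demonstrates: a valid TOTP code typed into a phishing page still works when the proxy relays it seconds later, while an assertion produced on the phishing page carries the phishing origin in the signed client data and is rejected by the real site.

```python
"""TOTP (RFC 6238) versus an origin-bound assertion in the style of WebAuthn.

Added illustration. TOTP below is the real algorithm (checked against the RFC
test vectors). The 'authenticator' uses HMAC with a constructed credential key
as a stand-in for the real per-credential signing key; origins and challenges
are constructed, not real sites.
"""
import base64
import hashlib
import hmac
import json

# RFC 6238 reference secret used for its published test vectors, not a real account secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def server_accepts_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Typical server check: accept the current step and +/- `window` steps."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))


def totp_relayed_through_phishing_site(now: int = 1_700_000_000) -> bool:
    """Victim types a valid code into a lookalike page; the proxy forwards it 5 s later."""
    code_typed_by_victim = totp(RFC_SECRET, now)
    return server_accepts_totp(RFC_SECRET, code_typed_by_victim, now + 5)


# --- Origin-bound assertion (WebAuthn-style, simplified) -------------------------
REAL_ORIGIN = "https://exchange.example"          # constructed
RP_ID = "exchange.example"
PHISH_ORIGIN = "https://exchange-login.example"   # constructed lookalike
CRED_KEY = b"constructed-credential-key"          # stand-in for the authenticator's private key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    # The browser, not the page's JavaScript, fills in the origin the user is actually on.
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                       "origin": page_origin}, sort_keys=True).encode()


def authenticator_assert(client_data: bytes, rp_id: str = RP_ID) -> dict:
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()   # authData || clientDataHash
    return {"auth_data": auth_data, "client_data": client_data,
            "sig": hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()}


def server_verify_assertion(expected_challenge: bytes, assertion: dict) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
        return False                                             # signed for another site
    if cd.get("challenge") != _b64url(expected_challenge):
        return False                                             # stale or replayed challenge
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def assertion_from(origin: str, challenge: bytes = b"server-challenge-0001") -> bool:
    """Proxy relays the real challenge to the user; the browser records `origin`."""
    client_data = browser_client_data(challenge, origin)
    return server_verify_assertion(challenge, authenticator_assert(client_data))


if __name__ == "__main__":
    print("TOTP relayed by phishing proxy accepted:", totp_relayed_through_phishing_site())
    print("assertion from real origin accepted:", assertion_from(REAL_ORIGIN))
    print("assertion from phishing origin accepted:", assertion_from(PHISH_ORIGIN))
```

A real browser adds a second barrier not modelled here: it refuses to invoke the authenticator at all when the requested rpId is not a registrable suffix of the page's origin, so the phishing page never even gets a signature to relay.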
If an exchange passes all five checks, is deposited money completely safe?
No. These five checks reduce your exposure to the most common and historically destructive failure modes, but they cannot protect against novel risks: a zero-day infrastructure exploit, a government asset seizure, or a fraud scheme that evades all public-facing indicators. The framework helps you make an informed decision, not a risk-free one. For holdings above £1,000, the safest approach is to keep only actively traded amounts on any exchange and withdraw the rest to a hardware wallet.
Should crypto be kept on an exchange or in a hardware wallet?
Both, for different purposes. Keep amounts you are actively trading or earning yield on in your exchange account — protected by 2FA, withdrawal whitelisting, and the security infrastructure described in this checklist. Move long-term holdings above £1,000 to a hardware wallet where you control the private keys directly. This split limits your exposure to exchange-specific risk (insolvency, hacks, regulatory freezes) while maintaining liquidity for active positions.

Financial Disclaimer

This content is not financial advice. All information provided is for educational purposes only. Cryptocurrency investments carry significant investment risk, and past performance does not guarantee future results. Always do your own research and consult a qualified financial advisor before making investment decisions.

Our Review Methodology

CryptoInvesting Team maintains funded accounts on every platform we review. Each review includes a full registration and KYC cycle, a real deposit and withdrawal test, and a hands-on evaluation of the trading or earning interface. Fee data, APY rates, and supported assets are verified against the platform directly — not sourced from aggregators. We re-check published figures quarterly and update pages when terms change. Referral partnerships never influence editorial ratings or recommendations.