Shepley Capital


How to Avoid Exchange Hacks

Exchange hacks are one of the most consistent and costly risks in the crypto space. Since Bitcoin’s earliest days, centralised exchanges have been targeted by sophisticated attackers who understand that concentrations of crypto assets on a single platform represent an extraordinarily attractive target. The results have been devastating for users, with billions of dollars lost across dozens of major incidents over the years.

Understanding how exchange hacks happen, what you can do to protect yourself at the account level, and why the ultimate defence lies in how you structure your custody is the foundation of operating safely in this space. This resource covers all of it.


Why Exchanges Are Such Attractive Targets

The answer is straightforward: concentration. A single successful attack on a major centralised exchange can yield hundreds of millions of dollars in a matter of minutes. No bank robbery, no corporate fraud scheme, and very few other forms of financial crime offer the same potential return for a successful attacker.

Exchanges hold the private keys to enormous pools of user funds in centralised infrastructure. Unlike a hardware wallet, which keeps its keys offline and requires physical confirmation on the device before it will sign a transaction, exchange infrastructure is internet-connected by necessity. And unlike traditional financial institutions that have decades of security investment and regulatory oversight behind them, many crypto exchanges have grown faster than their security architecture has matured.

The fundamental tension is that exchanges need to be online and accessible to serve their users, and being online and accessible is what makes them attackable. This tension doesn’t go away regardless of how much a reputable exchange invests in security.


How Exchange Hacks Actually Happen

Understanding the specific attack vectors that have been used against exchanges helps you understand both the scale of the risk and what, if anything, you can do to mitigate it as an individual user.

Hot wallet compromises. Exchanges hold a portion of user funds in “hot wallets,” which are wallets that are connected to the internet to facilitate fast withdrawals. Hot wallets are necessary for operational efficiency but represent the most vulnerable portion of an exchange’s holdings. Attackers who compromise the private keys controlling a hot wallet can drain it almost instantly. Most major exchange hacks have involved hot wallet compromises.

Infrastructure attacks. Sophisticated attackers target the broader technical infrastructure of an exchange, including its servers, databases, APIs, and internal systems. Vulnerabilities in any of these components can provide access to sensitive data including private keys, user credentials, and withdrawal systems.

Social engineering of employees. Many of the most damaging exchange attacks have involved targeting exchange staff rather than technical systems directly. Phishing emails that trick employees into providing credentials, SIM swapping attacks on staff members with privileged system access, and impersonation attacks that manipulate employees into authorising fraudulent transactions are all documented methods. This is a threat that exists regardless of how strong the exchange’s technical security is.

Supply chain attacks. Attackers have compromised third-party software vendors, security providers, or other services that exchanges rely on, using that access as a backdoor into exchange systems. The exchange itself may have excellent security, but a vulnerability in a trusted third-party integration can provide an entry point.

Smart contract vulnerabilities. For exchanges that operate DeFi products or use smart contracts in their operations, vulnerabilities in those smart contracts have been exploited to drain funds. As covered in our yield farming resource, smart contract risk is a consistent feature of the DeFi landscape.

Insider threats. Exchange employees or contractors with privileged access have in some cases been involved in theft or have been coerced or bribed by external actors. This is one of the harder threat vectors to defend against from a user perspective because it operates entirely within the exchange’s own systems.


What You Can Control: Account-Level Security

As an exchange user, you have no direct control over the exchange’s infrastructure security, its employee practices, or its third-party integrations. What you do control is the security of your individual account. Hardening your account reduces the risk that your account specifically is compromised even in the event of a broader exchange incident that exposes user data.

Two-factor authentication with an authenticator app or hardware security key. This is the single most important account security measure. Use an authenticator app such as Google Authenticator or Authy rather than SMS-based two-factor authentication. SMS 2FA is vulnerable to SIM swapping, where an attacker convinces your mobile carrier to transfer your phone number to a SIM they control, allowing them to receive your verification codes. An authenticator app generates time-based one-time codes (TOTP) locally on your device from a secret shared with the exchange at enrolment; no code ever travels over the phone network, so a SIM swap cannot intercept it. A TOTP code can still be phished, though: if you type it into a fake login page, the attacker can relay it to the real exchange within its 30-second validity window. Where the exchange supports a FIDO2/WebAuthn hardware security key (such as a YubiKey) or a passkey, prefer it, because the key will only sign for the genuine domain and cannot be relayed this way. Whichever you use, store the backup codes offline when you enrol, and never disable 2FA to "troubleshoot" at the request of anyone who contacts you.
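Why a SIM swap gains an attacker nothing against an authenticator app is easiest to see from the algorithm itself. The following is an added illustration, not code from any authenticator app or exchange: it implements RFC 6238 TOTP (the scheme Google Authenticator and Authy use by default, HMAC-SHA1 over a 30-second counter) together with the drift-tolerant check a server performs at login. The secret is the RFC's own public test key, used here as a constructed example; the only inputs to a code are that shared secret and the clock, so there is nothing on the phone network to hijack.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 test-vector key "12345678901234567890",
# base32-encoded the way an exchange presents it in the enrolment QR code.
# It is the public RFC test key, not anyone's real 2FA secret.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Only the shared secret and the clock are inputs; nothing is sent or received."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, step=30, window=1):
    """What the exchange does at login: accept the current step and +/- `window`
    neighbouring steps to tolerate clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_totp(EXAMPLE_SECRET_B32, code, now))
```

The drift window is also why a phished code is dangerous: a code stolen from a fake login page is accepted by the genuine server for up to a step either side of the moment it was generated, which is ample time for an automated relay.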

A strong, unique password. Use a randomly generated password that is unique to each exchange account and not used anywhere else. A reputable password manager makes this practical. A data breach on one platform should never provide access to another. As covered in our advanced crypto security resource, password hygiene is a foundational security measure that most people underinvest in.

Withdrawal address whitelisting. Most reputable exchanges allow you to restrict withdrawals to a pre-approved list of addresses. Enable this and add only your own hardware wallet addresses to the whitelist. Even if an attacker gains access to your account, they cannot withdraw funds to an address that isn’t on your whitelist. Most exchanges also impose a waiting period (commonly around 24 hours) before a newly added address becomes usable or the whitelist can be switched off; leave that delay on, because it is what gives you time to notice and react if an attacker with account access tries to add an address of their own. This is one of the most effective account-level protections available and is consistently underutilised.

A dedicated email address for exchange accounts. Use an email address that exists solely for your crypto exchange registrations. Its address should not contain your real name, it should not be publicly associated with your identity, and it should not be used for any other purpose. This reduces the attack surface available to anyone attempting to compromise your exchange accounts through your email. Because password resets and security notifications route through that mailbox, protect it with the same care as the exchange account itself: a unique password and authenticator app or hardware key 2FA.

Anti-phishing codes. Many major exchanges allow you to set a personal anti-phishing code that appears in all legitimate emails from the platform. Any email claiming to be from the exchange that doesn’t contain your code is immediately identifiable as a phishing attempt. This is a simple, effective measure that takes seconds to set up. Note what it does and doesn’t do: the code tells you an email is genuine, but it does not make the links inside any email safe. Treat a missing code as a red flag, and reach the exchange by typing its address or using a bookmark rather than clicking through.

Limiting API key permissions. If you use API keys to connect third-party tools or trading bots to your exchange account, ensure those keys have only the minimum permissions required for their function. An API key with withdrawal permission is a significant security risk if that key is ever compromised. Trading-only API keys without withdrawal permission limit the damage of a key compromise to trading activity rather than outright fund loss, though an attacker can still hurt you through manipulative trades, so treat any key compromise as an incident and revoke the key immediately. Where the exchange offers it, also restrict each key to the IP address of the machine that uses it, and delete keys for tools you no longer run.


Evaluating Exchange Security Before You Use a Platform

Not all exchanges invest equally in security, and the security posture of the platform you choose directly affects your risk exposure. Before committing significant funds to any exchange, the following factors are worth evaluating.

Proof of reserves. Reputable exchanges publish cryptographic evidence that they hold sufficient assets to cover user deposits. A complete scheme has two halves: a proof of liabilities, typically a Merkle sum tree over every customer balance whose root hash and total are published so that each user can verify their own balance is included, and a proof of reserves, signed messages from the exchange’s on-chain addresses demonstrating it controls at least that total. Published this way, the kind of fractional reserve situation that contributed to the FTX collapse becomes detectable rather than hidden. Bear the limitations in mind: a proof is a snapshot, and it says nothing about assets borrowed for the snapshot date, assets pledged elsewhere, or off-chain liabilities. Look for exchanges that publish regular proofs attested by an independent third party, and check that you can actually verify your own inclusion rather than just reading a summary.
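The proof-of-liabilities half is the part you can verify yourself, so it is worth seeing how it works. The following Merkle sum tree is an added illustration, not any exchange’s published code: the exchange builds the tree over salted customer balances and publishes only the root hash and total, each user receives their private salt and a sibling path, and the verification recomputes the root from the user’s own balance. The ledger, salts and on-chain reserve figure are constructed for the example; the reserves half (signed on-chain messages) is assumed rather than modelled.

```python
import hashlib
from typing import List, Tuple

# Constructed sample ledger: (user_id, balance in integer units, per-user salt).
# The salt is handed privately to each user so neighbours cannot brute-force
# each other's balances from the published tree. These accounts are made up.
SAMPLE_LEDGER = [
    ("alice", 150, b"salt-alice"),
    ("bob", 40, b"salt-bob"),
    ("carol", 1000, b"salt-carol"),
]

Node = Tuple[bytes, int]   # (hash, sum of all balances beneath this node)


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(user_id: str, balance: int, salt: bytes) -> Node:
    """A leaf commits to the user, their balance and their private salt."""
    if balance < 0:
        raise ValueError("negative balances are not allowed in a proof of liabilities")
    digest = _sha256(b"leaf|" + user_id.encode() + b"|" + str(balance).encode() + b"|" + salt)
    return digest, balance


def _parent(left: Node, right: Node) -> Node:
    """Internal node: the hash binds both children's hashes AND sums, so a sum cannot be edited silently."""
    (lh, ls), (rh, rs) = left, right
    if ls < 0 or rs < 0:
        raise ValueError("negative subtree sum")   # a negative sibling would let the exchange hide liabilities
    data = b"node|" + lh + ls.to_bytes(16, "big") + rh + rs.to_bytes(16, "big")
    return _sha256(data), ls + rs


EMPTY: Node = (_sha256(b"empty"), 0)


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """Bottom-up tree: levels[0] are the leaves, levels[-1] is [root].
    Odd levels are padded with a zero-balance EMPTY node, never by duplicating a real leaf."""
    if not leaves:
        raise ValueError("empty ledger")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        current = levels[-1]
        if len(current) % 2 == 1:
            current.append(EMPTY)
        levels.append([_parent(current[i], current[i + 1]) for i in range(0, len(current), 2)])
    return levels


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[bytes, int, bool]]:
    """Sibling path from leaf `index` to the root: (sibling_hash, sibling_sum, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sibling_index = index ^ 1
        sib_hash, sib_sum = level[sibling_index]
        proof.append((sib_hash, sib_sum, sibling_index < index))
        index //= 2
    return proof


def verify_inclusion(user_id, balance, salt, proof, root_hash, root_sum) -> bool:
    """What a user runs against the published (root_hash, root_sum) using their own balance and salt."""
    try:
        node = leaf(user_id, balance, salt)
        for sib_hash, sib_sum, sib_is_left in proof:
            sibling = (sib_hash, sib_sum)
            node = _parent(sibling, node) if sib_is_left else _parent(node, sibling)
    except ValueError:
        return False
    return node[0] == root_hash and node[1] == root_sum


def is_solvent(root_sum: int, attested_reserves: int) -> bool:
    """Reserves half: on-chain holdings (proved by signed messages, assumed here) must cover the liabilities total."""
    return attested_reserves >= root_sum


if __name__ == "__main__":
    leaves = [leaf(u, b, s) for u, b, s in SAMPLE_LEDGER]
    levels = build_tree(leaves)
    root_hash, root_sum = levels[-1][0]
    proof = inclusion_proof(levels, 2)   # carol's path
    print("total liabilities:", root_sum)
    print("carol included:", verify_inclusion("carol", 1000, b"salt-carol", proof, root_hash, root_sum))
    print("solvent with 1200 on-chain:", is_solvent(root_sum, 1200))
```

Two design points carry the security argument. Every internal hash covers its children’s sums, so the exchange cannot publish a smaller total than the tree actually contains without every user’s proof failing; and both the leaf and the verifier reject negative balances, because a negative leaf is the classic trick for cancelling out liabilities while keeping the root consistent.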

Cold storage practices. How much of user funds does the exchange hold in cold storage versus hot wallets? Exchanges that hold the majority of user funds in cold storage offline reduce their exposure to hot wallet compromise attacks. Most reputable exchanges publish information about their cold storage practices. A high proportion of funds in cold storage is a positive indicator.

Security track record. Has the exchange suffered major security incidents? How did it respond? An exchange that has experienced a security incident and responded by fully compensating users, improving its security architecture, and maintaining transparent communication is different from one that denied, delayed, and deflected. Past behaviour in adversity is one of the strongest indicators of how a platform will behave in future adversity.

Insurance and compensation funds. Some major exchanges maintain insurance funds or user compensation programs that cover losses in the event of a security incident. Binance’s SAFU fund is the most well-known example. Understanding what protection, if any, exists for your funds in the event of a hack is part of evaluating any platform.

Regulatory compliance. Exchanges that are registered with AUSTRAC and operate under Australian regulatory requirements have a degree of accountability that unregistered platforms don’t. While regulatory compliance doesn’t guarantee security, it does create obligations around AML/CTF programs, customer protection, and operational standards that add a layer of accountability.

Our individual exchange reviews for CoinSpot, Swyftx, Independent Reserve, BTC Markets, Binance, Kraken, Coinbase, OKX, CoinJar, Coinstash, Digital Surge, and Crypto.com each cover security track record and practices for those platforms. Our best crypto exchanges Australia 2026 guide covers the comparison at a high level.


The Ultimate Defence: Self-Custody

Account-level security and exchange evaluation reduce your risk exposure. They do not eliminate it. The only way to fully protect your assets from an exchange hack is to not have your assets on the exchange.

As covered extensively in our resource on the risks of keeping crypto on an exchange, a hardware wallet you control directly cannot be drained by an exchange hack. Your private keys are stored offline on the device, never exposed to the internet, and only you can authorise transactions. No exchange insolvency, hack, withdrawal freeze, or regulatory action can affect assets held in self-custody.

The principle is simple: only keep on an exchange what you need for active trading or near-term transactions. Long-term holdings, assets you’re not actively trading, and any amount you cannot afford to lose in an exchange failure belong in a self-custody hardware wallet.

Our resources on choosing the right hardware wallet, which cryptocurrency wallet is right for you, and setup guides for Ledger, Trezor, Coldcard, SafePal, Bitbox, and Tangem provide everything you need to set up self-custody correctly. Our sending crypto to hardware wallet from exchange resource walks through the transfer process step by step.

Backing up your hardware wallet correctly from day one is equally important. Our step-by-step crypto wallet backup guide and advanced seed phrase storage resource ensure that self-custody is genuinely secure rather than simply shifting risk from the exchange to your own backup practices.


What to Do If an Exchange You Use Is Hacked

If you hear news of a hack or security incident affecting an exchange where you hold funds, act quickly and deliberately.

First, do not panic and do not make hasty decisions based on unverified information. Confirm the incident through official channels (the exchange’s own website and its verified social media accounts) before taking any action. Social media is full of rumours during exchange incidents, and acting on false information can cause unnecessary losses.

If the incident is confirmed and your funds are on the platform, attempt to withdraw them immediately if withdrawals are still open, and withdraw to your own hardware wallet address rather than to another exchange. Many exchanges suspend withdrawals quickly after discovering a security incident, so the window may be short. Expect phishing to spike during an incident: attackers impersonate the exchange’s “recovery” or “verification” process precisely when users are anxious, so reach the platform only by typing its address or using a bookmark, and ignore any link that arrives by email, SMS or direct message.

If withdrawals are suspended, monitor official communications from the exchange closely. Document your holdings with screenshots and transaction records. Preserve all evidence of your account balance and transaction history for any future claims process.

Contact the exchange’s support team through official channels to register your details and understand the process for affected users. Keep records of all communications.

For future reference, having accurate records of your holdings on every exchange at all times is both a security practice and a tax obligation. Our ATO crypto reporting resource covers the record-keeping requirements that apply to all exchange activity.


Key Takeaways

Exchange hacks happen through hot wallet compromises, infrastructure attacks, social engineering of employees, supply chain vulnerabilities, smart contract exploits, and insider threats. As an individual user, you cannot control exchange-level security, but you can harden your account with authenticator app two-factor authentication, strong unique passwords, withdrawal address whitelisting, a dedicated email address, and minimal API key permissions. Evaluate exchanges based on proof of reserves, cold storage practices, security track record, insurance arrangements, and regulatory compliance. And most importantly, only keep on an exchange what you need for active trading. Long-term holdings belong in a self-custody hardware wallet you control directly.

The crypto space rewards preparation. Investors who structure their custody correctly don’t need to worry about exchange hacks, because their significant holdings were never there to be taken.

For everyday investors building their security foundations and making the transition to self-custody, our Runite Tier Membership includes dedicated security and self-custody education designed to make the process straightforward from day one. For serious investors managing significant holdings who want a personalised security framework and direct specialist support, our Black Emerald and Obsidian Tier Members receive exactly that. Find out more at shepleycapital.com/membership.

WRITTEN & REVIEWED BY Chris Shepley

UPDATED: MARCH 2026
