Exchange Custody Risk: What Happens to Your Coins When a Platform Fails
When you buy bitcoin on an exchange and leave it there, you do not hold bitcoin. You hold a promise. FTX, Mt. Gox, Voyager, and Celsius each showed what happens when that promise breaks. Here is what the risks actually are.
The “not your keys, not your coins” problem
Every crypto in exchange bankruptcy is still being established through litigation. The FTX and Celsius bankruptcies both raised novel questions about whether customer crypto should be treated as the exchange’s property (to be distributed pro-rata among all creditors) or as customer property held in trust (to be returned ahead of other creditors). The courts reached different answers in different cases, and the law remains unsettled in most jurisdictions.
What can go wrong: four failure modes
Insolvency. The exchange owes more than it holds, either because it has lent customer funds without authorisation (as FTX did), invested them in illiquid or loss-making positions (as Celsius did), or accumulated operating losses exceeding its capital. Insolvency may not be apparent until a withdrawal run makes it visible, at which point it is too late for most customers to exit.
Hacking. In 2014, Mt. Gox lost approximately 850,000 bitcoin to theft that had reportedly been ongoing for years. Bitfinex lost nearly 120,000 bitcoin in a 2016 hack. Crypto.com lost $34 million in a 2022 attack. Despite significant security improvements across the industry, exchanges remain targets because a successful attack can move enormous value instantly and irreversibly. Hot wallets — those connected to the internet for operational liquidity — are the primary attack surface.
Regulatory shutdown. An exchange can be forced to freeze withdrawals or cease operations by a regulator. BitMEX founders were charged by the US Department of Justice in 2020; the exchange continued to operate but US users were excluded. BtcTurk, a Turkish exchange, had to deal with government blocking orders. Regulatory shutdown differs from insolvency in that the assets may still exist, but access to them is blocked by legal process rather than missing funds.
Exit scam. The operator of a smaller exchange simply stops processing withdrawals and disappears with the funds. This is most common in anonymous, unregulated venues. The Canadian exchange QuadrigaCX lost approximately $190 million in customer funds that could not be recovered after the reported death of its sole operator, Gerald Cotten, who appears to have been running what amounted to a Ponzi scheme.
How exchanges try to reduce custody risk
The standard industry practice for managing hot-wallet risk is to keep the majority of assets in cold storage: hardware wallets or hardware security modules not connected to the internet, requiring multiple human signatories to access (multi-sig custody). Coinbase’s custody arm has published extensive documentation of its storage architecture; Gemini holds a SOC 2 Type II certification for its custody practices. These systems are meaningfully more secure than poorly managed exchanges, but they do not eliminate risk — the 2016 Bitfinex hack occurred despite multi-sig custody, exploiting a vulnerability in the multi-sig implementation itself.
Segregated custody — holding customer assets separately from the exchange’s own operating funds — is the structural safeguard against the FTX model of failure. Regulated exchanges in the EU under MiCA and in the UK under FCA rules are required to segregate client assets. US regulation has moved more slowly, though the SEC’s proposed rules for crypto intermediaries would require segregation.
Insurance is increasingly offered as a feature. Coinbase maintains crime insurance for assets held in its hot wallets. Lloyd’s syndicates offer coverage for cold storage. The limits, exclusions and terms vary considerably, and insurance does not cover insolvency — a firm can be both insured and insolvent. Checking the actual policy terms rather than the marketing claim is necessary to understand what is actually protected.
Jurisdiction matters
Where an exchange is licensed affects what happens to your assets if it fails. Exchanges registered in the EU under MiCA or in the UK under FCA rules operate under frameworks that include custody segregation requirements, capital adequacy rules and bankruptcy priority provisions for client assets. Exchanges registered in offshore jurisdictions with lighter regulatory requirements may have no segregation mandate and may be structured so that customer assets are simply company assets in liquidation.
The FTX offshore entity was registered in the Bahamas. When it failed, Bahamas regulators initially took control of local assets before US bankruptcy proceedings asserted broader jurisdiction — a conflict that complicated the recovery process and contributed to the uncertainty customers faced about what they would ultimately receive. For coverage of how the regulatory landscape is evolving, see the learn section. For model-based scenarios on the major assets, see the wallets guide for the trade-offs in detail.
How can I reduce custody risk without leaving an exchange entirely?
Use regulated exchanges in jurisdictions with client-asset segregation requirements. Check whether the exchange publishes proof of reserves and whether the report covers liabilities, not just assets. Keep only trading balances on the platform; withdraw anything you are not actively managing. Diversify across multiple exchanges rather than concentrating holdings in one. Understand the legal structure of any yield or lending products you use — these add counterparty risk beyond a simple spot account.
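What a proof-of-reserves report that covers liabilities lets a customer check is shown below. This is an added example, not taken from any exchange's published scheme: it assumes a Merkle-sum tree, one common construction, and the function names and the sample ledger are hypothetical.

```python
import hashlib

PAD = (b"\x00" * 32, 0)  # zero-balance filler for odd-sized levels

def leaf(account_id, balance):
    """Leaf node: (hash committing to account and balance, balance)."""
    return hashlib.sha256(f"{account_id}:{balance}".encode()).digest(), balance

def parent(left, right):
    """Parent commits to both child hashes and both child sums."""
    if left[1] < 0 or right[1] < 0:
        raise ValueError("negative node would shrink total liabilities")
    blob = b"".join(h + s.to_bytes(16, "big") for h, s in (left, right))
    return hashlib.sha256(blob).digest(), left[1] + right[1]

def build(leaves):
    """Exchange side: return all tree levels, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        if len(levels[-1]) % 2:
            levels[-1].append(PAD)
        cur = levels[-1]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Exchange side: sibling path for one customer's leaf."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(account_id, balance, path, root):
    """Customer side: recompute the published root from own balance."""
    node = leaf(account_id, balance)
    try:
        for sibling, sibling_is_left in path:
            node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    except ValueError:
        return False
    return node == root

def covers_liabilities(root, attested_reserves):
    """An asset figure only means something next to the committed liabilities."""
    return attested_reserves >= root[1]

# Constructed sample ledger (not real data), balances in the smallest unit.
LEDGER = [("alice", 150), ("bob", 300), ("carol", 50)]
LEVELS = build([leaf(a, b) for a, b in LEDGER])
ROOT = LEVELS[-1][0]
```

The root's sum is the liability total the exchange has committed to, but it only binds the exchange for accounts whose owners actually run the check; an account left out of the tree is invisible to everyone else.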
Sources
- DOJ: FTX founder indictment and charges (US Department of Justice, December 2022)
- Coinbase Custody architecture and insurance disclosures
- BIS Working Paper 1061: Crypto exchange failures and customer protection (Bank for International Settlements, 2023)
This analysis is for educational purposes only. It is not financial advice and is not a recommendation to use or avoid any exchange. Cryptocurrency custody risk is real; the regulatory and legal landscape continues to evolve. Always conduct your own research and consider your jurisdiction’s legal protections before depositing on any platform.