Is Your Bitcoin Safe on an Exchange? The Brutal Truth About Crypto Custody in 2026

In 2025 alone, hackers stole $3.4 billion in cryptocurrency — and the biggest single heist drained $1.4 billion from one exchange in minutes. If your Bitcoin is sitting on an exchange right now, you need to understand exactly what that means.

Image: split comparison of Bitcoin trapped in a crumbling exchange versus Bitcoin secured in a personal hardware wallet (exchange risk versus self-custody).


I need to start with some numbers that should make you uncomfortable if you have any cryptocurrency sitting on an exchange right now.

In 2025, hackers stole approximately $3.4 billion in cryptocurrency. That's not a typo. Three point four billion dollars. It was the worst year on record for crypto theft since 2022.

The single largest incident was the Bybit hack in February 2025, where attackers — attributed to North Korean state-sponsored hackers — exploited a private key leak in the exchange's hot wallet system and drained 400,000 ETH worth $1.4 billion. In minutes. Not hours. Minutes.

Let that sink in. One exchange. One vulnerability. $1.4 billion gone before anyone could react.

And Bybit wasn't some obscure platform. It was a top-tier, well-funded exchange. They survived the attack — they had enough reserves to absorb the loss — but the fact that it happened at all tells you something fundamental about the security model of centralized exchanges.

This article isn't about scaring you away from crypto. It's about making you understand, in granular technical detail, what "storing your Bitcoin on an exchange" actually means, what the real risks are, and what the alternatives look like. This is the conversation most crypto platforms don't want to have with their users.

What Happens When You "Store" Bitcoin on an Exchange

When you buy Bitcoin on Coinbase, Binance, Kraken, or any other centralized exchange, something important happens that most users don't fully grasp.

You don't actually hold Bitcoin.

What you hold is an IOU. A database entry on the exchange's servers that says "this account is entitled to X amount of Bitcoin." The actual Bitcoin — the private keys that control it on the blockchain — is held by the exchange. They pool your Bitcoin with everyone else's Bitcoin in their custody wallets: hot wallets (connected to the internet for liquidity) and cold wallets (offline for storage).

This is the same model as a bank. Your money in a bank account isn't cash sitting in a box with your name on it. It's a number in a database, and the bank uses your deposits however it sees fit, subject to regulations.

But here's the critical difference: bank deposits are insured. In the US, the FDIC insures up to $250,000 per depositor. If your bank collapses, the government guarantees your money back.

Cryptocurrency on an exchange? Generally not insured. Some exchanges offer limited insurance on hot wallet holdings, but the coverage is typically a fraction of total deposits. If the exchange gets hacked, goes bankrupt, freezes withdrawals, or is seized by regulators, your recovery options range from "wait months or years for a bankruptcy proceeding" to "lose everything."

FTX proved this in spectacular fashion. When FTX collapsed in November 2022, $8.9 billion in customer funds evaporated. Users who had Bitcoin, Ethereum, and other assets on FTX woke up one morning to find their accounts frozen. As of early 2026, the bankruptcy proceedings are still unwinding. Some users got partial recovery. Many lost everything.

The Three Ways Exchanges Lose Your Money

1. External Hacking

This is the most obvious threat and the one that gets the most media attention. External attackers breach the exchange's security infrastructure and steal cryptocurrency from the exchange's wallets.

The attack vectors are well-documented: exploiting vulnerabilities in hot wallet systems, compromising private keys through social engineering, phishing exchange employees, infiltrating the supply chain of software the exchange depends on, and sometimes even bribing insiders.

Chainalysis data shows that just 22 centralized exchange incidents in 2025 resulted in roughly $1.8 billion in losses. The concentration is striking — a small number of mega-hacks account for the majority of losses. The top three hacks alone represented 69% of all service losses in 2025.

North Korean state-sponsored groups — primarily the Lazarus Group — have become the dominant threat actor in this space. They stole at least $2.02 billion in 2025, a 51% increase over 2024, and accounted for 76% of all service compromises. These aren't amateur hackers. They're nation-state operations with virtually unlimited time, patience, and resources, and they're explicitly funded to steal cryptocurrency as a sanctions evasion mechanism.

When security experts say "on-chain code is getting harder to exploit," they're right. DeFi protocol security has genuinely improved. But the attack surface has shifted to people. Social engineering, phishing, insider threats, and operational failures now account for the majority of losses. As one security CEO put it: "With the code becoming less exploitable, the main attack surface in 2026 will be people."

2. Internal Fraud and Mismanagement

FTX wasn't hacked. It was a fraud. Sam Bankman-Fried used customer deposits to fund risky trades through his hedge fund, Alameda Research. When those trades went bad, the money was gone.

FTX is the most dramatic example, but it's not the only one. The history of cryptocurrency is littered with exchanges that mismanaged customer funds, operated with inadequate reserves, or engaged in outright theft. QuadrigaCX, Mt. Gox, Celsius Network — the pattern repeats.

When you store crypto on an exchange, you're trusting that the exchange is solvent, honest, and competently managed. You have no way to verify this independently. Even "proof of reserves" audits, which some exchanges now publish, can be misleading — they show assets at a single point in time but don't reveal liabilities or what happens to the funds between audits.

3. Regulatory and Geopolitical Risk

Your exchange account can be frozen by regulatory action, legal disputes, sanctions compliance, or the exchange's own terms of service. If your government decides to crack down on cryptocurrency — as multiple countries have done — exchanges operating in that jurisdiction may freeze withdrawals, restrict trading, or shut down entirely.

In 2025, the Iranian exchange Nobitex was hacked for approximately $90 million by an Israel-linked hacktivist group. Iranian users had no recourse to international authorities, and the exchange's recovery was complicated by the country's sanctions status.

Even in well-regulated markets, exchange accounts can be frozen for compliance investigations, suspicious activity reports, or regulatory disputes. When Binance faced regulatory actions in multiple jurisdictions in 2023, users in affected countries experienced withdrawal restrictions and account limitations.

"Not Your Keys, Not Your Coins" — What It Actually Means

This phrase gets thrown around a lot in the crypto community, and it's worth understanding exactly what it means technically.

Bitcoin exists on a blockchain — a distributed ledger maintained by thousands of nodes worldwide. Ownership of Bitcoin is determined by who controls the private key associated with a specific blockchain address. If you have the private key, you can move the Bitcoin. If you don't have the private key, you can't.

When your Bitcoin is on an exchange, the exchange holds the private keys. You hold an account balance — a promise from the exchange that they'll honor your withdrawal request. That promise is only as good as the exchange's security, solvency, and willingness to let you withdraw.

When you move your Bitcoin to a wallet where you control the private keys — whether that's a hardware wallet, a software wallet on your phone, or a multisignature setup — you hold the actual Bitcoin. No exchange can freeze it. No hack of a third party can steal it (unless they compromise you personally). No bankruptcy proceeding can tie it up. No government can seize it without physically accessing your keys.

Self-custody means you are the bank. You are solely responsible for the security of your keys. You are solely responsible for your backups. You are solely responsible for not losing access. That's a significant responsibility — and it's not for everyone — but it eliminates the entire category of third-party risk that has cost the crypto ecosystem tens of billions of dollars.

The Spectrum of Custody Options

Custody isn't binary. It's a spectrum, and understanding where each option falls helps you make an informed decision.

Exchange Custody (Highest Convenience, Highest Third-Party Risk)

Your keys are held by the exchange. You interact with your balance through the exchange's interface. You depend entirely on the exchange's security, solvency, and continued operation.

When it makes sense: Active trading, small amounts you're willing to lose, users who are not ready to manage their own keys, DCA (dollar-cost averaging) purchases before periodic withdrawals to self-custody.

The risk you accept: Everything described in the previous section.

Software Wallet on Your Device (Moderate Convenience, Moderate Risk)

A software wallet — like Sparrow Wallet (desktop), BlueWallet (mobile), or Electrum (desktop) — stores your private keys on your computer or phone. You control the keys. No exchange is involved.

The trade-off: Your keys live on an internet-connected device. If your computer is compromised by malware, a keylogger, or a remote access trojan, an attacker could potentially extract your private keys. Phone theft or loss with inadequate device encryption could also expose your keys.

Software wallets are significantly more secure than exchange custody against exchange-specific risks (hacks, fraud, insolvency), but they introduce device-level security risks. They're a good starting point for self-custody and work well for moderate amounts.

Hardware Wallet / Cold Storage (Lower Convenience, High Security)

A hardware wallet — like Ledger Nano X, Trezor Model T, Coldcard Q, or Blockstream Jade — is a dedicated physical device that stores your private keys offline. The keys never leave the device. When you want to send a transaction, the hardware wallet signs it internally and passes only the signed transaction to your computer — the private key itself is never exposed.

Even if your computer is completely compromised with malware, the attacker cannot extract the private keys from a properly used hardware wallet. They would need to physically steal the device AND know your PIN or passphrase.

Air-gapped hardware wallets like the Coldcard Q go even further. They never connect to your computer via USB at all. Instead, they communicate through QR codes scanned by a camera or through microSD cards. This eliminates even the theoretical USB-based attack surface.

When it makes sense: Any amount of Bitcoin you'd be upset to lose. Long-term holdings. Savings that you don't need to access frequently.

The cost: Hardware wallets range from about $60 to $250. For the amount of money they protect, that's the cheapest insurance you'll ever buy.

Multisignature (Highest Security, Highest Complexity)

Multisig requires multiple private keys to authorize a transaction. A typical setup is 2-of-3: three keys exist, and any two of them are needed to move funds. You might keep one key on a hardware wallet at home, one in a bank safe deposit box, and one with a trusted service like Casa or Unchained Capital.

If one key is lost, stolen, or compromised, your Bitcoin is still safe — the attacker needs a second key they don't have, and you can use the remaining two keys to move your funds to a new multisig setup.

When it makes sense: Large amounts. Long-term savings. Estate planning. Anyone who wants to eliminate single points of failure.

We'll cover multisig in much more depth in our next article.

What About "Proof of Reserves"?

After the FTX collapse, many exchanges began publishing "proof of reserves" — cryptographic attestations showing they hold assets equal to or greater than customer deposits. Binance, Kraken, Coinbase, and others have implemented various versions.

Proof of reserves is better than nothing, but it has limitations you should understand. Most attestations show assets at a single point in time — the exchange could move funds before or after the snapshot. They typically don't reveal liabilities — an exchange could have assets that match deposits but also have massive debts elsewhere. And third-party auditors have been known to miss things, as the collapse of Silvergate and Silicon Valley Bank demonstrated in traditional finance.

Proof of reserves reduces the risk of undetected FTX-style fraud but doesn't eliminate it. It's a useful signal, not a guarantee.
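To make concrete what a customer can and cannot check from such an attestation, here is an added Merkle sum tree example (written for this article, not any exchange's code): the exchange commits to every (account, balance) leaf, publishes the root and total, and a customer verifies that their own balance is counted. Accounts and balances are constructed; the check binds only one snapshot and only the path to the customer's leaf, which is the limitation described above.

```python
import hashlib

EMPTY = (hashlib.sha256(b"empty").digest(), 0)  # padding node for odd-sized levels

def leaf(account_id, balance_sats):
    """Leaf commits to the account and its balance; balances are unsigned so no leaf can shrink the total."""
    if balance_sats < 0:
        raise ValueError("negative balance")
    h = hashlib.sha256(b"leaf:" + account_id.encode() + balance_sats.to_bytes(8, "big")).digest()
    return h, balance_sats

def _node(h_left, s_left, h_right, s_right):
    """Parent commits to both child hashes AND both child sums, so a sum cannot be altered unnoticed."""
    data = h_left + s_left.to_bytes(8, "big") + h_right + s_right.to_bytes(8, "big")
    return hashlib.sha256(data).digest(), s_left + s_right

def build(accounts):
    """Build the tree from (account_id, balance) pairs. Returns (root, levels) with levels[0] = leaves."""
    level, levels = [leaf(a, b) for a, b in accounts], []
    while True:
        if len(level) > 1 and len(level) % 2:
            level.append(EMPTY)
        levels.append(level)
        if len(level) == 1:
            return level[0], levels
        level = [_node(*level[i], *level[i + 1]) for i in range(0, len(level), 2)]

def proof(levels, idx):
    """Inclusion proof for leaf idx: the sibling (hash, sum, is_left) at each level."""
    path = []
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append((level[sib][0], level[sib][1], sib < idx))
        idx //= 2
    return path

def verify(root, published_total, account_id, balance_sats, path):
    """Customer-side check: my balance is in the tree, every sibling sum on my path is non-negative,
    and the path reaches the published root whose total equals the claimed liabilities."""
    h, s = leaf(account_id, balance_sats)
    for sib_h, sib_s, sib_is_left in path:
        if sib_s < 0:
            return False
        h, s = _node(sib_h, sib_s, h, s) if sib_is_left else _node(h, s, sib_h, sib_s)
    return h == root[0] and s == published_total
```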

A Practical Security Framework

Here's how I think about crypto custody, and what I'd recommend to anyone who asks:

Amount you'd forget about if you lost it → Exchange is fine. The convenience is worth the risk for trivially small amounts.

Amount that would sting but wouldn't change your life → Software wallet with a properly secured seed phrase backup.

Amount that represents meaningful savings → Hardware wallet. Non-negotiable.

Amount that represents generational wealth → Multisignature setup with geographic distribution of keys, professional inheritance planning, and steel seed phrase backups.

The common thread across all of these except exchange custody: you control the private keys. The moment you take custody of your own keys, you eliminate the entire category of exchange risk — hacks, fraud, insolvency, regulatory freezes, withdrawal restrictions — that has destroyed billions of dollars in value.

That's not a theoretical benefit. It's a lesson paid for in real money, by real people, over and over again.

The Uncomfortable Conclusion

Here's the honest truth that exchanges don't advertise: the most secure place for your Bitcoin is not on their platform. It's in your own hands, protected by your own keys, backed up with your own recovery plan.

Self-custody requires more effort than leaving your coins on Coinbase. It requires learning how hardware wallets work. It requires understanding seed phrases and backup procedures. It requires taking responsibility for your own financial security in a way that the traditional banking system has never asked of you.

But the history of this industry — Mt. Gox, QuadrigaCX, Celsius, Voyager, FTX, Bybit — has shown us, over and over again, that third-party custody is the single largest point of failure in the cryptocurrency ecosystem. Not smart contract bugs. Not blockchain vulnerabilities. People and institutions.

You can wait for the next exchange collapse. Or you can take control now.

In the next article, we'll go deep into exactly how to set up advanced self-custody: hardware wallets, multisig configurations, seed phrase protection with steel backups, air-gapped signing, and inheritance planning so your Bitcoin is accessible to your heirs. Practical, step-by-step, no basics skipped.

Your keys. Your coins. No one else's problem.


Written by

Adhen Prasetiyo

Research bug bounty professional, freelance at HackerOne, Intigriti, and Bugcrowd.
