
When an exchange gets hacked, whether user funds are recoverable isn't determined in the moment of the breach — it's determined by decisions the exchange made years earlier about custody architecture, reserve ratios, and insurance mechanisms.
That might sound backwards. But the hack itself is just the trigger. The actual outcome for users depends on what structure was in place before the attack.
A centralized exchange doesn't give you direct access to on-chain assets. When you deposit crypto on Coinbase, Binance, or Kraken, you're handing over the asset and receiving an internal ledger entry in return. The exchange holds the private keys. Your balance is a promise, not an on-chain position.
This is the fundamental custodial trade-off: you get convenience — fast withdrawals, no seed phrase management, fiat on-ramps — and in return you introduce counterparty risk. The exchange can be hacked, can mismanage funds, or can fail.
When an exchange gets hacked, what attackers are targeting is those private keys — specifically the keys for hot wallets.
Professional exchanges keep the majority of user funds in cold storage: private keys that are physically offline, often in hardware security modules, sometimes across geographically distributed vaults. Cold storage funds can't be accessed remotely. Executing a withdrawal from cold storage is a manual, multi-step process.
Hot wallets are the operational float — funds kept online so the exchange can process withdrawals without manual intervention. They're necessary for liquidity, but they're the exposure point. If attackers compromise an exchange's infrastructure, the hot wallet is the accessible target.
A well-run exchange might keep 90–95% of funds in cold storage and 5–10% in hot wallets. That ratio is the single biggest determinant of how bad a hack can get.
Attacks on exchanges are usually sophisticated and multi-stage. Common vectors: social engineering employees who have access to key management infrastructure; phishing campaigns that compromise admin credentials; supply chain attacks infiltrating software vendors or cloud services; and in some cases, compromising the signing infrastructure itself.
The Bybit hack in February 2025 — roughly $1.5 billion in ETH, attributed to North Korea's Lazarus Group — worked by compromising the signing interface used to authorize multisig transactions. The UI displayed what looked like a legitimate routine transfer; the transaction being signed was actually a replacement for the multisig contract logic that drained the hot and warm wallet balances. Bybit's cold storage wasn't touched. But the warm wallet exposure was significant.
The Binance hack in May 2019 was more direct: attackers used a combination of phishing and malware to gather API keys and 2FA codes over time, then executed a coordinated withdrawal of 7,000 BTC — roughly $40 million at the time — in a single transaction.
Mt. Gox, between 2011 and 2014, lost approximately 850,000 BTC through a prolonged breach combined with internal management failures. It wasn't publicly discovered until the exchange collapsed entirely in early 2014.
Outcomes vary enormously depending on what infrastructure existed before the hack.
Case 1: Exchange has a sufficient insurance or reserve fund. Binance operates a Secure Asset Fund for Users (SAFU), funded from a percentage of trading fees since 2018. At the time of the 2019 hack, the fund was sufficient to cover the $40M loss in full. Users experienced no losses. Bybit similarly covered the 2025 losses — securing bridge loans and managing the situation — without user impact.
Case 2: Exchange is solvent but lacks pre-built insurance. Bitfinex was hacked in August 2016 — 119,756 BTC, about $72M at the time. The exchange survived but couldn't absorb the loss from its own reserves. Their approach: issue tokens (BFX) representing the proportional loss, then gradually redeem those tokens over roughly eight months as revenue was generated. Users accepted a temporary haircut and were eventually made whole.
Case 3: The exchange fails. Mt. Gox is the defining case. After suspending withdrawals in February 2014 and disclosing that 850,000 BTC had been lost, users became unsecured creditors in a Japanese bankruptcy proceeding. Partial recovery took a decade — Mt. Gox creditors began receiving partial BTC distributions in 2024. At 2024 prices, some received far more value than their original dollar claims, but only because of BTC's price appreciation, not because they were made whole in any legal sense.
The key variable is exchange solvency. If the exchange has sufficient reserves after the hack — insurance fund, assets, credit lines — users typically recover. If not, bankruptcy proceedings take over.
Crypto exchange losses don't have an FDIC equivalent. Traditional bank deposits in the US are insured up to $250,000 per depositor per institution. No mandatory, comprehensive equivalent exists for centralized crypto exchanges in most jurisdictions.
Some exchanges hold insurance through Lloyd's of London or similar providers covering their hot wallet holdings specifically. But coverage limits are generally well below total custodied assets — and this insurance is voluntary, not required.
Proof of Reserves — cryptographic attestations that an exchange holds the assets it claims — has become increasingly common since the FTX collapse in late 2022. Exchanges including Binance and Kraken publish Merkle tree-based proof of reserve attestations. These confirm solvency at a point in time but don't independently verify liability structure or cold storage security practices.
The EU's MiCA regulation, which came into force across 2024–2025, includes requirements for crypto asset service providers around segregation of customer funds and minimum capital requirements. US regulatory clarity on exchange custody standards remains unsettled as of mid-2026.
Hardware signing security has improved among major exchanges following the Bybit incident. Multisig signing infrastructure with hardware-isolated signing environments is now more standard among the tier-one players.
Confirmation: exchanges maintaining verified reserve ratios above 1:1, insurance funds tracked publicly, no material user losses from subsequent incidents at major regulated exchanges.
Invalidation: a major exchange failing where verified proof-of-reserve attestations had previously confirmed full backing — this would break the logical chain that PoR provides meaningful assurance. Or a cold storage breach at scale, which hasn't been documented at any major exchange.
Now — custodial risk is a present variable. The Bybit incident in early 2025 demonstrated that even sophisticated, well-funded exchanges with good security practices can lose significant sums from warm wallet exposure. Proof of reserve verification is worth checking for any exchange holding significant assets.
Next — regulatory custody standards across major jurisdictions will determine whether exchange insurance requirements become mandatory. MiCA implementation in Europe is the leading indicator.
Later — institutional-grade insurance products for custodied crypto may emerge, but the market for insuring concentrated custody risk at scale is nascent.
This post covers hacks of centralized exchanges — external attackers compromising hot wallet or signing infrastructure. It doesn't cover exchange insolvencies caused by fund misappropriation (FTX is the relevant example), DeFi protocol exploits, or losses from market conditions. "Not your keys, not your coins" is accurate as a technical description of custodial risk, but not always practically actionable — most users hold some assets on exchanges. Understanding what structure an exchange has in place before something goes wrong — insurance fund, cold storage ratio, proof of reserves — is a more useful frame than treating all custodial arrangements as equivalent.




