Study: 54% of Crypto Exchanges Have Security Holes — Coinbase Tops Rankings

Study: 54% of Crypto Exchanges Have Security Holes — Coinbase Tops Rankings

N
News Editor 01
2026-07-09 02:20:19
A 2018 study by ICOrating.com reveals that 54% of cryptocurrency exchanges have at least one security vulnerability, including weak passwords, lack of 2FA, and poor domain security. Only 46% meet basic parameters. Coinbase scores 89/100, while Okcoin.cn ranks last with 15.
cryptocurrency exchangesecurity vulnerabilitieshackingCoinbaseICOrating

A comprehensive security assessment of 100 cryptocurrency exchanges with daily trading volumes exceeding $1 million has found that 54% of platforms suffer from at least one security flaw, exposing both the exchange and its users to potential attacks. The study, conducted by ICOrating.com and published in October 2018, evaluated password policies, two-factor authentication (2FA), email verification, and domain security measures.

Weak Password Policies: A Fundamental Failure

One of the most striking findings relates to password security. 41% of exchanges allow passwords with fewer than 8 characters, and 37% accept passwords consisting of only digits or only letters, significantly lowering the barrier for brute-force attacks. Furthermore, 5% of exchanges permit account creation without email verification, while 3% lack any form of two-factor authentication. Alarmingly, only 46% of exchanges meet all four basic password-related security parameters analyzed in the study.

These deficiencies are particularly concerning given the history of exchange hacks. Since the infamous Mt. Gox incident, billions of dollars in cryptocurrency have been stolen due to security lapses. As recently as the Zaif hack in September 2018, weak security practices were exploited. The study underscores that many exchanges still fail to implement even the most elementary protections that are standard in traditional financial services.

Domain Security: A Neglected Attack Vector

Beyond account-level security, the research examined domain registration and DNS protection. Only 2% of exchanges use registry lock, a mechanism that prevents unauthorized changes to domain registration records. Similarly, just 10% of exchanges implement DNSSEC, which protects against DNS cache poisoning — an attack vector previously used to compromise platforms like MyEtherWallet, resulting in significant user losses.

When evaluating five best-practice criteria for domain security (including registry lock, DNSSEC, and other registrar safeguards), a mere 4% of exchanges achieved compliance in four out of five areas. This indicates that even platforms with robust password policies often have weak domain security, leaving them vulnerable to phishing and redirection attacks that can bypass login protections entirely.

Exchange Security Rankings: Coinbase Leads, Okcoin Trails

ICOrating.com aggregated all security factors into a single score for each exchange. No platform scored above 90 out of 100. Topping the list was Coinbase with 89 points, followed by Kraken at 80, and Bitmex and Gopax tied for third at 78. Other notable exchanges include Cobinhood (8th), Ethfinex (12th), Bittrex (13th), and Binance (17th).

At the bottom of the rankings, Okcoin.cn scored a mere 15 points, the lowest among all exchanges surveyed. The hacked exchange Zaif received 29 points, while Bithumb scored 34, and Mercatox managed 25. The wide disparity in scores highlights that even large-volume exchanges can have serious security gaps.

While the study does not cover advanced measures such as dynamic IP verification, withdrawal whitelist checks, or cold storage ratios, it provides a critical baseline assessment. The researchers note that the overall security health of crypto exchanges requires substantial improvement, and users should prioritize platforms that demonstrate strong fundamentals in these areas.

As the cryptocurrency industry matures, exchange security remains a paramount concern. With regulatory scrutiny increasing globally, exchanges that fail to address these vulnerabilities may face not only reputational damage but also legal consequences. For traders, choosing an exchange with robust password policies, mandatory 2FA, and strong domain security is essential to safeguarding digital assets.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.