A new review of cryptocurrency exchange security suggests that many trading platforms still fall short on basic cyber defenses despite years of high-profile hacks. In a report covering 100 exchanges with daily trading volume above $1 million, ICOrating found that 54% of platforms showed poor security in at least one area, highlighting persistent weaknesses across the sector.
The findings are notable because exchange breaches have remained a recurring problem throughout the history of digital assets, from the collapse of Mt. Gox to more recent incidents such as the hack of Zaif. As the value of crypto assets has grown, platforms have had stronger financial incentives to improve operational security. Even so, the report indicates that many exchanges still fail to implement some of the most basic protections expected by users.
Basic account protections remain inconsistent
Among the most concerning observations were weak password policies and gaps in account verification. According to the report, 41% of exchanges allowed passwords shorter than eight characters. Another 37% accepted passwords made up of only letters or only numbers, a practice that can materially reduce account security. In addition, 5% of exchanges allowed accounts to be created without email verification, while 3% did not offer two-factor authentication (2FA).
When these four basic standards were combined, the result was still underwhelming: only 46% of exchanges met all four parameters. For an industry built around digital custody and online transactions, the data suggests that core account-level defenses are far from universal.
Domain and registrar security are even weaker
ICOrating also examined exchange security at the registrar and domain level, an area that often receives less public attention but can be crucial in preventing phishing and infrastructure attacks. The report looked at whether exchanges used protections such as registry lock, which can help block unauthorized changes to domain registration records, and DNSSEC, which is designed to reduce the risk of DNS cache poisoning.
The results were especially poor in this category. Just 2% of exchanges used registry lock, and only 10% had implemented DNSSEC. Overall, only 4% of exchanges were found to follow best practice in four out of five domain-security areas. These figures indicate that while exchanges may focus on wallet management and user authentication, many still underinvest in protecting the web infrastructure that users rely on to access the platform in the first place.
This matters because attacks on DNS and domain systems can redirect users to malicious websites, opening the door to credential theft and unauthorized withdrawals. The report noted that such techniques have previously been used against crypto-related services, making weak domain security a meaningful concern rather than a theoretical one.
Coinbase leads, but no exchange reached 90 points
To provide a broader comparative view, ICOrating published an aggregate security ranking for all 100 exchanges in the study. No platform scored 90 out of 100 or higher, suggesting that even the best-performing exchanges still had room to improve.
Coinbase ranked first with a score of 89, making it the highest-rated exchange in the report. Kraken followed with 80, while Bitmex and Gopax shared third place at 78. Other exchanges specifically noted in the rankings included Cobinhood in 8th place, Ethfinex in 12th, Bittrex in 13th, and Binance in 17th.
At the lower end of the table, Okcoin.cn ranked last with a score of 15. Other weak performers mentioned in the report included Mercatox at 25, Zaif at 29, and Bithumb at 34. The spread between top-ranked and bottom-ranked platforms illustrates how uneven security implementation remains across the exchange market.
A useful snapshot, not a full audit
ICOrating described the study as a detailed look at exchange security practices, but the report also has clear limits. It did not attempt to assess every protective measure that could affect platform safety. For example, it did not cover features such as dynamic IP verification, withdrawal confirmation controls, or other operational safeguards that may materially affect overall risk.
That distinction is important. A lower score in the report does not necessarily capture every internal control an exchange may use, just as a higher score does not mean a platform is immune from attack. Instead, the ranking serves as a snapshot of visible and testable security practices across a broad sample of exchanges.
Even with those limitations, the findings point to a larger industry issue: security messaging often exceeds actual implementation. Many exchanges publicly emphasize trust and protection, yet basic measures such as password enforcement, email verification, 2FA availability, and domain hardening are still missing or inconsistently applied on a significant number of platforms.
Why the findings matter for the industry
The report arrives in the context of a crypto market that has matured considerably since Bitcoin’s early years, but one where exchange hacks continue to shape user behavior and regulatory scrutiny. Security failures at centralized trading venues can affect not only direct customers but also broader market confidence, especially when losses are large or recovery is uncertain.
For traders, the takeaway is straightforward: platform selection should involve more than liquidity and listed assets. Visible security controls still matter, and the absence of simple defenses can be an early warning sign. For exchanges, the message is equally clear. As competition increases and users become more selective, weak cybersecurity practices are no longer just an internal risk—they are a reputational liability.
Ultimately, the report suggests that the crypto exchange industry has made progress, but not enough. Years after some of the sector’s most damaging breaches, a large share of platforms still appears vulnerable in areas where stronger protection should already be standard practice.

