A new security review of cryptocurrency exchanges suggests that basic defensive practices remain uneven across the industry, despite years of high-profile hacks and repeated warnings about operational risk. According to ICOrating, which examined 100 exchanges with daily trading volume above $1 million, 54% of platforms showed poor security in at least one area. The findings point to a market where many exchanges still fall short on baseline protections that users often assume are standard.
The report arrives against a familiar backdrop. From the early Mt Gox era to more recent breaches such as the attack on Zaif, exchange security has remained one of the most persistent vulnerabilities in crypto infrastructure. As digital assets increased in value, the expectation was that platforms would harden their defenses accordingly. ICOrating’s assessment, however, indicates that many have not consistently implemented even the most basic controls.
Basic account protections remain inconsistent
One of the clearest takeaways from the study is that weak password policies are still common. ICOrating found that 41% of exchanges allowed passwords shorter than eight characters, a threshold generally considered too low for strong account protection. In addition, 37% of exchanges permitted passwords made up of only numbers or only letters, further reducing resistance to brute-force and credential-stuffing attacks.
The review also identified gaps in account onboarding and authentication. 5% of exchanges allowed accounts to be created without email verification, while 3% did not offer two-factor authentication (2FA). These are notable findings because both measures are widely seen as foundational safeguards for online financial platforms. In an environment where user accounts can directly control access to valuable digital assets, the absence of such controls materially increases risk.
When ICOrating combined these four basic parameters into a single benchmark, the result was sobering: only 46% of exchanges met all four requirements. That means fewer than half of the platforms reviewed satisfied what many users would likely consider the minimum standard for account-level security.
Domain and registrar security are even weaker
The report went beyond user login protections and looked at exchange security from an infrastructure perspective, including registrar and domain protections. These measures matter because attackers do not always target wallets or credentials directly; in some cases, they compromise the web layer itself, redirecting users to fraudulent destinations or manipulating traffic through domain-level attacks.
Among the features reviewed were registry lock, which helps prevent unauthorized changes at the domain registry level, and DNSSEC, which is designed to reduce the risk of DNS cache poisoning. The importance of these protections is not theoretical. Domain and DNS weaknesses have been used in prior attacks against crypto-related services, including the kind of vector that has affected platforms such as Myetherwallet.
ICOrating found that domain security adoption was particularly low. Just 2% of exchanges used registry lock, and only 10% implemented DNSSEC. More broadly, only 4% of exchanges followed best practice in four out of five domain-security areas reviewed. These numbers suggest that for many exchanges, the public-facing access layer remains underprotected, leaving room for attackers to exploit weaknesses outside the core trading engine or custody stack.
No exchange reached 90 points
To summarize overall performance, ICOrating published an aggregated security ranking covering all 100 exchanges in the study. No platform scored 90 out of 100 or higher, underscoring the report’s broader conclusion that there is substantial room for improvement across the sector.
Coinbase ranked first with a score of 89, coming closest to the 90-point mark. Kraken followed with 80, while Bitmex and Gopax shared third place at 78. Other notable placements included Cobinhood in 8th, Ethfinex in 12th, Bittrex in 13th, and Binance in 17th. The spread in scores illustrates how uneven exchange security remains, even among recognizable names in the industry.
At the bottom of the ranking, Okcoin.cn scored just 15 out of 100. Other low-scoring exchanges highlighted in the report included Mercatox at 25, Zaif at 29, and Bithumb at 34. The presence of hacked or controversial platforms among the weaker performers reinforces the broader message that security shortcomings often become visible only after an incident has already occurred.
A snapshot, not a full audit
ICOrating noted that its study was detailed but not exhaustive. The methodology did not include every defensive control that might matter in practice, such as dynamic IP verification, withdrawal checks, or other operational safeguards exchanges may deploy behind the scenes. As a result, the rankings should be read as a structured snapshot of visible and measurable security practices rather than a complete audit of each platform’s internal systems.
Even with that limitation, the report remains significant because it evaluates core protections that are both observable and highly relevant to user risk. Password requirements, email verification, 2FA availability, registry protection, and DNS hardening are not exotic features. They are basic components of a mature security posture. If many exchanges are still falling short on these elements, the gap between market branding and actual defensive readiness may be wider than many traders assume.
What the findings mean for users and the industry
For users, the message is straightforward: exchange selection should involve more than liquidity, token listings, or name recognition. A platform’s security configuration—especially around authentication and domain protection—can be just as important as trading features. Users should favor exchanges that enforce stronger password standards, require email verification, support robust 2FA, and demonstrate credible infrastructure protection.
For the industry, the study highlights a persistent credibility problem. Crypto platforms often present themselves as security-conscious businesses, but the report suggests many still have not normalized basic standards. After years of breaches involving losses worth hundreds of millions of dollars, the expectation would be stronger, more uniform implementation of baseline controls. Instead, the data points to continued fragmentation, with some exchanges approaching best practice while many others lag behind.
Ultimately, the ICOrating findings do not imply that every low-ranked exchange will be hacked or that every high-ranked exchange is fully secure. What they do show is that the sector still has a broad structural security deficit. Until stronger practices become universal rather than optional, exchange risk will remain one of the defining challenges of the cryptocurrency market.

