If you keep crypto on an exchange, what you actually hold is not Bitcoin, not Ethereum, and not Solana. What you hold is a promise — an IOU in the exchange's database that says "we owe you X coins."
That IOU is only as good as the company behind it. When an exchange fails, the cause can be fraud, insolvency, poor controls, or a hack. The common risk is that your exchange balance is a custodial claim, not coins you directly control.
This isn't theory. Three prominent examples show the pattern clearly — each tells you something different about how exposed your exchange balance really is.
FTX (2022): The IOU That Had Nothing Behind It
In November 2022, FTX — at the time one of the largest exchanges by volume — filed for Chapter 11 bankruptcy. The headline was that billions of dollars of customer funds had vanished.
But the real story is worse. FTX's collapse was not primarily a wallet hack; it was driven by misuse of customer funds, although unauthorized transfers also occurred around the bankruptcy. Alameda Research, the sister trading firm, was borrowing customer deposits without meaningful collateral. When the run started, there was simply nothing left.
The reality for users: Withdrawals had already been halted around the collapse and bankruptcy filing, leaving users unable to access balances that still appeared in the database. The exchange held nowhere near enough actual crypto to cover what it owed.
Recovery status (2025–2026): Because FTX had recoverable assets (investments, real estate, seized funds), bankruptcy administrators clawed back billions of dollars. As of late 2024, a court-approved plan allowed for many customer claims to receive at least 118% of their petition-date USD claim value, not the same crypto amount — meaning most are expected to recover more than the USD value of their account when FTX filed. The first distributions began in early 2025.
The important caveat: recovery is based on the USD value at the November 2022 bankruptcy date, not the coins themselves. Someone who held 10 BTC on FTX gets the dollar-equivalent at the time of filing plus interest — not 10 BTC back. If Bitcoin's price rose significantly since then, they miss that upside entirely.
Mt. Gox (2014): The One Where the Coins Were Actually Stolen
Mt. Gox once handled the vast majority of global Bitcoin trading volume. In early 2014, it stopped processing withdrawals. It turned out that roughly 850,000 BTC had been stolen over years through a combination of security failures; transaction malleability was cited at the time, but the exact causal breakdown remains disputed.
The coins were literally gone from the exchange's wallets. Some were later recovered (about 200,000 BTC were found in an old cold wallet), but the vast majority never came back.
The reality for users: Mt. Gox users waited over a decade to see any recovery. The first repayments to creditors began around 2024–2025, and as of 2026 the process is still ongoing — the rehabilitation trustee has extended the repayment deadline to October 31, 2026. Many early Bitcoiners who lost coins on Mt. Gox missed the entire 2017 and 2021 bull runs — a compound opportunity cost far larger than the dollar value at the time of the collapse.
The lesson: Even an exchange that appears dominant and trustworthy can have a critical security vulnerability you'll never know about until withdrawals stop.
Celsius (2022): When "Earn" Means "You Loaned Them Your Coins"
Celsius was not a spot exchange — it was a crypto lender. Users deposited crypto into "Earn" accounts promising high yields. The terms of use, however, made something crucial clear: when you deposited into an interest-bearing account, you transferred ownership of the coins to Celsius.
When Celsius filed for bankruptcy in July 2022, a bankruptcy judge confirmed that coins in Earn accounts were property of the bankruptcy estate, not the depositors. Customers in separate custody-style accounts — a feature Celsius added during regulatory pressure — generally had a stronger path to asset return than Earn account holders.
The reality for users: Hundreds of thousands of Celsius customers with Earn accounts became unsecured creditors. Their odds of full recovery were far lower than FTX's, and the process has been slower and messier.
The lesson: Reading the terms of service is not optional. The second an exchange offers "yield" or "staking rewards" on deposited crypto, you may have legally given up ownership — even if the UI calls it "your balance."
No FDIC-Style Protection Exists for Exchange Crypto Balances
If your bank collapses in the US, the FDIC insures deposits up to $250,000. If a SIPC-member brokerage fails, SIPC can protect missing securities and cash up to its limits, but it is not the same as FDIC deposit insurance and does not cover market losses.
Crypto assets held on an exchange are not FDIC-insured bank deposits. SIPC generally does not protect digital or crypto assets that do not qualify as securities, and it does not protect against crypto market losses. The FDIC does not insure crypto products.
Some exchanges advertise "insurance policies" — and these are real, but limited. They typically cover losses from a breach of the exchange's own hot wallets, not from fraud, mismanagement, or bankruptcy. They are also usually capped at a small fraction of total assets under management. An exchange's insurance policy does not protect your specific balance in a Chapter 11 proceeding.
What Actually Protects Your Crypto?
There is no perfect solution, but there are layers of protection that dramatically reduce your risk.
1. Self-Custody ("Not Your Keys, Not Your Coins")
This is the most effective protection. If you hold the private keys, no exchange bankruptcy can touch your coins.
- A hardware wallet (Ledger, Trezor, Coldcard, etc.) keeps your keys offline
- A software wallet (Exodus, Electrum, or a wallet from the blockchain's own team) keeps them on your device — not on a server
- Paper wallets are sometimes discussed as a low-tech option, but for most beginners a reputable hardware wallet plus secure seed backup is usually safer
The trade-off is responsibility: you lose your seed phrase, you lose your coins. There is no "forgot password" button. Self-custody removes exchange risk but introduces personal risk — seed phrase management, phishing, and inheritance planning become your problem.
If self-custody feels intimidating, you can use CryptoToolbox's Kaspa Wallet Checker or check any address without exposing your private keys — read-only address checks do not require private keys, though users should still avoid entering seed phrases or sensitive wallet metadata into unfamiliar sites.
2. Proof of Reserves — But Read It Carefully
After FTX, several major exchanges began publishing Merkle-tree-based Proof of Reserves (PoR) reports. A well-scoped PoR can help verify, at a point in time, that specified on-chain assets cover specified customer liabilities included in the review.
What it does: Provides a cryptographic snapshot that the exchange's on-chain holdings match its stated customer liabilities at audit time.
What it doesn't do: Prove full corporate solvency or rule out hidden liabilities. A PoR is a point-in-time check, not a guarantee of future solvency. It doesn't prevent fraud, hacks, or the draining of wallets between audits.
Some exchanges, like Kraken, have maintained regular, audited PoR reports for years. Others adopted them reactively after FTX. A PoR is better than none — but it is not self-custody.
3. Cold Storage Percentage
Many major exchanges emphasize cold-storage practices — keeping the large majority of customer assets in offline, air-gapped, geographically distributed wallets. This protects against hot wallet hacks.
But cold storage does not protect you in bankruptcy. In some bankruptcy proceedings, whether customer assets are treated as estate property depends on the exchange's terms, custody structure, segregation practices, and applicable law. For instance, Celsius's Earn accounts were ruled estate property because the terms transferred ownership, while separate custody accounts were returned to users.
4. Regulatory Jurisdiction (A Nuanced Protection)
An exchange registered in a jurisdiction with strong crypto custody rules (like New York's BitLicense framework, or the EU's MiCA) faces stricter segregation requirements. Under MiCA custody rules, crypto-asset service providers (CASPs) must make arrangements to safeguard ownership rights of clients' crypto-assets and prevent use for their own account, and may not use clients' crypto-assets except with prior explicit consent. This makes it harder — though not impossible — for customer assets to be swept into a bankruptcy estate.
This is not automatic protection. It depends on the specific legal structure, jurisdiction, and whether the exchange actually complied with the rules (many that failed did not).
5. Insurance (Limited But Real)
Some exchanges carry commercial crime insurance that covers losses from theft or hack of hot wallets. Coinbase, for example, says it carries crime insurance for a portion of digital assets held in its custody.
The limits: Crypto is not FDIC or SIPC insured. Insurance policies have exclusions (fraud by executives, smart contract bugs, regulatory action). They cover specific events, not general insolvency. And the policy pays out to the exchange, which then distributes to customers — meaning you're still dependent on the exchange's solvency to receive your share.
How to Reduce Exchange Risk
If you want to lower your exchange risk exposure:
- Move long-term holdings off exchanges entirely — into a hardware wallet you control
- Keep only trading/swap funds on exchanges — and only as much as you're willing to lose
- Use read-only wallet checkers like CryptoToolbox's Alephium Wallet Checker to monitor your balances without exposing private keys
- For tools that need exchange data, use the Portfolio Rebalancing Calculator with API keys that have view-only permissions
Even self-custody has risks — seed phrase loss, phishing, hardware failure. The goal is not eliminating all risk, but understanding where each risk lives and choosing the trade-offs consciously.
The Bottom Line
The three big exchange collapses — Mt. Gox (2014), FTX (2022), Celsius (2022) — each failed differently, but the outcome was similar for users: their "balance" was frozen, and they became creditors in a years-long legal process.
The crypto industry has responded with Proof of Reserves, better custodial standards, and (in some jurisdictions) stronger regulation. But none of these change the fundamental truth: when an exchange holds your coins, you hold an IOU.
The day that IOU stops being honored is the day you find out whether the exchange actually had your coins or not. You don't want to find out that way.
Not financial advice. This article is for educational purposes only. Cryptocurrency held on exchanges carries custodial risk. Self-custody requires secure seed phrase management — lost keys cannot be recovered.
