Are Crypto Exchanges Safe? Hack History & Track Record Compared (2026)
An honest, data-backed look at the biggest crypto exchange security events — Bybit, Mt. Gox, Coincheck, KuCoin, Binance, Crypto.com and the FTX collapse — and what actually makes an exchange safe. The key signal isn’t whether it was ever hacked, but whether it made users whole and stayed transparent. Figures as of June 2026, with sources.
Updated June 2026 · Nakta
Quick answer
- Almost every major crypto exchange has faced a security incident — so “has it been hacked?” is the wrong question. What matters is whether it made users whole and stayed transparent.
- By that measure, exchanges still trusted today absorbed serious hacks: Bybit (2025, ~$1.4B — the largest ever, users made whole), KuCoin (2020, ~$281M, made whole), Binance (2019, ~$40M, covered by SAFU), Coincheck (2018, ~$534M, reimbursed).
- The worst user outcomes were not hacks. Mt. Gox (2014, ~850k BTC) was hacked into insolvency, and FTX (2022) was outright fraud — both caused permanent user losses a “clean record” would not have prevented.
- The real safety signals are: a crisis track record of reimbursing users, proof of reserves, an insurance/emergency fund, regulatory standing, and strong cold-storage design.
- Your own account is usually the bigger risk than an exchange hack — use app-based 2FA and withdrawal whitelists, and move large or long-term holdings to self-custody (“not your keys, not your coins”).
- This page gives the full incident table, the signals that matter, the honest caveats and sources. Not investment advice.
What this page covers
1. The finding: crisis response, not a clean record, signals safety
2. Exchange security at a glance
3. Full record: major exchange hacks & how they were handled (2026)
4. How to judge if an exchange is safe today
5. Three findings that contradict the hype
6. The caveats: what this data does and doesn’t capture
7. Where to sign up (security points stated honestly)
8. Next steps
1. The finding: crisis response, not a clean record, signals safety
2. Exchange security at a glance
3. Full record: major exchange hacks & how they were handled (2026)
4. How to judge if an exchange is safe today
5. Three findings that contradict the hype
6. The caveats: what this data does and doesn’t capture
7. Where to sign up (security points stated honestly)
8. Next steps
1. The finding: crisis response, not a clean record, signals safety
“Is this crypto exchange safe?” is the most important question a beginner can ask — and the honest answer isn’t found by asking whether an exchange has ever been hacked. Almost every major one has faced a security incident. What actually separates a safe platform from a dangerous one is how it responded: whether it made users whole, and how transparent it was.
Here is the core record of the largest exchange security events, as of June 2026:
| Event | Year | Amount | Outcome for users |
|---|---|---|---|
| Bybit | 2025 | ~$1.4B (largest ever) | Made whole — covered via reserves/loans; withdrawals stayed open |
| Coincheck | 2018 | ~$534M (NEM) | Reimbursed — exchange still operates (now under Monex) |
| KuCoin | 2020 | ~$281M | Made whole — ~84% recovered plus insurance |
| Binance | 2019 | ~$40M (7,000 BTC) | Made whole — covered by the SAFU insurance fund |
| Mt. Gox | 2014 | ~850,000 BTC | Collapsed — bankrupt; creditors still being repaid years later |
| FTX (not a hack) | 2022 | ~$8B shortfall | Fraud/insolvency — users lost access; bankruptcy repayments ongoing |
The one-line takeaway: the safest exchanges in this list aren’t the ones that were never attacked — they’re the ones that reimbursed every user and kept operating transparently (Bybit 2025, Binance 2019, KuCoin 2020, Coincheck 2018). The real disasters were Mt. Gox (hacked into insolvency) and FTX (not hacked at all — it was fraud). Judge an exchange by its crisis response and its custody model, not by a spotless-looking record. Figures as of June 2026; verify the current security posture on official sources.
2. Exchange security at a glance
The headline picture at a glance:
◉Crypto Exchange Security RecordWhat the hack history actually tells you — as of June 2026
| Largest hack ever | Bybit, Feb 2025 — ~$1.4B (users made whole) |
| The real safety signal | Not “never hacked” — but “made users whole + transparent” |
| Cautionary collapse | FTX 2022 — not a hack, but fraud/insolvency; users lost funds |
| Defunct after hack | Mt. Gox (2014, ~850k BTC) — creditors still being repaid |
| Best protection | Self-custody for large holdings + 2FA on the exchange |
| Insurance funds | Binance SAFU ≈ 15,000 BTC (~$1B), BTC-backed |
| As of | June 2026 (verify current security posture officially) |
The pattern below is the single most useful lesson in exchange safety: a hack is survivable for users if the exchange is solvent, insured and honest; an exchange that is insolvent or fraudulent is fatal even without a hack. That reframes the question from “has it been hacked?” to “could it make me whole if something went wrong — and would it tell me the truth?”
3. Full record: major exchange hacks & how they were handled (2026)
The full record of major centralized-exchange security events and how each was handled, as of June 2026. “Made whole” means users did not bear the loss.
| Exchange | Year | Loss | What happened | Outcome |
|---|---|---|---|---|
| Bybit | 2025 | ~$1.4–1.5B | North Korea’s Lazarus Group exploited the signing process for a multi-signature cold wallet — the largest crypto theft in history. | Users made whole. Bybit covered the gap via reserves and partner loans and processed withdrawals throughout. |
| Coincheck | 2018 | ~$534M | NEM (XEM) stolen from a hot wallet that lacked multi-sig — a major Japanese exchange breach. | Reimbursed. Coincheck repaid affected users and still operates (acquired by Monex Group). |
| KuCoin | 2020 | ~$281M | Hot-wallet private keys compromised; a wide range of tokens drained. | Users made whole. ~84% of funds recovered (asset freezes, token swaps) with insurance covering the rest. |
| Binance | 2019 | ~$40M (7,000 BTC) | A hot wallet was breached via phished API keys and 2FA codes. | Users made whole. Covered in full by the SAFU emergency fund (now ~15,000 BTC, ≈$1B, BTC-backed). |
| Crypto.com | 2022 | ~$35M | Unauthorized withdrawals bypassed 2FA for a number of accounts. | Reimbursed. Affected users were repaid; 2FA was overhauled. |
| Mt. Gox | 2014 | ~850,000 BTC | Years of undetected theft and mismanagement at what was then the largest exchange. | Collapsed into bankruptcy. Creditors are still receiving partial repayments more than a decade later. |
| FTX (not a hack) | 2022 | ~$8B shortfall | Customer funds were misused by the company itself — fraud and insolvency, not an external hack. | Users lost access. Bankruptcy repayments are ongoing; the founder was convicted. The cautionary tale of custodial risk. |
Sources & method: incident figures and outcomes compiled June 2026 from public reporting, exchange post-mortems and law-enforcement statements (e.g. the FBI/IC3 attribution of the Bybit hack to North Korea). Amounts are approximate at the time of each event. “Made whole” reflects public reporting that users did not bear the loss; always verify an exchange’s current security posture and reserves before depositing.
How to read this honestly: the exchanges still trusted today (Binance, Bybit, KuCoin, Coincheck) all suffered serious hacks — and earned trust by absorbing the loss and staying transparent. The two outcomes that actually destroyed users were an exchange hacked into insolvency (Mt. Gox) and one that committed fraud (FTX). Neither was prevented by a “clean” record; both were a custody-and-solvency failure. That’s the real risk to manage.
4. How to judge if an exchange is safe today
So how do you judge whether an exchange is safe today, beyond its hack history? These are the signals that actually matter.
| Signal | Why it matters |
|---|---|
| Crisis track record | Did it make users whole after past incidents, or pass the loss on? This is the single strongest predictor — it’s a revealed answer, not a promise. |
| Proof of reserves | Regular, verifiable proof that customer funds are fully backed 1:1. Post-FTX, this is a baseline expectation, not a bonus. |
| Insurance / emergency fund | A sizeable, transparent fund (e.g. Binance’s SAFU) that can absorb a breach without users bearing the loss. |
| Regulatory standing | Licensing or registration in credible jurisdictions adds oversight and recourse — though it is not a guarantee on its own. |
| Cold-storage & security design | The majority of funds in cold storage, strong key management, and account tools (2FA, withdrawal whitelists, anti-phishing codes). |
The honest hierarchy: a transparent, solvent, insured exchange that was once hacked is safer than an opaque one with a clean-looking record. Compare these signals across platforms in our best crypto exchanges guide and fees & availability comparison.
5. Three findings that contradict the hype
Three findings stand out from the data — and each corrects a common belief.
| Finding | Why it matters |
|---|---|
| 1. The biggest hack ever didn’t sink the exchange | Bybit lost ~$1.4B in 2025 — the largest crypto theft in history — yet users were made whole and the exchange kept running. Scale of loss matters far less than the exchange’s solvency and response. |
| 2. The worst user outcomes weren’t hacks | Mt. Gox and FTX caused the deepest, most permanent user losses. One was hacked into insolvency; the other was outright fraud. The lesson: custodial and solvency risk > hack risk. |
| 3. “Never hacked” is not the same as “safe” | A spotless record can mean strong security — or simply that a problem hasn’t surfaced yet. Reserves, transparency and a tested crisis response are more reliable signals than the absence of an incident. |
The pattern: the question “is this exchange safe?” is better asked as two questions — “is my money fully backed and would they cover a loss?” and “do they tell the truth when things go wrong?” An exchange that answers both well is safer than one that has simply been lucky.
6. The caveats: what this data does and doesn’t capture
A fair comparison names its limits. Here is what this data does and doesn’t capture.
| Caveat | Detail |
|---|---|
| Past response ≠ future guarantee | An exchange that made users whole before may not be able to next time. Track record is the best signal available, not a promise. |
| “No hack” can be incomplete | Exchanges with no major reported breach (e.g. Kraken, Coinbase, OKX, Gate, Bitget) have not necessarily “proven” permanent safety — verify their current reserves and security disclosures yourself. |
| Your account is the bigger risk | For most individuals, losses come from phishing and account takeover, not exchange-level hacks. App-based 2FA and withdrawal whitelists matter more than the exchange’s logo. |
| Custody is the deepest risk | Any exchange holds your keys. The FTX lesson is that “not your keys, not your coins” — for large or long-term holdings, self-custody beats any exchange. |
| Figures are approximate | Loss amounts are point-in-time estimates from public reporting and shift with price and recovery; treat them as orders of magnitude. |
Bottom line: keep only what you actively trade on an exchange, secure the account properly, and move large or long-term holdings to a wallet you control — see our wallet guide and scam-avoidance guide.
7. Where to sign up (security points stated honestly)
If you’re choosing where to trade, weigh the security signals above first. These are the exchanges we keep dashboard-verified sign-up guides for — each has made users whole through past incidents or maintains a clean reported record, with the security points noted honestly:
Bybit
Code: 5ZGKX#0
Installing the app directly? Enter 5ZGKX#0 in the “Referral” field at sign-up — that’s how your benefit (and our credit) attaches.
Largest-ever 2025 hack — users made whole, withdrawals stayed open
Binance
Code: CRYPTONAKTA
Installing the app directly? Enter CRYPTONAKTA in the “Referral” field at sign-up — that’s how your benefit (and our credit) attaches.
2019 hack covered by SAFU (now ~15,000 BTC) · 10% off fees with CRYPTONAKTA
KuCoin
Code: CXEM4JP5
Installing the app directly? Enter CXEM4JP5 in the “Referral” field at sign-up — that’s how your benefit (and our credit) attaches.
2020 hack — users made whole (~84% recovered + insurance)
OKX
Code: 46938989
Installing the app directly? Enter 46938989 in the “Referral” field at sign-up — that’s how your benefit (and our credit) attaches.
No major reported hack · proof-of-reserves published
Gate.io
Code: VFIWUQTAUQ
Installing the app directly? Enter VFIWUQTAUQ in the “Referral” field at sign-up — that’s how your benefit (and our credit) attaches.
No major reported hack · proof-of-reserves published
Affiliate disclosure: some links are partner links. We may earn a commission at no extra cost to you. This is not investment advice.
Honest reminder: no exchange is risk-free, and a referral or our coverage doesn’t change that. Secure your own account (app-based 2FA, withdrawal whitelist), keep only trading-size balances on any exchange, and treat any “guaranteed safe / guaranteed returns” pitch as a scam.
8. Next steps
The honest summary: every big exchange faces security risk, and the ones still trusted earned it by making users whole and staying transparent — Bybit through the largest hack ever in 2025, Binance via SAFU in 2019, KuCoin in 2020. The catastrophes were Mt. Gox (hacked into insolvency) and FTX (fraud), neither prevented by a clean record. So judge an exchange by its crisis response, proof of reserves and custody design, not by the absence of an incident — then reduce your own risk, which is usually the bigger one. Secure the account with app-based 2FA and withdrawal whitelists, keep only trading-size balances on any platform, and move the rest to a wallet you control. Compare platforms in our best exchanges guide and fees & availability comparison, learn the traps in the scams guide, and if you’re new to all of it, start at the complete beginner’s guide. Stay skeptical, verify reserves, and never keep more on an exchange than you’d be willing to lose.
Frequently asked questions
Q. Are crypto exchanges safe?
Major regulated exchanges are reasonably safe to trade on if you secure your own account, but none are risk-free. Almost every large exchange has faced a security incident; the safe ones made users whole and stayed transparent. The bigger risk for most individuals is account takeover via phishing, not an exchange-level hack — so app-based 2FA and withdrawal whitelists matter most, and large or long-term holdings belong in self-custody.
Q. Which crypto exchange has been hacked the most / the biggest?
The largest single theft in history was the Bybit hack of February 2025, at roughly $1.4 billion, attributed to North Korea’s Lazarus Group — and users were made whole. Other major hacks include Coincheck (2018, ~$534M), KuCoin (2020, ~$281M), Binance (2019, ~$40M) and the catastrophic Mt. Gox collapse (2014, ~850,000 BTC), which bankrupted the exchange.
Q. Did Bybit users lose money in the 2025 hack?
No. Despite losing roughly $1.4 billion — the largest crypto hack ever — Bybit covered the shortfall using its reserves and partner loans and kept withdrawals open, so users were made whole. It’s a clear example of why an exchange’s solvency and crisis response matter more than the size of a single breach.
Q. Was FTX a hack?
No. FTX’s 2022 collapse was fraud and insolvency, not an external hack — customer funds were misused by the company itself, leaving an ~$8 billion shortfall. It’s the most important cautionary tale in crypto because it shows that custodial risk (an exchange failing or lying) can be far more damaging than a hack, and a “clean” hacking record would not have protected users.
Q. How can I tell if a crypto exchange is safe?
Look for five signals: a crisis track record of reimbursing users, regular proof of reserves (funds backed 1:1), a transparent insurance/emergency fund, credible regulatory standing, and strong security design (cold storage, 2FA, withdrawal whitelists). A transparent, solvent exchange that was once hacked is safer than an opaque one with a spotless-looking record.
Q. What is Binance SAFU?
SAFU (Secure Asset Fund for Users) is an emergency insurance fund Binance created in 2018, funded from a share of trading fees, to cover users in the event of a breach. It covered the 2019 hack so users bore no loss, and as of 2026 it holds roughly 15,000 BTC (about $1 billion), now fully backed by bitcoin.
Q. Is it safer to keep crypto on an exchange or in a wallet?
For large or long-term holdings, a wallet you control is safer — “not your keys, not your coins.” An exchange holds your private keys, so you’re exposed to its solvency, honesty and security. Keeping only what you actively trade on an exchange, and moving the rest to a hardware or self-custody wallet, is the standard safe setup. See our wallet guide.
Q. Which exchanges have never been hacked?
Several major exchanges have no widely reported breach of customer funds — for example Kraken, Coinbase, OKX, Gate and Bitget — but “no reported hack” is not a guarantee of permanent safety; it can also mean a problem hasn’t surfaced. Verify each exchange’s current proof of reserves and security disclosures rather than relying on the absence of an incident.
Q. How do I protect my exchange account from being hacked?
Enable two-factor authentication with an authenticator app (not SMS), set an anti-phishing code, turn on a withdrawal-address whitelist, use a long unique password, and only ever reach the exchange by typing the address or using the official app. No exchange will ask for your password or 2FA code, and real support never messages you first. Move large balances off the exchange.
Q. Are these hack figures accurate?
They are approximate, point-in-time estimates compiled as of June 2026 from public reporting, exchange post-mortems and law-enforcement statements. Loss amounts shift with price and recovery, and details emerge over time. Treat them as orders of magnitude and verify the current security posture and reserves of any exchange on its official sources before depositing.
This page is for information and education only and is not investment, financial, legal or tax advice. Crypto is high-risk and you can lose money. The exchange security events, loss amounts and outcomes described here are approximate, point-in-time figures compiled as of June 2026 from public reporting, exchange post-mortems and law-enforcement statements; they are summaries, not a complete record, and details change over time. “Made whole” reflects public reporting that users did not bear the loss in a given incident and is not a promise of future conduct; no exchange is risk-free and past crisis response does not guarantee future outcomes. Always verify an exchange’s current security posture, proof of reserves and regulatory standing on official sources before depositing. Some links are partner links: using them costs you nothing extra and never changes what we recommend.
