One of the most important (and dangerous) characteristics of Bitcoin is that transactions are irreversible. This means that people need to be highly vigilant when sending Bitcoin to other addresses. However, just as important is where and how people store their Bitcoin. If you store your Bitcoin with a third party like an exchange, it is vital that you know the risks associated with giving your Bitcoin to a third party for safekeeping.
There have been countless exchange hacks since Bitcoin's inception. Despite exchanges following best practices for storing clients' Bitcoin, these hacks continue on a monthly basis, and there seems to be no end in sight to the threat that hackers pose to client funds. At the time of writing, there have been 57 known exchange hacks, the most recent being last month.
This is one of the most prevalent attacks we have encountered in Bitcoin; on a weekly basis we hear of people who have had their accounts cleaned out by a phishing attack. The most common form is a spam email that appears to come from the exchange where the user stores their Bitcoin. The link in the email takes the user to a fake site, usually at a URL that closely resembles the exchange's own, but the site is controlled by the fraudsters. Once the user enters their login details and two-factor code on the fake site, the fraudsters' application uses that information to log in directly to the real exchange and drain the user's account. A common misconception is that two-factor authentication prevents this; it does not. The attackers' application takes the user's 2FA code and submits it to the exchange immediately, before the code expires.
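The defensive counterpart to the lookalike-URL trick described above is to check, before entering credentials, whether a link really lands on the exchange's registered domain. The following is an added example, not code from the original article or from BitDirect: it takes a constructed list of trusted domains (the placeholder `example-exchange.com`) and classifies a link as `trusted`, `lookalike` or `unknown` by comparing the registrable part of the hostname, after collapsing common character substitutions, against each trusted domain. The two-label rule for the registrable domain is a deliberate simplification (it does not handle public suffixes such as `co.uk`).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed trust list for this example: the domains the user actually holds accounts at.
TRUSTED_DOMAINS = {"example-exchange.com"}

# Common visual substitutions used in lookalike names (constructed, not exhaustive).
# Multi-character pairs come first so "rn" collapses to "m" before single characters are touched.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_homoglyphs(name: str) -> str:
    """Collapse characters that are easily mistaken for one another."""
    for src, dst in HOMOGLYPH_PAIRS:
        name = name.replace(src, dst)
    return name


def split_host(url: str) -> tuple[str, str]:
    """Return (full hostname, registrable domain) for a URL, with or without a scheme."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    labels = host.split(".")
    # Simplification: treat the last two labels as the registrable domain.
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return host, registrable


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' if the registrable domain is one we know, 'lookalike' if it merely
    resembles one (homoglyphs, small edit distance, trusted name buried in a subdomain,
    or a non-ASCII/IDN host when all trusted domains are ASCII), else 'unknown'."""
    host, registrable = split_host(url)
    if registrable in trusted:
        return "trusted"
    if not host.isascii() or "xn--" in host:
        return "lookalike"
    for good in trusted:
        if good in host:  # e.g. example-exchange.com.verify-login.net
            return "lookalike"
        if normalise_homoglyphs(registrable) == normalise_homoglyphs(good):
            return "lookalike"
        if levenshtein(registrable, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    for link in (
        "https://example-exchange.com/login",
        "https://exarnple-exchange.com/login",
        "https://examp1e-exchange.com/",
        "https://example-exchange.com.verify-login.net/",
        "https://bitcoin.org/",
    ):
        print(f"{classify_link(link):9s} {link}")
```

Anything other than `trusted` is a reason to type the exchange's address by hand (or use a saved bookmark) instead of following the link; the check is intentionally conservative and will flag some legitimate but unfamiliar domains as `unknown`.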
A widespread misconception is that if an exchange goes into liquidation, a customer's Bitcoin is segregated from the claims of the exchange's other creditors. This is not the case. As a client of the exchange, the user is merely an unsecured creditor: the balance is effectively an IOU from the exchange to the user. In an insolvency, all users' deposits are pooled with the claims of the other creditors, and it is unlikely that users will get all of their Bitcoin back. Many exchanges could be in financial difficulty, and because they are private companies that may not have to publish their financial information, there could be shortfalls on their balance sheets that nobody outside can see.
Exchanges can be very opaque about how they handle customers' funds. The most notable example is the recent bankruptcy of FTX, which was using customer funds to make loans to other crypto businesses. When such a fraud is uncovered, the exchange goes into insolvency and the process described above follows.
Because users are not in control of their own keys, the exchange can freeze a user's account for any reason. Many exchanges treat the user as guilty until proven innocent. One of the most notable instances came with the rising conflict between Russia and Ukraine, when Coinbase instantly froze the accounts of 25,000 Russian clients.
When users rely on an exchange to store their bitcoin, they are not in control of the private keys that spend it. In the bitcoin world there is a saying: “Not your keys, not your bitcoin.” Exchanges operate a bucket account policy in which everyone's bitcoin is pooled together, and the user only sees a representation of their balance on their phone or laptop.
To check whether you are in control of your keys, enter your bitcoin address into a block explorer. If your balance is not shown against that address, you are not in control of the keys. With BitDirect, you can enter any of your bitcoin addresses into a block explorer and see your bitcoin attributed directly to your own unique address on the blockchain.
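The block-explorer check above can be scripted so that the balance a wallet app displays is compared with what the chain actually records for the address. This is an added example, not BitDirect's code or the article's: it assumes an explorer exposing the Esplora HTTP API (Blockstream's public instance is used as the base URL), whose `/address/<addr>` endpoint reports funded and spent totals in satoshis for confirmed (`chain_stats`) and mempool (`mempool_stats`) activity. The sample response and the address in it are constructed placeholders, and the fetcher is injectable so the logic runs offline.

```python
import json
import urllib.request
from decimal import Decimal

# Assumption: an Esplora-compatible explorer; Blockstream's public instance is used here.
ESPLORA_BASE = "https://blockstream.info/api"
SATS_PER_BTC = 100_000_000

# Constructed response in the Esplora shape. The address is a placeholder, not a real one.
SAMPLE_RESPONSE = {
    "address": "bc1qconstructedplaceholderaddress000000000",
    "chain_stats": {"funded_txo_count": 3, "funded_txo_sum": 250_000_000,
                    "spent_txo_count": 1, "spent_txo_sum": 100_000_000, "tx_count": 4},
    "mempool_stats": {"funded_txo_count": 1, "funded_txo_sum": 5_000_000,
                      "spent_txo_count": 0, "spent_txo_sum": 0, "tx_count": 1},
}


def looks_like_mainnet_address(addr: str) -> bool:
    """Cheap syntax check only: legacy '1...', P2SH '3...' or bech32/bech32m 'bc1...'.
    It does not verify checksums; the explorer rejects malformed addresses anyway."""
    if not addr or not addr.isascii():
        return False
    if addr.startswith("bc1"):
        return 14 <= len(addr) <= 74 and (addr == addr.lower() or addr == addr.upper())
    return addr[0] in "13" and 26 <= len(addr) <= 35


def fetch_address_stats(addr: str, opener=urllib.request.urlopen) -> dict:
    """GET /address/<addr> and parse the JSON body. `opener` is swappable for testing."""
    if not looks_like_mainnet_address(addr):
        raise ValueError(f"not a mainnet bitcoin address: {addr!r}")
    with opener(f"{ESPLORA_BASE}/address/{addr}", timeout=15) as resp:
        return json.load(resp)


def sats_to_btc(sats: int) -> Decimal:
    return Decimal(sats) / SATS_PER_BTC


def summarise(stats: dict) -> dict:
    """Net balance = funded outputs minus spent outputs, separately for confirmed and pending."""
    chain, mem = stats["chain_stats"], stats["mempool_stats"]
    return {
        "confirmed_sats": chain["funded_txo_sum"] - chain["spent_txo_sum"],
        "pending_sats": mem["funded_txo_sum"] - mem["spent_txo_sum"],
        "tx_count": chain["tx_count"] + mem["tx_count"],
    }


def custody_verdict(stats: dict, wallet_balance_sats: int, tolerance_sats: int = 0) -> str:
    """'match' if the chain agrees with what the wallet shows, 'mismatch' if it does not,
    'no_history' if the address has never been used (a displayed balance is then an IOU)."""
    s = summarise(stats)
    if s["tx_count"] == 0:
        return "no_history"
    on_chain = s["confirmed_sats"] + s["pending_sats"]
    return "match" if abs(on_chain - wallet_balance_sats) <= tolerance_sats else "mismatch"


class FakeResponse:
    """Minimal stand-in for the urlopen response object, used for offline runs."""
    def __init__(self, payload: dict):
        self._body = json.dumps(payload).encode()
    def read(self) -> bytes:
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    # Offline demonstration with the constructed response; drop `opener=` to query the live API.
    stats = fetch_address_stats(SAMPLE_RESPONSE["address"],
                                opener=lambda url, timeout: FakeResponse(SAMPLE_RESPONSE))
    s = summarise(stats)
    print(f"confirmed {sats_to_btc(s['confirmed_sats'])} BTC, pending {sats_to_btc(s['pending_sats'])} BTC")
    print("wallet shows 1.55 BTC:", custody_verdict(stats, 155_000_000))
    print("wallet shows 3.00 BTC:", custody_verdict(stats, 300_000_000))
```

A `match` means the bitcoin the app displays is really sitting at an address you hold; a `no_history` result for an address the app claims is yours is exactly the "not your keys" situation the article describes, because the balance exists only in the exchange's ledger.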