How Crypto Exchanges Work, Why They Fail, and How to Protect Yourself
A clear guide to how crypto exchanges actually handle your money, what makes them vulnerable, and how to protect yourself when using one.
Key Takeaways
- When you deposit funds on a centralized exchange, you hand over custody of your assets and become a creditor, not a depositor, which means you are exposed if the exchange fails.
- Centralized exchanges offer convenience and liquidity while decentralized exchanges offer self-custody and privacy, and each model carries real trade-offs worth understanding.
- Over $3.4 billion was stolen from crypto platforms in 2025, with the single largest hack draining $1.5 billion from one exchange in minutes.
- Choosing an exchange safely means checking regulatory status, proof of reserves, fee transparency, and cold storage practices before you deposit anything.
- Operational habits like enabling authenticator-based 2FA, testing small transactions first, and moving funds off the exchange after trading matter as much as choosing the right platform.
If you have ever bought, sold, or traded cryptocurrency, you have almost certainly used an exchange. Exchanges are the primary entry point into the crypto economy for most people. They are where fiat currency (dollars, euros, pounds) gets converted into digital assets like Bitcoin or Ethereum, and where those assets get traded between users.
But most people who use exchanges do not fully understand what happens to their money once it arrives on the platform. That gap in understanding is where mistakes happen, and sometimes, where significant losses begin. This guide explains how crypto exchanges actually work, what has gone wrong historically, and how to protect yourself whether you are just getting started or already trading regularly.
What a Crypto Exchange Actually Does
At its core, a crypto exchange is a platform that matches buyers with sellers. If you want to buy Bitcoin, the exchange finds someone willing to sell it at a price you both agree on. If you want to sell Ethereum for dollars, the exchange finds a buyer. The exchange sits in the middle, facilitating the transaction and collecting a fee for doing so.
This sounds simple enough, but the critical detail most guides skip is what happens to your money between the time you deposit it and the time you withdraw it. On a centralized exchange (the most common type), you do not hold your own cryptocurrency. The exchange holds it for you. You see a balance in your account, but the private keys that actually control those assets belong to the exchange, not to you. This is the custody model, and understanding it is the single most important thing about using an exchange.
Think of it this way: when you deposit cash at a bank, you become a depositor with legal protections (like FDIC insurance in the United States). When you deposit crypto on an exchange, you become something closer to a creditor. If the exchange goes under, your funds are not protected by any government guarantee. You are in line with every other creditor, hoping to recover what you can. This distinction has cost real people real money.
Centralized vs. Decentralized: Two Different Trust Models
There are two fundamentally different types of crypto exchanges, and the difference is not just technical. It is about who you are trusting with your money.
CENTRALIZED VS. DECENTRALIZED EXCHANGES
Centralized exchange (CEX):
- The exchange holds your private keys and controls your assets on your behalf
- An internal order book matches buy and sell orders automatically based on price
- Requires registration, identity verification (KYC), and linking a bank account or card
- Easy to use, high liquidity, fiat on-ramp, customer support available
- You trust a company with your funds. If they are hacked or mismanaged, you may lose everything
Decentralized exchange (DEX):
- You keep your private keys. Funds stay in your own wallet until a trade executes
- Smart contracts and liquidity pools handle trades directly between wallets, no middleman
- No registration. Connect a crypto wallet (like MetaMask) and start trading immediately
- Self-custody, greater privacy, no single point of failure, access to newer tokens
- No customer support, smart contract bugs, lower liquidity, harder to use for beginners
Note: Most beginners start on centralized exchanges. DEX usage has grown to roughly 21% of spot trading volume as of late 2025 (CoinGecko).
Centralized exchanges (CEXs) are run by companies. Coinbase, Binance, Kraken, and OKX are all centralized. You create an account, verify your identity, deposit money, and the exchange handles everything: order matching, custody, and transaction processing. They make trading fast and accessible, which is why most people start here. The trade-off is that you are trusting a company to safeguard your assets, and that trust has been broken more than once.
Decentralized exchanges (DEXs) work differently. Platforms like Uniswap and PancakeSwap do not hold your funds at all. Instead, they use smart contracts (self-executing code on a blockchain) to facilitate trades directly between users' wallets. There is no account creation, no identity verification, and no company in the middle. You connect your own wallet and trade peer-to-peer. The advantage is that you maintain custody of your own assets. The disadvantage is that if you make a mistake, there is no customer support to call, and smart contract vulnerabilities can still put your funds at risk.
Neither model is inherently "better." They serve different needs. Understanding which trust model you are operating under, and what risks come with it, is what matters.
How Exchanges Make Money
Exchanges are businesses, and understanding their revenue model helps you evaluate whether a platform's incentives align with your interests as a user.
Most centralized exchanges make money through several types of fees. Trading fees are the most visible: when you buy or sell, the exchange takes a small percentage of the transaction, typically structured as maker/taker fees (makers add orders to the book and usually pay less; takers fill existing orders and pay more). Deposit fees vary by payment method. Bank transfers are often free, but credit card deposits can cost 2% to 5%. Withdrawal fees apply when you move crypto off the exchange to your own wallet or to another platform. And listing fees are paid by cryptocurrency projects to get their token listed on the exchange.
That last one deserves attention. Some exchanges charge significant listing fees and may not conduct deep due diligence on every token they list. Just because a token appears on a major exchange does not mean it is legitimate or well-built. This is a common assumption that catches people off guard.
Decentralized exchanges typically charge a flat swap fee (often 0.3% per trade) that gets distributed to liquidity providers, the users who deposit their own tokens into the pools that make trading possible. There are no listing fees on most DEXs, which means the barrier to entry for new tokens is much lower, for better or worse.
What Happens When Exchanges Fail
Exchange failures are not rare outliers. They are a recurring pattern in crypto's history, and the scale has only grown over time.
[Chart: Crypto stolen from platforms by year. Sources: Chainalysis Crypto Crime Reports (2021-2026), TRM Labs]
The numbers tell a clear story: billions of dollars have been lost across the industry, and the trend is not improving. In 2025 alone, over $3.4 billion was stolen from crypto platforms, according to Chainalysis. The single largest incident was the Bybit hack in February 2025, where state-sponsored hackers (linked to North Korea's Lazarus Group) exploited hot wallet infrastructure and drained approximately $1.5 billion in Ethereum in a matter of minutes. That one breach accounted for nearly half the year's total losses.
But hacking is only part of the picture. The most instructive failure remains FTX, which collapsed in November 2022. FTX was the third-largest exchange in the world at the time, valued at $32 billion. The cause was not a hack. It was mismanagement: customer funds were quietly transferred to Alameda Research (a related trading firm) and used for high-risk investments, venture deals, and real estate purchases. When customers tried to withdraw their money, it was not there. The resulting bankruptcy left an $8 billion gap between what FTX owed and what it held.
The FTX collapse revealed a structural problem: on a centralized exchange, there is often no mechanism forcing the company to keep customer funds separate from its own operations. Without transparent reserves and independent audits, users have no way to verify that their money is actually there. This is the reason the "proof of reserves" movement gained momentum after FTX, with many exchanges now publishing cryptographic proof that they hold at least as much in assets as they owe to customers.
Before FTX, there was Mt. Gox, which was the largest Bitcoin exchange in the world when it collapsed in 2014 after losing approximately 850,000 Bitcoin to a combination of hacking and internal mismanagement. Creditors waited over a decade for partial recovery. The pattern across all of these failures is consistent: inadequate reserves, poor security practices, lack of transparency, and insufficient regulatory oversight.
How to Choose an Exchange You Can Trust
With roughly 600 cryptocurrency exchanges operating globally, many of them unregulated or lightly regulated, choosing the right platform requires more than picking the first name you recognize. Here is a structured approach to evaluating exchanges before you deposit any money.
Check regulatory status and licensing. Reputable exchanges register with financial regulators in the jurisdictions where they operate. In the United States, that means registration with FinCEN and compliance with Know Your Customer (KYC) and anti-money laundering (AML) requirements. In Europe, exchanges are increasingly subject to MiCA (Markets in Crypto-Assets) regulation. An exchange that operates without any regulatory oversight is a higher risk, full stop.
Look for proof of reserves. After the FTX collapse, many exchanges began publishing proof-of-reserves reports, which use cryptographic methods to demonstrate that the exchange holds enough assets to cover customer deposits. Not all proof-of-reserves systems are equally rigorous (some are audited by third parties, others are self-reported), but their existence is a positive signal. Their absence in 2026 is a red flag.
Understand the fee structure. Fees differ significantly between platforms. Compare trading fees (maker/taker), deposit fees (especially for credit card or PayPal), and withdrawal fees (both fiat and crypto). Some exchanges disguise costs in wider spreads rather than explicit fees, so compare the actual amount of crypto you receive for your money across multiple platforms. CoinMarketCap's exchange rankings can help you compare volume, fees, and trust scores.
Evaluate security practices. Look for cold storage policies (reputable exchanges keep 90% to 95% of customer funds offline), two-factor authentication options, and a public track record on handling security incidents. Exchanges that have been hacked before are not automatically disqualified, but how they responded matters. Did they reimburse users? Did they improve their systems?
Check supported payment methods. Make sure the exchange supports the payment methods available in your country. Look for bank transfers, card payments, and other options. The more payment methods available, the more flexibility you have for depositing and withdrawing funds.
How to Stay Safe on Any Exchange
Choosing a reputable exchange is the first step. How you use it is the second. These operational practices apply regardless of which platform you are on.
Enable two-factor authentication (2FA) immediately. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA. SMS verification is vulnerable to SIM-swapping attacks, where a hacker convinces your phone carrier to transfer your number to their device. In fact, use 2FA on every platform and app that supports it, especially anything connected to money. If a financial app does not offer 2FA, treat that as a warning sign.
Use a strong, unique password. Generate a random password of at least 12 characters with uppercase letters, lowercase letters, numbers, and special characters. Use a password manager rather than trying to memorize it. Never reuse a password from another site.
Bookmark the exchange URL in your browser. Phishing sites that mimic popular exchanges are one of the most common scam vectors in crypto. They replicate the login page exactly and capture your credentials. Always access your exchange through a bookmarked link, never through search engine results or links in emails. Apply this practice to any website where you store funds or sensitive information, including online banking.
Test small transactions first. When using an exchange for the first time, or when sending funds to a new wallet address, always start with a small test transaction. Blockchain transactions are irreversible. A typo in a wallet address, a wrong network selection (sending to the wrong blockchain), or an incorrect withdrawal setting can result in permanent loss. The small fee you pay for a test transaction is worth the assurance.
Do not leave large amounts on the exchange. Once you have completed a trade, consider moving your funds to a personal wallet for safekeeping. Exchanges are prime targets for hackers because they hold large concentrations of crypto in one place. Even exchanges that are not hacked face the risk of business failure, regulatory action, or bankruptcy. Your personal wallet (especially a hardware wallet for larger holdings) puts you in control of your own private keys.
Understand KYC and withdrawal limits. Most centralized exchanges require identity verification to comply with regulatory standards. While this process enables higher withdrawal limits and additional features, it also means trusting the exchange with personal identification documents. Make sure you are comfortable with the platform's privacy policies and security practices before submitting sensitive data.
Be careful with API keys. If you use an API key to connect your exchange account to a portfolio tracker (like CoinStats or CoinGecko), always disable the withdraw and trade permissions when creating the key. If your API key is compromised and it has withdrawal access enabled, an attacker can drain your funds directly.
Review token listings critically. Some exchanges list tokens without thorough vetting, particularly smaller platforms that profit from listing fees. A token appearing on an exchange does not mean it is legitimate. Research the project's fundamentals, team credibility, and community before investing. The Blockready crypto glossary can help you decode the terminology you encounter when evaluating new projects.
The Key Insight
When you deposit funds on a centralized exchange, you transfer custody of your assets. You become a creditor, not a depositor. If the exchange fails, there is no government insurance protecting your balance. Understanding this one fact should shape every other decision you make about how you use exchanges: which one you choose, how long you leave funds there, and how much you are willing to keep on any single platform.
The Bottom Line
Crypto exchanges are essential infrastructure. They are how most people enter the market, and they serve a real purpose by providing liquidity, price discovery, and a bridge between traditional money and digital assets. But they are not banks, they are not regulated in the same way, and they do not offer the same protections.
The exchanges that have earned trust in this industry, Coinbase, Kraken, Binance, and a handful of others, have done so by investing in security, maintaining transparent reserves, and responding responsibly when things go wrong. But even on the best platforms, your safety depends on the habits you build: enabling strong authentication, using a personal wallet for long-term storage, testing before sending, and never assuming that any single platform is too big to fail. FTX proved that assumption wrong at a cost of billions.
Understanding how exchanges work at a mechanical level is not optional knowledge. It is the foundation of using them safely. And in a space where structured knowledge is the best risk management tool available, that understanding is worth building before you need it.