Platform Risk Scores

Risk scores based on incident history, security features, and track record for major crypto exchanges, wallets, and DeFi platforms.

Total Platforms: 55
With Incidents: 3
Last Updated: April 23, 2026 at 09:42 AM

Binance

exchange · Operational · Risk score: 55/100

Binance is the largest cryptocurrency exchange by trading volume, founded in 2017. It serves over 280 million users globally and relocated its headquarters to Abu Dhabi, UAE. The platform is custodial — Binance holds private keys on behalf of users — and supports hundreds of assets across multiple blockchains.

## Security

- **Cold storage:** The majority of user assets are held in cold storage, isolated from internet-connected systems.
- **SAFU fund:** Binance maintains a $1 billion Secure Asset Fund for Users (SAFU), converted to 15,000 BTC as of early 2026. The fund is rebalanced if its value drops below $800 million.
- **Proof of reserves:** Binance publishes periodic Merkle-tree proof-of-reserves reports. As of late 2025, $162.8 billion in user assets had been verified across 45 asset categories. Reports are self-published rather than independently audited by a third party.
- **Account controls:** Two-factor authentication, withdrawal whitelisting, anti-phishing codes, and device management are available to all users.
- **Custodial model:** Users do not hold their own private keys. For long-term holdings, a self-custody hardware wallet is a lower-risk option.

## Regulation

- Binance holds regulatory licences in over 20 jurisdictions, including the UAE (ADGM), France (AMF), Italy, Australia (AUSTRAC), Japan (FSA), and Sweden.
- In November 2023, Binance pleaded guilty to US Bank Secrecy Act and sanctions violations, paying a $4.3 billion settlement with the DOJ, FinCEN, and OFAC — the largest in US Treasury Department history at the time. A court-appointed compliance monitor was imposed; as of September 2025, Binance was in negotiations to modify that requirement.
- The FCA in the UK has not authorised Binance to conduct regulated activities.
- The main Binance.com platform is not available to US residents. Binance.US, operated by BAM Trading Services, is a separate entity.

## Incident History

- **May 2019:** Hackers stole 7,000 BTC (~$40 million) from Binance's hot wallet using phishing and malware. All affected users were reimbursed from the SAFU fund.
- **October 2022:** A vulnerability in the BNB Chain cross-chain bridge was exploited; approximately $100 million was drained before validators halted the chain.
- **December 2025:** Trust Wallet, a Binance-owned product, was affected by a compromised third-party Chrome browser extension that stole user credentials. Approximately $7 million was lost; Binance pledged reimbursement to affected users.

No incidents recorded
Bit2Me

exchange · Operational · Risk score: 75/100

Bit2Me is a Spanish cryptocurrency exchange founded in 2014 and headquartered in Alicante, Spain. Originally built as a retail crypto-to-euro trading platform, Bit2Me has since expanded into institutional and business-to-business services, reporting approximately €5.3 billion in trading volume in 2025. The platform supports over 180 digital assets and offers custody, spot trading, and crypto financial products to users across Europe and Latin America.

## Security

- The majority of crypto assets are held in cold storage through a custody partnership with Ledger Enterprise and Prosegur Crypto, using Hardware Security Modules (HSM) and Multi-Party Computation (MPC)
- Wallets use a distributed multi-signature structure with geographic separation to reduce single points of failure
- Bit2Me reports €150 million in insurance coverage for crypto assets and €100 million for fiat deposits held separately from company funds
- Two-factor authentication (2FA) is mandatory for logins and withdrawals; users can also restrict account access by IP address and configure a withdrawal address whitelist
- AI-powered transaction monitoring and a Web Application Firewall (WAF) run continuously
- A bug bounty program accepts responsible disclosures at security@bit2me.com
- The platform reports five consecutive independent financial audits with positive results

## Regulation

- On 17 February 2022, Bit2Me became the first company in Spain registered by the Banco de España as a Virtual Asset Service Provider (VASP)
- In July 2025, the CNMV (Spain's securities regulator) authorized Bit2Me as a Crypto-Asset Service Provider (CASP) under EU MiCA regulation — the first Spanish-speaking fintech to receive this authorization
- The MiCA license allows Bit2Me to passport its services across all EU member states; the platform is listed on the ESMA register
- All users are subject to AML and KYC verification requirements

## Incident History

No publicly confirmed security breaches or theft of user funds have been reported for Bit2Me since its founding in 2014. The platform's active bug bounty program provides a structured channel for external security researchers to report potential issues.

## Availability

Bit2Me serves users in the EU, EEA, and Latin America. US residents are not eligible to open an account. Fiat onboarding is limited to euros.

No incidents recorded
BitBox02

hardware wallet · Operational · Risk score: 91/100

BitBox02 is a hardware wallet manufactured by Shift Crypto AG, a Swiss company founded in 2015. It is available in two editions: Bitcoin-only and Multi (which adds Ethereum and ERC-20 support). The BitBox02 has been independently audited and is notable for its clean, minimal design and reproducible firmware builds.

## Security Architecture

- **Secure element:** Uses an ATECC608B secure element for PIN verification and key storage, paired with an STM32 microcontroller for application logic. Neither chip alone can reconstruct the seed.
- **Open-source firmware:** All firmware is published on GitHub and designed for reproducible builds, allowing users to verify that the binary they run matches the published source code.
- **BitBoxApp:** The companion desktop application is open source and supports Windows, macOS, and Linux. No mobile app is required.
- **Invisible seed words:** The OLED display allows the device to display seed words directly, so the recovery phrase is never entered on a connected computer.
- **Independent audits:** Multiple external security audits have been published, covering both the firmware and hardware design.

## Limitations

- Smaller ecosystem than Ledger or Trezor in terms of third-party wallet integrations.
- The USB-C form factor, while modern, lacks the air-gap flexibility of QR-code-based devices.

## Incident History

No publicly confirmed security incidents to date.

No incidents recorded
Bitfinex

exchange · Operational · Risk score: 38/100

Bitfinex is a centralized cryptocurrency exchange founded in 2012 and operated by iFinex Inc., a British Virgin Islands company that also owns Tether Limited, the issuer of the USDT stablecoin. The platform supports over 350 trading markets including spot, margin, perpetual futures, and OTC trading, targeting advanced and institutional users. As of December 2025, the exchange removed all maker and taker trading fees across all market types.

## Security

- Approximately 99.5% of user assets stored in offline cold storage
- Multisignature wallet architecture requiring multiple key approvals for withdrawals
- Two-factor authentication via TOTP apps and U2F hardware security keys
- Withdrawal address whitelisting to limit transfers to pre-approved destinations
- IP monitoring and DDoS protection at the platform level
- Custodial exchange: iFinex controls private keys on behalf of users

## Regulation

- Not regulated by major Tier-1 financial authorities such as the FCA, FinCEN, SEC, or MAS
- Incorporated in the British Virgin Islands
- Holds a Digital Asset Service Provider (DASP) licence in El Salvador (issued 2023)
- Bitfinex Derivatives holds a separate licence from El Salvador's National Digital Asset Commission (January 2025)
- Holds a licence under the Astana International Financial Centre (AIFC) in Kazakhstan
- Residents of the US, UK, Canada, Spain, and sanctioned territories are prohibited from accessing the platform

## Incident History

- **August 2, 2016**: Attackers exploited a flaw in Bitfinex's multisignature withdrawal system, stealing 119,756 BTC (approximately $72 million at the time). All user balances were cut by 36%; affected users received BFX debt tokens, which Bitfinex subsequently redeemed at par.
- In February 2022, US authorities arrested Ilya Lichtenstein and Heather Morgan after locating encrypted files containing private keys for the stolen assets.
- In November 2024, Lichtenstein was sentenced to 5 years in prison and Morgan to 18 months. Approximately 80% of the stolen BTC — valued at over $10 billion at time of recovery — was returned to Bitfinex.
- Bitfinex publishes Proof of Reserves on GitHub for independent verification of user balance coverage.

## Availability

Bitfinex operates in over 180 countries but explicitly restricts access for residents of the United States, United Kingdom, Canada, Spain, and sanctioned territories.

No incidents recorded
Bitpanda

exchange · Operational · Risk score: 78/100

Bitpanda is an Austrian fintech platform founded in Vienna in 2014, initially as a crypto brokerage and one of the first MiCA-regulated exchanges in Europe. In 2026, the platform expanded into a unified investing service covering stocks, ETFs, precious metals, and crypto indices alongside more than 600 cryptocurrencies. Over seven million registered users across approximately 48 countries use the platform, with the majority based in Europe and the EEA.

## Security

- Customer crypto is held in cold storage (the majority of assets held offline)
- 1:1 asset backing: user holdings are not rehypothecated or used for proprietary trading
- Account controls include two-factor authentication (2FA), withdrawal address whitelisting, and IP whitelisting
- ISO 27001:2022 certified and SOC 2 Type II attested
- Bug bounty programme managed via Bugcrowd
- Regular third-party penetration testing

## Regulation

Bitpanda holds more than 17 regulatory licences across multiple jurisdictions:

- **Austria**: Licensed by the FMA as a Crypto Asset Service Provider under MiCAR
- **Germany**: MiCAR licence from BaFin, providing passporting rights across all 30 EEA member states
- **Malta**: MiCAR licence from the MFSA
- **United Kingdom**: Registered with the Financial Conduct Authority (FCA)
- **France**: Registered with the AMF under the PACTE framework
- **UAE**: VASP licence from the Virtual Assets Regulatory Authority (VARA) in Dubai
- PSD2 E-money licence and MiFID II licence also held

MiCAR compliance legally requires client asset segregation, capital reserves, and mandatory transparency disclosures enforced by national regulators.

## Incident History

- No security breach resulting in confirmed customer fund losses has been publicly reported
- In June 2025, a threat actor claimed to have stolen 5.4 million Bitpanda user records; Bitpanda conducted an internal investigation and denied any unauthorised access had occurred
- A 2023 BaFin audit of Bitpanda Asset Management, the German subsidiary, identified more than a dozen compliance and information security violations — ranging from minor to serious — including gaps in cybersecurity testing and third-party provider monitoring; remediation measures were subsequently reported

## Availability

Bitpanda is available in approximately 48 countries across Europe, the EEA, the UK, UAE, Switzerland, and Turkey. It is not available to users in the United States, Canada, or most of Asia-Pacific. KYC verification is required for all accounts.

No incidents recorded
Bitstamp

exchange · Operational · Risk score: 72/100

Bitstamp is a cryptocurrency exchange founded in 2011 in Slovenia and incorporated in Luxembourg. Widely cited as one of the world's longest-running crypto exchanges still in operation, it supports over 115 digital assets tradeable against USD, EUR, and GBP. Bitstamp was acquired by Robinhood Markets for $200 million in June 2025 and now operates as Robinhood's institutional crypto business.

## Security

- Custodial exchange: Bitstamp holds customer assets on behalf of users
- Over 95% of customer digital assets held in offline cold storage via third-party custodians BitGo and Copper
- Remaining ~5% in hot wallets for active withdrawals
- Security features include two-factor authentication, withdrawal confirmation emails, and IP whitelisting
- Crime insurance policy covering theft and fraud, underwritten through the Lloyd's of London market
- No cryptographic proof-of-reserves audit; Bitstamp undergoes annual financial audits by a Big Four accounting firm and holds ISO/IEC 27001 and SOC 2 Type 2 certifications
- No SAFU-style emergency reserve fund

## Regulation

- Licensed as a Payment Institution by the Luxembourg CSSF since 2016 — the first nationally licensed bitcoin exchange at the time
- Granted a MiCA CASP licence by the CSSF in May 2025, the first exchange to receive this licence in Luxembourg, passporting across all 27 EU member states
- Holds a MiFID MTF licence from Slovenia's ATVP (October 2024)
- Registered as a cryptoasset business with the UK FCA (FRN 978690)
- Registered with FinCEN as a Money Services Business and holds a New York BitLicense
- Holds 50+ active licences and registrations globally; no enforcement actions from major financial regulators on record

## Incident History

- **January 2015:** Bitstamp's hot wallet was compromised via a multi-month spear-phishing campaign targeting employees. Approximately 18,866 BTC (worth around $5.3 million at the time) were stolen. Bitstamp covered all customer losses from its own reserves and rebuilt its platform from scratch.
- No security breaches have been publicly reported since 2015.

## Availability

Bitstamp operates in 39 US states; it is unavailable in Alabama, California, Hawaii, Kentucky, Massachusetts, and several other states. Staking and lending products are restricted for US, UK, Canadian, and Japanese residents.

No incidents recorded
Bitvavo

exchange · Operational · Risk score: 80/100

Bitvavo is a Dutch crypto exchange founded in 2018 and headquartered in Amsterdam, Netherlands. With over 2.3 million users and an estimated 50% share of euro spot trading in Europe, it is the largest EUR spot exchange on the continent. The platform lists 430+ cryptocurrencies, offers maker/taker trading fees from 0.00% to 0.25%, and supports SEPA and iDEAL for euro deposits and withdrawals. Since December 2025, Bitvavo has offered short selling on major assets including Bitcoin, Ethereum, and Solana.

## Security

- **Cold storage:** The majority of customer assets are held offline through Coinbase Custody International (insured up to EUR 255 million) and Copper Custody (insured up to EUR 500 million).
- **Segregated funds:** Customer assets are held through Stichting Bitvavo Payments, a legally separate foundation, providing separation from company assets.
- **2FA and access controls:** Two-factor authentication, withdrawal address whitelisting, and IP-based monitoring are standard.
- **Account Guarantee:** Bitvavo covers up to EUR 100,000 per account against losses from unauthorized access.
- **Proof of Reserves:** Quarterly attestations are published by The Network Firm, confirming 1:1 backing of customer balances with no fractional reserves.

Data centers are ISO 27001-certified with regular external penetration tests.

## Regulation

- Registered with De Nederlandsche Bank (DNB) as a crypto service provider since 2020.
- In June 2025, Bitvavo received a full MiCA license from the Dutch Authority for the Financial Markets (AFM), authorizing custody, trading, and crypto transfer services across all 30 EEA countries.
- Also registered with the French AMF as a PSAN.

## Incident History

No customer crypto funds have been lost in a security breach. Notable incidents:

- **September 2022:** A data exposure affected eight users; no funds were lost.
- **January 2023:** EUR 280 million lent to Digital Currency Group was temporarily frozen when that company entered a liquidity crisis. Bitvavo stated the funds were later recovered.
- **April 2024:** A limited customer data breach occurred with no crypto stolen. It was also disclosed that senior management had access to customer personal data until spring 2024. The former CEO departed in 2024.

## Availability

Bitvavo operates across the EEA under its MiCA passport and is also available in the United Kingdom. EUR deposits and withdrawals via SEPA and iDEAL are supported. KYC verification is required.

No incidents recorded
Blockstream Jade

hardware wallet · Operational · Risk score: 88/100

Blockstream Jade is a Bitcoin and Liquid Network hardware wallet manufactured by Blockstream, a Canadian blockchain infrastructure company founded in 2014. It is among the lowest-cost hardware wallets on the market and features fully open-source hardware and firmware.

## Security Architecture

- **Fully open-source:** Both the hardware design and all firmware are published under open-source licences on GitHub. This is one of the few hardware wallets where the entire stack — from PCB schematics to firmware — can be independently audited.
- **Blind Oracle PIN protection:** Because Jade lacks a dedicated secure element chip, it uses a novel "Blind Oracle" design: the PIN decrypts an encrypted blob using a key held by a remote server, and the server only releases its share if the correct PIN is provided and the firmware is unmodified (enforced via remote attestation). Neither the device nor the server alone can access the key material. An offline mode is also available.
- **Air-gapped option:** The Jade Plus model supports fully air-gapped operation via QR codes, with no USB data connection required.
- **Liquid Network support:** Natively supports Liquid Bitcoin (LBTC) and Liquid assets, including confidential transactions.

## Limitations

- No dedicated secure element chip. The Blind Oracle design compensates, but requires connectivity to Blockstream's server for PIN unlock unless configured for offline mode.
- Bitcoin and Liquid only; does not support Ethereum or altcoins.

## Incident History

No publicly confirmed security incidents to date.

No incidents recorded
BTC Direct

exchange · Operational · Risk score: 75/100

BTC Direct is a Dutch cryptocurrency broker founded in Amsterdam in 2013. Operating on a non-custodial model, the platform facilitates the purchase and sale of cryptocurrency without taking custody of user assets — crypto is sent directly to a wallet address provided by the customer at the time of purchase. It has served over one million customers across the EU, EEA, and Switzerland.

## Security

- **Non-custodial model**: BTC Direct does not store or safeguard crypto-assets on behalf of users. Before completing a purchase, customers must link a verified wallet address to their account. Because assets are not held on the platform, users face no direct counterparty custodial risk from BTC Direct itself.
- **KYC/AML compliance**: All users complete mandatory identity verification before trading. Transactions are monitored for anti-money laundering compliance, and BTC Direct may request proof of wallet ownership at any time.
- **Two-factor authentication (2FA)**: Available for account access protection.
- **Proof of reserves**: Not applicable given the non-custodial model — BTC Direct does not hold or pool customer assets.

## Regulation

- **MiCA CASP license**: BTC Direct received its Markets in Crypto-Assets (MiCA) Crypto-Asset Service Provider (CASP) license from the Dutch Authority for the Financial Markets (AFM) on 18 June 2025, ahead of the EU-wide transition deadline of 30 June 2025.
- **Historical DNB registration**: Prior to MiCA, BTC Direct was registered with De Nederlandsche Bank (DNB) as a virtual asset service provider.
- **Supervisory split**: Market conduct supervision is handled by the AFM; prudential supervision — covering capital adequacy, governance, and financial soundness — falls under DNB.
- **EU passporting**: The MiCA license enables BTC Direct to serve customers across all EU and EEA member states. The French Autorité des marchés financiers (AMF) has been separately notified.

## Incident History

No major security breaches or incidents involving loss of customer assets have been publicly reported since BTC Direct was founded in 2013. The platform maintains a clean security record across more than a decade of operation.

## Availability

BTC Direct serves customers throughout the EU, EEA, and Switzerland. It does not appear to accept customers based in the United States. The platform supports approximately 20 major cryptocurrencies, all priced and tradeable in euros.

No incidents recorded
Coinbase

exchange · Operational · Risk score: 78/100

Coinbase is the largest US-based cryptocurrency exchange by trading volume, founded in 2012 by Brian Armstrong and Fred Ehrsam. It became the first major crypto exchange to list publicly on the NASDAQ (ticker: COIN) in April 2021, subjecting it to SEC reporting requirements and a level of regulatory oversight uncommon in the crypto industry.

## Security

- Holds approximately **98% of customer assets in cold storage**, offline and isolated from internet-connected systems
- Carries **crime insurance with a $255 million limit** covering digital assets held online against theft and cybersecurity breaches
- **USD cash balances are FDIC-insured up to $250,000** through custodial banking partners
- Additional controls include 2FA, biometric login, time-locked vaults, SOC 2 Type II certification, and a public bug bounty program

## Regulation

- Registered with **FinCEN as a Money Services Business** since 2013 — one of the earliest such registrations in the industry
- **Listed on NASDAQ** since April 2021; subject to quarterly SEC filings and annual reporting
- Licensed or registered in the **US, UK, EU, Canada, Australia, and Singapore**
- The SEC civil enforcement action against Coinbase was **dismissed in February 2025**; Coinbase is pursuing a broker-dealer license to expand regulated securities offerings

## Incident History

- **2021**: Approximately 6,000 customer accounts were compromised via an SMS phishing attack. No exchange funds were drained; affected users were reimbursed.
- **May 2025**: Coinbase disclosed a significant data breach caused by rogue overseas support contractors who were bribed to steal customer data. Roughly 69,000 customers had names, Social Security numbers, bank details, and transaction histories exposed. No passwords, private keys, or wallet funds were compromised. Coinbase refused a $20 million ransom demand and offered the same amount as a reward for information on the perpetrators. Estimated remediation costs: $180–400 million.

Coinbase has never suffered a platform-wide hot wallet drain. The 2025 breach was an insider threat via contractor compromise, not a direct external hack of the exchange infrastructure.

3 incidents · Last: May 15, 2025
Coinmerce

exchange · Operational · Risk score: 75/100

Coinmerce is a Dutch cryptocurrency exchange founded in 2017 in Amstelveen by two brothers. The platform operates as a broker, routing user orders through partner exchange order books rather than managing its own trading infrastructure. It lists over 375 cryptocurrencies, making it one of the broader platforms in Europe by asset count. Services include spot trading, crypto-to-crypto swaps, staking, and a lending product. The platform primarily serves retail buyers and sellers in the Netherlands and across the EU.

## Security

- Custodial model: Coinmerce holds and manages user assets on their behalf
- Majority of assets stored in cold storage using MPC (Multi-Party Computation) wallets, distributing private key management across multiple parties
- Multi-signature withdrawal processes applied to reduce single-point-of-failure risk
- 2FA enforced on all accounts; a 24-hour withdrawal cool-down period applies when adding new withdrawal addresses
- Data encryption in transit and at rest; automated transaction monitoring for suspicious activity
- Periodic external security reviews conducted by third-party firms; cooperation with law enforcement on fraud cases

## Regulation

- Registered with De Nederlandsche Bank (DNB) since November 2020 under the Dutch Wwft (Money Laundering and Terrorist Financing Prevention Act) and Sanctions Act 1977; DNB supervises AML and sanctions compliance
- Holds a MiCAR license from the Dutch Authority for the Financial Markets (AFM), permitting Coinmerce to offer crypto-asset services across the EU under the harmonised MiCA framework; MiCA registration supersedes earlier national DASP registrations in France and Spain
- KYC identity verification required for all account holders
- Not available to US-based users due to regulatory restrictions

## Incident History

In 2023, a threat actor claimed to have the Coinmerce.io user database for sale on a hacker forum. The claim was flagged by third-party threat intelligence sources. Coinmerce has not publicly confirmed or quantified the scope of the alleged breach, and no customer asset losses were reported in connection with it. No other security breaches involving customer asset losses have been publicly documented since the platform's founding. Since then, Coinmerce has maintained a fraud prevention team and published guidance on protecting users from phishing and social engineering.

## Availability

Coinmerce is primarily available to Netherlands and EU residents. Supported payment methods for deposits and withdrawals include iDEAL (Netherlands-specific), SEPA bank transfers, and credit/debit cards in euro. US-based users cannot access the platform.

No incidents recorded
CoinMotion

exchange · Operational · Risk score: 72/100

CoinMotion (Coinmotion Oy) is Finland's oldest cryptocurrency exchange, founded in Tampere in 2012. It operates as a custodial, fiat-to-crypto platform with EUR as the sole supported fiat currency, targeting retail users in Finland and Sweden seeking a regulated entry point to cryptocurrency markets. The exchange offers straightforward buy, sell, and storage functionality across approximately 18 digital assets, without derivatives, margin trading, leverage, or staking products. An OTC desk handles larger trades above EUR 5,000.

## Security

- Customer crypto assets are held predominantly in cold storage with multi-signature wallet controls
- Two-factor authentication (2FA) is required on all accounts
- Full KYC and AML verification is required before trading can begin
- Euro customer deposits are held in segregated bank accounts, separate from CoinMotion's operational funds
- No crypto insurance fund or equivalent reserve is maintained for user assets
- No major security breaches or theft of customer assets have been publicly reported since the exchange launched in 2012

## Regulation

- Authorised as a Crypto-Asset Service Provider (CASP) under MiCA by the Finnish Financial Supervisory Authority (FIN-FSA), with authorisation effective July 2, 2025 — the first such CASP authorisation granted in Finland
- MiCA CASP status provides EU-wide passporting rights; Sweden was the first country to receive passported services
- Previously registered with the Banco de España (Bank of Spain) for operations in Spain under pre-MiCA national rules
- KYC and AML obligations are maintained under both Finnish national law and the EU MiCA framework

## Incident History

No major security breaches or theft of customer funds have been publicly reported in CoinMotion's operating history. The exchange has maintained a clean record across more than a decade of operations since its founding in 2012. No regulatory enforcement actions or fines have been publicly attributed to the platform.

## Availability and Limitations

CoinMotion primarily serves customers in Finland and Sweden. MiCA EU passporting allows expansion to additional EU/EEA member states, though rollout to individual countries is ongoing. EUR is the sole fiat currency; USD and GBP deposits are not accepted. The initial spot trading fee is 2%, decreasing with higher monthly trading volumes. Staking, lending, and yield products are not offered.

No incidents recorded
Coldcard Mk4

hardware wallet · Operational · Risk score: 92/100

Coldcard is a Bitcoin-only hardware wallet manufactured by Coinkite, a Canadian company founded in 2013. The Mk4 is widely considered the most security-hardened consumer hardware wallet available, designed for users who prioritise Bitcoin self-custody and operational security above all else.

## Security Architecture

- **Dual secure element:** The Mk4 uses two certified secure element chips — an ATECC608B and a DS28C36B — so neither chip alone can access the private key material. This design means compromising one chip manufacturer's supply chain is insufficient to extract keys.
- **Open-source firmware:** All firmware is publicly auditable on GitHub under a permissive licence. The hardware design files are also published, enabling independent verification.
- **Air-gapped operation:** Transactions can be signed offline using a microSD card (PSBT workflow), keeping the device completely disconnected from any computer. The Mk4 also supports NFC for single-tap interaction.
- **Duress PIN and brick-me PIN:** Users can configure a duress PIN that opens a decoy wallet, and a separate PIN that permanently destroys the secure element, making coercion attacks ineffective.
- **No screen-sharing risk:** The device has its own keyboard; seeds and PINs are never entered on a connected computer.

## Limitations

- Bitcoin-only: does not support Ethereum, Solana, or altcoins.
- Requires comfort with a command-line or PSBT-based workflow; less beginner-friendly than Ledger or Trezor.
- No companion mobile app.

## Incident History

No publicly confirmed security incidents or supply chain compromises to date.

No incidents recorded
Foundation Passport

hardware wallet · Operational · Risk score: 92/100

Foundation Passport is a Bitcoin-only hardware wallet manufactured by Foundation Devices, a US company founded in 2020. It is one of the few hardware wallets with both fully open-source hardware and firmware, independently audited by multiple security firms.

## Security Architecture

- **Fully open-source:** Hardware schematics, firmware, and the companion Envoy mobile app are all published under open-source licences on GitHub. Independent researchers have audited the codebase.
- **Secure element:** Uses an ATECC608B secure element for PIN verification and key protection. The chip is paired with a Nordic nRF52 microcontroller for application logic.
- **Air-gapped by default:** All transaction signing is done via QR code or microSD, with no USB data connection. The USB port is power-only — a hardware design decision that eliminates an entire class of USB attack surface.
- **Open supply chain:** Foundation publishes the full bill of materials and sources components from well-known suppliers, reducing supply chain risk relative to proprietary designs.

## Limitations

- Bitcoin-only: does not support Ethereum or altcoins.
- Higher price point than some alternatives.
- Requires the Envoy companion app (iOS/Android) or a compatible desktop wallet.

## Incident History

No publicly confirmed security incidents to date.

No incidents recorded
Gemini

exchange · Operational · Risk score: 78/100

Gemini is a New York-based custodial cryptocurrency exchange founded in 2014 by Cameron and Tyler Winklevoss. It operates as a regulated trust company under New York Banking Law and listed on NASDAQ in September 2025 under the ticker GEMI. Gemini positions itself primarily as a compliance-focused exchange for US customers, though it has historically served international markets.

## Security

- The majority of customer crypto assets are held in offline cold storage using hardware security modules (HSMs) and multi-signature controls.
- Hot wallet crypto holdings are covered by Gemini's internal insurance program through Nakamoto, its Bermuda-licensed captive insurer; institutional custody carries up to $200 million in coverage.
- 2FA is required for all accounts; hardware security keys (YubiKey) and passkeys are supported.
- Optional withdrawal address allowlisting reduces unauthorised transfer risk.
- Third-party certifications: SOC 1 Type II, SOC 2 Type II, ISO 27001. Annual penetration testing and a coordinated bug bounty program.
- USD cash balances at partner banks may qualify for FDIC pass-through insurance up to $250,000 per depositor.

## Regulation

- **United States**: Operates as a New York trust company and BitLicense holder under the NYDFS; money transmitter licenses in nearly all US states.
- **European Union**: Holds a MiCA license from the Malta Financial Services Authority (MFSA) covering all 27 EU member states (granted August 2025).
- **United Kingdom**: Held an FCA Electronic Money Institution (EMI) licence; ceased UK retail operations effective April 6, 2026.
- **Singapore**: In-principle approval from the Monetary Authority of Singapore (MAS) for a Major Payment Institution licence.

## Incident History

- **Late 2022**: A breach at Twilio (operator of Authy, Gemini's 2FA provider) exposed emails and phone numbers for approximately 5.7 million Gemini users. Gemini's own systems were not compromised. The leak triggered phishing campaigns against affected users.
- **June 2024**: A breach at a third-party ACH service provider exposed personal data for approximately 15,000 Gemini customers. Gemini's internal systems were not affected.
- **2022–2024 (Earn)**: Gemini Earn, a yield product routed through third-party lender Genesis Global Capital, froze in November 2022 when Genesis suspended withdrawals. Genesis filed for Chapter 11 in January 2023. By mid-2024, a settlement returned 100% of digital assets to all Earn participants; Gemini contributed $50 million to the recovery.

No incidents recorded
Keystone 3 Pro

hardware wallet
Operational
82/100

Keystone 3 Pro is a hardware wallet manufactured by Keystone HQ, built around three secure element chips, more than any other mainstream hardware wallet. It communicates exclusively via QR code, providing an air-gapped signing experience.

## Security Architecture

- **Triple secure element:** Uses three separate certified chips — an ATECC608B, a DS28S60, and a MAX32520 (CC EAL6+) — for defence-in-depth. Compromising a single chip is insufficient to extract keys.
- **Air-gapped via QR codes:** All transaction data is transmitted through the device camera and display as animated QR codes, with no physical data connections (USB is power-only). This removes the USB data channel as an attack surface; the QR decoder and the firmware update path remain in scope and should be treated as the device's exposed interfaces.
- **Open-source SE firmware:** The secure element firmware is open source. The application firmware is partially open source.
- **Large touchscreen:** A 4-inch colour touchscreen improves usability for transaction verification.
- **Multi-coin support:** Supports Bitcoin, Ethereum, Solana, Cosmos, Polkadot, and hundreds of other assets.

## Security Update — March 2025

Keystone disclosed a critical vulnerability in March 2025 affecting Keystone 3 Pro firmware prior to v2.0.4. The flaw could allow a malicious transaction to be signed without the expected on-screen verification under specific conditions. Users on v2.0.4 or later are not affected. No confirmed exploitation in the wild was reported. Because on-screen verification is the last control between a compromised host and a signed transaction, users should confirm their firmware version rather than rely on the air gap alone.

## Incident History

- **March 2025:** Critical firmware vulnerability patched in v2.0.4. No confirmed user funds lost.

No incidents recorded
Kraken

exchange
Operational
75/100

Kraken is a US-based cryptocurrency exchange founded in 2011 by Jesse Powell and incorporated as Payward, Inc. Serving clients across 190+ countries, it supports over 300 digital assets tradeable against six fiat currencies, including USD, EUR, and GBP, and offers spot trading, margin trading, staking, and futures. Kraken is one of the longest-running centralized crypto exchanges, and in 2025 relocated its global headquarters to Cheyenne, Wyoming, after obtaining a Special Purpose Depository Institution bank charter.

## Security

- Custodial exchange: Kraken holds customer assets on behalf of users
- Approximately 95% of customer funds held in offline cold storage; roughly 5% kept in hot wallets for liquidity
- Quarterly proof-of-reserves audits use Merkle tree cryptographic verification, allowing users to confirm that their own balance is included in the audited liabilities and that those liabilities were backed 1:1 at the audit date. A proof of reserves is a point-in-time snapshot; it does not show liabilities owed to non-customers or assets borrowed for the duration of the audit
- Security features include two-factor authentication, a global settings lock, master key, PGP-encrypted email communications, and a bug bounty programme
- No named insurance fund for retail users; customer protection relies on cold storage architecture and proof-of-reserves transparency

## Regulation

- Registered with FinCEN as a Money Services Business and holds a Wyoming SPDI bank charter (US)
- FCA-registered cryptoasset firm and electronic money institution (UK)
- MiCA-registered crypto asset service provider via the Central Bank of Ireland (EU)
- Holds an SEC broker-dealer licence and CFTC FCM licence (acquired via NinjaTrader, 2025)
- AUSTRAC-registered digital currency exchange (Australia)
- Settled with the CFTC in 2021 ($1.25M) for unregistered leveraged trading, OFAC in 2022 ($362K) for sanctions violations, and the SEC in 2023 ($30M) over unregistered staking services
- A subsequent SEC lawsuit filed in late 2023 was dismissed in March 2025 with no penalty
- Does not hold a New York BitLicense; New York state residents are ineligible

## Incident History

- **June 2024:** A zero-day flaw in Kraken's deposit system let an account be credited before the on-chain deposit had actually completed. A blockchain security firm exploited it under the guise of responsible disclosure and withdrew approximately $3 million from Kraken's treasury — not customer funds. Kraken patched the flaw within 47 minutes of the report, and the firm returned the funds after a public dispute.
- No customer fund losses from an external security breach have been recorded since launch in 2011.
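The Merkle-tree proof of reserves mentioned above works by publishing a tree over customer liabilities and letting each customer check that their own balance is in it. The following is an added example, not Kraken's code (the leaf and node encodings and the account balances are constructed), of a Merkle-sum tree: every node also carries the sum of the balances beneath it, so the same proof that shows your balance is included also pins the total liability figure the exchange must cover with on-chain assets.

```python
"""Merkle-sum proof of liabilities, the structure behind exchange
proof-of-reserves reports. Added example with constructed balances; it is
not Kraken's implementation and the leaf/node encodings are assumptions."""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int  # sum of every balance beneath this node, in base units


# Padding node for odd-sized levels; carries zero balance so it cannot
# inflate the liability total the way duplicating a real leaf would.
EMPTY = Node(sha256(b"empty"), 0)


def leaf(user_id: str, balance: int) -> Node:
    # Negative balances are rejected: a Merkle-sum tree that allowed them would
    # let an operator cancel out real liabilities with fake negative accounts.
    if balance < 0:
        raise ValueError("negative balance not allowed in a liability tree")
    payload = b"leaf|" + user_id.encode() + b"|" + str(balance).encode()
    return Node(sha256(payload), balance)


def parent(left: Node, right: Node) -> Node:
    total = left.total + right.total
    # The child totals are hashed with the child digests, so changing any
    # balance on the path changes every digest up to the root.
    payload = b"node|" + left.digest + right.digest + str(total).encode()
    return Node(sha256(payload), total)


def build_tree(leaves) -> list:
    """Return all levels, leaves first, root last (a one-element list)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level.append(EMPTY)
        levels.append([parent(level[i], level[i + 1])
                       for i in range(0, len(level), 2)])
    return levels


def proof_for(levels, index: int):
    """Sibling (digest, total, sibling_is_left) triples from leaf to root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling].digest, level[sibling].total, sibling < index))
        index //= 2
    return path


def verify(user_id: str, balance: int, path, root: Node) -> bool:
    """What a customer runs: rebuild the root from their own leaf and the
    published siblings, then compare digest AND total against the report."""
    node = leaf(user_id, balance)
    for sib_digest, sib_total, sib_is_left in path:
        sibling = Node(sib_digest, sib_total)
        node = parent(sibling, node) if sib_is_left else parent(node, sibling)
    return node.digest == root.digest and node.total == root.total


# Constructed sample liabilities (satoshi units), not real customer data.
ACCOUNTS = {"u1": 150_000_000, "u2": 2_500_000, "u3": 900_000,
            "u4": 42, "u5": 7_000_000}


def demo():
    ids = list(ACCOUNTS)
    levels = build_tree(leaf(u, ACCOUNTS[u]) for u in ids)
    root = levels[-1][0]
    idx = ids.index("u3")
    genuine = verify("u3", ACCOUNTS["u3"], proof_for(levels, idx), root)
    tampered = verify("u3", ACCOUNTS["u3"] + 1, proof_for(levels, idx), root)
    return root.total, genuine, tampered


if __name__ == "__main__":
    print(demo())
```

The `verify` step is the only part a customer needs. It proves inclusion and the committed total, nothing more: it does not show that the reserve addresses are controlled by the exchange, that the assets were not borrowed for the snapshot, or that liabilities to non-customers are excluded. Publishing child totals in the clear also leaks aggregate balances along each path; production schemes add blinding or zero-knowledge proofs for that.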

2 incidents · Last: Jun 9, 2024
Kriptomat

exchange
Operational
75/100

Kriptomat is a custodial cryptocurrency exchange founded in February 2018 and headquartered in Tallinn, Estonia. Designed for European retail users, the platform serves over 400,000 registered accounts across 25+ countries and offers more than 400 tradeable cryptocurrencies alongside services such as automatic staking. Purchases are denominated in euros, with SEPA bank transfers processed at a flat €1 fee. Trading fees are 1.45% for bank transfers or up to 3.7% for credit card purchases.

## Security

- 98% of customer crypto assets held in offline cold storage, distributed across hardware wallets placed in physical safety deposit boxes
- ISO/IEC 27001:2013 certified — an internationally recognised standard for information security management systems. The certificate attests that a management system is in place; it does not by itself test the security of the platform's code or key handling
- Two-factor authentication (2FA) available and recommended for all accounts
- Bug bounty programme maintained to incentivise responsible vulnerability disclosure
- Web Application Firewall and DDoS protection across all public-facing infrastructure
- 24/7 account and platform monitoring with automated alerting
- Sensitive data encrypted in transit and at rest across all platform services
- Multiple independent AML compliance audits conducted each year
- Customer assets are not lent out or used for operational purposes; the platform does not hold insurance on customer holdings

## Regulation

- Virtual Asset Service Provider (VASP) licence issued by the Estonian Financial Intelligence Unit (FIU)
- Additionally registered as a VASP with the French AMF, Spanish CNMV, Polish Tax Administration Chamber, Greek Hellenic Capital Market Commission (HCMC), and Croatian HANFA
- MiCA authorisation process initiated in Estonia to obtain EU-wide passporting rights across all 27 member states
- Full KYC/AML verification required for all users; compliant with EU AML directives and GDPR

## Incident History

No major security breaches or significant customer fund losses have been publicly attributed to Kriptomat since its founding in February 2018. The exchange has not appeared in published lists of major crypto hacks or exchange failures. Cold storage, ISO 27001 certification, and multi-jurisdictional regulatory oversight are consistent with that record, though a clean public record does not by itself demonstrate the absence of vulnerabilities.

## Availability

Kriptomat operates across EU and EEA member states, as well as Switzerland, Turkey, and select Balkan countries including Albania, Bosnia and Herzegovina, Montenegro, and Serbia. Only euro is accepted as fiat currency, and all deposits and withdrawals rely on SEPA payment rails, restricting the service to users with euro-denominated bank accounts. The platform is not available to US residents.

No incidents recorded
Ledger

hardware wallet
Operational
85/100

Ledger is a French hardware wallet manufacturer founded in 2014 and headquartered in Paris. Its devices — including the Nano X, Nano S Plus, Ledger Flex, Ledger Stax, and Nano Gen5 — store private keys in an offline Secure Element chip, isolated from internet-connected devices. The company reports securing approximately 20% of the world's crypto assets across 6 million users in 200 countries.

## Security Architecture

- Self-custody: private keys are generated and stored on the Secure Element (SE) chip and do not leave the device during normal operation
- Current devices use a CC EAL6+ certified Secure Element (ST33K1M5); the older Nano X uses a CC EAL5+ chip
- Ledger OS (BOLOS) isolates apps from each other and from the recovery phrase, so a compromised host computer cannot extract keys. A compromised host can still present a transaction that differs from what the user intended, so the device screen, not the host, is the authority on what is being signed
- Supports 5,000+ assets via third-party wallet integrations
- Ledger Recover is an optional paid subscription ($9.99/month) that encrypts and shards the seed phrase across three custodians; using it introduces counterparty risk and, per Ledger's own acknowledgement, exposes shards to government subpoena

## Open Source

- Apps and the Ledger Wallet companion software are open source
- The firmware OS is **closed source**: an agreement with chip manufacturer STMicroelectronics prevents full code disclosure
- Following community pressure in 2023, Ledger published a cryptographic white paper and partial source for the Recover service, but the full firmware stack cannot be independently audited

## Incident History

- **July 2020:** Ledger's e-commerce database was breached via a stolen API key, exposing 1 million email addresses and the personal details — including home addresses — of approximately 272,000 customers. No private keys or funds were compromised. Data was published publicly in December 2020, fuelling widespread phishing and physical threat campaigns. In October 2024, France's CNIL fined Ledger €750,000 for GDPR violations related to the breach.
- **December 2023:** A supply chain attack compromised Ledger's ConnectKit npm library, injecting a wallet drainer into DeFi front ends for approximately five hours. Around $600,000 in user funds were stolen before the malicious package was replaced. Sites that loaded the library from a CDN at its latest version picked up the malicious build automatically; pinning an exact, reviewed version is the mitigation for integrators.
- **January 2026:** A third-party payment processor (Global-e) exposed Ledger customer names, email addresses, and postal addresses. No private keys or funds were affected.

3 incidents · Last: Jan 5, 2026
MetaMask

software wallet
Operational
65/100

MetaMask is a non-custodial software wallet developed by ConsenSys, first released in 2016 and headquartered in San Francisco, United States. It is among the most widely installed browser extensions and mobile apps for Ethereum and EVM-compatible networks, with over 100 million reported installations. In 2025, native chain support was extended to Solana (July) and Bitcoin (December).

## Security

- **Non-custodial model:** Private keys and seed phrases are stored locally on the user's device. MetaMask's servers never hold or have access to them.
- **Open source:** The full codebase is publicly available on GitHub. MetaMask applies LavaMoat, a supply chain security tool, to reduce the risk of dependency-based attacks.
- **Phishing and transaction protection:** Blockaid integration surfaces warnings for known phishing domains and flags suspicious transaction requests before the user confirms.
- **Bug bounty:** A public programme is operated via HackerOne.
- **Hardware wallet support:** Compatible with Ledger and Trezor devices, allowing private keys to stay on the hardware wallet while using MetaMask's interface.
- **No built-in 2FA:** MetaMask does not provide two-factor authentication for wallet access. Seed phrase management and device security are the main protective controls.

## Regulation

- MetaMask is non-custodial software and holds no financial services licence with the FCA, FinCEN, MAS, or equivalent regulators.
- In June 2024, the U.S. Securities and Exchange Commission charged ConsenSys Software Inc. — MetaMask's developer — with conducting unregistered offers and sales of securities through MetaMask Staking, and with operating as an unregistered broker through MetaMask Staking and MetaMask Swaps. The SEC dismissed the case in early 2025.
- MetaMask restricts access for users in jurisdictions subject to U.S. and international sanctions.

## Incident History

- **April 2023:** A third-party customer support provider used by ConsenSys was breached. Approximately 7,000 MetaMask users who had submitted support tickets had email addresses exposed. No private keys or seed phrases were accessed.
- MetaMask's core wallet infrastructure has not been directly breached. User-level compromises are typically attributed to phishing sites, malicious browser extensions, or exposed seed phrases, rather than vulnerabilities in the wallet software itself.

## Availability

MetaMask is available globally but restricts access in jurisdictions subject to international sanctions. A debit card feature introduced in December 2025 is limited to select markets including the EU, UK, Canada, Brazil, Mexico, Argentina, and Colombia.

No incidents recorded
MyEtherWallet

software wallet
Operational
58/100

MyEtherWallet (MEW) is a free, open-source, client-side interface for the Ethereum blockchain, founded in 2015 and headquartered in Los Angeles, California. It allows users to create and manage Ethereum wallets, interact with smart contracts, and access decentralised applications without registering an account or providing personal information. MEW operates as a non-custodial platform — private keys are generated and stored entirely on the user's device and are never transmitted to MyEtherWallet's servers.

## Security

- **Non-custodial**: MEW never stores private keys, seed phrases, or user data. The user is solely responsible for securing credentials — MEW cannot recover lost keys or freeze accounts.
- **Client-side key generation**: All cryptographic operations occur locally in the browser or mobile app. The application can be downloaded and run offline for additional isolation.
- **Hardware wallet support**: MEW integrates with Ledger and Trezor hardware wallets, enabling offline transaction signing and keeping keys off the host device entirely.
- **Open-source codebase**: The full application source is publicly available on GitHub at github.com/MyEtherWallet, enabling independent security review.
- **Bug bounty**: MEW operates an active programme through HackerOne to incentivise responsible disclosure of security issues.
- **Enkrypt browser extension**: MEW's Enkrypt extension provides a dedicated browser wallet as an alternative to the web interface, reducing exposure to DNS-based attacks because the wallet code is loaded from the local extension rather than fetched from a domain on each visit.

## Regulation

MyEtherWallet does not custody user funds and does not exchange assets on behalf of users. As a non-custodial software interface, it is not required to register as a money-services business with FinCEN in the United States. MEW requires no account registration, no email address, and no identity verification.

## Incident History

- **April 24, 2018 — BGP/DNS route hijack**: Attackers used a BGP route hijack to announce more-specific routes for IP prefixes belonging to Amazon Route 53, the authoritative DNS service for myetherwallet.com. Routers that accepted the bogus announcements forwarded DNS queries to an attacker-controlled server, which answered with the address of a phishing site. For approximately two hours, affected visitors to myetherwallet.com were redirected there. The phishing server presented an invalid TLS certificate; users who dismissed the browser's warning had their credentials captured. Approximately 215 ETH (around $152,000 at the time) was drained. MyEtherWallet's own code and servers were not breached; the attack exploited public internet routing and DNS infrastructure, and the certificate warning was the control that stood between affected users and the loss.
- No major security breaches involving MEW's own systems have been publicly reported since.

## Availability

MyEtherWallet is available globally with no geographic restrictions. It supports Ethereum and a range of EVM-compatible networks including Polygon, Arbitrum, Optimism, Base, and BNB Smart Chain. The MEW mobile app is available on iOS and Android.
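What made the 2018 hijack work is that a more-specific prefix wins longest-prefix matching, so any router that believed the bogus /24 announcements sent Route 53 queries to the attacker. Route Origin Validation against RPKI ROAs is the routing-layer control that catches this class of announcement. The following is an added example, not MEW's or Amazon's code, implementing the RFC 6811 valid/invalid/not-found classification over one constructed ROA and a handful of constructed announcements modelled on the public write-ups of the incident; the prefixes and AS numbers are sample data, not a live RPKI feed.

```python
"""Route Origin Validation (RFC 6811 semantics) applied to constructed BGP
announcements modelled on the April 2018 Route 53 hijack. Added example;
the ROA entries and announcements are sample data, not a live RPKI feed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "205.251.192.0/21"
    origin_as: int   # the only AS allowed to originate it
    max_length: int  # longest more-specific that AS may announce


# Constructed ROA: the prefix holder authorises its own AS down to /24.
ROAS = [ROA("205.251.192.0/21", 16509, 24)]


def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    A ROA *covers* the route if the announced prefix lies inside the ROA
    prefix. It *matches* only if the origin AS agrees and the announced
    length does not exceed max_length. Covered by at least one ROA but
    matched by none is the hijack signature: 'invalid'.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed announcements. The /24s are more specific than the legitimate
# /23, so a router without ROV prefers them by longest-prefix match and sends
# DNS traffic for the hijacked range to the wrong origin.
ANNOUNCEMENTS = [
    ("205.251.192.0/23", 16509),  # legitimate covering route
    ("205.251.193.0/24", 10297),  # more-specific from an unauthorised AS
    ("205.251.197.0/24", 10297),
    ("198.51.100.0/24", 64496),   # unrelated prefix with no ROA at all
]


def triage(announcements=ANNOUNCEMENTS, roas=ROAS) -> dict:
    """Map each announcement to its ROV state; 'invalid' routes are the ones
    a ROV-enforcing router would drop instead of installing."""
    return {f"{p} AS{asn}": validate(p, asn, roas) for p, asn in announcements}


def accepted_routes(announcements=ANNOUNCEMENTS, roas=ROAS) -> list:
    """Drop-invalid policy: keep valid and not-found, discard invalid."""
    return [(p, asn) for p, asn in announcements
            if validate(p, asn, roas) != "invalid"]


if __name__ == "__main__":
    for route, state in triage().items():
        print(f"{state:9s} {route}")
```

Invalid here means covered by a ROA but originated by the wrong AS or too specific; not-found means no ROA exists and the route is accepted by default, which is why ROV protects only prefixes whose holders have actually published ROAs. The second control in the incident, the TLS certificate, sits one layer up: a phishing server cannot present a valid certificate for myetherwallet.com, which is why clicking through the warning was the step that cost users funds.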

No incidents recorded
Phantom

software wallet
Operational
70/100

Phantom is a non-custodial software wallet founded in 2021 and headquartered in San Francisco. Originally built for the Solana blockchain, it has since expanded to support Ethereum, Base, Polygon, Sui, and Bitcoin. As of 2025, the wallet reports over 8 million active users globally.

## Security

- **Non-custodial**: Private keys are generated and stored on the user's device. Phantom does not hold or have access to them.
- **Transaction simulation**: Phantom decodes and previews transactions before a user signs, helping to identify malicious requests.
- **Domain blocklist**: Maintains a block list of over 50,000 known malicious domains and flags risky requests with approximately 95% accuracy.
- **Biometric authentication**: Supported on mobile devices as an unlock mechanism.
- **Bug bounty**: Rewards up to $50,000 for qualifying security disclosures.
- **Third-party audits**: Audited by Kudelski Security and Least Authority.
- **Closed source**: The wallet's codebase is not publicly available for independent review.

## Regulation

Phantom Technologies Inc. is not registered as a money services business with FinCEN or licensed by the FCA. As a non-custodial wallet, it does not typically fall under US MSB registration requirements. In March 2026, Phantom received a CFTC no-action letter permitting it to facilitate user access to regulated derivatives markets without registering as a futures commission merchant or introducing broker. Phantom also submitted written comments to the SEC's crypto task force in June 2025.

## Incident History

- **August 2022**: Approximately 8,000 Solana wallets were drained across multiple providers in a widely reported incident totalling around $5 million. Phantom's infrastructure was not compromised. Investigators attributed the root cause to the Slope wallet application, which transmitted user seed phrases to Slope's servers in plain text. Phantom users affected were those who had previously imported Slope-generated accounts.
- **January 2025**: A developer reported the theft of approximately $500,000 in Wiener Doge tokens from their Phantom wallet. A lawsuit filed in April 2025 by 14 plaintiffs alleges that private keys were stored insecurely in browser extension memory, enabling the theft. Phantom has denied the claims as without merit.
- **February 2025**: A phishing campaign distributed fake wallet update pop-ups targeting Phantom users via browser injection, attributed to a third-party attacker rather than any breach of Phantom's own infrastructure.

No incidents recorded
Rainbow

software wallet
Operational
78/100

Rainbow is a non-custodial mobile and browser extension wallet for Ethereum and EVM-compatible networks, founded in 2019 and headquartered in Brooklyn, United States. It is built for users who want direct control over their private keys while managing tokens, NFTs, and DeFi interactions across Ethereum mainnet and its Layer 2 ecosystem. The wallet is notable for its design-focused interface and integration of built-in swap and bridge functionality.

## Security

- **Non-custodial:** Private keys are stored locally on the device. Rainbow has no server-side access to seed phrases or private keys at any time.
- **Backup options:** On iOS, keys can be encrypted and backed up to iCloud; on Android, to Google Drive. A cloud backup moves key material off the single device, so its protection rests on the strength of the backup password and on the security of the Apple or Google account.
- **Open source:** Both the mobile app and browser extension codebases are publicly available on GitHub under the `rainbow-me` organisation. This allows independent security researchers to review the code for hidden functionality or vulnerabilities.
- **Flashbots MEV protection:** Ethereum mainnet swaps are routed through Flashbots Protect by default, reducing exposure to front-running and sandwich attacks.
- **Hardware wallet support:** Compatible with Ledger hardware wallets. All transactions require physical confirmation on the device.
- **Approval management:** Built-in tools to monitor and revoke outstanding DeFi smart contract permissions.

## Regulation

Rainbow operates as a self-custodial software wallet — not as a custodial service, exchange, or money transmitter. It holds no regulatory registrations with bodies such as the FCA or FinCEN. No KYC is required to use the wallet.

## Incident History

No security breaches affecting Rainbow's wallet infrastructure have been publicly reported. Reported user losses involving Rainbow have stemmed from external phishing campaigns or users approving malicious DeFi contracts — not from flaws in Rainbow's own codebase. The open-source codebase enables ongoing community-led review.

## Token Launch (2025–2026)

In December 2025, Rainbow announced the $RNBW token, conducting an ICO with CoinList targeting a $3M raise at a $100M fully diluted valuation. Fifteen percent of the total token supply was allocated to an airdrop for active historical users. The token is a separate product from the wallet and carries its own risk considerations.

## Availability

Rainbow is available globally on iOS, Android, and as a Chrome browser extension. It supports Ethereum mainnet and a broad set of EVM-compatible Layer 2 networks including Optimism, Arbitrum, Base, Polygon, BNB Smart Chain, and Avalanche. Non-EVM chains such as Bitcoin and Solana are not supported.

No incidents recorded
Satos

exchange
Operational
78/100

Satos is a Dutch crypto broker founded in 2013 and headquartered in Amsterdam, Netherlands. Operating as a Virtual Asset Service Provider (VASP) registered with De Nederlandsche Bank (DNB), it is one of the longest-standing crypto service providers in the Dutch market. The platform focuses on a curated selection of major cryptocurrencies and serves customers in the Netherlands and Belgium. Since late 2023, Satos has partnered with global exchange Bybit, with Bybit Dutch retail operations running under Satos VASP registration as "Bybit Powered by Satos."

## Security

- **Custody model:** For direct purchases, Satos sends crypto to a user-provided external wallet address immediately after each transaction. The platform does not maintain persistent on-platform balances, which limits custodial exposure compared to exchanges that pool user funds.
- **2FA:** Two-factor authentication is required for account access.
- **KYC:** Identity verification through Sumsub is mandatory before trading.
- **Transaction screening:** All transactions are screened via Chainalysis. Addresses linked to illicit activity are flagged, frozen, and reported to the DNB.
- No public proof-of-reserves report has been issued. Given the non-custodial model for direct purchases, the traditional proof-of-reserves format is less applicable to Satos than to custodial exchanges.

## Regulation

- Registered with De Nederlandsche Bank (DNB) under the Dutch Anti-Money Laundering and Counter-Terrorist Financing Act (Wwft).
- DNB registration covers KYC and AML compliance obligations but does not constitute full prudential supervision. DNB does not oversee Satos for solvency in the way it supervises licensed banks.
- Satos is not subject to conduct-of-business supervision by the AFM (Netherlands Authority for the Financial Markets).
- In October 2024, DNB fined Bybit EUR 2.25 million for operating in the Netherlands without a VASP registration between 2020 and 2023 — before the Bybit and Satos partnership. Satos was not fined.

## Incident History

No major security breaches involving Satos user funds have been publicly reported since the platform launched in 2013. Satos does not maintain pooled customer balances for direct purchases, which reduces the scope of any hypothetical breach. The DNB fine issued in October 2024 was directed at Bybit for historical unregistered operation and did not involve Satos or any loss of user funds.

## Availability

Satos serves customers in the Netherlands and Belgium. EUR deposits use iDEAL in the Netherlands and Bancontact in Belgium. KYC identity verification is required for all users and trading is conducted in euros only. The broader Bybit Powered by Satos platform provides access to over 300 trading pairs for verified Dutch users through Bybit account integration.

No incidents recorded
Transak

exchange
Operational
70/100

Transak is a fiat-to-crypto on-ramp and off-ramp infrastructure provider founded in 2019 and headquartered in London. It operates primarily as a B2B API service embedded into wallets and decentralised applications — users encounter Transak through a host platform such as MetaMask, Coinbase Wallet, or one of 600+ integrated projects rather than as a standalone exchange. Purchased crypto is delivered directly to the user's destination wallet address; Transak does not hold user funds.

## Security

- Non-custodial model: crypto is never held by Transak — assets go directly to the user's destination wallet address
- SOC 2 Type II certified and ISO/IEC 27001:2022 compliant
- Multi-level KYC with ongoing transaction monitoring aligned to AML regulations across all operating jurisdictions
- No proof-of-reserves obligation applies, as Transak does not maintain crypto balances on behalf of users

## Regulation

- **UK:** Transak Limited is registered with the Financial Conduct Authority (FCA) as a crypto asset firm
- **US:** Transak USA LLC is a registered Money Services Business (MSB) with FinCEN (MSB #31000300682483); holds money transmitter licences in multiple US states including Alabama, Delaware, Illinois, and Missouri
- **Canada:** Registered with FINTRAC as a Money Services Business
- **Australia:** AUSTRAC registered as a Digital Currency Exchange Provider
- **Poland:** Recognised as a Virtual Asset Service Provider (VASP)
- **India:** Registered with FIU-India as a Virtual Digital Assets Service Provider
- UK FCA registration does not extend FSCS or Financial Ombudsman Service protection to users for crypto asset losses

## Incident History

- **October 2024:** Transak disclosed a data breach affecting approximately 92,554 users (around 1.14% of its user base). A phishing attack compromised an employee's laptop and gave an attacker access to a third-party KYC vendor's systems. The exposed data included names, dates of birth, and government-issued identity documents; no financial data or payment credentials were accessed. Transak engaged external forensic firms and a related US class action lawsuit was settled for $601,000.

## Known Limitations

- Fees are layered (service charge, payment processor fees, and exchange rate spread) and may not be transparent before transaction completion
- Some users report delayed transfers and unresolved customer support cases
- No FSCS or Financial Ombudsman protection applies to crypto transactions

No incidents recorded
Trezor

hardware wallet
Operational
82/100

Trezor is a hardware wallet manufactured by SatoshiLabs, a Czech company that shipped the first consumer hardware wallet, the Trezor One, announced in 2013 and delivered from 2014. It enables self-custody of cryptocurrency by storing private keys on an offline device, keeping signing operations physically isolated from internet-connected computers. Trezor's firmware is fully open source and auditable on GitHub. Current Safe series models support over 8,000 assets.

## Security

- **Self-custody:** Private keys are generated and stored on the device. The host computer sends unsigned transactions; the device signs them offline and never exposes the private key.
- **Open-source firmware:** All firmware is published under an open-source licence and verifiable by independent security researchers. Trezor Suite, the companion desktop application, is also open source.
- **Secure element:** The Safe 3, Safe 5, and Safe 7 include a certified secure element chip that enforces PIN verification and resists brute-force attacks. The Safe 7 uses TROPIC01, an open-source secure element developed by Trezor's Tropic Square subsidiary. The Model One and Model T do not include a secure element.
- **Passphrase:** Enabling a BIP39 passphrase (often called the 25th word) mitigates physical seed extraction risk on all models. The passphrase is never stored on the device; it is mixed into the seed derivation, so a recovery phrase extracted from the hardware yields only the passphrase-less wallet. Any passphrase opens a valid-looking wallet, so a typo silently produces an empty one, and the passphrase must be backed up as carefully as the words. Without one, researcher demonstrations have shown that seed phrases can be extracted from Model One and Model T units with physical access and specialised equipment. Separate research in March 2025 identified architectural weaknesses in Safe 3 and Safe 5 requiring physical access to exploit.

## Product Lineup

- **Trezor Safe 3** ($59): Monochrome display, EAL6+ secure element, USB-C.
- **Trezor Safe 5** ($129): Colour touchscreen, EAL6+ secure element, microSD slot.
- **Trezor Safe 7** ($249): Colour touchscreen, TROPIC01 open-source secure element, Bluetooth, wireless charging, post-quantum cryptography.
- **Model One / Model T:** Legacy models with no secure element. Passphrase use is recommended if still in active use.

## Incident History

- **January 2024:** A third-party support ticketing provider was breached, exposing names and email addresses for approximately 66,000 users who had contacted Trezor support since December 2021. Attackers sent phishing emails requesting seed phrases. No user assets were compromised; Trezor documented forty-one cases in which the exposed data was used against the affected users.
- **March 2024:** Trezor's X account was briefly accessed via social engineering of a team member. No wallet security or user assets were affected.
- No remote exploits compromising user assets have been publicly confirmed.
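The passphrase works because it enters the BIP39 seed derivation as a salt rather than being stored alongside the words. Below is an added example, not Trezor firmware, that derives the seed and the BIP32 master key from the BIP39 test-vector mnemonic under several passphrases; the `TREZOR` passphrase reproduces the seed published in the specification, while the other passphrases are made up for comparison.

```python
"""BIP39 mnemonic-to-seed derivation, showing why a passphrase defeats
extraction of the stored words. Added example, not Trezor firmware. The
mnemonic and the 'TREZOR' passphrase are the published BIP39 test vector;
the other passphrases are made up for comparison."""
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase),
    2048 rounds, 64-byte output. Both inputs are NFKD-normalised first."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple:
    """BIP32 root: HMAC-SHA512 keyed with b"Bitcoin seed"; left half is the
    master private key, right half the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# BIP39 test vector: entropy of sixteen zero bytes gives this mnemonic, and
# with passphrase "TREZOR" the specification publishes the seed below.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
VECTOR_SEED = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
               "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def wallets_for(mnemonic: str = MNEMONIC,
                passphrases=("", "TREZOR", "TREZ0R")) -> dict:
    """One mnemonic, several passphrases: each yields a different, equally
    valid-looking master key. Nothing flags a wrong passphrase; it simply
    opens an empty wallet. That protects an extracted seed, and it is also
    why a forgotten or mistyped passphrase is unrecoverable."""
    out = {}
    for p in passphrases:
        seed = mnemonic_to_seed(mnemonic, p)
        master_key, _chain_code = bip32_master(seed)
        out[p] = {"seed": seed.hex(), "master_key": master_key.hex()}
    return out


if __name__ == "__main__":
    for p, w in wallets_for().items():
        print(f"passphrase={p!r:10} master_key={w['master_key'][:16]}...")
```

Every passphrase, including the empty one, produces a structurally valid wallet; the device cannot distinguish a mistyped passphrase from a deliberately hidden wallet. That property is what neutralises an extracted 24-word phrase, and it is also why the passphrase needs its own backup.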

No incidents recorded
Trust Wallet

software wallet
Operational
62/100

Trust Wallet is a non-custodial multi-chain software wallet founded in 2017 by Viktor Radchenko. Binance acquired the project in 2018, though user private keys are not held by Binance or Trust Wallet — they reside on the user's device only. Available as a mobile app on iOS and Android and as a browser extension, it supports over 10 million crypto assets across more than 100 blockchains.

## Security

- **Non-custodial**: private keys are stored on the user's device and never transmitted to Trust Wallet servers.
- Core libraries are open-source and hosted on GitHub.
- Third-party security audits have been conducted by Quantstamp and Halborn.
- A bug bounty programme operates through Binance.
- Mobile app supports biometric authentication and PIN protection; keys are stored using AES encryption.
- The mobile app and browser extension are separate codebases with different risk profiles — both known security incidents have involved the browser extension only.

## Regulation

- As a non-custodial wallet, Trust Wallet does not hold user assets and is not subject to custodial licensing requirements applicable to exchanges.
- No registrations with the FCA (UK), FinCEN (US), or MAS (Singapore) have been publicly reported.
- Trust Wallet is a subsidiary of Binance; enforcement actions against Binance do not affect Trust Wallet's custody model.

## Incident History

- **April 2023**: A vulnerability in the browser extension's WebAssembly module caused new wallets to be generated from a pseudorandom generator seeded with only 32 bits, so every mnemonic it produced was one of roughly four billion possibilities and could be recovered by enumeration. Wallets created with the affected extension versions in November 2022 were at risk. Approximately $170,000 in losses was reported; affected users were identified and reimbursed, and the vulnerability was patched.
- **December 2025**: A supply chain attack on the browser extension resulted in approximately $7 million in losses across 2,596 wallets. Attackers exploited exposed GitHub secrets to obtain a Chrome Web Store API key and published malicious extension version v2.68, which exfiltrated seed phrases via a hijacked analytics channel. Trust Wallet released a patched version (v2.69), reimbursed affected users, and tightened release pipeline controls. The mobile app was not affected. The attack needed no flaw in the wallet code itself: possession of the store publishing credential was enough to ship a trojaned build to every extension user through the normal update channel.

## Availability

Trust Wallet is available globally with no reported geographic restrictions, spanning iOS, Android, and Chrome browser.
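The 2023 extension flaw is an instance of a general problem: a PRNG seeded with 32 bits has only 2^32 reachable outputs however many bits it emits. The following added example, a constructed generator rather than Trust Wallet's code, places a weak generator of that shape beside the CSPRNG-based one, adds the BIP39 checksum step that turns entropy into word indices, and shows recovery of the weak seed by enumeration.

```python
"""Weak versus strong entropy for wallet generation. Models the class of flaw
described above: a 32-bit-seeded PRNG feeding the mnemonic generator.
Added example with a constructed generator, not Trust Wallet's code."""
import hashlib
import random
import secrets
from typing import Optional

ENTROPY_BYTES = 16  # 128 bits -> twelve-word BIP39 mnemonic


def weak_entropy(seed32: int) -> bytes:
    """Vulnerable pattern: 128 bits come out, but only 2**32 distinct values
    are possible because a 32-bit seed determines the whole stream.
    Mersenne Twister is also not a CSPRNG, so even with a wide seed its
    output is predictable once enough of it has been observed."""
    rng = random.Random(seed32 & 0xFFFFFFFF)
    return rng.getrandbits(ENTROPY_BYTES * 8).to_bytes(ENTROPY_BYTES, "big")


def strong_entropy() -> bytes:
    """Hardened pattern: draw from the OS CSPRNG; 2**128 equiprobable outcomes."""
    return secrets.token_bytes(ENTROPY_BYTES)


def entropy_to_word_indices(entropy: bytes) -> list:
    """BIP39 entropy -> word indices: append the first ENT/32 bits of
    SHA-256(entropy) as checksum, then split into 11-bit groups. Indices map
    into the 2048-word list (0 = 'abandon', 3 = 'about'), omitted here."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent_bits)
    bits += bin(int.from_bytes(checksum, "big"))[2:].zfill(256)[:cs_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def recover_seed(entropy: bytes, max_seed: int) -> Optional[int]:
    """Attacker's view of the weak generator: the mnemonic is a pure function
    of the seed, so enumerate seeds until the output matches. The full 2**32
    space is a laptop-scale job; max_seed bounds the search for this demo."""
    for s in range(max_seed):
        if weak_entropy(s) == entropy:
            return s
    return None


def demo() -> dict:
    weak = weak_entropy(4242)  # constructed victim seed
    strong = strong_entropy()
    return {
        "weak_recovered_seed": recover_seed(weak, 10_000),
        "strong_recovered_seed": recover_seed(strong, 10_000),
        "weak_words": entropy_to_word_indices(weak),
        "zero_entropy_words": entropy_to_word_indices(bytes(ENTROPY_BYTES)),
    }


if __name__ == "__main__":
    print(demo())
```

Recovery by enumeration is what made the affected wallets drainable with no interaction from the user: an attacker derives every one of the 2^32 candidate wallets and sweeps any that hold funds. The fix is not a wider seed for the same PRNG but a CSPRNG; the hardened function uses `secrets`, which reads the operating system's entropy pool. The all-zero entropy case reproduces the indices of the well-known "abandon ... about" test mnemonic, which is why that checksum step is included.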

No incidents recorded
Uniswap

defi
Operational
60/100

Uniswap is a decentralized exchange (DEX) protocol built on Ethereum, founded in 2018 by Hayden Adams and maintained by Uniswap Labs in New York, United States. It introduced the automated market maker (AMM) model to DeFi, allowing token swaps directly from a connected wallet without intermediaries or a central order book. Uniswap consistently accounts for 50–65% of weekly DEX trading volume across Ethereum and multiple EVM-compatible networks.

## Security

- Non-custodial: users retain full control of their private keys; the protocol never holds or custodies assets on behalf of users
- Uniswap v4 (launched January 2025) completed nine independent smart contract audits before deployment
- A $15.5 million bug bounty program covers critical vulnerability disclosures
- Immutable v2 contracts and a governance timelock on v3/v4 limit unilateral protocol changes
- The open-source codebase is publicly verifiable
- Phishing sites impersonating the official interface are an ongoing risk; confirm the URL is app.uniswap.org before connecting a wallet, and read the exact token approval a site requests before signing it

## Regulation

- The protocol holds no regulatory license from the SEC, FinCEN, FCA, or comparable bodies
- Uniswap Labs, which built and operates the front-end interface, is incorporated in New York and subject to US federal law
- The SEC opened a formal investigation into Uniswap Labs around 2024 and closed it in early 2025 without enforcement action
- In 2025, the Uniswap DAO adopted a Wyoming DUNA (Decentralized Unincorporated Nonprofit Association) structure for decentralized governance

## Incident History

- **April 2020**: A reentrancy vulnerability in the early Uniswap (v1) contracts was exploited through an ERC-777 token's transfer hook, which let the attacker re-enter the swap before the pool's balance had updated; losses were limited, and a related breach on Lendf.me followed within 24 hours
- **July 2022**: A phishing campaign impersonating a UNI token airdrop drained approximately $8 million from liquidity provider wallets; the protocol contracts were not breached
- **April 2023**: A rogue Ethereum validator exploited a flaw in the MEV-Boost relay to replace the transaction bundles of sandwich bots operating on eight Uniswap v2 pools, extracting approximately $25.2 million from the bots; the pools and the Uniswap contracts behaved as designed, and no funds were recovered

The core v2 and v3 smart contracts have not been directly exploited. Documented losses have resulted from phishing targeting individual users and from MEV activity around pool pricing, not from flaws in the pool contracts themselves.

## Availability

Uniswap is accessible globally via any EVM-compatible wallet. The official front-end restricts certain token types for users in the United States following regulatory guidance to Uniswap Labs. The underlying protocol contracts remain accessible through third-party interfaces.

No incidents recorded
Uphold

exchange
Operational
62/100

Uphold is a multi-asset trading platform founded in 2014 and headquartered in New York. It supports over 360 cryptocurrencies alongside precious metals, US equities, and 27 national currencies, enabling direct swaps between any two asset classes in a single transaction. As of 2026, Uphold reports more than 10 million registered users across 180 countries. The platform is primarily custodial, meaning Uphold holds private keys on behalf of users.

## Security

- Around 90% of crypto assets are stored in AES-256 multi-signature cold storage; remaining assets are kept in hot wallets to support liquidity
- Two-factor authentication, withdrawal address whitelisting, and a 24/7 Security Operations Centre
- SOC 2 Type II, ISO 27001, and PCI DSS certified
- Active bug bounty programme on Intigriti, with rewards of up to €25,000 for critical findings
- Publishes a live Transparency page (Reserveledger) updated every 30 seconds showing customer liabilities alongside reserves; on-chain verification is available for crypto holdings, but reserves for non-crypto assets such as precious metals and equities are self-reported rather than third-party attested

## Regulation

- **United States:** Registered as a Money Services Business (MSB) with FinCEN (NMLS ID 1269875), also regulated at the state level
- **United Kingdom:** Uphold Europe Limited received FCA authorisation as a registered crypto asset firm in January 2026, one of only 32 firms to hold this designation
- **Canada:** Registered with FINTRAC
- **Europe:** Registered with the Bank of Portugal
- Full KYC verification is required for all users; the platform complies with GDPR, AMLD5/6, and MiCA frameworks

## Incident History

- **July 2022:** Third-party email service provider Customer.io disclosed that a rogue internal employee had shared client contact data with an external party. Data exposed was limited to names and email addresses. No account credentials, balances, or private keys stored within Uphold's own systems were involved
- No confirmed loss of customer funds from a direct breach of Uphold's core infrastructure has been publicly reported

## Availability

Uphold is available in 140+ countries. New account openings are restricted in several markets including Germany, the Netherlands, India, Nigeria, Indonesia, and China. The platform is fully blocked in sanctioned jurisdictions including Iran, North Korea, Syria, and Cuba.

No incidents recorded