
TOP-100 Exchanges By Cybersecurity Score #5


According to the Crystal Blockchain report, $400M was stolen from centralized exchanges and $1.8B from DeFi services in 2021.

The largest hack of 2021 was the Bitmart incident, in which attackers stole $200M in various cryptocurrencies. The stolen assets were withdrawn from the exchange's hot wallet. The hack was made possible by a private key leak.

New Metrics

At the end of 2021, CER added ISO 27001 certification and Exchange Funds Insurance to its methodology. Without these two metrics, an exchange cannot receive the maximum score.

ISO 27001 is a fundamental standard for crypto exchanges to follow. It covers the core dimensions of information security: confidentiality, integrity, and availability. Its central requirement is the development and maintenance of an ISMS (information security management system), the overarching framework through which an organization manages its data protection practices.

To become compliant, a project needs to perform a risk assessment, select and implement security controls, and review them regularly. Accredited certification bodies then audit the exchange to determine whether it is ISO 27001 compliant; for example, in 2019 Binance, one of the largest crypto exchanges, was examined against 114 criteria across 14 categories. ISO-compliant exchanges apply a structured approach to managing sensitive data and assets. ISO 27001 also requires internal controls over the management of cryptographic keys, which for an exchange includes the private keys of its hot wallets. Had Bitmart implemented and audited such controls, the private key leak behind its hack would have been far less likely.

The CER team also recommends that crypto exchanges become SOC 2 compliant. SOC 2 is a voluntary security standard developed by the American Institute of CPAs (AICPA), and its key characteristic is flexibility. It covers five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy, of which only Security is mandatory. Both ISO 27001 and SOC 2 are globally recognized, but an exchange operating in North America is strongly advised to obtain SOC 2. A SOC 2 attestation is issued by a licensed certified public accountant (CPA) firm. It demonstrates that an exchange has effective processes in place to monitor unusual system activity, authorized and unauthorized changes to system configuration, and access control, and that it has security alerting in place so it can react immediately to an incident. Maintaining SOC 2 compliance provides ongoing evidence that the exchange's internal security practices remain effective.

2021 Results

In the current analysis, CER has reviewed 301 crypto exchanges. 

The primary goal of this report is to provide an expert view of the state of cybersecurity in the crypto exchanges industry.

In November 2021, we updated the score: it now uses letter grades instead of figures, so it resembles traditional credit ratings such as those of S&P.

Statistics

Rating   Number of exchanges
AAA      6
AA       2
A        5
BBB      19
BB       5
B        2
CCC      2
CC       6
C        24
D        230

Table 1. Scoring stats

The new Cybersecurity Score (CSS) results show that 32 of the 301 crypto exchanges reviewed (10.6%) received a "good" cybersecurity score, i.e. BBB or higher (see Table 1). That is twice as many as in our previous report.

During 2021, we received more than 100 certification requests, and ratings have changed significantly as a result of the findings of our latest research.

Compared to the previous Top-100 research, the number of exchanges running bug bounty programs has increased from 77 to 98 (+27%). Under the CER.live methodology, a self-hosted bug bounty program carries half the weight of one managed by an independent third-party platform with a large community of ethical hackers. An independent platform provides a neutral party that enforces the program's rules and ensures the researcher is rewarded for every valid vulnerability they report.

The share of bug bounty programs managed by third-party platforms has increased by 50% since the beginning of 2021. Most of these programs are hosted on the following platforms:

  • HackenProof
  • HackerOne
  • Slowmist
  • BugCrowd

According to our data, 51 exchanges (17% of all those reviewed) regularly commission penetration tests from cybersecurity firms.

The crypto exchange market is thus becoming more mature year by year.

Six crypto exchanges hold the highest rating, AAA: they have almost all of the cybersecurity components required by the CER.live methodology in place.

New Top-100 Exchanges by CSS

Below is the table with the cybersecurity rating (in letters and in figures) of each exchange, calculated by CER according to the updated methodology.

#     Exchange          Cybersecurity rating   Rating in figures
1     CRYPTOLOGY        AAA                    10.00
2     KRAKEN            AAA                    10.00
3     WHITEBIT          AAA                    10.00
4     BINANCE_US        AAA                    9.75
5     BINANCE           AAA                    9.55
6     COINBASE          AAA                    9.51
7     GEMINI            AA                     9.49
8     CRYPTO            AA                     9.35
9     COINFLEX          A                      9.00
10    BLOCKCHAIN        A                      8.98
11    HUOBI             A                      8.88
12    BITSO             A                      8.53
13    BITTREX           A                      8.53
14    BYBIT             BBB                    8.49
15    CURRENCY          BBB                    8.44
16    BITMAX            BBB                    8.43
17    BIGONE            BBB                    8.41
18    P2PB2B            BBB                    8.33
19    WOO               BBB                    8.27
20    GATE              BBB                    8.25
21    LATOKEN           BBB                    8.20
22    FTX_SPOT          BBB                    8.18
23    BITMART           BBB                    8.15
24    BIKI              BBB                    8.13
25    LBANK             BBB                    8.11
26    BTSE              BBB                    8.06
27    BITRUE            BBB                    8.03
28    BITKUB            BBB                    8.03
29    BITFINEX          BBB                    8.03
30    KUCOIN            BBB                    8.02
31    ZB                BBB                    8.02
32    HOTBIT            BBB                    8.01
33    OKEX              BB                     7.86
34    COINMETRO         BB                     7.77
35    COINEX            BB                     7.76
36    REMITANO          BB                     7.74
37    COINSBIT          BB                     7.57
38    LCX               B                      7.30
39    NICEHASH          B                      7.14
40    BITFOREX          CCC                    6.59
41    POLONIEX          CCC                    6.53
42    CEX               CC                     6.45
43    ALTERDICE         CC                     6.43
44    B2BX              CC                     6.41
45    HOO               CC                     6.37
46    AAX               CC                     6.37
47    BITCOIN_COM       CC                     6.18
48    BITHUMB_GLOBAL    C                      5.86
49    INDODAX           C                      5.79
50    NARKASA           C                      5.70
51    BITOPRO           C                      5.69
52    FTX_US            C                      5.68
53    STEX              C                      5.65
54    BITSTAMP          C                      5.63
55    MXC               C                      5.61
56    BTCTURK           C                      5.61
57    BHEX              C                      5.59
58    MAX_MAICOIN       C                      5.54
59    TOKENIZE          C                      5.46
60    EXMO              C                      5.45
61    BKEX              C                      5.42
62    ZBG               C                      5.42
63    STORMGAIN         C                      5.41
64    OTCBTC            C                      5.39
65    BITMEX            C                      5.34
66    BITBANK           C                      5.31
67    BIBOX             C                      5.27
68    KUNA              C                      5.25
69    XT                C                      5.13
70    BITGET            C                      5.03
71    DIGIFINEX         C                      5.01
72    COINBENE          D                      4.98
73    COINSUPER         D                      4.86
74    BILAXY            D                      4.50
75    BITBNS            D                      4.41
76    BW                D                      4.32
77    ALTILLY           D                      4.28
78    BIT_Z             D                      4.22
79    OCEANEX           D                      4.20
80    DRAGONEX          D                      4.17
81    QTRADE            D                      4.10
82    HITBTC            D                      4.08
83    TOKENS_NET        D                      4.06
84    QUOINE            D                      3.96
85    DEXTRADE          D                      3.93
86    OKEX_KOREA        D                      3.88
87    BTCSQUARE         D                      3.84
88    ETOROX            D                      3.84
89    BITPANDA          D                      3.82
90    FELIXO            D                      3.81
91    BANKERA           D                      3.78
92    BTCMARKETS        D                      3.78
93    OKCOIN            D                      3.70
94    FATBTC            D                      3.69
95    ZEBPAY            D                      3.65
96    DELTA_EXCHANGE    D                      3.64
97    ETERBASE          D                      3.59
98    EQONEX            D                      3.48
99    COINJAR           D                      3.43
100   COINHE            D                      3.40

Conclusion

The research results show that crypto exchanges are paying greater attention to security: their overall security level has increased every year.

More than 10% of all reviewed exchanges have a good security level. However, there are still issues, most of them related to private key management: at least 3 exchanges were hacked due to private key leakage. Exchanges should undergo ISO 27001 and SOC 2 audits to reduce the risk of such hacks.

We are going to release a big crypto tokens rating in February 2022. Stay updated!

About CER.live

CER.live is a cybersecurity ranking and certification platform that performs security assessments of digital asset platforms based on 18+ indicators. The platform has already evaluated the security of 300+ leading crypto exchanges. Since 2020, the platform has been a trusted partner of CoinGecko and the data provided by CER.live is a part of CoinGecko’s trust score given to exchanges.

CER.live Twitter

For more information about Hacken and recent news/updates, please refer to these channels:

Hacken Club Twitter

Hacken Club Telegram Chat 

Hacken Club Announcements 

Hacken Foundation Website 

Hacken Medium

Hacken Reddit
