New

Hacken is launching a monitoring tool. Get details and join our beta program

More

TOP-100 Exchanges By Cybersecurity Score #5

TOP-100 Exchanges By Cybersecurity Score #5
  • Insights
  • CER
  • Crypto exchanges
  • Cybersecurity Score

2 Feb 2022

According to the Crystal blockchain report, $400M were stolen from centralized exchanges and $1,8B from DeFi services in 2021. 

The largest hack in 2021 was the Bitmart incident when attackers stole $200M in various cryptocurrencies. The stolen virtual assets were withdrawn from the exchange’s hot wallet. The hack became possible due to the private key leakage.

New Metrics

At the end of 2021, CER included ISO 27001 and Exchange Funds Insurance in our methodology. Without these metrics, an exchange cannot get the maximum score.

ISO 27001 is a fundamental standard for crypto exchanges to follow. It covers important dimensions of securing information including confidentiality, integrity, and availability. ISO 27001 key areas are the development and maintenance of an ISMS (information security management system), which constitutes an overarching method of managing data protection practices.

To become compliant a project needs to perform a risk assessment, determine and implement security controls, and conduct their review regularly. The accredited bodies perform the audit of crypto exchanges to determine whether they are ISO 27001 compliant. For example, in 2019, one of the biggest crypto exchanges Binance was examined on 114 criteria across 14 categories. ISO compliant exchanges apply a structured approach to managing sensitive data and assets. ISO 27001 also covers internal control over private keys. Thus, if Bitmart had followed ISO 27001, very likely, it would not have suffered from the private key leakage.

The CER team also recommends crypto exchanges to become SOC 2 compliant. SOC 2 is a voluntary security standard developed by the American Institute of CPAs. The key characteristic of SOC 2 is flexibility. It covers 5 Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy, but only the first principle is mandatory. Both ISO 27001 and SOC 2 are globally recognized, but if you operate in North America, it is strongly recommended to be SOC 2 compliant. SOC 2 attestation is conducted by a licensed certified public accountant. SOC 2 compliance proves that an exchange has an effective process in place to monitor unusual system activity, authorized and unauthorized changes in system configurations, and access control. SOC 2 also focuses on whether an exchange has security alerting practices in place to immediately react to a security incident. SOC 2 compliance ensures the long-term efficiency of the exchange’s internal security practices.

2021 Results

In the current analysis, CER has reviewed 301 crypto exchanges. 

The primary goal of this report is to provide an expert view of the state of cybersecurity in the crypto exchanges industry.

In November 2021, we updated the score: now there are letters instead of figures, it resembles traditional ratings such as S&P.

Statistics

RatingNumber of Exchanges 
AAA6
AA2
A5
BBB19
BB5
B2
CCC2
CC6
C24
D230

Table 1. Scoring stats

The New CSS results show that 32 crypto exchanges (10.66%) out of 301 have received a “good” cybersecurity score (BBB and higher, see Table 1). X2 increase vs. 2021!

Fig. 1. Distribution of CSS results by rating

During 2021, we received >100 certification requests. Ratings have changed significantly based on the revelations of our latest research

Compared to the previous top 100 research, the number of exchanges running bug bounty programs has increased from 77 to 98 (+27%). Under the Cer.live methodology, the weight of self-hosted bug bounty programs is two times smaller than those managed by independent third-party platforms with large communities of ethical hackers. Only independent platforms can ensure the fairness of the program and guarantee that the hacker will be rewarded for every identified vulnerability.

Fig. 2. Bug Bounty Programs

The share of bug bounty programs managed by third-party platforms has increased by 50% since the beginning of 2021. The majority of bug bounty programs are hosted on the following platforms:

  • HackenProof
  • HackerOne
  • Slowmist
  • BugCrowd

According to our data, 51 (17% from all) exchanges regularly apply for pentests conducted by different cybersecurity firms. 

Thus, the crypto exchanges market becomes more mature year by year.

6 crypto exchanges have the highest rating AAA. They have almost all required cyber security components in place according to Cer.live methodology.

New Top-100 Exchanges by CSS

Below is the table with the cybersecurity rating (both in letters and figures) of each exchange calculated by CER according to the updated methodology.

#ExchangeCybersecurity ratingRating in figures
1CRYPTOLOGYAAA10,00
2KRAKENAAA10,00
3WHITEBITAAA10,00
4BINANCE_USAAA9,75
5BINANCEAAA9,55
6COINBASEAAA9,51
7GEMINIAA9,49
8CRYPTOAA9,35
9COINFLEXA9,00
10BLOCKCHAINA8,98
11HUOBIA8,88
12BITSOA8,53
13BITTREXA8,53
14BYBITBBB8,49
15CURRENCYBBB8,44
16BITMAXBBB8,43
17BIGONEBBB8,41
18P2PB2BBBB8,33
19WOOBBB8,27
20GATEBBB8,25
21LATOKENBBB8,20
22FTX_SPOTBBB8,18
23BITMARTBBB8,15
24BIKIBBB8,13
25LBANKBBB8,11
26BTSEBBB8,06
27BITRUEBBB8,03
28BITKUBBBB8,03
29BITFINEXBBB8,03
30KUCOINBBB8,02
31ZBBBB8,02
32HOTBITBBB8,01
33OKEXBB7,86
34COINMETROBB7,77
35COINEXBB7,76
36REMITANOBB7,74
37COINSBITBB7,57
38LCXB7,30
39NICEHASHB7,14
40BITFOREXCCC6,59
41POLONIEXCCC6,53
42CEXCC6,45
43ALTERDICECC6,43
44B2BXCC6,41
45HOOCC6,37
46AAXCC6,37
47BITCOIN_COMCC6,18
48BITHUMB_GLOBALC5,86
49INDODAXC5,79
50NARKASAC5,70
51BITOPROC5,69
52FTX_USC5,68
53STEXC5,65
54BITSTAMPC5,63
55MXCC5,61
56BTCTURKC5,61
57BHEXC5,59
58MAX_MAICOINC5,54
59TOKENIZEC5,46
60EXMOC5,45
61BKEXC5,42
62ZBGC5,42
63STORMGAINC5,41
64OTCBTCC5,39
65BITMEXC5,34
66BITBANKC5,31
67BIBOXC5,27
68KUNAC5,25
69XTC5,13
70BITGETC5,03
71DIGIFINEXC5,01
72COINBENED4,98
73COINSUPERD4,86
74BILAXYD4,50
75BITBNSD4,41
76BWD4,32
77ALTILLYD4,28
78BIT_ZD4,22
79OCEANEXD4,20
80DRAGONEXD4,17
81QTRADED4,10
82HITBTCD4,08
83TOKENS_NETD4,06
84QUOINED3,96
85DEXTRADED3,93
86OKEX_KOREAD3,88
87BTCSQUARED3,84
88ETOROXD3,84
89BITPANDAD3,82
90FELIXOD3,81
91BANKERAD3,78
92BTCMARKETSD3,78
93OKCOIND3,70
94FATBTCD3,69
95ZEBPAYD3,65
96DELTA_EXCHANGED3,64
97ETERBASED3,59
98EQONEXD3,48
99COINJARD3,43
100COINHED3,40

Conclusion

Research results show that crypto exchanges are paying greater attention to security since their security level increases every year. 

More than 10% of all reviewed exchanges have a good security level. However, there are still issues mostly related to private keys management. At least 3 exchanges were hacked due to private key leakage. Exchanges have to perform ISO 27001 and SOC 2 audits to prevent hacks.

We are going to release a big crypto tokens rating in February 2022. Stay updated!

About CER.live

CER.live is a cybersecurity ranking and certification platform that performs security assessments of digital asset platforms based on 18+ indicators. The platform has already evaluated the security of 300+ leading crypto exchanges. Since 2020, the platform has been a trusted partner of CoinGecko and the data provided by CER.live is a part of CoinGecko’s trust score given to exchanges.

CER.live Twitter

For more information about Hacken and recent news/updates, please refer to these channels:

Hacken Club Twitter

Hacken Club Telegram Chat 

Hacken Club Announcements 

Hacken Foundation Website 

Hacken MediumHacken Reddit

share via social

Subscribe to our research

Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email


    Interested in getting to know whether your systems are vulnerable to cyberattacks?

    Tell us about your project

    • This field is required
    • This field is required
      • whatsapp icon WhatsApp
      • telegram icon Telegram
      • wechat icon WeChat
      • signal icon Signal
    • This field is required
    • This field is required
    • This field is required
    • This field is required
    This field is required
    departure icon

    Thank you for your request

    Get security score on

    • certified logo
    • coingeco logo
    • coin market cap logo

    1,070+ projects audited

    companies logos

    Apply for partnership

    • This field is required
    • This field is required
    • This field is required
    • This field is required
      • Foundation
      • VC
      • Angel investments
      • IDO or IEO platform
      • Protocol
      • Blockchain
      • Legal
      • Insurance
      • Development
      • Marketing
      • Influencer
      • Other
    This field is required
    This field is required
    departure icon

    Thank you for your request

    Get security score on

    • certified logo
    • coingeco logo
    • coin market cap logo

    1,070+ projects audited

    companies logos

    Get in touch

    • This field is required
    • This field is required
    • This field is required
    • This field is required
    This field is required
    By submitting this form you agree to the Privacy Policy and information beeing used to contact you
    departure icon

    Thank you for your request

    Get security score on

    • certified logo
    • coingeco logo
    • coin market cap logo