TOP-100 Exchanges By Cybersecurity Score #4

According to the CipherTrace report, a total of $516 million in crypto was stolen from centralized exchanges and DeFi services in 2020 alone. Although most of these hacks targeted DeFi services, the total value stolen from centralized exchanges was much higher.

The largest hack of 2020 was the Kucoin hack, in which attackers stole more than a quarter of a billion dollars in various cryptocurrencies. The funds were withdrawn from the exchange's hot wallet. Notably, more than 25% of all of Kucoin's crypto was held in that hot wallet, which is considered bad practice: a hot wallet's signing keys are online and reachable from the exchange's infrastructure, so it should hold only the float needed for day-to-day withdrawals, with the remainder kept in cold storage.

This hack, and specifically the causes behind it, prompted us to improve our methodology: we have added ISO 27001 certification and exchange funds insurance to our metrics. In the current analysis, CER has reviewed 289 crypto exchanges. Compared to the previous reviews, we have also added derivatives exchanges to the ranking.

The primary goal of this report is not to promote or degrade any exchanges, but rather to provide an expert view of the state of cybersecurity in the crypto exchange industry.

METHODOLOGY UPDATE

For a more multifaceted and balanced evaluation, we have added ISO 27001 compliance and funds insurance to our metrics. These indicate that clients' funds are insured against losses and that the exchange's security management meets an international standard.

To clarify: the insurance fund must cover potential losses in the case of a hack. Also, an exchange is eligible for ISO 27001 points only if the audit was performed by an accredited certification body authorized to perform such audits.

Statistics

The new CSS results show that only 14 crypto exchanges (4.8%) out of 289 have gained a "good" cybersecurity score of over 8 points (see Fig. 1).

Fig. 1. Distribution of CSS results by total score

Since the last methodology update, we have received well over 100 certification requests. Ratings have changed significantly based on the findings of our latest research.

Compared to the previous top-100 research, the number of exchanges running bug bounty programs to improve their security has increased from 48 to 77 (+60%). Under the cer.live methodology, a self-hosted bug bounty program receives half the points of one managed by a third-party platform. The reason is that only a neutral third-party platform can ensure the fair operation of the program and guarantee that a researcher is rewarded for every identified vulnerability. Third-party platforms also engage more researchers in the program, which leads to better security outcomes.

Fig. 2. Bug Bounty

The share of bug bounty programs managed by third-party platforms has increased significantly since the beginning of 2020. Most of the programs are hosted on the following platforms:

  • HackerOne
  • HackenProof
  • Slowmist
  • BugCrowd

According to our data, 42 exchanges (14.5% of the total) perform regular pentests with various cybersecurity firms. By the end of 2020, the number of pentest reports we received had increased significantly.

This shows that crypto exchanges have not only become more concerned and vocal about security, they are finally beginning to put their money where their mouth is.

According to the gathered data, 8 crypto exchanges have been certified as meeting the ISO 27001 standard, and just 6 exchanges have an insurance fund for hack cases. Only the following 5 exchanges have both:

Note that the ETH and BTC balances of each of these exchanges exceed $1 billion.

New Top-100 Exchanges by CSS

Below is a table with the final results. It contains each exchange's current position, its position change since the previous ranking, and its cybersecurity score (CSS) calculated by CER under the updated methodology.

#     Exchange          Cybersecurity score   Position change
1     Binance US        9.75                  +5
2     Binance           9.55                  +5
3     Coinbase          9.39                  +5
4     Crypto            9.04                  +5
5     Kraken            8.75                  +5
6     Bigone            8.41                  -5
7     Bithumb Global    8.36                  +5
8     P2PB2B            8.33                  -6
9     Whitebit          8.30                  -5
10    Gate              8.25                  +3
11    Gemini            8.24                  +3
12    Mxc               8.11                  +3
13    Bitso             8.03                  -10
14    Hotbit            8.01                  +2
15    Bkex              7.92                  +2
16    Bitmex            7.84                  +2
17    Bibox             7.77                  +2
18    Lbank             7.74                  -13
19    Coinsbit          7.64                  +1
20    Bitget            7.53                  +2
21    Zebpay            7.40                  0
22    Nicehash          7.14                  +1
23    FTX               6.93                  +1
24    Bitfinex          6.91                  -13
25    Bitmart           6.64                  0
26    Okex              6.61                  0
27    Bitkub            6.58                  0
28    Dex-Trade         6.43                  0
29    Okex Korea        6.38                  0
30    Fatbtc            6.19                  0
31    Bitforex          6.18                  0
32    Bittrex           6.03                  +2
33    Currency          5.96                  +2
34    Indodax           5.79                  +2
35    Latoken           5.70                  +2
36    Narkasa           5.70                  -3
37    Bitopro           5.69                  +1
38    Blockchain.com    5.57                  +1
39    Bitstamp          5.57                  +1
40    max.maicoin       5.54                  -8
41    Otcbtc            5.39                  0
42    Huobi             5.38                  0
43    Poloniex          5.28                  0
44    Kuna              5.25                  0
45    ZB                5.25                  0
46    Cointiger         5.23                  0
47    Kucoin            5.22                  0
48    Biki              5.20                  0
49    Xt                5.13                  0
50    Aax               5.12                  0
51    Digifinex         5.01                  0
52    Coinbene          4.98                  0
53    Coinsuper         4.86                  +3
54    Bybit             4.82                  -1
55    Hoo               4.82                  +2
56    Bilaxy            4.50                  -2
57    Bitmax            4.46                  -2
58    Bw                4.32                  0
59    Bitrue            4.28                  0
60    Altilly           4.28                  0
61    Bit-Z             4.22                  0
62    Liquid            4.20                  0
63    Oceanex           4.20                  0
64    Dragonex          4.17                  0
65    Qtrade            4.10                  0
66    Hitbtc            4.08                  0
67    Tokens            4.06                  0
68    Coinflex          3.95                  0
69    Cex               3.95                  0
70    Alterdice         3.93                  0
71    B2BX              3.91                  0
72    Zbg               3.90                  0
73    Huobi Korea       3.86                  +1
74    EtoroX            3.84                  +1
75    Bitpanda          3.82                  +1
76    Bankera           3.78                  +1
77    Btcmarkets        3.78                  +1
78    Okcoin            3.70                  +1
79    Exmo              3.65                  +8
80    Coinjar           3.54                  +8
81    Bitbns            3.41                  +8
82    Coinhe            3.40                  +8
83    Upbit             3.32                  -3
84    Phemex            3.31                  +7
85    Wazirx            3.28                  +7
86    Deribit           3.28                  +7
87    Unnamed           3.25                  +7
88    Paribu            3.19                  -7
89    Txbit             3.18                  +6
90    Btc-Alpha         3.18                  -8
91    Stex              3.15                  +5
92    Decoin            3.13                  +5
93    Btcturk           3.11                  +5
94    Bitfex            3.08                  +5
95    Bithumbsg         3.03                  +5
96    Bitsdaq           3.02                  +5
97    Coinmetro         3.00                  +5
98    Probit            3.00                  +5
99    Velic             2.99                  +5
100   FTX US            2.98                  +5

Conclusion

The research results show that security is becoming an increasing priority among cryptocurrency exchanges. Nevertheless, the overall safety assessment remains low: fewer than 5% of the exchanges investigated (14 of 289) have a good (8 or higher) level of security.

After the methodology update, the scores of all but 6 platforms decreased. In other words, only a very small number of exchanges, all with large client bases, received points for the features newly added to the cer.live methodology. The Ethereum and Bitcoin balances of these exchanges are well over $1 billion.

The CER ranking will be updated one week after the publication of this article. Exchange representatives can contact us through the cer.live contact form to request a cybersecurity score review and submit certification data.
