It was November 2022 when the crypto world collectively gasped. FTX, valued at $32 billion just months earlier, evaporated almost overnight. But here's what most people missed: FTX wasn't an anomaly. It was a symptom. Since 2014, cryptocurrency exchanges have lost or misappropriated approximately $10 billion in user funds. That's not a typo. That's billion with a B.
The worst part? We keep repeating the same cycle. New exchange launches. Early adopters flock to it. The platform gets hacked, or the founder absconds with customer assets, or they simply "lose access" to the wallet keys. Rinse. Repeat. The infrastructure hasn't fundamentally improved—we've just gotten better at forgetting about it.
The Fractional Reserve Game Nobody Admits Playing
Before we talk about theft and hacks, let's discuss what most exchanges actually do with your coins when you deposit them: they lend them out. Immediately. Without telling you.
When you deposit Bitcoin on an exchange like Coinbase or Kraken, you don't actually own Bitcoin anymore. You own an IOU. The exchange holds the Bitcoin and can do whatever they want with it—lend it to institutional traders, use it as collateral for their own loans, or just sit on it. This is fractional reserve banking, the same system that caused the 2008 financial crisis, except with less regulation and more volatility.
Most exchanges maintain reserve ratios somewhere between 80-95%, meaning they actually have most of what you deposited. But some maintain less. Much less. Mt. Gox, before its spectacular collapse in 2014, was running with only about 50% reserves by the end. Users thought their coins were safely stored. They weren't.
The problem is there's almost no way to verify this. Exchanges don't publish detailed proof-of-reserves reports. Kraken tried it once in 2014, and nobody else followed suit. Why? Because transparency isn't profitable, and the regulatory arbitrage of operating in crypto-friendly jurisdictions like the Bahamas or Malta means they don't have to.
When Your Keys Aren't Your Coins (And Nobody Knows Why)
Then there's the custody problem. This is where things get properly dystopian.
Most people know the phrase "not your keys, not your coins," but they don't actually understand what it means in practice. When you use an exchange, you're trusting that exchange with cryptographic keys—the digital passwords that unlock your coins. A single person losing that password, or a hack that exposes it, means your funds are gone. Forever. There's no charge-back. There's no FDIC insurance. There's nothing.
Take the QuadrigaCX collapse from 2019. The Canadian exchange's founder, Gerald Cotten, died in India. Mysteriously. And guess what? He was apparently the only person who knew the passwords to access $190 million in customer funds. The funds were never recovered. Whether Cotten actually died, whether the funds were ever actually there, whether it was an elaborate scheme—nobody really knows. The exchange's physical servers were eventually recovered, but they were encrypted, and the encryption keys died with him.
Or did they?
That's the thing. We'll never know. The lack of transparency means we're all just taking these stories at face value. And the more stories you read, the more you realize how many of them end the same way: customer funds gone, explanation vague, founder vanished or dead, investors left holding nothing.
The Regulatory Theater That Protects Nobody
"But wait," you might say. "Can't regulators fix this?" They're trying. Sort of. The problem is that crypto exchanges operate in regulatory gray zones by design. FTX was registered in the Bahamas. Kraken operates under a BitLicense in New York, but that's more security theater than actual protection. The Bahamas has almost no oversight. When Sam Bankman-Fried needed regulatory approval for his derivatives exchange, he just asked the Bahamas Financial Services Board nicely. They said yes. No rigorous stress testing. No detailed audits. No proof of reserves.
Some jurisdictions are getting serious—the EU's Markets in Crypto Regulation (MiCA) requires exchanges to maintain segregated customer funds and prove reserves regularly. But MiCA doesn't take effect until 2024, and most global exchanges have already registered subsidiaries specifically to avoid it.
The United States is somehow even worse. Exchanges can operate for years without any federal banking license as long as they claim to be non-custodial. But users treat them like custodians anyway, depositing coins they expect to be protected. The SEC and CFTC keep feuding over who should regulate what, while actual theft happens in real-time.
What You Can Actually Do
So how do you protect yourself? The boring answer is the only answer that works: self-custody. Buy a hardware wallet like a Ledger or Trezor. Store your coins there. Own your keys. It's inconvenient and requires you to actually understand what you're doing—which is probably why most people don't do it.
If you absolutely must use an exchange, use it only as a temporary holding area. Deposit fiat, buy your coins, withdraw immediately. Treat it like a convenience store, not a bank. And if an exchange is offering you 12% APY for staking your coins? Run. That's not investment returns. That's a Ponzi scheme with better branding.
For deeper context on how centralized systems continue to fail despite knowing better, "The Silent Killer of Crypto Dreams: Why Your Private Key Custody Method is Probably Wrong" breaks down exactly why most people's security practices leave them vulnerable.
The $10 billion in missing funds isn't really missing. It's just been transferred from people who trusted the wrong systems to people who understood the systems better. Until we demand actual transparency and regulatory teeth from these platforms, we're all just participating in a high-stakes game of musical chairs. And when the music stops, most of us will be standing.
