If you Googled “how to choose a crypto exchange,” you’ve already seen the same 100 identical listicles: fees, security, regulation, customer support, mobile app. They don’t help you decide. They’re the crypto equivalent of “the best car has four wheels and a steering wheel” — technically true, completely useless.
The lists keep multiplying because writing them is easy. Actually deciding where to trust your money is hard. And the cost of getting it wrong has only gone up. In February 2025, North Korea’s Lazarus Group stole roughly $1.5 billion in Ether from Bybit in what became the largest crypto heist on record. In November 2022, FTX collapsed with an $8 billion hole in its books, leaving more than a million users locked out for nearly two years. In 2019, Quadriga’s CEO died on his honeymoon in India, allegedly taking the only password to roughly C$250 million (about US$190 million) in customer funds with him — a Ponzi scheme dressed up as a Canadian exchange.
Each of those failures was preventable — not by reading another generic checklist, but by asking the right specific question and refusing to deposit until the answer was clear. So here are 9 questions that actually divide crypto exchanges into “use this” and “do not trust with money.” Each is attached to a real failure case, not a marketing brochure. After the questions, there’s a decision tree for four common user types — because a Bitcoin HODLer and a daily trader don’t need the same things.
This is a guide to thinking clearly. It is not financial advice.
Why Generic Crypto Exchange Checklists Fail
Most “how to choose a crypto trading platform” articles fail because they grade exchanges on what marketing teams want you to grade them on. “Low fees, strong security, lots of coins” — every exchange that’s ever blown up could check those boxes the day before it imploded. FTX had low fees. Mt. Gox handled most of the world’s Bitcoin volume. Quadriga had lots of coins.
The questions that actually predict failure are awkward. They’re about custody, governance, transparency, and what happens on the worst day. That’s why they matter.
The 9 Questions
Question 1: Who actually holds your private keys while the trade is happening?
The answer you want: either you do, or the platform never controls them at all. The fewer seconds your funds sit in someone else’s wallet, the smaller the failure surface.

The single biggest divider between “use this” and “don’t” is custody. A custodial exchange holds your assets in pooled wallets it controls — you see a balance on a screen; the exchange sees the actual coins. A non-custodial swap service routes your funds through automated, often single-use addresses without pooling them with everyone else’s deposits.
Red flags:
- Funds sit on the exchange between trades by default
- Withdrawal queues, “maintenance,” or daily limits that stop you from leaving
- The platform’s wallets are not publicly disclosed
- The exchange tells you “your crypto is safe with us” without explaining how
How to verify: Read the platform’s own description of how funds move. Look for the words “non-custodial,” “atomic swap,” or “instant settlement.” Then test it: deposit a small amount, watch the on-chain transaction, and confirm whether the platform pooled your asset or passed it through.
Real-world failure: FTX. The exchange held an estimated $8 billion of customer funds in commingled wallets and quietly funneled them to its sister hedge fund Alameda Research to cover risky bets. According to the U.S. CFTC, customer deposits were treated as an “unlimited line of credit” for Alameda. When the run started in November 2022, the cupboard was bare. As John J. Ray III — the new CEO who had previously overseen the Enron bankruptcy — put it, he had never seen “such a complete failure of corporate controls” in his career. Custodial pooling without governance is the canonical fatal flaw. Non-custodial swap services like Godex are designed around the opposite assumption: the platform routes the trade but never warehouses the user’s holdings.
Question 2: Has this exchange survived a real adversarial event — and what changed afterward?
A platform that has never been seriously attacked is not necessarily safe; it might just be too small to be interesting. A platform that has been attacked and recovered transparently has actually proven something.
What you want to see is a documented incident, an honest post-mortem, and structural changes after — not silence, not vague “we’ve enhanced security” PR.
Red flags:
- A serious incident in the platform’s history that it doesn’t acknowledge on its own site
- Vague language about “isolated issues” without dollar figures or attack vectors
- No public timeline or third-party investigation report
- Founders who treat questions about past breaches as adversarial
How to verify: Search the exchange name plus “hack,” “exploit,” “breach,” “outage.” Read the post-incident documentation. Look for whether independent forensics firms (Chainalysis, TRM Labs, Elliptic, Mandiant) were involved.
Real-world failure: Bybit, February 21, 2025. The attackers — attributed by the FBI to North Korea’s TraderTraitor cluster within the Lazarus Group — compromised a developer machine at Safe, the third-party multi-sig wallet provider Bybit used. They injected malicious JavaScript into the front end so that when Bybit signers approved what looked like a routine cold-to-warm wallet transfer, they were actually signing over control of roughly 401,000 ETH worth $1.5 billion. Bybit’s response is the part worth studying: it disclosed the incident publicly within hours, published two technical post-mortems, took a bridge loan to keep withdrawals open, and launched a recovery bounty. Whether you trust Bybit going forward is your call — but the way an exchange behaves after a crisis tells you more than what it claims before one.
Question 3: Is there a real proof of reserves — and proof of liabilities?
The answer you want: both. Reserves alone tell you nothing if liabilities are hidden.
Proof of reserves (PoR) became table stakes after the FTX collapse, and most major exchanges now publish a Merkle-tree-based attestation that lets users cryptographically verify their balance is included. That’s a real improvement. But it’s a half-measure: a PoR snapshot shows what the exchange holds at a single moment, not what it owes.
Red flags:
- “Proof of reserves” with no third-party auditor named
- No way for individual users to verify their own Merkle leaf
- Reserves shown but liabilities not disclosed
- Audits run only when there’s bad news in the headlines
How to verify: Check whether the exchange names a real third-party auditor (Hacken, Mazars, a Big Four affiliate). Confirm you can independently regenerate your account’s Merkle leaf and walk it up to the published root. Then check audit cadence — Kraken pioneered PoR back in 2014 and now runs a quarterly cadence; MEXC moved to monthly PoR audits across 27 chains in 2025. Frequency matters.
Real-world failure: FTX, again, but for a different reason. In the months before its collapse, FTX appeared solvent because no one independently checked its liabilities. The Financial Times later reported its balance sheet showed roughly $9 billion in liabilities against $900 million of liquid assets — and even some “less liquid” assets were tokens FTX itself had created. A reserves snapshot wouldn’t have caught the gap. Reserves and liabilities, on the same audit, would have.
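The "regenerate your leaf and walk it up to the published root" check from Question 3, as an added example that is not code from this article or from any exchange. It goes one step beyond a plain Merkle tree and uses a Merkle sum tree, in which every node also carries the total of the balances beneath it, so the root commits to total liabilities as well as to each user's inclusion. The leaf encoding, hash layout, and sample account book are assumptions constructed for illustration; a real exchange documents its own format.

```python
import hashlib
from typing import List, Tuple

Node = Tuple[bytes, int]  # (hash, sum of all balances beneath this node)

def leaf(user_id: str, balance: int) -> Node:
    # Assumed leaf encoding; real attestations usually use a salted user hash.
    data = b"\x00" + user_id.encode() + b"|" + balance.to_bytes(16, "big")
    return hashlib.sha256(data).digest(), balance

def parent(left: Node, right: Node) -> Node:
    # The parent hash binds both child hashes AND both child sums, so a sum
    # cannot be changed anywhere in the tree without changing the root.
    data = (b"\x01" + left[0] + left[1].to_bytes(16, "big")
            + right[0] + right[1].to_bytes(16, "big"))
    return hashlib.sha256(data).digest(), left[1] + right[1]

def build(leaves: List[Node]) -> List[List[Node]]:
    """Exchange side: build every level of the tree, bottom to top."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(leaf("", 0))  # pad with a zero-balance node, never a duplicate
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels: List[List[Node]], index: int) -> List[Tuple[Node, str]]:
    """Exchange side: the sibling nodes a user needs, with the side each sits on."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], "L" if sib < index else "R"))
        index //= 2
    return path

def verify(user_id: str, balance: int, path, root: Node) -> bool:
    """User side: recompute the root from your own balance and the proof."""
    acc = leaf(user_id, balance)
    for sibling, side in path:
        if sibling[1] < 0:  # a negative subtree sum would hide liabilities
            return False
        acc = parent(sibling, acc) if side == "L" else parent(acc, sibling)
    return acc == root  # both the hash and the liabilities total must match

def reserves_cover(root: Node, attested_reserves: int) -> bool:
    """Compare the auditor's reserves figure with the liabilities in the root."""
    return attested_reserves >= root[1]

# Constructed sample book (smallest units of one asset); not real data.
BOOK = [("alice", 120_000), ("bob", 45_000), ("carol", 300_000),
        ("dave", 5_000), ("erin", 80_000)]
LEVELS = build([leaf(u, b) for u, b in BOOK])
ROOT = LEVELS[-1][0]  # the value the exchange would publish

if __name__ == "__main__":
    proof = prove(LEVELS, 2)  # carol is at index 2
    print("liabilities committed in root:", ROOT[1])
    print("carol, true balance:     ", verify("carol", 300_000, proof, ROOT))
    print("carol, understated by 1: ", verify("carol", 299_999, proof, ROOT))
    print("reserves of 500,000 cover:", reserves_cover(ROOT, 500_000))
```

A proof that verifies only shows your balance was counted in the liabilities total; it says nothing about accounts that were left out of the book entirely, which is why the auditor and the audit cadence still matter.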
Question 4: What happens if the founder or a key signer disappears?
The answer you want: nothing important, because no single person controls the keys.
A surprising number of exchanges, even in 2026, still have catastrophic single points of failure: one developer with admin rights, one CEO with the cold wallet seed, one server room without redundancy.
Red flags:
- A single-named founder who is the public face and the technical operator
- No published information about the company’s executive team or board
- No multi-signature or threshold-signature scheme protecting custodial wallets
- “Trust me, bro” energy in any official communication
How to verify: Look up the exchange’s corporate registration. Check for a real legal entity, real addresses, and named directors. Look for published descriptions of how custodial keys are managed. The exchange doesn’t need to publish its full security architecture — but it should publish enough that you can tell a real organization from a one-person operation in a hoodie.
Real-world failure: QuadrigaCX. The founder, Gerald Cotten, was the sole director, sole holder of the cold wallet passwords, and — the Ontario Securities Commission later concluded — running an old-fashioned Ponzi scheme behind the scenes. He died in India in December 2018. Around C$250 million (US$190 million) owed to roughly 115,000 customers vanished with him, though the OSC’s investigation determined that most of the shortfall actually came from Cotten’s fraudulent trading, not lost keys. Either way, the structural failure was the same: no oversight, no separation of duties, no plan for the founder bus factor. Quadriga’s customers eventually received about 13 cents on the dollar.
Question 5: How does the platform handle your data after a transaction?
The answer you want is jurisdiction-specific, but the principle is universal: data the platform doesn’t store is data that can’t be leaked, subpoenaed, or sold.
Crypto exchange data breaches are routine. Coinbase confirmed a major insider/social-engineering breach in May 2025 affecting roughly 70,000 customers; Kraken disclosed two separate insider incidents involving its support team; similar campaigns have reportedly targeted other major exchanges. Even when funds aren’t lost, KYC documents — passport scans, addresses, selfies — make their way onto Telegram channels with depressing regularity.
Red flags:
- “We retain customer data indefinitely”
- Mandatory KYC for trades that don’t require it under any law that applies to you
- Marketing partnerships that involve sharing user data
- No clear data-deletion policy
How to verify: Read the privacy policy. Look for explicit retention periods. Look for whether the exchange sells, rents, or “shares with partners” any data. Check whether KYC is mandatory at signup, mandatory for withdrawal, or only for certain volumes — the differences are large.
Real-world failure: This is less about a single failure than a pattern. Major KYC-heavy exchanges have leaked or lost user identity documents in incidents going back years; once your passport scan is on the dark web, you can’t get it back. Non-custodial swap services that minimize data collection sit at the opposite end of the spectrum — Godex, for example, doesn’t require registration for swaps and states it deletes order information after roughly two weeks. That’s a model worth noting if data minimization is part of how you think about risk.
Question 6: Are user deposits siloed from the exchange’s own balance sheet?
The answer you want: yes, in writing, with auditable on-chain proof.
This is the single biggest lesson from FTX, and many exchanges still quietly avoid the question. Customer assets need to be held separately from operating funds — not just in a different spreadsheet column, but in wallets the company’s treasury cannot reach.
Red flags:
- The exchange runs its own venture fund, hedge fund, or trading desk
- The exchange has issued a native token used as collateral on its own platform
- “Yield products” that pay interest on deposited crypto without explaining where the yield comes from
- Terms of service that allow “rehypothecation” of user funds
How to verify: Check whether customer assets are held under a regulated trust structure. Check whether the exchange’s own token, if it has one, is part of the reserves backing user deposits — that’s the circular dependency that nuked Terra/Luna and effectively nuked FTX.
Real-world failure: FTX again. The CFTC complaint described how Alameda Research had a special account allowed to carry a negative balance — a privilege not given to any other user. Customer Bitcoin and Ether deposits were essentially treated as a credit line for Alameda’s directional bets. When markets moved the wrong way in 2022, the credit line couldn’t be closed.
Question 7: Does the regulatory jurisdiction match where you actually live?
The answer you want: the exchange is licensed somewhere your home country recognizes, or it explicitly does not solicit customers in your jurisdiction.
Regulation is not the same as safety, but it provides a recourse channel when things go wrong, and 2026 is the year regulation finally catches up with crypto in the EU.
Red flags:
- The exchange operates from a regulatory haven and offers services into your jurisdiction anyway
- Marketing aimed at U.S., EU, or U.K. residents from a platform without a license in any of them
- No clear “restricted jurisdictions” page
- Terms that disclaim all liability and require disputes be resolved in a single offshore court
How to verify: Find the exchange’s licensing page. For European users, check the ESMA register of authorized Crypto-Asset Service Providers (CASPs) under MiCA. The MiCA transitional period ends July 1, 2026, after which any exchange offering services to EU residents without a CASP license is, per ESMA, in breach of EU law. The U.S. has its own patchwork of state money-transmitter licenses and federal SEC/CFTC oversight; Australia has AUSTRAC and ASIC requirements; Singapore has the MAS regime. None of these are guarantees, but each gives you somewhere to file a complaint.
Real-world failure: Thodex, the Turkish exchange that abruptly halted trading in April 2021 with roughly $2 billion of user funds. The CEO fled the country and was eventually arrested in Albania. The lesson isn’t that any one country is uniquely risky — it’s that “no clear regulator anywhere” is uniquely risky, no matter the country.
Question 8: What is the all-in cost — fees plus spreads plus withdrawal costs combined?
The answer you want: a number you can calculate before you click “trade.”
The “lowest fee” claim in crypto exchange marketing is one of the most reliably misleading numbers in the industry. A 0.1% trading fee with a 1.5% spread on the order book is a 1.6% trade. A 0% fee with a 3% spread and a $25 fixed withdrawal is much worse than a 0.5% fee with a tight spread and a network-cost-only withdrawal.
Red flags:
- Headline fees published, spreads not
- “Maker rebates” that only apply to volumes you’ll never reach
- Withdrawal fees significantly higher than network gas costs
- Different fee schedules for screen prices and final invoice
How to verify: Run a small test trade. Compare the rate the platform quoted you against the simultaneous rate on a major reference index (e.g., the CME CF reference rates, CoinGecko’s volume-weighted average, or Kaiko data if you have access). The gap is your real cost.
Real-world example: Not a failure but an illustration: many on-ramps with “no fees” and “0.5% commission” actually charge 4–6% all in once spread is included. This isn’t fraud, it’s opaque pricing. Fixed-rate swap services that quote a final delivery amount up front sidestep this problem by combining all costs into a single number you see before approving the transaction.
Question 9: Can you actually exit when things go wrong?
The single most overlooked feature of any exchange is the door. You want to confirm it’s unlocked before there’s smoke in the building.
Withdrawal restrictions, “enhanced verification” requirements that appear only when you try to leave, and frozen accounts during volatile markets are not edge cases. They are how almost every collapsed exchange bought itself a few extra weeks.
Red flags:
- Withdrawal limits lower than deposit limits
- New KYC requirements triggered specifically by a withdrawal request
- Reports of “stuck” withdrawals during recent volatile periods on Reddit, Trustpilot, or BitcoinTalk
- Vastly different processing times for deposits (instant) and withdrawals (3-5 business days)
How to verify: Filter independent review platforms for the most recent quarter. Pay particular attention to reviews written during a recent market event — March 2025 after the Bybit hack, or any week with double-digit BTC moves. Any platform that handles inflows beautifully and outflows badly is showing you exactly what will happen at the moment you most want to leave.
Real-world failure: FTX, November 8, 2022. Withdrawals were halted “due to a lack of liquidity.” That is the moment retail customers found out their funds weren’t actually there. The lesson, in one sentence: if you cannot withdraw on demand, you do not own the asset — you own a claim against an institution.
A Decision Tree by User Type
The 9 questions above apply to everyone, but their weights differ. Here’s a starting framework — not a prescription — for four common profiles. Your top 3 criteria depend on what you’re actually trying to do.
If you’re a long-term Bitcoin (or major-asset) HODLer
Your top three questions are #1 (custody), #4 (founder/key risk), and #6 (siloed deposits). For multi-year holdings, the right answer is almost always not to leave them on any exchange at all. Use a centralized exchange to acquire, then withdraw to a hardware wallet you control. The exchange’s job is to be a transient on-ramp, not a vault. A platform’s longevity matters less than its withdrawal reliability.
If you’re a daily or active trader
Your top three are #3 (proof of reserves and liabilities), #8 (all-in cost), and #9 (exit reliability). You’re keeping real balances on the venue because you have to, so you need to trust the venue weekly, not just monthly. Frequent attestations (Kraken’s quarterly cadence, MEXC’s monthly cadence, or equivalents) and tight spreads matter more here than the brand on the homepage. Backup accounts on a second venue are not paranoia — they’re operational hygiene for anyone who needs to trade through a platform outage.
If you’re a privacy-conscious or no-KYC user
Your top three are #1 (custody), #5 (data handling), and #7 (jurisdiction match). Centralized exchanges that require full KYC are not designed for you, and trying to push them into that role is how people get accounts frozen. Non-custodial swap services were built for this profile — platforms like Godex, which requires no registration and retains exchange records for roughly two weeks before deletion, exist precisely because there’s real demand for trades that don’t generate a permanent identity record. Just confirm the service supports your jurisdiction (most reputable swap services restrict users from U.N.-sanctioned countries and the U.S.) and that the rate quoted up front is the rate you actually receive.
If you live in a tax-strict jurisdiction (U.S., U.K., Germany, Australia, Canada)
Your top three are #7 (jurisdiction), #5 (data handling, which in your case means exportable records), and #2 (incident track record). You need a platform that integrates cleanly with your country’s tax framework, produces auditable transaction records, and is licensed somewhere your tax authority recognizes. Cost-basis tracking, 1099-DA-compatible reports in the U.S., MiCA-compliant statements in the EU, and ATO-friendly export formats in Australia are not optional. The lowest-fee exchange that costs you a $5,000 accountant fee is not the lowest-fee exchange.
Comparison: How the 9 Questions Map to User Types
| User Type | Top Priority | Second Priority | Third Priority | Often Best Fit |
|---|---|---|---|---|
| Long-term BTC HODLer | Q1: Custody | Q4: Key control | Q6: Siloed deposits | Major regulated CEX → cold storage |
| Active daily trader | Q3: Reserves & liabilities | Q8: All-in cost | Q9: Exit reliability | Top-tier CEX with frequent PoR |
| No-KYC / privacy user | Q1: Custody | Q5: Data handling | Q7: Jurisdiction | Non-custodial swap service |
| Tax-strict jurisdiction | Q7: Regulation | Q5: Data exports | Q2: Track record | Locally licensed, MiCA / state-MTL CEX |
What This Looks Like in Practice

Pick one platform you currently use or are considering. Run it through the 9 questions, in order. Score each one as green (clear answer, on the platform’s own site, that you can verify), yellow (answer exists but is vague), or red (no answer, evasive answer, or a documented failure).
If you have more than two reds or three yellows, you have a research problem to solve before you have a trading problem to solve.
The goal is not to find a perfect exchange — there isn’t one. The goal is to have a deliberate, written reason for trusting a particular platform with a particular amount of money for a particular length of time. Anything less than that is hope, and hope is not a strategy.
The crypto industry is not the same place it was when Mt. Gox went down in 2014, or Quadriga collapsed in 2019, or FTX imploded in 2022. Proof of reserves is real now. MiCA is real now. Independent attestation has become an actual market expectation. But the next failure case is already being written somewhere, by someone with great branding and a single point of failure they haven’t disclosed yet.
Use the 9 questions. Make people earn your money.
FAQ
Okay but after FTX, how do I actually know my funds are there?
Real proof of reserves includes a named third-party auditor, a Merkle-tree attestation you can verify yourself, and published liabilities — not just assets. FTX looked solvent until someone checked what it owed. If an exchange won’t show both sides, treat it as a black box.
Is no-KYC actually safer, or just sketchy?
No-KYC swap services reduce your data exposure — fewer identity documents stored means fewer documents that can be leaked or subpoenaed. The tradeoff is limited recourse on disputes. For straightforward swaps where you don’t need a paper trail, non-custodial services that delete order records within weeks are a lower data-risk option.
Does it actually matter which country an exchange is registered in?
Registration jurisdiction determines your legal recourse when things go wrong. Under the EU’s MiCA regime, any exchange serving EU residents without a CASP license is in breach of EU law — that’s an enforceable lever. An exchange registered nowhere meaningful leaves you with no regulator to complain to.
Are “non-custodial swap” services actually safer or just marketing?
Non-custodial swap services carry a structurally different risk profile from custodial exchanges: the platform routes the trade but never pools user funds, eliminating the scenario where an $8B shortfall builds undetected. The key verification points are whether the service settles at the quoted rate and whether your assets are held overnight.
Why do exchanges demand more verification specifically when I try to withdraw?
Withdrawal-triggered KYC requirements are a documented delay tactic used by exchanges facing liquidity pressure. The correct test is to make a small withdrawal before depositing anything significant — a healthy exchange completes it within normal network settlement time with no new verification steps.
This article is informational and does not constitute financial, investment, or legal advice. Cryptocurrency markets are volatile and crypto exchange platforms vary widely in security, regulation, and reliability. Always do your own research, and consider consulting a licensed financial professional for advice specific to your situation.
Disclaimer: Please keep in mind that the content of this article is not financial or investing advice. The information provided is the author’s opinion only and should not be considered as direct recommendations for trading or investment. Any article reader or website visitor should consider multiple viewpoints and become familiar with all local regulations before cryptocurrency investment. We do not make any warranties about reliability and accuracy of this information.
Peter Moore 