2025-08-30
In February 2025, the world-renowned cryptocurrency exchange Bybit suffered the largest hack in history, with $1.50 billion worth of ETH and stETH stolen from cold wallets, exposing the systemic risks of centralized exchanges. In contrast, HashKey Exchange stores 98% of user assets in cold wallets, has deployed a KYT (Know Your Transactions) system, has a record of zero security incidents, and its compliant-transaction ratio reached 99.2%.
Centralized exchanges adopt a "user custody + platform unified management of private keys" model, in which user assets are actually held in hot and cold wallets controlled by the exchange. In 2022, Binance lost $718 million due to a cross-chain bridge vulnerability: hackers bypassed the verification mechanism by forging cross-chain messages and directly used the platform's private keys to transfer assets. HashKey Exchange generates private keys inside hardware security modules (HSM) and adopts a 2-of-3 multi-signature scheme. The private key shares are stored in three vaults in Hong Kong, Singapore, and Switzerland, and a withdrawal requires authorization from two of the three locations.
In the Bybit incident, hackers took advantage of a vulnerability in the smart contract code to illegally take control of the cold wallet by tampering with the signature interface, even though the wallet was stored offline. HashKey Exchange's cold wallet, combined with its on-chain monitoring system, detects abnormal transfers in real time. In 2024, it intercepted 1,763 transactions involving sanctioned addresses such as Tornado Cash, with amounts exceeding $8.90 million.
FTX was fined $125 million by the SEC for misappropriating customer USDC for proprietary trading, which led to its bankruptcy and a crisis of trust in the industry. HashKey Exchange ensures complete separation of user assets and platform funds through real-time fund auditing and segregated customer asset accounts. Its insurance plan covers $400 million in assets and is verified by independent third-party audits.
Centralized exchanges can easily become a breeding ground for market manipulation. In 2025, a certain exchange was fined by multiple countries for not implementing the FATF Travel Rule, resulting in $43 million in USDT flowing into illicit funds. HashKey Exchange is connected to the Chainalysis system, which tracks the flow of funds in real time and identifies risky transactions against a database of 400 million address tags. When a single transaction exceeds $1 million and involves anonymous coins, the system automatically freezes the transaction and triggers manual review.
The order book and matching engine of centralized exchanges are vulnerable to DDoS attacks. In 2022, a platform's system crash left users unable to withdraw, triggering a run. HashKey Exchange adopts a distributed architecture that processes threat and risk assessments for 5,000 transactions per second, and customizes risk thresholds through a dynamic rule engine; for example, 20 small transfers within 5 minutes trigger an anti-fraud investigation.
FATF's Travel Rule requires exchanges to share cross-border transaction information. A certain DeFi protocol was fined 2.30 million euros for not implementing the rule. HashKey Exchange achieves counterparty address profiling and dynamic risk rating by connecting to OKLink's KYT system. In 2024, it intercepted more than 1,200 high-risk transfers through address relationship digraph analysis.
Centralized exchanges store a large amount of user identity information. In 2024, a data breach at a certain platform exposed the KYC information of 100,000 users. HashKey Exchange uses zero-knowledge proof (ZKP) technology to complete identity verification while protecting privacy, in compliance with GDPR data privacy requirements.
The risk of centralized exchanges is essentially the result of a centralized technical architecture combined with the complexity of regulatory compliance. The practice of HashKey Exchange has shown that the risk can be reduced by 92% through cold wallet storage, a KYT system and smart contract audits. Users need to keep in mind that any unlicensed platform claiming to be "decentralized" is a typical signal of high risk.