Only 3 of 24 leading cryptocurrency exchanges earn an A for their cybersecurity

Using a cryptocurrency exchange with known, unpatched critical vulnerabilities is an unnecessary risk, no different from trusting a company whose employee credentials are already circulating on the dark web.
These and other high-impact risk indicators are visible through external cybersecurity scans carried out by the Business Digital Index (BDI) platform. In this analysis, we assessed 24 leading cryptocurrency exchanges to identify services that have externally observable weaknesses that threat actors could exploit.
The Business Digital Index also evaluates the historical reuse of employee passwords. This is determined by analyzing verified breach data to identify instances where the same employee reused identical passwords across multiple services. Such patterns are a well-established indicator of elevated organizational security risk.
Beyond patching, data breach history, web application security and credential hygiene, the BDI assessment covers other risk domains, including email security (susceptibility to domain spoofing and phishing), system reputation (historical malicious activity associated with the domain), SSL/TLS configuration (certificate validity, encryption strength, and protocol hygiene), and hosting infrastructure (use of reputable and secure providers).
The complete 20-page methodology is available here.
A simplified, visual overview of the methodology is shown below.
Here are the rankings of leading cryptocurrency exchanges based on an external cybersecurity assessment conducted by the Business Digital Index (BDI) platform:
One important methodological consideration is that platform scale has an inverse effect on scoring. Larger exchanges typically receive lower scores because they operate more systems, increasing the surface area for unpatched components, misconfigurations, and potential employee credential exposure.
As a result, Coinbase, the largest US crypto exchange with over 100 million users, ranks second-to-last in our analysis.
We found 2,452 corporate credentials linked to Coinbase circulating on the dark web.
We also identified 24 patching vulnerabilities after scanning Coinbase’s systems. These do not automatically represent exploitable vulnerabilities; exploitability depends on the configuration context and the presence of compensating controls. Given Coinbase’s scale and maturity, strong internal security controls and monitoring likely mitigate much of this risk, though confirmation would require targeted testing.
In addition, we identified 346 SSL configuration issues on Coinbase, which isn’t necessarily concerning; it’s challenging to avoid SSL configuration issues entirely, and not all of them are particularly severe, which is why this risk factor is assigned a 5% weight in our methodology.
Safest cryptocurrency exchanges
On the other side of the spectrum stand the Biconomy, Toobit, and Deepcoin exchanges, which receive the highest grades and exhibit barely any externally visible signs of cybersecurity weaknesses. These are the only exchanges for which no company-related credentials can be found in data-leak databases on the dark web.
Well, okay, we did find seven corporate credentials tied to Toobit on the dark web. Still, comparatively, that’s very little, as most other exchanges have over 100 password/email combinations tied to the company being sold on dark web marketplaces.
Password reuse is widespread
Another very concerning aspect to examine is password reuse rates. Our analysis revealed that 63% of companies (15 of 24) had employees reusing passwords across multiple services.
This doesn’t mean that employees of these companies are still using the previously breached passwords. It does, however, indicate that they used the same password across multiple platforms in the past, suggesting poor password hygiene among employees in these companies.
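To make the reuse indicator described above concrete, here is an added example (not BDI's own code) that computes it over a small constructed set of breach records: an employee counts as reusing a password only when the same password fingerprint appears for that employee on two or more distinct services, and a company is flagged when at least one of its employees shows such reuse.

```python
import hashlib
from collections import defaultdict

# Constructed sample of "verified breach" records: (employee email, breached service, leaked password).
# These values are made up for illustration; they are not data from the BDI report.
BREACH_RECORDS = [
    ("alice@exchange-a.example", "forum-one", "Winter2021!"),
    ("alice@exchange-a.example", "shop-two", "Winter2021!"),      # same password on two services -> reuse
    ("bob@exchange-a.example", "forum-one", "hunter2"),
    ("bob@exchange-a.example", "forum-one", "hunter2"),           # same service twice -> not cross-service reuse
    ("carol@exchange-b.example", "shop-two", "correct horse"),
    ("carol@exchange-b.example", "forum-one", "battery staple"),  # different passwords -> no reuse
    ("dave@exchange-c.example", "shop-two", "Pa55word"),
]


def _fingerprint(password):
    # Compare hashed fingerprints so the analysis never needs to keep plaintext around.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def domain_of(email):
    # The employer is inferred from the e-mail domain (an assumption of this example).
    return email.rsplit("@", 1)[1].lower()


def reuse_by_company(records):
    """Return {company_domain: (employees_with_cross_service_reuse, employees_seen)}."""
    # employee -> password fingerprint -> set of services where that fingerprint leaked
    seen = defaultdict(lambda: defaultdict(set))
    for email, service, password in records:
        seen[email.lower()][_fingerprint(password)].add(service.lower())

    per_company = defaultdict(lambda: [0, 0])
    for email, fingerprints in seen.items():
        stats = per_company[domain_of(email)]
        stats[1] += 1
        if any(len(services) >= 2 for services in fingerprints.values()):
            stats[0] += 1
    return {domain: (reused, total) for domain, (reused, total) in per_company.items()}


def companies_with_reuse(records):
    """Return (number of companies with at least one reusing employee, companies assessed)."""
    stats = reuse_by_company(records)
    flagged = sum(1 for reused, _ in stats.values() if reused > 0)
    return flagged, len(stats)
```

Run against a real breach corpus, the first value divided by the second gives the "share of companies with password reuse" figure the article reports (15 of 24 here).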
LBank might not be the best choice around
The only other company we’d like to give some extra attention to is LBank. This company has been criticized for its lackluster cybersecurity in the past and still appears to have many unresolved issues, including 49 unpatched vulnerabilities, with 11 of them being flagged as critical, meaning that if left unresolved, they are easily exploitable. This is the primary factor that lowers the company’s score, as software patching accounts for 30% of the total score.
LBank also faces email security issues and corporate credentials circulating on the dark web, but so do most other companies on the list. The most concerning aspect here is, again, the unpatched critical vulnerabilities.
We did not find any unpatched critical vulnerabilities in any of the other analyzed cryptocurrency exchange platforms.
Conclusion
In summary, historical data breaches and employee password reuse are the primary risk factors across most cryptocurrency exchanges. One notable exception is LBank, which exhibits more severe security issues.
For those who want to err on the side of caution, we recommend choosing to trust companies with the highest security grades in our analysis.
About Business Digital Index
The Business Digital Index is a cybersecurity reputation platform that provides organizations with real-time security ratings based on scans of their externally-facing systems. BDI continuously monitors external digital assets and evaluates them using a weighted scoring model that considers technical vulnerabilities and real-world attack patterns to deliver a clear, standardized view of the organization's external cybersecurity posture.
It’s important to note that the findings presented are based on external, passive scanning and should be understood as signals of potential weaknesses rather than definitive proof of existing vulnerabilities. Our assessment does not account for internal security measures, compensating controls, or organization-specific practices that may mitigate these risks. The purpose is to highlight areas worth further investigation, drawing on historical breach patterns to illustrate how similar categories of flaws have been exploited in the past.
Get your Business Digital Index report
Take a moment to understand how your company appears to the outside world. This report uses verified public data to highlight potential risks.