By Tommy Tietze, CEO of ArrowTrade AG

An exchange hack sounds to many like a problem for the exchange. But it is not just that.

When a crypto exchange gets hacked, it does not only affect tech, hot wallets, or security teams. It affects your liquidity, your documentation, your tax data, and in the worst case, access to your crypto assets.

Chainalysis noted for 2025 that centralized services increasingly experience large losses due to attacks on private key infrastructure and signature processes. This is exactly why looking only at an exchange's brand name is not enough.

You must understand where your risk actually lies.

First: What Actually Gets Hacked?

During an exchange hack, "Bitcoin" is usually not what gets hacked. The blockchain keeps running.

The exchange's infrastructure is attacked. This includes wallet systems, internal approval processes, private keys, hot wallets, employee access, signature processes, or interfaces.

Chainalysis describes that centralized platforms can remain vulnerable to advanced attacks despite professional security teams if attackers bypass cold wallet controls or signature processes.

That is the crucial difference. Your Bitcoin is not broken. Your access can still be gone.

What Happens Right After a Hack?

Usually, one thing happens first: The exchange stops withdrawals.

This is understandable from the exchange's perspective. It must verify which wallets are affected, which assets were moved, and whether the attack is still ongoing.

For users, it feels different.

You might still see your balance in the account. But you cannot move it. This is exactly where it becomes clear that a balance on an exchange does not provide the same feeling as your own wallet.

Regarding the custody of crypto-based assets, FINMA points out that specific risks arise from the technology itself and robust technical infrastructure is required to limit these risks.

If the exchange is affected, you wait. Not because you acted incorrectly. But because your access depends on a third party's infrastructure.

Will I Get My Money Back?

The honest answer: It depends.

Some exchanges have reserves, insurance funds, or internal protection mechanisms. Binance describes SAFU as an emergency fund established in 2018 to protect user assets.

This is better than no protection at all. But it is no reason to ignore custody risk. A fund, a proof-of-reserves system, or a security promise does not replace your own risk assessment.

For crypto custody, FINMA particularly emphasizes the question of whether client assets are excluded from the custodian's bankruptcy estate in the event of insolvency.

This is phrased dryly. But for investors, it is central.

It is not just the hack that matters. The legal fate of your assets if the custodian fails is equally important.

Proof of Reserves Is Not Hack Protection

Proof of Reserves is often misunderstood.

Binance describes Proof of Reserves as evidence for assets held for users, explaining that users can verify their inclusion in specific reserve proofs via a verification page.

It is a transparency instrument. But Proof of Reserves does not prevent a hack. It does not automatically mean all internal processes are secure. It also does not automatically indicate how quickly you will regain access in a crisis.

Proof of Reserves primarily answers this question:

Are the stated reserves present?

An exchange hack asks different questions:

Are the keys secure?
Are withdrawals compromised?
Are internal approvals protected?
Are client funds segregated?
Is there legal insolvency protection?
Who bears the loss?

These are different levels entirely.

Hot Wallet, Cold Wallet, Custody

Exchanges need liquidity. Therefore, parts of the holdings are often stored so that withdrawals work quickly. Other parts can be protected more heavily. This is exactly where the classic conflict between access and security arises.

The faster assets can be moved, the more practical it is for daily use. But fast mobility also means attackers can quickly cause damage upon successful access.

FINMA lists cyberattacks, private key risks, technical infrastructure, and third-party custodians among relevant risk areas in crypto custody.

For investors, this means: An exchange is not automatically bad. A personal wallet is not automatically better. But both models carry different risks.

With an exchange, you partially hand over custody and infrastructure. With self-custody, you bear the private key responsibility yourself. Convenience is never free.

The API Key Problem

Exchange hacks are not the only risk. Many losses do not result from an exchange hack, but from compromised user accounts, phishing, incorrect API permissions, or poorly secured third-party tools.

Binance distinguishes API key permissions into read access, trading rights, and withdrawal rights, among others.

Withdrawal rights are particularly critical because an API key with withdrawal permissions can move assets. Binance explains in its API documentation that the "enableWithdrawals" option allows withdrawals via the API.

A system normally does not need withdrawal rights for automated spot trading.

This is one of the points we strictly enforce at unCoded: The API key should be able to trade, but not execute withdrawals. Your capital stays on your Binance account. The bot needs no permission to withdraw your funds.

This does not eliminate every risk. But it eliminates one very concrete risk.

An IP Whitelist Is Not a Minor Detail

Many treat API security as a technical afterthought. It is not.

Binance recommends restricting API keys to specific IP addresses and explains that IP restrictions are required for withdrawal operations.

An IP whitelist makes sense even without withdrawal rights. An API key with trading rights cannot withdraw funds. However, it can still place orders if misused. That can be enough to cause damage.

Therefore, a clean setup includes:

No withdrawal rights.
IP whitelist.
Separate API key per tool.
Regular review of active keys.
No API key creation during screenshares.
No sharing with "traders", "helpers", or Telegram contacts.

An API key is not a password to be shared casually. It is a technical access point to your account.

What a Hack Can Trigger Tax-Wise

A hack is not just a security event. It can also become a documentation problem.

If an exchange stops withdrawals, restricts data exports, or later provides only incomplete reports, tax preparation becomes harder. This is exactly why trade histories should not just be secured at the end of the year.

The first post in this series covered crypto taxes in Germany 2026 and why transaction data, fees, timestamps, and Euro values should be documented continuously.

type: embedded-entry-inline id: 2kA1pyMZJn94ImazMkpPbt

That fits directly here. If you trade on an exchange, your tax history is not just in your head. It is stored in systems you might not be able to access immediately during a crisis.

That is no reason to panic. But it is a good reason for monthly exports.

What You Should Check Before a Hack

The best time for security questions is before a problem arises. Check with your exchange:

Is there Proof of Reserves?
Is there an emergency fund or a clear policy for security incidents?
How are assets stored?
Which assets are held in hot wallets?
Is there clear information regarding client funds in the event of insolvency?
Can you cleanly export your transaction history?
Can API keys be controlled granularly?
Can you disable withdrawal rights?
Is there IP whitelisting?
Do you use 2FA with an authenticator app or a hardware key?

You will not get a perfect answer for everything. But asking the questions alone shows whether you are acting with control or simply hoping.

What You Should Do After a Hack

If your exchange is affected by a hack, the first rule is: Do not click frantically.

Many attacks trigger immediate phishing waves. Fake support emails, fake refund forms, alleged recovery websites.

The sequence of actions should be sober:

Check the official status page.
Do not click links in emails.
Log in only directly via the known domain.
Check API keys and disable them if in doubt.
Change passwords.
Check 2FA.
Export transaction history if possible.
Save screenshots and official statements.
Inform your tax advisor if relevant data or assets are affected.

If you use bots or third-party tools, it is better to sever access one time too early than one time too late. A deactivated API key is annoying. An abused API key is worse.

What This Means for unCoded

unCoded does not completely eliminate exchange risk. Claiming otherwise would be untrustworthy.

If you trade on Binance, you remain dependent on Binance as a trading venue. Your capital sits on your Binance account. Your execution runs through Binance. Your history comes from Binance data.

What unCoded does differently is how it handles control.

The bot requires no custody of your assets. It requires no withdrawal rights. It operates via API trading rights while your capital stays on your own Binance account.

This is not a security promise for the entire market. It is a clear design choice. Fewer unnecessary permissions. More control for the user. No capital transfer to the bot provider.

In crypto, this is not a detail. This is product architecture.

FAQ

What is an exchange hack?

An exchange hack is an attack on the infrastructure of a crypto exchange. Wallet systems, private keys, internal approvals, employee access, or withdrawal processes can be affected. For centralized services, Chainalysis specifically describes attacks on private key infrastructure and signature processes as a relevant risk.

Is my Bitcoin gone if an exchange is hacked?

Not automatically. It depends on which systems are affected, whether client funds were held separately, whether the exchange has reserves, and whether withdrawals are reopened.

Does Proof of Reserves protect against hacks?

No. Proof of Reserves is a transparency instrument for reserves. Binance describes Proof of Reserves as evidence of assets held for users.

Should a trading bot have withdrawal rights?

Withdrawal rights are normally not necessary for automated spot trading. Binance describes "enableWithdrawals" as an API option that allows withdrawals via the API.

What is the most important step after an exchange hack?

Check only official channels, disable API keys if in doubt, secure data exports, and do not click on alleged recovery links in emails or chats.

Conclusion

An exchange hack shows how much control you really have. Not in theory. In an emergency.

Can you move your assets? Can you export your history? Are your API keys cleanly restricted? Do you know what permissions you have granted? Do you understand which risks lie with you and which lie with the provider?

Serious Crypto does not begin with the next trade. It begins with the question of whom you grant access.

Note: This article is not financial, tax, or legal advice. Crypto trading carries risks. Past security measures of a provider are no guarantee for future security.