Hundreds of thousands of people woke up on November 11, 2022 to find they could not withdraw a single dollar from FTX. Their account balances were still visible on the screen. The numbers had not changed. But the coins those numbers were supposed to represent were gone — lent out, pledged as collateral, and ultimately lost in an $8 billion hole between what customers were owed and what the exchange actually held. The phrase "not your keys, not your coins" had always been a warning. That morning it became a reckoning.
What Owning Crypto Actually Means
On a public blockchain, ownership has a precise definition. Whoever controls the private key — the secret cryptographic value generated when a wallet is created — controls the coins at the associated address. There is no account number, no bank, and no intermediary that can reverse or freeze a transaction signed with the correct private key. A wallet address is simply a public identifier derived from that key. The coins belong to whoever can produce the key, full stop.
If someone else holds that key on your behalf, they own the coins. You own their promise to give them back.
This is the definition of custodial: a third party holds your private keys. The opposite — non-custodial — means the keys never leave your own device. Understanding what a crypto wallet actually stores makes this distinction tangible: a wallet does not contain coins any more than a password manager contains money. It stores the keys that prove ownership on-chain.
How Custodial Exposure Works
When a user deposits crypto to an exchange, the exchange takes custody of those coins and credits the account with an IOU balance in its internal database. That database entry is not an on-chain balance. It is a private ledger entry on servers the exchange controls.
The exchange pools all user deposits into wallets it manages. From the blockchain's perspective, all those pooled coins belong to the exchange — there is no record of which customer deposited what. The exchange owes each user their balance; whether it can pay depends entirely on its solvency and honest management.
This structure is not unique to crypto. It is identical to depositing cash at a bank — money is pooled, a ledger entry is made, and the institution owes the depositor the balance. The critical difference is that bank deposits in many jurisdictions carry government-backed insurance up to a limit. Crypto exchange balances in most jurisdictions carry no such protection.
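To make the pooled-wallet-plus-private-ledger structure concrete, here is a toy model added for this article (not the author's code and not any exchange's real system). Customer names, amounts and the "loan to affiliated trading firm" event are constructed. The point it shows is the one the opening paragraph describes: coins can leave the pooled wallet while every customer's on-screen balance stays exactly the same, and the gap only becomes visible when withdrawals outrun what is actually held.

```javascript
// Added example, not from the article: one pooled on-chain wallet beside one
// private ledger of IOU balances. All names, amounts and events are constructed.

class CustodialExchange {
  constructor() {
    this.ledger = new Map(); // customer -> balance shown on screen (a database row, not on-chain)
    this.pooledWallet = 0;   // coins the exchange actually controls on-chain
  }

  // A deposit moves coins into the pooled wallet and credits an IOU.
  deposit(customer, amount) {
    this.pooledWallet += amount;
    this.ledger.set(customer, (this.ledger.get(customer) || 0) + amount);
  }

  // Sum of every IOU: what the exchange owes its customers.
  liabilities() {
    let total = 0;
    for (const balance of this.ledger.values()) total += balance;
    return total;
  }

  // Coins leaving the pooled wallet for anything other than a customer
  // withdrawal (a loan to an affiliate, collateral, an operating expense).
  // The ledger is untouched, so every customer still sees the same number.
  moveOut(amount, purpose) {
    if (amount > this.pooledWallet) throw new Error(`not enough coins for: ${purpose}`);
    this.pooledWallet -= amount;
  }

  // A withdrawal can only be honoured from coins actually held. When the
  // pooled wallet runs dry the IOU is still on screen but cannot be paid.
  withdraw(customer, amount) {
    const owed = this.ledger.get(customer) || 0;
    if (amount > owed) throw new Error(`${customer} has only ${owed} on the ledger`);
    if (amount > this.pooledWallet) return false; // "withdrawals suspended"
    this.pooledWallet -= amount;
    this.ledger.set(customer, owed - amount);
    return true;
  }

  // The comparison a proof-of-reserves audit tries to make public.
  solvencyReport() {
    const owed = this.liabilities();
    return {
      owed,
      held: this.pooledWallet,
      shortfall: Math.max(0, owed - this.pooledWallet),
      coverage: owed === 0 ? 1 : this.pooledWallet / owed,
    };
  }
}

// Constructed failure: deposits, a large transfer out, then a run on the exchange.
function scenario() {
  const ex = new CustodialExchange();
  ex.deposit('alice', 10);
  ex.deposit('bob', 30);
  ex.deposit('carol', 60);
  const healthy = ex.solvencyReport();               // owed 100, held 100

  ex.moveOut(90, 'loan to affiliated trading firm'); // constructed event
  const hollow = ex.solvencyReport();                // owed 100, held 10, shortfall 90

  const aliceWithdrew = ex.withdraw('alice', 10);    // first to the door is paid
  const bobWithdrew = ex.withdraw('bob', 30);        // suspended: nothing left to pay

  return {
    healthy,
    hollow,
    aliceWithdrew,
    bobWithdrew,
    bobBalanceOnScreen: ex.ledger.get('bob'),        // still 30: the IOU never changed
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

Nothing in the customer-facing `ledger` changes when `moveOut` runs; only `solvencyReport`, which compares liabilities with the wallet the exchange actually controls, exposes the shortfall. That is exactly the view an exchange's customers do not have unless the exchange chooses to publish it.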
How to Protect Yourself From Counterparty Risk
Counterparty risk is the possibility that the other party in an arrangement — in this case, the exchange — fails to meet its obligations. The cleanest way to eliminate counterparty risk in crypto is to move assets off an exchange into self-custody after any significant purchase.
Self-custody means holding a private key that no third party can access. The private key is typically derived from a seed phrase — a 12- or 24-word recovery phrase that can regenerate every key in the wallet. Anyone who holds that seed phrase controls the funds, so it must be stored securely and never shared.
For larger holdings, a hardware wallet keeps private keys on a dedicated physical device that never exposes them to the internet — substantially reducing the risk of remote theft.
For exchange accounts that must be maintained for trading, concrete steps reduce (but do not eliminate) risk:
- Enable two-factor authentication (2FA) using an authenticator app, not SMS. SMS-based 2FA is vulnerable to SIM-swap attacks.
- Only keep on an exchange what is needed for near-term trading. Long-term holdings belong in self-custody.
- Prefer exchanges that publish proof-of-reserves audits — cryptographic evidence that deposits are backed 1:1 by actual on-chain holdings. This is an imperfect but meaningful signal.
- Regulated exchanges in transparent jurisdictions carry lower counterparty risk than unregulated offshore platforms — lower, not zero.
FTX: IOU Balances Are Not Real Coins
FTX illustrated the worst case. When the exchange filed for bankruptcy on November 11, 2022, its balance sheet revealed $9 billion in liabilities against roughly $900 million in liquid assets. The gap was not the result of a hack or a single bad trade. FTX had transferred customer deposits to its affiliated trading firm, Alameda Research, which used them for its own bets. The coins customers believed they owned had already been spent.
Approximately $473 million in additional funds were removed from FTX wallets through unauthorized transactions on the same day bankruptcy was declared, compounding the loss.
FTX customers held IOU balances in a private database. When the issuer of those IOUs became insolvent, the balances became worthless. There was no blockchain record to appeal to, no on-chain proof of ownership — because the coins had never been theirs in any meaningful technical sense.
Mt. Gox: The Original Custodial Failure
FTX was not the first lesson. Mt. Gox was handling an estimated 70% of all Bitcoin transactions globally at its peak in 2013. In February 2014, the exchange suspended withdrawals and filed for bankruptcy in Tokyo, disclosing that approximately 750,000 customer bitcoins — plus around 100,000 BTC of company funds — had been stolen over several years.
The theft exploited a transaction malleability bug, a technical flaw that allowed attackers to manipulate transaction identifiers and drain the exchange's hot wallet (the internet-connected wallet used for day-to-day withdrawals) without the discrepancy being caught in the internal accounting.
Approximately 127,000 creditors filed claims. Most waited a decade before receiving any partial repayment. Throughout that period, those creditors held claims against a bankrupt estate — not Bitcoin. Their on-chain coins were gone. Their IOU balances were all they had, and those IOUs were contingent on court proceedings that would take years to resolve.
Both FTX and Mt. Gox demonstrate the same fundamental point: a balance on an exchange reflects a promise, not ownership. The promise is only as good as the institution behind it.
What to Do Next
- Withdraw long-term holdings. If assets are sitting on an exchange and there is no plan to trade them soon, move them to a self-custody wallet.
- Secure the seed phrase. A recovery phrase stored safely offline is the foundation of self-custody. Losing it is permanent — there is no customer support to call.
- Use 2FA on every exchange account, and use an authenticator app, not SMS.
- Check for proof-of-reserves. Before trusting an exchange with significant funds, look for published audits showing 1:1 backing.
- Size exchange balances to your trading horizon. Treat anything on an exchange as operationally deployed capital, not savings.