Option #2: Custodial Storage
Another option for storing your cryptocurrency is a custodial storage solution, such as an online wallet provider like Coinbase or Kraken. This outsources the decisions and effort that are required to secure your crypto to a third-party company. Reputable custodial services with good security records are a reasonable option for people with small cryptocurrency holdings, but we also believe self-custody alternatives have evolved to a point of usability where even users with fewer assets can benefit from holding their own keys.
The cryptocurrency community has a saying “not your keys, not your coins.” Many wrongly assume that because a network of third-party custodial banks was the best security solution for the legacy financial system, this third-party custody model will also work best for cryptocurrencies. But cryptocurrencies have substantially different properties than fiat. In our opinion, the risk of holding coins with a trusted third party is unacceptably high for users with large balances. Here are some reasons to avoid them:
- A history of loss. Many online services have suffered from hacks and internal theft that resulted in lost funds. This includes well-known and widely-used services. Sometimes, the company has gone out of business and been unable to reimburse their customers for the loss. At the time of the second MTGOX hack in 2014, it was the most widely-used crypto exchange. 650,000 bitcoin were lost. Although security practices have improved over time, hacks of market-leading service providers still happen regularly.
- A big target. Custodial services are responsible for holding millions or even billions of dollars worth of crypto, and that responsibility is not distributed to their users through self-custody, making them a honeypot. They are under constant attack by clever attackers from all over the world. These attacks come not only from individual hackers, but directly from nation states.
- Phishing risks. Users of well-known online services are prime targets for phishing attacks. Attackers send official looking messages to users asking them to login, but redirecting them to a fake web page instead of the real thing. These fake websites harvest credentials so that attackers can log in to their real accounts and drain them. Attacks like this were used to steal 7,000 bitcoin from Binance users in 2019.
- Identity spoofing. Since the administrators of a web wallet service have control over customer accounts, they are a target for social engineering attacks where an attacker convinces the service that they are you. Even reputable exchanges with no publicly-reported security leaks have had users lose funds due to identity spoofing attacks.
- Account freezes and seizure. A custodial storage service has the ability to deny you access to your funds. This might happen for several reasons. Your account could get flagged by automated fraud prevention algorithms. Government agents could choose to confiscate your funds. This might sound far fetched, but precedents exist, such as when Cyprus conducted a bank deposit seizure in 2010 or the 1933 seizure of monetary gold in the United States. In times of economic turmoil, seizing cryptocurrency deposits could become appealing to legal authorities.
- Unpredictable fork support. In the case that a contentious blockchain fork occurs, the custodian may only provide you with access to the assets on one branch of the fork if they deem supporting the other branch to be not worth the effort. You will only have full control to redeem and use forks if you have full control of your keys.