
Exchanges don't fail in one way. They fail in seven. Most users only learn about the next mode when it hits them — the FTX customer who could withdraw on Monday but not Wednesday, the Mt. Gox creditor still waiting eleven years later, the user in a sanctioned country who logged in to find their balance gated.
This is the third article in the Self-Custody Fundamentals series. The first, not your keys, not your coins, made the case. The second, custodial vs. non-custodial wallets, laid out the line. This one inventories the actual failure modes — what each looks like, when it has happened, and what you can do about it before it happens to you.
TL;DR
- An exchange is a custodian. A custodian can fail in at least seven distinct ways, and the failures usually compound.
- The seven modes: insolvency, hacks, regulatory freeze, exit scams, sanctions, KYC/account lock, and withdrawal halts.
- Each mode has historical precedent — Mt. Gox, FTX, Celsius, Bitfinex, QuadrigaCX, Bitzlato, BitMart, and many others.
- Insurance, regulation, and "audits" don't make any of these go away. They change who decides the bankruptcy waterfall, not whether one happens.
- The hedge for each mode is the same — hold the keys yourself, on devices that don't depend on a single venue staying solvent, online, or in legal good standing.
Mode 1 — Insolvency
The exchange runs out of money owed to customers. This is the canonical failure, and the one that retail users underestimate the most, because the exchange's UI keeps showing the right balances right up until withdrawals stop.
Insolvency happens for the boring reasons banks fail (bad loans, duration mismatch on a hot-wallet/cold-wallet float) and the crypto-specific ones (a venture arm that doubled as a market maker, a token treasury that was used as collateral, an internal-token "liquidity" balance sheet). The 2022 cascade — Celsius, Voyager, BlockFi, FTX — was an insolvency cascade.
The signal you get: customer withdrawals are paused "to manage outflows", an executive tweets that funds are safe, then a Chapter 11 filing two to seven days later. The funds were not safe. They had been lent, hypothecated, or never actually existed as user-identifiable balances on chain.
What you keep after: a claim, denominated in whatever the bankruptcy court chooses (often USD at the petition date, not the asset's current value). Mt. Gox creditors received distributions starting in 2024 — eleven years after the bankruptcy. FTX customers got better outcomes faster, but still settled at petition-date dollar values, missing the subsequent bull market.
Mode 2 — Hacks
The exchange's hot wallets (or in some cases cold wallets) are drained by an attacker. Different from insolvency in that the underlying business was solvent the morning of the hack; different from an exit scam in that the operator is the victim, not the perpetrator.
Historical examples: Mt. Gox (2014, ~850k BTC), Bitfinex (2016, ~120k BTC, partially recovered in 2022), Coincheck (2018, $530M NEM), KuCoin (2020, $280M), BitMart (2021, $200M), Ronin Bridge (2022, $625M), DMM Bitcoin (2024, $305M), WazirX (2024, $230M).
What happens next depends on who's holding the bag. Some exchanges (Binance via SAFU, Bitfinex via post-hack tokens) socialized the loss and made customers whole over time. Others (Mt. Gox) couldn't. The pattern: if the exchange survives, you eventually get something back, potentially at less than 100% recovery. If the exchange doesn't survive, see Mode 1.
Common attack surfaces: hot-wallet key compromise (most common), social engineering of an internal admin, supply-chain attack on the trading or signing infrastructure, smart-contract bug on a connected bridge. The cold-wallet/hot-wallet ratio the exchange publishes (when it publishes one) is a partial indicator, but not a guarantee — see the WazirX 2024 case where the multisig signing infrastructure was the target, not the wallet boundary.
Mode 3 — Regulatory freeze
A court, regulator, or government agency orders the exchange to halt withdrawals or freeze specific accounts. The exchange is operating normally — solvent, not hacked — but legally cannot return funds until the order resolves.
This shows up in two flavors. Targeted: a specific account is frozen due to a court order, AML flag, or investigation (common, often resolves in weeks to months). Blanket: the entire exchange or a country's worth of accounts is frozen pending a regulatory action.
Examples of the blanket flavor: BitMEX (2020 CFTC action restricted US users), Bittrex (2023 SEC enforcement, US users had a withdrawal deadline), Binance.US (2023-2024 regulatory pressure restricted features and withdrawals), various Russian-user freezes across European exchanges following 2022 sanctions. The targeted flavor is constant background noise; users often find out when they try to withdraw and a previously-unknown KYC re-verification triggers.
What you can do during a freeze: usually wait. Sometimes you can transfer to another platform, sometimes not. The freeze doesn't unwind your claim, but it does mean the asset is illiquid for an indefinite period — long enough that the price you eventually receive may be unrecognizable.
Mode 4 — Exit scams
The operator absconds. Distinct from a hack in that the exchange itself is the attacker; distinct from insolvency in that the funds existed but were intentionally diverted, not lost to bad bets.
Two historical patterns. The straight rug: a small or mid-size exchange goes offline overnight with customer funds gone — examples include WEX (Russia, 2018, ~$450M after the BTC-e re-launch), Africrypt (South Africa, 2021, ~$3.6B claimed), and a long tail of smaller venues. The slow exit: the operator dies, disappears, or becomes uncontactable while holding the only set of cold-wallet keys — the QuadrigaCX case (Canada, 2019, ~$190M CAD locked when CEO Gerald Cotten died with sole custody) is the archetype, and the bankruptcy investigation later concluded the "death" was secondary; the operation had been a fraud well before.
The signal: opaque ownership, undocumented banking relationships, no audit, no published proof-of-reserves, withdrawal limits that seem unusual for the venue's claimed size. None of these are individually disqualifying, but the combination is. Be especially cautious of exchanges where one person is publicly the entire company.
Mode 5 — Sanctions
Your account is fine. Your jurisdiction isn't. A sanctions regime — OFAC in the US, equivalents in the EU, UK, UN — adds your country, or a person you're related to, to a designated list. The exchange is now legally required to block your access, often immediately and without prior notice.
This has played out repeatedly since 2022. Iranian, Russian, Belarusian, and Venezuelan users have all faced sudden access blocks across major exchanges as new sanctions packages landed. The Bitzlato seizure (January 2023, FinCEN designation, accounts frozen, infrastructure seized in coordination with French authorities) is a particularly clean example: the exchange itself was the designated entity, and every account on it was instantly unreachable.
Note that sanctions don't only target nation-states. Tornado Cash addresses were OFAC-designated in 2022; exchanges that touched flagged addresses passed the consequences to their users. If you live in a sanctioned jurisdiction, or you transact with sanctioned addresses (even unknowingly, by receiving a tainted UTXO), the custodian carries that risk and will resolve it by closing your access.
Mode 6 — KYC / account lock
You are individually subject to a know-your-customer or anti-money-laundering hold. You're not sanctioned, the exchange isn't frozen, but a specific transaction or account profile triggered a review. Your account is locked pending document submission, which takes anywhere from 48 hours to never.
Common triggers: a deposit from a "high-risk" address (an exchange the compliance team doesn't like, a mixer, a privacy pool), a withdrawal pattern that matches a structuring template, a change in the country your IP address resolves to, a new device login, a name change on your government ID. The exchange's compliance vendor flags you, the review queue is backlogged, and you sit.
The signal you get: an in-app banner, sometimes an email asking for a fresh photo of your ID and a selfie. The friction is the point — many users abandon a partial KYC and lose access entirely. For higher-value accounts, the review can demand source-of-funds documentation, bank statements, and explanations of specific transactions years in the past.
The risk isn't the temporary inconvenience. It's that the lock can be open-ended, and during it your assets are illiquid. The exchange isn't doing anything wrong, regulatorily — they're doing what they're required to do. The asymmetry is that you bear the cost.
Mode 7 — Withdrawal halts
The exchange pauses withdrawals "temporarily, for system maintenance". Sometimes that's literally true — a hot-wallet key rotation, a chain upgrade, congestion mitigation — and withdrawals resume in hours. Sometimes it's the first visible symptom of Mode 1.
You don't get to know which one in advance. The same banner appears in both cases. Mt. Gox halted withdrawals citing "transaction malleability" issues in February 2014 and was bankrupt three weeks later. FTX halted withdrawals in November 2022 citing "extremely high volume" and filed Chapter 11 within days. Celsius halted withdrawals in June 2022 citing "extreme market conditions" and filed Chapter 11 a month later.
This is the failure mode that turns the others from background risk into immediate loss. You can have a claim against an insolvent exchange and partially recover. You can lose access during a sanctions block and eventually get it back. But during the withdrawal halt — the days or weeks before you know which mode you're actually in — your assets are unreachable. The Mt. Gox/FTX/Celsius pattern shows that the time between a withdrawal halt and a full understanding of the situation can be anywhere from 12 hours to 11 years.
What this means for you
These seven modes are not edge cases. They're the regular operating modes of the custodial exchange business. Every long-term crypto user has been on the wrong side of at least one of them; many have hit several.
The hedge for all seven is the same: hold keys you control, on devices you control, behind a recovery setup you understand. There is no clever way to use an exchange that avoids these modes — the modes are inherent to the model. The right framing is operational: use exchanges for the specific things they're good at (fiat ramps, regulated trading, depth), and don't hold meaningful balances there longer than you have to.
SSP's 2-of-2 multisig addresses the equivalent failure modes on the self-custody side — losing a device, key compromise, or losing access during travel — by splitting the signing requirement across two devices rather than concentrating it in one. Seed-phrase best practices covers the recovery layer underneath.
The next article in this series, what self-custody actually requires of you, is the honest counterpart to this one: an exchange can fail in seven ways, and self-custody can fail in a handful of its own. The point isn't that one is risk-free. It's that you get to choose which set of risks you're holding.


