You bought Bitcoin. Congratulations. That was the hard part, psychologically at least. You researched it, made the decision, and put real money into something most people still don't understand.
Now it's sitting on Coinbase. Or Kraken. Or Strike. Or wherever you bought it. And you're thinking: "It's fine. These are big companies. They have insurance. They're regulated."
You're not wrong about any of that. But you're also not as safe as you think. And the fix is simpler than you expect.
This isn't going to be a lecture about how exchanges are evil. They're not. They're a necessary bridge between the fiat world and Bitcoin. Without them, most people would never buy their first sat. But they're a bridge, not a destination. And leaving your Bitcoin on one is like leaving your car on a bridge because the drive was going well.
What You're Actually Trusting
When your Bitcoin is on an exchange, here's what you're trusting:
Their security team. You're trusting that every employee with access to hot wallet infrastructure is honest, competent, and not being blackmailed. You're trusting their code has no vulnerabilities. You're trusting their key management is sound. Every exchange hack in history happened because one of these assumptions failed.
Their solvency. You're trusting that the Bitcoin they show in your account actually exists. FTX showed customers a balance on screen while using their funds for trading and lending. Customers had no way to verify until it was too late. This wasn't a small exchange. It was the second largest in the world.
Their continued operation. Companies shut down. They get acquired. They lose regulatory licenses. They get hacked and can't recover. When an exchange closes, there's a process to get your funds back, maybe. It involves lawyers, bankruptcy courts, and timelines measured in years. Mt. Gox creditors waited over a decade.
Their compliance decisions. Exchanges comply with government orders. They freeze accounts, block withdrawals, and report transactions. These aren't theoretical capabilities. They're exercised regularly. If a government decides your funds should be frozen pending an investigation, the exchange will comply. They have to.
Their terms of service. Read them. Actually read them. Exchanges can suspend your account "at their sole discretion." They can impose withdrawal limits. They can require additional identity verification at any time. You agreed to all of this when you signed up.
You're not holding Bitcoin on an exchange. You're holding a promise from a company that they'll give you Bitcoin when you ask. That promise is exactly as good as the company, and no better.
The Track Record
This isn't ancient history. This is the last few years:
2022 — FTX: $8 billion in customer funds misappropriated. Customers waited years for partial recovery through bankruptcy proceedings.
2022 — Celsius: Froze withdrawals overnight. Filed for bankruptcy. Customers lost billions.
2022 — BlockFi: Went bankrupt after FTX exposure. Customer funds locked for months.
2022 — Voyager: Suspended trading and withdrawals. Filed for bankruptcy. Customers took significant losses.
2019 — QuadrigaCX: CEO allegedly died with sole access to cold wallets. $190 million in customer funds lost. Investigations later suggested fraud.
2016 — Bitfinex: Hacked for 119,756 BTC (worth ~$72 million at the time, worth billions today).
2014 — Mt. Gox: 850,000 BTC lost. The original exchange catastrophe. Creditors began receiving partial recovery in 2024, a decade later.
Notice a pattern? These aren't fringe platforms. Mt. Gox was the largest exchange when it collapsed. FTX was the second largest. The common thread isn't that they were small or sketchy. It's that they were custodians, and custodians fail.
"But My Exchange Is Different"
Maybe. Here's what the regulated, mainstream exchanges get right:
Coinbase is publicly traded, regulated in multiple jurisdictions, and maintains significant reserves. They've never been hacked (publicly). They offer institutional-grade custody through Coinbase Custody.
Kraken has one of the strongest security track records in the industry and provides proof-of-reserves attestations.
Strike, River, and Swan are Bitcoin-focused companies with aligned incentives and strong reputations in the Bitcoin community.
We're not pretending these are the same as FTX. They're meaningfully different in transparency, regulation, and leadership. If you must leave funds on an exchange temporarily, these are the ones we'd point to.
But "better than FTX" is a low bar. And even well-run exchanges face risks that self-custody eliminates:
- Regulatory action is beyond the exchange's control
- Employee theft or insider attacks are statistical certainties over long enough timeframes
- The exchange's security posture can change with new management, acquisitions, or cost-cutting
- You can't verify their reserves yourself in real time (proof-of-reserves is a snapshot, not continuous)
The question isn't "will this specific exchange fail?" It's "why take the risk when you don't have to?"
What Self-Custody Actually Looks Like
Self-custody sounds intimidating until you do it. Here's the actual process:
- Buy a hardware wallet. ($89-279. One-time cost. We sell several in our shop.)
- Set it up. (30-60 minutes the first time. The device walks you through it.)
- Write down your seed phrase. (The device generates it. You write it on paper or stamp it in steel.)
- Install Sparrow Wallet on your computer. (Free, open source. 5 minutes.)
- Connect your hardware wallet to Sparrow. (Export your public key. Watch-only wallet created.)
- Withdraw from the exchange to your new address. (Generate address in Sparrow, paste into exchange withdrawal.)
- Wait for confirmation. (Usually 10-60 minutes depending on fees.)
That's it. Your Bitcoin is now in your custody. No one can freeze it, seize it, or lose it on your behalf. You're your own bank.
Total time: About 90 minutes for the first withdrawal, including setup.
Total cost: The hardware wallet, which you only buy once.
Ongoing effort: Close to zero. You check your balance in Sparrow whenever you want. You use the hardware wallet only when you want to send Bitcoin.
"But What If I Mess Up?"
This is the real fear, and it's worth addressing honestly.
"What if I lose my hardware wallet?"
Your Bitcoin isn't stored on the device. The device holds your keys. If you lose it but have your seed phrase backup, you buy a new device, enter the seed phrase, and everything is restored. The hardware wallet is replaceable. The seed phrase backup is what matters.
"What if I send to the wrong address?"
Always send a small test amount first. Always verify the address on your hardware wallet's screen (not just your computer). Once you've done this a few times, it becomes routine.
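As an added illustration (not part of the original article, and not code from Sparrow or any hardware wallet): native SegWit addresses, the ones starting with bc1, carry a checksum defined in BIP-173 and BIP-350, so a mistyped or corrupted address can be rejected before even the test amount is sent. The function names and the SAMPLE constant below are assumptions made for this example.

```python
# Added example: checksum check for native SegWit (bc1...) addresses.
# Covers the BIP-173/BIP-350 checksum only, not witness-program length rules.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3
# Example address published in the BIP-173 specification, used as sample input.
SAMPLE = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"

def _polymod(values):
    """BCH checksum over 5-bit symbols, as specified in BIP-173."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def check_address(addr, hrp="bc"):
    """Return (ok, reason) for a mainnet bc1... address string."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed case"
    addr = addr.lower()
    pos = addr.rfind("1")
    if addr[:pos] != hrp or len(addr) - pos < 8 or len(addr) > 90:
        return False, "wrong prefix or length"
    if any(c not in CHARSET for c in addr[pos + 1:]):
        return False, "invalid character"
    data = [CHARSET.index(c) for c in addr[pos + 1:]]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    # Witness version 0 uses bech32; versions 1+ (e.g. taproot) use bech32m.
    want = BECH32_CONST if data[0] == 0 else BECH32M_CONST
    if _polymod(expanded + data) != want:
        return False, "checksum mismatch"
    return True, "ok"

def matches_wallet(pasted, shown_on_device):
    """True only if the pasted address is well-formed and identical to the
    address read off the hardware wallet's screen."""
    pasted, shown = pasted.strip(), shown_on_device.strip()
    ok, _ = check_address(pasted)
    return ok and pasted.lower() == shown.lower()

if __name__ == "__main__":
    print(check_address(SAMPLE))
    print(matches_wallet(SAMPLE[:-1] + "5", SAMPLE))  # one wrong character
```

A passing checksum only rules out typos and corruption; a different but well-formed address still passes, which is why the comparison against the hardware wallet's screen is the check that matters.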
"What if I lose my seed phrase?"
This is why backups matter. Steel plates survive fires and floods. Multiple copies in different locations protect against localized disasters. And this risk exists with exchanges too. If you lose access to your exchange account and can't pass identity verification, you're equally stuck.
"What if I die?"
Inheritance planning is important regardless of custody method. We have a full guide on Bitcoin inheritance planning. The short version: make sure someone you trust knows your backups exist and can access them.
"Isn't an exchange safer for beginners?"
It's more familiar. It's not safer. The risks of exchange custody are systemic (they affect all users simultaneously). The risks of self-custody are individual (your mistakes affect only you). Individual risks can be managed with education and good practices. Systemic risks are beyond your control.
The Middle Path
Self-custody doesn't have to be all-or-nothing. Here's a reasonable progression:
Week 1: Buy a hardware wallet. Set it up. Move a small amount off the exchange.
Month 1: Get comfortable with sending and receiving. Move the majority of your holdings.
Month 3: Upgrade your seed phrase backup to steel. Consider a passphrase.
Month 6: Evaluate whether multisig makes sense for your holdings.
Ongoing: Keep a small amount on an exchange for quick buying/selling if you DCA. Move the rest to self-custody regularly.
You don't need to move everything at once. You don't need a perfect setup before you start. You need a hardware wallet, a seed phrase backup, and the willingness to take the first step.
Every week you wait is another week your Bitcoin sits on someone else's computer, protected by someone else's judgment, subject to someone else's terms of service.
You bought Bitcoin because you believe in financial sovereignty. The next step is to actually claim it.