Centralized exchanges: Lessons two years after FTX
Author: Natalia Orlova | Exchange Risk Analyst | Former Head of Due Diligence at Galaxy Digital
November 2022. FTX collapses. $8 billion in customer funds vanishes. Sam Bankman-Fried goes from crypto savior to convicted fraudster. The industry's biggest exchange was a house of cards built on lies.
Two years later, what have we actually learned? More importantly — what have we changed?
What FTX actually did wrong
Let's be precise about the failure. FTX wasn't a market crash or a technical exploit. It was fraud. Customer deposits were secretly loaned to Alameda Research, SBF's trading firm. Alameda gambled and lost. Customer funds disappeared.
The mechanics were simple: no segregation of customer assets, no real accounting, no adult supervision. FTX operated like a personal piggy bank with a trading interface.
Warning signs existed. Alameda's balance sheet — when leaked — showed FTT tokens as primary assets. FTX had no CFO for years. Audits came from obscure firms. Corporate structure sprawled across 130 entities in multiple jurisdictions.
Professional investors missed all of it. Sequoia, Paradigm, SoftBank — sophisticated funds wrote checks without basic due diligence. The hype was too strong, the FOMO too real.
The proof-of-reserves response
The immediate industry response was proof-of-reserves. Exchanges published cryptographic attestations: here are our wallet addresses, here's how much we hold, users can verify on-chain.
Binance, Kraken, OKX, and others rushed to implement. Third-party auditors signed off. Transparency theater commenced.
The problem: proof-of-reserves proves assets exist but not that liabilities match. An exchange could have $10 billion in wallets and $15 billion in customer claims. The proof shows nothing.
Real proof-of-solvency requires proving liabilities too — what the exchange owes customers. That's harder. It requires complete transaction history, user balance verification, and actual auditing. Most "proof-of-reserves" implementations skip this entirely.
It's better than nothing. But it's not what the marketing suggests.
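To make the asset/liability gap concrete, here is a small added example (not from the article, and not any exchange's production scheme) of the standard Merkle-sum tree approach to proof-of-liabilities. The exchange commits to every customer balance in a tree whose root carries the sum of all balances; each user receives their own leaf, salt and sibling path and can check they are counted, and anyone can compare the root total against the on-chain reserves. The user names, balances and salts below are constructed sample data; the helper names (`make_leaf`, `build_tree`, `inclusion_proof`, `verify_inclusion`, `is_solvent`) are this example's own.

```python
"""Merkle-sum tree: a minimal proof-of-liabilities sketch.

Proof-of-reserves shows what an exchange holds. This shows the other half:
a commitment to the SUM of customer balances, so a customer can verify their
balance is included and an auditor can compare the root total to reserves.
"""
import hashlib
from typing import List, Tuple

Node = Tuple[bytes, int]  # (hash, total balance committed under this node)


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _i2b(n: int) -> bytes:
    return n.to_bytes(8, "big")


def make_leaf(user_id: str, balance: int, salt: bytes) -> Node:
    """Leaf commits to (user_id, balance), blinded by a per-user salt that the
    exchange hands only to that user so other customers cannot enumerate ids."""
    if balance < 0:
        raise ValueError("a negative balance would let the root understate liabilities")
    return (_h(b"leaf", salt, user_id.encode(), _i2b(balance)), balance)


def _parent(left: Node, right: Node) -> Node:
    """Parent hash binds both child hashes AND both child totals, so a total
    cannot be changed without changing the root."""
    lh, lt = left
    rh, rt = right
    return (_h(b"node", _i2b(lt), _i2b(rt), lh, rh), lt + rt)


PAD: Node = (_h(b"pad"), 0)  # zero-balance padding; duplicating a leaf would double-count


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """Return all levels, leaves first, root level last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [PAD]
        levels.append([_parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def root(levels: List[List[Node]]) -> Node:
    return levels[-1][0]


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    """Sibling path from leaf `index` to the root. The bool marks a left sibling."""
    proof = []
    for level in levels[:-1]:
        padded = level + [PAD] if len(level) % 2 else level
        sib = index ^ 1
        proof.append((padded[sib], sib < index))
        index //= 2
    return proof


def verify_inclusion(root_node: Node, leaf: Node, proof: List[Tuple[Node, bool]]) -> bool:
    """Recompute the root from a leaf and its sibling path. Any negative sibling
    total is rejected: real deployments use range proofs for this check."""
    node = leaf
    for sibling, sibling_is_left in proof:
        if sibling[1] < 0:
            return False
        node = _parent(sibling, node) if sibling_is_left else _parent(node, sibling)
    return node == root_node


def is_solvent(root_node: Node, onchain_assets: int) -> bool:
    """Solvency check an auditor can run once reserves are verified on-chain."""
    return onchain_assets >= root_node[1]


def demo() -> Tuple[int, bool, bool, bool]:
    # Constructed sample: four customers, balances in whole units.
    accounts = [("alice", 5_000), ("bob", 2_500), ("carol", 7_000), ("dave", 500)]
    # Stand-in for random per-user secrets; a real scheme uses fresh random salts.
    salts = {uid: hashlib.sha256(uid.encode()).digest() for uid, _ in accounts}
    leaves = [make_leaf(uid, bal, salts[uid]) for uid, bal in accounts]
    levels = build_tree(leaves)
    r = root(levels)
    bob_ok = verify_inclusion(r, leaves[1], inclusion_proof(levels, 1))
    # Reserves of 10,000 against 15,000 of liabilities: assets exist, solvency fails.
    return r[1], bob_ok, is_solvent(r, 10_000), is_solvent(r, 16_000)


if __name__ == "__main__":
    print(demo())
```

The point the article makes falls out of the last line of `demo`: an exchange can publish wallets holding 10,000 and pass every on-chain reserve check, and only the committed liability total of 15,000 exposes the shortfall. Publishing the root (and letting users check their leaves) is what turns proof-of-reserves into something closer to proof-of-solvency.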
What has actually improved
Credit where due — some things changed meaningfully.
Regulatory pressure intensified. US enforcement actions multiplied. Binance paid $4.3 billion in settlements. Coinbase got sued but survived. The wild west era ended — operating a major exchange now requires actual compliance infrastructure.
Institutional custody improved. Coinbase Custody, BitGo, Fireblocks — regulated custodians with insurance, segregated accounts, and real audits. Institutions won't touch exchanges without qualified custody anymore.
User sophistication increased. People actually withdraw to self-custody now. Hardware wallet sales spiked post-FTX. "Not your keys, not your coins" went from cypherpunk slogan to mainstream caution.
Smaller exchanges died. The long tail of sketchy exchanges with fake volume and questionable practices — many just disappeared. Consolidation around larger, more regulated players.
What hasn't changed
Uncomfortable truths remain.
Most users still keep funds on exchanges. Convenience wins over security. People trade actively, don't want withdrawal fees, find self-custody complicated. The behavior that enabled FTX continues.
Offshore exchanges still dominate. Binance operates in regulatory gray zones. OKX, Bybit, MEXC — major volume happens on exchanges with minimal oversight. MiCA helps in Europe. Everywhere else, it's still buyer beware.
Proof-of-reserves remains inadequate. Two years later, no major exchange has implemented true proof-of-solvency with liability verification. The industry settled for the appearance of transparency without the substance.
VC due diligence is still broken. Investors learned nothing. The next hyped founder will raise billions on vibes and promises. The same funds that missed FTX red flags will miss the next ones.
How to evaluate exchanges today
Here's my framework for assessing exchange risk. None of this is financial advice — it's risk analysis.
Jurisdiction matters most. US-regulated exchanges face SEC, CFTC, FinCEN oversight. European exchanges face MiCA requirements. These aren't guarantees, but they're meaningful constraints. Offshore exchanges answer to no one.
Corporate structure should be simple. Can you identify the parent company, the jurisdiction of incorporation, the beneficial owners? If the structure requires a diagram to explain, that's a red flag.
Auditors should be reputable. Big Four accounting firms cost more but provide real accountability. An audit from "Prager Metis" or similar unknowns means nothing. Ask who the auditor is before trusting significant funds.
Reserve transparency helps but isn't sufficient. Check if the exchange publishes wallet addresses. Verify assets exist on-chain. But remember — this doesn't prove solvency, only that some funds exist somewhere.
History matters. How did the exchange behave during the 2022 crisis? Did withdrawals process smoothly? Any suspicious pauses or restrictions? Past behavior predicts future behavior.
The uncomfortable truth about CEXs
Centralized exchanges are fundamentally trusted third parties. The whole point of crypto was eliminating these. Every time you deposit to an exchange, you're trusting humans not to steal, not to get hacked, not to get regulated out of existence.
That trust has been violated repeatedly. Mt. Gox. QuadrigaCX. FTX. Hundreds of smaller failures. The pattern is clear: centralized custody eventually fails at scale.
DEXs exist. Uniswap, dYdX, GMX — you can trade without centralized custody. The UX is worse. The liquidity is sometimes thinner. But your funds stay in your wallet until the moment of trade.
I'm not saying never use CEXs. I use them. But I treat them like hot stoves — useful, dangerous, requiring constant attention. Deposit, trade, withdraw. Don't store. Don't trust.
My predictions for 2025
At least one more major exchange fails. Not necessarily fraud — could be regulatory, could be hack, could be bank run. The industry hasn't structurally solved the risks that killed FTX.
Proof-of-solvency standards emerge. Real standards, with liability verification, pushed by regulators who understand the limitations of proof-of-reserves theater. Implementation will be slow and resisted.
DEX volume share grows. Not majority — CEXs will still dominate. But the ratio shifts as DEX UX improves and CEX trust degrades. 20% DEX market share by end of year feels achievable.
Self-custody becomes easier. Hardware wallets get better. Smart contract wallets with recovery options go mainstream. The "too complicated" excuse becomes less valid.
The lesson of FTX was simple: don't trust, verify. Two years later, most people still trust and don't verify. The next disaster is inevitable until that changes.
Natalia Orlova analyzes exchange and custody risk for institutional investors. She previously led due diligence at Galaxy Digital and holds a CFA charter.