Wall Street won’t buy ‘trustless’ security promises

Opinion Share Share this article Copy link X icon X (Twitter) LinkedIn Facebook Email Wall Street won’t buy ‘trustless’ security promises Chen argues that crypto exchange security is still mostly theater, and that stricter enforcement is essential. By Gracy Chen | Edited by Betsy Farber Apr 15, 2026, 4:35 p.m. Make preferred on By 2026, ‘trust us’ costs too much. Crypto exchanges have become the primary venues where millions of people and businesses store and transfer digital money. According to industry data, the crypto market is currently seeing roughly $190–$192 billion in 24-hour trading volume. As exchanges expand into multi-asset venues, the security mechanism evolves beyond wallets into identity, permissions, pricing and settlement. Yet, despite growing pressure from regulators, their security is still failing. In 2025, more than $3 billion in crypto assets were stolen, according to industry estimates. Moreover, several single incidents caused losses of over $1 billion each. Were these small or underfunded platforms? No. The largest hacks happened at major global exchanges with ample capital and technology. So, a lack of resources allocated for protection wasn’t the issue — security, still treated as marketing, was. Much of the industry keeps treating security as a performance rather than an operating discipline. Exchanges invest in what appears convincing on the surface: dashboards, reserve snapshots, protection funds, public statements. It looks reassuring, but it doesn't prove how risk is managed day to day. That’s why, unless security is designed to be enforced, not shown off, even the biggest platforms will stay fragile. And when stress hits, that fragility spills over to users immediately. Performative Security is Dangerous In fact, what’s happening is what I call “security theater.” It’s when an exchange focuses on looking safe, but not actually being safe. So the focus shifts to optics, such as headlines and polished statements, while the real governance remains weak. I’ve seen how such a mindset takes hold. When a business is growing, it has to move fast and keep everything smooth for users. In such conditions, security controls are a friction. They slow down decisions by adding extra steps and triggering uncomfortable questions like “Who can approve this transfer?” And “what happens if the wrong person gets access?” That’s why many platforms prefer confidence on the surface over discipline inside. And the big problem is that this false confidence doesn’t survive stress. In July 2024, India’s WazirX suffered a roughly $235 million hot valuable wallet breach and suspended withdrawals. In my view, that’s a useful reminder of how quickly “everything looks fine” can turn into users losing access to their funds. And that’s the point. Security isn’t a page, a logo or a fund. It’s the daily rules that control how money moves, who has access and how cases are handled when something goes wrong. What exchanges must prove to earn real trust Genuine exchange security is a system that endures stress, and you can test that. From my experience, it has three core traits: it proves full backing of customer balances, it controls how money moves, and it responds fast in a crisis. Proof-of-reserves is a start toward demonstrating the system can withstand stress. Simply put, it's evidence that certain assets exist. Still, it says little about what the exchange owes you, what rules apply to your money if the exchange has troubles or whether the numbers are true when many users withdraw at once. That’s why transparency should be two-sided. It should clearly show assets and liabilities, with an independent check. And the “proof” should be verifiable, for example, through cryptographic methods that allow users to confirm inclusion without exposing balances. Then comes the part most “security pages” avoid — strict rules inside the company. No single person should be able to move customer funds, unusual activity should trigger reviews, and large transfers must require approval from at least two people. With these controls in place, one compromised account can’t cause a chain reaction across the platform. Since exchanges are becoming multi-asset platforms, those rules need one more goal: keeping a permission mistake or pricing anomaly from spilling into cross-asset liquidations. Quick incident response is the final test of real security. A serious exchange knows exactly what happens in the first hour, isolates the breach, pauses critical flows and communicates clearly. Delays and silence don’t buy time; they simply multiply damage. Of course, these measures don’t cover every possible risk. Even so, they form the backbone of true exchange durability — the kind that prevents routine incidents from turning into systemic failures. By 2026, ‘trust us’ costs too much If exchanges want to keep their customers and attract serious, institutional capital, they have to stop acting like performers in a safety show. Reassuring words and polished pages may calm people in quiet moments, but they fail when a big crisis hits. Big investors have already started treating security as basic counterparty risk. They want evidence of controls, separation of duties, independent assurance, and a response plan that works under pressure. So, in 2026, a simple “trust us” on a homepage won’t be enough. Can one mistake drain the platform or does the system stop it? Can you prove that with enforced limits and approvals, instead of explanations after the fact? These are questions that everyday users and large investors alike are starting to ask. After all, security is about building systems that mitigate damage, slow down bad decisions and hold up under stress. Exchanges that make that shift will keep trust. Those who don’t will keep learning the same lesson the hard way. Opinion Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates . More For You DeFi’s shakeout is a stress test, not a death sentence By Alex Novozhenov | Edited by Betsy Farber Apr 12, 2026 Novozhenov argues that despite lingering governance, security and regulatory hurdles that have shuttered several protocols, DeFi remains resilient. Read full story Latest Crypto News Crypto Long & Short: Fighting fraud in the digital age: why state-led identity is the future 35 minutes ago Bitcoin developer Jameson Lopp says it's better to freeze 5.6 million BTC than let hackers have them 58 minutes ago Why Morgan Stanley's CFO sees tokenization as the next big step for its multi-trillion wealth business 1 hour ago Allbirds abandons sneakers in pivot to AI computing, shares surge 400% 2 hours ago TeraWulf stock declines on $900 million share sale to fund AI data center expansion 3 hours ago CoinDesk 20 performance update: AAVE rises 4.3% as trades flat 3 hours ago Top Stories Beyond ‘digital gold,’ Iran conflict forces a rethink of the nature of bitcoin 3 hours ago Trump-backed WLFI moves to unlock 62 billion tokens after $75 million loan controversy 3 hours ago A new class of crypto treasury companies is forming around Strategy’s high-yield stock 6 hours ago Why this ex-Solana exec is using a Wall Street trick to level the playing field in DeFi 6 hours ago Bitcoin developers are trying to build quantum defenses. Your coins could pay the price. 10 hours ago Bitcoin pulls back as $75,000 remains 'both the milestone and the ceiling' 5 hours ago