Flipside Crypto News

Sutton’s Law and the Security of Cryptocurrency Exchanges

As investors become more interested in cryptocurrencies, trading venues are popping up left and right. But are these exchanges safe?

* * *

When a reporter asked infamous gangster Willie Sutton why he robbed banks, he reputedly quipped, “because that’s where the money is.”

Willie Sutton, Infamous Bank Robber

Nearly a century after his criminal start, “Sutton’s Law” endures, used in medical schools to remind students of one thing when making diagnoses: always consider the obvious.

Willie Sutton might be unable to comprehend the recent emergence of cryptocurrencies, but if alive today he surely would smell opportunity–1,500 new currencies, barely understood by legal authorities, that can be converted to real dollars? Sutton would be honing his coding skills at hackathons in no time.

As more investors wade into the crypto waters, the threat of hacks, thefts, and data breaches remains real, especially for those seeking out third-party venues to buy and sell cryptocurrencies. But if these venues are a target for fraud and theft, how can an investor be confident exchanges aren’t swimming with criminals?


Looking at the short history of cryptocurrencies, it’s easy to understand the skittishness over crypto exchanges. In fact, a more disastrous start for the buying and selling of these assets couldn’t have been better scripted.

In 2014, as major news outlets were beginning to regularly cover cryptocurrency developments, the first bitcoin exchange to trade significant volumes, Mt Gox, declared bankruptcy after 850,000 BTC disappeared (approximately $7 billion today). The alleged theft was compounded by a number of things, including unsophisticated security protocols, extremely negligent management, and nearly zero transparency. The employees at Mt Gox, it turns out, had absolutely no idea how to run an exchange.

Right or wrong, reverberations from Mt Gox continue to tarnish the crypto markets, discouraging many of the crypto-curious from participating. And more recent hacks–Bitstamp in 2015, Bitfinex in 2016, and the Coinsecure theft this year–have provided plenty of reasons for individuals and institutions to remain cautious about trusting third parties when investing in this emerging technology.

Today, however, crypto exchanges are slowly trudging through growing pains, working to find ways to address transparency, volatility and liquidity concerns. For the most reputable exchanges, developing more robust security measures is the most pressing priority.


There are over 100 (and counting) crypto trading venues, generally falling within two categories: those that offer direct peer-to-peer trading (a decentralized exchange) and those that act as brokers intermediating trades.

The largest in the US (Kraken, Bittrex and GDAX) account for a quarter of all cryptocurrency daily trading volume. These entities–sometimes mislabeled as unregulated–are subject to many US rules, including applicable regulations regarding securities trading, money transmission, and other consumer protection measures. Importantly, the exchanges are subject to the fraud prevention and anti-money laundering provisions of the Bank Secrecy Act and PATRIOT Act.

Regulatory uncertainties and a desire to protect customer assets (and provide a secure alternative to some of the fly-by-night exchanges) have led many brokered exchanges to take a measured, cautious approach to crypto trading.

One example is Coinbase’s GDAX, which employs a more conservative approach than most. The venue only supports more liquid cryptocurrencies (BTC, BCH, ETH, and LTC), and doesn’t allow margin or derivatives trading. Nearly one in five Coinbase employees work in compliance, which is not only a ratio surpassing most highly regulated banks, but also a sign of the regulatory seriousness and focus on security that is emerging among creditable exchanges.

As liquidity improves and market competition helps weed out bad actors, traditional exchanges are responding to meet the needs of crypto investors. The decision last year by CME Group and CBOE to offer bitcoin futures products means the same oversight and rules for the trading of commodities futures contracts are now applied to bitcoin futures. While a narrow part of the overall market, cryptocurrency futures may present a more secure, less fraud-prone approach to trading these assets. Only time will tell, but certainly progress is being made.


Undoubtedly, the rising popularity of crypto assets will continue to draw investors of every ilk: the technologists, the idealists, and even the criminal opportunists. But just because some of these exchanges are targets for crooks doesn’t mean it’s unsafe to trade cryptocurrencies.

So how should you, as an investor, approach evaluating an exchange? For starters, think about what kind of trading you wish to do, taking into consideration your level of expertise with trading other assets. Maybe you’re a risk-averse individual simply looking to buy and sell bitcoin, or maybe you represent an institution looking to hedge risk through short-selling and margin trading of several different coins. Your trading goals should be an important factor in choosing how to participate in these markets.

Regardless of the type of investing you plan to do, evaluating an exchange should involve the same type of due diligence you would use when choosing a bank, brokerage firm, or any other entity handling your investments. Beyond the consideration of varying fees and exchange rates, things like an experienced team, clear cybersecurity protocols, and attention to regulatory compliance should be of paramount importance.

Any serious exchange should be willing to demonstrate enough of a track record and process transparency to give you confidence you aren’t helping fund a Ponzi scheme. And while most exchanges require ID verification–some now ask for multiple layers of verification–always consider the risks of investing with a venue that does not require an ID (they do exist).

As stakes rise, crypto trading venues will continue to find new ways to protect assets. Many are adopting “cold storage” for cryptocurrencies, an offline approach that utilizes encryption, geographically dispersed vaults, and even paper backups. In spite of these measures, you should always be wary of leaving large amounts of crypto assets with any one trading venue.

At the end of the day, investing in any asset class will–and should–involve taking necessary precautions to protect your money. And as Sutton’s Law advises, it’s important to remember the obvious–criminals will always follow the money, whether in banks or on a blockchain.