Bitcoin exchanges: keep your money in a sock under someone else’s bed

“Be your own bank” is actually very hard – particularly with “no chargebacks”, meaning that in the event of a theft or even a mistake you’re completely out of luck – so almost everyone who uses cryptocurrencies keeps their coins on an exchange. Exchanges also let you trade between different cryptocurrencies, crypto assets and conventional currencies, and some even offer short-selling and other margin trading, which are enormously popular.

Bitcoin exchanges were started by amateur enthusiasts. Most were computer programmers whose approach to anything outside their field was “I know PHP, how hard could running an exchange be?” As Dunning and Kruger pointed out in 1999,[79] this approach tends not to work out so well.

In real securities trading, you can presume the exchanges themselves are not going to mess you around, and indeed that they’re basically competent. You can’t assume either with crypto exchanges. The gateways to the world of real money are stringently regulated – you’ll need to give amazing quantities of government ID to these people you know nothing about – but inside the exchanges it’s the Wild West.

Hacks, supposed hacks and exchanges just disappearing with all their customers’ money remain dismally regular occurrences. As of March 2015, a full third of all Bitcoin exchanges up to then had been hacked, and nearly half had closed. Since the exchanges are largely uninsured, unregulated and not required to keep reserves, depositors’ money goes up in smoke.

It’s not just scamminess on the part of the proprietors, but sheer jawdropping incompetence:

Bitomat, then the third-largest exchange, were keeping the whole site’s wallet file on an Amazon Web Services EC2 server in the cloud that didn’t have separate backups and was set to “ephemeral,” i.e., it would disappear if you restarted it. Guess what happened in July 2011? Whoops.

Bitcoinica was its sixteen-year-old creator’s first serious PHP project. He read up on PHP, Ruby on Rails, personal finance and startups, and wrote an exchange. It collapsed in May 2012: “No database backups … Everyone had root.”[83] The exchange’s remaining funds were lost in further hacks, after the administrators turned out to be using their (leaked) Mt. Gox password as their LastPass password.

BitPay claimed to be fully insured. It suffered a “phishing” attack in December 2014, when an attacker broke into an outside partner’s computer and sent an email posing as the CFO to the CEO and chairman telling them to send 5,000 BTC to the attacker. The insurer refused to compensate the company, pointing out they had taken out a policy that only covered BitPay computers and physical cash on BitPay’s premises, and bitcoins didn’t count as physical cash.

AllCrypt ran their exchange off a MySQL database … and were running WordPress on the same database, and their WordPress got hacked in a way that allowed access to the exchange data. The same thing happened to Bitcoin lending startup Loanbase.

Cryptsy appeared to collapse from a “hack” in January 2016 with much apology from the proprietor; the court-appointed receiver’s report details how the proprietor ran off with all the bitcoins and moved to China to start a new exchange.

Kraken publicly blamed web content distribution network Cloudflare for its website problems. Cloudflare’s CEO went so far as to publicly tweet that Kraken hadn’t paid its bill in months. “Let’s get the facts straight. Credit card provided for payment expired. After 3 warnings you were downgraded to a free account.”

To be fair, conventional banks say “Yes, Mr. Smith, I’m sorry, but it seems we misplaced all your money irretrievably. Yes, yours in particular. It’s gone. Forever. No, I’m sorry, but we aren’t liable. Have a nice day!” all the time. No wait, they don’t do anything of the sort. Not since regulation, insurance and central bank backing were put into place.
