Inherent risks of third-party custodial services


A recent CNBC investigative report interviewed users of Coinbase from around the United States and found thousands of instances of accounts being hacked and users’ funds stolen. Many of the users who had been victimized reported that they did not receive a satisfactory solution from customer service. To show the scale of the problem, there have been over 11,000 official complaints to the FTC and CFPB about incidents involving Coinbase customer service.

Coinbase, with over 68 million users and 223 billion dollars worth of assets under management, is possibly the largest cryptocurrency company in the world. If providing perfect protection for users were simply a matter of money, Coinbase certainly has enough financial resources to scale up their customer service operation to whatever size is necessary.

The fact that even Coinbase and other large cryptocurrency exchanges have not been able to eliminate the threat of theft by unauthorized access to users’ accounts, despite having strong incentives to do so, indicates that there are inherent vulnerabilities in the third-party custodial storage model that can’t be addressed simply by throwing more resources at them. While these large businesses constantly struggle to keep up with evolving security threats, more and more people are coming to understand that the smarter alternative for bitcoin owners is to abandon the third-party custodial model altogether and instead use an offline cold storage wallet.

Some of the inherent vulnerabilities of third-party custodial storage are illustrated by the tragic stories in the CNBC report. The most common technique hackers use to access Coinbase accounts is called SIM swapping, which can give a hacker control of the victim’s phone and thus the ability to steal all of the funds in the account in less than 30 minutes.

Ben, who lost over $35,000 to a hack, states that he used two-factor authentication (2FA) to log into his Coinbase account. This means that he was required to enter his login password and a separate numerical code from a different device, typically a phone. In order to access Ben’s account, a hacker would have needed to know Ben’s login information (which could have been stolen by a keylogger or some other malware) and also the code from Ben’s phone. Using the SIM swapping technique described above, a hacker was able to intercept the 2FA code that Coinbase sent to Ben’s phone number. With the login information and the 2FA code, the hacker logged into Ben’s account and withdrew all of the funds to his own wallet.

Ben was hacked despite enabling all possible protection measures available on Coinbase. Coinbase does have an insurance policy; however, it does not cover losses due to unauthorized access of individual user accounts. Since blockchain transactions are irreversible, there is no possible technical solution: even the greatest computer scientists in the world could not reverse a transaction, let alone ordinary customer service workers.


The Safer Way

The foundational principle of secure cryptocurrency storage is embodied in six words: Not your keys, not your coins. The tragic losses that the individuals in the CNBC story and so many others have suffered all could have been avoided if they had understood the meaning and importance of those words. But most newcomers to cryptocurrency are not taught the basic principles of crypto security. Of course, you wouldn’t expect custodial service companies to advise their users of the benefits of controlling their own private keys in a self-custodial wallet rather than entrusting their funds to the company.

There is a large selection of cryptocurrency wallets (devices that store your private key data) available, ranging from “hot wallet” software that can run on any computer or device to single-purpose electronic “cold wallet” hardware devices. Each of these wallets is designed to give users full and exclusive control of their private keys, as opposed to the third-party custodial model, where the danger of accounts being hacked seems to be an intractable problem.

For an easy, safe, reliable cold storage wallet that will give you true peace of mind, we recommend the Ballet REAL Series physical cryptocurrency wallet. Yes, we’re biased. But we stand by the recommendation. You won’t have to worry about SIM swaps, keyloggers, malware, social engineering, or any threats like that because Ballet wallets have no electronic components. Since there is no way to electronically connect to it, there is no way to electronically hack it. Just like cash or gold, you only need to take responsibility for physical security. Physical security has its own challenges, but it’s a lot more intuitive to most people than computer security. If you haven’t tried a Ballet wallet for yourself yet, you really should.

Go here to learn more about the Ballet REAL Series wallet: https://www.ballet.com/en/real/

 

About us

Ballet is a U.S. company that provides simple and secure cryptocurrency storage solutions for the global mainstream market. Ballet is the team behind the world’s first multi-currency, non-electronic, physical crypto wallet. The company was founded in 2019 by Bobby Lee and an international team of cryptocurrency industry veterans. Ballet is headquartered in Las Vegas, Nevada in the United States, and has an office in Shanghai, China.

For more on our products please check us out at: https://www.ballet.com/
