When Upbit detected unauthorized withdrawals of roughly $36 million in Solana tokens from a hot wallet on Nov. 27, CEO Oh Kyung-seok went on record within hours. He stated:
“The entire amount will be covered by Upbit’s holdings, with no impact on customer assets.”
Six years earlier, Upbit said the same thing after losing 342,000 ETH, worth around $50 million at the time, to North Korea-linked hackers. Both times, customers saw no losses, and both times, the exchange absorbed the hit from its own treasury.
This is the hot wallet insurance model, where exchanges warehouse counterparty risk so that platform-level breaches don’t haircut users.
The system might have three forms: self-insurance from corporate reserves, dedicated emergency funds like Binance’s SAFU, and third-party crime policies with named limits.
The model has become standard practice at Tier 1 centralized exchanges, turning what would have been Mt. Gox-style insolvencies into operational losses that reopen within days.
But “users don’t lose” doesn’t mean markets don’t react. Even when deposits are ultimately safe, immediacy and liquidity are not. Hacks still freeze withdrawals, collapse order-book depth, widen spreads, and trigger reflexive pullbacks by market-makers.
The insurance model changes who eats the loss and how fast platforms can credibly reopen. It doesn’t erase counterparty risk.
Upbit: self-insurance from hacks as a corporate balance sheet
Upbit’s approach is, in effect, self-insurance with no explicit policy limit. The promise depends entirely on the exchange’s solvency and access to capital.
In both the 2019 Ethereum hack and the 2025 Solana breach, Upbit treated hot-wallet losses as operational expenses absorbed by Dunamu, its parent company.
The 2025 incident moved fast. Around 4:42 a.m. local time, roughly 54 billion won in various tokens from the Solana ecosystem tokens drained to an unknown address.
Upbit froze all Solana deposits and withdrawals, shifted remaining assets to cold storage, and froze a portion of the stolen LAYER tokens on-chain.
The exchange said it was working with projects and law enforcement to freeze even more of them, but the core commitment was immediate: no customer losses.
That commitment is credible because Upbit is large and liquid. But it’s not a statutory guarantee. There is no external insurer backstopping the promise, no deposit insurance scheme, and no formal reserve ratio that regulators audit.
The model works until it doesn’t: until a hack is large enough relative to equity that full reimbursement strains or breaks the balance sheet.
Binance and SAFU: a formalized internal fund
Binance created the Secure Asset Fund for Users in July 2018, diverting about 10% of trading fees into dedicated publicly visible cold wallet addresses.
Binance has repeatedly said SAFU is meant for “unexpected extreme cases” such as major hacks. As of press time, the fund was valued at around $1 billion.
When Binance suffered its May 2019 hot wallet breach, resulting in the loss of 7,000 BTC, it paused withdrawals and announced that all affected accounts would be made whole from SAFU, with no user losses.
Internal figures indicate that only about 2% of total exchange funds are in the compromised hot wallet, making it feasible to socialize the loss across the SAFU pool rather than push it to customers.
SAFU is an internal insurance fund: ring-fenced, pre-funded from fees, with an implicit commitment to cover large platform-level hacks, but it’s not a statutory guarantee.
If a breach exceeded the fund balance and Binance’s equity, customers would take losses. But the public visibility of the fund and the fee-funding mechanism make the promise more transparent than Upbit’s balance-sheet approach.
Crypto.com: mixing self-insurance with third-party cover
On Jan. 17, 2022, Crypto.com detected unauthorized withdrawals on a subset of user accounts and halted all withdrawals for about 14 hours.
Later disclosures put the loss at roughly $34 million in BTC, ETH, and other tokens, affecting 483 accounts. The exchange stressed that “no customers experienced a loss of funds” because it either blocked the unauthorized withdrawals in time or fully reimbursed affected users.
Subsequent communications highlighted a new protection program offering coverage of up to $250,000 per account in the event of certain third-party breaches.
Public reporting notes that exchanges like Crypto.com and Coinbase carry crime policies that pay out if the platform itself is hacked, but not if an individual loses funds due to their own credential compromise.
The distinction matters. Crime policies typically cover platform-wide breaches, insider theft, or fraudulent transfers involving the exchange’s own systems. They do not cover phishing, SIM-swaps, or users losing private keys.
Coverage is finite and conditional, with named limits and exclusions that can leave customers exposed if a breach falls outside policy terms or exceeds the limit.
Third-party policies and captive structures for hacks
Coinbase has long disclosed a crime insurance policy with a $255 million limit on its hot wallet balances, placed through Aon with Lloyd’s syndicates.
The policy is designed to cover platform-wide breaches but explicitly excludes losses from someone compromising an individual user’s login.
Gemini took the captive route, launching “Nakamoto Ltd.” in Bermuda to provide $200 million in coverage for Gemini Custody, topping up what the commercial market would offer.
Newer regulated exchanges now market “100% hot wallet insurance” as a selling point. HashKey Global says user assets are protected by comprehensive insurance, including 100% hot wallet insurance, with 90% kept in cold storage.
The spectrum runs from implicit promises backed only by equity and retained earnings, to ring-fenced internal funds, to formal insurance contracts with named limits and exclusions.
The market is maturing: recent research estimates the crypto exchange hot wallet insurance segment at about $1.4 billion in 2024, with projected growth to roughly $12 billion by 2033 as exchanges, custodians, and regulators push for more formalized loss mitigation.
Markets still react when users don’t lose
Even when users are made whole, hacks change how traders price counterparty risk. Bybit’s February 2025 $1.5 billion hack illustrates this perfectly.
Bitcoin market depth on Bybit collapsed from normal levels to about $100,000 immediately after the incident, then recovered to roughly $13 million by the end of the first quarter, in line with pre-hack conditions.
Spreads widened across BTC and the top 30 altcoins, only to tighten again over several weeks as market-makers returned.
Coinlaw data from November 2025 noted that even a technical KRW transfer suspension on Upbit coincided with an estimated 70% drop in liquidity and a sharp fall in Upbit’s share of global top 10 volumes, highlighting how quickly capital can step back from a single venue.
The pattern is consistent: frozen withdrawals, wider spreads, thinner depth, and a reflexive liquidity provider pullback. Even when deposits are ultimately safe, immediacy is not.
Traders who need to move capital or hedge positions face hours or days of illiquidity. Market-makers who provide depth pull back until they are confident the platform is stable.
What the model does and doesn’t solve
Hot wallet insurance greatly reduces the odds that a single exchange hack wipes out customer coins. It changes who eats the loss and how fast platforms can credibly reopen.
Upbit, Binance, and Crypto.com all absorbed platform-level breaches from reserves or internal funds and reopened within days, avoiding the years-long insolvency proceedings that followed Mt. Gox.
But coverage is finite and conditional. It often applies only to platform-level breaches, not to phishing or SIM swaps.
A sovereign guarantee doesn’t back it, the way bank deposits are. And it does nothing to stop the short-term fallout that actually moves markets: frozen withdrawals, wider spreads, thinner depth, and a reflexive pullback of liquidity.
The lesson is that hot wallet insurance is real and functional, but it’s not deposit insurance. It depends on the exchange’s solvency and liquidity, the adequacy of internal funds or external policies, and the platform’s willingness to honor promises when reserves are tested.
For users, the model means counterparty risk is lower than it was in the Mt. Gox era, but it’s not zero. For markets, it means hacks still dominate headlines and price action even when every customer ends up whole.
