
Kraken vs Coinbase for Security: Which Actually Protects Your Crypto Better

Crypto Ryan · 15 min read

Affiliate disclosure: Some links in this article are affiliate links. We may earn a commission if you sign up through them, at no extra cost to you. We only recommend platforms we have personally researched. This is not financial advice.

Short answer: Kraken has the better security track record. It has never suffered a major exchange-level hack in 14+ years, publishes quarterly Proof of Reserves, and offers account-hardening tools Coinbase simply doesn’t have. Coinbase is a legitimate exchange — publicly traded, FDIC-covered for USD balances, and regulated — but it disclosed a significant insider-threat breach in 2025 that affected ~70,000 customers.

After I watched Celsius freeze withdrawals and eventually blow up, one question kept coming back to me: if an exchange goes down or gets hacked, what’s my actual recourse? Not their marketing copy — the real answer.

I’ve been trading and holding crypto since 2014. I’ve watched exchanges disappear overnight, seen billions in customer funds evaporate, and I personally lost money when Celsius collapsed. That experience changed how I think about where I keep my crypto. Now I evaluate exchanges the way a skeptical engineer would: what actually happens to my funds when things go wrong?

I’ve spent time using both Kraken and Coinbase. They’re the two most common recommendations for US-based retail investors, and they both get the “safe” label thrown around loosely. But their security profiles are genuinely different — and those differences matter more than most comparison articles admit.

Here’s the honest breakdown.

TL;DR

  • Kraken has never suffered a major exchange-level hack in 14+ years (since 2011). It publishes quarterly Proof of Reserves, stores 95–97% of assets in cold storage, and has a Global Settings Lock feature that’s a genuine differentiator.
  • Coinbase stores 98% of assets in cold storage, is publicly traded (NASDAQ: COIN), and audited annually by Deloitte. But it suffered a significant 2025 insider-threat breach affecting ~70,000 customers — and its $255M+ hot wallet insurance only covers roughly 2% of assets.
  • FDIC at Coinbase covers USD cash only — not your crypto. This is widely misunderstood.
  • For security-focused users, Kraken’s track record and account hardening tools are the stronger choice. Coinbase wins on regulatory familiarity and beginner experience.

Kraken vs Coinbase Security: The Quick Answer

If your primary filter is “which exchange has the better security track record,” Kraken wins — and it’s not particularly close.

Kraken has operated since 2011 without a single major exchange-level breach that resulted in customer fund losses. That’s 14+ years through some of the most chaotic periods in crypto history: the Mt. Gox collapse (2014), Bitfinex losing $72M (2016), Coincheck losing $534M (2018), and FTX’s implosion in 2022. Kraken stayed clean through all of it.

Coinbase has a more complicated story. It’s a publicly traded US company with strong regulatory oversight, institutional custody, and annual Deloitte audits. But in 2025, it disclosed a serious insider-threat breach that exposed personal data on roughly 70,000 customers — and its estimated remediation costs hit $180 to $400 million. That’s not ancient history. That’s last year.

If you’re just getting started and want to compare exchanges before committing, both Kraken and Coinbase are legitimate options. But once you’re holding real money — whether it’s $5K or $500K — the security nuances below are worth understanding.

Cold Storage: Where They Actually Keep Your Crypto

Both exchanges use cold storage as their primary custody method. Cold storage means the private keys controlling your assets are kept offline, physically air-gapped from the internet. This is the baseline for any exchange handling significant customer funds.

Coinbase: Stores approximately 98% of customer crypto assets in cold storage (as of 2025). The remaining ~2% sits in hot wallets to handle daily liquidity needs — withdrawals, trading, that kind of thing.

Kraken: Stores 95–97% of customer assets in air-gapped cold wallets under 24/7 surveillance. Some recent reviews (as of late 2025) cite the figure at 97%.

Both percentages are strong. The real question isn’t the percentage — it’s what happens to that other 2–5% in hot wallets, and what insurance (if any) covers it. More on that below.

One important caveat: neither exchange gives you "your keys, your coins." When you leave crypto on any exchange, you're trusting their custody setup. The cold storage percentages describe their internal process. If you want true self-custody, you're moving to a hardware wallet, and that's a different article. But for exchange-held assets, these numbers matter.

I keep a portion of my portfolio on exchanges for liquidity. The rest goes to self-custody. If you’re not there yet, I’d suggest reading up on how to move crypto to cold storage safely before your holdings get large.

Hack History: The Only Scorecard That Actually Matters

Marketing copy can say whatever it wants. Hack history doesn’t lie.

Kraken’s track record: No major exchange-level breach resulting in customer fund losses since the exchange launched in 2011. Over 14 years. This is genuinely remarkable given how many exchanges have been compromised during that period. Kraken’s cold storage architecture, combined with strict internal security practices, has held up through everything.

Coinbase’s track record: More complex. Coinbase has never had its cold storage (98% of assets) breached. That’s important — the core custody has held. But the exchange has seen multiple significant incidents over the years:

  • February 2023: Employees were targeted in a sophisticated phishing campaign by the hacker group “0ktapus.” Coinbase’s multi-layered security contained it.
  • May 2022: A customer lost $96,000 in a SIM-swap attack and filed suit against Coinbase, alleging federal and state financial law violations.
  • 2025 insider breach: This is the big one (covered in the next section).

The distinction I keep coming back to: Kraken has never lost customer funds to a hack. Coinbase’s cold storage hasn’t been compromised, but the exchange has had repeated incidents around the edges — employee phishing, SIM-swap attacks, and now a serious insider threat breach. These aren’t the same as Binance-level hacks, but they’re not nothing either.

The 2025 Coinbase Breach You Need to Know About

This happened last year and it’s still not getting enough attention in exchange security comparisons, so let me be direct about it.

In early 2025, Coinbase disclosed that attackers had bribed overseas customer support contractors to access internal systems and extract user information. The breach exposed personal data on approximately 70,000 customers. Coinbase estimated the remediation costs — reimbursements plus security upgrades — would run between $180 million and $400 million. They reported this in an SEC 8-K filing.

A former customer support agent was arrested in India in December 2025 in connection with the investigation.

This was not a cold storage breach. The attackers didn’t crack Coinbase’s cryptographic security. They bribed people. And that’s actually the scariest kind of breach for exchange customers — it means the attack surface isn’t just technical infrastructure, it’s human access controls.

What does this mean practically? For most customers, the breach exposed names, addresses, account data, and partial transaction history — not crypto holdings directly. But that kind of data enables targeted social engineering attacks. Coinbase warned customers in its incident communication: “Expect imposters. Scammers may pose as Coinbase employees and try to pressure you into moving your funds.”

I’m telling you this because it happened. The Celsius collapse taught me to never assume “too big to fail” or “too trustworthy to breach.” Coinbase is a legitimate company and they’re reimbursing affected customers. But this incident is part of the real security picture.

Insurance: What’s Actually Covered (And What’s Not)

This section is where I watch people get burned by misunderstanding. Let me clear up the two most common misconceptions.

Misconception 1: FDIC Insurance Covers Your Crypto at Coinbase

It doesn’t. Full stop.

FDIC insurance at Coinbase applies to your USD cash balances — the dollars sitting in your Coinbase account, not your crypto. If Coinbase failed as a bank (which it isn’t), your USD up to $250,000 per customer would be FDIC-protected. Your Bitcoin, Ethereum, and everything else? Not covered.

Coinbase’s own insurance page is explicit: “Coinbase is not an FDIC-insured bank and digital currency is not insured or guaranteed by the Federal Deposit Insurance Corporation.”

Misconception 2: Coinbase’s $255M Insurance Covers Most of Your Crypto

The hot wallet insurance that Coinbase maintains — approximately $255M+ covering theft and breaches — only applies to the hot wallet assets. That’s approximately 2% of customer funds. The other 98% in cold storage is not covered by this insurance policy.

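Think about that ratio: if Coinbase holds $50 billion in customer assets, the roughly 2% held in hot wallets comes to about $1 billion, which is the most this policy could ever apply to, and the cited policy figure is only around $255M. Against total customer assets, that's a coverage ratio of around 0.5–2%.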

Kraken’s insurance situation: Kraken doesn’t publish a specific insurance figure for hot wallet assets. The exchange relies on its security architecture — 95%+ cold storage, minimal hot wallet exposure, and its clean breach history — rather than an insurance backstop.

Neither exchange offers comprehensive insurance against a catastrophic cold storage breach. The honest answer is: if either exchange’s cold storage were somehow compromised and billions of customer funds were lost, the insurance wouldn’t cover it. The protection is the security architecture itself, not an insurance policy.

This is why Celsius rattles around in my head every time I evaluate an exchange. Celsius had marketing that made people feel safe. The actual asset protection wasn’t there.

2FA and Account-Level Security Features

This is where Kraken’s advantage becomes most concrete for individual users.

Kraken’s Security Toolkit

2FA options: Kraken supports TOTP authenticator apps (Google Authenticator, Authy), hardware security keys (YubiKey, FIDO2/WebAuthn), and FIDO2-compliant Passkeys for login. SMS-based 2FA is notably absent from Kraken’s supported methods — which is actually good news, since SMS is the weakest 2FA method and the vector for SIM-swap attacks.

Global Settings Lock (GSL): This is Kraken’s biggest account-security differentiator and it’s underappreciated. When you enable GSL, critical account changes — modifying 2FA settings, adding or removing withdrawal addresses, changing your email — are frozen for a configurable delay (24 hours minimum, up to 7 days or more).

Here's why this matters: if an attacker compromises your Kraken login, they can't immediately change your 2FA and lock you out. They'd need to wait out the GSL timer, during which you have time to detect the intrusion and revoke access. It works as a time lock on your account settings.

Withdrawal address whitelist: You can whitelist specific withdrawal addresses. New addresses require email confirmation and go through a cooldown period before they can be used. Combined with GSL, an attacker who gets your login credentials can’t just drain your account to their wallet.

Device and session management: Kraken lets you review and revoke active sessions, with configurable session timeout.

Coinbase’s Security Toolkit

2FA options: Coinbase supports TOTP authenticator apps, hardware security keys, and unfortunately still allows SMS-based 2FA, the weakest option. The SIM-swap attack behind that 2022 lawsuit was enabled partly by SMS 2FA. If you use Coinbase, disable SMS 2FA immediately and switch to an authenticator app or hardware key.

Account protection: Coinbase has address whitelisting, device approvals, and 2-step verification for withdrawals. These are solid baseline protections.

What Coinbase lacks: There’s no equivalent to Kraken’s Global Settings Lock. If someone gets your Coinbase credentials and 2FA code, they can act immediately. Kraken’s GSL adds a time buffer that doesn’t exist on Coinbase.

For serious holdings, I’d recommend using NordVPN when logging into any exchange on public Wi-Fi — VPN traffic obfuscation adds one more layer against network-level interception.

My setup: hardware key (YubiKey) as 2FA on both platforms, withdrawal whitelist enabled, GSL on Kraken set to 48 hours. If you’re not doing this, your account is softer than it needs to be.

Proof of Reserves: Who’s Actually Showing Their Work

After FTX, “proof of reserves” became something every serious exchange needed to discuss. The idea: an exchange cryptographically proves it holds the assets it claims, rather than rehypothecating customer funds.

Kraken: Publishes Proof of Reserves on a quarterly cadence, third-party attested. The most recent is dated September 30, 2025, showing assets backed 1:1 and beyond. It also completed audits as of March 31, 2025 and June 30, 2025, and the March 2025 PoR included ADA for the first time. This is industry-leading transparency.

Coinbase: Does not publish a traditional Proof of Reserves. CEO Brian Armstrong explicitly declined, saying: “If you want audits, Deloitte audits us annually.” His argument is that as a publicly traded US company subject to SEC and FINRA oversight, the annual Deloitte audit provides equivalent (or superior) assurance.

Is Armstrong wrong? Not entirely. A Deloitte audit of a public company is genuinely rigorous. But it’s also not real-time, it’s not cryptographically verifiable by individual users, and it’s a different kind of assurance than a Merkle tree-based PoR where you can verify your own balance inclusion.
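The balance-inclusion check mentioned above, as an added example (not part of the original article, and not Kraken's actual PoR format): the exchange hashes each customer record into a Merkle tree and publishes the root, and a customer recomputes that root from their own record plus the sibling hashes they are given. The record IDs, balances, `|` leaf encoding and SHA-256 with 0x00/0x01 prefixes are assumptions chosen for illustration.

```python
import hashlib

# Constructed sample ledger: (pseudonymous record id, balance in satoshis).
LEDGER = [("rec-a1", 150_000), ("rec-b2", 2_000_000), ("rec-c3", 75_000),
          ("rec-d4", 10_000), ("rec-e5", 420_000)]

def leaf_hash(record_id: str, balance: int) -> bytes:
    # 0x00 prefix keeps leaf hashes distinct from internal-node hashes.
    payload = f"{record_id}|{balance}".encode()
    return hashlib.sha256(b"\x00" + payload).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(ledger):
    """Exchange side: return every tree level, leaves first, root last."""
    levels = [[leaf_hash(r, b) for r, b in ledger]]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            # An unpaired node at the end of a level is paired with itself.
            right = cur[i + 1] if i + 1 < len(cur) else cur[i]
            nxt.append(node_hash(cur[i], right))
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    """Exchange side: sibling hashes from leaf `index` up to the root."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]
        # Flag is True when the sibling sits to the right of our node.
        proof.append((sibling.hex(), index % 2 == 0))
        index //= 2
    return proof

def verify_inclusion(record_id, balance, proof, root_hex):
    """Customer side: recompute the root from own record and the proof."""
    node = leaf_hash(record_id, balance)
    for sibling_hex, sibling_on_right in proof:
        sibling = bytes.fromhex(sibling_hex)
        node = (node_hash(node, sibling) if sibling_on_right
                else node_hash(sibling, node))
    return node.hex() == root_hex

if __name__ == "__main__":
    levels = build_levels(LEDGER)
    root = levels[-1][0].hex()          # the value the exchange publishes
    proof = inclusion_proof(levels, 2)  # proof handed to the owner of rec-c3
    print("correct balance:", verify_inclusion("rec-c3", 75_000, proof, root))
    print("altered balance:", verify_inclusion("rec-c3", 750_000, proof, root))
    # A ledger that silently drops rec-c3 yields a root the proof cannot reach.
    omitted = [row for row in LEDGER if row[0] != "rec-c3"]
    bad_root = build_levels(omitted)[-1][0].hex()
    print("record omitted: ", verify_inclusion("rec-c3", 75_000, proof, bad_root))
```

A passing check shows only that your balance is among the liabilities the attestation counted. Whether the exchange holds assets matching the total of those liabilities is established separately by the third-party attestation.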

For post-FTX paranoia — which I fully understand and partially share — Kraken’s quarterly PoR is more reassuring than Coinbase’s “trust the audit.” The fact that Kraken publishes this proactively, not because they’re forced to, matters.

Regulatory Status and What It Means for Your Funds

Coinbase: Publicly traded on NASDAQ (ticker: COIN) since April 2021. Regulated as a US money services business (MSB), subject to SEC oversight for securities-related activities, FINRA-related compliance, and FinCEN registration. Annual Deloitte audit. This is the most regulatory exposure of any major US crypto exchange — which cuts both ways. More oversight means more compliance burden, but also more external accountability.

Coinbase also operates Coinbase Custody Trust Company, LLC — a New York-chartered trust company that provides institutional-grade custody separate from the retail exchange. For large holders, this is a meaningful additional layer.

Kraken: Registered with FinCEN as a money services business. Licensed in multiple US states and internationally. Kraken received a banking charter in Wyoming (one of the first crypto exchanges to do so), enabling it to operate as a Special Purpose Depository Institution (SPDI). Less publicly visible regulatory structure than Coinbase, but operationally serious.

Neither exchange is reckless on the regulatory front. The practical difference: Coinbase’s public company status means quarterly disclosures and SEC filings — which is why we know the 2025 breach cost $180–$400M in remediation. That transparency is valuable even when the news is bad.

The Bottom Line: Which Exchange Is Safer, Kraken or Coinbase?

Here’s my honest assessment after 12+ years in this space.

Kraken’s security profile is stronger on the core metrics that matter most:

  • 14+ years without a major hack
  • 95–97% cold storage, air-gapped
  • Quarterly Proof of Reserves (third-party attested)
  • Global Settings Lock, a feature Coinbase doesn't have
  • No SMS 2FA option (eliminates SIM-swap vector entirely)

Coinbase’s advantages are in ecosystem and accountability:

  • Publicly traded, SEC oversight, Deloitte annual audit
  • 98% cold storage (slightly higher than Kraken's stated figure)
  • FDIC coverage on USD cash balances (again: not crypto)
  • Larger US user base, better beginner UX, more on-ramps

The 2025 Coinbase breach doesn’t make Coinbase an unsafe exchange — it makes it a real company dealing with real operational security challenges. The cold storage wasn’t touched. Customers are being reimbursed. But the incident happened, and that matters in a “which is safer” comparison.

My personal approach: I use both. Coinbase for fiat on-ramps and occasionally to access Base network. Kraken as my primary trading exchange because the security architecture is better. If I’m holding significant amounts on an exchange — which I try to minimize — it’s Kraken.

If you’re just getting started, Coinbase is a reasonable first exchange for its ease of use and regulatory familiarity. As your portfolio grows and you start thinking more seriously about security, Kraken’s account hardening tools are worth learning. Check out my article on common Coinbase beginner mistakes — several of them are security-related.

If you’re actively trading and want the best fee structure alongside strong security, I’ve broken down Robinhood vs Coinbase Advanced fees in detail. And if bear market anxiety is driving the security paranoia, this is how I’ve survived three of them — position sizing matters as much as custody choices.

FAQ: Kraken vs Coinbase Security

Has Kraken ever been hacked?
No. Kraken has maintained a clean security record since its founding in 2011 — over 14 years without a major exchange-level breach resulting in customer fund losses. This is a genuine distinction in an industry with a long history of exchange hacks.

Was Coinbase hacked in 2025?
Not in the traditional sense. Coinbase’s cold storage (98% of assets) was not breached. However, in 2025, attackers bribed overseas customer support contractors to access internal systems and extract personal data on approximately 70,000 customers. Coinbase estimated remediation costs at $180–$400 million and pledged to reimburse affected customers. A former support agent was arrested in India in December 2025.

Does FDIC insurance cover crypto at Coinbase?
No. FDIC insurance at Coinbase applies only to USD cash balances, up to $250,000 per customer. Your cryptocurrency holdings are not FDIC-insured. Coinbase’s own insurance page states this explicitly.

What is Kraken’s Global Settings Lock?
The Global Settings Lock (GSL) is a Kraken security feature that freezes critical account changes — modifying 2FA, editing withdrawal addresses, changing email — for a configurable delay (minimum 24 hours). It acts as a buffer against attackers who gain access to your credentials, giving you time to detect and respond before damage is done. Coinbase does not have an equivalent feature.

Does Coinbase have Proof of Reserves?
Coinbase does not publish a traditional crypto Proof of Reserves. CEO Brian Armstrong has said that Coinbase’s annual Deloitte audit (as a public company) provides equivalent assurance. Kraken publishes quarterly PoR audits with third-party attestation.

Which has better 2FA — Kraken or Coinbase?
Kraken’s 2FA options are stronger. Kraken supports TOTP apps, hardware keys (YubiKey/FIDO2), and Passkeys — but notably does NOT support SMS 2FA, which eliminates the SIM-swap vulnerability. Coinbase supports TOTP, hardware keys, and SMS (which is the weakest option and has been exploited in past incidents). If you use Coinbase, disable SMS 2FA immediately.

Is my crypto safe on Coinbase or Kraken?
Both exchanges have solid cold storage setups (98% Coinbase, 95–97% Kraken). Neither has had its cold storage compromised. The realistic risk on any major exchange is operational incidents — insider threats, phishing, social engineering — rather than a direct cryptographic break. The best practice is to hold only what you need for active trading on any exchange, and self-custody the rest on a hardware wallet. Here’s my take on crypto position sizing as it relates to exchange risk.
