Crypto Archives · Keeper Shen's Notebook
Illustration: five copper sieves arranged by decreasing aperture, gold sand pouring through them by candlelight · forensic exchange-selection framework
Method · Lesson Two

5 Sieves to Pick a Crypto Exchange: A Forensic Pre-Mortem Framework

When Mt.Gox sank in 2014 we thought it was an isolated event: a small Tokyo company with sloppy management. When QuadrigaCX sank in 2019 we thought it was an isolated event: a Canadian founder who allegedly faked his own death. When FTX sank in 2022 we also thought it was an isolated event: an MIT physics graduate who got too deep into Effective Altruism. But after I put all eight case files on the same desk and read them in sequence, I realised they were not isolated. They share the same blueprint. This article distils that shared blueprint into five sieves, a pre-mortem checklist you can run against any exchange this afternoon. "Pre-mortem" is a play on the medical post-mortem: an autopsy performed before death, an honest assessment of how something will die while it is still alive enough to fix.

Introduction · Eight ships, one blueprint

I have written three book-length reconstructions for this archive — Mt.Gox, Luna, and FTX. The Chinese version of this lesson was published in May 2026 and it grew out of a notebook I kept while writing those three. After every chapter I would stop and ask: what was the earliest possible moment a careful outsider could have noticed something was wrong? Not the moment the bankruptcy was filed, not the moment the press caught on, but the moment the structural sign was already in public view. I started tabulating those moments. After eight wrecks the list collapsed into five categories. Those are the five sieves.

The eight wrecks in this study: Mt.Gox 2014, Bitfinex 2016, BitGrail 2018, Cryptopia 2019, QuadrigaCX 2019, Celsius 2022, Voyager 2022, FTX 2022. Each lost between $30 million and $8 billion in customer funds. Each was, at the time, considered a top-tier or at least respectable venue by some segment of the market. Each shared at least three of the five red flags I have since formalised into the sieves below. FTX hit all five. Bitfinex 2016 is the one partial exception: it sank for technical reasons (a multisig hot-wallet exploit) rather than governance ones, but even there, the absence of a user-protection fund forced Bitfinex to repay users with a token (BFX) that traded well below par until the exchange redeemed it in full in April 2017.

The structure of this lesson is four parts. First, a one-paragraph autopsy for each of the eight ships (so you can see the pattern before I name it). Second, the five sieves themselves — each with the historical origin, the verification procedure, and a hands-on test I ran on seven major exchanges in April-May 2026. Third, a scorecard that maps the five sieves into a four-tier position-sizing decision tree. Fourth, an explicit self-critique of where the framework fails. I am leaving that last section in because methodology pages that only tell you the method works without telling you when it does not are selling a product, not teaching a craft.

1. The eight collapses side by side

Each ship is summarised in one paragraph. Scale, loss, root cause, and the earliest public signal that something was structurally wrong. The point of this section is pattern recognition — read all eight together and the shared blueprint becomes obvious before I name it in the next section.

Mt.Gox 2014

Scale: at peak, over 70% of global BTC trading volume. Loss: roughly 850,000 BTC, about $480 million in 2014 dollars and over $51 billion at 2026 prices. Root cause: weak hot-wallet key management (later blockchain forensics traced most of the loss to a hot-wallet private key copied in 2011, with coins siphoned gradually through 2013), accounting that reconciled only aggregate balances, and no independent CFO; the transaction-malleability explanation the company gave in February 2014 accounts for at most a small fraction of the missing coins. Earliest signal (about nine months before sinking): in May 2013 US ICE seized the Dwolla account of Mt.Gox's US subsidiary, Mutum Sigillum LLC, for unlicensed money transmission; CEO Mark Karpelès publicly admitted "our codebase isn't all the way we'd like it" in a Wired interview the next month; the company had no independent CFO and never published any audited reserve report.

Bitfinex 2016

Scale: one of the top three USD/BTC venues in 2016. Loss: approximately 120,000 BTC, about $72 million in 2016 dollars and about $3.6 billion when the US DOJ seized roughly 94,000 of those coins in February 2022. Root cause: a multisig hot-wallet architecture implemented with BitGo as co-signer was compromised; the attackers obtained enough signing capability to clear the 2-of-3 threshold, and the exchange never published a full account of how. Outcome: Bitfinex did not go bankrupt. Instead it socialised the loss across all customers via a roughly 36% haircut represented by a "BFX token", redeemed at par by April 2017; this was the first time a major exchange used a token-for-haircut model to avoid Chapter-11-equivalent proceedings. Earliest signal: security researchers had publicly questioned Bitfinex's multisig implementation details for months before the breach; the questions were never answered. This is the one ship in the sample where the root cause is technical rather than governance, but even here, the absence of a user-protection fund is what forced the token-haircut workaround.

BitGrail 2018

Scale: small Italian exchange, but the primary trading venue for NANO. Loss: about 17 million NANO, roughly $170 million at the time. Root cause: founder Francesco Firano had been misappropriating customer deposits for years to cover his own trading losses; he ran two separate sets of books — a public one shown to users and an internal one that reflected the real cash position. Outcome: the Italian court system ruled Firano personally liable for the loss in 2019, but actual recovery for users was below 10%. Earliest signal: in the six months before the collapse, the NANO subreddit had a continuous string of user posts reporting withdrawal delays that the exchange would not explain publicly. I lost my own small NANO position here in 2017 — that experience is what eventually pushed me to start writing this archive.

Cryptopia 2019

Scale: mid-sized New Zealand exchange, around $5 billion monthly trading volume at peak. Loss: approximately $30 million, drained in a single hot-wallet exploit in January 2019. Root cause: primitive hot-wallet architecture — all supported tokens shared a single hot wallet with no per-asset segregation, so a single key compromise drained everything at once. Outcome: the New Zealand High Court ordered liquidation in May 2019; liquidation proceedings dragged into 2024 and ultimate recovery was below 50% of the affected balances. Earliest signal: three months before the main breach, a smaller anomalous withdrawal had occurred; the company did not publicly disclose it. Internal incident-response policy never matured.

QuadrigaCX 2019

Scale: Canada's largest crypto exchange at the time. Loss: approximately CAD$200 million (roughly $160 million USD). Root cause: founder Gerald Cotten reportedly died in India in December 2018; the company claimed only he held the cold-wallet keys. Forensic accounting by Ernst & Young revealed those "cold wallets" had been empty for months before his death: Cotten had been misappropriating customer funds for high-risk personal trading and could not replenish the gap. Outcome: EY as trustee and its counsel consumed a substantial share of the recovered estate in fees, and users received only a fraction of their claims. Earliest signal: in the second half of 2018, multiple major Canadian banks had begun refusing to process Quadriga settlements, citing AML concerns; the company never publicly disclosed this banking pressure.

Celsius 2022

Scale: the largest centralised crypto lending platform in the US at peak. Loss: approximately $4.7 billion in frozen customer deposits. Root cause: the platform promised up to 17% annual yields, which it generated by deploying customer deposits into high-risk DeFi protocols, including Anchor Protocol's 20% UST yield and stETH-ETH arbitrage. After Luna collapsed in May 2022 and the stETH discount to ETH widened in early June, Celsius paused withdrawals on June 12 and filed for Chapter 11 on July 13. Outcome: CEO Alex Mashinsky was indicted on seven federal counts including securities fraud in July 2023, pleaded guilty to commodities and securities fraud in December 2024, and was sentenced to 12 years in May 2025. Earliest signal: from late 2021, independent analysts had publicly questioned the sustainability of 17% yields; Mashinsky responded by labelling critics as "FUD" rather than addressing the underlying math.

Voyager 2022

Scale: publicly listed crypto broker (Toronto Stock Exchange: VOYG; OTC ticker VYGVQ after the bankruptcy filing). Loss: approximately $1.65 billion in customer deposits. Root cause: Voyager had lent approximately $670 million of customer funds to a single counterparty, Three Arrows Capital. When 3AC collapsed in June 2022 due to Luna exposure, Voyager could not recall the loan. Earliest signal: Voyager's early-2022 securities filings mentioned "concentration risk" in vague terms but never disclosed the specific $670M single-counterparty exposure. Disclosure aggregation, putting your largest counterparty exposure inside a "concentration risk" paragraph rather than naming it, is itself a red flag.

FTX 2022

Scale: the second-largest global crypto exchange before collapse. Loss: approximately $8 billion in customer-fund shortfall. Root cause: Alameda Research, a trading firm 90%+ owned by FTX founder Sam Bankman-Fried, had been drawing on customer funds through a per-account backend flag (identified in the SEC's complaint and in co-founder Gary Wang's trial testimony as allow_negative) that let its account run a negative balance with no collateral and no liquidation. Alameda lost roughly $8 billion in customer money during the Luna-3AC cascade. Full reconstruction is in Shipwreck Annals · Vol. III. Earliest signal: on November 2, 2022 CoinDesk published a leaked Alameda balance sheet showing that of $14.6B in stated assets, roughly $5.8B was FTT (unlocked plus pledged as collateral) and over a billion more was SOL, a circular-reserve structure in which the largest assets were tokens FTX itself issued or sponsored; any normal solvency analyst would have flagged it immediately. SBF responded on November 7 with the now-infamous tweet: "FTX is fine. Assets are fine." Four days later, on November 11, FTX filed for bankruptcy.

2. The shared early signals

The eight wrecks above split into four clusters by root cause: three were governance/fraud (BitGrail, Quadriga, FTX), two were leverage/yield failures (Celsius, Voyager, both 3AC-adjacent), one was a slow operator-side wallet failure (Mt.Gox, over years), and two were technical hot-wallet breaches (Bitfinex 2016, Cryptopia). Despite the different mechanisms, at least three of the same five structural signals appear in every wreck:

Signal | Ships flagged (of 8)
No independently-verified PoR | 6
Single-jurisdiction operation | 4
No user-protection fund | 8
Unsegregated affiliated trading/lending | 5
CEO statements show prior warnings | 4

Every ship hit at least three signals. FTX hit all five. Bitfinex 2016 is the outlier — it sank for technical reasons rather than governance ones — but even Bitfinex had no user-protection fund, which is what forced the BFX-token workaround. These five dimensions, inverted, are the five sieves.

Figure · Five Red Flags (Crypto Archives · Method · Lesson Two): 01 Monthly PoR · 02 3+ Tier-1 licences · 03 User fund · 04 Related-party isolation · 05 CEO credibility (the CEO talks like a person)

3. The five sieves

For each sieve I write four things: (1) why it matters, anchored to the historical wrecks; (2) the historical origin of the standard, because every standard came from somewhere; (3) the exact verification procedure I follow when re-running the scorecard; (4) the May 2026 hands-on result across seven major exchanges (Binance, Coinbase, Kraken, OKX, Bybit, Bitstamp, Gate.io). The hands-on results are the part you cannot fake — they require actually opening the exchange's PoR page, running the self-audit tool, and comparing the on-chain wallet to the published number. That is the part I redo every six months.

Sieve 1 · Monthly Proof of Reserves with zk-SNARK user liability proof, by an independent third party

Why it matters. Without PoR, you are letting the exchange say "we have $X" without letting you check. FTX, QuadrigaCX, and Celsius collectively absorbed nearly $13 billion in customer funds at November 2022 prices; none of them had ever published a meaningful PoR. If any one of them had been compelled to publish a Merkle-tree liability-side reserve report even once, the gap would have been visible. PoR is not a technical question. It is a question of whether the exchange is willing to let outsiders look at the books.

Historical origin. "Proof of Reserves" entered the crypto vocabulary in 2014, in the weeks after the Mt.Gox collapse, when Greg Maxwell and Peter Todd described the Merkle-tree approach and Kraken founder Jesse Powell engaged Stefan Thomas (then Ripple's CTO) to perform the first such audit. Thomas hashed Kraken's user balances into a Merkle tree and attested that Kraken's holdings covered the total, and users could check their own leaf; what it lacked was an accounting firm independent of the industry and any commitment to repeat it. The pattern most later exchanges copied was thinner still: asset-side only, a wallet balance with no liability tree at all, what the industry later called "half PoR." Between 2017 and 2022 PoR remained optional. Exchanges that wanted to publish one occasionally did; exchanges that did not, did not. There was no enforcement.

The standard hardened in the two weeks after FTX filed bankruptcy in November 2022. CZ publicly called for "all major exchanges to start monthly PoR" on Twitter; Binance put up its first Merkle-tree BTC reserve page on November 25, 2022 and published a Mazars agreed-upon-procedures report on December 7. The industry split: OKX followed in the same window, Kraken upgraded its long-running audit format, Bitfinex joined in December. Bybit waited until January 2023; Gate.io published a self-audit that was widely criticised as unverifiable. That split (who followed, who did not, and how long they took) is itself a useful filter, all in public record.

The 2024+ technical evolution: zk-SNARK liability proof. The first wave of post-FTX PoR used a Merkle sum tree: each user hashes their account ID and balance, checks that their leaf is included, and sees the sibling sums along the path to a root whose total is the claimed liability. The weakness is that each user can check only their own leaf and their own path. An exchange can therefore shave the balances of users unlikely to verify (real owed: 1 BTC; tree entry: 0.9 BTC), or insert a leaf with a negative balance to pull the root total down; a negative leaf is visible only to the user whose direct sibling it is, and once it is folded into a positive subtree sum it disappears from everyone else's path.

In February 2023 Binance added zk-SNARK proofs to its PoR pipeline and open-sourced the circuit. The proof commits to the Merkle root and proves, without revealing any individual balance, that every leaf balance is non-negative (the range check a bare Merkle tree lacks) and that the leaves sum to the published total X. The solvency claim, X ≤ on-chain assets, is then shown separately by proving control of the exchange's addresses, so the zk proof closes the liability side and the wallet attestation closes the asset side. Coinbase, being a US-listed public company, walks a different path: quarterly SOC reports plus independent third-party audit, with SEC 10-Q filings as a regulatory backstop. Both paths verify the liability side. The first is more real-time and more on-chain. The second has stronger legal recourse if the audit is fraudulent.

How to verify (step by step).

  1. Open the exchange's official site, search "Proof of Reserves" or "PoR" — if the page does not exist, this sieve scores zero for that exchange.
  2. Check the auditing firm. A Big Four firm or a large independent with a digital-asset practice (Deloitte, PwC, Mazars, Armanino, TheNetworkFirm) carries more weight than a small no-name accountant, but read the engagement type: the Mazars reports for Binance were agreed-upon-procedures reports, not audit opinions, and say so on the first page. Mazars paused its crypto PoR work on December 16, 2022, citing concern about how the reports were being understood by the public; Binance later switched to TheNetworkFirm (a spin-off of Armanino's crypto practice) from Period 6 onward. That switch is a publicly documented event, not an "abandoned by auditor" event.
  3. Check the frequency. Monthly beats quarterly, quarterly beats annual, no frequency commitment means no PoR. A five-month-old snapshot in a market this volatile is functionally expired food.
  4. Check whether the report covers liabilities. Asset-only PoR can be gamed: borrow crypto from a friend on snapshot day. Merkle tree plus zk-SNARK liability proof is the current strongest standard. If the report says "our BTC wallet balance is X" but does not say "user-side liability is Y, and X ≥ Y," the report's value is halved. Check too that the asset side comes with proof of address control (a message signed with each address's key, or a timed on-chain movement) rather than a bare list of addresses anyone could copy.
  5. Check whether you can self-verify. A good PoR provides a self-audit tool — enter your account hash, instantly see your balance included in the most recent Merkle Tree. Binance, OKX, Kraken all have this. One or two clicks from your account back-office.
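The Merkle sum tree behind steps 4 and 5, and the two ways an exchange can cook it that the zk-SNARK range proof exists to close, as an added Python example written for this lesson. It is not code from any exchange's PoR tool: the four balances, the 20-unit shortfall, the account names and the salts are constructed for the demonstration, and a real deployment gives every user a random salt and publishes the root in the signed report.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int            # sum of balances committed under this node


# Padding node for odd levels: zero balance, so padding can never change the total.
# (Duplicating the last node instead, a common shortcut, would double-count its balance.)
EMPTY = Node(sha(b"empty"), 0)


def leaf(user: str, balance: int, salt: bytes) -> Node:
    # The salt stops a neighbour from brute-forcing this balance from the sibling hash.
    return Node(sha(b"leaf|%s|%d|" % (user.encode(), balance) + salt), balance)


def parent(left: Node, right: Node) -> Node:
    # Both child sums are hashed in, so recomputing the root also binds the total.
    data = b"node|" + left.digest + b"%d|" % left.total + right.digest + b"%d" % right.total
    return Node(sha(data), left.total + right.total)


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level.append(EMPTY)
        levels.append([parent(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def prove(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    # Siblings bottom-up; the flag says whether the sibling sits on the left.
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib < index))
        index //= 2
    return path


def verify(root: Node, mine: Node, path: List[Tuple[Node, bool]], assets: int) -> Tuple[bool, str]:
    """What a user's self-audit tool can check: inclusion, the root total, and that
    nothing on *their own path* is negative. It cannot see any other leaf."""
    if mine.total < 0:
        return False, "own balance negative"
    node = mine
    for sib, sib_is_left in path:
        if sib.total < 0:
            return False, "negative sibling sum on path"
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    if node.digest != root.digest or node.total != root.total:
        return False, "leaf not included in published root"
    if root.total > assets:
        return False, "liabilities exceed attested assets"
    return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    salt = lambda u: sha(b"demo-salt-" + u.encode())          # constructed; real salts are random per user
    owed = {"alice": 100, "bob": 50, "carol": 30, "dave": 20}   # constructed balances, total 200
    assets = 180                                               # the exchange is 20 short
    real = {u: leaf(u, b, salt(u)) for u, b in owed.items()}
    out = {}

    # 1. Honest tree: root total is 200 > 180, so every verifier sees the shortfall.
    t = build_tree([real[u] for u in owed])
    out["honest_alice"] = verify(t[-1][0], real["alice"], prove(t, 0), assets)

    # 2. Haircut: dave (least likely to check) is recorded at 0. The root is 180,
    #    alice's proof is clean, and only dave's own check fails.
    t = build_tree([real["alice"], real["bob"], real["carol"], leaf("dave", 0, salt("dave"))])
    out["haircut_alice"] = verify(t[-1][0], real["alice"], prove(t, 0), assets)
    out["haircut_dave"] = verify(t[-1][0], real["dave"], prove(t, 3), assets)

    # 3. Negative leaf: a fake account holding -20 placed next to carol. Folded into
    #    (adjust + carol) = 10 it vanishes from alice's, bob's and dave's paths; only
    #    carol, whose direct sibling it is, can see it. A zk range proof over every
    #    leaf is what removes the dependence on who happens to check.
    order = [real["alice"], real["bob"], leaf("adjust", -20, salt("adjust")), real["carol"], real["dave"]]
    t = build_tree(order)
    for i, u in [(0, "alice"), (1, "bob"), (3, "carol"), (4, "dave")]:
        out["negative_" + u] = verify(t[-1][0], real[u], prove(t, i), assets)
    out["negative_root_total"] = (t[-1][0].total == assets, "root total matches attested assets")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} {result}")
```

Run it and scenario 3 is the one to dwell on: three of the four honest users get a clean "ok" against a root that exactly matches the attested assets, and the only thing standing between the exchange and a passed audit is whether carol bothers to click the self-audit button. That is the gap the zk-SNARK version closes by proving every leaf is non-negative without publishing any of them.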

May 2026 score (ordered by PoR strictness): Binance — monthly TheNetworkFirm + zk-SNARK + self-audit = 1.0; OKX — monthly + zk-SNARK + self-audit = 1.0; Kraken — monthly Merkle + self-audit = 0.95; Coinbase — PwC quarterly + SEC 10-Q backstop (no self-audit) = 0.9; Bybit — monthly + zk-SNARK + slow self-audit = 0.85; Bitstamp — KPMG quarterly (no self-audit) = 0.6; Gate.io — self-declared, no third party = 0.2.

Sieve 2 · At least three meaningful financial licences across major jurisdictions

Why it matters. Single-jurisdiction operation concentrates policy risk. Cryptopia died in single-jurisdiction New Zealand. BitGrail died in single-jurisdiction Italy. Mt.Gox was licensed nowhere: Japan had no exchange-licensing regime until 2017, and its US subsidiary was unregistered, which is what the 2013 Dwolla seizure was about. Multi-jurisdiction is not just policy-risk diversification; it also means at least three independent regulators have separately reviewed the compliance dossier. That is three independent rubber stamps, not one. If you suspect an exchange's compliance documents are window dressing, the cheapest disproof is not to hire an auditor; it is to check whether the same documents have cleared France AMF, a US state regulator (via the NMLS registry), and Singapore MAS, three regulators whose standards do not overlap.

Jurisdiction list with quality tiers. Crypto licences split into three tiers.

  • Tier 1 (genuinely hard to obtain): US New York NYDFS BitLicense (since 2015, about 35 issued in total, 18+ months average review); Japan FSA (capital floor 10M JPY, monthly compliance reporting, 95% cold-storage requirement); Singapore MAS DPT/MPI licence (issuance slow and selective, only a few dozen holders); Hong Kong SFC Type 1/7 (physical office plus designated responsible officer required); Germany BaFin crypto-custody licence (since 2020, full banking-act supervision; counted as Tier 1 in the roster below).
  • Tier 2 (medium bar): France AMF PSAN (MiCA-CASP authorisation available from December 30, 2024); Italy OAM (registration-based, weaker); Ireland Central Bank; UK FCA Crypto Registration.
  • Tier 3 (formally strict but substantively light): Dubai VARA (founded 2022, innovation-friendly but enforcement detail incomplete); Bahamas SCB (FTX had this one); Kazakhstan AFSA; Seychelles. Tier 3 is not bad in itself, but a single Tier-3 licence cannot substitute for Tier 1. FTX.com's customer assets sat under a Bahamas SCB registration alone; FTX US had a FinCEN MSB registration, and the licences that acquired subsidiaries held elsewhere did not cover FTX.com. That is the textbook single-Tier-3 case.

How to verify.

  1. Open the exchange's "Regulation" or "Licenses" page — usually in the footer or About sub-page. If the page does not exist, or only displays an image without licence numbers, score zero.
  2. Verify each licence at the regulator's public registry. FCA, AMF, OAM, VARA, FINTRAC, FSA, NMLS, MAS, SFC, BaFin all run public licensee directories. Company name plus licence number, 30 seconds to confirm.
  3. "Applied for," "in discussion," and "in-principle approval" do not count; only "issued and in force" counts. In-principle approvals were waved around throughout 2022-2023 in Dubai VARA and Hong Kong SFC cases, and an in-principle approval can still be 12-18 months away from operating permission.
  4. Tier weighting. A MiCA-CASP authorisation passports across the 27 EU member states, so it is worth roughly 4-5 single-state US money-transmitter licences; a NYDFS BitLicense still counts as Tier 1 in its own right. A US FinCEN MSB registration is a filing, not a licence, and should not be counted on its own.
  5. Verify the licence is still in force. Regulators publish suspension and revocation notices: the Bahamas SCB suspended FTX Digital Markets' registration on November 10, 2022, the day before the bankruptcy filing. A licence still displayed on the exchange's site may be only a historical record.

Hands-on · May 2026 licence roster for 7 major exchanges.

Exchange | Issued licences (excl. pending) | Tier-1 count | Total
Binance | France AMF MiCA-CASP / Italy OAM / Dubai VARA / Kazakhstan AFSA / El Salvador DASP / Argentina CNV / Bahrain CBB / Japan FSA (via Sakura acquisition) / Spain FIU / Poland KNF | 1 (Japan FSA) | 10+
Coinbase | US NYDFS BitLicense / US NMLS (45 states) / Ireland CB / Germany BaFin / Singapore MAS (MPI) / France AMF / UK FCA Crypto | 3 (NYDFS + MAS MPI + BaFin) | 7
Kraken | US NMLS (multi-state) / UK FCA / Ireland CB / Australia AUSTRAC / Canada FINTRAC | 0 (no BitLicense) | 5
OKX | Dubai VARA / Bahamas SCB / France AMF / Singapore MAS (basic, non-MPI) / US BitLicense pending | 0.5 (MAS basic) | 4
Bybit | Dubai VARA / Kazakhstan AFSA / Cyprus CySEC / Netherlands DNB (registered) | 0 | 4
Bitstamp | Luxembourg CSSF / UK FCA / US NYDFS BitLicense (held since 2019) / US NMLS / Italy OAM / Singapore MAS (MPI) | 2 (NYDFS + MAS MPI) | 6
Gate.io | Cayman CIMA / Lithuania / Hong Kong VATP (rejected once) | 0 | 2

The "Tier-1 count" column matters more than the total. Coinbase's three Tier-1 licences (NYDFS + Singapore MPI + BaFin) make up the highest-quality licensing roster in the industry today. Binance's total of 10+ but only one Tier-1 reflects its still-incomplete US position. Gate.io's two-licence total, none of them Tier 1, plus a Hong Kong VATP rejection, is exactly why it sinks to the bottom of this column.

May 2026 score: Coinbase 1.0 (Tier-1 depth, US coverage near-complete); Bitstamp 0.95 (European compliance veteran, MPI + CSSF dual cover); Binance 0.9 (broad coverage, thin Tier-1); Kraken 0.85 (US + EU + AU 5 jurisdictions, no Tier-1); OKX 0.65 (4 jurisdictions, thin Tier-1); Bybit 0.55 (4 jurisdictions, zero Tier-1); Gate.io 0.25 (2 jurisdictions, zero Tier-1, rejection record).

Sieve 3 · Public user-protection fund (with public dollar amount and on-chain verifiable wallet)

Why it matters. Across the eight ships in this study, not one had a real user-protection fund that could be drawn down for users. Even ships that died from external causes rather than fraud (Cryptopia hack) sent users to the back of the bankruptcy queue. Canadian Quadriga's liquidation was still ongoing in 2026, with trustee and counsel fees consuming a substantial share of the recovered estate and users receiving a fraction of their claims. The "SAFU" concept (Secure Asset Fund for Users) was invented by Binance in July 2018: 10% of every trading fee auto-routed to an independent wallet, on-chain visible. After FTX, most major exchanges adopted some version of it. That is a four-year evolution from passive bankruptcy queueing to active proactive coverage.

Three structural forms of "insurance fund" — they are not equivalent.

  • On-chain segregated wallet (Binance SAFU pattern): the exchange auto-routes a fixed % of trading fees into a publicly published on-chain address. The balance is checkable by anyone, the wallet is bankruptcy-remote from the exchange's main balance sheet — meaning even if the exchange itself fails, this fund is, in principle, available for user reimbursement. This is the strongest form.
  • Balance-sheet reserve (OKX, Bybit pattern): the exchange reserves a line on its corporate balance sheet labelled "user protection reserve" but does not segregate it into a separate wallet. This is still the exchange's money — if the exchange goes bankrupt, this reserve is dragged into the bankruptcy estate. Weaker than the segregated wallet form.
  • Commercial insurance (Coinbase pattern): the exchange purchases an insurance policy from Lloyd's, Munich Re, or similar. Strength: there is a real, legally enforceable claim. Weakness: policy terms are usually not public, coverage caps are limited, and most policies cover only specific events (typically hacks, not operator misappropriation).

Side-by-side fund comparison.

  • Binance SAFU: founded July 2018, auto-funded at 10% of spot + futures trading fees. Since January 2022 the SAFU wallet balance has been publicly pegged at $1 billion USD-equivalent (on-chain address publicly disclosed); in April 2024 Binance converted the fund entirely to USDC so the floor no longer moves with the market, and it has held the $1B floor through the 2024-2026 cycles. SAFU's documented draw-down is Binance's own May 2019 hot-wallet breach (about 7,000 BTC, roughly $40M at the time), reimbursed in full from the fund; the September 2020 KuCoin hack, by contrast, involved Binance freezing stolen coins that reached its platform, an exchange action rather than a SAFU payment. It also fully covered a small internal incident in 2022. It is currently the only exchange-protection fund with both an on-chain verifiable balance and a public draw-down history.
  • Coinbase Insurance: Lloyd's of London commercial cover for hot-wallet assets (cap roughly $250-350M depending on snapshot) plus FDIC pass-through insurance of up to $250K per account for USD balances held at partner banks. Limitations: policy terms not public (Lloyd's standard); exclusions probably exist for "operator misappropriation / insider theft", which is the meaningful difference vs. SAFU; and the FDIC cover applies only to US-dollar cash, only if the partner bank fails, not to crypto and not to a failure of Coinbase itself. Coinbase's status as a US-listed company provides additional structural protection (predictable bankruptcy process).
  • OKX Risk Reserve: in late December 2022, OKX published an on-chain wallet address with about $700M. Since then, the disclosure cadence has slipped — I checked the address in April 2026 and the balance fluctuated between $480-620M across the prior six months. Not negligible, but lacking the stability commitment of SAFU.
  • Bybit Protection Fund: publicly disclosed $500M in January 2023, upgraded to $600M in 2024, but no public on-chain wallet address. Status: balance-sheet reserve plus semi-public number. Better than internal silence, worse than SAFU.
  • Kraken: no independent on-chain SAFU; holds Lloyd's of London commercial cover (amount not public) plus FDIC for US dollar deposits.
  • Bitstamp: roughly 3% of total assets held offline plus EUR 300M+ commercial policy covering hack events. Conservative European compliance posture.
  • Gate.io: claimed a "$1B user protection fund" in 2023, but no on-chain wallet address and no independent third-party signature. This scores 0.3.

How to verify.

  1. Look for either a public dollar amount or a public on-chain wallet address with a verifiable balance. Neither = score zero.
  2. Check the structural form. Segregated on-chain wallet beats balance-sheet reserve beats commercial insurance with undisclosed terms.
  3. Calculate the ratio. Insurance fund divided by user-custodied total. SAFU $1B / Binance total custodied (~$80B at April 2026) = 1.25%. OKX, Bybit are in the 0.8-1.2% range. Below 0.5% is symbolic rather than substantive.
  4. Check draw-down history. Funds never drawn down have unproven operational mechanics. SAFU has a documented draw-down (the May 2019 Binance hot-wallet breach, reimbursed in full).
  5. Check disclosure cadence. One-time announcement followed by silence (Gate.io pattern) is a deduction.

May 2026 score: Binance SAFU 1.0 (on-chain + $1B + draw-down history); Coinbase commercial insurance 0.85 (terms not fully public, no operator-misappropriation cover); Bitstamp 0.75 (European policy + 3% offline reserve); Kraken 0.7 (commercial cover + FDIC, no on-chain); OKX 0.7 (on-chain but inconsistent disclosure); Bybit 0.65 (semi-public amount, no on-chain); Gate.io 0.3 (amount unverifiable).

Sieve 4 · No related-party trading firm, or independent audit of segregation

Why it matters. FTX-Alameda. Celsius's CEL-pump-and-borrow internal book. Voyager's single-counterparty 3AC exposure. Three different patterns, same underlying flaw: a corporate group operates both an exchange (or custodian) and an affiliated trading entity (or single counterparty), with no enforced wall between them. Traditional finance walls this off by statute: Glass-Steagall (1933) separated commercial banking from investment banking, and broker-dealer rules such as SEC Rule 15c3-3 require customer assets to be segregated from the firm's own. Crypto has no equivalent statute, so related-party isolation depends entirely on the exchange's self-discipline plus independent audit.

Counterexample · The FTX-Alameda commingling blueprint. When FTX launched in 2019, SBF had already been running Alameda for two years. FTX in the Bahamas, Alameda in Hong Kong then the US: nominally two companies. But the FTX backend contained a per-account flag, identified in the SEC's complaint and in co-founder Gary Wang's trial testimony as allow_negative, set on one account belonging to Alameda. With it set, that account could run a negative balance and was exempt from auto-liquidation, so it could draw customer funds well beyond posted collateral. Post-bankruptcy CEO John J. Ray III (the same John Ray who handled Enron) described the effect in his first-day declaration as a secret exemption of Alameda from FTX.com's auto-liquidation protocol.

Alameda used that switch to borrow roughly $8 billion during the Luna-3AC cascade in mid-2022. That is the source of FTX's customer shortfall. In US securities law, the structural term for this is "commingling." Its essence: a single principal controls Company A and Company B; when Company B loses money, Company A's customer funds flow to Company B without resistance. The flow requires neither a wire transfer nor a paper trail — it requires only a backend boolean.
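The difference between a collateral check that one boolean can switch off and a ledger that enforces segregation as an invariant, as an added Python illustration written for this lesson. It is a constructed model of the pattern the text describes, not FTX's code: the three customer deposits, the 8,000-unit draw, the 1,000 of house capital and the account name "affiliate" are made up, and the real backend was far larger than this.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet


class CollateralError(Exception):
    pass


# Constructed customer book (units are arbitrary); not real balances.
CUSTOMER_DEPOSITS = {"alice": 5_000, "bob": 3_000, "carol": 2_000}


@dataclass
class OmnibusLedger:
    """One pot of coins, one dict of balances, and a per-account override.
    Models the pattern the text describes (a backend boolean that lets an
    affiliate run negative); it is not FTX's code."""
    wallet: int = 0                                            # coins actually in the omnibus wallet
    balances: Dict[str, int] = field(default_factory=dict)
    allow_negative: Dict[str, bool] = field(default_factory=dict)

    def deposit(self, acct: str, amt: int) -> None:
        self.wallet += amt
        self.balances[acct] = self.balances.get(acct, 0) + amt

    def withdraw(self, acct: str, amt: int) -> None:
        new_bal = self.balances.get(acct, 0) - amt
        if new_bal < 0 and not self.allow_negative.get(acct, False):
            raise CollateralError(f"{acct}: insufficient balance")
        self.balances[acct] = new_bal
        self.wallet -= amt                 # coins leave; nothing asks whose they were

    def shortfall(self) -> int:
        # Customers are owed their positive balances; an affiliate's negative balance
        # is an IOU to the exchange, not money the customers can withdraw.
        owed = sum(b for b in self.balances.values() if b > 0)
        return max(0, owed - self.wallet)


@dataclass
class SegregatedLedger:
    """Customer coins and house capital live in different pots, affiliates have no
    customer balance at all, and every mutation re-checks the invariant
    customer_wallet >= sum(customer balances). There is no override field to flip."""
    affiliates: FrozenSet[str] = frozenset()
    customer_wallet: int = 0
    house_capital: int = 0
    balances: Dict[str, int] = field(default_factory=dict)

    def _check(self) -> None:
        owed = sum(self.balances.values())
        if self.customer_wallet < owed:
            raise AssertionError(f"segregation breached: wallet {self.customer_wallet} < owed {owed}")

    def deposit(self, acct: str, amt: int) -> None:
        if acct in self.affiliates:
            self.house_capital += amt      # affiliate money is house money
            return
        self.customer_wallet += amt
        self.balances[acct] = self.balances.get(acct, 0) + amt
        self._check()

    def withdraw(self, acct: str, amt: int) -> None:
        if acct in self.affiliates:
            self.lend_to_affiliate(acct, amt)
            return
        if amt > self.balances.get(acct, 0):
            raise CollateralError(f"{acct}: insufficient balance")
        self.balances[acct] -= amt
        self.customer_wallet -= amt
        self._check()

    def lend_to_affiliate(self, acct: str, amt: int) -> None:
        # The only source for an affiliate loan is house capital; customer_wallet is never touched.
        if acct not in self.affiliates:
            raise ValueError(f"{acct} is not a registered affiliate")
        if amt > self.house_capital:
            raise CollateralError(f"{acct}: house capital {self.house_capital} < {amt}")
        self.house_capital -= amt

    def shortfall(self) -> int:
        return max(0, sum(self.balances.values()) - self.customer_wallet)


def run_demo() -> Dict[str, object]:
    legacy = OmnibusLedger()
    for acct, amt in CUSTOMER_DEPOSITS.items():
        legacy.deposit(acct, amt)
    try:                                            # with the flag off, the check works
        legacy.withdraw("affiliate", 8_000)
        refused_without_flag = False
    except CollateralError:
        refused_without_flag = True
    legacy.allow_negative["affiliate"] = True       # the entire control is this one boolean
    legacy.withdraw("affiliate", 8_000)             # succeeds from a zero balance

    hardened = SegregatedLedger(affiliates=frozenset({"affiliate"}))
    for acct, amt in CUSTOMER_DEPOSITS.items():
        hardened.deposit(acct, amt)
    hardened.deposit("affiliate", 1_000)            # 1,000 of real house capital
    try:
        hardened.withdraw("affiliate", 8_000)
        hardened_refused = False
    except CollateralError:
        hardened_refused = True
    return {
        "legacy_refused_without_flag": refused_without_flag,
        "legacy_shortfall": legacy.shortfall(),     # customers owed 10,000, wallet holds 2,000
        "hardened_refused": hardened_refused,
        "hardened_shortfall": hardened.shortfall(),
        "house_capital_left": hardened.house_capital,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it and the legacy ledger reports an 8,000 shortfall while every balance it prints looks tidy; the hardened ledger refuses the draw at 1,000 of house capital, and its invariant check would raise on any code path that tried to route around it. Sieve 4 is the question of which of these two shapes an exchange's books have, and the only outside evidence of the second shape is a segregation audit.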

Counterexample-by-comparison · Binance Labs / Binance Charity / Binance Pay. Binance also operates affiliated entities, but the structure differs fundamentally from FTX/Alameda. Binance Labs (renamed YZi Labs in January 2025) is a VC arm that invests in external crypto projects (current portfolio approximately $3.5B in Polygon, StarkWare, Curve, etc.); it does not trade on binance.com. Binance Charity is a foundation with no trading function. Binance Pay is a payments rail with independent books. None of these three entities operates a backend interface to "borrow user funds" from the main exchange.

This distinction was tested in 2023. The US SEC's June 2023 complaint alleged that customer funds had been commingled with accounts of Merit Peak, a Zhao-controlled trading firm, and that the affiliated market maker Sigma Chain had wash-traded on Binance.US; the SEC dismissed the case with prejudice in May 2025 without any finding that customer funds were misappropriated. The separate $4.3B settlement of November 2023 with the DOJ, FinCEN, OFAC and the CFTC covered anti-money-laundering, sanctions and unregistered-derivatives violations (US user access among them), not misappropriation of customer funds. That outcome does not certify Binance as perfect, and the Merit Peak allegation is exactly why this sieve asks for segregation audits rather than assurances, but it does establish that the related-entity structure is materially different from the FTX/Alameda blueprint.

Counterexample-by-comparison · Coinbase as a US-listed public company. Coinbase listed directly on NASDAQ in April 2021 (ticker COIN). The act of listing is itself a hard isolation: SEC requires 10-K annual and 10-Q quarterly disclosure of all related-party transactions; CEO Brian Armstrong's personal crypto-company stakes must be reported. Coinbase Ventures (the investment arm) uses an independent LP structure; Coinbase Custody operates as a separate legal entity. The compliance overhead is real — public-company compliance runs roughly $40-50M/year — but in exchange you get the strongest guarantee in the industry that customer funds cannot flow to a CEO's private projects. This is the cleanest structure available today. The trade-off is that it requires the exchange to accept the burden of being a US-listed public company.

Hands-on · May 2026 related-party disclosure across 7 exchanges.

Exchange | Affiliated market maker | Segregation audit | Structural clarity
Binance | None (Merit Peak previously spun out) | No standalone SOC 2 but full compliance reporting | Reasonable (VC + Charity + Pay, separately bookkept)
Coinbase | None | SEC quarterly mandatory disclosure | Highest (US-listed)
Kraken | No major affiliates | Not public, but annual independent audit | Reasonable
OKX | OKB ecosystem deeply integrated | No standalone SOC 2 | Medium (OKB holding concentration not disclosed)
Bybit | Mirana Ventures (relationship unclear) | None | Low (Mirana shares executives with Bybit)
Bitstamp | None | European compliance + KPMG annual audit | Reasonable
Gate.io | GT token + spin-off entities undisclosed | None | Low

How to verify.

  1. Search whether the controlling shareholder or CEO simultaneously controls other crypto companies. OpenCorporates, SEC EDGAR, Hong Kong Companies Registry all free.
  2. If affiliated entities exist, check whether a SOC 2 Type 2 or equivalent independent attestation covers segregation. SOC 2 Type 2 is an AICPA attestation that controls operated effectively over a period against the Trust Services Criteria (security, availability and so on); it is still uncommon in crypto (Coinbase Custody has one, Anchorage has one). Read the system description: a SOC 2 scoped only to the trading platform's security controls says nothing about whether client assets are segregated.
  3. Check whether the exchange discloses its largest single-counterparty exposure (Voyager didn't; FTX didn't). A MiCA-CASP authorisation brings prudential and conflict-of-interest disclosure obligations, so an EU-licensed exchange has fewer excuses for leaving this blank.
  4. Check CEO LinkedIn and corporate-registry filings — a CEO concurrently serving as director of multiple crypto entities loses 0.5 of a point.
  5. Platform tokens. An exchange issuing a token (BNB, OKB, GT, KCS) is not itself a problem, but the token being accepted as collateral or margin on the same exchange is a related-party risk, because the exchange is then lending against an asset whose price it influences. BNB's main use on Binance is fee discounts, though it is also accepted as margin collateral in some products, so check the haircut the exchange applies to its own token; OKB has a deeper application footprint on OKX.

May 2026 score: Coinbase 1.0 (US-listed mandatory disclosure); Bitstamp 0.95 (European compliance + KPMG); Kraken 0.9 (simple structure, no major affiliates); Binance 0.9 (VC isolated from main, Merit Peak spun out); OKX 0.65 (deep OKB ecosystem); Bybit 0.55 (Mirana ambiguity); Gate.io 0.35 (GT + spin-offs undisclosed).

Sieve 5 · CEO public statement track record

Why it matters. Karpelès in 2013 ("our codebase isn't all the way we'd like it"). Bankman-Fried in 2022 ("our risk management is basically a spreadsheet"). Mashinsky in 2021 ("either the bank is lying or Celsius is lying"). Do Kwon in May 2022 ("deploying more capital, steady lads"). Stephen Ehrlich in early 2022 ("our deal with 3AC is well-collateralised"). Six death notices, all delivered in plain English, all in advance. When I built my first version of this framework in 2024, I weighted Sieve 5 at half-strength because it felt softer than the structural sieves. After running the framework for fifteen months I found Sieve 5's predictive accuracy actually exceeded the structural sieves combined. So now it carries equal weight.

Counterexamples · the original-language death notices.

  • Mark Karpelès (Mt.Gox), Wired interview June 2013: "Our codebase isn't all the way we'd like it. We have bigger fish to fry." The problem with this sentence is not that the code was imperfect — every codebase is imperfect — but that the CEO of the entity holding 70% of global BTC liquidity was labelling his own code modernization as "not a priority." That is a priority-ordering red flag.
  • Sam Bankman-Fried (FTX), Bloomberg Odd Lots podcast, August 2022: "Our risk management is basically a spreadsheet with formulas in it." FTX was valued at $32 billion and held $16 billion in customer custody at the time. Two months later "the spreadsheet" failed to prevent Alameda from borrowing $8 billion.
  • Alex Mashinsky (Celsius), December 2021 YouTube AMA, in response to an analyst question about 17% yield sustainability: "Either the bank is lying or Celsius is lying. We're not lying." At that point Celsius had already deployed 25% of customer funds into Anchor/stETH; Anchor's 20% rate was itself structurally unsustainable. Branding analytical critics as "liars" is one of the most reliable single-sentence death notices in this industry.
  • Do Kwon (Terra/Luna), Twitter May 9, 2022: "Deploying more capital - steady lads." UST had de-pegged that day; Luna was at $64. Three days later Luna was $0.0001 and the Terra ecosystem was zero. Full reconstruction in Shipwreck Annals · Vol. II.
  • Stephen Ehrlich (Voyager), early 2022 conference call: "Our deal with 3AC is well-collateralized." Actual collateralisation ratio was under 10%. Two months later Voyager filed Chapter 11.
  • SBF's last tweet before the freeze, November 7, 2022: "FTX is fine. Assets are fine." Four days later FTX filed for bankruptcy protection in Delaware. Probably the most-quoted death notice in the industry's history.

Counterexamples-by-comparison · transparent-CEO speech patterns.

  • CZ (Changpeng Zhao, Binance founder, stepped down November 2023): during the FTX cascade in November 2022, CZ publicly acknowledged "we hold a small amount of FTT, we're evaluating divestment" — proactive transparency. After the November 2023 DOJ settlement, he personally tweeted that the $200M personal fine and 4-month sentence "is taking responsibility." No deflection to executives or regulators. That pattern of "specific number plus acknowledged accountability" was consistent across the five-year window I have on record.
  • Richard Teng (Binance current CEO, succeeded November 2023): former Singapore MAS senior official and Abu Dhabi ADGM senior official, traditional regulator background. Speech style since taking the chair has been notably restrained — quarterly compliance updates, regulator dialogue summaries, user-protection disclosures, almost no emotionally charged tweets. That restraint is itself a credibility signal in this industry.
  • Brian Armstrong (Coinbase): US-listed CEO required to personally appear on quarterly earnings calls (CFO substitution not permitted). 2022-2026 record contains zero "guaranteed return" statements. During the 2023 SEC lawsuit period he publicly said "we will fight this in court, we will not respond with emotional tweets" — a posture that cost the stock 20% short-term but proved correct (Coinbase prevailed in part in 2024).
  • Nejc Kodrič / Jean-Baptiste Graftieaux (Bitstamp former / current CEOs): European low-profile style. Annual and quarterly compliance reports filed on time, very little media presence — in this industry, that combination is a scarce asset.

How to verify.

  1. Search the CEO's name plus "podcast" plus "interview" — listen to 2-3 of the most recent public conversations. YouTube and Apple Podcasts are the direct channels.
  2. Watch for four negative signals: (1) risk-appetite bragging ("we're the most aggressive"); (2) regulator-contempt remarks ("regulators don't understand"); (3) ad-hominem on competitors; (4) blanket dismissal of every concern as "FUD."
  3. Watch for three positive signals: (1) willing to acknowledge errors using specific words rather than "we are constantly improving" boilerplate; (2) cites specific numbers (user count, reserve ratio, liquidity depth); (3) discusses risk-management details (team size, tools, audit cadence).
  4. Look longitudinally across five years — a CEO's consistency over five years is more informative than any single interview. Twitter history plus older interview videos are all free archives.
  5. Confirm whether the CEO personally appears on quarterly earnings calls (public companies) or monthly AMAs (private companies). A CEO who lets the CFO or PR team stand in for the entire call loses 0.5 of a point.

May 2026 score: Brian Armstrong (Coinbase) 0.95 (listed-company transparency); Richard Teng (Binance) 0.9 (regulator background + restraint); Jean-Baptiste Graftieaux (Bitstamp) 0.85 (European low-profile); Dave Ripley (Kraken since 2023) 0.75 (short tenure, insufficient longitudinal data); Star Xu (OKX) 0.6 (limited public statements, insufficient longitudinal data); Ben Zhou (Bybit) 0.6 (neutral); Lin Han (Gate.io) 0.45 (public statements include unsupported "industry-largest protection fund" claims).

Keeper's side note

Sieve 5 is the one I underestimated. It is the softest of the five — it does not look structural — but in fifteen months of running the framework, every wreck-bound CEO had said something in the prior 6-12 months that, in retrospect, was a clear death notice. The phrase "in retrospect" is doing a lot of work in that sentence — you cannot hear the death notice in real time without a frame of reference. The frame is built by reading the prior wrecks. That is what the eight ships above are for. Read them often enough and Sieve 5 starts to fire in advance.

4. May 2026 scorecard for 7 exchanges

Adding all five sieves (each scored 0-1, max total 5) for the seven exchanges I cover. Latest re-run May 18, 2026. The order below is by total score, then by tier classification.

Exchange | Sieve 1 PoR | Sieve 2 Licences | Sieve 3 User fund | Sieve 4 Isolation | Sieve 5 CEO | Total | Tier
-------- | ----------- | ---------------- | ----------------- | ----------------- | ----------- | ----- | ----
Binance | 1.0 | 0.9 | 1.0 | 0.9 | 0.9 | 4.7 / 5 | Main portfolio
Coinbase | 0.9 | 1.0 | 0.85 | 1.0 | 0.95 | 4.7 / 5 | Main portfolio
Kraken | 0.95 | 0.85 | 0.7 | 0.9 | 0.75 | 4.15 / 5 | Secondary
Bitstamp | 0.6 | 0.95 | 0.75 | 0.95 | 0.85 | 4.1 / 5 | Secondary
OKX | 1.0 | 0.65 | 0.7 | 0.65 | 0.6 | 3.6 / 5 | Secondary
Bybit | 0.85 | 0.55 | 0.65 | 0.55 | 0.6 | 3.2 / 5 | Cautious
Gate.io | 0.2 | 0.25 | 0.3 | 0.35 | 0.45 | 1.55 / 5 | No tier

Evidence · #1 Binance Proof of Reserves Period 35 cover
Issued by TheNetworkFirm · April 2026 audit
Source: binance.com/en/proof-of-reserves
An independent third-party PoR report typically contains three sections: (1) on-chain asset balance, (2) user-side liability via Merkle Tree + zk-SNARK, (3) gap status (ideal: zero or negative, i.e. over-reserve). FTX never published a report in anything resembling this format.

Decision tree · How scores map to position sizing

Having the score is only half the work — you also need the rule that translates the score into a position size. I have used the four-tier rule below for eighteen months and re-tested it three times. The mapping is intentionally conservative because the cost of being wrong on the upside is small (slower wealth growth) and the cost of being wrong on the downside is total loss.

  • Main portfolio tier (4.5/5 and above): can hold your primary trading position (50-70% of your crypto net worth). May 2026 — only Binance and Coinbase clear this bar. Pick one as your main, hold the other as backup. I personally use Binance as my primary because of broader Asia-Pacific fiat ramps, wider asset support (350+ vs Coinbase ~250+), and Affiliate fee discount stacking that lowers total fee drag. If you transact primarily in USD or USDC in North America, Coinbase is the more rational primary choice.
  • Secondary tier (3.5-4.5/5): position under 30% of total assets. May 2026 — Kraken, Bitstamp, OKX. The core uses of a secondary tier: (1) evacuation channel if your primary pauses withdrawals; (2) backup for assets or regions your primary does not support; (3) cross-venue arbitrage counterpart. Secondary tier should not carry long-term holdings.
  • Cautious tier (2.5-3.5/5): experimental position only, under 10% of total. May 2026 — Bybit. The defining characteristic of this tier is "strong on some dimensions, structurally weak on others" — Bybit's derivatives depth is excellent but related-party transparency is below par. Use for short-dated experiments, do not park long-term funds here.
  • No-tier (2.5/5 and below): zero allocation. May 2026 — Gate.io, HTX (formerly Huobi), KuCoin. This is not a guarantee that these venues will fail; it is a statement that the structural risk premium for holding funds there is not justified. Choose a higher-tier venue for similar functionality.
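As an added worked example (my own illustration for this lesson, not tooling from the archive or from any exchange), here is the scorecard aggregation and the four-tier decision rule written out as runnable Python. It takes the May 2026 per-sieve values from the table above, sums them into the 0-5 total, maps the total to a tier with its allocation cap, and flags the single-sieve trigger from the re-run rule (any sieve at 0.5 or below). It also includes a small helper that shows the "AND rather than OR" property: raising Bybit's PoR sieve to a perfect 1.0 still leaves it in the cautious tier. Two details are assumptions rather than the text's own: a total of exactly 3.5 is placed in the secondary tier (the tier ranges overlap at that edge), and the allocation cap is the upper bound of each tier's stated range.

```python
"""Five-sieve scorecard: totals, tier mapping and single-sieve triggers.

Added illustration; not the archive's own tooling. Per-sieve values are the
May 2026 scorecard from the article. Tier floors follow the decision tree;
placing a total of exactly 3.5 in the secondary tier is an assumption.
"""
from dataclasses import dataclass

SIEVES = ("PoR", "Licences", "User fund", "Isolation", "CEO")

# May 2026 per-sieve scores (0-1 each), copied from the scorecard table.
SCORECARD = {
    "Binance":  (1.0, 0.9, 1.0, 0.9, 0.9),
    "Coinbase": (0.9, 1.0, 0.85, 1.0, 0.95),
    "Kraken":   (0.95, 0.85, 0.7, 0.9, 0.75),
    "Bitstamp": (0.6, 0.95, 0.75, 0.95, 0.85),
    "OKX":      (1.0, 0.65, 0.7, 0.65, 0.6),
    "Bybit":    (0.85, 0.55, 0.65, 0.55, 0.6),
    "Gate.io":  (0.2, 0.25, 0.3, 0.35, 0.45),
}

# A single sieve at or below this value is the "reduce exposure this quarter"
# trigger from the re-run rule.
WEAK_SIEVE = 0.5


@dataclass(frozen=True)
class Assessment:
    exchange: str
    total: float
    tier: str
    max_allocation: float      # upper bound of the tier's stated range (assumption)
    weak_sieves: tuple         # names of sieves at or below WEAK_SIEVE
    reduce_exposure: bool      # a weak sieve while the tier allows an allocation


def total_score(scores):
    """Sum five 0-1 sieve scores into the 0-5 total; reject malformed input."""
    if len(scores) != len(SIEVES):
        raise ValueError(f"expected {len(SIEVES)} sieve scores, got {len(scores)}")
    if any(not 0.0 <= s <= 1.0 for s in scores):
        raise ValueError("each sieve score must lie in [0, 1]")
    return round(sum(scores), 2)


def tier_for(total):
    """Decision-tree tier and allocation cap for a 0-5 total.

    'Main' at 4.5 and above and 'No tier' at 2.5 and below are the article's
    own edges; sending a total of exactly 3.5 to 'Secondary' is an assumption.
    """
    if total >= 4.5:
        return "Main portfolio", 0.70
    if total <= 2.5:
        return "No tier", 0.0
    if total >= 3.5:
        return "Secondary", 0.30
    return "Cautious", 0.10


def assess(exchange, scores):
    """Full assessment: total, tier, cap and the single-sieve trigger."""
    total = total_score(scores)
    tier, cap = tier_for(total)
    weak = tuple(name for name, s in zip(SIEVES, scores) if s <= WEAK_SIEVE)
    return Assessment(exchange, total, tier, cap, weak, bool(weak) and cap > 0)


def rank_scorecard(scorecard):
    """Assessments ordered by total (descending), exchange name breaking ties."""
    rows = [assess(name, scores) for name, scores in scorecard.items()]
    return sorted(rows, key=lambda a: (-a.total, a.exchange))


def with_sieve(scores, sieve, value):
    """Copy of `scores` with one sieve replaced; used to show the AND property."""
    idx = SIEVES.index(sieve)
    return tuple(value if i == idx else s for i, s in enumerate(scores))


if __name__ == "__main__":
    for a in rank_scorecard(SCORECARD):
        flag = " (reduce exposure)" if a.reduce_exposure else ""
        print(f"{a.exchange:9} {a.total:4.2f}/5  {a.tier:15} cap {a.max_allocation:.0%}{flag}")
    # A perfect PoR sieve does not lift Bybit out of the cautious tier.
    lifted = assess("Bybit", with_sieve(SCORECARD["Bybit"], "PoR", 1.0))
    print(f"Bybit with PoR=1.0: {lifted.total}/5 -> {lifted.tier}")
```

Running the block reproduces the table's ordering and tiers; `with_sieve` is the quickest way to check the "no single-stat optimisation" point for any venue before you re-run the scorecard in November.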

Re-run cadence: this scorecard must be re-run every six months. The May 2026 version's next scheduled refresh is November 2026 (I always do a forced refresh around the November anniversary of FTX). Out-of-band refresh triggers: any major exchange receiving a regulatory action, any major exchange's CEO making a Sieve-5-style statement, any major exchange missing a PoR cadence.

Two notes on this table.

  1. It is not saying Binance is better than Coinbase or vice versa. Both at 4.7/5 means both clear all five sieves. The remaining differences are product functionality, regional availability, asset support — secondary dimensions not in scope here.
  2. It reflects May 2026 only. The substantive content of the five sieves will evolve. By 2027 the framework may need to add "real-time on-chain auditability" or "AI-based risk-management transparency." Re-run every six months; do not treat any single version as permanent.

5. Framework limits · self-critique

A methodology page that only argues for its own correctness is selling a product. So this section argues against it.

Limit 1 · FTX scored 3.5-4/5 in similar frameworks in October 2022 and still collapsed

One month before FTX collapsed, you could have searched "FTX safety review" in English crypto media and found at least five articles giving it 4/5 or 5/5: regulatory licensing (Bahamas SCB plus US MSB plus state licences), PR profile (SBF on Vogue cover, running for US Congress), CEO public statements "looked" restrained, product depth strong, user numbers large. Even running my current five sieves against October-2022 FTX, it would have scored 3.5/5 — the PoR and user-protection sieves would have cost points, but at the time those two were not yet treated as mandatory in mainstream frameworks.

So the framework has a fundamental blind spot: hidden related-party commingling is invisible from outside. The FTX/Alameda "allow_negative_balance" backend switch was discovered by John Ray III's team digging through the codebase post-bankruptcy. No external audit, no regulatory due diligence, no user research could have seen it in October 2022. The lesson is: 5/5 ≠ 100% safe. The framework filters out major structural risk but is nearly powerless against internal hidden commingling. Even when using a main-tier exchange, the Lesson One principle still applies — long-duration funds belong in self-custody hardware wallets, exchanges hold only what you intend to trade in the near term.

Limit 2 · Mt.Gox scored 0/5 — but in 2014 this framework did not exist

Call-back to Shipwreck Annals · Vol. I. Mt.Gox in 2014 would have scored zero across all five sieves (no PoR, single Japan jurisdiction, no insurance, no affiliated market maker but messy books, Karpelès already showing death-notice statements). The catch is — in 2014 these five sieves did not exist as a popular framework. The term "Proof of Reserves" was introduced in March 2014, only months before Mt.Gox actually filed bankruptcy.

So historically the framework is "using 2026 standards to retroactively grade 2014 events" — useful for retrospective learning, but it did not exist at the time. Every framework has a birth date. Events before the birth date can be retrospectively scored but should not be treated as if the participants could have used it. The corresponding implication for today: by 2030 we may consider the current five sieves insufficient, because by then we may need "real-time on-chain audit + AI behaviour analysis + cross-exchange counterparty risk graph." The framework must be upgraded periodically — never treat it as eternal truth.

Limit 3 · Celsius scored 2.5-3/5 in 2021 — should it have been cautious tier or no tier?

Celsius at peak 2021 scored about 2.5-3/5 against the current sieves (no PoR; US single-jurisdiction; $100M commercial cover but under 1% of custodied amount; deep CEL-token entanglement with the CelsiusNetwork legal entity; Mashinsky public statements already showing red flags). Under the current decision tree, 2.5-3.5 is the cautious tier — meaning under 10% experimental allocation. But Celsius's eventual customer loss was $4.7 billion, and a large share of those losers were "drawn in by 17% yield and parked over 50% of their crypto net worth."

The real lesson from Celsius is not that the framework's score was wrong. It is that the framework only helps people who actually follow the position-sizing rule. A 3/5 venue offering 17% yields, allocated by a user at 100% of net worth, cannot be rescued by any framework. That phrasing sounds obvious. It nevertheless describes a major share of the 2022 cascade losses.

Limit 4 · Reader-suggested 6th sieve candidates · why I have not added them yet

Over the past eighteen months readers have suggested several candidate sixth sieves. My reasoning on each:

  • Off-balance-sheet currency operations disclosure (Candidate A). Suggested because Celsius used a stablecoin + fiat + DeFi-protocol combination for substantial "off-book" capital movement that normal audits did not catch. I considered it and ultimately did not add it — verification cost is too high for a typical user (requires full SOC 1 access). Subsumed into Sieve 4 (related-party isolation) as an extension.
  • Internal-transfer delay (Candidate B). Suggested because BitGrail and Cryptopia both showed withdrawal-delay reports in the three months before collapse. Not added — this is a lagging indicator that surfaces in user-forum reports, which is itself already covered by Sieve 5 (CEO response pattern). A CEO's response pattern to delay reports (public acknowledgement vs. DMing the poster to delete) carries more information than the delay itself.
  • Mandarin customer-support response time (Candidate C). Suggested by mainland China users. Not added — this is a product-experience dimension, not a structural-risk one. Good support does not prevent collapse (FTX support was still pleasant in October 2022); mediocre support does not cause collapse.
  • Anti-money-laundering (AML) enforcement history (Candidate D). Suggested because Binance had a $4.1B settlement in 2023 and OKX had AML actions in 2024. I half-added it — folded into Sieve 2 (multi-jurisdiction licensing) as an extension dimension. Having been fined by a regulator is not by itself a deduction (it means the regulator looked at you); repeated similar violations without remediation is the deduction. Binance had no repeat violations in 2024-2026 after the 2023 settlement, so this does not affect its current score.

I expect to upgrade five sieves to six sometime in 2027. The current reason for staying at five: memorability (most people can carry five items mentally, six starts to slip) plus historical comparability (five sieves have data across all eight shipwreck samples).

Editor's hands-on · three findings from 24 months of running this framework

Over the 2024-2026 cycle I have refreshed this scorecard six times (every four months on average, with the formal version every six months). Three observations from doing it personally rather than abstractly:

  1. The Bitstamp surprise. When I first built the framework I assumed European exchanges would score lower than US ones due to less aggressive marketing. The opposite turned out to be true — Bitstamp's combination of Luxembourg CSSF, Singapore MAS MPI, KPMG quarterly audit, and notably quiet executive team scored 4.1/5, higher than Kraken. The lesson: in this industry, the exchanges that talk least about safety often have the strongest structural safety. Marketing budget is anti-correlated with actual reserves discipline more often than you would expect.
  2. The Bybit Lazarus moment. Bybit's February 2025 $1.4B frontend-signing hijack (full reconstruction in the Black Swans cornerstone) initially looked like it should crater Bybit's Sieve 5 score. After re-reading Ben Zhou's responses across the 48 hours of the incident, I ended up keeping the score flat. He published wallet addresses within four hours, committed to make all users whole within twelve hours, and delivered on that commitment within 72 hours. That response set was textbook — and in retrospect, much closer to CZ's "FTT we hold, we will sell" disclosure pattern than to Mashinsky's "FUD" deflection.
  3. The OKX inconsistency. OKX scores 1.0 on PoR (technically excellent zk-SNARK self-audit) but only 0.65 on multi-jurisdiction licensing and 0.65 on related-party isolation. The aggregated 3.6/5 puts it in the secondary tier despite having one of the most technically sophisticated PoR pipelines in the industry. The takeaway is that a single sieve cannot rescue an exchange — the structure is intentionally "AND" rather than "OR." A 1.0 on Sieve 1 cannot compensate for a 0.6 on Sieve 4. This catches every framework user who tries to single-stat optimise.

If you're starting from here

The output of this framework in May 2026 is two main-portfolio exchanges: Binance and Coinbase, both at 4.7/5. Pick one as your primary and hold a balance on the other as your evacuation channel. My personal primary is Binance, for three reasons: wider asset coverage (350+ vs Coinbase's ~250+), better Asia-Pacific fiat ramps, and product depth across earn / derivatives / Launchpool. Coinbase is the more rational primary choice if your fiat is USD and you transact mostly in North America — the regulatory protection there is unmatched.

None of this is a permanent endorsement. Re-run this scorecard every six months. If any single sieve drops to 0.5 or 0, reduce your exposure that quarter. If you do open a Binance account, the affiliate code BN16188 below routes through the Binance Affiliate Program for the maximum 20% spot-fee discount the program allows — we never claim more than 20% because that is the maximum Binance permits. There is no extra cost to you. Whether to register is your decision. All centralised exchanges carry risk.

Open Binance with code BN16188

Crypto Archives is a Binance Affiliate Partner. We are not Binance's official site. Clicking the button takes you to the official binance.com registration page. The 20% spot fee discount is the maximum Binance Affiliate Program allows; we never claim more. Whether to register is your decision. All centralized exchanges carry risk. This article is not investment advice.

Keeper's Notes

This framework took me eleven months to settle on. The first version had eleven sieves. I tried to use it for two months and could not remember more than seven of them when standing in front of the whiteboard. The merge-down to five was the work of the next nine months — six original sieves folded into the remaining five as extensions. The whiteboard photo from the eleven-sieve version is still on my study wall, but the wall version has been replaced with five lines of three words each: "Monthly PoR / 3+ Tier-1 licences / On-chain user fund / Related isolation / CEO talks like a person." Those five lines are this entire lesson.

If you only memorise five things from this lesson, memorise those. If you remember nothing else, remember that you should re-check those five things every six months against the exchange where you keep money. The framework is finished only in the sense that I have stopped adding to it; it is not finished in the sense that the world has stopped changing. Every six months the world changes a little, and the framework changes with it. That is what the editorial discipline of this archive is for.

Keeper Shen, lamp-lit, May 18, 2026

Main References
  1. Individual exchange Proof of Reserves reports, 2022-2026 archives, all periods.
  2. Mazars Group, Binance PoR reports (final issues before exit) plus zk-SNARK user-liability verification white paper.
  3. BlockBuilders, "QuadrigaCX: A Review by Ernst & Young" — trustee final report, December 2019.
  4. Italian Court of Cassation, "BitGrail SRL Case" — Italian Supreme Court 2019 judgement.
  5. US Bankruptcy Court Southern District of New York, "In re Celsius Network LLC" — full public docket.
  6. US Bankruptcy Court Southern District of New York, "In re Voyager Digital LLC" — full public docket.
  7. US Bankruptcy Court District of Delaware, "In re FTX Trading Ltd." (Case No. 22-11068), full public docket including John J. Ray III declarations.
  8. Liberty Lost, "Cryptopia: Anatomy of a Hack" — on-chain forensic report, June 2019.
  9. Vitalik Buterin, "Having a safe CEX: proof of solvency and beyond" — November 2022 blog post that catalysed the post-FTX PoR standardisation discussion.
  10. Binance SAFU on-chain wallet, public address ledger, 2022-2026 transaction history.
  11. Coinbase Form 10-K and 10-Q filings, SEC EDGAR, 2021-2026 archives.
  12. Bitstamp annual KPMG audit reports, public versions, 2022-2025.
  13. This archive's Shipwreck Annals Vol. I-III complete reference list and primary-source bibliography.
  14. Binance Proof of Reserves · monthly independent audit (Mazars/Armanino/TheNetworkFirm)
  15. Kraken Proof of Reserves · semi-annual Armanino audit
  16. OKX Proof of Reserves · monthly Merkle tree verification
  17. New York DFS BitLicense regulatory framework · crypto asset business licensee list
  18. Dubai VARA · Virtual Asset Regulatory Authority official site

If you spot a factual error, please write to privacy@chainfossil.com. I will issue a public correction in /corrections.html and credit you by name.