Signal & Noise — Issue #1

Why Your Exchange Account Is Not a Wallet

Bitcoin Security Mastery™ · 5 min read

Here is the single most dangerous sentence in Bitcoin:

“I keep my Bitcoin on Coinbase.”

It sounds perfectly reasonable. Coinbase is a publicly traded company. It has insurance. It has a security team. It has two-factor authentication and withdrawal whitelists and all the trappings of a serious financial institution.

And none of that matters — because when you “keep your Bitcoin on Coinbase,” you don’t actually have any Bitcoin.

You have a promise.

The Difference Between Holding and Owning

Bitcoin is, at its core, a ledger. Every coin that exists is assigned to a specific address, and that address is controlled by a private key. Whoever holds the private key can move the coins. Whoever doesn’t hold the private key cannot.

When you deposit Bitcoin to an exchange, you send it to their address, controlled by their private key. In return, you get a number on a screen — a balance in your account. That balance is a database entry on the exchange’s servers. It is not Bitcoin. It is a record that the exchange owes you Bitcoin.

This is not a subtle technical distinction. It is the difference between holding a gold bar in your safe and holding a piece of paper that says a bank owes you a gold bar. One of those things survives the bank going under. The other does not.

The Graveyard of Broken Promises

If exchange IOUs were as good as real Bitcoin, the history of cryptocurrency would look very different. But it doesn’t. It looks like this:

Every one of these platforms had security teams. Most had regulatory approval. Several had insurance. None of it protected customers from the fundamental reality: if you don’t hold the private key, you don’t control the asset.

Why Smart People Still Make This Mistake

The mental model that trips people up is banking. We’re trained to think of accounts as safe places to store value. My money is “in” the bank. My stocks are “in” the brokerage. And for those systems, the mental model mostly works — because banks and brokerages operate under extensive regulation, deposit insurance, and legal frameworks designed to protect customers even when institutions fail.

Bitcoin has none of that. There is no FDIC for Bitcoin. There is no regulatory body that will make you whole if an exchange collapses. The entire point of Bitcoin is that it operates outside the traditional financial system — which means the traditional safety nets don’t apply.

This is not a flaw. It is the design. Bitcoin gives you something no bank account ever has: the ability to hold your own money with no counterparty risk. But that ability is only real if you actually use it.

What Self-Custody Actually Means

Self-custody means you — and only you — hold the private keys that control your Bitcoin. No exchange. No custodian. No third party of any kind.

In practice, this means using a hardware wallet (a dedicated device that stores your private keys offline), backing up your seed phrase (the 12 or 24 words that can recover your wallet), and learning the basics of how Bitcoin transactions work so you can verify everything yourself.

Is this more work than leaving coins on an exchange? Yes. Is it harder than clicking “Buy” on Coinbase and walking away? Absolutely.

But here is the question that matters: is the security of your Bitcoin worth an afternoon of learning?

If you’re reading this newsletter, you already know the answer.


1. Ledger rolls out firmware 2.3.0 — Adds support for miniscript-based spending policies on Bitcoin. If you use a Ledger device, update via Ledger Live. As always, verify the update is legitimate before installing — phishing campaigns often follow firmware announcements.

2. Phishing campaign impersonating Trezor support — Emails claiming “your device firmware is compromised” are circulating. Trezor will never email you asking to enter your seed phrase. If you receive one, delete it immediately. Report it to phishing@trezor.io.

3. Bitcoin mempool clears below 5 sat/vB — If you’ve been waiting for low fees to consolidate UTXOs or move coins off an exchange into self-custody, this is a good window. Check mempool.space for current fee estimates before transacting.

Funds Lost: DMM Bitcoin Exchange — May 2024

What happened

Japanese exchange DMM Bitcoin lost approximately 4,502 BTC (~$305 million) in a single transaction from a compromised hot wallet private key. The breach was one of the largest exchange hacks in history.

What went wrong

Centralized hot wallet management with a single point of failure. One compromised key gave the attacker full control over a massive pool of customer funds.

The lesson

If a professional exchange with a dedicated security team can lose $305 million from one private key, how safe are your coins sitting on a similar platform? Self-custody eliminates this exact category of risk. Your keys, your coins.

Check your exchange balances. Write down the number.

Log into every exchange where you hold Bitcoin. Write down the total amount sitting on each one. That number is your exposure — the amount of Bitcoin you don’t actually control. Over the coming weeks, we’ll walk through exactly how to move it into self-custody. But step one is knowing how much is at risk. Do it today.

Next issue: The Anatomy of a Bitcoin Phishing Attack — a step-by-step breakdown of how attackers target Bitcoin holders, with real examples and exactly what to look for. If you found this issue useful, share it with someone who still keeps their coins on an exchange.
