The cryptocurrency sector faces an existential threat on two fronts: none of the 2,138 web applications and 146 mobile apps tested by ImmuniWeb support post-quantum encryption, and more than 7.8 million user records are already circulating on the dark web.
As adversaries hoard encrypted data for future “Harvest Now, Decrypt Later” exploits, the industry’s failure to adopt NIST’s Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) standard signals a looming crisis. Without action, encrypted transactions could be laid bare by quantum computers.
Outliers like Coinbase, UPbit, and Crypto.com, ranked as the top three most secure exchanges in the study, prove that strong security is achievable. Each had the fewest overall security findings across all tested categories, demonstrating that robust application security is possible even in high-risk, high-growth environments.
Quantum blind spots leave exchanges wide open
None of the tested exchanges support ML-KEM, the new post-quantum encryption standard published by NIST. Its complete absence across the sector suggests a long migration lies ahead. Compounding this, nearly one-third of exchanges still support outdated protocols like TLS 1.0 and 1.1, leaving encrypted traffic exposed to interception.
Post-quantum cryptography (PQC) support in TLS
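As an added example (not part of the ImmuniWeb study), the following shell script audits one of your own endpoints for the two TLS findings described above: whether legacy TLS 1.0/1.1 handshakes are still accepted, and whether a hybrid ML-KEM key exchange is offered. It assumes OpenSSL 3.5 or newer on PATH (the first release that knows the IETF hybrid group name X25519MLKEM768) and that `s_client` prints the "Negotiated TLS1.3 group:" line, as OpenSSL 3.x does.

```shell
# Classify a captured `openssl s_client` transcript. A failed handshake shows
# "Cipher is (NONE)"; a completed one names a real cipher suite.
handshake_result() {            # $1 = transcript text; prints accepted|rejected
  case "$1" in
    *'Cipher is (NONE)'*|'') echo rejected ;;
    *'Cipher is '*)          echo accepted ;;
    *)                       echo rejected ;;
  esac
}

# Extract the TLS 1.3 key-exchange group the server negotiated, or "none".
negotiated_group() {            # $1 = transcript text
  printf '%s\n' "$1" | sed -n 's/^Negotiated TLS1.3 group: //p' | head -n 1 | grep . || echo none
}

# Succeeds (exit 0) only when an ML-KEM hybrid group was negotiated.
pq_ready() {                    # $1 = transcript text
  case "$(negotiated_group "$1")" in
    *MLKEM*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Run one handshake against a host and return the transcript (empty on error).
probe() {                       # $1 = host, $2 = port, rest = s_client flags
  host=$1; port=$2; shift 2
  openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>/dev/null || true
}

# Print one finding per line for a host: legacy protocol acceptance and PQ readiness.
audit_host() {                  # $1 = host, $2 = port (default 443)
  h=$1; p=${2:-443}
  for v in tls1 tls1_1; do
    echo "$v: $(handshake_result "$(probe "$h" "$p" "-$v")")"
  done
  echo "pq-hybrid: $(negotiated_group "$(probe "$h" "$p" -tls1_3 -groups X25519MLKEM768:X25519)")"
}

# Constructed sample transcripts (not real captures) so the parsers can be exercised offline.
SAMPLE_PQ='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Negotiated TLS1.3 group: X25519MLKEM768
Protocol  : TLSv1.3'
SAMPLE_CLASSIC='New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Negotiated TLS1.3 group: X25519'
SAMPLE_REJECTED='New, (NONE), Cipher is (NONE)'

# usage against a live endpoint: audit_host exchange.example 443
```

An exchange that reports `tls1: accepted` or `tls1_1: accepted` has the legacy-protocol finding; `pq-hybrid: none` on an OpenSSL 3.5 client means no hybrid ML-KEM group was offered by the server.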
AI-driven threats and persistent weaknesses
The research also shows growing vulnerability to AI-driven threats, including automated scraping, impersonation, and infrastructure mapping. 45% of exchanges lacked a web application firewall, leaving their sites open to bot activity and reconnaissance.
At the same time, many are turning to GenAI to accelerate development. But without security oversight or coding standards, this introduces silent risks and creates attack surfaces.
While some of these problems are newly emerging, others are persistent issues the industry continues to overlook. These include:
- 74% of web applications using outdated software or libraries
- 67% failing GDPR compliance
- 25% with publicly known vulnerabilities
- 24% of mobile apps containing high-risk flaws
- 1 in 5 mobile apps transmitting data via unencrypted HTTP
Privacy implementation was similarly lacking. 40% of tested exchanges had no visible privacy policy, and over one-third deployed tracking cookies without user consent, putting them at risk of legal penalties and reputational damage, particularly in regulated markets.
Some encouraging signs of progress
The study also uncovered some encouraging results. Nearly 78% of web servers scored an “A” for TLS security implementation, suggesting that many exchanges are moving in the right direction on encryption. 52% of web applications earned an “A” privacy grade, indicating progress in adapting to regulatory requirements.
Likewise, 56.8% of main websites received an “A” in core web application security, with most weaknesses clustered in secondary subdomains or legacy components. These findings show that while the industry has significant work ahead, there are proven examples of strong security practices already in place.
To address the risks identified in the research, the researchers recommend that cryptocurrency exchanges:
- Implement risk-based, enterprise-wide application security programs
- Enforce privacy-by-design and security-by-default principles in development
- Establish governance frameworks for GenAI-assisted coding
- Migrate away from outdated encryption protocols and begin preparing for the post-quantum cryptographic transition
“Given that security incidents and data breaches may cause substantial damage to clients of crypto businesses, it is essential that the latter reconsider their investment priorities and pay more attention to their cybersecurity programs. Of note, spending more does not necessarily mean spending wiser. It is crucial to have a cybersecurity strategy based on a comprehensive risk assessment, bringing cybersecurity, legal and business professionals to the table to ensure a holistic and multidisciplinary approach to corporate cybersecurity governance. Otherwise, a company may triple its current cybersecurity budget but will still fall victim to a data breach. Likewise, continuous investment in employee education is crucial, otherwise, even the cutting-edge cyber defense mechanisms will bring little to no value,” said Dr. Ilia Kolochenko, Chief Architect & CEO at ImmuniWeb.