State of Application Security at Top 250 Cryptocurrency Exchanges

 
GENEVA - Oct. 8, 2025 - PRLog

Key Findings
7.8 million compromised user records found on the Dark Web
57% of exchanges are targeted by at least 1 ongoing phishing campaign
74% of web applications contained outdated software, libraries or frameworks
25% of web applications contained publicly known web security vulnerabilities
67% of web applications failed GDPR compliance, 58% failed PCI DSS compliance
32% of web servers had insecure or obsolete encryption protocols in their TLS stack
24% of mobile apps contained at least one high-risk mobile security vulnerability
1 in 5 mobile apps sends or receives some data over plaintext HTTP
1 in 3 web servers has no support whatsoever for Post-Quantum Cryptography
9 in 10 web applications had one or several privacy issues or failures
Top 3 most secure cryptocurrency exchanges, which had the fewest findings within the scope and methodology of this research, outperforming the others:

Coinbase - coinbase.com
UPbit - upbit.com
Crypto.com - crypto.com

According to Forbes, the global cryptocurrency market cap is over 4 trillion USD and is growing. In early October 2025, the prices of Bitcoin, Ethereum, Solana and other popular cryptocurrencies surged to almost an all-time record. Meanwhile, according to a recent Chainalysis report, at least 40.1 billion USD was moved last year to ledger addresses known to be connected to illicit activities.

The alarming trend is confirmed by statistics from Kroll's Cyber Threat Intelligence team: 1.93 billion USD was stolen in crypto-related cybercrimes in the first six months of 2025 alone, surpassing the total amount stolen in the whole of 2024.

This research explores the current state of web and mobile application security of the largest cryptocurrency exchanges around the globe. In the past, numerous cases have shown how application security failures led to data breaches impacting cryptocurrency and DeFi companies, resulting in stolen funds, as well as long-lasting negative consequences both for the breached entities and their clients.

It is important to highlight that the mere presence of application security vulnerabilities, misconfigurations or weaknesses in web or mobile apps does not mean or imply that client funds or crypto assets are at risk. Likewise, compromised user credentials available on the Dark Web do not necessarily grant cybercriminals access to crypto wallets or custodial funds belonging to the victims.

The ultimate purpose of this research is to review the overall state of application security in the crypto industry in 2025, and to provide concise recommendations on what could be improved to enhance existing application security programs of cryptocurrency exchanges and other businesses active in crypto.

Read research here: https://www.immuniweb.com/research/state-of-application-s...

Contact
ImmuniWeb
***@immuniweb.com