Understanding how exchanges generally work is necessary before we can even begin to analyze the blockchain and make accurate inferences about the activity within it.
There are three types of wallets/addresses that most exchanges have.
1. Deposit addresses
2. Hot Wallets
3. Cold Wallets
How They Work:
Deposit addresses are the wallets exchanges give you to credit your account. For example, when you set up an account at Binance/Coinbase/whatever and you fulfill the KYC/AML or the e-mail registration or whatever you have to do, you have an account at base level.
Of course, your account has 0 funds. But you want to trade!
So you click the ‘deposit’ button and the exchange gives you an address where you can deposit whatever crypto you want to send.
That address does not keep the funds. The wallet that the exchange creates for you dumps those funds off to their hot wallet.
Above is an example of a Kraken deposit address.
We placed a box around all of the funds that were sent to that deposit address to make it easier to read.
Notice that all of the funds are going immediately back out to “Kraken 5” — that’s their hot wallet.
As you’ve probably gathered at this point, the hot wallet is the ‘collection point’ for any and everyone that has sent funds to the exchange. They send funds to the deposit address, then the exchange ‘sweeps’ that deposit address and sends funds to the ‘hot wallet’.
I’m sure you’ll find some exception, but there are very few. This is generally how almost every (centralized) exchange works. Even the ones that are “scams” generally work on this principle.
Some exchanges use multiple wallets (this is more common with Ethereum), and some exchanges only use one. Binance, for example, only uses one hot wallet for Bitcoin.
At first glance, it probably seems like deposit addresses are an unnecessary part of this equation.
After all, if the funds you’re sending to the deposit address are always being swept to the hot wallet address, why not just save the transaction fees and hassle and just have people send funds to the hot wallet?
Every deposit address that an exchange creates is unique to that customer. Most of the time they are brand new addresses that are generated.
So if Billy Bob creates an account at Binance and says, “I want to deposit my Bitcoin here!” — then Binance will generate a brand new Bitcoin address for him. Let’s say (3XMAJF2383AF3AJA3Jsfa2) or something random.
In their internal system, they have marked that address as belonging to Billy Bob. So any time funds are sent there, Billy Bob is credited.
He can send the Bitcoin today or tomorrow, it doesn’t matter.
If Binance said, “Hey Billy Bob just send the funds straight to our hot wallet”, then they would have no way of tracking Billy Bob’s funds.
Billy Bob could claim that the 20 bitcoin deposit that Binance’s hot wallet just got (hypothetically) belongs to him. Maybe it is his 20 bitcoin deposit, maybe it’s someone else’s. How would they know? They wouldn’t.
And because Binance is so massive and popular, they would be getting flooded with thousands of transactions from all over from folks claiming that they sent their funds to Binance.
Thus, deposit addresses help keep order.
One major takeaway from the Binance situation is that the hackers were only able to get 7,000 bitcoins.
The reason is that this was all Binance had in their hot wallet (they had a little more, but not much over top of 7k). Thus, in that regard, this situation exemplified why using a ‘cold wallet’ is imperative — because **** happens, no matter how good you think your opsec is.
As an exchange, you pray you never get hacked — but let’s face it, you’re a walking target and people will do everything they can to try to compromise you because that payday will allow that lucky hacker to fly to the Bahamas and live the rest of their life in bliss (i.e., Binance was hacked for $40 million worth of bitcoins).
So what do you do?
Prepare for a rainy day.
Most people know this, but we’re reiterating it here in case anyone doesn’t.
If you request a withdrawal from an exchange, 999/1000 times it’s going to come from that exchange’s hot wallet address.
Thus, exchanges must keep a certain amount in funds on their hot wallet in order to satisfy withdrawals.
But they don’t need to keep everything on there.
Only a certain amount of people are going to request their Bitcoin/Ethereum/Litecoin/whatever. So exchanges really only need to keep a certain amount ‘on hand’ to send funds out to customers.
A smart exchange calculates how much they typically need to send out on a day to day basis and they use this estimate to manage how much in funds they keep in their hot wallet. Anything they receive over top of that number is usually sent to something called a ‘cold wallet’.
This wallet is supposed to be offline and the only funds that they should be receiving should be coming from the exchange’s hot wallet address(es).
Note: A cold wallet should NOT be receiving funds from customers. Ever.
Any wallet sending funds to a cold wallet belongs to that exchange unless someone is making a generous donation.
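The sweep and cold-wallet rules above can be applied mechanically to a list of transfers. The following is an added example, not code from the original article: the transfer list and every address label are constructed, and `map_exchange` is a hypothetical helper that starts from one deposit address you know (for instance your own) and, optionally, a known cold wallet.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, BTC); all labels are hypothetical.
TRANSFERS = [
    ("cust_a", "dep_1", 0.5), ("dep_1", "hot_1", 0.5),
    ("cust_b", "dep_2", 2.0), ("dep_2", "hot_1", 2.0),
    ("cust_c", "dep_3", 1.2), ("dep_3", "hot_1", 1.2),
    ("cust_c", "friend", 0.1),           # ordinary peer-to-peer payment
    ("hot_1", "cust_d", 0.7),            # customer withdrawal
    ("hot_1", "cold_1", 3.0),            # excess moved to cold storage
    ("hot_2", "cold_1", 10.0),           # second exchange wallet feeding cold storage
]

def map_exchange(transfers, known_deposit, known_cold=None):
    """Label addresses around one exchange using the rules described in the text."""
    outs, ins = defaultdict(set), defaultdict(set)
    for src, dst, _amount in transfers:
        outs[src].add(dst)
        ins[dst].add(src)
    # Step 1: a deposit address only ever sweeps, so its sole destination is the hot wallet.
    if len(outs[known_deposit]) != 1:
        raise ValueError("address does not show a single-destination sweep pattern")
    (hot,) = outs[known_deposit]
    # Step 2: every funded address that sends exclusively to the hot wallet
    # behaves like a deposit address.
    deposits = {a for a, d in outs.items() if d == {hot} and ins[a]}
    # Step 3: anything that sends to the cold wallet is exchange-owned.
    owned = {hot} | (ins[known_cold] if known_cold else set())
    # Step 4: remaining recipients of hot-wallet outputs are customer withdrawals.
    withdrawals = outs[hot] - owned - ({known_cold} if known_cold else set())
    return {"hot": hot, "deposits": deposits,
            "exchange_owned": owned, "withdrawals": withdrawals}

if __name__ == "__main__":
    for label, value in map_exchange(TRANSFERS, "dep_1", "cold_1").items():
        print(label, value)
```

Without a known cold wallet, a customer withdrawal address and a cold wallet look alike in this data (both only receive from the hot wallet), which is why the cold wallet is passed in rather than guessed.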
What was stated above is really important to know when it comes to blockchain analysis (which is also very crucial), for the following reasons:
1. The vast majority of blockchain activity involves exchanges in some way. Yes, there are people that simply send funds directly from one friend to another — but the vast majority of funds are held at exchanges and exchanges are the primary entities that are used to send and receive crypto as well. Therefore, it is imperative that anyone seeking to glean information from the blockchain be well aware of how exchanges generally work.
2. This information will help you to figure out which addresses are ‘hot wallets’ and which ones are ‘cold wallets’. Some people have seen me ask, “Has anyone deposited ____ to [insert exchange] before?”. The reason why I ask that is because this information will help me figure out what that entity’s hot wallet address is.
3. This information helps us to figure out which addresses belong to customers and which ones belong to the exchange itself. This is a super important distinction, because the implications behind each can be massive. For example, if there is a hack (like what we saw with Binance) and those coins are sent directly to some exchange’s hot wallet address, then we should be extremely suspicious of that exchange and question them heavily. However, if those coins end up at a deposit address at an exchange, we cannot necessarily fault the exchange 100% because we cannot use that evidence alone to prove that they knowingly facilitated this theft. Of course, since this is public knowledge, we should be assuming that exchanges have certain measures in place to track certain funds and ensure that they are not liquidated down at their exchange.
4. Because hot wallet addresses are a collection pool for all funds, they are the ultimate ‘mixers’ in crypto. Thus, whenever stolen/scammed/illegal funds hit an exchange, the burden is on the exchange to provide the necessary information to assist the community/law enforcement/whoever in locating who those funds belong to or where they have gone. If that exchange refuses for whatever reason, then this is a dead end. The only exception to this rule is an extremely stupid hacker that sends a very specific amount (like 1035.9239291381 bitcoins) and we see an amount that’s nearly exact being sent from the exchange later. This rarely happens, but when it does, it helps.
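The amount-matching exception in point 4, as an added example that is not part of the original article: it shows why only a very specific amount gives a usable lead, while a round amount matches many withdrawals. The withdrawal list is constructed, and the fee allowance (`max_shortfall`) and the time window are assumed values.

```python
from decimal import Decimal as D

# Constructed hot-wallet withdrawals: (unix time, destination label, BTC amount).
WITHDRAWALS = [
    (1_000, "out_a", D("1.00000000")),
    (5_000, "out_b", D("0.99990000")),
    (6_000, "out_c", D("1035.92380000")),
    (7_000, "out_d", D("1.00000000")),
    (9_000, "out_e", D("0.99995000")),
]

def candidates(dep_time, dep_amount, withdrawals,
               max_shortfall=D("0.001"), window=86_400):
    """Withdrawals sent after the deposit, within `window` seconds, whose amount
    equals the deposit or is at most `max_shortfall` below it (fee allowance)."""
    return [
        dst for ts, dst, amt in withdrawals
        if dep_time < ts <= dep_time + window
        and D(0) <= dep_amount - amt <= max_shortfall
    ]

def correlate(dep_time, dep_amount, withdrawals):
    """A match is only a lead when exactly one withdrawal fits."""
    hits = candidates(dep_time, dep_amount, withdrawals)
    verdict = "unique" if len(hits) == 1 else "ambiguous" if hits else "none"
    return verdict, hits

if __name__ == "__main__":
    # Distinctive amount deposited at t=4000: exactly one later withdrawal fits.
    print(correlate(4_000, D("1035.92392913"), WITHDRAWALS))
    # Round amount deposited at the same time: several withdrawals fit, so no lead.
    print(correlate(4_000, D("1.00000000"), WITHDRAWALS))
```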
There are a number of additional conclusions we can make based on this information, but what we listed above are the most important — by far.
Without having this knowledge in hand, tracking funds on the blockchain is a futile effort because you will not know what you’re looking at or understand what it means. Or you may end up overlooking really important information.