Securing customer funds and data is our top priority.
WCX has an incredible track record in keeping customer funds safe. We have never been hacked and no customer has ever had their funds compromised. This is in large part due to the security apparatus we've built, which we outline below.
We offer end-to-end encryption, comprehensive DDOS protection, 2-factor authentication, web authentication using security keys, and offline storage for client crypto keys (>98% of funds are stored in cold wallets).
WCX uses several different methods to ensure the safety of client digital currency wallets, our networks, servers, and software.
Over 98% of customers funds are preserved in cold storage, out of reach of software hackers. Since there is no automation or connection linked to these funds, they are technically impossible to compromise by external attackers.
Around 2% of funds are kept in hot wallets protected by industry-leading security. These hot wallet funds are used to process withdrawals quickly and are insured against loss in case of compromise.
We segregate our network and servers into different sub networks and availability zones, and protect traffic with strict routing, firewalling, and access control.
Our servers run the latest security software and our networks benefit from industry-leading distributed denial of service attack protection. They are designed to be highly available and to tolerate failures in infrastructure while maintaining continuity of operations.
Our data is aggressively backed up, encrypted, and stored in secure locations.
We offer full-account 2-factor authentication. When enabled (strongly recommended), 2-factor authentication provides an extra layer of security by protecting account access (log in) and withdrawal operations.
For security critical operations (e.g. withdrawals), we support authentication using public-key cryptography. This requires the use of hardware authenticators such as built-in biometric sensors (e.g. TouchID) or external FIDO2-enabled security keys (e.g. YubiKey 5 series).
All network traffic between the client and our servers is encrypted using High Assurance SSL.
Brute-force prevention is implemented client-side through CAPTCHA and rate throttling systems designed to protect against these types of attacks while preserving a pleasant user experience.
More than half of all Bitcoin exchange "hacks" are perpetrated by insiders. We hence consider it critically important to not only comprehensively vet and background check anyone who contributes to building WCX (employees, contractors, etc.) but to also keep customer funds accessible only by a small group of fully vetted, trusted, and tracked WCX directors, supported by a multi-signature access system.
It is strict company policy to ensure that these directors and the keys that they hold are always geographically distributed and that their location is never made public.
Company policy also imposes certain lifestyle restrictions on any key-holding directors. They are not allowed:
to consume any substances, including alcohol, to the point of inebriation or loss of consciousness;
to participate in any activity that may be deemed high-risk, such as extreme sports;
to travel to a high-risk or underdeveloped country;
to disclose the nature of their job to anyone outside their immediate family members.
As Bitcoin's popularity has grown, so has Bitcoin-related crime. Since our directors hold keys of company and client Bitcoin, they could serve as an attractive target for criminals and extortionists.
Hence, to ensure the highest level of customer fund security and personal safety of our team members, it is strict company policy to not publicly disclose the identifying information of any WCX team members. All of our team members adopt aliases (pseudonyms) online and in public.
For examples of recent Bitcoin-related crime that involved physical violence or murder with the purpose of robbing the target of their cryptocurrency, please see this list.
As Bitcoin transaction-tracking software improves and law enforcement cooperation increases across borders, we believe this risk will subside over time, at which point we may re-evaluate our pseudonyms-only policy.