What Is Gate.io and Who Runs It?

Gate launched in 2013 as Bter.com in China, relaunched as Gate.io in 2017 after Beijing banned domestic trading, and based itself in the Cayman Islands. A 2025 rebrand to Gate moved it to the Gate.com domain, with the old address redirecting. Founder Dr. Han still leads the group.

It runs spot, margin, and perpetual futures across 3,500-plus cryptocurrencies, one of the widest catalogs anywhere, alongside staking, earn products, crypto-backed loans, copy trading, an NFT marketplace, and a Visa-linked card. Newer additions include forex and metals trading priced in USDT and its own Layer-2 network.

Gate reported 27 million users in early 2025 and more than 40 million by November, ranking among the top two exchanges by spot volume. It blocks several regions, including mainland China and Canada, and US residents use Gate US instead. Our Gate restricted countries guide maps where it operates.

Is Gate Safe? How It Custodies and Audits Funds

On mechanics, Gate matches the top exchanges. Most user assets sit in cold storage, transfers need multi-signature approvals and MPC (multi-party computation) key management, and withdrawals pass automated risk screening. Account tools cover two-factor authentication, anti-phishing codes, withdrawal whitelists, and device management.

On solvency, Gate was the first major exchange to commit to 100% proof of reserves. Its dashboard uses Merkle-tree and zero-knowledge (zk-SNARK) proofs, so any user can confirm their balance sits inside the audited total. The March 2026 report put coverage near 122%, with Bitcoin around 147%. Security firm Hacken reviewed the zk-SNARK build and found no vulnerabilities at any severity.

On ratings, Gate carries an AA grade on CER.live, which scores penetration testing, bug bounties, and audits. One caveat: CER.live is run by Hacken, the same firm auditing Gate's reserves, so the stronger corroboration is CertiK's independent Skynet score, also in the high 80s out of 100. Gate holds ISO 27001 certification too.

A ratio above 100% means assets are fully backed with a surplus, the bar set after FTX failed in 2022. Read it as a solvency signal. It does not insure you against a hack.

Where Gate Holds Licenses, and Where It Doesn't

Gate's compliance footprint changed more this past year than in the prior five. In October 2025 its Malta entity, Gate Technology Ltd, won a MiCA license from the MFSA for exchange and custody, which passports across the EEA. A PSD2 Payment Institution license followed in February 2026.

That headline needs a caveat. A July 2025 ESMA peer review found the MFSA had granted a CASP license with some material issues unresolved. It did not name the provider, but a Malta passport, while genuine, sits inside a regime ESMA is pressing to tighten.

The other shift is the US. After blocking American users for years, Gate launched a locally registered arm, Gate US, in August 2025, with spot trading in 30 states by early 2026. Eligibility depends on your state.

Beyond those, Gate's authorizations span:

• Malta: MiCA license for exchange and custody (MFSA), plus a PSD2 Payment Institution license
• Italy: Virtual Asset Service Provider registration (OAM)
• Dubai: Virtual asset service authorization (DMCC)
• Hong Kong: Trust or Company Service Provider license (TCSP)
• Lithuania: Virtual currency exchange and wallet operator registration
• Bahamas: Digital asset registration (SCB)
• Gibraltar: Distributed ledger technology provider (GFSC)
• Australia: AUSTRAC digital currency exchange registration (Gate Australia)
• United States: State money transmitter licensing through Gate US
• Japan: Gate Japan K.K., after the 2024 acquisition of licensed exchange Coin Master

Each entry authorizes specific activities in one country, so a Malta license tells you nothing about your recourse if you trade through the Cayman Islands parent. Gate still holds no UK FCA registration and answers to no single home regulator of the kind Coinbase does.

Gate's Hack and Security Breach History

Gate's security record is the strongest argument for caution, and its most serious entry is one the exchange has never acknowledged. Here's a quick historical rundown:

• ‍The 2018 breach: US prosecutors documented a 2018 hack in which North Korean actors stole roughly $250 million from a virtual currency exchange they did not name. On-chain investigators including ZachXBT later matched those wallet clusters to Gate and alleged it never told users. Pressed on it, Gate cited its internal security and has never confirmed the loss, which is the root of the trust problem that still trails it.‍
• The 2015 Bter.com hack: Under its original brand, the exchange lost 7,170 BTC from a cold wallet. The funds were never recovered.‍
• The 2019 Ethereum Classic 51% attack: Attackers seized majority control of the ETC chain, cycled coins through Gate, then reorganized the chain to double-spend. Gate confirmed the attack and pledged refunds, absorbing about $270,000, and the attacker later returned roughly $100,000.‍
• The 2022 Twitter compromise: Gate's official account was briefly hijacked to push a phishing scam, a reminder that the attack surface reaches past the trading engine.

The contrast is the point. Gate handled the 2019 attack openly and made users whole, yet stayed silent on a loss many times larger. Keep only trading capital on the platform.

The Bigger 2026 Threat: State-Sponsored Exchange Theft

Gate's 2018 episode was an early case of what is now the defining risk to every centralized exchange. North Korea-linked groups, which the FBI tracks as TraderTraitor within the Lazarus umbrella, run the most damaging attacks in the market.

The clearest proof came in February 2025, when Bybit lost about $1.5 billion in Ethereum, the largest crypto theft on record. The attackers never breached Bybit's servers; they compromised a developer machine at Safe, the third-party signing provider, and altered what operators saw so a routine cold-to-hot transfer rerouted the funds. Chainalysis traced more than $2 billion of 2025's record theft to North Korea-linked actors.

Two lessons apply to Gate. Supply-chain and social-engineering attacks now defeat the cold storage and multisig every exchange advertises, so a polished security page guarantees little. And the response separates the survivors: Bybit froze withdrawals, replaced reserves within days, and kept publishing proof of reserves. Gate's 2018 silence is the opposite reflex, which is why analysts stay wary even as its systems now rank among the best.

Practical Risks to Weigh Before Depositing

Beyond the headline security questions, a few practical risks deserve weight before you fund an account:

• Transparency history: The 2018 silence means Gate has not shown the disclosure that builds lasting trust, whatever its current systems.
• Mixed user sentiment: Trustpilot ratings sit low (roughly 1.6 to 2.8 by domain), with recurring complaints over frozen accounts and slow support. A 4.4 on G2 has been flagged for likely manipulation, so weight the negatives more heavily.
• Support limits: Help runs 24/7 via live chat and email, but there is no phone line, and resolution times draw criticism in volatile periods. Treat any "Gate phone support" site as a scam.
• Geographic access: Reaching the global platform from a restricted region, including by VPN, risks frozen accounts and locked assets. US users belong on Gate US, where availability is still state-by-state.
• Altcoin liquidity: The huge token list aids discovery, but thinly traded pairs carry wide spreads, slippage, and delisting risk.

Is Gate.io a Legit Exchange? Our Final Verdict

Gate is a legitimate, established exchange, and its 2026 standing is the strongest in its history: a full MiCA license in Europe, a regulated US arm, audited zk-SNARK proof of reserves above 120%, an AA rating, and ISO 27001 certification. For an active trader after deep liquidity and the widest altcoin selection available, it is a credible venue.

The reservation concerns trust more than capability. The unresolved 2018 breach plus mixed support reviews keep it a notch below exchanges with cleaner records. Apply the rule that fits any centralized platform: turn on every account protection, keep only active trading capital on-exchange, hold long-term assets in self-custody, and verify your balance against the proof-of-reserves dashboard.

For a comparison with a platform that handled its worst breach in the open, see our Bybit review.