Case file · Exchange
Hodl Hodl
Non-custodial P2P Bitcoin with 2-of-3 multisig escrow - but it needs an email account and reserves the right to ask for ID.
The systematized overview
The bureau vs the internet.
6.6/10 · KYC-on-trigger
A well-run, genuinely non-custodial P2P exchange with a decade and no custodial hack - but it is not level 0. A verified email account is mandatory, and the terms reserve a discretionary right to demand identity documents on dispute or suspicion. Excellent custody, real reservations on identity.
3 recurring praises · 3 recurring gripes
Most praised: non-custodial and safe: no custodial hack in a decade. Most cited downside: slow or unresponsive support in some reports.
We track our editorial score and community sentiment separately — neither moves the other. Read together, they're the systematized overview.
The facts
Custody & jurisdiction.
- Jurisdiction
- Hodlex Ltd, Marshall Islands (UK governing law)
- Custody
- Non-custodial - 2-of-3 multisig, platform holds one key
- Escrow
- P2SH 2-of-3 multisig; keys: buyer, seller, Hodlex Ltd
- Traded
- Bitcoin only (plus BTC-collateralized lending via Lend)
- Fiat rails
- No - fiat settled directly between counterparties
- Payment methods
- 100+ payment methods; all fiat currencies
- Payment privacy
- No native Monero; peer-chosen fiat; email + IP collected by platform
- Disputes
- Hodlex support arbitrates within ~12h using its escrow key
- KYC trigger
- Discretionary: ID may be demanded "at any time" on law/policy, dispute or suspicion
- Open source
- No - only utility libraries public; core code closed
- Audited
- Yes - recurring third-party audits (e.g. 2021)
- Operating since
- 2016 (~10 years, no custodial hack)
The full read
Our analysis, in plain words.
Hodl Hodl is the interesting counter-example in this category: technically it is one of the safest places to trade - non-custodial 2-of-3 multisig, roughly a decade with no custodial hack, recurring audits - and yet it is not a no-KYC service by our definition. The reason is the identity layer, not the custody layer.
To trade you must create and verify an email account, which already rules out level 0. More decisively, the terms reserve a discretionary right to "introduce mandatory identification or verification procedures... at any time," and the privacy policy confirms government-ID is collected when that trigger fires - typically on a dispute or a fraud/suspicion flag. That is the textbook definition of KYC-on-trigger, so we place it at level 2. The independent kycnot.me listing reads it harder still, as "shotgun KYC."
None of that makes Hodl Hodl a bad exchange - for custody safety it outperforms most of the category, and being non-custodial means it cannot hold your escrowed coins hostage even if it demands ID. But a privacy-first buyer should go in clear-eyed: an email account is mandatory, IP and approximate location are logged with a five-year AML retention, US users are barred, and the core code is closed. It earns a solid mid-table score on the strength of its custody and track record, held back by identity.
The score, broken down
How the 6.6 is built.
Privacy
weight 50%What identity, data and metadata the service can demand or collect.
58 × 50% = 2.9 of 10
Trust
weight 30%Whether it can technically deliver what it claims — code, audits, age.
74 × 30% = 2.2 of 10
Reliability
weight 20%Whether the no-KYC claim holds under real-world pressure.
72 × 20% = 1.4 of 10
Weighted total 6.6 / 10 · no reliability rule triggered, so the score stands. See the rubric →
Every point, sourced
What earned the score.
Privacy
The fine print, read for you
The clause they bury.
“If required by applicable law or our internal policies, we may at any time introduce mandatory identification or verification procedures. Failure to complete required verification constitutes a violation of this Agreement and may lead to account suspension or termination.”
What it meansThis is the clause that keeps Hodl Hodl at level 2 rather than 0. "Our internal policies... at any time" is a discretionary trigger: they can require ID on dispute or suspicion, and the privacy policy confirms government-ID is collected when it fires. Because the platform is non-custodial it cannot hold your escrowed coins hostage, but it can suspend your account.
Read the source →A verified email account is required up front (so this is not level 0). Government ID is never required routinely, but the terms reserve the right to demand it "at any time" if required by law or their internal policies - in practice, on a dispute or a fraud/suspicion flag. The independent kycnot.me listing reads this harder, as "shotgun KYC" (their level 3).
Policy review — point by point
-
Mandatory email account
You must create and verify an email account before trading, so the service is not identity-free. ↗
-
Discretionary ID trigger
The terms reserve the right to require identification "at any time" per law or internal policy; ID is collected on dispute/suspicion. ↗
-
Non-custodial multisig
Hodlex Ltd holds only one of three keys and cannot unilaterally move escrowed funds. ↗
-
US fully barred
Current terms restrict the US entirely alongside sanctioned jurisdictions. ↗
The operator is Hodlex Ltd, incorporated in the Marshall Islands, with the terms specifying UK governing law and London courts. A Marshall Islands entity with UK governing law is a common offshore structure; combined with a five-year AML data-retention clause and a discretionary ID trigger, it signals a platform that intends to stay on the right side of regulators rather than a censorship-resistant, entity-free project.
We keep watching
Incident & policy timeline.
- Nov 2018
Began blocking US IPs
Hodl Hodl started blocking US users and offers, an early sign of tightening geographic policy.
source ↗ - Jul 2021
Security audit finds and fixes two issues
A hired auditor found a weak-password brute-force path and a front-end vulnerability on the Lend platform that could have exposed payment passwords or keys (reported unexploited); both were fixed, and Hodl Hodl says it runs recurring audits by rotating independent firms.
source ↗ - May 2024
Blocked US residents from Lend
Hodl Hodl blocked US residents and citizens from its Lend product, citing a stricter allowed-countries policy. The current terms bar the US entirely alongside sanctioned states.
source ↗
The verdict
Where it stands.
Strengths
- Genuinely non-custodial: 2-of-3 multisig, platform holds only one key
- Around ten years operating with no custodial hack on record
- Recurring third-party security audits
- 100+ payment methods; platform never touches fiat
Trade-offs
- A verified email account is mandatory - not identity-free
- Terms reserve a discretionary right to demand ID on dispute or suspicion
- Core exchange code is not open source / community-auditable
- US users are barred entirely under current terms
- Complaints about slow support and counterparty time-wasters
Across the internet
What reviewers report.
Consistently praised
- Non-custodial and safe: no custodial hack in a decade
- Wide payment-method support and global reach
- Straightforward multisig escrow that works as described
Recurring complaints
- Slow or unresponsive support in some reports
- Counterparty time-wasters and test-payment scam attempts
- Email account and ID-on-trigger disappoint privacy-first users
Trustpilot sits around 3.4/5. Complaints cluster on counterparty behaviour and support speed rather than the platform stealing or freezing funds - consistent with the non-custodial design. Synthesized from Trustpilot and the independent kycnot.me listing.
Ask the bureau
Hodl Hodl, common questions.
Is Hodl Hodl no-KYC?
Partly. It never requires government ID routinely and is fully non-custodial, but a verified email account is mandatory and the terms reserve the right to demand ID on a dispute or suspicion. We rate it KYC level 2 (KYC-on-trigger), not level 0.
Can Hodl Hodl freeze my funds?
Not your escrowed coins - trades use a 2-of-3 multisig where Hodl Hodl holds only one key and cannot move funds alone. It can suspend your account and, in a dispute, use its key with one party to resolve the 2-of-3.
Does Hodl Hodl work in the US?
No. The current terms bar US residents and citizens entirely, and the Lend product was explicitly blocked to US users in May 2024.
Has Hodl Hodl ever been hacked?
No custodial hack is on record in roughly a decade of operation, which is unsurprising given it never holds pooled customer funds. Audits in 2021 found and fixed some issues.
Your exact case not covered? The live Ask the bureau answers it and turns it into a public FAQ.