noKYCme

Case file · Exchange

Hodl Hodl

Non-custodial P2P Bitcoin with 2-of-3 multisig escrow - but it needs an email account and reserves the right to ask for ID.

KYC-on-trigger · Level 2
Based
Hodlex Ltd (Marshall Islands; UK governing law)
Price
Platform fee on trades; fiat settled directly between peers
Reviewed
2026-07-15
Audited by
The noKYCme Bureau

The systematized overview

The bureau vs the internet.

What the bureau found

6.6/10 · KYC-on-trigger

A well-run, genuinely non-custodial P2P exchange with a decade and no custodial hack - but it is not level 0. A verified email account is mandatory, and the terms reserve a discretionary right to demand identity documents on dispute or suspicion. Excellent custody, real reservations on identity.

What the internet says

3 recurring praises · 3 recurring gripes

Most praised: non-custodial and safe: no custodial hack in a decade. Most cited downside: slow or unresponsive support in some reports.

We track our editorial score and community sentiment separately — neither moves the other. Read together, they're the systematized overview.


The facts

Custody & jurisdiction.

Jurisdiction
Hodlex Ltd, Marshall Islands (UK governing law)
Custody
Non-custodial - 2-of-3 multisig, platform holds one key
Escrow
P2SH 2-of-3 multisig; keys: buyer, seller, Hodlex Ltd
Traded
Bitcoin only (plus BTC-collateralized lending via Lend)
Fiat rails
No - fiat settled directly between counterparties
Payment methods
100+ payment methods; all fiat currencies
Payment privacy
No native Monero; peer-chosen fiat; email + IP collected by platform
Disputes
Hodlex support arbitrates within ~12h using its escrow key
KYC trigger
Discretionary: ID may be demanded "at any time" on law/policy, dispute or suspicion
Open source
No - only utility libraries public; core code closed
Audited
Yes - recurring third-party audits (e.g. 2021)
Operating since
2016 (~10 years, no custodial hack)

The full read

Our analysis, in plain words.

Hodl Hodl is the interesting counter-example in this category: technically it is one of the safest places to trade - non-custodial 2-of-3 multisig, roughly a decade with no custodial hack, recurring audits - and yet it is not a no-KYC service by our definition. The reason is the identity layer, not the custody layer.

To trade you must create and verify an email account, which already rules out level 0. More decisively, the terms reserve a discretionary right to "introduce mandatory identification or verification procedures... at any time," and the privacy policy confirms government-ID is collected when that trigger fires - typically on a dispute or a fraud/suspicion flag. That is the textbook definition of KYC-on-trigger, so we place it at level 2. The independent kycnot.me listing reads it harder still, as "shotgun KYC."

None of that makes Hodl Hodl a bad exchange - for custody safety it outperforms most of the category, and being non-custodial means it cannot hold your escrowed coins hostage even if it demands ID. But a privacy-first buyer should go in clear-eyed: an email account is mandatory, IP and approximate location are logged with a five-year AML retention, US users are barred, and the core code is closed. It earns a solid mid-table score on the strength of its custody and track record, held back by identity.


The score, broken down

How the 6.6 is built.

Privacy 2.9Trust 2.2Reliability 1.4 Headroom 3.4

Privacy

weight 50%

What identity, data and metadata the service can demand or collect.

58/100

58 × 50% = 2.9 of 10

Trust

weight 30%

Whether it can technically deliver what it claims — code, audits, age.

74/100

74 × 30% = 2.2 of 10

Reliability

weight 20%

Whether the no-KYC claim holds under real-world pressure.

72/100

72 × 20% = 1.4 of 10

Weighted total 6.6 / 10 · no reliability rule triggered, so the score stands. See the rubric →


Every point, sourced

What earned the score.

Privacy

  • +5No routine gov-ID; ID only if a discretionary trigger fires
  • +4Non-custodial: platform never touches fiat rails
  • +-4A verified email account is mandatory to trade
  • +-3Collects IP, approximate location; 5-year AML retention

Trust

  • +7Non-custodial 2-of-3 multisig; ~10 years, no custodial hack
  • +4Recurring third-party security audits
  • +-3Core exchange code is not open source

The fine print, read for you

The clause they bury.

Verbatim — the catch
“If required by applicable law or our internal policies, we may at any time introduce mandatory identification or verification procedures. Failure to complete required verification constitutes a violation of this Agreement and may lead to account suspension or termination.”

What it meansThis is the clause that keeps Hodl Hodl at level 2 rather than 0. "Our internal policies... at any time" is a discretionary trigger: they can require ID on dispute or suspicion, and the privacy policy confirms government-ID is collected when it fires. Because the platform is non-custodial it cannot hold your escrowed coins hostage, but it can suspend your account.

Read the source →
KYC trigger threshold

A verified email account is required up front (so this is not level 0). Government ID is never required routinely, but the terms reserve the right to demand it "at any time" if required by law or their internal policies - in practice, on a dispute or a fraud/suspicion flag. The independent kycnot.me listing reads this harder, as "shotgun KYC" (their level 3).

Policy review — point by point

  • Mandatory email account

    You must create and verify an email account before trading, so the service is not identity-free.

  • Discretionary ID trigger

    The terms reserve the right to require identification "at any time" per law or internal policy; ID is collected on dispute/suspicion.

  • Non-custodial multisig

    Hodlex Ltd holds only one of three keys and cannot unilaterally move escrowed funds.

  • US fully barred

    Current terms restrict the US entirely alongside sanctioned jurisdictions.

Jurisdiction analysis

The operator is Hodlex Ltd, incorporated in the Marshall Islands, with the terms specifying UK governing law and London courts. A Marshall Islands entity with UK governing law is a common offshore structure; combined with a five-year AML data-retention clause and a discretionary ID trigger, it signals a platform that intends to stay on the right side of regulators rather than a censorship-resistant, entity-free project.


We keep watching

Incident & policy timeline.

  1. Nov 2018

    Began blocking US IPs

    Hodl Hodl started blocking US users and offers, an early sign of tightening geographic policy.

    source ↗
  2. Jul 2021

    Security audit finds and fixes two issues

    A hired auditor found a weak-password brute-force path and a front-end vulnerability on the Lend platform that could have exposed payment passwords or keys (reported unexploited); both were fixed, and Hodl Hodl says it runs recurring audits by rotating independent firms.

    source ↗
  3. May 2024

    Blocked US residents from Lend

    Hodl Hodl blocked US residents and citizens from its Lend product, citing a stricter allowed-countries policy. The current terms bar the US entirely alongside sanctioned states.

    source ↗

The verdict

Where it stands.

Strengths

  • Genuinely non-custodial: 2-of-3 multisig, platform holds only one key
  • Around ten years operating with no custodial hack on record
  • Recurring third-party security audits
  • 100+ payment methods; platform never touches fiat

Trade-offs

  • A verified email account is mandatory - not identity-free
  • Terms reserve a discretionary right to demand ID on dispute or suspicion
  • Core exchange code is not open source / community-auditable
  • US users are barred entirely under current terms
  • Complaints about slow support and counterparty time-wasters
Visit Hodl Hodl No affiliate relationship. We link to the official site directly.

Across the internet

What reviewers report.

Consistently praised

  • Non-custodial and safe: no custodial hack in a decade
  • Wide payment-method support and global reach
  • Straightforward multisig escrow that works as described

Recurring complaints

  • Slow or unresponsive support in some reports
  • Counterparty time-wasters and test-payment scam attempts
  • Email account and ID-on-trigger disappoint privacy-first users

Trustpilot sits around 3.4/5. Complaints cluster on counterparty behaviour and support speed rather than the platform stealing or freezing funds - consistent with the non-custodial design. Synthesized from Trustpilot and the independent kycnot.me listing.


Ask the bureau

Hodl Hodl, common questions.

Is Hodl Hodl no-KYC?

Partly. It never requires government ID routinely and is fully non-custodial, but a verified email account is mandatory and the terms reserve the right to demand ID on a dispute or suspicion. We rate it KYC level 2 (KYC-on-trigger), not level 0.

Can Hodl Hodl freeze my funds?

Not your escrowed coins - trades use a 2-of-3 multisig where Hodl Hodl holds only one key and cannot move funds alone. It can suspend your account and, in a dispute, use its key with one party to resolve the 2-of-3.

Does Hodl Hodl work in the US?

No. The current terms bar US residents and citizens entirely, and the Lend product was explicitly blocked to US users in May 2024.

Has Hodl Hodl ever been hacked?

No custodial hack is on record in roughly a decade of operation, which is unsurprising given it never holds pooled customer funds. Audits in 2021 found and fixed some issues.

Your exact case not covered? The live Ask the bureau answers it and turns it into a public FAQ.