Why exchange security is your responsibility
Most exchange hacks are not database breaches — they are account takeovers targeting individual users. Phishing emails, SIM-swapping mobile numbers, password reuse across sites, malware on trading computers, and social engineering of customer support are the primary attack vectors. The exchange's security systems are only one layer; your personal security practices are the other.
In 2025, social engineering attacks cost crypto users an estimated $800 million. The targets ranged from retail traders with a few thousand dollars to high-net-worth individuals with eight-figure exchange balances. No balance is too small to attract an attacker, and no user is too sophisticated to fall for a well-crafted phishing attack. This checklist covers every layer of defence.
Choosing a secure exchange
Start security at the platform level. Not all exchanges are equal in security infrastructure:
- Proof of reserves: Choose exchanges that publish monthly cryptographic proof of reserves. Binance, Kraken, and Coinbase all publish reserves audited by third parties.
- Insurance fund and FDIC/SIPC coverage: Coinbase holds USD balances in FDIC-insured accounts up to $250,000. Kraken has a history of transparent cold storage ratios.
- Security incident track record: Check the exchange's history. Binance suffered a $40m hack in 2019 but covered user losses from its SAFU fund. No exchange is unhackable — what matters is how they respond.
- Regulatory compliance: Regulated exchanges face legal obligations to protect user funds. Coinbase and Kraken operate under US money transmission licences. See full reviews: Binance, Coinbase, Kraken.
Strong unique passwords: the baseline
Use a password that is at least 20 characters, randomly generated, unique to each exchange, and stored only in a password manager (Bitwarden, 1Password, or KeePass for offline storage). Never reuse an exchange password anywhere.
Password reuse is catastrophically dangerous in crypto. When a random website's database is breached, credential-stuffing bots automatically test those emails/passwords against every major exchange within minutes. A password unique to your exchange cannot be credential-stuffed.
Two-factor authentication: choose the right method
Two-factor authentication (2FA) is mandatory. But not all 2FA is equal:
- Hardware security key (best): YubiKey or Google Titan Key uses FIDO2/WebAuthn cryptographic authentication. Phishing-resistant — even if you enter your password on a fake site, the hardware key will not authenticate without the real domain. Used by Coinbase, Kraken, and Binance.
- Authenticator app (good): Google Authenticator, Authy, or Raivo OTP generate time-based one-time passwords (TOTP). Not phishing-resistant but far better than SMS. Store the backup seed offline.
- SMS 2FA (avoid for crypto): SMS is vulnerable to SIM-swap attacks — attackers convince your carrier to port your number to their SIM. Dozens of documented $1m+ crypto thefts have been enabled by SIM-swapping. Disable SMS 2FA on all exchanges.
Protecting against SIM-swap attacks
SIM-swapping bypasses your phone entirely. The attacker calls your mobile carrier, impersonates you, and transfers your phone number to a SIM they control. They then receive all your SMS codes.
- Contact your carrier: Set a carrier-level PIN or passphrase on your account. AT&T, Verizon, and T-Mobile offer this — it must be presented in-store or over the phone to make account changes.
- Request a port freeze or SIM lock: Some carriers allow you to freeze number porting. Requires explicit authorisation to unlock.
- Remove phone number from all crypto exchange accounts: If your exchange does not require a phone number, remove it. Phone numbers on exchange accounts are an attack surface.
- Use an authenticator app or hardware key instead of SMS everywhere: This eliminates the SIM-swap attack surface entirely for exchange 2FA.
Recognising and avoiding phishing
Phishing is the most common attack vector. It takes many forms: email claiming your account is compromised, fake exchange websites with near-identical domain names, Telegram messages from "exchange support," Google Ads serving malicious exchange clones, and Discord DMs offering help with a wallet issue.
- Bookmark your exchanges: Always navigate to exchanges via bookmark, not search. Attackers buy Google Ads to rank phishing sites above the real exchange.
- Check the domain carefully: bl1nance.com, coinbase-support.io, and kraken.cx are real phishing domains. Look for subtle character swaps and unusual TLDs.
- Exchanges never DM first: Legitimate exchanges will not send you a Telegram or Discord message unless you initiate contact. Any unsolicited "support" message is a scam.
- Verify email sender headers: Phishing emails often use display names that look official but have unrelated sending domains. Check the full email header.
- Never enter your seed phrase on any website: No legitimate service ever asks for your 12 or 24-word seed phrase online.
API key security
Exchange APIs enable algorithmic trading and portfolio tracking. Compromised API keys are a major attack vector for accounts with significant balances. Best practices:
- Restrict API key permissions to minimum: If your bot only needs to read balances, do not grant trading or withdrawal permissions.
- Always set IP whitelisting: Restrict API access to specific IP addresses. All major exchanges support this. An attacker with your API key cannot use it from an unauthorised IP.
- Disable withdrawal permissions on API keys: Trading bots should never have withdrawal access. This limits damage if a key is compromised.
- Rotate API keys regularly: Create new keys every 90 days and revoke the old ones. This limits the window of exposure if a key was silently stolen.
- Never commit API keys to version control: Use environment variables or secret managers. GitHub public repository scans are a common source of key theft.
Device and network security for traders
Your trading device is the perimeter of your exchange security. Even perfect exchange and password hygiene is defeated by malware on your computer.
- Dedicated trading device: Serious traders keep a separate computer used only for exchange access — no email, no browser extensions, no casual web browsing.
- Keep OS and browser updated: The majority of malware exploits unpatched vulnerabilities. Enable automatic updates.
- Avoid browser extensions in your trading browser: Malicious browser extensions have drained exchange accounts and wallets. Each extension has access to every page you visit.
- Use a VPN on public networks: Never log into exchanges on public WiFi without a VPN. Man-in-the-middle attacks are feasible on open networks.
- Enable full disk encryption: BitLocker (Windows) or FileVault (Mac) prevents physical access to browser-stored session tokens.
Withdrawal address whitelisting
Most major exchanges allow you to whitelist specific withdrawal addresses. Once set, withdrawals are only permitted to those pre-approved addresses. Any new address requires an email confirmation with a 24-hour delay.
Enable whitelist mode on Binance, Kraken, and Coinbase for all significant balances. This single feature eliminates most theft scenarios — even if an attacker gets full account access, they cannot withdraw to an address you haven't pre-approved.
What to do if your account is compromised
- Immediately change your password from a clean device not connected to the compromised session
- Revoke all active API keys from the API management page
- Contact exchange support via the official website (not email — use their live chat or verified phone line)
- Enable account freeze/lock if the exchange offers it
- File a report with local law enforcement (needed for exchange's insurance claim process)
- Check all connected email accounts for compromise — attackers often control the email first
- Inform your mobile carrier of potential SIM-swap and lock your account
Cold storage as the ultimate safety net
Any crypto you don't need for active trading should be in cold storage — a hardware wallet like Ledger or Trezor stored physically offline. On-exchange balances are always at risk from account takeover or exchange failure. For long-term holdings, see our exchange ratings and choose platforms with the strongest security records for any funds that must remain custodial.
This checklist is for educational purposes only. Security best practices evolve rapidly. Always verify current recommendations with your exchange's official security documentation.




