The crypto market is open and largely unregulated, making it a prime target for scammers. This guide covers 8 of the most common fraud types to help you stay safe.
Phishing sites are fake pages that mimic legitimate exchanges or wallet websites almost perfectly. Scammers distribute links via search engine ads, spoofed emails, or social media to lure users into entering their credentials — at which point their funds are immediately stolen.
The most common technique is making tiny changes to the domain name: replacing the letter "l" with the number "1", adding extra hyphens (e.g. binance-pro.com), or using a different top-level domain (.net instead of .com). Some advanced phishing pages even have valid HTTPS certificates, so a green padlock alone is not proof of legitimacy.
The most effective defence against phishing is to access your exchange only through bookmarks you set up yourself, never by clicking links in emails, Telegram messages, or social media posts.
Scammers on Telegram, Twitter/X, and Discord impersonate official exchange support staff and proactively contact users. A common trigger: you post a question in an official community, and within minutes a "staff member" sends you a private message.
The ultimate goal is almost always to extract your seed phrase or private key, or to have you transfer funds to a "verification" address. Real exchange support will never initiate DMs and will never ask for your password or seed phrase.
Another variant is the "screen-sharing" scam: the fake agent asks you to install remote-control software (like TeamViewer or AnyDesk) to "help fix" your issue, then uses it to transfer your funds.
High-yield scams promise stable daily returns of 1–5%, often claiming to use "arbitrage bots" or "quantitative strategies" for risk-free profit. In reality, these are Ponzi schemes: early investors are paid using funds from new investors, creating a facade of profitability until the scheme collapses and operators disappear with everyone's money.
Typical red flags: suspiciously stable returns regardless of market conditions, inability to withdraw principal freely, forced referral requirements, anonymous or vague project teams, and no verifiable trading records.
In crypto, Ponzi schemes appear in many forms: DeFi "high-APY" liquidity pools, mining rig "hosting" services, "AI trading" platforms, and traditional MLM structures.
Fake airdrop scams typically lure victims with "connect your wallet to claim free tokens." When you connect and sign the transaction, you are actually authorizing a malicious contract that drains your wallet. Some scams impersonate real projects' official airdrops using lookalike domains and cloned social accounts.
"Celebrity giveaway" scams are also widespread: fake posts impersonating Elon Musk, CZ, or other figures claim "send 1 BTC, receive 2 BTC back." These flood YouTube livestreams, Twitter, and Telegram. Victims have lost hundreds of millions of dollars collectively.
An exchange exit scam occurs when platform operators disappear with users' funds. These typically happen on small, unregulated exchanges with no clear legal entity. The pattern: the platform attracts deposits with high rebates or low fees → withdrawal functionality "goes under maintenance" → the website goes dark and operators vanish.
The FTX collapse (November 2022) was one of the largest exchange disasters in history, with over $10 billion in user funds misappropriated. It reminded the industry that even larger platforms carry risk — choosing regulated exchanges with Proof of Reserves is essential.
Top regulated exchanges like Binance, OKX, Bybit, and Bitget are licensed in multiple jurisdictions, undergo third-party audits, publish Proof of Reserves, and have multi-year histories of transparent operation, making them the safest options available. Starting with a verified platform is the single most effective way to avoid exit scams.
"Not your keys, not your coins." This phrase captures a core truth of crypto: your seed phrase (the 12 or 24 words used to generate all your private keys) gives whoever holds it complete control over your wallet. Protecting it is non-negotiable.
For large holdings, a hardware wallet (such as Ledger or Trezor) is the safest storage method. Private keys are stored on an offline chip; even if your computer is infected with malware, the hardware wallet remains secure. Small amounts for daily use can stay in software wallets, but your main holdings should be kept offline.
Your seed phrase must be backed up physically — handwritten on paper or engraved on a metal plate. Never photograph it, screenshot it, or store it in cloud services. Once a seed phrase is exposed, a wallet can be emptied in seconds, and blockchain transactions are irreversible.
Two-factor authentication (2FA) adds a second layer of protection beyond your password. Even if your password is compromised, an attacker cannot log in without the second factor. It is one of the most basic and effective security measures for exchange accounts.
Use Google Authenticator, Authy, or a hardware security key (YubiKey) as your second factor. Avoid SMS-based 2FA — attackers can perform a SIM swap attack to transfer your phone number to a device they control, bypassing SMS verification entirely.
When setting up 2FA, always securely back up the recovery codes in the same way as your seed phrase (physical backup). If you lose your phone without recovery codes, your account may be permanently inaccessible.
API keys allow third-party software (trading bots, portfolio trackers, tax tools) to access your exchange account. If a key is leaked or misconfigured with too many permissions, an attacker can place orders on your behalf or — if withdrawal permission is enabled — transfer your funds out directly.
Many users paste API keys into untrusted third-party tools, or hard-code them into public code repositories (GitHub). These are the most common exposure paths. Once a key appears online, automated scanners typically find and exploit it within minutes.
Best practices: grant minimum necessary permissions (never enable withdrawals), restrict to an IP whitelist, rotate keys regularly, and never hard-code keys in source code.
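As an added example (not from the original guide), the script below checks the practices just listed from the defender's side: it audits exchange API key records for withdrawal permission, a missing IP whitelist and overdue rotation, and scans source lines for hard-coded key assignments, using string entropy to skip obvious placeholders. The key records, their field names, the 90-day rotation window, the variable-name pattern and the sample source are all constructed assumptions; real exchanges expose key metadata in their own formats.

```python
"""API key hygiene audit and hard-coded key scan (added example)."""
import math
import re
from datetime import date

MAX_KEY_AGE_DAYS = 90          # assumed rotation policy
TODAY = date(2024, 6, 1)       # fixed "now" so results are reproducible

# Constructed key records in a hypothetical exchange export format.
SAMPLE_KEYS = [
    {"label": "tax-tool", "permissions": {"read"},
     "ip_whitelist": ["203.0.113.7"], "created": date(2024, 5, 1)},
    {"label": "old-bot", "permissions": {"read", "trade", "withdraw"},
     "ip_whitelist": [], "created": date(2023, 12, 1)},
]


def audit_key(key: dict, today: date = TODAY) -> list[str]:
    """Return the hygiene rules a key record violates (empty list = clean)."""
    findings = []
    if "withdraw" in key["permissions"]:
        findings.append("withdrawal permission enabled")
    if not key["ip_whitelist"]:
        findings.append("no IP whitelist")
    if (today - key["created"]).days > MAX_KEY_AGE_DAYS:
        findings.append("key older than rotation window")
    return findings


# Assignments such as API_SECRET = "..." ; the name pattern is an assumption.
SECRET_ASSIGN = re.compile(
    r'(?i)\b(api[_-]?(?:key|secret)|secret[_-]?key)\b\s*[:=]\s*["\']([A-Za-z0-9+/=_-]{20,})["\']')


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholder strings like 'xxxx' score near 0."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def find_hardcoded_keys(source: str, min_entropy: float = 3.5) -> list[tuple[int, str]]:
    """Return (line number, variable name) for likely real keys in source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SECRET_ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            hits.append((lineno, m.group(1)))
    return hits


SAMPLE_SOURCE = '''import os
API_KEY = "aB3dE7gH9jK2mN4pQ6rS8tU1vW5xY0zA"   # constructed, not a real key
api_secret = os.environ["EXCHANGE_API_SECRET"]   # correct: read from env
API_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx"          # placeholder, low entropy
'''
```

Run `find_hardcoded_keys(SAMPLE_SOURCE)` as a pre-commit hook and `audit_key` over an exported key list; only the constructed line 2 should be reported, and only the "old-bot" key should fail the audit.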
Registering on a top regulated exchange, completing KYC, and enabling 2FA are the three most basic steps to protect yourself. Cex101 has compiled a full comparison of the world's leading exchanges to help you find the right platform.