The single biggest risk in cryptocurrency isn’t market volatility — it’s losing access to your funds through hacks, phishing, or simple mistakes. While the major exchanges we cover have strong infrastructure security, your account is only as secure as the practices you put around it. Here’s a practical guide to protecting yourself.
The fundamental principle: “Not your keys, not your coins”
Before we dive into exchange security, understand the most important principle in crypto: if you don’t control the private keys to your wallet, you don’t truly own the crypto.
When you hold crypto on an exchange, you’re trusting that exchange to honour your withdrawal requests. If the exchange is hacked, goes bankrupt, gets seized by regulators, or simply locks your account, you may lose access to your funds — sometimes permanently.
For long-term holdings, the safest option is a hardware wallet (Ledger or Trezor) under your sole control. Exchanges should be used for active trading and short-term holdings, not as a savings account.
That said, most people do keep meaningful balances on exchanges. Here’s how to do it as safely as possible.
Step 1: Enable proper two-factor authentication
This is non-negotiable. Without 2FA, your account is one phishing email away from being drained.
The hierarchy of 2FA methods, from worst to best:
- SMS 2FA: Better than nothing, but vulnerable to SIM swap attacks, in which an attacker convinces your phone carrier to move your number to a SIM they control, and to any phishing page that simply asks you for the code. Never use SMS as your primary 2FA for crypto.
- Authenticator app (Google Authenticator, Authy, or any other TOTP app): Much better. Codes are generated on your device from a secret shared with the exchange, so a SIM swap gets the attacker nothing. They are not phishing-proof, though: a lookalike site can ask for the current code and relay it to the real exchange within the 30-second window. If your app syncs secrets to the cloud, your cloud account becomes part of your 2FA security.
- Hardware security key (YubiKey, Google Titan): Best. The key must be physically present to log in, and the signed login response is bound to the real site’s domain, so a lookalike site gets a signature the real exchange will never accept. That origin binding is what makes it phishing-resistant, not the physical token alone.
If your exchange supports hardware keys (Coinbase, Kraken, Binance, OKX, and Bitstamp all do), use them. The $50 cost is trivial compared to the protection they provide.
Step 2: Use a unique, strong password
Your exchange password should be:
- At least 16 characters and randomly generated by your password manager, not composed by hand (a mix of upper case, lower case, numbers, and symbols comes for free that way)
- Never reused anywhere else — if any other service you use is breached, attackers will try those credentials on every major exchange
- Stored in a password manager (1Password, Bitwarden, etc) — never in a browser, text file, or your head
If you’ve been reusing passwords, check Have I Been Pwned to see if your email has appeared in known breaches. If it has, change every password that used the breached one — especially for crypto accounts.
Step 3: Enable withdrawal whitelisting
Most major exchanges allow you to maintain a list of approved withdrawal addresses. Once you enable this feature, withdrawals can only be sent to addresses on your whitelist. Even if an attacker gains control of your account, they can’t send funds to their own wallet unless they can first turn the whitelist off or add an address, which is why exchanges gate those changes behind 2FA and a waiting period.
When you add a new address to the whitelist, most exchanges enforce a 24-48 hour cooling-off period before withdrawals to that address are allowed. Combined with a settings-change alert, this gives you time to notice and react if an attacker is trying to add their address.
This single feature blocks the most common outcome of an account takeover: an immediate withdrawal to the attacker’s address. Turn it on for every exchange you use.
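The following is an added example, not code from the original page or from any exchange, that models the whitelist-plus-cooling-off rule on the exchange side and walks through the takeover timeline the text describes: the owner whitelisted a hardware wallet a week ago, an attacker with a hijacked session adds their own address and tries to withdraw immediately. The 24-hour period, the addresses and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed cooling-off period for this example; the text cites 24-48 hours, exchanges set their own.
COOLING_OFF = timedelta(hours=24)


@dataclass
class WhitelistEntry:
    address: str
    added_at: datetime


@dataclass
class WithdrawalPolicy:
    """Exchange-side model of address whitelisting with a cooling-off period."""
    enabled: bool = True
    entries: dict = field(default_factory=dict)  # address -> WhitelistEntry

    def add_address(self, address: str, now: datetime) -> None:
        # On a real exchange this step is itself gated by 2FA and fires a settings-change alert.
        self.entries[address] = WhitelistEntry(address, now)

    def remove_address(self, address: str) -> None:
        self.entries.pop(address, None)

    def check_withdrawal(self, address: str, now: datetime) -> tuple:
        """Return (allowed, reason). Only whitelisted addresses past their cooling-off pass."""
        if not self.enabled:
            return True, "whitelist disabled: any address allowed"
        entry = self.entries.get(address)
        if entry is None:
            return False, "address not on whitelist"
        active_at = entry.added_at + COOLING_OFF
        if now < active_at:
            hours_left = (active_at - now).total_seconds() / 3600
            return False, f"cooling-off in progress, {hours_left:.1f}h left"
        return True, "whitelisted, cooling-off complete"


def takeover_scenario() -> dict:
    """Constructed timeline of an account takeover against a whitelisted account."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    owner_addr = "bc1qownerhardwarewalletexample"   # constructed, not a real address
    attacker_addr = "bc1qattackerexample"            # constructed, not a real address

    policy = WithdrawalPolicy()
    policy.add_address(owner_addr, t0 - timedelta(days=7))   # owner set this up last week
    policy.add_address(attacker_addr, t0)                    # attacker adds theirs now
    five_min = t0 + timedelta(minutes=5)

    results = {
        "owner_withdraw_now": policy.check_withdrawal(owner_addr, t0),
        "attacker_withdraw_5min_later": policy.check_withdrawal(attacker_addr, five_min),
        "withdraw_to_unlisted": policy.check_withdrawal("bc1qunlistedexample", t0),
        # If nobody reacts, the address becomes usable once the period ends.
        "attacker_after_cooloff_unnoticed": policy.check_withdrawal(attacker_addr, t0 + COOLING_OFF),
    }
    # The owner sees the settings-change alert two hours in and removes the entry.
    policy.remove_address(attacker_addr)
    results["attacker_after_owner_removed"] = policy.check_withdrawal(attacker_addr, t0 + COOLING_OFF)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in takeover_scenario().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The `enabled` flag is the weak point: the whole scheme only holds if disabling the whitelist is at least as hard as adding an address, so check that your exchange applies the same 2FA and waiting period to that switch.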
Step 4: Configure all available security alerts
Major exchanges provide multiple alert options:
- Login notifications: Email or SMS alert whenever your account is accessed
- New device alerts: Notification when login occurs from an unrecognised device
- Withdrawal notifications: Alert for every withdrawal attempt
- API key creation alerts: Critical. A key with only trade permission can still be used to drain an account: the attacker trades your balance into an illiquid pair against their own orders and walks away with the proceeds on their side. No withdrawal ever happens on your account, so withdrawal alerts never fire
- Settings change alerts: Notification when 2FA, password, or whitelisting is modified
Enable all of these. The minor email volume is worth the security visibility.
Step 5: Anti-phishing codes
Many exchanges (Binance, OKX, KuCoin, Bitget) offer anti-phishing codes — a custom phrase that legitimate emails from the exchange will always include. If you receive an “official” email without your anti-phishing code, it’s a phishing attempt.
Set up an anti-phishing code that’s unique to you and hard to guess. Don’t use anything an attacker could find on your social media.
Step 6: Beware of phishing
Phishing is the single most common way individual accounts are compromised. Common phishing vectors:
- Fake emails pretending to be from your exchange, asking you to “verify” your account or “claim” a reward
- Lookalike websites at domains like binnance.com or kraken-login.com
- Social media DMs from accounts pretending to be customer support
- Fake browser extensions that intercept logins
- SMS messages claiming suspicious activity and including a “login link”
Rules to live by:
- Always type the exchange URL manually or use a bookmark you created yourself. Never click email links to log in.
- Check the domain name in the address bar, not the padlock. Phishing sites get valid HTTPS certificates for free, so the padlock only tells you the connection is encrypted. What matters is that the domain is exactly the one you expect, with no misspellings, extra words, or unexpected parent domains (kraken.com.something.net is not kraken.com).
- Customer support never asks for your password, 2FA codes, or seed phrases. If anyone does, they’re an attacker.
- Be skeptical of urgency; phishing relies on creating panic. “Your account will be deleted in 24 hours unless you verify” is a reliable sign of a phishing attempt.
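As an added example (not from the original page), here is the kind of check a bookmark-only habit performs in your head, written out as code: it extracts the registrable domain from a URL, compares it against a short allowlist of exchange domains, and flags the typosquats and brand-in-subdomain tricks the text describes, plus punycode hostnames and plain-http links. The allowlist and sample URLs are constructed, and the two-label domain extraction is a simplification that a public-suffix list would replace in a real tool.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the registrable domains you actually use (assumption: these are
# the canonical domains; build your own list from bookmarks you created yourself).
KNOWN_DOMAINS = {"binance.com", "kraken.com", "coinbase.com"}

# Constructed URLs, including the two lookalikes mentioned in the text.
SAMPLE_URLS = [
    "https://www.binance.com/en/login",
    "https://binnance.com/login",
    "https://kraken-login.com/",
    "https://kraken.com.secure-verify.net/login",
    "https://xn--binnce-c0a.com/",
    "http://coinbase.com/",
]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname ('www.binance.com' -> 'binance.com').
    Assumption: two-label public suffixes only; use a public-suffix list for .co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (verdict, reason): legitimate, insecure, suspicious, lookalike or unknown."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        if parts.scheme != "https":
            return "insecure", f"{domain} is a known domain but the link is plain http"
        return "legitimate", domain
    if "xn--" in host:
        # Internationalised label: homoglyph attacks (Cyrillic letters that look Latin) land here.
        return "suspicious", f"punycode hostname {host}"
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in host:
            # Brand name present, but the part that actually decides who owns the site differs.
            return "lookalike", f"contains '{brand}' but registrable domain is {domain}"
        distance = levenshtein(domain.split(".")[0], brand)
        if distance <= 2:
            return "lookalike", f"'{domain}' is {distance} edit(s) away from '{known}'"
    return "unknown", domain


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, reason = classify(url)
        print(f"{url:48} {verdict:10} {reason}")
```

The edit-distance threshold is a heuristic and will occasionally flag unrelated short domains; that is the right failure direction for a tool whose job is to make you stop and look.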
Step 7: Watch out for SIM swap attacks
A SIM swap attack involves an attacker convincing your phone carrier to transfer your number to a SIM card they control. Once they have your number, they can:
- Receive SMS 2FA codes
- Use phone-based account recovery
- Receive password reset links
Defences against SIM swap:
- Use authenticator apps or hardware keys instead of SMS 2FA (covered above)
- Add a port-out PIN with your phone carrier that’s required for any SIM changes
- Don’t link your real phone number to crypto accounts where avoidable. Consider a dedicated number through Google Voice or a similar service for account verification, and remember that such a number is only as safe as the account that controls it, so protect that account with a hardware key too.
Step 8: Be careful with API keys
If you use API keys for trading bots or portfolio trackers:
- Use unique keys for each application — never reuse
- Restrict permissions to only what’s needed (read-only for portfolio trackers, no withdrawal permission for trading bots)
- Whitelist IP addresses if your application uses a fixed IP
- Rotate keys regularly and delete unused keys
- Never share API keys with anyone — and never paste them into a Discord, Telegram, or “support” chat
Recent attacks have specifically targeted users running automated trading on KuCoin and Binance through compromised API keys.
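To show what “restrict permissions” and “whitelist IP addresses” actually buy you when a key leaks, here is an added example, not code from the original page or any exchange’s real API: a generic model of an HMAC-signed exchange API in which each key carries a permission scope and an optional IP allowlist, with the server checking IP, freshness, signature and scope in that order. The endpoint names, the signing format (method, path, timestamp and body under HMAC-SHA256), the 30-second skew limit, the IPs and the secret are all constructed; real exchanges use their own formats.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    secret: bytes
    permissions: frozenset   # subset of {"read", "trade", "withdraw"}
    ip_allowlist: frozenset  # empty means any source IP (the weaker configuration)


# Constructed endpoint names and the permission each one needs.
ENDPOINT_PERMISSION = {
    ("GET", "/v1/balances"): "read",
    ("POST", "/v1/order"): "trade",
    ("POST", "/v1/withdraw"): "withdraw",
}
MAX_CLOCK_SKEW = 30  # seconds; bounds how long a captured request stays replayable (assumed)


def sign(secret: bytes, method: str, path: str, timestamp: int, body: str) -> str:
    msg = f"{method}\n{path}\n{timestamp}\n{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(key: ApiKey, method: str, path: str, params: dict, now: int) -> dict:
    """Client side: canonical JSON body so client and server sign identical bytes."""
    body = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return {"key_id": key.key_id, "method": method, "path": path, "timestamp": now,
            "body": body, "signature": sign(key.secret, method, path, now, body)}


def authorize(keys: dict, request: dict, source_ip: str, now: int) -> tuple:
    """Server side: key lookup, IP allowlist, freshness, signature, then permission scope."""
    key = keys.get(request["key_id"])
    if key is None:
        return False, "unknown key"
    if key.ip_allowlist and source_ip not in key.ip_allowlist:
        return False, "source IP not on key's allowlist"
    if abs(now - request["timestamp"]) > MAX_CLOCK_SKEW:
        return False, "stale timestamp (replay?)"
    expected = sign(key.secret, request["method"], request["path"],
                    request["timestamp"], request["body"])
    if not hmac.compare_digest(expected, request["signature"]):
        return False, "bad signature"
    needed = ENDPOINT_PERMISSION.get((request["method"], request["path"]))
    if needed is None:
        return False, "unknown endpoint"
    if needed not in key.permissions:
        return False, f"key lacks '{needed}' permission"
    return True, "ok"


def leaked_key_scenario() -> dict:
    """Constructed: a trading bot's key (read+trade, pinned to the bot host's IP) leaks."""
    bot_key = ApiKey("bot-key-1", b"constructed-secret-not-real",
                     frozenset({"read", "trade"}), frozenset({"203.0.113.10"}))
    keys = {bot_key.key_id: bot_key}
    t = 1_700_000_000
    trade = build_request(bot_key, "POST", "/v1/order",
                          {"pair": "BTC-USD", "side": "buy", "qty": "0.1"}, t)
    withdraw = build_request(bot_key, "POST", "/v1/withdraw",
                             {"address": "bc1qattackerexample", "amount": "1.0"}, t)
    tampered = dict(trade, body=trade["body"].replace('"0.1"', '"10"'))  # body edited after signing
    return {
        "bot_trade_from_bot_host": authorize(keys, trade, "203.0.113.10", t),
        "attacker_trade_from_elsewhere": authorize(keys, trade, "198.51.100.7", t),
        "attacker_withdraw_from_bot_host": authorize(keys, withdraw, "203.0.113.10", t),
        "tampered_body": authorize(keys, tampered, "203.0.113.10", t),
        "replayed_trade_10min_later": authorize(keys, trade, "203.0.113.10", t + 600),
    }


if __name__ == "__main__":
    for name, (ok, reason) in leaked_key_scenario().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

Note what the scope does not stop: a leaked trade-only key used from the allowlisted host can still place orders, which is the trading-based drain described under the API key alert above. The IP allowlist and the alerts are what shrink that window; the missing withdraw permission is what keeps the funds on the exchange.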
Step 9: Use a clean device for crypto
This is more extreme advice but worth knowing:
- Avoid using public WiFi for crypto exchange access
- Keep your computer’s OS and browser updated — old software has known vulnerabilities
- Consider a dedicated browser profile for crypto, with no extensions installed
- Never click email links to crypto sites from a device that has your wallet
- Be cautious with browser extensions — many malicious extensions impersonate legitimate ones
For high-value holdings, a dedicated, hardened computer used only for crypto activity is the gold standard.
Step 10: Plan for the worst
Even with all of the above, things can go wrong. Plan ahead:
- Document your accounts (which exchanges, what email is associated with each) in a secure location — not on your computer or in cloud notes
- Tell a trusted family member how to access your accounts in case of emergency — without giving them your passwords directly
- Consider what happens if you die — without a plan, your crypto holdings could be lost forever
- Test your recovery methods before you need them — make sure password resets, 2FA backup codes, and recovery emails actually work
Bottom line
Cryptocurrency security is a habit, not an event. The handful of practices above — strong unique password, hardware 2FA, withdrawal whitelisting, anti-phishing codes, and phishing awareness — will protect against the vast majority of attacks. They take an hour to set up and could save you everything.
For large holdings, move long-term funds to a hardware wallet under your sole control. Exchanges are for trading; hardware wallets are for holding.