Your Exchange Account is a Target
Exchange accounts are high-value targets for attackers. Unlike a self-custody wallet where the attacker needs your seed phrase, an exchange account can potentially be compromised through password theft, SIM swapping, email account takeover, or phishing. Every security feature the exchange offers should be enabled.
Use a Strong, Unique Password
- Use a randomly generated password of at least 16 characters
- This password must be unique — never reused from any other site
- Store it in a reputable password manager (Bitwarden, KeePassXC)
- If the exchange is compromised, a unique password limits the damage to that one account
Enable Two-Factor Authentication (2FA)
2FA is the single most important security feature on your exchange account, but not all 2FA methods are equal: SMS codes are the weakest, because of SIM swapping.
In a SIM-swap attack, attackers call your phone carrier, impersonate you, and have your phone number transferred to a SIM card they control; from then on they receive your SMS 2FA codes. High-value crypto holders are specifically targeted. Switch to TOTP or hardware keys immediately.
Set Up Anti-Phishing Codes
Many exchanges let you set a personal anti-phishing code — a custom word or phrase that appears in every legitimate email from the exchange. If an email claims to be from the exchange but does not contain your code, it is a phishing attempt.
Enable Withdrawal Address Whitelisting
Withdrawal whitelisting restricts withdrawals to a pre-approved list of addresses:
- Even if an attacker gains access to your account, they cannot withdraw to their own address
- Adding a new address to the whitelist typically requires 2FA confirmation and a 24-48 hour waiting period
- This delay gives you time to detect and respond to unauthorized access
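As an added illustration (not code from the original page or any exchange), here is a small Python model of the whitelist control just described: adding an address requires 2FA confirmation, the entry only becomes usable after a waiting period, and removal is immediate, so an owner who reviews the pending list during the delay can cancel an entry they did not add. The 24-hour delay and the address strings are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy value; real exchanges use a 24-48 hour window and their own 2FA flow.
WHITELIST_DELAY = timedelta(hours=24)

@dataclass
class WhitelistEntry:
    address: str
    requested_at: datetime  # when the address was added, after 2FA confirmation

    def is_active(self, now: datetime) -> bool:
        # A new address only becomes usable once the waiting period has elapsed.
        return now - self.requested_at >= WHITELIST_DELAY

class WithdrawalWhitelist:
    """Models the control: withdrawals go only to approved entries past their waiting period."""
    def __init__(self) -> None:
        self._entries: dict[str, WhitelistEntry] = {}

    def add(self, address: str, now: datetime, totp_verified: bool) -> None:
        if not totp_verified:
            raise PermissionError("adding a withdrawal address requires 2FA confirmation")
        self._entries[address] = WhitelistEntry(address, now)

    def remove(self, address: str) -> None:
        self._entries.pop(address, None)  # removal is immediate, so a pending entry can be cancelled

    def pending(self, now: datetime) -> list[str]:
        # Entries still waiting: the ones a login alert should prompt you to review.
        return [a for a, e in self._entries.items() if not e.is_active(now)]

    def can_withdraw(self, address: str, now: datetime) -> bool:
        return (e := self._entries.get(address)) is not None and e.is_active(now)

def simulate_takeover_window() -> dict[str, bool]:
    """Constructed scenario: owner's wallet whitelisted a week ago; an unknown address is added, spotted pending, removed."""
    t0 = datetime(2024, 1, 1, 12, 0)
    own, unknown = "bc1q-owner-wallet-placeholder", "bc1q-unknown-address-placeholder"
    wl = WithdrawalWhitelist()
    wl.add(own, t0 - timedelta(days=7), totp_verified=True)
    wl.add(unknown, t0, totp_verified=True)  # even with 2FA passed, the delay still applies
    results = {
        "owner_wallet_ok": wl.can_withdraw(own, t0),
        "unknown_blocked_immediately": not wl.can_withdraw(unknown, t0),
        "unknown_visible_as_pending": unknown in wl.pending(t0 + timedelta(hours=2)),
    }
    wl.remove(unknown)  # owner acts within the waiting period
    results["unknown_blocked_after_delay"] = not wl.can_withdraw(unknown, t0 + timedelta(hours=48))
    return results
```

Every value in the returned dict is True: the owner's aged address works, the new one is refused before and after the delay because it was removed while still pending.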
Secure Your Email Account
Most exchange account recovery processes rely on email verification. If your email account is compromised, an attacker can reset your exchange password, bypass 2FA, and withdraw funds. Your email account needs the same level of protection as the exchange account itself.
- Use a strong, unique password for your email account
- Enable 2FA on your email (hardware key preferred)
- Consider using a separate email address exclusively for crypto exchanges
- Disable email forwarding rules — attackers sometimes set forwarding to intercept verification emails silently
Session and Device Management
- Regularly review active sessions and recognized devices in your exchange settings
- Remove any devices or sessions you do not recognize
- Enable login notifications so you are alerted when your account is accessed from a new device or location
- Log out of exchange sessions when not actively trading
API Key Security
If you use API keys for trading bots or portfolio trackers:
- Only grant the minimum permissions needed (read-only for portfolio trackers, no withdrawal permission for trading bots)
- Restrict API keys to specific IP addresses when possible
- Rotate API keys periodically
- Revoke keys immediately if a connected service is compromised
What to Do If Compromised
- Immediately: change your password and revoke all active sessions
- Disable API keys and remove any unrecognized withdrawal addresses
- Contact exchange support to lock the account if funds are being withdrawn
- Check your email for unauthorized forwarding rules or connected applications
- Document everything for potential law enforcement involvement
Summary
- Use a strong, unique password stored in a password manager
- Enable TOTP or hardware key 2FA — never rely on SMS alone
- Set up anti-phishing codes and withdrawal address whitelisting
- Secure your email account with the same level of protection
- Review sessions, devices, and API keys regularly
- Act immediately if you suspect any unauthorized access
Remember: the safest approach is to keep only what you need for active trading on the exchange and withdraw the rest to your own wallet.