Most large, regulated US exchanges are safe enough to use, and the biggest threat to your money is not the exchange getting hacked. It is you getting tricked into handing over access yourself. That one fact reshapes how you should think about safety in crypto. This hub serves two readers at once: the person deciding whether to trust a platform before they deposit a cent, and the person who has already been targeted and needs to act fast. If you are the second reader, skip ahead to the section on what to do right now. Everyone else, start at the top.

  • The exchange protects its own systems. It does not protect your account from a scammer you let in, and most losses happen that way.
  • Crypto transactions are final. There is no chargeback, which is why "approve this transfer" is the line every scam is built to reach.
  • A real exchange never sends you an unsolicited code with a phone number to call, never asks for your password or recovery phrase, and never tells you to move funds to a "safe wallet."
  • Your recovery phrase is the master key to a self-custody wallet. Anyone who sees it owns your crypto. It is never typed into a website or read aloud to anyone.
  • If you have been scammed, speed matters more than anything: cut off remote access, change passwords from a clean device, switch off text-message 2FA, then report it.
  • "Recovery services" that promise to get stolen crypto back are, in most cases, a second scam aimed at people who were just robbed.

Is your crypto safe? The short answer

A well-run, regulated exchange is reasonably safe to hold and trade on, and the failure mode that actually drains accounts is almost never a server breach. The largest US platforms are public companies or licensed money-services businesses that answer to financial regulators, keep most customer crypto in cold storage offline, and have survived years of attacks without losing those reserves. That track record is real, and it matters.

But "safe" is doing a lot of work in that sentence. An exchange can be well-defended and you can still lose everything in an afternoon. The lock on the front door is strong. The con artist who phones you pretending to be the locksmith is the actual problem. So the honest answer is yes, with a caveat that should change how you behave: the platform protects its own systems, not your decisions. Almost everything else on this page follows from that gap.

The gap exists because of one design choice. Crypto transactions are final. Send Bitcoin to the wrong address, or approve a transfer a fake support agent talked you into, and there is no bank to call and no chargeback to file. That finality is the whole point of the technology, and it is also why scammers prefer crypto to almost any other target. A wire fraud can sometimes be clawed back. A crypto transfer, once confirmed, is gone.

Figure: Five common ways crypto gets stolen: phishing for logins or seed phrases, fake support impostors, SIM-swap attacks on SMS codes, malicious token approvals, and paid recovery scams. Caption: The routes attackers actually use. The through-line: never share your recovery phrase, and treat anyone who contacts you first as a stranger.

What an exchange actually protects, and what it doesn't

Knowing exactly where the protection stops is the most useful safety skill you can learn. Most people assume the protections are broader than they are, and that assumption is what scammers exploit. Here is the line, drawn plainly.

You are protected against:

  • The exchange's servers being breached and cold-storage reserves stolen
  • Loss of the company's own crypto holdings, often partly covered by crime insurance
  • Internal accounting errors on the platform's side
  • US dollar cash balances, up to standard pass-through limits, if the partner bank fails

You are on your own for:

  • Anyone who gets your password and 2FA code, even if you handed them over
  • A scammer who talks you into sending crypto to their address
  • Crypto sent to the wrong address or a fake "support" wallet
  • The crypto itself, which is not covered by federal deposit insurance

Two points trip up almost everyone, and both are worth slowing down on.

First, federal deposit insurance covers US dollar cash held at a partner bank, not your crypto. If you have read that your funds are "FDIC insured," that applies to uninvested cash at the partner bank, and it pays out only if that bank fails. It does nothing if a token's price crashes, and nothing if your coins are stolen through your own login. Crypto on an exchange is not a federally insured deposit, full stop.

Second, the crime insurance some exchanges carry covers the company being robbed, not you being conned. If you approve a transaction, even under pressure from a fake support agent, most policies treat that as your authorized action. Read the exclusions, not the headline. The phrase that matters in those documents is some version of "losses arising from the user's own credentials," and that is exactly the category most scams fall into. The money is gone and no one reimburses it.

This is not a flaw unique to one company. It is how the system works. The protection an exchange offers is real but narrow, and the narrow part is where scammers live.

Has your exchange been hacked? What the breaches actually were

The big US exchanges have been hit, more than once, and it is worth being precise about how, because the pattern tells you where to spend your own effort. Early attacks often turned on text-message 2FA, where criminals hijacked a phone number to intercept the login code and drain accounts. Later incidents included a breach at one of the largest US exchanges that did not come from cracking the company's servers at all. It came from people. An overseas support contractor was reportedly bribed to hand over customer data, which scammers then used to impersonate the exchange and trick users into moving their own funds.

A word on how to read those reports. When a company files a securities disclosure or issues a statement, that is a verified fact. When a third party claims a specific cause or dollar figure before the company confirms it, that is an allegation, and the two deserve different weight. I will not print a breach count or a cost figure that is not nailed to a primary source, and you should be wary of any safety page that throws around precise numbers without one. The shape of these incidents is well established. The exact tallies often shift as investigations close.

Read the pattern twice, because it holds for the whole beat. In the breaches that cost users real money, the exchange's cold-storage reserves were not what got taken. The cold storage held. What failed was the human layer: a bribed contractor, a stolen phone number, a convincing phone call. The lesson is not "exchanges are unsafe." It is that the attack has moved from the vault to your phone, and your defenses need to move with it.

How do you spot a crypto scam? The red flags

Almost every crypto scam, whatever its costume, leans on the same small set of pressure tactics. Learn the tactics and you stop needing to recognize each new script, because they all rhyme. If a message, call, or "opportunity" carries any of these signs, treat it as a scam until you have proven otherwise through a channel you chose yourself.

The red flags that give a crypto scam away:

  • A guaranteed or unusually high return. No real investment guarantees profit. "Earn 2% a day" is not a strategy, it is the oldest line in fraud.
  • Pressure to act now. A pending withdrawal, an account "under attack," a deal that closes in minutes. Urgency exists to stop you from checking.
  • An unsolicited contact. A text, DM, call, or email you did not start, especially one that already knows your name or that you hold crypto.
  • A request for your recovery phrase, password, or 2FA code. No legitimate party ever needs these. Ever.
  • A request to install remote-access software so someone can "help" or "secure your account."
  • An instruction to move your crypto to a "safe wallet," "vault," or "cold storage" that someone else set up or controls.
  • Payment that must be in crypto, and only crypto, for something that has nothing to do with crypto: a tax bill, a job fee, a fine, a romantic partner's emergency.
  • A stranger who builds a relationship first, then introduces an investment. This is the romance-and-investment pattern, slow by design.
  • A platform or app you cannot independently verify, reached only through a link someone sent you.

Naming the common types makes each easier to spot in the moment. Impersonation scams pose as your exchange, your bank, a government agency, or a tech-support line. Investment and "pig butchering" scams build trust over days or weeks, often through a dating app or a wrong-number text, then steer you into a fake trading platform that shows fake gains until you try to withdraw. Giveaway and airdrop scams promise free crypto if you first "verify" your wallet by connecting it or sending a small amount. Phishing copies a real login page to harvest your password and 2FA. Fake apps and browser extensions mimic a real wallet to capture your recovery phrase the moment you enter it. Different costumes, the same handful of tactics underneath.

The "withdrawal code" scam, and how it works

This is the most common and most expensive trap aimed at exchange users right now, and almost no safety guide explains it. So here it is, step by step, because recognizing the script in real time is what saves your money.

It usually starts with a text. The message claims a withdrawal or a large transaction is pending on your account and includes a code along with a phone number to call if you did not authorize it. You did not authorize it, so naturally you call. The number connects you to someone calm and professional who says they are from the exchange's security team. They already seem to know your name and that you have an account, which makes the whole thing feel legitimate. That information often came from a data breach, not from any real access to your account.

From there the script runs in a predictable order:

  1. The "agent" tells you your account is under attack and they need to secure it immediately.
  2. They ask you to install remote-access software so they can "help," or they walk you through steps on your own screen.
  3. They get you to read out a real code, reset something, or approve a transfer, framing each move as a security measure.
  4. They direct you to move your crypto to a "safe wallet" or "vault" for protection. That wallet is theirs.
  5. The funds leave your account as an action you appeared to authorize, which is exactly why insurance will not cover it.

Here is the rule that makes the scam fall apart: a real exchange will never send you an unsolicited code together with a phone number to call. A legitimate security code is something you request to log in or to confirm an action you started, never something pushed to you with a "call us" number attached. And no real support agent asks you to install remote-access software, asks for your password or recovery phrase, or tells you to move your crypto to a different wallet to keep it safe.

The moment anyone asks you to install remote-access software, read out a code, or move your crypto to a "safe wallet" they describe, you are not talking to your exchange. Hang up. Do not call the number in the text. If you want to check your account, type the exchange's address into your browser yourself, or open the official app, and log in directly.
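The red flags listed earlier and the withdrawal-code script just described both reduce to a handful of signals that can be checked mechanically. The following is an added example, not code from the article or from any exchange: a small screening function that applies those signals to an inbound text message and reports which ones it tripped. The sample messages are constructed for illustration (the 555-01xx phone number is a reserved fictional number), and the patterns are deliberately broad, so a hit means "verify through a channel you chose", not proof of fraud.

```python
import re
from typing import Dict, List

# Building blocks for the "unsolicited code plus a number to call" pattern.
# A legitimate code notice contains a code but no callback number.
CODE_RE = re.compile(r"\b\d{6,8}\b")
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b")
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)

# One pattern per red flag from the list above.
RED_FLAGS: Dict[str, re.Pattern] = {
    "asks_for_secret": re.compile(
        r"(recovery|seed)\s+phrase|\bpassword\b|private\s+key|\b2fa\b.*\bcode\b", re.I),
    "remote_access": re.compile(
        r"remote[\s-]?access|screen[\s-]?shar\w*", re.I),
    "safe_wallet_move": re.compile(
        r"(safe|secure|new)\s+(wallet|vault)|(move|transfer)\s+your\s+(funds|crypto|assets|coins)", re.I),
    "urgency": re.compile(
        r"immediately|urgent|right now|under attack|suspended|within\s+\d+\s+(minutes|hours)", re.I),
    "guaranteed_return": re.compile(
        r"guarantee\w*|\d+\s*%\s*(a|per|every)\s*(day|week)|risk[\s-]?free", re.I),
}


def screen_message(text: str) -> List[str]:
    """Return the sorted list of red-flag names the message triggers."""
    hits = [name for name, pattern in RED_FLAGS.items() if pattern.search(text)]
    # The withdrawal-code script: a code you never requested, a number to call,
    # and an instruction to call it. All three together is the tell.
    if CODE_RE.search(text) and PHONE_RE.search(text) and CALL_RE.search(text):
        hits.append("code_plus_callback")
    return sorted(hits)


# Constructed sample messages; none of these is a real text from any company.
SAMPLE_MESSAGES: Dict[str, str] = {
    "withdrawal_code_text": (
        "ALERT: A withdrawal of 0.85 BTC is pending on your account. Authorization "
        "code 593810. If you did not request this, call our security team "
        "immediately at 800-555-0142."),
    "fake_agent_script": (
        "This is account security. Your account is under attack. Please install "
        "the remote access app so I can help, then move your crypto to the secure "
        "vault we set up for you."),
    "investment_pitch": (
        "Hi, wrong number? Anyway, my trading group earns a guaranteed 3% per day, "
        "risk free. Want in?"),
    "legitimate_code_notice": (
        "Your verification code is 847213. It expires in 10 minutes. Do not share "
        "it with anyone."),
}


if __name__ == "__main__":
    for label, message in SAMPLE_MESSAGES.items():
        flags = screen_message(message)
        print(f"{label}: {flags if flags else 'no red flags found'}")
```

The legitimate notice contains a code and still passes, because it offers nothing to call and asks for nothing; the scam text fails on the combination, not on any single word. That is the same test the article gives in prose: a code you did not request, arriving with a number to call, is the signature.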

How do you secure your account? 2FA, SIM swaps, and the settings that matter

Most account takeovers are preventable with a few settings most people never touch. None of this is hard, and the payoff is large. The single highest-value change is fixing how you receive your second factor.

Two-factor authentication, or 2FA, means logging in takes two things: something you know, your password, and something you have, a one-time code. The problem is where that code comes from. Text-message codes are the weakest form, because a criminal can steal your phone number through a SIM swap and receive your codes directly. In a SIM swap, the attacker contacts your mobile carrier, poses as you, and convinces a representative to move your number to a SIM in their possession. From that moment, your calls and texts, including 2FA codes, go to them. You may not notice until your own phone loses signal.

The fix is to stop relying on text messages for anything that protects money. An authenticator app generates codes on your device itself, so there is nothing for a SIM swap to intercept. Better still is a hardware security key, a small physical device you tap or plug in to approve a login. A hardware key cannot be phished, copied, or intercepted remotely, which makes it the strongest second factor an exchange offers. If your platform supports one, use it.

Then add a SIM PIN with your phone carrier. This is a short passcode that stops anyone from moving your number to a new device without it, which shuts down the SIM-swap attack at the source. It takes a few minutes to set up and almost no one does it.

On the exchange itself, turn on address allowlisting if it is offered. This restricts withdrawals to crypto addresses you have pre-approved, so even an attacker inside your account cannot send funds to a new one. If your exchange offers a vault feature with delayed, multi-step withdrawals, use it for funds you are not actively trading; the built-in delay gives you time to cancel a withdrawal you did not start. And use a long, unique password stored in a password manager, never one you reuse. A reused password means one breached website hands an attacker the keys to your exchange.
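The two account controls just described, address allowlisting and a delayed vault withdrawal, are easiest to understand as a policy the platform enforces before any funds move. The following is an added example written for this page, not code from any exchange: a toy model of that policy. Account names, balances, the placeholder addresses and the 24-hour delay are assumptions chosen for illustration; real products differ in their exact rules.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

VAULT_DELAY_SECONDS = 24 * 60 * 60  # assumed delay; real vault features vary


@dataclass
class PendingWithdrawal:
    address: str
    amount: float
    executes_at: int          # Unix time at which the delay has elapsed
    cancelled: bool = False
    executed: bool = False


@dataclass
class Account:
    trading_balance: float
    vault_balance: float
    allowlist: Set[str] = field(default_factory=set)
    pending: List[PendingWithdrawal] = field(default_factory=list)

    def withdraw_trading(self, address: str, amount: float) -> str:
        """Immediate withdrawal from the active-trading balance, but only to a
        pre-approved address. Someone inside the account who pastes in a fresh
        address of their own is refused before any balance check."""
        if address not in self.allowlist:
            return "refused: address not on allowlist"
        if amount > self.trading_balance:
            return "refused: insufficient trading balance"
        self.trading_balance -= amount
        return "sent"

    def request_vault_withdrawal(self, address: str, amount: float,
                                 now: int) -> Optional[PendingWithdrawal]:
        """Vault withdrawals respect the allowlist too, then sit in a delay
        window instead of leaving at once. The amount is earmarked so it
        cannot be double-spent while pending."""
        if address not in self.allowlist or amount > self.vault_balance:
            return None
        request = PendingWithdrawal(address, amount, executes_at=now + VAULT_DELAY_SECONDS)
        self.vault_balance -= amount
        self.pending.append(request)
        return request

    def cancel(self, request: PendingWithdrawal) -> bool:
        """The owner sees a withdrawal they did not start and cancels it before
        the delay runs out; the earmarked amount returns to the vault."""
        if request.executed or request.cancelled:
            return False
        request.cancelled = True
        self.vault_balance += request.amount
        return True

    def process(self, now: int) -> int:
        """Executes every pending request whose delay has elapsed and was not
        cancelled. Returns how many were executed."""
        executed = 0
        for request in self.pending:
            if not request.cancelled and not request.executed and now >= request.executes_at:
                request.executed = True
                executed += 1
        return executed


if __name__ == "__main__":
    # Constructed walkthrough: a hardware-wallet address is allowlisted; a new
    # address an attacker would add is not.
    acct = Account(trading_balance=1.0, vault_balance=5.0,
                   allowlist={"bc1-owner-hardware-wallet-PLACEHOLDER"})
    print(acct.withdraw_trading("bc1-unknown-address-PLACEHOLDER", 0.5))
    print(acct.withdraw_trading("bc1-owner-hardware-wallet-PLACEHOLDER", 0.5))
    req = acct.request_vault_withdrawal("bc1-owner-hardware-wallet-PLACEHOLDER", 2.0, now=0)
    print("executed after one hour:", acct.process(now=3600))
    print("cancelled in time:", acct.cancel(req), "vault balance:", acct.vault_balance)
```

The point of the model is the ordering: the allowlist check happens before anything else, and a vault request does nothing irreversible until the delay expires, which is exactly the window in which a withdrawal you did not start can be cancelled. Neither control helps if the owner is the one approving the transfer, which is the gap the next paragraph describes.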

What none of this protects you from is the scam where you do the work yourself. A hardware key will not save you if a fake agent talks you into approving a transfer. Settings harden the lock. They do not change the fact that you can still be talked into opening the door.

How do you keep your recovery phrase safe?

If you move crypto off an exchange and into a wallet you control, you take on one new responsibility that outweighs all the others: protecting your recovery phrase. A recovery phrase, also called a seed phrase, is the list of 12 or 24 words a crypto wallet generates when you set it up. Those words are the master key. Anyone who has them can rebuild your wallet on their own device and take everything, no password needed. Lose them, and if your device fails you cannot recover your own funds. There is no reset link and no support line that can restore them for you.

So the rules around a recovery phrase are stricter than for anything else in crypto, and they are worth stating without hedging.

Never type your recovery phrase into a website, a chat box, an email, or any app other than your wallet's own setup screen. Never read it aloud, never photograph it, and never store it in your phone, your email, a notes app, or a cloud account. No legitimate wallet, exchange, or support agent will ever ask for it. Anyone who asks is trying to steal your crypto.

The safe way to store a recovery phrase is offline and physical. Write it on paper, or stamp it into a metal backup plate made for the purpose, and keep it somewhere private and protected from fire and water. Some people split the words across two locations so no single place reveals the whole phrase. The common mistake is treating these words like a password you can save in a manager or screenshot for convenience. A password protects an account that can be reset. A recovery phrase protects assets that cannot. Treat it like the deed to a house and a stack of cash combined, because that is closer to what it is.

A hardware wallet raises the bar further by keeping the keys on a device that never connects to the internet, so even malware on your computer cannot reach them. But the recovery phrase still exists, and it is still the one thing that, if leaked, undoes all of it. The device protects the keys in daily use. You protect the phrase.

What to do right now if you've been scammed

If money just left your account, or you realize mid-call that something is wrong, the next hour matters more than anything else you will read here. Work through these steps in order. Speed beats perfection, and acting fast on the steps you can do beats freezing while you read about the ones you cannot.

  1. Cut off remote access first. If you installed any software an "agent" told you to install, turn off your Wi-Fi or unplug your network connection, then uninstall that software. While they hold remote access, they can undo anything you do next and watch you do it.
  2. Change your exchange password from a different, trusted device if you can. Then change the password on the email account tied to your exchange, because whoever controls your email can reset everything else.
  3. Switch off text-message 2FA and turn on an authenticator app or hardware key. Text-based codes are what most of these attacks exploit. Moving to an authenticator app or a physical security key closes that door.
  4. Lock down everything that touches your money. Freeze or pause your exchange account through official channels, contact your bank and card issuer to flag fraud and stop any linked transfers, and place a fraud alert with the credit bureaus.
  5. Report it. File a report with the FBI's Internet Crime Complaint Center at ic3.gov and with the Federal Trade Commission at reportfraud.ftc.gov. Report the incident to the exchange through its official site, never through a number a "support agent" gave you.
  6. Write down everything while it is fresh. Save the texts, the phone number, any wallet addresses funds went to, transaction IDs, and timestamps. That record is what investigators and your bank will ask for, and details fade fast.

Be clear-eyed about outcomes. Because crypto transactions are final, reporting rarely recovers the money, and I will not pretend otherwise. What it does is create a paper trail, help authorities track patterns across many victims, and occasionally freeze funds before they are cashed out. Report anyway. The honest reason is that it sometimes helps the next person more than it helps you, and the people tracking these networks need the data.

After a loss, you may be contacted by a crypto "recovery service" that promises to get your stolen funds back. In the large majority of cases, this is a second scam targeting people who were just robbed, and the FBI has flagged it directly. They ask for an upfront fee, or for access to your accounts, then they vanish or take what is left. No legitimate service guarantees recovery of stolen crypto, and no real investigator asks for payment in crypto to start. If someone contacts you out of the blue offering to recover your money, treat it as the trap it almost certainly is.

Is it safe to leave crypto on an exchange for the long term?

For trading, an exchange is the right tool. For long-term holding, it is the riskier choice, and the reason comes straight from everything above. While your crypto sits on an exchange, its safety depends on the platform's defenses and, far more often, on your account never being compromised. The longer it sits, the more chances a scammer has to reach you, and the more it is worth their effort to try.

The common approach among experienced holders is to keep on the exchange only what you are actively trading, and move the rest into self-custody, typically a hardware wallet you control. That shifts the responsibility onto you, including the duty to protect your own recovery phrase, which carries its own risks if you are careless. But it removes the exchange, and any phone call impersonating it, from the picture entirely. The choice is not self-custody versus exchange as a single verdict. It is a split: an active-trading balance on a platform like Coinbase, and the long-term holdings somewhere only you can reach. If you are new to where to buy and hold in the first place, the buying crypto hub covers that ground before this one. The point is to make the call deliberately, not to leave a life-changing sum parked on an exchange by default.

How to tell if any exchange is safe: a checklist

The same questions work for any platform, not just the one you are looking at today. New platforms launch constantly, and a checklist outlasts any single review. Before you trust an exchange with real money, get clear answers to these five.

  • Is it regulated and registered? Look for registration as a money-services business and licenses in the regions it serves. A platform like Coinbase is a public company that files with the SEC, which means its finances and incidents face outside scrutiny. A faceless offshore platform faces none of that, and that absence is itself an answer.
  • Where is customer crypto held? The answer you want is that the large majority sits in cold storage, offline, with a qualified custodian. Hot wallets connected to the internet should hold only what is needed for daily operations. If a platform cannot tell you, that silence is the answer.
  • What does its insurance actually cover, and exclude? Find out whether any policy covers a company breach, then confirm what it does not cover, which is almost always losses from your own credentials being compromised. Read the exclusions, not the marketing line.
  • What 2FA options does it support? A serious exchange offers authenticator apps and hardware security keys, not just text-message codes. The range of options on offer tells you how the company thinks about security. An exchange that supports only text-message codes is behind, and it is telling you so.
  • What is its track record, and how did it handle past incidents? Every large exchange has faced attacks. The question is whether reserves were protected and whether the company was honest and fast when something went wrong. How a platform behaved on its worst day is worth more than how it markets itself on its best.

Run any platform through those five questions and you will know more than most people who deposit on it. Safety in crypto is not a single yes-or-no verdict. It is a set of habits, and the strongest habit is assuming the next "support agent" who contacts you is a scammer until you have proven, through a channel you chose, that they are not.