How to Choose a Legitimate Crypto Exchange

Thinking about buying crypto? Here’s how to choose an exchange that is safe and legitimate.

By
&
Tom Blackstone
Gabe TurnerChief Editor
Last Updated on Mar 30, 2022
By Tom Blackstone & Gabe Turner on Mar 30, 2022
The content on this page is provided for informational purposes only. Security.org does not offer financial or investment advice, nor does it advise or encourage anyone to buy, sell, or trade cryptocurrency. It is advised that you conduct your own investigation as to the accuracy of any information contained herein as such information is provided “as is” for informational purposes only. Further, Security.org shall not be liable for any informational error or for any action taken in reliance on information contained herein.

With the recent rise in cryptocurrency prices and popularity, many investors are becoming interested in crypto for the first time. But many folks also fear losing their crypto from exchange hacks and scams.

In the past, users have lost millions of dollars worth of crypto from using exchanges that had bad security or were outright scams.

For example, in 2017, Korean exchange BitKRX was discovered to be a fake exchange that stole users’ deposits.1 In Canada, QuadrigaCX was also revealed to be a Ponzi scheme in 2019.2

So you may wonder how you can tell the difference between a legitimate exchange and an unsafe or fake one. Thankfully, there are some surefire ways to sniff out the risky exchanges and stay safe while investing in crypto.

In this guide, I’ll explain exactly what to look out for when shopping for an exchange. I’ll go over reimbursement policies, security procedures, identity verification, and other issues. And I’ll touch on everything you need to know to decide whether a crypto exchange is legitimate.

Now let’s discuss the most important issue to look out for when choosing a cryptocurrency exchange: reimbursement policies.

Has the Exchange Reimbursed Users for Hacks?

Running a cryptocurrency exchange is an especially risky business. If an attacker circumvents an exchange’s security, the thief can transfer crypto into his own wallet, making it very difficult to trace.

By contrast, stock and forex exchanges don’t allow users to withdraw stocks or foreign currency. So the only threat these exchanges face is the danger of an attacker withdrawing cash through the banking system. In this case, the attacker can likely be tracked down by following their path through the banking network.

But this is usually impossible when a crypto exchange is hacked.

This simple fact makes providing security for a crypto exchange more difficult than for other types of exchanges. And because of this unique threat, even completely legitimate exchanges sometimes get hacked. For example, Binance, Bitfinex, Kucoin, and Crypto.com are all reputable exchanges that have suffered hacks in the past.

Did You Know: Getting hacked is not necessarily evidence that an exchange is illegitimate. But if a legitimate exchange gets hacked because of its own security flaws, it will always reimburse users who lost crypto due to the hack.

The reputable exchanges usually have a reserve fund set aside in case there is a major attack. This fund is used to make sure that users can always withdraw their funds. Binance calls their fund the Secure Asset Fund for Users (SAFU). And other exchanges have similar funds with different names.

In still other cases, the exchange may simply have to pay back users out of its own profits over time.

For example, Bitfinex experienced a major attack in 2016, losing over $70 million worth of Bitcoin. The company didn’t have the capital to reimburse users with Bitcoin or cash immediately, so it reduced each user’s account by 36% and issued BFX tokens as compensation for the loss. These BFX tokens represented the 36% debt owed to users.

In the following year, Bitfinex bought back all of the tokens and fully compensated users for their losses.

The Bitfinex hackers were finally caught in February 2022, and most of the stolen Bitcoins were recovered.3

In another example, Kucoin suffered a breach in 2020 and lost $280 million worth of cryptocurrency. The exchange managed to recover 84% of the stolen crypto, and it reimbursed users for the other 16% from an insurance fund.4

If an exchange has a policy of reimbursing users, you can bet it will try its best to protect itself against attacks, as reimbursements will come directly out of its bottom line. So if an exchange has a history of reimbursing users, this provides strong evidence that it is legitimate and safe.

FYI: Some exchanges have never been hacked. For example, hackers have never been able to circumvent the security of Bitpanda, Kraken, or Coinbase. In these cases, the fact that they have never been hacked also shows strong evidence that they are safe exchanges.

Now let’s consider some standard security practices that all legitimate exchanges will follow.

Does the Exchange Practice Standard Security Procedures?

Because of the unique risks that crypto exchanges face, there are certain standard security practices that each of them should follow. Here are a few of the most important ones to keep in mind.

Most funds are stored in cold wallets

If an exchange has most of its crypto in “hot wallets” on devices connected to the internet, this can allow an attacker to more easily steal the exchange’s crypto (compared to cold wallet storage). This can lead to massive losses and even bankruptcy.

Sure, an exchange always hopes that it’ll never be hacked. But truly safe exchanges also try to take steps to minimize the damage should an attack succeed.

Did You Know: A hot wallet is an account whose private key is stored on an internet-connected device, like a laptop or a mobile phone. By contrast, a cold wallet is an account whose private key is stored on a device with no internet access, like a piece of paper or a USB device. A cold wallet is the more secure option for long-term storage, but exchanges need hot wallets to handle withdrawals for users.

If an exchange has the vast majority of its crypto in cold wallets, then only a small amount can be lost in a hot-wallet hack. This is an effective way of minimizing the damage from a successful attack.

Figuring out how much crypto an exchange should keep online requires some balancing of tradeoffs. If an exchange doesn’t keep enough crypto in hot wallets, users may face delays when trying to withdraw. But most exchanges can get by with the vast majority of their crypto in cold wallets.

In fact, Coinbase has stated that 98% of its customers’ funds are stored off-line in cold wallets.5

FYI: Are you wondering what a “wallet” is? Be sure to check out our Beginner’s Guide to Crypto Wallets to learn all about hot and cold wallets, and how to choose the best one for you.

So if you want to know if an exchange is legitimate, look for a statement of its policy on cold wallet storage. And remember, a safe exchange will store a large amount of its crypto off-line, away from the hands of any possible attackers.

2FA is available

Hackers routinely try to gain access to users’ email accounts. So users need to have a way to protect themselves from total loss if their email account gets hacked.

This is where 2FA comes in. If you enable 2FA, you’ll be required to enter a code from your phone anytime you log in or make a withdrawal. This should help to prevent a hacker from resetting your exchange password if they get access to your email account.

All legitimate exchanges will offer some form of 2FA. Some will make 2FA mandatory, while others will simply allow it as an option.

FYI: Ideally, an exchange should give you the option of using Google Authenticator or another authenticator app to receive your 2FA code, instead of making you receive your code through a text message. A text message can be intercepted by an attacker if he manages to transfer your phone service to his own phone. So authenticator apps are generally safer than SMS.

You may also want to consider what the process is for resetting your 2FA if you lose your phone. If the exchange requires you to upload identity documents to reset your 2FA, this provides strong protection against an attacker being able to reset it. But if the exchange allows you to reset your 2FA with just an email confirmation and a waiting period, this is much easier for an attacker to circumvent.

An illegitimate or unsafe exchange may not offer 2FA at all. So if an exchange does offer the option, this provides at least some evidence that it’s legitimate and safe.

Other security practices

In addition to allowing 2FA and keeping most crypto in cold wallets, there are many other security practices that the major exchanges use to keep your crypto safe. Here is a list of some of the most important ones.

  • Notify you by email when a withdrawal is about to be made
  • Delay a withdrawal if it is to an address you’ve never used before
  • Block withdrawals for a period of time if you reset your password or email
  • Ensure cash accounts with a third party
  • Use SSL (https) on all pages
  • Use SQL injection filters to stop attackers from stealing data
  • Store passwords as hashes instead of text
  • Require employees with access to the database to encrypt their hard drives

These are a few of the practices to keep in mind when deciding whether a crypto exchange is legitimate and safe.

Now let’s talk about the crypto laws and regulations in the U.S. and how this affects the legitimacy of exchanges.

Registration With FinCEN

If you live in the U.S., consider checking the exchange to see if it has a money transmitter license with the Financial Crimes Enforcement Network (FinCEN).

Since 2013, FinCEN has been requiring cryptocurrency exchanges to obtain this license. In order to gain the license, the exchange needs to list its address, its owner, which states it operates in, and other general information. This is an important crypto regulation in the U.S.

Did You Know: Operating an exchange without a license can lead to fines or even jail time for the exchange’s owners. So any legitimate exchange is likely to acquire a license in order to avoid these risks.

If an exchange doesn’t have this license, this may be because it doesn’t want to do business with U.S. residents or because it is an offshore exchange that doesn’t realize it needs a license. But it also may not have a license because it’s a scam — and the owners simply don’t want to be identified.

So the lack of a money transmitter license is a red flag to watch out for. And you may want to avoid exchanges that lack this license.

Most legitimate exchanges will post their license on their website somewhere. But if you can’t find it, you can always use the official MSB Registrant Search page to confirm whether it exists or not.

Depending on what state you live in, the exchange may also need a license in your state. I’ll explain that more in the next section.

Registration With Your State

Ever since Bitcoin was first launched, U.S. states have wrestled with the question of how to regulate cryptocurrency. Is cryptocurrency a form of money, and should crypto exchanges be treated like PayPal, Western Union, or other money services businesses? Some states think so, but others say that crypto is not money at all and should be treated more like a regular consumer good.

Regardless of which side of this debate your state falls on, a crypto exchange that offers its services to you can face stiff penalties if it does so without following the laws in your state.

For example, Florida requires crypto exchanges to get a money services business license with the state government. Otherwise, an exchange that operates without this license can be forced to pay a fine of $100 per day for each day it has been in business.6

Given such a penalty, any reputable exchange that is available in Florida will probably have a license.

And the same is true for many states. If your state requires a license, an honest and safe exchange that serves users from your state will probably have this license. If it doesn’t, it might be a scam. So if it’s not following your state’s laws, you may want to consider avoiding the exchange until you’re able to confirm that it is indeed safe.

Did You Know: Crypto laws and regulations vary from state to state. Our guide to crypto legality by state can help you stay above-board and in-the-know throughout your investment journey.

Exchange Does Identity Verification

In the U.S., money transmitter services are required to verify the identity of their users. And since FinCEN regards crypto as “decentralized virtual currency,” this means that all centralized crypto exchanges in the U.S. have to verify their users’ identity to comply with the law.

This doesn’t mean that all legitimate crypto exchanges require identity verification. Some exchanges are headquartered offshore and have a policy of not accepting U.S. users. If you try to access one of these offshore exchanges with a U.S. IP address, you’ll see a warning that tells you the exchange doesn’t accept U.S. users.

Some of the most popular and reputable international exchanges fit into this category, including Binance, Bitfinex, OKX, and others.

But if you run across an exchange that officially accepts U.S. users, yet doesn’t require identity verification even for large purchases, this may be a sign that the exchange is fake.

This kind of exchange is likely to draw the attention of U.S. FinCEN. And in order to protect themselves, the exchange’s executives may need to hide their real identities or operate an office out of an unlisted address.

But the problem is that this very circumstance may make it hard to determine whether the business is a scam or not.

The following two sections will go into these issues in more detail. But for now, just note that if an exchange does not do identity verification, you may want to avoid it until it can straighten out its legal issues.

Pro Tip: Be sure to read our full report on How to Protect Your Crypto to learn about 2FA and other ways to help stay safe while investing in crypto.

Address Is Clearly Stated

If you are determined to use an offshore exchange that is not licensed in the U.S., one way to tell the difference between a scam exchange and a real one is that the real ones tend to have publicly declared office addresses.

binance address
The address for Binance

If the exchange’s country doesn’t require it to have a money transmitter license, the country may still require it to have a business license. And this license may state the office address of the company. In this case, the company is less likely to be a scam because scammers generally won’t want authorities showing up at their office asking questions.

Pro Tip: Beware exchanges with fake addresses. Some countries may have lax enforcement when it comes to checking business licenses. So a listed address on a business license doesn’t guarantee that the exchange’s office is actually located there.

Even if an exchange has a publicly declared address, and this address really does house the exchange’s office, this doesn’t do much good if the executives who work for the exchange are mysterious figures known only by their Twitter handles. So another important factor to consider is whether the exchange’s executives are doxxed.

Exchange’s Executives Are Public-Facing

One of the biggest risk factors to look out for on offshore exchanges is whether the team members are public-facing or not. If an exchange’s executives are only known by pseudonyms, this may be because they are planning to drain the exchange of funds and run off with the money.

Legitimate exchanges will usually have a list of executives available on Crunchbase, Datanyze, ICOBench, LinkedIn, or some other business-oriented site or on their own website.

okx team
The OKX team , listed at Datanyze

If no one knows who runs the exchange, you may want to avoid it, just to be safe.

Even if you find an exchange that is completely legitimate though, this still doesn’t mean that it’s the right exchange for you. So the next section will discuss a few things to keep in mind when choosing between multiple legitimate exchanges.

Factors Other Than Legitimacy

Finding legitimate exchanges is the first and most important step in choosing one. But there are other factors you may want to consider as well. Here are a few important ones.

Coin selection

Even if an exchange is legitimate and safe, it may not have the coins you want. Some exchanges carry a wide variety of coins, including ones with low market-caps or low liquidity. But other exchanges are more conservative and only offer the top coins.

If you only plan to purchase Bitcoin, Ethereum, or other large market-cap coins, the coin selection of the exchange may not matter to you much. But if you’re looking for new and exotic cryptos, you may want to only consider exchanges with a larger coin selection.

In the U.S., Coinbase has the largest selection, with over 9,000 different coins available. Kraken and Crypto.com also have more than 100 coins each. So if coin selection is important to you, you may want to pick from one of these.

Fees

Even if an exchange is legitimate, its fees may be too high for your purposes. This is especially important if you are a frequent trader because it can significantly eat into your trading profits if they are too high.

In the U.S., some exchanges with very low fees include Crypto.com, Binance.US, and Kraken. So if fees are the most important factor to you, one of these exchanges may be the best for you.

Deep Dive: Want to take a deeper dive and get more tips on how to choose an exchange? Check out our complete rundown of Buying Crypto Safely in the U.S.

Deposit and withdrawal methods

Another factor to consider when choosing between equally legitimate exchanges is deposit and withdrawal methods. If you tend to make small and infrequent crypto purchases, you may want to go with an exchange that offers debit card deposits and PayPal withdrawals.

Debit cards are the fastest way to buy crypto. They’ll allow you to get crypto into your wallet in a matter of minutes. By contrast, ACH and wire transfers can take several days to be confirmed.

On the other hand, debit cards are also the most expensive way to buy crypto, especially for large purchases. So if you tend to make crypto purchases of hundreds or even thousands of dollars at a time, this feature may not be important to you.

PayPal withdrawal may also be an important feature if you sometimes need to dip into your savings to pay bills or deal with emergencies. In this case, you’ll be able to deposit crypto in your exchange, sell it, and have cash in your PayPal account within minutes. Without this feature, you may need to wait for a day or longer to receive your cash.

Still, some users rarely, if ever, have to sell their crypto to pay for personal needs. So if you don’t anticipate needing this feature, it may not be important to you.

In the U.S., debit card deposits are available at Coinbase, Binance.US, CEX.io, Coinmama, and eToro. Coinbase is the only U.S. exchange that currently offers PayPal withdrawals. Read our Coinbase review and Binance U.S. review for more info about these exchanges.

Wrapping Up

So that’s how to choose a legitimate crypto exchange. To recap, here are some factors to consider when trying to determine if an exchange is legitimate:

  • It has a history of reimbursing users when it has been hacked (or it’s never been hacked)
  • It keeps the vast majority of its crypto in a cold wallet
  • It allows you to enable 2FA
  • It practices other standard security habits (like alerting you when withdrawals are made)
  • It’s registered with FinCEN as a money services business
  • It’s following the laws in your state
  • It does identity verification
  • It has a clearly stated address
  • Its executives are public-facing

If an exchange does most or all of the things on this list, it’s probably legitimate (but of course, none of this can guarantee it’s not a scam).

Once you’ve got a list of legitimate exchanges, you can narrow down your search to the exchanges that have features you care about, like coin selection, low fees, and convenient withdrawal and deposit methods.

That way, you can stay safe and get the features you want in a crypto exchange at the same time. In other words, you can have your crypto cake and eat it, too!

Citations
  1. Coin Telegraph. (2017, Dec 25). South Korean Government Concerned With Scams in Bitcoin Market, Fake Exchanges.
    cointelegraph.com/news/south-korean-government-concerned-with-scams-in-bitcoin-market-fake-exchanges

  2. Reuters. (2020, Jun 11). Canadian cryptocurrency firm collapsed due to Ponzi scheme by late founder, regulator says.
    reuters.com/article/us-crypto-currencies-quadriga/canadian-cryptocurrency-firm-collapsed-due-to-ponzi-scheme-by-late-founder-regulator-says-idUSKBN23I3AF

  3. The United States Department of Justice. (2022, Feb 8). Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency.
    justice.gov/opa/pr/two-arrested-alleged-conspiracy-launder-45-billion-stolen-cryptocurrency

  4. Coin Telegraph. (2020, Nov 11). KuCoin recovered 84% of stolen crypto after $280M hack, says co-founder.
    cointelegraph.com/news/kucoin-recovered-84-of-stolen-crypto-after-280m-hack-says-co-founder

  5. Coinbase. (2022). SECURITY FOR YOUR PEACE OF MIND.
    coinbase.com/security

  6. The Florida Senate. (2006). 2006 Florida Statutes.
    flsenate.gov/Laws/Statutes/2006/560.117