
How to Tell If a Crypto Exchange Is Safe
I've been in this industry for the better part of a decade, and the question I get asked most is some version of "is this exchange safe?" The honest answer is that the question itself is framed wrong. "Safe or not" is a feeling, and feelings don't protect a wallet — evidence does. This lesson breaks the whole job of deciding whether to keep money on a platform into two things: 8 red flags you can spot without any technical knowledge, and a 5-step checklist where every step is something you can do yourself. By the end you won't need to ask anyone. You'll be able to check.
Introduction: stop asking "is it safe," ask "how do I check"
The case files in my archive — FTX, Mt.Gox, Luna — are all stories about "after the fall." But what readers actually need is the checkup sheet for "before the fall": how do I know whether a platform has a problem before I put money on it? This lesson is that sheet.
Start with one counterintuitive fact: for the large majority of exchanges that blow up, the problem was publicly checkable before they blew up. The balance sheet that put 40% of Alameda's assets in FTX's own FTT token was reported in public by CoinDesk; before BitForex vanished with customer funds, people had already traced its multi-account wash trading on-chain; in the year before Hotbit shut down, its executives were summoned by law enforcement and some funds were frozen, all of which was publicly reported. The problem was never that the information didn't exist. The problem was that nobody went looking. What this lesson is really trying to do is make you willing to spend ten minutes looking.
It comes in three parts. First, 8 red flags you can recognize at a glance, no hands required. Then, 5 steps that do require a little hands-on work but where no single step takes more than a few minutes. Finally, the most common situation of all — what to do when you check and find nothing at all.
I. 8 publicly checkable red flags
These 8 aren't ordered by severity. They're ordered by how fast you can spot them. The earlier ones take seconds; the more of them an exchange hits, the harder you should turn around.
Red flag 1 · Promises of fixed returns, "guaranteed profit"
Anything advertising "1% daily," "30% APY, principal-protected," or "guaranteed gains" on its homepage — rule it out first. Crypto prices are violently volatile; no legitimate platform can guarantee a fixed return. A platform that promises fixed high yields is structurally a Ponzi: it pays the "interest" of earlier participants out of the principal of later ones, until it can no longer recruit new money. This is the oldest and most reliable filter there is.
Red flag 2 · You must pay a "tax / margin / unfreezing fee" before you can withdraw
This is the signature move of a withdrawal scam. A legitimate exchange only deducts the on-chain network fee (the miner fee) from your own assets when you withdraw — it will never ask you to "send money to the platform first to unlock your withdrawal." The moment you see scripts like "your account is flagged, pay a 20% margin to unfreeze" or "withdrawals require tax clearance first," you can essentially conclude that a phishing or Ponzi operation is harvesting its last round.
Red flag 3 · No self-verifiable Proof of Reserves (PoR)
After FTX, the industry default is that major exchanges publish Proof of Reserves on a regular cadence, and do so using a Merkle tree so that users can verify for themselves that "my balance is actually counted in the total reserves." Binance, OKX, Bybit and others now publish on a monthly cadence and provide a self-check entry point. If an exchange can't produce even one self-verifiable proof of reserves — only a line like "funds are all in cold storage, very safe" — the credibility of that line is zero. FTX said exactly the same thing.
Red flag 4 · The reserves are mostly the exchange's own token
This is the most expensive lesson FTX left the whole industry. If a large part of an exchange's "reserves" is the platform token it issued itself, those reserves are hollow — the moment the platform is in trouble, its own token goes to zero first, and there's simply no buyer on the other side. When you look at a proof of reserves, focus on how much of it is "hard money" like BTC, ETH, USDT, and USDC versus how much is the exchange's own token. The higher the latter, the more dangerous.
Red flag 5 · Extremely low download count and rating count in the app stores
BitoPro's official anti-fraud guide gives a genuinely useful quick test: go to the App Store or Google Play, check the download count and the number of ratings, and treat any platform with fewer than 100 ratings as a strong candidate for a pirated app or a freshly built operation. The logic is simple — a platform with hundreds of thousands or millions of real users cannot have a two-digit rating count in the app stores. This is the one thing clone sites and Ponzis can't hide.
Red flag 6 · You can't find the legal entity, place of incorporation, or any license
A legitimate exchange states its operating entity and place of incorporation in the site footer or an "About us" page, and most also list the regulatory licenses or compliance status they hold (even if it's just an MSB registration somewhere). If an exchange hides all of this — if you can't even find a company name that maps to the real world — that's not modesty, it's a deliberate choice not to let you look.
Red flag 7 · Support only reaches you via Telegram DMs and "signal groups"
If an exchange's "support" mainly reaches you through Telegram private messages, chat groups, or a "mentor giving trade signals" — adding you proactively, teaching you how to place orders, pushing you to deposit — that is almost the standard script of a pig-butchering scam. Real exchange support is a passive ticket system. It does not add you to teach you how to get rich.
Red flag 8 · A very new domain, a name that piggybacks on a major exchange
Many clone operations pick a name that looks a lot like a top exchange (one extra letter, a different suffix) while the domain itself was registered only a few months ago. A single whois or Wayback lookup reveals the domain's age. A platform that was set up recently and whose name seems designed to make you mistake it for some big exchange deserves extra caution. Part two below covers how to check a domain's age.
Among these 8, hitting any one of red flags 1, 2, or 7 is basically grounds to walk away without checking further — they appear almost exclusively in scams. Red flags 3, 4, 5, 6, and 8 are "risk signals": hitting one or two means raise your guard and keep verifying; hit three or more and you should stop hesitating.
II. The 5-step hands-on checklist (with tools)
The red flags are "take a look." This part is "do something." For each step I've written down exactly which tool to use and what result to look for. The whole thing takes under fifteen minutes.
Step 1 · Check the app stores
Search the exchange's name in the App Store and Google Play and look at: the download tier, the rating count, and the date of the most recent reviews. A two-digit rating count, reviews that are all bot-style five-stars, or an exchange you can't find an official app for at all — only a webpage telling you to "download the installer" — gets bounced immediately. Cross-check that the developer name matches the official one; clone apps routinely use near-identical names to slip through.
Step 2 · Check the domain age
Use any whois lookup tool to see the domain's registration date, or use archive.org (the Wayback Machine) to see when the domain was first archived. A platform that wants you to deposit money but whose domain was registered only a few months ago is a clear deduction. While you're there, glance at the historical snapshots to see whether the domain used to be something else (some exit-scam operations buy second-hand domains).
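The domain-age check from this step, combined with the lookalike-name check from red flag 8, as an added example (not code from the original article). The whois excerpt is constructed, and the 180-day cutoff and the one-character edit-distance threshold are assumptions:

```python
import re
from datetime import datetime, timezone

# Constructed whois excerpt; field labels differ between registries.
SAMPLE_WHOIS = """Domain Name: BINANSE-PRO.EXAMPLE
Creation Date: 2024-11-02T09:14:55Z
"""
# Registrable domains of the exchanges named on this page.
OFFICIAL = {"binance": "binance.com", "okx": "okx.com", "bybit": "bybit.com"}

def domain_age_days(whois_text, now):
    """Whole days since 'Creation Date', or None when no date is found."""
    m = re.search(r"^\s*Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text, re.I | re.M)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - created).days

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Brand that a registrable domain (no subdomain) imitates, or None."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL.values():
        return None
    parts = [p for p in re.split(r"[-_0-9]+", domain.split(".")[0]) if p]
    for brand in OFFICIAL:
        if any(edit_distance(p, brand) <= 1 for p in parts):
            return brand  # one extra/changed letter, or same name on another suffix
    return None

def assess(domain, whois_text, now, min_age_days=180):  # cutoff is an assumption
    findings = []
    age = domain_age_days(whois_text, now)
    if age is None:
        findings.append("no parsable creation date")
    elif age < min_age_days:
        findings.append(f"domain is only {age} days old")
    if (brand := lookalike_of(domain)):
        findings.append(f"name resembles {brand}")
    return findings
```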
Step 3 · Check the proof of reserves
Find the "Proof of Reserves / PoR" page on the official site. The point is not "does this page exist" but whether you can verify it yourself — a major exchange gives you an entry point where, after entering or logging in, you can confirm your own balance is included in the Merkle tree. Then look at the composition: the ratio of hard money (BTC/ETH/USDT/USDC) to the exchange's own token. A single static screenshot, no self-check entry point, or reserves dominated by the platform's own token are all warning signs. You can also cross-reference the on-chain data via DeFiLlama's exchange reserves page.
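What "confirm your own balance is included in the Merkle tree" means mechanically, as an added example that is not any exchange's own code. It uses a simplified Merkle sum tree; the leaf format, hashing layout, padding convention and ledger are assumptions constructed for illustration, and each exchange documents its own format:

```python
import hashlib

EMPTY = ("0" * 64, 0)  # padding node for odd-sized levels (assumed convention)

def leaf_node(account_id, balance):
    """Leaf = (hash, balance); this record format is an assumption."""
    return hashlib.sha256(f"{account_id}:{balance}".encode()).hexdigest(), balance

def parent_node(left, right):
    """Parent commits to both child hashes and both child sums."""
    data = f"{left[0]}:{left[1]}|{right[0]}:{right[1]}".encode()
    return hashlib.sha256(data).hexdigest(), left[1] + right[1]

def build_levels(leaves):
    """Exchange side: every level of the tree, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)
        levels.append([parent_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Exchange side: sibling nodes on the path from leaf `index` to the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], "L" if sibling < index else "R"))
        index //= 2
    return proof

def verify_inclusion(account_id, balance, proof, root):
    """User side: recompute the root from my own balance and the proof."""
    node = leaf_node(account_id, balance)
    for sibling, side in proof:
        if sibling[1] < 0:
            return False  # a negative sum would shrink total liabilities
        node = parent_node(sibling, node) if side == "L" else parent_node(node, sibling)
    return node == tuple(root)

# Constructed ledger: (account id, balance in the asset's smallest unit).
LEDGER = [("acct-a", 50), ("acct-b", 120), ("acct-c", 30)]
LEVELS = build_levels([leaf_node(a, b) for a, b in LEDGER])
ROOT = LEVELS[-1][0]  # published root: (hash, total liabilities)
```

A passing check only shows that your balance is counted in the liabilities total carried by the root; that total still has to be compared against reserves the exchange can be shown to hold.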
Step 4 · Check regulatory and warning lists
See whether the licenses the exchange claims can actually be found on the corresponding regulator's official site (the license number has to match — a logo alone doesn't count). More important is the reverse: check whether it has appeared on a regulator's warning list. Hong Kong's SFC, for example, publishes an "Alert List of unlicensed activity and suspicious virtual asset trading platforms," and many exchanges that later blew up can be found on lists like this after the fact. Searching "[exchange name] + warning / risk notice / investigation" also surfaces a fair amount of public reporting.
Step 5 · Check the on-chain reserve addresses
If the exchange has published its reserve wallet addresses, use a block explorer (such as Etherscan or Tronscan) or Arkham to see whether those addresses actually hold as much as it claims, and whether there have been unusual large outflows at odd times. Exchanges that blow up often show abnormal large consolidations or outflows on-chain in the days before they vanish — the "underground river" you can never see from the official website alone. This step is slightly more advanced, but it isn't hard, and it's worth learning.
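One way to turn this step into a repeatable check once you have exported an address's transfer history from a block explorer, as an added example (not from the original article). The transfer records are constructed, and the 24-hour window and 25% alert threshold are assumptions:

```python
from datetime import datetime, timedelta

# Constructed transfers for one published reserve address (units: BTC).
# Positive amounts are inflows, negative amounts are outflows.
TRANSFERS = [
    ("2025-03-01T10:00", 120.0),
    ("2025-03-03T14:30", -15.0),
    ("2025-03-07T02:10", -400.0),
    ("2025-03-07T03:45", -350.0),
    ("2025-03-07T04:20", -300.0),
]

def review_reserve_address(opening, claimed, transfers,
                           window=timedelta(hours=24), alert_fraction=0.25):
    """Replay transfers; return (final_balance, coverage, alerts).

    coverage = final balance / claimed reserves. An alert fires when the
    outflows inside `window` exceed `alert_fraction` of the balance held
    before the first outflow in that window (both thresholds are assumptions).
    """
    balance = opening
    recent = []  # (time, outflow amount, balance before it)
    alerts = []
    for stamp, amount in sorted(transfers):
        when = datetime.fromisoformat(stamp)
        recent = [r for r in recent if when - r[0] <= window]
        if amount < 0:
            recent.append((when, -amount, balance))
            drained = sum(r[1] for r in recent)
            share = drained / recent[0][2] if recent[0][2] > 0 else 1.0
            if share > alert_fraction:
                alerts.append((stamp, round(share, 3)))
        balance += amount
    return balance, balance / claimed, alerts
```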
III. What to do when you can't find anything
This is the most common situation, and the one people get wrong most easily: you run through all the checks above and find that this exchange has no findable legal entity, no findable license, no proof of reserves, can't be found in the app stores, and has no negatives either (because it's too obscure). A lot of people conclude: "I didn't find any bad news, so it's probably fine, right?"
That reasoning is backwards. The information vacuum is itself the answer. A platform that intends to operate long-term and wants you to deposit real money has no reason to make itself a black box you can't look into. It hides the information not out of modesty but because it doesn't want you to look — or because there's nothing worth finding. Between "can't find anything" and "checked out clean" there is an entire moat: the former is risk, the latter is what safety looks like.
So when you face an exchange where you can find nothing, the correct move is not "bet that it's fine," but switch to a transparent, verifiable exchange instead. Your money does not need to take a risk on a platform that doesn't want to be checked. There are plenty of large exchanges that publish monthly proof of reserves, have a clear entity and licenses, and sit right there in the app stores. There's no need to gamble on a black box.
If you want to see how these red flags played out one by one in real cases, read two case files from my archive: "The PlusToken Ponzi traced on-chain" and "Luna's 36-hour collapse" — both are living specimens of "there were signs before the fall." For a more systematic set of selection criteria, see "Archive Lesson Two · Five criteria for picking an exchange." And if you're still unsure whether to keep money on an exchange at all versus self-custody, "Exchange or self-custody, and how beginners should split" walks through the trade-off.
IV. The one-sentence decision frame
If you only want to remember one sentence, remember this: before you put money on an exchange, confirm two things — that it lets you self-verify its reserves, and that it maps to a findable real-world entity. If neither holds, don't put money on it.
Expanded into three actionable tiers:
- Walk away outright: hitting any one of red flag 1 (promised fixed returns), red flag 2 (pay-before-withdraw), or red flag 7 (DM support with trade signals).
- Raise your guard and keep checking: no self-verifiable proof of reserves, no findable license, a very new domain, a high proportion of the exchange's own token in reserves — hitting one or two, proceed with caution.
- Worth considering: monthly, self-verifiable proof of reserves; a clear operating entity and regulatory status; a large volume of real user reviews in the app stores; verifiable on-chain reserves — only when all of these line up are the risk signals genuinely low.
Note that even the last tier is only "low on risk signals," not "absolutely safe." Any centralized exchange holds your assets in custody, and that fact alone carries risk. The point of all this judgment isn't to find "zero risk." It's to keep your money out of the hands of platforms that won't even offer the most basic transparency.
If you want to switch to something you can trust
The checklist above, reduced to a single practical action, has one easiest starting point: choose an exchange that already does all of these things itself — publishes monthly, self-verifiable proof of reserves, runs a user insurance fund, holds licenses in multiple jurisdictions, and sits in the app stores with tens of millions of real users. That way you don't have to dig up every item yourself; the platform has already laid the evidence out in the open.
Binance began publishing monthly proof of reserves in November 2022 (the very month FTX fell), and later upgraded to a zero-knowledge-proof scheme that lets users verify whether their own balance is included; it also runs the SAFU user insurance fund and holds licenses in multiple jurisdictions. None of this is a guarantee that "Binance is permanently safe." It is simply the basis for saying its risk signals are far fewer than those of an exchange you can't find anything about. Whether to register is your decision.
Crypto Archives is a Binance Affiliate Partner. This is not the official Binance site. Clicking the button takes you to the official binance.com registration page. The 20% spot fee discount is the maximum the Binance Affiliate Program permits; we never claim more. Whether to register is your decision. All centralized exchanges carry risk. This article is not investment advice.
- BitoPro official anti-fraud guide, "Four characteristics for identifying a pirated exchange," on the quick test that an app-store rating count below 100 warrants strong suspicion.
- Binance Proof of Reserves periodic reports and self-verification documentation, published monthly since November 2022.
- Hong Kong Securities and Futures Commission (SFC), "Alert List of unlicensed activity and suspicious virtual asset trading platforms."
- DeFiLlama, "CEX Transparency / Exchange Reserves," on-chain exchange reserve data.
- Crypto Archives case files: FTX Collapse, PlusToken Ponzi, and the public reporting and on-chain records cited therein.
If you spot a factual error in this piece, please write to [email protected] — I'll issue a public correction and credit you by name. The full correction history lives at /corrections.html. Editorial standards are at /editorial.html.