
How to check the legitimacy of a cryptocurrency exchange? (Safety Checklist)

To vet a crypto exchange, verify active licenses with regulators (e.g., FCA, FSA), confirm >95% cold storage, audit proof-of-reserves cryptographically, ensure legal asset segregation, and scrutinize founder history and incident transparency.

Jan 14, 2026 at 04:20 pm

Regulatory Compliance and Licensing

1. Verify whether the exchange holds active licenses from recognized financial authorities such as the U.S. Financial Crimes Enforcement Network (FinCEN), Japan’s Financial Services Agency (FSA), or the UK’s Financial Conduct Authority (FCA).

2. Cross-check license numbers on official regulatory websites—not just the exchange’s own claims—to confirm authenticity and current standing.

3. Identify jurisdictions where the platform is explicitly prohibited; presence in blacklisted regions often signals non-compliance or deliberate avoidance of oversight.

4. Assess whether the exchange publishes regular attestations from third-party auditors regarding adherence to anti-money laundering (AML) and know-your-customer (KYC) frameworks.

Security Infrastructure and Custody Practices

1. Confirm that over 95% of user funds are stored in offline, geographically distributed cold wallets—this detail is frequently disclosed in transparency reports.

2. Examine whether the platform implements mandatory two-factor authentication (2FA) using time-based one-time passwords (TOTP), not SMS-based methods.

3. Look for evidence of multisignature withdrawal protocols, where at least three independent private keys are required to move assets from hot wallets.

4. Review historical incident logs: exchanges that openly document past breaches—including root causes and remediation steps—are more likely to maintain rigorous security hygiene.

Transparency of Reserves and Financial Health

1. Check if the exchange publishes real-time proof-of-reserves (PoR) data with cryptographic verification, allowing users to independently audit asset-liability alignment.

2. Ensure on-chain wallet addresses used for reserves are publicly listed and regularly updated, with hash-signed attestations timestamped and verifiable via blockchain explorers.

3. Scrutinize whether liabilities include only client deposits—or also incorporate leveraged trading positions, margin loans, or proprietary trading capital—which may inflate solvency risk.

4. Investigate whether independent accounting firms have issued attestation letters confirming reserve coverage ratios exceed 100% across all major asset pairs.
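An added example, not taken from the article or from any exchange's tooling: the article does not name a PoR construction, so this sketch assumes a Merkle sum tree, one common way to let each user check that their balance is counted in the published liabilities total. Account IDs, balances and the hashing layout are constructed for illustration.

```python
import hashlib

def leaf_node(account_id, balance):
    # Leaf commits to one account and its balance (integer, smallest unit).
    # Assumption: real schemes use a salted hash instead of a raw account ID.
    digest = hashlib.sha256(f"leaf|{account_id}|{balance}".encode()).digest()
    return digest, balance

def parent_node(left, right):
    # Parent commits to both child hashes and both child sums, so the root
    # sum equals the total of every leaf balance.
    (lh, ls), (rh, rs) = left, right
    data = b"node|" + lh + ls.to_bytes(16, "big") + rh + rs.to_bytes(16, "big")
    return hashlib.sha256(data).digest(), ls + rs

def build_tree(leaves):
    # Returns all levels, leaves first; odd levels get a zero-balance pad node.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(leaf_node("padding", 0))
        levels.append([parent_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    # Exchange side: sibling (hash, sum) at each level plus which side it sits on.
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], "L" if sibling < index else "R"))
        index //= 2
    return proof

def verify_inclusion(account_id, balance, proof, published_root):
    # User side: rebuild the path from the user's own leaf to the root.
    if balance < 0 or any(sib[1] < 0 for sib, _ in proof):
        return False  # negative sums would hide other users' liabilities
    node = leaf_node(account_id, balance)
    for sibling, side in proof:
        node = parent_node(sibling, node) if side == "L" else parent_node(node, sibling)
    return node == published_root

# Constructed sample ledger (not real data).
LEDGER = [("acct-a", 150), ("acct-b", 275), ("acct-c", 90)]
LEVELS = build_tree([leaf_node(a, b) for a, b in LEDGER])
ROOT = LEVELS[-1][0]             # (root hash, total liabilities) as published
PROOF_B = make_proof(LEVELS, 1)  # proof handed to the holder of acct-b
```

The root's sum is the liabilities figure to compare against the balances of the exchange's publicly listed reserve addresses; an inclusion proof that verifies says nothing about whether those reserves exist.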

User Fund Protection Mechanisms

1. Determine whether client assets are legally segregated from corporate balance sheets under jurisdiction-specific trust or custodial arrangements.

2. Identify existence and scope of insurance policies covering digital asset loss—note that most policies exclude smart contract exploits or insider theft.

3. Evaluate withdrawal limits and processing delays: unusually restrictive thresholds or multi-day confirmation windows may indicate liquidity stress or internal control failures.

4. Assess whether the exchange maintains a dedicated, independently funded user protection fund—distinct from profit-sharing mechanisms or token-based incentives.

Operational History and Community Signals

1. Research founder backgrounds through LinkedIn, patent filings, and prior venture affiliations—repeated association with failed or sanctioned platforms raises red flags.

2. Monitor GitHub repositories for open-source components like wallet integrations or API documentation; stale or empty repositories suggest limited technical accountability.

3. Analyze social media sentiment across Reddit, Telegram, and Twitter using archived threads—not just recent posts—to detect recurring complaints about delayed withdrawals or KYC rejections.

4. Search domain registration records to identify shell entities, rapid ownership transfers, or use of privacy services masking beneficial controllers.

Frequently Asked Questions

Q: Does having a registered business address guarantee exchange legitimacy?
Not necessarily. Many fraudulent platforms list falsified or virtual office addresses. Physical verification—such as cross-referencing utility bills or lease agreements—is essential before trusting operational claims.

Q: Can an exchange be licensed but still unsafe for deposits?
Yes. Some jurisdictions issue licenses with minimal capital requirements or no ongoing supervision. A license alone does not equate to fund safety—especially if reserve disclosures are absent or unverifiable.

Q: What does “non-custodial” mean in relation to exchange legitimacy?
Non-custodial exchanges do not hold user private keys, shifting custody responsibility to individuals. While this reduces counterparty risk, it also eliminates recourse in case of user error or device loss—legitimacy hinges on protocol integrity, not regulatory status.

Q: How reliable are third-party security ratings like those from CipherTrace or TRM Labs?
These services provide valuable forensic insights but rely on observable on-chain behavior and public data. They cannot assess internal governance flaws, undisclosed debt obligations, or off-chain settlement risks—complementing, not replacing, direct due diligence.
