Crypto OPSEC Basics: Don't Build the Honeypot Yourself

May 14, 2026 Signal Lynx
Tags: OPSEC, Security, Crypto, Exchanges, 2FA, Telegram

Basic exchange-account hygiene for normal operators who do not want to hand attackers a free map.

Crypto OPSEC does not need to start with bunker-grade paranoia. You do not need a Faraday cage, a secret identity, or a threat-model spreadsheet with seventeen tabs before you buy Bitcoin, run an exchange account, or use a trading bot.

But you do need to stop doing the easy-to-attack stuff.

Most account compromises are not magic. They are not movie-hacker keyboard storms. They are boring. Reused emails, weak passwords, SMS recovery, exposed phone numbers, fake support messages, fake Telegram admins, and API keys that have more permission than they should.

This note is the basic version. No fearmongering. No advanced spycraft. Just the floor.

Start with the email address

Do not use an email address with your name on it for crypto exchanges.

If your normal email is tied to your business, your social media, your car forum account, your GitHub, your LinkedIn, your bank, and half the internet, it is not a quiet login. It is a giant sign that says: start here.

A better setup is simple: use a dedicated email address or unique alias for each exchange. One for Kraken. One for Coinbase. One for Binance.US. One for Gemini. Whatever exchanges you use, split them up.

The goal is not to be theatrical. The goal is to avoid building a honeypot.

If one exchange, newsletter, forum, or random service leaks your email address, attackers should not automatically know the login address for every other financial account you own.

Unique passwords are not optional

Every exchange account should have a long, unique password generated by a password manager.

Not a clever password. Not your “normal but slightly modified” password. Not the same password with the exchange name added to the end like you just solved cybersecurity.

Use a real password manager. Generate the password. Save it. Move on with your life.

The point is not to memorize everything. The point is to make sure a leak from one website does not become a keychain for the rest of your accounts.

Turn on 2FA, but skip SMS

Two-factor authentication should be on for every exchange account.

But SMS/text-message 2FA is the weak version. Phone numbers can be targeted, ported, social-engineered, or abused through carrier-support failures.

Use an authenticator app instead. Google Authenticator, Microsoft Authenticator, Aegis, 1Password, or similar tools are all better than relying on a text message. If the exchange supports hardware security keys or passkeys, even better.

Also: save your backup codes somewhere safe.

Not in a screenshot folder named “crypto stuff.” Not in Telegram saved messages. Not in an email draft. Put them somewhere boring and controlled, ideally inside your password manager or another secure backup process.

No exchange is going to cold-call you to save your account

If someone calls you claiming to be from an exchange, treat it as hostile until proven otherwise.

Same for Telegram, Discord, X/Twitter, email, and random “support” DMs.

Real support should be reached through the official website or the official app. Do not click links from strangers. Do not trust caller ID. Do not trust urgency. Do not trust the guy with the exchange logo as his profile picture.

Scammers love urgency because urgency turns smart people into button-clicking raccoons.

  • “Your account is being drained.”
  • “Your withdrawal is pending.”
  • “You need to verify now.”
  • “We detected suspicious activity.”

All of that is designed to make you panic and bypass your own process.

Your process should be boring: close the message, open the official app or official website yourself, and check there.

Telegram: hide your phone number

Telegram is useful, but the default privacy posture can be sloppy if you never touched the settings.

If you are in crypto groups, trading groups, project channels, bot communities, or exchange-related chats, go into Telegram privacy settings and hide your phone number.

Do not let random group members map your handle back to your real phone number.

Also consider limiting who can add you to groups, who can call you, and who can see your profile details. The fewer breadcrumbs you leave, the fewer easy angles someone has.

API keys deserve discipline

If you run automation, bots, dashboards, portfolio trackers, tax software, or anything else connected to an exchange, API keys deserve their own discipline.

The sane default is simple: no withdrawal permission.

A trading bot does not need permission to withdraw funds. A dashboard does not need permission to place trades. A tax tool does not need permission to move money.

Give each API key only the permissions it actually needs. If the exchange supports IP allowlisting, use it. If you stop using a tool, delete the key. If you are not sure why a key exists, disable it and figure that out before re-enabling it.

Old API keys should not become archaeological artifacts buried in your exchange account.
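One way to turn the API-key rules above into a repeatable check, as an added example that is not from the original post: a small Python audit over an inventory of exchange API keys. The inventory format, the tool-to-scope mapping and the 90-day staleness cutoff are assumptions, and the key records are constructed (no secrets are stored, only labels and permissions). It flags withdrawal permission, scopes beyond what the tool type needs, a missing IP allowlist, and keys nobody has used recently or can explain.

```python
from datetime import date
# Least-privilege expectations per tool type. This mapping is an assumption
# that encodes the post's rule of thumb: bots trade, dashboards and tax tools read.
ALLOWED_SCOPES = {
    "trading_bot": {"read", "trade"},
    "dashboard": {"read"},
    "tax_tool": {"read"},
}
STALE_DAYS = 90  # assumed cutoff after which an unused key should be deleted
TODAY = date(2026, 5, 14)  # fixed so the sample audit is reproducible

def audit_key(key, today=TODAY):
    """Return a list of hygiene findings for one API key record (empty = clean)."""
    findings = []
    scopes = set(key["scopes"])
    # Withdrawal permission is the one scope no bot, dashboard or tax tool needs.
    if "withdraw" in scopes:
        findings.append("withdraw permission")
    allowed = ALLOWED_SCOPES.get(key["tool"])
    if allowed is None:
        # Nobody knows why this key exists: disable it until someone does.
        findings.append("unknown purpose, disable until explained")
    else:
        extra = scopes - allowed - {"withdraw"}
        if extra:
            findings.append("excess scopes: " + ",".join(sorted(extra)))
    if not key["ip_allowlist"]:
        findings.append("no IP allowlist")
    last = key["last_used"]
    if last is None or (today - last).days > STALE_DAYS:
        findings.append("stale")
    return findings

def audit_inventory(keys, today=TODAY):
    """Map each key label to its findings so the report can be read per key."""
    return {k["label"]: audit_key(k, today) for k in keys}

# Constructed sample inventory (labels and permissions only, never the secrets).
SAMPLE_KEYS = [
    {"label": "kraken-bot", "tool": "trading_bot", "scopes": ["read", "trade"],
     "ip_allowlist": ["203.0.113.10"], "last_used": date(2026, 5, 10)},
    {"label": "coinbase-dashboard", "tool": "dashboard", "scopes": ["read", "trade", "withdraw"],
     "ip_allowlist": [], "last_used": date(2026, 5, 1)},
    {"label": "old-tax-key", "tool": "tax_tool", "scopes": ["read"],
     "ip_allowlist": [], "last_used": date(2025, 11, 1)},
    {"label": "mystery-key", "tool": "unknown", "scopes": ["read"],
     "ip_allowlist": ["198.51.100.5"], "last_used": None},
]
```

Calling `audit_inventory(SAMPLE_KEYS)` returns an empty list for the bot key and a list of findings for each of the other three, which is the "delete it or explain it" list the section describes.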

The basic checklist

  • Use one unique email or alias per exchange.
  • Use one unique password per exchange, generated by a password manager.
  • Enable authenticator-app 2FA.
  • Avoid SMS/text-message 2FA unless there is truly no better option.
  • Store backup codes somewhere secure.
  • Hide your Telegram phone number.
  • Reach exchange support only through official channels.
  • Do not trust unsolicited calls, DMs, or “support” messages.
  • Limit API keys to the minimum permissions required.
  • Do not give bot/API keys withdrawal permission unless there is an extremely specific reason.
  • Delete old API keys instead of forgetting they exist.

Closing thoughts from the night desk

Crypto OPSEC is not about being scared. It is about not being casual with accounts that can move money at 2 a.m. while you are asleep.

You do not need to make your life impossible. You just need to remove the easy paths.

Separate the emails. Generate the passwords. Turn on real 2FA. Hide the phone number. Stop trusting strangers with urgent messages. Lock down API keys like they matter, because they do.

None of this is glamorous.

That is the point.

The boring stuff is what keeps the machine alive.
