How to Prevent Cryptocurrency Account Takeover

Many cryptocurrency exchanges offer fraudsters an irresistible cocktail of low regulation, low-security friction, potentially high rewards, and lots of imaginative ideas from people who don’t quite understand the market. The possibility of scamming away a username and password from an ill-informed crypto trader, bypassing low-scrutiny follow-up security with that login data, then finding a stockpile of untraceable digital currency inside is, well, something account takeover (ATO) fraudsters are happy to get drunk on.

Falling under the broad umbrella of financial and money services, exchange operators doing business in regulated territories already had to adhere to anti-money laundering (AML) and Know Your Customer (KYC) mandates, but enforcement was sporadic. Now, with the recent high-profile instances of extreme customer safety negligence, regulators are under more pressure to make crypto services walk the straight line toward consumer protection.

While following those KYC and AML regulations will help crypto exchanges in some instances for account takeover fraud prevention, half the battle to keep accounts safe is done on the side of the account holder. How then, can you keep your blockchain valuables safe from the threat of account takeovers? 

What to Do When Your Cryptocurrency Account Is Hacked

Unfortunately, in the event that your account becomes compromised, there is little recourse to recoup your losses. The anonymity and decentralization that crypto trading offers are part of its appeal for many traders, but on the other side of the sword, decentralization means no centralized governing body, and less pressure on exchanges to offer their users security. Anonymity and the nature of blockchain technology mean there are few ways to get stolen crypto funds back.

If your account is hacked, it is likely that, by the time you realize the hack has occurred, whatever currency you had will be gone, and whatever personal information you stored in your account has been compromised. Your next actions should be damage control:

  • liquidate or transfer any funds that remain in the account
  • prioritize disassociating any compromised account information:
    • change associated passwords, particularly any that are the same as the compromised account
    • use a different email account for future registrations
    • consider formatting your device or changing it outright
  • report the breach to customer service, if it exists
  • consider reporting the theft to the authorities, more as a formality than a realistic way to recoup losses

Only the largest crypto operators will have customer service arms to handle these kinds of complaints, and they will inevitably be swamped. Regardless, having visibility on your account’s situation by either the exchange itself or policing authorities may be beneficial in the long run. 

Cases where funds are actually returned to wallets are rare. They are often part of large-scale policing efforts and class-action lawsuits. In those instances, maintaining an accurate paper trail is your best bet for covering losses.

Detect ATOs with SEON

SEON’s transaction monitoring and device fingerprinting can make sure your customers are who they say they are, not an account takeover fraudster.

Ask an Expert

Three Ways To Prevent Cryptocurrency Account Takeover

To keep your accounts as safe as possible in the crypto environment, relying on in-built safeguards that the exchange itself provides is not enough. Awareness of prevailing security threats is crucial and you should pair it with a healthy dose of skepticism.

If that kind of thinking doesn’t come naturally to you, follow these steps as best practice for your personal security.

1. Practice Good Password Hygiene

Password hygiene is not in reference to well-polished, squeaky-clean secret word choices. Rather, it means making a habit of organizing your login information using a secure method of some sort, such as a password manager program. With this, you can keep visibility on your various usernames/password combinations to:

  • avoid using common or easily guessed passwords
  • create strong alphanumeric passwords – many password managers can generate and store these for you
  • change passwords regularly – most password managers can remind you to do this
  • create a diversity of logins and passwords, so you don’t use the same combinations across multiple accounts

Following these steps secures your crypto accounts by, essentially, not putting all your security eggs into one basket, and making those single-egg baskets are much harder for fraudsters to reach into. In other words, if one of your accounts is broken into, that compromised login data can’t then be used in a credential stuffing attack on another one of your accounts. Brute force attacks that try to guess your password are statistically unlikely to succeed.

Remember: Crypto providers will never ask for your password, so anyone saying they require your login data is inevitably a phishing scam.

2. Be Aware of Prevailing Scams

Unfortunately, simply knowing a current list of the ways phishing scammers are managing to get access to customer accounts is not enough to keep you safe. Fraudsters are always developing new methods to deceive and manipulate and might approach from any channel available: email, text, social media, or even cold calling.

This makes the challenge of developing an internal system of red flagging even more crucial. Because of the prevalence of lists of security tips just like this one, there is a strong motivation among fraudsters to innovate. In general, if you are active in the crypto trading market, be on the lookout for:

  • alarming text messages that tell you one of your accounts has been compromised, or there is some other immediate risk, and then asking you to follow a link
  • falsified emails in the guise of:
    • unexpected or unknown invoices
    • email upgrades or updates that say your details need to be re-entered
    • unknown links to Google Docs
    • notifications to receive money or to update a PayPal account
  • too-good-to-be-true offers of crypto assets on social media or messaging apps

Any one of these, if followed without scrutiny, will lead to whatever data you submit being used in ATO attempts. If you’ve given up login data that matches your crypto accounts, the likelihood that fraudsters will breach those accounts is much higher.

In general, treat any unknown entity that approaches you online with suspicion, and if they ask you for personal information that is outside your comfort zone, disengage.

3. Control Your Connectivity

The most sophisticated account takeover fraudsters may be leveraging advanced tools to skim or manipulate your data from right out of the airwaves, so to speak. These methods might allow a fraudster to impersonate someone within your circle of trusted people, or even intercept security communications between a crypto domain and your devices.

Maintaining secure connections is a crucial part of securing your data from these advanced fraudsters. In order to cut down the likelihood of your data being invisibly intercepted, consider:

  • using a virtual private network (VPN) to connect to domains
  • avoiding using public Wi-Fi connections
  • enabling two-factor authentication (2FA) that uses a physical key or an authentication app, rather than SMS one-time passwords
  • implementing strong malware detection

Following these simple protocols goes a long way to securing your data from:

  • Man-in-the-middle attacks, where fraudsters invisibly position themselves between you and the domain you are connecting to, by setting up malicious Wi-Fi access points, pushing you through websites impersonating legitimate ones, or installing malware through corrupted links.
  • SIM-swapping fraud, where, by spoofing or otherwise obtaining your phone number or SIM information, fraudsters are able to claim your communications for themselves. This can even allow them to grab one-time passwords from SMS-based 2FA.
  • Synthetic identity theft: If you connect to a crypto exchange with a VPN, it gives your data a layer of protection that obfuscates your location data, IP info, and encrypts your communications. Each of these data points, particularly

In the crypto landscape, these three threats are extremely pervasive, so closing any loopholes in your online habits – or in your knowledge – will go a long way to securing your valuable accounts.

Why Is Account Takeover a Problem for Crypto Exchanges?

Cryptocurrency exchanges have a particular issue with ATOs because of the low scrutiny a decentralized economy inherently offers; little oversight means few safeguards. This not only makes stolen funds nearly impossible to recover but also attracts an outsized number of fraudsters and scammers seeking to take advantage of these de-emphasized security protocols.

As exchanges make their names largely on reputation and digital word-of-mouth, the potential for reputational damage to impact bottom lines is much greater if an exchange becomes associated with account takeovers regularly.

Conversely, retail-level crypto investors may be more likely to take their business to exchanges that have strong anti-phishing measures, multi-factor authentication, real-time transaction monitoring, or a consumer safety-focused refund policy. Not coincidentally, crypto exchanges that have these things in place are less likely to find themselves under the scrutiny of regulating bodies, and thus less prone to incurring potentially massive fines.

How Do You Detect Account Takeover in Cryptocurrency?

Fraudsters who have succeeded in taking over a user account can be detected through their behavior, which is very likely to deviate significantly from the behavior of the genuine account holder. Though every crypto exchange needs to determine what constitutes risky behavior individually, there is a certain perimeter of risk assessment that every exchange should try to stay within, or else risk intense government scrutiny.

To protect customers from the risks of ATO in a crypto exchange – and avoid fines from safety regulators – exchanges should implement and maintain practices such as transaction monitoring, IP analysis, device fingerprinting, and a strong system of account takeover alerts.

Let’s take a look at how SEON can address some of these needs.

Top Three Custom Rules for Account Takeover in Cryptocurrency

In tandem with both the risk management and customer services teams, SEON can help detect instances of ATO, as you tune it to suit the particular needs of your crypto exchange. These are some examples of rules that you can leverage on traffic and transactions to keep your customers safe from fraudsters and your bottom line safe from legal punishment.

#1: Suspicious Increase in Transaction Volume

One of the more obviously suspicious user behaviors that could indicate a crypto account has been compromised is a suspicious increase in the amount of currency being moved around, deviating from a user’s previous behavior.

As soon as a fraudster successfully takes over an account, it is most often the case that they will liquidate the funds therein by transferring any cache to another account they control. In crypto, even if this other account is known, there is little to do in terms of being able to recoup it.

The screenshot below shows how you can set up a custom rule with SEON to detect such behavior.

This particular example has been set to detect instances of transaction behavior where, within 24 hours, a crypto customer has suddenly had a 200% (or more) increase in their transactional volume. There may be any number of legitimate reasons this might take place, of course, but crypto exchanges would be wise to monitor for and review such instances for signs of ATO.

Note, also, that the velocity values – both the timeframe and the transaction volume – are instantly customizable, and you can adjust them based on your knowledge of transactional variances among your user base or your respective risk appetite. By the same logic, SEON allows you to set up rules to review instances where a “normal” user suddenly decides to drain their account.

#2: Excessive Numbers of Failed Login Attempts

Fraudsters armed with stolen username and password combinations will likely try to force those login details through various security gateways in credential stuffing attacks. They are hoping to find a domain where the user has re-used the same credentials as those stolen or purchased by the fraudster.

This is a security gap easily remedied with good password hygiene, as previously mentioned. In all likelihood, however, a user practicing at least the most basic password safety will probably not be using the same login credentials, so particularly in the cases of fraudsters who use automated bot attacks for credential stuffing, there may be a sudden flurry of failed login attempts.

Here’s a screenshot of how SEON can help remedy this issue.

Here, a custom rule has been set up to escalate any instance of 5 or more failed login attempts to manual review. Even in cases where the login attempts all fail, and thus the attacked account has not been taken over, review teams should have the capability to issue an alert to the account holder under attack.

Letting them know they have likely been involved in a breach and should be doing their due diligence in terms of password management may go a long way to securing them.

#3: Unrecognized Device Hash or Location

In all likelihood, a malicious fraudster who has executed a successful account takeover will not be connecting from the same location as the actual account holder, and certainly not from the same device.

These two points are easily scrutinized by SEON’s fraud-fighting platform. Though there may be any number of reasons why a person might be accessing your crypto exchange from a new device or location, the possibility of an ATO should at least give operators reason enough to let a member of the risk management team review the login, particularly if the device and location change suddenly.

Here is a screenshot of this rule in action.

This rule has been set up to add 10 points to the user’s overall risk score when the user connects from a new device. Depending on the risk appetites of your particular company, this can be changed, as can the overall score threshold to determine what actions need to be taken with this account.

Of course, there is nothing inherently suspicious with, say, buying a new phone and then connecting to an existing crypto wallet account with it, but a combination of suspicious markers, like a different IP from a potentially risky region alongside a new device should at least make your risk managers curious, and thereafter motivate them to investigate further before determining if this account has been breached.

How SEON Helps Crypto Exchanges with Account Takeover

All digital verticals offering their customers account-based transactions will inevitably have to deal with account takeovers and their snowballing risks.

While the infrastructure of a given crypto exchange doesn’t necessarily make it more or less vulnerable than any other ecommerce domain, in the DeFi (decentralized finance) world, risk appetites are necessarily higher.

Despite the clear value of a VPN detection test, in the context of cryptocurrency, many crypto customers will, as a baseline, be connecting via some connection-obfuscating service like a VPN for their own security reasons. Therefore, most crypto exchanges will certainly be unwilling to assign too much risk to a data point like the presence of a VPN or Tor client, lest they ban a significant portion of their users.

This can make detecting instances of account takeover somewhat more difficult, but SEON can rise to the challenge.

Even if a fraudster manages to gain access to one of your legitimate customer’s accounts with an accurate username/password combination – also while making themselves appear as close to the account holder as possible with a location-spoofing service – SEON can still find them. 

This is true of out-of-the-box deployment thanks to our blackbox machine learning, and it becomes even more consistent when trained on your historical fraud data. Anomalous transactional behavior can always be detected by SEON. Device and browser configurations associated with fraud can be scanned for among incoming traffic, so if a normal user’s PC suddenly turns into one that strongly resembles an automated account-stuffing bot attack, SEON will tell you.

Sadly there is no piece of software that can ensure that your domain remains unplagued by cybercriminals autonomously. Keeping your crypto exchange free of ATOs will always be a two-handed operation. While one hand should be concentrating on holding the fraud door closed, the other must be illustrating the pervasive threats of the day on the chalkboard, then tapping it repeatedly, to make sure your customers and staff stay informed and their accounts secure.

Reduce Fraud Rates Up to 90%

Partner with SEON to reduce fraud rates in your business with real-time data enrichment, whitebox machine learning, and advanced APIs.

Ask an Expert


What methods do fraudsters use to attempt account takeovers?

Most commonly, ATO fraudsters hoping to find valid username/password combinations will use phishing, SIM-swapping, and credential stuffing to go about their attack, and often a combination of these.

Can scammed crypto be recovered?

The nature of blockchain currencies means that there is no mechanism to return stolen crypto, and indeed almost everyone claiming otherwise is likely a scammer themselves. In large-scale cases of massive ATO attacks, governing bodies may pursue funds over the course of legal proceedings, but this is rare, and has historically not recouped the entire amount stolen. 

How do I report stolen cryptocurrency?

It’s worthwhile to first report the theft to the exchange themselves, though the customer service department of many exchanges may be limited or even nonexistent. Depending on your location, you can then report to local governing bodies, such as the FTC, CFTC or SEC in the US, or the NCSC or the national police’s Action Fraud website in the UK. The data will help inform future action, and in the rare event of legal action against the fraudster, could help you stake your claim on any recovered currency.

Share article

Speak with a fraud fighter.

Click here

Author avatar
Bence Jendruszak

Bence Jendruszák is the Chief Operating Officer and co-founder of SEON. Thanks to his leadership, the company received the biggest Series A in Hungarian history in 2021. Bence is passionate about cybersecurity and its overlap with business success. You can find him leading webinars with industry leaders on topics such as iGaming fraud, identity proofing or machine learning (when he’s not brewing questionable coffee for his colleagues).

Sign up for our newsletter

The top stories of the month delivered straight to your inbox