Paranoia is professionalism.
Never act on inbound contact. Verify through a second channel you open yourself. Give anything urgent 24 hours. Three rules that defeat scams that have not been invented yet. This page is the complete protocol. Bookmark it.
Education, not financial or legal advice. Last updated June 12, 2026.
How do you actually keep crypto safe?
Crypto security starts with one shift: you are the bank now. Every crypto transaction is final, and nobody can reverse a mistake or a theft for you. The overwhelming majority of consumer losses come from deception, not broken code. Chainalysis tracked an estimated 17 billion dollars lost to crypto scams in 2025, roughly five times what hacks took, and the biggest hacks hit institutions rather than individuals. Source: Chainalysis
So the master defense is behavioral. Never act on inbound contact: any call, email, or DM about your crypto is treated as hostile until proven otherwise. Verify through a second channel you open yourself: close the message, open your exchange app from your own bookmark, and look. Give anything urgent an automatic 24 hour wait, because real problems survive a day and scams evaporate. Behind that protocol, harden the account itself: a crypto only email, unique passwords, authenticator or passkey two factor authentication with SMS removed, and withdrawal address allowlisting, the setting that does the most work. Keep the capital you are investing on a reputable, regulated exchange, place your largest long-term holdings with a qualified custodian, and only hold your own keys if you truly want to, because a lost seed phrase cannot be recovered. Nobody legitimate contacts you first, creates urgency, or asks for your seed phrase, your codes, or your money.
The ten rules
- Nobody legitimate will ever contact you first, create urgency, or ask for your seed phrase, your codes, or your money.
- Never act on inbound contact. Close the message, open the app yourself from your own bookmark, and look.
- Anything demanding action now gets an automatic 24 hour wait. Urgency is the scammer's oxygen.
- Your exchange will never call you. There is no such thing as a safe wallet they move you to. That sentence means thief.
- Codes are for typing, never for speaking. The moment anyone asks you to read one out, hang up.
- Turn on withdrawal address allowlisting. A thief inside your account stares at your balance and cannot move it anywhere.
- SMS two factor authentication is forbidden. Use an authenticator app, a passkey, or a hardware security key, and remove your phone number.
- A seed phrase is never typed into a website, never photographed, never shared. Pen and paper or metal, two copies, two places.
- Match the money to its home: active capital on a reputable exchange, the largest long-term holdings with a qualified custodian, and your own keys only if you truly want them.
- Guaranteed returns do not exist. A fixed daily profit is a Ponzi, every time in history.
Official channels, and the promises we make
Scammers impersonate every public name in crypto, including ours. So this page begins by protecting you from anyone wearing our name. Hold us to the same rules we teach.
- Crypto XLNC and Sim Khela will never DM you first. Not on Telegram, not on Instagram, not on X, not anywhere. All inbound DMs in our name are impersonators.
- We will never ask you to send funds anywhere, with one exception: your invoice. When you have made profits, Crypto XLNC invoices its performance fee, and that is the only money we will ever ask you to send. The moment is unmistakable and verified several ways at once; the checkpoint below spells it out.
- We will never ask for your seed phrase, your passwords, or your codes. No legitimate company on earth needs them. Ours included.
- We will never offer to trade for you over chat or to recover lost funds. Anyone who does in our name is a criminal. Crypto XLNC operates only through the application form and your own exchange account.
This page will never ask you to connect a wallet, sign anything, or enter any credential. Any version of it that does is fake.
The verification checkpoint: your client dashboard
The client dashboard at dashboard.cryptoxlnc.com is where Crypto XLNC clients access everything, and it doubles as the central security checkpoint for every message we send. Inside it you will find a randomly generated verification code that belongs to your account alone. Every genuine message from Crypto XLNC, by email or any other channel, references that code.
- A message arrives claiming to be from Crypto XLNC. Do not act on it yet.
- Close the message and open the dashboard yourself, from your own bookmark or by typing dashboard.cryptoxlnc.com. Never through a link in the message.
- Compare the verification code shown in your dashboard with the code in the message. A match means the message is really ours. No code, or a code that does not match, means an impersonator: delete it and tell us at wecare@cryptoxlnc.com.
- Still unsure about anything? Ask in the official Crypto XLNC Telegram group and wait for us to confirm there, inside the group. Anyone who answers you in a private DM instead is an impersonator. For security, the group has no public link: it is only accessible through your own Telegram, where you were added as a client. Any join link sent to you in our name is fake.
This is Rule 2 of the Universal Protocol built into how we work: you verify us through a second channel you open yourself, every time. Bookmark the dashboard today.
The one time we will ask you to send funds: the invoice
Crypto XLNC charges its performance fee by invoice, only after you have made profits. That invoice is the only payment we will ever request, and when the moment comes it is designed to be obvious:
- A confirmation in our official broadcast channel that invoices are going out.
- A notice inside your dashboard telling you specifically that we are contacting you.
- Your verification code inside the email or message, to match against the dashboard.
- The exact wallet address for the payment, published with the invoice, so you can vet it character by character before sending.
- And the Telegram group or wecare@cryptoxlnc.com to confirm everything first if you are unsure.
We verify it this heavily because a payment request is exactly what impersonators fake best. An invoice that arrives without these signals is not from us: no profits, no invoice; no invoice, no payment.
Anything not on this list is not us. Bookmark this page as your source of truth. When in doubt, write to wecare@cryptoxlnc.com from your own email app and ask: did you send me this?
The Universal Verification Protocol
You are the bank now. Every crypto transaction is final, there is no fraud department that reverses it, and even on an exchange, the moment crypto leaves your account it is gone. Scammers know this, so they do not hack computers. They hack people, with three tools: greed, fear, and urgency. The feeling itself is the alarm. The moment you feel rushed, scared, or excited about money, stop. Emotion is the attack surface. These three rules defeat scams that have not been invented yet.
| Rule | What it says | The move |
|---|---|---|
| 1. Never act on inbound contact | Any message, email, call, DM, letter, or video call that comes to you about crypto is treated as hostile until proven otherwise. | Do not click, reply, or call back. Logos, badges, caller ID, voices, and faces can all be faked. |
| 2. Verify through a second, independent channel | Never verify a message using the message itself. | Close it. Open the exchange app from your own bookmark. If the problem is real it is visible inside your account. Or open a fresh support ticket and ask: did you send me this? For people, call back on the number you already have. |
| 3. The 24 hour rule | Anything demanding action now gets an automatic 24 hour wait. | Real opportunities survive a day. Real problems can be solved tomorrow. Scams evaporate. Urgency is the scammer's oxygen. |
Rule 1: Never act on inbound contact
Any message, email, call, DM, letter, or video call that comes to you about crypto is treated as hostile until proven otherwise. Logos can be faked. Verified badges can be faked. Caller ID can be faked. And now even faces and voices can be faked. The direction of contact is the tell: if it came to you, it does not get to be trusted.
Rule 2: Verify through a second, independent channel
Never verify a message using the message itself. Do not click its links, do not call its number, do not reply. Instead:
- Close the message entirely.
- Open the exchange yourself, through your own app or your own bookmark.
- If the problem is real, it will be visible inside your account.
- Or open a fresh support ticket yourself through the official app and ask: did you send me this?
- For people, call them back on the number you already have for them.
Rule 3: The 24 hour rule
Anything demanding action now gets an automatic 24 hour wait. Real opportunities survive a day. Real problems can be solved tomorrow. Scams evaporate, because urgency is the scammer's oxygen. If a single rule had to carry you, this is it: money never moves in a hurry.
Say it until it is reflex
Nobody legitimate will ever contact you first, create urgency, or ask for your seed phrase, your codes, or your money.
You are the bank
No fraud department reverses crypto. No chargebacks. Every transaction is final, and even on an exchange, the moment crypto leaves your account the exchange cannot pull it back. The protections you turn on before anything happens are the only protections you get.
The feeling is the alarm
Scammers hack people, not computers. Their three tools are greed, fear, and urgency, and every scam uses at least one. The moment you feel rushed, scared, or excited about money, stop. That feeling is the attack arriving.
Your free security advisor
Before acting on any message, link, or pitch, paste it into Claude or another AI and ask: is this a scam, and what are the red flags? Thirty seconds, free, and it has seen every documented scam pattern. Honest caveat: AI is a powerful filter, not a guarantee. The standard is the AI check plus this protocol, never AI alone.
The Exchange Fortress
Your exchange account has three doors: your email, your password, and your two factor authentication. A thief needs all three, or they need to talk you into opening the door yourself. This checklist locks all three doors. The section after it deals with the talking.
01 Identity
Create one email address used only for exchanges. Never give it out, never put it on social media, never use it for newsletters. Give it its own strong unique password and its own authenticator two factor authentication. Your email is the master key to password resets. If it falls, everything falls.
One reused password plus one random website breach equals your exchange door standing open. A password manager makes unique passwords effortless, and it has a second talent: it refuses to autofill on lookalike domains, which makes it a quiet phishing detector.
Check your addresses at https://haveibeenpwned.com as you work through this list. Every password that has ever appeared in a leak is burned forever. Scammers buy those lists and try them everywhere, so retire them everywhere.
02 The 2FA ladder
Climb as high as your exchange allows. Best: a hardware security key or a passkey, which all four major exchanges now support. Good: an authenticator app such as Google Authenticator or Aegis. Forbidden: SMS. Remove your phone number both as a 2FA method and as a recovery method, because a SIM swap turns SMS codes into the thief's codes.
When you set up 2FA, the service shows backup codes once. Save them in two places so a lost phone never locks you out for weeks. A reputable password manager is a fine home for one copy, and unlike a seed phrase these codes are safe to keep there; pair it with a second copy, on paper with your other security items or in a different secure spot. The point is two independent copies, not paper specifically.
03 Withdrawal allowlisting
The single most powerful exchange setting. Once on, crypto can only be withdrawn to addresses you approved in advance, and adding a new address triggers a delay and confirmations. A thief inside your account stares at your balance and cannot take it anywhere. Bybit calls it the Withdrawal Address Whitelist, OKX calls it the Allowlist, Coinbase calls it the Address book allowlist, and Kraken requires every new withdrawal address to be added and confirmed before use. The exchange tabs below show where each one lives.
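As an added illustration (not any exchange's real code or settings logic), the toy policy below models why this setting works: with the allowlist on, a withdrawal request succeeds only for an address already saved in the address book and past the new-address lock, so a thief inside the account can see the balance but cannot send it anywhere new, and the owner still has time to act on the new-address email. The 24 hour lock length is assumed from the Bybit and OKX settings described on this page (Coinbase uses 48 hours), and the addresses and timestamps are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Toy model of an exchange withdrawal allowlist with a new-address lock.
# Added illustration only, not any exchange's implementation. The 24 hour
# default mirrors the Bybit and OKX settings described on this page.


@dataclass
class WithdrawalPolicy:
    allowlist_enabled: bool
    new_address_lock: timedelta = timedelta(hours=24)
    # saved address -> time it was added to the address book
    address_book: dict = field(default_factory=dict)

    def add_address(self, address: str, now: datetime) -> None:
        """Save an address; it becomes usable only after the lock period."""
        self.address_book[address] = now

    def check_withdrawal(self, address: str, now: datetime) -> tuple[bool, str]:
        """Return (allowed, reason) for a withdrawal request to `address`."""
        if not self.allowlist_enabled:
            # Weak setting: whatever destination is typed is accepted at once.
            return True, "allowlist off: any destination accepted"
        added_at = self.address_book.get(address)
        if added_at is None:
            return False, "destination not in address book"
        unlock_at = added_at + self.new_address_lock
        if now < unlock_at:
            return False, "new address still locked until " + unlock_at.isoformat()
        return True, "allowlisted and past the new-address lock"


def simulate_takeover(allowlist_enabled: bool) -> list[tuple[str, bool]]:
    """Replay an account takeover: the thief adds their own address and tries
    to withdraw at once; the owner notices within the day and removes it.
    Returns the sequence of (step, allowed) so each outcome can be inspected."""
    t0 = datetime(2026, 6, 12, 9, 0)          # constructed timestamp
    owner_cold = "owner-cold-storage-addr"     # constructed placeholder addresses
    thief = "thief-addr"
    policy = WithdrawalPolicy(allowlist_enabled)
    policy.add_address(owner_cold, t0 - timedelta(days=30))   # saved long ago

    steps = []
    # Thief logs in, adds a new destination, tries to drain immediately.
    policy.add_address(thief, t0)
    steps.append(("thief withdraws to new address at once",
                  policy.check_withdrawal(thief, t0 + timedelta(minutes=5))[0]))
    # The owner's long-standing cold address keeps working for the owner.
    steps.append(("owner withdraws to saved cold address",
                  policy.check_withdrawal(owner_cold, t0 + timedelta(hours=1))[0]))
    # Owner sees the new-address email, locks the account and removes the
    # entry before the lock expires, so the window never opens.
    policy.address_book.pop(thief, None)
    steps.append(("thief retries after the lock would have expired",
                  policy.check_withdrawal(thief, t0 + timedelta(hours=25))[0]))
    return steps


if __name__ == "__main__":
    for enabled in (True, False):
        print("allowlist enabled:", enabled)
        for step, allowed in simulate_takeover(enabled):
            print("  ", step, "->", "allowed" if allowed else "blocked")
```

Running it with the allowlist off shows the weak configuration: every step is allowed, including the thief's first attempt. With it on, only the owner's long-saved address ever moves funds.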
04 Anti-phishing code
Bybit and OKX let you set a personal phrase that then appears in every genuine email they send you. No phrase, fake email, delete. Kraken and Coinbase do not offer a personal code; for them, verify the actual sender address against the official domains and trust the app over any email.
05 Exchange specific armor
Kraken's Global Settings Lock freezes changes to security settings and withdrawal addresses even if someone gets in. Coinbase's Transfer protection adds a time delay and an extra verification step to outgoing sends; it replaces the old Coinbase Vault, which is being retired. Bybit's Fund Password is a separate password required for withdrawals. Open your exchange's security page and turn on everything it offers. Every toggle exists because someone got robbed.
06 Sessions, devices, API keys
Monthly habit: open Security, then Devices or Sessions, and log out everything you do not recognize. Turn on login alerts. An unknown device is an early warning, not a curiosity.
If you ever connected a trading bot, tax tool, or portfolio tracker, you created an API key, an invisible back door. Rules: never grant withdrawal permission to any API key. Restrict keys to read only or trade only. IP restrict where offered. Review the list and delete everything you do not actively use. Old forgotten keys are standing invitations.
07 The SIM and the phone
Five minutes and free. A port freeze or account PIN stops a scammer from convincing your carrier to move your number onto their SIM, which is how SMS codes and recovery resets fall like dominoes.
Strong PIN, biometrics on, no jailbroken phone for crypto, and hide notification previews on the lock screen so codes are not readable off a stolen phone's face.
08 Access habits and your people
The official mobile app is your primary access; an installed app cannot be substituted by a fake link the way a browser login can. On desktop, bookmarks set on day one and used forever. Never search for your exchange, because scammers buy the ad above the real result.
In Telegram: Settings, Privacy and Security, Phone Number, Nobody. Restrict who can DM you. Real admins never DM first. Check usernames character by character: Admin_John and Admin_J0hn are different people. Apply the same strictness on Discord.
Find your exchange's lock or freeze before you need it: Coinbase has Lock Account in the app, Kraken locks via the link in its security emails or via support, Bybit deactivates from account settings or support chat, OKX has Freeze account in the Security Center. In an active attack, minutes matter. Agree a family code word against voice cloning. And install the reflex: anything suspicious gets pasted into AI before you act. One more alarm to know: a withdrawal confirmation email you did not trigger means someone is inside. Do not just decline it. Lock the account, change the email password first, then the exchange password, then reissue 2FA.
Kraken
- Global Settings Lock. Kraken's last line of defense. Once on, nobody can add withdrawal addresses, change your email or password, or modify 2FA, even from inside your account. Find it in Settings, then Security.
- Withdrawal addresses. Every new crypto withdrawal address must be added and confirmed before use, approved automatically from a trusted device or otherwise via an emailed link that expires after an hour. With the Global Settings Lock on, adding new addresses is blocked entirely.
- Passkeys and security keys. Kraken supports passkeys for sign in, including FIDO2 hardware keys such as YubiKey, which are phishing resistant. Set them in Settings, then Security, then Passkeys.
- Email authenticity. Kraken has no personal anti-phishing code. Almost all official Kraken senders end in kraken.com, and Kraken publishes the full list in its support article on whether an email is from Kraken. Its security emails carry their own Lock Account link.
- Emergency brake. Use the Lock Account link inside any genuine Kraken security email, or submit the account security support form and select that you suspect compromise.
Coinbase
- Address book allowlist. Allowlisting limits crypto sends to addresses saved in your address book, and a newly added address only becomes usable after 48 hours. Find it in Settings, then Security.
- Transfer protection. The successor to the old Coinbase Vault, which is being retired. Adds a time delay, an extra verification step, or both to outgoing sends, with optional trusted contact approval. Worth turning on for long term balances that stay on the exchange.
- Lock Account. Coinbase's in-app emergency brake. In the app: Account and settings, then Security, then Lock Account. Locking pauses trading and sends until you unlock with identity verification.
- Passkeys and security keys. Both are supported as 2FA methods, including YubiKey style FIDO2 keys. Coinbase recommends keeping two methods, one primary and one backup.
- Email authenticity. No personal anti-phishing code. Check that the sender ends in coinbase.com and forward anything suspicious to security@coinbase.com. Coinbase also risk scores destination addresses and may warn you, delay a send, or block it when an address is flagged.
Bybit
- Anti-Phishing Code. A phrase only you and Bybit know, shown in every genuine Bybit email and text. Missing or wrong code means fake. Set it in Account and Security, then Advanced Protection.
- Fund Password. A separate password, different from your login, required for withdrawals. Resetting it blocks withdrawals for 24 hours, which is itself a defense. Same Advanced Protection page.
- Withdrawal Address Whitelist. Plus two companion switches: Withdraw via Address Book only, and the New Address Withdrawal Lock, which bans withdrawals to any newly added address for 24 hours. In Account and Security.
- Passkeys. Bybit supports passkeys including FIDO2 USB security keys, up to ten per account. Removing one triggers a 24 hour withdrawal restriction.
- Emergency brake. While logged in: Account, then Deactivate an Account, reason Possible account compromise, which blocks all logins immediately. Locked out: the support chat on the official site has Lock Account, with email confirmation. Bybit's new address and new device emails also carry a direct deactivation link.
OKX
- Anti-phishing code. A personal code shown in every genuine OKX email. No code or the wrong code means forged. Set it in the Security Center.
- Allowlist. With the Allowlist on, you can only withdraw to addresses saved in your address book, and the optional New address withdrawal lock blocks withdrawals to a newly added address for 24 hours. In the Security Center.
- Withdrawal protection. OKX has retired its separate fund password in current app versions. Withdrawals are protected by your 2FA at withdrawal time plus automatic 24 hour withdrawal locks after sensitive changes, so the 2FA ladder above matters double here.
- Passkeys and security keys. OKX supports multiple passkeys and FIDO2 hardware keys. Removing or resetting one can trigger a 24 hour restriction on withdrawals.
- Freeze account. OKX's self serve emergency brake. Security Center, then Account management, then Freeze account. Once frozen, nobody can log in until you unfreeze with a security check.
The "security department" call
Customer data from breaches and insider leaks is sold to scam crews, so the caller knows your real name and may know roughly what you hold. They sound exactly like a professional security team. They are the thief. The FBI has warned about criminals posing as exchange employees in unsolicited calls, and Coinbase disclosed in 2025 that bribed support contractors leaked customer data precisely so criminals could impersonate Coinbase to its own users. That leak touched 69,461 customers, including balance data; Coinbase refused the 20 million dollar ransom, posted a matching reward, and reported 307 million dollars of related costs. Sources: FBI, Coinbase SEC filing
The caller
"Hello, this is the security team at your exchange. We have detected unauthorized access to your account and we are going to help you secure your funds."
The truth
Your exchange will never call you out of the blue. No major exchange cold calls customers about security. The call itself is the attack.
The caller
"I can confirm your full name and the approximate balance on your account, so you know this is genuine."
The truth
Knowing your personal details proves nothing. Your name, email, phone, and even balance may already sit in leaked databases. Scammers buy familiarity.
The caller
"We need to move your funds to a safe wallet while we investigate."
The truth
There is no such thing as a safe wallet your exchange moves you to. That sentence, in any form, from anyone, means thief. During a real incident the safest place is funds frozen in place behind your allowlist.
The caller
"To verify your identity, please read me the code we just sent to your phone."
The truth
That code is your 2FA. They are logging in as you right now. Codes are for typing, never for speaking. No legitimate employee of any company on earth needs you to read them a code.
The caller
"Please install this app so we can secure your device together."
The truth
That app is remote access to everything you own. Hang up.
The fire drill. Screenshot this.
- Hang up. No conversation, no explanation, no goodbye needed.
- Remember: there is no safe wallet. Anyone moving you to one is the thief.
- Remember: knowing your details proves nothing. Familiarity is for sale.
- Never read a code to anyone. Codes are for typing, never for speaking.
- Open the exchange app yourself, look at your account, and contact support through the app. If something were truly wrong, it would be visible there.
The same script arrives by email and SMS as "call our security line at this number". Same treatment: never call numbers given to you. Find the official contact yourself, through the app.
The eight attack vectors
Every crypto scam in circulation is a variation on eight patterns. Open each one to see how the attack works and the exact defense protocol. The scale is industrial, which is why the defense has to be habitual.
$17B lost to crypto scams worldwide in 2025, about five times what hacks took.
$7.2B reported losses to crypto investment fraud in the US in 2025.
$798M lost to government impersonation scams in the US in 2025.
20% of all Bitcoin estimated lost forever, per a widely cited Chainalysis analysis.
| Figure | What it measures | Source |
|---|---|---|
| About $17 billion | Estimated worldwide losses to crypto scams and fraud in 2025, roughly five times the $3.4 billion stolen in hacks, and the biggest hacks hit institutions rather than individuals | Chainalysis 2026 Crypto Crime Report |
| $7.2 billion | Reported losses to cryptocurrency investment fraud in the United States in 2025, the largest source of reported financial losses to Americans that year | FBI IC3 2025 Annual Report |
| $798 million | Reported losses to government impersonation scams in the United States in 2025, nearly double the 406 million dollars reported in 2024; crypto ATM and kiosk scams added about $389 million, with people 60 and older carrying roughly two thirds of kiosk losses | FBI IC3 2025 Annual Report |
| About 20 percent | Share of all mined Bitcoin estimated lost forever, about 3.7 million BTC that had not moved in five or more years as of the 2020 analysis | Chainalysis, 2020 estimate |
Impersonation and deepfakes. Fake support, fake admins, fake bosses, fake family. A video call no longer proves a person is real.
The attack. Support agents, admins, exchange staff, recruiters, celebrities, and government agents who arrive by DM, email, phone, or letter. The classic trigger: you ask a question in public, such as a stuck withdrawal, and "support" DMs you within minutes. Fake admins with one character changed in the username. Fake job offers. Fees to release a withdrawal that never existed. The security department call above is this vector's sharpest blade.
The 2026 upgrade. Voices cloned from seconds of audio. Faked live video. Celebrity giveaway livestreams running on hacked YouTube channels. Cloned voices of your own family calling in distress and needing money urgently. A video call no longer proves a person is real.
The government play. "This is the tax office. There is a warrant. Pay now via Bitcoin ATM or gift cards." Old fashioned impersonation drains more from ordinary people than almost any crypto native scam: the FBI logged 798 million dollars in government impersonation losses in 2025, and in an FTC analysis about 86 percent of reported Bitcoin ATM losses involved impersonation, with a median loss of 10,000 dollars. Sources: FBI IC3, FTC
The defense protocol
- Real support never contacts you first, never DMs, never calls cold. All inbound "support" is the attack itself.
- Never trust display names, caller ID, verified badges, voices, or faces. All of them are fakeable or hackable.
- Verify through the second channel: close the message, open the exchange app yourself, check your account, contact support in the app.
- Phone calls: hang up, find the official contact yourself, reach out through the app. Never call a number the caller gave you.
- The family code word: agree one with your family today. Any urgent money request by call or video gets the code word test. No word, no money. Hang up and call them back on their known number.
- Nobody doubles your money. Not Elon, not anyone, not on a verified account, not on live video. Livestream plus send to receive equals scam, automatically.
- No government accepts payment by Bitcoin ATM or gift cards. Anyone demanding it is a criminal.
- Harden Telegram: Settings, Privacy and Security, Phone Number, Nobody, and restrict DMs from strangers. Real admins never DM first. Read usernames character by character.
- Never pay any fee to receive money. The fee is the scam. The locked balance never existed.
- When in doubt, paste the whole conversation into AI and ask what the red flags are.
Proof it happens: in July 2020 hackers took over Twitter's internal admin tools and compromised 130 accounts, tweeting a "double your bitcoin" scam from 45 of them, including Barack Obama, Joe Biden, Elon Musk, and Apple, and collecting about 118,000 dollars in hours. Verified accounts get hacked. Nobody doubles your money. Source: New York DFS investigation
Phishing. Fake sites, fake emails, fake ads, fake QR codes, even fake letters. The login page that isn't.
The attack. Near perfect copies of Kraken, Coinbase, Bybit, and OKX login pages that harvest your credentials and your 2FA codes in real time. Fake ads bought above the real search result. Emails identical to your exchange's, reporting a suspicious login you must secure. Lookalike domains, kraken.com versus kraken-secure.com. Malicious QR codes on posters, in emails, at events. Physical mail with official letterheads, and even tampered "replacement devices" sent after customer databases leaked. Address poisoning: dust sent from an address visually similar to yours so you copy the wrong one from history later.
The defense protocol
- The golden rule: never log in through a link. Ever. Not from email, DM, ad, QR code, or letter. If an account problem is claimed, close the message, open the app or bookmark, and look. Real problems appear inside the platform.
- Official mobile apps are your primary access. An installed app cannot be swapped for a fake the way a browser login can. On desktop, bookmarks set on day one, used forever. Never google your exchange; scammers buy the ad above the real result.
- The link checking workflow for any link: hover or long press to preview the destination. Read the domain right to left from the first slash: secure-kraken.account-verify.com is account-verify.com, not kraken.com. Run it through a checker such as urlscan.io, virustotal.com, or Google Safe Browsing. Paste it into AI and ask if it is phishing. Then still do not log in through it. Navigate directly. Checkers are awareness, not permission.
- QR codes are links you cannot read. Never scan one for anything crypto from posters, flyers, or strangers, and after any scan, read the URL before acting.
- Verify the actual sender address, not the display name: support@bybit.com is not support@bybit-services.net.
- Anti-phishing codes on Bybit and OKX: an email without your personal phrase is fake, delete it.
- The password manager trick: if it refuses to autofill a login page, listen to it. It knows the domain is wrong even when your eyes are fooled.
- Physical mail gets zero more trust than email. Companies never mail you asking to migrate, validate, or enter a seed phrase. Unrequested replacement devices go in the trash.
- Address poisoning: never copy addresses from your transaction history. Use saved address books and your exchange allowlist. Verify the first six and last six characters on every send, and send a small test first for large amounts.
- To confirm any communication, ask the platform's support yourself through the app. Thirty seconds beats a drained account.
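The link checking workflow and the sender address check from the protocol above, written out as an added example (not code from the page's authors or from any exchange): the routine reads a hostname right to left and keeps the part someone actually owns, then compares it with a set of official domains, and does the same for the real address inside a From header rather than its display name. The official domain set and the sample links are assumed values for illustration, and the routine simplifies by treating the last two labels as the owned domain, which is wrong for multi-part suffixes such as co.uk.

```python
from urllib.parse import urlsplit
from email.utils import parseaddr

# Added example, not from the page's authors. The trusted set is an assumed
# illustration: in practice it is whatever your own day-one bookmarks point at.
OFFICIAL_DOMAINS = {"kraken.com", "coinbase.com", "bybit.com", "okx.com"}


def registrable_domain(hostname: str) -> str:
    """Read the host right to left and keep the part someone actually owns.

    Simplification (assumption): the last two labels. A real checker would use
    the public suffix list so that e.g. co.uk is not mistaken for a domain.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_verdict(url: str) -> tuple[str, bool]:
    """Return (registrable domain, True if it is an official domain).

    urlsplit handles the traps a human eye skips over: anything before an '@'
    is userinfo rather than the host, and a port or path after the host is
    ignored, so "secure-kraken.account-verify.com" resolves to account-verify.com.
    """
    if "://" not in url:
        url = "https://" + url          # hover previews often omit the scheme
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    return domain, domain in OFFICIAL_DOMAINS


def sender_verdict(from_header: str) -> tuple[str, bool]:
    """Check the actual address in a From header, never the display name."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "", False                # malformed or empty: treat as unverified
    domain = registrable_domain(address.rsplit("@", 1)[1])
    return domain, domain in OFFICIAL_DOMAINS


if __name__ == "__main__":
    # Constructed samples modelled on the lookalikes named on this page.
    for link in ["https://www.kraken.com/sign-in",
                 "https://secure-kraken.account-verify.com/login",
                 "kraken-secure.com/verify"]:
        print(link, "->", link_verdict(link))
    for sender in ['"Bybit Support" <support@bybit.com>',
                   '"Bybit Support" <support@bybit-services.net>']:
        print(sender, "->", sender_verdict(sender))
```

A verdict of True is awareness, not permission, exactly as the protocol says: even a link that resolves to an official domain is still not the way to log in. Navigate from your own bookmark.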
Proof it happens: Ledger's 2020 marketing database breach exposed about one million email addresses, and the publicly dumped portion included names, home addresses, and phone numbers of about 272,000 customers. Victims then received convincing phishing letters and even tampered "replacement" devices by post. Sources: Ledger, BleepingComputer
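For the address poisoning item in the defense protocol above, here is an added example (not the page's code or any wallet's) of the first-six-and-last-six check turned into a routine: a destination is accepted only if it matches a saved address book entry exactly, and any transaction history entry that shares the visible ends of a saved address but differs in the middle is flagged as a likely poisoning attempt. The addresses are constructed hex strings in the 0x form, and ignoring checksum case is an assumption about the chain's address format.

```python
# Added example, not code from the page or from any wallet. Addresses below
# are constructed 40-hex-character strings in the 0x form; nothing here is a
# real address.


def _body(address: str) -> str:
    """Lowercase hex body without the 0x prefix, so checksum case is ignored."""
    a = address.strip().lower()
    return a[2:] if a.startswith("0x") else a


def is_lookalike(candidate: str, trusted: str, head: int = 6, tail: int = 6) -> bool:
    """True when the first `head` and last `tail` characters match a trusted
    address but the full address does not. Those ends are all most people
    compare by eye, which is why poisoning works and why this check exists."""
    c, t = _body(candidate), _body(trusted)
    return c != t and c[:head] == t[:head] and c[-tail:] == t[-tail:]


def verify_destination(destination: str, address_book: dict[str, str]) -> tuple[bool, str]:
    """Gate a send: exact match to a saved entry, or refuse with a reason."""
    for name, saved in address_book.items():
        if _body(destination) == _body(saved):
            return True, f"exact match to saved entry '{name}'"
    for name, saved in address_book.items():
        if is_lookalike(destination, saved):
            return False, f"matches the visible ends of '{name}' but not the middle: likely poisoning"
    return False, "not in address book"


def flag_poisoned_history(history: list[str], address_book: dict[str, str]) -> list[tuple[str, str]]:
    """Scan transaction history for entries that mimic a saved address."""
    return [(entry, name)
            for entry in history
            for name, saved in address_book.items()
            if is_lookalike(entry, saved)]


# Constructed sample data
COLD_STORAGE = "0x7a9f3c" + "12" * 14 + "0d4e5f"   # the real saved address
POISONED = "0x7a9f3c" + "ab" * 14 + "0d4e5f"       # same ends, different middle
UNRELATED = "0x" + "c4" * 20
ADDRESS_BOOK = {"cold storage": COLD_STORAGE}
HISTORY = [COLD_STORAGE, POISONED, UNRELATED]


def demo() -> dict:
    """Run the checks over the constructed data and return the results."""
    return {
        "history_flags": flag_poisoned_history(HISTORY, ADDRESS_BOOK),
        # upper-cased copy of the saved address: checksum case must not matter
        "send_to_saved": verify_destination(COLD_STORAGE.upper(), ADDRESS_BOOK),
        "send_to_poisoned": verify_destination(POISONED, ADDRESS_BOOK),
        "send_to_unrelated": verify_destination(UNRELATED, ADDRESS_BOOK),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

The gate only ever approves an exact match to the address book, which is the same rule the exchange allowlist enforces server side; the history scan is the early warning that someone has seeded your history with a lookalike, so the entry is never copied in the first place.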
Drainers and malicious approvals. One signature on the wrong site is a blank check. It drains you later, not now.
The attack. This is what waits the moment anyone steps from the exchange into self custody and Web3. You connect a wallet to a site and sign something. The signature does not move money; it grants permission, and the permission drains you later. A blank check signed while you thought it was a receipt. Delivered through fake mints, fake airdrops, "you have won" pages, and hacked Discord announcements. Related bait: mystery tokens airdropped into your wallet, honeypot tokens you can buy but never sell, and fake tokens sharing a real project's name and ticker.
The defense protocol
- The beginner rule: do not connect your wallet to DeFi platforms, mint sites, or airdrop claims at all. Buy on your exchange, transfer to cold storage, hold, learn. DeFi is graduate school, and no airdrop is worth your savings.
- Mystery tokens appearing in your wallet: ignore them completely. Do not sell, swap, or visit their website. Ignored, they are dust. Touched, they are the trigger.
- When you graduate: the three wallet structure below. New or experimental sites touch only the burner wallet holding pocket change.
- Never sign what you do not understand. Rejecting costs nothing. Signing can cost everything.
- Use a wallet with transaction simulation, such as Rabby or modern MetaMask security alerts, that translates a signature into plain language before you approve it.
- "Unlimited approval" is a memorized red flag. No legitimate claim needs unlimited access to your tokens.
- Monthly: open revoke.cash, review your standing permissions, and revoke what you no longer use.
- Buying tokens on a DEX: never search by name or ticker, because fakes share both. Paste the contract address from the project's official site or from CoinGecko.
- Honeypot check on small caps: paste the contract into a honeypot checker or into AI, and confirm that people other than the team can actually sell.
- Verify dApp URLs through the project's official X account or website, never through Discord links. Surprise mints get the 24 hour rule.
- Hardware wallet users: trust the device screen, never the computer screen. The device shows the true destination.
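What a simulating wallet does when it translates a signature into plain language is decode the calldata. The Python below is an added example, not code from this page, Rabby, or MetaMask: it decodes the two standard approval calls, the ERC-20 `approve(address,uint256)` (selector `095ea7b3`) and the ERC-721/1155 `setApprovalForAll(address,bool)` (selector `a22cb465`), and flags the "unlimited approval" red flag. The `encode_approval` helper only builds constructed sample inputs; the spender address used is a made-up placeholder.

```python
MAX_UINT256 = 2**256 - 1
EFFECTIVELY_UNLIMITED = 2**200   # far beyond any real token supply

# Function selectors: the first four bytes of keccak256(signature). These two
# are the standard ERC-20 and ERC-721/ERC-1155 approval entry points.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


def encode_approval(selector: str, spender: str, value: int) -> str:
    """Build calldata for a sample approval (constructed test input only)."""
    spender_word = bytes.fromhex(spender[2:]).rjust(32, b"\x00")
    value_word = value.to_bytes(32, "big")
    return "0x" + selector + spender_word.hex() + value_word.hex()


def decode_approval(calldata: str) -> dict:
    """Translate approval calldata into plain language before it is signed."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        raise ValueError("calldata too short for a function selector")
    selector = data[:4].hex()
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"function": None, "unlimited": False,
                "verdict": f"unknown function {selector}: reject unless you understand it"}
    body = data[4:]
    if len(body) < 64:
        raise ValueError("calldata truncated: expected two 32-byte arguments")
    spender = "0x" + body[12:32].hex()          # address is right-aligned in its word
    value = int.from_bytes(body[32:64], "big")
    if signature.startswith("setApprovalForAll"):
        unlimited = value == 1
        verdict = (f"operator {spender} may move EVERY token you hold in this collection"
                   if unlimited else f"removes operator rights from {spender}")
    elif value == 0:
        unlimited = False
        verdict = f"revokes the allowance of {spender} (sets it to zero)"
    elif value >= EFFECTIVELY_UNLIMITED:
        unlimited = True
        verdict = f"UNLIMITED allowance for {spender}: it can drain this token at any later time"
    else:
        unlimited = False
        verdict = f"allowance of {value} base units for {spender}"
    return {"function": signature, "spender": spender, "value": value,
            "unlimited": unlimited, "verdict": verdict}


if __name__ == "__main__":
    placeholder_spender = "0x" + "11" * 20   # constructed, not a real contract
    for cd in (encode_approval("095ea7b3", placeholder_spender, MAX_UINT256),
               encode_approval("095ea7b3", placeholder_spender, 1_000_000),
               encode_approval("a22cb465", placeholder_spender, 1),
               encode_approval("095ea7b3", placeholder_spender, 0)):
        print(decode_approval(cd)["verdict"])
```

A revocation is the same `approve` call with the amount set to zero, which is what a monthly cleanup at revoke.cash submits on your behalf; anything above `EFFECTIVELY_UNLIMITED` is treated as unlimited because drainers sometimes request a huge number rather than the exact maximum.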
Proof it happens: the Squid Game token of November 2021 wrote the exit into its own code. Its whitepaper's "anti dump" mechanism meant most holders could buy but not sell. After the price spiked to about 2,861 dollars, the developers vanished with roughly 3.3 million dollars while CoinMarketCap displayed a warning that holders could not sell. Anonymous team plus hype plus an unsellable token equals rug. Source: CBS News
Malware and device compromise
Clipboard hijackers, fake apps, poisoned extensions, and the screen share "help" that watches you type.
The attack. Clipboard hijackers that swap the address you copied for the thief's. Fake wallet and exchange apps inside official app stores. Fake browser extensions that read everything you type. Keyloggers riding cracked software. The screen share scam, where "support" asks you to install AnyDesk or TeamViewer to help you, then watches you log in or takes control. Malicious public WiFi intercepting logins.
The defense protocol
- Never install software because someone asked you to. A remote access or screen share request about your crypto means thief, full stop.
- Never screen share anything crypto related. Your screen exposes codes, balances, and addresses.
- Download exchange apps and wallets only via the official website's link, or by carefully verifying the developer name in the app store. Fakes live inside official stores too.
- Browser hygiene: minimal extensions, because every extension can read what you type. Ideal: a separate browser or profile used only for crypto.
- Clipboard defense: after pasting any address, verify the first six and last six characters against the source. Every time. This single habit defeats every clipboard hijacker ever written.
- Test transaction before any large send.
- Clean ground: no cracked software, torrents, or random downloads on the device that touches your money.
- Phone basics: strong PIN, biometrics on, no jailbroken phones for crypto, and lock screen notification previews hidden so codes are not readable off a stolen phone.
- Public WiFi: never log into exchanges on it. Use mobile data, or a reputable VPN if you must.
- Keep the operating system, browser, and apps updated from official sources.
- The hardware wallet settles the malware question: even on an infected computer, nothing moves without physical confirmation on the device, and the device screen shows the true destination.
SIM swapping
Your number moves to their SIM. Your phone goes dead. Your accounts fall like dominoes.
The attack. The scammer convinces your carrier to move your number onto their SIM. They now receive your SMS codes, reset your email, then your exchanges, and your accounts fall like dominoes. Your phone going mysteriously dead is the first symptom. Exchange users are prime targets because the prize is immediate.
The defense protocol
- Remove SMS 2FA from every exchange and from your email today. It matters enough to say twice on this page.
- Carrier port freeze and account PIN. Five minutes, free.
- A crypto only email with its own authenticator 2FA, so a captured number cannot reset it.
- Check haveibeenpwned.com and retire leaked passwords.
- Withdrawal allowlisting as the backstop: even a thief fully inside the account cannot redirect funds.
- Remove your phone number as a recovery method everywhere it is optional.
- The emergency drill: phone suddenly dead for no reason means active attack. From another device, change your email password and lock your exchange accounts immediately. Minutes matter.
Investment scams and pig butchering
Guaranteed returns, AI trading bots, and the patient stranger whose platform always shows profit.
The attack. Guaranteed returns. AI trading bots. Fund managers and signal gurus. WhatsApp investment classes herding members into pump and dumps. Influencers shilling tokens they are quietly selling. Fake news ads about a celebrity's secret wealth platform. And pig butchering: a wrong number text or a dating match builds a relationship over weeks, then introduces "their" platform showing fake profits, allows one small withdrawal to build trust, then takes everything. The scale is industrial. The UN estimates East and Southeast Asia lost 18 to 37 billion dollars to cyber enabled fraud in 2023, with hundreds of thousands of people, many themselves trafficked, working inside scam compounds. Source: UNODC
The detail aimed at you. The fake platform often imitates a real exchange's look, or you are told to buy crypto on your real exchange and then send it out to the "platform's" deposit address. The real exchange is just the on ramp. The theft happens on the withdrawal you make with your own hands.
The defense protocol
- The iron law: guaranteed returns do not exist. Fixed daily or weekly profits mean Ponzi, every time in history. Do the math: 1 percent daily compounds to double your money roughly every 70 days. If that were real, they would not need yours.
- Never invest through a platform that a person you have never met in real life introduced you to. This single rule structurally defeats all pig butchering.
- The withdrawal tell: when your own exchange shows a warning or holds a transfer as you withdraw to a flagged address, that is the system trying to save you. Coinbase risk scores destinations and may warn, delay, or block; Kraken may hold withdrawals or restrict accounts of suspected scam victims. Anyone coaching you on what to tell your exchange to get a withdrawal approved is a thief, by definition.
- "AI trading bot" is this cycle's favorite costume for the same old Ponzi.
- Platform verification before depositing anywhere: is it on the CoinGecko or CoinMarketCap exchange rankings? Registered with a real regulator, checked on the regulator's own site? Is the domain years old or weeks old? Is it in official app stores with history? Paste the pitch into AI.
- A successful small withdrawal proves nothing. It is the hook. Ponzis pay early withdrawals from new victims by design.
- Any fee, tax, or deposit required to unlock a withdrawal means the balance is fiction and the fee is the theft.
- Reverse image search new online friends' photos. Ask for spontaneous video, and remember that video can be faked. Rule 2 of the protocol is the real defense.
- The tell one person rule: before sending money anywhere new, describe it out loud to one trusted real world person. Scammers isolate and demand secrecy. "Do not tell anyone yet" is itself the red flag.
- Influencer promotions: assume paid, and assume they sell while you buy.
- Nobody competent trades your money via DMs.
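The "do the math" rule and the "small withdrawal proves nothing" rule above are both arithmetic, and they can be carried through. The Python below is an added illustration, not code from this page: it computes the doubling time of a fixed daily return, and it runs a simple cash-flow model of a scheme that pays early withdrawals out of new deposits. The model assumes the operator has no real trading income at all, and the inflow series is constructed.

```python
import math


def doubling_days(daily_rate: float) -> float:
    """Days for a balance to double at a fixed daily compound rate."""
    return math.log(2) / math.log(1 + daily_rate)


def annual_multiple(daily_rate: float) -> float:
    """What a fixed daily rate claims to turn 1 unit into after a year."""
    return (1 + daily_rate) ** 365


def simulate_fixed_return_scheme(daily_inflows, daily_rate=0.01, withdraw_fraction=0.005):
    """Cash-flow model of a scheme promising a fixed daily return.

    Model assumption: the operator has no trading edge, so the only cash is
    what victims deposit. Statement balances ('promised') grow at the advertised
    rate; each day holders withdraw a small fraction of what their statements
    show, and those early withdrawals are paid from the deposit pool. The scheme
    collapses on the first day withdrawal demand exceeds the real cash.
    """
    cash = 0.0       # money the operator actually holds
    promised = 0.0   # total shown on victims' dashboards
    for day, inflow in enumerate(daily_inflows, start=1):
        cash += inflow
        promised = (promised + inflow) * (1 + daily_rate)
        demand = promised * withdraw_fraction
        if demand > cash:
            return {"collapse_day": day, "cash": round(cash, 2),
                    "promised": round(promised, 2), "shortfall": round(demand - cash, 2)}
        cash -= demand          # early withdrawals are honored, building trust
        promised -= demand
    return {"collapse_day": None, "cash": round(cash, 2),
            "promised": round(promised, 2), "shortfall": 0.0}


# Constructed scenario: 60 days of recruitment at 100 units a day, then
# recruitment dries up and the scheme runs on its existing pool alone.
RECRUITMENT_DRIES_UP = [100.0] * 60 + [0.0] * 200


if __name__ == "__main__":
    print(f"1% daily doubles in {doubling_days(0.01):.1f} days, "
          f"and claims {annual_multiple(0.01):.1f}x in a year")
    print(simulate_fixed_return_scheme(RECRUITMENT_DRIES_UP))
```

In the constructed scenario every withdrawal during the recruitment phase is paid in full, which is the hook the bullet above describes; the collapse only arrives once new deposits stop, and by then the dashboards promise far more than the operator holds.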
Proof it happens: BitConnect posted fictitious returns averaging about 1 percent a day from a supposed proprietary trading bot and took in roughly 2.4 billion dollars before collapsing in January 2018. Sources: US Department of Justice, SEC complaint
OneCoin sold a "cryptocurrency" with no real blockchain behind it and defrauded victims of more than 4 billion dollars; its founder, "Cryptoqueen" Ruja Ignatova, is still on the FBI's Ten Most Wanted list as of June 2026, with a reward of up to 5 million dollars. Source: FBI
P2P trading and payment scams
You release the coins, their payment reverses. Crypto is final, most fiat is not. That gap is the scam.
The attack. Buying or selling crypto person to person. The reversal scam: you sell, they pay by PayPal, bank transfer, or check, you release the coins, and the payment reverses or bounces. Crypto is irreversible; most fiat is not. That asymmetry is the entire scam. Plus fake escrow services, overpayment tricks, and cash meetups that become robberies.
The defense protocol
- Beginners should not trade P2P at all. You have Kraken, Coinbase, Bybit, and OKX: regulated on ramps with real liquidity. P2P is for experienced users with specific needs.
- If P2P is ever necessary, stay inside an exchange's official P2P system where the platform locks the seller's crypto until payment is confirmed. Bybit reserves the seller's coins and releases them only after the seller confirms receipt; OKX provides escrow within its P2P service. Never settle off platform, never "let's finish on WhatsApp".
- Never release crypto until the fiat is final, not "showing as sent". Reversible payment methods are the scammer's tools.
- Overpayment plus a refund request equals scam, automatically. Cancel the trade.
- An "escrow" suggested by your counterparty is your counterparty.
- Never meet strangers in person carrying crypto access or cash.
Physical and social exposure
Why hack you when threatening you is cheaper? Visibility is the vulnerability.
The attack. Flashing gains makes you a target for robbery, extortion, home invasion, and targeted hacking. The five dollar wrench attack: why break encryption when threatening a person is cheaper? It is fed by social bragging, crypto merch, loose meetup talk, public addresses tied to your name, and leaked customer databases that have put names and home addresses of crypto holders in criminal hands.
The defense protocol
- Tell no one your holdings. Not online, not at meetups, not extended family. Invisible, like cash under the mattress.
- Never post balance or gains screenshots, even cropped.
- Do not link your identity to wallet addresses publicly. Any address you must share belongs to a separate, lightly funded wallet.
- No crypto merch while traveling.
- At meetups, talk ideas, never amounts.
- Hardware wallet orders: ship to a pickup point or PO box, not your home address. Vendor databases leak, and the Ledger breach proved it.
- Advanced: a decoy wallet with a modest, surrenderable balance.
- Seed locations known only to you and your estate plan.
Self-inflicted losses
Beginners lose as much to their own mistakes as to thieves, and nobody teaches this. Seven mistakes, seven defenses. No scammer required.
1. Wrong network
Withdrawing USDT on one chain to a wallet or platform expecting another. Funds stranded or gone. The most common exchange user error, because every withdrawal screen asks you to pick a network.
The defense
The network selected on the sending side must match the receiving side, every time. The receiving platform's deposit page tells you which networks it accepts; read it. When unsure, ask support before sending. Always: small test transaction first.
2. Missing memo or tag
Some assets, including XRP and XLM, commonly need a memo or destination tag alongside the address when depositing to an exchange. Address right, memo missing, deposit lost in limbo. Kraken warns that a missing tag can make a deposit irretrievable in some cases.
The defense
When a deposit page shows both an address and a memo, copy both, always. Treat the memo as part of the address.
3. Wrong or mistyped address
One character off and the money is gone forever.
The defense
Copy and paste only, never type addresses. Verify the first six and last six characters. Use your exchange allowlist and wallet address book for repeat destinations. Test transaction before large sends.
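Mistakes 1 to 3 above, together with the address poisoning and clipboard hijacker rules from the scam sections, are one pre-send routine, and it can be written down. The Python below is an added example, not code from this page or from any exchange: a `pre_send_check` that compares the withdrawal against what the deposit page says, looks the address up in an address book by its full string, flags a lookalike that matches only at the first and last six characters, and insists on a test send for large amounts. The addresses and thresholds are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class DepositPage:
    """What the receiving platform's deposit page says it accepts."""
    asset: str
    network: str
    memo_required: bool = False


@dataclass
class Withdrawal:
    """What you are about to submit on the sending side."""
    asset: str
    network: str
    address: str
    amount: float
    memo: str = ""
    test_send_done: bool = False


def normalize(address: str) -> str:
    return address.strip().lower()


def pre_send_check(w: Withdrawal, page: DepositPage, address_book: dict,
                   large_amount: float = 1000.0) -> dict:
    """Return the problems a careful sender catches before pressing Send.

    address_book maps a label to the address you saved from the destination's
    own deposit page, never from transaction history.
    """
    problems = []
    if w.asset.upper() != page.asset.upper():
        problems.append(f"asset mismatch: sending {w.asset}, page is for {page.asset}")
    if w.network.upper() != page.network.upper():
        problems.append(f"network mismatch: sending on {w.network}, destination accepts {page.network}")
    if page.memo_required and not w.memo.strip():
        problems.append("destination requires a memo/tag and none was entered")

    addr = normalize(w.address)
    saved = {normalize(a): label for label, a in address_book.items()}
    if addr not in saved:
        # Address poisoning: a planted address shares the first and last
        # characters of one you really use, so a 6+6 glance lets it through.
        # Only a full-string match against the address book settles it.
        lookalikes = [label for a, label in saved.items()
                      if a[:6] == addr[:6] and a[-6:] == addr[-6:]]
        if lookalikes:
            problems.append(f"address matches saved entry {lookalikes[0]!r} only at the ends: "
                            "possible address poisoning")
        else:
            problems.append("address is not in your address book: paste it from the "
                            "deposit page, not from history")
    if w.amount >= large_amount and not w.test_send_done:
        problems.append(f"amount {w.amount} is large and no test transaction has been sent")
    return {"ok": not problems, "problems": problems}


# Constructed sample data: a saved address and a poisoned lookalike that shares
# its first six and last six characters but differs in the middle.
SAVED = "0xab12cd" + "0" * 28 + "ef3456"
POISONED = "0xab12cd" + "f" * 28 + "ef3456"
ADDRESS_BOOK = {"my cold wallet": SAVED}


if __name__ == "__main__":
    page = DepositPage("USDT", "TRC20")
    print(pre_send_check(Withdrawal("USDT", "TRC20", SAVED, 50), page, ADDRESS_BOOK))
    print(pre_send_check(Withdrawal("USDT", "ERC20", POISONED, 5000), page, ADDRESS_BOOK))
```

The six-and-six glance stays the habit for every send; what the address book and the exchange allowlist add is the full-string comparison that a poisoned lookalike cannot pass.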
4. Lost seed phrase
No scammer, just a house move, a flood, a forgotten hiding place. Roughly a fifth of all Bitcoin is estimated lost forever; a lost seed is a classic way it happens. Source: Chainalysis via Decrypt
The defense
Two physical copies, two locations, checked yearly. Metal beats paper against fire and water. And the recovery drill: before funding a hardware wallet seriously, wipe it and restore from your written seed once, proving the backup actually works.
5. 2FA lockout
Phone lost or broken with no backup codes saved: locked out of your own exchange for weeks.
The defense
Save backup codes on paper the day you enable 2FA, stored with your seed materials. Keep your authenticator app's own encrypted backup current.
6. No inheritance plan
If you vanish tomorrow, your family inherits nothing they cannot find or access. Exchanges do have deceased customer processes, but they are slow and only work if your family knows the accounts exist.
The defense
A sealed instruction set with a trusted person or lawyer: which exchanges, which wallets, where the device and seed are stored. Locations only; the seed itself is never written in the letter. Review it yearly. This is love expressed as paperwork.
7. Panic and haste
Fat fingered trades, sending before checking, clicking through warnings, including the exchange's own scam warnings.
The defense
Money never moves in a hurry. When your exchange throws a warning screen, read it as if it were written for you, because it was. Slow is safe, and in crypto slow is also fast, because mistakes are forever.
The architecture of custody
You are not a trader, and you should not have to be your own bank. So the structure we recommend is simple, and it is about putting each kind of money in the right home. The capital you are actively investing belongs on a reputable, regulated exchange, where it can work. Your largest long-term holdings, and any idle cash sitting outside XLNC, belong with a qualified custodian. Holding your own keys, self-custody, is a real option for those who specifically want it, and the section covers how to do it safely. We work only with the most established, regulated exchanges, and we hold direct VIP relationships with them, so if anything ever goes wrong we can reach their priority team for you directly. The platforms that made headlines for the wrong reasons were a different animal: FTX was outright fraud, and Celsius was an unregulated yield scheme that told people banks were not their friends. Sources: US Department of Justice, FTC. That is the real lesson, and exactly why we are careful about where client capital sits: choose regulated, audited, reputable venues, and never a platform promising a yield it cannot explain.
A reputable exchange
For the capital you are actively investing
Where the bulk of your working money belongs. The exchanges we use run security most individuals cannot match: the majority of assets in cold storage, independent audits, breach insurance, round-the-clock monitoring, and a real team behind it. We hold direct VIP relationships with them, so if anything ever goes wrong we reach their priority desk for you, fast.
A qualified custodian
For your largest long-term holdings and idle cash outside XLNC
When you are holding a very large amount for the long term, or a lot of cash sitting idle, a qualified custodian is purpose-built for it: regulated trust companies with institutional-grade security and insurance, designed to safeguard size. The most reputable names are just below.
Self-custody, only if you want it
For those who specifically want to hold their own keys
A real option, and a real responsibility. Your wallet is one set of words; lose them or let them be stolen and the money is gone for good, with no reset, no support, no recovery. For most people that is more risk, not less. If you choose it, the section below shows how to do it with the least risk.
The custodians we would point you to
For tier two: the largest long-term holdings and idle cash you are not actively investing. These are institution-grade, regulated custodians built to safeguard large balances, the way a bank vault holds gold. Most set minimums and a formal onboarding, which is exactly the point. Open any of them yourself from your own bookmark and verify the address.
Coinbase Prime
Institutional custody and prime services from a US-listed, regulated exchange.
coinbase.com/prime
BitGo
A regulated trust company and one of the original institutional custodians, with insurance.
bitgo.com
Anchorage Digital
The first federally chartered digital-asset bank in the United States.
anchorage.com
Fidelity Digital Assets
Institutional crypto custody from one of the largest asset managers in the world.
fidelitydigitalassets.com
Gemini Custody
A New York trust company offering regulated, insured cold-storage custody.
gemini.com/custody
A custodian holds the keys for you, under regulation and insurance, the way a bank holds your money. It is the opposite of self-custody, and for very large, long-term sums it is usually the calmer choice. None of these are Crypto XLNC; vet and choose your own.
Self-custody structure: three wallets
| Wallet | Role | What it may touch |
|---|---|---|
| Cold, hardware | The vault | Connects to nothing. Receives only. |
| Hot, mobile or browser | The checking account | Modest funds on established platforms only. |
| Burner | The disposable glove | Pocket change. The only wallet that touches anything new or DeFi. |
If you hold your own keys: choosing a wallet
Self-custody is tier three, for people who want their own keys and accept the responsibility that comes with them. If that is you, do it with the least risk: the keys live on a device in your hand, not on a phone or a website. Three we would point you to, in the order most people should consider them. Buy only from the maker's own site below, never a marketplace, never second hand.
Tangem
Our pick · easiest
No seed phrase at all. The keys are created and sealed inside the card's secure chip, so there is nothing to write down, photograph, lose, or be tricked into typing. You tap the card to your phone to approve a move. You back it up by ordering a set of two or three identical cards and keeping them in separate safe places. For most people this removes the single most dangerous step in self custody. Our invite link gives you 10% off.
Get Tangem, 10% off →
Ledger
More involved
A traditional hardware wallet with its own screen and buttons. More steps to set up and use, and it does create a seed phrase you must protect, so the rules below apply in full. That friction is also a strength: harder and slower to use means harder for anyone to rush you into a mistake.
Visit Ledger →
Trezor
More involved
An open-source traditional hardware wallet, also seed based. Like Ledger it takes more care to set up and operate, and it is more secure precisely because every action is deliberate and confirmed on the device itself. A strong choice if you want fully open hardware and do not mind the extra steps.
Visit Trezor →
The trade is simple: Tangem removes the seed phrase and is the easiest to live with, while Ledger and Trezor keep the classic seed and ask more of you, which some people prefer because the extra deliberation is itself a defense. If you choose Ledger or Trezor, the seed phrase protocol below is mandatory.
The seed phrase protocol
You meet a seed phrase the day you set up your first hardware or mobile wallet. Get this right before that day. The concept: whoever holds the 12 or 24 words holds the money. It is not the password to the account. It is the account. A password can be reset. A seed phrase cannot.
The seven rules
Never typed, never photographed, never shared
- Never type it into any website, app, popup, or form. There is no legitimate reason, ever. The words validate, synchronize, authenticate, migrate, claim, or import next to a seed request mean theft attempt, 100 percent of the time.
- Never let it touch a phone photo, a notes app, plain cloud storage, email, or a chat. Phones auto upload photos, so one snapshot of your seed can live on someone else's server forever.
- Back it up in two places. Best is offline and physical: pen and paper, or stamped metal, kept in two separate secure locations. If you know yourself well enough to know you will not keep paper safe, a reputable password manager, behind a strong unique master password and its own two factor authentication, is an acceptable home for one copy, paired with a second copy somewhere else, physical or digital. The honest trade: a password manager is far safer than a photo or a sticky note, but it is online, so it buys convenience for a small cost in security. Best of all, sidestep the whole question with a Tangem card, which has no seed to store.
- Never share it with anyone, including "support". Real support never needs it. The wallet manufacturer never needs it. Your exchange never needs it and will never ask.
- Never generate a wallet on a website. Online seed generators hand the thief a copy of your keys at birth. Keys are born on a hardware device or an official wallet app only.
- The only time a seed is ever entered: restoring onto a hardware device you bought new, typed on the device's own screen, never on a computer.
- Suspected exposure means a new wallet, a new seed, and moving everything immediately. Do not wait for proof.
Level 2
This week, the vault. The biggest single upgrade.
- Buy a hardware wallet only from the manufacturer's official site. Never Amazon, eBay, or second hand. A pre printed seed in the box means compromised. Ship to a pickup point, not your home; vendor databases leak.
- Move only what you want under your own keys to the device; active capital stays on your exchange and the largest long-term holdings can sit with a custodian.
- Seed in two places: offline on paper or metal in two locations, or one copy in a reputable password manager plus a second copy elsewhere. With a Tangem card there is no seed to back up.
- Do the recovery drill before serious funding: wipe the device and restore from your written seed once, proving the backup works.
- Verify receiving addresses on the device screen, not the computer screen.
Level 3
The habits that hold the fortress
- Verify every address, first six and last six characters, every time.
- Match networks on both sides; copy memos where shown.
- Test transaction before every large send.
- Never sign what you do not understand.
- Monthly: revoke.cash cleanup, exchange session review, API key review.
- Quarterly: review where each tier of money sits, exchange, custodian, and any self-custody.
- Yearly: check seed backups, refresh the inheritance letter.
- The 24 hour rule on everything urgent.
- The tell one person rule on every investment.
- The AI check on every suspicious contact.
- Tell no one your holdings.
Exchange inheritance, while we are being honest: exchanges do have deceased customer processes, with death certificates and legal documents, but they are slow and your family must know the accounts exist. Document your exchanges in your estate instructions. The inheritance letter in the mistakes section above is the how.
Scam or legit?
Ten situations, straight from the field. Two of them are legitimate. Call each one.
The litany
The red flags, rapid fire. Every line ends the same way.
- Anyone contacting you first about your money. Scam.
- Anyone asking for your seed phrase, for any reason. Scam.
- Anyone asking you to read them a code. Scam.
- "Move your funds to a safe wallet." Scam.
- Guaranteed or fixed daily returns. Scam.
- Send X, receive 2X back. Scam.
- Urgency, countdowns, last chance. Scam.
- "Install this software" or "share your screen." Scam.
- A new romantic interest who pivots to investing. Scam.
- A fee, tax, or deposit to unlock a withdrawal. Scam.
- "Don't tell anyone about this yet." Scam.
- Coaching you on what to tell your exchange. Scam.
- "Validate," "synchronize," or "migrate" your wallet. Scam.
- A government demanding Bitcoin ATM or gift cards. Scam.
- A platform only you and your new friend know about. Scam.
- "I sent too much, refund the difference." Scam.
- An unrequested device or letter about your wallet. Scam.
If you get hit
Scams reach careful people. Everyone in this community has been targeted, including us. What you do in the first hour matters most, and the very first thing to know is that the wolves circle twice.
First, before anything else
Beware the second scam
"Recovery services" promising to retrieve stolen crypto are scammers hunting fresh victims, and they wait in the comment sections where people ask for help. Anyone guaranteeing recovery for an upfront fee is thief number two. No legitimate service can reverse a blockchain transaction.
- Exchange account compromised: hit the emergency brake you located in the checklist and lock or freeze the account. Then change the email password first, then the exchange password, then reissue 2FA. Review API keys and the allowlist for tampering before trusting the account again.
- Wallet compromised: move everything that remains to a brand new wallet with a brand new seed, immediately. Never reuse the compromised seed. Revoke all standing approvals at revoke.cash.
- Report fast. To your exchange first: stolen funds passing through exchanges that verify identity can sometimes be frozen if you are quick, which is a real advantage of the major venues. Then to local police, for the paper trail. Then to the FBI's Internet Crime Complaint Center at www.ic3.gov, or your country's equivalent.
- Document everything: addresses, transaction hashes, screenshots, usernames, phone numbers. The trail is the case.
- No shame. Everyone gets targeted. Shame is the scammer's accomplice; it keeps victims quiet and the next person unwarned. Speaking protects your people.
Protect your people
Your family is targeted with the same scripts, minus the preparation you now have. Four conversations to have this week.
The one rule for parents
Elderly parents are prime targets for government impersonation, Bitcoin ATM demands, and romance scams. Teach them one rule: "Anyone demanding payment by crypto, gift cards, or wire over the phone is a criminal. Hang up and call me."
The family code word
Set it with everyone tonight. Voice cloning means a call that sounds exactly like your child or parent in distress proves nothing. Any urgent money request by call or video gets the code word test. No word, no money, hang up, call back on the known number.
The teenager warning
Teenagers meet free crypto game scams and easy money mule recruitment on Discord and TikTok, and their hijacked accounts are then used to scam their friends. Talk to them before the recruiters do.
Your own accounts protect others
If your social accounts are hacked, they scam your friends in your name. Your two factor authentication protects your community, not just you.
The homework: walk one person you love through the Level 1 checklist this week.
The one page protocol
Everything above, compressed to one sheet. Print it, or save it as a PDF, and put it where you will see it.
The Crypto Security Protocol
The chant
Nobody legitimate will ever contact you first, create urgency, or ask for your seed phrase, your codes, or your money.
Verify any message from Crypto XLNC
Open the client dashboard yourself at dashboard.cryptoxlnc.com, from your own bookmark, and match the verification code shown there against the code in the message. No code, or a code that does not match, means it is not us. Still unsure? Ask in the official Telegram group, the one already inside your Telegram (it has no public link, by design), and wait for the answer in the group, never in a DM. The only payment Crypto XLNC ever requests is the performance fee invoice after profits, verified through the broadcast channel, your dashboard, the message code, and a published wallet address.
The Universal Verification Protocol
- Never act on inbound contact. Anything that comes to you about crypto is hostile until proven otherwise.
- Verify through a second, independent channel. Close the message. Open the app from your own bookmark. Look. Ask support yourself: did you send me this?
- The 24 hour rule. Anything urgent waits a day, automatically. Real things survive a day. Scams evaporate.
The Level 1 fortress, one evening, free
- Crypto only email created
- Password manager, unique passwords everywhere
- haveibeenpwned.com checked, leaked passwords retired
- Authenticator or passkey 2FA everywhere, SMS deleted
- Backup codes saved, two copies (password manager or paper)
- Withdrawal address allowlisting on, every exchange
- Anti-phishing code set on Bybit and OKX
- Kraken Global Settings Lock, Coinbase Transfer protection, Bybit Fund Password
- API keys reviewed, never with withdrawal permission
- Sessions and devices reviewed, login alerts on
- Carrier port freeze and PIN set
- Phone hardened, lock screen previews hidden
- Official apps installed, bookmarks set, never google the exchange
- Telegram and Discord privacy locked down
- Emergency brake located, family code word set, AI reflex installed
The red flags, every one means scam
- Anyone contacting you first about your money
- Anyone asking for your seed phrase, any reason
- Anyone asking you to read them a code
- "Move your funds to a safe wallet"
- Guaranteed or fixed daily returns
- Send X, receive 2X back
- Urgency, countdowns, last chance
- "Install this software" or "share your screen"
- New romantic interest pivots to investing
- A fee, tax, or deposit to unlock a withdrawal
- "Don't tell anyone about this yet"
- Coaching you on what to tell your exchange
- "Validate," "synchronize," or "migrate" your wallet
- Government demanding Bitcoin ATM or gift cards
- A platform only you and your new friend know about
- "I sent too much, refund the difference"
- An unrequested device or letter about your wallet
If you get hit
Beware recovery services; guaranteed recovery for a fee is thief number two. Lock the account. Change the email password first, then the exchange password, then 2FA. Compromised wallet: new wallet, new seed, move everything, revoke approvals. Report to your exchange, local police, and www.ic3.gov. Document everything. No shame.
Set the family code word. Security is not a product, it is a practice. Slow is safe, and slow is rich.
Your complete security checklist
Everything on this page, gathered into one list you can work through and keep. It is grouped by exchanges, wallets, your phone and people, and optional extra hardening, with each group marked required or optional. Tick items as you go; your ticks are saved on this device only. Then download the list to print, share with family, or keep in your notes.
Downloads as a plain text file you can open anywhere. Nothing you tick is sent off this device.
Exchange accounts (required)
Wallets and keys (required for self custody)
Phone, SIM and your people (required)
Extra hardening (optional)
Questions people actually ask
Is my money safe on a crypto exchange?
On a reputable, regulated exchange, it is well protected, and for the capital you are actively investing that is the right home. The leading venues keep most assets in cold storage, undergo independent audits, carry breach insurance, and run security operations most individuals cannot match. Crypto XLNC works only with the most established, regulated exchanges and holds direct VIP relationships with them, so if anything goes wrong it is escalated fast. Safety does depend on choosing the right venue: the platforms that failed, like FTX and Celsius, were fraud or unregulated yield schemes, not the regulated custodial exchanges we use. For your largest long-term holdings or idle cash sitting outside the market, a qualified custodian adds another layer. Self-custody, holding your own keys, is an option only if you want it, and it carries its own risk, because a lost or stolen seed phrase cannot be recovered.
What is a seed phrase?
A seed phrase is the 12 or 24 words that generate every key in a self custody wallet. Whoever holds the words holds the money. It is not the password to the account; it is the account, and unlike a password it can never be reset. A seed phrase is never typed into a website, never photographed, never stored in a notes app or cloud, and never shared with anyone, including anyone claiming to be support. It lives on paper or stamped metal, in two copies, in two separate places.
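Why the words are the account and not a password: a BIP39 wallet turns the mnemonic into its master seed with a fixed, public function, so anyone holding the words can reproduce every key, and there is no server that could "reset" them. The snippet below is an added illustration, not code from this page or from any wallet vendor. It uses only the Python standard library and the public BIP39 test mnemonic (all-zero entropy), which controls no real funds; it does not validate the BIP39 checksum, since that needs the 2048-word list.

```python
"""BIP39 mnemonic -> master seed, to show that the seed is a pure
function of the words (plus optional passphrase). Added example; the
mnemonic is the public BIP39 test vector, not a real wallet."""
import hashlib
import unicodedata

# Public BIP39 test vector (entropy of all zero bits). Not a real wallet.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation:
    PBKDF2-HMAC-SHA512(password=mnemonic, salt='mnemonic'+passphrase, 2048 rounds, 64 bytes).
    Words are whitespace-normalised and NFKD-normalised, as the standard requires."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def demonstrate() -> dict:
    """Properties a reader should take away from the derivation."""
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    again = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    sloppy_spacing = mnemonic_to_seed("  " + TEST_MNEMONIC.replace(" ", "   "), "TREZOR")
    no_passphrase = mnemonic_to_seed(TEST_MNEMONIC, "")
    one_word_off = mnemonic_to_seed(TEST_MNEMONIC.replace("about", "abandon"), "TREZOR")
    return {
        # Same words, same seed, every time, on any machine: nothing to reset.
        "deterministic": seed == again,
        # Spacing does not matter; the words do.
        "spacing_irrelevant": seed == sloppy_spacing,
        # A passphrase (BIP39 '25th word') yields an entirely different wallet.
        "passphrase_changes_wallet": seed != no_passphrase,
        # One wrong word is a different wallet, which is why recovery drills matter.
        "one_word_changes_wallet": seed != one_word_off,
        "seed_length_bytes": len(seed),
    }


if __name__ == "__main__":
    print(mnemonic_to_seed(TEST_MNEMONIC, "TREZOR").hex())
    print(demonstrate())
```

The derivation has no secret other than the words themselves, which is the whole point of the glossary's line "whoever holds the words holds the money": a support agent, an exchange, or the wallet maker cannot recover a seed they never had.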
Will Crypto XLNC ever contact me first?
No. Crypto XLNC and Sim Khela never DM first, never ask for your seed phrase or codes, and never offer to trade for you over chat or to recover lost funds. The one payment Crypto XLNC ever requests is its performance fee invoice, after you have made profits, and that moment is verified several ways at once: a confirmation in the official broadcast channel, a notice inside your dashboard, the verification code in the message itself, and the exact wallet address published with the invoice so you can vet it before sending. Anyone doing those things in our name is an impersonator. The complete list of official Crypto XLNC channels is published near the top of this page; anything not on that list is not us. Crypto XLNC clients have one more checkpoint: the client dashboard at dashboard.cryptoxlnc.com shows a randomly generated verification code, and every genuine Crypto XLNC message references it. Open the dashboard from your own bookmark, compare the codes, and treat a missing or mismatched code as an impersonator. And when you are unsure about anything, ask in the official Crypto XLNC Telegram group and wait for the confirmation to arrive in the group itself; anyone who answers in a private DM instead is an impersonator.
What do I do if I already sent money to a scammer?
Act in this order. First, do not hire a "recovery service": anyone guaranteeing to retrieve stolen crypto for an upfront fee is a second scammer. Lock or freeze any compromised exchange account, change your email password first, then the exchange password, then reissue two factor authentication. If a wallet is compromised, move whatever remains to a brand new wallet with a new seed and revoke approvals at revoke.cash. Report fast: to your exchange, because stolen funds passing through identity verified exchanges can sometimes be frozen, then to local police, then to the FBI's Internet Crime Complaint Center at www.ic3.gov. Document every address, hash, and screenshot. And no shame; silence only protects the scammer.
Is SMS two factor authentication really that bad?
Yes. A SIM swap moves your phone number onto a criminal's SIM card, usually by social engineering your carrier, and from that moment every SMS code protects the thief instead of you. Remove your phone number as a two factor method and as a recovery method on your email and every exchange. Use an authenticator app, a passkey, or a hardware security key instead, set a carrier port freeze, and treat a phone that suddenly goes dead as an active attack.
What is the safest exchange setting most people miss?
Withdrawal address allowlisting. Once it is on, crypto can only leave your exchange account to addresses you approved in advance, and adding a new address triggers a delay and confirmations. A thief who gets fully inside your account stares at your balance and cannot move it anywhere. Bybit calls it the Withdrawal Address Whitelist, OKX calls it the Allowlist, Coinbase calls it the Address book allowlist, and Kraken requires every new withdrawal address to be confirmed before use.
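The mechanism in the answer above, modelled as code so the two halves of the protection are visible: withdrawals are refused to any address not approved in advance, and a newly added address cannot be used until a delay has passed, which is the window in which the real owner gets notified and can remove it. This is an added illustration written for this page, not any exchange's implementation; the 24 hour delay, the address strings and the timestamps are assumed sample values, and real exchanges also require email and 2FA confirmation of each new address.

```python
"""Toy model of exchange withdrawal address allowlisting with a
cooling-off delay on new addresses. Added example for this page, not
an exchange's code. Times are UNIX seconds; the delay is an assumption."""
from dataclasses import dataclass, field

NEW_ADDRESS_DELAY = 24 * 60 * 60  # assumed 24 h; real delays differ per exchange


@dataclass
class ExchangeAccount:
    # address -> time it was added; an address is usable only after the delay
    allowlist: dict = field(default_factory=dict)
    # True = the setting is on; False models the weak default of 'any address'
    allowlist_enforced: bool = True

    def add_address(self, address: str, now: int) -> None:
        """Adding starts the clock. In practice this also triggers an alert
        to the owner, which is what the delay is for."""
        self.allowlist.setdefault(address, now)

    def remove_address(self, address: str) -> None:
        """What the owner does when an alert shows an address they never added."""
        self.allowlist.pop(address, None)

    def check_withdrawal(self, address: str, now: int) -> tuple[bool, str]:
        """Decide whether a withdrawal may leave to `address` at time `now`."""
        if not self.allowlist_enforced:
            return True, "allowlist off: any address accepted (weak setting)"
        added_at = self.allowlist.get(address)
        if added_at is None:
            return False, "address not on allowlist"
        remaining = added_at + NEW_ADDRESS_DELAY - now
        if remaining > 0:
            return False, f"address in cooling-off period, {remaining} s remaining"
        return True, "address approved in advance"


def simulate_takeover() -> dict:
    """An intruder with full session access tries to cash out; the owner
    notices the 'new address added' alert and removes it before the delay ends."""
    t0 = 1_750_000_000  # constructed timestamp
    owner_addr = "bc1q-owner-cold-storage-example"  # constructed, not a real address
    intruder_addr = "bc1q-intruder-example"          # constructed, not a real address

    hardened = ExchangeAccount()
    hardened.add_address(owner_addr, t0 - 30 * 24 * 3600)  # approved weeks ago

    # 1. Straight to a foreign address: refused, not on the list.
    direct = hardened.check_withdrawal(intruder_addr, t0)
    # 2. Intruder adds their own address, then tries right away: refused, cooling off.
    hardened.add_address(intruder_addr, t0)
    after_add = hardened.check_withdrawal(intruder_addr, t0 + 60)
    # 3. Funds can still reach the owner's own pre-approved address.
    to_owner = hardened.check_withdrawal(owner_addr, t0 + 60)
    # 4. Owner sees the alert and removes the address before the delay expires.
    hardened.remove_address(intruder_addr)
    after_removal = hardened.check_withdrawal(intruder_addr, t0 + NEW_ADDRESS_DELAY + 1)

    # Same intrusion against an account that never turned the setting on.
    weak = ExchangeAccount(allowlist_enforced=False)
    weak_result = weak.check_withdrawal(intruder_addr, t0)

    return {
        "direct": direct[0],
        "after_add": after_add[0],
        "to_owner": to_owner[0],
        "after_removal": after_removal[0],
        "weak_account": weak_result[0],
    }


if __name__ == "__main__":
    for step, allowed in simulate_takeover().items():
        print(f"{step}: {'allowed' if allowed else 'refused'}")
```

The contrast between `hardened` and `weak` is the point of the FAQ answer: with the same stolen credentials, the intruder's only move on a hardened account is to add an address and wait, and that wait is visible to the owner.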
Do I need a hardware wallet if I only use an exchange?
No. For most people a reputable, regulated exchange is a safer home than self-custody, because a hardware wallet hands you total control and total responsibility: lose or leak the single seed phrase and the money is gone for good, with no support and no recovery. Keep the capital you are actively investing on a hardened exchange account, place your largest long-term holdings or idle cash with a qualified custodian, and reach for a hardware wallet only if you specifically want to hold your own keys, in which case a Tangem card avoids the seed phrase entirely. If you do use one, buy it new from the maker's official site and do a recovery drill before serious funding.
Can stolen crypto be recovered?
Stolen crypto usually cannot be recovered, because blockchain transactions cannot be reversed, which is why prevention carries this entire page. The realistic exception: if stolen funds pass through a major exchange that verifies identity, fast reporting can sometimes get them frozen there, so report to your exchange and to www.ic3.gov immediately. What can never recover funds is a "recovery service" found in a comment section; guaranteed recovery for an upfront fee is always a second scam.
About this protocol
How this page was made
This page is the permanent companion to Sim Khela's crypto security talk for the Crypto XLNC community. Every named figure and case study was independently verified against primary sources in June 2026: Department of Justice and SEC filings, FBI and FTC publications, the New York Department of Financial Services investigation of the 2020 Twitter hack, United Nations reporting on scam centres, Chainalysis research, and company disclosures including Coinbase's SEC Form 8-K. Exchange feature names were checked against each exchange's current official documentation, because settings get renamed: this page says Coinbase Transfer protection where older guides say Vault, and notes that OKX has retired its separate fund password.
Scope: consumer security practice for exchange users and self custody beginners. The page teaches defense; it does not audit code, and no checklist makes loss impossible. The aim is to make you a hard target.
Last updated . Protocol version 1.0. Reviewed quarterly, because scam patterns and exchange dashboards both move.
Sim Khela is a crypto markets specialist with more than 14 years of crypto market experience, who ran a crypto fund for 5 years. He serves as Indonesian Ambassador for the GBBC and is Co Founder of Farmsent, and is a regular voice across Real Vision, RVIP, Elevation Barn, and GRIM.
About Crypto XLNC
Crypto XLNC is automated, non custodial crypto investing that runs directly on your own exchange. Assets stay in your own account in your own name; Crypto XLNC holds limited, trading only API access and cannot withdraw or move funds. Spot only, no leverage. Supported exchanges: Kraken, Coinbase, OKX, and Bybit where permitted. A 20 percent performance fee on net profits with a high water mark, no management fees, and a 1,000 dollar minimum.
Entities
- Crypto XLNC: the automated, non custodial crypto investing service that trades in your own exchange account through limited trading only API access. https://cryptoxlnc.com/
- Sim Khela: the author, a crypto markets specialist with more than 14 years of experience, Indonesian Ambassador for the GBBC, and Co Founder of Farmsent. https://www.linkedin.com/in/simkhela/
- Farmsent: the food security platform that Sim Khela co founded. https://www.farmsent.io/
- GBBC: the Global Blockchain Business Council, the industry association where Sim Khela serves as Indonesian Ambassador. https://www.gbbc.io/
Plain words glossary
- Seed phrase: the 12 or 24 words that generate every key in a self custody wallet. Whoever holds the words holds the money. Never typed into anything, never photographed, never shared.
- Two factor authentication, 2FA: a second proof of identity at login. The ladder, best to forbidden: hardware key or passkey, authenticator app, and never SMS.
- Passkey: a phishing resistant login credential bound to your device or security key. It cannot be typed into a fake site, which is the point.
- Withdrawal allowlisting: an exchange setting that restricts withdrawals to addresses you approved in advance, with a delay on new ones. The exchange setting that does the most work.
- Anti-phishing code: a personal phrase, offered by Bybit and OKX, that appears in every genuine email so a fake is recognizable at a glance.
- Hardware wallet: a physical device that keeps keys offline and shows the true transaction on its own screen. Nothing moves without a press on the device.
- SIM swap: an attack that moves your phone number to a criminal's SIM so your SMS codes and resets arrive in their hands.
- Wallet drainer: a malicious contract that uses a permission you signed to empty the wallet later. The signature is the theft; the drain just executes it.
- Approval: a standing permission a wallet grants a contract to move specific tokens. Reviewed and revoked monthly at revoke.cash.
- Pig butchering: a long con where a stranger builds a relationship for weeks, then introduces a fake investment platform and takes everything after a small trust building withdrawal.
- Rug pull: a token whose creators drain its value and vanish, sometimes with code that quietly blocks holders from selling.
- Destination tag or memo: an extra identifier some assets, including XRP and XLM, need alongside the address. Address right, memo missing, deposit lost in limbo.
Sources
- US Department of Justice: BitConnect indictment, OneCoin prosecutions, FTX sentencing
- US SEC: BitConnect complaint, Coinbase Form 8-K disclosures
- FBI Internet Crime Complaint Center: 2025 Annual Report, exchange impersonation alerts
- FBI Ten Most Wanted: Ruja Ignatova listing, checked June 2026
- US FTC: Celsius complaint, Bitcoin ATM scam data
- New York DFS: the 2020 Twitter hack investigation
- UNODC and UN OHCHR: scam centre scale estimates
- Chainalysis: 2026 Crypto Crime Report, lost Bitcoin estimate
- Maine Attorney General: Coinbase breach notification
- Ledger and BleepingComputer: the 2020 data breach and fake device mailings
- The official exchange help centers: support.kraken.com, help.coinbase.com, bybit.com/en/help-center, and okx.com/help: current security feature names, checked June 2026
- CBS News and CNBC: Squid Game token and Mt. Gox repayments