Exchange Safety

Which Crypto Exchange Should a Beginner Pick? 5 Criteria

2026-05-29 · 链上迷雾

Five criteria, laid out up front:

  1. Jurisdiction and licensing — where is it registered, who regulates it, does it hold any public licenses.
  2. Proof of Reserves (POR) — does it publish reserves regularly, can users verify their own balances are covered.
  3. Supported assets and fiat rails — does it list the coins you want, are the deposit/withdrawal channels available in your region, are withdrawals reliable.
  4. Security and 2FA — is the account security stack complete, is two-factor auth enforced, are there withdrawal cooldowns and address whitelists.
  5. Customer service and incident history — has it had incidents? How did it handle them? This one is the easiest to ignore and often the most accurate signal.

Each one expanded below. Then a “bonus” criterion most beginners miss.


1. Jurisdiction and licensing: where it lives, who watches it

“Regulated” is a vague word in crypto, but unpack it into concrete questions:

  • Registration: which country or jurisdiction does the operating entity sit in? Is it an offshore shell with no financial supervision, or does it hold full financial licenses?
  • Service availability: is your residence in its served-region list? Many exchanges geofence in jurisdictions that have tightened rules. Bypassing this with VPNs or foreign IDs leaves you with no recourse later.
  • Public licenses: does it hold payment, custody, or exchange licenses in major jurisdictions? Licenses don’t guarantee safety, but no licenses at all means it has made no commitments to any regulator.

Compliance is not safety (FTX was registered somewhere too), but a complete lack of it usually means that if something goes wrong, your legal options are extremely limited. As a beginner, give up convenience on a few coins before parking on a platform whose pitch is “we hold no licenses, but we have the lowest fees.”

2. Proof of Reserves: are your coins actually there

POR is a concept that has spread among exchanges only in the last few years. It means the exchange periodically discloses its on-chain assets in a publicly verifiable way, alongside its user liabilities (what it owes to users), to demonstrate “assets held ≥ liabilities owed.”

When reading POR, look for three things:

  • Frequency: quarterly, monthly, or only a one-off “emergency reveal” around bad news.
  • Coverage: only the major coins, or essentially all user balances.
  • Independent verifiability: does it publish a Merkle tree or equivalent so each user can confirm their balance is in the snapshot.

Why this matters: it maps directly onto the kind of disaster seen at Mt. Gox and FTX: users assumed the coins were there; the exchange had already moved them. POR doesn’t make this impossible, but an exchange that never publishes POR has chosen not to answer the single most important question.
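One way the “Merkle tree or equivalent” item above works in practice, as an added example that is not code from this article or from any exchange: a Merkle sum tree over a constructed five-user snapshot, where each user recomputes the root hash and the liability total from their own leaf plus an inclusion proof the exchange hands them. The user ids, balances and function names are assumptions.

```python
import hashlib
from typing import List, Tuple

Node = Tuple[bytes, int]             # (hash, balance sum of the subtree)
ProofStep = Tuple[bytes, int, str]   # (sibling hash, sibling sum, side "L" or "R")

# Constructed sample liability snapshot (not real exchange data): (user id, balance in satoshi).
SNAPSHOT = [("u1", 120_000), ("u2", 5_000), ("u3", 880_000), ("u4", 42_000), ("u5", 1)]
EMPTY: Node = (hashlib.sha256(b"empty").digest(), 0)

def leaf(user_id: str, balance: int) -> Node:
    # A leaf commits to user id and balance; the domain tag keeps leaves distinct from inner nodes.
    h = hashlib.sha256(b"leaf|%s|%d" % (user_id.encode(), balance)).digest()
    return (h, balance)

def parent(left: Node, right: Node) -> Node:
    # An inner node commits to both children's hashes AND sums, binding the total to the root.
    h = hashlib.sha256(b"node|" + left[0] + b"%d|" % left[1] + right[0] + b"%d" % right[1]).digest()
    return (h, left[1] + right[1])

def pad(level: List[Node]) -> List[Node]:
    # Odd level: pair the last node with a zero-balance empty node (duplicating it would double-count).
    return level + [EMPTY] if len(level) % 2 else level

def build(snapshot: List[Tuple[str, int]]) -> List[List[Node]]:
    levels = [[leaf(u, b) for u, b in snapshot]]
    while len(levels[-1]) > 1:
        cur = pad(levels[-1])
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels: List[List[Node]], index: int) -> List[ProofStep]:
    # What the exchange hands to one user: the sibling at each level on the way to the root.
    steps = []
    for level in levels[:-1]:
        level = pad(level)
        sib = index ^ 1
        steps.append((level[sib][0], level[sib][1], "L" if sib < index else "R"))
        index //= 2
    return steps

def verify(user_id: str, balance: int, steps: List[ProofStep], root: Node) -> bool:
    # User-side check against the published root: recompute hash and sum from your own leaf,
    # rejecting negative sibling sums, which an operator could otherwise use to shrink the total.
    node = leaf(user_id, balance)
    for sib_hash, sib_sum, side in steps:
        if sib_sum < 0:
            return False
        node = parent((sib_hash, sib_sum), node) if side == "L" else parent(node, (sib_hash, sib_sum))
    return node == root
```

The published root carries the committed liability total in `root[1]`; the POR claim holds only if the attested on-chain assets are at least that number.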

3. Assets and fiat rails: can you actually do the trade

Beginners are often impressed by long coin lists, but what matters is not “how many coins” — it’s “the specific coins you plan to trade” and how smoothly money moves in and out.

What to check, and how to judge it:

  • Spot vs derivatives: beginners stay in spot; skip leverage and futures for now (see the real risks of crypto leverage).
  • Fiat rails: can you deposit and withdraw via a bank in your region, or does it require a third-party detour?
  • Crypto withdrawals: are they reliable? Frequent “maintenance” or “suspensions”? Does it support the chains you use?
  • Bank withdrawals: does the platform freeze large withdrawals? Any history of settlement delays?

The most useful test isn’t reading a feature list — it’s running a complete small-amount loop: deposit a little, buy a little, withdraw to your own wallet, sell some back, cash out to your bank. If the loop works end to end, that tells you more than any marketing copy.


4. Security and 2FA: is the default strong enough

For security, don’t read what it says about itself. Read what protections are on by default and how strict you are allowed to be.

  • Mandatory 2FA on login and withdrawal: hardware key > authenticator app > SMS. SMS 2FA has been proven vulnerable to SIM-swap attacks many times.
  • Withdrawal whitelist: can you restrict withdrawals to addresses you have pre-registered.
  • Cooldown on new addresses: when you add a new withdrawal address, is there a 24-hour or 48-hour delay.
  • Device/IP anomaly: does it force re-verification on new devices.
  • Granular API permissions: can API keys be scoped to “read-only / trade only / no withdrawal.”

These controls apply to every login and every withdrawal you will ever make. If a platform doesn’t even enforce basic 2FA, it is betting your convenience against the chance you don’t get phished. That bet has no upside for you.

5. Customer service and incident history: how it talks when it breaks

This one is easiest to skip and says the most about the platform. Every exchange has had outages: downtime, delayed withdrawals, overwhelmed support. The question is not whether incidents happen, it is how the platform communicates when they do.

A few things to check:

  • Past incidents: search “platform name + downtime / withdrawals frozen / outage” for the last 1–3 years.
  • Communication style: did it post a notice immediately, or stay silent first? Was there a detailed post-mortem after?
  • Reimbursement history: when hacks or system failures caused user losses, did the platform cover them or push them onto users?
  • Public faces: is leadership identifiable or anonymous? Are there interviews and AMAs on record?

The reason this works as a filter: on the day something actually breaks, what you need is a counterparty that communicates. A platform that defaults to silence and blame-shifting in calm times will almost certainly do the same when it matters.

One more: have you tried it yourself

After running through the five criteria, there is one bonus that most beginners skip: have you personally walked through a small-amount round-trip?

Don’t treat it as a paper exercise; actually do it:

  1. Deposit the smallest amount your bank will let you, and confirm it shows up.
  2. Buy a small position in the most basic asset (say $50 of bitcoin).
  3. Withdraw to your own wallet, noting arrival time, fees, and whether the chain felt smooth.
  4. Sell some back into the platform and cash out to your bank, noting whether any manual review or extra documentation was triggered.

A complete loop will teach you more about the platform than ten reviews would, and even if you later scale up the amounts, every step’s uncertainty is already absorbed in advance. This shares its spirit with making your first crypto purchase safely — small first, always. Treated as an entry test, the money it saves usually dwarfs any fee comparison.

This article is informational, not investment advice. Choose a platform based on your own jurisdiction and risk tolerance.
