An attacker who takes over your exchange account can drain your wallet, take out loans against margin, and post fraudulent P2P ads in your name. India saw a sharp rise in ATO attacks targeting P2P traders in 2023-25.
Common attack vectors
SIM swap: attacker convinces a telco to port your number to their SIM, then intercepts SMS OTPs.
Phishing kit: cloned exchange login page; you type your credentials, the attacker captures them and bypasses 2FA.
Password reuse: leaked password from another site grants exchange access.
Malware on your device: keyloggers and clipboard hijackers steal seed phrases and OTPs in real time.
Hardening checklist
Use a hardware security key (YubiKey) for the exchange wherever supported. SMS-based 2FA is the weakest form; authenticator apps are in the middle; hardware keys are the strongest.
Unique strong password per exchange. Use a password manager.
Set withdrawal whitelisting — withdrawals can only go to pre-approved addresses, with a 24-hour delay on adding new ones.
Verify your phone is not on a SIM-swap watchlist; some Indian telcos let you set port-out PIN protection.
Anti-virus + EDR on your trading device. Don't trade from public/borrowed computers.
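The withdrawal whitelisting item in the checklist above can be modelled as a small policy check; this is an added example, not any exchange's own code, showing why an address added during a hijacked session stays unusable for the 24-hour window. The class name, method names and sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(hours=24)  # the 24-hour delay on newly added addresses


@dataclass
class WithdrawalWhitelist:
    """Hypothetical per-account whitelist; not a real exchange API."""
    # address -> time from which withdrawals to it are allowed
    active_from: dict = field(default_factory=dict)

    def add(self, address: str, now: datetime) -> datetime:
        # Re-adding an existing address never restarts or shortens its delay.
        return self.active_from.setdefault(address, now + COOLDOWN)

    def remove(self, address: str) -> None:
        # Removal is immediate; adding the address back starts a fresh delay.
        self.active_from.pop(address, None)

    def check(self, address: str, now: datetime) -> str:
        ready = self.active_from.get(address)
        if ready is None:
            return "reject: address not whitelisted"
        if now < ready:
            return "reject: address still in cooldown"
        return "allow"


def demo() -> list:
    # Constructed timestamps and address labels, for illustration only.
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    wl = WithdrawalWhitelist()
    wl.add("owner-cold-wallet", t0 - timedelta(days=30))  # set up by the owner
    wl.add("newly-added-address", t0)  # added from a taken-over session
    return [
        wl.check("owner-cold-wallet", t0),
        wl.check("never-added-address", t0),
        wl.check("newly-added-address", t0 + timedelta(hours=1)),
        wl.check("newly-added-address", t0 + timedelta(hours=23, minutes=59)),
        wl.check("newly-added-address", t0 + COOLDOWN),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```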
What to do if compromised
Disable the account immediately via the support channel (most exchanges have an emergency disable). Lock your bank UPI. File a cybercrime complaint at cybercrime.gov.in. Contact your telco if a SIM swap is suspected.
Key takeaways
- Hardware security key > authenticator app > SMS 2FA — choose the strongest your platform supports.
- Withdrawal whitelisting limits damage if compromised.
- Unique strong passwords; password manager; no reuse.
- If compromised: disable account, lock UPI, file cybercrime complaint immediately.