How to protect your account from intruders

Blockchain transactions are irreversible and final. That means that once the funds have left your account, there is no way to return them or to determine the receiver.

That is why it is vital to protect your account from intruders.

Set a strong password

“Strong” means unique and resistant to brute-force guessing. Please don't use simple words, dates, names, etc. as your password. It is also a good idea to change your password every few weeks.

It's important to keep your password safe and secure and not disclose it to anyone, even to us. We will never, ever ask you to reveal it!

Enable 2-factor authentication

This is a critical security feature. If anyone learns your password, he or she simply won't be able to use it without the second factor. Read more about how it generally works.

We support two types of 2FA: 2FA based on code-generating apps (commonly called Google 2FA) and YubiKey 2FA. Both can be enabled in the "Security" tab in your Settings. Read more about Google 2FA and YubiKey 2FA.

Be careful and always follow simple safety rules.

Your Devices

  • Keep them neat and orderly – be sure that you know what is installed on your devices. Ideally, have a dedicated computer for trading and do not install any applications that are not relevant to trading.

  • Getting Linux installed on your trading computer or just having a Mac is a good idea – although this does not guarantee you 100% safety, it significantly reduces the risks.

  • Do not install any plugins, especially those new to the market, as they can easily turn out to be password-collecting malware. Avoid saving your passwords in your browser.

  • Browser extensions from unknown developers can easily turn out to be malware. They could be used to steal your personal data, intercept your payment details or even to sneakily replace your own deposit address on a web page with the hacker’s address.

Make sure to maintain the same level of security on your phone, tablet, or any other device which stores your 2FA codes and passwords. Enable fingerprint check (if available) and remote erase, so that you can wipe the phone if you lose it. Do not share your phone with anyone, especially your children. Uninstall and wipe out all applications that you do not use, upgrade your iOS or Android operating system to the latest version, and please do not jailbreak your phone if you are not a pro (and even if you are a pro, please do think twice before you attempt it!).

You can download the application for Android devices here. Do NOT install any other mobile applications advertised as HitBTC.


Don’t worry, simply using WiFi is not dangerous. Unless you connect to the network from a country with forcibly installed, state-owned SSL certificates, your data is transferred using the latest generation of SSL. If you still feel concerned about your safety, use a VPN.


  • Do NOT use the same password more than once. That goes for your email and any other website. The most secure option is a combination of a randomly generated password and a trusted password manager; we recommend KeePass.

  • Do not share your password with anybody and never send it to third parties in any type of message. The only person who needs your password is yourself – a HitBTC support team representative will never ask for it.


We ask you to enable 2FA when you register at HitBTC because your security is our top priority. Please make sure that you have enabled it.

Whitelist of withdrawal addresses

This brand new feature lets you create a list of approved addresses to withdraw your funds to. It is a great tool to prevent a withdrawal to an unknown address in the event that your account or even email gets compromised. This is a perfect way to triple-secure your funds (in addition to 2FA and confirmation emails).

Learn how to use it here.


We recommend that you set up a separate email address for trading. Gmail is a basic, reliable option. Do not forget to enable 2-step authentication, so that if your mailbox is accessed from an unknown device you’ll get notified.

Using your email

  • Never open unexpected attachments, especially if they contain files of unfamiliar or unknown type or documents/files you have not requested.

  • Never click on any unexpected external links sent to you in an email. Or, if you have to, please make sure you know why you are clicking it: for example, if you have just registered and we are asking you to confirm your email address and enable the 2FA. When receiving this type of email, please check the From line. If it came from [any mailbox title]@hitbtc.com (not “hlt”, not “heet” etc.), most likely it is a verified sender. One letter can make a huge difference.

  • Keep an eye on your Inbox. Whenever your account is accessed from a new IP address, we will promptly notify you via email. We will also send you emails about any other major events, such as withdrawals. Be on the lookout for such notifications: they will help you detect illegitimate activity as quickly as possible.

Phishing websites

Although new kinds of scams are being invented every day, the old tricks continue to work quite well: people naively click on links that look vaguely familiar and that lead them to seemingly recognizable websites.

The one and only URL for HitBTC is hitbtc.com; any other URL is a phishing site. Do not trust lookalikes, and do not enter your login and password if you have doubts about the website you just clicked through to. The best option would be to simply bookmark the legitimate HitBTC page or enter our address manually every time.

Please contact HitBTC Support immediately if you think you have received a suspicious message or noticed suspicious activity. We monitor and promptly respond to all phishing activities, and your help would be greatly appreciated.
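The From-line check described under "Using your email" and the URL check described above can both be done mechanically. The following Python sketch is an added example, not HitBTC code; the function names, the two-edit threshold, the acceptance of subdomains and all sample addresses are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

LEGIT = "hitbtc.com"   # the only legitimate domain, per the article
BRAND = "hitbtc"

def edit_distance(a, b):
    """Levenshtein distance; small values mean a one- or two-letter swap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'legit', 'lookalike' or 'other' for a host name."""
    host = (host or "").strip().rstrip(".").lower()
    # Assumption: subdomains of the real domain are accepted as legitimate.
    if host == LEGIT or host.endswith("." + LEGIT):
        return "legit"
    labels = host.split(".")
    # Non-ASCII or punycode labels can render like the real name, so they
    # are conservatively flagged.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "lookalike"
    # Brand name inside a foreign domain, or a label within two edits of it.
    if any(BRAND in l or edit_distance(l, BRAND) <= 2 for l in labels):
        return "lookalike"
    return "other"

def check_sender(from_header):
    """Classify the domain of the address in an e-mail From line."""
    _, addr = parseaddr(from_header)
    return classify_host(addr.rpartition("@")[2])

def check_link(url):
    """Classify the host a link really points to (the URL needs a scheme)."""
    return classify_host(urlsplit(url).hostname)

# Constructed samples, not real messages or sites.
if __name__ == "__main__":
    for s in ("HitBTC <no-reply@hitbtc.com>", "HitBTC <no-reply@hltbtc.com>"):
        print(check_sender(s), s)
    for u in ("https://hitbtc.com/login", "https://hitbtc.com.verify.example/",
              "https://hitbtc.com@login.example/"):
        print(check_link(u), u)
```

Only the address inside the angle brackets and the host part of the URL are compared, so a display name or a `user@` prefix that merely contains "hitbtc.com" does not make a message or link pass.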

Contacting support

HitBTC does not currently have phone or voice support. Please do not call any line advertised as HitBTC support, and hang up on any phone call from anyone who claims to be a HitBTC support team rep.

The only HitBTC contacts are those you see in the “Contacts” section on our website. If in doubt, please contact support before you send an email message or chat to someone on Facebook or Twitter.

Last but not least: HitBTC NEVER asks you to send any money to participate in any contest or lottery. Please be careful, protect yourself with simple but reliable steps we recommend, pay more attention to the actions you take both online and offline, and use safe networks.


Done making sure that your account is secure? It's time to initiate your first deposit!
