Customer safety and security is our priority.


We use the latest technologies, alongiside our expert security team to keep your funds safe, and to stay ahead of vulnerabilities and exploitation attempts.

Trading safely

Steer clear of social engineering and phishing

We never initiate contact with our users with requests for information about your account. You should avoid responding to unsolicited direct messages and emails. Always be vigilant. If you think a scammer has messaged you, message our Customer Support immediately.

Keep private information to yourself

Always keep your account login details private. Do not share your password or private keys. Reach out to our customer support if you need help in logging in.

Be vigilant when performing transactions

Always be careful when transferring money or tokens. Liquid will never ask for your information to perform a transaction on your behalf.

Exercise basic web safety rules

Our website is protected with SSL/TLS to provide an additional layer to security and data integrity. We test our website for vulnerabilities on a daily basis. Please check that you are visiting

Email spoofing is commonly used by scammers to make it look like phishing attempts are coming from a trustworthy source.

You should only be receiving emails from [email protected], [email protected] and [email protected].

Always exercise caution and pay close attention to email domains to avoid interacting with suspicious senders, especially any asking for your private information.

Use 2-factor authentication

All Liquid users are required to set up 2-factor authentication to access the platform. We strongly recommend Google Authenticator and that you do not deactivate your 2FA.

We are here to help

Always exercise caution at emails or accounts that may look suspicious. If you ever need help with your account or want to get in touch, our Liquid Customer Support Champions are available 24/7 to assist via

Account security

2-factor authentication
2FA is mandatory for all accounts and required to complete all significant actions on Liquid, such as resetting password, registering a new withdrawal blockchain address and withdrawing crypto.
Strict password reset
We require having access to both 2FA and your registered email to reset your password.
Cooling-off period
When changes like a password reset are made, the user won’t be able to change their email address for at least 3 days. Similarly, if a password is reset or an email is changed, 2FA cannot be disabled for a period of time. We will always send you an email to verify your intent. During a cooling period, no withdrawals can take place for three days after an account setting has been changed. This is an additional step to prevent any hackers from withdrawing funds.
Withdrawal protection
If an account setting is changed, we halt withdrawals for a period to ensure funds are protected.
Approval queue for changes to account settings
At least two Liquid staff need to be involved to approve any changes to account settings related to password, email address or 2FA, adding an extra layer of security.
IP whitelisting
All computers and mobile devices connected to the Internet have an IP address. We will send an email to confirm any new IP address you use to access Liquid. This feature ensures that no-one can access your Liquid account outside the whitelisted addresses.

Asset protection

We are customer-centric and we keep your information safe. At Liquid, we do our due diligence in ensuring that our accounts are verified and detect malicious attempts early to prevent illegal trading activity on our platform.

Cold wallet
Liquid uses 98% cold storage for all customer assets. We use a combination of multisig and layered authentication for cold storage, where the majority of our fund is. Our warm wallets are powered by Unbound MPC technology.
We have robust verification policies on Liquid. Users must provide official ID documents and proof of address to fully access our exchange.
Fund management
Our customers can only trade from pre-funded accounts. We also use multisignature technology (multisig) for transferring funds out of cold storage. Multisig is a type of address where the private key is divided into multiple parts, requiring multiple private keys for transactions and eliminating single points of failure. All fund transfers require coordination from multiple employees.

Liquid Exchange

We utilize a 24/7 Security Operations Center to employ the latest techniques and tools to intercept attacks before they reach our website.

DDOS countermeasures
For DDoS countermeasures, we use unmetered DDoS mitigation to maintain performance and availability of Liquid.
Liquid has four stages of mitigating a DDoS attack:
Detection: We distinguish an attack from a high volume of normal traffic using IP reputation, common attack patterns, and previous data to assist in proper detection of a distributed attack.
Response: We respond to an incoming identified threat by intelligently dropping malicious bot traffic and absorbing the rest of the traffic.
Routing: By intelligently routing traffic, we will break the remaining traffic into manageable chunks preventing denial-of-service.
Adaptation: We constantly analyze traffic for patterns such as repeating offending IP blocks, attacks coming from certain countries, or specific protocols being used improperly.
Web Application Firewall
For countermeasures against illegal invasion, data falsification and vulnerability countermeasures, we use a Web Application Firewall (WAF).
Our security engineers constantly monitor the Internet for new vulnerabilities. When we find threats, we automatically apply WAF rules to protect our Internet properties.
DNS Security
We have also implemented DNS Security to prevent hijacking or spoofing of customer communications. This further secures the traffic from our servers to the customers’ browser and email inbox.
Penetration Testing
We conduct precautionary security measures such as regular risk analyses and application vulnerability assessments to ensure data protection.
In addition, we work with reputable penetration testing firms to conduct annual testing. We stay updated on security measures and constantly look to improve our security.
Internal Protection
All of our company computers have endpoint protection mechanisms and reside behind enterprise firewalls. We are up to date on all software, constantly monitoring for threats and utilizing a least-privileged and role-based-access approach for all connectivity.
Access Rights Procedures
We conduct periodic reviews of access rights to detect and eliminate unnecessary account access. All staff have to undergo stringent request procedures to determine the source or purpose of the access. This adds an additional layer of internal control to protect data integrity of the exchange.
API Key Security
We utilise Hawk authentication protocol, which implements hash message authentication code (HMAC) signing based on the API key provided, thereby enhancing our security.
Server Security
To prevent unauthorized requests to our internal network, our servers are protected with multiple security mechanisms to ensure a safe trading environment at Liquid.
Backups and Monitoring
Liquid uses snapshots and off hours backup for datastores to shielded instances within our cloud provider.
Our applications produce full audit logging for all activity and this information is analyzed via our SIEM and our SOC while being archived separately from our datastore.
All internal and customer actions produce a full audit trail, are reviewed 24/7 and have passed successful regulatory audit.
Incident Response
We implement a protocol for handling security events and product issues, which includes escalation procedures, quick remediation and post mortem of incidents.
All employees are dutifully notified before informing our customers via our communication channels such as Twitter.
Security questions?
If you think you may have found a security vulnerability, please get in touch with our security team at [email protected].

Step into Liquid

Get started