A fake exchange is the scam beginners fall for most — and find hardest to accept afterward. It doesn't rely on a slick pitch; it relies on "looking exactly like the real thing." You think you're logging into your exchange, but your password and one-time code are being relayed to the scammer in real time. This piece walks the whole thing front to back: how they steer you to the clone, the handful of disguises these sites use, the signals you can catch on the spot, and what to do if you've already typed something in.
- A clone and the real site are nearly indistinguishable by eye — the only reliable tell is the full domain in the address bar, not how the page looks.
- Never tap a login or download link anyone sends you (including "support" or an "account manager") — use your own saved bookmark or type the official domain by hand.
- If you've already entered your password, speed decides the loss: change the password, revoke devices, check the withdrawal whitelist — every second counts.
In one line: what it actually is
A phishing clone (also called a fake exchange or spoof site) is a fake site a scammer builds to look exactly like a real exchange. The page, the logo, the colors, the login box, even the live ticker can be indistinguishable — but it runs on a scammer-controlled address with a look-alike domain.
It usually does one of two jobs. The first is to steal your account: you enter your password and SMS or authenticator code on the clone, those are relayed in real time, and the scammer logs into your real account at the genuine exchange and withdraws your coins. The second is to milk your deposits: the whole "exchange" is a shell, the balances and profits you see are just numbers typed in the back end, and you can deposit but never withdraw — when you try, it invents excuses ("pay tax first," "account under risk review," "insufficient margin") to make you send more.
Both share one thing: the scam happens at the exact moment you feel safest — you're "logging into your exchange" or "topping up your account," which is precisely when your guard is down.
How scammers steer you to the clone
A fake site doesn't appear out of thin air — someone has to put the link in front of you. The common routes:
Search engine ad slots
You search "OKX official site" or "Coinbase login," and the top result marked "Ad" may be a slot a scammer paid for, leading to a clone. Plenty of people assume "the first result is the official one" — which is exactly what the scammer is counting on.
Links in DMs and group chats
"Support," an "account manager," a "signal mentor," or a "group admin" sends you a login or promo link: "claim your airdrop here," "verify your identity here," "new address, the old one's dead." If someone else sent it, treat it as suspect.
Fake "latest URL / backup address" claims
Scammers exploit the fact that exchanges occasionally adjust their domains, spreading "the official site moved, here's the latest backup URL" to push you to a clone. A real platform announces domain changes through official channels — never via a stranger's DM.
QR codes and shortened links
QR codes on posters or in DMs, and shortened links, hide the real domain until after you scan or click. By the time the page loads, you're already on the clone.
What a clone looks like: 5 domain tricks
The page can be copied pixel for pixel, but the domain can't — the scammer can only use one that "looks like" the real one. Learn these tricks and you'll know exactly where to look in the address bar. Below we use OKX's real official domain okx.com as the example (the fake domains here illustrate the technique, not any specific real site):
| Trick | Example | How to catch it |
|---|---|---|
| Typosquatting | 0kx.com (the digit 0 posing as the letter o), okx-vip.com | Compare character by character, especially o/0, l/1/I, rn/m |
| Subdomain disguise | okx.account-login.com (the real domain is actually account-login.com) | The real domain is the part right before the last dot |
| TLD swap | okx.net / okx.co / okx.app | Memorize the official suffix (OKX is .com) |
| Extra words | okx-official.com / login-okx.com / okx-bonus.com | Official main sites don't stuff "official," "login," or "bonus" into the domain |
| Homoglyphs (IDN attack) | A Cyrillic о swapped for the Latin o — nearly identical to the eye | Don't trust your eyes; let a bookmark / password manager match the domain for you |
Note: the domains above illustrate the techniques for teaching purposes and don't accuse any real site. Each exchange's official domain is whatever its own official announcements state — cross-check with our official domain checker.
One thing people miss: the padlock (HTTPS) doesn't mean safe
That little lock in the address bar only means the connection between you and the site is encrypted — it doesn't mean the site is genuine. Scammers can put HTTPS and a padlock on a clone just as easily. Never equate "has a lock" with "is the official site."
What really happens when you type it in
People often think, "I'm just logging in to look, I didn't transfer anything, what's the harm?" The problem: the act of logging in is itself enough to hand the scammer the key to your real account.
The typical chain: you enter your password on the clone, which instantly relays it to the back end; then the clone prompts you for "the SMS / authenticator code to complete login," you comply, and that code is relayed in real time too. Holding your password and code, the scammer logs into the genuine exchange in parallel. If you don't have a withdrawal address whitelist and your withdrawals have no extra delay, your coins can be gone within minutes.
The other version is the pure shell site: you register, deposit, watch the numbers climb, everything feels smooth — until you try to take the money out. That's when the obstacles appear. In reality, your money went into the scammer's wallet the moment you deposited.
5 signals you can catch on the spot
See any of these and you can basically call it fake
- Someone sent you the link, especially while rushing you with "hurry," "limited time," or "the old address is dead."
- The domain has extra words like official / login / vip / bonus / numbers, or the wrong suffix.
- It asks you to "deposit to activate" first, or pay "margin / fees / tax" before you can withdraw or unlock.
- An extra "security verification" pops up right after login, asking you to re-enter a code, your seed phrase, or your private key. No real exchange ever asks for your wallet seed phrase or private key.
- "Support" contacts you via Telegram / WhatsApp / direct message rather than an in-app ticket.
The right habit: how to reach the real site safely
Beating clone sites takes no technical know-how — just build the habits below:
- Once you've confirmed the official domain, bookmark it immediately and only ever enter through the bookmark — no more searching, no more clicking links.
- On your phone, only download apps from the Apple App Store or the exchange's official download page — never an installer anyone sends you.
- Use a password manager: it auto-fills only when the domain matches exactly, so it won't pop up on a clone — effectively doing a domain check for you.
- Turn on 2FA, preferring an authenticator app over SMS; turn on a withdrawal address whitelist to add a time lock to withdrawals.
- When unsure, run it through the official domain checker first, then walk it through the scam self-check. For larger firms you can also confirm registration on FINRA BrokerCheck or the FCA register (UK).
The one-line rule
To tell real from fake, don't look at how the page looks — look at whether the full domain in the address bar is the exact one you confirmed. Lock down how you enter (bookmark + official store) and you'll almost never walk through the wrong door.
Already caught — do these now
If you've just realized you may have typed your password or code into a clone, don't freeze — move fast, in order:
Change your password from the real site immediately
Enter your real account via your bookmark or by typing the official domain (confirm it's correct), and change your login and funds passwords at once.
Revoke suspicious devices / force logout
In your account security settings, review logged-in devices and sessions, kick out anything you don't recognize, and disable any suspicious API keys.
Check the withdrawal whitelist and 2FA
See whether an unfamiliar address was added to the withdrawal whitelist or your 2FA was re-bound. If so, revoke and reset it immediately.
Move assets or contact official support
If needed, move your assets to an address you fully control, and report the issue through official in-app support (not the "support" who DMed you).
Keep evidence and consider reporting
Screenshot the clone's domain, chat logs, and transfer records. In the US, file with the FBI Internet Crime Complaint Center (IC3) at ic3.gov and the FTC at reportfraud.ftc.gov; in the UK, report to Action Fraud. For the full evidence-and-reporting walkthrough, see what to do after you've been scammed.
Don't fall for the "recovery" second wave
Soon after being scammed, people offering to "recover your losses" will appear. These are almost always a second-wave scam targeting victims. See USDT recovery / unfreeze scams.
FAQ
How do I really tell a fake exchange from the real one?
Don't go by how the page looks — only verify the full domain in the address bar. The safest move is to never tap a link anyone sends, use your own bookmark or type the official domain, and read it character by character — watch for look-alike spelling, extra words, the wrong suffix, or a main domain that's actually a different, unfamiliar one. For a registered firm you can also confirm via the FCA register or FINRA BrokerCheck.
I typed my password and code into a fake site — is there still time?
Possibly, if you're fast. Go to your real account through an official channel, change the password, revoke unknown device logins, and check whether the withdrawal whitelist or 2FA was changed. If you'd already set up a withdrawal whitelist and authenticator 2FA, you'll have more reaction time. The faster you move, the smaller the loss. Then report to IC3 (ic3.gov) and the FTC (reportfraud.ftc.gov).
Is the top search result always the official site?
No. The top of the results page is often a paid ad, and scammers buy ads to push clones up. Judge by whether the domain itself is correct, not by where it ranks. The best move is to bookmark the official domain early and stop relying on search.
The site has an HTTPS padlock — doesn't that mean it's safe?
No. The padlock only means the connection is encrypted, and any site (including a clone) can get one. It says nothing about whether the site is the official one — those are two completely different things.
Instead of nervously checking domains every time, save the official entrance once
Clone sites usually win because a beginner walks through the door from a search ad or a stranger's link on step one. If you're going to trade, go straight to a major, regulated exchange through its official route, then bookmark it. OKX is one mainstream exchange; you can reach it through the official sign-up link below, and its official domain is okx.com.
Related reads
- Cloned apps (fake OKX / fake Binance) — the "app version" of a fake site, just as effective at impersonation.
- Fake support & "account unfreeze" scams — a lot of clone links are handed to you by fake support.