Fake Exchanges and Phishing Attacks: A Sri Lankan's Guide to Staying Safe
Fake exchanges and phishing attacks have stolen millions from Sri Lankan crypto users. Here is how to identify and avoid them.
Uvin Vindula — IAMUVIN
Published 2026-02-10 · Updated 2026-03-16
The Growing Threat in Sri Lanka
As crypto adoption grows in Sri Lanka, so do the scammers targeting Sri Lankan users. I receive messages almost daily from people who have fallen victim to fake exchanges or phishing attacks. The losses range from a few thousand LKR to entire life savings. This has to stop.
Fake Exchanges
How They Work
- Scammers create a website that looks exactly like a real exchange
- They promote it through social media ads, Telegram groups, or direct messages
- You create an account and deposit funds
- The "exchange" shows your balance growing (fake numbers)
- When you try to withdraw, they ask for more money ("withdrawal fee," "tax deposit," etc.)
- Eventually, the site disappears with your money
Red Flags for Fake Exchanges
| Red Flag | Details |
|---|---|
| Unbelievable fees | 0% trading fees or even "negative" fees (they pay you to trade) |
| No verifiable registration | Cannot find them on any financial regulator's list |
| Pressure to deposit quickly | "Limited time bonus" or "Special offer expires today" |
| Celebrity endorsements | Fake endorsements from Elon Musk, local celebrities |
| Withdrawal problems | Always a reason you cannot withdraw |
| URL issues | Misspelled domain names or unfamiliar domains |
Phishing Attacks
Common Phishing Methods
- Email phishing: Emails that look like they are from your exchange, asking you to "verify your account" or "reset your password"
- Social media DMs: Fake customer support accounts reaching out with "help"
- Fake apps: Counterfeit exchange apps on app stores
- Search engine ads: Scam sites that appear above real sites in Google results
- Telegram/WhatsApp groups: Fake admin messages in crypto groups
How to Protect Yourself
For Exchanges
- Only use well-known, established exchanges — research them thoroughly before depositing
- Bookmark the official URL and always access through your bookmark, never through links
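- Check the SSL certificate: look for the padlock in the URL bar and confirm the domain shown matches the official one exactly. The padlock only means the connection is encrypted; scam sites can have one too.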
- Start with a tiny amount: Deposit a small test amount first and try withdrawing before depositing more
For Phishing
- Never click links in emails or DMs — type the URL manually
- Enable 2FA on every account, preferably with an authenticator app (not SMS)
- Verify sender addresses carefully — scammers use similar-looking domains
- Real exchanges will never ask for your password via email, DM, or phone
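
The "similar-looking domains" advice above and the "URL issues" red flag can be checked mechanically. As an added example (not part of the original article), the Python below compares a link or sender address against an allowlist of domains you already trust and flags near-miss spellings, reused brand names and internationalised names. The allowlist entries and sample inputs are constructed placeholders, and the edit-distance threshold of 2 is an assumption.

```python
from urllib.parse import urlsplit

# Assumption: your own allowlist of exchange domains, taken from your bookmarks.
# These are constructed placeholder names under the reserved .example TLD.
OFFICIAL = {"myexchange.example", "cointrade.example"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Return the lowercase host of a full URL or of an email sender address."""
    if "://" in value:
        # urlsplit drops any "user@" part, so https://official@other/ yields "other"
        return (urlsplit(value).hostname or "").lower().rstrip(".")
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def check(value):
    """Classify a URL or sender address as 'official', 'lookalike' or 'unknown'."""
    host = host_of(value)
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    labels = host.split(".")
    # Internationalised names can swap in characters that look like Latin letters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "lookalike"
    for d in OFFICIAL:
        brand = d.split(".")[0]
        tail = ".".join(labels[-d.count(".") - 1:])
        # Brand name reused on another domain, or a near-miss spelling of the domain.
        if brand in host or edit_distance(tail, d) <= 2:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for sample in ("https://www.myexchange.example/login",   # constructed samples
                   "support@myexchnage.example",
                   "https://myexchange.example.verify-account.test/",
                   "newsletter@weather.example"):
        print(f"{check(sample):10} {sample}")
```

An "unknown" result means the domain is simply not on your allowlist, so it deserves the same caution as any unverified link.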
What to Do If You Have Been Scammed
- Screenshot and document everything
- Report to local police and cyber crime units
- Report the scam site to the hosting provider
- Warn your community
- Do not pay any more "fees" to try to recover your money — that is part of the scam
Stay safe with our security guides on the learning center.
Disclaimer: This is educational content about cyber security threats. If you have been a victim of a scam, contact local law enforcement immediately. This article is for educational awareness purposes only and does not constitute security advice.

By Uvin Vindula — IAMUVIN
Sri Lanka's leading Bitcoin educator. Author of "The Rise of Bitcoin".