How Nexo's security works, and how to strengthen your account

May 147 min read

Security in crypto is a shared responsibility. Platforms put measures in place — infrastructure controls, fraud detection, encryption — but a significant portion of account risk may come from the user side: weak passwords, unverified links, addresses that get swapped without anyone noticing.

This article covers both halves. What Nexo runs in the background, what independent auditors verify, and what you can enable yourself to make your account meaningfully harder to compromise.

What runs in the background

These operate by default. There's nothing to set up or enable — they're on for every account, every transaction.

Anti-scam engine

Every withdrawal on Nexo passes through an automated anti-scam engine that analyses transactions in real time before funds leave the platform. If something looks off — an address associated with known scam activity, an unusual transaction pattern, a destination that doesn't match prior behavior — you'll see a plain-language prompt explaining the concern. No jargon, no vague warnings. In rare high-risk cases, a transaction may be briefly paused for review.

The engine runs silently in the background. Most users will never encounter it. That's the point.

Encryption

Data in transit and at rest across the platform is protected with AES 256-bit SSL encryption — the same standard used by financial institutions and large-scale cloud infrastructure globally.

Independent audits

Nexo's infrastructure is independently audited against a stack of internationally recognized security frameworks, all renewed annually:

  • SOC 2 Type 2 — operational security controls and processes

  • SOC 3 — public-facing summary of the SOC 2 audit

  • ISO 27001 — information security management

  • ISO 27017 — cloud-specific security controls

  • ISO 27018 — protection of personally identifiable information in the cloud

  • CSA STAR Level 1 — cloud security assurance

They are conducted by independent third parties on a recurring basis.

What you can enable

The platform side covers infrastructure and transactions. What it can't cover is your account access — that depends on how you've set things up. These features are available to every user and take minutes to configure.

Two-factor authentication (2FA)

2FA adds a second verification step at login. On Nexo, the same verification — SMS, email, or authenticator app — is also required at sensitive actions: withdrawals, Address Book edits, and changes to security settings. So even if someone has your password, they can't move funds or change your setup without the second factor.

Authenticator apps (like Google Authenticator or Authy) are stronger than SMS-based 2FA. SMS is vulnerable to SIM swap attacks, where an attacker convinces your mobile carrier to transfer your number to a SIM they control. If you're using SMS 2FA, switching to an authenticator app is worth the two minutes it takes.

To enable: go to your Security settings and select your preferred 2FA method.

Important note: 2FA significantly reduces the risk of unauthorized access, but it's not a complete guarantee. Keep your recovery codes in a safe place — losing access to your 2FA device without a backup can lock you out of your account.

Anti-phishing code

Phishing — fake emails that appear to be from Nexo — is one of the most common attack vectors in crypto. The anti-phishing code is a personal string you set yourself that appears in the footer of every legitimate email Nexo sends you. If an email claiming to be from Nexo doesn't carry your code, it didn't come from Nexo.

To set it: open the Nexo app → tap your profile → Security & Settings → Anti-phishing code → enter a code of your choice.

Once set, treat any Nexo email without your code as suspicious — regardless of how convincing it looks.

Address whitelisting

One of the quieter attack vectors in crypto is address swapping — malware that silently replaces a copied withdrawal address with one controlled by an attacker. If you're not verifying the full address character by character before confirming, you may not notice.

Address whitelisting locks your withdrawals to addresses saved in your Address Book (up to 500). You can also set an Extra Security delay on newly added addresses — a configurable window before a new address becomes usable for withdrawals. This closes the swap window: even if an attacker gains temporary access to your account, they can't immediately withdraw to a new address.

To enable: go to your Security settings and turn on Address Whitelisting.
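As an added illustration (not Nexo's own code; Nexo's real implementation is not public), here is a small model of the withdrawal rule this section describes: whitelisting on, an Address Book capped at 500 entries, and an Extra Security delay on newly added addresses. The 24-hour delay, the timeline and the addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ADDRESS_BOOK_CAP = 500  # the article states the Address Book holds up to 500 addresses


@dataclass
class AddressBook:
    """Constructed model of the whitelist + Extra Security delay rules described above."""
    whitelisting_enabled: bool
    extra_security_delay: timedelta
    entries: dict = field(default_factory=dict)  # address -> when it was saved

    def add(self, address: str, now: datetime) -> None:
        if address not in self.entries and len(self.entries) >= ADDRESS_BOOK_CAP:
            raise ValueError("Address Book is full (500 entries)")
        self.entries.setdefault(address, now)  # re-adding never resets the clock

    def check_withdrawal(self, destination: str, now: datetime) -> tuple:
        """Return (allowed, reason) for a withdrawal to `destination` at time `now`."""
        if not self.whitelisting_enabled:
            return True, "whitelisting off: any pasted address is accepted"
        saved_at = self.entries.get(destination)
        if saved_at is None:
            return False, "destination is not in the Address Book"
        usable_at = saved_at + self.extra_security_delay
        if now < usable_at:
            return False, f"address still in its security delay until {usable_at.isoformat()}"
        return True, "whitelisted address, delay elapsed"


def walkthrough() -> dict:
    """Two scenarios from the text: a clipboard swap and short-lived access to the account."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timeline
    book = AddressBook(whitelisting_enabled=True, extra_security_delay=timedelta(hours=24))
    owner = "bc1q-my-hardware-wallet-EXAMPLE"      # placeholder, saved a week ago
    swapped = "bc1q-attacker-clipboard-EXAMPLE"    # placeholder, what malware pasted
    book.add(owner, t0 - timedelta(days=7))
    # 1) the swapped address is not in the book, so the withdrawal is refused outright
    swap_allowed, _ = book.check_withdrawal(swapped, t0)
    # 2) someone with temporary access adds their own address and tries to withdraw at once
    book.add(swapped, t0)
    immediate_allowed, _ = book.check_withdrawal(swapped, t0 + timedelta(minutes=5))
    # 3) that destination only becomes usable once the full delay has elapsed
    later_allowed, _ = book.check_withdrawal(swapped, t0 + timedelta(hours=24))
    # the owner's long-standing address is unaffected throughout
    owner_allowed, _ = book.check_withdrawal(owner, t0)
    return {"swap": swap_allowed, "immediate": immediate_allowed,
            "after_delay": later_allowed, "owner": owner_allowed}
```

The delay is what turns a stolen session into a race the account owner can win: the new address shows up in the Address Book well before it can receive funds.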

Channel validator

Before interacting with any email address, social media handle, or URL that claims to be Nexo, you can verify it at nexo.com/channel-validator. If it's not in the validator, it's not an official Nexo channel.

This is particularly useful for social media — fake Nexo accounts on X, Telegram, and Discord are common, and they typically impersonate support staff or run fake promotion campaigns.

What Nexo will never do

A few things worth knowing, because knowing them makes social engineering attempts easier to spot:

  • Nexo will never ask for your password or 2FA code

  • Nexo will never ask you to authorize a transaction through chat, email, or text

  • Nexo will never send you a login link via SMS

If anyone claiming to be from Nexo does any of those things, it isn't Nexo. You can report suspicious activity to the Client Care team at support.nexo.com/contact.

Where your account security actually comes from

No platform can eliminate all risk. What the measures above do — both the platform-side infrastructure and the user-side features — is reduce the attack surface and make your account significantly harder to compromise.

The infrastructure handles what users can't see or control. The user-side features handle what the platform can't — because no amount of backend security stops an attacker who has your credentials, or a user who clicks a phishing link.

Setting up 2FA via an authenticator app, enabling the anti-phishing code, and turning on address whitelisting takes under ten minutes. It's the highest-return security action most users haven't taken yet.

For a fuller overview of common threats and how to defend against them, see Common security threats and how to mitigate them.

Frequently asked questions

1. What is the anti-scam engine, and how does it work? 

It's an automated system that analyses every withdrawal in real time before funds leave the platform. If a transaction looks suspicious — based on destination address, transaction pattern, or other signals — you'll see a plain-language explanation. In rare high-risk cases, the transaction may be briefly paused. It runs by default with nothing to configure.

2. What's the difference between SMS 2FA and an authenticator app? 

Both add a second verification step at login. SMS 2FA is vulnerable to SIM swap attacks, where an attacker convinces your mobile carrier to reassign your number to a SIM they control. Authenticator apps generate codes locally on your device and aren't tied to your phone number, making them more resistant to this type of attack.

3. What should I do if I receive a suspicious email claiming to be from Nexo? 

Check whether it carries your anti-phishing code in the footer — if it doesn't, it didn't come from Nexo. You can also verify any email address, social handle, or URL at nexo.com/channel-validator. Report suspicious messages to Nexo's Client Care team at support.nexo.com/contact.

4. Can Nexo staff access my account without my permission? 

Nexo will never ask for your password or 2FA code, and will never ask you to authorize transactions through chat, email, or text. If anyone claiming to be Nexo support does any of those things, it isn't Nexo.

5. What is address whitelisting, and should I enable it? 

Address whitelisting restricts withdrawals to addresses you've pre-approved in your Address Book. It also lets you set a delay before newly added addresses become usable. This protects against address-swapping malware and limits what an attacker can do with temporary account access. It's worth enabling if you have regular withdrawal destinations.

These materials are accessible globally, and the availability of this information does not constitute access to the services described, which services may not be available in certain jurisdictions. These materials are for general information purposes only and not intended as financial, legal, tax, or investment advice, offer, solicitation, recommendation, or endorsement to use any of the Nexo Services and are not personalized, or in any way tailored to reflect particular investment objectives, financial situation, or needs. Digital assets are subject to a high degree of risk, including but not limited to volatile market price dynamics, regulatory changes, and technological advancements. The past performance of digital assets is not a reliable indicator of future results. Digital assets are not money or legal tender, are not backed by the government or by a central bank, and most do not have any underlying assets, revenue stream, or other source of value. Independent judgment based on personal circumstances should be exercised, and consultation with a qualified professional is recommended before making any decision.

The security measures described in this article reflect Nexo's infrastructure and features as of the date of publication. Security is an evolving field, and no system eliminates all risk. Users are encouraged to stay informed and take an active role in protecting their accounts.