How we checked this
We reviewed the linked sources and keep this page updated when the record changes. Use the source list below to verify the details.
Short answer
Summary: A real exchange may ask for information about the origin of money or crypto during compliance checks, sometimes described as source of funds, source of wealth, reverification, or enhanced due diligence. But a message that uses those terms is not proof that it is genuine. The safer response is to open the platform independently, confirm the request inside an official support or account path if possible, and never share passwords, one-time codes, private keys, or seed phrases.
What “source of funds” usually means
In public AML and compliance guidance, source of funds generally means where the money used for a transaction or account activity came from. It is different from source of wealth, which refers more broadly to how a person accumulated their overall wealth. Exchanges and other financial services may use these terms during customer due diligence or enhanced checks.
Because exchange procedures differ, readers should treat any document list as examples rather than a universal rule. The consistent safety point is that a real review should still be verified through the platform you trust, not assumed genuine because the wording sounds technical or official.
What legitimate reviews may ask for
A legitimate review may ask for documents or records that help explain where funds came from. Depending on the platform and the case, examples can include bank statements, payslips, tax-related records, sale agreements, or transaction records that support the origin of funds. These are examples drawn from public AML and compliance concepts, not a guaranteed list for every exchange.
What impersonators often get wrongImpersonators often focus less on verifying the origin of funds and more on taking over the account or stealing data quickly. Public cyber-safety guidance supports treating requests for passwords, one-time passcodes, seed phrases, private keys, or remote access as major warning signs. Those are account-access secrets, not normal proof-of-source material.
Real review vs. impersonation: quick comparison
| Check point | More consistent with a real review | More consistent with impersonation | Safer next step |
|---|---|---|---|
| How you verify it | You can confirm it by opening the exchange yourself | You are told to trust the message on its own | Log in through the official site or app you open yourself |
| What is requested | Limited records related to identity or origin of funds | Passwords, one-time codes, seed phrases, private keys, or remote access | Stop immediately if secrets or access are requested |
| Where documents go | An authenticated account area or official support route you can confirm | A random form, chat account, personal email, or link sent in the message | Do not upload until the destination is independently verified |
| Tone | Allows time to review and verify | Uses panic, threats, countdowns, or aggressive pressure | Slow down and verify first |
| Conversation path | Stays within official support channels you can check | Moves to Telegram, WhatsApp, social DMs, or another unofficial route | End the off-platform conversation and verify independently |
How to verify a source-of-funds request safely
Type the known web address yourself, use a saved bookmark, or open the official app already installed from a trusted source. Avoid treating the link in the email, DM, or chat as your starting point. That aligns with standard anti-phishing guidance.
2. Look for the same request in your account or official support areaIf the platform has an account inbox, case center, or authenticated support flow, check whether the request appears there too. That does not remove all risk, but it is stronger evidence than trusting an incoming message by itself.
3. Compare the request with what compliance reviews are actually aboutA source-of-funds review is about the origin of money or crypto, not about handing over credentials. If the request shifts toward login secrets, recovery phrases, or urgent “verification fees,” stop and reassess.
4. Check the sender and upload destination carefullyReview the domain, reply address, spelling, and where files would be uploaded. Slightly altered domains, unusual subdomains, and off-platform file collection are common phishing risks.
5. Send only what is necessaryIf you confirm the request is real, send only the specific material requested through the verified channel. Do not volunteer extra documents or unrelated personal data.
Practical checklist before sending documents
- Open the exchange or financial platform from a trusted URL or official app, not from the incoming message.
- Check whether the request can be confirmed inside your account or through an official support path.
- Make sure the request is about the origin of funds, not about login access or wallet recovery.
- Do not share passwords, one-time codes, seed phrases, private keys, or remote access.
- Review the sender address, domain spelling, and upload destination carefully.
- Send only the specific records requested through a route you independently verified.
- Keep a simple record of what you submitted, when, and under which case or ticket reference.
- If anything looks inconsistent, stop and open a fresh support request from the platform’s official entry point.
Red flags that matter most
This is the clearest red flag. A genuine compliance review may ask for records, but public safety guidance strongly supports refusing any request for passwords, codes, seed phrases, private keys, or similar access data.
Pressure to act immediatelyUrgency alone does not prove fraud, but it is a known phishing signal, especially when combined with threats of closure, suspension, or loss and a demand to click first.
Off-platform routingIf the conversation moves to social media DMs, messaging apps, or a personal-looking email address, caution should increase. A real-looking compliance explanation can still front a fake support flow.
What to do next if you are unsure
- Pause and do not click more links.
- Verify the request from inside the official site or app you opened yourself.
- Stop responding if the contact asks for credentials, recovery phrases, or remote access.
- Change your password promptly if you entered it on a page you no longer trust.
- Report the suspicious contact through the platform’s official support route.
- Consider reporting to a relevant cybercrime or consumer-protection channel in your jurisdiction, since reporting paths vary by country.
Date-checked note: This article was checked against the currently available public cybersecurity and government guidance used for this draft. Because exchange compliance procedures and support channels can change, confirm current requirements directly from the platform you use before sending documents.
Sources
- CERT Polska — official cybersecurity warnings and public guidance.
- NASK — official digital safety and cybersecurity resources.
- Gov.pl: Cyberbezpieczeństwo — public-sector cyber safety guidance.
Update log
- 15 Jul 2026Published with source tracking and reader-safety context.
- CorrectionsIf a source changes or a claim needs clarification, this page can be updated from the editorial desk.