Sources checked

How we checked this

We reviewed the linked sources and keep this page updated when the record changes. Use the source list below to verify the details.

Source links attached Safety context included Corrections open

Short answer

Summary: A real exchange may ask for information about the origin of money or crypto during compliance checks, sometimes described as source of funds, source of wealth, reverification, or enhanced due diligence. But a message that uses those terms is not proof that it is genuine. The safer response is to open the platform independently, confirm the request inside an official support or account path if possible, and never share passwords, one-time codes, private keys, or seed phrases.

What “source of funds” usually means

In public AML and compliance guidance, source of funds generally means where the money used for a transaction or account activity came from. It is different from source of wealth, which refers more broadly to how a person accumulated their overall wealth. Exchanges and other financial services may use these terms during customer due diligence or enhanced checks.

Because exchange procedures differ, readers should treat any document list as examples rather than a universal rule. The consistent safety point is that a real review should still be verified through the platform you trust, not assumed genuine because the wording sounds technical or official.

What legitimate reviews may ask for

Common examples of supporting material

A legitimate review may ask for documents or records that help explain where funds came from. Depending on the platform and the case, examples can include bank statements, payslips, tax-related records, sale agreements, or transaction records that support the origin of funds. These are examples drawn from public AML and compliance concepts, not a guaranteed list for every exchange.

What impersonators often get wrong

Impersonators often focus less on verifying the origin of funds and more on taking over the account or stealing data quickly. Public cyber-safety guidance supports treating requests for passwords, one-time passcodes, seed phrases, private keys, or remote access as major warning signs. Those are account-access secrets, not normal proof-of-source material.

Real review vs. impersonation: quick comparison

Check pointMore consistent with a real reviewMore consistent with impersonationSafer next step
How you verify itYou can confirm it by opening the exchange yourselfYou are told to trust the message on its ownLog in through the official site or app you open yourself
What is requestedLimited records related to identity or origin of fundsPasswords, one-time codes, seed phrases, private keys, or remote accessStop immediately if secrets or access are requested
Where documents goAn authenticated account area or official support route you can confirmA random form, chat account, personal email, or link sent in the messageDo not upload until the destination is independently verified
ToneAllows time to review and verifyUses panic, threats, countdowns, or aggressive pressureSlow down and verify first
Conversation pathStays within official support channels you can checkMoves to Telegram, WhatsApp, social DMs, or another unofficial routeEnd the off-platform conversation and verify independently

How to verify a source-of-funds request safely

1. Start from the platform, not the message

Type the known web address yourself, use a saved bookmark, or open the official app already installed from a trusted source. Avoid treating the link in the email, DM, or chat as your starting point. That aligns with standard anti-phishing guidance.

2. Look for the same request in your account or official support area

If the platform has an account inbox, case center, or authenticated support flow, check whether the request appears there too. That does not remove all risk, but it is stronger evidence than trusting an incoming message by itself.

3. Compare the request with what compliance reviews are actually about

A source-of-funds review is about the origin of money or crypto, not about handing over credentials. If the request shifts toward login secrets, recovery phrases, or urgent “verification fees,” stop and reassess.

4. Check the sender and upload destination carefully

Review the domain, reply address, spelling, and where files would be uploaded. Slightly altered domains, unusual subdomains, and off-platform file collection are common phishing risks.

5. Send only what is necessary

If you confirm the request is real, send only the specific material requested through the verified channel. Do not volunteer extra documents or unrelated personal data.

Practical checklist before sending documents

  • Open the exchange or financial platform from a trusted URL or official app, not from the incoming message.
  • Check whether the request can be confirmed inside your account or through an official support path.
  • Make sure the request is about the origin of funds, not about login access or wallet recovery.
  • Do not share passwords, one-time codes, seed phrases, private keys, or remote access.
  • Review the sender address, domain spelling, and upload destination carefully.
  • Send only the specific records requested through a route you independently verified.
  • Keep a simple record of what you submitted, when, and under which case or ticket reference.
  • If anything looks inconsistent, stop and open a fresh support request from the platform’s official entry point.

Red flags that matter most

Requests for secrets or account access

This is the clearest red flag. A genuine compliance review may ask for records, but public safety guidance strongly supports refusing any request for passwords, codes, seed phrases, private keys, or similar access data.

Pressure to act immediately

Urgency alone does not prove fraud, but it is a known phishing signal, especially when combined with threats of closure, suspension, or loss and a demand to click first.

Off-platform routing

If the conversation moves to social media DMs, messaging apps, or a personal-looking email address, caution should increase. A real-looking compliance explanation can still front a fake support flow.

What to do next if you are unsure

  • Pause and do not click more links.
  • Verify the request from inside the official site or app you opened yourself.
  • Stop responding if the contact asks for credentials, recovery phrases, or remote access.
  • Change your password promptly if you entered it on a page you no longer trust.
  • Report the suspicious contact through the platform’s official support route.
  • Consider reporting to a relevant cybercrime or consumer-protection channel in your jurisdiction, since reporting paths vary by country.

Date-checked note: This article was checked against the currently available public cybersecurity and government guidance used for this draft. Because exchange compliance procedures and support channels can change, confirm current requirements directly from the platform you use before sending documents.

Sources

Update log

  1. 15 Jul 2026Published with source tracking and reader-safety context.
  2. CorrectionsIf a source changes or a claim needs clarification, this page can be updated from the editorial desk.