Key Facts
KuCoin launched the second edition of its Anti-Phishing Month initiative on 6 May 2026, combining user education, multi-factor authentication, and an incentive-driven Learn-to-Earn campaign.
According to KuCoin, SMS phishing and email phishing account for over 90% of phishing incidents reported by users, the dominant attack vectors against the exchange’s user base.
KuCoin’s phishing detection engine intercepts more than 5,000 high-risk access attempts daily across login, withdrawal, and API binding flows.
The campaign launches alongside global cybersecurity observances in May, including World Information Security Day, World Password Day, and ITU-led cybersecurity initiatives.
Quoted on the launch is Edwin Wong, Head of Risk Management at KuCoin; the Learn-to-Earn campaign offers exclusive rewards for completing educational modules, a quiz, and enabling Anti-Phishing Codes.
KuCoin has launched the second edition of its Anti-Phishing Month, returning the campaign for May 2026 with a Learn-to-Earn format that pairs security education with incentive rewards. The exchange is leaning into its 5,000-plus daily blocked access attempts and the dominance of smishing and email phishing — over 90% of the incident mix — to argue that user-side awareness is now the binding constraint on platform security, not the technical defences themselves.
Why phishing has become the defining vector
The threat picture KuCoin is responding to has shifted markedly over the past two years. Smart contract code exploits, once the dominant on-chain loss category, have given way to infrastructure compromises and direct user-targeted attacks. CertiK’s April 2026 Skynet Intelligence Report found that 76% of 2025 on-chain losses by value came from infrastructure compromises rather than code-level exploits.
For exchange users specifically, phishing has tracked the same trend. KuCoin says SMS phishing (smishing) and email phishing together account for over 90% of phishing incidents reported by its users, with the overall attack volume rising in recent years. The structural lever is straightforward: it is much cheaper to social-engineer a user than to compromise an exchange’s infrastructure, and centralised exchanges have hardened their server-side stacks faster than retail users have learned to interrogate inbound messages.
What KuCoin’s defence stack looks like
The exchange describes its approach as “security-as-a-service” — a framework that combines real-time risk detection, multi-factor protection, and continuous user education. The detection engine operates as the platform-level filter: KuCoin says it intercepts more than 5,000 high-risk access attempts daily, identifying and blocking suspicious login attempts and unauthorised withdrawal activity before they reach the user-facing interface.
On the user-action side, multi-factor authentication and real-time risk alerts are integrated across login, withdrawal, and API binding flows — the three actions that most commonly precede asset loss. KuCoin also operates a Security Score module that rates an account’s safety practices and prompts users to close gaps over time. The persistent Security Academy inside the app surfaces security knowledge, phishing case studies, and risk awareness content as on-demand reference material.
Edwin Wong, Head of Risk Management at KuCoin, framed the model as a recognition that platform-side controls are necessary but not sufficient. “In today’s threat landscape, relying solely on technical safeguards is no longer sufficient,” Wong said. “Effective security requires both strong platform capabilities and informed user behavior. Through Anti-Phishing Month, we aim to make security a daily habit — something users can understand, engage with, and actively practice, ultimately strengthening long-term trust between the platform and our users.”
The Learn-to-Earn campaign mechanics
The May 2026 campaign is built around a three-step Learn-to-Earn cycle that runs on the same logic as KuCoin’s broader engagement programmes. Users work through anti-phishing educational modules, complete a short quiz to demonstrate retention, and enable additional protection features — most notably the platform’s Anti-Phishing Code, which inserts a user-defined string into legitimate KuCoin emails so phishing attempts can be identified by its absence.
Participants who complete all three steps qualify for exclusive rewards. The mechanic is consistent with the format KuCoin debuted in August 2025 for the first Anti-Phishing Month, which the exchange has described as well received and now scaled up to a more permanent place in its security calendar.
Timing: May as cybersecurity month
The launch is timed to coincide with several global cybersecurity awareness observances clustered in May, including World Information Security Day, World Password Day, and ongoing cybersecurity initiatives led by the International Telecommunication Union (ITU). The pattern of stacking exchange-level user education on top of broader public-awareness moments is increasingly common across the centralised exchange sector and aligns the campaign with the moments when users are most likely to be exposed to security messaging from other sources.
For KuCoin specifically, the campaign also lands during a particularly active product month. The exchange has rolled out the TradingView integration for its perpetual futures data, the KuCoin Web3 Wallet integration with Ondo Global Markets, and the PROOF: Tomorrowland Edition trading campaign in the same window. The Anti-Phishing Month sits across all three product surfaces, with consistent anti-phishing messaging and account-level controls applied to spot, futures, wallet, and campaign flows.
Industry context
KuCoin’s renewed focus on user-driven security parallels moves at other major exchanges. Binance launched its Withdraw Protection feature earlier in May, allowing users to self-impose 1- to 7-day on-chain withdrawal locks the exchange cannot override. The two announcements come at the structural design layer from different angles — Binance from the post-compromise containment side, KuCoin from the pre-compromise prevention side — but both take the same view: meaningful security gains in 2026 come from giving users enforceable controls and the awareness to use them.
The wider sector has been pushed in this direction by the visible loss data. AmericanFortress’s recent disclosures cited US$1.2 billion in US crypto phishing losses for 2025, and the Anti-Phishing Working Group reported that global phishing incidents surpassed one million in Q1 2025 alone, with payment and financial platforms accounting for over 30% of the attack volume.
FAQ
What is KuCoin Anti-Phishing Month?
Anti-Phishing Month is a security awareness initiative KuCoin launched in May 2026, in its second edition. It pairs user education with incentive rewards through a Learn-to-Earn format, asking users to complete educational modules on phishing tactics, take a short quiz, and enable additional account protections such as Anti-Phishing Codes.
How does KuCoin’s phishing detection engine work?
The detection engine monitors login attempts, withdrawals, and API binding activity in real time, identifying suspicious patterns and blocking high-risk access attempts. According to KuCoin, the system intercepts more than 5,000 high-risk access attempts daily and is supplemented by multi-factor authentication and real-time risk alerts at every critical user action.
Why now?
May hosts several global cybersecurity awareness observances, including World Information Security Day, World Password Day, and ITU-led cybersecurity initiatives. KuCoin times the campaign to coincide with that broader awareness window, with the exchange citing a sustained rise in phishing attacks and SMS plus email phishing accounting for over 90% of incidents.
The strategic question for KuCoin and its peers is whether user-driven security campaigns translate into measurable reductions in successful phishing attempts. The exchange’s 5,000-per-day interception figure shows the scale of the threat reaching the platform; the metric that will define the next twelve months is how many of the attacks that slip past automated filters are stopped at the user level by an enabled Anti-Phishing Code or a flagged authenticator prompt — and whether the second edition of Anti-Phishing Month moves that needle in a way the first one did not.
