Security & Anti-Phishing

Last updated: April 2026

Your safety matters. This page lists our official domains and social accounts, explains how to recognize phishing, and describes how to report security issues.

Official Domains

CoinKirin operates only under the following domains. Anything else is not us:

• coinkirin.com — Main website (public users).
• api.coinkirin.com — Public REST API.
• static.coinkirin.com — Static assets (images, CSS, JS) served via CDN.
• mcp.coinkirin.com — MCP server for AI agents.

We never ask you to log in via any other domain. If the URL in your browser is not one of the above, close the tab immediately.

Official Social Accounts

Our only official channels are listed below. Accounts claiming to be CoinKirin elsewhere are impersonators:

• Twitter / X — https://twitter.com/coinkirin
• Telegram — https://t.me/coinkirin
• Discord — https://discord.gg/coinkirin
• GitHub — https://github.com/coinkirin

How to Identify Phishing

Attackers may impersonate CoinKirin staff or lookalike domains. Keep these rules in mind:

• We will NEVER email you asking for your seed phrase, private keys, or wallet password. Anyone who does is a scammer.
• We will NEVER contact you first via Telegram, Discord, or WhatsApp DM asking for funds, verification, or credentials.
• Always check the domain spelling. Attackers use tricks like c0inkirin.com, coinklrin.com, or coinkirin.co.
• Check the SSL certificate — click the padlock icon in your browser. The certificate must be issued to coinkirin.com.
• Legitimate emails from us come from @coinkirin.com addresses. Always hover over links before clicking.

Reporting Security Issues

If you suspect phishing, impersonation, or have found a vulnerability, please email [email protected].

Please include:

• A clear description of the issue or suspected phishing attempt.
• URLs, screenshots, email headers, or reproduction steps if applicable.
• Your contact info (optional) so we can follow up.

Bug Bounty

A formal bug bounty program is coming soon. In the meantime, we gratefully acknowledge security researchers who follow responsible disclosure — valid findings will be credited in our security hall of fame.

Security Headers We Use

Every CoinKirin page is served with strict security headers:

• HSTS — Forces HTTPS-only connections for at least 180 days, including subdomains.
• Content-Security-Policy (CSP) — Strict Content Security Policy with nonces — blocks injected scripts and limits asset origins to our CDN.
• X-Frame-Options — Denies framing to prevent clickjacking.
• X-Content-Type-Options — Prevents MIME-type sniffing.
• Referrer-Policy — Strict-origin-when-cross-origin — limits referrer leakage to third parties.

Android APK Signing

Our Android app is distributed directly as an APK and signed with a stable key. Always verify the signing certificate fingerprint before installing or updating — if the fingerprint differs, the APK is not genuine.

SHA-256 signing certificate fingerprint:

1E:77:94:D0:80:F0:53:75:7E:F5:57:87:6A:E0:74:2F:99:66:0C:70:57:BB:84:ED:02:11:7B:AC:F9:FB:58:4C

You can verify the fingerprint via: apksigner verify --print-certs coinkirin-latest.apk. On your installed app, open Settings → About → Signature to view the fingerprint on device.

Responsible Disclosure Policy

We follow a 90-day coordinated disclosure window. Our commitments to researchers:

• We acknowledge receipt of your report within 5 business days.
• We will not pursue legal action against researchers acting in good faith who follow this policy.
• Public disclosure is coordinated with the researcher and typically occurs within 90 days of the initial report, or sooner once a fix is deployed.