Learn how to borrow against crypto safely in 2026: a pre-borrow checklist, scams to avoid, DeFi and CeFi risks, and the mistakes that get borrowers liquidated.
Arkadii Kaminskyi
Head of Operations at Sats Terminal
Head of Operations at Sats Terminal with 5 years of experience in crypto. Specializes in DeFi, yield farming, and borrowing — has reviewed 50+ crypto products.

Learning how to borrow against crypto safely is less about finding a secret "safe platform" and more about building a repeatable process: verify before you connect, size your loan with a real buffer, and assume that anything promising free money is a trap. Borrowing against your Bitcoin or ETH can be a genuinely smart way to access liquidity without selling, but the borrowing side has its own distinct failure modes that selling never exposes you to. You are now interacting with smart contracts, granting token approvals, trusting custodians, and watching a liquidation price that the market can hit while you sleep. This guide is a borrower's safety playbook for 2026, built around a pre-borrow checklist, the scams that actually drain wallets today, the structural risks on both DeFi and CeFi rails, and the costly mistakes that turn a sensible loan into a forced loss.
This is not a platform review and it is not generic "what is a crypto loan" content. It assumes you have already decided to borrow and now want to do it without getting robbed, rugged, or liquidated. We will keep the numbers hedged because rates, parameters, and regulations move fast, and we will be honest about the trade-offs. Nothing here is financial, legal, or tax advice — treat it as a framework for asking better questions before you sign anything.
The honest answer to is borrowing against crypto safe is: the mechanism is sound, but the execution is where people lose money. Over-collateralized crypto loans are one of the oldest, most battle-tested primitives in the space. Aave, Compound, and Morpho have processed enormous loan volume across multiple market cycles. The math of pledging $100,000 of Bitcoin to borrow $40,000 of stablecoins is not exotic or fragile. What fails is everything around that math: the fake website you typed your seed phrase into, the unlimited approval you signed, the CeFi lender that secretly re-lent your collateral, and the position you opened at an 80% loan-to-value ratio with no plan for a 30% drawdown.
So safe crypto loans are real, but "safe" is a verb, not a noun. It describes how you borrow, not which logo is on the page. The crypto-collateralized lending market crossed roughly $70 billion in outstanding loans by late 2025 and has rebuilt around over-collateralization and stricter risk parameters after the 2022 wave of CeFi blowups. That maturity helps. It does not protect you from your own mistakes or from an attacker who only needs you to click once.
Rule of thumb: If any part of a "loan" requires you to send money before you receive money, it is a scam. Legitimate over-collateralized loans take collateral you control and then disburse funds. They never ask for an upfront "release fee," "insurance deposit," or "tax payment" to unlock a loan that does not yet exist.
Before you deposit a single satoshi, run every prospective lender — DeFi protocol or CeFi platform — through the same diligence. Most borrowers skip this because the interface looks professional. Professional-looking is exactly the bar that scammers have already cleared. Use this checklist as a hard gate.
Confirm you are on the genuine site, not a clone. Type the URL yourself or use a bookmark you saved previously — never click a sponsored search ad or a link from Discord, Telegram, or an unsolicited DM. For DeFi, cross-check the contract address against the protocol's official documentation and a block explorer before approving anything. For CeFi, confirm the legal entity, its registration, and whether it is authorized in your jurisdiction. In the EU, that increasingly means checking for MiCA authorization (more on that below).
For any DeFi protocol, look for multiple independent security audits, an active bug bounty, and — critically — time in production with real money at stake. A fresh fork with one audit and three weeks of history is a different risk class than a protocol that has held billions through several volatility events. Audits reduce risk; they do not eliminate it. Several 2026 exploits hit audited code through oracle and configuration flaws, not classic reentrancy bugs. Read our deeper explainer on smart-contract security and audits to understand what an audit does and does not cover.
Total value locked is a rough proxy for how much the market trusts a protocol, but treat it as one signal among many — TVL can be mercenary and leave fast. More telling is how a protocol behaved during stress: did it process liquidations cleanly during the last 20% single-day drop, or did it accrue bad debt? A protocol's history of handling failure tells you more than its history during calm markets.
If you are borrowing from a centralized lender, demand transparency about where your collateral goes. Look for cryptographic proof of reserves attestations, clear statements on whether they re-lend collateral, and segregation of customer assets. Proof of reserves is imperfect — it shows assets but not always liabilities — yet a platform that refuses to publish any is telling you something. Our guide to proof of reserves and transparency covers how to read these reports critically.
Know exactly who controls your collateral. In non-custodial DeFi, your Bitcoin (usually as wrapped BTC) sits in a smart contract whose rules are public and you keep your keys. In custodial CeFi, you hand your asset to a company and trust its solvency and honesty. Neither is universally "safer" — they fail differently. Read the trade-offs in custodial vs non-custodial lending before you decide which risk profile fits you.
Tip: Build a one-page diligence note for any lender before you commit funds: official URL, contract address, audit links, custody model, liquidation threshold, and what happens in a default. If you cannot fill in every line from primary sources, you are not ready to borrow there.
The scam landscape shifted hard in 2025 and 2026. Attackers increasingly skip the hard work of breaking code and instead manipulate people into signing away their own funds. According to industry trackers, phishing and approval-based attacks drove hundreds of millions in losses, with one analysis citing roughly $300 million stolen through phishing in January 2026 alone. Here are the crypto loan scams that specifically target people looking to borrow.
This is the classic advance-fee fraud dressed in crypto clothing. You are promised a large, instant, no-collateral loan — sometimes with "guaranteed approval, no credit check" — and then told you must first send a fee for "processing," "insurance," "taxes," or to "verify your wallet." You send the fee in crypto or a gift card, and the lender vanishes. There is no loan and there never was. Real over-collateralized lending works the opposite way: it takes collateral you control and then sends you funds. We unpack why genuine uncollateralized retail loans essentially do not exist in crypto loans without collateral: are they real and safe?
Attackers clone the exact look of Aave, a popular wrapped-BTC bridge, or a CeFi login page, then drive traffic via Google ads, fake X (Twitter) posts, and Discord links. When you "connect wallet" and approve what looks like a routine transaction, you are actually granting an unlimited token approval to the attacker's contract, or worse, signing over assets directly. Always navigate from a saved bookmark, verify the domain character by character, and be deeply suspicious of any "claim," "airdrop," or "migration" prompt that arrives unsolicited.
Drainers are the engine behind most modern wallet thefts. When you interact with a DeFi app, you grant the contract permission (an "allowance") to move specific tokens. A malicious contract requests an unlimited allowance, and once granted, it can sweep that token whenever it likes — even months later. Industry estimates put approval-based and phishing losses well into the hundreds of millions across 2024–2025. Defend yourself two ways: set finite approvals instead of unlimited where your wallet allows, and periodically audit and revoke stale allowances using a reputable tool such as Revoke.cash. Treat the "approve" step as the most dangerous click in DeFi.
Scammers send you tiny "dust" transactions from a vanity address engineered to match the first and last characters of an address you use often — a lender's contract, an exchange, your own cold wallet. Later, when you copy an address from your transaction history out of habit, you grab the poisoned one and send your repayment or withdrawal straight to the attacker. Poisoning attempts exploded into the millions per month by early 2026. Defense: never copy addresses from history. Use a saved address book, verify the full string, and send a tiny test transaction first for any new destination.
Some scams build an entire fake lending platform with a slick dashboard, fabricated reserves, and a referral program. Others are "real" companies running a doomed model: promising suspiciously high, "guaranteed" returns to depositors, which they can only pay by taking reckless, undisclosed risk with customer assets. The 2022 collapses of Celsius, BlockFi, Voyager, and Genesis are the textbook here — guaranteed yield is a marketing claim, not a financial reality. If a platform's lending product promises returns that look too good, the risk is being hidden, not removed.
| Scam type | How it hooks you | The tell | Your defense |
|---|---|---|---|
| Advance-fee "no-collateral loan" | Big instant loan, guaranteed approval | You must pay a fee before funding | Never pay to receive a loan |
| Fake dApp clone | Ads, DMs, fake migration prompts | URL is slightly off; unsolicited link | Bookmark official sites; verify domain |
| Wallet drainer / approval | Routine-looking "approve" transaction | Requests unlimited allowance | Finite approvals; revoke stale ones |
| Address poisoning | Dust from a look-alike address | Familiar first/last chars, wrong middle | Use an address book; test transactions |
| Fake CeFi platform | Polished dashboard, referral bonuses | No verifiable entity or reserves | Verify registration and proof of reserves |
| "Guaranteed yield" trap | High fixed returns on deposits | Returns disconnected from real rates | Assume hidden risk; demand transparency |
Warning: No legitimate lender, support agent, or "wallet verification" service will ever ask for your seed phrase or private key. Anyone who does is stealing from you, full stop. There is zero legitimate reason to type your 12 or 24 words into a website.
Borrowing on Aave, Morpho, or another on-chain protocol removes the counterparty risk of a CeFi company — no one can secretly run off with your collateral — but it replaces it with technical and market risks you now own directly. Understanding these is central to learning to borrow against crypto safely on-chain.
Your collateral lives inside a smart contract. If that code has an exploitable flaw, funds can be drained regardless of how careful you personally are. 2025 and 2026 saw substantial DeFi losses — industry trackers reported figures in the hundreds of millions across multiple quarters — from a mix of logic errors, permission misconfigurations, and bridge exploits. Mitigation: favor protocols with long track records, multiple audits, and large amounts of other people's money that has survived stress. Do not be the largest depositor in an untested market.
Lending protocols rely on price oracles to value your collateral and trigger liquidations. If an attacker can distort the price an oracle reports — by manipulating a thin liquidity pool or exploiting a misconfigured feed — they can borrow against worthless collateral or force wrongful liquidations. Several 2026 incidents followed exactly this pattern, including large losses where attackers whitelisted or mispriced obscure tokens. The practical lesson for a borrower: prefer markets that use robust, multi-source oracles and deep, liquid collateral assets like major wrapped BTC, not exotic long-tail tokens.
On DeFi rails, the approval risk discussed above is not just a scam vector — it is a default behavior. Many legitimate apps request unlimited approvals for convenience. Even on a trusted protocol, an unlimited allowance becomes a liability if that protocol is later compromised. A safety-first borrower grants only the approval needed and revokes it when done. The May 2026 rollout of the Ethereum "clear signing" standard, adopted by Ledger, Trezor, and MetaMask, makes this easier by showing human-readable transaction details instead of opaque hex — but the core rule is unchanged: never approve what you do not understand.
Centralized lenders offer a smoother experience, fiat off-ramps, and human support, but you are trusting a company. The 2022 cycle taught expensive lessons that remain relevant.
Rehypothecation is when a lender re-uses your pledged collateral for its own purposes — re-lending it, posting it elsewhere, or using it in trading strategies. It is how a "fully collateralized" loan can still blow up: your Bitcoin was never just sitting in a vault waiting for you to repay. Celsius routed deposits into uncollateralized loans and risky bets behind an opaque structure. Before borrowing from any CeFi platform, read the terms specifically for whether they rehypothecate your collateral, and prefer those with explicit no-rehypothecation policies and segregated custody.
If the lender becomes insolvent, your collateral can be frozen in bankruptcy proceedings for years, and you may recover only cents on the dollar — even though, on paper, you over-collateralized your own loan. BlockFi's failure traced to a single concentrated counterparty exposure. This is pure counterparty risk: you are exposed not just to your own position but to the lender's entire balance sheet and the other parties it deals with. Diversify across lenders, never park more collateral than necessary, and weigh whether the convenience is worth the solvency bet.
The common thread in every CeFi collapse was opacity — customers could not see how their assets were being used until it was too late. Demand transparency as a precondition, not a nice-to-have. A platform that publishes proof of reserves, discloses its lending practices, and clearly explains its liquidation policy is in a different category from one that hides behind marketing. For a structured way to compare lenders on these axes, see our framework for evaluating crypto lending platforms.
| Risk dimension | DeFi (e.g., Aave, Morpho) | CeFi (centralized lender) |
|---|---|---|
| Who controls collateral | Smart contract; you hold keys | The company; you trust it |
| Primary failure mode | Code/oracle exploit, bad debt | Insolvency, rehypothecation, fraud |
| Transparency | On-chain, fully auditable | Depends on disclosures |
| Recourse if it fails | None; code is law | Bankruptcy court, possibly years |
| Your key defense | Vet code, limit approvals | Vet solvency, proof of reserves |
For a fuller side-by-side, our guide on comparing DeFi vs CeFi lending walks through which model suits different borrower priorities.
Scams steal from the unlucky and the careless. Mistakes, by contrast, are self-inflicted, and they account for the majority of avoidable losses among people who borrow on legitimate platforms. If you want to avoid crypto loan mistakes, internalize this list — every item here has liquidated real positions.
The single most common mistake is maxing out your loan-to-value ratio. Just because a protocol lets you borrow up to, say, 73% of your collateral value does not mean you should. A high LTV means a small price drop triggers liquidation. Borrowing conservatively — many cautious borrowers stay at 25–40% LTV — gives your position room to breathe through volatility. The lower your LTV, the further the market has to move against you before you are in danger.
Closely related: opening a position whose liquidation price sits just below the current market price. If BTC trades at $100,000 and your loan would liquidate at $96,000, a single bad day ends you. Always compute your liquidation price before borrowing and ask whether you would be comfortable if the market moved 30–50% against you — because in crypto, it eventually will. Our sibling guide, how to calculate your liquidation price on a crypto loan, shows the exact math, and managing liquidation risk covers how to defend a position.
Bitcoin holders borrowing in DeFi usually need to wrap or bridge BTC to an EVM chain first. Bridges have historically produced some of the largest single-day losses in crypto. Choosing the wrong chain or an unvetted bridge can cost you everything before you even take the loan. Stick to established wrapped assets and well-audited bridges, double-check you are on the intended network, and read bridging and wrapping Bitcoin before moving funds across chains.
A loan without a repayment plan is just a slow-motion liquidation. Know where the repayment funds will come from, understand whether your rate is variable or fixed, and have a trigger for when you will add collateral or pay down the balance. Interest on a variable-rate loan can climb during high utilization, quietly pushing your debt up. See repaying crypto loans strategically for structured approaches.
Borrowing stablecoins against your BTC to chase a high "guaranteed" yield somewhere else is how leverage loops blow up. You now have two risks stacked: your collateral can fall (triggering liquidation) and your yield strategy can fail (leaving you unable to repay). If the yield is high enough to tempt you, it carries enough risk to ruin you. Borrowed money magnifies outcomes in both directions — never deploy it into anything you do not fully understand.
Numbers make the abstraction concrete. Prices below are illustrative for early-to-mid 2026 and will move — always recompute with live figures and current protocol parameters.
Suppose you hold 1 BTC at $100,000 and you borrow against it on a protocol where the wrapped-BTC market has a liquidation threshold around 75%. Compare two borrowers:
On interest: at an illustrative ~6% APR variable rate, the cautious borrower's $35,000 loan accrues roughly $2,100 per year, or about $175 per month, before any rate changes. The aggressive borrower pays double the interest and carries a fragile position. Add a liquidation penalty — often several percent of the liquidated amount — and the cost of getting liquidated dwarfs the cost of borrowing conservatively in the first place. The lesson: a lower LTV is cheaper, calmer, and safer all at once. For deeper tuning, see optimizing your LTV ratio and the glossary entry on health factor.
Rule of thumb: Pick your LTV based on the worst drawdown you can stomach, not the maximum the protocol allows. If you would panic at a 40% drop in BTC, your liquidation price needs to sit well below a 40%-lower price — which usually means an LTV in the 25–40% range, not 70%.
Beyond vetting platforms and sizing loans, a handful of operational habits stop the majority of real-world thefts. These cost almost nothing and pay for themselves the first time they save you.
Regulation has tightened meaningfully, which helps borrowers filter out the worst actors — but it is a signal, not a force field. In the EU, the Markets in Crypto-Assets framework (MiCA) set a hard authorization deadline: as of mid-2026, crypto-asset service providers must hold MiCA authorization to operate legally in the EU, with the transitional grandfathering window closing around July 1, 2026. A platform that is properly authorized has cleared real governance, capital, and AML hurdles. That is a meaningful filter, though authorization is not insurance against insolvency or your own mistakes.
Elsewhere, the regulatory picture remains a patchwork, and many DeFi protocols are not "providers" in the traditional sense at all. The practical takeaway: where a relevant license or registration exists, prefer lenders that hold it, and be extra cautious with any CeFi platform that cannot tell you which regime it operates under. Our overview of the regulatory landscape for crypto lending goes deeper, and our explainer on the centralized finance model covers why custodial lenders face different rules than on-chain ones. Tax treatment also varies by country — borrowing is often not a taxable event the way selling is, but confirm with a professional, as this is not tax advice.
Print this, screenshot it, or keep it open while you borrow. If you spot two or more of these, stop and reassess before committing any funds.
| Red flag | Why it should stop you |
|---|---|
| Any upfront fee to "release" a loan | Hallmark of advance-fee fraud; real loans never require it |
| "Guaranteed approval, no collateral, no credit check" | Over-collateralized lending is the only real retail model |
| "Guaranteed" or implausibly high yield on deposits | Hidden risk; the Celsius/BlockFi failure pattern |
| Request for your seed phrase or private key | Always theft; no legitimate party ever needs it |
| Link arrived via ad, DM, or unsolicited message | Primary delivery vector for fake dApp clones |
| Transaction requests an unlimited token approval | Standard drainer mechanism; grant finite approvals |
| Pressure to act immediately / fear of missing out | Urgency is an engineering tactic to bypass your judgment |
| No verifiable entity, audits, or proof of reserves | You cannot vet what a platform refuses to disclose |
| Protocol/market uses an obscure or thin-liquidity oracle | Opens the door to oracle-manipulation exploits |
| Liquidation price within a small percent of spot | You are one bad day from a forced loss |
Combine everything above into a single repeatable sequence, and most of the catastrophic outcomes simply stop happening to you:
Comparing offers carefully is part of safety too — the right rate and the right risk parameters often live on different protocols, and an aggregator can surface them side by side. Our explainer on what a crypto lending aggregator is covers how that comparison works without sending you hunting across a dozen risky tabs.
Common Questions
The core mechanism — pledging over-collateralized crypto for a loan — is sound and battle-tested. The risks are around it: scams, malicious approvals, custodial insolvency, and your own over-leverage. Borrowing is reasonably safe when you vet the lender, keep a conservative LTV with a real liquidation buffer, use a hardware wallet, and never pay an upfront fee. It becomes dangerous the moment you skip diligence or chase the maximum loan the protocol allows.