Why scams thrive in crypto
Cryptocurrency is pseudonymous, irreversible, and borderless — three properties that attract scammers as reliably as they attract developers. When you send Bitcoin or USDT to a fraudulent address, no central authority can reverse the transaction. Chargebacks do not exist. Jurisdiction is unclear. Victims lose an estimated $9.9 billion to crypto scams globally in 2024 according to the FBI IC3 report, with 2025–2026 figures tracking higher as AI-generated content lowers the cost of convincing fraud.
Several structural factors amplify crypto scam prevalence. First, the technology is genuinely complex — even experienced users struggle to distinguish a legitimate smart-contract approval from a malicious one. Second, FOMO (fear of missing out) is weaponised constantly: rapid price movements make the promise of extraordinary returns feel plausible. Third, the regulatory patchwork means that fraudsters operating from low-enforcement jurisdictions face little legal risk. Fourth, AI deepfake audio and video now make impersonating trusted figures trivially easy.
This guide covers the eleven most active crypto scam categories in 2026, explains exactly how each one works, and gives you the specific red flags to look for before a single dollar leaves your wallet. For background on securing your funds, see the crypto wallet security guide and the wallet ratings.
Pig butchering (romance scam)
Pig butchering — sha zhu pan in Mandarin, the language of the Southeast Asian criminal networks that industrialised the model — is the highest-grossing crypto scam category of the 2020s. The FBI reports it was responsible for over $3.5 billion in US losses in 2023 alone, and the figure has grown year-on-year.
The mechanics follow a predictable arc. A stranger contacts you on a dating app, LinkedIn, WhatsApp, or Instagram — often claiming to be a successful professional, usually attractive, and always friendly. Contact is casual and patient; the scammer may spend weeks building genuine-feeling emotional connection before money enters the picture. The "pig" is you; the "butchering" happens when trust is established.
At some point the scammer casually mentions their investment success — usually on a platform you have never heard of. They offer to show you how it works. You deposit a small amount. You see big returns immediately (the platform is fake; the balance display is manipulated). You deposit more. Friends or family are recruited. When you try to withdraw, the platform invents fees, taxes, or compliance holds. The money is already gone.
- Red flag: any unsolicited contact that eventually pivots to an investment platform you cannot independently verify.
- Red flag: a trading platform that is not registered with any recognized financial regulator (FCA, SEC, ASIC, MAS).
- Red flag: withdrawal requests met with invented fees or delays.
- Defence: verify every investment platform independently on regulator blacklist databases before depositing anything.
Fake exchange and wallet apps
Counterfeit apps impersonating Coinbase, Binance, Ledger Live, MetaMask, Trust Wallet, and dozens of smaller platforms appear regularly in the Apple App Store and Google Play. Scammers submit apps with near-identical names, icons, and screenshots. Some slip past app-store review for days or weeks before removal — enough time to harvest seed phrases and login credentials from thousands of victims.
The damage is immediate and total. A fake wallet app that captures your seed phrase during setup has full control of every wallet derived from that phrase. A fake exchange app that steals your credentials can drain your balance, change your withdrawal address, and disable 2FA before you realise what happened.
- Red flag: app developer name does not match the official company (Coinbase, Inc. vs. "CoinBase Trading LLC").
- Red flag: app has fewer than 10,000 reviews or review dates cluster suspiciously in a short window.
- Red flag: app asks for your seed phrase at any point after setup — legitimate wallets never ask for this again.
- Defence: always navigate to the app via the official website (e.g. coinbase.com) and tap their official download link, not by searching the app store directly.
- Defence: use a hardware wallet like Ledger — even if you install a fake UI, the hardware device cannot be tricked into signing transactions without physical confirmation.
Address poisoning
Address poisoning exploits one of the most mundane human habits: copying a wallet address from your own transaction history. Attackers use automated scripts to generate vanity addresses that share the first 4–6 and last 4–6 characters with your legitimate counterparty address. They then send you a zero-value transaction from this look-alike address, so it appears in your wallet history alongside real transactions.
When you next need to send funds to that counterparty, you open your history, see what looks like the right address, copy it, and paste it into the send field. You send to the attacker instead. Because most wallet UIs truncate addresses to the first and last few characters, the substitution is not visually obvious unless you check the full string character-by-character.
High-value users are primary targets. Several DeFi treasuries and institutional wallets have lost millions via this vector. In 2024, one victim lost $68 million in WBTC in a single poisoning attack.
- Red flag: zero-value transactions appearing in your wallet from unknown addresses that look familiar.
- Defence: never copy addresses from transaction history — only from your original source (contact book, official site, QR code scan).
- Defence: verify the full 42-character (Ethereum) or equivalent address, not just the truncated display.
- Defence: use an address book / named contacts feature in your wallet and add addresses manually once.
Approval drainer attacks
Approval drainers exploit the ERC-20 token approval mechanism. When you interact with a DeFi protocol, you typically sign a transaction granting the protocol permission to spend your tokens. A malicious contract can request an unlimited approval, giving it the right to transfer every token in your wallet at any time in the future — even after you have left the site.
These attacks arrive via phishing links shared in Discord servers, Twitter/X DMs, fake NFT minting sites, and compromised project websites. You connect your wallet, sign what looks like a routine approval, and the drainer executes the transfer in the same or a subsequent transaction. Entire wallets are emptied in seconds.
Approval drainers became the dominant wallet-draining vector in 2023–2026, surpassing direct seed-phrase phishing in volume. Millions of dollars are lost monthly. The Permit2 signature standard (used by Uniswap and others) allows off-chain approval signing — meaning you can grant approvals without even broadcasting a transaction, making the attack completely invisible in some wallet UIs.
- Red flag: any site asking you to sign an approval for a token you did not explicitly intend to interact with.
- Red flag: approval requests with an unlimited or very large allowance amount.
- Red flag: Discord/Twitter links to "exclusive" mints, airdrops, or refunds that require wallet connection.
- Defence: use Revoke.cash or a similar tool to review and revoke existing approvals regularly.
- Defence: use a separate wallet with limited funds for DeFi interactions; keep main holdings in cold storage.
Rug pulls
A rug pull occurs when a project's developers abandon it and abscond with investor funds after artificially inflating the token price. The term comes from the image of pulling a rug out from under buyers. Rug pulls range from obvious (a token with no product, team, or code that pumps on social media and collapses within hours) to sophisticated (a project with a real product, audited contracts, and a year of development before the team executes a hidden admin key to drain liquidity).
The mechanics of a soft rug: developers hold a large supply allocation, quietly sell into buy pressure, and exit. The mechanics of a hard rug: developers use a privileged contract function (mint, pause, withdraw) to take liquidity directly. In 2024, the top 10 rug pull projects accounted for over $500 million in losses.
- Red flag: anonymous team with no verifiable track record or LinkedIn presence.
- Red flag: contract has not been audited by a recognised firm (CertiK, Trail of Bits, OpenZeppelin, Halborn).
- Red flag: audit exists but key issues are marked "acknowledged" rather than resolved.
- Red flag: liquidity is not locked; developer wallet holds a disproportionate share of supply.
- Red flag: token launches with extreme hype and urgency, targeting FOMO entry.
- Defence: use TokenSniffer, RugCheck, or GoPlus Security to scan contract addresses before buying.
AI deepfake celebrity endorsements
AI-generated video and audio deepfakes have become indistinguishable from genuine footage for most casual viewers. Scammers now produce convincing fake videos of Elon Musk, MicroStrategy's Michael Saylor, Vitalik Buterin, and other crypto figures "announcing" investment opportunities, giveaways, or presales. These videos are distributed via YouTube ads, Facebook, TikTok, and Telegram with fraudulent wallet addresses or links to fake investment platforms.
The giveaway scam format — "send 0.5 BTC, receive 1 BTC back" — has been used since 2018. AI deepfakes simply make it more convincing. In a well-documented 2025 incident, a deepfake of Coinbase CEO Brian Armstrong was used to promote a fake "Coinbase airdrop" that drained over $4 million from victims in 72 hours.
- Red flag: any celebrity video "announcing" a giveaway that requires you to send funds first.
- Red flag: livestream thumbnails using celebrity faces on YouTube or TikTok that you didn't subscribe to.
- Red flag: urgent countdown timers and "limited slots" creating artificial scarcity.
- Defence: verify any celebrity statement by checking the official account on X/Twitter and official company websites — not YouTube comments or shared links.
- Defence: legitimate giveaways never require you to send crypto first. This is always a scam, without exception.
Phishing emails, SMS, and Discord DMs
Phishing remains the highest-volume attack vector in crypto, adapting quickly to each new communication channel. Email phishing spoofs official domains with pixel-perfect recreations of Coinbase, Ledger, MetaMask, and Binance communications — warning of suspicious activity, account suspension, or mandatory "verification" that captures your login and 2FA codes. SMS phishing (smishing) sends texts from numbers that appear identical to your exchange's real sender ID due to SMS spoofing.
Discord phishing has become endemic. Compromised or imitation bot accounts, fake moderators, and hijacked server announcements direct users to "urgent" links. In 2024, more than 15 major DeFi project Discord servers were compromised in a single month, each broadcasting fake mint or airdrop links to tens of thousands of followers.
- Red flag: emails with urgency language ("your account is suspended", "action required within 24 hours").
- Red flag: sender domain is slightly off (coinbasse.com, ledger-support.net, metamask-wallet.io).
- Red flag: Discord DM from someone posing as official support — no legitimate project DMs you first.
- Defence: bookmark your exchange login URLs and never click email or SMS links — go directly to the site.
- Defence: use a hardware security key (YubiKey) for 2FA rather than SMS or TOTP codes, which can be phished via real-time relay attacks.
- Defence: turn off Discord DMs from non-friends in privacy settings.
Investment schemes and Ponzi structures
Classic Ponzi mechanics translate seamlessly to crypto. Platforms promise fixed high daily returns — "1.5% per day", "guaranteed 40% monthly" — funded not by legitimate trading but by new investor deposits. As long as inflows exceed outflows the scheme operates. When deposits slow, the platform halts withdrawals, invents technical issues, and eventually disappears.
In 2026, these schemes present as AI-powered arbitrage bots, "quantitative hedge funds", MEV strategies, or DeFi yield optimisers — anything that sounds technically legitimate and opaque enough to prevent scrutiny. The Forsage USDT scheme ($340 million), Hyperverse ($1.3 billion), and OneCoin ($4 billion) are the canonical large-scale examples, but hundreds of smaller operations run continuously.
- Red flag: any guaranteed fixed returns on crypto investment — DeFi yields are variable and never guaranteed.
- Red flag: referral bonuses that are proportionally higher than the underlying yield — a hallmark of multi-level Ponzi structure.
- Red flag: no verifiable on-chain transaction history for the claimed strategy.
- Red flag: withdrawal requires recruiting new members.
- Defence: any yield above 20% APY on a stablecoin or 50% APY on a volatile asset should trigger immediate scepticism. Cross-check current Bitcoin price and market conditions against claimed returns.
Exit scam exchanges
Exit scam exchanges are platforms built specifically to accumulate deposits and then disappear. They offer competitive rates, slick UIs, sometimes fake trading volume, and withdrawal processing for weeks or months to build credibility before halting all operations. Because crypto exchanges outside major jurisdictions face minimal licensing requirements, launching one is cheap.
The FTX collapse in 2022 — though technically a fraud rather than a pure exit scam — demonstrated that even large, credible-appearing exchanges can misappropriate user funds. Smaller exchange exit scams are vastly more common: dozens occur every year. Red flags are often visible before the collapse if you know where to look.
- Red flag: exchange is not registered with any recognized regulator in its claimed jurisdiction.
- Red flag: withdrawal delays without clear technical explanation, particularly after high-volume days.
- Red flag: exchange has no proof-of-reserves audit from a recognised accounting firm.
- Red flag: unusually high deposit bonuses or staking yields that are not economically sustainable.
- Defence: use only regulated, audited exchanges with transparent proof of reserves. See Coinbase review for what a well-regulated exchange looks like.
- Defence: never keep more on any exchange than you are willing to lose — withdraw to self-custody regularly.
Recovery scams (the scam after the scam)
Recovery scams target people who have already been defrauded. Posing as blockchain forensics firms, legal recovery specialists, or "ethical hackers", scammers contact recent victims — often scraping their names from public court filings, fraud forums, or social media — and offer to recover stolen funds for an upfront fee. They may produce convincing fake "blockchain analysis reports" showing the movement of your funds and claiming they can seize the wallet.
There is no such thing as reversing a confirmed blockchain transaction. Legitimate blockchain analytics firms (Chainalysis, Elliptic, CipherTrace) work with law enforcement and do not offer retail recovery services for a fee. Any company cold-contacting a fraud victim and requesting advance payment to recover crypto is running a secondary scam.
- Red flag: unsolicited contact from a "recovery specialist" after you have posted about being scammed.
- Red flag: upfront fee required before any recovery is performed.
- Red flag: claims of a 95%+ success rate — genuine recovery is rare and depends entirely on law enforcement action.
- Defence: if you have lost significant funds, file a report with the FBI IC3 (US), Action Fraud (UK), or your national regulator — do not pay a private recovery service.
- Defence: be especially cautious in the weeks after a loss when you are emotionally vulnerable and more susceptible to persuasion.
7-step checklist to protect yourself from crypto scams
Apply this checklist to every new platform, opportunity, or transaction before committing funds. A single "no" should trigger a full stop.
- Verify the platform independently. Search the platform name on your national financial regulator's website (FCA, SEC, ASIC). Check CoinGecko, CoinMarketCap, and community forums for independent reviews. If you cannot find third-party verification within five minutes, treat it as fraudulent.
- Check the smart contract. For any DeFi protocol, verify the contract address on the project's official GitHub and website — not via links in chat. Use TokenSniffer or GoPlus to scan for honeypot, rug-pull, and tax functions.
- Review your wallet approvals. Before and after every DeFi session, visit Revoke.cash and audit what contracts have approval over your tokens. Revoke anything you do not recognise or no longer use.
- Use a hardware wallet for significant holdings. Store anything above $1,000 in a Ledger or Trezor hardware wallet. Hardware wallets require physical confirmation for every transaction — they cannot be drained by software-only attacks.
- Never share your seed phrase. No legitimate wallet, exchange, or support team will ever ask for your 12 or 24-word seed phrase. Not for "verification". Not to "restore access". If anyone asks, close the conversation immediately.
- Slow down on any "urgent" opportunity. Scarcity and urgency are psychological manipulation tools. A legitimate investment opportunity will still exist tomorrow. If you feel pressured to act in the next hour, that pressure is itself a red flag. See current Bitcoin market data to ground yourself in actual market conditions rather than fabricated FOMO.
- Use regulated, audited exchanges for custody. If you must keep funds on an exchange, choose one with verified proof-of-reserves, regulatory oversight, and a track record of at least two years. Review the wallet ratings and Coinbase review to benchmark platform quality.
Crypto scams are preventable in the overwhelming majority of cases. The losses documented in FBI IC3 reports, Chainalysis Crypto Crime Reports, and CISA advisories share a consistent pattern: victims acted under time pressure, skipped independent verification, or trusted a platform recommended by someone they did not know offline. The architecture of blockchain is neutral — it enables legitimate transactions and fraudulent ones equally efficiently. Your protection comes from process, not luck.




