Cryptocurrency Scam Schemes

Learn about the most widespread crypto scams in the real world — how they work, what they target, and how to stay safe.

Warning: This information is for educational purposes only. Never attempt to replicate these types of scams or engage in fraudulent activities.

Learn how scammers think — and stay one step ahead

This page is designed to help you recognize and understand cryptocurrency scam schemes. Whether you're new to crypto or have been involved for years, understanding them is essential for protecting your assets and staying safe online. By understanding the patterns and tactics used by scammers, you’ll be better prepared to identify red flags and avoid becoming a victim.

Crypto Scam Schemes Catalog

Phishing Attacks — Website Clones

Phishing, Privacy Attack

Goal of the Attack

To trick the victim into entering their private credentials (seed phrase, passwords, private keys) or signing a malicious transaction, by disguising a fake website as a legitimate crypto service.

Attack Scenario

The attacker creates a clone of a well-known crypto platform — an exchange, wallet, marketplace, or DeFi app — and distributes links through emails, social media, paid ads, or chat messages. A common trick is typosquatting: using domains that look almost identical to the real one (e.g., swapping one or two letters). The victim clicks the link, sees a familiar interface, and logs in — unknowingly sending their credentials to the attacker. Sometimes the fake page displays a prompt to “connect your wallet”, “claim rewards”, or “verify your seed phrase”. These forms are designed to capture sensitive data. In other cases, a pop-up window may request wallet access or a transaction approval. Believing it’s official, the user approves the action. Once credentials or signatures are collected, the attacker instantly drains the victim’s funds from accounts or connected wallets.

How to Protect Yourself

  • Always check the full URL — don’t rely on logos or design. Save official pages in your bookmarks.
  • HTTPS ≠ safety: phishing sites can also have SSL certificates.
  • Never enter your seed phrase or private key into a browser — legitimate services will never ask for them.
  • Verify URLs through official project channels (Twitter/X, documentation, or the verified website).
  • Avoid clicking on ads or unsolicited links in emails or messages.
  • Use a password manager — it will refuse to autofill on fake domains.
  • Protect main accounts with hardware wallets and anti-phishing browser extensions that flag suspicious domains or scripts.
  • Install script blockers and extensions that warn about phishing domains.
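
The URL checks from the list above, as an added example that is not part of the original page: Python code that compares a link's real hostname with a bookmarked allowlist and names the trick when it does not match. The domains are constructed placeholders, and taking the last two labels as the registrable domain is an assumption that ignores multi-part suffixes such as `.co.uk`.

```python
from urllib.parse import urlsplit

# Constructed bookmark list standing in for the user's saved official domains.
OFFICIAL_DOMAINS = ("example-exchange.com", "examplewallet.io")


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "exmaple" for "example".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_url(url, official=OFFICIAL_DOMAINS, max_distance=2):
    """Return 'official' or the reason the link should not be trusted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid"
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    if parts.username is not None:
        # https://real-site.example@other.test/ : the text before '@' is not the host.
        return "userinfo-trick"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised names can hide look-alike characters.
        return "unbookmarked-idn"
    if any(d in host for d in official):
        # Official name used as a subdomain of somebody else's domain.
        return "embedded-name"
    registrable = ".".join(host.split(".")[-2:])
    if any(edit_distance(registrable, d) <= max_distance for d in official):
        return "typosquat"
    return "not-bookmarked"


if __name__ == "__main__":
    for sample in (
        "https://app.example-exchange.com/login",
        "https://exmaple-exchange.com/login",
        "https://example-exchange.com.secure-login.test/",
        "https://example-exchange.com@evil.test/",
    ):
        print(classify_url(sample), sample)
```

Anything other than `official` is treated as untrusted; a valid HTTPS certificate changes none of these verdicts.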

Phishing Attacks — Fake Support Representatives

Phishing, Social Engineering, Privacy Attack

Goal of the Attack

To impersonate an official support agent and trick the victim into revealing sensitive access data — such as 2FA codes, seed phrases, private keys — or to convince them to approve a transaction in favor of the attacker.

Attack Scenario

The attacker creates a fake profile on platforms like Telegram, Twitter/X, or Discord, mimicking the name, avatar, and tone of the project’s official support team. They contact the victim under the pretext of a “technical issue”, “account verification”, or “urgent notification”. The conversation typically leads to a phishing link where the victim is asked to log in, share a 2FA code, or provide their seed phrase for “security verification” or “account recovery.” In some cases, attackers even call the victim, posing as official support staff and urging them to connect to remote assistance tools or transfer funds to a “safe wallet.” Another common trick is the creation of fake support tickets or invitations to private chats, where the attacker increases psychological pressure and creates urgency. These scams often target users who have publicly asked for help — for example, those posting about issues on forums or social media. Once the victim discloses private data or grants access, the attacker immediately takes control of their accounts and drains funds.

How to Protect Yourself

  • Official support will never ask for your seed phrase, private key, or 2FA codes — ever.
  • Always verify the account through the project’s official website or verified communication channels.
  • Check for subtle differences in usernames, links, or spelling — fake accounts often use extra characters, dots, or underscores.
  • Never click on personal links or share your screen or device access with anyone claiming to be support.
  • Do not share 2FA codes or temporary access tokens with anyone, even if they appear “official”.
  • Avoid DMs from new or unverified accounts; confirm support contacts through multiple official channels.
  • If anything feels off — end the conversation immediately and reach out to support via the official contact form on the project’s website.

Payment with Counterfeit Coins (Fake USDT example)

Investment Fraud, Social Engineering

Goal of the Attack

Steal goods or other assets from a seller accepting crypto payments.

Attack Scenario

Anyone can deploy an ERC-20 smart contract and give it any name and ticker. A scammer deploys a token named “Tether USD” or “USDT”, mints tokens, and sends them to the seller’s address. The attacker then provides a TxID or a screenshot that appears to show a successful transfer of tokens. A rushed or distracted seller checks the transaction ID in a block explorer, sees a transfer labeled “USDT” and assumes payment is received — but the transfer is of a different token contract, not the official Tether contract. Because the explorer shows the token symbol and an amount, it’s easy to be fooled unless the seller inspects the token contract and full balance. After the seller hands over the goods, the attacker is gone.

How to Protect Yourself

  • Check the receiving wallet balance, not just the TxID: open your wallet and confirm the token balance increased. Fake tokens often won’t show in wallet UIs because wallets query balances from the official contract address.
  • The contract address is the single source of truth, verify it: cross-check the contract address shown in the transaction with the issuer’s official site (Tether’s docs), CoinMarketCap/CoinGecko listings, or other trusted resources. If they differ — it’s fake.
  • In the transaction details on Etherscan (or other explorers), check if there's a dollar sign ($) next to the transfer amount. This may be absent in the case of counterfeit tokens.
  • Look for verification/identity markers on the block explorer: on Etherscan (or other explorers) the legitimate USDT token page is typically verified and shows a verification badge. Fake tokens usually lack verified contract code or the verified badge.
  • Inspect token metrics (holders / tx count / supply): click the token ticker on the explorer and check holders, total supply, and tx history. Real USDT has hundreds of thousands of holders and millions of transactions across chains. A new/low-activity token is suspect.
  • When in doubt — refuse and ask. If anything looks off (new token contract, low holder count, unverified contract), pause the trade and verify through multiple channels.

Exchange for counterfeit currency (Fake USDT example)

Investment Fraud, Social Engineering

Goal of the Attack

Trick the victim into sending fiat money while creating the illusion that USDT has been deposited to their exchange account.

Attack Scenario

A variation of the “Payment with Counterfeit Coins” scheme. The user wants to purchase USDT and encounters a scammer offering exchange services. The scammer insists they will send the payment only to the exchange deposit address, framing it as the proper or safer method. The attacker sends fake USDT tokens to the exchange address, then provides the victim with a TxID or block explorer screenshot showing a transfer labeled as USDT. They claim the deposit hasn’t appeared yet, blaming the exchange, and insist that they have fulfilled their part of the deal. Using the exchange as a “third party,” the scammer convinces the victim to release fiat money, creating the impression that any issues are the exchange’s responsibility. Once the victim sends the money, the scammer disappears. The tokens are worthless or never credited, and the victim loses their funds.

How to Protect Yourself

  • Always confirm deposits directly in your exchange account, not via block explorer alone.
  • Verify the token contract address — only the official USDT contract supported by the exchange is valid.
  • Be cautious of pressure tactics or claims that “the exchange is slow” or “the problem is on their side.”
  • Start with small test deposits to ensure the exchange credits the tokens properly.
  • Do not release fiat or goods before the exchange shows a confirmed deposit.
  • Red flags:
    • Scammer insists on using the exchange as a “third party.”
    • TxID or block explorer is provided as proof instead of the exchange account showing the deposit.
    • Claims that delays are the exchange’s responsibility.
    • Use of familiar token symbols with fake or incorrect contract addresses.
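
The contract-address check that both fake-USDT schemes above come down to, as an added example that is not part of the original page: Python code that reads a transaction receipt (the shape returned by `eth_getTransactionReceipt`) and counts only `Transfer` events emitted by the trusted token contract. The receipts, the buyer and seller addresses and the fake token address are constructed; the USDT address shown is the Ethereum mainnet one and should still be confirmed against the issuer's site.

```python
from decimal import Decimal

# keccak256("Transfer(address,address,uint256)"), topic0 of every ERC-20 Transfer log.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# USDT contract on Ethereum mainnet; confirm it against the issuer's own site before use.
TRUSTED_USDT = "0xdac17f958d2ee523a2206206994597c13d831ec7"
USDT_DECIMALS = 6


def _word(addr):
    """Left-pad a 20-byte address to the 32-byte form used in indexed topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def transfers_to(receipt, recipient):
    """Yield (emitting_contract, raw_amount) for each ERC-20 Transfer to recipient."""
    for log in receipt.get("logs", []):
        topics = [t.lower() for t in log.get("topics", [])]
        # ERC-20 Transfer has exactly 3 topics; ERC-721 has 4 (tokenId is indexed).
        if len(topics) == 3 and topics[0] == TRANSFER_TOPIC and topics[2] == _word(recipient):
            yield log["address"].lower(), int(log["data"], 16)


def credited(receipt, recipient, token=TRUSTED_USDT, decimals=USDT_DECIMALS):
    """Amount paid in the trusted token; transfers from other contracts count for nothing."""
    if receipt.get("status") != "0x1":  # a reverted transaction pays nobody
        return Decimal(0)
    raw = sum(v for c, v in transfers_to(receipt, recipient) if c == token.lower())
    return Decimal(raw) / (Decimal(10) ** decimals)


def other_token_contracts(receipt, recipient, token=TRUSTED_USDT):
    """Contracts other than the trusted one that emitted a Transfer to recipient."""
    return sorted({c for c, _ in transfers_to(receipt, recipient) if c != token.lower()})


# --- constructed sample data -------------------------------------------------
SELLER = "0x" + "5e" * 20
BUYER = "0x" + "b0" * 20
FAKE_TOKEN = "0x" + "fa" * 20  # a contract that merely calls itself "USDT"


def _log(contract, to, raw):
    return {"address": contract,
            "topics": [TRANSFER_TOPIC, _word(BUYER), _word(to)],
            "data": "0x" + format(raw, "064x")}


GENUINE = {"status": "0x1", "logs": [_log(TRUSTED_USDT, SELLER, 125_000_000)]}
COUNTERFEIT = {"status": "0x1", "logs": [_log(FAKE_TOKEN, SELLER, 125_000_000)]}

if __name__ == "__main__":
    for name, receipt in (("genuine", GENUINE), ("counterfeit", COUNTERFEIT)):
        print(name, credited(receipt, SELLER), other_token_contracts(receipt, SELLER))
```

Both sample receipts show the same event shape and amount; only the emitting contract differs, which is why the counterfeit one credits zero.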

Address Poisoning / History Poisoning

Network Exploit, Social Engineering, Wallet Manipulation

Goal of the Attack

Trick a user into sending funds to an attacker’s address (which closely resembles the intended address) by “poisoning” the user’s transaction history so the victim copies or selects the malicious address by mistake.

Attack Scenario

    An attacker identifies a victim who repeatedly transacts with the same counterparty (their own wallet, an exchange deposit address, a vendor, etc.). Using address-generation tools, the attacker creates an address that matches several leading and/or trailing characters of the legitimate address so it looks visually similar.

    Then, the attacker sends a micro-transaction (tiny amount of token) from the look-alike address to the victim’s address. That transfer appears in the victim’s wallet transaction history or block explorer and shows the attacker’s address in the same position as familiar entries. A more advanced scheme: the attacker deploys a scam-token smart contract that copies the name and logo of the token the victim frequently sends, and injects special events into that contract which are then broadcast to the blockchain. Block explorers and some wallet UIs parse those events and display a plausible but misleading transfer history. This creates a false sense of trust for the victim — because the history appears to show that they themselves made the transfer.

    When the victim needs to copy their own or a counterparty address quickly, they open recent transactions, see a “familiar” entry (the poisoned one), copy it, and paste it into the recipient field. The transfer goes to the attacker’s address.

How to Protect Yourself

  • Never copy addresses from recent history without verification.
  • Always verify the full address before sending: paste → compare character-by-character. Don’t rely only on matching first/last 4 characters.
  • Use a trusted address book / whitelist / saved contacts in your wallet instead of relying on the transaction list.
  • Hardware wallets display the full destination address on-device before signing. Always confirm the address shown on the device screen.
  • Disable autofill from transaction history.
  • Use wallets that show EIP-55 checksums and warn about addresses that are visually similar to saved contacts.
  • Send a small test amount first and verify the recipient received it before sending the full sum.
  • Enterprise controls for large transfers: require multisig, dual approval, out-of-band confirmations (phone/video), and withdrawal limits.
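
A check a wallet or payout script could run before sending, as an added example that is not part of the original page: Python code that compares a destination with a saved address book and flags addresses that are not saved but share leading or trailing characters with a saved one. The addresses and history rows are constructed, and the four-character threshold is an assumption taken from the "first/last 4 characters" habit mentioned above.

```python
import re

_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")


def normalise(addr):
    """Validate a 20-byte hex address and return its 40 hex digits in lower case."""
    addr = addr.strip()
    if not _ADDR.fullmatch(addr):
        raise ValueError("not a 20-byte hex address: %r" % addr)
    return addr[2:].lower()


def shared_affix(a, b):
    """Number of identical leading and trailing hex characters."""
    def run(pairs):
        n = 0
        for x, y in pairs:
            if x != y:
                break
            n += 1
        return n
    return run(zip(a, b)), run(zip(reversed(a), reversed(b)))


def check_destination(dest, address_book, min_affix=4):
    """Return ('saved', label), ('lookalike', label) or ('unknown', None)."""
    d = normalise(dest)
    book = {normalise(a): label for a, label in address_book.items()}
    if d in book:  # only a full 40-digit match counts as the saved contact
        return "saved", book[d]
    for saved, label in book.items():
        head, tail = shared_affix(d, saved)
        if head >= min_affix or tail >= min_affix:
            return "lookalike", label
    return "unknown", None


def poisoned_entries(history, address_book):
    """History rows whose counterparty imitates a saved contact."""
    hits = []
    for row in history:
        verdict, label = check_destination(row["counterparty"], address_book)
        if verdict == "lookalike":
            hits.append((row["counterparty"], label))
    return hits


# --- constructed sample data -------------------------------------------------
EXCHANGE = "0x" + "a1b2" + "c" * 32 + "9f8e"
POISON = "0x" + "a1b2" + "d" * 32 + "9f8e"   # same first and last four digits
OTHER = "0x" + "1234567890" * 4
ADDRESS_BOOK = {EXCHANGE: "exchange deposit"}
HISTORY = [
    {"counterparty": EXCHANGE, "value": "250"},
    {"counterparty": POISON, "value": "0"},
    {"counterparty": OTHER, "value": "10"},
]

if __name__ == "__main__":
    print(poisoned_entries(HISTORY, ADDRESS_BOOK))
```

The comparison is case-insensitive and does not validate the EIP-55 checksum, which needs Keccak-256 and is outside the Python standard library.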

Dusting Attack (UTXO-based blockchains)

Network Exploit, Privacy Attack, Wallet Manipulation

Goal of the Attack

Collect transaction linkage data to de-anonymize an owner’s wallet(s) and build a profile for targeted follow-up attacks (phishing, SIM-swap, doxxing, or sale of user data).

Attack Scenario

    An attacker sends tiny outputs — dust (very small amounts of coin) — to thousands of addresses. On UTXO chains (Bitcoin, Litecoin, etc.) these tiny outputs become spendable UTXOs in the recipient’s wallet.

    When a recipient later spends, consolidates, or forwards those UTXOs (for example by sweeping small outputs into a larger transaction or using CoinJoin incorrectly), the attacker can follow the on-chain trails and link multiple addresses to a single cluster or user. Over time, combining on-chain links with off-chain signals (exchange deposits, public posts) allows the attacker to map an identity to addresses and assemble a profile of balances, counterparties, and activity windows.

    The attacker then uses that profile for further attacks: targeted phishing attacks, SIM swaps, or offers to "delete" dust tokens through fake services that require a seed phrase. Sometimes, the metadata of dusted tokens contains links to phishing sites or trivial advertisements.

How to Protect Yourself

  • Do not spend or consolidate dust blindly.
  • Avoid sweeping tiny UTXOs into a single transaction unless you understand the privacy consequences. Consolidating dust can link previously separate addresses.
  • Ignore links or instructions embedded in token metadata or OP_RETURN.
  • Use address hygiene — separate funds by purpose.
  • Keep public / merchant / tipping addresses separate from main / long-term wallets. Use different wallets (or accounts) for different purposes to reduce correlation risk.
  • Wallets that allow selecting which UTXOs to spend (coin control) let you avoid spending attacker-supplied dust. Mobile wallets often lack coin control — be cautious.
  • For users who need strong privacy, use well-audited mixing services (CoinJoin, Wasabi, Samourai/Whirlpool) correctly — but understand legal, fee, and operational risks. Mixing improperly can still link coins.
  • Use an explorer or analytics tool to inspect the origin and pattern of dust. Mass distribution patterns indicate automated dusting campaigns.
  • Any service or individual asking for your seed phrase or private keys to “remove” tokens/dust is malicious.
  • Harden your external identity (lock down social profiles, enable highest security on email and phone, use hardware 2FA, contact exchanges to add withdrawal locks), and treat follow-up contact attempts with extreme suspicion.
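
What coin control does for the dusting case, as an added example that is not part of the original page: Python code that quarantines tiny unsolicited outputs and funds a payment from a single address where it can, so that the inputs of one transaction do not tie separate addresses together. The wallet contents, address labels and the 1000-satoshi dust limit are constructed assumptions, and fees are left out to keep the selection logic visible.

```python
from collections import defaultdict, namedtuple

# Constructed wallet model; known_sender marks payments the owner expected.
Utxo = namedtuple("Utxo", "txid vout address value_sat known_sender")


def quarantine_dust(utxos, dust_limit_sat=1000):
    """Split into (spendable, frozen): tiny unsolicited outputs are never auto-spent."""
    frozen = [u for u in utxos if u.value_sat <= dust_limit_sat and not u.known_sender]
    spendable = [u for u in utxos if u not in frozen]
    return spendable, frozen


def linked_addresses(inputs):
    """Addresses an observer ties together when these inputs share one transaction."""
    return {u.address for u in inputs}


def select_inputs(utxos, target_sat, dust_limit_sat=1000):
    """Coin control: skip quarantined dust and fund from one address when possible."""
    spendable, _ = quarantine_dust(utxos, dust_limit_sat)
    by_addr = defaultdict(list)
    for u in spendable:
        by_addr[u.address].append(u)
    # Addresses that can cover the target alone, smallest balance first.
    solo = sorted((sum(u.value_sat for u in group), addr)
                  for addr, group in by_addr.items()
                  if sum(u.value_sat for u in group) >= target_sat)
    pool = by_addr[solo[0][1]] if solo else spendable
    chosen, total = [], 0
    for u in sorted(pool, key=lambda u: u.value_sat, reverse=True):
        if total >= target_sat:
            break
        chosen.append(u)
        total += u.value_sat
    if total < target_sat:
        raise ValueError("insufficient funds without spending quarantined dust")
    return chosen


# --- constructed sample wallet ------------------------------------------------
WALLET = [
    Utxo("tx-a", 0, "addr-savings", 60_000, True),
    Utxo("tx-b", 1, "addr-shop", 50_000, True),
    Utxo("tx-dust", 7, "addr-tips", 546, False),  # unsolicited dust
]

if __name__ == "__main__":
    print("naive sweep links:", sorted(linked_addresses(WALLET)))
    print("coin control links:", sorted(linked_addresses(select_inputs(WALLET, 40_000))))
```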

Double-Spend — Race Attack (Bitcoin example)

Network Exploit, Social Engineering

Goal of the Attack

Convince a counterparty (merchant, seller, or person) to accept an unconfirmed transaction as payment, then replace that unconfirmed transaction with a conflicting one that returns the coins to the attacker.

Attack Scenario

    A typical race attack exploits the window when a transaction is visible but not yet confirmed.

    Preparation: The attacker first sends the required amount to their own address, setting the lowest possible transaction fee, ensuring that the transaction remains unconfirmed for The attacker times the attempt during higher network load and chooses a fee slightly below the level that would guarantee immediate confirmation. The goal is for the payment to remain unconfirmed long enough for the seller to act.

    Broadcast the “payment”: The attacker broadcasts a transaction that spends coins to the merchant’s address. The merchant sees the incoming, unconfirmed transaction in their wallet or explorer and may interpret that as sufficient evidence of payment.

    Psychological pressure: The attacker applies social pressure or urgency — asking the merchant to ship goods, release digital content, or transfer fiat immediately on the assumption that the unconfirmed payment will be confirmed.

    Double-spend: After the merchant has acted, the attacker broadcasts a second transaction spending the same inputs but sending the funds back to themselves (or to another address) with a higher fee. Miners include the higher-fee transaction in a block; the original unconfirmed transaction becomes invalid and is dropped. The attacker ends up with the goods/fiat and retains the coins.

How to Protect Yourself

  • Never treat an unconfirmed transaction as final.
  • Require at least several confirmations (commonly 3–6 depending on chain and risk profile).
  • Detect suspicious timing and low fees. If an incoming transaction uses unusually low fees or appears during network congestion, treat it as higher risk.
  • Disable auto-release on unconfirmed transactions. Don’t automatically mark goods as paid until the required confirmations are seen by your wallet/explorer.
  • Avoid trusting screenshots/TxIDs alone. A TxID or screenshot of an unconfirmed transfer is not proof of irrevocable payment. Confirm on a reliable node/explorer and check confirmation count.
  • For high-volume merchants: implement monitoring & policies. Use whitelisting, delayed release windows, multisig custody, and reconciliation procedures; educate staff to refuse pressure to ship on zero-confirm payments.
  • *Bonus: If you are certain that this type of attack is being carried out against you, it is theoretically possible to intercept the attacker’s coins. As soon as you notice an unconfirmed transaction, you may immediately create your own transaction that spends the same coins from the unconfirmed transaction but sets an exceptionally high transaction fee. In this case, either your transaction with the higher fee will be confirmed first — sending the coins to your address — or the attacker will raise their fee even higher and lose almost the entire amount in fees.
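
A merchant-side release policy built from the rules above, as an added example that is not part of the original page: Python code that releases goods only after the required confirmations and, while holding, reports why an unconfirmed payment is risky. The transaction records, the fee estimate and the high-value threshold are constructed assumptions; the replace-by-fee signal (BIP 125) goes beyond what the page lists and is included as one more warning sign.

```python
from dataclasses import dataclass, field

# BIP 125: a transaction signals replaceability if any input sequence is below 0xfffffffe.
MAX_RBF_SEQUENCE = 0xFFFFFFFD


@dataclass
class IncomingTx:
    amount_sat: int
    confirmations: int
    fee_sat: int
    vsize: int  # virtual size in vbytes
    input_sequences: list = field(default_factory=list)


def required_confirmations(amount_sat, high_value_sat=10_000_000):
    """3 for ordinary payments, 6 at or above the (assumed) high-value threshold."""
    return 6 if amount_sat >= high_value_sat else 3


def risk_flags(tx, next_block_feerate):
    """Reasons an unconfirmed payment deserves extra suspicion."""
    flags = []
    if tx.confirmations == 0:
        flags.append("unconfirmed")
        if tx.fee_sat / tx.vsize < next_block_feerate:
            flags.append("low-fee")  # likely to sit unconfirmed for a while
        if any(s <= MAX_RBF_SEQUENCE for s in tx.input_sequences):
            flags.append("rbf-signalled")  # sender announced it may be replaced
    return flags


def decide(tx, next_block_feerate):
    """Return ('release' | 'hold', flags). Goods move only on 'release'."""
    if tx.confirmations >= required_confirmations(tx.amount_sat):
        return "release", []
    # Absence of flags does not make a zero-confirmation payment final.
    return "hold", risk_flags(tx, next_block_feerate)


# --- constructed sample payments (fee rate estimate: 20 sat/vB) ---------------
RACE_ATTEMPT = IncomingTx(500_000, 0, 150, 150, [0xFFFFFFFD])
CLEAN_ZERO_CONF = IncomingTx(500_000, 0, 4_500, 150, [0xFFFFFFFF])
SETTLED = IncomingTx(500_000, 3, 3_000, 150, [0xFFFFFFFF])
LARGE_PAYMENT = IncomingTx(50_000_000, 3, 3_000, 150, [0xFFFFFFFF])

if __name__ == "__main__":
    for tx in (RACE_ATTEMPT, CLEAN_ZERO_CONF, SETTLED, LARGE_PAYMENT):
        print(decide(tx, next_block_feerate=20))
```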

Rug Pull

Investment Fraud, Rug Pull

Goal of the Attack

Collect funds from project participants and then remove liquidity or assets, leaving token holders with worthless, illiquid tokens or crashing the token price.

Attack Scenario

    A team (or attacker) creates a token and a liquidity pool on a DEX so people can buy the token. To attract buyers they run an aggressive promo campaign — social media, private chats, bots, promises of high returns and “exclusive listings.” They often build a polished website, a fake roadmap, and forged endorsements.

    After a substantial inflow of funds the attackers either remove liquidity from the pool (liquidity-draining rug pulls, the most common) or dump large token holdings, causing the price to collapse and trapping holders with tokens that cannot be sold (exit-scam dumps).

How to Protect Yourself

  • Inspect the contract using a block explorer: check for suspicious functions such as unrestricted mint, burn, pause, transferFrom overrides, or any code that can arbitrarily block transfers or change balances.
  • Ownership & control: see who controls contract ownership (is ownership renounced? is there a timelock?). Renounced ownership is not a guarantee of safety, but ownership held by a single private key is a major red flag.
  • LP tokens & liquidity distribution: check who holds the LP tokens. If a single address holds the LP tokens and they are not time-locked / burned, the risk is high. Also check whether liquidity is locked (and for how long) in recognized locking services.
  • Tokenomics & supply control: be cautious if the team retains a huge share of supply or if large token allocations are not time-locked or vested. Large, easily-sellable team allocations enable dumps.
  • Audits & reputations: prefer tokens audited by reputable security firms and verified contract source code. Lack of audit isn’t necessarily proof of fraud but raises risk.
  • Marketing red flags: extremely aggressive marketing, guaranteed returns, fake celebrity endorsements, and pressure to buy quickly are common manipulation techniques.
  • On-chain history & social checks: check transaction history, wallet reputation, and the team’s activity outside the project (LinkedIn, past projects). Look for inconsistent identities or newly created profiles.
  • Practical rules: never invest more than you can afford to lose in unverified tokens; consider using small test buys first; avoid tokens where liquidity is not visibly locked.

Approval Phishing

Phishing

Goal of the Attack

Trick a user into granting a token allowance (approve) so the attacker can withdraw any amount at will.

Attack Scenario

    An attacker sets up a phishing website or app and lures the victim. When the user interacts with the fake interface, they are prompted to “approve” a token for swapping, claiming rewards, or participating in a program. The interface often suggests approving the maximum or unlimited amount for convenience. Users confirm the transaction without realizing they’ve given the attacker permission to withdraw any amount of that token. Once approved, the attacker can drain the tokens — sometimes gradually to avoid suspicion.

    Common tactics include: fake buttons or misleading text hiding the actual approve request; messages like “Claim your tokens — just approve” to trick users into unlimited allowances.

    Even legitimate DApps sometimes request unlimited approvals; the key difference is whether the DApp is trustworthy and audited.

How to Protect Yourself

  • Read transaction details carefully: if it says “Approve unlimited,” either decline or set a specific limit.
  • Use wallets with warnings: wallets like MetaMask or Rainbow show full transaction details and alert about unlimited approvals.
  • Revoke old approvals regularly: use services like revoke.cash to check and revoke unnecessary token allowances.
  • Set minimal allowances for unknown DApps: only approve the exact amount needed.
  • Use separate addresses for experiments: avoid giving approvals from your main wallet.
  • Hardware wallets: require manual confirmation for each transaction, reducing the risk of accidental approvals.
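
What "read transaction details carefully" means at the byte level, as an added example that is not part of the original page: Python code that decodes the calldata of a pending transaction and lists the warnings a wallet should raise for `approve` and, going beyond the ERC-20 case in the text, for `setApprovalForAll` on NFT collections. The spender addresses and amounts are constructed, and the decoder assumes an `approve` call targets an ERC-20 contract (ERC-721 uses the same selector with a token id as the second argument).

```python
MAX_UINT256 = 2**256 - 1
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)


def decode_approval(calldata):
    """Return {'kind', 'spender', 'value'} for an approval call, else None."""
    data = calldata[2:].lower() if calldata.startswith("0x") else calldata.lower()
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 128:
        return None
    kind = "approve" if selector == APPROVE else "setApprovalForAll"
    # First 32-byte word: address in its last 20 bytes. Second word: amount or bool.
    return {"kind": kind, "spender": "0x" + args[24:64], "value": int(args[64:], 16)}


def review(calldata, needed_raw, trusted_spenders):
    """Warnings to show before signing; an empty list means nothing unusual was found."""
    call = decode_approval(calldata)
    if call is None:
        return []
    warnings = []
    if call["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append("unknown-spender")
    if call["kind"] == "setApprovalForAll":
        if call["value"]:
            warnings.append("operator-for-all-tokens")
    elif call["value"] == MAX_UINT256:
        warnings.append("unlimited-allowance")
    elif call["value"] > needed_raw:
        warnings.append("allowance-exceeds-need")
    return warnings


# --- constructed sample data -------------------------------------------------
KNOWN_ROUTER = "0x" + "70" * 20      # a spender the user has verified
UNKNOWN_SPENDER = "0x" + "dd" * 20   # address supplied by an unverified page


def encode(selector, spender, value):
    """Build calldata the way a wallet would receive it (for the samples only)."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(value, "064x")


if __name__ == "__main__":
    swap_needs = 50_000_000  # 50 units of a 6-decimal token
    print(review(encode(APPROVE, UNKNOWN_SPENDER, MAX_UINT256), swap_needs, [KNOWN_ROUTER]))
    print(review(encode(APPROVE, KNOWN_ROUTER, swap_needs), swap_needs, [KNOWN_ROUTER]))
```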

Malicious/Fake Wallets and Browser Extensions

Malware, Phishing, Privacy Attack

Goal of the Attack

Steal a user’s private keys or seed phrases, or automatically sign transactions in favor of the attacker via fake wallets or malicious browser extensions.

Attack Scenario

An attacker publishes a fake wallet extension in a browser store or spreads an installer through websites and social media. When a user installs the wallet: the wallet can intercept the seed phrase during setup or capture manually entered private keys. The extension may automatically sign transactions without the user’s approval, or alter destination addresses in the UI, redirecting funds to the attacker, or manipulate displayed addresses on websites to trick users into sending funds to the wrong place.

How to Protect Yourself

  • Install only from official sources: check the developer, number of installs, and reviews. Avoid newly uploaded extensions with few reviews.
  • Check permissions carefully: avoid extensions that request access to data on all websites.
  • Keep seed phrases offline: never store them on a device connected to the internet.
  • Use hardware wallets: they add a strong layer of protection even if a computer is compromised.
  • Limit funds in hot wallets: if using hot wallets, only keep small amounts for active transactions.

SIM Swap & Account Takeover (via Mobile Operator)

Social Engineering, Privacy Attack

Goal of the Attack

Gain control of a victim’s phone number to intercept SMS-based 2FA codes and recover access to email, exchange, and social media accounts, ultimately stealing crypto assets.

Attack Scenario

An attacker collects the victim’s personal data via phishing, data leaks, or social media. They then contact the mobile operator, requesting the number to be “transferred” to a new SIM card. If the operator performs insufficient verification, the attacker receives SMS messages, recovery codes, and access to accounts. With control of the victim’s email and 2FA, the attacker can reset passwords and drain crypto holdings. Sometimes attackers bribe operator employees or use social engineering to bypass checks. SIM swap attacks are often combined with phishing campaigns and leaked data to increase success rates.

How to Protect Yourself

  • Switch 2FA from SMS to more secure methods: hardware keys (U2F/WebAuthn) or authenticator apps.
  • Set a PIN or password with your mobile operator for SIM changes and enable notifications for any number transfer.
  • Limit publicly available personal information and use separate email addresses for critical accounts.
  • Enable login and password-change alerts on all accounts.
  • Act quickly if you suddenly lose mobile service: contact your operator immediately to investigate potential SIM swap attempts.

NFT Scams & Fake Marketplaces

Phishing

Goal of the Attack

Trick users into buying fake NFTs, or gain control over NFTs through fraudulent approvals.

Attack Scenario

    Attackers create replicas of popular NFT marketplaces or collection pages and advertise “discounts,” “sales,” or “airdrops.” When a user connects their wallet and signs a transaction, they might think they are purchasing an NFT, but in reality, they are: granting spending permissions (approve) to the attacker, or transferring ownership of their NFT.

    Another common tactic is selling visually similar fake versions of rare NFTs using the same names and images. Scammers often set up fake Twitter or Discord accounts posing as curators and announce “exclusive sales” with secret links.

How to Protect Yourself

  • Always verify marketplace URLs and the smart contract address of the NFT collection through official sources.
  • Confirm ownership via a block explorer and check token metadata.
  • Never sign approval transactions without fully understanding what permissions you are granting.
  • Use hardware wallets to verify transaction details on-device.
  • For large purchases: research the collection’s history, seller reputation, and look for official verification badges.

Public Seed Phrase

Social Engineering

Goal of the Attack

Trick users into importing someone else’s seed phrase into their wallet so the scammer can steal the funds they send (usually for transaction fees) and generate a steady stream of small profits.

Attack Scenario

    A scammer posts a message on forums, Telegram, Discord, Twitter, YouTube comments, Reddit, or any other platform — or sends a direct message — pretending to be a naive beginner and asking for help to transfer crypto. They share a wallet with tokens. A victim — usually a newcomer — either wants to help or is tempted to claim the “free” tokens, imports the seed phrase into their wallet, and sees real tokens inside. Excited by the opportunity, they rush to claim the “free” tokens. However, to transfer these tokens, the wallet requires paying network fees (gas) in the blockchain’s native currency — e.g., ETH, BNB, MATIC. The victim sends a small amount of ETH or another coin to pay the gas. Meanwhile, the scammer, constantly monitoring the wallet, immediately drains the deposited gas funds. Some scammers use multisig wallets to minimize their own risk, ensuring they act faster than any other potential “claimers.” The victim loses money, while the scammer earns a steady flow of small deposits from many unsuspecting users.

How to Protect Yourself

  • Never import someone else’s seed phrase into your wallet.
  • Check wallet balances safely: use online tools to generate addresses from a seed phrase and view balances via a blockchain explorer, without importing it into your own wallet.
  • Keep your own seed phrase offline and never share it with anyone.

Clipboard Hijacking

Malware

Goal of the Attack

Intercept and steal cryptocurrency during a transaction by replacing the recipient address with the attacker’s address.

Attack Scenario

The victim is tricked into installing software: a fake wallet, game patch, “crypto tool,” PDF/archive with embedded malware, a malicious link, infected USB drive, or a compromised installer. The malware gains access to the system and monitors the clipboard. When it detects text resembling a crypto address (e.g., starting with 0x for Ethereum), it automatically replaces it with the attacker’s address. The victim pastes the address (Ctrl+V) into the recipient field, believing it’s correct, and sends funds — which go straight to the attacker.

How to Protect Yourself

  • Download software only from official sources and verified repositories.
  • Check digital signatures or SHA256 hashes when available.
  • Avoid running executables from emails, torrents, or suspicious links.
  • Use isolated environments for crypto — separate PC, virtual machine, or separate user profile.
  • Always verify the full recipient address, not just the beginning or end.
  • Use hardware wallets — they display the recipient address on-device before signing.
  • For large transfers:
    1. Verify the address via another communication channel (call, video, secure messenger).
    2. Send a small test transaction.
    3. Send the main amount after confirmation.

Romance Scam

Social Engineering

Goal of the Attack

Build a romantic or “trusted” relationship with the victim to emotionally manipulate them into sending crypto or sharing access to funds.

Attack Scenario

    The scammer creates an attractive profile (stolen photos are common) and contacts victims on dating sites, Telegram, or Instagram. They often seek out victims in specialized crypto chats, sending them a private message asking for more information about the chat, a review of an influencer, or a recommendation for crypto courses. The conversation quickly turns to personal topics, with frequent messages, compliments, and emotional support. Over days or weeks, the scammer builds trust, shares personal "stories", supposedly sharing similar values, sometimes showing "photos", and making phone calls. They demonstrate a willingness to engage in financial relationships (joint purchases, investments, assistance).

    When trust is high the scammer manufactures an emergency or opportunity that requires money — e.g., sudden medical bills, visa fees, “taxes” to withdraw funds, or a time-limited “exclusive investment.” They pressure the victim (guilt, urgency, secrecy: “don’t tell anyone”), push complex instructions (use this wallet/bridge/exchange), or ask for a direct crypto transfer. After the transfer the scammer may invent further needs (“one more fee”) until the victim completely stops communicating.

    Variations:
    • The scammer poses as an industry insider who can “help grow” or “rescue” funds (fake investment manager).
    • Fake screenshots of balances, bogus deposit confirmations or staged “demo transfers” are used to convince victims.
    • Scammers add fake third parties (lawyers, exchanges, escrow services) to seem legitimate.

How to Protect Yourself

  • Never send crypto to someone you don’t know in real life. Crypto transfers are irreversible.
  • Verify identity: check account age, followers, inconsistencies. New accounts or sparse social presence are red flags.
  • Insist on a live, high-quality video call (good lighting, specific actions or a timestamp). Note: deepfakes/AI video are improving — video lowers risk but is not foolproof.
  • Reverse-image search profile photos — the same photo used elsewhere usually indicates a fake.
  • Keep finances private: don’t share wallet balances, exchange accounts, or custody details with new contacts.
  • Refuse “help” with withdrawals or investing unless it’s through reputable, licensed entities with clear contracts. Real investment partners won’t demand upfront crypto transfers without legal paperwork and transparency.
  • Use escrow / regulated services for any joint investment — never send money to a personal wallet.
  • Red flags:
    • Urgent requests for money/crypto.
    • Pressure to keep the relationship or transaction secret.
    • Refusal of video or live communication.
    • Requests to send crypto to personal wallet addresses or to use obscure exchanges/bridges.
Separator Trick

Social Engineering

Goal of the Attack

Make the victim misread a numeric amount (due to dot/comma/space differences) and send a large “refund” or overpayment to the attacker.

Attack Scenario

    The attacker and victim agree on a payment — for example, $125. The attacker then sends a small amount whose display is ambiguous across locale formats (e.g. 1,125 USDT or 1.125 USDT): it reads as one point one two five (1.125) in some locales and as one thousand one hundred twenty-five (1,125) in others.

    Immediately the attacker contacts the victim claiming they accidentally sent 1,125 (one thousand one hundred twenty five) instead of 125, demanding an immediate refund of the “excess” $1,000 (one thousand). They rush and distract with calls/messages, pressure, or threats. The victim glances at a screenshot or a transaction listing and — reading the separator differently or misreading the display — thinks the attacker really overpaid, so returns the “extra” funds from their own wallet. In reality the on-chain amount was a tiny sum and there was nothing to refund.

How to Protect Yourself

  • Don't rely on blockchain explorers or screenshots. The only reliable way to know how much has been received is to check your wallet's actual balance. Your wallet will display the actual amount in your preferred format.
  • To be sure, compare how this amount is formatted with the amounts of your other tokens. If you know for sure you hold less than one bitcoin, look at the separator that follows the leading zero in that balance: that is the decimal separator your wallet uses.
  • Use working addresses with a minimum balance: If possible, keep the balance in addresses used for receiving payments to a minimum or zero.
  • Train your team: If you manage a company or service that accepts cryptocurrencies, ensure all employees handling wallets are aware of this and other similar scams.
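
An added example (not part of the original page) of why the displayed string cannot settle a refund claim: it lists every value an amount string can be read as, then derives the received amount from the integer your own wallet or node reports for the transfer. The 6-decimal setting (as USDT uses on Ethereum) and all function names are assumptions of this example.

```python
from decimal import Decimal

USDT_DECIMALS = 6  # assumption: 6 decimal places, as USDT uses on Ethereum


def readings(display: str) -> set:
    """Every value a reader could take from an amount string, by locale."""
    text = display.replace(" ", "").replace("\u00a0", "")
    seps = [c for c in text if c in ",."]
    if not seps:
        return {Decimal(text)}
    if len(set(seps)) == 2:
        # Both marks present: the last is the decimal mark, the other groups thousands.
        dec = seps[-1]
        group = "," if dec == "." else "."
        return {Decimal(text.replace(group, "").replace(dec, "."))}
    sep, out = seps[0], set()
    if len(seps) == 1:
        out.add(Decimal(text.replace(sep, ".")))  # mark read as decimal point
    groups = text.split(sep)
    if 1 <= len(groups[0]) <= 3 and all(len(g) == 3 for g in groups[1:]):
        out.add(Decimal(text.replace(sep, "")))  # mark read as thousands grouping
    return out


def from_base_units(raw: int, decimals: int) -> Decimal:
    """Exact amount from the integer base-unit value; no separators involved."""
    return Decimal(raw).scaleb(-decimals)


def assess_refund_claim(display: str, raw: int, decimals: int,
                        agreed: Decimal, claimed_refund: Decimal) -> dict:
    """Compare a claimed overpayment with what the raw transfer value supports."""
    received = from_base_units(raw, decimals)
    due = max(received - agreed, Decimal(0))
    return {
        "ambiguous_display": len(readings(display)) > 1,
        "received": received,
        "refund_due": due,
        "claim_supported": claimed_refund <= due,
    }


if __name__ == "__main__":
    # Constructed case from the scenario: $125 agreed, "1,125 USDT" shown,
    # raw transfer value 1_125_000 base units, sender demands 1,000 back.
    print(assess_refund_claim("1,125", 1_125_000, USDT_DECIMALS,
                              Decimal(125), Decimal(1000)))
```
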
Fake Hardware Wallets (Counterfeit / Tampered Devices)

Phishing, Malware

Goal of the Attack

Trick victims into using counterfeit or tampered hardware wallets so attackers can steal private keys, intercept seed phrases, or cause the device to sign transactions that benefit the attacker.

Attack Scenario

    An attacker produces fake hardware wallets that look very similar to real brands (or rebuilds a genuine-looking shell with malicious internals) and sells them via unofficial marketplaces, auction sites, social media, or even in person.

    Variants include:
    • Pre-seeded devices: the device ships already initialized with a seed the attacker knows, so any funds moved to addresses shown by the device are drainable.
    • Modified firmware / bootloader: device appears normal but runs malware that silently signs attacker transactions or displays spoofed addresses.
    • Supply-chain tampering: genuine devices are intercepted, opened, and re-sealed with altered internals or added components.
    • Fake accessories / cables: malicious USB cables or adapters that exfiltrate data or inject commands during setup.
    • Cloned UI / apps: fake companion apps or drivers trick users into entering their seed on a computer or mobile device.

How to Protect Yourself

  • Buy only from official channels: buy directly from the manufacturer’s website or an authorized reseller. Avoid third-party marketplaces and “like-new” listings for security devices.
  • Check tamper evidence: genuine devices often have tamper-evident seals, holograms, branded packaging, and manufacturer serials — compare these with official images and documentation.
  • Never use pre-initialized devices. If a device arrives pre-initialized, return it.
  • Verify firmware & signatures: update and verify firmware only through the official companion app/site. Check cryptographic firmware signatures where the vendor provides them.
  • Confirm address on device screen: always verify the receiving address on the hardware screen itself (not on your computer) before sending funds. If the device cannot display addresses clearly, do not use it for large amounts.
  • Avoid entering seed into software: never type or paste your hardware seed into a PC or phone. The seed must be generated and stored only on the device (or on a secure backup you control).
  • Test with small amounts first: do a small deposit and withdrawal to confirm the device behaves correctly before moving large balances.
  • Use passphrases / multi-sig for large holdings: add a passphrase (BIP39 passphrase) or, better, keep large holdings in multisig setups so a single compromised device can’t drain everything.
  • Keep trusted communication: verify the device’s serial/fingerprint with the manufacturer if you have doubts; contact official support channels for confirmation.
  • Avoid used or gifted wallets: never accept a pre-owned hardware wallet unless you can fully factory reset it and verify it initializes as brand-new (and even then, prefer buying new).
Honeypot

Phishing, Social Engineering

Goal of the Attack

To trick users into believing they’ve found a profitable or exploitable smart contract — luring them to deposit funds that can’t actually be withdrawn.

Attack Scenario

    In general, a Honeypot is the cheese in the mousetrap — something that looks irresistibly good, but exists only to lure the victim in. In the crypto world, it refers to any setup that promises easy profit, risk-free investment, or unrealistically favorable conditions — yet is designed so that only the scammer can win.

    In the first scenario, scammers mint a new token, add liquidity on a DEX, and aggressively market it (socials, influencers, Telegram, fake AMAs, “exclusive listing” claims). Price moves up as buyers enter, liquidity looks present, and charts look healthy — until holders try to sell. Due to hidden logic in the token contract, any sell, transfer to a DEX router, or transferFrom call that would move tokens out of user wallets reverts, returns false, or is blocked by conditions (whitelists, huge sell tax, per-address flags, canSell checks, blacklists). The attacker can still transfer or swap tokens (often because they are exempted by a whitelist or isOwner condition), so they can withdraw liquidity or sell their allocation while others cannot.

    Variants include:
    • A contract that sets an effective 100% sell tax or burns tokens on sell so sellers lose funds;
    • A contract that blocks transfers to router / pair addresses for non-whitelisted wallets;
    • A contract that silently reverts only on sell paths;
    • Tokens that behave normally for buys (so charts look good) but prevent approve/transferFrom behavior needed for selling.

    In the second scenario, attackers deploy a smart contract that looks vulnerable, such as one that appears to let anyone drain its balance or claim tokens. The code might contain a visible “bug” or permission flaw that tempts users to exploit it for quick profit. When a victim sends crypto to the contract in an attempt to trigger the “exploit,” they find that their withdrawal transaction fails — because the code includes hidden logic that blocks them, while still allowing the scammer’s own wallet to move funds freely.

How to Protect Yourself

  • Don’t interact with unknown smart contracts, even if they appear to contain “obvious bugs.”
  • Analyze the code carefully — or have it reviewed by someone you trust — before sending any funds. Look for logic that: checks to/from against a router/pair, uses whitelists/blacklists, applies variable fees based on sender/recipient, or has owner-only exemptions.
  • Check contract interactions in a blockchain explorer: if all successful withdrawals come from the same address, that’s a red flag.
  • Prefer audited tokens and reputable launches: audits that explicitly check for sell-blocking behavior and ownership controls reduce risk (but audits can be faked — verify auditor reputation).
  • When in doubt — don’t buy: if you can’t fully understand the contract or the team is anonymous and aggressive marketing is present, skip it.
  • Avoid random “leaked” opportunities on Telegram, Discord, or Twitter promising easy exploits or rewards.
  • Remember: if a vulnerability looks too easy to exploit, it’s probably a trap — not a jackpot.
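
The explorer check from the list above, as an added example (not part of the original page): it groups swap attempts on a token's pair by sender and flags the pattern where many addresses bought but at most one ever sold successfully. The record layout, sender labels and the min_buyers threshold are assumptions of this example.

```python
# Constructed sample: swap attempts against one token's DEX pair, in the shape
# one could export from a block explorer. Sender labels are placeholders.
HONEYPOT_TXS = [
    {"sender": "deployer", "side": "buy", "ok": True},
    {"sender": "wallet_1", "side": "buy", "ok": True},
    {"sender": "wallet_2", "side": "buy", "ok": True},
    {"sender": "wallet_3", "side": "buy", "ok": True},
    {"sender": "wallet_1", "side": "sell", "ok": False},
    {"sender": "wallet_2", "side": "sell", "ok": False},
    {"sender": "wallet_2", "side": "sell", "ok": False},
    {"sender": "deployer", "side": "sell", "ok": True},
]
HEALTHY_TXS = [
    {"sender": "wallet_1", "side": "buy", "ok": True},
    {"sender": "wallet_2", "side": "buy", "ok": True},
    {"sender": "wallet_3", "side": "buy", "ok": True},
    {"sender": "wallet_1", "side": "sell", "ok": True},
    {"sender": "wallet_3", "side": "sell", "ok": True},
    {"sender": "wallet_2", "side": "sell", "ok": False},  # e.g. slippage too tight
    {"sender": "wallet_2", "side": "sell", "ok": True},
]


def sell_path_report(txs, min_buyers=3):
    """Summarise who managed to sell; min_buyers is an arbitrary example threshold."""
    buyers, sold, failed = set(), set(), set()
    for tx in txs:
        if tx["side"] == "buy" and tx["ok"]:
            buyers.add(tx["sender"])
        elif tx["side"] == "sell":
            (sold if tx["ok"] else failed).add(tx["sender"])
    never_sold = failed - sold  # tried to sell, never succeeded
    return {
        "buyers": len(buyers),
        "successful_sellers": sorted(sold),
        "blocked_sellers": sorted(never_sold),
        # Red flag from the list above: many buyers, at most one address ever exits.
        "red_flag": len(buyers) >= min_buyers and len(sold) <= 1 and bool(never_sold),
    }


if __name__ == "__main__":
    print(sell_path_report(HONEYPOT_TXS))
    print(sell_path_report(HEALTHY_TXS))
```

A single failed sell is normal on a healthy pair, which is why the report separates addresses that never managed to sell from those that failed once and later succeeded.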
Trading Bot Scam (Fake Bots, Signal Services & Poisoned Bots)

Phishing, Social Engineering

Goal of the Attack

Steal funds, credentials, API keys, or trick users into sending crypto by abusing trust in “automated trading” — either by selling worthless/rogue trading bots or by delivering malicious trading signals and instructions.

Attack Scenario

    Scammers sell or promote “high-performance” trading bots, signal services, or automated strategies promising big, consistent returns — often backed by doctored performance screenshots, fake audits, or fabricated testimonials to build credibility and drive sales.

    Common variants:
    • Fake paid bots / scripts: A user buys a bot (or downloads a “free” one). The delivered software either contains malware (keyloggers, clipboard hijackers), exfiltrates API keys, or is simply non-functional (a scam).
    • Poisoned bot (backdoor): The bot appears to trade normally, but includes a hidden backdoor that sends your API keys, places orders favoring the attacker, or cancels profitable trades and lets the attacker profit.
    • Phony signal services / channels: Paid signal groups (Telegram/Discord) share winning-looking signals. Victims follow them and place trades on centralized exchanges or DEXes; the operator front-runs the signals, uses wash trading, or manipulates liquidity so subscribers lose.
    • API key theft: Scammers trick users into pasting full API keys (often with withdrawal privileges) into a web form, a config file, or the bot UI. With those keys the attacker can withdraw funds or place orders.
    • Social-engineering setup: The scammer offers “setup help” and convinces a user to grant remote access (TeamViewer/AnyDesk) — then steals keys or moves funds directly.

    Victims may be experienced traders attracted by the promise of automation or newcomers chasing “easy alpha.” Losses range from subscription fees to full account drain.

How to Protect Yourself

  • Never share full API keys with withdrawal permissions. Create API keys with only required permissions (trading, no withdrawals) and IP-restrict them where the exchange supports it.
  • Buy only from reputable vendors and prefer open-source bots with visible, audited code. Be suspicious of anonymous sellers and unverifiable performance claims.
  • Audit the code or get an expert to review it before running any bot, especially if it requires your API keys or runs on your machine/server.
  • Run bots in isolated environments: use a dedicated VPS or container without personal data, and avoid running unknown executables on your main workstation.
  • Prefer bots with client-side key storage (keys never leave your environment) or hardware-backed signing where possible.
  • Avoid granting remote-access tools to unknown helpers. If you must use remote support, use screen-sharing only (no file transfer, no clipboard sharing) and revoke access immediately after.
  • Check signal service transparency: require proof of live, verifiable trades on on-chain explorers or exchange order history (not just screenshots). Beware services demanding upfront private deposits or “seed funds.”
  • Use monitoring & alerts: enable account notifications for new API keys, logins, and withdrawals; regularly review active API keys and revoke unused ones.
  • Test with small amounts: when trying a new bot or signal, run it with minimal capital or paper-trade first.
  • Red flags:
    • Promises of guaranteed returns or unrealistic, steady gains
    • Requests for API keys with withdrawal rights or remote-access requests
    • Pressure to act quickly, “limited seats” for a signal service, or exclusive pricing
    • Private DMs offering custom bots or one-on-one setup that requires sharing secrets
    • Sellers who refuse code inspection or show only static screenshots of profits
Offline Exchange Scam: Seed Phrase Theft

Phishing, Social Engineering

Goal of the Attack

Steal the victim’s cryptocurrency by gaining access to their wallet seed phrase.

Attack Scenario

The scammer arranges an in-person meeting under the pretext of a legitimate offline crypto exchange. They claim that the victim’s existing wallet might be “compromised” or “dirty” and insist that a new wallet must be created. While assisting or observing the wallet creation, the scammer covertly records or photographs the victim’s seed phrase using hidden cameras or a third party. Once the seed phrase is exposed, the scammer can empty the wallet remotely.

How to Protect Yourself

  • Create wallets yourself in a private, secure environment
  • Be cautious of anyone insisting on new wallets or claiming your wallet is unsafe
  • Use hardware wallets and verify transactions without outside help

Share Your Story

If you’ve been a victim of a scam or have uncovered a new type of fraud, tell us about it. Verified cases may be added (anonymously, if you wish) to our Scam Schemes Catalog to help others recognize and avoid similar traps.

Knowledge is the Best Defense

Awareness and education are key tools to protect yourself from evolving scam tactics. But remember: it’s impossible to know or anticipate every scam out there — technology evolves, and scammers constantly invent new ways to steal your funds. What matters is staying alert and building smart security habits.

Stay Informed

Always research new projects, wallets, and dApps before interacting or investing.

Use Secure Tools

Prefer hardware wallets, verified extensions, and strong 2FA for all crypto operations.

Educate Others

Share your knowledge with friends and colleagues — awareness helps prevent future scams.
