Several thousand people, every single day, lose money in crypto scams that route through Telegram, X, Discord, Tinder and LinkedIn. It is not just beginners. Some of the worst losses I have seen personally were taken by ten-year veterans who got tired one Tuesday afternoon and clicked the wrong popup. OKX's internal numbers for 2024 put global losses from phishing approval signatures alone north of $2.1 billion. The FBI's IC3 unit, looking at the US slice only, logged $5.6 billion in crypto-related fraud the same year — and that is only the reported portion. The eight playbooks below are the ones I have seen most often across a decade. Each case study unpacks the opening script, the technical mechanic, and why smart people still fall for it. Learn to recognize each pattern and you will save yourself at least a year of expensive lessons.
Fake exchange support · remote takeover of your account
Typical script
It starts with something that looks like a small problem on your account. A text message saying a withdrawal "could not be processed," or an email warning of "unusual login activity from a new device." 2024 industrialized this playbook — in a single week on Telegram I count five to eight DMs from "Binance support" or "Coinbase risk team," and none of them are real. A few minutes later someone "from support" reaches out by Telegram, WhatsApp or phone. They use your real name. The voice is calm and professional. They ask you to install a "remote assistance tool" so they can "check the issue" — AnyDesk, TeamViewer, or sometimes Quick Assist on Windows. You install it.
You watch the mouse move on your own screen. They open your exchange, change API permissions, rotate your withdrawal whitelist, push funds out. You hesitate to interrupt, because the "agent" is narrating each step as routine procedure. By the time you realize what is happening, the balance is gone.
What is actually happening technically
- The attacker already has your real name, partial phone number, and recent activity, scraped from past data leaks — the 2022 Binance KYC leak, the 2023 Coinbase third-party support breach via OctaPlus, and the standing ledger of compromised email lists on the dark-web markets. They sound legitimate because they know enough about you to sound legitimate.
- The "official" text and email are SMS spoofing and phishing — the From-address can be set to almost anything by an attacker with the right relay. The branding looks authentic because the attacker copies it pixel-for-pixel.
- The real attack is the screen-share moment. Once you have given control, the attacker is operating as you. 2FA, Google Authenticator, hardware-key prompts — they all flow through your own session, which the attacker is now driving. Your second factor is no longer a second factor.
Defense
- Legitimate exchange support never DMs you first. Not on Telegram, not on WhatsApp, not by phone. If you need support, you initiate it from inside the app — settings → help → live chat. Any unsolicited "agent" reaching out is 100% a scammer.
- Never install AnyDesk, TeamViewer, Quick Assist, or any remote-control tool at the request of someone you have not met. Real exchange employees do not ask for remote access. Ever.
- If a message tells you "your account is in trouble," ignore the link in the message and open the exchange app directly from your phone home screen. Real account-status notifications are visible inside the app and on the verified support pages — not buried in an email link.
- When in doubt, post a redacted screenshot on the exchange's official X / Twitter account and ask publicly. Real support responds. Scammers do not.
Real case — a Coinbase-targeted attack in 2024
Ric Edelman's case is the public one, but the more typical version goes like this. In late 2024 a US user in Texas got a call at 10 PM from someone identifying as "Coinbase Fraud Prevention," reading back the user's name, last four digits of his phone number, and the dollar amount of his most recent ACH deposit. The caller said the account had been "accessed from a Kyiv IP" and that they needed to "verify identity through assistance software." The user installed AnyDesk. What the attacker actually did during the so-called verification was enable API write permission and disable SMS-based withdrawal verification. Eighteen minutes later $300,000 of USDC had been split across six destination addresses, all converging into Tornado Cash. Law enforcement opened a case six months later; cross-border recovery rates on this category sit well under five percent. The money is gone.
"Trading guru" signal groups · using you as exit liquidity
Typical script
On X, TikTok or YouTube Shorts a "seven-figure trader" shows you portfolio screenshots, photos of luxury cars, screenshots of grateful followers wiring tribute payments. They funnel you into a Telegram or Discord group, where you get the first three signals "for free." Coincidence of coincidences, the first three are all winners. You make some small wins. The guru seems remarkable. Then the guru announces "the trade of the cycle," 10x leverage, in a signal that drops a few seconds before you have time to think. You go in heavy. You blow up. You return to the group and find that you have been silently removed.
The arithmetic of the con is survivor selection. The guru starts with a thousand DM targets. He tells half of them BUY and the other half SELL. Whichever side won is the half he keeps. He splits that half again. By round four or five he has a small group of "lucky students" who have seen him be right four to five times in a row, and they think he is a genius. That is the group he sells the final losing signal to.
What is actually happening technically
- The "PnL screenshots" inside the group are almost always Photoshop or demo-account screenshots. On-chain verifiable accounts — which are trivial to produce by linking a TradingView portfolio to a public wallet — are essentially never offered.
- Most of the "happy followers" in chat are sockpuppet accounts and bots running on a posting cadence: "Guru got me +50% on that call," "thank you sir," all within the first five minutes after a signal drops. Statistical timing fingerprints these instantly.
- The most aggressive version is the "house" variant: the platform the guru sends you to is a fake exchange where the guru is paid a cut of your losses. You are not just being mis-signaled — your counterparty is the guru.
Defense
- Real edge does not need followers. If a person can extract money from markets reliably, the income from trading dwarfs anything they could collect from VIP fees. The very fact that someone is collecting VIP fees is itself a strong signal that the actual edge is the fee, not the trade.
- Any guru who routes you to a no-name exchange to "open an account first" is 100% scamming. The route is the entire business.
- When someone posts profit screenshots, ask them to prove it with an on-chain wallet address. Exchange screenshots can be fabricated; a chain-linked wallet history cannot. The response to that question is the entire test.
- Time-stamp the "congratulations" messages inside any group. If forty messages land within five minutes of a signal and then traffic dies for hours, you are looking at bots.
Variant · the legit-platform copy-trading trap
In the last two years a more sophisticated version has emerged on real platforms — Bitget Copy Trading, Bybit Copy Trading, eToro CopyTrader. Some "high-ROI" trader runs a giant leveraged position on his public profile to flex eye-popping monthly returns, attracts followers, then secretly opens an opposite-direction position on a second account. When the followers copy his showcase trade, he profits on the opposite side as their copy trades push the market against them. Even regulated platforms cannot fully prevent this, because they have no way to know whether a trader is being authentic or running a setup. The defense is to never copy traders whose track record is under twelve months, whose maximum drawdown exceeds 30%, or whose equity curve looks like a hockey stick. Look for boring, smooth curves over multiple cycles, not the flashiest monthly return.
Approve drains · one signature empties the whole wallet
Typical script
You see an NFT project advertising an airdrop, or a DeFi yield product with an obscenely high APR. You click the link in a tweet (the URL is one character off from the official domain — uniswap-claim.com instead of uniswap.org). You connect MetaMask. You click "Claim Airdrop" or "Stake Now." MetaMask pops up a signature prompt. You scan it quickly — it looks like a normal approval. You click confirm. Within seconds your USDC, ETH, WBTC, and any blue-chip NFTs are gone. The wallet is empty.
What is actually happening technically
- You think you signed "claim airdrop." What you actually signed is
approve(attackerAddress, MAX_UINT256)— granting unlimited spending permission of one of your tokens to the attacker's contract. Once the approval is on chain, the attacker can drain that token at any time, without any further interaction from you. - For NFTs the worst version is
setApprovalForAll(attacker, true)— giving the attacker permission to transfer every NFT in your wallet from a given collection. One signature; entire CryptoPunks position gone. - The newest variant uses EIP-2612 Permit2 signatures. Rather than producing an on-chain approve transaction, the attacker collects an off-chain signature that allows USDC to be moved directly. No on-chain footprint until the attacker decides to drain — which makes detection much harder.
Defense
- Before signing any wallet popup, read the "Function" field. Transfer = transfer (the amount is visible and bounded). Approve = approval (the amount, especially MAX_UINT256, is what enables drains). Sign Message = a typed signature — usually safe, but Permit2 hides drains here, so check the recipient address.
- Verify every URL at the character level before connecting. Cross-check the link against the project's verified X account and Discord. Bookmark the official URL the first time you visit and never type or click the link again.
- Run a separate "hot wallet" for risky interactions — a fresh MetaMask address that holds only the ETH you need for gas. Your main holdings live in a separate wallet that never touches new contracts. If the hot wallet is drained you lose lunch money, not your savings.
- Audit your active approvals at revoke.cash every month. Revoke anything you are not actively using. Each revoke costs a few dollars of gas; it is the cheapest insurance in DeFi.
- Use a hardware wallet for serious holdings. A Ledger or Trezor displays the full transaction payload on its own screen before you confirm — an approve drain is conspicuously visible at that point in a way that it is not in a MetaMask popup.
Real case · the Ledger Connect Kit supply-chain attack (Dec 2023)
The Connect Kit JavaScript library that Ledger publishes for DApp developers — used by SushiSwap, Zapper, Revoke.cash itself, and many other front-ends — was compromised by a former Ledger employee whose npm credentials had not been revoked. For roughly five hours, every site that imported the library was a phishing site: connecting a wallet and signing what looked like a normal interaction actually triggered an approve to attacker-controlled addresses. Total losses across the window were about $600,000. The most painful detail is that even Revoke.cash, the standard tool for protecting against approve attacks, was compromised. The takeaway is structural: even tools you trust can flip in a moment. The wallet you use for any DeFi interaction must be separate from your main wallet — no exceptions, no convenience cases.
Fake airdrops · tokens that appear in your wallet unannounced
Typical script
You open MetaMask one morning and notice a new token sitting in your wallet. It is called something like "Visit Site Claim Reward" or "$25000_USDT_Reward." The displayed balance suggests it is worth thousands of dollars. Curious, you click through. A popup tells you to "go to the official site to claim." You land on a slick, professional-looking page that asks you to connect your wallet and sign. You sign. Your USDC and ETH disappear.
What is actually happening technically
- Attackers use the
airdropfunction to spray "tokens" to tens of thousands of wallets at once. Issuing a token is essentially free — gas is the only cost, and on cheap chains like Polygon or BSC it is negligible. - The tokens are honeypots. You can see the balance on the explorer but you cannot sell — the contract has a transfer restriction that allows only the deployer's addresses to move them. The "value" is a mirage.
- The token name itself contains the phishing URL. The point of the token is not the token; the point is to lure you to a website.
- Once you visit the site, the playbook collapses into CASE 03 — connect wallet, sign approve, get drained.
Defense
- Unexpected tokens in your wallet are 99% scams. Hide them; do not interact. Etherscan, Arbiscan, OKLink, and BSCScan all flag the obvious ones as "Spam" or "Phishing" — when you see those labels, simply mute the contract.
- Real airdrops are announced weeks in advance by the project's verified X account and Discord. You typically have to actively claim them, and the signature is a simple message proof, not an approve.
- Apply a 24-hour cooldown to any "limited-time airdrop." Real airdrops never have 24-hour cliffs; the urgency is the tell.
Real-airdrop vs. fake-airdrop checklist
- Real: announced weeks in advance from a verified project account with a credible history. Snapshot date is published. Claim site uses the project's main domain. The signature you sign is a plain message proof, not an unlimited approve.
- Fake: token appears in your wallet out of nowhere. Token name contains a URL. The "claim site" is on a sketchy TLD (.xyz, .top, .live, .app). Connecting your wallet immediately prompts for an approve on a large-balance token.
Uniswap, Arbitrum, Optimism, ENS, Jupiter, Wormhole, EigenLayer — every legitimate large airdrop in history maps to the "real" checklist. If you ever have doubt about whether an airdrop is genuine, the simplest verification is to look up the project's official Discord announcement channel. Real ones say "claim is live" or "claim has ended"; fake ones never have any official mention at all.
Fake exchanges · lookalike domains and clone apps
Typical script
You search "Binance download" on Google. You click the first ad result. You install the app. The interface is pixel-identical to Binance. You complete KYC, deposit USDT, and trade for a few weeks — everything appears to work. A few months later you try to withdraw. The app responds with "withdrawal requires a 30% tax clearance deposit before release." You pay. The app says it still needs more. You pay again, with rising doubt — but by now your balance no longer displays.
What is actually happening technically
- The attacker registers a lookalike domain (binance-us.app, binance-pro.live) and pays for the top Google search ad. Most users do not check the URL after clicking a sponsored result.
- The "exchange" is a clone front-end with the attacker's own back-end database. Deposits to the app go directly to attacker-controlled addresses; the app simply pretends to credit your account.
- On iOS, these apps are distributed via enterprise certificates (App Store would flag them). On Android, via direct APK side-load. The certificate trick is the giveaway — real exchanges live in App Store and Play Store full stop.
Defense
- Never download an exchange app from a search-engine ad. Go directly to the App Store, the Play Store, or the exchange's bookmarked main domain.
- iOS users: if an app prompts you to "install enterprise certificate" or "trust developer profile," it is 99% fake. Real exchange apps never require this.
- Before any meaningful deposit, run a small withdrawal test — deposit fifty dollars, withdraw fifty dollars, confirm it lands in your real wallet. Only after this round-trip succeeds do you scale.
- "Withdrawal verification bond," "tax clearance fee," "regulatory release" — these are all 100% scam triggers. Real exchanges do not ask you to deposit additional funds to withdraw existing ones.
How lookalike domains usually fool people
- Character substitution: "binance" written with a lowercase L instead of an uppercase i, or with a Cyrillic "а" instead of a Latin "a." The rendered domain looks identical in most fonts.
- TLD substitution: binance.com vs. binance.app, binance.live, binance.io. The prefix is correct; the suffix is the trap.
- Subdomain dressing: binance-us.com, binance-official.com. The legitimate-sounding hyphenated suffix lowers suspicion.
- Punycode homoglyphs: Unicode characters that render identically in the browser's address bar but represent different code points. Modern browsers warn for the most egregious cases, but not all.
The fix is mechanical: bookmark every official exchange URL on the day you first sign up, and after that, always reach the exchange through the bookmark. Never type the URL again, never click a search result. This single habit eliminates the entire category of attack.
Where the money goes after a fake-exchange deposit
USDT deposited to a fake exchange typically moves out of the receiving wallet in ten to thirty minutes. The path is industrialized — first to a hot collector, then split across dozens of mid-tier intermediary wallets, then converged into either a mixer (Tornado Cash, eXch) or pushed across a bridge to Tron or Solana to swap out of stablecoins entirely. The whole sequence completes in under two hours. That is why the small-withdrawal test must be run before any real deposit. After the deposit is in, even if you recognize the platform is fake immediately, the funds are already in the laundering pipeline and recovery is essentially impossible.
Pig butchering · romance + "guaranteed-yield trading platform"
Typical script
A match on Tinder or Bumble, a connection request on LinkedIn, a chance encounter on WeChat or Telegram. The profile is a polished young professional — Singapore-based investment banker, San Francisco product manager, Hong Kong fund analyst. The photos look real and the conversations flow naturally. Over weeks, the relationship deepens. They talk about life, work, family, ambitions. Eventually, the conversation drifts to investing. They mention that their uncle (or family friend) has access to an "internal trading system" that produces five to ten percent weekly returns in crypto. They are already participating. Would you like to try a small test trade together?
You put in $1,000. The platform shows a $200 profit. You request a withdrawal. The withdrawal arrives in your bank within hours. Encouraged, you deposit $10,000. Then $50,000. Then $100,000. The on-screen account keeps growing. The relationship continues to deepen. When you finally try to withdraw the full balance, the platform tells you it requires a "tax pre-payment" — typically 20 to 30 percent. You either pay it or watch the balance freeze. If you pay, a new fee appears. Then a new fee. Eventually you stop and try to call them. The phone is disconnected. The Tinder match has vanished. WeChat blocked. There is no person — there never was.
What is actually happening technically
- The "investment banker" is an industrial persona. The photos are scraped from Instagram or stolen from third-party social accounts. The conversational personality is run by a team of operators using a shared script, often working from compounds in Southeast Asia.
- The "trading platform" is a custom dashboard with no real settlement engine behind it. Deposits go directly to the operators' addresses; the screen-balance is a number in a database that is incremented to whatever the script calls for.
- The small withdrawal you receive early is bait. It is paid out of the same pool the next victim's deposit will fund — it costs the operators nothing relative to the eventual extraction.
Defense
- Any crypto investment "discovered through a new acquaintance" is pig butchering. The FBI's IC3 division logged $5.6 billion in US crypto investment fraud reports for 2024 alone, the overwhelming majority of which traces back to this pattern. No exceptions, no edge cases — if the lead came from someone you met on a dating app or LinkedIn within the last few months, walk away.
- A stranger online steering you to download an app or open an account on an unfamiliar platform is the textbook opening move. Treat the request itself as the red flag.
- If you do video calls, watch for telltale signs of AI face replacement — lip-sync drift on consonants, abnormal blink frequency, soft hair edges, lighting that does not match the room. Ask the person to wave a hand in front of their face; AI face filters often glitch on occlusion.
- Real relationships do not produce "internal investment opportunities" three weeks in. Real investing relationships are slow, boring, and start with a registered advisor — not a Bumble match.
The pig-butchering supply chain
The term "pig butchering" — a translation of the Mandarin shā zhū pán — is the industry slang for the full lifecycle: fatten the pig (build trust, induce larger deposits), then slaughter it (extract everything and disappear). This has industrialized into a global criminal supply chain over the past five years.
- Lead generation: teams of operators run hundreds of fake profiles on Tinder, Bumble, Hinge, LinkedIn, WhatsApp, WeChat, Instagram. A single operator can swipe-and-DM 200+ targets per day.
- Cultivation team: separate operators maintain the "successful young professional" persona, following a relationship-script playbook — good-morning texts, life sharing, gradual financial topic introduction. One cultivator handles dozens of marks in parallel.
- Tech team: builds and maintains the fake trading platforms, often using off-the-shelf SaaS scam kits. Generates the "account growth" displays victims see.
- Laundering team: handles outflows through mixers, bridges, on-chain P2P, OTC desks, and chains-of-shell-corp bank accounts in jurisdictions with weak supervision.
The compounds these operations run from are concentrated in Myanmar's Shan State, Cambodia's Sihanoukville zone, Laos's Golden Triangle special economic zone — regions where local enforcement is captured or absent. Recoveries hover at around 12% even when the FBI is involved; absent FBI involvement, recoveries are effectively zero. The only useful defense is to never engage in the first place. Any unsolicited stranger offering you a "way to make money in crypto" is a scammer, no exceptions, no benefit of the doubt.
Address poisoning · you think you copied your own address
Typical script
You have a wallet you transfer to often — call it 0xabc123...def456. One day you want to send funds and, out of habit, you copy the destination address from your recent transactions on Etherscan. You only glance at the first four and last four characters. They match. You paste, confirm, sign, send.
The funds arrive at an attacker-controlled address with the exact same first-four and last-four characters as your real target. The middle is different. You did not check the middle.
What is actually happening technically
- Attackers run on-chain crawlers that monitor large wallets for outgoing transfers. They see
0xabc123...def456as a recipient. - Using a vanity address generator with significant GPU brute-force, they generate a private key whose corresponding address starts with
abc123and ends withdef456. With modern GPUs, this takes hours, not weeks. - From the lookalike address, the attacker sends a tiny, zero-value transaction to your wallet. The point is to plant the lookalike address in your wallet's transaction history.
- The next time you check your history and copy the destination, you grab the poisoned address by mistake.
Defense
- Always verify the full address character-by-character before sending. Not just the first four and last four. Read or paste-compare the whole thing.
- Copy destination addresses from a trusted source — your own wallet's address book, a saved text file, the recipient exchange's deposit page — not from your transaction history.
- Run a small test transfer first ($1 USDC) before any large transfer. Confirm it lands at the intended target before sending the rest.
- Use the address-whitelist feature your wallet provides (MetaMask, Coinbase Wallet, exchange withdrawal whitelists). Outgoing transfers are restricted to addresses you pre-added under non-urgent conditions.
Real case · the $68 million address-poisoning whale (May 2023)
An anonymous large holder attempted to move $68M of USDT to their own cold wallet. They copied the destination address from a recent transaction history entry that turned out to be a poisoned lookalike. The funds flew straight to the attacker. The incident was tracked across X within hours, the attacker came under enormous public pressure, and — in an extraordinarily rare outcome — eventually returned the funds. Ninety-nine percent of address-poisoning victims never see their money again. The lasting consequence of that case is that hardware-wallet manufacturers now display the entire forty-character destination address on the device screen, with mandatory page-by-page confirmation. Ledger and Trezor both made this change in subsequent firmware. The mechanism that ate $68M from a whale was deemed too dangerous to handle in software alone.
Rug pulls and contract backdoors · the team vanishes overnight
Typical script
A new DeFi farm appears, advertising 5,000% APY. KOLs are retweeting it. The Telegram is buzzing with 20,000 members. The team published a one-page audit summary. You stake a few thousand USDC. Twenty-four hours later you come back to check. The liquidity pool reads zero. The token chart looks like a cliff. The project's X account is deleted. The Telegram link is dead. Nothing has been refunded; nothing will be.
What is actually happening technically
Rug-pull backdoors come in several common flavors:
- Unbounded mint function: the team can call
mint()at any time and dump the inflation onto the open market. - Owner can drain liquidity: the LP tokens are held by the deployer, not locked. One call and the entire pool of USDC and ETH walks out.
- Blacklist function: the contract can block specific addresses from selling, leaving retail unable to exit while the team disposes of its own bag.
- Fake audit: claims of "audited by CertiK" turn out to be a screenshot of someone else's audit, or an audit of a different contract.
Defense
- Any project advertising APY above 100% is 98% likely a Ponzi or rug pull. Sustainable on-chain yield sits in the 5-30% APY range — anything dramatically beyond that is being printed out of someone else's eventual loss.
- Inspect owner permissions. A contract whose owner can mint unboundedly, pause transfers, or blacklist users hands all power to the team. Treat ownership keys as the project's true governance.
- Check liquidity-lock status. Projects that lock LP for 12+ months on Unicrypt or Team Finance are meaningfully safer than projects that do not. "Locked liquidity" with no on-chain proof is not locked.
- Verify audits at the source. CertiK, Trail of Bits, OpenZeppelin, Halborn, Spearbit — their reports are published on the auditor's own site, not in PDFs hosted by the project itself.
- Size positions small. First week of a new project: pass. First month: small-bet position only. The amount you put into a brand-new project should be the amount you can write off as a learning expense.
Notable rug pulls of recent years
- Squid Game Token (Nov 2021): rode the Netflix series buzz to a 10,000x pump in five days, then the team cashed out and the token collapsed to zero. Estimated theft: $3.3M.
- AnubisDAO (Oct 2021): OlympusDAO-flavored fork raised 13,556 ETH (~$60M at the time) in hours; the funds were swept out of the multisig the same night.
- Snowdog (Nov 2021): Wonderland-flavored fork; the team exploited a pre-embedded backdoor 24 hours after launch and cashed out roughly $10M.
- Mantra OM (Apr 2025): the most recent reminder — a "compliant, mainstream" project audited by multiple firms and listed on tier-1 exchanges crashed 90% in a single afternoon, with strong evidence of coordinated insider selling. Audit and exchange listing are not protection.
The pattern: large market cap and long uptime do not immunize a project from rug behavior. The Mantra incident specifically caught a lot of people who had been confident that "mainstream" projects were past this risk. Never lower your guard because a project looks mature.
§ Industry data · the picture from chain analytics
Chainalysis's 2024 Crypto Crime Report puts global on-chain illicit volume at approximately $51 billion, with about $9.9 billion of that classified as scams, $2.2 billion as hacks, and $1.2 billion as ransomware. These are only the flows that touched the public ledger and could be traced. Off-chain pig-butchering losses — which often pass through bank rails, P2P wires, and OTC desks before they ever reach a blockchain — are estimated separately at $20-30 billion annually.
By category:
- Phishing / approve drain · approximately 35% of incidents — the single most common attack vector.
- Pig butchering · approximately 25% by count but with the highest dollar-per-victim ($50K-$100K average loss).
- Rug pulls · approximately 20% — DeFi's structural risk, slowly declining as audit norms tighten.
- Fake exchanges / clone apps · approximately 12% — disproportionately hits Asian retail and US users on Google ad results.
- Other (address poisoning, deepfakes, on-chain MEV abuse) · approximately 8% — but growing fastest.
Less than 5% of total losses are ever recovered. That is why the entire framing of this article is defense, not recovery. Once funds are gone, they are effectively gone.
§ Five rules that cut across every case
The eight cases above look mechanically different, but they all exploit the same two human levers: greed and fear. High APY hooks greed. "Your account is in trouble" hijacks fear. Time-limited airdrops manufacture FOMO that overrides judgment. The defenses below are deliberately general — they will protect you against scam variants that have not been invented yet.
- Anything that contacts you unsolicited is presumed hostile. Support agents, investment advisors, airdrop announcements, group "friends sharing tips" — they are all guilty until proven otherwise. The burden of proof sits with the contact, not with you.
- Compartmentalize wallets. Cold-storage main wallet (hardware, never online for risky interactions). Hot wallet (small balance for daily DeFi). Airdrop wallet (separate, only used for new contracts you do not yet trust). None of the three should ever be merged. Compromise of one does not compromise the others.
- Read every signature before approving. If you do not understand the function being called, close the popup and walk away. Any UX pressure to "sign quickly or miss out" is itself a 100% scam signal.
- 24-hour cooldown on any "limited-time" opportunity. Real opportunities survive a day's reflection. Scams require urgency to function. Adding 24 hours to your decision filters out 80% of attempted exploits.
- Audit approvals monthly. Visit revoke.cash. Revoke anything you are not actively using. Clear strange tokens that have appeared in your wallet. This monthly routine is the operational equivalent of changing the locks.
First minute: move any remaining funds from the compromised wallet to a brand-new wallet (cut off ongoing drains).
Immediately after: use revoke.cash to revoke every approval on the compromised address.
File: in the US, file with IC3.gov (FBI) and reportfraud.ftc.gov (FTC) — both within 72 hours. In the EU, file with your national cybercrime unit and submit a report to Europol.
Tag: use Chainabuse or MistTrack to flag the attacker addresses publicly — even if you do not recover, you prevent the next victim.
Beware second-scam: anyone DMing you offering "recovery services" after you go public is 90% running a follow-on scam. Real recovery work goes through law enforcement or registered firms — never through unsolicited DMs.
Multisig and timelocks · advanced defense
For meaningful balances, two structural upgrades are worth the operational cost:
- Multisig wallets: Gnosis Safe and similar (2-of-3 or 3-of-5 schemes). A single compromised key cannot move funds — a quorum of independent keys is required. Appropriate for family treasuries, team funds, and long-horizon HODL stacks.
- Timelocks: a 24-72 hour delay between when a transfer is initiated and when it can execute, during which the transfer can be cancelled. Gives you a window to catch your own mistakes (or a compromise) before funds leave. MakerDAO, Compound, Aave all use timelocks for treasury management.
The trade-off is operational friction — multisig is poorly suited to active trading. But for "long-term BTC and ETH I never want to touch," the friction is exactly the point. Set it up once, forget it, sleep better.
§ US/EU reader perspective · the playbook in your jurisdiction
The first eight cases above are jurisdiction-neutral patterns. The mechanics work whether you are operating from Manhattan, Berlin, Singapore, or São Paulo. But the regulatory recourse, the reporting channels, the insurance coverage, and the specific historical incidents that shaped how regulators react are all different in the US and EU — and ignoring those differences will cost you. This section is the part that does not appear in the Chinese version.
The SBF era · FTX, Voyager, Celsius, BlockFi and what changed
In November 2022, FTX — a $32 billion exchange with Super Bowl ads, Tom Brady endorsements, and a politically connected CEO — collapsed in 72 hours after a CoinDesk article exposed how much of sister-firm Alameda Research's balance sheet was the in-house FTT token. The collapse uncovered $8 billion in misappropriated customer funds. Sam Bankman-Fried was convicted on seven counts of fraud and conspiracy in November 2023 and sentenced to 25 years in federal prison in March 2024. FTX was not a one-off. In the same six-month window, Voyager Digital, Celsius Network, and BlockFi all filed for bankruptcy, taking US retail deposits down with them. Celsius had marketed itself as a "bank for crypto" with a chatty CEO who appeared on YouTube weekly; Voyager was a Nasdaq-listed lender; BlockFi had partnerships with Visa. None of them had FDIC coverage on the crypto deposits — that was buried in the terms of service that nobody read. The lesson burned into US retail consciousness from that period is the catchphrase that finally went mainstream: "Not your keys, not your coins." Funds on a CeFi platform are at the mercy of that platform's solvency. The 2022 cohort learned this the expensive way.
The 2024 Mango Markets precedent · what counts as crime
Avraham Eisenberg's 2022 exploit of Mango Markets — a $114 million extraction by manipulating MNGO token price across two thin venues — produced one of the most-watched court decisions in DeFi history. Eisenberg argued in court that his actions were a "legitimate trading strategy" that the protocol's code permitted. The Southern District of New York disagreed: in April 2024 he was convicted on commodities fraud, commodities manipulation, and wire fraud charges. The conviction established that "the code allowed it" is not a defense when the underlying trades constitute market manipulation under US law. For US-based DeFi participants, the implication is that "exploits" — including ones that look clever — can be prosecuted as crimes if the conduct fits manipulation statutes. The legal exposure for would-be exploiters is higher than the early-DeFi mythology suggested.
Pig butchering · the FBI IC3 picture
The FBI's Internet Crime Complaint Center recorded $5.6 billion in crypto-related investment fraud losses in calendar year 2024, the overwhelming majority categorized as pig-butchering scams. The typical victim profile in the US data is striking: middle-aged professional, college-educated, often previously divorced or widowed, contacted through Tinder, Bumble, Hinge, LinkedIn, or a "wrong-number" WhatsApp message that turned into a conversation. The average individual loss exceeds $200,000. Aggregate losses have grown roughly 50% year-over-year since 2021. If you are a US resident in your 40s-60s, this is statistically the single largest crypto-financial threat to your wealth — larger than market crashes, larger than exchange failures, larger than self-custody mistakes.
SIM swap attacks · the 2FA bypass nobody talks about enough
A SIM swap is when an attacker convinces your phone carrier (AT&T, T-Mobile, Verizon) to transfer your phone number to a SIM card the attacker controls. Once the swap is done, all SMS-based 2FA codes flow to the attacker, not you. Coinbase, Kraken, Gemini, and most US banks all support SMS 2FA as an option — and most US users use it because Authenticator apps feel intimidating. Documented SIM-swap losses in 2024 alone exceeded $400 million in crypto. The SEC's own X/Twitter account was SIM-swapped in January 2024, leading to a fake "Bitcoin ETF approved" tweet that moved markets before the actual approval days later. If even the SEC's social-media team got SIM-swapped, your carrier is not protecting your retail account either. The fix is binary: disable SMS 2FA everywhere and replace it with a TOTP authenticator app (Authy, Aegis, 1Password) or a hardware security key (YubiKey, Google Titan). Add a "port-out PIN" or carrier passcode that locks number transfers behind an in-store identity check. Both T-Mobile and Verizon now allow port-out lock at the account-protection settings level.
AI-generated deepfake livestreams · the 2024 surge
Starting in early 2024, YouTube hosted dozens of "Elon Musk live" deepfake streams every day — recycled Tesla earnings call footage retrofitted with synthesized lip sync over a "send 0.1 BTC and we will send 0.2 BTC back" voiceover. Total losses to these streams across 2024 are estimated at $50-80 million globally. The same playbook was applied with Michael Saylor, Vitalik Buterin, and Cathie Wood deepfakes. YouTube's content moderation is reactive — streams typically run for hours before being pulled, by which point new ones have already started. The defense is structural awareness: no legitimate public figure has ever run a "send X to get 2X back" promotion, and no legitimate exchange or project will ever ask you to send crypto to a "verification address" to prove ownership. The pattern itself is the tell.
Where to report and how recovery actually works in the US
The US has a fragmented but workable reporting ecosystem. The primary channels:
- FBI Internet Crime Complaint Center (IC3.gov) — the main federal database. Reports here feed into FBI investigations and inter-agency referrals. File within 72 hours for any incident over $10,000.
- FTC ReportFraud.ftc.gov — the civil-side complaint database. Feeds class-action prep and broader pattern tracking. File regardless of dollar amount.
- SEC TCR (Tips, Complaints, Referrals) at sec.gov — if the scam involves a "security-like" investment offering (most pig-butchering platforms do), an SEC filing adds civil-recovery pressure on top of criminal investigation.
- State attorney general — every state has a securities or consumer-protection unit. State-level cases can move faster than federal cases for smaller losses.
- Local FBI field office — for cases over $100,000, a phone call to your local FBI field office in addition to the IC3 filing meaningfully changes the priority on your case.
Recovery routes split between criminal (DOJ prosecution → asset forfeiture → distribution) and civil (private suit → judgment → enforcement). Criminal recoveries are slow (years), but produce the best outcomes when they happen because they can claw back from co-conspirators and money launderers. Civil recoveries are faster but rarely yield much if the bad actor is offshore and judgment-proof. Both paths benefit from contemporaneous documentation — screenshots, full chat logs, every transaction hash, every domain visited. Document everything within the first 24 hours, before evidence rots.
What FDIC and SIPC actually do and do not cover
A point that is consistently misunderstood in US retail: FDIC insures fiat deposits at insured banks, not crypto holdings at exchanges. When Coinbase displays "USD held in pass-through FDIC-insured accounts," that means dollars in a partner bank's account are FDIC-insured up to $250K; the BTC and ETH balances on Coinbase are not. SIPC, similarly, insures securities at broker-dealers — it does not extend to crypto. Coinbase has self-funded crime insurance of $255 million covering its hot wallet — that is meaningful but small relative to total custody balances, and it covers Coinbase's own losses (hack, theft) rather than insuring you against your own mistakes (you signed an approve drain, you got SIM-swapped, you sent to a poisoned address). Gemini carries similar self-insurance. Kraken does not publicly disclose a number. The practical implication: if you hold significant balances on a US exchange, do not assume any safety net beyond what the exchange's own crime-insurance policy explicitly covers. Move your long-horizon holdings to self-custody (see the wallet guide), and treat the exchange as a trading desk, not a vault.
The EU layer · MiCA, GDPR, and national reporting
For EU readers, MiCA (Markets in Crypto-Assets Regulation) entered full force in December 2024. The headline implication for scam defense: licensed exchanges operating in the EU must publish white papers, hold segregated client assets, and report incidents to national supervisors. This raises the bar at the platform layer, but does nothing about phishing, pig butchering, or SIM swap risk for the individual user — those remain consumer-side defenses. For incident reporting in Europe, the entry points are national: Action Fraud in the UK, BaFin's consumer-complaint unit in Germany, AMF Épargne Info Service in France, Polizia Postale in Italy. Cross-border cases ultimately flow through Europol's European Cybercrime Centre (EC3), but you almost always start with the national channel. GDPR gives EU users one significant tool that US users lack: you can compel exchanges (and even the scam platforms themselves, if they hold any personal data) to disclose what they have on you, which can produce evidence trails for civil and criminal cases. Use it.
State-of-mind difference · the US/EU defender's standing posture
A point of meta-defense that is particularly relevant for US and European readers: the institutional environment in this jurisdiction has trained you to expect backstops. Credit cards have chargebacks. Bank deposits have FDIC. Brokerage accounts have SIPC. Disputes have arbitration. None of those backstops cross over into crypto. Once a transaction is signed, it is final. There is no chargeback, no arbitration, no fraud-department refund. This is a different mental model than the one most US/EU adults default to, and it is the single most expensive misunderstanding I see new-to-crypto US/EU users make. Internalize that the defense layer is entirely on you — not on the platform, not on the regulator, not on insurance — and your decision-making improves immediately.
§ Why smart people still get scammed
A common pattern in the loss reports: a meaningful fraction of victims are software engineers, doctors, lawyers, executives — people with high cognitive horsepower who are not, by any normal measure, naive. Three reasons this happens:
- The smarter you are, the more you trust your own ability to spot a scam. On a tired afternoon, with a professional-looking popup in front of you, that confidence becomes a vulnerability. You click "confirm" because part of you assumes you would catch a real attack if it were one. Arrogance is the largest entry vector.
- Scams iterate; your knowledge is a snapshot. If you learned about approve drains in 2020, you may have no idea what a Permit2 signature is. Defense requires continuous updating. Reading articles like this once does not vaccinate you against attacks invented next year.
- Emotion bypasses reasoning. Pig butchering exploits attachment. Trading-guru groups exploit FOMO. "Your account is compromised" exploits panic. These all shut down the cortex and let the limbic system make decisions instead. Recognizing this — and applying a forced 24-hour cooldown to anything emotionally loaded — disables roughly 80% of attempted exploits before they reach a decision point.
§ Newest attack vectors · what to watch in 2024-2026
Three patterns that are growing fastest and deserve specific awareness:
1. AI voice cloning and video impersonation of family
Scammers scrape your social-media-visible photos and voice clips, train a personalized model, and produce a video call or voice message that appears to be from a family member or close friend: "I am in trouble and need you to send 5,000 USDC right now — I will explain later." The visual lip sync is convincing; the voice is indistinguishable. Hong Kong's Arup engineering firm was hit by a $25M deepfake-meeting scam in 2024 where every "executive" on a Zoom call except the victim was synthetic. Defense: establish a pre-agreed verification code with family members — a private question whose answer cannot be inferred from social media ("what was the name of my high-school chemistry teacher," "what was our cat's nickname when I was 12"). Any urgent money request via video must answer the code before any transfer.
2. MEV sandwich attacks and signature-route exploits
When you swap on Uniswap, PancakeSwap, or other public-mempool DEXes, MEV bots watch your pending transaction and front-run you with a buy that pushes the price up, then dump immediately after your trade to capture the slippage. This is not a "scam" in the social sense — it is on-chain extraction — but the outcome is the same: your funds quietly disappear into the bot operator's pocket. Defense: use MEV-protected RPCs (MEV Blocker, Flashbots Protect) or private-settlement DEXes (CowSwap, 1inch Fusion). Avoid swapping large amounts on public mempool DEXes when you have alternatives.
3. Fake "crypto recovery lawyer" follow-ons
After you have been visibly scammed and posted about it publicly, you will receive DMs from "law firms specializing in crypto asset recovery, 70%+ success rate, just a small investigation fee of $2,000 USDC upfront." Pay the fee and the firm vanishes — or asks for a translation fee, a bridging fee, a notary fee, indefinitely. Defense: any unsolicited DM from a "recovery specialist" after a loss is itself a scam. Legitimate recovery firms (Chainalysis investigations, CipherTrace, TRM Labs) do not cold-DM retail victims; they work with law enforcement under formal engagements. If you need recovery help, start with IC3, the FBI, or a personal-injury attorney who works on contingency — not anyone who messages you first.
§ Closing
These eight cases do not cover everything — new attack vectors appear every month. AI face replacement and voice cloning were a research demo two years ago; in 2024 they were the leading edge of attempted scams. The underlying psychology, however, never really changes: greed, fear, urgency, and trust are the four levers, and every scam pulls one or more.
Surviving as a beginner in crypto is not primarily about finding the next bull market. It is about not losing what you already have. The money you make in this space only matters if you still hold it next year. A single large scam can cost you what three years of grinding-bull-market discipline produced — and most people do not get another full bull market in time to make it back.
On a more personal note: getting scammed is not shameful. I lost 2 ETH myself in 2018 to a fake "private-sale insider" pitch on Telegram. At the time those 2 ETH were a few hundred dollars; today they are not. The thing that mattered then and matters now is acknowledging the loss quickly and moving on — not doubling down to "win it back," which is exactly the lever pig-butchering operators rely on for their final extraction. The victims who go on to lose the most are the ones who refused to accept the first loss and tried to chase recovery. The victims who recover their financial composure are the ones who write down the lesson, mark the calendar, and move on. Document the script that fooled you, the moment of mental blindness, the question you should have asked — that personal post-mortem is worth more than a hundred articles like this one because you lived through it.
Bookmark this page. Re-read it every three months. Each pass will surface a new "wait, I see that pattern in something happening to me right now" moment that the previous read did not catch. Security is layered habits, not a one-time installation. Stay paranoid, stay slow, stay skeptical — there is no shortcut in this business.
