Several thousand people, every single day, lose money in crypto scams that route through Telegram, X, Discord, Tinder and LinkedIn. It is not just beginners. Some of the worst losses I have seen personally were taken by ten-year veterans who got tired one Tuesday afternoon and clicked the wrong popup. OKX's internal numbers for 2024 put global losses from phishing approval signatures alone north of $2.1 billion. The FBI's IC3 unit, looking at the US slice only, logged $5.6 billion in crypto-related fraud the same year — and that is only the reported portion. The eight playbooks below are the ones I have seen most often across a decade. Each case study unpacks the opening script, the technical mechanic, and why smart people still fall for it. Learn to recognize each pattern and you will save yourself at least a year of expensive lessons.

CASE 01

Fake exchange support · remote takeover of your account

// social-engineering + remote control · ~22% of all reported incidents

Typical script

It starts with something that looks like a small problem on your account. A text message saying a withdrawal "could not be processed," or an email warning of "unusual login activity from a new device." 2024 industrialized this playbook — in a single week on Telegram I count five to eight DMs from "Binance support" or "Coinbase risk team," and none of them are real. A few minutes later someone "from support" reaches out by Telegram, WhatsApp or phone. They use your real name. The voice is calm and professional. They ask you to install a "remote assistance tool" so they can "check the issue" — AnyDesk, TeamViewer, or sometimes Quick Assist on Windows. You install it.

"Hi, this is Mike from Coinbase risk operations, agent ID CB-5891. Our system flagged an unusual outgoing transfer on your account that we have already blocked, but we need to complete a short five-minute verification with you, otherwise the account will go into a 72-hour hold. Could you add me on Telegram and download AnyDesk so I can guide you through the verification screen…"

You watch the mouse move on your own screen. They open your exchange, change API permissions, rotate your withdrawal whitelist, push funds out. You hesitate to interrupt, because the "agent" is narrating each step as routine procedure. By the time you realize what is happening, the balance is gone.

What is actually happening technically

Defense

Real case — a Coinbase-targeted attack in 2024

Ric Edelman's case is the public one, but the more typical version goes like this. In late 2024 a US user in Texas got a call at 10 PM from someone identifying as "Coinbase Fraud Prevention," reading back the user's name, last four digits of his phone number, and the dollar amount of his most recent ACH deposit. The caller said the account had been "accessed from a Kyiv IP" and that they needed to "verify identity through assistance software." The user installed AnyDesk. What the attacker actually did during the so-called verification was enable API write permission and disable SMS-based withdrawal verification. Eighteen minutes later $300,000 of USDC had been split across six destination addresses, all converging into Tornado Cash. Law enforcement opened a case six months later; cross-border recovery rates on this category sit well under five percent. The money is gone.

CASE 02

"Trading guru" signal groups · using you as exit liquidity

// pump-and-dump psychology · ~18% of reported incidents

Typical script

On X, TikTok or YouTube Shorts a "seven-figure trader" shows you portfolio screenshots, photos of luxury cars, screenshots of grateful followers wiring tribute payments. They funnel you into a Telegram or Discord group, where you get the first three signals "for free." Coincidence of coincidences, the first three are all winners. You make some small wins. The guru seems remarkable. Then the guru announces "the trade of the cycle," 10x leverage, in a signal that drops a few seconds before you have time to think. You go in heavy. You blow up. You return to the group and find that you have been silently removed.

"Family, BTC just absorbed the support I flagged yesterday — congrats to everyone who took the long for +12% off the deck. Tomorrow I have a setup I can only share with the tight inner circle. VIP-only. DM 'IN' to upgrade."

The arithmetic of the con is survivor selection. The guru starts with a thousand DM targets. He tells half of them BUY and the other half SELL. Whichever side won is the half he keeps. He splits that half again. By round four or five he has a small group of "lucky students" who have seen him be right four to five times in a row, and they think he is a genius. That is the group he sells the final losing signal to.

What is actually happening technically

Defense

Variant · the legit-platform copy-trading trap

In the last two years a more sophisticated version has emerged on real platforms — Bitget Copy Trading, Bybit Copy Trading, eToro CopyTrader. Some "high-ROI" trader runs a giant leveraged position on his public profile to flex eye-popping monthly returns, attracts followers, then secretly opens an opposite-direction position on a second account. When the followers copy his showcase trade, he profits on the opposite side as their copy trades push the market against them. Even regulated platforms cannot fully prevent this, because they have no way to know whether a trader is being authentic or running a setup. The defense is to never copy traders whose track record is under twelve months, whose maximum drawdown exceeds 30%, or whose equity curve looks like a hockey stick. Look for boring, smooth curves over multiple cycles, not the flashiest monthly return.

CASE 03

Approve drains · one signature empties the whole wallet

// smart-contract permission hijack · ~$2.1B global annual losses

Typical script

You see an NFT project advertising an airdrop, or a DeFi yield product with an obscenely high APR. You click the link in a tweet (the URL is one character off from the official domain — uniswap-claim.com instead of uniswap.org). You connect MetaMask. You click "Claim Airdrop" or "Stake Now." MetaMask pops up a signature prompt. You scan it quickly — it looks like a normal approval. You click confirm. Within seconds your USDC, ETH, WBTC, and any blue-chip NFTs are gone. The wallet is empty.

"Uniswap V4 Airdrop · all ETH holders are eligible for 1,200 UNI · 48 hours only" — and the link is uniswap-claim.com rather than uniswap.org.

What is actually happening technically

Defense

Real case · the Ledger Connect Kit supply-chain attack (Dec 2023)

The Connect Kit JavaScript library that Ledger publishes for DApp developers — used by SushiSwap, Zapper, Revoke.cash itself, and many other front-ends — was compromised by a former Ledger employee whose npm credentials had not been revoked. For roughly five hours, every site that imported the library was a phishing site: connecting a wallet and signing what looked like a normal interaction actually triggered an approve to attacker-controlled addresses. Total losses across the window were about $600,000. The most painful detail is that even Revoke.cash, the standard tool for protecting against approve attacks, was compromised. The takeaway is structural: even tools you trust can flip in a moment. The wallet you use for any DeFi interaction must be separate from your main wallet — no exceptions, no convenience cases.

CASE 04

Fake airdrops · tokens that appear in your wallet unannounced

// honeypot contracts + phishing redirect · nearly every on-chain user has seen this

Typical script

You open MetaMask one morning and notice a new token sitting in your wallet. It is called something like "Visit Site Claim Reward" or "$25000_USDT_Reward." The displayed balance suggests it is worth thousands of dollars. Curious, you click through. A popup tells you to "go to the official site to claim." You land on a slick, professional-looking page that asks you to connect your wallet and sign. You sign. Your USDC and ETH disappear.

What is actually happening technically

Defense

Real-airdrop vs. fake-airdrop checklist

Uniswap, Arbitrum, Optimism, ENS, Jupiter, Wormhole, EigenLayer — every legitimate large airdrop in history maps to the "real" checklist. If you ever have doubt about whether an airdrop is genuine, the simplest verification is to look up the project's official Discord announcement channel. Real ones say "claim is live" or "claim has ended"; fake ones never have any official mention at all.

CASE 05

Fake exchanges · lookalike domains and clone apps

// phishing site + clone APK · disproportionately hits non-US retail

Typical script

You search "Binance download" on Google. You click the first ad result. You install the app. The interface is pixel-identical to Binance. You complete KYC, deposit USDT, and trade for a few weeks — everything appears to work. A few months later you try to withdraw. The app responds with "withdrawal requires a 30% tax clearance deposit before release." You pay. The app says it still needs more. You pay again, with rising doubt — but by now your balance no longer displays.

"Per anti-money-laundering regulations, please deposit 30% of the withdrawal amount as a verification bond to the address below. The bond and the withdrawal will be released to you together after compliance approval."

What is actually happening technically

Defense

How lookalike domains usually fool people

The fix is mechanical: bookmark every official exchange URL on the day you first sign up, and after that, always reach the exchange through the bookmark. Never type the URL again, never click a search result. This single habit eliminates the entire category of attack.

Where the money goes after a fake-exchange deposit

USDT deposited to a fake exchange typically moves out of the receiving wallet in ten to thirty minutes. The path is industrialized — first to a hot collector, then split across dozens of mid-tier intermediary wallets, then converged into either a mixer (Tornado Cash, eXch) or pushed across a bridge to Tron or Solana to swap out of stablecoins entirely. The whole sequence completes in under two hours. That is why the small-withdrawal test must be run before any real deposit. After the deposit is in, even if you recognize the platform is fake immediately, the funds are already in the laundering pipeline and recovery is essentially impossible.

CASE 06

Pig butchering · romance + "guaranteed-yield trading platform"

// long-form emotional + investment scam · seven-figure losses per victim are routine

Typical script

A match on Tinder or Bumble, a connection request on LinkedIn, a chance encounter on WeChat or Telegram. The profile is a polished young professional — Singapore-based investment banker, San Francisco product manager, Hong Kong fund analyst. The photos look real and the conversations flow naturally. Over weeks, the relationship deepens. They talk about life, work, family, ambitions. Eventually, the conversation drifts to investing. They mention that their uncle (or family friend) has access to an "internal trading system" that produces five to ten percent weekly returns in crypto. They are already participating. Would you like to try a small test trade together?

You put in $1,000. The platform shows a $200 profit. You request a withdrawal. The withdrawal arrives in your bank within hours. Encouraged, you deposit $10,000. Then $50,000. Then $100,000. The on-screen account keeps growing. The relationship continues to deepen. When you finally try to withdraw the full balance, the platform tells you it requires a "tax pre-payment" — typically 20 to 30 percent. You either pay it or watch the balance freeze. If you pay, a new fee appears. Then a new fee. Eventually you stop and try to call them. The phone is disconnected. The Tinder match has vanished. WeChat blocked. There is no person — there never was.

"My uncle runs the quant desk at Two Sigma and this system is the one he set up for the family — it is not public, you should not tell anyone. Let us just build it together quietly."

What is actually happening technically

Defense

The pig-butchering supply chain

The term "pig butchering" — a translation of the Mandarin shā zhū pán — is the industry slang for the full lifecycle: fatten the pig (build trust, induce larger deposits), then slaughter it (extract everything and disappear). This has industrialized into a global criminal supply chain over the past five years.

The compounds these operations run from are concentrated in Myanmar's Shan State, Cambodia's Sihanoukville zone, Laos's Golden Triangle special economic zone — regions where local enforcement is captured or absent. Recoveries hover at around 12% even when the FBI is involved; absent FBI involvement, recoveries are effectively zero. The only useful defense is to never engage in the first place. Any unsolicited stranger offering you a "way to make money in crypto" is a scammer, no exceptions, no benefit of the doubt.

CASE 07

Address poisoning · you think you copied your own address

// on-chain address spoofing · veterans get hit too

Typical script

You have a wallet you transfer to often — call it 0xabc123...def456. One day you want to send funds and, out of habit, you copy the destination address from your recent transactions on Etherscan. You only glance at the first four and last four characters. They match. You paste, confirm, sign, send. The funds arrive at an attacker-controlled address with the exact same first-four and last-four characters as your real target. The middle is different. You did not check the middle.

What is actually happening technically

Defense

Real case · the $68 million address-poisoning whale (May 2023)

An anonymous large holder attempted to move $68M of USDT to their own cold wallet. They copied the destination address from a recent transaction history entry that turned out to be a poisoned lookalike. The funds flew straight to the attacker. The incident was tracked across X within hours, the attacker came under enormous public pressure, and — in an extraordinarily rare outcome — eventually returned the funds. Ninety-nine percent of address-poisoning victims never see their money again. The lasting consequence of that case is that hardware-wallet manufacturers now display the entire forty-character destination address on the device screen, with mandatory page-by-page confirmation. Ledger and Trezor both made this change in subsequent firmware. The mechanism that ate $68M from a whale was deemed too dangerous to handle in software alone.

CASE 08

Rug pulls and contract backdoors · the team vanishes overnight

// pre-embedded smart-contract exits · DeFi's recurring sin

Typical script

A new DeFi farm appears, advertising 5,000% APY. KOLs are retweeting it. The Telegram is buzzing with 20,000 members. The team published a one-page audit summary. You stake a few thousand USDC. Twenty-four hours later you come back to check. The liquidity pool reads zero. The token chart looks like a cliff. The project's X account is deleted. The Telegram link is dead. Nothing has been refunded; nothing will be.

What is actually happening technically

Rug-pull backdoors come in several common flavors:

Defense

Notable rug pulls of recent years

The pattern: large market cap and long uptime do not immunize a project from rug behavior. The Mantra incident specifically caught a lot of people who had been confident that "mainstream" projects were past this risk. Never lower your guard because a project looks mature.

§ Industry data · the picture from chain analytics

Chainalysis's 2024 Crypto Crime Report puts global on-chain illicit volume at approximately $51 billion, with about $9.9 billion of that classified as scams, $2.2 billion as hacks, and $1.2 billion as ransomware. These are only the flows that touched the public ledger and could be traced. Off-chain pig-butchering losses — which often pass through bank rails, P2P wires, and OTC desks before they ever reach a blockchain — are estimated separately at $20-30 billion annually.

By category:

Less than 5% of total losses are ever recovered. That is why the entire framing of this article is defense, not recovery. Once funds are gone, they are effectively gone.

§ Five rules that cut across every case

The eight cases above look mechanically different, but they all exploit the same two human levers: greed and fear. High APY hooks greed. "Your account is in trouble" hijacks fear. Time-limited airdrops manufacture FOMO that overrides judgment. The defenses below are deliberately general — they will protect you against scam variants that have not been invented yet.

  1. Anything that contacts you unsolicited is presumed hostile. Support agents, investment advisors, airdrop announcements, group "friends sharing tips" — they are all guilty until proven otherwise. The burden of proof sits with the contact, not with you.
  2. Compartmentalize wallets. Cold-storage main wallet (hardware, never online for risky interactions). Hot wallet (small balance for daily DeFi). Airdrop wallet (separate, only used for new contracts you do not yet trust). None of the three should ever be merged. Compromise of one does not compromise the others.
  3. Read every signature before approving. If you do not understand the function being called, close the popup and walk away. Any UX pressure to "sign quickly or miss out" is itself a 100% scam signal.
  4. 24-hour cooldown on any "limited-time" opportunity. Real opportunities survive a day's reflection. Scams require urgency to function. Adding 24 hours to your decision filters out 80% of attempted exploits.
  5. Audit approvals monthly. Visit revoke.cash. Revoke anything you are not actively using. Clear strange tokens that have appeared in your wallet. This monthly routine is the operational equivalent of changing the locks.
⚠ Emergency playbook · if you have just been scammed

First minute: move any remaining funds from the compromised wallet to a brand-new wallet (cut off ongoing drains).
Immediately after: use revoke.cash to revoke every approval on the compromised address.
File: in the US, file with IC3.gov (FBI) and reportfraud.ftc.gov (FTC) — both within 72 hours. In the EU, file with your national cybercrime unit and submit a report to Europol.
Tag: use Chainabuse or MistTrack to flag the attacker addresses publicly — even if you do not recover, you prevent the next victim.
Beware second-scam: anyone DMing you offering "recovery services" after you go public is 90% running a follow-on scam. Real recovery work goes through law enforcement or registered firms — never through unsolicited DMs.

Multisig and timelocks · advanced defense

For meaningful balances, two structural upgrades are worth the operational cost:

The trade-off is operational friction — multisig is poorly suited to active trading. But for "long-term BTC and ETH I never want to touch," the friction is exactly the point. Set it up once, forget it, sleep better.

§ US/EU reader perspective · the playbook in your jurisdiction

The first eight cases above are jurisdiction-neutral patterns. The mechanics work whether you are operating from Manhattan, Berlin, Singapore, or São Paulo. But the regulatory recourse, the reporting channels, the insurance coverage, and the specific historical incidents that shaped how regulators react are all different in the US and EU — and ignoring those differences will cost you. This section is the part that does not appear in the Chinese version.

The SBF era · FTX, Voyager, Celsius, BlockFi and what changed

In November 2022, FTX — a $32 billion exchange with Super Bowl ads, Tom Brady endorsements, and a politically connected CEO — collapsed in 72 hours after a CoinDesk article exposed how much of sister-firm Alameda Research's balance sheet was the in-house FTT token. The collapse uncovered $8 billion in misappropriated customer funds. Sam Bankman-Fried was convicted on seven counts of fraud and conspiracy in November 2023 and sentenced to 25 years in federal prison in March 2024. FTX was not a one-off. In the same six-month window, Voyager Digital, Celsius Network, and BlockFi all filed for bankruptcy, taking US retail deposits down with them. Celsius had marketed itself as a "bank for crypto" with a chatty CEO who appeared on YouTube weekly; Voyager was a Nasdaq-listed lender; BlockFi had partnerships with Visa. None of them had FDIC coverage on the crypto deposits — that was buried in the terms of service that nobody read. The lesson burned into US retail consciousness from that period is the catchphrase that finally went mainstream: "Not your keys, not your coins." Funds on a CeFi platform are at the mercy of that platform's solvency. The 2022 cohort learned this the expensive way.

The 2024 Mango Markets precedent · what counts as crime

Avraham Eisenberg's 2022 exploit of Mango Markets — a $114 million extraction by manipulating MNGO token price across two thin venues — produced one of the most-watched court decisions in DeFi history. Eisenberg argued in court that his actions were a "legitimate trading strategy" that the protocol's code permitted. The Southern District of New York disagreed: in April 2024 he was convicted on commodities fraud, commodities manipulation, and wire fraud charges. The conviction established that "the code allowed it" is not a defense when the underlying trades constitute market manipulation under US law. For US-based DeFi participants, the implication is that "exploits" — including ones that look clever — can be prosecuted as crimes if the conduct fits manipulation statutes. The legal exposure for would-be exploiters is higher than the early-DeFi mythology suggested.

Pig butchering · the FBI IC3 picture

The FBI's Internet Crime Complaint Center recorded $5.6 billion in crypto-related investment fraud losses in calendar year 2024, the overwhelming majority categorized as pig-butchering scams. The typical victim profile in the US data is striking: middle-aged professional, college-educated, often previously divorced or widowed, contacted through Tinder, Bumble, Hinge, LinkedIn, or a "wrong-number" WhatsApp message that turned into a conversation. The average individual loss exceeds $200,000. Aggregate losses have grown roughly 50% year-over-year since 2021. If you are a US resident in your 40s-60s, this is statistically the single largest crypto-financial threat to your wealth — larger than market crashes, larger than exchange failures, larger than self-custody mistakes.

SIM swap attacks · the 2FA bypass nobody talks about enough

A SIM swap is when an attacker convinces your phone carrier (AT&T, T-Mobile, Verizon) to transfer your phone number to a SIM card the attacker controls. Once the swap is done, all SMS-based 2FA codes flow to the attacker, not you. Coinbase, Kraken, Gemini, and most US banks all support SMS 2FA as an option — and most US users use it because Authenticator apps feel intimidating. Documented SIM-swap losses in 2024 alone exceeded $400 million in crypto. The SEC's own X/Twitter account was SIM-swapped in January 2024, leading to a fake "Bitcoin ETF approved" tweet that moved markets before the actual approval days later. If even the SEC's social-media team got SIM-swapped, your carrier is not protecting your retail account either. The fix is binary: disable SMS 2FA everywhere and replace it with a TOTP authenticator app (Authy, Aegis, 1Password) or a hardware security key (YubiKey, Google Titan). Add a "port-out PIN" or carrier passcode that locks number transfers behind an in-store identity check. Both T-Mobile and Verizon now allow port-out lock at the account-protection settings level.

AI-generated deepfake livestreams · the 2024 surge

Starting in early 2024, YouTube hosted dozens of "Elon Musk live" deepfake streams every day — recycled Tesla earnings call footage retrofitted with synthesized lip sync over a "send 0.1 BTC and we will send 0.2 BTC back" voiceover. Total losses to these streams across 2024 are estimated at $50-80 million globally. The same playbook was applied with Michael Saylor, Vitalik Buterin, and Cathie Wood deepfakes. YouTube's content moderation is reactive — streams typically run for hours before being pulled, by which point new ones have already started. The defense is structural awareness: no legitimate public figure has ever run a "send X to get 2X back" promotion, and no legitimate exchange or project will ever ask you to send crypto to a "verification address" to prove ownership. The pattern itself is the tell.

Where to report and how recovery actually works in the US

The US has a fragmented but workable reporting ecosystem. The primary channels:

Recovery routes split between criminal (DOJ prosecution → asset forfeiture → distribution) and civil (private suit → judgment → enforcement). Criminal recoveries are slow (years), but produce the best outcomes when they happen because they can claw back from co-conspirators and money launderers. Civil recoveries are faster but rarely yield much if the bad actor is offshore and judgment-proof. Both paths benefit from contemporaneous documentation — screenshots, full chat logs, every transaction hash, every domain visited. Document everything within the first 24 hours, before evidence rots.

What FDIC and SIPC actually do and do not cover

A point that is consistently misunderstood in US retail: FDIC insures fiat deposits at insured banks, not crypto holdings at exchanges. When Coinbase displays "USD held in pass-through FDIC-insured accounts," that means dollars in a partner bank's account are FDIC-insured up to $250K; the BTC and ETH balances on Coinbase are not. SIPC, similarly, insures securities at broker-dealers — it does not extend to crypto. Coinbase has self-funded crime insurance of $255 million covering its hot wallet — that is meaningful but small relative to total custody balances, and it covers Coinbase's own losses (hack, theft) rather than insuring you against your own mistakes (you signed an approve drain, you got SIM-swapped, you sent to a poisoned address). Gemini carries similar self-insurance. Kraken does not publicly disclose a number. The practical implication: if you hold significant balances on a US exchange, do not assume any safety net beyond what the exchange's own crime-insurance policy explicitly covers. Move your long-horizon holdings to self-custody (see the wallet guide), and treat the exchange as a trading desk, not a vault.

The EU layer · MiCA, GDPR, and national reporting

For EU readers, MiCA (Markets in Crypto-Assets Regulation) entered full force in December 2024. The headline implication for scam defense: licensed exchanges operating in the EU must publish white papers, hold segregated client assets, and report incidents to national supervisors. This raises the bar at the platform layer, but does nothing about phishing, pig butchering, or SIM swap risk for the individual user — those remain consumer-side defenses. For incident reporting in Europe, the entry points are national: Action Fraud in the UK, BaFin's consumer-complaint unit in Germany, AMF Épargne Info Service in France, Polizia Postale in Italy. Cross-border cases ultimately flow through Europol's European Cybercrime Centre (EC3), but you almost always start with the national channel. GDPR gives EU users one significant tool that US users lack: you can compel exchanges (and even the scam platforms themselves, if they hold any personal data) to disclose what they have on you, which can produce evidence trails for civil and criminal cases. Use it.

State-of-mind difference · the US/EU defender's standing posture

A point of meta-defense that is particularly relevant for US and European readers: the institutional environment in this jurisdiction has trained you to expect backstops. Credit cards have chargebacks. Bank deposits have FDIC. Brokerage accounts have SIPC. Disputes have arbitration. None of those backstops cross over into crypto. Once a transaction is signed, it is final. There is no chargeback, no arbitration, no fraud-department refund. This is a different mental model than the one most US/EU adults default to, and it is the single most expensive misunderstanding I see new-to-crypto US/EU users make. Internalize that the defense layer is entirely on you — not on the platform, not on the regulator, not on insurance — and your decision-making improves immediately.

§ Why smart people still get scammed

A common pattern in the loss reports: a meaningful fraction of victims are software engineers, doctors, lawyers, executives — people with high cognitive horsepower who are not, by any normal measure, naive. Three reasons this happens:

  1. The smarter you are, the more you trust your own ability to spot a scam. On a tired afternoon, with a professional-looking popup in front of you, that confidence becomes a vulnerability. You click "confirm" because part of you assumes you would catch a real attack if it were one. Arrogance is the largest entry vector.
  2. Scams iterate; your knowledge is a snapshot. If you learned about approve drains in 2020, you may have no idea what a Permit2 signature is. Defense requires continuous updating. Reading articles like this once does not vaccinate you against attacks invented next year.
  3. Emotion bypasses reasoning. Pig butchering exploits attachment. Trading-guru groups exploit FOMO. "Your account is compromised" exploits panic. These all shut down the cortex and let the limbic system make decisions instead. Recognizing this — and applying a forced 24-hour cooldown to anything emotionally loaded — disables roughly 80% of attempted exploits before they reach a decision point.

§ Newest attack vectors · what to watch in 2024-2026

Three patterns that are growing fastest and deserve specific awareness:

1. AI voice cloning and video impersonation of family

Scammers scrape your social-media-visible photos and voice clips, train a personalized model, and produce a video call or voice message that appears to be from a family member or close friend: "I am in trouble and need you to send 5,000 USDC right now — I will explain later." The visual lip sync is convincing; the voice is indistinguishable. Hong Kong's Arup engineering firm was hit by a $25M deepfake-meeting scam in 2024 where every "executive" on a Zoom call except the victim was synthetic. Defense: establish a pre-agreed verification code with family members — a private question whose answer cannot be inferred from social media ("what was the name of my high-school chemistry teacher," "what was our cat's nickname when I was 12"). Any urgent money request via video must answer the code before any transfer.

2. MEV sandwich attacks and signature-route exploits

When you swap on Uniswap, PancakeSwap, or other public-mempool DEXes, MEV bots watch your pending transaction and front-run you with a buy that pushes the price up, then dump immediately after your trade to capture the slippage. This is not a "scam" in the social sense — it is on-chain extraction — but the outcome is the same: your funds quietly disappear into the bot operator's pocket. Defense: use MEV-protected RPCs (MEV Blocker, Flashbots Protect) or private-settlement DEXes (CowSwap, 1inch Fusion). Avoid swapping large amounts on public mempool DEXes when you have alternatives.

3. Fake "crypto recovery lawyer" follow-ons

After you have been visibly scammed and posted about it publicly, you will receive DMs from "law firms specializing in crypto asset recovery, 70%+ success rate, just a small investigation fee of $2,000 USDC upfront." Pay the fee and the firm vanishes — or asks for a translation fee, a bridging fee, a notary fee, indefinitely. Defense: any unsolicited DM from a "recovery specialist" after a loss is itself a scam. Legitimate recovery firms (Chainalysis investigations, CipherTrace, TRM Labs) do not cold-DM retail victims; they work with law enforcement under formal engagements. If you need recovery help, start with IC3, the FBI, or a personal-injury attorney who works on contingency — not anyone who messages you first.

§ Closing

These eight cases do not cover everything — new attack vectors appear every month. AI face replacement and voice cloning were a research demo two years ago; in 2024 they were the leading edge of attempted scams. The underlying psychology, however, never really changes: greed, fear, urgency, and trust are the four levers, and every scam pulls one or more.

Surviving as a beginner in crypto is not primarily about finding the next bull market. It is about not losing what you already have. The money you make in this space only matters if you still hold it next year. A single large scam can cost you what three years of grinding-bull-market discipline produced — and most people do not get another full bull market in time to make it back.

On a more personal note: getting scammed is not shameful. I lost 2 ETH myself in 2018 to a fake "private-sale insider" pitch on Telegram. At the time those 2 ETH were a few hundred dollars; today they are not. The thing that mattered then and matters now is acknowledging the loss quickly and moving on — not doubling down to "win it back," which is exactly the lever pig-butchering operators rely on for their final extraction. The victims who go on to lose the most are the ones who refused to accept the first loss and tried to chase recovery. The victims who recover their financial composure are the ones who write down the lesson, mark the calendar, and move on. Document the script that fooled you, the moment of mental blindness, the question you should have asked — that personal post-mortem is worth more than a hundred articles like this one because you lived through it.

Bookmark this page. Re-read it every three months. Each pass will surface a new "wait, I see that pattern in something happening to me right now" moment that the previous read did not catch. Security is layered habits, not a one-time installation. Stay paranoid, stay slow, stay skeptical — there is no shortcut in this business.