Scam 1: Advanced phishing attacks
Advanced phishing attacks now target crypto wallets and exchange accounts using sophisticated tactics that exploit user trust to steal private keys or login credentials.
To carry out advanced phishing attacks, criminals create fake websites that mimic legitimate platforms. They send deceptive emails posing as trusted organizations or use social engineering tactics to trick victims into sharing sensitive information. Some impersonate support staff or design cloned interfaces to capture information.
Attackers may employ sophisticated tactics for such phishing attacks:
- Wallet drainers: These are malicious programs or scripts used in phishing attacks. After a victim connects their wallet to a fraudulent site and approves a malicious transaction or grants token permissions, the attacker can automatically move funds out of the wallet.
- Quishing: Fraudsters use malicious QR codes placed in emails, text messages or on public surfaces. When scanned, these codes redirect users to phishing websites or trigger harmful downloads that steal credentials and personal or financial information.
- Spear phishing: Unlike general phishing, this method targets specific individuals or organizations. Scammers craft personalized messages, often using urgent phrases such as “Immediate Action Required.” The goal is to create a sense of panic and pressure victims into making quick, costly mistakes.
In August 2025, Zak Cole, a core Ethereum developer, discovered his crypto wallet had been drained after a malicious Cursor extension stole his private key. Earlier that year, in May 2025, an elderly US citizen fell victim to a $330-million Bitcoin (BTC) heist, where the attacker used advanced social engineering tactics to gain access to the victim’s wallet.
Did you know? The earliest recorded Bitcoin scam dates back to 2011, when a Ponzi scheme called “Bitcoin Savings & Trust” promised investors 7% weekly returns. It ultimately defrauded them of more than 700,000 BTC.
Scam 2: Rug pulls
Scammers often exploit the hype surrounding decentralized finance (DeFi) platforms and non-fungible token (NFT) projects to deceive investors. A common tactic is the rug pull, where developers suddenly withdraw liquidity and disappear with investors’ funds.
These schemes often imitate legitimate ventures, promising extraordinary returns or exclusive digital assets but ultimately diverting funds from unsuspecting users. Many are overhyped projects that rely on social media buzz without offering real value. Others are cloned platforms that replicate trusted DeFi or NFT websites to trick users into depositing their assets.
Warning signs of rug pulls include unrealistic promises of high returns with little to no risk, no transparent audits or publicly available code and anonymous teams unwilling to share their identities or qualifications.
Since the beginning of 2025, rug pulls have caused nearly $6 billion in losses across the Web3 ecosystem. By comparison, during the same period in early 2024, total losses from rug pulls were only about $90 million.
A prominent example is the LIBRA token on the Solana network. The token’s market value surged to $4.56 billion after it was mentioned by Argentine President Javier Milei on X. Following the deletion of the post, the token’s price fell by over 94%, leading to accusations of a rug pull.
Scam 3: Impersonation
Impersonation — often on social media — poses a serious threat to the crypto ecosystem, undermining trust and leading to significant losses. Scammers frequently pose as trusted influencers, developers or support staff on platforms like X.
In impersonation scams, fraudsters infiltrate conversations or create fake profiles to exploit users chasing quick profits. They often run fake giveaways, promising doubled returns in exchange for small “verification” deposits. Scammers may also operate impersonation accounts copying celebrities or send direct messages posing as exchange support to gain wallet access or prompt urgent fund transfers.
Red flags include accounts with slight misspellings (e.g., “@ElonMuusk”), unverified profiles without verification badges and any requests for direct crypto transfers, as legitimate entities never ask for these.
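One way to automate the slight-misspelling red flag described above, shown as an added example that is not part of the original article. The allowlist, the character-folding table and the distance threshold are assumptions chosen for illustration.

```python
# Added example: flag handles that closely imitate a trusted one.
# TRUSTED is a constructed allowlist; max_distance=2 is an assumed threshold.
TRUSTED = ["elonmusk", "cointelegraph", "binance"]

# Characters commonly swapped in to imitate a letter (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": None})

def normalize(handle: str) -> str:
    """Lowercase, drop the leading @, and fold common look-alike characters."""
    return handle.strip().lstrip("@").lower().translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "msuk" for "musk".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def imitates(handle: str, trusted=TRUSTED, max_distance: int = 2):
    """Return the trusted handle that `handle` imitates, or None."""
    raw = handle.strip().lstrip("@").lower()
    if raw in trusted:
        return None  # exact match: the name alone gives no signal
    folded = normalize(handle)
    for name in trusted:
        # A folded handle that lands on or near a trusted name is a look-alike.
        if edit_distance(folded, normalize(name)) <= max_distance:
            return name
    return None

if __name__ == "__main__":
    for h in ["@ElonMuusk", "@e1onmusk", "@elonmusk", "@satoshi_fan"]:
        print(h, "->", imitates(h))
```

A match only means the handle deserves a closer look; an exact name match still says nothing about whether the account is genuine.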
In 2024, crypto scams cost victims $9.9 billion globally, with impersonation fueling a fourfold rise, according to the Federal Trade Commission. In Hong Kong, scammers impersonated Chief Executive John Lee through a fake X account and a deepfake video promoting a supposedly government-backed digital currency.
Did you know? Even as blockchain security improves, scams continue to adapt. In 2024-25, scammers shifted from hacking smart contracts to manipulating human behavior. By 2025-26, their tactics had become even more advanced.
Scam 4: AI-powered deepfake scams
AI-powered deepfake scams have emerged as a major threat, using advanced technology to deceive users and steal assets. Criminals now leverage…
cointelegraph.com
