Last Updated: March 2026
*Disclaimer: This article is for informational purposes only and is not financial advice. Crypto trading involves significant risk of loss. Never trade with money you cannot afford to lose. Always do your own research (DYOR).*
I'll be blunt with you. Crypto has made a lot of people rich, and it has made even more people poor because they got scammed. According to the FBI's 2024 Internet Crime Complaint Center (IC3) report, Americans lost more than $5.6 billion to crypto-related fraud in 2023, and the 2024 numbers came in near $9.3 billion. Chainalysis pegged total crypto scam revenue at roughly $12.4 billion for 2024 once illicit revenue from pig butchering, rug pulls, and address-poisoning schemes were combined. That is not a typo. Twelve billion dollars, siphoned out of ordinary wallets, grandmothers' retirement accounts, and teenagers' first trading stakes.
I have been in this industry since 2017, and I have watched the scam ecosystem evolve from clumsy Nigerian-prince-style emails into surgical, AI-powered operations that use deepfaked celebrity videos, spoofed Telegram support agents, and smart contracts designed to look honest until the moment they drain you. A friend of mine, a software engineer who should absolutely know better, lost roughly $48,000 in a single afternoon in 2024 to what he thought was a legitimate Arbitrum airdrop claim page. One signature. Gone.
This guide is the playbook I wish he had read before that afternoon. I will walk you through the ten most common scams active in 2026, the red flags I have learned to spot in seconds, a five-step verification checklist I run on any new project before I touch it, the tools I actually use to protect my own bags (including a hardware wallet setup I swear by), and what to do if you have already been hit. No fluff. No doom-scrolling. Just the stuff that keeps your coins yours.
If you are brand new to crypto and you only take one thing away from this article, make it this: self-custody with a real hardware wallet is not optional anymore. Grab a Ledger hardware wallet -> before you do anything else. I will explain why a dozen times below.
The 10 Most Common Crypto Scams in 2026
The scam menu keeps expanding, but ninety percent of losses trace back to the same ten playbooks. Know these cold.
1. Rug pulls. A team launches a token, hypes it on Twitter and Telegram, attracts liquidity, then either drains the liquidity pool, dumps the team supply into retail buyers, or abandons the project entirely. The classic public example is the Squid Game (SQUID) token from November 2021, which pumped to around $2,861 per token before the developers executed a rug and ran off with roughly $3.4 million. More recently, the Solana memecoin wave of 2024-2025 produced hundreds of pump-and-rug cycles per week, with pump.fun alone spawning over eleven million tokens in a twelve-month stretch, more than ninety-eight percent of which went to zero.
2. Phishing sites and fake dApps. Attackers clone popular sites (Uniswap, OpenSea, MetaMask, a specific chain's bridge) pixel-for-pixel and buy Google Ads or X ads to rank above the real URL. You connect your wallet, sign what looks like a normal approval, and a malicious `setApprovalForAll` or permit signature drains every token it can reach.
3. Pig butchering (sha zhu pan). This is the monster that ate 2024. A stranger matches with you on a dating app or sends a "wrong number" text, builds a weeks-long relationship, then introduces you to a "great trading platform." The site shows fake profits to encourage more deposits. When you try to withdraw, there are sudden "taxes" and "unlock fees." The FBI's IC3 report attributed more than $3.96 billion of 2023 losses to this single scam category, and the UN estimated in 2024 that over 300,000 trafficked workers are running pig-butchering compounds in Southeast Asia.
4. Fake exchanges. Entire exchange websites and mobile apps that look legitimate, accept deposits, show "balances," and then refuse withdrawals. The North Korean Lazarus Group has run multiple of these over the years. If you want to avoid this entire category, stick to regulated, publicly audited exchanges like Coinbase -> or Bybit ->.
5. Pump-and-dump groups. Telegram and Discord groups coordinate a buy on a low-cap token, the organizers front-run the group, retail pumps it, and the organizers dump on the group they just "signaled." SEC settlements in 2022-2024 have made this a federal crime in the US, but it still runs constantly on micro-cap chains.
6. Honeypot contracts. A token's smart contract is written so you can buy but only a whitelisted wallet can sell. You see a green candle, you buy, and your sell transaction reverts forever. Tools like Honeypot.is and DEXTools' contract scanner catch most of these, but never all of them.
7. Airdrop and claim scams. You see a tweet that "Arbitrum is airdropping a retro reward, claim here." The claim page asks you to sign a message or approve a contract. The signature is a blank-check `permit2` approval that lets the attacker move any ERC-20 out of your wallet forever. My friend's $48K loss? This one.
8. Impersonation and deepfakes. In 2024, a Hong Kong finance worker was scammed into wiring $25 million after a video call with a deepfaked version of his company's CFO. In crypto, deepfaked Elon Musk, Vitalik Buterin, and Michael Saylor livestreams have pulled in tens of millions of dollars per "giveaway." If a famous person is asking you to send crypto to "double it," it is a scam. Every single time.
9. Flash loan and oracle attacks. Less common for individual investors, but if you are providing liquidity on small DeFi protocols, a flash-loan attacker can manipulate a thin oracle, drain the pool, and walk away in a single block. Avoid LPing into unaudited or low-TVL pools.
10. Malicious smart contracts and approval drainers. Even a "legitimate" contract can contain a function that nukes your wallet later. Always read what you are signing, revoke old approvals monthly at revoke.cash, and never sign `setApprovalForAll` or unlimited `permit` without understanding exactly why.
Free: Crypto Trading Platform Cheat Sheet
Side-by-side fee comparison, ratings, and quick-pick recommendations for every major exchange and trading bot. Save hours of research.
No spam. Instant download on the next page.
Red Flags to Spot Before Investing
After a few years of watching this space, scams start to smell the same. If you learn to recognize the stink early, you will save yourself life-changing amounts of money. Here are the red flags I check in roughly the order they appear.
Guaranteed returns. Nothing in crypto is guaranteed. If a platform promises "12% monthly," "2% daily," or "risk-free yield," it is either a Ponzi, a pyramid, or about to be. Celsius Network promised "safer than banks" yields and went bankrupt in 2022 owing users around $4.7 billion. BlockFi, Voyager, Hodlnaut, Vauld, Babel Finance, all gone for similar reasons. High yield almost always means high hidden risk or outright fraud.
Urgency and scarcity manipulation. "Presale ends in 12 hours." "Only 50 spots left." "This is the last chance to get in before Coinbase listing." Real projects with real value do not need countdown timers. Urgency is the oldest trick in the fraudster's toolkit because it shuts down the analytical part of your brain and flips you into impulse mode.
Anonymous team with no LinkedIn footprint. I will not say anonymous teams are always scams, some legit projects (the original Bitcoin team being the obvious example) started anonymous. But in 2026, if you cannot verify the identity of at least one core contributor through a public profile, a conference talk, or a GitHub history that predates the project, your risk profile just went up five times. The burden of proof is on them.
Locked, unrenounced, or owner-privileged contracts. Use Etherscan, BscScan, or Solscan to read the contract. If the owner can mint unlimited tokens, pause trading, blacklist wallets, or change the tax rate at will, that is a loaded gun pointed at your wallet. Renounced ownership is not a perfect signal, but a contract with centralized admin keys and no multisig is a giant yellow flag.
Liquidity not locked. For any DEX token, check if the liquidity pool is locked (via Team.Finance, UNCX, PinkSale) for at least six to twelve months. Unlocked LP means the team can pull the rug literally any second.
Social proof looks bought. Ten thousand followers but posts get three likes. Telegram group with fifty thousand "members" but only the admin ever talks. Reviews on a "DEX review site" that all read like they were written by the same AI in the same hour. Scammers buy engagement because it works on lazy buyers.
Whitepaper plagiarism. Run a few sentences through Google in quotes. If the whitepaper is lifted from another 2022 project, you are looking at a ghost kitchen. I have caught at least a dozen 2025 projects this way.
Wallet connect on the homepage. Legitimate information sites never need you to connect your wallet just to view content. If the first thing a site asks is "connect wallet to continue," close the tab.
Nothing shipping on GitHub. A real project has public commits. A scam project has a beautifully designed homepage and an empty or copied repo.
How to Verify a Project is Legitimate: My 5-Step Checklist
Whenever a new token, platform, or yield opportunity lands in my DMs, I run this checklist before I even consider a dollar of capital. It takes about fifteen minutes and has saved me from two sure-thing scams just in the last ninety days.
Step 1: Identity-check the team. Pull up the team page. Click through to each founder's LinkedIn. Do their claimed previous employers match their LinkedIn tenure? Search their name on Google with the word "scam" and the word "fraud." Look for conference talks on YouTube, interviews on podcasts, prior startups. If three of the five "team photos" reverse-image-search to stock photos or unrelated people, you are done. Move on.
Step 2: Audit the audit. Any legit DeFi project has at least one audit from a firm like CertiK, Trail of Bits, OpenZeppelin, Quantstamp, or Halborn. But "audited by CertiK" on a homepage means nothing. Go to CertiK's site and find the actual audit report. Read the severity summary. Check the date. Confirm the audited contract address matches the one the project is currently using. Scammers love putting an old audit badge on a newly deployed malicious contract.
Step 3: Read the contract. Paste the token contract into Etherscan (or equivalent). Click "Contract" then "Read Contract." Check for: a) is ownership renounced (owner returns 0x000…0000)? b) is there a blacklist or pause function? c) what is the max transaction and max wallet? d) is there a buy tax and sell tax, and are they capped? e) is there a mint function available to the owner? Any one of these can be legitimate, but you need to understand them before you buy.
Step 4: Check the wallet distribution. Go to Etherscan's "Holders" tab. If the top ten wallets hold more than fifty percent of supply and none of them are a known DEX pool or a time-locked contract, you are buying into a rug waiting to happen. Healthy distribution looks like: LP pool, team multisig (locked), CEX cold wallets, a long tail of real holders.
Step 5: Cross-reference independent coverage. Search CoinGecko, CoinMarketCap, Messari, Delphi, The Block, Decrypt, Cointelegraph. Legitimate projects are covered by independent outlets who did not get paid. If the only coverage is from "crypto news blogs" that look like SEO farms, you are looking at paid PR dressed up as journalism.
If a project passes all five of these, I still only risk money I can afford to lose, and I never park long-term holdings in hot wallets. Those always go on my Ledger hardware wallet -> behind a PIN and a passphrase.
Protect Yourself: Tools and Best Practices I Actually Use
You cannot eliminate risk in crypto, but you can push your probability of getting drained from "roughly 1 in 20 per year for active DeFi users" down to "roughly 1 in 500" with a handful of habits. Here is the exact stack I run.
Hardware wallet, always. A hardware wallet keeps your private keys on a purpose-built secure chip that never exposes them to the internet, even when you are signing transactions. I use a Ledger Nano X -> for my primary long-term storage, and I have a second Ledger in a different physical location as a backup recovery sanity check. If you are holding more than a couple thousand dollars in crypto and you still have it on a mobile hot wallet or, worse, on an exchange, stop reading this article right now and go order a hardware wallet. I mean it. Ledger devices start around $79 for the Nano S Plus, $149 for the Nano X, and roughly $279 for the Ledger Stax. They are cheaper than the dinner you had last Saturday and they will save you a six-figure catastrophe.
Separate "hot" and "cold" wallets. Your hardware wallet never connects to random dApps. Ever. You have a separate hot wallet (MetaMask, Rabby, Phantom) funded with spending money for daily DeFi interaction, and when you want to move something to long-term holding, you send it to the hardware wallet address. If your hot wallet gets drained, you lose the float, not the fortune.
Use regulated exchanges for fiat on-ramps. When I need to move fiat into crypto or back out, I use exchanges that have actual regulatory oversight, real KYC, insurance funds, and a phone number you can eventually reach. For US and EU users, Coinbase -> is my go-to for fiat ramps. It is more expensive than a random DEX, but the SOC 2 audits, FDIC pass-through on USD balances, and regulated custody are worth it. For derivatives, perps, and advanced trading, Bybit -> offers institutional-grade security, proof-of-reserves reporting, and a $180M+ insurance fund. Keep your exchange balance at what you need for active trading only, withdraw the rest to your Ledger.
Transaction simulation. Before you sign anything, use a wallet or extension that simulates the transaction first. Rabby Wallet does this natively. Pocket Universe and Wallet Guard are Chrome extensions that preview what a signature will actually do. If the simulation shows "Your wallet will lose 100% of USDC," do not sign.
Revoke old approvals. Once a month, I visit revoke.cash or etherscan.io/tokenapprovalchecker and nuke every old ERC-20 approval I no longer need. This is free and takes ten minutes and has stopped me from getting drained at least once when an old protocol I had approved got exploited.
Dedicated browser profile. My crypto activity lives in a Chrome profile that has exactly two extensions: my wallet and Wallet Guard. No ad blockers, no coupon extensions, no productivity tools, no nothing. Supply-chain attacks on Chrome extensions are real, and a compromised "free PDF reader" extension can and will steal your seed phrase.
Never type your seed phrase into anything. The only thing that should ever see your 12 or 24 word recovery phrase is the hardware wallet itself during recovery. Not your email. Not your iCloud. Not a password manager. Not a "support agent." Not a Google Doc. Not a screenshot. If anyone, ever, asks for your seed phrase, the answer is no.
What to Do If You've Been Scammed
If you are reading this section because you just got hit, I am sorry. Take a breath. There are actual steps that can marginally improve your odds of partial recovery, and more importantly, can protect the remaining funds you still have.
Minute 0-15: Move everything you can. If you signed a malicious approval, an attacker is probably already draining you. Open a new wallet (ideally on a clean device), and send any remaining assets in the compromised wallet there immediately. If you have staked or LP'd tokens that cannot be moved instantly, at least withdraw them from the contract if possible. Sometimes you can front-run the drainer if you act fast and pay a high gas fee. It is a long shot, but I have seen it work.
Hour 1-24: Revoke and document. Go to revoke.cash and revoke every approval on the drained wallet. Screenshot the malicious transaction on Etherscan, including the attacker's wallet address, the signed message (if available), and the token amounts lost. Save everything. Write down the exact sequence of events while it is fresh.
Day 1-3: Report to the right agencies. File a report with the FBI's Internet Crime Complaint Center at ic3.gov (US), Action Fraud (UK), or your national cybercrime unit. Report the attacker's wallet address to Chainalysis (reactor.chainalysis.com), Crystal Intelligence, and directly to major exchanges' compliance teams. If the stolen funds land on a regulated exchange, and if the report is filed early enough, there is a small but non-zero chance of freezing the funds. Exchanges like Binance, Coinbase, Kraken, and Bybit have frozen hundreds of millions in stolen crypto this way in the last three years, but almost always when reports came in within hours of the theft.
Day 3-14: Tag the wallet publicly. On Etherscan, you can submit a "public tag" for the attacker's wallet ("Fake_Phishing123456"). This won't recover your funds, but it makes the attacker's address toxic and harder to cash out. Also file with the project you thought you were interacting with, if it is legitimate, because they will often pool user reports for law enforcement.
Skip "recovery services." Ninety-five percent of "crypto recovery experts" who DM you after you post about your loss are secondary scammers. If a "hacker" or "recovery firm" asks for an upfront fee to "trace and recover" your funds, it is a scam on top of your scam. The only legitimate recovery path is through law enforcement and the exchanges; everything else is fiction.
Protect your mental health. I know this sounds soft, but the psychological damage of a six-figure crypto loss is real. Suicides have been documented. Talk to someone. Join r/CryptoScams or scamhaters support groups. It was not stupidity; scammers are professionals and you were outgunned. Learn, rebuild, and keep your operational security tight on the next round.
Comparison Table: Scam Types vs Warning Signs
Here is a quick-reference table I built for my own notes, mapping the ten main scam categories to their most reliable red flags, the prevention steps that actually work, and roughly how often each appears in current loss reports.
| Scam Type | Top Red Flag | Typical Loss Vector | Main Prevention | 2024-25 Loss Share (est.) |
|---|---|---|---|---|
| Rug pull | Unlocked LP, anonymous team, 6-digit tax functions | DEX liquidity drain or dev wallet dump | Locked LP, audited contract, small allocation | ~12% |
| Phishing / fake dApp | URL typo, ad-ranked site, unusual signature request | Malicious approval or drain signature | Bookmark real URLs, use transaction simulation | ~18% |
| Pig butchering | Romance intro, "exclusive" trading platform, withdrawal fees | Fake CEX deposits, never withdrawable | Verify platform on public registries, never trade on apps found via dating | ~32% |
| Fake exchange | Can deposit but not withdraw, no regulation | Entire deposit balance | Use regulated exchanges only ([Coinbase](/go/coinbase/how-to-spot-crypto-scams), [Bybit](/go/bybit/how-to-spot-crypto-scams)) | ~8% |
| Pump & dump | Coordinated buy-time announcements, hidden presale | Exit liquidity for organizers | Ignore paid signal groups | ~5% |
| Honeypot | Can buy, cannot sell in test | Full token purchase amount | Test sell with tiny amount first | ~3% |
| Airdrop / claim scam | "Claim here" link outside official channels | Drain via permit or setApprovalForAll | Only claim from official project Twitter + verified URL | ~9% |
| Impersonation / deepfake | Celebrity "giveaway," deepfaked video | "Send to double" scam | Assume every celebrity crypto giveaway is fake | ~4% |
| Flash loan / oracle | Low TVL pool, thin oracle, new protocol | LP and stablecoin drains | Only LP in battle-tested pools with >$50M TVL | ~3% |
| Malicious smart contract | Unusual permissions in contract ABI | Delayed drain or backdoor | Read contracts, revoke monthly at revoke.cash | ~6% |
Percentages are my own rough aggregation from public Chainalysis, FBI IC3, and Elliptic reports. Real share varies by quarter and chain. What matters is that the top three alone (pig butchering, phishing, rug pulls) account for more than sixty percent of reported losses, and all three are fully preventable with the habits in this article.
FAQ
Q: Is it possible to recover funds after a crypto scam?
A: Sometimes, but usually not fully. If the stolen funds land on a regulated exchange within hours of the theft and you report immediately to that exchange's compliance team (plus the FBI's IC3 or your local cybercrime unit), partial freezes do happen. Chainalysis reported that roughly $1.5 billion in stolen crypto was frozen or recovered in 2023-24. But if funds go through a mixer like Tornado Cash, cross a chain via a sketchy bridge, or land on a non-KYC exchange, recovery odds drop to near zero. Budget your emotional energy accordingly, and never pay a "recovery service" upfront.
Q: How do I report a crypto scam?
A: In the US, file with the FBI's IC3 at ic3.gov and the FTC at reportfraud.ftc.gov. In the UK, use Action Fraud. Internationally, Interpol accepts cross-border cybercrime reports. Additionally, report the attacker's wallet address to Chainalysis, Crystal Intelligence, and the compliance teams of major exchanges (Coinbase -> and Bybit -> both have dedicated fraud intake forms). If the scam involves a specific project, report it in their official Discord or via their support portal, because they often aggregate reports for law enforcement.
Q: Should I use a custodial or non-custodial wallet?
A: Both, for different purposes. Custodial (on an exchange) is fine for active trading balances and fiat conversion; use reputable, regulated exchanges. Non-custodial (your own wallet with your own keys) is mandatory for long-term holdings. And your non-custodial long-term wallet should be a hardware wallet, not a hot wallet. My personal split is roughly ten percent on exchanges for active trading, ninety percent on a Ledger hardware wallet -> for long-term storage. The "not your keys, not your coins" rule is old but it is true; FTX, Celsius, BlockFi, and Mt. Gox users learned it expensively.
Q: Are deepfake celebrity scams really making money in 2026?
A: Yes, and getting worse. Generative video has become cheap enough that scammers routinely produce convincing livestreams of Elon Musk, Vitalik Buterin, Michael Saylor, and CZ "announcing giveaways" on YouTube and X. Tens of millions in losses are attributed to these annually. Rule of thumb: real billionaires do not need your 0.5 ETH to "verify your wallet" before they send you 5 ETH back. Ever. If a celebrity is asking for crypto, it is a deepfake.
Q: What is the single highest-impact change I can make today to protect my crypto?
A: Buy a hardware wallet and move long-term holdings off exchanges and hot wallets within the next seven days. Seriously. Everything else (revoking approvals, using simulation tools, checking contracts) is important but incremental. Moving $10,000, $100,000, or $1,000,000 from a hot wallet to a Ledger -> is a single afternoon of setup that removes the entire "remote drain" attack surface. If you do nothing else from this article, do that.
Affiliate Disclosure: This article contains affiliate links. If you sign up for Ledger, Coinbase, Bybit, or any other platform through links on this page, we may earn a commission at no additional cost to you. We only recommend products and services we use ourselves or would recommend to a close friend. All opinions, analysis, and scam-prevention advice are our own, and affiliate relationships never change what we say about a product's risks or shortcomings.
*Disclaimer: This article is for informational purposes only and is not financial advice. Crypto trading involves significant risk of loss. Never trade with money you cannot afford to lose. Always do your own research (DYOR).*