Crypto scams evolve fast, but their tells rarely do. Guaranteed returns, pressure to move the conversation off-platform, requests to pay “taxes” or “unlock fees” before withdrawals, unsolicited support calls, and wallet-connection prompts that ask for broad token approvals are classic red flags. In 2024, victims of investment fraud involving cryptocurrency reported more than $6.5 billion in losses to the FBI, and 2025 has already seen multi-billion-dollar thefts from services and users. Treat every unexpected offer, airdrop, or “support” outreach as hostile until proven otherwise.
What changed in 2025
Criminals are leaning on AI deepfakes, phishing via URLs and QR codes, and scalable “wallet drainer” kits that trick you into approving malicious transactions. Reports show URL-based phishing outpacing attachments, QR-code “quishing” rising, and drainer kits industrializing theft across web3. Global crackdowns are freezing hundreds of millions in scam funds, but recovery is still difficult—so prevention matters most.
The 15 biggest red flags (and how to respond)
1) Guaranteed or “risk-free” returns
Scammers promise high, consistent profits or “AI trading” that never loses, sometimes backed by fake dashboards. U.S. securities and commodities regulators have warned repeatedly about such pitches. Walk away from anything that guarantees performance.
2) Romance or “pig-butchering” outreach
New “friend” or “mentor” moves the chat to WhatsApp/Telegram, builds trust, then steers you to a fake platform and later demands “taxes” to withdraw. FinCEN and the FBI have detailed the method and its red flags; do not move money based on an online relationship.
3) “Pay a fee to unlock your funds”
Any site asking you to pay upfront “tax,” “verification,” or “release” fees before you can withdraw is almost certainly a scam, per regulator advisories. Stop and report.
4) Unsolicited calls or DMs from “support”
Impersonators spoof exchange numbers or claim to be recovery experts. Coinbase and the FBI emphasize that real support won’t ask for your 2FA codes, seed phrase, or to send assets to a new address. Hang up and contact the company through its official app.
5) Wallet drainer pop-ups and approval phishing
A fake dApp asks you to connect and approve unlimited token spending or sign suspicious permissions. Chainalysis describes drainers as phishing tools for web3 that steal funds after you authorize them. If a prompt looks odd or asks for broad approvals, reject it and leave.
6) Address poisoning
A scammer sends a dust transaction so a look-alike address appears in your history, hoping you’ll copy it next time. Always paste and verify the full address checksum, not just the first/last characters.
7) Fake airdrops, giveaways, and livestreams
“Connect wallet to claim” or “send 1 ETH to get 2 ETH back” are classic traps. Chainalysis and industry reporting note growth in livestream and airdrop scams; never send funds to “double your crypto.”
8) Look-alike domains, QR codes, and shortened links
CISA and HHS warn that phishers increasingly weaponize URLs and QR codes. Type URLs yourself or use trusted bookmarks; don’t scan random codes or follow shortened links from DMs.
9) “Crypto only” payment requirement
CFTC red-flag guidance calls out schemes that accept only digital assets and even coach you through converting dollars—precisely because crypto transfers are hard to reverse. Treat this as a serious warning sign.
10) Deepfake celebrity endorsements
Consumer watchdogs report rising losses from deepfake-backed investment pitches. Verify claims on the celebrity’s official channels; assume paid ads or edited videos can be fake.
11) Pressure to act fast or keep it secret
Urgency and secrecy are classic social-engineering levers. The SEC and FTC advise slowing down and verifying the entity and license before you move money.
12) New app or “exchange” with no regulator footprint
Cannot find registration details, physical address, or leadership? That is a red flag. Check disclosures with relevant authorities or trusted public records before depositing a cent.
13) “Recovery service” that asks for fees or wallet access
IC3 warns that scammers now target victims again by posing as law firms or investigators who can recover funds—for a price. Do not pay.
14) SIM-swap risks and OTP harvesting
Attackers can hijack phone numbers to intercept SMS codes or trick you into reading one-time passwords aloud. Prefer app-based authenticators or passkeys over SMS for exchanges.
15) Up-front wallet seed or passphrase requests
Legitimate staff will never ask for your seed phrase. If any site or person asks for it, stop immediately and move funds to a fresh wallet you control.
How to harden your setup in 10 minutes
- Turn on an authenticator app for exchange logins and withdrawals. Avoid SMS whenever possible.
- Enable withdrawal protections such as address allowlisting and a 24–48 hour lock on new addresses so a thief can’t instantly drain funds.
- Use an approval dashboard to review and revoke token allowances you no longer need. Revoke unfamiliar or unlimited approvals.
- Bookmark official domains; never search for support numbers or click “urgent” links in DMs.
- Before sending, verify the full recipient address or use an address book/QR you generated yourself to avoid poisoning mistakes.
If you think you’re being scammed
Act fast. Stop transacting, disconnect your wallet from the site, and revoke suspicious approvals. Document everything: addresses, TXIDs, domains, usernames, timestamps, and screenshots.
Then file official reports so investigators can act and so you’re on record:
- FBI Internet Crime Complaint Center (IC3).
- U.S. Federal Trade Commission (ReportFraud.ftc.gov).
- If funds touched a centralized exchange, open a ticket with that exchange’s fraud team immediately.
- Be wary of anyone offering to recover your funds for a fee; IC3 warns this is often a second-stage scam.
Why the numbers are so large
The FBI says investment fraud losses—especially those involving crypto—led all categories in 2024 at over $6.5 billion. Chainalysis’ 2025 updates show the service-hacking side of crypto crime remains severe, with multi-billion-dollar incidents and rapid laundering flows that complicate recovery. These realities make your personal defenses critical.
Frequently asked questions
How can I tell if a “wallet connect” prompt is safe?
Check the site’s domain against a trusted bookmark, read the permission text carefully, and never approve unlimited spending unless you’re sure. If in doubt, reject and inspect with an approval checker before trying again.
Should I use SMS for two-factor authentication on exchanges?
Use an authenticator app or passkeys where supported. New FCC rules aim to curb SIM swaps, but SMS remains vulnerable compared to app-based codes.
What about QR codes in packages, flyers, or emails?
Assume they can be malicious. Only scan codes from sources you already trust, and verify the URL preview.
