Crypto scams cost users billions of dollars every year. Unlike traditional finance fraud, crypto transactions are irreversible — once funds leave your wallet, recovery depends entirely on whether the recipient cooperates, which scammers never do. Understanding the most common attack vectors is the most effective prevention.
Phishing: The Most Common Attack
Phishing in crypto works the same way as in traditional banking, but the stakes are higher because the target is often a seed phrase rather than a password. Common vectors include fake MetaMask browser extensions (search-result ads for "metamask" frequently lead to clones), spoofed Uniswap or OpenSea sites with near-identical URLs (uni5wap.com vs uniswap.com), and Discord/Telegram messages from accounts impersonating project admins. The rule that no legitimate service ever asks for your seed phrase is absolute — no exceptions, no edge cases.
Smart Contract Approval Exploits
When you interact with a DeFi protocol, you often sign an "approval" transaction granting that contract permission to spend your tokens. Malicious contracts disguise these approvals as innocuous interactions — a "free mint," a token claim, or a "gas refund." Once approved, the contract can drain your wallet at any time. Protection: review approvals carefully in MetaMask before signing; use Revoke.cash to audit and revoke existing unlimited approvals; never interact with contracts linked from DMs or pop-up ads.
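To make "review approvals carefully" concrete, the following added example (not code from MetaMask, Revoke.cash, or any project named here) decodes raw transaction calldata and reports whether it is an ERC-20 approve, an increaseAllowance, or an NFT setApprovalForAll call, who the spender is, and whether the grant is effectively unlimited. The function name inspectCalldata, the 2^255 "unlimited" threshold, and the sample spender address are assumptions made for illustration.

```javascript
// Added example: flag token-approval requests in raw transaction calldata.
// Selectors = first 4 bytes of keccak256 of the standard function signature.
const APPROVAL_SELECTORS = new Map([
  ["095ea7b3", "approve(address,uint256)"],           // ERC-20 (ERC-721 reuses it with a token id)
  ["39509351", "increaseAllowance(address,uint256)"], // common ERC-20 extension
  ["a22cb465", "setApprovalForAll(address,bool)"],    // ERC-721 / ERC-1155
]);
// Heuristic (assumption): any amount >= 2^255 is treated as "unlimited".
const UNLIMITED_FLOOR = 1n << 255n;

function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/.test(hex)) {
    return { kind: "invalid" };
  }
  const signature = APPROVAL_SELECTORS.get(hex.slice(0, 8));
  if (!signature) return { kind: "not-an-approval" };
  // Selector must be followed by two 32-byte ABI words; reject truncated data.
  if (hex.length < 8 + 128) return { kind: "malformed", signature };
  // An address occupies the low 20 bytes of its 32-byte word.
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const value = BigInt("0x" + hex.slice(8 + 64, 8 + 128));
  let scope;
  if (signature.startsWith("setApprovalForAll")) {
    scope = value !== 0n ? "unlimited" : "zero"; // bool: operator on or off
  } else {
    scope = value >= UNLIMITED_FLOOR ? "unlimited" : value === 0n ? "zero" : "limited";
  }
  return { kind: "approval", signature, spender, value, scope };
}

// Constructed sample calldata (spender address is a placeholder, not a real contract).
const word = (h) => h.padStart(64, "0");
const SPENDER = "11".repeat(20);
const SAMPLES = {
  unlimitedApprove: "0x095ea7b3" + word(SPENDER) + "f".repeat(64),
  boundedApprove: "0x095ea7b3" + word(SPENDER) + word((10n ** 18n).toString(16)),
  revoke: "0x095ea7b3" + word(SPENDER) + word("0"),
  nftOperator: "0xa22cb465" + word(SPENDER) + word("1"),
  transfer: "0xa9059cbb" + word(SPENDER) + word("64"),
};

for (const [name, data] of Object.entries(SAMPLES)) {
  const r = inspectCalldata(data);
  console.log(name, r.kind, r.scope ?? "-", r.spender ?? "-");
}
```

A scope of "unlimited" on a spender you do not recognize is the pattern described above; a scope of "zero" is what a revocation looks like on the wire.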
Rug Pulls and Exit Scams
A rug pull occurs when developers drain a protocol's liquidity pool and disappear. Red flags: anonymous teams with no verifiable history, contracts that haven't been audited by reputable firms (CertiK, Halborn, Trail of Bits), token liquidity that is not locked or time-locked, and promotional pressure to buy before "the presale closes." The 2022 Squid Game token — which rose 23,000,000% before developers cashed out and disappeared — is the canonical example. Checking whether liquidity is locked via DeFi locking services takes two minutes and eliminates most rug pull risk.
Pig Butchering: Long-Con Romance Scams
Pig butchering (sha zhu pan) is a sophisticated multi-week or multi-month scam originating largely from Southeast Asian fraud operations. Scammers build genuine-seeming relationships on dating apps, WhatsApp, or Instagram, then introduce their "successful" crypto trading as a natural part of conversation. They introduce victims to fake trading platforms showing fake profits, encourage increasingly large deposits, and eventually claim the victim owes "taxes" or "fees" to withdraw — then disappear. Losses per victim typically run from $10,000 to $500,000+. FBI data suggests pig butchering generated over $3 billion in losses in 2022 alone.
CEX Impersonation and "Customer Support"
Exchange support scams target users who post publicly about problems with Binance, Coinbase, or Kraken. Scammer accounts (often with slight username variations — @Binance_Support_Help) reply immediately offering to help, then move the conversation to Telegram and request remote access or "verification" seed phrases. Legitimate exchange support never initiates contact via Twitter/X or Telegram, never asks for seed phrases, and never requires remote access.
Basic Protection Checklist
- Hardware wallets (Ledger, Trezor) keep private keys offline and are the most effective single protection against most attack vectors.
- Bookmark legitimate sites rather than searching for them.
- Verify contract addresses against official project documentation before any interaction.
- Enable withdrawal whitelist restrictions on CEX accounts.
- Use a separate "hot wallet" with minimal funds for DeFi experiments, keeping the bulk of holdings in cold storage.

No legitimate crypto opportunity requires urgency — if something must be done immediately or the deal disappears, that urgency is manufactured to prevent you from thinking clearly.




