Crypto's pseudonymous, irreversible transactions make it an attractive target for criminals. In 2025, over $2.3 billion was stolen from crypto users — not through hacking the blockchain, which remains extremely secure, but through social engineering and human error. Every one of these scams can be avoided once you know how they work.
Phishing: the #1 threat
Phishing attacks impersonate trusted entities (MetaMask, Coinbase, Uniswap, OpenSea) to trick you into entering your seed phrase or approving malicious transactions. They arrive via email ("your account is at risk"), Google Ads (a fake website appearing above the real one in search results), Discord DMs ("you've won an exclusive NFT"), and fake browser extensions. The attack pattern is always the same: create urgency, direct you to a convincing fake site, then prompt you to enter your seed phrase or sign a transaction that empties your wallet.
Protection: bookmark the legitimate URLs for exchanges and wallets you use, and only ever navigate via those bookmarks. Never click links in emails or DMs. Check the URL bar carefully: "rnetamask.io" and "metarnask.io" are common fakes, in which the letter pair "rn" stands in for "m". Use a hardware wallet, which requires physical confirmation of every transaction, making most phishing attacks ineffective.
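The bookmark rule and the "rn"-for-"m" trick above can be checked mechanically. The sketch below is an added example, not part of the original article: it compares a link's hostname against a bookmarked allowlist and flags lookalikes. The allowlist contents, the confusable-character table and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the domains you have bookmarked (constructed sample).
BOOKMARKED = {"metamask.io", "coinbase.com", "uniswap.org", "opensea.io"}

# Sequences that render like another letter in many fonts.
# Illustrative only, not an exhaustive confusables table.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def skeleton(host: str) -> str:
    """Collapse confusable sequences so visual lookalikes compare equal."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def hostname(url: str) -> str:
    """Extract a normalised hostname; accepts bare domains as well as URLs."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.lower().rstrip(".").removeprefix("www.")


def classify(url: str, bookmarked=BOOKMARKED) -> str:
    host = hostname(url)
    if not host:
        return "invalid"
    # Exact bookmarked domain, or a genuine subdomain of one.
    if any(host == good or host.endswith("." + good) for good in bookmarked):
        return "bookmarked"
    # Punycode labels can hide non-Latin characters that mimic Latin ones.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode hostname"
    for good in bookmarked:
        # Same appearance after collapsing confusables, but a different name.
        if skeleton(host) == skeleton(good):
            return f"lookalike of {good}"
        # Real domain used as a prefix of someone else's domain.
        if host.startswith(good + "."):
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for link in ["https://metamask.io/download", "rnetamask.io",
                 "http://metarnask.io/login", "c0inbase.com",
                 "https://metamask.io.wallet-check.example/"]:  # constructed
        print(f"{link:45} -> {classify(link)}")
```

A result of "unknown" is not a clean bill of health; it only means the host is not one you bookmarked and did not match this small confusables table.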
Rug pulls and fake projects
A rug pull occurs when a project's developers create a token, attract investors through hype and fake roadmaps, then drain all the liquidity (the money traders use to buy and sell the token) and disappear with the funds. The token price instantly drops to zero. Rug pulls are especially common on chains with low transaction costs where anyone can launch a token in minutes (Solana, BNB Chain).
Red flags: an anonymous team with no verifiable identity or track record, no audit from a reputable firm (CertiK, Hacken, Trail of Bits), unlocked liquidity (LP tokens held by the dev team, not in a time-lock), unrealistic APY promises, and pressure to buy before a "launch window" closes. Tools like RugCheck.xyz and Token Sniffer can auto-analyze new tokens for these risk factors.
Romance scams (pig butchering)
The fastest-growing category. Scammers build romantic relationships over weeks or months via dating apps or social media, then introduce the concept of crypto investing. They show "screenshots" of their own profits on a custom platform. When you invest, you can see your fake profits growing — and may even make a few small withdrawals to build trust. When you try to make a large withdrawal, the platform demands "taxes" or "fees." The scammer eventually disappears with everything. These scams averaged $185,000 per victim in 2025. The rule is absolute: never invest in any platform suggested by someone you've met online and never met in person.
How to verify any project
Before investing in any new project: search the project name plus "scam," "rug pull," and "review" on Google and Twitter. Check the contract on Etherscan or Solscan — look for recent large transfers from the team wallet. Verify the team's identities — real founders have LinkedIn profiles, conference appearances, and can be reached directly. Check if the smart contract is audited and read the audit. Look at token holder distribution — if 50% is held by one wallet, that's extreme centralization risk.
Top 5 scam types — recognition and prevention
| Scam type | How to recognize | How to avoid |
|---|---|---|
| Phishing | Urgent emails/DMs with links | Use bookmarks only |
| Rug pull | Anonymous team, liquidity not locked | Check RugCheck.xyz |
| Pig butchering | Online romance + crypto tip | Never trust online strangers |
| Fake giveaway | "Send 1 BTC get 2 BTC back" | Ignore. Always a scam. |
| Fake exchange | High returns, pressure to deposit | Only regulated exchanges |