The state of phishing in 2026
Phishing has been the largest single source of retail crypto losses every year since 2018. The 2026 numbers, from the FBI IC3 annual report and Chainalysis's adversary tracking: roughly $4.4 billion in US-reported crypto fraud, of which 73% traces to social-engineering pathways (phishing emails, fake support calls, fake recovery sites, romance-investment scams). The true figure is higher, because most retail victims never file an IC3 report.
The atlas below catalogs the patterns operating in 2025-2026. Each section describes the mechanism, names a representative case, lists the defensive checks, and ends with what to do if you have already been hit. The catalog is not exhaustive — new variants appear monthly — but it covers the structures that account for most of the dollar-weighted loss.
Layer 1: identity-impersonation phishing
1.1 Fake Telegram support accounts
The mechanism: a Telegram account with a name like @Binance_Support_US, dressed up with a paid Premium badge or a checkmark pasted into its display name and 10,000+ bought followers, DMs the target. The message claims a suspicious login was detected and that verification requires entering the 12-word seed into a "security bot." The "bot" is a human operator, and the seed goes straight into a drainer.
Representative case: an Austin holder, August 2025, lost 47,000 USDT to @Binance_Support_US over nine minutes. The DM arrived hours after the holder had posted a complaint about a delayed Coinbase withdrawal on Twitter — the scammer had scraped the public mention.
Defense: Binance, Coinbase, Kraken, Gemini, Binance.US: none of them DM customers first. Ever. Any unsolicited Telegram/WhatsApp/X DM claiming to be exchange support is a scam, independent of username, badge, or follower count. None of those signals cost the operator anything meaningful: Telegram's Premium badge is a paid subscription, a checkmark can be imitated with an emoji in the display name, and followers are bought by the thousand. A badge is not a business-legitimacy signal.
1.2 Fake phone-support numbers via sponsored search ads
The mechanism: a Google search for "Coinbase support phone number" returns a sponsored ad linking to a clean-looking landing page with a 1-800 number. The target calls; the voice asks for email and last-four of SSN, then walks the target through "verifying" their account by reading the TOTP code from their authenticator app. The drainer is now logged in.
Defense: treat any support phone number that reaches you through a search ad as fraudulent. Most exchanges route support through the in-app or on-site ticket system; where one does publish a phone line, it is listed on the exchange's own help site, so get there from a bookmarked URL and never from a sponsored result. Whoever is on the line, a real support agent has no use for your TOTP code: that code exists only to complete a login, and the only login it will complete is the caller's.
1.3 X/Twitter reply-guy scams
The mechanism: post a complaint at @coinbase, get three replies within 90 seconds from accounts like @CoinbaseSupport_US, @CoinbaseHelp_Official. Each has the Coinbase logo as avatar and offers to help via DM. The DM funnel ends at a fake verification site that harvests seeds.
Defense: the username with padding ("_Support," "_Help," "_Official," "_Care," or numeric suffix) is fake by definition. The real account names are short and clean: @coinbase, @krakenfx, @binance. Block every fast-replying lookalike account; never accept a DM offer from one.
Layer 2: signature-trap drainers
2.1 setApprovalForAll on NFT contracts
The mechanism: a fake "BAYC season 2 claim" or "OpenSea verification" page prompts a transaction that calls setApprovalForAll on the NFT contract. Unlike an off-chain signature, this is a state change you pay gas for. It grants the operator address permission to transfer every token the wallet holds in that contract, now or in the future (the function exists on both ERC-721 and ERC-1155). Once it is mined, the drainer calls transferFrom or safeTransferFrom for each token with no further user interaction.
Representative case: a Boston holder, February 2025, lost three Bored Apes, one Pudgy Penguin, and one Doodle (floor-price loss $137,000) within four minutes of signing a "claim eligibility" prompt.
Defense: real airdrops use either a Merkle-claim function (you send a transaction calling claim, no approval needed) or a direct transfer from the project (you sign nothing). If a "claim" page asks for setApprovalForAll, the page is a drainer. Recovery: revoke immediately, before the drainer moves the NFTs. revoke.cash does this, or you can call setApprovalForAll(operator, false) on the contract yourself; either way the revocation is per contract and per operator, so check every collection the wallet holds.
2.2 EIP-2612 Permit and Permit2 signatures
The mechanism: a fake DEX prompts a Permit or PermitBatch signature. The signature is gasless and looks harmless: no transaction is broadcast at signing time. But it grants the operator address spending authority over the signed tokens. The drainer relays the signature in a transaction that calls permit, then calls transferFrom in the same block. The Permit2 variant has a prerequisite worth knowing: a PermitSingle or PermitBatch signature can only move tokens you have already approved to the Permit2 contract, which Uniswap's own interface asks for routinely, so one batch signature can cover every token you ever traded there.
The catch: because nothing was broadcast on-chain at signing time, an allowance checker such as revoke.cash shows nothing; the allowance does not exist until the permit is relayed. The defensive window is between signature and relay, often under a minute.
Defense: never sign a Permit, PermitSingle, or PermitBatch on a URL you reached through a Telegram link, Discord DM, or Google sponsored ad. Only sign Permit on bookmarked URLs of protocols you have used multiple times before. If you signed by mistake, you are racing the relayer, and there are two moves. The first is to void the signature: an EIP-2612 permit is tied to your current on-chain nonce, so submitting any permit of your own (allowance 0 to an address you control) consumes that nonce and invalidates the phished one; Permit2 exposes invalidateNonces for PermitSingle/PermitBatch signatures, invalidateUnorderedNonces for the transfer-style permits, and lockdown to zero allowances already granted. The second, if you are not sure which signature type you signed, is to send all token balances to a fresh wallet. Minutes matter either way.
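Both of the prompts above, the setApprovalForAll transaction of 2.1 and the Permit/Permit2 signatures of 2.2, can be decoded before they are signed, and that is where the check belongs. The following Python is an added example written for this page, not code from any wallet or from revoke.cash: it takes the raw transaction or EIP-712 object a wallet is about to sign, decodes the spender, amount, deadline and batch size, and returns a verdict against an allowlist of spenders you maintain. The selectors are the real four-byte values for setApprovalForAll(address,bool) and approve(address,uint256); the 30-day deadline threshold, the allowlist, and the addresses in any sample input are assumptions.

```python
"""Pre-signature inspector (added example, not from the original page).

Input is the JSON a wallet is about to sign: an eth_sendTransaction request
carrying setApprovalForAll/approve calldata (section 2.1) or an
eth_signTypedData_v4 payload for EIP-2612 Permit and the Permit2 family
(section 2.2). Output is a verdict plus the decoded reasons, so the decision
rests on the fields being signed and not on the look of the page.
"""
import time

MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1        # Permit2 amounts are uint160
MAX_UINT48 = 2**48 - 1          # Permit2 expirations are uint48
LONG_DEADLINE = 30 * 24 * 3600  # assumption: a DEX permit rarely needs > 30 days

# 4-byte selectors: first four bytes of keccak256 of the canonical signature.
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)

PERMIT_TYPES = {"Permit", "PermitSingle", "PermitBatch",
                "PermitTransferFrom", "PermitBatchTransferFrom"}


def _to_int(v):
    if isinstance(v, int):
        return v
    s = str(v)
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def _word(calldata, i):
    """i-th 32-byte ABI word after the 4-byte selector, as 64 hex chars."""
    return calldata[8 + 64 * i: 8 + 64 * (i + 1)]


def _verdict(findings):
    levels = {lvl for lvl, _ in findings}
    verdict = "REFUSE" if "refuse" in levels else "REVIEW" if "review" in levels else "OK"
    return {"verdict": verdict, "findings": [msg for _, msg in findings]}


def inspect_transaction(tx, trusted_spenders):
    """tx: {'to': contract, 'data': '0x...'} exactly as the wallet receives it."""
    trusted = {a.lower() for a in trusted_spenders}
    data = tx.get("data", "0x")[2:].lower()
    sel, findings = data[:8], []
    if sel == SEL_SET_APPROVAL_FOR_ALL:
        operator = "0x" + _word(data, 0)[-40:]
        if int(_word(data, 1), 16) == 1:   # approved == true
            level = "review" if operator in trusted else "refuse"
            findings.append((level, f"setApprovalForAll hands every token in {tx['to']} to {operator}"))
    elif sel == SEL_APPROVE:
        spender = "0x" + _word(data, 0)[-40:]
        if spender not in trusted:
            findings.append(("refuse", f"approve to untrusted spender {spender}"))
        if int(_word(data, 1), 16) == MAX_UINT256:
            findings.append(("review", "unlimited allowance (uint256 max)"))
    return _verdict(findings)


def _collect(obj, out):
    """Walk the typed-data message and pull out the fields that decide the risk."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == "spender":
                out["spenders"].add(str(v).lower())
            elif k in ("value", "amount"):
                out["amounts"].append(_to_int(v))
            elif k in ("deadline", "sigDeadline", "expiration"):
                out["deadlines"].append(_to_int(v))
            elif k == "token":
                out["tokens"].add(str(v).lower())
            _collect(v, out)
    elif isinstance(obj, list):
        for item in obj:
            _collect(item, out)


def inspect_typed_data(typed, trusted_spenders, now=None):
    """typed: the EIP-712 object {types, domain, primaryType, message}."""
    now = int(time.time()) if now is None else now
    trusted = {a.lower() for a in trusted_spenders}
    primary = typed.get("primaryType")
    if primary not in PERMIT_TYPES:
        # A signature type you do not recognise is a stop, not a shrug (section 7.3).
        return _verdict([("review", f"unrecognised primaryType {primary!r}")])
    out = {"spenders": set(), "amounts": [], "deadlines": [], "tokens": set()}
    _collect(typed.get("message", {}), out)
    findings = [("refuse", f"{primary} to untrusted spender {s}")
                for s in sorted(out["spenders"] - trusted)]
    if any(a >= MAX_UINT160 for a in out["amounts"]):
        findings.append(("review", "unlimited amount"))
    if any(d >= MAX_UINT48 or d - now > LONG_DEADLINE for d in out["deadlines"]):
        findings.append(("review", "deadline/expiration more than 30 days out"))
    if len(out["tokens"]) > 1:
        findings.append(("review", f"batch covers {len(out['tokens'])} tokens"))
    return _verdict(findings)
```

Feed it the request JSON from a wallet-side hook or by hand; a PermitBatch to a spender you have never approved, with uint160-max amounts and uint48-max expirations, comes back as REFUSE with "unlimited amount" and "batch covers N tokens" in the findings, whatever the page around it looked like. The allowlist is the part that takes discipline: it should contain only spender contracts you have verified from the protocol's own documentation.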
2.3 Session-key delegations (the new layer)
The mechanism: a fake "MEV protection" service or "smart wallet upgrade" prompt asks for a delegation or session-key signature. EIP-7702, live on Ethereum since the Pectra upgrade in May 2025, lets an EOA sign an authorization that installs contract code at its own address; smart accounts built on it (and ERC-4337 accounts) can then issue session keys that let a third-party address sign on the account's behalf within a scope and duration. A malicious session-key delegation gives the operator the ability to sign transactions from your wallet for the next hour, day, or indefinitely. A malicious EIP-7702 authorization is worse: it points your address at the attacker's contract, and that contract can move everything the address holds.
Defense: legitimate MEV protection (Flashbots Protect, MEV Blocker, CoW Swap) does not require a session key or a 7702 delegation. It works by changing the RPC endpoint, not by delegating signing authority. Any service that asks for a delegation while claiming to provide MEV protection is fraudulent. If you suspect you signed one, check the code at your own address: a delegated EOA reports a 23-byte designator (0xef0100 followed by the delegate's address) instead of empty code, and the only remedy is a new authorization that points the address back at address zero.
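The address check described above, as an added example written for this page (not code from Ledger, MetaMask, or any wallet vendor). The designator format and the nonce rule come straight from EIP-7702; the allowlist of known delegate contracts is an assumption you fill with the addresses your own wallet documents, and fetching eth_getCode is the one network call left to the reader.

```python
"""EIP-7702 delegation check (added example, not from the original page).

Per EIP-7702, eth_getCode on an EOA that has signed a delegation returns a
23-byte designator: 0xef0100 followed by the 20-byte delegate address. A
plain EOA returns empty code, and so does one whose delegation was cleared
by a later authorization pointing at address zero. The functions below take
that getCode result as a hex string.
"""

DELEGATION_PREFIX = "ef0100"
ZERO_ADDRESS = "0x" + "00" * 20


def _strip(code_hex):
    code = code_hex.lower()
    return code[2:] if code.startswith("0x") else code


def parse_delegation(code_hex):
    """Return the delegate address if code_hex is a 7702 designator, else None."""
    code = _strip(code_hex)
    if len(code) != 46 or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[6:]


def assess_account(code_hex, known_delegates):
    """Classify what sits at the address: 'eoa', 'contract',
    'delegated-known' (delegate is in your allowlist) or 'delegated-unknown'."""
    code = _strip(code_hex)
    if code == "":
        return ("eoa", None)
    delegate = parse_delegation(code)
    if delegate is None:
        return ("contract", None)
    if delegate in {d.lower() for d in known_delegates}:
        return ("delegated-known", delegate)
    return ("delegated-unknown", delegate)


def clearing_authorization(chain_id, account_nonce, self_sent=True):
    """Fields of the authorization tuple (chain_id, address, nonce) that undoes
    a delegation: point the address back at address zero. If the EOA itself
    sends the type-4 transaction carrying it, the transaction increments the
    account nonce before the authorization is processed, so the authorization
    must carry nonce + 1; a relayer-sent transaction uses the current nonce."""
    nonce = account_nonce + 1 if self_sent else account_nonce
    return {"chainId": chain_id, "address": ZERO_ADDRESS, "nonce": nonce}
```

A result of delegated-unknown on an address you never meant to upgrade is the confirmation you were looking for, and the clearing authorization is the only thing that removes it; moving funds out first is still the right order, because the delegate contract can act the moment it sees a balance.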
Layer 3: malicious software impersonation
3.1 Fake browser extensions
The mechanism: a Chrome Web Store listing for "MetaMask Pro" or "Uniswap+ Trading" with bought reviews and a polished icon. Once installed, the extension reads every page including wallet RPC calls, injects script into wallet popups, modifies recipient addresses before MetaMask confirms, and submits pre-built Permit signatures silently.
Defense: install browser wallet extensions only by clicking through from the wallet's official site (metamask.io for MetaMask); never search for the wallet by name inside the Chrome Web Store. Check that the developer name matches exactly and that the 32-character extension ID in the store URL is the same one the official site's link opens. Use a dedicated browser profile with only the wallet extension and an ad-blocker, nothing else.
3.2 Sideloaded mobile APKs
The mechanism: a Telegram alpha group shares an APK download for "Binance Pro Mobile" or "Trust Wallet Plus." The user sideloads it, logs in with real credentials, passes SMS 2FA on the same device. The APK forwards every credential, code, and API key to the operator in real time. The user sees a working interface; the operator drains the account.
Defense: never sideload a financial app. The Google Play Store has problems, but a Play binary has at least been scanned and is signed by a key the store has seen before. APKs from Telegram, Discord, or Reddit bypass every protection layer. On current Android the setting is per app ("Install unknown apps"); leave it denied for browsers and messaging apps, which is where these files arrive.
3.3 Fake App Store listings
The mechanism: an Apple App Store listing for "Trust Wallet" under a developer name one or two characters off from the real publisher's (a stray hyphen, a missing comma) with 8,000 bought reviews. The app passes review by behaving normally for the reviewer; it uploads the seed phrase to the operator's server only when a user imports a seed with material balance.
Defense: cross-check the developer name on the wallet's official site. Trust Wallet, MetaMask Mobile, and the Coinbase Wallet (self-custody) app all list their App Store and Play Store links directly on their own .com sites. Click through from the site, not the other way around.
Layer 4: long-form social engineering
4.1 Pig butchering ("杀猪盘")
The mechanism: a romance or friendship match on Tinder, Hinge, Facebook, or LinkedIn. Weeks to months of relationship building. Eventually, the "partner" mentions a crypto trading platform they personally use and have profited from. The platform is fake — it looks real, has working KYC, shows realistic charts. Deposits work; small withdrawals work; large withdrawals require a "tax" or "verification fee" that is itself the final scam.
The 2024-2025 industry estimate: $3.5 billion in US losses to pig butchering, run out of compounds in Cambodia, Myanmar, and Laos that use trafficked workers to work these scripts.
Defense: any "investment opportunity" introduced via a dating-app or social-media match is a scam. Search the platform name + "scam" before depositing. Never pay a withdrawal "tax" — no legitimate exchange charges to release your own funds. If you are in the middle of one, stop depositing now and report to ic3.gov.
4.2 Fake recovery services (the secondary scam)
The mechanism: a victim of a prior phishing loss searches "crypto recovery service" on Google. A sponsored ad leads to "ChainGuard Forensics" or similar — polished website, claimed FBI partnerships, $300M in recovered funds advertised. The service charges an upfront "case fee" plus a percentage of recovered funds. After payment, the service asks for additional "international cooperation fees," then goes dark.
Defense: real forensic firms (TRM Labs, Chainalysis, Elliptic) work with law enforcement and large institutions, not retail victims, and they do not solicit victims through search ads. Any "recovery service" charging upfront fees is fraudulent. Real recovery, when it happens, is contingent on funds actually being seized and comes through law-enforcement processes, not private firms.
4.3 Deepfake giveaways
The mechanism: a YouTube "live stream" featuring AI-generated video of CZ, Vitalik, Elon Musk, or Saylor announcing a Bitcoin giveaway. "Send any amount to this address, receive 2x back." The video loops; the chat is bot-generated with fake testimonials. The address is the drainer.
Defense: the structural tell. If anyone wanted to give away crypto, they would broadcast transactions to known addresses; the recipient would not need to send anything first. The "send X to receive 2X" structure exists only to extract value from the sender. There has never been a legitimate version of this offer.
Layer 5: hardware and supply-chain attacks
5.1 Pre-initialized secondhand devices
The mechanism: an eBay or Mercari listing for a "new in box" Ledger Nano X below MSRP. The seller already knows the seed the buyer will end up using, by one of two routes: the box contains a pre-filled recovery sheet with instructions to "restore" it during setup, or the device's firmware has been replaced so that the "new" seed it displays is one the seller holds. Either way the buyer funds the wallet and gets drained weeks later.
Defense: buy hardware wallets only from the manufacturer's official website: Ledger.com, Trezor.io, Coinkite.com (for Coldcard). Never Amazon (even "Sold by [Brand]"), never eBay, never Craigslist. A genuine device generates its seed on first setup and shows it only on its own screen; a recovery sheet that arrives already written on is a drain waiting to happen. If you must use a secondhand device, wipe it first (three wrong PINs on a Ledger, a factory reset from Trezor Suite on a Trezor), run the manufacturer's genuine-device check from its desktop software, then re-initialize and confirm the seed it displays is one nobody has shown you before.
5.2 Mailed "replacement" devices
The mechanism: a physical letter arrives with Ledger branding, claiming a "free security upgrade" related to the 2020 Ledger customer-data leak. Two weeks later, a package arrives with what appears to be a new Ledger device. The accompanying instructions ask the user to type their existing 24 words "to migrate funds." The new device is a drainer client.
Defense: hardware wallet manufacturers never send replacement devices unsolicited. The 2020 Ledger leak is now five-plus years old; no legitimate remediation program runs five years after the incident. Any unsolicited device shipment is a scam regardless of how authentic the packaging looks.
5.3 Supply-chain firmware compromise
The mechanism: a "Sold by [Brand]" listing on Amazon for a hardware wallet with tampered firmware. The device passes visual inspection but generates seed phrases in a deterministic range the operator can brute-force, or transmits the seed via side channel during first computer connection. Documented in the 2024 SatoshiLabs disclosure of a "compromised distributor" incident.
Defense: buy direct from the manufacturer. Verify the firmware signature on first boot via the manufacturer's own software (Ledger Live, Trezor Suite). Run a "dust test" before funding seriously: send a small amount, hold 48 hours, and check the address on a block explorer for anything anomalous. Know what that test can and cannot catch: it catches a drain triggered immediately, not one deferred until the balance is worth taking. Use a BIP-39 passphrase, which defends against a seed that was leaked or pre-known in the supply chain; it does not defend against tampered firmware, which sees the passphrase too, so the firmware check comes first.
Layer 6: cross-chain and bridge fraud
6.1 Fake bridges
The mechanism: a Google sponsored ad for "universalbridge.io" or similar appears at the top of a search for "USDC bridge arbitrum solana." The site looks like a polished bridge aggregator. The user approves USDC spending, submits the bridge. The funds leave the source chain; nothing arrives on the destination. There is no actual bridge — just a pair of wallets the operator controls.
Defense: use only audited bridges with years of operating history. For USDC: Circle's CCTP. For general assets: Wormhole, Stargate, Across, deBridge. Find bridges through the official chain documentation (Arbitrum docs, Solana docs), not via Google. Bridge a $50 test amount first and verify that both chains' explorers show the transactions before committing the full balance.
6.2 Wrong-chain "deposits"
Not a scam, but a self-inflicted loss frequent enough to mention. A user sends USDT from Binance to their hardware wallet, selects the wrong network (BSC instead of Ethereum, or Tron instead of BSC). The funds confirm on the wrong chain. Recovery is possible (sometimes, with exchange help, with fees) but takes 4-12 weeks and is not guaranteed.
Defense: every withdrawal screen has a network selector. Verify it matches the destination wallet's expected chain. For any withdrawal above $1,000, send a $20 test first. Save addresses in the exchange's address book with network labels.
Layer 7: emerging patterns (2025-2026)
7.1 Dust-and-bait token claims
The mechanism: a worthless token appears in your MetaMask sidebar, named to mimic a real airdrop ("USDT Airdrop Reward," "BlackRock Bitcoin ETF Claim," "USDC Compensation Pool"). The token's contract metadata links to a "claim" website. The claim page cannot use approvals you granted to legitimate contracts; what it does is prompt a fresh approval, Permit, or setApprovalForAll of its own, dressed up as a claim step. The dropped token itself is never the target; it is the lure.
Defense: unsolicited tokens are bait, not gifts. Hide them; do not click their contract addresses; do not visit their "claim" websites. Audit your existing approvals monthly on revoke.cash so that, if the bait works once, the blast radius is one new approval rather than years of accumulated ones.
7.2 Late-claim airdrop scams
The mechanism: a holder missed a real airdrop snapshot. Days later, a fake "Foundation Late Claim Portal" account on X replies to their complaint tweet offering retroactive eligibility via a signature. The signature is a Permit2 batch over every ERC-20 the holder has ever approved to Permit2, which for an active DEX user is most of the portfolio.
Defense: snapshots are final. Real projects do not run "second chance" portals. The fact that someone is offering retroactive eligibility is the proof the offer is fraudulent.
7.3 Account-abstraction phishing
The mechanism: as account-abstraction wallets (ERC-4337) become standard, new signature types appear. Each new signature type is a fresh vector for phishing — users don't yet recognize what is normal vs. what is malicious. Expect this category to grow in 2026-2027.
Defense: when a wallet shows a signature type you have never seen before, do not sign. Look up the signature type's documentation first. Better to miss the airdrop than to lose the wallet.
The 30-minute recovery protocol
If you have just realized you have been phished:
- Minute 0-5. Open a clean device that has never had the compromised wallet. Generate a new seed on a fresh hardware wallet. Note the new addresses. Decide what leaked: an approval or permit signature (the key is still yours, only the allowance is hostile) or the seed itself (the attacker holds the key).
- Minute 5-15. Move stablecoins from the compromised wallet to the new addresses. USDC, USDT, DAI, in that priority. They are the attacker's highest-value drain target. Each transfer needs gas in the compromised wallet; if the seed leaked, assume a sweeper bot is watching the address, and any ETH you send in for gas will be taken in the same block. Rescue then requires the gas top-up and the outbound transfers to land atomically, which is what white-hat bundle services built on Flashbots exist for.
- Minute 15-25. Move liquid majors: ETH, BTC, SOL, BNB. Then any high-value NFTs.
- Minute 25-30. Move long-tail tokens, anything not actively staked. Then revoke all approvals on revoke.cash. If the compromise was a single approval, revoking it first is cheaper than moving everything and closes the hole while you move the rest.
The compromised wallet is now empty. Do not "save" it as a low-value wallet. It is permanently in the attacker's queue and will be drained the moment value reappears.
Within the first hour after rescue: audit all linked services for approvals or deposit addresses. File IC3 at ic3.gov with full transaction hashes. Treat any related credentials (email, exchange logins, password managers) as potentially compromised until proven otherwise.
The hard truths
- Most compromises lose everything in the affected wallet. The recovery protocol works only for cases caught early.
- Real recovery via law enforcement is rare. Industry estimates: 3-8% of crypto fraud losses see partial recovery within two years. The rest is gone.
- The shame is the attacker's most effective tool for keeping victims silent. Talk to someone. The technical mistakes that led to the loss are not unique; the same patterns hit thousands of holders.
- The defensive posture is structural, not psychological. You do not "outsmart" phishing by being skeptical. You design your custody so that one mistake does not lose everything.
Related reading
Specific case files on this site walk through individual attack patterns in depth: the 30-case scam-cases library. The structural defenses: private keys and seeds, self-custody wallet guide, hardware wallet comparison, 2FA hierarchy, leak recovery protocol, 30-item self-check.