The crypto space is full of scams — from obvious grifts to sophisticated attacks that fool experienced users. In 2024 alone, over $5.6 billion was lost to crypto fraud according to the FBI. This guide covers the specific scam types you're most likely to encounter and exactly how to protect yourself.
Rug Pulls: The Fake Project Exit
A rug pull happens when developers create a token, hype it up, attract investment, and then vanish with the money. The token's price crashes to zero and the dev wallets are empty.
How to spot one:
- Anonymous team with no verifiable track record — faces generated by AI, fake LinkedIn profiles, no GitHub history.
- Liquidity isn't locked — if developers can pull the trading liquidity at any time, they probably will. Check DexScreener or similar tools.
- Unrealistic promises — "guaranteed 1000x," "risk-free returns," or "the next Bitcoin" are red flags, not features.
- Contract not verified or audited — if the smart contract code isn't published and verified on Etherscan, you can't know what it does.
Phishing: Fake Websites and Messages
Phishing is the most common crypto attack. You receive a message (email, DM, or even a Google ad) that directs you to a website that looks exactly like MetaMask, Coinbase, or another service. You enter your credentials or seed phrase, and they are sent directly to the attacker.
✅ metamask.io ❌ metamask-wallet.io
✅ coinbase.com ❌ coinbase-login.com
✅ rentahuman.ai ❌ rentahuмan.ai (Cyrillic м)
✅ app.uniswap.org ❌ app-uniswap.org
- Bookmark official sites and always access them from your bookmarks.
- Never click links in DMs — if "Coinbase Support" messages you on Discord or Telegram, it's not Coinbase.
- Check the URL character by character — attackers use Cyrillic characters, extra letters, and creative misspellings.
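One way to automate the character-by-character URL check above, as an added example that is not part of the original guide: it compares a hostname against an allowlist of bookmarked official sites (taken from the guide's own examples), flags non-Latin letters, and flags words that match or nearly match a known brand. The names `classify`, `OFFICIAL`, `BRANDS` and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Allowlist built from the real sites named in this guide; extend it with your own bookmarks.
OFFICIAL = {"metamask.io", "coinbase.com", "rentahuman.ai", "app.uniswap.org"}
BRANDS = sorted({d.split(".")[-2] for d in OFFICIAL})  # coinbase, metamask, ...
THRESHOLD = 0.8  # assumed similarity cut-off for misspellings

def scripts(host):
    """Scripts of the letters in host, from Unicode character names (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def classify(host):
    """Return (verdict, detail); verdict is 'official', 'suspicious' or 'unknown'."""
    host = host.strip().lower().rstrip(".")
    if host.isascii() and "xn--" in host:
        try:  # turn punycode labels back into the letters a browser may render
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            return ("suspicious", "undecodable punycode label")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return ("official", host)
    reasons = []
    if not host.isascii():
        foreign = sorted(scripts(host) - {"LATIN"})
        reasons.append("non-Latin letters: " + ",".join(foreign))
    # Mask non-ASCII characters, then compare each dot/hyphen-separated word to the brands.
    masked = "".join(c if c.isascii() else "?" for c in host)
    words = re.split(r"[.-]", masked)
    for brand in BRANDS:
        if any(brand in w or SequenceMatcher(None, w, brand).ratio() >= THRESHOLD
               for w in words):
            reasons.append("imitates " + brand)
    return ("suspicious", "; ".join(reasons)) if reasons else ("unknown", host)

if __name__ == "__main__":
    # The four fake hosts from the list above, plus one real and one unrelated host.
    for h in ["metamask.io", "metamask-wallet.io", "coinbase-login.com",
              "rentahuмan.ai", "app-uniswap.org", "example.org"]:
        print(h, "->", classify(h))
```

A verdict of "unknown" only means the host is not on the allowlist and resembles nothing on it; it says nothing about whether the site is safe.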
Approval Scams: Malicious Smart Contracts
This is more subtle. You connect your wallet to a website (maybe to "mint an NFT" or "claim an airdrop"), and it asks you to approve a transaction. That transaction gives the contract permission to spend your tokens — all of them.
- Read every transaction you sign — MetaMask shows what permissions you're granting. "Approve unlimited USDC" is almost never what you want.
- Set specific amounts — instead of "unlimited" approval, approve only the exact amount you're spending.
- Revoke old approvals — use revoke.cash to check and revoke contract permissions you no longer need.
Social Engineering: The Human Element
Not all scams are technical. Some rely on building trust:
- "Recovery service" scams — after losing funds, you post about it online. Someone offers to "recover" your crypto for a fee. They can't. They just take the fee.
- Impersonation — someone pretends to be a project admin, exchange employee, or even a friend. They ask for "verification" involving your seed phrase or a transaction.
- "Overpayment" tricks — you receive crypto you didn't expect, then someone contacts you asking you to "return the excess." The initial payment was fake or dust — the money they want you to send is real.
The Non-Negotiable Rules
You only need to remember three rules to avoid 99% of crypto scams.
- Never share your seed phrase or private key — no legitimate service, support agent, or person will ever ask for it. Period. (More in our seed phrase guide.)
- Never click links in DMs or emails — navigate directly to official sites via bookmarks.
- If it sounds too good to be true, it is — no legitimate project guarantees returns. Free money doesn't exist.
What to Do If You've Been Scammed
- Act immediately — if you shared your seed phrase, create a new wallet and transfer remaining funds before the attacker does.
- Revoke all approvals — visit revoke.cash and remove every contract approval on the compromised wallet.
- Document everything — save transaction hashes, wallet addresses, screenshots, and any messages.
- Report the scam — file with the FTC (US), Action Fraud (UK), or your local authority. Report to the platform where it happened.
- Accept and learn — most stolen crypto is unrecoverable. Don't fall for "recovery services" that promise to get it back — they're scams too.
For more on protecting your accounts, see our security guide on 2FA and hardware wallets. And if you're evaluating a specific token, use our token legitimacy checklist.