
Common Crypto Scams and How to Avoid Them
Rug pulls, phishing, fake airdrops — the threats every user must know
The $14 Billion That Vanished While You Were Reading the News
In 2023, a retiree in California matched with a charming stranger on a dating app. Over four months they exchanged hundreds of messages — recipes, family photos, plans to finally meet. Then came the investment tip: a "private" crypto trading platform with steady, beautiful gains. She deposited $10,000 and watched the dashboard tick upward. She deposited more. By the time she tried to withdraw her "profits," the website was gone, the messages stopped, and $1.2 million of her life savings had evaporated into a wallet she would never trace. There was no charming stranger. There was a warehouse of scammers running the same script on a thousand people at once.
This is not a rare horror story. The FBI's Internet Crime Complaint Center logged $5.6 billion in cryptocurrency fraud losses in 2023 — up 45% year over year — while Chainalysis pegged broader crypto-related crime north of $14 billion. And those are only the cases people reported. Shame keeps most victims silent, so the real number is almost certainly larger.
Crypto scams exploit the same ancient levers as every con before them — greed, fear, loneliness, and trust — but they are supercharged by three properties unique to this technology: transactions are irreversible, addresses are pseudonymous, and the culture genuinely celebrates assets that 100x in a week. When a token can legitimately moonshot overnight, the line between "incredible opportunity" and "obvious fraud" gets blurred on purpose. That blur is the scammer's entire business model.
What follows isn't an exhaustive encyclopedia. It's the handful of attacks that actually drain the most money — explained with enough mechanical detail that you can recognize each one before it reaches your wallet, and a concrete defense stack you can set up this afternoon.
Phishing: The Attack That Works Every Single Time
Phishing causes more individual losses than any other attack vector in crypto, and the mechanic is brutally simple: a fake website that looks identical to a real one — same logo, same fonts, same layout, a URL that's off by a single character. You connect your wallet, you approve a transaction you assume is routine, and a malicious smart contract drains every token you just gave it permission to touch.
The amateur versions have typos and broken images. The dangerous versions are flawless. Google Ads have served phishing links for "Uniswap" and "MetaMask" that ranked above the real results. Accounts on X impersonate Vitalik Buterin or official protocol handles and post fake airdrop links to millions of followers. Discord bots fire off DMs with "exclusive mint" links the second you join an NFT server. In early 2024, a phishing campaign mimicking a "platform migration" email stole over $1.7 million in NFTs from OpenSea users — people who thought they were just confirming an account update.
The most insidious evolution is the wallet drainer — pre-built malicious code now rented out as "Drainer-as-a-Service," so even non-technical criminals can deploy a professional-grade theft kit. The drainer doesn't need your seed phrase. It just needs you to sign one transaction on a convincing page, and the signature does the rest.
The defense is boring, which is exactly why it works:
- Bookmark the real URLs and only ever navigate from your bookmarks — never from search ads, DMs, or social posts.
- Verify the URL character by character before connecting your wallet. Watch for swapped letters (rn vs m), extra hyphens, and lookalike domains.
- Read what you're signing. A wallet prompt that asks to "approve all" or grants spending on a token you're not actively trading is a red flag.
- Use a dedicated browser or profile for crypto, with a hardware or MPC wallet for anything valuable.
Rug Pulls: The Exit Scam, Perfected
A developer launches a token. They hype it relentlessly on X and Telegram. The price climbs as buyers pile in. Then, in a single transaction, the developer pulls all the liquidity out of the DEX pool and walks away. The price goes to zero instantly. Every buyer is left holding a token they physically cannot sell, because there's no liquidity left to sell into. That's the "rug" being pulled out from under you.
Chainalysis tracked over $2.8 billion in rug pull proceeds in 2021 alone. The Squid Game token (SQUID) is the textbook case: it rose 75,000% before the developers vanished with $3.3 million, having written code that made it impossible for ordinary holders to sell in the first place. Most rug pulls are far smaller and faster — meme coins on launchpads that live for a few hours before the deployer yanks the pool.
Rug pulls come in three mechanical flavors, and it helps to know which is which:
- Liquidity theft (hard rug). The team seeds a liquidity pool to look legitimate, lets buyers add their money, then withdraws everything at once. Instant zero.
- Token dumping (soft rug). The team secretly holds the majority of supply, pumps the narrative, and quietly sells into your buy orders until the chart collapses. Slower, but just as final.
- The unsellable-token trap. The contract contains a hidden function — a "honeypot" — that blocks everyone except the developers from selling. You can buy all day; you can never get out.
The warning signs cluster together. No single one is proof, but two or three should stop you cold:
- Anonymous team with no verifiable track record.
- Liquidity not locked in a timelock contract (so the dev can pull it anytime).
- A mint function in the contract, letting the dev print unlimited new tokens.
- Concentrated holdings — a few wallets own most of the supply.
- Marketing that sells price, not product — all "100x" hype, no working utility.
You can check most of this yourself in five minutes. On a block explorer like Etherscan, confirm the contract is verified (the source code is public) and inspect the top holders. Run the token through a screener like Token Sniffer or Rug Doc to flag honeypot code and unlocked liquidity. If a token can't survive that five-minute audit, it doesn't deserve your money.
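The checklist above, turned into code as an added example (not the article's own code, and not how Token Sniffer or Rug Doc work internally). It assumes you have already fetched the token's runtime bytecode and a holder-balance snapshot from an explorer; the bytecode, balances and wallet labels below are constructed sample values, and the selectors are the standard 4-byte ids of the two common mint signatures.

```python
# Added example: an offline version of the five-minute rug-pull screen.
# Bytecode and holder balances are constructed; selectors are standard 4-byte ids.
MINT_SELECTORS = {"40c10f19": "mint(address,uint256)", "a0712d68": "mint(uint256)"}

def push4_immediates(bytecode_hex: str) -> set:
    """Walk the bytecode opcode by opcode and collect every PUSH4 immediate.

    Solidity's dispatcher compares the call's selector against PUSH4 constants,
    so these are the functions the contract answers to. Walking opcodes instead
    of grepping avoids matching the same bytes inside another PUSH's data.
    """
    code = bytes.fromhex(bytecode_hex.removeprefix("0x"))
    found, i = set(), 0
    while i < len(code):
        op = code[i]
        if 0x60 <= op <= 0x7F:            # PUSH1..PUSH32: (op - 0x5F) data bytes follow
            n = op - 0x5F
            if n == 4:
                found.add(code[i + 1:i + 5].hex())
            i += 1 + n
        else:
            i += 1
    return found

def top_holder_share(balances: dict, top_n: int = 5) -> float:
    """Fraction of supply held by the largest top_n wallets."""
    total = sum(balances.values())
    return sum(sorted(balances.values(), reverse=True)[:top_n]) / total if total else 0.0

def screen_token(bytecode_hex, balances, liquidity_locked, source_verified) -> list:
    """Return the checklist red flags this token trips (two or three: walk away)."""
    flags = []
    if not source_verified:
        flags.append("contract source not verified on the explorer")
    if not liquidity_locked:
        flags.append("liquidity not locked in a timelock")
    for sel in sorted(push4_immediates(bytecode_hex) & set(MINT_SELECTORS)):
        flags.append(f"mint function present: {MINT_SELECTORS[sel]}")
    share = top_holder_share(balances)
    if share > 0.5:
        flags.append(f"top 5 wallets hold {share:.0%} of supply")
    return flags

# Constructed dispatcher: selector for transfer, then for mint, each checked with EQ/JUMPI
MEME_CODE = "6080604052600035" + "60e01c" + "8063a9059cbb146100305780" + "6340c10f1914610040" + "5700"
# Constructed decoy: the mint selector bytes occur only inside a PUSH32 constant
CLEAN_CODE = "6080604052" + "7f40c10f19" + "00" * 28 + "8063a9059cbb1461003057" + "00"
MEME_HOLDERS = {"deployer": 600, "w1": 150, "w2": 100, "w3": 50, "w4": 50, "w5": 25, "w6": 25}
CLEAN_HOLDERS = {f"w{i}": 10 for i in range(100)}
```

`screen_token(MEME_CODE, MEME_HOLDERS, liquidity_locked=False, source_verified=True)` trips three flags; the decoy bytecode shows why a raw substring search for the mint selector would give a false positive that the opcode walk does not.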
Pig Butchering: The Long Con That Steals Everything
The grotesque name comes from the method: scammers "fatten up" a victim with affection and small fake wins before the "slaughter" — taking everything at once. It is now the single largest scam category by revenue in crypto, and Binance reported pig-butchering cases doubling (up 100.5%) from 2022 to 2023. Unlike a drainer that hits in seconds, this attack unfolds over weeks or months, which is precisely what makes it so devastating: by the time money is involved, the victim genuinely trusts the person on the other end.
It runs in four stages, and recognizing the shape is your best defense:
1. Contact. A "wrong number" text, a dating-app match, a friendly DM. The opener is always warm and never about money.
2. Grooming. Weeks of real conversation — daily check-ins, life stories, emotional intimacy. The scammer is patient, supportive, and relatable. No financial talk yet.
3. Fattening. They casually mention a "private" investment platform that's been good to them. You deposit a small amount and the dashboard shows lovely gains. They even let you withdraw a little to prove it's real. That single successful withdrawal is the hook.
4. Slaughter. Emboldened, you deposit your savings. When you try to withdraw, you're told you owe "taxes" or "fees" first — more money to chase money that was never there. Then the platform and the person vanish together.
The platform was a fiction from the first screen. The "gains" were numbers in a database the scammer controlled. The whole architecture was designed to manufacture trust and then weaponize it.
Ponzi Schemes and the Math of Impossible Returns
Some scams don't hide in a smart contract — they hide in a spreadsheet. A Ponzi scheme pays existing investors with money from new investors, not from any real profit. As long as deposits keep growing, the early "returns" look real and the testimonials are glowing. The moment inflows slow, the whole thing collapses, and everyone still inside loses everything.
Crypto supercharges this because outrageous yields can sound plausible. When a meme coin genuinely 50x's, a promise of "2% daily returns, guaranteed" doesn't immediately register as a fantasy — even though it compounds to more than 137,000% a year, a rate no honest business on Earth can sustain. The largest crypto Ponzi to date, BitConnect, promised ~1% per day, drew in billions, and detonated in 2018, vaporizing the savings of tens of thousands of people.
The tells are mathematical, and they don't lie:
- "Guaranteed" returns. All real investment carries risk. The word "guaranteed" next to a yield figure is the single biggest red flag in finance.
- Returns that are suspiciously smooth. Real markets swing. A chart that ticks up the same amount every single day is a fabricated number, not a trading result.
- Referral pressure. If your reward depends on recruiting others, the "yield" is just the next victim's deposit. That's a pyramid, not a product.
- Vague strategy. "Proprietary AI arbitrage bot" with no verifiable on-chain activity means there is no strategy — only your money paying the person who joined before you.
Apply one filter to every yield opportunity: where does the return actually come from? If you can't name the real economic source — trading fees, lending interest, staking rewards verifiable on-chain — then the source is probably the next investor, and you are the exit liquidity.
A Practical Defense Stack You Can Build Today
You don't beat scammers by being smarter than them in the moment — they engineer moments where nobody is at their sharpest. You beat them with structure set up in advance, so that even your worst click can't cost you much. Here is the stack, in order of impact.
1. Separate your wallets. Keep a "hot" wallet with minimal funds for daily interactions — connecting to dApps, claiming airdrops, minting NFTs. Keep the bulk of your portfolio in a hardware wallet or an MPC wallet that never touches random smart contracts. If your hot wallet gets phished, you lose pocket change instead of your net worth. This single habit caps your downside more than any other.
2. Practice URL discipline. Bookmark every real site you use and navigate only from bookmarks. Never reach a crypto platform through a search ad, a DM, or a "support" link someone sent you. Verify domains character by character before connecting.
3. Keep your approvals clean. Revoke old token approvals regularly and prefer specific spending limits over unlimited ones. A clean approval list means an exploited contract has nothing to grab.
4. Read every signature. Slow down before you sign. If a prompt requests "approve all," grants access to a token you're not trading, or arrives with a countdown timer, stop and verify. Urgency is manufactured.
Where GaiaEx Removes the Single Point of Failure
Most catastrophic crypto losses trace back to one of two failures: a seed phrase stolen, leaked, or phished out of someone — or a centralized custodian that quietly mishandled funds, FTX-style. GaiaEx is architected to take both of those single points of failure off the table.
MPC key security — no seed phrase to steal. Your private key is never assembled in one place. Using Multi-Party Computation, it's split into encrypted shards held by independent parties, so no single server, device, or person ever holds the complete key. There is no master seed phrase for a phishing page to trick out of you, and no single file an attacker can exfiltrate. The most common cause of total loss — a compromised seed — simply doesn't exist in this model.
Non-custodial by design — no FTX scenario. You keep control of your assets. GaiaEx isn't a centralized vault where one executive can move customer money behind closed doors, because there is no closed door — settlement happens on-chain where anyone can verify it.
On-chain execution you can audit. Trades settle on Hyperliquid L1 with sub-second finality, on a public ledger. The trust isn't in GaiaEx-the-company keeping honest internal books; it's in the mathematical guarantees of the chain itself.
None of this makes you invincible. No exchange and no technology can stop you from signing a malicious transaction or wiring your savings to a "romantic" stranger's investment platform. The defense stack in the previous section is still your responsibility — wallet separation, URL discipline, approval hygiene, and the $0 test. What GaiaEx does is shrink the catastrophic-failure surface to the decisions you actually control, and remove the ones you shouldn't have to think about. That's the honest deal: the platform handles the cryptography so you can't lose a seed phrase you never had, and you handle the judgment calls no software can make for you.
Impersonation, Giveaways, and the Approval You Forgot About
Not every scam is elaborate. Some are loud and crude and still work, because they target a moment of distraction. Impersonation and giveaway scams are the classic: a verified-looking account promises that if you "send 1 ETH to this address, you'll get 2 ETH back." Nobody doubles your money for free — ever. The math is the whole scam. AI has only sharpened it: deepfaked videos of Elon Musk or crypto founders now "host" live-stream giveaways that look professionally produced.
A quieter cousin does more lasting damage, and it is sitting in your wallet right now: token approvals. Every time you trade on a DEX, you grant a smart contract permission to move a token on your behalf — and most interfaces default to unlimited approval. That permission doesn't expire. If that contract is later exploited, or was malicious from the start, it can drain the approved token months after you forgot the interaction ever happened. Old approvals on abandoned or compromised contracts are dormant trapdoors under your funds.
The fix is maintenance, not genius: periodically audit your approvals with a tool like revoke.cash or Etherscan's approval checker, and revoke anything you no longer actively use. Where you can, approve only the specific amount you need instead of granting unlimited access.
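An added example (not the article's code, nor how revoke.cash or Etherscan implement their checkers) of the approval audit described here and in item 3 of the defense stack: replay a wallet's ERC-20 Approval events to reconstruct which allowances are still live and which are unlimited. It assumes the logs were already fetched from a node; the owner, token, spender addresses and log entries below are constructed sample values, and the topic hash is the standard keccak256 of Approval(address,address,uint256).

```python
# Added example: rebuild a wallet's live ERC-20 allowances from Approval logs
# and rank what to revoke. Logs and addresses below are constructed samples.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1           # what an "unlimited" approval literally grants

def topic_to_address(topic: str) -> str:
    """Indexed address topics are the 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Replay Approval logs in chain order: the latest event per (token, spender)
    wins, and a value of 0 means the allowance was revoked."""
    owner, latest = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(log["topics"][1]) != owner:
            continue                   # someone else's approval
        key = (log["address"].lower(), topic_to_address(log["topics"][2]))
        value = int(log["data"], 16)
        if value == 0:
            latest.pop(key, None)
        else:
            latest[key] = value
    return latest

def revoke_plan(logs, owner):
    """Live allowances as (token, spender, is_unlimited, value), unlimited first."""
    rows = [(token, spender, value == MAX_UINT256, value)
            for (token, spender), value in outstanding_allowances(logs, owner).items()]
    return sorted(rows, key=lambda r: (not r[2], r[0], r[1]))

def pad(addr: str) -> str:        # build a constructed indexed-address topic
    return "0x" + addr[2:].lower().rjust(64, "0")

ME, TOKEN = "0x" + "a1" * 20, "0x" + "70" * 20                      # constructed
ROUTER, OLD_DAPP, NEW_DAPP = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
SAMPLE_LOGS = [   # constructed; deliberately not in chain order
    {"address": TOKEN, "blockNumber": 150, "logIndex": 1,
     "topics": [APPROVAL_TOPIC, pad(ME), pad(OLD_DAPP)], "data": "0x0"},
    {"address": TOKEN, "blockNumber": 100, "logIndex": 3,
     "topics": [APPROVAL_TOPIC, pad(ME), pad(ROUTER)], "data": hex(MAX_UINT256)},
    {"address": TOKEN, "blockNumber": 120, "logIndex": 0,
     "topics": [APPROVAL_TOPIC, pad(ME), pad(OLD_DAPP)], "data": hex(500 * 10**6)},
    {"address": TOKEN, "blockNumber": 160, "logIndex": 7,
     "topics": [APPROVAL_TOPIC, pad(ME), pad(NEW_DAPP)], "data": hex(250 * 10**6)},
]
```

`revoke_plan(SAMPLE_LOGS, ME)` reports only ROUTER (unlimited) and NEW_DAPP (250 units): the OLD_DAPP allowance was revoked at block 150, which the replay only gets right because events are sorted by block before being applied.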