Crypto Scams
In order to protect users from scams, it is important to understand, name, and describe them.
A crypto scam is a malicious attempt to steal your crypto assets, made up of two distinct parts:
Deceit
How a scammer tricks you
+
Payload
What a scammer does with your account
Malware is software an attacker tricks you into running on your local machine, giving them full access to your computer. While not specific to crypto, malware attackers often target computers that store crypto keys. Once the malware is running locally, private keys are sent back to the attacker, creating significant and irrecoverable problems for the owner of the wallet.
Imposter dApp
Users accessing dApps via their web browser (such as Uniswap, OpenSea, etc.) need to carefully check that they are on a valid, secure, official web site. Search engine ads or direct messages often lead users to web sites that appear identical to an official dApp, with similar-looking URLs. These web sites are malicious, and interactions with them can be devastating.
Broken Promise dApp
A dApp that promises something to the user but fails to deliver on that promise. These are often promoted in chat rooms, via direct message, or via fake "support". Examples include:
- An NFT trading site that, when issued approval, takes your NFTs for free.
- High interest rates on deposits. Often, these will pay out rewards for some period of time before taking all your assets via approval.
- A wallet synchronization site, usually offered by fake support staff as a solution to any crypto problem you are having, which usually steals your private key/seed phrase.
Fake Support
When anything goes wrong with a crypto account, it can be tempting to ask for help in a public forum. Scammers are always lurking, ready to "help", often asking for the secret seed phrase or directing the victim to a web site that asks for it.
Scam Payloads
Private Key Theft
When using a "software wallet" such as, any software running on your computer has access to your locally-stored private key.
Private Key Request
Whether it is a web-form, a user in a DM, or a "wallet sync" application, a user being asked for their private key will sometimes simply give it to the attacker willingly.
Token Transfer
A user willingly signs a token transfer that immediately transfers the asset into the scammer's wallet.
Token Approval
While a token transfer benefits the scammer immediately, getting the user to "approve" a token for future transfer might lead to a larger payday: the scammer waits for the account to grow in value before taking everything.
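The difference between the Token Transfer and Token Approval payloads is visible in a transaction's calldata before it is signed. The following Python code is an added example, not part of the original page: it decodes the standard ERC-20/ERC-721 function selectors and separates an immediate transfer from a standing approval. The function names, risk labels and sample address are assumptions made for illustration, and `approve` is read in its ERC-20 form (on an ERC-721 contract the second argument is a token ID).

```python
# Added example. Selectors are the first 4 bytes of keccak256 of the standard
# ERC-20 / ERC-721 function signatures.
SELECTORS = {
    "a9059cbb": "transfer",           # transfer(address,uint256)
    "095ea7b3": "approve",            # approve(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
}
MAX_UINT256 = 2**256 - 1
SAMPLE_SPENDER = "0x" + "ab" * 20     # constructed address, not a real account


def encode_call(selector, address, value):
    """Build constructed sample calldata: selector + two 32-byte ABI words."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(value, "064x")


def classify_calldata(data_hex):
    """Describe what a pending transaction asks the wallet to sign."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    if name is None:
        return {"action": "unknown", "risk": "review"}
    args = data[8:]
    try:
        # Expect exactly two words; an address word has 12 zero bytes of padding.
        if len(args) != 128 or int(args[:24], 16) != 0:
            raise ValueError("unexpected argument layout")
        value = int(args[64:], 16)
    except ValueError:
        return {"action": name, "risk": "review"}
    result = {"action": name, "party": "0x" + args[24:64], "value": value}
    if name == "transfer":
        result["risk"] = "immediate"   # Token Transfer: asset leaves now
    elif value == 0:
        result["risk"] = "low"         # ERC-20 reading: clears an approval
    elif name == "setApprovalForAll" or value == MAX_UINT256:
        result["risk"] = "high"        # Token Approval: unlimited, standing
    else:
        result["risk"] = "medium"      # bounded approval, still standing
    return result


if __name__ == "__main__":
    for sel, val in [("a9059cbb", 10**18), ("095ea7b3", MAX_UINT256),
                     ("095ea7b3", 0), ("a22cb465", 1)]:
        print(classify_calldata(encode_call(sel, SAMPLE_SPENDER, val)))
```

The "party" field is the address that receives the tokens or the spending right; comparing it with the contract the user meant to interact with is the check that matters for an approval.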