NewsDataAtlasBlogPortfolio
GuidesReviewed 2026-05
EN中文

Identifying Crypto Scams: Patterns, Tools, and Defenses

Every common crypto scam in 2026 — phishing, rug pulls, address poisoning, approval drains, fake support — with red flags and prevention checklist.

By Web3Wagmi Editorial17 min readReviewed by Web3Wagmi Research Desk
Identifying Crypto Scams in 2026: Patterns, Tools, and Defenses
Table of contents

The 2026 scam taxonomy

Five scam categories cause nearly all retail crypto losses in 2026: approval-drain phishing, address poisoning, rug pulls, pig-butchering/AI impersonation, and fake support. Last verified: 2026-05-27.

Crypto theft hit $3.4B in 2025 — with the February Bybit hack ($1.5B, attributed to North Korea's Lazarus Group) accounting for 44% of that total alone, per Chainalysis. Personal wallet compromises — phishing, poisoning, drainer kits — reached 158,000 incidents affecting 80,000 unique victims and $713M stolen, now representing 20% of total stolen value (down from 44% in 2024 as attackers increasingly pivot to larger institutional targets). Separately, Chainalysis estimates total crypto scam losses at $17B in 2025 (phishing, pig-butchering, impersonation combined), up from the prior year, driven by AI-assisted fraud. Scam Sniffer counts $83.85M in EVM drainer/phishing losses across 106,000 victims in 2025 — an 83% drop from 2024's $494M — meaning defensive tools are working on the phishing front even as AI-powered social engineering scales fast. Law enforcement clears under 5% of crypto theft cases. OFAC sanctions on mixer infrastructure remain in flux after the Fifth Circuit vacated Tornado Cash designations in November 2024, with Treasury ultimately delisting it in March 2025.

The five biggest categories in 2026:

Category2025 losses (est.)TrendDefended by
Approval-drain phishing$84M (drainer kits only, Scam Sniffer)Falling — down 83% YoYBookmarks + Rabby simulation
Address poisoning$50M+ (single incident alone, Dec 2025)Rising sharplyFull-address verification
Rug pulls / exit scamsHundreds of millions (varies by definition)ActiveToken Sniffer + Bubblemaps
Romance / pig-butchering / AI impersonation$17B total scam losses (Chainalysis, all types)Rising fast — AI-drivenNever invest based on online introductions
Fake support / impersonationIncluded in $17B aboveSteady — increasingly AI-voicedSupport never DMs first
How to spot crypto scams infographic — six sections: (1) common scams (pump & dump, rug pull, phishing sites, fake giveaways, fake apps & wallets, romance/pig butchering, impersonation); (2) red flags (guaranteed returns, high pressure, secret deals, no doxxed team, copied whitepapers, no audit, fake partnerships, over-the-top marketing, weird tokenomics, no real product); (3) how to protect yourself (DYOR, verify everything, secure your wallet, check before you click, use trusted communities, take your time); (4) useful tools (DeFiLlama, Token Sniffer, rugdoc.io, PooCoin, ScamAdviser, WHOIS, Revoke.cash); (5) pre-send checklist (verify website + contract, understand tokenomics, check team, confirm audits); (6) what to do if scammed (stop, don't send more, report, warn others, document — most crypto transactions are irreversible).

The 2026 crypto scam playbook — common patterns, red flags, the tools that catch them, and what to do if you get hit.

Scam 1: Approval-drain phishing

Approval-drain phishing (a phishing attack where victims sign a malicious setApprovalForAll or permit signature granting attackers token transfer rights) caused $83.85M in losses across 106,000 victims in 2025 — an 83% drop from 2024, but a new attack surface opened with EIP-7702 after Ethereum's Pectra upgrade in May 2025. Last verified: 2026-05-27.

How it works:

  1. You visit a fake site — usually arrived via a Google Ad for "Uniswap" or "Lido" pointing to a typosquat domain (uniswap-app.com, lidofinance.io, lid0.fi). Drainer kits are sold as a service to affiliates who run the ad spend.
  2. The site looks pixel-identical to the real one — most drainer kits clone the real DOM and proxy public RPC reads.
  3. You connect your wallet (this alone is safe; connection is just an address read).
  4. The site asks you to sign a "claim airdrop," "verify wallet," or "approve token" transaction. The signature is actually setApprovalForAll(drainer, true) for an NFT contract, or an EIP-2612 permit granting infinite USDC/USDT spend allowance.
  5. Within seconds (often under one block), the attacker's sweeper bot calls transferFrom and drains the approved balance. ERC-20 stablecoins go to a mixing service; NFTs go straight to Blur for instant sale at floor.

EIP-7702: the new attack surface post-Pectra. Ethereum's May 2025 Pectra upgrade activated EIP-7702, which lets an ordinary wallet (EOA) temporarily delegate execution to a smart contract via a single signed authorization. Wintermute reported that over 80% of EIP-7702 authorizations seen on-chain within weeks of the upgrade were used for malicious sweeper contracts rather than legitimate batching. Two major EIP-7702 drainer incidents in August 2025 alone caused $2.54M in losses. The attack works by embedding a malicious delegation inside what looks like a routine signature — the user sees "approve," the contract executes a full wallet drain in the same transaction. Rabby and Pocket Universe have added EIP-7702 simulation, but the attack surface is new and still evolving.

Drainer kit landscape. Pink Drainer announced shutdown in May 2024 after stealing approximately $85M from over 21,000 victims. Inferno Drainer — which had previously announced retirement in November 2023 — resurfaced after Pink's exit, transferred its toolkit to Angel Drainer in October 2024, and Inferno/Angel now operate as a single merged product. Security firms consistently warn that "shutdown" announcements in the drainer space are often rebranding events rather than genuine exits. Scam Sniffer's 83% drop in losses reflects improved wallet-simulation adoption, not disappearance of the underlying kits.

Real cases: The largest single phishing theft in 2025 totaled $6.5M in stETH and aEthWBTC via a Permit signature in September. Only 11 cases exceeded $1M in 2025 (down from 30 in 2024). In March 2026, Operation Atlantic — a joint enforcement action by the US Secret Service, UK, and Canada — froze $12M and shut down 120 scam sites, flagging 20,000+ compromised wallet addresses.

Red flags:

  • URL doesn't match the real site (extra hyphen, .xyz instead of .com, Cyrillic lookalike characters)
  • "Reward" or "airdrop" you never registered for
  • Unusual signature request — anything containing setApprovalForAll, permit, or an EIP-7702 delegation to an unrecognized contract address
  • Urgency cues ("claim expires in 5 minutes", "100 spots remaining")

Prevention:

  • Bookmark official URLs. Never use Google search to navigate to a wallet-connected dApp.
  • Use Rabby Wallet — it simulates signatures and shows asset impact in plain English ("This will let X drain all your USDC").
  • Install a transaction simulator like Pocket Universe as a second-layer check. Both now flag EIP-7702 delegation signatures.
  • Use a burner wallet for any "claim airdrop" interaction. The burner should never hold more than gas.
  • Read every signature. If it includes a delegation or approval you didn't initiate, reject.

Scam 2: Address poisoning

Address poisoning (an attack where lookalike addresses are seeded into a victim's transaction history so they later copy-paste an attacker-controlled address) tricks copy-paste senders by seeding lookalike addresses into transaction history — a single incident in December 2025 cost one trader $50M in USDT. Last verified: 2026-05-27.

How it works:

  1. Attacker uses a vanity-address generator (Profanity-style, GPU-accelerated) to mint a wallet whose first 4–6 and last 4–6 hex chars match an address you transact with regularly — a CEX deposit address, your hardware wallet, a frequent counterparty.
  2. Attacker sends a $0 transaction (USDT transferFrom with 0 value, or a token they minted) from that lookalike address to your wallet. Now it appears in your "recent" transaction history.
  3. Next time you transfer, you copy "your usual address" from wallet history — but it's the attacker's lookalike with matching first/last chars and 30 different chars in the middle.
  4. You send funds to the attacker. The transaction is irreversible.

Real example: In December 2025, a trader lost $49.999M in USDT after sending a small test transaction to confirm destination, then copying the poisoned address from their history for the main transfer. The attacker swapped the USDT for DAI and ETH within minutes and laundered proceeds through a mixer before any freeze could be applied — Tether can freeze USDT, but not DAI. The victim offered a $1M white-hat bounty; no return occurred. Earlier, in August 2023, a different trader lost $68M in USDT the same way; those funds were returned only after viral on-chain pressure — an outcome that almost never happens.

Prevention:

  • ALWAYS verify the FULL address before sending. Not first/last 4. The full string, character by character, or by pasting both into a diff tool.
  • Use the wallet's address-book feature (verify once when you save, then use the saved name).
  • Send a test transaction ($1–10) for any new recipient or large transfer — but then verify that the confirmation receipt matches your intended address, not just your transaction history entry.
  • Use ENS names where possible (vitalik.eth is harder to spoof than a raw hex address).
  • Wallets with address-poisoning protection: Rabby flags suspicious history; MetaMask added similar detection; Safe requires explicit address-book confirmation.

Scam 3: Rug pulls

A rug pull (when project insiders abandon a token and dump their holdings, crashing price to near zero) is when project insiders abandon a token and dump holdings — via liquidity removal, honeypot contracts, slow distribution dumps, or NFT roadmap ghosting. Last verified: 2026-05-27.

Common formats:

a) Liquidity rug. Token launches on Uniswap. Team holds majority of LP tokens. After hype builds, they call removeLiquidity — token tradeable at near zero. The Squid Game token (October 2021) is the canonical example: $3.38M removed, token went from $2,861 to $0.0008 in five minutes.

b) Honeypot. Contract code allows buying but blocks selling via a hidden modifier on transfer. Looks profitable on paper, can't exit. Token Sniffer's honeypot scanner specifically tests buy + sell against a forked node before you commit.

c) Slow rug. Team accumulates wallets via stealth allocations or team multisigs, dumps slowly over weeks. The April 2025 MANTRA (OM) collapse is the most-discussed recent case: 17 wallets deposited 43.6M OM tokens (approximately $227M) to exchanges over a short period, triggering a roughly 90% price crash from around $6.30 to under $0.50, wiping over $5B in market cap. The MANTRA team disputed rug-pull characterization, attributing it to forced CEX liquidations during thin weekend liquidity — on-chain data is ambiguous, and the disputed facts make it a cautionary example of token-concentration risk regardless of intent.

d) NFT rug. Project promises roadmap, raises mint funds, then ghosts. Frosties (January 2022) raised $1.3M and disappeared — the founders were charged by the SDNY for wire fraud and money laundering.

Tools to detect:

Red flags:

  • Top 10 wallets hold over 50% of supply (Bubblemaps shows this clearly)
  • LP not locked, or locked for under 6 months (check Unicrypt, Team Finance lock pages)
  • Contract not verified on the explorer
  • Team is anonymous AND token has unlimited mint function (mint() with no cap, owner not renounced)
  • Telegram/Discord deletes critical questions or bans users for asking about audits
  • Audit firm is unrecognized — real audits come from Trail of Bits, OpenZeppelin, Code4rena, Sherlock, ConsenSys Diligence, Spearbit, or Cantina

Scam 4: Pig butchering and AI-powered impersonation

Pig butchering and AI-assisted impersonation drove total crypto scam losses to $17B in 2025 (Chainalysis) — impersonation scams grew 1,400% year over year as AI tools lowered the cost of building convincing fake personas at scale. Last verified: 2026-05-27.

How pig butchering works: Long-form social engineering, industrialized out of compound-style operations in Myawaddy (Myanmar), Sihanoukville (Cambodia), and Tachileik (Myanmar–Thailand border), primarily run by Chinese organized crime networks using trafficked labor. Scammer builds a relationship over weeks via Tinder, Bumble, WhatsApp, LinkedIn, or Instagram. Eventually introduces a "guaranteed return crypto investment platform" — a fake CEX controlled end-to-end. Victim deposits, sees fabricated UI gains, deposits more. When victim tries to withdraw, "tax fees" or "verification deposits" are demanded. Funds gone.

AI acceleration in 2025. AI-enabled scam operations generated 4.5x more revenue per operation than traditional scams in 2025, per Chainalysis. The average scam payment rose to $2,764 (up 253% from $782 in 2024). Real-time deepfake video calls — used in the February 2024 Arup $25M fraud case — are now standard in high-touch pig-butchering operations targeting high-net-worth victims. Voice cloning now requires under three seconds of audio for an 85%+ match. The defense of "ask for a video call" no longer reliably distinguishes scammers from legitimate contacts; the new defense is demanding a live spontaneous action (specific gesture or phrase you choose in the moment, not a scripted call).

Huione ecosystem. Chainalysis analysis found that Huione — a Southeast Asia-based marketplace — processed nearly $100B in crypto since 2021, serving as a one-stop shop for scam operators: fake persona AI tools, money laundering services, and victim-targeting databases. OFAC targeted pig-butchering networks in November 2025, and APAC law enforcement froze $47M in pig-butchering funds in August 2025.

Red flags:

  • New "friend" pivots to investing within 2–4 weeks
  • They mention a CEX you've never heard of or a real-sounding name that doesn't exist
  • "Guaranteed" returns of any amount, often quoted as daily percentage gains
  • Withdrawal request triggers "tax/fee" demands payable from outside the platform
  • They use video calls but the video is unusually smooth, lighting never changes, or they refuse a spontaneous live gesture
  • Photos fit a "wealth display" template — yacht, business class, watch close-ups

Prevention:

  • Never invest based on social media or messaging recommendations from individuals you met online
  • Verify any exchange independently: CoinGecko listed, proof of reserves audited, multi-year track record, regulated in a named jurisdiction
  • If someone you met online recently is pitching crypto, end the relationship

Scam 5: Fake support impersonation

Legitimate support never DMs first. Coinbase, MetaMask, Ledger, Phantom, and Discord mods always wait for you to open a ticket on their official site. Last verified: 2026-05-27.

How it works: You post on Twitter/Discord/Reddit asking for help — "my MetaMask shows wrong balance," "can't withdraw from Coinbase." Within minutes, "official support" DMs you. They ask for your seed phrase to "verify your account," ask you to "import a configuration file" (a malicious wallet import), or direct you to a "support portal" phishing site. AI voice cloning is now used in phone-based variants: scammer calls you claiming to be Coinbase security, has your name and partial account details from data breaches, and instructs you to "secure your account" by moving funds to a "safe wallet" they control.

Universal rule: Legitimate support never DMs first. Ever. Not Coinbase, not MetaMask, not Ledger, not Phantom, not Trezor, not Discord mods, not "Twitter Blue Verified support reps." Chainalysis reports impersonation scams grew 1,400% in 2025 as AI tools made fake government-official and company-representative personas trivially cheap to construct.

Real support is always:

  • Initiated by YOU through their official ticket form (found by typing the URL or using your bookmark — not via search)
  • Never asks for seed phrases (no legitimate company will ever ask)
  • Never asks you to install anything (especially not "TeamViewer to fix your wallet")
  • Never asks you to "verify" by signing a transaction
  • Found at the official website URL (which you've bookmarked from a verified source)

Best crypto scam defenses by use case

Match the defense to the threat: bookmarks + Rabby for phishing, full-address verification for poisoning, Token Sniffer + Bubblemaps for rugs, and a hardware wallet for everything else. Last verified: 2026-05-27.

  • Best defense against approval-drain phishing — Bookmark official URLs + use Rabby's transaction simulation (EIP-7702 delegation alerts included post-Pectra).
  • Best defense against address poisoning — Verify FULL address (not first/last 4) + use ENS where possible + address-book whitelisting.
  • Best defense against rug pulls — Check Token Sniffer + Bubblemaps holder concentration + LP locked status before any buy.
  • Best defense against pig-butchering — Never invest based on someone you met online; verify any exchange independently.
  • Best defense against fake support — Universal rule: legitimate support never DMs first.
  • Best wallet for scam resistance — Hardware wallet (Ledger/Trezor) + Rabby for hot transactions.
  • Best browser setup for scam resistance — Pocket Universe + dedicated crypto profile + no extensions you did not install yourself.
  • Best monthly habit for scam prevention — Revoke.cash audit of all token approvals across all wallets.
  • Best response after a successful scam — Move funds to a new seed-phrase wallet immediately + revoke all approvals + IC3.gov report.
  • Worst recovery option — Hiring a "fund recovery service." These are second-stage scams targeting victims.

→ Find the right app with web3wagmi Atlas (most drains start at a fake lookalike site — pick what you want to do and reach the real protocol from a curated map instead of a search-ad imposter)

Universal safety checklist

Six monthly habits — revoke approvals, audit incoming transactions, update firmware, re-bookmark sites, re-verify saved addresses, confirm offline seed backup — neutralize most scam vectors before they trigger. Last verified: 2026-05-27.

Run these monthly:

  • Visit a token-approval revoker like Revoke.cash, review approvals, revoke unused
  • Audit your wallet activity for unfamiliar incoming transactions (poisoning prep — especially 0-value transfers or dust from unknown addresses)
  • Confirm your hardware wallet firmware is up to date
  • Confirm bookmarks for major sites (Coinbase, MetaMask, Aave, etc.) — re-bookmark from typed URLs, not search
  • Re-verify any "saved" addresses in your wallet's address book
  • Make sure your seed phrase backup is offline, paper or steel

Pre-send checklist for any large transfer

Run these five checks every time you send over $10k. They take 90 seconds and they catch the mistakes that cost real money.

  1. URL match. The dApp domain matches your bookmark exactly. No extra hyphen, no .io vs .xyz swap, no Cyrillic letters.
  2. Full recipient address. Paste both source and destination into a diff tool or compare character-by-character. Never trust first/last 4. The December 2025 $50M loss happened after a test transaction confirmed the wrong address from history.
  3. Transaction simulation. Rabby or Pocket Universe shows "you send X, you receive Y." If the simulation shows anything unexpected — extra approvals, wrong contract, EIP-7702 delegation — reject.
  4. Signature contents. If it's a signature (not a tx), read the raw payload. Anything containing setApprovalForAll, permit, permit2, seaport, or an EIP-7702 authorization code should match an action you understood and initiated.
  5. Test send. For any first-time transfer over $10k, send $10 first. Confirm receipt against the intended address directly in the block explorer — not from your wallet's history view.

What to do if you've been scammed

Move remaining funds to a new seed-phrase wallet, revoke approvals at Revoke.cash, document everything, report to IC3.gov and the receiving exchange. Never pay a "recovery service" — they are second-stage scams. Last verified: 2026-05-27.

  1. Move remaining funds immediately to a new wallet generated from a brand-new seed phrase. The old seed is burned — never use it again, not for a different chain, not for anything.
  2. Revoke all approvals at Revoke.cash for every chain you've used (Ethereum, Base, Arbitrum, Optimism, Polygon, Solana, BNB).
  3. Document everything — transaction hashes, screenshots, addresses, dates, the URL of the phishing site if known.
  4. Report:
    • IC3.gov (US) / Action Fraud (UK) / Europol's EC3 (EU) / your local equivalent
    • The exchange the funds flowed into — Binance, Coinbase, OKX all have abuse@ teams that can freeze if you're fast (within hours, not days)
    • Chainalysis Reactor or TRM Labs (on-chain tracing — they sometimes work pro bono on large cases)
  5. Don't pay "recovery services" — these are second-stage scams targeting victims. The pattern: a "blockchain forensics firm" finds you on Reddit or Telegram, claims they can recover for a fee. They cannot. Real recovery only happens via law enforcement and exchange freezes.

Looking ahead

Four signals to track over the next 12 months:

  • AI deepfake calls are now real-time and routine. By mid-2026, real-time deepfake video is standard in high-touch pig-butchering. The defense moves from "ask for a video call" to "demand a spontaneous live gesture or phrase you dictate in the moment." Voice cloning requires under three seconds of audio; assume any inbound call from "crypto support" or an investment contact is potentially cloned.
  • EIP-7702 drainer maturation. Ethereum's account-abstraction upgrade opened a new phishing attack surface where a single user signature can authorize a sweeper contract on an EOA. Wintermute found over 80% of early EIP-7702 authorizations were malicious. Expect drainer kits to shift toward EIP-7702 batch-drain attacks as the ecosystem tooling matures and user familiarity with the new signature type remains low.
  • Drainer consolidation and rebranding. Pink Drainer (shut May 2024) folded into Angel/Inferno. Expect the next "shutdown" announcement to be another rebrand rather than a genuine exit. Watch for new kits exploiting EIP-7702 and cross-chain bridge approval flows.
  • CEX liability for scam deposits. New York DFS and California DFPI are signaling that CEXs receiving pig-butchering deposits without flagging them may face fines. If enforcement lands, exchange compliance teams will freeze faster — making the first 4-hour reporting window after a scam more consequential.

The hard truth

Most stolen crypto is never recovered — under 5% of cases are cleared by law enforcement. Five basic habits prevent virtually every retail scam in 2026. Last verified: 2026-05-27.

Most stolen crypto is never recovered. Law enforcement clears under 5% of crypto theft cases. The December 2025 $50M address-poisoning victim offered a $1M bounty and received nothing. The August 2023 $68M victim got funds back only because the attacker miscalculated exposure — a one-in-a-thousand outcome.

All major scams in 2026 are preventable with five basic habits:

  1. Bookmark official URLs.
  2. Use a hardware wallet for over $5k holdings.
  3. Read every signature — including EIP-7702 delegation fields.
  4. Revoke approvals monthly.
  5. Trust nothing that DMs you first.

Related: Best Crypto Wallets 2026 · Best Crypto Bridges 2026

Frequently asked questions

What's the most common crypto scam in 2026?

Approval-drain phishing is the most pervasive by incident count — victims sign a malicious setApprovalForAll or permit signature on a fake site and the attacker drains tokens. Scam Sniffer recorded $83.85M in phishing losses across 106,000 victims in 2025, down 83% from 2024 thanks to better wallet simulation tools. The highest-value scam category overall is AI-assisted impersonation and pig-butchering, which drove total crypto scam losses to $17B in 2025 per Chainalysis.

What's a rug pull?

A rug pull is when project insiders abandon a token and sell their holdings, crashing the price to zero. Common in DeFi (liquidity removed from LP), NFTs (creator dumps and disappears), and meme coins. Tools like Token Sniffer and DEX Screener flag honeypots — tokens you can buy but not sell.

How do I avoid getting my wallet drained?

1) Use Rabby or Pocket Universe for transaction simulation. 2) Bookmark official URLs and never click links from DMs or search ads. 3) Revoke unused token approvals monthly via Revoke.cash. 4) Never sign setApprovalForAll or permit without knowing exactly why. 5) Use a hardware wallet for any meaningful balance. 6) Maintain a separate burner wallet for new dApps. 7) After Ethereum's Pectra upgrade, be alert to EIP-7702 delegation phishing — a single signature can now authorize a sweeper contract on your EOA.

Are crypto support tickets scams?

If anyone DMs you offering support for a crypto issue, they are scamming you. No legitimate company — not Coinbase, MetaMask, Ledger, Phantom — ever DMs first. Real support is only at official ticket links from their verified websites.

What is address poisoning?

An attacker generates a wallet with first/last characters matching yours (or someone you transact with). They send $0 transactions to/from your address so it appears in your wallet history. Later, when you copy-paste an address from history, you might paste theirs. In December 2025 a single victim lost $50M in USDT this way. Always verify the FULL address, not just first/last 4.

How can I check if a project is legitimate?

1) Audit history (look it up on Code4rena, Sherlock, OpenZeppelin). 2) Token sniffer / GoPlus security score. 3) Team doxx status (anon is not automatically a scam, but raises risk). 4) Smart contract verified on Etherscan/Solscan. 5) Token concentration (over 50% in top 10 wallets is a red flag). 6) Liquidity locked or burned. 7) Community sentiment (excessive shilling = caution).

What's the fastest red flag that tells me a project is a scam?

Unsolicited DM offering opportunity, tech support, or airdrop claim. Legitimate projects do not message users. Combine that with any of: telegram/Discord-only contact (no on-chain or website verification), unverifiable team identities, returns guarantees, urgency (claim before 24h), or a request to connect your wallet to an unfamiliar dApp. Any two of those signals = walk away regardless of how convincing the rest looks.

How do address-poisoning attacks actually work?

Attackers send 0-value transactions to your wallet from a vanity address that matches the first and last 4-6 characters of an address you have previously transacted with. When you copy-paste from your transaction history (looking for that recent address), you grab the attacker's similar-looking one instead. Defence: always verify the full address before sending, never trust your transaction history as a copy-source, and use wallets with address-book whitelisting (Rabby, Safe).

Are crypto recovery services legitimate?

Almost never. The vast majority of crypto-recovery services advertised online are themselves scams — they collect an upfront fee, do nothing, and disappear. Real recovery is possible only in narrow cases (Chainalysis-traceable stolen funds, lost-key services for known wallet types via Reclaim or Wallet Recovery Services). If anyone DMs you offering recovery after a scam, assume it is a follow-on scam targeting the same victim.

What is the most expensive type of scam in 2026?

Pig-butchering and AI-assisted impersonation scams. Chainalysis estimates total crypto scam losses hit $17B in 2025, with impersonation scams growing 1,400% year over year driven by AI deepfake tools. Average payment per victim rose to $2,764 in 2025, up 253% from 2024. Individual pig-butchering victims routinely lose $100k-$1M+ after months of relationship-building before the fake investment platform is pitched.

Sources & further reading

About this guide: written by Web3Wagmi Editorial · reviewed by Web3Wagmi Research DeskMore guides