These Crypto Scams are Becoming More Sophisticated


All it takes is a brief lapse in concentration, and you’re fucked.

Phishing, Ponzi schemes, giveaways, and the classic pump-and-dump are among the most common scams in crypto and other sectors. 
 
While many of these are more obvious than others, malicious actors are becoming more sophisticated over time. 
 
According to Chainalysis, authorised push payment (APP) scams are one of the biggest threats aimed at financial institutions.
 
More than $10 billion of crypto is lost annually due to these elaborate scams. Updated data from the US Federal Trade Commission shows that this figure increased to $12.5 billion in 2024. 
 
Specifically for the USA, the FBI’s Cryptocurrency Fraud Report 2023 reported that Americans lost $5.6 billion to crypto scams. 
 
Today, we’ll cover some increasingly popular and more advanced schemes defrauding crypto investors. 

Authorised Push Payment (APP) fraud

 
Unlike many conventional scams, an APP involves the victim authorising the transfer of money or assets to the scammer via social engineering or impersonation. 
 
This typically involves the victim being coerced into sending funds due to a sense of urgency or fear. 
 
The most common scams in this category include investments and pig-butchering/romance scams, where the fraudster gradually builds trust with the victim by pulling on their heartstrings.
 

About 18 months ago, I received an email from someone who claimed to have “footage of me watching porn” and that I’d need to send $5,000 worth of Bitcoin to avoid them disseminating the video. 
 
Little did they know that this isn’t possible because I’ve been covering my selfie cameras for several years (courtesy of watching too much Black Mirror), but I digress. 
 
However, I can’t comment for everyone. It’s common for people to be scared when faced with these emails, believing that they have been caught, even if there is no evidence.
 
What’s the best course of action? Ignore them.
 
After a few days, they started getting frustrated because I didn’t cave in. 
 
Once again, do not reply. 
 
I reported them to ScamWatch (in Australia). Even if it feels pointless, you’re still doing your bit by raising awareness among authorities about the extent of this fraud, which can help prevent further incidents from occurring. 
 
In terms of giveaways, if it’s too good to be true, it probably is. 
 
— Don’t fall for the pressure someone puts on you to send a certain amount of crypto by a specific date. 
 
— Don’t feel obligated to help someone you’ve never met on the other side of the world, especially if they claim to offer something in return. If it’s a one-off small donation through a reputable platform, that’s a different story. 

Texts that appear to be from legitimate sources

 
Good spelling and grammar, natural-sounding phrases, the use of a local number, and the name of the crypto company appearing in the message list give unsuspecting individuals the impression that the message is from the company being impersonated.
 
Hackers have become more sophisticated and convincing, so don’t let your guard down. 
 
While there are signs to indicate something is a scam, many people still fall victim to these cyber-attacks. 
 
I received two texts from scammers claiming to be from Coinbase and Ledger.

Image provided by author.

A few things that gave it away for me were: 
 
— These companies will never text you when there’s an urgent matter. The exceptions are when 2FA has been (de)activated or your password has been reset, but these don’t include a number to call. You might also get a new-device notification, which is typically provided via email, often when logging into an exchange server with a VPN. 
 
— You can see the number by clicking the contact icon next to the name. Neither of the texts listed above provided this option. 
 
When in doubt, reach out to the company directly and ask them about this matter. All reputable crypto companies should have resources that inform you about common scams bearing their name and what to do. 
 
— If you prefer talking to someone, I recommend doing so via the live chat feature so you can address this matter ASAP and have access to a written transcript (or at least screenshots) for future reference. 
 
— I don’t have the “Ledger recovery” option. Also, the lazy-f*ck scumbags didn’t check an important thing: The service is called Ledger Recover (capital letters, as it’s a proper noun).
 
If this were actually from Ledger, I highly doubt it’d make this mistake. 

Dusting attacks 

Although these are not new, they have gained popularity once again.
 
From my experience, this has mostly involved some unknown entity sending me 0.00001 XLM (a fraction of a penny). 
 
The idea is to get you to interact with the wallet address by sending your tokens (assuming you have enough in your wallet to justify moving them to an exchange) or spending them in some way. 
 
Moving your tokens grows your digital footprint. Because public blockchains are highly traceable, hackers can use this on-chain data to de-anonymise you by connecting otherwise anonymous wallet addresses to ones tied to an identity, such as accounts on crypto exchanges.
 
Hackers can use this on-chain data to carry out phishing attacks or even blackmail you by threatening to reveal your identity. 
 
This blog post provides comprehensive details about dusting attacks and their privacy implications. 
 
It’s not worth jeopardising your privacy (or increasing the risk of revealing your identity) for chump change.
 
Trezor covers information about dusting attacks and airdrop scam tokens. Coinbase also has a resource about dusting attacks and how to avoid them. 
 
Based on these articles, dusting attacks are more common on networks that use a UTXO model (Bitcoin, Litecoin, Dogecoin) or cryptocurrencies with ultra-low transaction fees, notably XLM and XRP. However, other networks are not immune to these. 
 
If you receive dust or bogus airdrops, do not interact with the address anymore; leave it alone, especially if you have a small amount of cryptocurrency. 
 
A more advanced measure is to opt for a hierarchical-deterministic (HD) wallet that creates new cryptographic key pairs or addresses from a master key pair for every transaction. This enhances privacy by making it much harder for hackers to track your on-chain activity.
 
As a general rule, avoid reusing wallet addresses as much as possible. 
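To make the privacy risk concrete, here is an added example (not from the original post) of the common-input-ownership heuristic that chain analysis relies on, and of why leaving dust unspent keeps two addresses unlinked. The address labels, the `expected` flag and the 1,000-satoshi cut-off are assumptions made for this sketch.

```python
from collections import defaultdict

DUST_LIMIT_SATS = 1_000  # assumed cut-off for this example only


def cluster_addresses(transactions):
    """Common-input-ownership heuristic: addresses spent together as inputs
    of one transaction are assumed to share an owner (union-find)."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in transactions:
        roots = [find(addr) for addr in tx["inputs"]]
        for root in roots[1:]:
            parent[find(root)] = find(roots[0])

    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return sorted(sorted(group) for group in groups.values())


def spendable(utxos):
    """Coin control: keep unsolicited dust out of the inputs a wallet may pick."""
    return [u for u in utxos if u["sats"] >= DUST_LIMIT_SATS or u["expected"]]


def demo():
    # Constructed sample data, not real addresses or transactions.
    history = [{"inputs": ["addr_exchange_linked"]}, {"inputs": ["addr_private"]}]
    utxos = [
        {"addr": "addr_exchange_linked", "sats": 250_000, "expected": True},
        {"addr": "addr_private", "sats": 546, "expected": False},  # the dust
    ]
    sweep_all = {"inputs": [u["addr"] for u in utxos]}
    coin_controlled = {"inputs": [u["addr"] for u in spendable(utxos)]}
    return (cluster_addresses(history + [sweep_all]),
            cluster_addresses(history + [coin_controlled]))


if __name__ == "__main__":
    linked, separate = demo()
    print("dust co-spent:  ", linked)
    print("dust left alone:", separate)
```

When the dust is swept together with other coins, both addresses collapse into one cluster; with the dust excluded they stay separate.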

“Firmware updates available”

 
I’ve received emails from convincing addresses reminding me to download the latest firmware updates.

The hackers did a reasonable job of providing an email (and address) that resembles something official, but they’re not fooling me. 

Image supplied by the author.

Three things stand out here as being bogus: 
 
1) Notice that they didn’t bother using Ledger’s official logo in the header. 
 
2) They’re compelling you to update the software by a certain date. Official sources will rarely request this, especially on such short notice (I received this email within a few days of the event). 
 
3) This is less obvious, but Ledger’s official website lists the most popular scams bearing the company’s name. 
 
Fortunately, Proton Mail and many other end-to-end encrypted email services display a security warning about spoofing. Nonetheless, always be vigilant. 
 
While many of us are on top of these things, minute details are not that apparent to casual crypto investors. 
 
If you need to perform a firmware update, always use the official in-house software suite, such as Ledger Live, Trezor Suite, or BitBoxApp.
 
Don’t trust; verify.
 
Visit the official website of your respective hardware wallet provider(s) and look for the “Security”, “Firmware updates”, or “Support” tab to verify this information when in doubt.
 
More tech-savvy people can check these details on GitHub, particularly for open-source code. 

AI-generated videos and voice cloning

 
 While I’ve noticed a decrease in bogus videos about crypto giveaways — whereby malicious actors use AI-generated videos and voice cloning to impersonate famous tech personalities and crypto leaders — this problem will likely become increasingly prevalent. 
 
This will also become much harder to detect with the naked eye.
 
Celebrities aside, there’s a more nefarious aspect to all of this, with AI cloning the voices of family and friends to deceive people into sending money or crypto.
 
Thus, we’ll need “beneficial” forms of AI to fight the dangerous types, much like good vs bad bacteria, i.e., probiotics.
 
Crypto projects like OriginTrail (TRAC) hope to use blockchain technology to verify AI models’ claims. Others, such as those behind the Artificial Superintelligence Alliance (ASI), claim to be working towards “beneficial AGI.”

“Dark Skippy”

Dark Skippy (DS) is an exploit that tricks hardware wallet users into downloading a bogus firmware update that deploys malicious code. This extracts one’s recovery (seed) phrase — the 12 or 24-word set, sometimes 20 words when using Shamir backup — used to access one’s wallets again. 
 
The corrupted firmware can be configured to embed small portions of the recovery seed in the secret nonces (“numbers used only once”) used when signing Bitcoin transactions.
 
The hacker looks for signature irregularities in the mempool (a blockchain’s list of pending transactions) and deploys an algorithm such as Pollard’s Kangaroo Algorithm on the public nonces (allocated to a block in Bitcoin mining) to reveal the entire seed. In turn, the hacker can then control the victim’s wallet.
 
This can be done with as few as two transactions from a wallet that has downloaded the compromised firmware.
 
I covered this vulnerability in detail last year. I’ve linked the article below.

In addition to the advice mentioned earlier to always use official firmware updates, consider adding a passphrase as an extra layer of protection for specific wallets linked to a recovery seed. 
 
Additional thoughts 
 
There is another popular scam, but I wouldn’t describe this one as advanced: verifying your keys. 

NEVER do anything like this or give your recovery seed to anyone. Even Ledger and Trezor remind people about this.

If you receive such an email and hover over the ‘Verify Your Keys’ tab, you will see a dodgy URL in the bottom-left corner. This is likely a phishing attempt to install malware on your system surreptitiously or a similar activity to extort you somehow.


I’ve noticed a significant increase in bots and other scammers flooding the comments section on Medium, although it’s not as bad as the cesspool I encounter under many YouTube videos. 
 
One person accidentally clicking these dodgy links is one too many. We have to report and block it as much as possible.
 
I spend a few minutes each day swiftly deleting and reporting these bogus accounts. While I understand that many (top) writers don’t have time or can’t justify flagging all of these, I encourage more readers to do so to ensure a better experience on Medium. 
 
The same applies to fully AI-generated content, especially pieces that manage to get monetised. I’m going to report it, no questions asked. 
 
Call me a male Karen (Kevin?), but this is Medium’s official stance. 

In summary: 
 
— Seek as much information and related news as possible directly from the crypto services you are using: hardware wallets, exchanges, and company blogs/social media posts. 
 
— Be extra vigilant, particularly when sensitive personal information and large sums of crypto are at stake. 
 
— If there’s something suspicious, report it. It’s better than remaining silent about it. 
 
— 2FA is a bare minimum for all services you use. Ideally, you should opt for security keys over authenticator apps where possible. Nonetheless, both are still better than SMS one-time codes.
 
 What other important scams should be addressed here? Which ones have you seen on the rise in recent years? Comment below.

Affiliate link

If you’d like to purchase a Ledger or Trezor product, please use the following link to help support my channel. I receive a small commission per sale at no additional cost.

I also have a referral link where you can get one month free of Proton Mail’s Plus subscription.


Disclaimers

This blog post is for informational purposes only and does not constitute financial, legal, or investment advice. The author assumes no responsibility for any decisions based on the content provided.

• My opinions in this piece may not reflect those of any news outlet, person, organisation, or other entity listed here.

• Please do your own research before investing in any cryptocurrency assets, staking, NFTs, or other products associated with this space.
 
 • BTC and ETH account for approximately half of my crypto portfolio. ADA and XRP represent another 25%.
