WalletDNA

Crypto scam glossary

Plain-English definitions of the scams people actually run into — what they look like, how they work, and where to read more. Built for victims, lawyers, and accountants who need to put the right name on what happened.

Pig butchering

A long-con investment scam, usually started through a dating app, social-media DM, or a “wrong number” text.

The scammer builds trust over weeks or months, then steers the victim onto a fake crypto trading or “high-yield” platform that shows fabricated profits. Withdrawals work for small amounts to build confidence, then stop. By the time the victim tries to pull the money out, the platform is gone and the deposits have been routed through a chain of wallets to an exchange off-ramp.

Rug pull

Token or project creators drain the liquidity pool and disappear, leaving holders with worthless tokens.

Most common in newly launched DeFi tokens. A small founding team controls the liquidity pool or has a hidden mint function in the contract; once enough buyers are in, they pull the underlying liquidity or mint a flood of new supply and dump it. On-chain, you typically see a sudden, large transfer from the pool to a fresh wallet, followed by rapid bridging or exchange deposits.

Romance scam

A relationship — usually online and long-distance — is used to extract money or crypto, often by funneling the victim into a fake investment.

Largely overlaps with pig butchering: the “relationship” is the trust vehicle, the fake investment platform is the extraction mechanism. Pure romance scams (gifts, “emergency” wires, never invested) are typically wire-transfer fraud, but increasingly the ask moves to USDT or BTC because the payment is irreversible and harder to trace through traditional channels.

Wallet drainer

A malicious smart contract or signed message that empties a wallet in a single transaction after the user is tricked into approving it.

Sold as off-the-shelf kits to scammer affiliates (Inferno, Pink, MS, Angel). The victim visits a fake mint page, airdrop site, or DeFi front end, connects their wallet, and signs what looks like a routine approval — but the call grants the drainer contract permission to move tokens or NFTs. The drain happens immediately, with proceeds split between the kit operator and the affiliate.

Approval phishing

A scam that gets you to sign an ERC-20 (or similar) approval letting an attacker spend your tokens without further interaction.

Different from a one-shot drainer in that the malicious approval can sit dormant. The attacker waits, sometimes weeks, then sweeps the tokens when balances are high or gas is low. Mitigation: periodically revoke unused approvals (revoke.cash, Etherscan token approval tools) and screen any wallet you’re about to interact with.
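The "routine approval" described under Wallet drainer and Approval phishing can be read before it is signed. The sketch below is an added example, not WalletDNA's code: it decodes the two standard approval calls and reports what they grant. The function names, warning labels, and sample calldata are constructed for illustration.

```python
# Added example: inspect approval calldata before signing it.
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), NFTs
MAX_UINT256 = 2**256 - 1


def decode_approval(calldata_hex):
    """Return a dict describing an approval call, or None if it is not one."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:      # selector + two 32-byte arguments
        return None
    selector, arg1, arg2 = data[:8], data[8:72], data[72:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    if arg1[:24] != "0" * 24:         # an address is left-padded to 32 bytes
        return None
    spender, value = "0x" + arg1[24:], int(arg2, 16)
    if selector == APPROVE:
        return {"kind": "erc20_approve", "spender": spender,
                "amount": value, "unlimited": value == MAX_UINT256}
    return {"kind": "set_approval_for_all", "spender": spender,
            "approved": value == 1}


def review(calldata_hex, trusted_spenders):
    """List the reasons this approval deserves a second look."""
    call = decode_approval(calldata_hex)
    if call is None:
        return []                     # not an approval call at all
    warnings = []
    if call["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append("unknown_spender")
    if call.get("unlimited"):
        warnings.append("unlimited_allowance")
    if call["kind"] == "set_approval_for_all" and call["approved"]:
        warnings.append("whole_collection_access")
    return warnings


# Constructed sample data (not real addresses or transactions).
SPENDER = "0x" + "ab" * 20
PAD = "00" * 12
UNLIMITED_APPROVE = "0x" + APPROVE + PAD + "ab" * 20 + "ff" * 32
NFT_APPROVE_ALL = "0x" + SET_APPROVAL_FOR_ALL + PAD + "ab" * 20 + "00" * 31 + "01"
SMALL_APPROVE = "0x" + APPROVE + PAD + "ab" * 20 + format(1000, "064x")

if __name__ == "__main__":
    print(review(UNLIMITED_APPROVE, trusted_spenders=[]))
```

An approval that is both unlimited and granted to a spender you do not recognise matches the pattern both entries describe.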

Address poisoning

An attacker sends a tiny transaction from a vanity address that visually resembles your own deposit address, hoping you copy-paste it from history.

The attacker generates an address with the same first and last few characters as one you regularly send to. Their wallet then sends you a 0-value or 1-wei “transaction” so it appears in your address book. Next time you copy from history without checking the full string, the funds go to the lookalike. Always verify the full address — not just the bookends.
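The bookend match described above can be checked mechanically. This added example (not WalletDNA's code) scans a transaction history for zero-value or dust transfers whose sender shares the first and last characters of an address you already use but differs in the middle. The record layout, function names, and all addresses are constructed for illustration.

```python
# Added example: spot address-poisoning entries in a transaction history.

def lookalike_of(candidate, known_addresses, edge=4):
    """Return the known address that `candidate` imitates, or None.

    A lookalike shares the first and last `edge` hex characters with a
    known address but is not that address.
    """
    cand = candidate.lower()
    known = [k.lower() for k in known_addresses]
    if cand in known:
        return None                       # exact match: the genuine address
    body = cand[2:]                       # drop the "0x" prefix
    for k in known:
        kb = k[2:]
        if body[:edge] == kb[:edge] and body[-edge:] == kb[-edge:]:
            return k
    return None


def find_poisoning(history, known_addresses, dust_wei=1, edge=4):
    """Flag zero-value or dust transfers sent from lookalike addresses."""
    hits = []
    for tx in history:
        if tx["value_wei"] > dust_wei:
            continue
        target = lookalike_of(tx["from"], known_addresses, edge)
        if target is not None:
            hits.append({"hash": tx["hash"], "from": tx["from"],
                         "imitates": target})
    return hits


# Constructed sample data (not real addresses or transactions).
EXCHANGE_DEPOSIT = "0x1a2b" + "c" * 32 + "9f8e"   # address you send to
LOOKALIKE = "0x1a2b" + "d" * 32 + "9f8e"          # same bookends only
UNRELATED = "0x7777" + "e" * 32 + "0000"

HISTORY = [
    {"hash": "constructed-tx-1", "from": EXCHANGE_DEPOSIT, "value_wei": 0},
    {"hash": "constructed-tx-2", "from": LOOKALIKE, "value_wei": 0},
    {"hash": "constructed-tx-3", "from": UNRELATED, "value_wei": 1},
    {"hash": "constructed-tx-4", "from": LOOKALIKE, "value_wei": 5 * 10**18},
]

if __name__ == "__main__":
    for hit in find_poisoning(HISTORY, [EXCHANGE_DEPOSIT]):
        print(hit)
```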

Fake recovery service

A scammer poses as a “crypto recovery expert” who promises to get a victim’s stolen funds back — for an upfront fee that is itself the scam.

Particularly cruel because it targets people already in distress. Real on-chain investigation can sometimes trace where funds went and identify exchange off-ramps that may freeze them through legal process — but no one can “hack the blockchain” to return stolen crypto. Pay-to-recover offers, KYC fees on “unlocked” funds, and demands for wallet seed phrases are all variants of this.

SIM swap

An attacker convinces a mobile carrier to port your phone number to their SIM, then uses it to reset exchange and email passwords.

Not strictly a crypto-protocol attack, but devastating against centralized exchange accounts and any wallet relying on SMS-based 2FA. The fix is structural: move 2FA off SMS to a hardware key or authenticator app, and assume your carrier’s account-recovery process is the weakest link in your stack.

Sanctioned wallet

An address listed on OFAC, EU, UK, or UN sanctions lists — interacting with one can create direct legal exposure.

Includes wallets tied to designated mixers (Tornado Cash, Sinbad), DPRK-linked clusters (Lazarus), ransomware operators, and sanctioned states or individuals. Compliance teams screen every address against these lists at onboarding and on each significant flow. WalletDNA flags hits inline on every report.

Mixer / tumbler

A service that pools many users’ crypto together and pays out from the pool, breaking the on-chain link between source and destination.

Some mixers (Tornado Cash) are sanctioned in the US; others (Wasabi-style CoinJoin, Whirlpool) are protocol-level privacy tools. Either way, funds passing through a mixer are typically treated as elevated AML risk by exchanges, and many exchanges will freeze deposits with recent mixer exposure pending source-of-funds documentation.

Honeypot token

A token contract designed so anyone can buy it, but no one except the deployer can sell.

The contract includes a sell restriction — sometimes obvious, often hidden in proxy upgrades or fee logic. Price charts look great because there are no sellers. Victims discover the problem only when they try to take profit. Always check sell-tax and transfer restrictions on a low-cap token before buying.

ICO / token launch fraud

Funds raised in a token sale never go to the promised product; the team disappears or quietly redirects the proceeds.

Distinct from rug pulls in that the deception happens before launch rather than after liquidity is added. The on-chain pattern is similar: raised funds get bridged, mixed, or sent through chained wallets to centralized exchange deposits. Investigation typically focuses on identifying the exchange off-ramps where KYC was performed.

Exchange exit scam

A centralized exchange suspends withdrawals, blames technical issues, and disappears with customer deposits.

Classic pattern from QuadrigaCX, FTX-adjacent operators, and a long tail of regional exchanges. Withdrawals slow, then halt; support stops responding; the team becomes uncontactable. On-chain, you typically see large outflows from hot wallets to fresh addresses and bridges shortly before the public announcement. Hold balances on reputable, audited exchanges or in self-custody.

Dusting attack

An attacker sends a trivial amount of crypto to many addresses in order to track or de-anonymize them.

Often a precursor to phishing campaigns — once the attacker maps clusters of addresses controlled by the same user, they can target the highest-value identity. Dust transactions are usually harmless on their own, but they’re a useful signal that the receiving wallet has been profiled. Do not interact with unknown dust deposits.

Got a wallet involved in one of these?

Run it through WalletDNA — risk score, entity attribution, and a documented report in under 60 seconds.
