Safety First – Scams, Hacks and Common Mistakes
In 2023 and 2024, losses to crypto scams and hacks topped USD 5 billion per year across documented cases, according to reports from Chainalysis and the FBI. The victims were not naive or uneducated. Many were professionals, technologists, and experienced investors. They were targeted through precisely crafted deception that exploited the one vulnerability no code can fix: human judgment under pressure.
Bitcoin itself has never been hacked. The blockchain has run continuously since January 3, 2009, without a single successful attack on the protocol. Every major loss you have read about — from exchange collapses to stolen wallets — was a failure of the humans or organizations managing the keys, not of Bitcoin itself.
Understanding how these attacks work is the most practical security measure you can take.
Wallet Drainer Scams
A wallet drainer is a malicious smart contract or script that, when you connect your Bitcoin wallet to it and sign a prompt, gains permission to transfer your coins out of your wallet.
The mechanism is deceptively simple. You see a site offering a free airdrop, an exclusive NFT drop, early access to a new protocol, or some other reward that requires connecting your wallet. You connect. The transaction prompt appears. It looks routine. You sign it without reading the details. The malicious contract executes and your funds are gone — often within the same block.
This type of attack surged during the Ordinals and token inscription waves on Bitcoin in 2023 and 2024. Fake airdrop sites mimicking legitimate Bitcoin NFT marketplaces were widely distributed via Twitter, Discord, and Telegram.
Red flags: any site asking you to connect your wallet for something you did not specifically seek out; "free token" claims; any page requesting your seed phrase; any prompt that asks for unusually broad spending permissions.
Habit that stops this cold: never sign a transaction you do not fully understand. If the prompt does not clearly state exactly what it will do and you are not certain, reject it and close the tab.
Phishing Attacks
Phishing in the Bitcoin context means convincing you to submit your credentials, seed phrase, or two-factor authentication code to a website or service controlled by the attacker.
The execution ranges from sophisticated to crude. At the sophisticated end: you receive an email from what appears to be your exchange, with a legitimate-looking sender address, professional formatting, and a link to a login page that looks pixel-perfect identical to the real site. The URL is one character off — perhaps "kraken-security.com" instead of "kraken.com." You log in. The attacker captures your credentials in real time and simultaneously logs into the real site using your username and password. Within minutes they have initiated a withdrawal.
At the crude end: a Telegram DM claiming your account is at risk and you must verify your seed phrase immediately.
Both versions work. The success rate of sophisticated phishing is high enough that even technically aware people get caught.
What stops phishing: type exchange URLs directly into your browser and bookmark them. Never click login links from emails or messages. Use a hardware security key (such as a YubiKey) for two-factor authentication on high-value accounts — this is the only form of 2FA that is resistant to phishing, because the key only responds to the legitimate domain.
Fake Wallet Apps and Websites
In 2023, security researchers found multiple fake Ledger and Trezor wallet applications in major app stores, accumulating thousands of downloads before being removed. These apps appeared legitimate, showed professional interfaces, and immediately prompted users for their seed phrase during "setup." Users who entered their real seed phrase had their coins drained within minutes.
The same attack runs through fake websites. A domain like "ledger-live-app.io" or "trezor-wallet.net" (neither is real; do not search for them) captures seed phrases from users who found it through search ads.
The defense is simple and non-negotiable: only download wallet software from the official manufacturer's website. For Ledger, that is ledger.com. For Trezor, trezor.io. For any open-source wallet, the official GitHub repository. Type the URL directly. Do not search for it — search ads have been abused to serve fake wallet sites above legitimate results.
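The lookalike-domain problem described in the phishing section and in this one can also be checked mechanically. The following is an added example, not part of the original chapter: it classifies a link by its parsed hostname against a short allowlist. The function name, the allowlist contents, the 0.85 similarity threshold and the sample "krakem.com" are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Official domains named in this chapter; extend with the services you use.
OFFICIAL = ("kraken.com", "ledger.com", "trezor.io")

def classify_link(url, official=OFFICIAL):
    """Return 'official', 'lookalike', 'insecure' or 'unknown' for a link."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "insecure"  # plain http or no scheme: do not log in
    # Judge the parsed hostname, never a substring search over the whole URL.
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")  # non-ASCII becomes xn--
    except UnicodeError:
        return "lookalike"
    # Official: exact match, or a subdomain of an official domain.
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    # The official names are plain ASCII, so a punycode label is suspect.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for d in official:
        brand = d.split(".")[0]
        if brand in host:  # brand embedded in another domain
            return "lookalike"
        # Near miss of the whole domain, such as one changed character.
        if SequenceMatcher(None, host, d).ratio() >= 0.85:
            return "lookalike"
    return "unknown"

# Sample links: the lookalikes are the ones quoted in this chapter, plus one
# constructed single-character variant (krakem.com).
SAMPLES = [
    "https://kraken.com/login",
    "https://www.ledger.com/",
    "https://kraken-security.com/login",
    "https://ledger-live-app.io/",
    "https://trezor-wallet.net/",
    "https://krakem.com/",
    "http://trezor.io/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

An "unknown" verdict is not a pass: it only means the host resembles nothing on the allowlist.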
If a wallet app asks for your seed phrase during the initial setup of what is supposed to be a new device, stop. A legitimate wallet only asks for a seed phrase during recovery. Setting up a new wallet generates a new seed phrase — it never asks you to provide an existing one first.
Telegram and Social Media Scams
Bitcoin communities on Telegram, Discord, Reddit, and Twitter are heavily targeted by impersonators and fake accounts running a predictable set of schemes.
The most common variations:
Fake admins. Someone with a username nearly identical to a real admin of a crypto project messages you privately offering help, special access, or a fix for a problem. Legitimate admins of any reputable project never initiate private messages about financial matters.
Fake investment groups. A "read-only" channel posts screenshots of enormous profits from a mysterious trading platform. An invitation to join follows. The platform shows fabricated gains. Withdrawals are blocked or require "tax payments" to release funds.
Giveaway scams. "Send 0.01 BTC to receive 0.05 BTC back." These run on autopilot through automated accounts and have never once been legitimate in the history of Bitcoin.
Fake exchange migration. "Your exchange is migrating accounts. Verify your wallet immediately." Links to a phishing site.
The common thread: urgency, unsolicited contact, and an offer that requires you to either share sensitive information or send funds first.
Impersonation Scams
In 2024 and 2025, a pattern of phone-based impersonation scams targeting crypto holders became widespread across Europe and North America. Callers pose as exchange compliance officers, government officials, or lawyers. They tell you your account has been flagged for suspicious activity, your funds are at risk of being seized, or there is an urgent legal matter requiring immediate action.
The ask: move your funds to a "secure wallet" they provide, verify your identity by sharing a code they send you (actually a password reset code), or pay a "compliance fee" to avoid account termination.
No legitimate exchange, regulator, or law enforcement agency will call you and ask you to move funds or share authentication codes. If you receive such a call, hang up and contact your exchange directly through their official website.
Malicious Browser Extensions
Browser extensions for crypto wallets are a significant attack surface. Multiple fake MetaMask, Phantom, and hardware wallet companion extensions have been identified in Chrome and Firefox extension stores. These extensions either directly steal seed phrases or monitor clipboard and page content to intercept transactions.
Even legitimate-looking extensions can be compromised. In 2022, the Hola VPN extension was found to inject malicious code. In 2023, several popular crypto extensions in the Chrome Web Store were found to contain address-swapping code.
What stops this: install only extensions linked directly from the official product website. Keep the number of browser extensions to an absolute minimum. For hardware wallet companion software (like Ledger Live or Trezor Suite), use the desktop application rather than a browser extension where possible.
Regularly review your installed extensions. Remove anything you do not actively use. Be skeptical of extension update prompts that appear in the browser — always verify through official channels.
Social Engineering and Pig Butchering
"Pig butchering" is the name given to one of the most damaging Bitcoin scam patterns of recent years. The FBI and Interpol have both issued repeated warnings. Losses run into billions of dollars globally.
The operation: a scammer — often part of a large organized group operating from Southeast Asia — makes contact through a dating app, LinkedIn, or a seemingly accidental wrong-number text message. They build a relationship over days or weeks. Gradually, they introduce the subject of crypto investments, perhaps mentioning returns they have made on a particular platform. They offer to guide you through setting up an account.
The platform — built by the scam operation — shows fabricated profits. Initial small withdrawals may succeed, which builds trust and encourages larger deposits. When the victim attempts a significant withdrawal, they are told there is a tax liability, a fee, a compliance issue. These charges are themselves fraudulent. Once the victim stops paying, contact ends and the platform disappears.
This attack is effective precisely because it is slow. The relationship feels real. The platform looks professional. There is no single moment of obvious fraud — the deception accumulates.
Red flags: any investment platform introduced by someone you met online and have not met in person; guaranteed or very high stated returns; inability to withdraw funds without paying additional fees; pressure to recruit others; secrecy around the platform's name or regulatory status.
If someone has directed you to an investment platform and you have concerns, stop. Check the platform's name against warnings from FINMA (Switzerland's financial regulator) and the FCA (UK), both of which maintain publicly searchable warning lists.
Clipboard Hijackers
This is a technically simple but underappreciated attack. Malware installs itself on your computer — often via a pirated software download or a malicious email attachment — and silently monitors your clipboard. When it detects a Bitcoin address being copied, it replaces it with an address controlled by the attacker.
You copy an address to send funds, paste it into your wallet, and confirm — sending your funds directly to the attacker. The malware does nothing else. It generates no pop-ups, no error messages, no obvious signs.
The defense: always compare the pasted address character by character against the source before confirming any transaction. If you are sending a large amount, verify more than just the first and last few characters — verify a middle section as well. Keeping your operating system and security software updated reduces exposure to the malware itself.
Practical Safety Checklist
Apply these habits consistently. Most documented Bitcoin thefts would have been prevented by one or more of the following:
Keep long-term funds in a hardware wallet. The private key never touches an internet-connected device.
Write your seed phrase on paper or metal. Store two copies in separate physical locations. Never photograph or type it digitally.
Use a unique, strong password for every exchange and crypto service account. A password manager helps.
Use app-based two-factor authentication (Authy or Google Authenticator) rather than SMS. For critical accounts, a hardware security key is stronger still.
Type exchange and wallet URLs directly into your browser or use saved bookmarks. Never click login links from emails, messages, or search ads.
Before installing any wallet app or extension, verify the download link directly on the official website.
Remove browser extensions you do not actively need.
Before sending any large amount to a new address, send a small test transaction first and confirm it arrives.
When in doubt about any transaction, request, or message, stop and verify through an independent channel before acting.
Risk Note
Bitcoin payments are final. A thief who moves your coins encounters no reversal mechanism, no fraud department, and no insurance. The responsibility for security rests entirely with you. The good news: consistent application of basic security habits eliminates the majority of known attack vectors.
Reader Takeaway
- No legitimate service will ever ask for your seed phrase. Ever. Full stop.
- Verify every URL, every app, every extension against the official source before trusting it.
- Urgency is a manipulation tool. Slow down, especially when someone is pushing you to act fast.
- Most successful attacks exploit human behavior, not technical vulnerabilities. Skepticism is your best protection.
Chapter Summary
- Wallet drainer scams trick you into signing a transaction that authorizes fund transfers. Never sign prompts you do not fully understand.
- Phishing attacks capture your credentials through fake websites that look identical to real ones. Always type URLs directly; use a hardware key for 2FA.
- Fake wallet apps and extensions are widespread. Only download from official sources linked from the manufacturer's own website.
- Social engineering (including pig butchering) builds artificial trust over days or weeks before extracting money. Any investment platform introduced by someone you met online deserves extreme skepticism.
- Clipboard hijackers silently replace copied Bitcoin addresses. Always verify the full address after pasting.
- Consistent use of a hardware wallet, secure seed phrase storage, and vigilant URL checking stops the vast majority of known attack methods.
References
- FBI Internet Crime Complaint Center (IC3): Annual Crypto Fraud Reports 2023–2025
- Chainalysis Crypto Crime Report 2024 and 2025
- FINMA warning list for unauthorized financial services
- FCA ScamSmart: unauthorized firm warnings
- Public alerts from FBI, state regulators, Europol, and cybersecurity firms on wallet drainers, phishing, fake apps, and pig butchering