Bitcoin Safety Against Scams and Hacks
Bitcoin has never been hacked. The protocol has run since January 3, 2009 without a single successful attack. Every wallet drain you have read about traces back to a human or an organization holding keys badly, not to a flaw in Bitcoin.
The losses are still enormous. Chainalysis pegs 2025 at roughly USD 17 billion in scam losses and USD 3.4 billion in hack losses (2026 Crypto Crime Report; Chainalysis 2026 Scams). I work in the crypto self-custody space and I will tell you the victims are rarely the people you imagine. Most are professionals, engineers, founders, family-office staff. They lose money because somebody built a deception precise enough to bypass the one defense Bitcoin cannot harden: a person making a decision under pressure.
If you understand how the attacks work, you stop most of them before they start.
Wallet Drainer Scams
A wallet drainer is a website that gets you to sign a PSBT (Partially Signed Bitcoin Transaction) that moves your coins to the attacker.
The mechanics are dull and effective. The attacker clones an Ordinals marketplace, an NFT page, or an airdrop claim site. You click "list," "claim," or "verify." The signing prompt looks routine. You approve it without reading the outputs. The PSBT broadcasts and your UTXOs land in the attacker's wallet, sometimes in the same block.
This wave hit hard during the Ordinals and inscription mania of 2023 and 2024. The lure spread through Twitter, Discord, and Telegram, usually pinned to a fake airdrop.
Watch for sites that ask you to connect a wallet for something you never went looking for. Watch for "free token" claims. Anything that requests your seed phrase is a scam by definition. Any prompt asking for unusually broad spending permission is a scam in slow motion.
The habit that ends this category for you: never sign a transaction you cannot read. If the prompt does not tell you exactly which outputs go where, reject it and close the tab.
Phishing Attacks
Phishing means you hand over credentials, seed phrase, or a 2FA code to something the attacker controls.
At the high end it is invisible. You get an email that looks like it came from your exchange. Sender address looks correct. Formatting looks corporate. The link drops you on a login page that mirrors the real one pixel for pixel. The URL is one character off, something like kraken-security.com instead of kraken.com. You log in. The attacker forwards your credentials to the real site in real time and starts a withdrawal before your coffee cools.
At the low end it is a Telegram DM claiming your account is at risk and asking you to verify your seed phrase right now.
Both work. Sophisticated phishing catches careful people often enough that "I would never fall for it" is not a defense.
What actually stops phishing: type the exchange URL yourself and bookmark it. Never click a login link from an email or message. For any account holding real money, use a hardware security key like a YubiKey for 2FA. A YubiKey only signs against the legitimate domain, which makes it the one form of 2FA phishing cannot bypass.
Fake Wallet Apps and Websites
In 2023 researchers pulled multiple fake Ledger and Trezor apps out of major app stores after they had already collected hundreds, sometimes thousands, of downloads. Every fake worked the same way. Polished interface, "setup" flow, and a screen asking for your seed phrase. Users who typed in a real seed lost the coins within minutes.
The same playbook runs through fake websites. Something like ledger-live-app.io or trezor-wallet.net (neither exists, please do not search for them) buys Google ads, ranks above the real product, and harvests seed phrases.
The rule is short. Download wallet software only from the manufacturer's domain. Ledger lives at ledger.com. Trezor lives at trezor.io. Open-source wallets live in their official GitHub repository. Type the URL by hand. Do not search for it. Search ads have been weaponized often enough that you treat the first result like a stranger offering candy.
If a wallet app asks for your seed phrase during the first-time setup of what should be a fresh device, stop. A new wallet generates a seed. It never asks you to bring one.
Telegram and Social Media Scams
Bitcoin chats on Telegram, Discord, Reddit, and Twitter run on a small set of recycled scams.
Fake admins. Somebody copies an admin's avatar and username, then DMs you offering "support." A real project admin will not DM you about money first.
Fake investment groups. A "read-only" channel posts screenshots of huge profits from a mystery trading platform, then invites you in. The dashboard shows gains that never existed. When you try to withdraw, you hit a "tax payment" wall that does not lift.
Giveaway scams. "Send 0.01 BTC, receive 0.05 BTC back." This has never once been real.
Fake exchange migration. "Your exchange is migrating. Verify your wallet now." The link lands on a phishing page.
The common thread is urgency plus unsolicited contact plus an ask that needs your credentials or your coins first.
Impersonation Scams
In 2024 and 2025 phone-based impersonation went mainstream against crypto holders in Europe and North America. The caller poses as an exchange compliance officer, a regulator, a lawyer. The script always names a problem only you can solve, and only right now. Your account is flagged. Your funds will be seized. A court order is being prepared.
Then comes the ask. Move your coins to a "secure wallet" the caller provides. Read out a code they just texted you (that code is a password reset). Pay a "compliance fee" or lose your account.
No exchange, no regulator, no law enforcement agency calls you and asks you to move funds or share an authentication code. Hang up. Open the exchange yourself through a bookmark and check from there.
Malicious Browser Extensions
Browser extensions for crypto wallets are an attack surface most people underrate. Researchers have pulled fake MetaMask, Phantom, and hardware-wallet companion extensions out of the Chrome and Firefox stores more than once. Some steal the seed phrase directly. Others sit quietly and rewrite addresses on the page when you copy them.
Even legitimate extensions get hijacked. In July 2018 the Hola VPN Chrome extension was compromised and started redirecting MyEtherWallet users to a phishing site (BleepingComputer, July 2018). Google removed it in September 2021. Since then researchers keep finding crypto extensions in the Chrome Web Store that swap addresses or read clipboards, and Google keeps removing them on report.
What works: install extensions only from a link on the product's official site. Keep your extension count near zero. For hardware-wallet companion software like Ledger Live or Trezor Suite, run the desktop app, not a browser extension, whenever you have the choice.
Review the extensions you have every few months. Remove anything you do not use this week. Treat surprise update prompts inside the browser with the same suspicion you would give a stranger handing you a USB stick.
Social Engineering and Pig Butchering
"Pig butchering" is the name for one of the most expensive scam patterns of the last few years. The FBI and Interpol have warned about it repeatedly. Global losses run into the billions.
The operation usually starts in Southeast Asia. The scammer contacts you through a dating app, a LinkedIn message, or a "wrong number" text. They build a real-feeling relationship over weeks. The crypto investment topic enters casually, maybe through a story about returns they made on some platform. Then they offer to help you set up an account.
The platform is theirs. The dashboard shows fabricated gains. They will let your first small withdrawal succeed because that one withdrawal sells the rest. As your balance grows, you try to pull a bigger amount and run into a "tax liability" or "compliance fee." Pay it and a second fee appears. Stop paying and the operator vanishes with everything still in the account.
It works because it is slow. The relationship feels real. The dashboard looks like Coinbase. There is no single obvious lie, only an accumulation.
Signs you are inside one: an investment platform introduced by someone you met online and have never met in person, guaranteed or unusually high returns, withdrawals gated behind new fees, pressure to recruit others, vagueness about who runs the platform or where it is licensed.
If any of that fits, stop sending money today. Run the platform name against the FINMA warning list in Switzerland and the FCA ScamSmart list in the UK. Both are public and searchable.
Clipboard Hijackers
This one is technically trivial and underrated. Malware lands on your computer through a cracked download, a malicious email attachment, or a poisoned installer. It watches your clipboard in silence. The moment it sees a Bitcoin address get copied, it replaces it with the attacker's address.
You paste into your wallet, glance at the first four characters, confirm, and send your coins to a stranger. No popup. No error. The malware never speaks to you.
The fix lives in the verification step. Compare the pasted address against the source character by character before you confirm. On large sends, check a chunk in the middle, not just the ends. Keep the operating system patched. A hardware wallet that displays the full address on its own screen makes this comparison much easier and skips the compromised host entirely.
AI Deepfake Scams
In 2025 and 2026 AI deepfakes became the dominant scam vector in crypto. Chainalysis reports impersonation scams up roughly 1,400% year over year and AI-enabled operations pulling 4.5 times more revenue per campaign than the non-AI version (Chainalysis 2026 Scams). Attackers use cheap voice-cloning and video-synthesis tools to put Elon Musk, Michael Saylor, or your local TV finance personality on a fake livestream that holds up under casual inspection.
The format you see most often is a YouTube livestream of a familiar face announcing a "limited-time Bitcoin matching" giveaway. Send 0.1 BTC to this address, receive 0.2 BTC back. The streams run on compromised channels with hundreds of thousands of real subscribers, with fabricated viewer counts on top to project momentum. Millions of dollars walked into this in 2025.
A nastier variant skips the livestream and uses voice cloning on the phone. The caller sounds like your advisor, your CEO, a family member. They create urgency around moving money in the next hour. Some of these calls now pull from the target's own podcast audio.
How to defuse this. Check the URL of any livestream against the creator's verified channel. A real Saylor or Musk channel does not suddenly host a giveaway. Verify any surprise message through a separate channel you start yourself: a fresh phone call to a known number, a face-to-face check, a Signal message you initiate. No legitimate person, company, or platform has ever run a "send Bitcoin, get double back" promotion. In any form, from any source, that pitch is a scam.
Address Poisoning
Address poisoning exploits a habit most people do not realize they have: copying an address out of their transaction history.
The attacker sends you a dust transaction from an address whose first four and last four characters match one of yours. The middle is different, but the middle is the part nobody checks. Later you go to send funds, scan your history for the destination, copy the look-alike, and broadcast without comparing.
This style took off in 2024 on chains with frequent address reuse and visible histories.
The prevention is one rule. Never copy a destination address out of your transaction history. Pull it from the recipient's receive screen or your own saved address book, then compare the full string before you sign. A hardware wallet that shows the full address on-device makes the comparison faster and removes any compromised clipboard from the loop.
Practical Safety Checklist
Most documented Bitcoin thefts would not have happened if the holder had followed even a few of these:
Keep long-term funds on a hardware wallet so the private key never touches an online machine.
Write the seed on paper or metal. Keep two copies in separate physical locations. Never photograph it, type it into a cloud note, or store it in a password manager.
Use a unique strong password for every exchange and crypto service. A password manager handles this for you.
Use app-based 2FA like Authy or Google Authenticator instead of SMS. For accounts that hold real money, use a hardware security key.
Type exchange and wallet URLs yourself, or use saved bookmarks. Never click a login link from an email, a message, or a search ad.
Verify the download link for any wallet app or extension on the official site before installing.
Remove browser extensions you do not actively use.
Before sending a large amount to a new address, send a small test first and confirm it arrived.
When something feels off about a transaction, a request, or a message, stop and verify through a channel you control.
Risk Note
Bitcoin payments are final. A thief who moves your coins never meets a fraud department, a chargeback, or an insurance policy. Security sits with you. The good news is that consistent application of the basics kills most of the attacks documented in the last decade.
Reader Takeaway
- No legitimate service ever asks for your seed phrase. Not setup, not recovery, not support.
- Verify every URL, every app, every extension against the official source before you trust it.
- Urgency is a manipulation tool. The moment somebody pressures you to act now, slow down.
- Most attacks exploit human behavior, not code. Healthy skepticism does more for your security than any product you can buy.
Chapter Summary
- Wallet drainer scams get you to sign a transaction that hands over your coins. Never sign a prompt you cannot read end to end.
- Phishing captures your credentials through fake sites that mirror the real ones. Type URLs yourself and use a hardware security key for 2FA.
- Fake wallet apps and extensions are everywhere. Download only from the manufacturer's domain.
- Pig butchering builds trust over weeks before it extracts money. Any investment platform introduced by someone you met online deserves no benefit of the doubt.
- Clipboard hijackers swap copied Bitcoin addresses silently. Verify the full address after pasting, not just the first and last characters.
- A hardware wallet, a properly stored seed phrase, and disciplined URL checking shut down the vast majority of known attack methods.
References
- FBI Internet Crime Complaint Center (IC3): Annual Crypto Fraud Reports 2023 to 2025
- Chainalysis Crypto Crime Report 2024, 2025, and the 2026 update covering 2025 calendar-year data
- FINMA warning list for unauthorized financial services
- FCA ScamSmart: unauthorized firm warnings
- Public alerts from FBI, state regulators, Europol, and cybersecurity firms on wallet drainers, phishing, fake apps, and pig butchering
This content is educational and does not constitute financial advice.