Trading · January 17, 2024

6 crypto scams to avoid in 2024

Jack Filiba

Crypto is notorious for scammers, and the techniques they use to steal your tokens become more sophisticated as crypto adoption increases. Avoid losing funds to crypto scams with these top tips.

Crypto scams are an ongoing threat in the current landscape. Even in the early stages of 2024, it is already clear that crypto scams will continue to be a prevalent risk for everyday users.

Last year, crypto users lost around $2 billion USD in scams, hacks, and rug pulls.

To safely navigate web3, you need to take security into your own hands. This guide covers the key threats and helps you find the tools you need to avoid becoming a part of 2024’s scam statistics.

1. Fake airdrops

One of the most widespread methods of stealing from crypto holders right now is through fake airdrops. 

Airdrops are a way of distributing new tokens to users, often as a reward and/or to further decentralize a network. Since airdrops mean being able to get free tokens, they can be an effective marketing tool for teams and a way for users to get their hands on an asset that could appreciate in value.

Unfortunately, a popular type of crypto scam involves exploiting the success of some airdrops in order to cloud users’ judgment and trick them into interacting with a malicious URL. 

The most common way this scam works is incredibly simple: bad actors create an airdrop token whose name is a URL. The aim is to pique interest and trick unsuspecting users into visiting, and interacting with, a malicious website.

A more sophisticated variation of this scam works by sending ‘free’ tokens to thousands of wallet addresses. When the recipients try to sell the new coins that they find in their wallet, they inevitably run into a hurdle that stops them from doing so.

Phishing link embedded in a block explorer lookup
In this example, a phishing site address is embedded into the error message.

These users may then be tempted to investigate the problem through a block explorer. Here, an ‘error’ contained within the block tells the user that they need to first activate or claim their tokens in order to proceed. 

This scam is common with both cryptocurrencies and NFTs, as NFT holders are often airdropped vouchers that supposedly allow them to claim a stablecoin or emerging token.

Scam airdrop NFT tokens in a crypto wallet
Some crypto wallets will hide scam NFTs and transactions to help you stay safe.

In these cases, the site that you are being pointed to could steal your crypto in one of two ways. It will either attempt to infect your device with malware, or try to deceive you into entering sensitive information like your private key or recovery seed.

How to stay safe: Some crypto wallets, such as Zerion and Rabby, have features that allow you to preview a transaction and simulate its outcomes, notify you of malicious URLs, and/or filter out spam NFTs from your gallery.

2. Copycat cryptocurrencies

While imitation is often said to be the highest form of flattery, this is not the case for copies of existing cryptocurrencies.

A common scam involves creating scam cryptocurrencies that, from a distance, appear identical to an existing digital asset in order to deceive traders. They may even have the same ticker symbol and icon as real cryptocurrencies, making them difficult to differentiate through some wallet interfaces.

A search showing real USDC and scam tokens
Official USDC issued by Circle is labeled on Matcha to help you avoid scams and fakes.

The aim is for users to get confused and accidentally buy the wrong token. In some cases, these tokens can never be sold and can effectively be considered stolen.

If you are using Matcha, you can use the contract address shortcut above the trade module to see the block explorer and dive into contract details. This allows you to identify red flags which indicate that you are trying to trade a suspicious cryptocurrency.

Verifying suspicious crypto tokens using a block explorer shortcut
Use the contract address lookup to verify a token in Matcha. 

How to stay safe: Exercise caution when trading. It is important to always triple-check that you are buying the right digital asset. 

3. dApp permission exploits

In most cases, the first thing you need to do to access the features of a decentralized app is connect your wallet and approve the necessary permissions.

Rather than ask users to provide the same permissions over and over again, many dApps simply ask users to grant an unlimited token approval. This saves time and can cut back on transaction costs, but it also presents a significant security vulnerability.

When you give a smart contract the ability to spend an unlimited amount from your wallet, the dApp or someone who hacks it could take advantage and steal funds from your wallet once you let your guard down.

Revoke smart contract approval dashboard
Using a tool like Revoke you can review and cancel contract approvals.

This risk is not only present on untrustworthy platforms; even your permissions on trusted dApps could be putting your funds in danger. This is because hacks are incredibly common in the DeFi landscape. Any hacker that takes control of the dApp that you gave unlimited permissions to can easily steal the crypto in your connected wallet.

Just recently, the Socket cross-chain tooling platform was exploited, allowing the hackers to authorize payments from many wallets that had used Socket through other platforms and set unlimited approvals. Previously, the Ledger ConnectKit exploit saw a supply chain attack on a JavaScript library that temporarily compromised dozens of major dApps like SushiSwap and Revoke.cash. This latter incident accounted for approximately $600,000 USD worth of stolen assets, while the former is still being investigated.

How to stay safe: Avoid giving dApps unlimited token approval. If you have already granted this permission in the past, consider revoking ongoing permissions in your wallet before it’s too late. The safest way to do this is to go to each individual dApp that you have authorized and revoke permissions manually, or to use a service like revoke.cash.
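To make the approval risk above concrete, the following added example (not code from Matcha or any wallet) decodes the calldata of an ERC-20 approve(spender, amount) call and labels it before signing. The spender address, the amounts and the "top half of uint256 counts as unlimited" threshold are assumptions made for the illustration.

```javascript
// Added example: classify ERC-20 approve() calldata before it is signed.
const APPROVE_SELECTOR = "095ea7b3";   // selector of approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n; // the value dApps typically use for "unlimited"
// Assumption of this example: any allowance in the top half of the uint256
// range is treated as effectively unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

// Decode approve(spender, amount) calldata; returns null for any other call.
function decodeApprove(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  if (hex.length !== 8 + 64 + 64) throw new Error("malformed approve calldata");
  const spenderWord = hex.slice(8, 72);
  if (!spenderWord.startsWith("0".repeat(24))) throw new Error("bad address padding");
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72)),
  };
}

// Compare the requested allowance with what the user actually intends to spend.
function classifyApproval(calldata, intendedAmount) {
  const call = decodeApprove(calldata);
  if (call === null) return { kind: "not-approve" };
  let kind = "bounded";
  if (call.amount === 0n) kind = "revoke"; // approve(spender, 0) clears an allowance
  else if (call.amount >= UNLIMITED_THRESHOLD) kind = "unlimited";
  else if (call.amount > intendedAmount) kind = "excessive";
  return { kind, ...call };
}

// Helper that builds sample calldata for the demonstration below.
function buildApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR +
    spender.toLowerCase().replace(/^0x/, "").padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Constructed sample values, not taken from any real transaction.
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const INTENDED = 500n;
const SAMPLE_CALLS = {
  unlimited: buildApprove(SAMPLE_SPENDER, MAX_UINT256),
  exact: buildApprove(SAMPLE_SPENDER, 500n),
  tenTimes: buildApprove(SAMPLE_SPENDER, 5000n),
  revoke: buildApprove(SAMPLE_SPENDER, 0n),
};

for (const [name, data] of Object.entries(SAMPLE_CALLS)) {
  console.log(name, "->", classifyApproval(data, INTENDED).kind);
}
```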

4. Rug pulls

Rug pulls are one of the most prevalent types of scam in the crypto landscape for one key reason: they successfully prey on the innately-human fear of missing out.

These scams work by encouraging a large number — or a few particularly wealthy — users to buy coins associated with a crypto project, often on a decentralized exchange. This project may seem great from the outside, complete with a flashy website, community interest, and even a widespread marketing push involving paid endorsements from public figures.

Under the hood, however, these projects are really just a front that allows scammers to run off with everyone else’s coins. While there are honest actors in this space, there are also many projects that have no real intention of ever delivering on their promises to holders.

Rug pulls also work by encouraging a large number of people to buy a token, only to disable the ability to sell so that no one other than the project’s founders can ever sell their coins.

Importantly, even projects that start with good intentions can turn into rug pulls. This can happen when people with a significant stake in the project—be it the project’s founders, whales, or influencers with a significant token allocation—notice an opportunity to keep the value locked in a network for themselves.

How to stay safe: Never let pressure cloud your judgment when it comes to buying crypto. Rather than race to get your hands on a coin, the safer option involves taking your time to research the coin’s fundamentals, its reputation, its token allocations to influencers, and its developers.

5. Phishing scams and fake exchanges

With the prevalence of deep fakes and other forms of digital impersonation, phishing has become one of the most common crypto scams in the landscape today.

Virtually anyone who has used the internet for more than a few minutes has probably seen a deceptive advert, fake endorsement, or email that tries to impersonate a legitimate brand or celebrity.

The trick here is simple: scammers want you to think you are interacting with a platform, team or wealthy influencer, in order to deceive you into approving a wallet connection, sharing your seed phrase, or sending money to someone who will never return your funds.

This scam has become so widespread that MicroStrategy’s co-founder and chairman, Michael Saylor, recently warned the community that his team has to constantly work to remove fraudulent videos from YouTube. 

Deepfake AI video screenshot featuring Michael Saylor
A scam video impersonating Michael Saylor using AI recently surfaced on YouTube.

These videos use deep fake AI technology to impersonate Saylor’s appearance and voice, promoting a scam that offers to “double” your bitcoin if you scan the QR code or visit a specific website.

In the crypto landscape, you also have to look out for fake exchanges. These are shady websites that impersonate a legitimate crypto trading platform. Behind the scenes, they are trying to trick you into entering your credentials so that they can steal your funds from the exchange that you actually intended to use.

How to stay safe: Make sure to always triple-check the URL and security certificate to identify common spoofing practices. These include replacing letters with numbers, repeating characters, and registering brand names on foreign domain extensions.

In addition, you should never give sensitive information like your private key or your recovery seed to anyone.
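The three spoofing practices listed above can be checked mechanically. This added example (not part of the original article) compares a hostname against a list of trusted domains; the domain names are constructed on reserved test TLDs, the digit-to-letter table is an assumption, and the check assumes single-label TLDs.

```javascript
// Added example: flag hostnames that imitate a trusted domain.
// Assumed mapping of digits commonly swapped in for letters.
const DIGIT_TO_LETTER = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t" };

// Reduce a label to a "skeleton": undo digit swaps, collapse repeated characters.
function skeleton(label) {
  return label
    .toLowerCase()
    .replace(/[013457]/g, (d) => DIGIT_TO_LETTER[d])
    .replace(/(.)\1+/g, "$1");
}

// Split a hostname into its last two labels (assumes a single-label TLD).
function splitHost(host) {
  const parts = String(host).toLowerCase().replace(/\.$/, "").split(".");
  if (parts.length < 2 || parts.some((p) => p === "")) {
    throw new Error("not a fully qualified hostname: " + host);
  }
  return { label: parts[parts.length - 2], tld: parts[parts.length - 1] };
}

function checkHost(host, trustedDomains) {
  const h = splitHost(host);
  const trusted = trustedDomains.map((d) => ({ domain: d, ...splitHost(d) }));

  // An exact match on label and TLD wins before any lookalike test runs.
  for (const t of trusted) {
    if (h.label === t.label && h.tld === t.tld) {
      return { status: "trusted", domain: t.domain };
    }
  }
  for (const t of trusted) {
    if (h.label === t.label) {
      return { status: "suspicious", reason: "different-tld", imitates: t.domain };
    }
    if (skeleton(h.label) === skeleton(t.label)) {
      return { status: "suspicious", reason: "lookalike-label", imitates: t.domain };
    }
  }
  return { status: "unknown" }; // unknown is not the same as safe
}

// Constructed sample data on reserved TLDs (.example, .test).
const TRUSTED_DOMAINS = ["goodswap.example"];
const SAMPLE_HOSTS = [
  "app.goodswap.example", // genuine subdomain
  "g00dswap.example",     // letters replaced with numbers
  "gooodswap.example",    // repeated character
  "goodswap.test",        // brand name on another extension
  "unrelated.example",
];

for (const host of SAMPLE_HOSTS) {
  console.log(host, "->", JSON.stringify(checkHost(host, TRUSTED_DOMAINS)));
}
```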

6. Clipboard hacks and address poisoning scams

Crypto transactions are, in most cases, impossible to reverse. This is a core feature of the crypto movement, which was designed to prioritize immutability.

However, this also means that many scams simply involve trying to find ways to make you send money to the wrong wallet address. Clipboard hacks are a popular way of achieving this goal.

Due to their length and the risk of making a mistake, virtually no one enters wallet addresses manually. Instead, most users simply copy and paste addresses within their crypto wallet.

A clipboard hack uses a piece of malicious software that waits for you to copy a wallet address. Then, it covertly replaces the address you copied with a wallet address that the hacker has access to. 

When you paste the address to trade your coins, you might not notice that the wallet address has been changed, and could end up sending your money directly to the hacker.

Similarly, an address poisoning scam works by sending a small amount of crypto to your wallet from a wallet address created to look remarkably similar to your own.

For example, an address that reads 0x3D9465…d6a6f4 could be replaced with a vanity address created by an attacker that reads 0x3D9466…96a6f4. Hard to tell the difference at a glance, right? 

The idea is that, as part of a future transaction, you might accidentally select the copycat address rather than your own—which would also mean giving your coins directly to your scammer.

How to stay safe: Due to the stealthy nature of this type of scam, it can be incredibly effective. This scam is made more prevalent by the fact that many users only verify the first and last five characters of a wallet address.

The best way to get ahead of these scams is to verify every character of the wallet addresses that you transact with, and to use a wallet that allows you to easily view the entire address.

In addition, when you are using Matcha to trade millions of tokens at the best price, you can verify that you are trading with your intended recipient by verifying the token contract address located above the trade module.
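Checking only the first and last five characters is exactly what address poisoning relies on, so the comparison is better left to code. This added example (not part of the original article) compares a recipient against a saved address book and flags addresses that match a saved entry at both ends but differ in between; all addresses are constructed and the address-book labels are hypothetical.

```javascript
// Added example: detect address-poisoning lookalikes before sending.

// Validate a 20-byte hex address and return its 40 lowercase hex characters.
function normalize(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error("not a 20-byte hex address: " + addr);
  }
  return addr.slice(2).toLowerCase();
}

// Number of leading characters two equal-length strings share.
function sharedPrefix(a, b) {
  let i = 0;
  while (i < a.length && a[i] === b[i]) i++;
  return i;
}

// Number of trailing characters two equal-length strings share.
function sharedSuffix(a, b) {
  let i = 0;
  while (i < a.length && a[a.length - 1 - i] === b[b.length - 1 - i]) i++;
  return i;
}

// visible = how many characters at each end a wallet UI typically shows.
function checkRecipient(candidate, addressBook, visible = 5) {
  const c = normalize(candidate);
  let verdict = { status: "unknown" };
  for (const [label, known] of Object.entries(addressBook)) {
    const k = normalize(known);
    if (c === k) return { status: "exact", label };
    const prefix = sharedPrefix(c, k);
    const suffix = sharedSuffix(c, k);
    if (prefix >= visible && suffix >= visible) {
      // Same visible ends, different middle: the poisoning pattern.
      verdict = { status: "lookalike", label, prefix, suffix };
    }
  }
  return verdict;
}

// Constructed sample addresses, not taken from any real wallet.
const SAVED = "0x3fa9c" + "1234567890".repeat(3) + "b71e2";
const POISON = "0x3fa9c" + "0987654321".repeat(3) + "b71e2";
const STRANGER = "0x" + "ab".repeat(20);
const ADDRESS_BOOK = { "my cold wallet": SAVED }; // hypothetical label

for (const addr of [SAVED.toUpperCase().replace("0X", "0x"), POISON, STRANGER]) {
  console.log(addr, "->", JSON.stringify(checkRecipient(addr, ADDRESS_BOOK)));
}
```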

Use DeFi’s best tools to stay safe from crypto scams

Staying safe in the crypto landscape requires diligence. Like in any industry, there are always going to be bad actors who are looking to take advantage of you.

Fortunately, by making the right choices, you can largely mitigate the risk of these scams impacting you. Remember to never interact with unknown URLs, practice healthy skepticism when interacting with any platform, avoid signing unlimited token approvals, and always verify the contract address of tokens that you buy and the entire address of the wallets that you trade with.

In addition, there are also great tools that you can use in order to lower the risk of falling victim to a crypto scam. With the right crypto wallet, for instance, you can mitigate some of the risks that we’ve rounded up here on our list. To find the right wallet for your needs, check out our guide to the best crypto wallets for DeFi.
