Some of the costliest crypto scams never touch the blockchain. They wait for you to make one wrong move, and a few simple habits are usually enough to stop them.
This guide was prepared with care by SimpleSwap and Cypherock to help you keep your crypto safe.
The address you copy may not be the one you send
Spotting the scam before you hit send has rarely mattered as much as it does this week.
On June 17, 2026, Microsoft’s threat intelligence team published an analysis of a strain of Windows malware that travels on USB drives disguised as ordinary documents and then monitors the clipboard about twice a second.
The instant it sees a copied wallet address, it replaces it with one controlled by the attacker, so the crypto you meant to send yourself lands with a stranger instead. Microsoft Defender flags the family as CryptoBandits.
The same code extends beyond one redirected payment. As it runs, it pulls seed phrases and private keys from the clipboard and quietly captures the screen, leaving enough for someone to drain the funds later on their own schedule.
None of this breaks the blockchain or defeats the cryptography your wallet relies on. It only changes what your machine shows and copies at the worst possible moment. It is the freshest example of a problem now measured in the billions.
The money is real, and so is the risk
Crypto fraud is having its biggest year on record, and a growing share of it targets individual holders rather than the platforms they use.
In 2025, Americans reported $11.37 billion in losses from cryptocurrency fraud, a 22% increase from the year before, according to the FBI’s annual Internet Crime Report.
These are not small mishaps: nearly 18,600 victims each lost more than $100,000, with the average reported loss exceeding $62,000. Worldwide, Chainalysis estimates that scams and fraud cost users up to $17 billion in the same year.
A lot of that money still vanishes in large-scale exploits of networks and platforms, which remain the single biggest category by value. PeckShield put 2025 exploit losses at roughly $2.67 billion, close to two-thirds of all crypto theft.
Those breaches deserve their own attention, but they are not the subject here.
The scams in this guide work differently, and that is exactly why they are worth understanding. They do not try to defeat the cryptography or break into a network.
They borrow the trust you already place in tools you know, then steer you into approving the loss yourself. A clever offer wrapped in a familiar logo is often all it takes: the attacker does the easy part, and your own hand finishes the job.
That shift in target changes what actually protects you.
The usual advice focuses on the technology, telling you to use a reputable app and guard your seed phrase. Yet many people are losing money in these schemes while following every word of it.
What breaks down is the single decision to act, the click or transfer that the scam was built to trigger. The rest of this guide lays out how scammers manufacture that decision and the habits that take it back from them.
The scam that wears a real interface
One pattern has been spreading fast on messaging apps. It is worth walking through in detail because it shows how convincing these tricks have become.
It starts with a tip that feels like insider knowledge: a flaw in a popular crypto service that supposedly lets you unlock a hidden bonus or claim a far bigger discount than the rules allow.
The pitch never says the company is being generous. It tells you that someone found a loophole and that you can cash in too.
All it takes is installing a browser extension and running a short script, and the sketchy setup gets reframed as the clever price of being in on the secret.
Once that script is running, it quietly rewrites the deposit address shown on the real website. You open the genuine service and send your crypto as you always have, looking at the same familiar interface.
Everything on screen looks right, but behind the scenes, the destination has been swapped to the attacker’s wallet. Your funds travel straight to a stranger. By the time anything feels off, the transaction has already been confirmed on-chain and cannot be reversed.
The tell is in the bait itself. The promise is not a gift but a loophole, a flaw you supposedly get to exploit, and that framing is what disarms you.
Chasing a clever exploit feels smart, so you never stop to ask whether it is real. It is not. Behind the promise sits only a script quietly redirecting your money.
The real weak point in the scheme is the temptation to believe you have outsmarted the service.
“The bait here is not generosity, it is the thrill of a shortcut nobody else knows about, and that is what gets people to run code they would otherwise never touch.
The blockchain behaves exactly as designed, and what gets compromised is the browser sitting in front of it. So when claiming some ‘secret’ value means installing an add-on or pasting in a script, the claim is the attack.
Verify every deposit address inside the official app, and treat any hidden shortcut to extra value as a warning rather than a win.”
— Stefan Lauer, Head of Infrastructure, SimpleSwap
Know the other plays in the deck
The fake-bonus trick is only one move. The same goal of getting you to act against your own interest drives several other schemes you are likely to meet.
Recognizing the shape of each one is half the defense.
Investment scams and social engineering. This is the largest category by losses, accounting for around $7.2 billion in the FBI’s 2025 figures.
The setup is patient rather than technical. A stranger builds rapport over days or weeks through a dating app or friendly message, points you to a polished investment platform that shows fake gains, then disappears once you send real money.
The FBI links many of these operations to organized scam centers in Southeast Asia that run on forced labor and scripted manipulation.
Fake support and bogus compensation forms. When a breach or outage makes headlines, scammers move in fast.
They flood social media and messaging apps with accounts impersonating official support, along with “compensation” forms that ask for your wallet details or seed phrase.
Real support does not chase you down in your DMs to fix a problem you never reported.
Fake airdrops and approval phishing. A site offers a free token drop and asks you to connect and sign a transaction.
The signature is not a claim at all; it hands the attacker standing permission to move your assets out later. Because these prompts are hard to read, many people approve without realizing what they granted.
Address poisoning. An attacker sends you a tiny, worthless transaction from an address that looks almost identical to one you use often.
Later, when you copy a recent address from your history to make a payment, you grab the lookalike by mistake, and your funds go to the attacker. A few seconds spent checking the full address closes this gap.
The habits that actually keep you safe
You do not need to become a security expert to shut down most of these schemes. A short set of habits handles the large majority of them:
- Treat any “loophole” or secret exploit that promises free value as a scam, especially if it requires installing or running something.
- Never install a browser extension or run a script because a file or a stranger told you to.
- Verify the deposit address in the official app or on the website before sending anything.
- Keep your seed phrase and private keys off every screen, because no real service will ever ask for them.
- When a breach makes headlines, ignore the “support” accounts and “compensation” forms that reach out to you first.
- Slow down your decisions, since urgency is the scammer’s favorite tool, and a short pause often reveals the trap.
For the trick that is hardest to catch, a screen quietly showing you the wrong thing, the strongest answer is to move the final check somewhere malware cannot follow.
A hardware wallet keeps your private keys offline and confirms the real destination address and amount on its own screen. Even if your browser has been tampered with, it cannot rewrite what you actually approve on a separate device.
“Every one of these scams leans on the same assumption: that you trust whatever your screen shows you.
Cypherock’s X1 Vault has no Bluetooth or Wi-Fi, and every transaction is verified on the device itself, so a compromised browser can’t quietly swap the address.
The same logic protects your key: instead of one seed phrase written on paper and exposed in full, Cypherock splits it across five components using Shamir’s Secret Sharing, so no single point of failure puts your funds at risk.”
— Akhil Jonnavithula, Director of BD at Cypherock
The bottom line
None of the scams in this guide requires breaking anything technical. They only need you, for a single moment, to trust the wrong screen or chase the wrong reward.
That makes your attention the one defense that travels with you everywhere.
Treat every too-good offer as a warning and confirm what you are sending inside official products. If you come across a suspicious file or set of instructions, report it through the official channels of whatever service it imitates.
The scammers are counting on a fast click, so slowing down is how you take that advantage away.
This guide was produced by SimpleSwap together with Cypherock.
SimpleSwap is a self-custodial multi-source swap aggregator that moves crypto from wallet to wallet across aggregated CEX and DEX liquidity. More at simpleswap.io.
Cypherock makes a hardware wallet that splits your private key across a vault and four cards using Shamir’s Secret Sharing, eliminating seed phrase vulnerability as a single point of failure. More at cypherock.com/store.
