Anti-Scam Crypto Master Playbook: 4 Rules + 7 Attack Patterns (2026)
Crypto scams stole an estimated $14B+ in 2024 (Chainalysis), and the real figure is higher. Almost every loss traces back to four broken rules: sharing a seed phrase, signing a transaction without reading it, trusting a "support" DM, or believing returns that are mathematically impossible. Memorize the four rules below and 99% of scams stop working on you.
Not financial advice. This article is for educational purposes only. Crypto is volatile and carries risk. Never invest more than you can afford to lose. Always do your own research.
This is a defensive playbook. For the pattern-by-pattern walkthrough of how the most common scams look, see Common crypto scams 2026. For the technical mechanism behind wallet drainers, see Wallet drainer explained.
Rule #1: Never share your seed phrase. Anyone asking is scamming you.
Your seed phrase is the master key to your wallet. There is exactly zero legitimate reason for anyone (your wallet provider, exchange support, a tax advisor, a friend) to need it.
If someone asks, they are scamming you. This includes:
- "MetaMask Support" DM
- "Phantom Helper"
- "Coinbase Verification Team"
- Any DM offering to "fix" or "verify" your wallet
Real wallet providers don't have access to your seed phrase. The math doesn't allow it. They can't help with seed-phrase-related issues. Take this rule to the extreme: if even your closest family member asks, refuse.
See Seed-phrase safety for the practical storage rules.
Rule #2: Read every transaction before signing
Wallet drainers work by getting you to sign a transaction that looks innocent but actually grants the attacker permission to drain a specific token. "Free NFT mint" → sign → USDT gone. "Claim airdrop" → sign → ETH gone.
The defense:
- Read every signature's actual asset movement before approving.
- Use Rabby instead of MetaMask: it simulates the transaction and shows "You will lose 1,000 USDC" in plain English, where MetaMask shows raw hex.
- If you use a hardware wallet, read the device screen too. The Ledger/Trezor screen can't be faked by the website.
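To make "raw hex" concrete, here is an added example (not from the original article or from any wallet's code) that decodes the calldata of the token-permission calls described above and states the asset effect in one line. The selectors are the standard ERC-20/ERC-721 ones; the function names `decode_calldata` and `explain`, the 6-decimal token and the placeholder address are assumptions made for illustration.

```python
# Added example (not from the article): turn raw calldata into plain English.
# Selectors are the standard ERC-20 / ERC-721 ones; sample data is constructed.
MAX_UINT256 = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool ok)
    "a9059cbb": "transfer",           # transfer(address to, uint256 amount)
}

def decode_calldata(data_hex):
    """Return {'function', 'party', 'value'} or None for an unknown selector."""
    raw = data_hex.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    selector, args = raw[:8], raw[8:]
    if selector not in SELECTORS:
        return None
    if len(args) != 128:
        raise ValueError("expected exactly two 32-byte arguments")
    # An address occupies the low 20 bytes (40 hex chars) of its 32-byte word.
    return {"function": SELECTORS[selector],
            "party": "0x" + args[24:64],
            "value": int(args[64:128], 16)}

def explain(data_hex, decimals=6):
    """One-line summary; decimals=6 is an assumption (USDC-style token)."""
    call = decode_calldata(data_hex)
    if call is None:
        return "UNKNOWN call: do not sign without a simulation"
    fn, party, value = call["function"], call["party"], call["value"]
    if fn == "setApprovalForAll":
        return (f"DANGER: {party} may move every token in this collection"
                if value else f"Revokes operator rights of {party}")
    whole, frac = divmod(value, 10**decimals)
    amount = f"{whole:,}.{frac:0{decimals}d}"
    if fn == "transfer":
        return f"Sends {amount} tokens to {party}"
    if value == 0:
        return f"Revokes the allowance of {party}"
    if value == MAX_UINT256:
        return f"DANGER: {party} may spend an UNLIMITED amount of this token"
    return f"Lets {party} spend up to {amount} tokens"

# Constructed samples: placeholder address, unlimited approve, 1,000-token transfer.
ADDR_WORD = ("11" * 20).rjust(64, "0")
SAMPLE_APPROVE = "0x095ea7b3" + ADDR_WORD + "f" * 64
SAMPLE_TRANSFER = "0xa9059cbb" + ADDR_WORD + format(1000 * 10**6, "064x")

if __name__ == "__main__":
    for sample in (SAMPLE_APPROVE, SAMPLE_TRANSFER, "0xdeadbeef"):
        print(explain(sample))
```

An approve call moves nothing at signing time, which is why it looks harmless; the loss happens later, when the approved address uses the permission.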
Rule #3: Bookmark every DApp. Never click links from DMs, ads, or unverified posts.
There is a phishing copy of every major site: fake Uniswap, fake OpenSea, fake MetaMask, fake Etherscan. They rank in Google Ads, appear in Telegram links, and get pinned in "official" Discord channels by impersonator admins.
Defense:
- Once you confirm a site is real, bookmark it.
- Always navigate via that bookmark, never via search results or shared links.
- On mobile, save to home screen.
Ten seconds of inconvenience prevents the single most common attack vector.
Rule #4: If returns sound impossible, they are
- "Guaranteed 10% per day": pure Ponzi.
- "Mirror this whale wallet, automatic 50%/month": fake copy trade.
- "Bitcoin doubling event from [celebrity]": fake giveaway.
Bitcoin's long-term average has been extraordinary by traditional standards. Anyone offering more reliable returns than that is selling a fantasy.
The 7 attack categories that account for ~99% of losses
Memorize the pattern and the one-line defense for each.
- Phishing sites: a fake DApp clone steals seed phrase or tricks you into signing a drainer. Defense: bookmark real sites; never click search ads.
- Wallet drainers: malicious "free mint" or "claim" transactions that grant token-spending permission. Defense: read transactions in Rabby; revoke old approvals quarterly via revoke.cash.
- Fake support: DM from "MetaMask support" or "Coinbase team" asking for seed phrase or 2FA codes. Defense: real support never DMs first. Block and report.
- Rug pulls: project creators drain liquidity and disappear. Defense: check liquidity lock and run a GoPlus scan before buying any new token.
- Airdrop scam tokens: a token appears in your wallet with a name like "Visit-website-to-claim." Visiting triggers a drainer. Defense: never interact with unfamiliar airdropped tokens. Just ignore them.
- Romance / pig butchering: long-game scam where someone befriends you on dating apps, then introduces an "investment opportunity." Most losses are $50k–500k. Defense: never invest based on advice from someone you met online and have not met in person.
- Fake giveaways: "Elon Musk is giving away Bitcoin: send 0.1 BTC, get 1 BTC back." Defense: no legitimate giveaway requires you to send first. Period.
A sneakier variant: clipboard hijacking
Malware can detect when you copy a crypto address and silently replace it with the attacker's. You paste, send, funds go to the wrong place.
Defense: always verify the first 5 and last 5 characters of any pasted address against the source before confirming. Hardware wallets show the destination on the device screen; read it.
Recovery scams: when you're already a victim
After a scam, victims often get contacted by "recovery experts" or "blockchain forensics services" promising to retrieve funds for an upfront fee. These are second-stage scams. Real blockchain forensics firms (Chainalysis, Elliptic, TRM Labs) work with law enforcement, not with individual retail victims. Pay nothing upfront; that's always the giveaway.
What to do if you've been scammed
- Stop sending more. Most victims double down trying to "recover" losses, making it worse.
- Document everything: transaction hashes, addresses, screenshots, dates.
- Report to the platform. If the funds touched Coinbase, Binance, etc., file a support ticket. They sometimes freeze recipient accounts.
- Report to law enforcement. US: IC3.gov. UK: Action Fraud. EU: Europol's EC3.
- Report the scammer's address publicly: Twitter, Etherscan label, wallet providers (MetaMask phishing list).
- Do NOT pay recovery services. They're follow-on scams.
- Move remaining funds. If your wallet was compromised at any level, move everything to a fresh wallet with a new seed phrase. Don't reuse the compromised one.
Bottom line
Crypto safety isn't complicated; it's behavioral. Four rules and a handful of patterns cover almost everything. The reason scams still work is that people don't actually follow the rules, especially when they're tired, excited, or under time pressure.
Next reads: Common crypto scams 2026 · Wallet drainer explained · How to keep crypto safe.