Crypto scams are evolving fast. Discover the latest tricks hackers use to steal crypto — and how to protect your funds before it’s too late!

Read more 📖
Complete Guide to Bitcoin Scams 👉 https://www.coingecko.com/learn/compl...

Timestamps:
00:00 Intro
00:30 Zoom Social Engineering
02:09 Fake "Trusted Sites"
04:47 Phishing 3.0
06:08 Mobile Malware
07:12 AI & MEV Bot Scams
08:40 Outro
_____________________________


#cryptoscams #security #deepfake #bitcoin #ethereum #web3 #walletdrainer #cybersecurity #phishing #blockchain #coingecko

Transcript
00:00Since our last video on crypto scams, things have arguably gotten a lot worse. In 2024 alone,
00:08scammers stole at least 9.9 billion in crypto. And scammers are only getting smarter and more
00:15creative every year. And danger isn't always obvious anymore. So this video is an updated
00:21breakdown of the latest crypto scams and how you can avoid becoming a victim.
00:29Let's start with the time-old social engineering. Scammers have always targeted victims through
00:35platforms and people that they already trust. But it's only getting scarily more believable.
00:41A few cases surfaced where scammers tried to get you to install malware onto your device via a fake
00:49Zoom link. Through a compromised account, they impersonate a co-worker, a friend, or someone
00:55that you've talked to before on Telegram. And they say that they want to catch up or discuss a project
01:00and then send you what looks like a Zoom link. And that fake link then takes you to a clone site that
01:07looks identical to the real thing. Then once you join the call, you'll likely see familiar faces,
01:13but they're not real. Just convincing enough deepfakes.
01:22And now that you're convinced that you're in a real Zoom call with people that you know,
01:28the real bait appears in the form of a small technical issue. They'll say that they can't
01:35hear you, that your Zoom version needs a quick update, and since the site is controlled by the
01:41attacker, a pop-up to install that update automatically appears. Now if you click it,
01:46that is all it takes to install malware that gives them access to your device, passwords,
01:52and crypto wallets. This kind of attack can take many forms, so make sure to never install
01:58or run anything you didn't get through official channels. Stay skeptical and verify contacts on
02:05another platform to make sure that it's really them. But these attackers aren't just exploiting people
02:11that you trust. Even sites you trust can be turned against you. In June 2025, CoinMarketCap displayed a
02:18fake "verify your wallet" pop-up on its website. Users who clicked it unknowingly gave hackers permission
02:26to drain their wallets. Attackers pulled this off by exploiting a vulnerability that made the fake pop-up
02:33appear as if it was coming from CoinMarketCap itself. A few days later, Cointelegraph was hit
02:39by a similar attack and briefly showed a fake airdrop banner to visitors. These kinds of attacks that
02:46take advantage of your trust in reputable platforms are not new. Attackers have in the past managed to
02:52compromise a shared toolkit used by multiple crypto apps to handle wallet connections. Suddenly,
02:59any app that used that tool would unknowingly run a wallet-draining script the moment a user connected.
03:07Then there's an even scarier attack called EtherHiding where hackers use the blockchain itself to
03:16hide and deliver malware. It usually begins with social engineering where the attacker lures a
03:22developer through a fake recruitment process which includes a technical assessment that asks them to
03:29download or run malicious code from a normal source like GitHub. Once that code runs,
03:36it compromises the developer's system and lets the attacker slip their own code into the websites or
03:44projects that the developer manages. Then when someone visits that site, the hidden script quietly reaches
03:50out to a blockchain network like Ethereum or BSC and pulls a small chunk of data that's actually malware
04:00stored on chain. The malware runs right inside the visitor's browser, stealing passwords, draining wallets,
04:08or even showing fake login pages. And because it's coming directly from the blockchain instead of a normal
04:16server, there's no simple way to take it down. So one thing that you could do to minimize risk is to use
04:23separate browser profiles or even a dedicated browser or device just for crypto with no logged in sessions
04:31or extensions that could be hijacked. Also use wallets that warn you about risky permissions and also keep
04:39an eye on project updates so that you'll know quickly if a site that you use has been compromised.
04:46And then phishing has also evolved, making them harder to spot than ever. On mobile, some phishing sites
04:54can still fake the browser's address bar. It's an old trick, but it still works to make fake sites look
05:00real.
05:01In this demo, for example, you'll see a page that looks like HSBC's official site. It even shows the green padlock
05:10and www.hsbc.com in the bar. The real site is still visible at the very top, but the fake bar,
05:17it looks convincing enough that some people just wouldn't notice that they're on a phishing page.
05:23And then there's email phishing, except this time the scam emails actually come from what looks like
05:30a trusted source. Hackers have managed to send emails that appear to come directly from Google
05:35or Microsoft. And if you take the bait, you'll end up unknowingly sharing sensitive information
05:42with the scammer, or in some cases they'll try to get you to install malware on your device.
05:48Now, since these phishing emails can slip past spam filters and look pretty legitimate,
05:54don't trust an email just because of where it says that it's from. Always check the links before clicking,
06:02and if you get a critical alert, go straight to the official website or app to verify it yourself.
06:08And sometimes attackers don't even need to trick you into clicking anything. They'll just wait for you to
06:14install the wrong app. In June this year, researchers uncovered a spyware that had slipped into both the
06:21Apple App Store and Google Play Store. And its goal was to simply steal seed phrases and private keys
06:28from your phone. It hid inside innocent looking apps like a crypto portfolio tracker on iOS or a messaging
06:35app with crypto features on Android, each with thousands of downloads. But once it was installed,
06:42the malware quietly scanned your photo gallery and files for anything that looked like a seed phrase or
06:50wallet credentials. And if it spotted something resembling a seed phrase or private key, it flagged that image
06:56and uploaded it to the attacker's server. So the takeaway here is simple. Never save your seed phrase or private key
07:03in any digital form on your phone. Stick to trusted apps and avoid downloading random APKs. And finally,
07:12don't grant unnecessary permissions to apps. So scammers have also found a way to cash in on the gold rush
07:20created by meme coins. One of the tricks going around is the fake MEV trading bot. You've probably seen
07:27those YouTube videos that promise easy money. Just deploy this bot, send a little ETH and let it automatically
07:35find arbitrage opportunities for you. Except the moment that you do, your ETH is gone. The contract is
07:44built to drain your wallet and send the money straight to the scammer's address. In one case,
07:51a single address pulled in over $900,000 from people doing exactly this. And then AI. It has only made
08:02things worse. The people in these videos aren't even real. They're deepfake avatars working around the
08:09clock selling the same get rich story over and over. So as a rule, never deploy code that you don't
08:18understand. Especially not just because a random video told you to. If it sounds too good to be true,
08:24it probably is. So with that, you're all caught up on some of the more sophisticated scams that attackers
08:31are pulling off today. The reality is crypto scams are going to continue evolving and no matter how careful
08:38you think you are, all it takes is one moment of trust in the wrong link, the wrong update or the wrong app.
08:46So slow down, double check everything and question anything that feels too urgent or too good to be true.
08:54So hopefully this video helped you out and drop a comment if you've come across any of these scams.
09:00Your experience might help someone else avoid becoming the next victim.