UNIT59 INTELLIGENCE OPS
[UNIT59 // THREAT EDUCATION DIVISION]

FRAUD
AWARENESS

A structured intelligence briefing on the seven primary crypto fraud vectors currently active in global markets. Each entry details the attack mechanism, operational signatures, and explicit consumer red flags to enable immediate threat recognition.

ACTIVE FRAUD VECTORS

Seven distinct threat categories currently deployed against retail and institutional crypto holders.

[SOCIAL ENGINEERING][VECTOR 01]

Romance & Online Dating Scams

Attack Mechanism

Threat actors deploy fabricated digital identities — typically presenting as affluent, internationally mobile professionals — across dating platforms, social media, and messaging applications. The operator establishes a sustained emotional rapport with the target over days or weeks, systematically building trust before introducing a financial pretext. The end objective is the voluntary transfer of assets by the victim, who believes they are acting in the interest of a genuine relationship. Identity spoofing, AI-generated imagery, and scripted social engineering playbooks are standard operational tools.

Red Flags
  • Contact initiated by an unknown individual on a platform you did not use to seek them out
  • Profile imagery appears professionally produced or AI-generated; a reverse image search returns the same photo under other names, or no organic results at all
  • Relationship escalates to declarations of affection within days of first contact
  • Subject consistently avoids live video calls or provides implausible technical excuses
  • Financial requests framed as temporary emergencies, investment opportunities, or travel costs
  • Requests for wire transfers, cryptocurrency, or gift cards rather than traceable payment methods
[SYNDICATE OPERATION][VECTOR 02]

Pig Butchering Syndicates

Attack Mechanism

Pig butchering (Sha Zhu Pan) is an industrialized, long-duration hybrid fraud pipeline combining romance manipulation with fabricated investment platforms. Syndicate operators — often themselves victims of human trafficking operating from controlled compounds in Southeast Asia — execute a structured "fattening" protocol: building emotional dependency over weeks or months before introducing a fraudulent cryptocurrency trading platform. The victim is guided through small, profitable initial withdrawals to establish platform legitimacy before being induced to deposit maximum capital. The balances and profits shown on the platform were never real positions: deposits go straight to operator-controlled wallets, and once the victim can no longer pay the escalating "fees" the platform is abandoned and the contact disappears.

Red Flags
  • A new online contact introduces an investment platform or "exclusive trading group" unprompted
  • The platform is accessible only via a custom app or link — not listed on any regulated exchange registry
  • Initial small withdrawals are permitted to build false confidence before larger deposits are requested
  • Profits are displayed on-screen but withdrawal attempts trigger "tax holds," "verification fees," or "unlock deposits"
  • Platform customer support is unresponsive or routes all issues back to your original contact
  • The platform domain was registered within the past 12 months with no verifiable regulatory licensing
[SMART CONTRACT EXPLOIT][VECTOR 03]

Smart Contract Ice Phishing

Attack Mechanism

Ice phishing is a smart contract attack vector that does not require the theft of private keys. Instead, the attacker deceives the victim into signing a token approval: an ERC-20 approve or increaseAllowance call, or an ERC-721/ERC-1155 setApprovalForAll call, that grants an attacker-controlled address unlimited or large-scale spending authority over the victim's holdings. The malicious transaction is typically disguised as a routine platform interaction, NFT mint, airdrop claim, or wallet verification prompt. Once the approval is mined, the attacker can call transferFrom at any time and drain the approved balance without further victim interaction. Tokens that implement EIP-2612 permit are exposed even without a transaction: an off-chain typed-data signature alone sets the allowance, so a "sign this message to verify your wallet" prompt can carry the same payload.

Red Flags
  • A wallet connection prompt requests token approval permissions beyond the scope of the stated action
  • Transaction simulation shows a "setApprovalForAll" or "approve" function call to an unrecognized contract address
  • An airdrop, mint, or reward claim asks for a token approval or an opaque message signature when the stated action needs only a direct call to the claim or mint function
  • The requesting platform has no verifiable audit history, team identity, or established community presence
  • Urgency framing: "Claim expires in 10 minutes" or "Limited slots remaining" to suppress due diligence
  • The contract address cannot be verified on a public blockchain explorer or matches no known legitimate protocol
[ADDRESS EXPLOIT][VECTOR 04]

Address Poisoning Loops

Attack Mechanism

Address poisoning is a precision wallet-targeting attack exploiting the common user behavior of copying destination addresses from transaction history rather than from a verified source. The attacker generates a vanity wallet address whose leading and trailing characters match a legitimate address the victim has previously transacted with. The attacker then sends a zero-value or dust transaction from this spoofed address to the victim's wallet, or a transfer of a worthless token that emits a transfer event, inserting the malicious address into the victim's transaction history. When the victim next initiates a transfer and copies an address from their history, they may inadvertently select the poisoned address, routing funds directly to the attacker.

Red Flags
  • A transaction appears in your wallet history from an unknown sender with a zero or negligible value
  • An address in your transaction history visually resembles a known contact address but was not initiated by you
  • The first 4–6 and last 4–6 characters of an address match a known address but the middle segment differs
  • You are copying destination addresses from transaction history rather than from a verified, out-of-band source
  • Your wallet interface does not display full address strings, making character-level verification impossible
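The detection logic behind the red flags above, as an added example that is not code from the page: a scan of a wallet's history for counterparties that mimic an entry in an out-of-band-verified address book, and a send-path gate that refuses a lookalike destination outright. The addresses, the history entries and the address book are constructed for the demo; hex addresses are compared case-insensitively and EIP-55 checksums are not validated here.

```python
"""Screen a wallet's transaction history for address-poisoning lookalikes
and refuse a destination that mimics a verified contact.

Added example; not code from the page. The addresses, the history and the
address book below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    sender: str
    to: str
    value_wei: int


def norm(addr):
    return addr.lower().removeprefix("0x")


def is_lookalike(candidate, known, prefix=4, suffix=4):
    """True if the first `prefix` and last `suffix` hex digits match a known
    address but the full string differs. Vanity generators can match more
    characters than this; treat the defaults as the minimum, not the rule."""
    c, k = norm(candidate), norm(known)
    return c != k and c[:prefix] == k[:prefix] and c[-suffix:] == k[-suffix:]


def find_poisoning(history, me, address_book):
    """Return (suspect, mimicked_label, reason) for every history
    counterparty that resembles a verified address-book entry."""
    hits = []
    for tx in history:
        incoming = norm(tx.to) == norm(me)
        counterparty = tx.sender if incoming else tx.to
        for label, known in address_book.items():
            if is_lookalike(counterparty, known):
                reason = ("incoming zero-value transfer from lookalike"
                          if incoming and tx.value_wei == 0
                          else "lookalike counterparty in history")
                hits.append((counterparty, label, reason))
    return hits


def check_destination(dest, address_book):
    """Send-path gate: exact match to a verified entry passes, a lookalike
    is refused, anything else must be verified through another channel."""
    for label, known in address_book.items():
        if norm(dest) == norm(known):
            return f"OK: {label}"
    for label, known in address_book.items():
        if is_lookalike(dest, known):
            return f"REFUSE: {dest} mimics verified entry '{label}'"
    return "UNKNOWN: verify the full address through an independent channel before sending"


# --- constructed sample data ---------------------------------------------
ME = "0x" + "a" * 40
EXCHANGE = "0x7a3b" + "1" * 32 + "4c5d"   # deposit address verified out of band
POISON = "0x7a3b" + "9" * 32 + "4c5d"     # attacker vanity address: same ends, different middle
FRIEND = "0x" + "c" * 40
ADDRESS_BOOK = {"exchange": EXCHANGE, "friend": FRIEND}
HISTORY = [
    Tx(ME, EXCHANGE, 500_000_000_000_000_000),   # my real deposit (0.5 ETH)
    Tx(POISON, ME, 0),                           # the poison: zero value, lookalike sender
    Tx(FRIEND, ME, 100_000_000_000_000_000),
]

if __name__ == "__main__":
    for hit in find_poisoning(HISTORY, ME, ADDRESS_BOOK):
        print(hit)
    print(check_destination(POISON, ADDRESS_BOOK))
    print(check_destination(EXCHANGE, ADDRESS_BOOK))
```

The gate only works if the address book is populated from an independent source (the exchange's deposit page, a phone call, a previously verified thread), never from history; a wallet that lets the user "save" an address straight out of the history view re-creates the vulnerability.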
[DEFI EXPLOIT][VECTOR 05]

Liquidity Pool Rug Pulls & Exit Scams

Attack Mechanism

A rug pull is a developer-executed exit fraud within decentralized finance (DeFi) protocols. Operators deploy a new token or liquidity pool, generate artificial trading volume and community hype to attract investor capital, then execute a unilateral liquidity withdrawal — draining all deposited assets from the pool and rendering the token valueless. Variants include "hard rugs" (immediate total drainage), "soft rugs" (gradual developer token dumping), and "honeypot contracts" (smart contract code that permits token purchases but programmatically blocks all sell transactions, trapping investor capital).

Red Flags
  • Token contract has not been audited by a recognized third-party security firm
  • Developer team is anonymous with no verifiable identity, prior project history, or doxxed founders
  • Liquidity pool tokens are not locked in a time-locked contract or held by a reputable third-party custodian
  • A single wallet or small cluster of wallets holds a disproportionate percentage of the total token supply
  • Smart contract contains owner-privileged functions allowing minting, blacklisting, or fee manipulation
  • Community growth is driven by paid promotions, bot activity, or coordinated social media campaigns with no organic development activity
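A static pre-investment screen for the red flags above, as an added example that is not the page's tooling: it walks a contract's runtime bytecode for the selectors of owner-privileged functions (the dispatcher shape solc emits, DUP1 PUSH4 selector EQ PUSH2 dest JUMPI), measures holder concentration with the LP pair and burn address excluded, and checks the liquidity lock. The bytecode, balances and lock data are constructed; the privileged-function list and the 10%, 50% and 180-day thresholds are assumptions to tune. A proxy, a renamed function, or a selector outside the list evades the scan, and honeypot sell-blocking logic cannot be found statically at all; that needs a simulated sell on a forked chain.

```python
"""Static screen of a DeFi token for rug-pull indicators.

Added example, not the page's tooling. The runtime bytecode, holder
balances and LP lock data below are constructed; PRIVILEGED and the
thresholds in screen_token() are assumptions to tune per case.
"""
import time

PUSH1, PUSH4, PUSH32, EQ = 0x60, 0x63, 0x7F, 0x14

# keccak256(signature)[:4] of common owner-only functions (OpenZeppelin names).
PRIVILEGED = {
    "40c10f19": "mint(address,uint256)",
    "8456cb59": "pause()",
    "f2fde38b": "transferOwnership(address)",
}


def selectors_in_bytecode(bytecode_hex):
    """Walk the opcode stream, skipping PUSH immediates, and collect every
    4-byte constant that is immediately compared with EQ. That is how the
    solc dispatcher tests msg.sig, so this recovers the public selectors."""
    code = bytes.fromhex(bytecode_hex.removeprefix("0x"))
    found, i = set(), 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            if op == PUSH4 and i + 5 < len(code) and code[i + 5] == EQ:
                found.add(code[i + 1:i + 5].hex())
            i += 1 + width            # never scan inside push data
        else:
            i += 1
    return found


def holder_concentration(balances, exclude=()):
    """(top-1 share, top-5 share) of circulating supply, with the LP pair
    and burn address excluded so they do not mask a concentrated deployer."""
    live = sorted((b for a, b in balances.items() if a not in exclude), reverse=True)
    total = sum(live)
    if not total:
        return 0.0, 0.0
    return live[0] / total, sum(live[:5]) / total


def screen_token(bytecode_hex, balances, lp_pair, burn, lp_unlock_ts, now):
    """Return a list of findings; thresholds are assumptions."""
    findings = []
    for sel in sorted(selectors_in_bytecode(bytecode_hex) & set(PRIVILEGED)):
        findings.append(f"owner-privileged function present: {PRIVILEGED[sel]}")
    top1, top5 = holder_concentration(balances, exclude={lp_pair, burn})
    if top1 > 0.10:
        findings.append(f"single wallet holds {top1:.0%} of circulating supply")
    if top5 > 0.50:
        findings.append(f"top five wallets hold {top5:.0%} of circulating supply")
    if lp_unlock_ts is None:
        findings.append("LP tokens are not locked")
    elif lp_unlock_ts - now < 180 * 86400:
        findings.append("LP lock expires in under 180 days")
    return findings


# --- constructed sample ---------------------------------------------------
def _dispatcher(selectors):
    """Emit DUP1 PUSH4 <sel> EQ PUSH2 <dest> JUMPI per selector (solc's shape)."""
    out = bytearray()
    for k, sel in enumerate(selectors):
        out += b"\x80\x63" + bytes.fromhex(sel) + b"\x14\x61" + (0x100 + k).to_bytes(2, "big") + b"\x57"
    return out


# transfer(), mint(), transferOwnership(), then a PUSH32 whose immediate data
# contains the byte pattern 63 de ad be ef 14; a naive byte grep would report it.
SAMPLE_CODE = (_dispatcher(["a9059cbb", "40c10f19", "f2fde38b"])
               + b"\x7f" + bytes.fromhex("63deadbeef14") + bytes(26) + b"\x00").hex()

DEPLOYER, LP_PAIR, BURN = "0xdeployer", "0xlp-pair", "0x" + "0" * 40
SAMPLE_BALANCES = {DEPLOYER: 300_000, LP_PAIR: 400_000, BURN: 100_000,
                   **{f"0xholder{n}": 20_000 for n in range(10)}}

if __name__ == "__main__":
    for line in screen_token(SAMPLE_CODE, SAMPLE_BALANCES, LP_PAIR, BURN, None, time.time()):
        print(line)
```

On the sample the screen reports the mint and transferOwnership selectors, a deployer holding 60% of circulating supply, a top-five share of 76%, and unlocked LP tokens; the deadbeef bytes inside the PUSH32 are correctly ignored because the walker skips push immediates.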
[EMPLOYMENT FRAUD][VECTOR 06]

Task & Employment Scams

Attack Mechanism

Task scams present as legitimate remote employment or micro-task optimization opportunities — typically advertised as "app optimization," "product review boosting," or "e-commerce rating tasks." Victims are onboarded into a controlled platform and assigned simple, repetitive tasks with small, visible earnings. The scam architecture requires victims to maintain a minimum account balance to "unlock" task sets or withdraw earnings. Operators progressively increase the required deposit threshold, citing "system errors," "account upgrades," or "VIP tier requirements," until the victim either exhausts their capital or recognizes the fraud.

Red Flags
  • A job offer arrives unsolicited via WhatsApp, Telegram, or SMS from an unknown number
  • The role requires no verifiable qualifications, interviews, or identity verification
  • Earnings are displayed on a platform dashboard but cannot be withdrawn without an upfront deposit
  • You are required to maintain a minimum balance or "top up" your account to continue working
  • The platform operates exclusively through a custom app or Telegram bot with no web presence
  • Customer support instructs you to deposit more funds to resolve withdrawal errors rather than processing your existing balance
[SECONDARY FRAUD][VECTOR 07]

Double-Dip Recovery Syndicates

Attack Mechanism

Double-dip recovery fraud is a secondary victimization operation targeting individuals who have already suffered a crypto fraud loss. Operators — posing as blockchain forensics firms, legal recovery specialists, or law enforcement liaisons — contact known fraud victims through social media, forums, or direct outreach. They present fabricated case files, fake regulatory credentials, and falsified recovery success rates to establish authority. The victim is then charged upfront "legal fees," "blockchain access fees," or "regulatory compliance deposits" to initiate a recovery process that does not exist. No funds are ever recovered.

Red Flags
  • An unsolicited contact claims to have already identified or traced your stolen funds
  • The firm requests upfront fees before any recovery action is taken or documented
  • Credentials, regulatory licenses, or court orders presented cannot be independently verified through official registries
  • The contact was initiated by the firm rather than through your own research and outreach
  • Payment for recovery services is requested in cryptocurrency, gift cards, or wire transfer rather than through a formal legal retainer
  • The firm cannot provide verifiable references from prior clients or documented case outcomes through public records
[OPSEC // HUMAN NODE DEFENSE]

THE FIVE RULES OF
OPERATIONAL SECURITY

Five non-negotiable cognitive protocols for any operator interacting with digital assets. These rules address the human attack surface — the primary vector exploited in the majority of active fraud operations.

01 // Enforce a Mental Time-Lock

Panic is the adversary's primary exploit. High-velocity urgency is a signature of a live attack: a genuine exchange, regulator, law firm, or counterparty does not present an emergency or an opportunity that expires within a ten-minute window of first contact. When urgency is forced, execute a hard operational pause.

02 // Mandate Out-of-Band Audits

Never trust incoming communication links, search engine ads, or direct messages. If an entity contacts you claiming to be an exchange, a regulatory body, or a legal firm, terminate the session immediately. Re-establish contact solely through an independently sourced, verified corporate registry or official domain.

03 // Reject Upfront Settlement Demands

No legitimate legal firm, sovereign law enforcement unit, or verified protocol contributor will ever demand upfront compliance deposits, access fees, or digital assets to "unlock" frozen capital or process an investigation. If you must pay money to get money, it is a secondary syndicate loop.

04 // Map the Capital Rationale

Riskless, asymmetric yield is a structural mathematical impossibility. Guaranteed high returns, insider alpha, and unverified private distributions do not exist. If a protocol or contact cannot explicitly map where the real economic yield is generated, you are the exit liquidity.

05 // Acknowledge Cryptographic Finality

Distributed ledgers operate with absolute indifference. A confirmed transaction has no recall mechanism. Treat every broadcast signature as an irreversible payload deployment: once the state change hits the ledger, it is gone. A centralized exchange or a stablecoin issuer can sometimes freeze funds at the account or token-contract level, but that is a policy decision by a third party, not a property of the chain, and it cannot be relied on.

[PREVENTION FRAMEWORK // ACTIVE PROTOCOL]

THE SECURE CUSTODY
STANDARDS

Four non-negotiable operational rules for global digital asset defense. These standards, applied consistently, neutralize the majority of active fraud vectors documented above.

[CS-01]

Cold Storage Wallet Isolation

Maintain a strict operational separation between hot wallets (connected to dApps and exchanges) and cold storage wallets (hardware devices held fully offline). Long-term asset holdings must never reside in wallets with active internet connectivity. Hardware wallet seed phrases must be recorded on physical media only — never photographed, typed, or stored in any digital format.

[CS-02]

Raw Hex Payload Inspection Before Signing

Before executing any cryptographic signature, decode and inspect the raw transaction payload: the target address, the 4-byte function selector, and the ABI-encoded arguments (spender, amount, operator flag). Verify the target contract address against the protocol's published, source-verified contract on a public blockchain explorer, not merely that the address exists. Confirm the function selector matches the stated action. Apply the same scrutiny to message-signing requests: an EIP-712 typed-data signature can authorize a permit allowance or an NFT listing without any on-chain transaction, so read every struct field rather than the wallet's one-line summary. Any discrepancy between the displayed UI action and the underlying data is a confirmed attack indicator; abort immediately.
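The decode-and-compare step in CS-02, and the approve/setApprovalForAll signatures that Vector 03 tells you to look for in simulation, as an added example that is not code from the page or from any wallet vendor: a small ABI decoder for the standard token functions plus an audit that compares the decoded call with the action the UI claimed. The selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the addresses, sample calldata, allowlists and "intent" strings are constructed for the demo. This block handles calldata only; off-chain permit and other EIP-712 signatures need the same comparison applied to the typed-data fields.

```python
"""Decode EVM calldata and compare it with the action the UI claims,
before the signature leaves the wallet.

Added example; not code from the page or any wallet vendor. The selectors
are the standard ERC-20 / ERC-721 / ERC-1155 ones; every address, the
sample calldata, the allowlists and the intent strings are constructed.
"""
from dataclasses import dataclass

# keccak256(signature)[:4] for the standard token functions.
SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "39509351": ("increaseAllowance", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}
APPROVAL_FUNCS = {"approve", "increaseAllowance", "setApprovalForAll"}
UINT256_MAX = 2**256 - 1


@dataclass
class Call:
    name: str      # decoded function name, or "unknown:0x<selector>"
    args: list


def _decode_word(word, typ):
    if typ == "address":
        return "0x" + word[-40:]          # address is right-aligned in the 32-byte word
    if typ == "bool":
        return int(word, 16) != 0
    return int(word, 16)


def decode_calldata(calldata):
    """Split the 4-byte selector from the 32-byte ABI words (static types only)."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 or (len(data) - 8) % 64:
        raise ValueError("malformed calldata")
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        return Call("unknown:0x" + selector, [])
    name, types = SELECTORS[selector]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if len(words) != len(types):
        raise ValueError(f"{name}: expected {len(types)} args, got {len(words)}")
    return Call(name, [_decode_word(w, t) for w, t in zip(words, types)])


def audit(calldata, to_contract, intent, trusted_spenders, verified_contracts):
    """Return findings. An empty list means the payload matches the stated
    intent, targets a verified contract and grants nothing broad.
    `intent` is the action the UI claims ("transfer", "claim", "mint", ...)."""
    lower = lambda xs: {x.lower() for x in xs}
    call = decode_calldata(calldata)
    findings = []
    if to_contract.lower() not in lower(verified_contracts):
        findings.append(f"target {to_contract} is not a verified contract")
    if call.name.startswith("unknown"):
        findings.append(f"unrecognized selector {call.name[8:]}: do not sign blind")
    elif call.name != intent:
        findings.append(f"UI says '{intent}' but calldata calls {call.name}")
    if call.name in APPROVAL_FUNCS:
        spender = call.args[0]
        if spender.lower() not in lower(trusted_spenders):
            findings.append(f"spender {spender} is not an allowlisted contract")
        if call.name == "setApprovalForAll" and call.args[1]:
            findings.append("grants operator rights over every token in the collection")
        if call.name != "setApprovalForAll" and call.args[1] >= 2**255:
            findings.append("allowance is effectively unlimited")
    return findings


# --- constructed samples --------------------------------------------------
def _word(v):
    """ABI-encode one static value as a 32-byte hex word (demo helper)."""
    return format(v, "064x") if isinstance(v, int) else v.lower().removeprefix("0x").rjust(64, "0")


TOKEN = "0x" + "1" * 40       # the ERC-20 the victim holds
NFT = "0x" + "2" * 40         # an ERC-721 collection the victim holds
ROUTER = "0x" + "3" * 40      # a spender the user has vetted
ATTACKER = "0x" + "b" * 40
# "Claim your airdrop" button that actually submits approve(attacker, 2**256-1)
ICE_PHISH = "0x095ea7b3" + _word(ATTACKER) + _word(UINT256_MAX)
# Honest transfer of 5 units of a 6-decimal token to the vetted contract
LEGIT_TRANSFER = "0xa9059cbb" + _word(ROUTER) + _word(5_000_000)
# "Free mint" that is really setApprovalForAll(attacker, true)
NFT_PHISH = "0xa22cb465" + _word(ATTACKER) + _word(1)

if __name__ == "__main__":
    for label, data, to, intent in [("airdrop claim", ICE_PHISH, TOKEN, "claim"),
                                    ("transfer", LEGIT_TRANSFER, TOKEN, "transfer"),
                                    ("free mint", NFT_PHISH, NFT, "mint")]:
        print(label, decode_calldata(data), audit(data, to, intent, [ROUTER], [TOKEN, NFT]))
```

On the ice-phishing sample the audit returns three findings (intent mismatch, spender not allowlisted, unlimited allowance); the honest transfer returns none. A wallet that only shows "Approve TOKEN" with no spender or amount is hiding exactly the two fields this check depends on.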

[CS-03]

Out-of-Band Destination Address Verification

Never rely solely on an in-app or in-browser address display to verify a transaction destination. Before executing any significant transfer, verify the destination wallet address through a separate, independent communication channel — a direct phone call, a previously established encrypted messaging thread, or a verified public record. Compare the full address string, not only the first and last characters, and for a new destination send a small test amount and confirm receipt through the same independent channel before the main transfer. Address poisoning depends on the victim copying from history; a destination taken from an out-of-band verified address book makes the poisoned entry irrelevant.

[CS-04]

Treat All Unsolicited Contact as Active Reconnaissance

Any unsolicited digital contact — regardless of platform, apparent identity, or stated purpose — must be treated as a potential social engineering reconnaissance operation until independently verified. This applies to investment opportunities, job offers, recovery services, and romantic contacts alike. The burden of proof for legitimacy rests entirely with the initiating party, not the recipient.

[ALREADY AFFECTED?]

If you have been targeted by any of these fraud vectors, submit your case now.

Our forensic team will conduct an immediate triage assessment at zero cost.
