
Crypto Phishing Attacks: The 2026 Taxonomy of How People Actually Get Drained

BloFin Academy, 06/03/2026

Crypto phishing is any attack that tricks you into authorizing a transfer of funds or credentials yourself, by clicking a malicious link, signing a malicious transaction, approving a token contract, or sharing a seed phrase. The 2026 mix has five distinct attack categories, and three day-to-day habits beat almost all of them.

What you'll learn

  • The 2026 phishing taxonomy with current loss data

  • How signature phishing works and why it is the biggest 2026 vector

  • How fake support and impersonation attacks work

  • How lookalike domains and fake websites work

  • What zero-value transfer scams are, and why they are everywhere

  • How AI changes the phishing game in 2026

  • The three habits that beat most phishing attempts


What is a crypto phishing attack, and what is different in 2026?

A crypto phishing attack is any attack where the attacker tricks you into doing something that hands over funds or credentials. The "doing" might be clicking a link, signing a transaction, approving a token contract, or sharing a seed phrase. 2026 is different because the mix of attacks shifted. Signature phishing losses jumped 207% in January alone, with 4,741 victims and $6.27 million stolen in that month (source: Scam Sniffer monthly tracker). AI-generated lookalike sites scaled the impersonation problem. Zero-value transfer scams added a new vector that was rare before. Phishing drained roughly $311 million from crypto users in January 2026 alone, the highest monthly total in 11 months (source: Invezz coverage of CertiK January 2026 report).

The 2026 mix has five major categories. Signature phishing is the biggest line item by dollar volume. Credential phishing is the classic "fake login page" pattern. It continues at scale. Impersonation phishing covers fake support, fake KOLs, and fake admin DMs. It is the most common attack a beginner will see. Lookalike-domain attacks use homoglyph URLs and sponsored search slots. They feed all the other categories. Transfer-based attacks cover zero-value transfers and address poisoning at scale. These are the newest vector and are growing fast.

The defense did not change as much as the attacks. The habits that beat phishing in 2020 still beat phishing in 2026. Type URLs yourself. Check the URL bar before signing. Treat uninvited contact as suspicious by default. The reason this guide covers the attacks first and the defense last is that knowing the shape of the attack is what makes the defense feel obvious instead of paranoid.

2026 phishing taxonomy at a glance

| Category | What it does | Why it works in 2026 | Where it lands |
|---|---|---|---|
| Signature phishing | Tricks you into signing a transaction or approval that drains your wallet | Wallet drainer kits are commodity tools; approval scams scale on their own | Biggest dollar losses, fastest compromise to drain |
| Credential phishing | Harvests email + password + 2FA via fake login pages | Exchange logins still gate large balances; SMS 2FA still common | Account takeover, then drain |
| Impersonation phishing | Fake support, fake KOLs, fake admin DMs walk you through steps that hand over access | Telegram and Discord scale uninvited contact; AI made the polish better | Most common attack a beginner sees |
| Lookalike-domain | Homoglyph URLs, sponsored search slots route you to a fake site | Google Ads accepts paid placement above real results; browsers show only mixed-script homoglyph domains as punycode, and nothing flags letter swaps or added words | Feeds the other categories |
| Transfer-based | Zero-value transfers and dust transactions plant lookalike addresses in your history | EVM addresses are 40 hex characters that wallets truncate to a prefix and suffix, so lookalike generation is cheap | Newer 2026 vector, growing fast |

For the foundation security setups this guide assumes you understand, see two-factor authentication for crypto and how to set up a hardware wallet.


How does signature phishing actually work, and why is it the biggest 2026 vector?

Signature phishing tricks you into signing a transaction that does something other than what you think it does. The most common form is the approval scam. A malicious site asks you to "approve" a token or NFT for staking, claiming a free airdrop, or accessing a feature. The approval is actually permission for the attacker's contract to move that asset whenever it wants. Wallet drainers are the automated version. They scan for wallets that have granted approvals and drain them, sometimes weeks after the original signing.

The mechanism uses how token approvals work on EVM chains. An ERC-20 approval grants a specific contract permission to transfer some amount of your tokens on your behalf (source: Ethereum.org ERC-20 standard). Legitimate uses include DEX swaps and lending protocols. A malicious approval looks the same in the wallet popup; the difference is the spender (an attacker-controlled contract) and the amount (typically the maximum uint256 value, which wallets render as "unlimited"). Once granted, the attacker can pull your full balance of that token at any time. Most wallets now display the spending cap, but the site pre-fills it with the maximum and the popup shows the spender only as a raw address, so a beginner clicks "Approve" without registering that the amount is unlimited and the counterparty is unknown. The NFT equivalent is setApprovalForAll, which hands over an entire collection in one signature. Some drainer kits also use gasless Permit-style signatures (EIP-2612, Permit2) that grant the same allowance from a signed message without any on-chain transaction from you, so the signing window shows a typed-data message rather than a transaction.

Wallet drainer kits are now commodity tools sold in scam-as-a-service marketplaces, with operators like Inferno, Angel, and Pink taking a 20-30% cut of stolen funds in exchange for hosting the infrastructure (source: Group-IB analysis of the Inferno Drainer ecosystem). The kit handles the fake site, the approval prompts, the post-signing drain, and the laundering. The buyer just needs traffic. They get traffic from sponsored search results, fake giveaway tweets, fake airdrop posts, and impersonation DMs. The economics are why signature phishing scaled in 2025-2026. The infrastructure is cheap. The payouts per successful approval are high.

Approval-scam walk-through

  1. You click a link promising a free airdrop, NFT mint, or staking reward

  2. The fake site loads and asks you to "connect wallet" to claim the reward

  3. You connect. The site then prompts you to sign or approve a transaction "to receive the airdrop"

  4. The signature is actually an ERC-20 approval granting unlimited transfer permission to the attacker's contract

  5. The drain happens immediately or later, sometimes weeks after, when an automated bot sweeps the approval

The defense is two-fold. First, never sign or approve on a site you reached through a link. Type the URL yourself or use a bookmark you saved when you knew the URL was real. When the popup appears, read the spender address and the amount; a claim or mint has no reason to ask for an unlimited allowance on a token you already hold. Second, audit your active approvals on Revoke.cash periodically and revoke anything you do not recognize. Revoking costs a small amount of gas and does not recover tokens already moved, which is why the read-before-signing step comes first. For the broader wallet hardening that complements approval discipline, see hardware wallet guide.
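The approval check in code, as an added example (not BloFin's or any wallet's code): it decodes the calldata a drainer site asks you to sign, flags an unlimited allowance to a spender you do not recognize, and builds the approve(spender, 0) call that a revoke submits on your behalf. The selectors are the standard first-four-bytes-of-keccak256 values for these ERC-20/ERC-721 functions; the spender addresses, the trusted-spender set and the sample calldata are constructed for the demonstration. Permit-style signatures (EIP-2612, Permit2) are typed messages rather than calldata, so this check does not see them; those need the same scrutiny in the wallet's signature view.

```python
"""Pre-signature inspection of EVM calldata: decode the calls that grant a
third party spending rights over your tokens, flag unlimited approvals to
unknown spenders, and build the revoke transaction. Added example, not
BloFin's or any wallet's code. Selectors are the standard ones for these
ERC-20/ERC-721 functions; spender addresses and sample calldata are
constructed. Permit-style signatures (EIP-2612, Permit2) are typed messages,
not calldata, and are out of scope here."""
from typing import Optional

MAX_UINT256 = 2**256 - 1

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 and ERC-721 approve
    "39509351": "increaseAllowance(address,uint256)",  # OpenZeppelin ERC-20 extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155 operator grant
}


def _word(data: bytes, index: int) -> bytes:
    """The index-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata too short for ABI word %d" % index)
    return word


def _abi_address(addr: str) -> bytes:
    """Left-pad a 20-byte address to a 32-byte ABI word."""
    raw = bytes.fromhex(addr.lower().removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("not a 20-byte address: %r" % addr)
    return raw.rjust(32, b"\x00")


def decode_approval(calldata_hex: str) -> Optional[dict]:
    """Decode approve / increaseAllowance / setApprovalForAll; None otherwise."""
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    signature = SELECTORS.get(data[:4].hex())
    if signature is None:
        return None
    spender = "0x" + _word(data, 0)[12:].hex()   # address is the low 20 bytes of the word
    value = int.from_bytes(_word(data, 1), "big")
    if signature.startswith("setApprovalForAll"):
        return {"function": signature, "spender": spender, "approved_all": value == 1}
    return {"function": signature, "spender": spender,
            "amount": value, "unlimited": value == MAX_UINT256}


def assess(calldata_hex: str, trusted_spenders) -> str:
    """Turn the decoded call into the verdict a user should read before signing."""
    d = decode_approval(calldata_hex)
    if d is None:
        return "not an approval"
    if d["spender"] in {s.lower() for s in trusted_spenders}:
        return "approval to a spender you recognize"
    if d.get("unlimited") or d.get("approved_all"):
        return "DANGER: unlimited approval to an unknown spender"
    return "approval to an unknown spender (limited amount)"


def encode_approve(spender: str, amount: int) -> str:
    """approve(spender, amount) calldata; amount=0 is the ERC-20 revoke."""
    return "0x095ea7b3" + _abi_address(spender).hex() + amount.to_bytes(32, "big").hex()


def encode_revoke_all(operator: str) -> str:
    """setApprovalForAll(operator, false): revoke an NFT collection operator."""
    return "0xa22cb465" + _abi_address(operator).hex() + (0).to_bytes(32, "big").hex()


# Constructed addresses: a drainer contract and a router you have used before.
DRAINER = "0x" + "d0" * 20
ROUTER_YOU_TRUST = "0x" + "ab" * 20

# What a fake airdrop site asks you to sign, and what a normal swap asks for.
SAMPLE_UNLIMITED = encode_approve(DRAINER, MAX_UINT256)
SAMPLE_LIMITED = encode_approve(ROUTER_YOU_TRUST, 1_000 * 10**6)   # 1,000 USDC (6 decimals)

if __name__ == "__main__":
    for label, cd in (("airdrop claim", SAMPLE_UNLIMITED), ("swap", SAMPLE_LIMITED)):
        print(label, "->", decode_approval(cd), "->", assess(cd, {ROUTER_YOU_TRUST}))
    print("revoke calldata:", encode_approve(DRAINER, 0))
```

The verdict hinges on two facts the popup does show but does not emphasize: the spender is not one you have dealt with, and the amount equals 2^256 - 1. A wallet extension can apply exactly this rule; a user can apply it by eye.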


How do fake support and impersonation attacks work?

Attackers create accounts impersonating exchange support, wallet support, or known crypto figures. They use Telegram, Discord, X (formerly Twitter), and email. They contact you first, usually right after you posted about a problem in a public channel. They walk you through "verifying" your account. What that really means is handing over the seed phrase or signing a transaction. No real support from Blofin, Coinbase, Ledger, Trezor, or any trusted wallet contacts users first. Any uninvited DM from "support" is a scam.

From Blofin's support inbox, the single most common phishing pattern is the user who got a DM from a "Blofin support" account on Telegram or Discord and was walked through "verifying" their account by sharing the seed phrase or signing a transaction. The pattern is so consistent we have a standing rule for new staff: Blofin support never contacts users first. Any DM that opens with "Hi, this is Blofin support" is a scam regardless of how legitimate the account looks.

Impersonation has expanded beyond support accounts. Fake KOL accounts copy a known figure's bio, avatar, and recent tweets. They then DM users with "investment chances" or "private channels." Fake admin accounts on Discord servers DM users with "your account is at risk, click here." AI deepfake videos of CEOs appear in fake livestreams promoting fake giveaways. The common thread is that real parties do not start contact through DMs about your account or money.

Impersonation red-flag checklist

  • The contact came first, before you reached out. Uninvited DM, email, call, or letter

  • The account looks slightly off. Username has an extra character, avatar is a recent copy, bio mentions help/support

  • The message creates urgency. Your account will be closed, your funds are at risk, the offer expires soon

  • The fix requires you to share a seed phrase, a private key, an authenticator code, or sign a transaction

  • The check path goes through a link rather than the platform's official URL typed directly

The defense rule is simple. Verify through a separate trusted channel. If a DM claims to be from Blofin, open blofin.com in a new tab yourself. Use the official support chat. If a call claims to be from a wallet maker, hang up. Call back through the official number on their site. The attacker controls one channel. They cannot control all of them. For the broader day-to-day discipline that pairs with this, see mobile wallet safety tips and physical security for crypto.


How do lookalike domains and fake websites work?

Attackers register domains that look like the real exchange or wallet site. Letter swaps. Different top-level domains. Homoglyph attacks using characters from other alphabets that look the same. They buy sponsored search slots above the real site in Google search results. The fake site looks identical. You log in. You sign. Funds drain. The defense is to type the URL yourself, use a bookmark, or use a wallet's built-in browser that only connects to verified domains.

Common lookalike patterns include letter swaps, different TLDs, added words, and homoglyph substitution. Letter swap: a character replaced by one that reads the same at a glance, such as lowercase L for i ("blofln" for "blofin") or "rn" for "m". TLD swap: .co or .net instead of .com. Added words: "blofin-login.com" instead of "blofin.com". Homoglyph: the URL uses Cyrillic or other Unicode characters that look like Latin letters. Major browsers render mixed-script domains of this kind in punycode (an "xn--" label) in the address bar, which is a tell, but single-script confusables and plain letter swaps are shown as typed. Behind any of these, the domain is registered by the attacker. TLS certificates are free and issued automatically to whoever controls a domain, so the padlock only means the connection is encrypted, not that the site is who it claims to be.

Sponsored search slots are the bigger 2026 issue. Google Ads accepts paid placement above organic results. Attackers buy ads for the brand name of the real site. The ad shows the lookalike URL. Or it shows the real URL as display text while linking to the lookalike. Users who type "Blofin login" into Google click the first result. The first result is sometimes the ad, not the real site. Browser-extension tools like Scam Sniffer, Blockaid, and Wallet Guard flag known phishing domains in real time. They are imperfect but useful as a backstop.

Lookalike-domain examples (illustrative patterns, not real attacks)

| Type | Real domain | Lookalike trick |
|---|---|---|
| Letter swap | blofin.com | blofln.com (lowercase L instead of i) |
| TLD swap | binance.com | binance.co |
| Added word | coinbase.com | coinbase-login.com |
| Homoglyph | ledger.com | lеdger.com (Cyrillic "е" instead of Latin "e") |
| Hyphen insertion | trezor.io | tre-zor.io |
| Subdomain trick | metamask.io | metamask.io.secure-login.net (the registered domain is secure-login.net) |

The defense rule is short. Type URLs yourself, or use a bookmark saved when you knew the URL was real. Do not click through search results for login pages. Do not click links in email or DM that lead to login pages. If you must follow a link, paste it into the URL bar and inspect it character by character before pressing enter. For the related check ritual on wallet software, see how to verify your wallet software.
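The character-by-character check as code, covering every row of the table above (added example, not BloFin's or any browser extension's code): it converts non-ASCII labels to the xn-- punycode a browser would show, lists the Unicode scripts present in the host, reduces the host to a visual "skeleton" so that blofln, rn-for-m and Cyrillic е collapse onto their Latin targets, and compares the result against a trusted list standing in for your bookmarks. The trusted domains are the ones from the table. Registrable-domain extraction here is the naive last-two-labels rule with no public-suffix list, an assumption that mis-handles country TLDs such as .co.uk.

```python
"""Lookalike-domain inspection: the checks a wallet-guard extension (or a
careful reader of the address bar) makes on a URL before logging in or
signing. Added example, not BloFin's or any extension's code. The trusted
list is a stand-in for your own bookmarks; registrable-domain extraction is
naive (last two labels, no public-suffix list) and is an assumption."""
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"blofin.com", "binance.com", "coinbase.com",
           "ledger.com", "trezor.io", "metamask.io"}

# Characters that render like a Latin letter: Cyrillic/Greek homoglyphs plus
# the digit and letter-shape swaps seen in lookalike registrations.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                                 # Greek
    "0": "o", "1": "l", "i": "l",                                                # shape swaps
}


def skeleton(host: str) -> str:
    """Collapse a hostname to the shape the eye perceives, so that two hosts
    with the same skeleton are visually interchangeable."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())
    for pair, single in (("rn", "m"), ("vv", "w")):   # two-glyph imitations
        s = s.replace(pair, single)
    return s.replace("-", "")                          # "tre-zor" reads as "trezor"


def punycode_host(host: str) -> str:
    """What a browser shows for an IDN label it refuses to render natively."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_used(host: str) -> set:
    """Unicode scripts present among the letters, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def check_url(url: str, trusted=TRUSTED) -> dict:
    """Classify the host of a URL relative to a set of domains you trust."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    registrable = ".".join(host.split(".")[-2:])      # assumption: no public-suffix handling
    report = {
        "host": host,
        "registrable": registrable,
        "punycode": punycode_host(host),
        "scripts": sorted(scripts_used(host)),
        "verdict": "untrusted",
        "matches": None,
    }
    if registrable in trusted:
        report["verdict"] = "trusted"
        return report
    by_skeleton = {skeleton(t): t for t in trusted}
    if skeleton(registrable) in by_skeleton:           # whole domain imitates a trusted one
        report["verdict"] = "lookalike"
        report["matches"] = by_skeleton[skeleton(registrable)]
        return report
    host_skel = skeleton(host)
    for t in trusted:                                  # brand name buried in another domain
        brand = skeleton(t.split(".")[0])
        if brand in host_skel:
            report["verdict"] = "brand_in_untrusted_domain"
            report["matches"] = t
            return report
    return report


if __name__ == "__main__":
    for u in ("https://www.blofin.com/login", "https://blofln.com", "https://l\u0435dger.com",
              "https://metamask.io.secure-login.net", "https://tre-zor.io", "https://binance.co"):
        r = check_url(u)
        print(r["host"], "->", r["verdict"], r["matches"] or "", r["scripts"])
```

Only "trusted" is a green light. A "lookalike" or "brand_in_untrusted_domain" verdict is the signal to close the tab and type the bookmarked URL; "untrusted" just means the site is not on your list, which for a login page is reason enough to stop.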


What are zero-value transfer scams, and why are they showing up everywhere?

A zero-value transfer is a transaction that moves $0 of a token but leaves an entry in your wallet history involving an address built to look like one you have used before. The attacker bets that the next time you send funds, you will copy "the address you used last time" from your history and pick the lookalike. The funds then go to the attacker. The Carnegie Mellon CyLab study cited below counted over 141 million such transfers on BSC alone. The defense is to never copy receiving addresses from transaction history.

The mechanism builds on the EVM address format. Ethereum and BNB Smart Chain addresses are 20 bytes, written as 40 hex characters, and wallets and explorers truncate them to the first and last few characters. Attackers use cheap GPU compute to grind out addresses whose visible prefix and suffix match an address you recently paid. Then they plant an entry. The dust variant sends a tiny amount from the lookalike to you. The zero-value variant is subtler: on many ERC-20 tokens, transferFrom(you, lookalike, 0) can be called by anyone, because an allowance check against zero always passes, so the token emits a Transfer event from your address to the lookalike and your history shows an outgoing send of 0 that you never made. Either way, your history now holds two entries that look almost the same at a glance. The next time you want to send to "that address you used before," you copy from history. You copy the lookalike instead, and the funds go to the attacker. A 2026 Carnegie Mellon CyLab study catalogued roughly 270 million poisoning attempts across blockchains, with BSC alone hosting over 141 million zero-value transfers due to its low fees (source: CMU CyLab blockchain address poisoning study).

The attack got cheaper in 2026. On Ethereum's rollups, the December 2025 Fusaka upgrade dropped Layer-2 transaction fees by roughly 40-60% in the first month of activation as PeerDAS and expanded blob throughput took effect (source: Ethereum Foundation Fusaka mainnet announcement); on BSC, base fees were already low enough that the volume predates it. The economics changed the same way in both places: sending a dust or zero-value transaction now costs a fraction of what it did, and one successful poisoning pays for a very large number of attempts. Attackers run bots that monitor the mempool for outgoing transactions. The bots identify the recipient address, generate a lookalike, and plant a poisoning transaction within seconds. Scam Sniffer and similar tools flag known-bad patterns, but the attack scales faster than blacklisting.

The defense is the same as the one for address-poisoning generally. Never copy a receiving address from transaction history. Always get the address fresh from the recipient. Verify the full address character by character on your wallet's display or hardware wallet's screen before confirming. For the broader send-discipline that covers this and other transaction-time traps, see how to send and receive crypto.
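The history scan and the send discipline from the last three paragraphs as an added example (not BloFin's or any wallet's code): it flags zero-value and dust entries, spots counterparties that collide with an address-book contact on the characters a truncated display shows, and resolves the recipient from the address book only, never from history. The history, address book and addresses are constructed; expected_tries makes the cost argument concrete (matching 4 leading and 4 trailing hex characters means about 4.3 billion candidate keys on average).

```python
"""Address-poisoning checks over a wallet's transaction history: flag the
zero-value and dust entries described above, spot counterparties that share a
visible prefix/suffix with a known contact, and resolve recipients from an
address book rather than from history. Added example, not BloFin's or any
wallet's code. The history, address book and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List

DUST_THRESHOLD = 10  # token base units; an assumption, tune per token


@dataclass(frozen=True)
class Transfer:
    tx_hash: str          # constructed identifiers, not real transactions
    direction: str        # "out" = shows as sent by you, "in" = received
    counterparty: str     # the other address on the transfer
    amount: int           # token base units (USDC has 6 decimals)
    token: str


def _hex(addr: str) -> str:
    """Normalize an EVM address to 40 lowercase hex chars without 0x."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a 20-byte hex address: %r" % addr)
    return h


def is_lookalike(candidate: str, known: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate differs from known but matches on the characters a
    truncated display ("0x4f3a...8f90") would show."""
    a, b = _hex(candidate), _hex(known)
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def expected_tries(prefix: int = 4, suffix: int = 4) -> int:
    """Keys an attacker must generate, on average, to match prefix+suffix hex
    chars of a target: 16 ** (prefix + suffix). For 4+4 that is ~4.3 billion,
    feasible on commodity GPUs; checking the full 40 characters is not."""
    return 16 ** (prefix + suffix)


def poisoning_alerts(history: List[Transfer], address_book: Dict[str, str]) -> List[dict]:
    """Scan history and return one alert per suspicious entry."""
    alerts = []
    for t in history:
        reasons = []
        if t.amount == 0:
            # Zero-value transferFrom(you, lookalike, 0): anyone can plant this.
            reasons.append("zero-value transfer")
        elif t.direction == "in" and t.amount <= DUST_THRESHOLD:
            reasons.append("dust deposit")
        for label, addr in address_book.items():
            if is_lookalike(t.counterparty, addr):
                reasons.append("lookalike of '%s'" % label)
        if reasons:
            alerts.append({"tx": t.tx_hash, "counterparty": t.counterparty, "reasons": reasons})
    return alerts


def resolve_recipient(label: str, address_book: Dict[str, str]) -> str:
    """The only safe source of a send address is a record you verified out of
    band; history is never consulted."""
    return address_book[label]


# Constructed data: a real deposit address, a ground lookalike sharing its
# visible ends, and an unrelated contact.
EXCHANGE_DEPOSIT = "0x4f3a9b2c1d5e6f7a8b9c0d1e2f3a4b5c6d7e8f90"
POISON = "0x4f3a7e1c44d02b9ab3f5c6e8d1a2b3c4d5e68f90"   # same 0x4f3a...8f90 ends
FRIEND = "0x9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b"

ADDRESS_BOOK = {"exchange deposit": EXCHANGE_DEPOSIT, "friend": FRIEND}
HISTORY = [
    Transfer("tx-1", "out", EXCHANGE_DEPOSIT, 250_000_000, "USDC"),  # your real deposit
    Transfer("tx-2", "out", POISON, 0, "USDC"),                     # forged zero-value transferFrom
    Transfer("tx-3", "in", POISON, 1, "USDC"),                      # dust from the lookalike
    Transfer("tx-4", "in", FRIEND, 5_000_000, "USDC"),
]

if __name__ == "__main__":
    for a in poisoning_alerts(HISTORY, ADDRESS_BOOK):
        print(a)
    print("send to:", resolve_recipient("exchange deposit", ADDRESS_BOOK))
```

The two flagged entries are exactly the ones a user would copy by mistake: tx-2 looks like a send you made to the exchange, tx-3 looks like the exchange paying you. Neither address is in the address book, and the address book is the only place resolve_recipient looks.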


How does AI change the phishing game in 2026?

AI tools made phishing faster, cheaper, and more convincing. AI-generated lookalike websites take minutes instead of days to produce. AI-cloned voices impersonate exchange support on live calls, sometimes using audio of the real support team scraped from public webinars. AI deepfake videos impersonate CEOs and celebrities promoting fake investments on social media livestreams. The defense did not change. Verify through a separate trusted channel. Never act under time pressure. Treat uninvited contact as suspicious. AI made the attacks more polished. It did not make them undetectable.

Three AI vectors matter most in 2026. AI-crafted phishing sites clone the real site's HTML, CSS, and even minor details like favicons and meta tags in minutes. The attacker just swaps the form submission URL. The site looks the same. Voice cloning can produce a convincing fake from as little as a few seconds of training audio, and a Consumer Reports assessment found most consumer voice-clone products ship without meaningful anti-fraud safeguards (source: Consumer Reports AI voice cloning assessment). Attackers call users posing as exchange support or family members. Video deepfakes of CEOs appear in fake livestreams promoting "limited-time" giveaways or recovery schemes. The viewer sees the CEO's face and voice. The promotion is fake.

The detection trick that still works is channel check. AI can fake the surface. The site, the voice, the video. It cannot fake control of a separate channel you choose. If "exchange support" calls you, hang up. Call back through the official number on the site. If a CEO is "live" promoting a giveaway, check the company's official social account directly. Type the URL yourself, not the link in the video. The channel defense bypasses the surface defense. That is exactly what AI made harder.

AI phishing red-flag patterns

| Vector | Surface that AI fakes well | What AI cannot fake |
|---|---|---|
| Site clone | HTML, CSS, copy, logo, layout | The actual domain in the URL bar |
| Voice clone | The person's voice, accent, cadence | The number you would call them back on |
| Video deepfake | Face and lip-sync of a known figure | The official social account's posts at the same time |
| Generated text | Polished grammar, brand tone, urgency framing | The fact that real parties do not contact you first |

The broader pattern of unsolicited-contact discipline applies the same way, whether the incoming channel is a DM, a phone call, or a physical letter.


How do you spot a phishing attempt before you click or sign?

Three habits. Type URLs yourself, never click from a chat or email. Check the URL bar character by character before logging in or signing. Treat any uninvited contact (DM, email, call, letter) as suspicious by default. Most users who avoid phishing do so through a handful of daily habits like these, not through advanced tooling.

The pattern we see in users who never end up in a phishing ticket is not technical sophistication. It is day-to-day discipline. They type wallet URLs directly. They check the URL bar before signing anything. They ignore DMs that arrive uninvited. They wait an hour before reacting to anything that feels urgent. The discipline is repeatable. The technical bar is much lower than the marketing for security tools implies.

Phishing-spotting habit checklist

| Habit | What to do | Why it works |
|---|---|---|
| Type URLs yourself | Open a new tab. Type the URL. Use bookmarks for sites you visit often | Most phishing starts with a click on a link the user did not type |
| Check the URL bar before signing | Read the full domain character by character. Look for letter swaps and homoglyphs | Catches lookalike domains that the eye glides over |
| Treat uninvited contact as suspicious | Assume DMs, emails, calls, and letters from "support" are scams until proven otherwise | Legitimate parties do not contact you first about money or accounts |
| Wait an hour before acting on urgency | Urgent messages are designed to bypass deliberation. Waiting strips that pressure | Almost no legitimate situation requires action within 60 minutes |
| Verify through a separate trusted channel | If "X" contacts you, reach X back through their own published channel | AI can fake one channel; it cannot fake your control of channel selection |
| Use authenticator-app 2FA, not SMS | Switch every account that supports it from SMS to Google Authenticator, Authy, or hardware-based 2FA | SIM swap attacks bypass SMS but not authenticator apps |
| Audit token approvals quarterly | Visit Revoke.cash, connect read-only, review the active approvals, revoke anything you do not recognize | Approval scams pay out months after the original signing |

The last habit, the revoke audit, is the one most users skip. Approvals you granted to real dApps a year ago are still active. If any of those dApps was compromised since, the approval is now a liability. Quarterly revoke audits are cheap insurance. For the recovery path if you suspect you have been phished, see how to recover a crypto wallet.


Frequently asked questions

How much money is actually lost to crypto phishing in 2026?

$311 million in January 2026 alone, per CertiK. Signature phishing losses jumped 207% compared to December 2025, per Scam Sniffer. Annual losses are tracking toward several billion dollars across all phishing categories. The numbers are concentrated in a few high-value drains rather than many small ones, but the small drains are far more common. The median victim loss is in the hundreds to low thousands of dollars; the tail goes into millions per incident.

Are hardware wallets safe from phishing?

Mostly, but not completely. Hardware wallets protect against credential phishing because the private key never leaves the device, so a fake site cannot harvest it. They do not protect against signature phishing, because the device signs whatever you confirm on it: an unlimited approval, a setApprovalForAll, or a Permit message you approve on the device is exactly as valid as a legitimate one. The defense is reading what the hardware wallet shows on its own screen (the contract, the spender, the amount) before pressing confirm, and refusing to "blind sign" data the device cannot decode. The full discipline is covered in the hardware wallet setup guide referenced earlier in this article.

What should I do if I think I clicked a phishing link?

Move funds first. From a clean device, send everything to a fresh wallet you created on that device. If you only signed an approval, revoke it on Revoke.cash once the affected tokens are out; revoking needs gas and does not recover anything already taken, so it comes after moving funds. If you shared the seed phrase or a private key, the wallet is permanently compromised: move what you can and never use it again, since sweeper bots typically drain anything sent to a leaked wallet within seconds. Change passwords on any accounts touched. Run an antivirus scan. Open a support ticket through the official URL of the affected service, typed directly, not from a search result. If significant funds were lost, file with the FBI Internet Crime Complaint Center (US) or your jurisdiction's equivalent for the record (source: FBI IC3). The full step-by-step reporting workflow is covered in Blofin's guide to crypto scam recovery and reporting.

How is signature phishing different from regular phishing?

Regular phishing harvests credentials (email + password + sometimes 2FA code). The attacker uses those to log into your account later. Signature phishing harvests a signature. The attacker gets you to sign a transaction on your real wallet, and that signature lets them move your funds directly. No login required because the signature already authorized the transfer. Signature phishing is faster from compromise to drain.

Does using a VPN protect against phishing?

No. VPNs protect against network-level surveillance and some IP-based attacks. Phishing happens at the user layer: you click, you sign, you authorize. A VPN does not change any of that. The defenses against phishing are URL discipline, reading the hardware wallet screen before confirming, authenticator-app 2FA, and skepticism toward uninvited contact.

Can I report a phishing site and get it taken down?

Yes, sometimes. PhishDestroy maintains a community blocklist with over 130,000 confirmed phishing and wallet-drainer domains, available as a public feed and submission bot (source: PhishDestroy DestroyList on GitHub). Browser-extension tools like Scam Sniffer, Blockaid, and Wallet Guard flag known phishing sites in real time. Reporting goes through Google Safe Browsing, the domain registrar, and the hosting provider. Takedowns can take hours to weeks. Reporting helps the broader community even if you were not directly hit.

What is the single most important habit to avoid phishing?

Type URLs yourself. Almost every phishing attack starts with the user clicking a link they did not type. The link goes to a lookalike domain or a malicious dApp. If you type the URL yourself, or use a bookmark you saved when you knew the URL was real, the link never reaches you. The next most important habit is reading what your wallet displays before signing. Together those two habits prevent the majority of avoidable losses.

 


Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include CertiK's January 2026 crypto crime tracking, Scam Sniffer's monthly signature phishing data, the Carnegie Mellon CyLab address poisoning study, the Ethereum Foundation Fusaka mainnet announcement, the PhishDestroy community blocklist, and Group-IB's wallet drainer ecosystem research. All facts independently checked against cited sources current as of May 2026.

 

This article is educational and does not constitute financial, legal, or security-consulting advice. The phishing threat landscape changes constantly; specific attack patterns and statistics reflect early-2026 data. Defenses described here are general day-to-day discipline, not a guarantee against every attack. Blofin does not contact users first about account issues. Any uninvited message claiming to be from Blofin support is a scam. Use the official support channel through the typed-in Blofin URL only.