How to identify and avoid crypto scams
If you have examples of scams or additional resources, please contact us on Twitter.
Consider donating to Airdrop Cartel on Xumm to help support our free service.
Part 1: Do your due diligence
Before you invest in ANYTHING you should research the project.
Here is the bare minimum on what to do:
✅ It’s ok to ask where a detailed whitepaper is. Projects should have a detailed description of what they intend on doing and what the future looks like. This is illustrated in a roadmap and detailed in a whitepaper.
✅ It’s ok to ask for more information about the project and what their intentions are. If there are gaps or more things you need to know: ASK THE PROJECT TEAM.
✅ It’s ok to confirm details about the project with the project team. THEY SHOULD RESPOND and provide you with a thorough explanation.
✅ It’s ok to request board member profiles and doxxed information about the project team. If you are going to give your money to them, you should know something about them and where they come from.
✅ It’s ok to question their project plans and what their intentions for the future are. If something doesn’t sound right, it’s possible the project doesn’t align with your values or investment plans.
Overall, you should feel 100% confident before investing.
If you aren’t 100% confident, reconsider your investment.
Part 2: Identifying potential future rugs
It’s not always easy to tell which projects are legit and which are going to dump and run.
We’ve listed some signs that project owners are intending on doing something nefarious.
These include:
🚩 SPELLING: The inability to correctly spell and punctuate their digital content shows either a lack of effort or a lack of care. If they can’t be bothered to spellcheck why would they be bothered to make you rich?
🚩 IMAGERY: They use a lack of original imagery on social accounts and their website or worse, they have stolen imagery from another project or imagebank. If you’re not sure, do a google reverse image search and post your results. A real project will have their own graphic design.
🚩 DUTY OF CARE: A rushed looking website, crappy whitepaper or low effort Twitter content shows they don’t care enough about their project to maintain it. So they don’t care about investors.
🚩 WHITEPAPERS: A whitepaper that sounds vague and doesn’t explicitly state their intentions is a big red flag. This document is the magna carta of the project and should be something the project team is proud of. If it sucks the project will suck too. Having NO whitepaper or having a half cooked shitty whitepaper is a red flag. If the whitepaper is ‘currently being written’ ask for the delivery date. Ask for an update. Ask for proof.
🚩 PRESALES: They tweet constantly about presale opportunities without any real detail as to why you should invest. The project my be hoping for their token price to rise, then they may sell, dump and run leaving investors holding worthless tokens. Do not get FOMO because of the perceived pressure they are pushing. It’s all designed to get you to invest and they will run away with your money.
🚩ROADMAPS: It takes a graphic designer about 10 minutes to create a roadmap image. A roadmap can be written by anyone, so a project should have evidence regarding the areas it claims they are working on. You can ASK PROJECT OWNERS for this evidence.
🚩 DETAILS: Their social accounts and website should include as much detail as possible. If they cared about their project they would want to tell people about it. A lack of care is a huge red flag. It should be EASY to immediately find out what the project is about, what their social channels are and who is involved.
🚩 GIVEAWAYS: They are posting dozens of tweets asking people to LIKE/FAV/RETWEET/TAG FRIENDS to win XRP. These are designed to give them wider awareness to lay a rug trap. If nobody wins, the scammers win. Look at the competition mechanic, is it reasonable? Is it repetitive? Do they post the same shit over and over and over? Has anyone actually won the previous giveaways? If it seems weird, it’s bullshit.
🚩AFFILIATION: If a project is piggybacking on an existing company or brand by naming their token after it and using copyrighted imagery ask them to confirm whether or not they are officially affiliated or have permission to represent. If they cannot prove a legal affiliation then they are stealing copyrighted imagery and may be illegally using an unapproved likeness.
🚩UTILITY: What is the point of their project? What is their token used for? Does it have real world application or is it another meme coin or garbage dump? A project should be looking to create longevity in their work and appreciation in value for their token. If it doesn’t, why are you investing in it?
🚩TOKEN POOLS: There appears to be a large amount of token proportions reserved in specific wallets, usually those of project owners. If the reasons behind this aren’t clearly stated the wallet owners could dump at any moment destroying the token’s value.
🚩LOCATION: If the company lists their location, open this on Google Maps street view and check if it’s a real building or not. Company address is listed at a pile of garbage or doesn’t exist? That’s a scam, bruh.
❎ Summarised: IS A PROJECT DOING WHAT THEY SAY THEY ARE? If not, reconsider your investment.
⚠️ NOTE: There are sometimes exceptions to the above.
These include:
ROADMAPS: Refer to a project roadmap (if one is available) to determine milestones and if the project is meeting these or reasons why they were delayed. Their progress should be constantly documented and deadlines met.
LEGIT PRESALES: Not all presales are a precursor to a rug. Before you become an early investor READ THE WHITEPAPER and research the project. It may become the next ship to moon town.
UNDER DEVELOPMENT: Maybe some items are under construction or still being written. An educated investor would be wise to wait until they are complete and published; available for viewing (which makes them open to questioning). Don’t FOMO yourself into a rug.
TOKEN ALLOCATION: Maybe large token pools are allocated for future events, like airdrops. Review wallets and the ledger and where they are connected. Does it look shady or is there an explanation? Is the project owner holding the king’s ransom? Or does it make sense.
If you are unsure or in doubt, contact the project team and ask for more information.
They should be more than happy to discuss it.
Remember: If you are not 100% confident, reconsider your investment.
Part 3: Examples of scams
Part 4: Resource documents
AcidicRating by @acidicworm
Scam Alerts by @shawnmayj
Scam Alert Discord by Airdrop Cartel
XRPL Token Monitoring by @skipper_xrp
https://docs.google.com/spreadsheets/d/1bNeRJNa3N1FQ529hf1e6_2nmCipnMUPXecIQSJmrb0w/edit#gid=0
Coins to avoid & deleted Twitter accounts by AirdropBishop
Part 5: Twitter accounts
There are many great users on Twitter providing databases of scams and updates.
I have listed a few below.
@rippleitinNZ
Regularly investigates and posts about linked token accounts and potential scam rings.
rippleitin.nz is an independent New Zealand based private provider providing server validation of, and information regarding, the XRP ledger.
@shawnmayj
Highlights scams and provides junk wallets to send rugged tokens to.
@AirdropBishop
Tracking deleted Twitter accounts and tokens/projects to avoid.
@skipper_xrp
Locating and highlighting scams and deleted project accounts.
More accounts to be added soon. If you have any suggestions please contact us on Twitter.
Part 6: How to Spot XRP Giveaway Scams
You’ve definitely seen them: YouTube accounts and Twitter posts from Elon Musk, President Donald Trump and Ripple CEO Brad Garlinghouse promising free cryptocurrency. These cryptocurrency giveaway scam posts include branding and profile pictures that look exactly like the imagery that the company or individual uses. Is this your lucky day? No.
These posts are scams. They exploit high-profile social media accounts to trick followers into enriching scammers at their own expense. In a time where misinformation is prevalent, it’s important to be aware of what is real and what is not.
“Giveaway scam” is an industry term that describes fraudulent attempts to convince unassuming consumers that if they send money, they will receive more funds in return—typically through an “airdrop.” These scams impersonate companies and individuals, and are often spread through fake social media profiles across YouTube, Twitter, Facebook and more.
Neither Ripple, nor any executive of the company, has offered—or ever will offer—free giveaways of digital assets. Any XRP giveaway is not endorsed by, affiliated with, maintained, authorized or sponsored by Ripple.
In an effort to shine a light on this dark shadow that is strangling the utility and adoption of cryptocurrencies, we outline advice for spotting and reporting these harmful giveaway scams.
How to Spot Giveaway XRP Scams
In many cases, the first warning that a giveaway ad is a scam is that in order to receive the reward, you must first send money and/or provide your personal financial account information. For any real sweepstakes, winnings are always free and never ask for money or financial account information upfront.
Impersonations are more challenging to spot—often because scammers create a sense of legitimacy by using logos, company executive social handles, profile images and graphics or branding that match real corporate imagery. The key here is personal due diligence.
If a giveaway looks real, we suggest first visiting the company’s main website and verified social channels to confirm if the ad is readily viewable. If an ad is real, more than likely the sweepstakes are also featured on the main pages of legitimate company sites. Also, you can contact the company directly and inquire about the contest.
Additionally, scammers will leverage legitimate accounts to falsify a sense of proof by commenting on top of social posts with fake accounts. Some quick visual signs that a commenting account is a scam is the lack of a profile picture, odd account names, or terminology in the comment that “loves” or “thanks” the company for the giveaway winnings.
Take Action Against Scams
Reporting suspicious behavior is a game of cat and mouse. As soon as one scam is reported and removed, a new scam quickly replaces it. Reporting of these scams largely relies on the company involved, i.e. Ripple, and social platform users to identify and request removals of fake accounts and harmful giveaway scams.
In response to the numerous XRP giveaway scams and impersonations, Ripple has hired an external cybersecurity and digital threat intelligence vendor to help with reporting and takedown efforts.
Where there is money, there will always be people looking to steal it. Be mindful of what you see on social media, check for signs of scam posts and protect yourself. No more of our community or global consumers need to fall victim to these harmful scams. In this uncertain environment, trust and security are critical. We’re in this together.
Best Practices for Avoiding Crypto Scams
- Don’t take any information at face value. Investigate the claims being made around any investment, especially if they seem too good to be true or promise overnight windfalls. The 2020 Twitter hack had scam written all over it.
- Don’t trust anyone—government officials, public figures, strangers—who contacts you directly asking for payments in cryptocurrency or offering you an “investment opportunity.”
- Never share your private key or the seed phrase to your cryptocurrency wallet with anyone, and store that information somewhere offline, aka a cold wallet.
- Enable two-factor authentication whenever possible on whatever kind of crypto wallet and exchange you use. But be aware that this is not a sure-fire solution, as we saw when Coinbase was hacked.
- Double and triple-check website URLs. Scammers attempting a phishing scam will copy the URL of legitimate sites and swap letters and numbers—an “l” for “1” or “0” for the letter “O,” for example.
- Reject any offer that requires an up-front fee no matter what, but especially if that fee has to be paid in cryptocurrency.
Part 7: How to Identify Common Scams
While some crypto scams are unique to the world of digital currency, many of them are twists on existing scams. Some target people looking to invest in cryptocurrency, while others rely on spreading digital cash around in order to steal money without getting tracked.
Investment Scams
If someone contacts you with a “once in a lifetime” investment opportunity, chances are you should run the other way. They’ll often claim their company or app is the next big thing, and that you can get rich if you get in on the ground floor. They’ll sell you hard on their product and couple that sales pitch with a sense of urgency, then disappear with your money.
Sometimes this scam takes the form of “investment managers” offering to help grow your assets by giving it to them to invest. They’ll set up what they claim is an investment account for your crypto, but you won’t be able to access your money unless you pay them a fee.
Other investment scams in the crypto space operate like pyramid schemes. The scammer will convince you to pay them in crypto for the right to recruit other people into their program, claiming you’ll make even more money once you bring in others. They claim the more you “invest,” the more you’ll make down the line, but all you end up with are broken promises.
Sometimes a scam company will launch a new cryptocurrency coin or token, claiming it solves some critical unmet need in the market. They’ll pitch you on their product and ask you to buy into their coin as an investment that will pay off a hundredfold later on, then vanish. The Squid Game-based coin is a perfect example of this.
When investing, check out the company’s website to see what they do to protect their customers. Be on the lookout for abundant grammatical errors and typos, which can signal a scam. Search for verifiable reviews from public sources. Searching the company name with “review” or “scam” is a good way to start.
Phishing Scams
Where conventional phishing scams go for your email or banking login credentials, crypto phishing scams try to get the keys to your crypto wallet. These can also be labeled “technical support scams,” since the person running the scam will often pose as tech support to try and get your information.
Representatives from fake companies—or claiming to be from legitimate ones—will contact you and offer to help manage your crypto if you’ll give them your login credentials. They might also say they need remote access to your computer or other device, or want you to send crypto to a suspicious wallet address.
Never provide sensitive information to people who make unsolicited contact, no matter how convincing or urgent they may seem. If they say they’re with a legitimate company, double-check their information. Coinbase, for example, tells people only to accept calls from the help number or email listed on their website.
Giveaway Scams
Since some celebrities and public figures talk about crypto fairly often on their social media accounts, scammers will organize fake giveaways using their names and likenesses to get money from people. They may even respond to the giveaway post with other fake accounts to make it seem legit. This is what happened when hackers compromised the Twitter accounts of high-profile users with bogus crypto promotions. If it seems weird or too good to be true, steer clear.
The scam posts will often include screenshots designed to make the giveaway seem real, and a link (or even QR code) to a website where people can go to enter. Once there, you’ll be required to “verify” your crypto wallet address by sending a payment. Never trust giveaways that require you to pay anything.
If you get a message on social media or a messaging app like Telegram asking for crypto, ignore it. Legit companies will never contact you unsolicited asking for payments or login credentials.
Extortion Scams
Some scammers will contact you claiming they have embarrassing or incriminating information about you and threaten to release that information if you don’t send them payment in cryptocurrency.
To make the scam more convincing, they might show you something they obtained via a data breach, like an old password. This will often be all they have, and the person is simply bluffing to get you to give in to their demands. If this happens, it qualifies as criminal extortion, and there are a few actions you should take.
First, mark the email as spam. You can then report the incident to the FBI’s Internet Crime Complaint Center (IC3) and local authorities. Make sure you run a malware scan on your computer or device, just to be safe. If the scammer shows you they have a password you’re currently using, change that password immediately wherever it’s being used. Remember, these scam messages are designed to scare you, which is why it’s called scareware. Don’t fall for it!
Loader/Load Up Scams
These scams are pretty brazen, and consist of someone asking you for your crypto wallet or credit card credentials because they need a higher account limit. In return, the scammer offers a portion of the proceeds they say they’ll make from their investments.
Instead, the victim’s crypto is stolen and they’re often left holding the bag on fraudulent credit card charges. They “load up” the victim’s account with crypto and then take it all for themselves, leaving the victim responsible for the transactions made with their wallet credentials.
Never provide your credentials to a third party, even if they say you can trust them. If you see this kind of behavior on a legitimate, regulated exchange, report it so they can put a stop to it.
Part 8: Common secret key management risks are:
- (BAD) Storing your secret key on your computer, while your computer is compromised (you may not be aware of this): an attacker checks your files and steals (copies) your secret key then either steals your funds straight away or waits until there are a lot of funds in your XRP Ledger account to steal them (remotely by re-creating the account in another app).
- (BAD) Storing your secret key in your cloud account: an attacker can gain access to your cloud account (eg. Google Drive, Dropbox, etc.), check your files to steal (copy) your secret key the either steal your funds straight away or wait until there are a lot of funds in your XRP Ledger account to steal them (remotely by re-creating the account in another app).
- Writing down your secret key on a piece of paper, then forgetting where that piece of paper is located.
- Writing down your secret key on a piece of paper, then losing that piece of paper.
- Writing down your secret key on a piece of paper in one place, where it is destroyed (think fire, water).
- Writing down your secret key on a piece of paper in multiple places, where one of the locations is compromised and someone steals the secret key.