January 21, 2026 · 8 min read

Top 5 Crypto Scams in 2026 and How to Avoid Them

Crypto scammers do not take breaks. As wallets get smarter and users become more aware, attack methods evolve to stay one step ahead. The scams dominating 2026 look nothing like the rug pulls and Ponzi schemes of 2021. They are more sophisticated, harder to detect, and designed to exploit the specific trust patterns that DeFi users have developed over years of on-chain activity. Here are the five most dangerous scams operating right now and exactly what you need to do to protect yourself from each one.

1. AI-Generated Phishing Sites

Phishing sites are not new, but the quality of phishing sites in 2026 has reached a level that makes them nearly indistinguishable from the real thing. Attackers are using large language models and automated web scrapers to create pixel-perfect clones of popular dApps in minutes, not days. These clones replicate every visual detail, including real-time price feeds, transaction histories, and even wallet connection animations.

The most dangerous variant is the AI-powered domain squatting attack. Attackers register domains that are visually identical to those of legitimate protocols by using homoglyphs: internationalized domain names that swap standard Latin characters for identical-looking characters from other alphabets. The URL uniswαp.org (with a Greek alpha) looks exactly like uniswap.org in most browser address bars. These phishing sites are promoted through compromised social media accounts, paid search ads, and even legitimate-looking Discord announcements.

How to protect yourself: Always bookmark the official URLs of every protocol you use and only access them through your bookmarks. Never click links from Discord, Telegram, Twitter, or search engine ads. Use a browser extension that checks domains against known phishing databases. If a site asks you to connect your wallet and immediately requests a transaction, slow down and verify the URL character by character.
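As an added illustration (not code from the original post), here is the kind of check a bookmark-only policy or a phishing-aware wallet extension can apply in JavaScript: it folds a hostname to a confusable "skeleton" and compares it against a bookmark allowlist, so uniswαp.org is reported as a lookalike of uniswap.org. The allowlist and the confusables table are assumptions constructed for the example, not a complete table.

```javascript
// Bookmarked hostnames the user actually trusts (constructed allowlist for this example).
const TRUSTED_HOSTS = new Set(["app.uniswap.org", "uniswap.org", "app.aave.com"]);

// A handful of confusables seen in lookalike domains (constructed map, not an exhaustive table).
const CONFUSABLES = new Map([
  ["\u03b1", "a"], ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"],
  ["\u0441", "c"], ["\u0455", "s"], ["\u0456", "i"], ["\u04cf", "l"], ["0", "o"], ["1", "l"],
]);

// Fold a hostname to a comparison skeleton: lowercase, compatibility-normalized, confusables replaced.
function skeleton(host) {
  return Array.from(host.toLowerCase().normalize("NFKC"))
    .map((ch) => CONFUSABLES.get(ch) ?? ch)
    .join("");
}

// Classify the hostname exactly as the address bar displays it (Unicode form, not punycode).
function checkHostname(host) {
  const h = host.toLowerCase();
  if (TRUSTED_HOSTS.has(h)) return { verdict: "trusted", host: h, reasons: [] };
  const reasons = [];
  if (/[^\x00-\x7f]/.test(h)) reasons.push("non-ASCII characters in hostname");
  if (/(^|\.)xn--/.test(h)) reasons.push("punycode (IDN) label in hostname");
  const impersonates = [...TRUSTED_HOSTS].find((t) => skeleton(t) === skeleton(h));
  if (impersonates) {
    reasons.push(`folds to the same skeleton as bookmarked ${impersonates}`);
    return { verdict: "lookalike", host: h, impersonates, reasons };
  }
  return { verdict: "untrusted", host: h, reasons };
}

// Extract the hostname with a simplified grammar (scheme://[userinfo@]host[:port]/...) instead of the
// platform URL parser, which would convert an IDN to punycode before we could compare it visually.
function checkUrl(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^/?#@]*@)?([^/?#:]+)/i.exec(url);
  if (!m) return { verdict: "untrusted", host: null, reasons: ["could not parse a hostname"] };
  return checkHostname(m[1]);
}
```

A "lookalike" verdict is the signal to stop and compare the address bar character by character against the bookmark; "untrusted" simply means the site is not one you bookmarked.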

2. Permit Signature Phishing

This is the fastest-growing scam category in 2026 and arguably the most insidious. Traditional wallet drainers require users to submit on-chain transactions, which cost gas and show up in transaction history. Permit signature phishing bypasses all of that. The attacker asks you to sign an off-chain message, typically disguised as a login step, an age verification, or a terms-of-service agreement. What you are actually signing is an EIP-2612 Permit or a Uniswap Permit2 authorization that grants the attacker's contract permission to spend your tokens.

Because Permit signatures are off-chain, they require no gas and produce no visible on-chain activity until the attacker submits them. Many users have been trained to think that gasless signatures are safe, which is exactly what makes this attack so effective. The attacker collects signatures from hundreds of victims and then submits them all in a single batch transaction, draining wallets en masse.

In January 2026, a Permit2 phishing campaign targeting Aave and Compound users stole over $4.8 million from 89 wallets. The phishing site posed as a protocol governance voting page. Users signed what they thought was a vote, but it was actually a Permit2 signature authorizing unlimited token transfers. None of the victims saw any gas fee or transaction confirmation, because there was no on-chain transaction to confirm.

How to protect yourself: Never assume a gasless signature is harmless. Use a transaction decoder that can parse EIP-712 typed data and show you exactly what the structured message contains. If a site asks you to sign a message that contains token addresses, amounts, or spender fields, treat it with the same caution as an on-chain transaction. Legitimate login signatures use simple plaintext messages like “Sign in to Uniswap” and do not contain contract addresses or token data.
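To make the decoder advice concrete, here is an added JavaScript inspector (not code from the original post or from any wallet) that walks the EIP-712 typed data a site passes to a wallet and reports the fields that turn a "login" into a token approval: a Permit-family primaryType, a spender, an unlimited amount, a token address, and a deadline far in the future. The sample Permit2 PermitSingle and the login message are constructed, with placeholder addresses.

```javascript
const MAX_UINT160 = (1n << 160n) - 1n;   // Permit2 amounts are uint160; EIP-2612 values are uint256, so >= covers both
const PERMIT_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch", "PermitTransferFrom", "PermitBatchTransferFrom"]);
const ADDRESS_RE = /^0x[0-9a-f]{40}$/i;
const ONE_YEAR = 365n * 86400n;

function toBigInt(v) { try { return BigInt(String(v)); } catch { return null; } }

// Walk the message and collect the fields that make a signature an approval rather than a login.
function walk(node, path, out, now) {
  for (const [key, val] of Object.entries(node ?? {})) {
    const here = `${path}.${key}`;
    if (val && typeof val === "object") { walk(val, here, out, now); continue; }
    const n = toBigInt(val);
    if (/^(spender|operator)$/i.test(key) && ADDRESS_RE.test(String(val)))
      out.push(`${here}: grants spending rights to ${val}`);
    else if (/^(amount|value)$/i.test(key) && n !== null && n >= MAX_UINT160)
      out.push(`${here}: unlimited allowance`);
    else if (/^(deadline|expiration|sigDeadline)$/i.test(key) && n !== null && n > now + ONE_YEAR)
      out.push(`${here}: valid for more than a year (${val})`);
    else if (/^token$/i.test(key) && ADDRESS_RE.test(String(val)))
      out.push(`${here}: names token contract ${val}`);
  }
}

// Inspect the JSON a site hands to eth_signTypedData_v4; nowSeconds is injectable for testing.
function inspectTypedData(typed, nowSeconds = Math.floor(Date.now() / 1000)) {
  const findings = [];
  if (PERMIT_TYPES.has(typed.primaryType))
    findings.push(`primaryType ${typed.primaryType} is a token permit, not a login`);
  walk(typed.message, "message", findings, BigInt(nowSeconds));
  return { domain: typed.domain?.name, primaryType: typed.primaryType, risky: findings.length > 0, findings };
}

// Constructed sample: a Permit2 PermitSingle presented as a "governance vote" (placeholder addresses).
const SAMPLE_PERMIT2 = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x0000000000000000000000000000000000000001" },
  primaryType: "PermitSingle",
  message: {
    details: { token: "0x1111111111111111111111111111111111111111", amount: MAX_UINT160.toString(),
               expiration: "281474976710655", nonce: 0 },        // uint48 max: never expires in practice
    spender: "0x2222222222222222222222222222222222222222",
    sigDeadline: "281474976710655",
  },
};
// Contrast: a login-style message with no spender, amounts or token addresses.
const SAMPLE_LOGIN = {
  domain: { name: "Example dApp", chainId: 1 }, primaryType: "Login",
  message: { statement: "Sign in to Example dApp", nonce: "8f3a21", issuedAt: "2026-01-21T00:00:00Z" },
};
```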

3. Address Poisoning Attacks

Address poisoning is a deceptively simple attack that exploits a common user behavior: copying addresses from transaction history. The attacker monitors your on-chain activity and identifies addresses you frequently send tokens to. They then generate a vanity address that matches the first and last few characters of your real recipient address. Using this lookalike address, they send you a tiny transaction, often zero-value or a dust amount of a worthless token.

This transaction now appears in your wallet's transaction history. The next time you need to send tokens to your usual recipient, you scroll through your history, see what looks like the correct address, copy it, and paste it into the send field. But you just copied the attacker's lookalike address. Because most wallets truncate addresses to show only the first 6 and last 4 characters, the poisoned address looks identical to the real one. You send your tokens directly to the attacker.

In February 2026, a single address poisoning attack resulted in the theft of 1,200 ETH (approximately $4.2 million) from a single victim who was transferring funds between their own wallets. The attacker had poisoned the victim's transaction history weeks earlier with a zero-value transfer from an address that matched the first and last characters of the victim's cold wallet.

How to protect yourself: Never copy addresses from your transaction history. Always use your address book or contacts feature to store frequently used addresses. When sending large amounts, always verify the full address character by character, or send a tiny test transaction first and confirm receipt before sending the full amount. Some wallets now filter out zero-value and dust transactions to prevent address poisoning, so make sure your wallet has this feature enabled.
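The two wallet-side checks described above, as an added JavaScript example that is not part of the original post: one scans incoming transfers for senders whose truncated display (first 6 and last 4 characters) collides with an address-book entry, and one gates the send form so a pasted address that matches a contact only in its truncated form is refused. The address book and history are constructed with placeholder addresses.

```javascript
const ADDRESS_RE = /^0x[0-9a-f]{40}$/i;

// Constructed address book and transfer history (placeholder addresses, no real funds involved).
const CONTACTS = {
  "cold wallet": "0xabcd12" + "a".repeat(30) + "1234",
  "exchange deposit": "0x9876fe" + "b".repeat(30) + "5555",
};
const HISTORY = [
  { direction: "in", from: "0x9876fe" + "b".repeat(30) + "5555", value: 500000000000000000n, token: "ETH" },
  { direction: "in", from: "0xabcd12" + "c".repeat(30) + "1234", value: 0n, token: "ETH" }, // poison: same ends, different middle
  { direction: "out", to: "0xabcd12" + "a".repeat(30) + "1234", value: 2000000000000000000n, token: "ETH" },
];

// How most wallets render an address: "0x" plus the first 6 and the last 4 hex characters.
const truncate = (a) => `${a.slice(0, 8)}...${a.slice(-4)}`;

// True when two different addresses collapse to the same truncated display.
function looksAlike(a, b) {
  const x = a.toLowerCase(), y = b.toLowerCase();
  return x !== y && ADDRESS_RE.test(x) && ADDRESS_RE.test(y) && truncate(x) === truncate(y);
}

// Scan incoming transfers for senders that mimic an address-book entry (the poisoning step).
function findPoisoning(history, contacts) {
  const hits = [];
  for (const tx of history) {
    if (tx.direction !== "in") continue;
    for (const [label, real] of Object.entries(contacts)) {
      if (looksAlike(tx.from, real))
        hits.push({ from: tx.from, mimics: label, displayedAs: truncate(tx.from), zeroValue: tx.value === 0n });
    }
  }
  return hits;
}

// Gate the send form: an exact match to a contact is fine; a truncated-only match is the attack.
function checkRecipient(pasted, contacts) {
  const p = pasted.toLowerCase();
  for (const [label, real] of Object.entries(contacts)) {
    if (p === real.toLowerCase()) return { verdict: "contact", label };
    if (looksAlike(p, real)) return { verdict: "lookalike", label, displayedAs: truncate(p) };
  }
  return { verdict: "unknown" };
}
```

The zeroValue flag is what a dust filter keys on; the lookalike check catches the same poison even when the attacker spends a little to make the transfer look real.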

4. Fake Airdrop Claim Drainers

Free money is the oldest lure in scamming, and it remains devastatingly effective in crypto. The fake airdrop claim has evolved from simple phishing pages into sophisticated multi-step funnels that mimic legitimate token distribution events down to the smallest detail. Attackers study upcoming airdrops from real protocols, create announcement posts before the official team does, and drive traffic to their phishing claim pages.

The modern airdrop scam typically works in three stages. First, the victim sees a convincing announcement on social media, often from a compromised account with a large following. Second, they visit the claim page and connect their wallet. The site shows a fake eligibility check that always confirms the user qualifies for a substantial airdrop. Third, the user clicks “Claim” and is presented with a transaction that looks like a standard claim function but is actually a setApprovalForAll() on their NFT collection or an unlimited ERC-20 approval.

Some sophisticated variants use a multicall pattern to bundle the malicious approval inside what looks like a legitimate claim transaction. The transaction simulation shows tokens being received, which makes it look safe. But buried in the same transaction is an approval that gives the attacker access to a completely different, more valuable token in the victim's wallet.

How to protect yourself: Legitimate airdrops are always announced through official channels with verified links. Never claim an airdrop from a link you found on social media. Wait for the official protocol team to publish the claim page on their verified website and official Twitter account. Use a transaction decoder to verify that the claim transaction is actually calling a claim function and not an approval. If the transaction requests any kind of token approval, it is almost certainly a scam.
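As an added example of the decoder check (not code from the original post), this JavaScript walks a transaction's calldata, recurses into a multicall(bytes[]) bundle, and reports every approve, increaseAllowance or setApprovalForAll it finds, so a "claim" that smuggles an unlimited approval is surfaced. The selectors are the standard keccak-derived ones; the sample transaction, its spender address and the small ABI encoder used to build it are constructed for this example.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;
// 4-byte selectors a fake "claim" transaction commonly hides behind (standard keccak-derived values).
const SELECTORS = { "095ea7b3": "approve(address,uint256)", "a22cb465": "setApprovalForAll(address,bool)",
                    "39509351": "increaseAllowance(address,uint256)", "ac9650d8": "multicall(bytes[])", "4e71d92d": "claim()" };
const word = (args, i) => args.slice(i * 64, i * 64 + 64);     // i-th 32-byte word of the args (hex, no 0x)
const num = (w) => BigInt("0x" + (w || "0"));
const addr = (w) => "0x" + w.slice(24);

// Decode an ABI-encoded bytes[] (the single argument of multicall).
function decodeBytesArray(args) {
  const base = Number(num(word(args, 0))) * 2;                 // array starts here (offset in hex chars)
  const count = Number(num(args.slice(base, base + 64)));
  const items = [];
  for (let i = 0; i < count; i++) {
    const rel = Number(num(args.slice(base + 64 + i * 64, base + 128 + i * 64))) * 2;
    const start = base + 64 + rel;                             // element offsets are relative to the first element slot
    const len = Number(num(args.slice(start, start + 64)));
    items.push("0x" + args.slice(start + 64, start + 64 + len * 2));
  }
  return items;
}

// Walk calldata (recursing into multicall) and report every approval it contains.
function findApprovals(calldata, out = []) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const sel = hex.slice(0, 8), args = hex.slice(8);
  const name = SELECTORS[sel] || `unknown selector 0x${sel}`;
  if (sel === "ac9650d8") decodeBytesArray(args).forEach((c) => findApprovals(c, out));
  else if (sel === "095ea7b3" || sel === "39509351")
    out.push({ fn: name, spender: addr(word(args, 0)), unlimited: num(word(args, 1)) === MAX_UINT256 });
  else if (sel === "a22cb465")
    out.push({ fn: name, operator: addr(word(args, 0)), approved: num(word(args, 1)) === 1n });
  return out;
}

// Constructed sample: claim() bundled with an unlimited approve to a placeholder spender via multicall.
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SPENDER = "0x2222222222222222222222222222222222222222";          // placeholder, not a real contract
function encodeMulticall(calls) {                                     // minimal ABI encoder for bytes[]
  let heads = "", tails = "", offset = calls.length * 32;
  for (const c of calls) {
    const body = c.replace(/^0x/, ""), padded = body.padEnd(Math.ceil(body.length / 64) * 64, "0");
    heads += pad(offset.toString(16));
    tails += pad((body.length / 2).toString(16)) + padded;
    offset += 32 + padded.length / 2;
  }
  return "0xac9650d8" + pad("20") + pad(calls.length.toString(16)) + heads + tails;
}
const FAKE_CLAIM_TX = encodeMulticall(["0x4e71d92d", "0x095ea7b3" + pad(SPENDER) + pad(MAX_UINT256.toString(16))]);
```

A non-empty result from findApprovals on a transaction that was supposed to be a claim is the "almost certainly a scam" signal from the paragraph above, independent of what the simulation shows being received.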

5. Malicious Browser Extension Takeovers

The most terrifying scam of 2026 does not require you to visit a phishing site or sign a malicious transaction. It happens when a legitimate browser extension you already trust gets compromised. Attackers target small, popular browser extensions by purchasing them from their original developers, gaining access to the developer account through social engineering, or exploiting the extension's update pipeline. Once they control the extension, they push a malicious update that injects code into every page you visit.

The injected code monitors for wallet interactions and silently modifies transaction parameters before they reach your wallet. You think you are swapping tokens on Uniswap, but the extension has changed the recipient address to the attacker's wallet. Your wallet shows a legitimate-looking transaction because the modification happens before the wallet even receives the request. Transaction simulation confirms the swap will execute, because it will execute, just to the wrong address.

In December 2025, a widely used crypto portfolio tracker extension with over 200,000 installs was compromised through a supply chain attack on one of its npm dependencies. For 18 hours before the malicious update was detected and pulled, the extension modified outgoing transactions on Ethereum and Base to redirect funds to attacker-controlled wallets. Over $3.7 million was stolen from users who had no reason to suspect their trusted extension had been weaponized.

How to protect yourself: Minimize the number of browser extensions you install, especially in the browser profile where you use your crypto wallet. Disable automatic extension updates and review changelogs before updating. Use a dedicated browser profile exclusively for crypto activities with only your wallet and essential security extensions installed. When making large transactions, always verify the recipient address on your hardware wallet's screen, as hardware wallets display the true transaction parameters independent of what your browser shows.

The Common Thread

Every scam on this list exploits the same fundamental weakness: users signing transactions and messages they do not fully understand. Whether it is a phishing site, a permit signature, a poisoned address, a fake airdrop, or a compromised extension, the attack succeeds because the victim cannot verify what they are approving. The single most effective defense against all five of these scams is a transaction decoder that shows you exactly what every transaction and signature does before you approve it. That is why we built WTF Am I Signing.

Scammers will continue to evolve. New attack vectors will emerge as the ecosystem grows and changes. But the core defense remains the same: understand what you are signing before you sign it. No legitimate protocol will ever require you to sign something you cannot verify. If you cannot read it, do not sign it. If it seems too good to be true, it is. And if anyone is rushing you to sign something quickly before an opportunity disappears, that urgency is the scam.

Stay skeptical. Stay informed. And stop signing blind.