
Decoding DeFi: The Future of Finance or a Hacker’s Playground? (Part 2)

Hafizzuddin Fahmi Hashim | May 2, 2025

Decentralized Finance (DeFi) is revolutionizing the financial sector by enabling permissionless transactions without central intermediaries through blockchain technology. Yet with innovation comes risk. The cryptocurrency ecosystem—from DeFi platforms to broader crypto ventures—has become a prime target for scams.

This article explores key vulnerabilities within DeFi, focusing on common threats such as Ponzi and pyramid schemes, rug pulls, and phishing attacks that endanger users and investors.

Crypto Wallets: A Gateway for Innovation—and Exploits

Before we dive into the world of DeFi scams, it’s helpful to first understand the core components that make up this ecosystem (read part 1 to learn the basics of DeFi). DeFi relies on smart contracts—self-executing agreements that automate transactions without human intervention. Users interact with DeFi through crypto wallets, which store digital assets and connect to decentralized applications (dApps).

In general, a crypto wallet is a digital tool that allows users to store, send, and receive cryptocurrencies. It doesn’t hold the coins themselves, but rather the private keys that grant access to digital assets on the blockchain. There are two main types of wallets:

  • Hot wallets: These are connected to the internet and commonly used for everyday transactions on DeFi platforms. They’re convenient and easy to access through apps or browser extensions, but because they’re always online, they are more vulnerable to hacks and phishing attacks.

  • Cold wallets: These are offline storage options, typically taking the form of hardware devices that must be physically connected to your computer (or paired via Bluetooth) to sign transactions. Since they stay offline when not in use, they offer enhanced security against cyber threats. Examples include devices like Trezor and Ledger Nano.

Wallets also serve as gateways to dApps which operate without central control. These applications enable a range of financial services, including lending, borrowing, staking, and trading. While DeFi’s openness and automation improve accessibility, they also introduce new vulnerabilities. Understanding these components lays the groundwork for recognizing scams that prey on unsuspecting users.

The Dark Side of DeFi: Common Scams

Scammers are constantly finding new ways to exploit users—especially those unfamiliar with how the space works. In 2024 alone, billions were lost to deceptive tactics such as rug pulls, phishing, and fraudulent investment platforms. For instance, the infamous Squid Game token scam saw developers drain all liquidity and disappear, while address poisoning attacks quietly tricked users into sending funds to lookalike wallet addresses.

These examples highlight just how varied and creative crypto scams can be. Understanding how these scams operate is essential to helping consumers better protect themselves. In this section, we examine the most common scams targeting DeFi users.

Ponzi and pyramid schemes

One of the oldest fraud models, the Ponzi scheme, has found new life in cryptocurrency. A Ponzi scheme promises high, guaranteed returns to investors—but pays earlier investors using funds from newer participants, not from actual profits. Similarly, pyramid schemes reward participants for recruiting others into the system, forming a pyramid of payouts that inevitably collapses without a constant influx of new members.

In the crypto world, these scams often masquerade as investment programs, high-yield staking platforms, or ‘trading bots’ that claim to generate consistent profits.

How crypto Ponzi schemes work

Scammers typically launch a flashy project or investment platform, boasting too-good-to-be-true returns (e.g. 1% daily interest or doubling your money in a month). Early users may receive some returns, often paid out from the deposits of newer investors. This initial success creates a buzz and lends a false sense of legitimacy, encouraging more people to invest. However, the growth is unsustainable. Eventually, the scam reaches a tipping point where withdrawals exceed new deposits, and the entire scheme collapses—leaving most investors with heavy losses. The operators usually vanish with a large sum of the investors’ money.

Infection vectors for Ponzi schemes

These scams often spread through polished online ads, fake social media pages, and invitation-only groups on platforms like Telegram and WhatsApp. In many cases, scammers impersonate influencers or respected voices in the crypto community to promote their projects. Fake Facebook posts and YouTube ads—often featuring exaggerated profit visuals and urgent messaging—are common tools used to lure victims into clicking malicious links and depositing funds.

Facebook and Instagram ads promoting fake crypto investment opportunities with unrealistic ROI claims

Red flags of a Ponzi scheme

  • Guaranteed high returns: Be wary of any scheme that promises consistent, significant returns with little or no risk. In crypto, no legitimate investment can guarantee profits.

  • Aggressive recruitment or referrals: If a project heavily incentivizes recruiting new investors—such as through referral bonuses or multi-level commissions—it could be a pyramid scheme.

  • Lack of transparency: Ponzi operators often keep their strategies vague. If it’s unclear how a platform is generating the returns it promises, that’s a major warning sign.

  • No real product or utility: In a pyramid scheme, there may be no genuine underlying product, or the so-called ‘product’ is merely a front.

Case study: OneCoin Ponzi scheme

OneCoin was a massive Ponzi scheme launched in 2014 by Ruja Ignatova, who promoted it as a groundbreaking cryptocurrency that would rival Bitcoin. In reality, it had no blockchain or real crypto asset—only a centralized database and a slick marketing front.

The scheme spread globally through multi-level marketing, with members earning commissions by recruiting others to buy ‘educational packages’ bundled with worthless OneCoin tokens. Promises of high returns, flashy events, and aggressive promotion across more than 175 countries fueled its rapid growth. Despite warnings from regulators, the scheme attracted over $4 billion from investors before ultimately collapsing.

Apart from recognizing the scam, it also helps to dissect it and carefully understand its inner workings. Using the F-Secure Scam Kill Chain, we can systematically analyze how this global fraud operated:

  • Reconnaissance: The scam fed on manual profiling (1.1)—targeting individuals interested in passive income, crypto, or online investing, particularly in regions with lower financial literacy.

  • Development: Scammers built an entire fake ecosystem—including websites, scripted seminars, and ‘education packages’ (2.2, 2.5)—to appear legitimate. They also established email servers and created promotional content (2.1) to manage outreach at scale.

  • Contact: Victims were pulled in through email (3.1), social media (3.4), and phone calls (3.2), often from other participants recruited into the pyramid model.

  • Persistence: The scheme relied on psychological manipulation (4.2)—creating a cult-like sense of exclusivity and urgency, pressuring members to reinvest and recruit others.

  • Access: Users willingly provided personal and financial information when signing up or purchasing packages (5.1).

  • Lateral Movement: OneCoin encouraged users to recruit friends and family (7.1), and in some cases, reset passwords or access linked accounts (7.2) to maintain control over their downlines.

  • Monetization: The scam generated billions through direct fund transfers (8.1) and fraudulent investment schemes (8.2), funneling money up the pyramid while leaving latecomers with worthless tokens and no genuine blockchain behind it.

Rug pull scams

A rug pull is a specific type of exit scam that has become notoriously common in DeFi, especially with the explosion of new tokens and yield farming projects. The term ‘rug pull’ comes from the idea of yanking the rug out from under investors. A rug pull occurs when developers abandon a project after attracting significant investment, withdrawing all liquidity and leaving investors with worthless tokens.

These scams generally fall into two categories:

  • Hard rug pulls: Malicious code is embedded in the smart contract from the beginning, allowing developers to steal funds. For example, the contract might include a function that permits only the owner to sell tokens or withdraw liquidity.

  • Soft rug pulls: Developers abruptly exit a project without warning, disappearing with investor funds. This often occurs after scammers gather enough capital and then dump their tokens or unlock liquidity to cash out.

How rug pulls work

  1. Creation of a fake project: Scammers develop a token or DeFi platform, often supported by professional-looking websites and active social media engagement. They frequently copy-paste code from legitimate projects (or fork existing ones) to appear credible.

  2. Liquidity pool setup: A decentralized exchange (DEX) is used to pair the new token with a more established cryptocurrency (e.g. ETH, BNB, or USDC) in a liquidity pool. This creates a market where people can trade the token.

  3. Marketing and hype: Influencers and promotional campaigns drive up excitement around the new project. The fear of missing out pushes investors to rush in and buy tokens, inadvertently driving up the price. As the price rises and community enthusiasm grows, even more buyers are drawn in.

  4. The rug pull: When project hype peaks, the scammers execute the rug pull. In a DEX liquidity rug pull, the scammers withdraw all liquidity from the pool (since they control it), leaving no backing for the token—its price crashes to zero as no trading can occur without available crypto balances.

  5. Token dump scenario: Scammers rapidly sell off their holdings at the inflated price. The massive sell-off causes the price to crash, and the scammers disappear with the proceeds. In either case, regular investors are left holding tokens that are now essentially worthless.

Split-second token price collapse following a rug pull scam
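The two endings described in steps 4 and 5 (liquidity withdrawal and a developer dump) both follow from the pricing rule of the liquidity pool itself. The model below is an added example, not code from the article or from any DEX: it implements the constant-product rule (x * y = k) used by Uniswap-style pools and shows why a drained pool cannot trade at all, and why a developer holding several times the pool’s token reserve can only exit by crashing the price. Reserve sizes and the developer’s holding are constructed sample values, and swap fees are ignored.

```python
"""Constant-product pool model (x * y = k), the pricing rule used by Uniswap-style DEXs.

Added example, not from the original article, illustrating the two endings of a
rug pull: a liquidity withdrawal that leaves no market, and a developer holding
most of the supply dumping it into the pool. Pool reserves and holdings are
constructed sample values; swap fees are ignored.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    token_reserve: float   # units of the new token in the pool
    base_reserve: float    # units of the paired base asset (e.g. ETH)

    @property
    def price(self) -> float:
        """Spot price of one token in base-asset units (0 when the pool is empty)."""
        return 0.0 if self.token_reserve == 0 else self.base_reserve / self.token_reserve

    def sell_tokens(self, amount: float) -> float:
        """Sell `amount` tokens into the pool and return the base asset paid out.

        The product of the reserves is held constant, so a large sale slides
        down the curve and realises far less than amount * spot price.
        """
        if self.token_reserve == 0 or self.base_reserve == 0:
            raise ValueError("pool has no liquidity; no trade can execute")
        k = self.token_reserve * self.base_reserve
        new_token_reserve = self.token_reserve + amount
        new_base_reserve = k / new_token_reserve
        paid_out = self.base_reserve - new_base_reserve
        self.token_reserve, self.base_reserve = new_token_reserve, new_base_reserve
        return paid_out

    def remove_all_liquidity(self) -> tuple[float, float]:
        """The DEX liquidity rug pull: the pool's controller withdraws both reserves."""
        withdrawn = (self.token_reserve, self.base_reserve)
        self.token_reserve = self.base_reserve = 0.0
        return withdrawn


def liquidity_rug_pull(pool_tokens: float = 1_000_000, pool_base: float = 100) -> dict:
    """Step 4: all liquidity is pulled, so holders cannot sell at any price."""
    pool = Pool(pool_tokens, pool_base)
    price_before = pool.price
    pool.remove_all_liquidity()
    try:
        pool.sell_tokens(1)
        can_trade = True
    except ValueError:
        can_trade = False
    return {"price_before": price_before, "price_after": pool.price, "can_trade": can_trade}


def token_dump(dev_tokens: float, pool_tokens: float = 1_000_000, pool_base: float = 100) -> dict:
    """Step 5: a developer sells a holding several times the pool's token reserve."""
    pool = Pool(pool_tokens, pool_base)
    price_before = pool.price
    proceeds = pool.sell_tokens(dev_tokens)
    drop_pct = 100 * (1 - pool.price / price_before)
    return {"price_before": price_before, "price_after": pool.price,
            "price_drop_pct": drop_pct, "dev_proceeds": proceeds}


if __name__ == "__main__":
    print(liquidity_rug_pull())
    # Dev holds 5x the tokens in the pool (about 83% of a 6M supply): price falls ~97%.
    print(token_dump(dev_tokens=5_000_000))
```

With a pool of 1,000,000 tokens against 100 ETH, a developer selling 5,000,000 tokens receives about 83 ETH of the pool’s 100 and leaves the price at 1/36 of where it started; that is the arithmetic behind the “majority share” red flag later in this section.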

Rug pulls vs pump-and-dump schemes

In a broader sense, pump-and-dump schemes can be orchestrated by anyone who can acquire large amounts of cryptocurrency at a low price. The effect is similar to a rug pull: an artificially inflated price followed by a sudden crash. In fact, many rug pulls use pump-and-dump dynamics, amplified by the added trust that comes from being the token’s developer. The key difference is that in a pump-and-dump, scammers rely on market manipulation and often lack special code privileges—they simply exploit hype and human greed.

Infection vectors for rug pull scams

A rug pull scam typically begins when scammers launch a new cryptocurrency project—whether a token or a DeFi platform—backed by flashy marketing, high-yield promises, and hype-driven community engagement. Victims are lured in through social media, influencer endorsements, airdrops, or seemingly legitimate platforms like decentralized exchanges (DEXs), where the token appears tradeable.

Once enough users have invested and added liquidity to the project, the scammers suddenly withdraw all funds by exploiting their control over the smart contract or liquidity pool—effectively ‘pulling the rug’ and leaving investors with worthless tokens. The lack of regulation, anonymous teams, and unaudited code makes these scams particularly effective and difficult to trace.

Red flags of a rug pull scam

  • Sudden, unexplained price spikes: If a little-known coin’s price skyrockets overnight without a clear reason—such as news or development updates—it could be the result of coordinated price manipulation.

Unexplained price spike linked to a pump-and-dump scam involving the #HELLOWORLD token

  • Heavy social media promotion: Scam coins are often aggressively pushed by anonymous accounts or ‘crypto tip’ groups promising quick profits. Be cautious of phrases like "next 100x gem!" or unsolicited investment advice.

Heavy promotion on social media highlighting forecasted profits

  • Low liquidity: Tokens with low trading volume or shallow liquidity are prime targets for pump-and-dump schemes. While the price can be driven up quickly, a sell-off often leads to a sharp collapse due to lack of market support.

  • Anonymous developers: If a project’s team is anonymous or lacks a credible track record, accountability is limited. Legitimate projects typically have identifiable developers or reputable auditors.

  • No external audit: Reputable DeFi projects usually undergo smart contract audits by known firms. The absence of a thorough audit—or the presence of only a superficial one—could indicate undiscovered vulnerabilities or intentional backdoors. Look for audit reports from firms like CertiK, Hacken, or Trail of Bits that include the firm’s name, audit scope, detailed findings, and dates.

  • Excessive developer control: If a contract enables developers to mint new tokens, change fees, or withdraw funds at will, it signals dangerous centralization of power. Truly decentralized projects typically renounce such control to ensure long-term trust.

  • Unusual tokenomics: Extremely high yields or reward rates—well above market norms—may be unsustainable and used as bait. Also review token distribution: if developers hold a majority share, they could dump it and crash the price.

  • Pressure and hype tactics: Scammers often create urgency through countdowns, limited-time offers, or teasers of ‘big news’. If a project’s promotion outweighs its actual development or utility, that’s a strong warning sign.

Verifying DeFi project legitimacy

Investors can spot potential rug pulls by watching for the red flags listed above, such as anonymous development teams, unverified smart contracts, and excessive developer control over token liquidity.

To assess these risks, users can:

  • Check whether the project’s team is publicly known or linked to credible past projects

  • Verify the smart contract on blockchain explorers like Etherscan

  • Confirm whether the liquidity pool is locked, or if developers retain the ability to withdraw it at any time

Case study: Squid Game token

The Squid Game token (SQUID) rug pull in late 2021 capitalized on the popularity of the Netflix series. Anonymous developers launched the SQUID token on 20 October, and through aggressive viral marketing and media hype, its price skyrocketed from mere cents to over $2,800 in less than two weeks.

Unbeknownst to buyers, the smart contract was rigged so that only the creators could sell tokens, while regular holders could not. On 1 November—the day the token reached its all-time high—the scammers sold their holdings and drained the liquidity, causing the price to crash from over $2,800 to nearly zero within minutes.

The Squid Game token scam is a textbook rug pull—but when viewed through the lens of the F-Secure Scam Kill Chain, it becomes even clearer how each phase played a role:

  • Reconnaissance: Scammers likely performed automated scraping (1.2) of social trends, capitalizing on the popularity of the Netflix series Squid Game to spark interest and trust.

  • Development: They used software development (2.2) and created fake legitimacy (2.4) through a flashy website, fabricated partnerships, and an official-looking whitepaper.

  • Contact: Promotion spread via social media (3.4), relying on hype and the fear of missing out to attract unsuspecting investors.

  • Persistence: The scammers cultivated trust (4.2) through consistent updates and promises, giving the illusion of an active, growing project.

  • Access: Investors willingly shared information (5.1) by connecting their wallets to the platform and purchasing tokens.

  • Monetization: The stolen funds were converted via direct transfer (8.1) into other cryptocurrencies or cashed out—completing the scam kill chain.

Phishing attacks

Not all threats come from investing in the wrong project—many are active attacks that target individual users through social engineering. Phishing attacks are a pervasive problem in the crypto world, with attackers tricking users into revealing private keys, seed phrases, or granting approvals that allow them to steal funds. In DeFi, phishing often takes on more inventive forms, but the core idea is the same as traditional phishing: lure the victim with a fake identity or offer and exploit their trust or confusion.

Airdrop scams

Airdrops are a marketing tactic where crypto projects—especially new ones—distribute free tokens to attract users. Scammers exploit this system in several ways:

  • Sending fake airdrop notifications

  • Requiring users to connect wallets to phishing sites

  • Stealing private keys and draining funds

Scammers often post messages on platforms like X (formerly Twitter) promoting so-called exclusive airdrop schemes tied to new DeFi projects. These posts typically urge users to click a link directing them to a website where they can supposedly claim free tokens. The phishing site may closely mimic a legitimate DeFi application or crypto wallet interface, prompting users to connect their wallets.

Once connected, victims may be tricked into signing a malicious transaction—such as granting unlimited token spending approval—or even entering their seed phrase under the pretense of logging in. For example, a user might land on a site that looks like Uniswap (a popular decentralized exchange) or MetaMask (a crypto wallet browser extension) prompting them to ‘import wallet to receive airdrop’. In reality, the site is designed to steal their private keys.

Scammers also impersonate notable figures or trending topics—such as Elon Musk and the Grok token—to gain credibility and trick users into acting.

Grok token (GROK) promotion by a bot account on X (formerly Twitter)

Address poisoning attacks

Scammers create phishing wallet addresses that closely resemble those frequently used by victims. They then send small amounts of cryptocurrency (often referred to as dust transactions) to the victim’s wallet, with the goal of having the victim accidentally copy the look-alike address in a future transaction. This scam is effective for several reasons:

  • Blockchain transactions are publicly visible, allowing scammers to monitor high-value wallets

  • Users often copy-paste wallet addresses without fully verifying them

  • Wallet addresses are long and complex, so many users only check the first and last few characters

By ‘poisoning’ a victim’s transaction history with a look-alike address, scammers increase the chance that the victim will mistakenly copy it from their wallet’s recent activity when sending or receiving funds. If this happens, the funds are sent directly to the scammer’s wallet—with no way to recover them.

Scammer using address poisoning to manipulate a victim’s transaction history
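The defence against address poisoning is mechanical: compare the whole address, not the part a person eyeballs. The script below is an added example (not from the article) of the check a wallet or a user’s own tooling can run over a recent-activity list. It flags any counterparty that copies the first and last few hex characters of a verified address while differing in the middle, and it refuses a send unless the destination matches a verified address exactly. The addresses are constructed for the example and are not real wallets.

```python
"""Look-alike address check for the address poisoning pattern described above.

Added example, not from the original article. It models a wallet's recent
activity list and an address book of counterparties the user has verified, then
flags any recent counterparty that matches a trusted address on the characters a
person tends to eyeball (first and last few) but differs elsewhere. All
addresses here are constructed sample values, not real wallets.
"""
import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Lower-case an EVM-style address after validating its shape."""
    if not HEX_ADDRESS.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def is_lookalike(candidate: str, trusted: str, prefix_len: int = 4, suffix_len: int = 4) -> bool:
    """True when candidate shares trusted's visible prefix and suffix but is a different address.

    prefix_len counts hex characters after '0x'. Wallet UIs commonly render
    0x1234...abcd, which is exactly what a poisoned address imitates.
    """
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    return c[2:2 + prefix_len] == t[2:2 + prefix_len] and c[-suffix_len:] == t[-suffix_len:]


def find_poisoned(recent_counterparties, address_book, **kw):
    """Return (suspicious_address, trusted_address) pairs found in recent activity."""
    hits = []
    for seen in recent_counterparties:
        for trusted in address_book:
            if is_lookalike(seen, trusted, **kw):
                hits.append((normalize(seen), normalize(trusted)))
    return hits


def safe_to_send(destination: str, address_book) -> bool:
    """Pre-send check: only an exact, full-length match with a verified address passes."""
    return normalize(destination) in {normalize(a) for a in address_book}


# Constructed sample data: one verified counterparty, and a dust sender whose
# address copies its first four and last four hex characters.
ADDRESS_BOOK = ["0xAb12f0e4c5d6a7b8c9d0e1f2a3b4c5d6e7f8Cd34"]
RECENT_ACTIVITY = [
    "0xAb12f0e4c5d6a7b8c9d0e1f2a3b4c5d6e7f8Cd34",   # the real counterparty
    "0xAb12" + "9" * 32 + "Cd34",                     # poisoned look-alike
    "0x" + "0" * 39 + "1",                            # unrelated address
]

if __name__ == "__main__":
    for suspect, real in find_poisoned(RECENT_ACTIVITY, ADDRESS_BOOK):
        print(f"WARNING: {suspect} imitates verified address {real}")
    print("send allowed:", safe_to_send(RECENT_ACTIVITY[1], ADDRESS_BOOK))
```

The prefix and suffix lengths are parameters because different wallets truncate differently; widening them catches more deliberate imitations, while the exact-match rule in `safe_to_send` is what actually prevents the loss.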

Fake support and malware links

Scammers also target users on social media platforms who are seeking help. For example, someone posting "MetaMask issue, can’t send funds!" might receive replies from fake support accounts offering assistance—often with a link. These links typically lead to phishing sites that request wallet details or install malware.

Discord servers for crypto projects are another common hunting ground. Bots and fake admins may message users directly, offering to ‘help’ by directing them to phishing sites or prompting them to download fake wallet apps designed to steal sensitive information.

Fake MetaMask validator page, redirected from a phishing link

Case study: DeFi front-end hijack scam

A notable case occurred in 2022, when users of a popular DeFi protocol encountered a sudden pop-up prompting them to ‘upgrade’ their smart contract permissions. In reality, scammers had compromised the protocol’s front end through a DNS hijack and injected a fake MetaMask popup. Users who followed the prompt inadvertently granted the attackers access to their wallets—resulting in millions of dollars in stolen funds.

Breaking down this attack step by step reveals how each phase of the scam was carefully orchestrated—and helps identify where detection or intervention could have made a difference. The F-Secure Scam Kill Chain offers a structured way to analyze each stage:

  • Reconnaissance: The attackers likely scraped user behavior (1.2) or monitored wallet interactions to identify an active DeFi platform with a large, engaged user base to exploit.

  • Development: They acquired infrastructure (2.1) and built a spoofed front end (2.2) of the original DeFi site, closely mimicking legitimate UI components—including a fake MetaMask prompt.

  • Contact: Victims were exposed simply by visiting what appeared to be the legitimate site—a direct exposure method (3.6) that required no emails or messages. The phishing element was injected directly through the hijacked domain.

  • Access: Users unknowingly granted token approval permissions (5.1), believing they were completing a routine interaction.

  • Exfiltration: The malicious contract enabled direct access to the victims’ wallets (6.2), draining funds immediately upon approval.

  • Monetization: The stolen assets were likely funneled through mixers or peer-to-peer (P2P) transfers, matching direct transfer of funds (8.1).

How to Stay Safe from DeFi Scams

Navigating the DeFi and crypto landscape requires a combination of skepticism, knowledge, and strong security habits. Here are key best practices for consumers to protect themselves against the scams and exploits discussed in this article:

  • Do your own research: Always investigate a project thoroughly before investing. Check whether the code is audited, read community discussions or independent reviews, and verify any claims made. If possible, research the team’s background. Scam projects rely on users opting in without due diligence.

  • Verify websites and contract addresses: Only use official links—from a project’s website or verified social media—when interacting with DeFi dApps. Before approving a transaction, double-check the contract address and the permissions requested. On Ethereum-based chains, tools like Etherscan can help confirm if a token contract is verified or flagged as malicious.

  • Secure your wallet: Use a hardware wallet for storing large amounts. Keep your seed phrase offline in a secure, private place—never enter it on websites or store it digitally in plain text. Enable passwords or encryption on wallet apps and be cautious when installing browser extensions or mobile apps to reduce the risk of backdoored software.

  • Be skeptical of free offers: Scammers often lure users with ‘free’ crypto—such as airdrops, giveaways, or guaranteed returns. Stick to the basics: if something sounds too good to be true, it probably is.

  • Monitor and revoke approvals: Periodically review which dApps have permission to spend tokens from your wallet. Use tools to revoke access you no longer need. This helps limit damage if a dApp you once trusted is later compromised.

  • Stay updated and informed: The DeFi landscape evolves rapidly—and so do scams. Many new threats are reported quickly on social media and forums. Staying informed can prevent you from becoming the next victim.

  • Use reputable platforms: Whether you’re using an exchange, a lending protocol, or a wallet, choose services with a strong reputation and track record. While no platform is entirely risk-free, scams are far more common on obscure or newly launched services with limited scrutiny.

  • Start small with new platforms: When trying out a new DeFi service, begin with a small test transaction. Confirm that deposits and withdrawals work as expected before committing larger funds. Scammers often rely on users investing large sums right away.
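Both the airdrop scam above (a site that asks for ‘unlimited token spending approval’) and the advice to monitor and revoke approvals come down to reading what an ERC-20 `approve` transaction actually grants before signing it. The decoder below is an added example, not code from the article or from any wallet: it parses the calldata of an `approve(address,uint256)` call, recovers the spender and the allowance, and returns the warnings a wallet should show when the allowance is the conventional ‘unlimited’ value (2**256 - 1), far above the amount the user intends to spend, or granted to a contract the user has not verified. The function selector is the standard ERC-20 one; the spender addresses and amounts are constructed placeholders.

```python
"""Inspect ERC-20 approve() calldata before signing it.

Added example, not from the original article. A phishing dApp that asks for
"unlimited token spending approval" submits a transaction whose data field is the
4-byte selector of approve(address,uint256) followed by two ABI-encoded 32-byte
words: the spender and the allowance. The selector is the standard ERC-20 one
(first 4 bytes of keccak256("approve(address,uint256)")); the spender addresses
and amounts below are constructed placeholders, not real contracts.
"""
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"      # approve(address,uint256)
MAX_UINT256 = 2**256 - 1           # the conventional "unlimited" allowance


@dataclass
class ApprovalRequest:
    spender: str        # 0x-prefixed, lower-case
    allowance: int      # raw token units, before applying decimals


def decode_approve(calldata_hex: str) -> ApprovalRequest:
    """Parse approve(spender, amount) calldata; raise if it is not that call."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for approve()")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError(f"selector {data[:8]} is not approve(address,uint256)")
    spender_word, amount_word = data[8:72], data[72:136]
    # An address is 20 bytes right-aligned in a 32-byte word; the first 24 hex
    # digits must be zero padding, otherwise the word is malformed.
    if spender_word[:24] != "0" * 24:
        raise ValueError("spender word is not a properly padded address")
    return ApprovalRequest(spender="0x" + spender_word[24:], allowance=int(amount_word, 16))


def assess_approval(req: ApprovalRequest, intended_amount: int, trusted_spenders) -> list[str]:
    """Return the warnings a wallet should show before the user signs."""
    warnings = []
    if req.allowance == MAX_UINT256:
        warnings.append("unlimited allowance: the spender could drain the entire token balance")
    elif intended_amount and req.allowance > 10 * intended_amount:
        warnings.append(f"allowance {req.allowance} is far above the intended {intended_amount}")
    if req.spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {req.spender} is not a known, verified contract")
    return warnings


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used here only to construct sample input."""
    spender_hex = spender.lower().removeprefix("0x")
    if len(spender_hex) != 40 or not (0 <= amount <= MAX_UINT256):
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + spender_hex.rjust(64, "0") + format(amount, "064x")


# Constructed sample: what a "claim your airdrop" site asks the wallet to sign,
# next to a normal approval for a DEX router the user has verified.
PHISHING_SPENDER = "0x" + "d" * 40          # placeholder, not a real contract
ROUTER = "0x" + "a" * 40                    # placeholder for a verified router
UNLIMITED_CALLDATA = encode_approve(PHISHING_SPENDER, MAX_UINT256)
REASONABLE_CALLDATA = encode_approve(ROUTER, 100 * 10**18)   # 100 tokens, 18 decimals


def review(calldata_hex: str, intended_amount: int = 100 * 10**18) -> list[str]:
    """Decode and assess one approval against the user's intent and trusted spenders."""
    return assess_approval(decode_approve(calldata_hex), intended_amount, [ROUTER])


if __name__ == "__main__":
    print("phishing approval:", review(UNLIMITED_CALLDATA))
    print("normal approval:", review(REASONABLE_CALLDATA))
```

The same decoder applies when auditing allowances already granted: an approval that was reasonable when a dApp was trusted becomes a liability if that dApp is later compromised, which is why the ‘monitor and revoke’ habit matters as much as the pre-signing check.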

Owning assets means owning your security

The world of cryptocurrency and DeFi offers unprecedented financial freedom and opportunity—but it also brings new forms of fraud and exploitation. Scams ranging from Ponzi schemes and rug pulls to phishing attacks and impersonation tactics continue to evolve. By understanding how these scams operate, investors and users can better protect themselves from deception.

In crypto, you are often in full control of your assets—which also means taking full responsibility for safeguarding them. Stay vigilant, verify everything, and never stop learning about the risks in this rapidly changing space. With knowledge and caution, DeFi users can enjoy the benefits while minimizing the risks posed by scammers.