Cryptocurrency scams are becoming increasingly sophisticated. In 2024 alone, crypto scam losses exceeded $5 billion globally, according to blockchain analytics firms. While no single indicator is definitive proof of a scam, certain patterns appear repeatedly across fraudulent addresses. Recognizing these red flags can help you avoid becoming a victim.
Red Flag 1: Brand-New Addresses with No Transaction History
One of the most common characteristics of scam addresses is that they are newly created with little or no transaction history. Scammers frequently generate fresh addresses for each campaign to avoid detection and to prevent their addresses from being flagged in scam databases before they can collect funds.
A legitimate business or long-standing individual will typically have an established address with a history of transactions that can be verified. If someone claims to represent a well-known project but provides an address that was created days or hours ago, that discrepancy should give you pause.
Of course, new addresses are not inherently suspicious. Everyone starts with a new address at some point. The red flag arises when a new address is combined with claims of legitimacy, authority, or urgency. A new address attached to a high-pressure sales pitch is a strong warning sign.
What to do
Check the address on a blockchain explorer to see its creation date and transaction count. If someone claims the address belongs to a business or established entity but it has zero or very few transactions, request verification through an official channel before proceeding.
Red Flag 2: Funds Routed Through Mixing Services
Mixing services, also known as tumblers, are designed to obscure the trail of cryptocurrency transactions by pooling funds from multiple users and redistributing them. While there are legitimate privacy reasons to use mixers, they are also heavily used by scammers and money launderers to hide the origins and destinations of stolen funds.
If blockchain analysis reveals that an address has received funds from or sent funds to known mixing services, it does not automatically mean the address is a scam. However, in the context of a transaction where someone is asking you to send funds, mixer usage in their address history is a concerning signal. Legitimate businesses rarely need to obscure their transaction history.
Some mixing services, such as Tornado Cash, have been sanctioned by OFAC. Interacting with addresses that have direct connections to sanctioned mixers carries not only scam risk but also legal risk, as discussed in our article on OFAC sanctions.
What to do
Use Crypto404 to scan the address. The scan results will flag connections to known mixing services. If you see mixer-related flags, proceed with extreme caution and consider finding an alternative way to verify the legitimacy of the address.
Red Flag 3: Multiple Small, Rapid Transactions
Scam addresses often exhibit a distinctive pattern of many small incoming transactions followed by rapid consolidation and withdrawal to another address or an exchange. This pattern reflects the typical lifecycle of a scam: the operator receives small payments from multiple victims, then quickly sweeps the accumulated funds to cash out before the addresses get flagged.
This pattern is particularly common in "advance fee" scams, fake airdrops, and fraudulent investment platforms. The scam operator provides a deposit address, collects payments from many victims in small amounts, and then drains the address. The speed of the transactions is notable because the scammer wants to maximize collections before victims start reporting.
Another variation is the "dust attack" pattern, where tiny amounts of cryptocurrency are sent to many addresses. While not always a scam, dust attacks can be used for address tracking or phishing purposes. If you receive an unsolicited small amount from an unknown address, be cautious about interacting with the sending address.
What to do
Review the address's transaction history on a blockchain explorer. If you see dozens or hundreds of small incoming transactions from different addresses, especially within a short time frame, this is a strong indicator of scam activity. Report the address through Crypto404's reporting feature to help protect other users.
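The collect-then-sweep pattern described in this section can be checked mechanically once you have an address's history exported from an explorer. The following is an added example, not code from Crypto404 or any explorer; the record layout, the sample data, and every threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamps, not real chain data

# Constructed history: (time, direction, counterparty, amount in integer base units)
SAMPLE_SCAM = [(T0 + timedelta(minutes=2 * i), "in", f"sender{i}", 2_000_000 + 100_000 * i)
               for i in range(30)]
SAMPLE_SCAM.append((T0 + timedelta(minutes=70), "out", "exchange_deposit", 100_000_000))

# Constructed benign history: one small deposit per day for 30 days, nothing swept out.
SAMPLE_SLOW = [(T0 + timedelta(days=i), "in", f"customer{i}", 2_000_000) for i in range(30)]


def find_collect_and_sweep(txs, window=timedelta(hours=6), min_senders=24,
                           small=5_000_000, sweep_delay=timedelta(hours=2),
                           sweep_ratio=0.8):
    """Return the first burst of small deposits from many distinct senders that is
    swept out soon afterwards, or None. All thresholds are illustrative assumptions."""
    txs = sorted(txs, key=lambda t: t[0])
    small_in = [t for t in txs if t[1] == "in" and t[3] <= small]
    start = 0
    for end, (when, _, _, _) in enumerate(small_in):
        # Slide the window so it never spans more than `window` of time.
        while when - small_in[start][0] > window:
            start += 1
        burst = small_in[start:end + 1]
        senders = {t[2] for t in burst}
        if len(senders) < min_senders:
            continue
        collected = sum(t[3] for t in burst)
        # Outgoing value leaving shortly after the burst's last deposit.
        swept = sum(t[3] for t in txs
                    if t[1] == "out" and when <= t[0] <= when + sweep_delay)
        if swept >= sweep_ratio * collected:
            return {"senders": len(senders), "collected": collected,
                    "swept": swept, "burst_start": burst[0][0], "burst_end": when}
    return None


if __name__ == "__main__":
    print(find_collect_and_sweep(SAMPLE_SCAM))   # burst found
    print(find_collect_and_sweep(SAMPLE_SLOW))   # None
```

A match is a reason to look closer, not proof: as the article notes, no single indicator is definitive, and a busy merchant address that forwards funds on a schedule can trip the same thresholds.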
Red Flag 4: Addresses Linked to Phishing Domains
Phishing remains one of the most effective attack vectors in the crypto space. Scammers create fake websites that closely mimic legitimate platforms, complete with professional designs, copied logos, and similar domain names. These phishing sites display wallet addresses controlled by the scammer, tricking users into sending funds or connecting their wallets.
Common phishing patterns include fake token sale websites, counterfeit exchange login pages, fraudulent wallet interfaces, and impostor project websites. The addresses displayed on these sites are scam addresses, and any funds sent to them are lost. Additionally, connecting your wallet to a phishing site can result in approval transactions that drain your wallet entirely.
These phishing campaigns are often promoted through social media ads, fake search engine results, compromised social media accounts, and spam emails. The scammers invest significantly in making these sites look authentic, making visual inspection alone unreliable.
What to do
Always verify website URLs carefully before interacting with them. Bookmark the official sites you use regularly. Use Crypto404 to scan any address before sending funds, as addresses associated with reported phishing sites will appear in community databases. If you encounter a phishing site, report both the domain and the associated addresses.
Red Flag 5: Addresses Appearing in Crowdsourced Scam Databases
The crypto community has built several crowdsourced databases where users can report and check scam addresses. Platforms like ChainAbuse, BitcoinAbuse, and Crypto404's own reporting system aggregate reports from victims to create a collective defense against scammers.
If an address appears in one or more of these databases, it means at least one person has reported it as being involved in fraudulent activity. While individual reports should be evaluated critically, since false reports are possible, multiple independent reports about the same address are a very strong signal that the address is malicious.
Crypto404 integrates data from multiple community reporting platforms, including ChainAbuse, giving you access to a broad range of community intelligence in a single scan. The platform weighs the number and nature of reports to produce a risk assessment that reflects the collective knowledge of the crypto community.
What to do
Always scan addresses with Crypto404 before transacting. If an address has community reports against it, take them seriously. Read the details of the reports if available to understand the nature of the alleged scam. And importantly, contribute to the community's safety by reporting scam addresses you encounter through Crypto404's report feature.
How to Report Scam Addresses
If you have been scammed or have identified a scam address, reporting it helps protect others. You can report addresses directly through Crypto404's Report Address feature, which adds the information to our database and makes it available during future scans. Additionally, consider reporting to ChainAbuse, filing a complaint with the FBI's IC3 (Internet Crime Complaint Center), and alerting the relevant blockchain's community channels.