Nine crypto scams every investigator should be able to spot in 2026
Pig butchering, fake recovery agents, address poisoning — a tour of the nine crypto fraud patterns we currently see most often, and the on-chain signatures that give them away.
Lieke van der Velde
Lead Crypto Investigator
Crypto fraud has not slowed in 2026 — it has industrialised. Romance-driven pig butchering operations now run with call-centre discipline, address poisoning has moved from a curiosity to a default tactic, and an entire cottage industry of fake 'recovery agents' preys on victims a second time. This briefing maps the nine patterns our investigators see most often, and the on-chain signatures that give each of them away.
1. Pig butchering (sha zhu pan)
Long-form social engineering: the perpetrator builds rapport over weeks via a dating app or messenger, then directs the victim to a fake trading platform. Withdrawals work for the first few small amounts; once the deposit grows, fees and 'tax' demands appear. By the time the victim contacts law enforcement, funds have already been swept through several deposit addresses to a centralised exchange.
On-chain signature: rapid splits across 3-7 hops to consolidation addresses, then bridge to TRX or BSC.
Telltale: the 'platform' shows a stablecoin balance the victim never actually controls.
Practical step: secure full message history before the victim deletes it; the platform domain rotates quickly.
2. Fake recovery / 'asset back' services
Once a victim posts publicly about being scammed, a second wave of operators contacts them claiming they can recover funds — for a fee, usually paid in stablecoins, of course. We have seen the same wallet networks reappear behind both the original scam and the supposed recovery service.
3. Address poisoning
The attacker generates a vanity address whose first and last characters match an address the victim has recently transacted with, then sends a tiny dust amount. Wallets that suggest 'recent recipients' will offer the spoofed address. One paste later, six figures gone.
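An added example (not from the original briefing or any vendor tool): one way to screen a victim's transfer history for the pattern above, flagging inbound dust whose sender shares the first and last characters of an address the victim had already paid, and totalling what was later sent to the lookalike. It assumes EVM-style hex addresses; the Transfer record, function names, thresholds and sample addresses are constructed for illustration.

```python
from collections import namedtuple

# Hypothetical record type: one token transfer, amount in token units.
Transfer = namedtuple("Transfer", "sender recipient amount")

def norm(addr):
    """Lower-case a hex address and drop a leading 0x so only the body is compared."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def is_lookalike(candidate, known, n=4):
    """True when the addresses differ but share their first and last n characters."""
    c, k = norm(candidate), norm(known)
    return c != k and c[:n] == k[:n] and c[-n:] == k[-n:]

def find_poisoning(victim, transfers, dust=1.0, n=4):
    """Scan transfers in chronological order.

    Returns one finding per inbound dust transfer whose sender imitates an
    address the victim had already paid, with the total later sent to it.
    """
    me = norm(victim)
    paid = []       # counterparties the victim has sent to so far
    findings = []
    for i, t in enumerate(transfers):
        if norm(t.sender) == me:
            paid.append(t.recipient)
        elif norm(t.recipient) == me and t.amount <= dust:
            imitated = next((k for k in paid if is_lookalike(t.sender, k, n)), None)
            if imitated is None:
                continue
            spoof = norm(t.sender)
            lost = sum(x.amount for x in transfers[i + 1:]
                       if norm(x.sender) == me and norm(x.recipient) == spoof)
            findings.append({"spoof": t.sender, "imitates": imitated,
                             "dust_index": i, "sent_to_spoof": lost})
    return findings

# Constructed sample data, not real addresses or transactions.
VICTIM = "0x" + "11" * 20
LEGIT = "0xa1b2" + "c3d4e5f6" * 4 + "5678"
SPOOF = "0xa1b2" + "0" * 32 + "5678"
OTHER = "0x" + "9f" * 20
HISTORY = [
    Transfer(VICTIM, LEGIT, 5000.0),     # genuine payment to a known counterparty
    Transfer(OTHER, VICTIM, 0.5),        # small inbound, but not a lookalike
    Transfer(SPOOF, VICTIM, 0.01),       # dust from an address imitating LEGIT
    Transfer(VICTIM, SPOOF, 120000.0),   # the misdirected payment
]
```

A non-zero sent_to_spoof value marks the misdirected payment and gives the starting address for the onward trace.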
4. Approval drainers
A phishing site asks the victim to 'verify' or 'claim an airdrop'; what they actually sign is an unlimited token approval to a drainer contract. Funds disappear the next time the victim moves them. The drainer kits are now sold as a service, with a 20-30% revenue share for the affiliate.
5. Fake mining / staking platforms
The classic 'too good to be true' yield. Often run on Tron or BSC because gas is negligible, with a polished dashboard and a small army of Telegram 'community managers'. The platform pays for two or three weeks to encourage referrals, then disappears.
6. Job-offer / task scams
Common in Southeast Asia and the Levant. Victims are promised easy work — clicking buttons, watching videos — but must 'unlock' tasks by depositing increasing amounts of stablecoins. Withdrawal is always 'one more deposit' away.
7. SIM swap and account takeover
Not strictly a crypto-only scam, but the financial reward is what makes it worth the effort. Investigators should expect to need both telecoms records and exchange records to make a case stick.
8. Rug pulls and 'meme' tokens
A new token launches with manufactured hype, the team accumulates liquidity from retail buyers, then dumps. On-chain, you'll see a small handful of wallets receiving the bulk of token supply at deployment, and one or two large LP withdrawals at the end.
9. Boiler-room style 'investment advisors'
Old-school telephone fraud reborn for crypto. A polished cold call, a 'demo' account, and a steady drip of 'opportunities' to deposit more. We have helped recover assets in several civil proceedings against these networks together with specialised counsel.
What to do when a case lands on your desk
Capture the full conversation history before the victim is tempted to delete it.
Identify every address involved — the victim's, the platform's deposit address, and any onward addresses.
Run a Reactor or TRM trace within the first 24-48 hours; the longer you wait, the more likely funds have been bridged or off-ramped.
Engage the receiving exchange immediately, ideally with a freezing request supported by counsel.
Document everything for both the criminal and civil track — many of our recoveries come from civil seizure, not criminal forfeiture.
FAQ
How quickly do you need to act?
The first 24-72 hours are the most productive. After that, funds have usually been bridged across chains or off-ramped through OTC desks, and recovery becomes significantly harder.
Do you work directly with victims?
Yes — together with our partner law firms (Hupkes Advocaten and Tuerlinckx). We focus on the on-chain investigation; counsel handles the civil proceedings.
Do you train internal teams in crypto investigations?
Our Academy runs Chainalysis-, TRM- and DataExpert-curriculum courses for investigators, compliance officers and FIU analysts in English, Dutch and German.