
How it works: Cold outreach manufactures urgency and reroutes you to look-alike pages that steal logins, 2FA codes, or seed phrases. Variations include domain lookalikes (punycode/homoglyphs), fake support portals, OAuth “Sign in with X” traps that grant broad account access, and QR codes that request wallet permissions. The pressure—“final notice,” “account at risk”—is the engine.
How It Plays Out
It starts polite: “We detected unusual activity. To avoid suspension, verify within 30 minutes.” The sender name looks right; the domain almost does. In the link, an accented character hides inside the brand—close enough at a glance, wrong on inspection. You’re between tasks, so you tap.
The page is perfect theater. Same logo, same layout, even a banner from last month’s promo. You type your email and password; the spinner thinks for a second, then asks for your six-digit code. You approve a push on your phone because MFA is good, right? Somewhere else, a login succeeds. The site then errors out—“Try again later.” That’s the handoff: your credentials are spent, the session lives elsewhere.
Sometimes the hook is OAuth. A friendly “Continue with Exchange” button opens a consent screen that looks harmless—until you read the scopes: read balances, create API keys, trade. You accept because it’s faster. Minutes later, a bot in their stack tests withdrawals on any venue where your API key allows them. Or the hook is a QR code that opens your wallet and asks for a broad permission—set approval for all—disguised as a “security re-verification.”
Another variant plays on panic: an MFA fatigue attack. Your phone floods with approval prompts at 1 a.m. In the fog, you hit accept to make it stop. That was the only yes they needed.
You can unwind most of this if you act like a professional instead of a character in their play. On a second device you know is clean, go straight to the official sites—no links. Change passwords to unique, manager-generated ones. Reset your authenticator seeds (don’t just move apps). In your account security pages, revoke every OAuth integration you don’t recognize. On exchanges, delete and recreate API keys with minimum permissions and IP allowlists; where possible, disable withdrawals on keys entirely. In your wallets, visit an approval viewer and revoke token approvals you don’t recognize. If a SIM-swap is suspected, set a carrier port-freeze and migrate critical accounts to app-based 2FA with recovery codes printed and offline.
When you return to the email, read it like a crime scene. The return path doesn’t match the display name. The footer points to a privacy policy on a different domain. The unsubscribe link goes nowhere. All of it was confidence on credit. Your future self pays it back unless you build the boring habits now: origin over inbox, bookmarks over search ads, second-channel confirmations for anything that touches custody.
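The "accented character inside the brand" and punycode look-alikes described above can be checked mechanically before anyone taps a link. The following is an added example, not part of the original guide: it decodes `xn--` labels, folds accents and a few look-alike letters, and compares the result with domains you already trust. It also goes one step further and flags a trusted name used as the prefix of another domain. The domain `exchange.example`, the `TRUSTED` set and the small `CONFUSABLE` map are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: domains you actually hold accounts on, taken from your bookmarks.
TRUSTED = {"exchange.example"}
# Constructed subset of Cyrillic/Greek look-alikes; the real Unicode
# confusables table is far larger.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u03bf": "o"}

def to_unicode(host):
    """Decode xn-- (punycode) labels so hidden characters become visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold accents and the look-alike letters above to plain ASCII."""
    folded = unicodedata.normalize("NFKD", host)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return "".join(CONFUSABLE.get(c, c) for c in folded)

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify_link(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the link's host."""
    host = urlsplit(url).hostname or ""
    try:
        shown = to_unicode(host)
    except UnicodeError:          # malformed punycode: cannot be vouched for
        return "unknown"
    if any(under(shown, d) for d in TRUSTED):
        return "trusted"
    folded = skeleton(shown)
    # Same skeleton as a trusted name, or the trusted name used as a prefix
    # of some other domain (exchange.example.verify.test).
    if any(under(folded, d) or folded.startswith(d + ".") for d in TRUSTED):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for url in ("https://exchange.example/login",
                "https://exchang\u00e9.example/verify",
                "https://exch\u0430nge.example/verify"):
        print(classify_link(url), url.encode("ascii", "backslashreplace").decode())
```

A "lookalike" result means the host only resembles a trusted name after folding; "unknown" means the checker has no opinion, not that the link is safe.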
Pocket anchors: If it’s urgent, navigate yourself. Approvals beat passwords; revoke what you don’t use. Do resets from a clean device, not the compromised one.
If section 1 saves your wallet, section 2 saves you.
The second half of this field guide isn’t about fake apps or bad links. It’s about the moments where you feel certain—and that certainty is the trap.
You won’t recognize them by code. You’ll recognize them by how they make you feel: rushed, special, safe, unstoppable.
That’s why you can’t stop here. If you walk away now, the first scam that talks to you—really talks to you—will take more than your coins. It will take your balance, your calm, and your sense that you can tell the difference.
Keep going.
Study section 2. The next pages show you how persuasion turns into permission—step by step—so you can freeze the frame and catch the move before it catches you.