Asset Security

What New Crypto Phishing Patterns Showed Up in 2026?

2026-05-30 · 链上迷雾

I refresh my phishing playbook yearly because this field evolves faster than most dApps. Reactions that blocked 2025 phishing miss the ball in 2026. This walks through patterns new in 2026 or newly common, with identifying cues.

I skipped the “old but still effective” stuff — fake exchange logins, fake support DMs — they have their own how to spot fake support scams. Below are only the new ones.

1. AI voice impersonation with a full forged-document chain

A class scaling fast in 2026 is multimodal AI impersonation:

  • Voice plus video synthesized together, with real-time face-and-voice swap on video calls.
  • Paired with forged screenshots, emails, and PDF IDs, forming a full “trust chain.”
  • The target set widened from high-net-worth users to OTC sellers, community moderators, KOL assistants — anyone holding an info edge or funding rail.

Classic script: someone posing as “core project member” or “exchange compliance” calls for a “quick verification,” then uses forged screenshots to steer you to “click this link to confirm.” The familiar face is just a filter that drops your guard.

The defense isn’t “telling real voices from fake.” It’s: any instruction urging you to act immediately during a call gets hung up on and verified through a different channel. AI can mimic faces; it can’t mimic the physical act of cross-channel verification.

A split-screen composition with a laptop showing a fake video call on the left and a forged ID document PDF plus a transfer dialog on the right, dim cool blue office lighting, no identifiable faces

2. Smart-account delegation signatures (EIP-7702 and descendants)

As smart accounts and EOA-upgrade schemes spread on Ethereum and compatible chains, a new high-risk signature class shows up:

  • Attackers disguise the entry as “wallet upgrade,” “gasless experience,” or “batch swap tool.”
  • What you sign is an authorization that delegates your EOA to a contract — once signed, the attacker can act as your account and run a whole batch of operations, no longer limited to single-token approve.
  • Wallet UIs don’t yet render these signatures as readably as a transfer, so most users can’t tell what they signed.

Root logic is the same as approval phishing, only the blast radius is bigger — from “one token gone” to full account takeover.

Hard cues:

  • Signature type — keywords like “Authorization,” “Delegate,” or “SetCode.”
  • Target address — a contract you’ve never heard of and can’t find on mainstream explorers.
  • Origin — dressed up as “upgrade,” “migration,” or “claim.”

Any one uncomfortable, reject directly. A small gas fee is always cheaper than the whole account.

3. Telegram embedded dApps and Mini App spoofing

After Telegram Mini Apps scaled, scammers started impersonating embedded dApps:

  1. A respectable-looking bot appears in a group, named after a protocol you use.
  2. Tapping “Open” launches a full-screen Web view inside Telegram, indistinguishable from the real site.
  3. WalletConnect or an in-app wallet asks for signatures — same logic as external phishing, just shelled in Telegram.
  4. Some versions ask you to import your seed into an “in-app wallet” — that hands over everything.

Counter: never complete a wallet signature or seed input inside a Telegram embedded view. If you need to transact, copy the official domain to an external browser and follow your normal safety flow. This shadow is unpacked further in Telegram auto trading bot scams. Telegram is for chatting, not signing.

A messaging app interface with a list on one side and a full-screen embedded web view on the other, the embedded view dressed as a wallet with a prominent seed phrase input field, warning red glow framing the input

4. The “real contract plus malicious front-end” combo

The meanest one. Attackers don’t deploy an obviously malicious contract. Instead:

  • They use a real, often widely integrated protocol contract as the backend.
  • They manipulate the front-end — hijacking an aggregator domain, or compromising an acquired small tool site and swapping its scripts.
  • Your “approve” or “swap” looks like it hits the real protocol. The allowance target or swap path actually points at an attacker address.

Mean because contract scanners see the real contract and rate the interaction safely. Your wallet history afterward only shows “interacted with a well-known protocol” — first-pass post-mortem misses the culprit.

Push back:

  • Be extra wary of small tool sites that haven’t updated for months and suddenly push announcements.
  • For any approve, read the spender address — at minimum check the last four match what you expect.
  • Split important ops across wallets in clean layers — the same “casino wallet” logic from Pump.fun rug cases.

An abstract diagram showing a softly glowing legitimate protocol contract in the background while a hijacked front-end script in the foreground redirects glowing token streams to a hidden attacker address

5. Official-style emails dressed as “compliance notices”

The last category isn’t novel, but production quality leapt. Backed by leaked KYC data, scammers send emails:

  • Addressed to your real name with the last four digits of your registered exchange phone number.
  • Using official-sounding language — “FATF compliance update,” “tax filing verification,” “platform asset migration.”
  • Landing on a page indistinguishable from the official one, asking you to “verify identity to keep using your account.”

If you suspect you’re in a leaked KYC list, this hits several times harder. Run it through your exchange KYC data got leaked — now what: never enter through a link in the email — go in through your own saved official entry.

Pattern Key tell One-line catch
AI voice Video call urging immediate action Hang up, verify elsewhere
Delegation sig Popup includes Authorization/Delegate Reject, not by feel
Telegram embed Mini App asks for signing/seed Move to external browser
Real contract + fake UI Spender address unfamiliar Read spender, not name
Compliance email “Verify now” link inside Don’t click; enter site yourself

Five variants, one spine

These five look very different but share one spine: a plausible entry that lures you into a critical action you wouldn’t normally take. Signature, transfer, or seed input — that one moment decides the outcome.

Build your daily habits one by one, then layer in this five-pattern list. The rest is not granting yourself temporary exceptions — friend intros, hot group recs, “official upgrades” all go through the same flow. Exceptions are the favorite opening move of every scam.

This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.

Latest

Industry Events

BTC ETFs Bled for 10 Straight Days, $2.97B Out — What It Means for Ordinary Users

Through June 4, US spot Bitcoin ETFs posted ten consecutive sessions of net outflows totaling about $2.97B — one of the longest negative streaks since launch. This piece breaks down what the number says and, just as important, what it does not.

Mindset & FOMO

AI Is Siphoning Crypto Money — Should You Chase the Rotation?

Early June showed a clear flow: money rotating from crypto into AI. Nvidia at a new high, BTC and ETH softer. "Is crypto past its prime" surfaced again. This piece does not pick a winner. It answers how mindset should behave during sector siphon.

Mindset & FOMO

ETH Slipped Below 2,000 — How Should the Believers Recalibrate?

ETH crossed below the 2,000 psychological line in early June while on-chain activity softened. For self-described "ETH believers," this is a subtler mindset test than the 2022 bear: not one obvious red candle but a slow grind lower.

Mindset & FOMO

BTC Broke Below 67k — Should You Buy the Dip? A June Mindset Check

BTC sliced through 67k in early June and briefly tested 61k intraday. The dip-buying itch is back. This piece does not call the next candle. It asks one question: at this level, what rules should your mindset follow before you click buy.

Mindset & FOMO

US–Iran Tension Escalating — How Should a Crypto Portfolio React?

Early June saw a fresh US–Iran flare-up — oil spiked, risk assets weakened, BTC and ETH dropped together. Headlines change every half day; positions cannot. Here is how a crypto portfolio should behave under geopolitical shocks.

Asset Security

After a Drainer Empties Your Wallet, Is There Any Path to Recovery?

Once you discover a drainer has emptied your wallet, what you can do in the next hour is limited, but the order matters. This post lays out the recovery paths along a timeline: on-chain tracing, platform freeze requests, formal reporting, mixer realities, and longer-term recovery.