What New Crypto Phishing Patterns Showed Up in 2026?

2026-05-30 · 链上迷雾

I refresh my phishing playbook yearly because this field evolves faster than most dApps. Defenses that blocked 2025 phishing miss the mark in 2026. This piece walks through patterns that are new in 2026 or newly common, with the cues that identify each.

I skipped the “old but still effective” stuff (fake exchange logins, fake support DMs); those are covered separately in how to spot fake support scams. Below are only the new ones.

1. AI voice impersonation with a full forged-document chain

A class scaling fast in 2026 is multimodal AI impersonation:

  • Voice plus video synthesized together, with real-time face-and-voice swap on video calls.
  • Paired with forged screenshots, emails, and PDF IDs, forming a full “trust chain.”
  • The target set widened from high-net-worth users to OTC sellers, community moderators, KOL assistants — anyone holding an info edge or funding rail.

Classic script: someone posing as a “core project member” or “exchange compliance” calls for a “quick verification,” then uses forged screenshots to steer you to “click this link to confirm.” The familiar face is just a filter that drops your guard.

The defense isn’t “telling real voices from fake.” It’s this: when any instruction during a call urges you to act immediately, hang up and verify it through a different channel. AI can mimic faces; it can’t mimic the physical act of cross-channel verification.

2. Smart-account delegation signatures (EIP-7702 and descendants)

As smart accounts and EOA-upgrade schemes spread on Ethereum and compatible chains, a new high-risk signature class shows up:

  • Attackers disguise the entry as “wallet upgrade,” “gasless experience,” or “batch swap tool.”
  • What you sign is an authorization that delegates your EOA to a contract — once signed, the attacker can act as your account and run a whole batch of operations, no longer limited to single-token approve.
  • Wallet UIs don’t yet render these signatures as readably as a transfer, so most users can’t tell what they signed.

Root logic is the same as approval phishing, only the blast radius is bigger — from “one token gone” to full account takeover.

Hard cues:

  • Signature type — keywords like “Authorization,” “Delegate,” or “SetCode.”
  • Target address — a contract you’ve never heard of and can’t find on mainstream explorers.
  • Origin — dressed up as “upgrade,” “migration,” or “claim.”

If any one of these makes you uncomfortable, reject the request outright. A small gas fee is always cheaper than the whole account.
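
The hard cues above can be checked mechanically. The following is an added example, not code from this article or from any wallet: it reads the EIP-7702 delegation designator (0xef0100 followed by the delegate address) out of an account's code and reviews authorization entries against a trusted list. The request shape (type, authorizationList, chainId, address) and all addresses are assumptions constructed for illustration.

```javascript
// Added example (not from the article): review EIP-7702 data defensively.
// Field names chainId/address/authorizationList are assumed; libraries differ.
const DESIGNATOR = /^0xef0100([0-9a-f]{40})$/; // 0xef0100 || 20-byte delegate
const ZERO = "0x" + "0".repeat(40);

// Given an EOA's on-chain code (e.g. from eth_getCode), return the contract
// it is delegated to, or null when the account carries no delegation.
function delegateFromCode(code) {
  const m = DESIGNATOR.exec(String(code).toLowerCase());
  return m ? "0x" + m[1] : null;
}

// Review one authorization entry against delegates the user already trusts.
function reviewAuthorization(auth, trustedDelegates) {
  const target = String(auth.address).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(target) || auth.chainId === undefined)
    return { verdict: "reject", findings: ["malformed authorization"] };
  if (target === ZERO) // zero address clears a delegation instead of setting one
    return { verdict: "revocation", findings: [] };
  const findings = [];
  if (BigInt(auth.chainId) === 0n) findings.push("chainId 0: valid on every chain");
  if (!trustedDelegates.map((a) => a.toLowerCase()).includes(target))
    findings.push("delegate not in trusted list");
  return { verdict: findings.length ? "reject" : "review", findings };
}

// A set-code transaction (type 0x04) carries a list of authorizations.
function reviewRequest(tx, trustedDelegates) {
  const list = tx.authorizationList || [];
  if (Number(tx.type) !== 4 && list.length === 0) return []; // ordinary tx
  return list.map((a) => reviewAuthorization(a, trustedDelegates));
}

// Constructed sample values, not real addresses.
const TRUSTED = ["0x" + "11".repeat(20)];
const sampleTx = {
  type: "0x4",
  authorizationList: [{ chainId: "0x0", address: "0x" + "Ab".repeat(20), nonce: "0x0" }],
};
console.log(reviewRequest(sampleTx, TRUSTED));
console.log(delegateFromCode("0xef0100" + "ab".repeat(20)));
```

A "review" verdict only means no automatic red flag fired; the origin cue still has to be judged by the person signing.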

3. Telegram embedded dApps and Mini App spoofing

After Telegram Mini Apps scaled, scammers started impersonating embedded dApps:

  1. A respectable-looking bot appears in a group, named after a protocol you use.
  2. Tapping “Open” launches a full-screen Web view inside Telegram, indistinguishable from the real site.
  3. WalletConnect or an in-app wallet asks for signatures — same logic as external phishing, just shelled in Telegram.
  4. Some versions ask you to import your seed into an “in-app wallet” — that hands over everything.

Counter: never complete a wallet signature or seed input inside a Telegram embedded view. If you need to transact, copy the official domain to an external browser and follow your normal safety flow. This pattern is unpacked further in Telegram auto trading bot scams. Telegram is for chatting, not signing.

4. The “real contract plus malicious front-end” combo

The meanest one. Attackers don’t deploy an obviously malicious contract. Instead:

  • They use a real, often widely integrated protocol contract as the backend.
  • They manipulate the front-end — hijacking an aggregator domain, or compromising an acquired small tool site and swapping its scripts.
  • Your “approve” or “swap” looks like it hits the real protocol. The allowance target or swap path actually points at an attacker address.

It is mean because contract scanners see the real contract and rate the interaction as safe. Afterward your wallet history only shows “interacted with a well-known protocol,” so a first-pass post-mortem misses the culprit.

Push back:

  • Be extra wary of small tool sites that haven’t updated for months and suddenly push announcements.
  • For any approve, read the spender address — at minimum check the last four match what you expect.
  • Split important ops across wallets in clean layers — the same “casino wallet” logic from Pump.fun rug cases.
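
Reading the spender can be done from the raw calldata rather than from whatever name the front-end displays. The following is an added example, not code from this article: it decodes approve and setApprovalForAll calls and compares the complete spender address, which is stricter than the last-four minimum above. The addresses and calldata are constructed for illustration.

```javascript
// Added example (not from the article): decode approval calldata and compare
// the complete spender address with the one the user expects.
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address,uint256)
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Returns { kind, spender, value } or null when the call is not an approval.
function decodeApproval(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const kind = SELECTORS[hex.slice(0, 8)];
  if (!kind) return null;
  if (!/^[0-9a-f]{136}$/.test(hex)) throw new Error("unexpected calldata length");
  const addrWord = hex.slice(8, 72);
  if (!addrWord.startsWith("0".repeat(24))) throw new Error("malformed address word");
  return { kind, spender: "0x" + addrWord.slice(24), value: BigInt("0x" + hex.slice(72)) };
}

// Returns null for non-approval calls, otherwise the decoded call + findings.
function checkApproval(data, expectedSpender) {
  const call = decodeApproval(data);
  if (!call) return null;
  const findings = [];
  if (call.spender !== expectedSpender.toLowerCase())
    findings.push("spender differs from the expected address");
  if (call.kind === "approve" && call.value === MAX_UINT256)
    findings.push("unlimited allowance");
  if (call.kind === "setApprovalForAll" && call.value === 1n)
    findings.push("operator approval over the whole collection");
  return { ...call, findings };
}

// Constructed sample: same last four characters as EXPECTED, different address.
const EXPECTED = "0x" + "1a".repeat(18) + "beef";
const UNEXPECTED = "0x" + "9c".repeat(18) + "beef";
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const sampleData = "0x095ea7b3" + pad(UNEXPECTED) + "f".repeat(64);
console.log(checkApproval(sampleData, EXPECTED));
```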

5. Official-style emails dressed as “compliance notices”

The last category isn’t novel, but production quality leapt. Backed by leaked KYC data, scammers send emails:

  • Addressed to your real name with the last four digits of your registered exchange phone number.
  • Using official-sounding language — “FATF compliance update,” “tax filing verification,” “platform asset migration.”
  • Landing on a page indistinguishable from the official one, asking you to “verify identity to keep using your account.”

If you suspect you’re on a leaked KYC list, this hits several times harder. Work through “your exchange KYC data got leaked — now what,” and never enter through a link in the email; go in through your own saved official entry.

| Pattern | Key tell | One-line catch |
|---|---|---|
| AI voice | Video call urging immediate action | Hang up, verify elsewhere |
| Delegation sig | Popup includes Authorization/Delegate | Reject, not by feel |
| Telegram embed | Mini App asks for signing/seed | Move to external browser |
| Real contract + fake UI | Spender address unfamiliar | Read spender, not name |
| Compliance email | “Verify now” link inside | Don’t click; enter site yourself |

Five variants, one spine

These five look very different but share one spine: a plausible entry that lures you into a critical action you wouldn’t normally take. Signature, transfer, or seed input — that one moment decides the outcome.

Build your daily habits one by one, then layer in this five-pattern list. The rest is refusing to grant yourself temporary exceptions: friend intros, hot group recs, and “official upgrades” all go through the same flow. Exceptions are the favorite opening move of every scam.

This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.
