Scams

In a Wednesday report drawing on roughly 2,500 internal investigations, AMLBot found that 65% of the 2025 crypto incidents it handled involved social engineering and user access or response lapses rather than protocol flaws. By case count, investment scams led at 25%, followed by phishing at 18% and device compromises at 13%.

On February 17, 2026, blockchain security firm Cyvers reported a $600,000 loss tied to an address poisoning scheme that leveraged zero‑value transfers and a copy‑paste mistake. Similar incidents since December 2025 include $514,000 and $12.25 million losses, while researchers estimate more than one million poisoning attempts occur each day on Ethereum.

On Feb. 13, cybersecurity expert Dmitry Smilyanets reported receiving a fake Trezor-branded letter demanding an "Authentication Check" by Feb. 15 or risk device restrictions, with a QR code leading to a phishing site. The scam, which mislabels Trezor CEO Matěj Žák as "Ledger CEO," targets hardware wallet users whose postal data was exposed in past breaches and attempts to trick them into entering seed recovery phrases. Similar physical letters and QR-based attacks have been reported against Ledger users since at least October last year, following multiple data leaks impacting both Ledger and Trezor customers.

According to the report, scammers are mailing hardware wallet users letters that mimic Trezor and Ledger notices, pushing recipients to scan QR codes and enter recovery phrases. The messages cite urgent security checks and route to clone setup pages that accept 12-, 20-, and 24-word seeds. Hardware wallets are not compromised, but revealing a seed enables immediate wallet takeover.

On February 16, South Korea's Financial Supervisory Service said it will expand its AI-driven VISTA platform by adding an Nvidia H100 GPU using a 170 million Korean won ($117,640 USD) budget, aiming to improve real-time detection of market manipulation. The agency targets completing the hardware addition by the second quarter and is advancing algorithms to spot suspicious accounts and abnormal trading patterns.

Indian police conducted a nationwide crackdown from February 7 to 13, arresting six suspects linked to alleged investment, loan app and part-time job fraud involving crypto-related schemes. Authorities say they traced illicit funds across multiple states, recovered about Rs. 16.9 lakh for victims through court orders, and warned residents to be cautious when engaging with unknown contacts online.

Vietnam's crypto sector has cooled as the market retreated from October's record, with industry figures citing closures, layoffs, and relocations. In January, authorities began taking applications for licensed exchanges with a 10 trillion VND ($400 million) capital threshold, while executives say weak sentiment and unclear rules are keeping users and new ventures on the sidelines.

Ledger and Trezor hardware wallet users are being targeted in a postal QR code scam that attempts to steal their recovery phrases. Criminals are mailing fake compliance letters with a February 15 deadline, pushing users to scan QR codes that lead to phishing sites and submit their seed phrases. The fraudulent sites impersonate official domains and warn of lost wallet functionality to pressure victims into handing over full access to their funds.

Former SafeMoon CEO Braden John Karony was sentenced to 8 years in prison in Brooklyn federal court after a jury conviction in May 2025 for his role in a multi-million dollar crypto fraud involving SafeMoon’s liquidity pools. He was ordered to forfeit about $7.5 million, with additional restitution to victims still to be set, while prosecutors say more than $9 million in cryptocurrency was misappropriated to fund luxury cars and real estate.

On February 14, 2026, researchers at iVerify reported a mobile spyware platform called ZeroDayRAT that can fully compromise Android and iOS devices. The tool is reportedly sold on Telegram and lets attackers control phones, capture GPS data, access notifications from banking and crypto apps, and intercept SMS one-time passwords. Victims are infected through links in smishing texts, phishing emails, fake app stores, and messaging apps.