Scams

In its 2026 crypto crime report released on Wednesday, TRM Labs said the use of large language models in scams increased fivefold in 2025. It reported $35 billion in crypto was sent to scammer addresses last year, down from $38 billion in 2024, while illicit wallets received about $158 billion and the illicit share fell to 1.2%.

TRM Labs' latest report finds crypto-related crime totaled $158 billion in 2025, up 145% from 2024, while illicit transactions comprised 1.2% of on-chain volume. The firm also measured a 2.7% share of deployable liquidity captured by illicit actors, down from 2.9%, as sanctions-linked stablecoin flows and major hacks drove activity.

On January 28, 2026, cybersecurity researcher Jeremiah Fowler reported uncovering a 96 GB database containing more than 149 million unique logins and passwords that had been left exposed online. The unprotected trove includes credentials for users of major services such as Gmail, Facebook, Instagram, TikTok, Netflix, Binance and OnlyFans, as well as accounts with .edu and .gov domains. Fowler says the records were accessible without encryption or password protection, and that the total number of entries increased between his discovery and the time access was restricted.

Thailand’s Department of Special Investigation said it uncovered an illegal Bitcoin mining network tied to four senior Provincial Electricity Authority officials. On January 19, officers seized 3,642 mining rigs under "Operation Copperhead," and investigators also confiscated thousands of rigs linked to an assistant PEA governor with cash deposits worth 19 million baht ($612.9K).

Open-source AI assistant ClawdBot founder Peter Steinberger said he has never issued a token and called projects tying him to a coin scams, after his GitHub and X accounts were squatted during a forced rename. On January 25, researcher Stitchdegen said the Solana meme coin CLAWD is not official; on January 27, developer Ozmen warned similar scams often target open-source projects.

Cybersecurity researcher Jeremiah Fowler reported uncovering a 149 million-record cache of credentials stolen by infostealer malware from compromised personal devices, including 420,000 Binance logins and tens of millions of major platform accounts. Security experts said the leak reflects end-user device infections rather than a breach of Binance systems, while warning that newer infostealer strains are increasingly targeting crypto wallets, exchanges and browser extensions.

On January 25, 2026, Matcha Meta warned that users who disabled One-Time Approvals may have been exposed through its SwapNet integration. By January 26, 2026, the platform said it was investigating while about $16.8 million had been drained via direct token approvals, with SwapNet contracts temporarily disabled and funds moved from Base to Ethereum.

Blockchain investigator ZachXBT alleged that an individual known as Lick, identified as John Daghita—the son of CMDSS CEO Dean Daghita—diverted funds from US government-controlled wallets. He traced activity including a $24.9 million transfer in March 2024 tied to Bitfinex seizure assets, and cited chat evidence showing balances and moves. No criminal charges have been announced.

Telegram-based escrow marketplaces tied to gambling operations moved a combined 414 million USDT over a 53-day span, with about 9 million USDT sent straight to major exchanges. Despite shutdowns of Huionepay and Tudou Guarantee in 2025, platforms integrated mini-app crypto payments and continued processing revenue. Wallets linked to Huione, Wangbo, and HWZF were central to settlement.

Indian police reported the arrest of four suspects linked to a fraudulent crypto investment scheme that allegedly defrauded a resident of Rs. 16.30 lakh, using WhatsApp and a fake trading app. The case was registered in November 2025 after the victim made multiple transfers to several bank accounts, believing he would earn high returns from crypto trading. Police made the first arrest on January 20 and detained three additional suspects on January 22, while also warning the public against engaging in online investment discussions with strangers.