Machine translation. Professional review pending.

Crypto-fraud terms,
defined plainly.

25 terms victims, investigators, and curious readers run into across crypto-recovery work. One-sentence definition first, context underneath. Every term has a permanent anchor link, so /glossary/#pig-butchering (and the others) point at the same definition forever.

A

Address poisoning

# address-poisoning
A wallet-targeting scam that seeds the victim's transaction history with a fake address that mimics the first and last characters of an address they recently used, hoping they will copy-paste the wrong one for a future send.
The attacker sends a tiny (often zero-value) transaction from a freshly-generated wallet whose address starts and ends with the same characters as a legitimate counterparty the victim sends to regularly. The fake address now appears in the victim's wallet history. The next time the victim copies an address from history rather than from the actual counterparty, they may copy the lookalike and send funds to the attacker. Always verify the full address — not just the first and last few characters.
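The check described above, written out as an added example (not code from the glossary): it flags history entries whose counterparty mimics a trusted address on the first and last hex digits, and verifies an address against the trusted list before a send. The addresses and history entries are constructed sample data; the 4+4 character window is a parameter, since some wallets truncate to more or fewer digits.

```python
# Added example (not from the glossary): spot address-poisoning lookalikes in a
# wallet history and verify an address before a send. All addresses and history
# entries below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class HistoryEntry:
    counterparty: str   # address shown as the other party of the transfer
    value: int          # amount in base units; poison transfers are often 0
    outgoing: bool      # True if the victim sent to this address


def _norm(addr: str) -> str:
    # Case-insensitive compare: EIP-55 checksum casing must not hide a match.
    return addr.lower()


def is_lookalike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if candidate agrees with trusted on the first `prefix` and last
    `suffix` hex digits (after 0x) but differs somewhere in between."""
    c, t = _norm(candidate), _norm(trusted)
    if c == t or len(c) != len(t):
        return False
    return c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]


def verify_before_send(addr: str, trusted_addresses) -> tuple:
    """Return ("exact", addr) if addr is a trusted address character for
    character, ("lookalike", trusted) if it only mimics one, else ("unknown", None)."""
    trusted = [_norm(a) for a in trusted_addresses]
    if _norm(addr) in trusted:
        return ("exact", _norm(addr))
    for t in trusted:
        if is_lookalike(addr, t):
            return ("lookalike", t)
    return ("unknown", None)


def find_poisoned_entries(history, trusted_addresses, prefix: int = 4, suffix: int = 4):
    """Return [(entry, mimicked_trusted_address, reason)] for history entries whose
    counterparty mimics a trusted address. A zero-value incoming transfer from a
    lookalike the victim never sent to is the textbook poison pattern."""
    trusted = [_norm(a) for a in trusted_addresses]
    sent_to = {_norm(e.counterparty) for e in history if e.outgoing}
    flagged = []
    for e in history:
        c = _norm(e.counterparty)
        if c in trusted:
            continue
        for t in trusted:
            if is_lookalike(c, t, prefix, suffix):
                if not e.outgoing and e.value == 0 and c not in sent_to:
                    reason = "zero-value incoming transfer from lookalike (classic poison)"
                else:
                    reason = "lookalike of trusted address"
                flagged.append((e, t, reason))
                break
    return flagged


# Constructed sample: one trusted counterparty, one poison entry, one unrelated entry.
TRUSTED = "0x" + "ab12" + "0" * 32 + "cd34"
POISON = "0x" + "AB12" + "f" * 32 + "CD34"      # same ends, different middle
UNRELATED = "0x" + "1111" + "0" * 32 + "2222"
SAMPLE_HISTORY = [
    HistoryEntry(POISON, 0, outgoing=False),
    HistoryEntry(TRUSTED, 5 * 10**17, outgoing=True),
    HistoryEntry(UNRELATED, 10**18, outgoing=False),
]

if __name__ == "__main__":
    for entry, mimicked, reason in find_poisoned_entries(SAMPLE_HISTORY, [TRUSTED]):
        print(f"{entry.counterparty}: {reason} (mimics {mimicked})")
    print(verify_before_send(POISON, [TRUSTED]))
```

The point of `verify_before_send` is that "exact" is the only acceptable answer: a "lookalike" result means the address was almost certainly copied out of a poisoned history rather than from the counterparty.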

Approval phishing

# approval-phishing
Also: malicious approval · token approval phishing
A wallet attack where the victim signs a `setApprovalForAll` or unlimited `approve` transaction on a spoofed dApp, granting the attacker contract permission to move specific tokens out of the wallet at any later time.
The request looks routine and the victim assumes they are approving a single trade or mint. In reality they are giving an attacker-controlled contract ongoing authority to transfer tokens from the wallet. The drain can happen seconds later or weeks later, often after the victim has forgotten the approval. Defence: read every transaction request before confirming and treat an `approve` with an unlimited amount, or a `setApprovalForAll` set to true, as a red flag unless you know the spender contract; approve the exact amount a trade needs rather than an unlimited one; and periodically audit and revoke active approvals via Revoke.cash or the wallet's own approval manager.
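What "inspect every request" means in practice, as an added example that is not code from the glossary: decode the calldata a wallet is about to send, pull out the spender and the amount (or the operator flag), and rate the approval. The two function selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the spender addresses and the "known good" spender list are constructed.

```python
# Added example (not from the glossary): decode the calldata of a pending EVM
# transaction and flag approvals that hand a spender open-ended rights.
# The selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the spender
# addresses and the "known good" list below are constructed.
SEL_APPROVE = "095ea7b3"                 # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"    # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1
# Anything above 2^128 base units is treated as unlimited: wallets write 2^256-1,
# and a drainer gains nothing from choosing a merely astronomical number instead.
UNLIMITED_THRESHOLD = 2**128


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def decode_approval(calldata_hex: str):
    """Return a dict describing the approval encoded in calldata, or None if the
    call is not an approve / setApprovalForAll."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(data) < 4 + 64:
        return None
    selector = data[:4].hex()
    spender = "0x" + _word(data, 0)[12:].hex()   # address = low 20 bytes of the word
    if selector == SEL_APPROVE:
        amount = int.from_bytes(_word(data, 1), "big")
        return {"method": "approve", "spender": spender, "amount": amount}
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        approved = int.from_bytes(_word(data, 1), "big") != 0
        return {"method": "setApprovalForAll", "spender": spender, "approved": approved}
    return None


def assess_approval(decoded, known_spenders=()) -> dict:
    """Rate an approval: 'critical' for open-ended rights to an unknown spender,
    'high' for open-ended rights to a known one or bounded rights to an unknown
    one, 'low' otherwise. A revocation (amount 0 / approved False) is 'info'."""
    known = {s.lower() for s in known_spenders}
    spender_known = decoded["spender"].lower() in known
    if decoded["method"] == "approve":
        if decoded["amount"] == 0:
            return {"severity": "info", "reason": "revokes allowance"}
        open_ended = decoded["amount"] >= UNLIMITED_THRESHOLD
    else:
        if not decoded["approved"]:
            return {"severity": "info", "reason": "revokes operator rights"}
        open_ended = True   # setApprovalForAll(true) covers every token of the collection
    if open_ended and not spender_known:
        sev = "critical"
    elif open_ended or not spender_known:
        sev = "high"
    else:
        sev = "low"
    return {"severity": sev,
            "reason": f"{decoded['method']} to {'known' if spender_known else 'unknown'} spender, "
                      f"{'open-ended' if open_ended else 'bounded'} rights"}


def _pad_address(addr: str) -> str:
    return "00" * 12 + addr[2:].lower()


# Constructed calldata: unlimited approve to an unknown spender, and
# setApprovalForAll(true) to a constructed "known" marketplace contract.
DRAINER = "0x" + "11" * 20
MARKETPLACE = "0x" + "22" * 20
UNLIMITED_APPROVE = "0x" + SEL_APPROVE + _pad_address(DRAINER) + "ff" * 32
OPERATOR_GRANT = "0x" + SEL_SET_APPROVAL_FOR_ALL + _pad_address(MARKETPLACE) + "00" * 31 + "01"

if __name__ == "__main__":
    for cd in (UNLIMITED_APPROVE, OPERATOR_GRANT):
        d = decode_approval(cd)
        print(d, assess_approval(d, known_spenders=[MARKETPLACE]))
```

Note that `setApprovalForAll(true)` is always open-ended by construction, which is why it rates at least "high" even for a spender you recognise.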
B

Bridge attribution

# bridge-attribution
The forensic technique of following stolen funds across a cross-chain bridge by matching the on-chain deposit on the source chain to the corresponding withdrawal on the destination chain, despite the wallet identities differing.
Operators routinely move stolen funds across bridges (THORChain, LayerZero, Wormhole, Stargate) to obscure the trail and to convert between chains the laundering infrastructure favours. Bridge attribution maps the source deposit transaction to its destination-chain mirror by matching block time, amount, and bridge contract event logs. This is how a trace continues from Bitcoin to Ethereum to Solana without losing the thread.
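The amount-and-timing matching described above, as an added example that is not code from the glossary: deposits observed on the source chain are paired with withdrawals on the destination chain that land within a delay window and are the deposit amount minus at most a fee fraction, best-fitting pairs first so no leg is used twice. The transfers, chain names and the delay and fee parameters are constructed; real legs would come from indexed bridge contract events.

```python
# Added example (not from the glossary): match bridge deposits on a source chain
# to withdrawals on a destination chain by amount and timing. Transfers are
# constructed; real ones would come from indexed bridge contract events.
from dataclasses import dataclass


@dataclass(frozen=True)
class Leg:
    chain: str
    txid: str
    ts: int        # block timestamp (unix seconds)
    amount: float  # in a common unit, e.g. USDC or USD-equivalent
    address: str


def match_bridge_legs(deposits, withdrawals, max_delay_s=3600, max_fee_fraction=0.02):
    """Greedy one-to-one matching: a withdrawal is a candidate mirror of a deposit
    if it lands after the deposit within max_delay_s and its amount is the deposit
    minus at most max_fee_fraction (bridge fee + slippage). Candidates are scored
    by how tight the fee and delay are, and the best-scoring pairs are taken
    first so that each leg is used at most once. Returns (deposit, withdrawal, score)."""
    candidates = []
    for d in deposits:
        for w in withdrawals:
            delay = w.ts - d.ts
            if not 0 <= delay <= max_delay_s:
                continue
            if w.amount > d.amount:      # a mirror never pays out more than went in
                continue
            fee_fraction = (d.amount - w.amount) / d.amount
            if fee_fraction > max_fee_fraction:
                continue
            score = fee_fraction / max_fee_fraction + delay / max_delay_s   # lower is better
            candidates.append((score, d, w))
    candidates.sort(key=lambda c: c[0])
    used, matches = set(), []
    for score, d, w in candidates:
        if (d.chain, d.txid) in used or (w.chain, w.txid) in used:
            continue
        used.update({(d.chain, d.txid), (w.chain, w.txid)})
        matches.append((d, w, round(score, 3)))
    return matches


# Constructed sample: two deposits on Ethereum, four withdrawals on Solana, of
# which one predates any deposit and one is far too large to be a mirror.
DEPOSITS = [
    Leg("ethereum", "D1", 1_000, 10_000.0, "0xsrc1"),
    Leg("ethereum", "D2", 1_100, 2_500.0, "0xsrc2"),
]
WITHDRAWALS = [
    Leg("solana", "W1", 1_300, 9_980.0, "SoLdst1"),
    Leg("solana", "W2", 1_500, 2_490.0, "SoLdst2"),
    Leg("solana", "W3", 900, 10_000.0, "SoLdst3"),
    Leg("solana", "W4", 1_200, 7_000.0, "SoLdst4"),
]

if __name__ == "__main__":
    for d, w, score in match_bridge_legs(DEPOSITS, WITHDRAWALS):
        print(f"{d.chain}:{d.txid} {d.amount} -> {w.chain}:{w.txid} {w.amount} (score {score})")
```

In a real trace the bridge's own event logs (deposit id, destination chain id) remove most of the ambiguity; the amount/timing score is what you fall back on when the bridge emits nothing that links the two legs, and a match with a poor score should be reported with a low confidence rating rather than as fact.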
C

CEX vs DEX

# cex-vs-dex
A centralised exchange (CEX) custodies user funds and operates under regulatory authority; a decentralised exchange (DEX) is a smart contract that swaps tokens directly between wallets, with no custodian and no compliance team to escalate a fraud claim to.
The distinction matters for recovery: stolen funds that reach a CEX can sometimes be frozen via compliance escalation, because the exchange controls the funds and answers to a regulator. Funds that move only through DEX swaps cannot be frozen — there is no operator to escalate to, only an immutable smart contract. Recovery work therefore prioritises identifying CEX deposit points in the laundering trail; once funds re-enter the CEX ecosystem, escalation becomes possible again.

CoinJoin

# coinjoin
A privacy technique where multiple Bitcoin users combine their transactions into a single multi-input, multi-output transaction so that an external observer cannot tell which input corresponds to which output.
CoinJoin is not inherently a fraud tool — privacy-conscious users employ it legitimately — but operators routinely use it to break the on-chain trail between stolen funds and the wallet they ultimately end up in. CoinJoin output sets can sometimes be demixed using statistical heuristics (CoinJoin pattern analysis), but the success rate depends on the size of the mix and the patience of the analyst. Wasabi Wallet and Whirlpool are the two most common implementations.
See also: mixer · demixing · peel chain

Cold wallet vs hot wallet

# cold-wallet-hot-wallet
A cold wallet stores the private key offline (hardware device or paper); a hot wallet stores it in software connected to the internet — cold is materially safer against most wallet-drain and phishing attacks.
The hot/cold distinction is about attack surface. A hot wallet keeps the key on an internet-connected device and signs whatever request you accept in a dApp, which is convenient but exposes you to malicious signature requests and clipboard-replacement malware. Cold wallets require physical confirmation on the device for every signature, with the destination address and amount shown on the device's own screen, which thwarts most approval-phishing and address-poisoning attempts, provided you actually read that screen. For meaningful holdings, the standard recommendation is cold storage with a hot wallet kept only for small operating balances.

Compliance hold (vs withdrawal-block extortion)

# compliance-hold
A genuine compliance hold is a regulator-driven freeze on funds already sitting at an exchange during AML/KYC review, with no payment required from the user; a withdrawal-block extortion is a fake hold that demands the user pay an additional fee before any release.
Real compliance holds: documented in the exchange's terms, communicated via in-platform messaging from the named compliance team, never require the user to wire fresh money in. Withdrawal-block extortion: invented on the spot ("tax clearance fee", "anti-money-laundering deposit", "tier-upgrade payment"), demands new funds, and produces a new fee request after each payment. Any "compliance" process that requires you to deposit more is the extortion variant, regardless of how official the language sounds.
D

Demixing

# demixing
The on-chain forensic analysis that attempts to reconstruct which CoinJoin inputs correspond to which outputs, restoring the link between sender and recipient that the mix was designed to obscure.
Demixing uses a combination of timing analysis, amount analysis, address-cluster heuristics, and Wasabi/Whirlpool-specific pattern signatures. It is probabilistic, not deterministic: a successful demix returns a confidence-weighted set of probable links rather than a single answer. Funds that pass through Tornado Cash specifically are much harder to demix than those run through CoinJoin protocols, which is why Tornado-routed funds are often the realistic limit of recovery.
See also: coinjoin · mixer

Drainer-as-a-service (DaaS)

# drainer-as-a-service
Also: DaaS · wallet drainer kit
A subscription model in which a development team builds and maintains a wallet-drain smart contract and admin panel, then leases it to affiliates who run the front-end phishing sites and split the proceeds with the developers.
DaaS turned wallet drains from a bespoke crime requiring smart-contract skill into a turnkey kit any phisher can rent. The most-named kits (Pink, Inferno, Angel, MS) collectively account for a substantial share of all reported wallet drains. Recovery-side: the on-chain drain contracts are reused across hundreds of campaigns, so wallet clustering of DaaS-related drains often yields larger usable evidence than the individual incident appears to warrant.

Dusting attack

# dusting-attack
A privacy attack in which the attacker sends tiny amounts of cryptocurrency to many addresses they want to deanonymise, then watches for the dust to be spent together with the recipient's other coins — confirming the addresses belong to the same wallet.
Once two addresses are confirmed to share a wallet, the attacker can correlate the wallet's activity with off-chain identity signals (deposits to known exchanges, mention in a public post, etc.) to deanonymise the owner. Dusting is rarely the end goal; it usually feeds into a downstream phishing or extortion campaign targeted at the identified wallet owner. Defence: do not spend dusted UTXOs casually; many wallets now let you mark and isolate suspicious incoming dust.
E

Evidence pack

# evidence-pack
The structured dossier an investigations firm assembles for a recovery case: transaction-hash trace, wallet-cluster analysis, counterparty attribution, supporting screenshots and communications, and a recovery-path recommendation, packaged to the standard a regulator or court will accept.
A defensible evidence pack is anchored to specific transaction hashes and block heights — every claim in it must be reproducible from the public chain data. It includes the source data (raw transaction graph), the analyst's interpretation, and the confidence rating attached to each attribution. The standard difference between a real recovery firm and a recovery scam is whether they produce an evidence pack at all: real firms do, scammers offer vague reassurance.
L

Liquidity pool exit scam

# liquidity-pool-exit-scam
Also: rug pull
A scam in which the developers of a token launch a liquidity pool on a DEX, attract deposits, then withdraw all the paired liquidity at once — leaving holders with worthless tokens that cannot be sold.
The setup looks like a normal DeFi token launch: a new token paired against ETH or a stablecoin in a Uniswap-style pool. The developers retain control of the LP tokens (or never lock them) and pull them at peak liquidity. Common red flags: anonymous team, no audit, locked-liquidity period under 30 days or absent entirely, founder wallets holding outsized token allocations. Recovery is rarely realistic because the operators were anonymous from the start and funds typically flow straight into mixers.
M

Mixer (cryptocurrency)

# mixer
Also: tumbler
A service or smart contract that pools cryptocurrency from many depositors and pays out equivalent amounts to fresh addresses, breaking the on-chain link between source and destination wallets.
Tornado Cash (Ethereum) is the most-named example; Sinbad and ChipMixer were custodial Bitcoin mixers, and the Wasabi/Whirlpool CoinJoin coordinators serve the same purpose without taking custody. Mixers are heavily used by operators of crypto fraud to launder stolen funds, which is why several have been sanctioned by OFAC or seized by law enforcement. Recovery is much harder once funds enter a true mixer than after they pass through a regular exchange. For Tornado Cash specifically there is no operator to cooperate: the contract is non-custodial, so the realistic path is to pick the trail up again on the withdrawal side and look for a CEX deposit.
See also: demixing · coinjoin · peel chain

Multi-sig wallet

# multi-sig-wallet
A wallet that requires signatures from multiple private keys (e.g. 2-of-3 or 3-of-5) to authorise any outgoing transaction — meaning a single compromised key cannot drain the wallet.
Multi-sig is the standard for institutional cryptocurrency custody and for individuals holding large balances. Common implementations: Safe (formerly Gnosis Safe) on EVM chains, Casa and Unchained for Bitcoin. Trade-off: multi-sig drastically reduces single-point-of-failure risk but adds friction to every transaction and depends on safe storage of multiple keys, which itself becomes the security problem.
P

Peel chain

# peel-chain
A laundering pattern in which a large amount of cryptocurrency is moved through a sequence of wallets, with a small fraction peeled off to an exchange or cash-out point at each hop while the bulk continues onward.
Peel chains are designed to fragment a single large suspicious transaction into many small ones that fall below per-deposit AML thresholds at the receiving exchanges. They typically span hundreds of intermediate addresses and can take weeks to complete. Peel-chain unwinding is a specific on-chain forensic technique: each "peel" follows a recognisable pattern (large input, small output to an exchange, large change output that becomes the next input) that allows the analyst to trace through what looks at first glance like unrelated transactions.
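The unwinding described above, as an added example that is not code from the glossary: starting from one transaction, treat the largest output as the bulk, record the smaller outputs as peels (tagging the ones that hit an exchange address), and continue at the transaction that spends the bulk, until the pattern breaks. The transaction graph and the exchange address tags are constructed; a real trace takes both from a node or indexer and a labelled address set.

```python
# Added example (not from the glossary): unwind a peel chain by following the
# bulk ("change") output hop by hop and recording what was peeled off at each
# hop. The transaction graph and the exchange address tags are constructed;
# in a real trace they come from a node or indexer and a labelled address set.

def unwind_peel_chain(start_txid, txs, exchange_addrs, min_bulk_fraction=0.7, max_hops=10_000):
    """txs: {txid: {"inputs": [(addr, sats)], "outputs": [(addr, sats)]}}.
    Starting at start_txid, treat the largest output as the bulk and the rest as
    peels, then continue at the transaction that spends the bulk output. Stop when
    the largest output is below min_bulk_fraction of the total (the chain has split
    or cashed out) or when the bulk is still unspent."""
    spends = {}   # addr -> txid spending the funds sent to addr
    for txid, tx in txs.items():
        for addr, _ in tx["inputs"]:
            spends[addr] = txid
    hops, peels, bulk, txid = [], [], None, start_txid
    while txid is not None and len(hops) < max_hops:
        outs = txs[txid]["outputs"]
        total = sum(v for _, v in outs)
        bulk_addr, bulk_val = max(outs, key=lambda o: o[1])
        if total == 0 or bulk_val / total < min_bulk_fraction:
            break
        hops.append(txid)
        for addr, val in outs:
            if addr != bulk_addr:
                peels.append({"tx": txid, "to": addr, "sats": val,
                              "exchange": addr in exchange_addrs})
        bulk = (bulk_addr, bulk_val)
        txid = spends.get(bulk_addr)
    return {
        "hops": hops,
        "peels": peels,
        "peeled_total": sum(p["sats"] for p in peels),
        "exchange_peels": [p for p in peels if p["exchange"]],
        "bulk": bulk,           # (addr, sats) of the last bulk output followed
        "ends_in": txid,        # tx that spends the bulk in a non-peel pattern, or None if unspent
    }


# Constructed sample: three peel hops, then a 50/50 split that ends the pattern.
TXS = {
    "t1": {"inputs": [("A", 1_000_000)], "outputs": [("ex1", 40_000), ("B", 959_000)]},
    "t2": {"inputs": [("B", 959_000)],   "outputs": [("ex2", 50_000), ("C", 908_000)]},
    "t3": {"inputs": [("C", 908_000)],   "outputs": [("ex1", 60_000), ("D", 847_000)]},
    "t4": {"inputs": [("D", 847_000)],   "outputs": [("E", 400_000), ("F", 446_000)]},
}
EXCHANGE_ADDRS = {"ex1", "ex2"}   # hypothetical exchange deposit addresses

if __name__ == "__main__":
    r = unwind_peel_chain("t1", TXS, EXCHANGE_ADDRS)
    print(r["hops"], r["peeled_total"], r["bulk"], r["ends_in"])
```

The exchange-tagged peels are the actionable output: each one is a deposit at a regulated venue that can be escalated with the transaction id, while `ends_in` tells the analyst where the bulk left the peel pattern and a different technique (clustering, bridge attribution) has to take over.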

Permit2 phishing

# permit2-phishing
A phishing variant exploiting Uniswap's `Permit2` signature standard, in which a victim signs an off-chain message that the attacker then submits on-chain to drain approved tokens — with no gas or on-chain trail until the actual drain happens.
Permit2 was designed to let users approve token spending via a single signature instead of paying gas for a separate `approve` transaction. Two caveats matter. First, a Permit2 signature can only move tokens the victim has already approved to the Permit2 contract itself (the one-time on-chain `approve` most DEX front-ends request), so revoking that token-to-Permit2 approval neutralises every outstanding signature for that token; Permit2 also exposes `lockdown` and `invalidateNonces` to void signatures directly. Second, the off-chain signature leaves no on-chain trace until the attacker chooses to execute, so it cannot be spotted by watching the wallet's transactions. Wallet UIs are catching up by parsing Permit2 signatures and showing the spender, amount and expiration they authorise, but as of 2026 many wallets still display the signature as opaque "EIP-712 typed data"; read every signature dialog carefully.
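Reading the typed data yourself, as an added example that is not code from the glossary: the triage function below takes the EIP-712 request a wallet would show as opaque typed data, recognises Permit2 `PermitSingle` and `PermitBatch`, and reports the spender, whether the amount is effectively unlimited and how long the allowance lives. Going beyond the entry, it also handles ERC-2612 `Permit` signatures, which carry the same risk through the token's own contract. The Permit2 contract address is the canonical one; the sample request, the spender addresses, the trusted-spender list and the 30-day "long-lived" threshold are constructed.

```python
# Added example (not from the glossary): triage an EIP-712 signature request
# before signing. It understands Permit2's PermitSingle / PermitBatch and, going
# beyond the glossary entry, ERC-2612 `Permit` signatures, which carry the same
# risk. The Permit2 contract address is the canonical one; the sample request,
# the spender addresses and the trusted-spender list are constructed.
PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"   # canonical Permit2, lower-cased
UNLIMITED_THRESHOLD = 2**128    # anything above this in base units is effectively unlimited
LONG_LIVED_S = 30 * 86_400      # an allowance good for more than 30 days is flagged


def _rate(spender_known: bool, unlimited: bool, long_lived: bool) -> str:
    if unlimited and not spender_known:
        return "critical"
    if unlimited or not spender_known or long_lived:
        return "high"
    return "low"


def triage_typed_data(typed: dict, now: int, trusted_spenders=()):
    """Return one finding per allowance the signature would create. `now` is passed
    in so the result is reproducible (expiry math uses it). Unknown primary types
    yield a single 'unknown' finding rather than silent approval."""
    trusted = {s.lower() for s in trusted_spenders}
    domain, ptype, msg = typed.get("domain", {}), typed.get("primaryType"), typed.get("message", {})
    contract = str(domain.get("verifyingContract", "")).lower()
    findings = []

    def add(kind, token, spender, amount, expiration):
        spender_known = spender.lower() in trusted
        unlimited = int(amount) >= UNLIMITED_THRESHOLD
        long_lived = int(expiration) - now > LONG_LIVED_S
        findings.append({
            "kind": kind, "token": token, "spender": spender,
            "unlimited": unlimited, "long_lived": long_lived,
            "expires_in_days": (int(expiration) - now) / 86_400,
            "severity": _rate(spender_known, unlimited, long_lived),
        })

    if ptype in ("PermitSingle", "PermitBatch"):
        details = msg["details"] if ptype == "PermitBatch" else [msg["details"]]
        for d in details:
            add(f"Permit2 {ptype}", d["token"], msg["spender"], d["amount"], d["expiration"])
        if contract != PERMIT2:
            # A Permit2-shaped request whose domain is not the Permit2 contract is
            # itself suspicious: the user cannot know what will verify it.
            findings.append({"kind": "domain", "severity": "high",
                             "note": f"claims Permit2 but verifyingContract is {contract or 'missing'}"})
    elif ptype == "Permit" and {"spender", "value", "deadline"} <= set(msg):
        # ERC-2612: the token itself is the verifying contract.
        add("ERC-2612 Permit", contract, msg["spender"], msg["value"], msg["deadline"])
    else:
        findings.append({"kind": "unknown", "severity": "high",
                         "note": f"unrecognised primaryType {ptype!r}; do not sign blind"})
    return findings


# Constructed sample: a Permit2 PermitSingle for the maximum uint160 amount,
# expiring at the uint48 maximum, to a spender not on the trusted list.
# Wallets deliver the numeric fields as decimal strings, as here.
DRAINER = "0x" + "de" * 20
SAMPLE_PERMIT2 = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "message": {
        "details": {"token": "0x" + "ab" * 20, "amount": str(2**160 - 1),
                    "expiration": str(2**48 - 1), "nonce": "0"},
        "spender": DRAINER,
        "sigDeadline": str(1_700_000_000 + 3_600),
    },
}

if __name__ == "__main__":
    for f in triage_typed_data(SAMPLE_PERMIT2, now=1_700_000_000):
        print(f)
```

A legitimate swap front-end normally asks for an amount close to the trade size and an expiration measured in minutes or hours; a maximum-value amount paired with a far-future expiration is the drainer profile regardless of how the dialog is dressed.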

Pig butchering (sha zhu pan)

# pig-butchering
Also: sha zhu pan · romance-into-investment scam
A months-long romance-into-investment scam in which the operator builds emotional trust with a target over weeks, then introduces a fake trading platform that shows fabricated gains until the target deposits enough money to be worth extracting.
The term is a translation of the Chinese 殺豬盤 ("kill the pig"), referring to the pattern of "fattening up" the victim with relationship-building before the extraction. Contact begins outside any investment context (dating apps, LinkedIn, misdialed-number openings) and the investment is "discovered" rather than pitched. Pig butchering is the single highest-loss category in crypto-fraud globally. CryptoLeek's dedicated guide: /scams/romance/.
R

Recovery scam

# recovery-scam
Also: second-stage scam
A scam that targets prior victims of cryptocurrency fraud by cold-contacting them with unsolicited "recovery" offers and demanding payment with no written scope of work — never delivering any actual recovery and often draining additional money over multiple stages.
Recovery scammers harvest contact details from public scam-report databases, social media posts, and recovery-themed forums. They cold-contact victims, name-drop credentials they cannot substantiate ("FBI partnered", "FCA-authorised"), claim to have already located the funds, and demand an "asset-freeze fee" or "filing fee" with no written, specific deliverables. Legitimate recovery firms do not cold-call, assess the case before quoting, and issue a written scope of work with a fixed retainer that lists exactly what the fee covers. The FBI's IC3 explicitly warns about the cold-contact + unscoped-fee pattern.

Rug pull

# rug-pull
A liquidity pool exit scam in DeFi, where token founders pull all the paired liquidity from a DEX pool at once, leaving holders with worthless tokens that cannot be sold for anything.
See `liquidity-pool-exit-scam` for the mechanism. The term is colloquial and often used loosely to describe any DeFi project where the founders disappear with user funds, including more elaborate variants like governance attacks, malicious upgradeable contracts, and time-locked vault withdrawals that drain the vault. Whether classical liquidity-pull or governance-attack, the on-chain forensic profile is the same: trace the founder wallets, identify any CEX off-ramps, escalate where possible.
S

Self-custody vs custodial

# self-custody-vs-custody
In self-custody you control the private key and the platform cannot move your funds; in custodial setups (most exchanges, broker apps, fund managers) the platform holds the key and you hold a claim against the platform — meaning your "balance" is exposed to the platform's solvency and conduct.
The distinction is the source of the "not your keys, not your coins" maxim. Custodial setups are convenient and offer customer support; self-custody requires you to manage your own backup, security, and compliance. A large share of cryptocurrency losses involve custodial platforms going insolvent, being hacked, or refusing withdrawals. For long-term holdings, the standard advice is self-custody in a cold wallet, with custodial use limited to active trading.

SIM swap (crypto context)

# sim-swap
An attack in which the attacker socially-engineers the victim's mobile carrier into transferring the victim's phone number to a SIM the attacker controls — then uses SMS-based 2FA codes to take over the victim's exchange accounts and email.
SIM swap is the most-named non-phishing route into a cryptocurrency exchange account. The attacker may have learned the victim's details from a prior data breach, social engineering, or a paid insider at the carrier. Defence: do not use SMS as the second factor on any account that holds cryptocurrency or controls one (the email account behind the exchange login counts), and use TOTP (Google Authenticator, Authy) or hardware tokens (YubiKey) instead. Many carriers let you set a port-out or account PIN; use it.
See also: wallet drain

Sweeper bot

# sweeper-bot
An automated program that monitors a compromised wallet (one whose private key the operator now knows) and instantly sends any incoming funds to an attacker-controlled address — making the wallet permanently unusable for the victim.
When a victim discovers their wallet is compromised, they sometimes try to "save" remaining tokens by sending in ETH to cover gas for a rescue transaction. The sweeper bot sees the gas arrive and spends it out again as soon as it lands, before the rescue transaction confirms. Defence: do not send anything to a compromised wallet; redirect incoming funds at the source instead, or submit the rescue as a Flashbots bundle that funds the gas and moves the assets atomically in one block, so the bot never sees the gas sitting in the wallet.
See also: wallet drain
W

Wallet clustering

# wallet-clustering
On-chain forensic technique that groups multiple cryptocurrency addresses into "clusters" believed to be controlled by the same operator, using shared-input heuristics, common-spending patterns, and behavioural fingerprints.
A single fraud operation usually controls dozens to thousands of addresses, each used briefly before discard. Clustering algorithms identify which addresses behave like one wallet, for example by being co-spent as inputs of a single transaction, which under the common-input-ownership heuristic is strong evidence that they share a controller (CoinJoin transactions deliberately violate that heuristic and must be excluded before clustering). Effective clustering is what makes recovery viable: it lets the analyst follow the bulk of funds even when the operator constantly creates new "fresh" addresses to receive them.
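The common-input-ownership heuristic with a CoinJoin guard, as an added example that is not code from the glossary. It serves this entry, the CoinJoin entry (a mix is detected and skipped so its inputs are not merged) and the dusting-attack entry (the sample shows the victim's two addresses being joined the moment a dusted UTXO is co-spent with a real one). Transactions and addresses are constructed; the "at least three equal-value outputs" CoinJoin rule is a simplification that a real pipeline would replace with coordinator-specific signatures.

```python
# Added example (not from the glossary): common-input-ownership clustering with a
# CoinJoin guard. Addresses co-spent as inputs of one transaction are merged into
# one cluster, except in transactions that look like a CoinJoin, where that
# assumption is exactly what the mix is designed to break. It also shows why
# spending dust is dangerous (see the dusting-attack entry). Transactions are
# constructed; real ones would come from a node or indexer.
from collections import Counter


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Heuristic: at least min_equal_outputs outputs of identical value and at
    least as many inputs. Whirlpool mixes are 5-in / 5-equal-out; Wasabi mixes
    have many equal-denomination outputs."""
    if len(tx["inputs"]) < min_equal_outputs:
        return False
    counts = Counter(v for _, v in tx["outputs"])
    return max(counts.values(), default=0) >= min_equal_outputs


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs, min_equal_outputs=3):
    """Return a list of address sets, one per inferred controller, plus the list
    of transaction ids skipped as CoinJoins."""
    uf, skipped = UnionFind(), []
    for txid, tx in txs.items():
        if looks_like_coinjoin(tx, min_equal_outputs):
            skipped.append(txid)
            continue
        inputs = [addr for addr, _ in tx["inputs"]]
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return list(groups.values()), skipped


def cluster_of(clusters, addr):
    for c in clusters:
        if addr in c:
            return c
    return {addr}    # never co-spent: a cluster of one


# Constructed sample (values in satoshis):
#  - victim_spend: the victim co-spends a dusted UTXO (V2) with a real one (V1)
#  - n1, n2: ordinary multi-input spends linking X, Y and Z
#  - cj: a 5-in / 5-equal-out CoinJoin that must NOT merge its inputs
TXS = {
    "victim_spend": {"inputs": [("V1", 50_000_000), ("V2", 546)], "outputs": [("M", 49_990_000)]},
    "n1": {"inputs": [("X", 1_000_000), ("Y", 2_000_000)], "outputs": [("Q1", 2_990_000)]},
    "n2": {"inputs": [("Y", 500_000), ("Z", 500_000)], "outputs": [("Q2", 990_000)]},
    "cj": {"inputs": [(a, 1_050_000) for a in ("P1", "P2", "P3", "P4", "P5")],
           "outputs": [(o, 1_000_000) for o in ("O1", "O2", "O3", "O4", "O5")]},
}

if __name__ == "__main__":
    clusters, skipped = cluster_addresses(TXS)
    print("skipped as CoinJoin:", skipped)
    for c in clusters:
        print(sorted(c))
```

The `victim_spend` transaction is the dusting outcome in miniature: the 546-satoshi dust at V2 was sent by the attacker, and the moment the victim's wallet co-spends it with V1 the two addresses fall into one cluster for anyone running this heuristic, attacker included.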

Wallet drain

# wallet-drain
Also: drainer attack
An attack in which an operator gains the right to move tokens out of a victim's wallet — usually via a malicious token approval or stolen private key — and transfers the wallet's balance to an address they control.
Wallet drains differ from investment-platform fraud because there is no platform to escalate to; the loss happens directly from the victim's self-custody wallet. The two most common vectors are (1) approval phishing (the victim signs a malicious token-approval transaction on a spoofed dApp), and (2) seed-phrase compromise (the victim enters their recovery phrase into a phishing site that pretends to be wallet support). Recovery is possible when the drained funds land at a regulated CEX before being laundered; less so when they go directly to a mixer. CryptoLeek's dedicated guide: /scams/wallet-drain/.

Withdrawal-block extortion

# withdrawal-block
Also: frozen-withdrawal scam · release-fee scam
The second-stage extraction pattern in which a fraudulent trading platform refuses to release the victim's "earned" funds until the victim pays escalating fees — tax clearance, AML verification, account-tier upgrades — none of which release anything.
Almost every fake-investment-platform scam routes into a withdrawal block once the victim has deposited enough to be worth extracting from. The fees sound plausible (they borrow the language of real compliance procedures) and the platform interface continues to display the victim's balance as if it were real. Each fee paid generates a new fee request. The principal was extracted long before any of this — the withdrawal block exists purely to extract additional money. CryptoLeek's dedicated guide: /scams/withdrawal-block/.