OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Mar 13, 2026· 5 min read

How AI Turned Crypto Scams Into a $17 Billion Industry

Crypto scams stole an estimated $17 billion in 2025, according to Chainalysis. Impersonation fraud grew 1,400% year-over-year. AI-enabled operations were 4.5 times more profitable than traditional ones. The threat model has fundamentally shifted — from hacking systems to hacking people.

Key takeaways

  1. Chainalysis estimates $17 billion was stolen in crypto scams and fraud in 2025, with the average individual payment jumping 253% to $2,764 as criminals shifted from mass attacks to high-value targeting
  2. Impersonation scams grew 1,400% year-over-year, with AI-enabled operations generating 4.5 times more revenue per attack than traditional methods — averaging $3.2 million per operation
  3. The Coinbase impersonation case: a Brooklyn resident indicted in December 2025 for stealing $16 million by bribing a Coinbase support agent in India for 70,000 customer records, then impersonating Coinbase security to drain accounts
  4. Phishing-as-a-service operations run through Chinese criminal Telegram groups with 300,000+ members now sell turnkey scam infrastructure — fake government sites, SMS blasting, money laundering — all priced in stablecoins
  5. The shift matters for self-custody holders: AI scams are increasingly targeting people specifically because they hold real Bitcoin, not because they're careless

What Happened

Chainalysis released its 2026 Crypto Crime Report in January, and the headline is not a hack. It's a behavioral shift. Crypto scams and fraud stole an estimated $17 billion in 2025, up from $9.9 billion first reported in 2024. Impersonation tactics grew 1,400% year-over-year. AI-enabled scam operations averaged $3.2 million in revenue per attack, compared to $719,000 for operations without AI tools — a 4.5x profitability gap that is driving rapid adoption across criminal networks.

The Coinbase impersonation case captures the playbook in detail. In December 2025, Brooklyn prosecutors indicted Ronald Spektor, 23, for orchestrating a scam that stole nearly $16 million. Spektor's operation bribed a Coinbase customer service representative in India — who accepted $250,000 — for access to approximately 70,000 customer records. Armed with real names, emails, and account details, the operation called victims impersonating Coinbase security, warned of unauthorized access, and directed victims to transfer funds to 'secure' wallets controlled by the scammers. The technical security of the exchange was irrelevant. The attack went around it entirely.

TRM Labs, publishing its own 2026 Crypto Crime Report simultaneously, recorded AI-enabled scam activity rising roughly 500% over the past year. Large language models allow operations to run across languages and cultural contexts with minimal friction. Voice cloning tools produce convincing audio from seconds of sample audio. Deepfake video enables fake executive announcements and fraudulent support calls. The cost of manufacturing trust has collapsed.

The Infrastructure Behind the Number

The $17 billion figure is not the product of individual opportunists. It reflects an industrialized criminal supply chain. Chainalysis identified Chinese criminal Telegram groups with more than 300,000 members operating full-service fraud marketplaces. Phishing design, hosting, SMS blasting, cash pickup, goods purchasing — all available as discrete services, all priced in stablecoins. TRM Labs describes this as 'laundering-as-a-service,' where Chinese money laundering networks handle proceeds for operations ranging from pig butchering scams to North Korean state hack proceeds.

The forced labor dimension adds a layer most coverage ignores. Chainalysis documented strong connections between scam operations and compounds in Cambodia, Myanmar, and other parts of Southeast Asia where trafficking victims are forced to operate fraud scripts around the clock. These are not freelancers running scams from laptops. They are industrial operations with staffing, quotas, and management hierarchies, funded by proceeds that move through stablecoins and laundered through DeFi bridges and decentralized exchanges.

The average payment per scam victim rose from $782 in 2024 to $2,764 in 2025. That 253% increase reflects a deliberate strategic shift. Spray-and-pray phishing campaigns that net hundreds of small payments are being replaced by targeted, research-driven operations that identify high-value holders, build rapport over weeks or months, and execute a single large extraction. Pig butchering — the term for romance-based investment scams where victims are 'fattened' before the account is drained — remains a dominant category. But it is increasingly blended with AI impersonation, making the fabricated relationship harder to detect.

Why Self-Custody Holders Are a Specific Target

The conventional assumption is that self-custody protects you from exchange hacks and custodian failures — which is true. But the scam data reveals a different vector. Criminals are increasingly targeting people precisely because they hold real Bitcoin. On-chain wealth signals are visible. Public addresses linked to significant holdings, Bitcoin-adjacent social media activity, and participation in communities that signal financial sophistication all create a target profile.

The Coinbase impersonation attack illustrates how exchanges become attack surface even for self-custody holders. If you've ever used an exchange — for an on-ramp, for a trade, for anything — your KYC data exists somewhere. Breached or bribed, that data becomes the hook. The call arrives with your real name, your real email, and accurate details about your account history. The psychological pressure is immediate and credible. 'Your account has been accessed from an unknown device. We need to verify your holdings before we can lock it down.' That framing is designed to induce urgency before skepticism can engage.

AI voice cloning compounds the problem. A scammer with three seconds of audio, sourced from a YouTube video, a podcast, or a voicemail, can generate a convincing call from someone you know. Chainalysis and TRM both flag this as an accelerating vector. The old heuristic of 'does it sound like them?' is no longer reliable.

What This Means for You

Verify independently, never in the moment. Coinbase, your hardware wallet manufacturer, your node provider, and any legitimate institution will never call you with urgent security instructions and ask you to move funds. If that call arrives, hang up. Use a number you looked up yourself to call back. The scam depends on you acting inside their frame before you step outside it.

Treat your KYC footprint as attack surface. Every exchange or financial platform that holds a copy of your ID and email is a potential source for the data that makes impersonation convincing. Minimize that footprint where possible. Use aliases and dedicated email addresses for crypto-adjacent services. If you receive a communication that references accurate personal details, do not interpret that as proof it's legitimate — interpret it as proof your data has been compromised.

Establish out-of-band verification protocols for significant transactions. If someone — even a person you know — contacts you requesting a Bitcoin transfer, verify the request through a separate channel before acting. A phone call asking you to confirm a wire is not out-of-band verification if the call itself is the attack. A message through a pre-established Signal thread, or an in-person confirmation, is.

What to Watch

Watch for the next major KYC breach at a mid-tier exchange. The Coinbase impersonation operation demonstrated that customer data is the primary raw material for high-value scams. Every breach makes future attacks more credible. The pattern of bribing support staff rather than breaching systems technically is cheaper and harder to detect — expect it to continue.

Watch also for AI voice cloning to move into the inheritance and estate planning attack surface. The combination of voice synthesis, known family relationships (sourced from social media), and emotional context around death or financial emergency is the next evolution of the impersonation vector. It has not become common yet. It will.

The threat model has shifted. They're not hacking your wallet. They're hacking you.

Sources

  1. [1]Chainalysis — '2026 Crypto Crime Report: Scams', January 13, 2026, chainalysis.com
  2. [2]CoinDesk — 'Chainalysis: Impersonation and AI scams are becoming crypto's biggest threat', January 14, 2026
  3. [3]TRM Labs — '2026 Crypto Crime Report', trmlabs.com
  4. [4]BrokersView / FastBull — 'Chainalysis 2026 Report: Crypto Scam Loss Estimated at $17B in 2025', January 2026
  5. [5]Cyber Magazine — 'Chainalysis: AI drives impersonation scams up 1,400%', January 16, 2026
  6. [6]Yahoo Finance / Reuters — 'Crypto analytics firm Chainalysis says impersonation, AI crypto scams stole $17 billion last year', January 14, 2026

More in Threats

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price