
Advance-fee crypto scams: How fake platforms steal your money and data

Advance-fee scams are taking on a new form in the cryptocurrency space. The NordVPN threat intelligence research team has recently uncovered and analyzed a large-scale phishing and fraud campaign built around fake crypto exchanges and wallet services. Instead of obvious requests for money, scammers now build convincing platforms that show fake balances and simulate real transactions. By the time the payment request appears, the situation feels credible enough to follow through. This article explains how these scams work, why they’re effective, and what to watch for before you risk losing money or exposing sensitive information.

April 7, 2026

15 min read


A new twist on an old scam

Advance-fee fraud isn’t new. Traditionally, scammers promised unexpected money, like inheritance claims, lottery winnings, or business deals, which required a small upfront payment to receive a much larger reward. The core idea hasn’t changed, but the way scammers present it has.

Today, scammers build these schemes around cryptocurrency, a space many people still find complex or unfamiliar. They use that complexity to justify unexpected fees and technical-sounding explanations. Users who are less experienced in decentralized networks often comply without questioning the request.

Additionally, instead of making vague promises, the scammers show their targets what looks like a real platform. Users can log in, see a balance, and interact with a familiar interface. The process feels like a normal transaction, which lowers suspicion.

How an advance-fee crypto scam works

These cryptocurrency scams follow a clear sequence that leads people from curiosity to payment. Each step builds on the last, making the situation feel more real and reducing suspicion along the way.


Infographic: How an advance-fee crypto scam works

Phase 1: A fake deposit notification

The advance-fee scam, like all social engineering attacks, usually starts with the bait — a message or an email claiming you’ve received a large cryptocurrency transfer, typically 15 bitcoin. The amount is intentionally high, often framed as a mistake or an unexpected credit. This message is designed to immediately capture attention, create a sense of urgency, and push the recipient toward quick action.

The message may suggest that the funds could be reversed if not claimed soon, encouraging the user to act without verifying the situation. To make the story more convincing, the email often includes login credentials and a direct link to access the funds.

Phase 2: A fake platform and balance trap

After clicking the link, users are taken to a website that closely resembles a real crypto exchange or wallet platform. These fake websites are often well designed, with familiar layouts, charts, and account dashboards that reinforce their legitimacy.

Once logged in, the user sees a large balance already credited to their account. This visual confirmation is critical because it reduces doubt and makes the situation feel real. At this point, many users begin to think about how to withdraw the funds rather than questioning their origin.

Before allowing any action, the platform pushes the user to “complete their profile” by entering personal information such as an email address, phone number, full name, and sometimes a new password. While it may appear to be a routine step, it allows attackers to collect valuable data that can be reused in future scams or sold on underground markets.

Phase 3: The advance-fee theft

When the user attempts to withdraw the funds, the scam reaches its final stage. The platform displays an error or restriction, explaining that the transaction cannot be completed without paying a required fee.

The fee is usually described using technical language, such as a “network fee,” “gas fee,” or “transfer tax.” Because these terms exist in real crypto transactions, they help make the request seem legitimate. However, in genuine transactions, fees are automatically deducted and do not require separate payments through external forms.

The user is then prompted to enter payment details, often through a credit or debit card form embedded within the platform. Once submitted, the money is taken immediately, and the victim receives nothing in return. In some cases, the platform may continue to request additional payments, each presented as the final step needed to release the funds.

Why these scams are effective

These campaigns succeed because they combine technical realism with psychological manipulation:

  • They look legitimate. The platforms are often well designed, with dashboards, transaction histories, and branding that mimic real services. For someone unfamiliar with crypto platforms, it’s difficult to tell the difference.
  • They create a sense of urgency. Targeted users are pushed to act quickly, without careful thinking or verification, before the “error” is corrected.
  • They rely on perceived complexity. Cryptocurrency already feels complicated to many users. When a platform mentions fees or technical requirements, users are more likely to accept them without questioning the request.
  • They escalate commitment. Each step (logging in, entering data, attempting withdrawal) increases the likelihood that the target will follow through.

The hidden danger: Data harvesting

Financial loss is only part of the damage. These scams are also designed to collect sensitive information that can be reused in other attacks. In the process, users may unknowingly open the door to these scams:

Even if you don’t pay the fake fee, entering your details can still put you at risk.

Known malicious domains

NordVPN’s investigation identified over 100 active domains impersonating cryptocurrency brands used to carry out these scams. 

Many of these domains rely on typosquatting, meaning slight misspellings of legitimate brand names (like “zinance” instead of “Binance”), or use less common top-level domains such as “.su” to appear credible at first glance. Many also follow similar naming patterns, usually built around “coin,” “koin,” or “bit.”

Some examples include:

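
The naming patterns described in this section (misspelled brand names, the “.su” top-level domain, and “coin,” “koin,” or “bit” in the name) can be combined into a simple triage check for links received by email. This is an added example, not NordVPN's detection logic; the brand list, the weights, and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: triage heuristic for look-alike crypto domains.
# BRANDS and WEIGHTS are assumptions for this sketch; KEYWORDS and the
# ".su" TLD are the patterns the article names.
BRANDS = ("binance", "coinbase", "kraken")
KEYWORDS = ("coin", "koin", "bit")
RARE_TLDS = {"su"}
WEIGHTS = {"typosquat": 2, "embeds": 2, "tld": 1, "keyword": 1}


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain):
    """Return the reasons a domain deserves manual review (empty if none)."""
    labels = domain.lower().rstrip(".").split(".")
    # Naive split: the label left of the TLD is treated as the registered name.
    name, tld = labels[-2] if len(labels) > 1 else labels[0], labels[-1]
    reasons = []
    for brand in BRANDS:
        distance = edit_distance(name, brand)
        if 0 < distance <= 2:
            reasons.append(f"typosquat:{brand}")
        elif brand in name and name != brand:
            reasons.append(f"embeds:{brand}")
    if tld in RARE_TLDS:
        reasons.append(f"tld:{tld}")
    hits = [k for k in KEYWORDS if k in name]
    if hits and name not in BRANDS:
        reasons.append("keyword:" + "+".join(hits))
    return reasons


def score(domain):
    """Sum the weights of all reasons; 2 or more means 'review before visiting'."""
    return sum(WEIGHTS[r.split(":")[0]] for r in triage(domain))


# Constructed sample hostnames, not taken from the campaign's domain list.
SAMPLES = ["zinance.example", "koinvault-demo.su", "binance.com", "bitbucket.example"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:22} score={score(host)} {triage(host)}")
```

A keyword hit on its own scores 1 and is only a weak signal, as the constructed “bitbucket” sample shows; it becomes meaningful when combined with an unusual top-level domain or a near-miss on a brand name.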

How to recognize the scam early

The most reliable way to avoid these scams is to recognize the pattern before reaching the payment stage. Look for these warning signs:

  • You’re told you’ve received crypto you didn’t expect.
  • The message includes login credentials or unusual instructions.
  • The platform asks you to “complete registration” before withdrawal.
  • You see a large balance immediately after logging in.
  • You’re asked to pay fees to access funds.
  • Payment is requested before any real transaction happens.

How to protect yourself

Prevention is easier than recovery, especially since crypto transactions can’t be reversed. Staying safe requires a combination of awareness and the right tools:

  • Be skeptical of unexpected crypto claims. Legitimate platforms don’t randomly deposit large amounts of cryptocurrency into user accounts. If it sounds too good to be true, it is.
  • Never pay to unlock funds. In legitimate crypto transactions, fees are built into the process and do not require separate payments.
  • Avoid logging in to unknown platforms. If you receive a link via email or message, don’t trust it. Always verify the platform independently.
  • Use tools that block malicious sites. Scam platforms often rely on users reaching the site in the first place. Blocking access reduces risk significantly. Tools like NordVPN’s Threat Protection Pro™ can help detect and block known malicious domains before they load.
  • Verify wallet addresses before sending funds. If you’re asked to send funds, double-check the destination using a crypto wallet address checker. Doing so helps identify known scam-linked addresses.


Methodology

This investigation was carried out in collaboration with the TechRadar security team using open-source intelligence (OSINT). All findings were cross-checked across multiple sources to ensure accuracy.

Researchers used advanced search queries (“dorks”) across major search engines, along with specialized platforms like Shodan and FOFA, to identify domains, websites, and exposed services linked to the campaign.

This approach helped map the full scope of the operation and distinguish actively malicious domains from those that only appeared similar. Additional investigations also looked into related scams, including a campaign exploiting FCKeditor and a Chinese-linked fake e-commerce network — you can read more about them in our other research articles.

Cybersecurity and Threat Protection expert Dainius Ražinskas

Dainius Ražinskas

Product and engineering manager, NordVPN