OpenBlock helps you understand crypto before you act.

Appearance
EN
Weekly Briefing
OpenBlock
Safety Guide

Fake Support and Impersonation

One of the oldest crypto scams still works because it begins with confusion and only asks for something dangerous after trust has started to form.

By Nina Park April 7, 2026 8 min read
Safety GuideScam WatchSecurity

Key points

Safety Guide
  • The scam path is chosen for you, not by you.
  • Familiarity is part of the trap.
  • The request gets more dangerous step by step.
OpenBlock security illustration
Why this matters

Impersonation works by borrowing the language, timing, and visual cues of a real support channel.

The defense is to stay anchored to official routes you chose yourself.

The scam does not need to look original.

It only needs to look familiar enough that you stop checking where the request came from.

Warning sign

If support appears before you found the official channel, slow down.

How it starts

It often starts in replies, direct messages, search results, or fake warning banners. The common feature is that the contact path is chosen by the scammer, not by you.

A common entry point is a post on X, a Telegram question, a Discord help request, or a paid Google result that sits above the real domain. The account name often borrows the exchange or wallet brand closely enough that the first glance feels familiar.

This works because the victim already has a problem to solve: a delayed withdrawal, a failed swap, a bridge screen that looks frozen, or a warning about account activity. The scammer is stepping into a conversation that stress already opened.

How it escalates

The ask usually gets more sensitive over time: move to another app, share a screenshot, connect a wallet, confirm a code, send a test transfer. Familiarity makes the next step feel smaller than it is.

Once the private chat starts, the attacker usually narrows your field of view. They ask you to leave the public thread, avoid opening a ticket, and follow one small instruction at a time: send a screenshot, confirm your balance, reconnect the wallet, or paste a code.

That sequencing matters. By the time a wallet popup or a transfer request appears, the dangerous step no longer feels like the beginning of a scam. It feels like the next checkbox in a support workflow you have already been trained to obey.

What they want

They want direct control, indirect access, or enough information to reach both later. Seed phrases, private keys, wallet approvals, device access, and verification transfers all serve that goal.

The end goal changes with the route. Sometimes they want a seed phrase for full takeover. Sometimes they want a private key, a wallet approval that can drain tokens later, a signature that unlocks permissions, or a small test transfer that proves the route works and that you will keep cooperating.

If any of those steps already happened, stop replying, close every link they sent, open the platform from a URL you typed or bookmarked yourself, and review email security, account sessions, wallet approvals, and recent device activity before you do anything else.

Common mistakes

  • Replying inside the route they chose

    A private chat, a top search ad, or a fresh DM is not neutral just because the tone sounds helpful.

  • Treating a signature as harmless

    The wallet popup may be the real action, even when the site copy above it sounds routine.

  • Waiting too long after sharing something

    The first calm operational checks usually matter more than another round of conversation with the attacker.

What you should do

Use the newsroom explainer when you want the shorter scam sequence, and the after-loss checklist if anything was already shared.

  • Stop replying inside the original chat or message thread.
  • Open the platform only from a URL you typed or bookmarked yourself.
  • Review wallet approvals, email security, and active account sessions immediately.