In 2024, scams targeting Web3 startups and founders increased dramatically in crypto. According to Chainalysis, crypto scams alone received at least $9.9 billion on-chain in 2024, with “pig-butchering” schemes (long-term scams where fraudsters build trust over weeks or months before persuading victims to invest) growing nearly 40% year-over-year.
These schemes target startups directly, exploiting their fundraising needs and limited resources. For early-stage teams, a single misstep – whether signing a fraudulent “investment” document, clicking a malicious link, or trusting a fake advisor – can drain funds. Worse, these scams damage trust across the ecosystem, making it harder for legitimate players to build relationships.
The good news? Awareness and proactiveness can keep your blockchain project safe. Together with other Web ecosystem players from Hashlock, NOMINIS, Kima Network, Partisia Blockchain, and Koala Wallet, we have prepared 14 tips on how to protect yourself from online scams and fake investors.
But first…
1. Secure Your Wallet Backup Before Everything Else
“Before you can protect your startup from Web3 scams, you need to secure your most fundamental asset: your wallet itself,” shares Partisia Blockchain’s team. Proper wallet backup isn’t just a technical detail; it’s your first line of defense against losing everything to device failure, theft, or human error.
If you are interested in knowing more, our partner, Partisia Blockchain, has written about wallet backup best practices in its blog.
Partisia Blockchain’s ecosystem partner, Koala Wallet, shares security best practices that everyone in Web3 should implement:
Protect Your Secret Recovery Phrase Like a Master Key: Never share it with anyone, and never store it in screenshots, emails, or cloud files. Keep an offline backup on paper or durable material in a secure location.
Add 2FA to Strengthen Wallet Security: Protect your wallet with a strong PIN and two-factor authentication wherever possible. Extra verification dramatically reduces the chance of a single compromise leading to total loss.
Don’t Trust “Support Agents” With Your Keys: If anyone asks for your secret recovery phrase or private key, whether posing as support staff, an advisor, or an investor, it’s a scam. No legitimate service will ever ask for this information.
Migrate Fast if Compromised: If a secret recovery phrase or private key is ever exposed, treat it as permanently unsafe. Move your funds immediately to a new wallet with a fresh phrase.
Now that you know how to protect your wallet, let’s talk about other important ways to avoid crypto scams in Web3.
2. Protect Your Personal Information
Scammers thrive on oversharing in crypto. Be it your email, phone number, or wallet address – any piece of your personal data can be used against you. Fake investors and impersonators often lure Web3 founders into giving away data in casual Telegram chats or via Twitter messages.
The safest approach is to treat every interaction as potentially hostile until proven otherwise. Never share private info, credentials, or sensitive documents over chat apps. If someone presses for details early in the conversation, that’s your red flag.
Remember: legitimate investors don’t need personal data upfront. They ask for structured materials (like pitch decks) through secure, professional channels.
3. Control Who Can Invite You to Groups
Telegram and Discord remain the lifeblood of Web3 communities, but their openness is also their greatest weakness. Scammers use mass-invites to funnel users into fraudulent channels where they pose as admins, investors, or support teams.
These fake communities often look identical to the real thing, complete with copied branding, fake announcements, and pinned posts. For a Web3 founder juggling multiple channels, the risk of confusing one for another is alarmingly high. Entering such groups can expose your startup to phishing links, fraudulent “investment” offers, or requests for sensitive project information under the guise of due diligence.
One simple fix is to adjust your group invite settings so only your contacts can add you. This dramatically reduces exposure to fake communities designed to look like legitimate ones.
4. Stay Wary of Unrealistic Offers
“Guaranteed returns” and “too-good-to-be-true” deals remain some of the most effective hooks in a scammer’s playbook. Crypto fraudsters know that founders under pressure to secure funding are especially vulnerable to promises of instant success. They’ll dangle opportunities like “exclusive airdrops,” “fast-track listings on Tier-1 exchanges,” or “immediate fundraising approvals” to prey on urgency and FOMO.
Whenever you hear “guaranteed profit,” pause. Serious conversations, on the other hand, revolve around realistic projections, due diligence, equity distribution, and milestone-based funding. They acknowledge that Web3, like any other market, involves risk and volatility. If someone claims to guarantee profits or effortless fundraising with no strings attached, it’s a sign they’re not offering an investment-they’re setting a trap.
Walking away from flashy promises may feel counterintuitive when you’re chasing growth, but it’s often the smartest move. Ask yourself: would you rather lose out on a fake “opportunity,” or gamble your startup’s future on a scheme designed to collapse?
5. Verify Admins in Project Communities
Even inside real Telegram groups, scammers often pose as admins. They copy names, profile pictures, and titles to trick users into sharing private information.
Before acting on any admin’s instructions, slow down and double-check their identity. Cross-reference their messages with official channels such as the project’s website, verified X (Twitter) account, or official Discord announcements.
Many reputable projects are now introducing “verified admin” bots, which tag legitimate moderators to prevent impersonation. Still, no tool is foolproof-ultimately, it’s your vigilance that makes the difference. Ask for real-time verification (e.g., ask the admin to confirm their message in the group’s main announcements channel) to make sure you are talking to the right person.
6. Be Cautious with Links
“Only click the links you’ve specifically requested. Links in emails or documents may be deceptive-always hover to check the real destination before clicking, ” says Guy Vider, the CTO of Kima Network.
These links often imitate trusted brands-fake “Coinbase” logins, cloned DeFi dashboards, or phishing sites that mirror investor portals. Sometimes the difference is a single letter in the URL, making it easy to miss in the middle of a busy fundraising cycle. One careless click can expose login credentials, install malware, or sign a malicious smart contract that drains a startup’s wallets.
“Most cryptoscams start with just one careless click. Whether it’s a fake exchange login or a malicious investor portal, that single action can compromise your entire project. Web3 founders need to treat every unexpected link as a potential trap,” adds Kristoffer Lewinski, the Executive Vice President of Sales and Growth at Hashlock.
Build the habit of hovering before you click. Better yet, type URLs directly or bookmark official sites. It’s a small step that blocks one of the most common scam vectors in Web3.
7. Don’t Open Unexpected PDFs or Documents
Malware often hides in PDFs or Word files disguised as contracts. Scammers rely on founders skipping verification steps because they’re excited about a potential investor or partnership.
Guy Vider from Kima believes that you should “never open PDFs or documents unless you were explicitly informed they would be sent. Emails asking you to DocuSign something without prior notice are likely scams.”
The defense is simple but critical: slow down and verify. If you receive an unexpected document, don’t open it immediately. Confirm through another channel-such as a phone call, an official email, or even a quick message on a verified social profile-that the sender actually intended to share the file.
8. Don’t Respond to Random Direct Messages
Direct messages are the scammer’s favorite attack vector in Web3. They impersonate investors, journalists, or advisors and slide into your DMs with urgent requests.
As Guy Vider explains: “Companies do not DM users randomly. Avoid engaging with any direct messages on Telegram, WhatsApp, or Discord.” Genuine investors and professionals respect boundaries and use proper communication channels. If someone bypasses email, official forms, or introductions and shows up in your DMs instead, that’s a strong signal that something isn’t right. Scammers deliberately blur these lines because they know many Web3 founders are stretched thin and pressed for time.
The rule is simple: don’t engage. If the person is real, they’ll reach you through official, verifiable channels or even connect with you through mutual contacts.
9. Verify Investors in Real Time
A convincing deck and polished email signature aren’t proof of legitimacy. Scammers can generate convincing investor identities in minutes using AI, fake domains, and stolen branding.
During calls, insist that supposed investors verify themselves in real time. Ask them to send a quick tweet from the firm’s verified account or confirm details via corporate email.
“If you can’t verify who you’re talking to, assume they’re not real. Verified communication, through corporate emails, official channels, or KYC, is the only safe way to engage,” adds Fletcher Roberts, the Co-Founder and Director of Hashlock.
Equally important: always demand a camera-on call. Real investors have no issue showing their face, answering questions transparently, and demonstrating professionalism. Fraudsters, on the other hand, prefer to hide behind avatars or voice-only calls.
If they push back, walk away.
10. Require Corporate Emails
Generic email addresses like Gmail, Yahoo, or ProtonMail are red flags in an investment conversation. While these providers are convenient for personal use, legitimate investors and firms operate through professional domains tied to their organizations. If someone claiming to represent a fund reaches out from a free email account, it’s a strong signal that their identity may not withstand scrutiny.
Always check that the domain matches the firm’s official website. To further reduce risk, insist that follow-ups, contracts, and sensitive information be shared only through corporate email accounts. If an investor resists or claims their “work email isn’t available,” feel free to treat it as a dealbreaker.
11. Research Every Investor Thoroughly
Scammers excel at impersonation. They clone LinkedIn profiles, register near-identical domains, and even copy investor pitch decks.
Before engaging, always DYOR and cross-reference identities. If someone claims to be part of a well-known fund, verify if they are on the official team page. Double-check that their email matches the company’s verified domain and not a cheap lookalike. If doubts persist, contact the firm directly to confirm.
Real investors welcome scrutiny. If someone resists being verified, it’s a red flag, not an opportunity.
12. Require Investor KYC & AML Checks
Founders often assume Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements only apply to CEX/DEX exchanges or token holders. In reality, they are just as critical when bringing investors on board.
With the growth of AI used by illicit actors, verification of identities is more important than ever in blockchain. Just as compliance frameworks are vital in ensuring the legitimacy of crypto transactions, these background checks are just as important in real life to ensure you truly ‘Know Your Investor,” confirms Snir Levi, the Founder and CEO of NOMINIS.
For angel investors, request official ID verification and proof of residence. Be cautious: AI deepfakes can now mimic passports and driver’s licenses convincingly. This makes working with trusted KYC providers essential. They can authenticate documents and run background checks that simple visual reviews cannot catch.
Corporate investors demand an even higher standard. Always request incorporation documents, proof of ownership, and transparency on where their funding originates. This ensures you’re not unknowingly tied to illicit capital and keeps your startup aligned with AML regulations.
13. Check if The Project Is Audited
You already know how to verify a fake investor’s identity. What about the project? One of the tested ways to see if the project is a potential Web3 scam is to know that it’s audited. In Web3, a security audit is the baseline proof of legitimacy. If a crypto project is already live, confirm that its smart contracts have been audited and reviewed by a reputable firm. Check out Syndika’s list of top smart contract auditing companies here. If they’re still in development, ask whether an audit is planned before launch. This simple check helps filter out unserious or potentially fraudulent projects and keeps your startup aligned with security best practices.
“A legitimate project has nothing to hide. If they’re live, they should already have an audit. If they’re not live yet, they should at least have a clear plan to get one,” believes Jock Haslam, the Co-Founder and Director of Hashlock.
14. Bonus Tip: Build a Team Playbook Against Crypto Scams
Crypto security isn’t a solo job. Scammers target whichever team member seems most vulnerable – be it the Founder or your content manager.
To defend your startup, create a clear security playbook. Document rules such as: no clicking on unknown links, no signing unexpected documents, installing a 2-factor authentication on every service they use, etc. Pair these written standards with regular training sessions so the entire team understands both the risks and their role in preventing them.
Most importantly, make security a culture, not just a checklist. Encourage employees to flag suspicious activity without fear of blame. When everyone plays by the same rules and stays alert, your startup becomes far harder to exploit.
Final Words
Scams in blockchain are multiplying, getting stronger, sophisticated, and empowered with AI. From fake investors to phishing links, fraudsters adapt quickly, hoping to catch Web3 founders off guard.
The best defense is vigilance: protect your personal data, slow down conversations, and adopt strict verification habits.
Guard your crypto project, and you’ll give your vision the safe runway it deserves.
Top Smart Contract Auditing Companies to Watch in 2025
In 2024, a staggering $2.36 billion was lost across 760 on-chain security incidents. Notably, according to Cointelegraph, smart contract exploits were responsible for nearly 19% of the lost funds last year. As DeFi matures, so do the techniques of hackers and scammers. That’s why, for any Web3 startup that deals with token contracts, liquidity pools, […]
Read more
Step-by-Step Guide to Preparing for a Successful IDO in 2025
Before a crypto project launches a token, an IDO usually takes place. In a Web3 ecosystem, preparing for an IDO is just as important as the token launch itself, because execution around the IDO often determines whether your token gains traction or gets lost in the noise. According to Bitcoin Insider, total crypto fundraising—including venture […]
Read more
Top Crypto Launchpads and IDO Platforms to Raise Funds in 2025
According to CryptoRank’s 2024 fundraising report, crypto startups raised over $16.1 billion through token launches, with IDOs (Initial DEX Offerings) being the preferred fundraising method for early-stage Web3 projects. Crypto launchpads and IDO platforms help blockchain projects not only raise funds but also gain credibility, grow their audience, and launch with real impact. Choosing the […]
Read more
Got questions?
We’ve got answers and would be happy to discuss them with you
