Lesson 1 — The 35 scam patterns mapped to five macro-families
Memorising 35 individual scam names is useless under pressure. Today: collapse them into five operational families so you can predict what comes next from the first contact.
Scams look chaotic from the outside because every individual one has its own surface details — a fake exchange domain, a stolen brand logo, a new buzzword. But at the operational level, every scam in the public taxonomy is doing one of five things. If you can identify which family you're looking at within the first minute of contact, you already know the next moves, the pressure tactics, and where the trap closes. That is the single most useful piece of pattern recognition this course teaches.
Family one is **theft** — direct, unauthorised movement of funds from your wallet or account. This includes wallet drainers, seed-phrase phishing, SIM-swap account takeovers, and address-poisoning attacks. The defining feature is that the attacker doesn't need your willing participation past the moment of compromise; once they have your seed, your signature, or your phone number, the funds move regardless of what you do next. Defence is preventative because reaction is too late.
Family two is **fraud** — willing participation by the victim under false pretences. Pig-butchering, fake investment platforms, fake token sales, rug pulls, and Ponzi-structured 'yield farms' all live here. The defining feature is that the victim approves every transfer themselves. The attacker's job is to construct a story compelling enough that this approval feels rational. Defence is procedural: rules that don't bend regardless of how good today's story sounds.
Family three is **manipulation** — exploiting the victim's emotional or cognitive state to bypass judgment. This family includes romance fraud (which overlaps with pig-butchering), urgency scams ('your account will be locked in 30 minutes'), authority impersonation ('this is the IRS, you owe back taxes payable in Bitcoin'), and celebrity-endorsement fakes. The defining feature is time pressure or emotional flood — the manipulator wants you operating on stress rather than thought. Defence is delay: literally any deliberate pause defeats the attack vector.
Family four is **coercion** — using a real or threatened consequence to force compliance. Sextortion ('I have your camera footage'), corporate extortion ('we will publish your customer database'), and physical wrench attacks all fit here. Coercion is the rarest family for ordinary users and the most catastrophic for high-profile holders. The defining feature is that the attacker has, or claims to have, something tangible to take from you beyond money. Defence here is structural: not being identifiable as a target, and having a pre-decided refusal posture.
Family five is **infrastructure** — compromises of the systems you rely on rather than direct attacks against you. Exchange hacks, bridge exploits, supply-chain attacks on hardware wallets, and DeFi protocol drains affect users who did nothing wrong individually. The defining feature is that the attack happens at a layer below the user's decision-making. Defence is portfolio: don't concentrate exposure in a single platform, custodian, or chain.
When a scam attempt arrives, your first question shouldn't be 'which specific scam is this?' — it should be 'which family is this?' The answer determines everything else. A family-one (theft) attempt is racing against you and you need to disengage instantly. A family-two (fraud) attempt is patient and you have time to verify, ideally days. A family-three (manipulation) attempt is built on urgency and breaks the moment you take a 24-hour delay. A family-four (coercion) attempt requires a pre-decided response you don't have to invent under stress. A family-five (infrastructure) event is something you survive by having layered exposure in the first place.
Example
A reader receives a Telegram DM: 'Hi! I noticed you joined the Solana group. I work for a private liquidity desk — we've been getting 8 percent monthly with a structured staking product, would you be interested in seeing the dashboard?' The surface pattern looks like 'fake investment opportunity.' At the family level it's pig-butchering (family two: fraud through willing participation), with manipulation overlap (family three: building social rapport before the ask). Knowing the family tells you exactly what comes next — within a week you'll be shown small fake 'profits,' within a month you'll be encouraged to deposit more, and within three months the account will lock when you try to withdraw. The pattern is the same across thousands of documented cases. You don't need to research this specific desk; you need to recognise the family and exit before the script continues.
Common mistakes
- Trying to memorise every scam name. The taxonomy is useful for documentation, not for recognition under pressure.
- Assuming any one defence works against all five families. Theft requires technical hygiene; fraud requires procedural discipline; manipulation requires delay; coercion requires structural protection; infrastructure requires diversification.
- Believing scam pattern recognition is something you 'pick up over time.' Most experienced losses happen to people who already knew the surface patterns and missed the family.
- Treating each new scam variant as fundamentally new. Variants are almost always old families with new branding (the 'AI investment' scams of 2024 are pig-butchering with a chatbot in the front-end).
- Underestimating family three (manipulation). Most victims didn't lose to a clever technical attack — they lost during a moment when their judgment was already compromised by urgency, grief, or fear.
Check your understanding
You receive an unsolicited LinkedIn message from someone claiming to work at a 'private crypto fund' offering early access to a tokenised real-estate product. Which macro-family does this most clearly fit?
Sources & further reading
- Primary: FBI IC3 — 2024 Internet Crime Report
  Categorises crypto fraud by adversary type with case-volume data.
- Primary: Chainalysis 2025 Crypto Crime Report
  Annual taxonomy of on-chain scam categories with dollar-volume breakdowns.
- Primary: Europol — Internet Organised Crime Threat Assessment (IOCTA)
  EU-level classification of organised crypto fraud groups.
We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.