Ethereum Scam Recovery — Guide for ETH Fraud Victims
Updated March 2026
Ethereum is the second most commonly exploited cryptocurrency after Bitcoin. The Ethereum blockchain, with its smart contracts and massive DeFi ecosystem, enables scam types that do not exist on Bitcoin: rug pulls, malicious token approvals, fake tokens, and manipulated DeFi protocols. This guide explains what to do immediately after an Ethereum scam, how to protect your wallet from further loss, how to trace the stolen funds, and what steps to take toward recovery.
1. Common Ethereum Scam Types
Rug Pulls
A rug pull is the most common scam in the Ethereum ecosystem. The pattern: scammers create a new token, add liquidity on a decentralized exchange (Uniswap, SushiSwap), aggressively promote the token through social media, Telegram groups, and influencers, and once enough investors have bought in, the creator withdraws all liquidity. The token price crashes to zero and investors are left holding worthless tokens. According to Chainalysis, over $2 billion was lost to rug pulls in 2025 alone.
Fake Token Approvals (Approval Phishing)
In this particularly insidious scam, victims are tricked into granting a malicious smart contract permission (approval) to move tokens from their wallet. The attack often works through fake DeFi websites, bogus airdrops ("Claim your free tokens"), or manipulated links on social media. The critical danger: the scammer can drain the tokens at any time after the approval is granted, even days or weeks later. Many victims only discover the theft when they next check their wallet balance.
Phishing Attacks
Ethereum phishing targets your private keys, seed phrases, or wallet signatures. Common methods include fake MetaMask popups asking you to enter your seed phrase, fraudulent copies of popular DeFi protocols (Uniswap, Aave, Lido) that present malicious transactions for signing when you connect your wallet, fake "token migration" or "airdrop" pages, and Google Ads linking to phishing clones of legitimate exchanges. No legitimate service will ever ask for your private key or seed phrase.
Pig Butchering on DeFi
A combination of romance scam and investment fraud adapted for the DeFi ecosystem. The scammer builds trust over weeks (often through dating apps or LinkedIn), then directs the victim to a fake DeFi platform showing fabricated "returns," convincing them to deposit increasingly large amounts of ETH or stablecoins. The platform displays fake profits. When the victim tries to withdraw, "fees" are demanded, which is yet another layer of the fraud. These cases often involve the highest individual losses.
Fake Tokens and Honeypots
Scammers create tokens with familiar names (e.g., a fake "Uniswap V4" token) and list them on decentralized exchanges. Honeypot tokens are programmed so you can buy but not sell them: the smart contract blocks sell transactions. After accumulating enough buy-side liquidity, the scammers drain all ETH from the pool. Tools like tokensniffer.com can detect many honeypot patterns before you invest.
2. Immediate Actions After an Ethereum Scam
Act immediately. With Ethereum scams, speed is even more critical than with Bitcoin because smart contracts can execute automatically and instantly.
Secure Remaining Funds
If your wallet has been compromised (private key or seed phrase stolen), transfer all remaining funds to a new, secure wallet immediately. Create a completely new wallet with a new seed phrase. Do not reuse the compromised seed phrase. Transfer ETH and all ERC-20 tokens. Check other EVM chains as well (Polygon, Arbitrum, Optimism, BSC) if you used the same seed phrase there.
Revoke Token Approvals
If the scam exploited a malicious token approval, you must revoke it immediately. Go to revoke.cash and connect your wallet. The site displays all active token approvals. Revoke all approvals for suspicious or unknown smart contracts. Alternative: use Etherscan's Token Approval Checker at etherscan.io/tokenapprovalchecker. Note that revoking an approval requires a small gas fee in ETH, so make sure you have enough ETH remaining to cover the revocation transactions.
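What an approval checker works from, as an added example (not code from revoke.cash, Etherscan or this guide): it replays ERC-20 `Approval` event logs in chain order, in the shape an `eth_getLogs` call returns them, and lists the allowances a wallet has not yet revoked. The addresses and log entries are constructed sample data. Because spending can reduce a finite allowance without a new event, the token's own `allowance(owner, spender)` value remains authoritative.

```python
# Added example: replay ERC-20 Approval logs to list allowances still open.
# All addresses and log entries below are constructed sample data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "unlimited" amount most dApps request

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Return {(token, spender): amount} for allowances not yet revoked."""
    state = {}
    key_order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=key_order):
        topics = log["topics"]
        # ERC-20 Approval carries 3 topics; the ERC-721 event has 4, skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = amount   # a later approve() overwrites the earlier one
    return state

def unlimited_approvals(logs, owner):
    """Spenders that can still move the owner's whole balance of a token."""
    return sorted(k for k, v in open_approvals(logs, owner).items() if v == UNLIMITED)

def make_log(block, idx, token, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

OWNER, TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_X, SPENDER_Y = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    make_log(120, 0, TOKEN_A, OWNER, SPENDER_X, 0),          # later revocation
    make_log(100, 3, TOKEN_A, OWNER, SPENDER_X, UNLIMITED),
    make_log(105, 1, TOKEN_B, OWNER, SPENDER_Y, 500),
    make_log(110, 7, TOKEN_A, OWNER, SPENDER_Y, UNLIMITED),
]

if __name__ == "__main__":
    for token, spender in unlimited_approvals(SAMPLE_LOGS, OWNER):
        print("unlimited approval still open:", token, "->", spender)
```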
Do Not Make Further Payments
Do not send any additional funds, regardless of the pretext. Scammers commonly demand "gas fees," "unlock fees," or "verification costs" to supposedly release your funds. This is always a further scam. No legitimate DeFi protocol requires additional payments to release your funds.
3. Gathering Evidence on Etherscan
Etherscan (etherscan.io) is the primary blockchain explorer for Ethereum. It allows you to trace transactions, addresses, token transfers, and smart contract interactions, and to document everything for law enforcement.
Document the Transaction History
Enter the scammer's address on Etherscan. You will see all transactions: incoming and outgoing ETH transfers, ERC-20 token transfers, NFT transfers, and smart contract interactions. Take screenshots of all relevant transactions. Record the transaction hashes for each of your payments. Check the "Internal Transactions" tab for smart-contract-initiated transfers that are not visible in the main transaction list.
Smart Contract Analysis
If the scam involved a smart contract (rug pull, honeypot, malicious token), examine it on Etherscan: Is the contract verified (source code publicly visible)? Who is the "Creator" of the contract? What transactions has the contract executed? For verified contracts, you can review the source code and look for suspicious functions such as "blacklist," "setFee(99%)," or functions that only allow the owner to sell.
Trace the Fund Flow
Follow where the scammer moved the funds. Click on the scammer's address and examine outgoing transactions. Pay particular attention to transfers to known exchange addresses (Binance, Coinbase, Kraken), as funds there can potentially be frozen. For DeFi scams, check whether funds were bridged to other chains (Polygon, BSC, Arbitrum) or routed through mixing protocols like Tornado Cash.
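The hop-by-hop tracing described above, as an added example (not ChainEvidence's or Etherscan's code): a breadth-first walk over a transfer list that follows funds out of the scammer's address and reports each path ending at a labelled address. The addresses, transaction hashes and label set are constructed placeholders, and the walk follows every outgoing transfer without amount accounting, so its output is a list of leads to document rather than proof.

```python
from collections import deque

# Constructed sample data: placeholder addresses, hashes and labels.
VICTIM, SCAMMER = "0x" + "a1" * 20, "0x" + "b2" * 20
HOP1, HOP2 = "0x" + "c3" * 20, "0x" + "d4" * 20
EXCHANGE, MIXER = "0x" + "e5" * 20, "0x" + "f6" * 20
LABELS = {EXCHANGE: "exchange deposit", MIXER: "mixer"}  # hypothetical label set

def tx(h, src, dst, block):
    return {"hash": h, "from": src, "to": dst, "block": block}

TRANSFERS = [
    tx("0xtx0", SCAMMER, HOP2, 90),      # predates the victim's payment
    tx("0xtx1", VICTIM, SCAMMER, 100),   # the victim's payment
    tx("0xtx2", SCAMMER, HOP1, 101),
    tx("0xtx3", HOP1, EXCHANGE, 103),
    tx("0xtx4", SCAMMER, MIXER, 102),
    tx("0xtx5", HOP2, EXCHANGE, 95),
]

def trace_to_labels(transfers, start, labels, first_block=0, max_hops=4):
    """Breadth-first walk of outgoing transfers from `start`.

    Only transfers at or after the block in which funds arrived are followed,
    and a branch stops at the first labelled address. Every outgoing transfer
    is followed (no amount accounting), so results are leads, not proof.
    """
    outgoing = {}
    for t in transfers:
        outgoing.setdefault(t["from"], []).append(t)
    hits, seen = [], set()
    queue = deque([(start, first_block, [])])
    while queue:
        addr, arrived, path = queue.popleft()
        for t in sorted(outgoing.get(addr, []), key=lambda t: t["block"]):
            if t["block"] < arrived or t["hash"] in seen:
                continue
            seen.add(t["hash"])
            new_path = path + [t["hash"]]
            if t["to"] in labels:
                hits.append({"label": labels[t["to"]], "address": t["to"], "path": new_path})
            elif len(new_path) < max_hops:
                queue.append((t["to"], t["block"], new_path))
    return hits

if __name__ == "__main__":
    for hit in trace_to_labels(TRANSFERS, SCAMMER, LABELS, first_block=100):
        print(hit["label"], hit["address"], " <- ".join(hit["path"]))
```

Passing `first_block` as the block of your own payment keeps transfers that predate it out of the report.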
Investigate Any BTC or ETH Address for Free
ChainEvidence supports both Bitcoin and Ethereum investigations. Enter a scam address and get instant analysis with fund flow tracing, exchange identification, and scam database cross-referencing. The investigation is free.
4. Filing Reports with Law Enforcement
The process for filing a criminal complaint for Ethereum fraud is the same as for Bitcoin fraud. Ethereum transactions fall under the same criminal statutes: wire fraud (18 U.S.C. Section 1343), computer fraud (CFAA), and potentially money laundering and securities fraud.
FBI IC3 Filing
File a complaint at ic3.gov with all Ethereum addresses, transaction hashes, smart contract addresses, screenshots of the scam platform, and token approval details. Specifically reference the transactions on Etherscan and include links to the relevant transaction pages. The IC3 handles Ethereum fraud cases and coordinates with exchanges globally.
Financial Regulators
If the scam involved an unregistered token sale, ICO/IDO, or investment platform, file with the SEC at sec.gov/tcr. The SEC has jurisdiction over token offerings that qualify as securities and has brought numerous enforcement actions against fraudulent DeFi projects. For derivatives or leveraged trading scams, also file with the CFTC. In the UK, report to the FCA if the platform operated within or targeted UK investors.
Contact Exchanges
If your Etherscan analysis shows that stolen ETH was deposited at a regulated exchange, contact that exchange immediately. Binance, Coinbase, Kraken, and other major exchanges can freeze accounts when presented with a police report number and blockchain analysis documenting the fund flow from your transaction to the exchange deposit. Time is critical here; contact the exchange within hours if possible.
5. Prevention — Avoiding Ethereum Scams
Protect yourself against future Ethereum scams with these practices.
Minimize Token Approvals
Only grant token approvals to well-known and audited protocols. Use limited approvals instead of unlimited ones (most modern wallets offer this option). Regularly review and revoke approvals via revoke.cash. Rule of thumb: if you are no longer using a DeFi protocol, revoke its approval.
Verify URLs and Smart Contracts
Bookmark the DeFi protocols you use regularly (Uniswap, Aave, Lido). Never click on links in Telegram, Discord, or Twitter/X that lead to DeFi sites. Always double-check the URL in your address bar. Use browser extensions like Pocket Universe or Fire that simulate transactions and warn you before you sign malicious operations.
Evaluate New Tokens Critically
Before investing in any new token: check it on tokensniffer.com and dextools.io. Is the smart contract verified and audited? Is the liquidity locked, and for how long? Are the developers publicly known? If any of these checks fail, do not invest.
Use a Hardware Wallet
For significant holdings, use a hardware wallet (Ledger, Trezor). Hardware wallets protect your private keys from phishing, malware, and compromised devices. Every transaction must be physically confirmed on the device. Store your seed phrase offline in a secure location. Never store it digitally and never photograph it.
Related Guides
- How to Recover from a Bitcoin Scam — general recovery steps applicable to all crypto scams
- How to File a Crypto Fraud Complaint — detailed guide for FBI IC3, FTC, and SEC filings
- Where and How to Report Cryptocurrency Fraud — comprehensive directory of all reporting channels
Frequently Asked Questions
Can I get my money back after a rug pull?
In a classic rug pull where the developer drained all liquidity from the pool, direct recovery from the smart contract is typically not possible. However, the withdrawn ETH can be traced on the blockchain. If the funds land on a regulated exchange (Binance, Coinbase, Kraken), law enforcement can request the exchange to freeze the account. The faster you act and document the trail, the better your chances. File with FBI IC3 and local police immediately.
What is a token approval and why is it dangerous?
A token approval is a permission you grant to a smart contract to move your tokens on your behalf. Many legitimate DeFi protocols require this for normal operations (e.g., token swaps on Uniswap). However, malicious contracts request unlimited approvals and can then drain your entire balance at any time, even days or weeks after the original approval. Always check and revoke unnecessary approvals regularly using revoke.cash or Etherscan's token approval checker.
How can I check if a token or project is legitimate?
Check these key indicators: Is the smart contract verified on Etherscan with publicly visible source code? Has it been audited by a recognized firm (CertiK, OpenZeppelin, Trail of Bits)? Is the liquidity locked, and for how long? Are the developers publicly known and identifiable (not an anonymous team)? Has the project been covered by reputable crypto media? Check the token on tokensniffer.com and dextools.io for automated risk assessment before investing.
Does ChainEvidence support Ethereum investigations?
ChainEvidence currently supports both Bitcoin (BTC) and Ethereum (ETH) investigations with full blockchain analysis, fund flow tracing, exchange identification, and evidence PDF generation. Enter any BTC or ETH address to start a free investigation.
Someone on Telegram or Discord offered to help me recover my funds. Is it legitimate?
Almost certainly not. These are known as 'recovery scams' where fraudsters target previous scam victims a second time. They promise to recover your cryptocurrency in exchange for an upfront fee, then disappear. No legitimate service contacts you unsolicited via Telegram or Discord. Real recovery works through law enforcement, exchange cooperation, and court proceedings, not through anonymous individuals on messaging platforms.
Start Your Free ETH or BTC Investigation
ChainEvidence supports Bitcoin and Ethereum investigations with fund flow tracing, exchange identification, and professional evidence PDF generation. Enter any BTC or ETH address and get your free investigation results in minutes.