Your Crypto Guide Australia · Est. 2026

Security

Crypto Scams Australia 2026: Every Major Type Explained

Verified Scamwatch and ASIC data on every major crypto scam in Australia for 2026, plus red-flag tables and the steps to take if you have been scammed.

By YCG Research Desk

Published 12 June 2026

Fact-checked & updated 12 June 2026

Australians lost a combined $2.18 billion to scams in 2025, and cryptocurrency has become the single largest payment channel for that theft. According to the National Anti-Scam Centre, $121.3 million — 36.2% of all losses reported to Scamwatch — moved through crypto or digital currency exchanges, overtaking bank transfers for the first time. This guide covers every major crypto scam operating in Australia, the red flags for each, and exactly what to do if you have been targeted.

What the official data shows

The National Anti-Scam Centre’s Targeting Scams report, published by the ACCC on 30 March 2026, is the most authoritative picture of scam activity in Australia. Its 2025 findings are sobering:

  • Combined losses reached $2.18 billion, up 7.8% on 2024, across reports to Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and ASIC.
  • Investment scams were the costliest category, with combined losses of $837.7 million. The report notes that many Australians lose retirement savings or superannuation through investment and romance scams.
  • Cryptocurrency became the top payment method by losses reported to Scamwatch: $121.3 million across just 3,993 transactions, compared with $118.1 million across 8,858 bank transfer reports. Fewer transactions, far larger amounts.
  • The median loss fell from $500 to $400, suggesting scammers are successfully reaching more people, even as individual losses shrink.

Crypto’s appeal to criminals is structural rather than incidental: transfers settle in minutes, cross borders without friction, and are effectively irreversible once confirmed. Understanding the mechanics of each scam type is the most reliable defence, and it pairs well with a solid grounding in how crypto actually works.

Investment scams and romance baiting (“pig butchering”)

The single most damaging category. The long-form version — which Scamwatch calls romance baiting and is widely known as pig butchering — begins with an apparently innocent contact: a dating app match, a social media follow, or a “wrong number” text that turns into conversation. The scammer invests weeks or months building trust before mentioning, almost casually, their success trading crypto.

The victim is then guided onto a professional-looking trading platform that is entirely fake. Early “profits” appear on screen, and a small test withdrawal is often allowed to build confidence. Deposits escalate — frequently funded by personal loans or superannuation — until the victim tries to withdraw a meaningful amount. At that point the platform invents taxes, release fees or compliance charges, extracting further payments before the operators disappear.

Red flag | What it looks like in practice
Unsolicited contact | A stranger initiates conversation on a dating app, social platform or via a “wrong number” text
Channel switching | The conversation quickly moves to WhatsApp or Telegram
The mentor pattern | A new acquaintance offers to “teach” you crypto trading on a platform they recommend
Unknown platform | The site or app is not on official app stores and the domain is recently registered
Guaranteed returns | Fixed daily or weekly percentages — no legitimate investment offers these
The test withdrawal | One small withdrawal succeeds, used to justify much larger deposits
Fees to unlock funds | Withdrawals blocked behind invented taxes, before more money is demanded

Fake exchanges, clone apps and counterfeit wallets

Moneysmart identifies fake trading platforms, wallets and apps as a core crypto scam category. These take several forms: wholly invented exchanges with fabricated dashboards, clone websites that mimic real Australian platforms with a slightly altered domain, counterfeit mobile apps, and fake wallet software designed to capture seed phrases as soon as they are entered.

A related on-chain variant is the fake token: a worthless asset airdropped into a wallet or pumped through an initial coin offering before the developers withdraw all liquidity — the so-called rug pull.

Before trusting any platform, compare it against the official AUSTRAC register — our guide to AUSTRAC-registered exchanges in Australia explains how to search it and what registration does and does not mean. For wallet software, download only from the developer’s verified site or official app stores, and check independent analysis first — see, for example, our review of whether Trust Wallet is safe for how to assess a wallet’s security model.

Red flag | Why it matters
Platform reachable only via a link someone sent you | Legitimate exchanges are found through official channels, not private messages
Smooth, always-positive returns on the dashboard | Real markets fall as well as rise; fabricated dashboards rarely show losses
Domain misspells or imitates a known brand | Clone sites rely on near-identical URLs to harvest logins and deposits
Not on the AUSTRAC register | Operating an unregistered exchange for Australians breaches AML law
Withdrawal requires a further deposit | No legitimate platform charges a deposit to release your own funds

Impersonation scams: ATO, myGov and exchange “support”

Impersonation fraud is industrial in scale. Services Australia alone detected and responded to more than 14,000 unique agency impersonation scams in 2025 and supported over 9,000 affected customers through its Scams and Identity Theft Helpdesk. The National Anti-Scam Centre’s call-blocking disruption work in 2025 named Binance and CoinSpot among the brands scammers most frequently impersonate, alongside Microsoft and PayPal.

The pattern is consistent. A call, email or text claims to be from the ATO chasing a debt, myGov flagging a suspended account, or an exchange’s “security team” warning of a hack. The victim is pressured to act immediately — usually by transferring crypto to a “secure wallet” the scammer controls, handing over login codes, or installing remote-access software. Two facts cut through every variant: no Australian government agency accepts cryptocurrency as payment for debts or fines, and no legitimate exchange will ever ask you to move funds to an external wallet for “protection”.

SMS phishing and fake security alerts

Text message scam reports fell 62.4% in 2025 — from 77,365 to 29,058 — as telco blocking improved, yet losses through this channel still rose from $14.0 million to $17.9 million, driven by a smaller number of higher-value hits including investment scams and phishing. Crypto holders are a prime target because a single captured login can empty an account.

Typical lures include fake withdrawal confirmations (“If this wasn’t you, call this number”), bogus verification deadlines and counterfeit security alerts. We have documented the Australian-specific wave of these messages in detail in our guide to CoinSpot scam texts. The universal rule: never act on a link or phone number delivered by SMS — open your exchange app directly or type the address yourself.

Fake celebrity endorsements

Deepfake video advertisements and fabricated news articles featuring well-known Australians continue to funnel victims into fake trading platforms. ASIC’s takedown programme removed an average of 230 investment scam and phishing websites per week during 2025, including scams promoted through paid advertising on digital platforms, and ASIC added roughly 100 suspect companies, businesses and websites per month to Moneysmart’s Investor Alert List. No legitimate platform recruits customers through celebrity giveaway videos, and public figures do not distribute free crypto.

Recovery scams: the second hit

Scamwatch reports that one in three scam victims is scammed more than once, and the follow-up is frequently a recovery scam. Posing as lawyers, blockchain forensics firms or even government agencies, these operators contact known victims — often using details traded among scam networks — and promise to retrieve lost funds for an upfront fee, or ask for a wallet seed phrase to “trace” the money. The 2025 Targeting Scams report recorded a 170% jump in rebate scam losses to $4.7 million, driven by several high-value cryptocurrency recovery scams. No genuine service guarantees crypto recovery, and none needs your seed phrase.

SMSF cold calls and super-switching schemes

A distinctly Australian variant targets the $4 trillion superannuation system. ASIC has issued formal warnings about cold-calling operators who use high-pressure sales tactics and social media clickbait — often a “super health check” or comparison calculator designed to make your existing fund look poor — to push people into switching superannuation, sometimes into a self-managed super fund that is then steered into crypto products promising fixed returns.

ASIC’s warning on SMSFs and crypto is explicit:

“Be wary of people ‘cold calling’, text messaging, or emailing you with a recommendation to transfer your super to an SMSF, or invest in crypto-assets via your SMSF.” — ASIC, Warning: Self-managed super funds and crypto investments

The same warning notes that as an SMSF trustee you ultimately bear responsibility for the fund’s decisions and legal compliance, even when relying on someone else’s advice. The Targeting Scams report separately observes that retirement savings and superannuation feature heavily in the largest individual losses. Anyone researching this area can read about the actual rules and obligations in our SMSF crypto guide — but no decision about superannuation should ever begin with an unsolicited phone call.

Address poisoning and approval drains

Two technical scams target people who already hold crypto in their own wallets. Address poisoning exploits copy-paste habits: the attacker sends a tiny transaction from an address engineered to share the same first and last characters as one you regularly use, hoping you later copy the lookalike from your transaction history and send funds to it. The defence is procedural — verify the entire address before sending, not just the ends, and send a small test amount first.
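
The full-address check described above, written out as an added example (not code from this guide or from any wallet vendor). It assumes Ethereum-style hexadecimal addresses; the sample addresses, the four-character window and the dust threshold are constructed for illustration.

```python
# Added example: address-poisoning check for Ethereum-style hex addresses.
from dataclasses import dataclass

PREFIX_LEN = 4          # assumption: leading characters people glance at
SUFFIX_LEN = 4          # assumption: trailing characters people glance at
DUST_THRESHOLD = 0.001  # assumption: transfers at or below this count as "tiny"

# Constructed sample addresses (not real wallets).
TRUSTED = "0x1a2b" + "3c4d5e6f" * 4 + "9f8e"
LOOKALIKE = "0x1a2b" + "0" * 32 + "9f8e"   # same ends, different middle
UNRELATED = "0x" + "7" * 40


@dataclass
class Transfer:
    counterparty: str   # the other address in a history entry
    amount: float


def normalise(addr: str) -> str:
    """Hex addresses are case-insensitive; compare lowercase without 0x."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when the ends match a trusted address but the whole does not."""
    c, t = normalise(candidate), normalise(trusted)
    if c == t or len(c) != len(t):
        return False
    return c[:PREFIX_LEN] == t[:PREFIX_LEN] and c[-SUFFIX_LEN:] == t[-SUFFIX_LEN:]


def find_poisoning(history, address_book):
    """Return (address, imitated label, is_dust) for each lookalike in history."""
    findings = []
    for tx in history:
        for label, trusted in address_book.items():
            if is_lookalike(tx.counterparty, trusted):
                findings.append((tx.counterparty, label, tx.amount <= DUST_THRESHOLD))
    return findings


def safe_to_send(destination: str, address_book):
    """Full-string match against the address book, never a match on the ends."""
    dest = normalise(destination)
    for label, trusted in address_book.items():
        if dest == normalise(trusted):
            return label
    return None


if __name__ == "__main__":
    book = {"exchange-deposit": TRUSTED}
    history = [Transfer(LOOKALIKE, 0.00001), Transfer(UNRELATED, 5.0)]
    print(find_poisoning(history, book))   # the lookalike, flagged as dust
    print(safe_to_send(LOOKALIKE, book))   # None: ends match, address does not
```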

Approval drains abuse token allowances. Connecting a wallet to a malicious site — often dressed up as an airdrop claim, mint page or support portal — and signing an approval can grant unlimited spending rights over a token, which the attacker exercises later. Review and revoke unused approvals periodically, and treat every unsolicited airdrop as hostile. Unfamiliar with allowances, signatures or dusting? Our crypto glossary defines each term, and our guide to hardware wallets available in Australia explains how keeping signing keys offline changes the risk profile of these attacks.
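
To show what an approval request actually contains before it is signed, here is an added example (not code from this guide or from any wallet) that decodes the transaction data and flags unlimited allowances. It assumes the standard Ethereum token interfaces; the spender address, the "effectively unlimited" threshold and the warning labels are constructed for illustration.

```python
# Added example: decode token-approval calldata before signing.
APPROVE = "095ea7b3"               # selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)
EFFECTIVELY_UNLIMITED = 2**255     # assumption: at or above this is "unlimited"


def decode_approval(calldata_hex: str):
    """Return a dict describing the approval, or None if it is not one."""
    data = calldata_hex.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    # 4-byte selector plus two 32-byte ABI words = 136 hex characters.
    if len(data) != 136:
        return None
    selector, word1, word2 = data[:8], data[8:72], data[72:]
    try:
        # An address sits in the low 20 bytes of its word; the rest must be zero.
        if int(word1, 16) >> 160:
            return None
        value = int(word2, 16)
    except ValueError:
        return None
    spender = "0x" + word1[24:]
    if selector == APPROVE:
        # Assumed to be an ERC-20 token, where the second word is an amount.
        return {"kind": "approve", "spender": spender, "amount": value,
                "unlimited": value >= EFFECTIVELY_UNLIMITED}
    if selector == SET_APPROVAL_FOR_ALL:
        # A true flag hands the operator every token in the collection.
        return {"kind": "setApprovalForAll", "spender": spender, "amount": None,
                "unlimited": value != 0}
    return None


def review(calldata_hex: str, known_spenders) -> list:
    """Warnings to show the user; known_spenders holds lowercase 0x addresses."""
    approval = decode_approval(calldata_hex)
    if approval is None:
        return []
    warnings = []
    if approval["unlimited"]:
        warnings.append("unlimited-allowance")
    if approval["spender"] not in known_spenders:
        warnings.append("unknown-spender")
    return warnings


if __name__ == "__main__":
    spender = "ab" * 20  # constructed spender address, not a real contract
    unlimited = "0x" + APPROVE + "0" * 24 + spender + "f" * 64
    bounded = "0x" + APPROVE + "0" * 24 + spender + format(1000, "064x")
    print(review(unlimited, known_spenders=set()))
    print(review(bounded, known_spenders={"0x" + spender}))
```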

Crypto ATMs: a pressure point regulators are watching

Australia’s crypto ATM fleet grew from roughly 20 machines in 2019 to more than 2,000 in 2026, handling an estimated $275 million in transactions a year. AUSTRAC’s Crypto Taskforce, working with police, estimates that 85% of the highest-transacting users had been coerced into feeding cash into the machines by scammers, or were acting as money mules. AUSTRAC has since imposed conditions on all operators, including a $5,000 limit on cash deposits and withdrawals and mandatory scam warnings on machines. The practical takeaway is simple: anyone who instructs you to pay a debt, fee, fine or “investment” through a crypto ATM is running a scam.

How to verify a platform before money moves

  1. Search AUSTRAC’s public register. Every business exchanging crypto for Australians must be registered — since 31 March 2026 as a virtual asset service provider. Registration is an anti-money-laundering obligation, not a licence and not an endorsement of the business, but its absence is disqualifying.
  2. Check Moneysmart’s Investor Alert List. ASIC lists entities that are not licensed to offer investments in Australia. Absence from the list is not clearance — new scam sites appear daily.
  3. Verify any “adviser” on ASIC’s registers. Moneysmart’s check-before-you-invest guidance explains how to confirm an Australian financial services licence and look up an individual adviser.
  4. Inspect the domain and app publisher independently. Type addresses yourself, check the domain’s registration date, and confirm the app developer matches the company.
  5. Test the contact details. Legitimate platforms publish a real company name, ABN and support channels you can verify.
  6. Search the name alongside the word “scam”. Scamwatch alerts, ASIC media releases and community reports surface quickly.
  7. Slow down. Urgency is the one ingredient every scam needs. A genuine opportunity will still exist tomorrow.

What to do if you have been scammed

  1. Contact your bank or card provider immediately and ask them to stop or recall any pending transactions. Speed matters most in the first hours.
  2. Contact the exchange involved. Ask it to freeze your account, and report the destination wallet address — platforms can sometimes freeze funds that remain in their systems, and the National Anti-Scam Centre’s referral network disrupted more than 800 scammer cryptocurrency wallets in 2025.
  3. Report to ReportCyber at cyber.gov.au, the police reporting channel for cybercrime.
  4. Report to Scamwatch. Reports feed the National Anti-Scam Centre’s disruption work even where individual recovery is not possible.
  5. Call IDCARE on 1800 595 160 if you shared identity documents, and ask for a free response plan.
  6. Secure your accounts. Change passwords, reset two-factor authentication, and if a seed phrase was exposed, move any remaining assets to a freshly generated wallet immediately.
  7. Escalate to AFCA — the Australian Financial Complaints Authority — if you are dissatisfied with your bank’s response.
  8. Expect the second approach. One in three victims is scammed again, frequently by fake recovery services. Treat every unsolicited offer of help as part of the original operation.

How legitimate platforms behave

The clearest protection is knowing what normal looks like. Registered Australian exchanges do not cold-call, do not recruit through dating apps or Telegram groups, do not guarantee returns, and never ask for your password, two-factor codes, seed phrase or remote access to your device. They publish verifiable company details, hold AUSTRAC registration, and let you find them — not the reverse.

Legitimate platform | Scam operation
You initiate contact through official channels | They contact you first, unprompted
Appears on AUSTRAC’s public register | Unregistered, offshore or unverifiable
Fees and spreads published openly | Surprise taxes and release fees at withdrawal
Never asks for seed phrases or 2FA codes | Requests credentials to “verify” or “protect” you
Markets fluctuate; losses happen | Returns are fixed, guaranteed or always positive

For a factual comparison of registered platforms operating locally, see our breakdown of Australian crypto exchanges; for the wider regulatory backdrop, including the licensing regime arriving in 2027, see whether crypto is legal in Australia. Scammers rely on unfamiliarity — the more precisely you understand how this market is supposed to work, the harder you are to deceive.

Frequently asked questions

How much did Australians lose to crypto scams in 2025?

The National Anti-Scam Centre's Targeting Scams report, published in March 2026, found Australians lost a combined $2.18 billion to all scams in 2025. Cryptocurrency and digital currency exchanges were the largest payment channel reported to Scamwatch, with $121.3 million lost across 3,993 transactions — 36.2% of Scamwatch losses — overtaking bank transfers for the first time. Investment scams were the costliest category overall at $837.7 million.

How can I check if a crypto exchange is registered with AUSTRAC?

AUSTRAC publishes a public register of virtual asset service providers — the term that replaced digital currency exchange providers from 31 March 2026. Search the register on austrac.gov.au before sending money to any platform. Be aware that registration is an anti-money-laundering compliance requirement only. It is not a licence, a government endorsement, or a guarantee that the business is trustworthy or financially sound.

What should I do first if I have sent crypto to a scammer?

Act immediately. Contact your bank or card provider and ask them to stop any pending transactions, then contact the exchange you used and ask it to freeze your account and flag the destination wallet address. Report the incident to ReportCyber at cyber.gov.au and to Scamwatch. If you shared identity documents, call IDCARE on 1800 595 160 for a free response plan.

Can I get my money back after a crypto scam?

Often not, because cryptocurrency transfers are effectively irreversible once confirmed on the blockchain. Recovery is most likely when funds are still moving through the banking system or sitting on a regulated exchange that can freeze them. If you are unhappy with how your bank handled the matter, you can complain to the Australian Financial Complaints Authority. Treat any third party promising guaranteed recovery with extreme caution.

Are crypto recovery services legitimate?

Most unsolicited recovery offers are follow-up scams targeting people who have already lost money. Scamwatch reports that one in three scam victims is scammed more than once, and the 2025 Targeting Scams report linked a 170% rise in rebate scam losses to high-value cryptocurrency recovery scams. No genuine service can guarantee the return of crypto, and none needs your seed phrase or an upfront fee in crypto.

Why am I being cold-called about moving my super into crypto?

ASIC has warned repeatedly about cold-calling operators who use high-pressure sales tactics and social media clickbait to push superannuation switching, sometimes steering people into self-managed super funds that are then invested in crypto products. ASIC's guidance is to be wary of anyone who cold calls, texts or emails recommending you transfer super to an SMSF or invest in crypto-assets through one. Licensed financial advisers do not operate this way.

What is romance baiting or pig butchering?

Romance baiting — often called pig butchering — is a long-game scam in which criminals build a romantic or friendly relationship online over weeks or months, then introduce a fake crypto investment opportunity. Victims see fabricated profits on a counterfeit platform, are encouraged to deposit more, and discover the truth only when withdrawals are blocked behind invented taxes and fees. It is among the costliest scam methods reported in Australia.
