Scam & Phishing Crypto Address Checker

Phishing attacks in crypto rarely look like obvious spam. They arrive as fake support tickets, cloned Discord links, malicious browser extensions, and "free airdrop" sites that trigger wallet signatures instead of simple transfers. A scam wallet address checker evaluates whether an address or smart contract belongs to a known fraud cluster before you approve a transaction. This guide explains how to run a phishing crypto address review, perform a drainer contract check, and integrate screening into your daily wallet workflow.

How crypto phishing differs from email phishing

Email phishing steals credentials. Crypto phishing steals signing authority. Modern drainers do not ask for your seed phrase in a Google Form — they ask you to sign a seemingly harmless transaction in MetaMask or WalletConnect. That signature grants a malicious contract permission to transfer your ERC-20 tokens, NFTs, or native ETH without further prompts.

Address-level scams target inbound flows: attackers send tiny "poison" transfers from addresses that visually resemble your frequent counterparties, hoping you copy the wrong address from transaction history. Wallet-level scams target outbound flows: you interact with a fraudulent dApp and approve unlimited token allowances.

Both attack types leave on-chain fingerprints. Industry intelligence feeds cluster scam deployers, drainer operators, and phishing infrastructure into databases that a local scam wallet address checker can query before you act.

What a scam address checker evaluates

Effective screening combines graph analytics with curated label databases. When you paste an address or contract, the tool should surface:

A single red flag warrants caution. Multiple overlapping flags should trigger a hard stop until you verify the interaction through an official channel.

Drainer contract check: before you sign

Drainer attacks exploit token approval mechanics on Ethereum and EVM-compatible chains. The malicious site prompts "Sign" or "Approve" for a contract that is not the legitimate protocol. Once approved, the drainer pulls assets even after you close the browser tab.

Before signing any unfamiliar contract interaction, run a drainer contract check:

  1. Identify the contract address — In MetaMask, expand transaction details to see the to field and any spender in approval calls. Do not trust the website's displayed name.
  2. Screen the contract address — Paste into your checker. Drainer contracts often appear in intelligence feeds within hours of deployment, but zero-day contracts may lack labels initially.
  3. Review approval scope — Unlimited approvals (type(uint256).max) to unknown spenders are never required by legitimate DeFi protocols for simple swaps.
  4. Cross-check the official site — Navigate to known URLs from bookmarked sources, not from Discord or Twitter replies.
  5. Use pre-sign screening — Our MetaMask pre-sign AML guide covers workflow integration before you click Confirm.

If screening returns a drainer label, revoke existing token approvals through a reputable allowance manager and rotate to a fresh wallet if you already signed.
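The approval-scope review in step 3 can be done mechanically on the calldata the wallet shows. The following is an added example, not code from this page or from AegisAML: `reviewApproval`, the finding names, and the sample calldata are hypothetical and constructed for illustration.

```javascript
// Added example. All addresses and calldata below are constructed samples.
const MAX_UINT256 = (1n << 256n) - 1n; // Solidity's type(uint256).max

// 4-byte selectors of the standard approval functions.
const APPROVAL_SELECTORS = new Map([
  ["095ea7b3", "approve(address,uint256)"],           // ERC-20 allowance (ERC-721: one token id)
  ["39509351", "increaseAllowance(address,uint256)"], // common ERC-20 extension
  ["a22cb465", "setApprovalForAll(address,bool)"],    // ERC-721 / ERC-1155 operator grant
]);

// Decode approval calldata and list the reasons to stop before signing.
function reviewApproval(calldata, trustedSpenders = []) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const kind = APPROVAL_SELECTORS.get(hex.slice(0, 8));
  if (!kind) return { isApproval: false, findings: [] };
  // Selector (8 hex chars) plus two 32-byte ABI words (64 hex chars each).
  if (!/^[0-9a-f]{136}$/.test(hex)) {
    return { isApproval: true, kind, findings: ["malformed-arguments"] };
  }
  const word1 = hex.slice(8, 72);
  const word2 = hex.slice(72, 136);
  const spender = "0x" + word1.slice(24); // address is right-aligned in its word
  const value = BigInt("0x" + word2);
  const trusted = trustedSpenders.map((a) => a.toLowerCase());
  const findings = [];
  if (!trusted.includes(spender)) findings.push("unknown-spender");
  if (kind.startsWith("setApprovalForAll")) {
    if (value !== 0n) findings.push("operator-for-all-tokens");
  } else if (value === MAX_UINT256) {
    findings.push("unlimited-allowance");
  }
  return { isApproval: true, kind, spender, value, findings };
}

// Constructed inputs: a placeholder spender and three calldata samples.
const SPENDER = "0x" + "ab".repeat(20);
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const unlimitedApprove = "0x095ea7b3" + word(SPENDER) + "f".repeat(64);
const operatorGrant = "0xa22cb465" + word(SPENDER) + word("1");
const plainTransfer = "0xa9059cbb" + word(SPENDER) + word("64"); // transfer(), not an approval

console.log(reviewApproval(unlimitedApprove).findings);
```

An empty `findings` list only means the call is not an unlimited or operator-wide grant to an unlisted spender; the spender address still needs to go through the label screening in step 2.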

Address poisoning and look-alike wallets

Address poisoning targets users who copy addresses from wallet transaction history. An attacker generates an address whose first and last characters match your real counterparty, sends a dust transaction to your wallet, and waits for you to copy the poisoned address from history instead of your saved contact.

A phishing crypto address checker helps on the outbound side when you paste a recipient address — compare the full string character-by-character against your verified contact list, not just the prefix and suffix. Screening also flags poison addresses reported in community databases when victims report losses.

Defense in depth: whitelist addresses in your hardware wallet software, use address books with labels, and never copy from transaction history for large transfers.
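The full-string comparison described above, as an added example (not code from this page or from AegisAML): `checkRecipient`, the verdict names, and the contact list are hypothetical, and the addresses are constructed samples. It assumes 20-byte hex addresses and compares case-insensitively, so checksum casing is ignored.

```javascript
// Added example. Addresses below are constructed samples, not real wallets.
// Classify a pasted recipient against a verified address book:
//   "verified"   - every character matches a saved contact
//   "look-alike" - same first/last `edge` characters as a contact, but a
//                  different middle (the address-poisoning pattern)
//   "unknown"    - resembles no saved contact
//   "invalid"    - not a 20-byte hex address
function checkRecipient(candidate, contacts, edge = 4) {
  const norm = (a) => a.trim().toLowerCase().replace(/^0x/, "");
  const c = norm(candidate);
  if (!/^[0-9a-f]{40}$/.test(c)) return { verdict: "invalid" };

  let lookAlike = null;
  for (const [label, addr] of Object.entries(contacts)) {
    const k = norm(addr);
    if (k === c) return { verdict: "verified", label };
    const sameEdges =
      k.slice(0, edge) === c.slice(0, edge) && k.slice(-edge) === c.slice(-edge);
    if (sameEdges) {
      // Count differing positions so the user can see how far apart the two are.
      const differingChars = [...k].filter((ch, i) => ch !== c[i]).length;
      lookAlike = { verdict: "look-alike", label, differingChars };
    }
  }
  return lookAlike ?? { verdict: "unknown" };
}

// Constructed address book and a poison address that shares prefix and suffix.
const CONTACTS = { exchange: "0x1a2b" + "c".repeat(32) + "9f8e" };
const POISON = "0x1a2b" + "d".repeat(32) + "9f8e";
const STRANGER = "0x" + "7".repeat(40);

console.log(checkRecipient(POISON, CONTACTS));
```

A wallet UI that truncates to `0x1a2b…9f8e` renders both sample addresses identically, which is why the check runs on the full 40 hex characters.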

Common scam types and screening signals

| Scam type | What victims do | On-chain signal |
|---|---|---|
| Fake airdrop | Sign to "claim" tokens | Unknown claim contract with drainer labels |
| Support impersonation | Send crypto to "verify" wallet | Fresh wallet, inbound from many victims |
| Romance / investment | Wire or send to "trading desk" | Mule cluster, rapid peel-chain outflows |
| NFT mint phishing | Approve malicious marketplace | Contract not matching official collection deployer |
| Clipboard malware | Paste swaps attacker address | Recipient differs from intended — screen before send |
| Fake OTC desk | Send USDT before fiat arrives | Address substitution — demand signed ownership proof |

Integrating checks into your workflow

Reactive screening after you lose funds helps law enforcement but not your balance. Build habits:

High-volume traders should use local desktop screening to avoid per-check API costs that encourage skipping verification on "small" transactions — scammers deliberately test with small amounts before large drains.

What screening cannot catch

No checker is omniscient. Zero-day drainer contracts may lack labels for hours or days after deployment. Social engineering that convinces you to send BTC to a technically "clean" fresh wallet will not trigger cluster alerts until victims report. Screening is one layer — combine it with official channel verification, hardware wallet transaction previews, and skepticism toward urgency.

Conversely, a flagged address is not always guilty. Shared exchange hot wallets and custodial services can inherit labels from adjacent bad actors. Investigate hop distance and direct vs indirect exposure before assuming malice.

After a suspected phishing interaction

  1. Revoke token approvals immediately on affected chains.
  2. Move remaining assets to a new wallet with a fresh seed — compromised signing environments may persist.
  3. Document transaction IDs and screened addresses for exchange support or law enforcement reports.
  4. Do not deposit remaining funds to a CEX without screening — inherited scam labels can trigger holds. Read CEX deposit freeze prevention first.

Check scam and phishing addresses on Windows — free

AegisAML screens wallets and contracts for scam clusters, drainer patterns, sanctions hits, and mixer exposure. Local analysis on Windows — paste addresses before you sign or send.
