Crypto Scams Go Industrial: $14B in 2025, AI-Fueled Impersonation Up 1400%, Record Seizures Follow

Crypto scams in 2025: What Ops teams need to change now

On-chain inflows to cryptocurrency scams hit at least $14 billion in 2025. That's up from $9.9 billion first reported for 2024 (recalculated to $12 billion). Based on historical adjustments, total 2025 inflows could clear $17 billion as more illicit addresses are identified.

Two shifts should be driving your playbooks: average scam payments jumped from $782 to $2,764 (+253% YoY), and impersonation tactics grew by roughly 1400% YoY. Fraudsters are mixing methods (HYIPs, pig butchering, impersonation, wallet-tech scams) and using AI, SMS phishing-as-a-service, and professional laundering networks to scale.

Quick stats Ops leaders should anchor on

• $14B+ received on-chain by scams in 2025; likely >$17B after reclassification.
• Average payment per scam up 253% YoY to $2,764.
• Impersonation inflows up ~1400% YoY; severity up 600%+
• AI-linked scams extract 4.5x more money ($3.2M vs $719k per operation) and move 9x more transactions daily (35.1 vs 3.89).

Impersonation at scale: Government and private sector

Government impersonation exploded. The "E-ZPass" SMS phishing campaigns used phishing-as-a-service tooling to mimic official agencies and drive victims to fake payment portals. Kits were cheap (as low as $50-$500) and heavily templatized, enabling mass delivery and rapid iteration.

Private-sector impersonation hit hard too. A December 2025 indictment detailed a Coinbase support impersonation scheme that weaponized stolen customer data via insider bribery, convincing users to "secure" their assets into attacker wallets. Even strong technical controls can be bypassed if an insider leak gives scammers credibility and context.

What Ops should do about impersonation scams

• Stand up a "customer contact integrity" protocol: official comms registry, in-app banners for known active scams, and a default "we never ask you to transfer funds" policy surfaced at login and help flows.
• Require out-of-band callback verification for high-risk events (account recovery, wallet migrations, security notices). Make callback numbers discoverable only in-app.
• Monitor for domain and SMS lookalikes. Auto-block links/domains that resemble brand assets and rotate shortlinks frequently.
• Instrument a "speed + small-dollar scaling" detector. Impersonation scams often show rapid inflow bursts from many first-time senders with similar notes/memos.

Where the money moves: DeFi-first laundering patterns

Impersonation operators leaned on DeFi more than other scam categories. In 2024, they spiked laundering through smart contracts; in 2025, waves shifted toward bridges (early-to-mid year) and DEXs (second half). Meanwhile, other scams still leaned on centralized exchanges, though that share is falling.

Controls for DeFi-driven layering

• Risk-score bridges, DEX routers, and token contracts as distinct entities. Apply dynamic friction (holds, deeper KYC/KYB) when funds originate from recent bridge hops or high-risk router clusters.
• Build "bridge→DEX→mixer" sequence detection with time-window correlation. These patterns repeat.
• Tune case management for smart-contract laundering: track contract reuse, bytecode similarity, and recurring liquidity pools tied to known scam clusters.

AI is a force multiplier (and it shows in the numbers)

Scams with visible on-chain ties to AI vendors pull in more money, faster. Median daily revenue is 9x higher, and the average daily transfer count is 9x larger. Deepfakes, face-swap tools, and LLM-driven outreach are making outreach believable and scalable.

Operational responses to AI-enabled scams

• Shift from content-only detection to behavior-first. Look for cadence anomalies: 24/7 outreach, uniform script patterns, many short conversations converting to small initial transfers.
• Flag "AI risk contexts": new accounts rapidly contacting dozens of users across multiple channels; victims signing from new devices right after a "support" chat.
• Deploy "proof-of-control" challenges before large transfers: known-device checks, in-app knowledge prompts, and delayed settlement for high-risk flows.

Fraud-as-a-service: Industrialized and modular

Tooling like phishing kit marketplaces splits the work: developers build kits, brokers sell data, spammers deliver at scale, thieves monetize, admins recruit and coordinate. This makes advanced scams accessible to low-skill actors.

Impact math is stark: campaigns using these kits are 688x more effective by dollar volume and 4x higher in average transaction size than regular scams. Bulk social media account buys show 238x higher dollar effectiveness and 2x higher average transaction size.

Practical moves for Ops

• Threat intel category mapping: tag known kit families, common hosting, registrar patterns, and Telegram vendor clusters. Block sooner, not later.
• Kill-chain focus: cut delivery (SMS/email/social) and payment steps. Rate-limit first payments from newly created social or SMS-referred users.
• Auto-lock "mass-pay" emergent behavior: many first-time recipients, repeating memos, or synchronized amounts from unrelated senders.

Law enforcement pressure: Seizures and sanctions reshape risk

Record actions landed in 2025. UK authorities seized over 61,000 BTC linked to a multibillion-pound fraud tied to Yadi Zhang, reinforcing that crypto flows are traceable and seizable at scale. The US targeted the Prince Group's forced-labor scam compounds with indictments and wide-ranging designations, aiming at executives, money networks, and infrastructure.

Another case: US action against tickmilleas[.]com, a fake investment platform tied to Myanmar-Thailand scam compounds and Chinese organized crime. Expect more coordinated seizures, forfeitures, and sanctions that ripple through laundering routes and liquidity hubs.

Ops implications

• Keep your sanctions map fresh. Integrate watchlists for scam compounds, CMLNs, and associated facilitators; re-scan existing counterparties on updates.
• Plan for sudden counterparty instability: add fallback off-ramps and liquidity routes to avoid service disruption when a hub is seized or designated.
• Expand LEA response playbooks: faster data preservation, case packaging, and asset-freeze coordination windows.

Regional nexus: East and Southeast Asia

Pig-butchering operations still lean on Chinese-language laundering services in Southeast Asia. A measurable "holiday effect" around Chinese New Year correlates with drops in pig-butchering inflows, pointing to operational centrality in the region.

CMLNs grew from processing under 1% of pig-butchering laundering flows in Q1 2022 to over 20% by Q1 2024, and consistently over 10% across 2025. Use of centralized exchanges continues to decline as scammers avoid freezes.

What to change in monitoring

• Prioritize CMLN exposure scoring over pure exchange risk. Weight layered wallets, OTC-style facilitators, and escrow/guarantee services higher.
• Add time-based heuristics (e.g., holiday slowdowns) to anomaly baselines for both inbound victim flows and outbound laundering behavior.
• Geo-behavioral alerts: cross-border hops through known Southeast Asia laundering corridors, even without direct exchange exposure.

Crypto ATMs and elder fraud: A direct ops problem

Older adults continue to suffer the largest reported losses in the US. Crypto ATMs are a preferred on-ramp for scammers guiding victims to convert cash into BTC or stablecoins, which then flow to CMLNs and guarantee services.

Countermeasures that actually reduce losses

• ATM friction for first-time use: video prompts, "are you being told to pay a fee or fine?" confirmations, and dollar caps tied to risk signals.
• Retail partner training: scripts to interrupt active scams, store signage with clear "we do not accept crypto for fines, bail, taxes, or support fees."
• Velocity and cluster controls: multiple ATM deposits to the same destination wallet within hours trigger holds and human review.
• Victim-save protocol: instant support callback option at kiosks; fast-path refunds if funds are still within your control window.

Your 90-day plan

• Week 1-2: Ship anti-impersonation UX. Add in-app security banners, known-scam alerts, and callback-only verification for account changes.
• Week 3-4: Deploy DeFi laundering risk scores. Flag bridge/DEX/router sequences and add pause-and-prove checks for large transfers.
• Week 5-6: Build AI-risk behavior rules. Detect mass outreach, script-like chats, and synchronized micro-deposits.
• Week 7-8: Expand sanctions and CMLN screening. Re-scan counterparties; establish alternative off-ramp routes.
• Week 9-10: Harden ATM and retail flows. Train staff, add kiosk friction, and tune velocity caps.
• Week 11-12: Run a red-team fraud simulation. Measure save rates, time-to-freeze, and customer comms effectiveness; fix gaps.

KPIs to track weekly

• Victim save rate before settlement (goal: up and to the right).
• Median time-to-freeze for flagged flows (goal: under 30 minutes).
• Share of outflows touching bridges/DEX routers within 2 hops (goal: down over time for high-risk cohorts).
• Impersonation false positive rate vs. true positive save rate (goal: lower friction, higher saves).
• ATM-to-CMLN hop count and velocity (goal: fewer, slower).

Enable your team

Upskill analysts and support agents on AI-era fraud patterns and DeFi laundering paths. If you need a structured path, explore role-based programs here: AI courses by job.

Bottom line

Scams are bigger, faster, and more professional. Treat impersonation, DeFi-layered laundering, and AI-driven outreach as baseline threats, not edge cases. Tighten verification, score DeFi pathways, slow the first dollar, and coach your frontline to interrupt scams in real time.