Indians Lost Rs 2,800 Crore to Crypto Scams in 2024. Recovery Rate Is Under 1 Percent. Pig Butchering Drives 40% of Losses. Recovery Scams Re-Target Prior Victims. Here Is the Real Playbook From Cyber Cell Data.
Most “how to avoid crypto scams” content focuses on phishing emails and obvious Nigerian-prince variants. The actual attacks killing Indian retail in 2024-26 are structurally different — multi-week social engineering, fake recovery agents targeting prior victims, sim-swap drainers exploiting Aadhaar-linked KYC, and wallet drainer signatures most users do not understand they are authorizing.
This article maps the real attack landscape: what scams actually dominate, how they work mechanically, what cyber cell data shows about recovery rates, and the three-layer defense framework that actually works.
Indian Crypto Scam Loss Landscape — 2024 Data
Aggregated cybercell-reported data from Maharashtra, Karnataka, Delhi, Tamil Nadu, Telangana for calendar year 2024:
| Scam category | Share of total losses | Estimated Rs crore loss | Recovery rate (12 months) |
|---|---|---|---|
| Pig butchering / romance scam | ~40% | ~1,100 | <0.5% |
| Fake exchange / trading platform | ~25% | ~700 | ~2% |
| Phishing and wallet drainer | ~15% | ~400 | <0.5% |
| Recovery scam (secondary) | ~10% | ~280 | ~0% |
| Sim swap / account takeover | ~10% | ~280 | ~5% |
| Total | 100% | ~2,800 | ~1.5% |
The aggregate Rs 2,800 crore figure understates true losses because reported cases are estimated at 30-50 percent of actual incidents. Many victims do not file an FIR due to embarrassment (especially in romance-framed cases) or because the loss amount is below the cybercell prioritization threshold.
True 2024 Indian crypto scam losses likely exceed Rs 5,000-6,000 crore.
Pig Butchering — The Dominant Indian Crypto Scam
Pig butchering (sha zhu pan) is named for fattening the pig before slaughter — building emotional or commercial trust over weeks before extracting maximum capital.
The standard playbook
| Phase | Duration | Activity |
|---|---|---|
| Phase 1 — Approach | Day 0-1 | “Sorry, wrong number” WhatsApp, dating app match, LinkedIn “investment mentor” outreach |
| Phase 2 — Rapport | Day 1-14 | Friendly conversation, romantic or business framing, no financial mention |
| Phase 3 — Opportunity introduction | Day 14-21 | Scammer “casually” mentions their own crypto trading success, shares screenshots |
| Phase 4 — Test deposit | Day 21-28 | Victim deposits Rs 10-20K on fake platform, sees “profits”, withdraws small amount as proof |
| Phase 5 — Scale-up | Day 28-90 | Gradual deposits totaling Rs 5-50 lakh, often using loans, savings, family money |
| Phase 6 — Exit demand | Day 90+ | Victim tries to withdraw, platform demands “tax” or “verification fee” as new deposit |
| Phase 7 — Total loss | Day 100+ | Communication ceases, platform inaccessible, funds gone |
Victim profile (Maharashtra Cybercell 2024 data)
| Attribute | Pattern |
|---|---|
| Age and gender | 70% male, 35-55 years |
| Profession | IT, finance, healthcare, business owner |
| Income | Rs 15-50 lakh household |
| Education | Graduate or post-graduate |
| Location | Tier 1 and tier 2 cities (Mumbai, Bangalore, Pune, Hyderabad, Chennai) |
| Average loss | Rs 6.5 lakh |
| Time from first contact to total loss | 3-6 months |
| Often used | Personal loans, gold loans, or family savings to fund deposits |
Why educated professionals fall for pig butchering
Three reasons that defeat the “I would never fall for that” intuition:
- The financial trap appears only after trust is established. First 2-4 weeks have no financial ask. By the time crypto is mentioned, the relationship feels real.
- The first withdrawal works. A scammer who lets you withdraw Rs 5K profit after a Rs 20K deposit appears credible. The pattern is engineered to defeat skepticism.
- Sunk cost compounds the trap. Once Rs 5-10 lakh is deposited, the victim rationalizes further deposits to “complete the verification” or “get the larger profit out.”
The defense: be skeptical of any new acquaintance who introduces crypto, regardless of how natural the conversation feels. The conversion from social to financial is the attack.
Fake Exchange and Trading Platform Scams
These are cloned UIs of legitimate platforms that allow deposits but block withdrawals beyond a small threshold.
Detection signals
| Signal | Real platform | Scam platform |
|---|---|---|
| Domain TLD | .com, .io, .in, country code | .top, .live, .vip, .cc, .xyz |
| Domain age | Multi-year | Often under 6 months |
| FIU registration (India) | Listed on FIU-IND | Not registered |
| Customer support | Email + chat + phone | WhatsApp/Telegram only |
| Withdrawal of small amount | Works reliably | Works once (the bait), then fails |
| UI consistency | Polished, brand-coherent | Minor visual glitches, broken icons |
| Trustpilot / Reddit reviews | Real reviews, mixed sentiment | Either zero presence or fake 5-star clusters |
| Pressure to deposit | None | “Your account manager” pushing for more |
Common platform names to research before depositing
Always search “[platform name] scam” and “[platform name] reddit” before any deposit. Platforms that have been called out as scams cluster around generic-sounding names like “GlobalProTrade,” “BinanceExchangeIndia” (mimicking but not real Binance), “CryptoIndiaPro,” etc.
The list of real FIU-registered Indian platforms is short: CoinDCX, Mudrex, CoinSwitch, ZebPay and Bitbns are the main legitimate options. Anything claiming Indian operation outside this list deserves heavy scrutiny.
Wallet Drainer Scams — The MetaMask Killer
Wallet drainer scams exploit the “approve unlimited token allowance” pattern in EVM-based wallets.
How it works
- User visits a fake site — often pushed via Twitter giveaway tweets, fake airdrop claim pages, hacked Discord servers, or DM from compromised verified accounts
- User clicks “claim airdrop” or “free mint”
- MetaMask popup asks user to sign a transaction
- The transaction is actually an `approve` call granting unlimited token allowance to an attacker contract
- Attacker immediately drains all approved tokens
Why users sign malicious transactions
MetaMask signature prompts show transaction data in a format most users do not understand. A malicious approval looks similar to a legitimate one. The “spender” address is shown but most users do not verify it.
Even sophisticated users get caught — the December 2023 Ledger Connect Kit compromise caused millions of dollars in losses from users who thought they were interacting with legitimate sites.
Defense
| Practice | Why |
|---|---|
| Use a hardware wallet for all signatures | Physical confirmation defeats automated drainer flows |
| Revoke unused approvals at revoke.cash quarterly | Cleans up dormant attack surface |
| Use a dedicated “burner” wallet for new contracts | Main wallet stays untouched |
| Verify URL by typing manually | Defeats DNS-spoofing and homograph attacks |
| Disable Web3 auto-connect in browser | Prevents passive connection to malicious sites |
| Review signature data carefully | Understand what you are approving |
| Use simulation tools (Tenderly, Pocket Universe) | Preview what the transaction actually does |
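To make "review signature data carefully" concrete, the following added example (not code from the original article or from any wallet vendor) decodes raw EVM calldata and flags the approval calls described above. It goes slightly beyond the ERC-20 `approve` case in the text by also covering `increaseAllowance` and the NFT `setApprovalForAll` call; the function names, the trusted-spender list, the 2**128 threshold and all sample addresses are assumptions made for illustration.

```python
"""Flag token-approval calls in EVM calldata before signing (added example)."""

MAX_UINT256 = 2**256 - 1
# Assumption of this example: an allowance at or above 2**128 base units is
# treated as effectively unlimited, whether or not it is exactly 2**256 - 1.
EFFECTIVELY_UNLIMITED = 2**128

# 4-byte selectors of the standard approval entry points.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20
    "39509351": "increaseAllowance(address,uint256)",  # common ERC-20 extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
}

def decode_approval(calldata_hex):
    """Return details of an approval call, or None for any other call."""
    text = calldata_hex.strip().lower()
    raw = bytes.fromhex(text[2:] if text.startswith("0x") else text)
    name = SELECTORS.get(raw[:4].hex())
    if name is None:
        return None
    args = raw[4:]
    if len(args) < 64:
        raise ValueError("truncated arguments for " + name)
    if any(args[:12]):
        raise ValueError("address argument has non-zero padding")
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:64], "big")
    if name.startswith("setApprovalForAll"):
        scope = "all NFTs in the collection" if value else "revoke"
    elif name.startswith("approve") and value == 0:
        scope = "revoke"
    elif value >= EFFECTIVELY_UNLIMITED:
        scope = "unlimited"
    else:
        scope = "limited"
    return {"function": name, "spender": spender, "value": value, "scope": scope}

def review(calldata_hex, trusted_spenders):
    """Return warnings a user should read before signing this request."""
    info = decode_approval(calldata_hex)
    if info is None or info["scope"] == "revoke":
        return []
    warnings = []
    if info["scope"] != "limited":
        warnings.append("grants %s to %s" % (info["scope"], info["spender"]))
    if info["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender %s is not on the trusted list" % info["spender"])
    return warnings

# Constructed samples; the addresses are placeholders, not real contracts.
SAMPLE_SPENDER = "0x" + "ab" * 20
PAD = "00" * 12
SAMPLE_DRAINER_CALL = "0x095ea7b3" + PAD + "ab" * 20 + "%064x" % MAX_UINT256
SAMPLE_NFT_CALL = "0xa22cb465" + PAD + "ab" * 20 + "%064x" % 1
SAMPLE_REVOKE = "0x095ea7b3" + PAD + "ab" * 20 + "%064x" % 0
SAMPLE_TRANSFER = "0xa9059cbb" + PAD + "cd" * 20 + "%064x" % 1000  # not an approval

if __name__ == "__main__":
    for warning in review(SAMPLE_DRAINER_CALL, trusted_spenders=[]):
        print("WARNING:", warning)
```

The same decoding applies to the approvals a revocation tool lists: an entry with scope "unlimited" for a spender you do not recognise is the dormant attack surface the table refers to.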
Recovery Scams — Re-targeting Prior Victims
Once you have been scammed, your name and contact details often end up on sucker lists shared among scammer networks. Recovery scammers buy these lists and re-target victims.
The pitch
| Claim | Reality |
|---|---|
| “We work with international cybercrime agencies” | Lie — agencies do not partner with private recovery |
| “We have direct contact with Tornado Cash mixing breakers” | Lie — no such service exists |
| “We can recover stolen crypto via blockchain forensics tools” | Forensics exists but does not produce private-party recovery |
| “Pay 10-30% upfront fee, we’ll recover the rest” | Pay the fee, get nothing |
| “We have 89% success rate” | False — real cybercell recovery is <1% |
Real crypto recovery — when it actually happens
Legitimate recovery is concentrated in cases where:
- The scammer is domestic and identifiable — cyber cell can trace and arrest
- Funds remained on a centralized exchange — exchange freezes account on FIR, returns funds after legal process
- The attack triggered an exchange-wide compliance alert — like the WazirX hack where forensics traced funds and partial recovery was attempted
In none of these cases does the victim pay a “recovery agent.” Recovery happens through cyber cell + exchange compliance + court process. The agent model is the scam.
Defense
Any communication claiming to recover stolen crypto for an upfront fee is a scam. Do not respond. Block the contact. Report to cybercell.
If you have already paid a recovery fee, file an FIR for the recovery scam separately and treat both losses as compounded.
Sim Swap Attacks on Exchange Accounts
The Indian-specific attack vector
| Step | Mechanism |
|---|---|
| 1 | Attacker collects victim’s Aadhaar, PAN, mobile number from prior data leak or phishing |
| 2 | Attacker visits telco store with fake ID, claims sim damaged/lost, requests replacement |
| 3 | Telco processes sim swap (often with weak verification) |
| 4 | Attacker’s sim now receives victim’s calls and SMS |
| 5 | Attacker logs into exchange (CoinDCX, ZebPay, etc.) using SMS-based OTP |
| 6 | Attacker initiates withdrawal; SMS OTP arrives at attacker’s phone |
| 7 | Funds drained within 5-15 minutes |
| 8 | Victim discovers attack when their phone shows no service |
Defense
| Layer | Mechanism |
|---|---|
| Hardware-key 2FA (YubiKey, Yubico, Solokeys) | Physical key required for login; SMS swap useless |
| TOTP-based 2FA (Google Authenticator, Authy) | Code generated on device; SMS swap useless |
| Withdrawal whitelist with 48-hour delay | Even if account is compromised, withdrawal address must be pre-approved |
| Email withdrawal confirmation | Adds an extra factor not tied to mobile |
| Withdrawal limit caps | Daily limits cap exposure even if breached |
| Self-custody for large holdings | Exchange custody not used for >Rs 2-3 lakh |
Most Indian exchanges support TOTP-based 2FA. CoinDCX, Mudrex, ZebPay, Bitbns all support Google Authenticator. Hardware-key 2FA support is limited to a few platforms; most users should use TOTP at minimum.
The single most important defense: never rely on SMS-only 2FA for any exchange holding above Rs 50K.
How to File an FIR for Crypto Fraud in India
Step 1 — Document the case
Before approaching police, compile:
- All wallet addresses involved (yours and the scammer’s)
- All transaction hashes from blockchain explorer
- Screenshots of the scam platform UI
- WhatsApp / Telegram / dating app conversation exports
- Bank UPI transaction IDs for fund transfers
- Exchange transaction history showing crypto purchases and transfers
- Email correspondence with the scammer
Step 2 — File the FIR
Two channels:
| Channel | Best for |
|---|---|
| Local police station | Easier for small-value cases; faster initial response |
| cybercrime.gov.in (online) | Necessary for cybercell escalation; nationwide network |
IPC sections to invoke:
- Section 420 — Cheating
- Section 66C, 66D of IT Act — Identity fraud, cheating by personation
- PMLA sections if cross-border laundering involved
Step 3 — Cyber cell escalation
For losses above Rs 50K, the case typically transfers to state cyber cell. Cybercell will:
- Request wallet addresses for blockchain tracing
- Issue notifications to Indian exchanges to freeze accounts of suspect wallets
- Coordinate with foreign agencies if scammer is offshore (rarely successful)
- Update you on case status periodically
Step 4 — Realistic timeline
| Stage | Timeline |
|---|---|
| FIR registration | 1-3 days |
| Cyber cell assignment | 1-4 weeks |
| Wallet tracing report | 4-12 weeks |
| Exchange freeze (if funds still on Indian exchange) | 2-8 weeks |
| Foreign cooperation request | 6-18 months (often unsuccessful) |
| Recovery (if any) | 8-24 months typical |
Step 5 — Tax treatment of the loss
Crypto fraud loss is NOT deductible against any income under current Indian tax law. The Rs 6 lakh you lost cannot offset Rs 6 lakh of capital gains from other crypto. This is a permanent loss with no tax benefit.
The FIR establishes the fact pattern for tax purposes (in case of inquiry about the missing funds) but does not enable a deduction.
For Schedule VDA filing of the original purchase (which still counts as a tax-relevant transaction) see how to file ITR crypto Schedule VDA.
Hardware Wallet Supply Chain Attacks
The attack on Amazon and Flipkart third-party sellers
| Step | Mechanism |
|---|---|
| 1 | Attacker buys legitimate Ledger or Trezor from official channel |
| 2 | Initializes wallet, records seed phrase |
| 3 | Carefully resets packaging with high-quality counterfeit seal |
| 4 | Lists on Amazon India or Flipkart marketplace as new |
| 5 | Victim buys at slight discount, sets up “new” wallet |
| 6 | Victim deposits crypto using the PIN they chose |
| 7 | Attacker, weeks/months later, uses retained seed to drain wallet |
This attack is documented but underreported. Indian buyers who saved Rs 1-2K on a Ledger Nano S by buying from a third-party marketplace have lost Rs 5-30 lakh in crypto.
Safe channels for hardware wallet purchase in India
| Channel | Trust level | Customs cost |
|---|---|---|
| Ledger.com direct | High | ~26% landed cost |
| Cypherock direct (India-based) | High | Domestic, no customs |
| Trezor.io direct | High | ~26% landed cost |
| Authorized resellers per official site | High | Variable |
| Amazon Direct (Amazon as seller, not third-party) | Medium | Domestic |
| Flipkart direct | Medium | Domestic |
| Amazon third-party sellers | Low | Domestic |
| Flipkart third-party sellers | Low | Domestic |
| OLX / Instagram / Telegram | Avoid | Domestic |
The price difference between safe and unsafe channels is typically Rs 1-3K. The risk difference is potentially your entire crypto portfolio. Never optimize for the price differential.
Telegram and WhatsApp Crypto Group Scams
The pump group pipeline
| Phase | Activity |
|---|---|
| Recruitment | “Free crypto signals” or “stock tips” Telegram channel grows to 50K+ subscribers |
| Trust building | Channel posts free “calls” on legitimate coins; some pump randomly |
| Conversion | Channel admin pitches “premium VIP group” for Rs 5-50K |
| Pump | VIP group provides coordinated meme coin or low-cap pumps |
| Late entry | Subscribers buy late, channel admins front-run |
| Loss | Most participants lose money; admin profits |
Defense
- Never join Telegram channels promising “crypto signals” or “trading tips”
- Never pay for premium VIP groups
- Block and report any contact who pitches you these groups
- Recognize that the channel admin profits whether subscribers profit or not
- Real trading insights are not sold on Telegram
Related WhatsApp “investment club” scams
A newer variant where the WhatsApp group claims to be an “investment club” with respected industry figures (impersonated). The group is large enough to seem legitimate. The “fund manager” sends weekly performance updates and recommends specific deposits. The deposits go to scammer-controlled platforms.
Detection: any “fund manager” who you cannot independently verify (LinkedIn, SEBI registration, real-world references) is fictitious. Real fund management requires SEBI registration and is not pitched via WhatsApp groups.
Aadhaar Leak and Crypto Loss Linkage
Major Indian data leaks since 2018 (Aadhaar repository leaks, banking data leaks, telecom leaks) have exposed personal data of hundreds of millions of Indians. Attackers cross-reference these data sets to build complete identity profiles for sim-swap and exchange-account-takeover attacks.
What attackers can typically assemble:
- Aadhaar number
- PAN number
- Mobile number
- Bank account number (from past credit applications)
- Email address (from breached site lists)
- Approximate income (from credit card application data)
With this profile, the attacker can:
- Initiate sim swap (using Aadhaar + mobile)
- Access KYC’d exchange accounts (using sim + password recovery)
- Cross-check whether you have meaningful crypto holdings (research your public profile)
- Target you with personalized phishing (using your name + financial profile)
Defense at the individual level:
- Assume your Aadhaar, PAN, and mobile are already in attacker hands
- Use hardware-key or TOTP 2FA on all financial accounts
- Set sim PIN with telco (prevents sim swap without your PIN)
- Monitor mobile signal strength — sudden loss of signal in unusual locations may indicate sim swap
- Have backup methods to confirm sim integrity (alternate communication channel with family)
The Three-Layer Defense Framework
Layer 1 — Operational hygiene
| Practice | Compliance level |
|---|---|
| Hardware-key or TOTP 2FA on all exchanges | Mandatory |
| Unique passwords from password manager | Mandatory |
| Withdrawal whitelist with 48-hour delay | Strongly recommended |
| Email withdrawal confirmation enabled | Mandatory |
| Dedicated browser profile for crypto activity | Recommended |
| Verify URLs by typing, never click links | Mandatory |
| Block SMS-based 2FA | Mandatory |
Layer 2 — Custody discipline
| Holding size | Custody pattern |
|---|---|
| Under Rs 1 lakh | Exchange custody acceptable (with operational hygiene above) |
| Rs 1-5 lakh | Hardware wallet recommended |
| Rs 5+ lakh | Hardware wallet mandatory, multi-device backup of seed |
| Rs 50+ lakh | Multi-sig setup or institutional custody |
| Active trading | Small balance on exchange only, rest in cold storage |
Layer 3 — Social epistemics
| Rule | Application |
|---|---|
| Unsolicited DMs are scams by default | Block, do not respond |
| Recovery agents are scams by default | Block, file FIR for the second-attempt |
| “Too good to be true” returns are scams | If APY > 50%, assume scam |
| New acquaintance pitching crypto is suspicious | Discount trust factor by 80% |
| Pressure to “act now” is a scam signal | Real opportunities allow time to verify |
| Verified Twitter accounts can be hacked | Do not trust giveaway tweets from verified accounts |
| When in doubt, do nothing | Inaction is the safest default |
What to Do If You Have Been Scammed
Within 24 hours
- Stop all communication with the scammer
- Screenshot every conversation and platform interaction
- Note all wallet addresses and transaction hashes
- Check if the funds are still on a centralized exchange (you may be able to freeze)
- File preliminary FIR at cybercrime.gov.in
Within 1 week
- Visit local police station to register physical FIR
- Submit complete documentation to cyber cell
- Notify your bank if UPI transfers were involved
- Notify your crypto exchange — they may freeze the receiving wallet if it is on their platform
- Inform family / accountant — emotional and tax reasons
Within 1 month
- Follow up with cyber cell for case status
- Engage a crypto-aware CA for tax implications
- Block all contacts from the scam attempt
- Strengthen 2FA and custody on remaining accounts (often the same attacker tries again)
- Document everything for potential civil action
Avoiding the second attack (recovery scam)
For 6-12 months after a primary scam, expect recovery scam outreach. Block any contact claiming to recover crypto for an upfront fee. Report to cybercell as a secondary fraud attempt.
Bottom Line
Indian crypto scam losses in 2024 exceeded Rs 2,800 crore (reported) and likely Rs 5,000+ crore (actual). Recovery rate via cybercell is under 1 percent within 6 months. Pig butchering accounts for 40 percent of losses — multi-week social engineering that defeats the “I would never fall for that” intuition. Recovery scams target prior victims for a second extraction. Sim swap exploits Aadhaar-linked KYC. Wallet drainers exploit token approval signatures most users do not understand.
Prevention is the only viable strategy. The three-layer defense:
- Operational hygiene: hardware-key or TOTP 2FA, withdrawal whitelist, unique passwords, dedicated crypto browser
- Custody discipline: hardware wallet for any holding above Rs 2-3 lakh, never optimize for small price difference on supply chain risk
- Social epistemics: unsolicited DMs are scams, recovery agents are scams, “too good to be true” is too good, when in doubt do nothing
If you have been scammed: document everything, file FIR within 24-72 hours, do not pay recovery agents, accept that funds are likely permanently lost, file Schedule VDA tax disclosure on the original purchase (no loss offset under Indian law), strengthen defenses on remaining accounts.
The honest framework: Indian retail in crypto is in a high-attack environment with weak recovery infrastructure. Defense is mandatory. Recovery is exceptional. Build for prevention, plan for the worst, and protect your remaining capital.