FBI warning: crypto-investment scammers now send couriers to your door for cash
A June 15, 2026 FBI alert describes a new escalation in the crypto-investment scam: after building trust online, the scammer dispatches a person to collect physical cash, verified by a passphrase or a dollar-bill serial number.
The 60-second read
Verdict: scam. If anyone you met online, whether an "investment advisor," a new romantic interest, or a "support agent," sends a person to your home or a public spot to pick up cash, it is a scam. No real bank, broker, or investment platform ever sends a courier to collect physical money. The new tell the FBI flagged on June 15, 2026: the courier reads out a prearranged code word or shows you a U.S. dollar bill whose serial number was texted to you in advance, all to "verify" they are legitimate. That verification ritual is itself proof of fraud. Do not hand over the cash. Hang up, do not meet anyone, and report it at ic3.gov.
What the FBI just warned about
On June 15, 2026 the FBI's Internet Crime Complaint Center published public service announcement PSA260615, "Scammers Use Couriers to Collect Cash in Cryptocurrency Investment Scams." The alert documents a tactic that turns a long-running online con into a physical, in-person crime. After convincing a victim to "invest" through a fake cryptocurrency platform, the scammer arranges for a courier to come to the victim's home or a public location and collect actual cash.
The reason this shift happens is mechanical, and it is worth understanding. When a victim tries to move large sums into a scam, their bank often steps in. Legitimate financial institutions flag and sometimes refuse suspicious wire transfers, especially from older account holders. So the scammers route around the bank entirely. They tell the victim that an in-person cash pickup is the only way to "keep investing" or to "release" a withdrawal that is supposedly stuck behind a fee. Coverage from Help Net Security, Bitdefender, and Infosecurity Magazine on June 16 underlined the same point: cash beats the banking controls that block wires.
The scale is not small. According to the FBI's 2025 Internet Crime Report, Americans reported roughly $11.3 billion in cryptocurrency-related losses in 2025, with about $7.2 billion of that tied specifically to crypto-investment fraud. People aged 60 and older bore the heaviest share, reporting around $4.4 billion in crypto losses, close to double the prior year. The courier tactic targets exactly that group, because seniors are more likely to have retirement savings to drain and more likely to be home for a daytime pickup.
How the whole chain works, start to finish
The cash pickup is the last act, not the first. To understand why someone would ever hand a bag of money to a stranger, you have to follow the months of grooming that come before it.
It starts with a contact you did not ask for. A "wrong number" text that turns into a friendly conversation. A new match on a dating app who is warm, attentive, and never available for a video call. A confident "crypto mentor" who slides into your DMs or comments on your posts. The FBI's PSA describes scammers posing as people seeking business or romantic relationships, or building a public persona as a cryptocurrency investment expert. This is the trust-building phase, and it is patient. It can run for weeks before money is ever mentioned.
Then comes the platform. Once rapport is built, the new friend introduces a "can't-miss" opportunity and walks you to a polished trading website or app. You deposit a modest amount first. The dashboard shows it growing. You can even withdraw a small test amount early, which is the hook: it feels real, so you put in more. Every number on that screen is fabricated. The "gains" are a graphic, not a balance.
Then the bank says no. When you try to move serious money, your bank flags the transfer, or your wire gets held for review. To the scammer this is friction to be engineered around. They reframe the bank as the obstacle: "the system is slow," "compliance is holding your funds," "you need to add capital to unlock the withdrawal." The pressure is constant and emotionally loaded, because by now there is a relationship at stake too.
Then the courier. The scammer tells you to withdraw cash from your accounts and that someone will come collect it, supposedly to deposit it into your investment or to pay a "fine" so your money can be released. To make the handoff feel secure, they give you an authentication ritual: a code word, or the serial number of a specific U.S. dollar bill. When the courier arrives, they recite the password or show you the matching bill, and that "match" is supposed to prove they are trustworthy. It proves the opposite. The FBI notes that in-person cash collection by couriers is now used across many scam types, including grandparent scams, law-enforcement impersonation, and tech-support fraud.
The fake-platform links SafeBrowz flags (illustrative)
The trading "platform" the scammer steers you to is the one piece of the con that lives in your browser, which means it is the piece a scanner can catch before the relationship ever escalates to a cash pickup. These pages cluster on free hosting and throwaway domains. The examples below are illustrative lookalikes, not real services. Paste any one into the checker to see how a live scan reads it:
- crypto-vip-trade.vercel.app
- coinbase-pro-invest.web.app
- binance-vip-yield.netlify.app
- metatrader-fx-profit.pages.dev
Notice the shape. A real brand word ("coinbase," "binance") sits in front of a free-hosting suffix that no real exchange uses for its login. A platform whose entire reachable address is a subdomain on vercel.app, web.app, netlify.app, or pages.dev is not a regulated broker. Real exchanges live on their own verified domain and never run a "VIP yield" portal off free hosting. Test any link a "mentor" or "advisor" sent you before you ever fund an account.
Red flags that mark this as fraud every time
You do not have to understand crypto to spot this. The structure is the tell.
- Anyone wants cash handed to a person. This is the conclusive one. No bank, broker, or investment firm sends a courier to your home or a parking lot for physical money. Ever. If a real institution needs funds, it uses your own verified account, not a stranger at your door.
- A passphrase or dollar-bill serial number to "verify" the courier. Real businesses do not authenticate a delivery person by having you match a secret code or a serial number off a bill. That ritual exists only to make a criminal handoff feel official.
- The relationship started online and moved to money. A "wrong number" text, a dating-app match who avoids video calls, or a stranger offering crypto tips. Genuine connections do not pivot to an investment pitch.
- You were told to withdraw cash because "the bank is the problem." When a scheme reframes your bank's fraud controls as an obstacle to route around, the scheme is the fraud the controls are catching.
- A platform showing big, smooth gains, with a small "test" withdrawal that worked. Letting you pull out a little early is the bait that earns the big deposit. The on-screen balance is a picture, not money.
- A "fee" or "fine" stands between you and your withdrawal. Needing to pay more to get your own money out is the signature of every investment con. Real platforms deduct fees from the balance; they do not demand fresh cash.
- Urgency and secrecy. "Act before the window closes," "don't tell your bank or family, they won't understand." Isolation is the scammer protecting the con from a second opinion.
- The platform link lives on free hosting. A login or trading page reachable only as a subdomain on vercel.app, web.app, netlify.app, or pages.dev is not a regulated exchange.
How this connects to pig butchering
If the trust-building phase sounds familiar, it is. This courier tactic is the cash-collection endgame of what is widely called pig butchering, the long-con crypto-investment fraud we break down in "Pig butchering crypto scam, explained." The grooming, the fake trading dashboard, the "add funds to withdraw" trap, all of it is the same machine documented in our 2026 report on the Southeast Asia scam compounds that run these operations at industrial scale.
What is new in the June 2026 FBI alert is the final mile. For years the money left by wire or by crypto transfer the victim made themselves. Now, when banks block those rails, the operators reach physically into the victim's neighborhood. The same playbook that begins with a dating-app romance pivoting to crypto can now end with a stranger on the doorstep holding a one-dollar bill. The con did not get more sophisticated. It got more brazen.
What SafeBrowz sees on the network
The cash pickup happens offline, where no software can intervene. But the link that makes the whole scheme possible, the fake trading platform, is a web page, and that is where browser-side detection earns its keep. In the SafeBrowz engine, fake-investment platforms show a consistent profile across all three detection layers.
First, the domains are young and disposable. A fake-trading site is almost always registered within days or weeks of being shown to a victim, then abandoned and replaced once it is reported. Real exchanges have years-old, verified domains. Domain-age signals alone flag a large share of these before any content loads.
Second, the hosting is a giveaway. A staggering share of these "platforms" run on free hosting, a brand word bolted onto a vercel.app, web.app, netlify.app, or pages.dev subdomain, because the operators churn through hundreds of disposable sites and free hosting costs nothing. A regulated exchange does not serve its login from a free subdomain. The free-host-plus-brand-keyword combination is itself a high-confidence signal, independent of what the page says.
Third, the content is a portfolio mirage. A "live" balance ticking upward, a "VIP yield" tier, a deposit form, a withdrawal locked behind a fee, and an interface that mimics a real exchange, all served from a host with no regulatory footprint, is a textbook investment-impersonation profile. Content-level analysis catches a brand-new lookalike that no blocklist has seen yet, which matters because these sites are spun up faster than any static list can track them.
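The second signal above, a brand word on a free-hosting subdomain, can be checked from the hostname alone. The JavaScript below is an added example, not SafeBrowz's code: the function names, the keyword lists (taken from this article's illustrative hostnames) and the verdict labels are assumptions.

```javascript
// Added example, not SafeBrowz's implementation. The lists and verdict labels
// are assumptions built from the illustrative hostnames in this article.
const FREE_HOST_SUFFIXES = ["vercel.app", "web.app", "netlify.app", "pages.dev"];
const BRAND_WORDS = ["coinbase", "binance", "metatrader"];
const BAIT_WORDS = ["vip", "yield", "invest", "pro", "profit", "trade"];

// Accept a full URL or a bare hostname; return the lower-cased host or null.
function parseHost(input) {
  const text = String(input).trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;
  try {
    return new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null; // not parseable as a URL
  }
}

function classifyPlatformLink(input) {
  const host = parseHost(input);
  if (!host) return { host: null, verdict: "invalid", signals: [] };

  // Require a label in front of the suffix: "vercel.app" itself is the provider.
  const suffix = FREE_HOST_SUFFIXES.find((s) => host.endsWith("." + s));
  if (!suffix) return { host, verdict: "no-free-host-signal", signals: [] };

  const signals = [`free-host:${suffix}`];
  // Only the labels left of the suffix are chosen by whoever created the site.
  const chosen = host.slice(0, -(suffix.length + 1));
  // IDN labels arrive as Punycode ("xn--"); flag them, since a homograph of a
  // brand will not match the plain-ASCII brand list below.
  if (chosen.split(".").some((label) => label.startsWith("xn--"))) {
    signals.push("punycode-label");
  }
  const tokens = chosen.split(/[.\-_]+/).filter(Boolean);
  const brands = BRAND_WORDS.filter((b) => tokens.some((t) => t.includes(b)));
  const bait = BAIT_WORDS.filter((w) => tokens.includes(w));
  brands.forEach((b) => signals.push(`brand:${b}`));
  bait.forEach((w) => signals.push(`bait:${w}`));

  // Brand word on a free host is the high-confidence combination; bait words
  // alone are weaker, and a plain free-hosted site is not suspicious by itself.
  const verdict = brands.length ? "high" : bait.length ? "medium" : "low";
  return { host, verdict, signals };
}

// Constructed sample input: the article's illustrative lookalikes plus controls.
const samples = [
  "coinbase-pro-invest.web.app",
  "https://binance-vip-yield.netlify.app/login",
  "crypto-vip-trade.vercel.app",
  "my-portfolio.vercel.app", // constructed control: free host, no brand or bait
  "https://www.coinbase.com/", // control: brand on its own domain
];
for (const s of samples) {
  const r = classifyPlatformLink(s);
  console.log(`${r.verdict.padEnd(20)} ${r.host} [${r.signals.join(", ")}]`);
}
```

A hostname check like this covers only the hosting signal; domain age and page content need the lookups and analysis described in the other two paragraphs.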
Which brands and tactics the operators pivot to next
Scam crews follow what converts. The believable next moves, based on the same incentive structure, are predictable.
- "Recovery" platforms that re-victimize. After the first loss, a second crew poses as a refund or asset-recovery service and charges an upfront fee to "get your money back." The FBI's 2025 data already shows recovery scams as a large and growing line. Expect these to ride the courier tactic too, collecting a "recovery deposit" in cash.
- Crypto ATM and kiosk hops. When a courier feels too risky, operators send victims to a Bitcoin ATM with a QR code to scan. Kiosk fraud rose sharply in 2025, and it leaves the victim doing the irreversible step themselves.
- AI-assisted persona scaling. Voice-cloned check-in calls and AI-written daily messages let a single operator run many "relationships" at once, making the trust phase faster and cheaper. See our coverage of AI voice-clone emergency scams.
- Lookalikes of named exchanges and brokers. Expect more pages dressed as well-known exchanges and trading apps, hosted on free platforms, with "pro," "vip," "yield," or "invest" stitched into the subdomain.
The brand on the fake platform is interchangeable. The structure, a young or free-hosted domain impersonating a financial service, is not. That is exactly why a structural, browser-side defense beats chasing one brand at a time.
Why catching the link early beats reacting later
By the time a courier is on the way, the scam has already mostly succeeded. The trust is built, the relationship is real to the victim, and the emotional cost of admitting it is a con is high. Intervention at that stage usually fails, because the victim has been carefully isolated from exactly the people who would talk them out of it.
The single moment where technology can break the chain cleanly is at the start, when the "advisor" sends the platform link and the victim is about to fund an account for the first time. That link is a URL, and a browser-layer scanner inspects it directly. When you tap a fake-trading-platform link, an extension can recognize a financial-service impersonation on a young or free-hosted domain and warn before the deposit form ever loads, regardless of who sent it or how friendly they have been. Email filters and bank fraud controls are valuable, but they act on the message and the money, both of which the scammer has learned to route around. The browser layer acts on the destination, which the scam cannot avoid: to take your money, it has to land you on its page.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It catches exchange-brand keywords on free-hosting subdomains, cheap-TLD abuse, and "vip-yield" and "invest" lookalike families instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup (most fake-trading sites are days old) and 30+ scam TLDs.
- Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new fake-investment platform that no blocklist has seen yet, including pages that mimic a real exchange dashboard.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
For people who do not want to install anything, the same engine powers the free public URL checker. Paste any "investment platform" link and get a verdict in seconds.
What to do right now
If a courier has been arranged, or you suspect the "investment" is a con, here is the correct response.
- Do not hand any cash to anyone. Not at your door, not in a parking lot, not anywhere. A code word or a matching dollar bill does not make the courier legitimate; it confirms the fraud. Do not meet the courier at all.
- Hang up and stop all contact. Block the "advisor," the romantic interest, or the "support agent." It is not a real investment, and there is no relationship to preserve. The account balance you saw was never real money.
- Do not pay any "fee" or "fine" to release funds. There are no funds to release. Every fee demand is another extraction.
- Tell your bank. If you have already withdrawn cash or sent any transfers, call your bank using the number on the back of your card and ask about stopping or reversing transactions. The fraud controls that flagged your wire were correct.
- Report it. File with the FBI's Internet Crime Complaint Center at ic3.gov and with the FTC at reportfraud.ftc.gov. For an older relative, the FTC's elder-fraud line is available at 877-382-4357. Include the platform link, the contact details, any courier description, and the code word or serial number you were given.
- If your identity or accounts were exposed, go to identitytheft.gov for a recovery plan and place a free fraud alert with a credit bureau.
If you are reading this on behalf of an older parent or relative, do one more thing today: set up a verbal safe-word with them, a phrase only the family knows, so that any "urgent" request for money can be checked in person against someone they trust. A courier with a stranger's password cannot beat a family safe-word. Our full "I got scammed, what do I do now" walkthrough covers the first-hour recovery steps in detail, and our guide to what to do if your crypto was stolen covers the on-chain side.
Frequently asked questions
Is a courier coming to collect cash for a crypto investment ever legitimate?
No. No legitimate bank, broker, exchange, or investment firm sends a person to your home or a public location to collect physical cash. The FBI's June 15, 2026 alert (PSA260615) describes this courier cash-pickup as a fraud tactic. If anyone you met online arranges for a person to come get cash, it is a scam. Do not meet them.
Why did the scammer give me a password or a dollar-bill serial number?
To make a criminal handoff feel secure. The scammer tells you the courier will prove they are legitimate by reciting a code word or showing you a U.S. dollar bill whose serial number was texted to you in advance. Matching the code is meant to reassure you. In reality, that verification ritual exists only in this scam. Real businesses never authenticate a delivery this way.
The trading platform showed my balance growing and even let me withdraw once. Isn't it real?
No. Fake platforms display fabricated balances and allow a small early withdrawal specifically to build your confidence so you deposit much more. Every figure on the dashboard is a graphic the operator controls. Once you commit serious money, withdrawals stall behind "fees" and "fines" that never end. The on-screen total is not money you can ever get out.
My bank blocked my transfer. Does that mean the bank is the problem?
No. Your bank's fraud controls are doing exactly their job. Scammers reframe the bank as an obstacle precisely because the bank is the thing standing between the victim and the loss. When a "system" tells you to route cash around your bank, the cash is what the bank is trying to protect.
Who do these scams target most?
Adults aged 60 and older are hit hardest. According to the FBI's 2025 Internet Crime Report, this group reported roughly $4.4 billion in cryptocurrency losses, nearly double the prior year. Couriers are an in-person, daytime tactic, which makes seniors who are home and have retirement savings a primary target. Setting up a family safe-word is a strong defense.
How do I check a trading-platform link before I invest?
Paste it into a free URL checker before you deposit anything. A real exchange runs on its own verified domain. A platform whose entire address is a subdomain on vercel.app, web.app, netlify.app, or pages.dev, or a domain registered days ago, is a major red flag. SafeBrowz scans the link across local pattern, API, and AI content layers and returns a verdict in seconds.
I already gave cash to a courier. What now?
Cut off all contact with the scammer and do not pay any further "fee." Call your bank using the number on your card to discuss any related transactions. Report it to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov, and call the FTC elder-fraud line at 877-382-4357 if it involves an older relative. Provide the platform link, contacts, courier description, and any code word or serial number. If personal details were exposed, start recovery at identitytheft.gov.
How do I report this scam?
File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov and report to the FTC at reportfraud.ftc.gov. For elder fraud, the FTC line is 877-382-4357. Include the fake platform URL, the contact information of everyone involved, any courier details, and the password or dollar-bill serial number the scammer provided.