What the Telegram admin DM crypto scam looks like

You post a question in the official Telegram group for a wallet, chain, or DeFi protocol. Something like "my swap is stuck" or "did the snapshot happen?" Within minutes a private message arrives. The profile photo matches the project logo. The display name says "Phantom Support" or "Solana Admin." The @handle looks close to the real team but has one extra character, an underscore, or a swapped letter you would only notice comparing side by side.

The message is friendly and competent. "Hi, I saw your question in the main chat. Let me help." Then comes the lure: a "KYC verification" link, an "airdrop claim portal," a "wallet validator," a "recovery assistant," or a "Discord cross-promo" invite. Click it and one of four things happens, all of which empty the wallet.

The 4 variants in active rotation

1. The KYC verification link

"Your wallet flagged a compliance check. Complete KYC within 24 hours to avoid restrictions." The link goes to an identity form, then prompts a Web3 signature labeled as "verification proof." The signature is a Permit2 batch approval granting an attacker-controlled spender an unlimited allowance with a far-future deadline. No KYC data is ever collected. The page collected a permission slip that lets the attacker drain every ERC-20 in the wallet days later, when the victim has stopped paying attention.

2. The airdrop claim form

"You are eligible for the snapshot. Claim here." The page shows a Connect Wallet button, then a seed phrase entry field framed as "wallet sync" or "import to claim." Anything typed goes straight to the attacker. Seed phrase reuse means every wallet derived from that phrase, on every chain, is drained within minutes.

3. The recovery code request

This variant targets users who reported a stuck transaction. "I will need your 12-word backup code to push the recovery through." There is no recovery queue. The seed phrase is harvested and the wallet drained before the user finishes typing the last word.

4. The Discord cross-promo bait

"We are running a parallel campaign on Discord. Join here for an exclusive role." The Discord invite is to a controlled lookalike server with a forged member count. Inside, a Collab.Land lookalike bot asks the user to verify by signing a transaction. The signature is the same Permit2 unlimited approval, delivered through a different channel. Inferno Drainer and Angel Drainer operators favour this variant because the Discord verification ritual is familiar enough that users sign on autopilot.
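The "verification proof" and Collab.Land lookalike prompts in variants 1 and 4 both ask the wallet to sign Permit2 typed data. The following is an added example, not code from the article or from any wallet: it inspects an EIP-712 signing request before approval and flags the combination those variants rely on. Field names follow Uniswap's Permit2 PermitBatch and PermitSingle schema; the sample request, the placeholder addresses and the 30-day threshold are constructed assumptions.

```javascript
// Added example: flag the Permit2 pattern behind the KYC and Discord lures.
// Schema fields (details, spender, sigDeadline) follow Uniswap's Permit2 typed data.

const MAX_UINT160 = (1n << 160n) - 1n;   // the "unlimited" Permit2 amount
const DAY = 24 * 60 * 60;

// Returns human-readable findings; an empty list means nothing stood out.
// knownSpenders: contracts the user deliberately chose to interact with.
function assessPermit2Request(typedData, nowSeconds, knownSpenders = []) {
  const findings = [];
  const kind = typedData.primaryType;
  if (kind !== 'PermitBatch' && kind !== 'PermitSingle') return findings;
  const msg = typedData.message;
  const details = kind === 'PermitBatch' ? msg.details : [msg.details];
  const spender = String(msg.spender).toLowerCase();
  if (!knownSpenders.some((s) => s.toLowerCase() === spender)) {
    findings.push(`spender ${msg.spender} is not a contract you chose to use`);
  }
  if (details.length > 1) {
    findings.push(`one signature approves ${details.length} tokens at once`);
  }
  for (const d of details) {
    const validDays = Math.round((Number(d.expiration) - nowSeconds) / DAY);
    if (BigInt(d.amount) === MAX_UINT160) {
      findings.push(`unlimited allowance requested for ${d.token}`);
    }
    if (validDays > 30) {   // assumption: anything beyond a month is a red flag
      findings.push(`allowance on ${d.token} stays usable for ${validDays} days`);
    }
  }
  if (Number(msg.sigDeadline) - nowSeconds > DAY) {
    findings.push('signature can be submitted on-chain more than a day later');
  }
  return findings;
}

// Constructed lure: what the "verification proof" prompt actually asks the wallet to sign.
const NOW = 1700000000;
const LURE_REQUEST = {
  primaryType: 'PermitBatch',
  message: {
    details: [
      { token: '0xTOKEN_A_PLACEHOLDER', amount: MAX_UINT160.toString(), expiration: NOW + 365 * DAY, nonce: 0 },
      { token: '0xTOKEN_B_PLACEHOLDER', amount: MAX_UINT160.toString(), expiration: NOW + 365 * DAY, nonce: 0 },
    ],
    spender: '0xSPENDER_PLACEHOLDER',
    sigDeadline: NOW + 365 * DAY,
  },
};
```

Run against LURE_REQUEST the function reports an unknown spender, a two-token batch, unlimited allowances and 365-day validity; a normal single-token swap approval with a short expiry and a spender the user picked produces no findings.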

Why it works in crypto specifically

Group-IB and Scam Sniffer both rank this as one of the highest-volume approval-phishing delivery methods in 2026. Four reasons it keeps landing.

Real admins do sometimes DM for paid support. Some launchpads, OTC desks, and validator services genuinely conduct paid onboarding through DMs. The blanket "no admin ever DMs" rule is technically wrong, which gives the scam a foothold.

The ecosystem is open by design. Telegram public groups have no gatekeeping on who can DM whom. There is no "verified team member" badge inside Telegram. Authority signals have to be reconstructed by the user every time.

Users trust handles with project logos. Telegram lets anyone set any profile photo and any display name. "Phantom Support" with the Phantom logo looks identical to a real Phantom employee until you read the @handle character by character. Most users do not.

The victim raises their hand first. The DM responds to a real problem the victim just posted. The user wants help. The attacker provides help. Trust is half-built before the lure ever appears.

The 7 red flags you can verify in 60 seconds

Every Telegram admin DM crypto scam shows at least three. A real admin shows zero.

  1. The DM arrived right after you asked publicly. Real admins reply in the main chat where everyone can see. A DM landing within seconds of your public post is monitoring you, not helping you.
  2. Profile photo matches but the username has a one-letter variant or extra underscore. Real handle: @phantom. Fake variants: @phantom_support, @phantomsupport_, @ph4ntom, @phantorn (rn instead of m). Read the @handle letter by letter, not the display name.
  3. Urgency frame. "24 hours to claim." "Snapshot ends in 6 hours." Real KYC windows and snapshots are announced days in advance through public channels. Hour-level deadlines in a DM are pressure tactics.
  4. Asks for seed phrase, signature, wallet connect, or private key. No real admin ever needs your seed phrase, recovery code, private key, or a Web3 signature to resolve anything. Stuck transactions are resolved by waiting or replacing with higher gas.
  5. Cannot be cross-verified in the main chat. Ask publicly while tagging the suspected admin. A real admin responds in-channel. A scammer goes quiet because moderators would catch impersonation inside the real group.
  6. Requests action on a non-official domain. Real Phantom support: help.phantom.com. Real Coinbase: help.coinbase.com. Real Trezor: trezor.io. Any DM linking to a Google Form, a Netlify or Vercel URL, or a .help/.live/.app/.xyz/.support domain that is not the project's published root is a scam.
  7. Threatens account loss, fund freeze, or eligibility forfeit. "Tokens will be returned to the treasury." "Your wallet will be permanently restricted." Real teams do not threaten their own users in DMs.
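Red flag 6 comes down to one mechanical question: is the link's host under the project's published root domain? The following is an added example, not code from the article or from SafeBrowz, that answers it for a DM link. The official root (phantom.com) is taken from the article; the hosting-platform and form-host lists, the lure TLD list and the sample URLs are constructed assumptions.

```javascript
// Added example: classify a DM link against the project's published root domain.

// Hosting where anyone can publish under a trustworthy-looking subdomain (assumed list).
const FREE_HOSTING = ['netlify.app', 'vercel.app'];
const HOSTED_FORMS = ['docs.google.com', 'forms.gle'];
// TLDs the article names as common in lure domains.
const LURE_TLDS = ['help', 'live', 'app', 'xyz', 'support'];

const isUnder = (host, root) => host === root || host.endsWith('.' + root);

// Returns { verdict, reason }; verdict is 'official', 'suspicious' or 'invalid'.
// A scheme-less "phantom.com/claim" is reported as invalid rather than guessed at,
// because the text shown in a DM and the real link target can differ.
function classifyLureUrl(rawUrl, officialRoots) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase();
  } catch (err) {
    return { verdict: 'invalid', reason: 'not a parseable URL' };
  }
  if (officialRoots.some((root) => isUnder(host, root))) {
    return { verdict: 'official', reason: `${host} is under a published root` };
  }
  if (FREE_HOSTING.some((p) => isUnder(host, p))) {
    return { verdict: 'suspicious', reason: `${host} is a free hosting subdomain` };
  }
  if (HOSTED_FORMS.some((p) => isUnder(host, p))) {
    return { verdict: 'suspicious', reason: `${host} is a hosted form, not a project site` };
  }
  // Brand name inside an unrelated domain: phantom-kyc.xyz, phantom.com.verify-kyc.xyz
  const brand = officialRoots.map((r) => r.split('.')[0]).find((b) => host.includes(b));
  if (brand) {
    return { verdict: 'suspicious', reason: `${host} borrows the name "${brand}" outside its domain` };
  }
  const tld = host.split('.').pop();
  if (LURE_TLDS.includes(tld)) {
    return { verdict: 'suspicious', reason: `.${tld} domain that is not a published root` };
  }
  return { verdict: 'suspicious', reason: `${host} is not a published root for this project` };
}
```

Note that anything not under a published root ends up suspicious; the reason string only explains which trick the host appears to be using.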

The verification flow before you reply

Four checks. None require trusting the DM.

  1. Re-ask your question in the main chat, publicly tagging the suspected admin. "Hi @[handle], is that really you who just DMed me?" Real admins confirm in public. Scammers go silent because real group moderators will ban impersonators instantly.
  2. Check the pinned message in the main group. Most legitimate projects pin "We will NEVER DM first. We will NEVER ask for your seed phrase." If that pin exists, the DM is fake, full stop.
  3. Verify the Telegram username against the project's own website. Type the project's domain by hand. Look in the footer for the official Telegram handle. Compare to the @handle in the DM character by character. Underscores, swapped letters, and numbers are the trick.
  4. Never enter a seed phrase anywhere outside the official wallet software or your hardware device. Not a web page. Not a Telegram chat. Not a Google Form. The seed phrase goes only into the wallet that generated it, and into the hardware device that stores it. Every other surface is hostile.
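The character-by-character handle comparison from red flag 2 and verification step 3 can be made mechanical. The following is an added example, not code from the article: it normalises both handles to a visual "skeleton" so that the substitutions the article lists (rn for m, digits for letters, extra underscores, appended words) are caught. The confusable table is an assumed, partial list, and the handles are constructed.

```javascript
// Added example: spot a lookalike @handle next to the published one.

// Visually confusable sequences, in the form the lookalike uses (assumed, partial).
const CONFUSABLES = [['rn', 'm'], ['vv', 'w'], ['0', 'o'], ['1', 'l'], ['3', 'e'], ['4', 'a'], ['5', 's'], ['7', 't']];

function normalise(handle) {
  return handle.trim().replace(/^@/, '').toLowerCase();
}

// Reduce a handle to its skeleton: drop underscores and collapse confusables,
// so ph4ntom, phantorn and phantom_ all become "phantom".
function skeleton(handle) {
  let s = normalise(handle).replace(/_/g, '');
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Returns 'exact' (the published handle), 'lookalike' (imitates it) or 'unrelated'.
// Telegram handles are case-insensitive, so "@Phantom" and "@phantom" are exact.
function classifyHandle(dmHandle, officialHandle) {
  const dm = normalise(dmHandle);
  const official = normalise(officialHandle);
  if (dm === official) return 'exact';
  const dmSkel = skeleton(dm);
  const offSkel = skeleton(official);
  if (dmSkel === offSkel) return 'lookalike';         // ph4ntom, phantorn, phantom_
  if (dmSkel.includes(offSkel)) return 'lookalike';   // phantom_support, phantomsupport_
  return 'unrelated';
}
```

For very short official handles the substring rule will over-match, which is the safe direction: a false "lookalike" costs one public question in the main chat.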

If you already connected your wallet

Permit2 approvals can be executed minutes or days later. The window to revoke is the window the attacker has not yet used.

  1. Within 5 minutes. Open revoke.cash and revoke every token approval on every chain. Permit2, ERC-20 allowances, NFT approvals. This costs a small gas fee and closes the permission window.
  2. Within 15 minutes. Generate a new wallet on a clean device. Transfer remaining funds. Move native tokens first (ETH, SOL, BNB) - they are not subject to approval drainers. Move ERC-20 tokens last.
  3. Within 30 minutes. Treat the original wallet as burned. Do not simply rotate to another address under the same seed phrase - if you entered it anywhere, every chain and every derived address is compromised. A new seed generated on a hardware wallet is the only safe state.
  4. Within 2 hours. File at FBI IC3 (ic3.gov) and Chainabuse.com. Include transaction hashes, the scammer's Telegram handle, the lure URL, and the recipient wallet. ZachXBT and other on-chain investigators use Chainabuse as a primary feed.
  5. Within 24 hours. Report the impersonator inside Telegram, notify the project's security email, and post a warning screenshot in the main group.

The ecosystem defense: the "we never DM first" pin

The most effective defense any project has against this scam is a permanent pinned notice at the top of every official group. The template, used by Phantom, MetaMask, Trezor, Ledger, Solana Foundation, and most major DeFi protocols, says: "We will NEVER DM you first. We will NEVER ask for your seed phrase, recovery code, or private key. We will NEVER send you a link to verify, claim, or unlock. Anyone DMing you claiming to be admin or support is a scammer."

If you run a project group, pin this. If you are in a group without it pinned, treat the group as higher risk - the project has not done the bare minimum to protect members. Phantom's security team has been one of the most public about this rule, and their incident write-ups document a clear drop in successful DM phishing against active users after the pin went up.

Why this scam grew so fast in 2026

Three trends collided. Chainalysis tracked a shift from credential phishing to approval phishing in 2024-2025, because exchanges added withdrawal delays and 2FA while on-chain approvals stayed instant and irreversible. The airdrop boom (EigenLayer, Hyperliquid, Jupiter, Wormhole, Berachain, Monad) trained millions of users to expect "claim your tokens" workflows. And Telegram became the default crypto comms layer globally while doing little to fix impersonation at the platform level. Group-IB's 2025 threat report flagged Telegram-based crypto phishing as one of the fastest-growing fraud categories worldwide, with drainer-as-a-service kits (Inferno, Angel, Pink, Atomic) lowering the barrier so any low-skill actor can run the playbook profitably.

How browser-layer defense catches the lure URL

The DM happens inside Telegram, which the browser cannot see. The drainer page is the first surface a browser scanner can intercept. SafeBrowz is a free Chrome, Firefox, and Edge extension that recognizes wallet-drainer pages, fake airdrop claim portals, fake KYC forms, and seed-phrase capture pages by URL and content - before the wallet connects. It tracks 539+ brands in 100+ languages. When you click a Telegram DM link and land on a lookalike, the extension shows a full-screen warning before the page renders the Connect Wallet button or seed phrase field. Free forever.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.


Frequently asked questions

How do scammers know when to DM me?

Automated monitors on the Telegram Bot API and third-party scraper tools watch keywords in target project groups. Words like "help," "stuck," "claim," "KYC," and "recovery" trigger an alert and a DM lands within seconds. Speed makes the reply feel like the project was watching for you.

The profile photo was the exact project logo. Doesn't that prove it is real?

No. Anyone can set any image as profile photo and any string as display name. There is no logo-verification system in Telegram. The only identifier that matters is the @handle, compared letter by letter to the official one published on the project's website.

What if the admin has a Telegram Premium badge?

Telegram Premium is a paid subscription with no identity verification. A premium badge means the account paid, nothing else. Scammers buy premium for around $5 a month to look more legitimate.

I gave the admin my seed phrase. Can the funds be recovered?

Transactions on Ethereum, Solana, Base, and most chains are irreversible. Recovery is rare. Move remaining funds to a fresh wallet on a clean device, revoke all token approvals at revoke.cash, treat every wallet derived from that seed as compromised, and report the theft with transaction hashes to FBI IC3 and Chainabuse.com.

Should I reply to waste the scammer's time?

No. Replying confirms your account is active and moves you up the operator's priority list. Report to Telegram, block, and warn other members through a screenshot in the main chat without linking to the scammer's profile.

Does this happen on Discord and Signal too?

Yes. Discord crypto servers see constant fake MetaMask, OpenSea, and Collab.Land verification DMs from bots that message new members. Signal sees lower volume but higher-value attacks on whales. Same five-step playbook, same defense: real support never DMs first, never asks for seed phrases, never sends a link to "verify."

Bottom line: The Telegram admin DM crypto scam works because you raised your hand first. A friendly DM from "Admin" within seconds of your public question is monitoring you, not helping you. Real admins reply in the main chat, never DM first, never ask for your seed phrase. Check the @handle letter by letter, read the pinned notice, and treat every unsolicited admin DM as hostile.