{
  "version": "v1",
  "slug": "spot-a-crypto-scam",
  "title": "How to spot a crypto-privacy-tool scam",
  "description": "Twelve patterns that show up in 80% of scam exits in the privacy-tool space. The chain of questions to run on any \"new no-KYC service\" before you fund the account.",
  "intro": "Bad actors target the privacy-tool space specifically because the audience self-selects for caring less about reputational signals than the average crypto user. The deployment pattern is consistent enough that one careful read of a project's homepage tells you 80% of what you need to know. Below: the twelve patterns that show up across exit-scams, fund-freeze incidents, and outright phishing, with the questions that surface them.",
  "body_plain": "Pattern 1 — Fake \"no-KYC\" branding Site loudly markets \"no-KYC\" but withdrawal flow asks for ID at certain thresholds, certain jurisdictions, or \"for security review\". The marketing lie is the first signal. Test: read the privacy policy + ToS top-to-bottom; if you can't make a small withdrawal end-to-end without ID, the marketing was the bait. Pattern 2 — Sudden \"service maintenance\" An operator that's been running for 6 months posts a \"service maintenance\" notice that lasts 48+ hours, then says funds are stuck pending a \"compliance review\". Almost always the exit-scam playbook in slow motion. Test: check social media + status pages immediately, look for similar reports from other users. Pattern 3 — Withdrawals \"queued\" Deposits are instant; withdrawals are \"in the queue for processing\". Queue length grows. Eventually withdrawals stop entirely. Test: do a small withdrawal as your first action after signup, before sending real volume. Pattern 4 — Anonymous operator + no track record Anonymous operators are normal in crypto. Anonymous operators of a brand-new service with no track record + no public commitments + no community presence is different. Test: search for the operator handle across forums; look for any thread older than the service launch. Pattern 5 — Aggressive affiliate program Legitimate privacy services have modest affiliate programs (often 10-30% of the spread). Scam services offer 70-90% commissions to flood the search results with positive reviews. Test: search \"X review\" — if the top results are obvious affiliate farm content, the service is either a scam or is heading there. Pattern 6 — Bonus / promo / yield offers \"Deposit X and get 10% bonus\" or \"earn 8% APY on stables\" in the privacy-services space is almost always a Ponzi-shaped trap. The math doesn't work for an honest operator. Test: ask yourself where the yield comes from; if you can't answer, don't deposit. 
Pattern 7 — Domain age vs claims \"We've been operating since 2018\" + a domain registered last month. WHOIS or Wayback Machine reveals the contradiction. Test: whois domain.com + web.archive.org/web/*/domain.com. Pattern 8 — Identical UI to a known operator Pixel-clone phishing of a legitimate operator, deployed at a typo-domain or a homoglyph. Test: visit the canonical URL from a different source (bookmark, this directory, the operator's verified social) before logging in. Pattern 9 — Unauditable rate Swap engine that quotes rates 3-5% worse than market, extracting margin while claiming \"best privacy\" or \"no-KYC premium\". A legitimate aggregator (like kyc.rip) has zero markup; the engine spread is the engine's. Test: compare the quote against an aggregator + against the engines directly. Pattern 10 — KYC-on-tail-events No KYC at signup, no KYC at deposit, no KYC at small withdrawal. KYC at large withdrawal, or when chain analysis flags the source. The default is privacy; the exception captures users at the moment they can't easily withdraw. Test: read the ToS for \"may require additional verification at our discretion\". Pattern 11 — Discord-only support Real support → email + chat + ticket system, response within SLA. Scam support → Discord-only, slow responses, eventual ghosting + ban from the server. Test: try to find support channels other than Discord before depositing. Pattern 12 — Frequent re-branding Operator runs a service for a year, exit-scams, rebrands under a new domain, repeats. The team handle / operator persona is often consistent across rebrands. Test: search the listed founder / team handle and look for prior services under different domain names. The triage flow Before you fund any new no-KYC service: Run the 12 patterns above. Each hit is a yellow flag; two or more is a red flag. Cross-check this directory's /audit, /archive, and removal policy. If we've never listed it, we haven't tested it. 
Check kycnot.me, r/privacy, r/Monero for community reports. If you proceed, deposit a small amount first. Withdraw immediately. If the withdrawal is clean + matches the quoted rate, you've cleared the most common failure mode. Never send a meaningful balance to a service you haven't successfully withdrawn from at least once. When in doubt, the listed alternatives",
  "body_html": "\n      <section>\n        <h2 class=\"section-h\">Pattern 1 — Fake \"no-KYC\" branding</h2>\n        <p>Site loudly markets \"no-KYC\" but withdrawal flow asks for ID at certain thresholds, certain jurisdictions, or \"for security review\". The marketing lie is the first signal. Test: read the privacy policy + ToS top-to-bottom; if you can't make a small withdrawal end-to-end without ID, the marketing was the bait.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 2 — Sudden \"service maintenance\"</h2>\n        <p>An operator that's been running for 6 months posts a \"service maintenance\" notice that lasts 48+ hours, then says funds are stuck pending a \"compliance review\". Almost always the exit-scam playbook in slow motion. Test: check social media + status pages immediately, look for similar reports from other users.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 3 — Withdrawals \"queued\"</h2>\n        <p>Deposits are instant; withdrawals are \"in the queue for processing\". Queue length grows. Eventually withdrawals stop entirely. Test: do a small withdrawal as your first action after signup, before sending real volume.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 4 — Anonymous operator + no track record</h2>\n        <p>Anonymous operators are normal in crypto. Anonymous operators of a brand-new service with no track record + no public commitments + no community presence is different. Test: search for the operator handle across forums; look for any thread older than the service launch.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 5 — Aggressive affiliate program</h2>\n        <p>Legitimate privacy services have modest affiliate programs (often 10-30% of the spread). Scam services offer 70-90% commissions to flood the search results with positive reviews. 
Test: search \"X review\" — if the top results are obvious affiliate farm content, the service is either a scam or is heading there.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 6 — Bonus / promo / yield offers</h2>\n        <p>\"Deposit X and get 10% bonus\" or \"earn 8% APY on stables\" in the privacy-services space is almost always a Ponzi-shaped trap. The math doesn't work for an honest operator. Test: ask yourself where the yield comes from; if you can't answer, don't deposit.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 7 — Domain age vs claims</h2>\n        <p>\"We've been operating since 2018\" + a domain registered last month. WHOIS or Wayback Machine reveals the contradiction. Test: <code>whois domain.com</code> + <code>web.archive.org/web/*/domain.com</code>.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 8 — Identical UI to a known operator</h2>\n        <p>Pixel-clone phishing of a legitimate operator, deployed at a typo-domain or a homoglyph. Test: visit the canonical URL from a different source (bookmark, this directory, the operator's verified social) before logging in.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 9 — Unauditable rate</h2>\n        <p>Swap engine that quotes rates 3-5% worse than market, extracting margin while claiming \"best privacy\" or \"no-KYC premium\". A legitimate aggregator (like kyc.rip) has zero markup; the engine spread is the engine's. Test: compare the quote against an aggregator + against the engines directly.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 10 — KYC-on-tail-events</h2>\n        <p>No KYC at signup, no KYC at deposit, no KYC at small withdrawal. KYC at large withdrawal, or when chain analysis flags the source. The default is privacy; the exception captures users at the moment they can't easily withdraw. 
Test: read the ToS for \"may require additional verification at our discretion\".</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 11 — Discord-only support</h2>\n        <p>Real support → email + chat + ticket system, response within SLA. Scam support → Discord-only, slow responses, eventual ghosting + ban from the server. Test: try to find support channels other than Discord before depositing.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pattern 12 — Frequent re-branding</h2>\n        <p>Operator runs a service for a year, exit-scams, rebrands under a new domain, repeats. The team handle / operator persona is often consistent across rebrands. Test: search the listed founder / team handle and look for prior services under different domain names.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">The triage flow</h2>\n        <p>Before you fund any new no-KYC service:</p>\n        <ol class=\"bullet-list\">\n          <li>Run the 12 patterns above. Each hit is a yellow flag; two or more is a red flag.</li>\n          <li>Cross-check this directory's <a href=\"/audit\">/audit</a>, <a href=\"/archive\">/archive</a>, and <a href=\"/methodology#removal\">removal policy</a>. If we've never listed it, we haven't tested it.</li>\n          <li>Check <a href=\"https://kycnot.me\">kycnot.me</a>, r/privacy, r/Monero for community reports.</li>\n          <li>If you proceed, deposit a small amount first. Withdraw immediately. If the withdrawal is clean + matches the quoted rate, you've cleared the most common failure mode.</li>\n          <li>Never send a meaningful balance to a service you haven't successfully withdrawn from at least once.</li>\n        </ol>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">When in doubt, the listed alternatives</h2>\n      </section>\n    ",
  "picks": [
    {
      "category": "exchanges",
      "id": "kyc-rip-aggregator",
      "name": "kyc.rip aggregator",
      "url": "https://www.xmr.club/exchanges/kyc-rip-aggregator",
      "markdown_twin": "https://www.xmr.club/llm/exchanges/kyc-rip-aggregator.txt",
      "why": "No markup, multi-engine routing — known-quantity swap path."
    },
    {
      "category": "exchanges",
      "id": "sideshift",
      "name": "SideShift",
      "url": "https://www.xmr.club/exchanges/sideshift",
      "markdown_twin": "https://www.xmr.club/llm/exchanges/sideshift.txt",
      "why": "Long-running no-account engine. Withdraw-first testable."
    },
    {
      "category": "exchanges",
      "id": "trocador",
      "name": "Trocador",
      "url": "https://www.xmr.club/exchanges/trocador",
      "markdown_twin": "https://www.xmr.club/llm/exchanges/trocador.txt",
      "why": "Long-running aggregator; verifiable Tor mirror."
    },
    {
      "category": "wallets",
      "id": "feather",
      "name": "Feather",
      "url": "https://www.xmr.club/wallets/feather",
      "markdown_twin": "https://www.xmr.club/llm/wallets/feather.txt",
      "why": "Wallet you control. The right default if you're unsure about a service's honesty."
    }
  ],
  "url": "https://www.xmr.club/guides/spot-a-crypto-scam",
  "markdown_twin": "https://www.xmr.club/llm/guides/spot-a-crypto-scam.txt"
}