Short answer first, because most people reading this want to know one thing fast: if a wallet suddenly shows USDT you did not expect, or someone handed you a wallet "with funds already in it", or your own USDT will not send even though the balance is right there, you are very likely looking at one of the scams described below. The balance is usually bait, the fee they ask you to pay is the actual theft, and in most of these patterns the money was never really yours to move. This page explains each pattern so you can recognize it, what your wallet shows versus what is really true on chain, and what can and cannot be recovered.

This is a database, not a one time article. We update it when a new pattern appears or an old one changes shape. Last full check: July 17, 2026. The patterns are also published as a machine readable dataset at /data/scam-patterns.json, free to reuse with attribution.

We run CoinVast, an instant swap service, so we see the exchange facing version of these scams directly, and one of them was attempted on us. We use that real case below as a worked example instead of a hypothetical. That is the disclosure: we have a product, and we also have first hand experience defending against these attempts.

Is this happening to you? Start here

Find the first line that matches your situation and read that pattern.

  • A wallet balance appeared that you did not deposit, and to move it you are told to first send TRX, ETH, or a fee. See Pattern 1 and Pattern 2. Do not pay the fee.
  • Someone gave you a seed phrase or private key to a wallet that already holds USDT. See Pattern 2. Do not send anything to it.
  • You are about to copy a receiving address from your own history and it looks slightly off. See Pattern 3. Verify the full address before you send.
  • You connected a wallet to a site and signed something, and then tokens left on their own. See Pattern 4. Revoke approvals now.
  • You sent real USDT to a service and it says pending or was never credited after hours. See Pattern 5 and Pattern 6.

The scam pattern table

Every pattern, what the victim sees, the on chain reality, and whether recovery is realistic.

Pattern What your wallet shows What is really true on chain Recoverable?
1. Fake token or flash USDT A large USDT balance appears A worthless lookalike token at a different contract with no liquidity, or an unconfirmed transaction that will be reversed The balance was never real; a fee you pay is gone
2. Permission trap Real USDT in a wallet you were given the keys to The wallet's send permission belongs to someone else, so you can receive but never send Gas you deposit is usually lost
3. Address poisoning A past transaction to a familiar looking address A dust or zero value transfer planted a lookalike address in your history to be copied Funds are gone once the transaction confirms
4. Token approval phishing Tokens leaving your wallet with no send from you A signature you gave granted a contract permission to move your tokens Only what has not yet been taken, and only after you revoke
5. Fake or reversible deposit to a service A deposit shows as sent to an exchange The transaction is unconfirmed or reversible, sent hoping a payout goes out before it finalizes A service that waits for finality loses nothing
6. Fake record or screenshot A convincing screenshot or a pending entry No real transaction exists, or one exists that will never confirm Nothing was sent; release nothing

Pattern by pattern

Pattern 1: Fake token and flash USDT

Scammers create a token that copies the name and symbol of USDT but lives at a different contract address with no liquidity, then send it to many wallets at once. Your wallet trusts whatever a token contract reports, so it displays a large number. The number is real in the sense that the token exists, and worthless in the sense that no market will ever price it. A variant uses a genuine but unconfirmed low fee transaction, sometimes marketed as flash USDT, that appears briefly and is then dropped so it never finalizes.

The loss is never the fake balance. It is the next step, where you are asked to pay an activation fee, a tax, or a gas top up to unlock the funds. That fee is real money leaving your wallet, and it is the whole point of the setup.

How to recognize it: check the token's contract address against the official one and confirm it has real liquidity on a known venue. A balance that exists only in your wallet, and nowhere a market would price it, is bait.

Pattern 2: Permission trap

This one targets people who believe they are taking funds from a scammer, which is what makes it work. You are given a seed phrase or private key to a wallet that visibly holds USDT on Tron. The catch is that the wallet's send permission has been assigned to the scammer, so the address can receive tokens but cannot send them. When you try to move the USDT, you find you need TRX for gas. If you deposit your own TRX, it is swept, because the signing permission was never yours.

How to recognize it: never deposit gas into a wallet someone else gave you access to. If an account holds funds you were told you can freely take, and you cannot take them without first funding it, the funding is the trap.

Pattern 3: Address poisoning

The scammer generates an address that starts and ends with the same characters as one you use often, then sends you a tiny dust amount or a zero value transfer from it. Because many people copy addresses from their own history rather than retyping them, the lookalike sits there waiting to be copied by mistake. Zero value transfers are especially dangerous because they do not require your signature, so an attacker can plant them at scale. In one December 2025 case a trader copied a poisoned address and sent 49,999,950 USDT to it, a loss reported near 50 million dollars. A separate January 2026 case cost a user around 500,000 USDT. Chain analysis firms have linked tens of thousands of wallets to these campaigns, which specifically target holders with large balances.

How to recognize it: verify the entire address, not just the first and last few characters, every time you send. Send a small test amount first for any large or unfamiliar transfer.

Pattern 4: Token approval phishing

You visit a site, connect a wallet, and sign what looks like a routine approval or verification. What you actually signed granted a contract permission to move a token for you, sometimes for an unlimited amount. The attacker can then take the approved token whenever they choose, without ever needing your seed phrase or password. A single such signature has cost individual users seven figures.

How to recognize it: an approval is not a login. Read what a signature requests, be suspicious of unlimited allowances, and if you have signed something you now doubt, revoke the approval through a token approval checker before doing anything else. Revoking stops future draining. It does not reverse what already left.

Pattern 5: Fake or reversible deposit to a service (our own case)

This is the version aimed at exchanges and swap services, and it is the one we can describe from the inside. The attacker creates an order, then sends a deposit that looks real but is built not to stick: unconfirmed, underpaid on fees, or otherwise reversible. The bet is that the service will see the incoming transaction and release the payout before the deposit finalizes. If it does, the attacker keeps both the reversed deposit and the payout.

On June 20, 2026, this was attempted on us. Order 87KDPVFA76 was opened for 10,000 USDT on Tron in exchange for roughly 0.153 BTC. The deposit transaction appeared and then stalled at partial confirmations, five of the twenty we require, and never became final. Our system holds every payout until the deposit is fully confirmed and screened, so the order sat in a confirming state and no bitcoin ever left. The attacker received nothing. The order is still in our logs as a stalled confirming entry, which is what a defeated fake deposit looks like from the operator side.

How to recognize it: if someone tells you a deposit "already went through" and asks you to release goods or send something back before it confirms, wait for finality. A real transaction survives waiting. A fake one does not. The same rule protects a service: never pay out before a deposit is fully confirmed and screened.

Pattern 6: Fake record or screenshot

The lowest tech version and still one of the most common in peer to peer trades. The scammer sends you a screenshot of a completed transfer, or points at a pending entry that will never confirm, and pressures you to hand over goods, cash, or crypto on the strength of it. No real transaction exists, or one exists that is built to fail.

How to recognize it: never act on a screenshot or a pending status. Confirm the transaction yourself on a block explorer and wait for the confirmations the network actually requires before treating anything as received.

What is recoverable, honestly

The uncomfortable truth across every pattern is that on chain transactions are final, so anything you actually sent is almost always gone the moment it confirms. What you can still protect is what has not moved yet.

  • If you approved a malicious contract, revoke the approval now. That stops further taking of the approved token. It does not return what already left.
  • If you were about to copy a poisoned address, stop and verify the full string. The loss only happens on send.
  • If you were about to fund a wallet someone gave you, do not. The gas you would deposit is the only thing you stand to lose, and you would lose it.
  • If a service has not credited a deposit you genuinely sent, wait for full confirmations and contact support with the transaction hash before assuming the worst. A slow deposit and a fake one look identical for the first hour.

Treat anyone who promises to reverse a confirmed blockchain transaction for an upfront fee as a second scam layered on the first. Reversal is not technically possible, so the offer is bait.

How the screen first, never frozen model avoids most of this

Most of these scams exploit two things: custody, and payouts that happen before a deposit is final. Our design removes both. We do not hold balances, so there is no stored account for a permission trap or a drained approval to target on our side. And we screen and fully confirm a deposit before any exchange begins, which is exactly what defeated the June 20 attempt above. If a deposit fails, the coins go back to the refund address instead of being held. You can read the full logic on our trust page, and if you want to move value without leaving it somewhere it can be frozen or approved away, a USDT to BTC swap is one payment in and one payment out with the full cost shown before you send.

None of that helps with a scam that happens entirely inside your own wallet, which is why the recognition points above matter more than any product. The single habit that prevents the most loss is simple: verify before you send, and wait for finality before you trust.

Frequently asked questions

I received USDT I cannot withdraw. What is going on?

Almost always one of two things. Either the USDT is a fake lookalike token with no liquidity that only shows as a balance, or you were given access to a wallet whose send permission belongs to someone else, so you can see the funds but never move them. In both cases, the moment you are asked to pay a fee or deposit gas to unlock it, that fee is the actual scam. The displayed balance is bait.

Someone gave me a wallet with USDT already in it. Can I keep it?

No. This is the permission trap in Pattern 2. The wallet is arranged so you can receive but not send, and the moment you deposit TRX or ETH for gas, that deposit is swept along with the USDT by whoever holds the send permission. Do not send anything to a wallet a stranger handed you.

My USDT shows in my wallet but the transfer fails. Why?

Two common causes. On Tron you may simply lack the TRX needed for gas, which is normal and fixable by adding a little of your own TRX, but only if it is genuinely your own wallet. The other cause is the permission trap, where the account cannot send at all because its send permission was reassigned. If you did not create the wallet yourself, assume the second.

Is a fake deposit the same as a frozen account?

No, and confusing them wastes time. A frozen account is a real balance you temporarily cannot reach because an exchange placed a compliance hold, covered in our companion exchange frozen funds tracker. A fake deposit is a balance that was never really yours to move. The first can often be resolved with documentation. The second cannot, because there is nothing to recover.

How do I avoid address poisoning?

Verify the entire destination address every time, not just the first and last characters, and never copy an address from your transaction history without checking it. For any large transfer, send a small test amount first and confirm it arrived before sending the rest. Poisoning only costs you money at the moment you send to the wrong address, so the whole defense is at the send step.

Can I get my money back after an approval scam?

You can stop further loss by revoking the malicious approval immediately, which prevents more of that token from being taken. You generally cannot recover what already left, because confirmed blockchain transactions are final. Anyone charging an upfront fee to reverse a confirmed transaction is running a follow on scam, since reversal is not technically possible.

How does an exchange avoid paying out on a fake deposit?

By never releasing a payout until the incoming deposit is fully confirmed by the network and has passed screening. The June 20 attempt on us failed for that reason: the deposit stalled at five of twenty confirmations, the payout was held, and nothing was lost. Any service that pays out on an unconfirmed deposit is exposed to this, which is why finality before payout is a core rule for us rather than an option.

Sources and method

Pattern descriptions draw on wallet vendor security documentation, chain analysis reporting, and public incident coverage from established outlets, all read in July 2026, together with our own order records for the case in Pattern 5. Loss figures are the numbers reported at the time and can be revised. The order identifier in the case study is our own; we do not republish counterparty addresses. If you can document a new pattern or a change to one listed here, write to us at [email protected] and we will review it.

This page is companion to our exchange frozen funds tracker and to our guide on using a no KYC exchange safely.