DM Crypto Giveaway Hijack Scam
Compromised or spoofed accounts direct message followers claiming a limited-time cryptocurrency giveaway that requires sending a small deposit first to 'unlock' a much larger return, which never arrives.
Last reviewed: 5 July 2026
What this scam is
This scam uses an already-compromised, genuine social media account — one with real history, real followers, and real credibility — to send direct messages promoting a fraudulent cryptocurrency giveaway. Because the message comes from an account the recipient already knows and trusts, it bypasses much of the scepticism that would normally apply to an unsolicited crypto offer from a stranger.
The pitch always follows the same basic structure: send a small amount of cryptocurrency to a wallet address, and receive a larger amount back as a reward, bonus, or matched giveaway prize. This 'send a little to get a lot back' structure is a form of advance-fee fraud adapted for the mechanics of cryptocurrency, where transactions are irreversible once confirmed.
The scam can also appear without a prior account compromise, using a cloned or lookalike account instead, but the hijack variant is especially effective because the recipient has no reason to doubt the identity of the sender, only the plausibility of the offer itself, which most people do not scrutinise closely when it appears to come from someone they follow.
How it works
The attacker first gains control of an established account, typically through a prior phishing attack, a reused or leaked password, or a malicious third-party app the account owner had authorised. Once inside, the attacker mass-messages the account's followers or posts publicly, announcing a giveaway tied to a cryptocurrency, often referencing a real, well-known coin or a supposed partnership to add legitimacy.
The message specifies a wallet address and instructs followers to send an amount — commonly framed as being matched, doubled, or returned with bonus interest — within a tight time window to create urgency and prevent recipients from pausing to verify. Because cryptocurrency transactions confirm irreversibly on the blockchain, once a follower sends funds, there is no mechanism to reverse or recall the transaction.
The attacker typically deletes the messages and any related posts once enough followers have paid, or once the compromised account's real owner begins to notice unusual activity and starts changing settings. Some campaigns run for hours across hundreds of recipients before detection, since each individual message looks like a private, personal offer rather than an obvious mass broadcast.
Why this scam works
The core deception is not the offer itself, which is a familiar too-good-to-be-true scheme, but the identity of the messenger. Because the account has real history and the recipient already has an established trust relationship with it, the usual scepticism applied to unsolicited financial offers from strangers does not fully activate.
The irreversibility of cryptocurrency transactions removes the safety net that exists with reversible payment methods, meaning that by the time a recipient realises the offer was fraudulent, the funds are already unrecoverable. The tight time window compounds this by discouraging the recipient from independently confirming the giveaway through any other channel before acting.
A typical pattern
A follower of a mid-sized social media account receives a direct message from that same account, which appears completely genuine since it is the actual account they already follow, announcing an exclusive cryptocurrency giveaway open only to the first group of followers who respond within the next hour. The message explains that to participate, followers must send a small amount of cryptocurrency to a listed wallet address, which will then be matched and returned at several times the value as a thank-you for loyal support. Trusting the account because of its established history and follower count, the follower sends the requested deposit from their crypto exchange app, believing the returned amount will arrive within minutes as promised. No return payment ever comes, the account deletes the messages shortly after, and the follower later learns the account itself had been compromised days earlier and was being used to run the same message against hundreds of other followers simultaneously.
Common red flags
- Message asks you to send cryptocurrency first in order to receive a larger amount back
- Tight deadline, often under an hour, pressuring immediate action
- Sender account's messaging tone or writing style differs noticeably from how they normally communicate
- Wallet address provided has no prior transaction history or verifiable ownership
- Message deleted shortly after being sent, once you try to ask follow-up questions
- Claim of a partnership with a well-known cryptocurrency brand with no independent confirmation
- Livestream or post promoting the giveaway appeared suddenly and out of character for the account
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Exclusive giveaway for my most loyal followers! Send [amount] in crypto to this wallet in the next hour and receive [multiple]x back as a thank you.
We're matching donations 1:1 for the next 60 minutes only. Send your crypto now to double your contribution instantly.
I'm giving back to my community — send any amount to this address and I'll return 5x the value within minutes.
Claim your free token airdrop now! Just send a small gas fee to this wallet to unlock your reward.
Common variations
- Compromised-account variant using a genuine, previously trusted account with real history
- Cloned-account variant creating a lookalike profile of a public figure or brand rather than hijacking a real one
- Livestream giveaway variant, where a hijacked account starts a livestream with a fake celebrity endorsement urging viewers to send funds
- Matched-donation framing, presenting the request as a charitable matching campaign rather than a giveaway
- NFT or token airdrop variant, requiring a small 'gas fee' payment to claim a supposedly free asset
How to verify before you act
Any offer requiring you to send cryptocurrency first in order to receive more back is fraudulent without exception — no legitimate giveaway, matching programme, or reward scheme ever works this way, regardless of who appears to be sending the message. This rule applies even when the sender is someone you know and trust.
If you receive such a message from an account you follow, contact that person directly through a separate channel, such as a phone call or a different messaging app, to confirm whether their account has been compromised, since they are likely unaware their account is being used this way. Do not reply within the same platform, as the attacker controlling the account will see the reply.
Payment methods used
- Crypto
Who is usually targeted
- Followers of compromised accounts
- Cryptocurrency holders
- Fans of public figures and influencers
What to do immediately
- Do not send any cryptocurrency, and stop the transaction if it is still pending
- Contact the account owner through a separate channel to warn them their account may be compromised
- If you already sent funds, contact your cryptocurrency exchange or wallet provider immediately, though reversal is unlikely
- Report the compromised account and the fraudulent messages or posts to the platform
- Change your own passwords and enable two-factor authentication if you interacted with any link in the message
- Warn other followers if you can, since the same message is likely being sent to many people
How to prevent it
- Never send cryptocurrency to receive a larger amount back, regardless of who appears to be asking
- Verify any unexpected giveaway message through a separate communication channel before acting
- Enable two-factor authentication using an authenticator app on all social media accounts
- Avoid reusing passwords across platforms so a leak on one service cannot compromise another
- Review and revoke third-party app permissions connected to your social media accounts periodically
- Treat urgency and tight deadlines in any financial offer as an active warning sign
- Report compromised accounts to the platform immediately if you suspect a contact has been hijacked
Evidence to preserve
- Screenshots of the direct message before it is deleted, including timestamps
- The wallet address provided in the message
- Your own transaction record showing the amount sent and the destination address
- Screenshots of the account's profile at the time of the message
- Any related posts or livestream recordings promoting the giveaway
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
The message came from someone I actually know and follow. Could it still be a scam?
Yes. Compromised accounts are the primary vector for this scam, and the message will look identical to a genuine one from that account. Always verify through a separate channel, such as a phone call, before acting on any request to send cryptocurrency.
Can I get my cryptocurrency back after sending it to a scam wallet?
Cryptocurrency transactions are generally irreversible once confirmed on the blockchain. Report the transaction to your exchange and to law enforcement, as recovery is rare but reporting helps build a record that may assist wider investigations.
How did the account get compromised in the first place?
Common causes include the owner falling for an earlier phishing message, reusing a password that was leaked in an unrelated data breach, or authorising a malicious third-party app that was granted access to the account.