How Cybercriminals Use LLMs To Target Crypto Users: AI Scams & Defense

Large Language Models have quickly transformed how information is produced, consumed, and communicated in the digital world. Further, they are able to generate coherent, human-like text, understand context, answer complex questions, and generate coherent long-form content all in mere seconds. While these capabilities have created enormous value in fields such as education, customer service, software development, and content creation, unfortunately, this has also opened up whole new avenues for cybercriminals looking to exploit unsuspecting crypto users.

Because it exists in a decentralized and pseudonymous environment, the global crypto ecosystem is uniquely vulnerable. Unlike monetary fraud occurring through more traditional banking systems-where the transactions can often be reversed or stopped by intermediaries-cryptocurrency transactions are irreversible. This means the implications of being the victim of a scam are much worse. Using LLMs, bad actors can create incredibly convincing phishing messages, impersonate legitimate platforms, craft persuasive social engineering scripts, write fraudulent smart contract explanations, and even write malicious code. These allow them to target crypto wallets, exchanges, token holders, NFT collectors, and users engaging in DeFi or Web3 communities.

This article explores in extensive detail how cybercriminals use LLMs to target crypto users specifically.

Why LLMs have become a tool for crypto-focused cybercriminals

LLMs are appealing to cybercriminals for many reasons. First, they lower the barrier of entry. Once upon a time, writing effective phishing messages or constructing scam landing pages required superior writing or coding skills. Fast-forward to today, and even those with less skill can create professional-sounding messages or scripts. Second, LLMs automate scale. Cybercriminals no longer need to craft messages manually for each and every victim. They now can create thousands of types of personalized templates with adjusted tone, urgency, and technical language based on a user's behavior or profile.

Beyond ease and scale, LLMs bring a new level of adaptability. These models will give the appearance of understanding that will let attackers fine-tune their scams in real time. If a user asks a scammer a technical question about blockchain, for instance, an LLM can generate a convincing response with explanations that sound like those of real developers or customer support teams. Dynamic and conversational, this advantage is a huge plus in social engineering attacks, where credibility means everything.

The Rise of Jailbroken & Criminal LLMs (WormGPT, FraudGPT, etc.)

A critical and growing concern is the use of jailbroken, fine-tuned, or fully custom LLMs created specifically for malicious activity. Tools like WormGPT, FraudGPT, DarkBERT, and other black-market variants are trained on malware scripts, phishing templates, smart contract exploits, and social engineering data. These models bypass safety restrictions, enabling criminals to:

• Generate malware and malicious smart contracts.

• Create highly targeted phishing operations.

• Automate romance scams, fake investment support chats, and scam bots.

• Refine exploit code for DeFi attacks and rug-pull mechanisms.

Such custom LLMs massively expand the capabilities of even low-skilled attackers.

LLMs also provide multi-language capability, allowing criminals to scale globally without translation expertise. And because they can analyze blockchain forums, GitHub repos, Discord chats, and social media threads, scammers can craft content that feels personalized and contextually aware.

Major Ways Cybercriminals Use LLMs to Target Crypto Users

Cyber criminals implement LLMs in various attack strategies across the crypto ecosystem, ranging from psychological manipulation to technical exploitation-something that showcases how AI amplifies the soft-skill and hard-skill parts of scams.

AI-Generated Phishing Messages

Phishing remains the most used attack vector in the crypto space. Traditionally, these phishing attempts were relatively easy to recognize due to misspellings, outlandish claims, unusual formatting, or ambiguous warnings. LLMs remove these signals of potential fraud. The messages generated by them are highly polished and grammatically correct, mimicking the structure and tone of real communications from exchanges, wallet providers, staking platforms, or blockchain networks.

AI-generated phishing messages can be customized based on data mined from social media. For example, if a user recently tweeted about moving their finances between wallets, an attacker could build an email based on this activity and state that additional verification is required. This sort of personalization lends credence and urgency that's really hard for users to disregard.

Large language models also contribute to the generation of realistic phishing schemes, in which certain life events are used as an attack vector. In times of network congestion, emails generated by AI may indicate that users "need to 'reconfirm their wallet identity to avoid delays." If the platform is experiencing actual downtime, attackers may send messages suggesting that funds will be at risk unless actions are taken. LLMs can create timely and relevant content that greatly enhances the success rate of phishing campaigns.

Posing as Support Teams, Developers, and Crypto Influencers

Impersonation has always been at the core of crypto scams. Attackers claim to be support agents, developers, or community managers, among other disguises. Impersonation, however, is much more believable with LLMs. Based on public posts, documentation, and overall communication patterns of real individuals, an LLM can craft messages in the tone and personality, and even linguistic style of well-known figures in the crypto world.

Pseudo customer support conversations using LLMs can be lengthy and full of details. Such bots can give technical explanations of wallet issues, interactions with the blockchain, or token transfers that make the user really feel like they're talking to a trained professional. Because LLMs can refer back to previous messages in the conversation, they build continuity and engender trust.

Influencer impersonation is another LLM-powered trend. The attackers create messages or posts that appear to originate from high-profile crypto personalities. These may be used to push scam tokens, fake giveaways, or fraudulent investment opportunities. An LLM's well-rounded and knowledgeable tone helps these impersonation attempts slip through suspicion.

AI-Powered Social Engineering Scripts

Social engineering has evolved to a higher level with the ability of LLMs. Today, attackers can generate scripts which are based on methods of psychological manipulation. Such scripts adapt according to user responses: in cases of user hesitation, the LLM generates reassuring statements; when the user is confused, simpler explanations would be given by the LLM.

LLNs can generate multi-turn manipulation flows that shepherd users to leak sensitive information or perform dangerous actions. For instance, a script may initiate with empathetic language, move on to technical clarification, and then progress toward urgency-based persuasion. This kind of structured manipulation was earlier challenging for scammers to pull off reliably, at scale.

LLMs also help craft narratives that accurately use complex blockchain concepts. This is important because many crypto users ultimately base their decisions on the basis of technical explanations for legitimacy. If an attacker can provide answers that sound like developer-level insights, victims are more likely to follow through with fraudulent instructions.

AI-based Malicious Smart Contract Code

Although LLMs generally decline to provide malicious code outright, cybercriminals look for loopholes to utilize AI models in constructing or refining harmful smart contracts. This would entail breaking down the request into smaller components or cloaking the malicious intent. For example, instead of asking the model to write a rug-pull contract, they may ask for optimization or debugging of a pre-existing script.

In this way, lower skill barriers reduce the time it takes to create or modify code with malicious intent. The attackers can build smart contracts with logic hidden inside to drain users' funds or restrict token transfers. LLMs can also help refine the documentation of these contracts into a seemingly safe, professional document.

Particularly in DeFi ecosystems, this form of technical manipulation can be hazardous, where users more often interact with contracts that are unfamiliar but promise them very high yields. If an LLM helps polish the explanation of a contract's operation, users may be less apt to question subtle risks.

Creating Fake Crypto Websites, Whitepapers, and Documentation

The presentation of a crypto project often determines its credibility. Professional websites, comprehensive whitepapers, and extensive documentation engender trust and indicate that the project has been considered with reflection. LLMs let cybercriminals create such materials at an impressive speed.

Scam tokens, fraudulent exchanges, and rug-pull projects can paint very articulate stories that seem convincing. LLMs generate roadmaps, technical diagrams, audits, and FAQs that are consistent with the industry standard. In this respect, scammers lure investors, influencers, and community members.

These fake websites, generated through LLM, often use the layout and tone of other popular platforms. They may also include a customer support chatbot, real-time price tickers, and even fake customer testimonials to give the impression of legitimacy.

Automated Scam Bot Conversations

Crypto communities prosper with real-time conversations over Telegram and Discord. Attackers deploy AI-powered bots that look like real users. They start discussions, answer questions, and show support.

LLM-driven bots can impersonate the way community managers or long-time members communicate. They use blockchain terminology, technical explanations, and personalized advice. Because their responses are instant and consistent, users very often believe they are talking to helpful people, not automated scripts.

Such bots may further direct users to phishing links, promote fake investment schemes, or guide them through fraudulent processes that involve the signing of risky transactions.

AI-Tooltip Malware and Credential Theft

They use LLMs in malware refinement by improving obfuscation, debugging codes, or suggesting optimization techniques. While it may not create malicious code on its own, an AI can enhance malware to make detection harder.

Attackers also leverage LLMs to generate very convincing landing pages resembling the legitimate wallet interface. These pages would convince users to enter their seed phrase or private key. Since the wording, structure, and explanations appear professional, users feel confident that the page is trustable.

At the same time, LLM-refined scripts help attackers automate credential theft across hundreds or thousands of victims.

Pig Butchering Scams: Now Supercharged by LLMs

Pig butchering scams—long-term, emotionally manipulative schemes where scammers build fake relationships with victims before pushing them into fraudulent crypto investments—have become one of the fastest-growing AI-assisted crimes.

With the help of LLMs, criminals can now:

• Maintain multiple long-term conversations with victims simultaneously.

• Generate emotionally persuasive messages with perfect grammar and empathy.

• Adopt consistent personas with believable backstories.

• Provide convincing “financial advice,” fake dashboards, or false profit screenshots.

• Remain patient and emotionally aligned with the victim’s responses (using adaptive scripts).

Custom LLMs like WormGPT are even used to craft psychological manipulation scripts and investment “guides” that appear professional. Because these scams rely heavily on emotional trust-building, the conversational ability of LLMs dramatically increases their success rate.

How Cybercriminals Leverage LLMs to Personalize Attacks against Crypto Users

The crypto users themselves are not homogeneous groups, and they have different experiences, platforms used, preferred exchanges, blockchains, or technical backgrounds. This is precisely where LLMs enable criminals to create tailored attacks for every single group.

Wallet-Specific Phishing

LLMs generate phishing messages tailored to individual wallet brands. Each wallet has its unique user interface, terminology, and communication style. Attackers use this to their advantage in crafting messages that seem very real. For instance, the phishing message might relate to token approval permissions in MetaMask or could discuss firmware updates targeting Ledger users. That accuracy makes the scam more effectively prosecuted.

Chain-Specific Scams

Different blockchain ecosystems have specific features and user behaviors. Attackers will use LLMs to craft scams that leverage chain-specific knowledge. For instance: Ethereum users receive messages on contract interactions or gas fees. Solana users receive messages referring to transaction failures or signature issues. Fake staking opportunities are promoted to users of the BNB Chain. This level of personalization increases believability.

Airdrop Scam Optimization

Airdrop scams are very common, as they play on everyone's favorite feeling: free tokens. LLMs help attackers craft believable airdrop announcements, eligibility criteria, claim instructions, and social media posts. Some even generate fake technical documentation that explains why certain users qualify. These scams often engage in luring users into connecting wallets to fraudulent dApps, approving malicious permissions, or sharing sensitive information.

Comparison Table: Traditional Crypto Attacks vs. LLM-Enhanced Attacks