Telegram Crypto Pump & Wallet-Drainer Scams: 5 Variants and the Never-Connect-Wallet Rule

A coordinated Telegram group announces a target micro-cap token at a specific time. Members synchronize buy orders to inflate price; insiders dump at peak. Late buyers lose when the cascade reverses. Per Solidus Labs investigation, the PumpCell Telegram ring generated $800,000 in October 2025 across multiple micro-cap tokens.

A representative case from Solidus Labs' 2025 investigation: PumpCell, a Telegram-based pump-and-dump operation, orchestrated synchronized token launches and sniper-bot buys that inflated micro-cap tokens to seven-figure valuations within minutes. Members paying $50-$200/month for "VIP signals" received the announce-and-buy timing milliseconds before the public channel; insiders had already pre-purchased and were in position to exit at peak. Within 5-15 minutes of the announce, the price spiked, insiders sold, and the price collapsed. Members who joined the buy were left with worthless tokens. Total investigated activity in October 2025: $800,000.

The SEC and CFTC have pursued pump-and-dump organizers under existing securities-fraud and commodities-fraud statutes since at least 2021. The structural problem is enforcement scope — Telegram operators frequently use offshore channels and crypto-only payments, making jurisdiction murky. The protective rule for individual investors is simpler than the enforcement architecture: any "guaranteed pump" or "whale signal" Telegram channel is a fraud. Real legitimate trading does not work via coordinated synchronized buying.

What stops it is refusing to participate. Don't pay for Telegram signal groups. Don't synchronize buys with anyone. Don't believe "guaranteed" anything in crypto. If you've been a victim, document the transactions and report at SEC TCR (Tips, Complaints, and Referrals), FTC ReportFraud, and FBI IC3.

A "scam-as-a-service" wallet-draining malware kit (most famously Inferno Drainer) deploys fake Web3 sites mimicking legitimate crypto projects. Users connect their wallet and sign a transaction that grants the attacker authority to drain tokens. Per Scam Sniffer 2024 data, wallet drainers stole roughly $500 million across 2024; Inferno alone accounted for 40-45% of all drainer hits.

A representative case: a user clicks an X / Twitter advertisement promoting a "Uniswap V4 early access airdrop." The link routes to a site that visually matches Uniswap's official UI, with a "Claim Airdrop" button. The user clicks; a wallet-connect prompt appears (looks like the legitimate MetaMask/WalletConnect modal); the user clicks "Connect" and signs a transaction labeled "Approve" that they believe is the airdrop claim. The signature actually grants unlimited token-transfer authority to the drainer's smart contract. Within seconds, the drainer extracts every fungible token from the user's wallet — often $5,000-$500,000 depending on holdings. The user has no recourse; blockchain transactions are irreversible.

Inferno Drainer's operation through 2023 stole $80M+ from 134K victims per Group-IB. The operators announced a Telegram-channel shutdown in November 2023, but a sophisticated phishing campaign abusing Discord brought the same kit back in 2024 with even larger market share. Per Check Point Research, Inferno's 2024 resurgence accounted for 40-45% of all drainer activity that year.

What stops it is hardware-wallet discipline + approval auditing. Use a hardware wallet (Ledger, Trezor) for any non-trivial crypto holdings — hardware wallets require physical button-press confirmation per transaction, and the on-device display shows the actual transaction details (not the website's claim). Audit approvals quarterly via Revoke.cash and revoke any approvals you don't actively use. The combination defeats most drainer variants because the hardware wallet refuses to sign anything not visible on its screen.

Fake lookalike Telegram / Discord channels mimic real crypto-project support. Scammers DM users from real channels and invite them to the fake support channel, where the "support agent" walks them through wallet-connect or seed-phrase disclosure. Real support NEVER asks for your seed phrase or private key under any circumstances.

A representative case: a MetaMask user posts in the official MetaMask Discord asking why a transaction failed. Within minutes, a DM arrives from a user with "MetaMask Support" branding offering to help in a private channel. The user clicks the channel invite; the channel name is "MetaMask Help Desk" (not "MetaMask Official"), but the branding looks identical. The fake agent walks the user through a "wallet recovery procedure" that requires entering the 12-word seed phrase into a "secure verification form." The user enters the seed; the attacker uses it to import the wallet on their own device and drains every asset within seconds.

The protective rule is the most absolute one in crypto. No legitimate crypto support — MetaMask, Phantom, Coinbase, OpenSea, Uniswap, none of them — will ever ask for your seed phrase, private key, or wallet password under any circumstances. The request itself is the diagnostic for impersonation, regardless of how plausible the framing. Real support troubleshooting is done through the application itself (logs, error messages, settings) without ever requiring seed-phrase disclosure.

What stops it is the no-seed-phrase rule plus channel verification. Verify Telegram / Discord channel names against the project's official website before joining. Never enter your seed phrase anywhere outside the wallet's own UI on your trusted device. Real seed phrases are entered exactly once — when you first restore a wallet — and never again for "verification" or "recovery."

A "free token airdrop" announcement requires wallet-connect to claim. The connection grants the drainer authority to move existing tokens out of the wallet (the actual goal). Real airdrops typically push tokens automatically to eligible wallets without requiring user action; "claim" pages requiring signatures are the diagnostic for drainer fraud.

The variant is structurally the most common drainer-distribution mechanic. A user sees a viral X post claiming "Uniswap V4 early-access airdrop — claim 5,000 UNI tokens (~$50,000) at this site." The link is verified by 50+ bot reposts using the same lookalike domain. The user clicks, lands on a fake Uniswap UI, connects their wallet, signs the "claim transaction," and watches the entire wallet drain in seconds. The promised UNI tokens never arrive.

Real airdrops work differently. Eligible wallets (early users, NFT holders meeting specific criteria) receive tokens automatically — the user can see the airdrop in their wallet without any action. Some legitimate airdrops do require a "claim" transaction, but the legitimacy is verified by checking the project's official website, official Twitter, and on-chain transaction history before connecting. The "free is not free if you have to sign" rule is a near-perfect filter.

What stops it is the verify-before-connect rule + hardware wallet. Before connecting your wallet to any airdrop site: (1) navigate to the project's official URL by typing it (not via the X link); (2) confirm the airdrop announcement on the project's official Twitter and website; (3) check Etherscan / project explorer for the airdrop's smart contract address. If any of those checks fail, walk away. A hardware wallet adds a final defense by requiring physical confirmation of every transaction with the actual contract address visible on the device screen.

Telegram / Discord channels offer paid trading-bot or signal-group subscriptions. Three failure modes: (1) pure subscription fraud, (2) signals timed to the organizer's pump-and-dump exits, or (3) requires wallet-connect for "bot integration" → drainer. Real legitimate trading-signal services exist but are rare; the vast majority of paid Telegram signal groups are fraud.

A representative case: a Telegram channel offers "AlphaSignal Pro" — automated crypto-trading signals for $200/month, with screenshots of "verified members" reporting 3-5x monthly returns. The subscriber pays the $200, joins the VIP channel, and starts receiving signals. The signals turn out to be the organizer's own pump-and-dump entries (Variant #1) plus a smattering of obvious losing trades to disguise the pattern. The subscriber loses 60% of their portfolio over 3 months while the organizer extracts $200/month subscription fees + pump-and-dump exit profits. Real legitimate algorithmic-trading services exist (3Commas, Bitsgap, etc., though their efficacy is heavily debated), but they don't operate via Telegram subscription with screenshot-based marketing.

The protective rule is the no-paid-signals-on-Telegram rule. If a strategy genuinely produced consistent returns, it would not need to be sold via Telegram subscription. Real funds and legitimate trading firms have different distribution. If you genuinely want algorithmic trading, use established platforms with regulatory oversight (regulated brokerages, professional fund managers); if you just want crypto exposure, hold spot tokens via Coinbase / Kraken / hardware wallet without trading. Never connect your wallet to any "bot" regardless of framing.

What stops it is refusing to subscribe. No paid Telegram signal group is legitimate. Treat the existence of the offer as the diagnostic. If you've already subscribed and want recourse, dispute the credit-card charge under FCBA, report to FTC + SEC TCR, and never connect your wallet to any tool the channel pitches.