Crypto conferences scale up, so do scams, security experts warn

Criminals are using in-person crypto events to launch phishing campaigns and impersonation scams, Kraken warns.

By now, it’s no secret that crypto is becoming mainstream, and with it, a bigger target. From Dubai’s skyline to Singapore’s high-tech halls, crypto conferences have exploded in size and scope. But amid the panels and pitches, Kraken‘s chief security officer Nick Percoco warns of a troubling pattern: people in the space may be letting their guard down at the exact moment they should be more alert.

“Personal security hygiene at crypto conferences has taken a back seat,” Percoco wrote in a blog post. His team at Kraken has been quietly observing — and what they’ve seen is hard to ignore.

At recent events, Kraken staff spotted unattended laptops with wallet access left open on expo tables, phones buzzing with wallet notifications while their owners chatted nearby. “If you’re in crypto, your digital device is not just a phone or a laptop,” Percoco reminds, adding that “it’s a vault.”

In a commentary for crypto.news, Percoco explained that phishing remains the most prevalent and effective scam at conferences — not because it’s technically sophisticated, but because of how easily it blends in. “The nature of these events – including constant networking, QR code scanning, and information sharing – creates ideal conditions for scammers to blend in and launch attacks with minimal effort,” he said.

“By exploiting common conference behaviors, attackers can easily distribute malicious links or fake scheduling invites under the guise of professional follow-ups. It’s a low-friction tactic that requires little technical sophistication but can yield significant access and financial rewards if successful.”

Nick Percoco

Conferences now hot targets

Crypto conferences have always been social hubs, but now they’re also a goldmine of unguarded intel. Percoco shared one scene: a group of conference-goers openly discussing high-value trades on a public sidewalk — lanyards displaying their names and companies in plain view.

Even if you don’t think anyone’s listening, someone probably is. Public Wi-Fi or QR codes can easily be hijacked. Percoco says it’s not paranoia — it’s pattern recognition. The suggestion: use burner wallets with minimal funds, and never scan a QR code you can’t verify.

“It only takes a single sticker swap for a bad actor to replace a legitimate QR code on a marketing material with a fake one, putting dozens (if not hundreds) of attendees at risk.”

Nick Percoco

The threats aren’t theoretical anymore. In France, a series of violent attacks on crypto professionals has underscored the very real danger of being too visible in this space.

In January, David Balland — co-founder of Ledger, a company known for secure crypto wallets — was kidnapped at gunpoint from his home. His captors severed his finger and sent it to his business partner as proof, demanding a €10 million ransom in crypto. His wife was later found tied in the trunk of a car. Both survived, but the ordeal left the community shaken.

The attackers? Young, organized, and tech-savvy, and reportedly familiar with Balland’s holdings and business ties.

It’s not an isolated case. Other attacks in France have also targeted crypto holders, sometimes extending threats to their families. These are not online scams. These are physical, deliberate abductions. The old “don’t tell people you’re in crypto” rule just got a lot more literal.

Basic mistakes, big consequences

Percoco’s biggest concern isn’t necessarily complex hacks. It’s basic situational awareness. Crypto folks know how to use cold storage. But when it comes to not leaving a MacBook Pro unlocked in a crowded room? Apparently not so much.

“In today’s high-stakes environment, crypto complacency isn’t just a personal risk, it’s a threat to our broader movement.”

Nick Percoco

That sentiment echoes what a16z crypto has also been telling its community for months if not years: in web3, the perimeter is you. A data breach — even of your phone number — can snowball into full-blown identity theft.

Every piece of information attackers glean “makes it easier for and likelier that they will acquire more,” wrote in a blog post Matt Gleason, a security engineer for a16z crypto. Once your personal data is out there, it’s a waiting game. Gleason advises freezing credit at credit bureaus, enabling multi-factor authentication with hardware keys like YubiKey, and locking down sensitive apps behind Face ID. SIM protection with mobile carrier is also a must.

On top of that, Gleason suggests to rethink passwords. Use a manager, create a vault and don’t reuse passwords. And watch for red flags like unsolicited calls or unexpected login notifications. The goal isn’t just to react — it’s to make yourself a harder target.

Culture shift might be needed

Back on the conference floor, Percoco urged attendees to adopt a more security-conscious mindset. He particularly emphasized the importance of verifying identities, avoiding sensitive discussions in public areas, keeping an eye on personal belongings, and steering clear of free charging stations, which could potentially install malware through a method known as “juice jacking.”

According to Percoco, attackers don’t operate at random. They often assess visible details like names and company affiliations on lanyards to quickly identify high-value targets such as developers, DAO contributors, or startup teams. Once a target is chosen, they may receive phishing links disguised as calendar invites or Zoom calls, designed to establish a foothold on the victim’s device. As Percoco says, the first step “can be all it takes to breach a device and move laterally from there.”

This isn’t about paranoia. It’s about catching up with reality. As the crypto industry gains legitimacy, it’s also gaining enemies — from state-sponsored hackers to opportunistic criminals. Security culture has to evolve with it.

Percoco also believes there’s no silver bullet for eliminating scammers from industry events entirely. But he pointed out that conferences already collect significant attendee data — including names, emails, and phone numbers — for legitimate logistical purposes. Under the wrong circumstances, that same data “can be leveraged by malicious actors under the right circumstances,” he adds.

A16z crypto emphasizes that cybersecurity is “no longer optional,” adding forward that it has become a “necessity.”