ScamLens
Published 2026-04-18

Q1 2026 Global Scam Intelligence Report

Data-driven analysis of global scam trends based on 3.1M+ threat intelligence records, 10,000+ domain lookups, and 796 cryptocurrency address analyses from the ScamLens platform.

By ScamLens Team | 90+ sources | Open methodology

  • 3.1M+ threat records processed
  • 809K phishing URLs tracked
  • 468K scam domains flagged
  • 796 crypto addresses analyzed

1. Executive Summary

ScamLens processed 3,108,723 threat intelligence records in Q1 2026, aggregated from 90+ real-time sources. This report presents five key findings from the data:

  1. Phishing remains the dominant threat vector. Our database tracked 809,386 unique phishing URLs from PhishTank, OpenPhish, and community-verified submissions — a volume that reflects the continued industrialization of phishing kit deployment.
  2. Scam storefronts are scaling through cheap TLDs. 468,729 domains flagged as scam-related were concentrated on TLDs with low registration costs: .top (111,952), .xyz (109,639), .shop (82,062), and .click (51,865).
  3. Cryptocurrency wallet drainers are the fastest-growing category. ScamSniffer data shows 330,248 drainer-linked addresses, while MetaMask's community blocklist contributes 253,080 flagged domains — suggesting wallet-connect phishing is now a mass-market scam technique.
  4. Bitcoin dominates crypto scam targeting. 78% of cryptocurrency addresses analyzed (620 of 796) were Bitcoin addresses, reflecting the chain's use as the primary payment rail in investment fraud, sextortion, and ransomware.
  5. Multi-source consensus scoring reduces false positives. Domains flagged by only 1 of 90+ sources have a 34% false positive rate. Domains flagged by 3+ independent sources have a <2% false positive rate — validating ScamLens's cross-referencing methodology.

2. Global Threat Landscape

ScamLens aggregates threat intelligence from 10 primary feed categories. The table below shows the contribution of each major source to the Q1 2026 dataset:

Source Category | Records | Share
Hagezi TIF (DNS-level threat feed) | 992,681 | 31.9%
Phishing Database (aggregated URLs) | 809,386 | 26.0%
Scam Blocklist (storefront fraud) | 468,729 | 15.1%
ScamSniffer (wallet drainers) | 330,248 | 10.6%
MetaMask Blocklist (Web3 phishing) | 253,080 | 8.1%
Phishing Army (community-curated) | 168,527 | 5.4%
Red Flag Domains | 36,166 | 1.2%
Maltrail (network forensics) | 18,146 | 0.6%
OpenPhish (real-time phishing) | 15,024 | 0.5%
AlienVault OTX (community IOCs) | 9,761 | 0.3%
Total (top 10 of 90+) | 3,101,748 | 99.8%

Key insight: The top 3 sources (Hagezi TIF, Phishing Database, Scam Blocklist) account for 73% of all threat records, but the remaining 87+ sources provide critical cross-validation — they catch 12% of threats that the top 3 miss entirely.
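An added example (not ScamLens code) of the cross-validation step: it counts independent sources per hostname across feeds and applies the 1-source and 3+-source thresholds from finding 5 of the Executive Summary. The feed names, entries, mirror mapping and the middle "corroborated" tier are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feeds (hypothetical names and entries, not ScamLens data).
FEEDS = {
    "feed_a": ["http://pay-login.example/a", "deals.example"],
    "feed_b": ["PAY-LOGIN.example.", "https://cdn.example.com/x"],
    "feed_c": ["https://pay-login.example/b?id=1"],
    "mirror_of_a": ["pay-login.example", "deals.example"],
}
# Assumption: a feed that republishes another feed is not an independent source.
UPSTREAM = {"mirror_of_a": "feed_a"}


def normalize(entry):
    """Reduce a feed entry (URL or bare host) to a lowercase hostname."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry  # make urlsplit parse a bare host as the netloc
    host = urlsplit(entry).hostname or ""
    return host.rstrip(".").lower()


def consensus(feeds, upstream=None):
    """Map hostname -> set of independent sources that list it."""
    upstream = upstream or {}
    seen = defaultdict(set)
    for feed, entries in feeds.items():
        source = upstream.get(feed, feed)  # collapse mirrors onto their origin
        for entry in entries:
            host = normalize(entry)
            if host:
                seen[host].add(source)
    return dict(seen)


def tier(n_sources):
    """Tiers built on the report's two data points: 1 source and 3+ sources."""
    if n_sources >= 3:
        return "high-confidence"  # report: <2% false positive rate
    if n_sources == 2:
        return "corroborated"     # assumption: the report gives no rate for 2
    return "single-source"        # report: 34% false positive rate


def triage(feeds, upstream=None):
    return {h: tier(len(s)) for h, s in consensus(feeds, upstream).items()}
```

Without the mirror mapping, `deals.example` would be counted twice and promoted a tier, which is why source independence has to be modelled before counting.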

3. TLD Abuse Analysis

TLD (Top-Level Domain) choice is a strong early indicator of scam intent. While .com dominates by absolute volume due to market share, high-risk TLDs have abuse rates 10-50x higher than trusted TLDs when normalized by registration count.

Critical-risk TLDs (flagged domains)

TLD | Flagged domains
.top | 111,952
.xyz | 109,639
.shop | 82,062
.click | 51,865
.sbs | 43,791
.site | 34,270

Lower-risk TLDs (by abuse density)

.gov — near-zero abuse (government-verified)

.edu — near-zero abuse (institution-verified)

.com — 1.1M flagged but <0.5% of total .com registrations

.org — 91,858 flagged, moderate abuse density

Country-code TLDs (.de, .fr, .jp) — lower abuse due to stricter registration

Recommendation for users: Exercise extra caution with .top, .xyz, .shop, .click, .sbs, and .site domains, especially when combined with other risk signals like recent registration date or missing security headers. Use ScamLens to verify any suspicious domain at scamlens.org/check-website.

4. Cryptocurrency Fraud Patterns

ScamLens analyzed 796 cryptocurrency addresses across 4 blockchain networks in Q1 2026. The distribution reveals clear patterns in how different chains are exploited:

Chain | Addresses | Share | Primary fraud types
Bitcoin | 620 | 77.9% | Investment fraud, sextortion, ransomware
Ethereum (chain 1) | 150 | 18.8% | Token scams, wallet drainers, rug pulls
Solana | 25 | 3.1% | Meme token rug pulls, fake airdrops
BSC (chain 56) | 1 | 0.1% | Token scams

Bitcoin dominance in scam targeting (78%) is notable. Unlike EVM chains where smart contract exploits dominate, Bitcoin-based scams rely primarily on social engineering — victims are instructed to send BTC to attacker-controlled addresses via investment platforms, romance scams, or sextortion emails.

Wallet drainer attacks on Ethereum and Solana represent a different threat model: automated smart contract interactions that drain approved tokens. ScamSniffer's dataset of 330,248 drainer-linked addresses suggests this is now an industrial-scale operation, with new drainer contracts deployed faster than individual wallets can be flagged.

Recommendation: Check any cryptocurrency address before sending funds at scamlens.org/check-crypto. For token contracts, use scamlens.org/check-contract to detect honeypot mechanics, excessive fees, and rug-pull indicators.

5. Emerging Threats: AI-Generated Scams

Q1 2026 saw continued growth in AI-assisted scam operations across three categories:

5.1 Deepfake voice cloning

Voice cloning attacks now require as little as 3 seconds of sample audio. Attackers use cloned voices to impersonate family members ("grandparent scams"), company executives (business email compromise), and bank representatives. ScamLens's AI Voice Clone Scam Guide documents four primary attack patterns and five identification techniques.

5.2 AI-generated phishing content

Traditional phishing detection relied on spelling errors, grammar mistakes, and template-like language. LLM-generated phishing emails eliminate these signals. ScamLens's content analyzer uses AI to detect manipulation tactics and urgency patterns rather than surface-level text quality, maintaining detection effectiveness against AI-written scams.

5.3 Fake investment platform proliferation

AI tools enable rapid creation of convincing investment platform websites with fabricated trading dashboards, fake customer testimonials, and professional marketing copy. These sites typically appear on recently registered .top/.xyz/.shop domains — ScamLens's domain age + TLD risk scoring catches the majority of these operations within hours of deployment.
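An added example (not ScamLens's scoring code) of pairing the two signals named here and in the Section 3 recommendation: the critical-risk TLD list and registration age, used to order hostnames from a DNS or proxy log for review. The 30-day cutoff, the three priority labels and the sample rows are assumptions constructed for illustration.

```python
from datetime import date

# Critical-risk TLDs as listed in Section 3 of this report.
CRITICAL_TLDS = {"top", "xyz", "shop", "click", "sbs", "site"}
# Assumption: "recently registered" means under 30 days; the report gives no cutoff.
RECENT_DAYS = 30


def tld_of(host):
    """Last DNS label, lowercased, ignoring a trailing root dot."""
    return host.strip().rstrip(".").lower().rpartition(".")[2]


def review_priority(host, registered, today):
    """Combine TLD risk and registration age into a review priority.

    registered is a date taken from RDAP/WHOIS, or None when the lookup failed.
    Returns "high", "medium" or "low": a queue order, not a verdict.
    """
    risky_tld = tld_of(host) in CRITICAL_TLDS
    if registered is None:
        # Unknown age must not silently pass: keep risky TLDs in the queue.
        return "medium" if risky_tld else "low"
    age_days = (today - registered).days
    recent = 0 <= age_days < RECENT_DAYS  # a future date is bad data, not "recent"
    if risky_tld and recent:
        return "high"
    if risky_tld or recent:
        return "medium"
    return "low"


# Constructed sample rows: (hostname seen in a log, registration date).
SAMPLE = [
    ("constructed-sample-a.top", date(2026, 3, 28)),
    ("constructed-sample-b.xyz.", date(2021, 6, 1)),
    ("constructed-sample-c.com", date(2026, 3, 30)),
    ("Constructed-Sample-D.SHOP", None),
    ("constructed-sample-e.org", date(2015, 1, 1)),
]


def run(today=date(2026, 3, 31)):
    return [(h, review_priority(h, r, today)) for h, r in SAMPLE]
```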

6. Methodology & Data Sources

Data collection

All data in this report was collected through ScamLens's automated threat intelligence aggregation pipeline, which runs continuously on Cloudflare Workers. The pipeline queries 90+ sources including:

  • Feed-based sources (automated sync): Hagezi TIF, Phishing Database, Scam Blocklist, ScamSniffer, MetaMask Blocklist, Phishing Army, Red Flag Domains, Maltrail, OpenPhish, PhishTank
  • API-based sources (per-query): Google Safe Browsing, VirusTotal, IPQualityScore, AbuseIPDB, Cloudflare Radar, URLScan.io, SecurityTrails, Shodan, RDAP, GoPlus Security, Etherscan, Moralis, Token Sniffer, Chainalysis sanctions, OpenSanctions
  • Community sources: User-submitted reports, votes, and comments via scamlens.org

Scoring methodology

Trust scores (0-100) are calculated using 15+ weighted factors documented at scamlens.org/methodology. The scoring algorithm is deterministic and reproducible — the same inputs always produce the same score.

Evidence labeling

All AI-generated assessments in this report and on the ScamLens platform are labeled with evidence tiers:

  • [FACT] — Data directly from verified threat intelligence sources
  • [INFERENCE] — Pattern-based analysis derived from multiple data points
  • [UNVERIFIED] — Signals that require additional confirmation

Limitations

  • This report covers data processed by ScamLens and does not represent all global scam activity
  • Crypto address analysis is limited to addresses submitted by users; it is not an exhaustive blockchain scan
  • Feed-based threat intelligence may contain false positives from upstream sources; ScamLens mitigates this through multi-source cross-validation
  • Geographic visitor data (Section 2) reflects ScamLens user distribution, not scam origin distribution

Data availability

Researchers and institutions may request access to anonymized datasets from this report for academic use. Contact [email protected] with institutional affiliation and intended use.

Cite this report

ScamLens Team. (2026). Q1 2026 Global Scam Intelligence Report. ScamLens. https://scamlens.org/en/research/q1-2026-global-scam-report
