Crypto Citizen 101 — The Citizen's Oath · Lesson 4 of 5

Scams and social engineering

The XRP Ledger has never been hacked in 14 years of continuous operation. Users have lost billions of dollars over that same period. The difference is the entire content of this lesson.

Almost no one loses crypto to broken cryptography. They lose it to a person on the other side of a screen, manipulating them into signing the wrong thing or revealing the wrong string. Recognising the patterns is more important than any technical control.

The six families of attacks you will see

1. The fake support agent

You post in a Discord or Telegram channel about a problem with your wallet. Within minutes, someone with a profile picture matching the project's branding DMs you offering to help. They ask you to "verify your wallet" by entering your seed on a website, scanning a QR, or running a script.

Reality: Legitimate support never asks for your seed, your private key, or your password. Ever. Not on a call, not in chat, not via a "secure form." If you're asked, the conversation is over.

2. The seed-phrase form

A pixel-perfect clone of a popular wallet's site appears at a URL that's one character off. It walks you through a fake recovery flow and asks for your seed.

Reality: You only ever enter your seed into a wallet app you've installed yourself, after verifying the domain or the binary's signature. Never paste it into a webpage somebody linked you.

3. The malicious transaction

A site connects to your wallet for what looks like a normal action — claim a free NFT, swap a token, mint a collectible. The transaction it asks you to sign actually grants the attacker permission to drain you (on EVM chains this is setApprovalForAll; on XRPL it's typically an outsized Payment to their address, or a malicious SetRegularKey that gives them a second signer).

Reality: Read what you're signing. Gopnik shows you the resolved fields of every transaction before submission. If the destination address isn't one you recognise or the amount doesn't match what you expected, cancel.

4. The "you must act now" pressure

"Your wallet will be frozen in 24 hours unless you migrate." "Limited airdrop, first 100 only." "Your friend lost access to their account and needs your seed to recover it." Urgency turns off the prefrontal cortex.

Reality: No legitimate blockchain operation depends on you acting within hours. None. If you're being rushed, you're being attacked. Walk away and verify through a second channel.

5. The romance / mentor scam (pig butchering)

A new friend on a dating app, an investing forum, or a language-exchange chat slowly builds rapport over weeks, then introduces a "great trading platform" they're using. The platform shows fake profits to keep you depositing. When you try to withdraw, "taxes" or "verification fees" eat the rest.

Reality: Anyone you've never met in person who introduces you to an investing platform is almost certainly a scammer. The base rate is brutally high. The platform doesn't exist; only the deposit address does.

6. The address swap

You copy a wallet address to your clipboard. Malware on your machine, or a malicious browser extension, silently replaces it with the attacker's address before you paste. You don't notice because addresses are long random strings.

Reality: Verify the first six and last six characters of every paste before signing. Better: send a 1 XRP test transaction first when moving meaningful sums to a new address.
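The checks from families 3 and 6 can also be run mechanically on the transaction JSON before it is signed. The sketch below is an added example, not code from this course or from Gopnik; the function name `review_transaction` and all sample addresses are constructed placeholders. It goes a step beyond the six-character eyeball check by comparing the full destination string, and it treats anything other than the one Payment you intended as a reason to cancel.

```python
from decimal import Decimal

DROPS_PER_XRP = 1_000_000  # XRPL encodes XRP amounts as a string of integer drops


def review_transaction(tx, expected_destination, expected_xrp):
    """Return reasons to cancel; an empty list means every field matched."""
    tx_type = tx.get("TransactionType")
    if tx_type == "SetRegularKey":
        return [f"SetRegularKey: {tx.get('RegularKey')} would be able to sign for this account"]
    if tx_type != "Payment":
        return [f"unexpected transaction type {tx_type!r}"]

    findings = []
    dest = tx.get("Destination", "")
    if dest != expected_destination:
        # Report both ends so a swap that preserves the prefix is still visible.
        findings.append(
            f"destination {dest[:6]}...{dest[-6:]} is not the expected "
            f"{expected_destination[:6]}...{expected_destination[-6:]}"
        )
    amount = tx.get("Amount")
    if not (isinstance(amount, str) and amount.isdigit()):
        findings.append("amount is not a plain XRP value in drops")
    elif Decimal(amount) / DROPS_PER_XRP != Decimal(expected_xrp):
        findings.append(f"amount is {Decimal(amount) / DROPS_PER_XRP} XRP, expected {expected_xrp}")
    return findings


# Constructed sample data: placeholder strings, not real XRPL accounts.
FRIEND = "rFriendExampleAddr1111111111aaaaaa"
SWAPPED = "rFriendExampleAddr9999999999zzzzzz"  # same first six characters, different ending
ME = "rMyOwnExampleAddr22222222222bbbbbb"

SAMPLES = {
    "test payment": {"TransactionType": "Payment", "Account": ME, "Destination": FRIEND, "Amount": "1000000"},
    "address swap": {"TransactionType": "Payment", "Account": ME, "Destination": SWAPPED, "Amount": "1000000"},
    "outsized payment": {"TransactionType": "Payment", "Account": ME, "Destination": FRIEND, "Amount": "2500000000"},
    "second signer": {"TransactionType": "SetRegularKey", "Account": ME, "RegularKey": SWAPPED},
}

if __name__ == "__main__":
    for name, tx in SAMPLES.items():
        problems = review_transaction(tx, FRIEND, "1")
        print(name, "->", "OK to sign" if not problems else "CANCEL: " + "; ".join(problems))
```

The "address swap" sample shares its first six characters with the intended address, which is why the check has to cover the end of the string as well as the start.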

The mindset

The defenders' advantage in crypto is slowness. Attackers want speed, urgency, and isolation. You can almost always defeat them by:

  1. Taking 24 hours before any irreversible action.
  2. Asking one trusted person (a real human, in person): "Does this seem right?"
  3. Reading every field of every transaction before pressing Sign.

If a deal is so good it can't wait 24 hours, it's not a deal.