If you've read this far, the technical content is no longer your bottleneck. The remaining attack surface — by far the largest one in actual loss reports — is you. Specifically, the version of you that's tired, distracted, hopeful, scared, or trying to be helpful.
This lesson is not about cryptographic threats. It's about manipulation, which is older than crypto and doesn't care about Merkle trees.
The seven scripts that drain wallets
Almost every social-engineering attack against a crypto wallet user follows one of these scripts. Learning to recognize them is the entire defense.
Script 1 — "I'm from Gopnik support"
You receive a DM (Twitter, Discord, Telegram, Reddit) from someone with the Gopnik logo as their avatar. They say they noticed an issue with your account and need to help. They direct you to a fake support site that asks for your seed phrase, or they ask you to "verify" by typing words into chat.
Defense: Gopnik support never DMs first. Gopnik support never asks for your seed phrase, passkey credentials, or password. Period. If we contact you, it's through the wallet's in-app notification system or from a verifiable @gopnik.io email, and we never ask for credentials.
Script 2 — "You won an airdrop"
A pop-up, email, or DM tells you you've won 5,000 of some token. To claim, connect your wallet to airdrop-xxx.fake. The site is a transaction-signing trap. You sign what looks like a "claim" and you've actually signed a drain transaction.
Defense: legitimate airdrops never require you to sign anything to receive them. They just appear in your wallet. Unsolicited "claim" prompts are 99% scams.
Script 3 — "Increase your yield by staking"
A new project promises 80% APY on staked XRP. To stake, you bridge to their chain or sign a delegation transaction. The transaction actually transfers ownership of your account to the attacker.
Defense: read every transaction before signing. The Gopnik wallet displays the destination, amount, and asset transfer for every signature request. If you don't understand what you're signing, don't sign.
Script 4 — "Recovery help"
You post in a Discord that your wallet is acting funny. A helpful stranger DMs offering to help. They walk you through "verification" steps that involve sharing your seed phrase, your screen, or your transactions.
Defense: never share seed phrases. Never share screens during wallet troubleshooting. Never accept "help" from a stranger. The only valid help comes from official Gopnik support — and even they will never ask for your credentials.
Script 5 — "Romance scam"
A relationship that started on a dating app moves to crypto investment. Your new partner explains how to "invest" — they recommend a platform, you deposit, your money grows on the screen, you can withdraw small amounts (the hook), but the larger withdrawal "needs taxes paid first" and that's where the trap closes.
This is the single largest category of crypto loss in 2024-2025 by total dollars. The Federal Trade Commission reports billions in losses to "pig butchering" schemes (the industry's name for this script).
Defense: never invest through a platform recommended by someone you met online and have not met in person. No exceptions. Even if you've video-called. Even if they seem real. The script is designed to feel real.
Script 6 — "Service technician"
A real or impersonating technician (phone repair, computer repair, ISP installation) is in your home or has remote access to your device. While "fixing" something, they look at your screen, your sticky notes, your browser history, or your wallet directly.
Defense: for any non-trivial wallet balance, treat your seed-phrase backup as you would treat a stack of cash. Don't leave it visible. Don't write the seed phrase on the back of a sticky note on your monitor. Don't leave your wallet app open during a service visit.
Script 7 — "The 5 things Gopnik will never ask"
Memorize this list. We will never:
1. Ask for your seed phrase.
2. Ask for your passkey credentials or biometric data.
3. Ask you to "verify" your wallet by signing an unfamiliar transaction.
4. DM you first on Discord, Telegram, Twitter, or any other social platform.
5. Ask you to install a "support tool" or share your screen.
Anyone — even someone with a Gopnik logo and a verified-looking handle — who asks for any of these is impersonating us. End the conversation, report the account, and move on.
A worked example — the Drainer Signature
Here's an example of the most common technical-social hybrid attack.
The attacker buys an ad that appears at the top of a Google search for "Gopnik Wallet." The ad links to gopnik-walIet.io (note the capital-i instead of lowercase-l — nearly invisible on screen). The page looks exactly like ours.
You visit, click "Connect Wallet," and the page prompts you to sign a "verification" transaction. The transaction, when you read it carefully, says something like:
SetRegularKey: rAttackerAccountXXX
This is a real XRPL transaction type that changes who's allowed to sign on your behalf. Sign it, and the attacker can now sign as you. They drain the account in minutes.
The Gopnik wallet shows you the transaction type, the destination, and the asset transfer for every signature request, and it warns loudly on SetRegularKey to a non-Gopnik address. But the warning only works if you read it. Most users in this situation are already in the "I just want to fix this" mindset and click through.
The protection is two-step: (1) always type the wallet URL directly or use a bookmark, never click through ads or DMs; (2) read every transaction before signing, every single time. Even when you're tired. Especially when you're tired.
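Both steps above, as an added Python example that is not Gopnik's code: a confusable-glyph check for the host you landed on, and a pre-signing review of an unsigned XRPL transaction (JSON form) that flags SetRegularKey to a key you do not hold. It generalizes to SignerListSet and the AccountSet flag that disables the master key, which move signing authority the same way. The official host, the user's own keys and the sample transactions are assumptions or constructed placeholders.

```python
import unicodedata

# Assumed for this example, not Gopnik's real configuration: the official host
# and the keys this user controls (constructed placeholders, not real addresses).
OFFICIAL_HOST = "gopnik-wallet.io"
MY_KEYS = {"rUserMainKeyPLACEHOLDER", "rUserBackupKeyPLACEHOLDER"}

# Glyphs that read alike on screen. The lookalike in the text swaps capital I
# for l; Cyrillic letters that mirror Latin ones are folded the same way.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o",
                             "\u043e": "o", "\u0430": "a", "\u0435": "e",
                             "\u0440": "p", "\u0441": "c", "\u0456": "i"})

def classify_host(host: str) -> str:
    """'official' for the real host, 'lookalike' when it only matches after
    confusable glyphs are folded, 'unrelated' otherwise."""
    if host.lower() == OFFICIAL_HOST:
        return "official"
    folded = unicodedata.normalize("NFKC", host).translate(CONFUSABLES).lower()
    return "lookalike" if folded == OFFICIAL_HOST else "unrelated"

ASF_DISABLE_MASTER = 4  # XRPL AccountSet SetFlag value that disables the master key

def describe_amount(amount) -> str:
    """XRP arrives as a string of drops; issued currencies as an object."""
    if isinstance(amount, str):
        return f"{int(amount) / 1_000_000:g} XRP"
    return f"{amount['value']} {amount['currency']} issued by {amount['issuer']}"

def review_transaction(tx: dict) -> tuple:
    """Return (summary, warnings): what the wallet should display for the
    unsigned transaction, plus loud warnings whenever it hands signing
    authority to a key the user does not control."""
    ttype = tx.get("TransactionType")
    summary = f"{ttype} from {tx.get('Account')}"
    warnings = []
    if ttype == "SetRegularKey":
        key = tx.get("RegularKey")  # an omitted RegularKey only clears it
        if key and key not in MY_KEYS:
            warnings.append(f"SetRegularKey lets {key} sign as you; not one of your keys")
    elif ttype == "SignerListSet":
        signers = [e["SignerEntry"]["Account"] for e in tx.get("SignerEntries", [])]
        unknown = [s for s in signers if s not in MY_KEYS]
        if unknown:
            warnings.append(f"SignerListSet adds signers you do not control: {', '.join(unknown)}")
    elif ttype == "AccountSet" and tx.get("SetFlag") == ASF_DISABLE_MASTER:
        warnings.append("AccountSet disables your master key; no 'verification' needs this")
    elif ttype == "Payment":
        summary += f": sends {describe_amount(tx['Amount'])} to {tx.get('Destination')}"
    return summary, warnings
```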
What the course unlocks
Passing Custody 101 unlocks sends up to €2,500/day. You also become eligible for Custody 201 (passkey & 2FA), which lifts the cap further and covers hardware-wallet pairing in detail.
The exam is 25 questions, 60 seconds each. 70% to pass. The Locksmith awaits.
Good luck.