Stablecoin Impersonation Threats Expanding Across Malicious Tokens and dApps
Introduction
Stablecoins first emerged roughly a decade ago as a tool for crypto traders seeking a reliable on-ramp and off-ramp between volatile assets and stable value. For their first several years, they existed primarily on the margins: useful for hedging positions and providing liquidity on exchanges, but far from mainstream.
That changed around 2019. The combination of DeFi's rapid growth, increasing institutional interest, and demand for dollar-denominated digital assets drove stablecoin adoption into an inflection point. Total stablecoin market capitalization surged from under $5 billion in 2019 to over $230 billion by early 2026, making stablecoins the second-largest crypto asset class behind Bitcoin.
That growth has also expanded the attack surface. Stablecoins now carry exposure to a range of distinct threat vectors, each affecting different parts of the ecosystem. Token and dApp impersonation exploit end-user trust, targeting the wallets and platforms people interact with daily. Approval phishing and malicious contract interactions put individual assets at risk the moment a user signs a transaction. De-peg events and anomalous onchain activities threaten protocol stability and institutional positions. And illicit flow patterns, from laundering to sanctions evasion, create compliance exposure for exchanges and on-ramps alike.

Research: Key Findings
Impersonation scams, specifically, are nothing new in crypto: attackers have always followed whatever captures the market's attention. As stablecoins have moved to the center of that attention, they've become a prime target. The same brand recognition that makes USDT and USDC useful to hundreds of millions of users also makes them valuable to impersonate. The result: a measurable rise in stablecoin-specific impersonation across both fraudulent tokens and malicious dApps.
Blockaid’s Threat Intelligence research team identified two primary attack channels targeting stablecoin users in 2025: malicious dApps leveraging trusted stablecoin branding, and fraudulent tokens designed to deceive through name impersonation.
dApp Impersonation
4,200+ malicious dApps detected using stablecoin branding in URLs and page titles. Peak activity occurred between October–November, with 661 new malicious dApps deployed in a single month. Blockaid identified over 2,100 unique victim addresses that interacted with these threats, preventing an estimated $2.5M in potential losses.
Token Impersonation
54,000+ fraudulent stablecoin tokens identified out of 17M+ total token deployments since the GENIUS Act passed. USDT impersonations dominated with 34,000+ deployments, followed by USDC with ~12,000 deployments—reflecting attackers' strategy of targeting the most recognized brands.
How Do Attackers Deploy Malicious dApps That Impersonate Stablecoins?
Malicious dApps exploit the high trust users place in established stablecoin brands. By incorporating recognizable branding into URLs, page titles, and visual design, attackers create convincing facades that lure users into connecting wallets and signing malicious transactions.
1. Scale and Timing: Throughout 2025, Blockaid detected an average of 80 new deployments of malicious dApps using stablecoin branding per week. Activity peaked sharply in Q4, with October and November alone accounting for 661 new malicious dApps, suggesting coordinated campaigns timed to coincide with increased market activity.
2. Target Distribution: USDT and USDC were the most frequently impersonated brands, collectively representing the vast majority of detected malicious dApps. This concentration reflects the market reality: attackers prioritize brands with the highest recognition and liquidity.

3. Chain Analysis: Over 87% of dApp impersonation cases targeted Ethereum, followed by BNB Smart Chain (10%) and Polygon (1%). This distribution reflects both Ethereum's position as the primary DeFi settlement layer and the relative maturity of its stablecoin ecosystem.

dApp Attack Methodology
Understanding how these attacks are constructed and distributed is essential for building effective defenses.
1. Template Sourcing: Attackers often source templates from drainer-as-a-service providers, who maintain extensive libraries of malicious dApp templates mimicking popular blockchain interfaces. These templates replicate the visual design, user flows, and branding of legitimate stablecoin-related applications with high fidelity.

2. Distribution: Once deployed, attackers distribute malicious dApps through multiple channels: social media campaigns hijacking trending topics on X and Telegram; targeted phishing via email and direct messages impersonating DeFi protocols; and fraudulent content including fake YouTube tutorials and AI-generated celebrity endorsements.
Primary Theft Mechanisms
1. Seed Phrase Harvesting: The dApp presents a deceptive interface—typically disguised as a 'security update' or 'wallet synchronization'—prompting users to enter their recovery phrase. Once captured, attackers gain full control over the victim's wallet and all associated assets.
2. Malicious Transaction Approvals: The dApp triggers a wallet connection request followed by a transaction signature prompt. Rather than executing a legitimate interaction, signing grants the attacker's smart contract permission to drain specific assets without further user authorization.
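A wallet or platform can surface what an approval prompt actually grants by decoding the calldata before the user signs. The following is an added example, not Blockaid's code: the spender allowlist, the "effectively unlimited" threshold and the sample calldata are assumptions constructed for illustration; the three function selectors are the standard ERC-20/ERC-721 ones.

```python
# Standard function selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
# Hypothetical spender allowlist maintained by the platform (constructed value).
TRUSTED_SPENDERS = {"0x" + "11" * 20}
# Assumed heuristic: allowances at or above this are effectively unlimited.
UNLIMITED_THRESHOLD = 2**255

def analyze_calldata(data_hex: str, trusted=TRUSTED_SPENDERS) -> dict:
    """Decode approval-style calldata and return a verdict for the signing UI."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = SELECTORS.get(data[:8])
    if signature is None:
        return {"function": None, "risk": "none"}
    args = data[8:]
    if len(args) < 128:  # two 32-byte ABI words are required
        return {"function": signature, "risk": "high",
                "reason": "malformed arguments"}
    spender = "0x" + args[24:64]    # address is right-aligned in word 0
    value = int(args[64:128], 16)   # uint256 amount, or bool for operators
    operator_grant = signature.startswith("setApprovalForAll")
    if value == 0:
        risk, reason = "none", "zero value: revokes or grants nothing"
    elif spender in trusted:
        risk, reason = "low", "spender is on the allowlist"
    elif operator_grant or value >= UNLIMITED_THRESHOLD:
        risk, reason = "high", "unlimited access for an unknown spender"
    else:
        risk, reason = "medium", "bounded allowance for an unknown spender"
    return {"function": signature, "spender": spender, "value": value,
            "risk": risk, "reason": reason}

# Constructed sample: approve(0xbb...bb, 2**256 - 1) from an unknown dApp.
SAMPLE_UNLIMITED_APPROVAL = "0x095ea7b3" + "00" * 12 + "bb" * 20 + "ff" * 32
```

Signature-based grants such as EIP-2612 `permit` are signed off-chain as typed data and never appear as calldata from the user's wallet, so they need a separate check on the signing request itself.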

How Do Attackers Deploy Scam Tokens That Impersonate Stablecoins?
Since the GENIUS Act was signed into law in July 2025, token impersonation has accelerated dramatically. Attackers deploy fraudulent tokens bearing the names and symbols of legitimate stablecoins, relying on user familiarity with these brands to obscure the deception.
1. Scale of the Problem: Out of more than 17 million total tokens deployed, Blockaid detected over 2.1 million malicious token instances. Of these, 54,000 were identified as fraudulent impersonations of the top 20 stablecoins—representing a concentrated attack on the most trusted assets in the ecosystem.

2. Impersonation by Stablecoin: USDT led with over 34,000 fraudulent deployments, followed by USDC with approximately 12,000. This distribution directly mirrors market share—attackers bet that victims will overlook subtle discrepancies in token symbols when they see a familiar name.

3. Chain Distribution: The distribution of impersonation tokens across chains closely mirrors the actual utility and liquidity of each stablecoin on its respective host chain. Attackers follow the liquidity, concentrating efforts where the largest pools of potential victims transact.

Token Impersonation Techniques
Attackers employ several distinct methods to place fraudulent tokens in front of potential victims:
1. Dusting: Scammers send (or 'dust') small amounts of fake tokens directly to active wallets. When users attempt to swap these tokens on a DEX—believing them to be legitimate airdrops—they discover the tokens have no value. Worse, the transaction itself may trigger additional malicious approvals.
2. Memo Injection: On networks supporting transaction memos (such as Hedera and Solana), attackers exploit the metadata field to insert fake token symbols or malicious contract addresses. They rely on victims' tendency to copy-paste information directly from transaction history.
3. Homoglyph Attacks: Attackers deploy spoofed dApps using Cyrillic or other Unicode characters that appear identical to Latin letters but resolve to completely different contract addresses. A URL reading 'usdc.com' might actually use a Cyrillic 'c' that directs to an attacker-controlled site.
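Both name impersonation and homoglyph spoofing can be caught by folding the displayed string to the brand a human would read, then checking it against the canonical contract or the hostname's script mix. The following is an added example, not Blockaid's detection logic: the confusables table is a small constructed subset (a production check would load the full Unicode UTS #39 data), the allowlist covers only the Ethereum mainnet USDT and USDC contracts, and all function names are hypothetical.

```python
import unicodedata

# Canonical Ethereum mainnet contracts (other chains need their own entries).
CANONICAL = {
    "USDT": "0xdac17f958d2ee523a2206206994597c13d831ec7",
    "USDC": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
}
# Constructed subset of Cyrillic/Greek look-alikes mapped to Latin letters.
CONFUSABLES = str.maketrans({
    "\u0421": "C", "\u0441": "c", "\u0422": "T", "\u03a4": "T",
    "\u0405": "S", "\u0455": "s", "\u0410": "A", "\u0430": "a",
    "\u0415": "E", "\u0435": "e", "\u041e": "O", "\u043e": "o",
})

def skeleton(text: str) -> str:
    """Fold a displayed name to the ASCII brand a human would read it as."""
    text = unicodedata.normalize("NFKC", text).translate(CONFUSABLES)
    # Drop invisible format characters (zero-width space etc.) and spaces.
    visible = (ch for ch in text if unicodedata.category(ch) != "Cf")
    return "".join(visible).replace(" ", "").upper()

def scripts(text: str) -> set:
    """Scripts of the letters in text, taken from Unicode character names."""
    return {unicodedata.name(ch, "?").split()[0] for ch in text if ch.isalpha()}

def classify_token(symbol: str, address: str) -> str:
    """Compare a token's symbol and contract address with the allowlist."""
    brand = skeleton(symbol)
    if brand not in CANONICAL:
        return "unrelated"
    if address.lower() == CANONICAL[brand]:
        return "canonical"
    # Same brand, wrong contract: exact-name copy or a look-alike spelling.
    if symbol.upper() == brand:
        return "name-impersonation"
    return "lookalike-impersonation"

def domain_report(host: str) -> dict:
    """Punycode form of a hostname and whether any label mixes scripts."""
    host = host.lower()
    return {
        "ascii": host.encode("idna").decode("ascii"),
        "mixed_script": any(len(scripts(lbl)) > 1 for lbl in host.split(".")),
    }
```

Displaying the `ascii` (punycode) form in place of the Unicode hostname makes a spoofed label visibly different from the genuine one.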

2026 Outlook: Stablecoin Threat Landscape
Based on 2025 threat intelligence and emerging trends, Blockaid anticipates several key developments in the stablecoin threat landscape:
- AI-Powered Attacks at Scale: Expect attackers to leverage generative AI for more convincing phishing content, deepfake celebrity endorsements, and automated social engineering campaigns. The barrier to deploying sophisticated attacks will continue to drop, making proactive detection essential.
- Multi-Chain Attack Expansion: While Ethereum dominated in 2025, the diversification of token impersonation attacks across Base, Arbitrum, and other L2s signals attackers will increasingly target emerging chains with less mature security infrastructure.
- Regulatory Compliance as Attack Vector: As GENIUS Act regulations take effect, attackers will exploit compliance messaging—fake KYC verifications, fraudulent regulatory notices, and phishing campaigns disguised as official compliance requirements.
- Emerging Stablecoin Targeting: New institutional stablecoins (PYUSD, RLUSD, USDG) will become prime targets as they gain market share. Attackers follow liquidity—expect impersonation attacks to track adoption curves closely.
How Blockaid Detects and Prevents Stablecoin Impersonation in Real Time
Stablecoin impersonation attacks exploit the exact surfaces users trust most, from dApp interfaces to token discovery to transaction signing. Preventing these attacks requires real-time detection and intervention at every step of the user journey, before a malicious interaction is ever completed.
Blockaid embeds security directly into these touchpoints, enabling platforms to detect and block impersonation threats before users are exposed.
- dApp Scanning: Real-time detection of malicious dApps leveraging stablecoin branding, allowing platforms to warn users and block connections before a wallet is ever linked to a phishing interface.
- Token Scanning: Continuous identification of impersonation tokens across chains, ensuring fraudulent assets are flagged or removed before they appear in token lists, search results, or user portfolios.
- Transaction Security: Pre-execution analysis of transactions to surface hidden approvals, malicious contract behavior, and unexpected fund movements, stopping drainer activity at the final point before assets leave the wallet.
Stablecoin risk does not stop at the user interface. The same threats that target users can propagate across protocols, treasury operations, and onchain infrastructure, where visibility and control are often limited.
- Cosigner: Behavior-based transaction validation embedded directly into signing workflows, enforcing policy controls and preventing malicious or unintended transactions before execution.
- Onchain Monitoring: Continuous monitoring of contracts, wallets, and token activity to detect anomalies, investigate threats, and trigger response as risks emerge across the ecosystem.
As attackers scale impersonation campaigns across chains and surfaces, security must move just as fast. Protection cannot rely on a single checkpoint. It requires continuous coverage across every interaction, transaction, and system.
About Blockaid
Blockaid is the onchain security platform trusted by the largest companies operating in Web3. Built by veterans of elite intelligence and cybersecurity units, Blockaid provides end-to-end protection for financial institutions, protocols, and end users — combining direct wallet and dApp integrations with real-time monitoring, detection, and response across smart contracts, infrastructure, and externally owned accounts. Since 2025, Blockaid has scanned 6.3+ billion transactions and blocked 585+ million attacks. Blockaid is the security infrastructure behind Coinbase, MetaMask, Uniswap, Safe, and dozens of the most widely used platforms in the industry.
Learn more at blockaid.io, and follow us on Twitter and LinkedIn.

