The iScans Fake Crypto Tracker Scam represents a deceptive scheme targeting cryptocurrency enthusiasts through fraudulent tracking applications and phishing websites. This threat masquerades as legitimate cryptocurrency portfolio management software, luring victims with promises of real-time crypto tracking, price alerts, and portfolio analytics. Once installed or engaged with, these fake trackers harvest login credentials for genuine cryptocurrency exchanges, steal wallet private keys, and can completely drain victims' digital assets.

iScans Fake Crypto Tracker Scam — cybersecurity illustration
Photo by Markus Winkler on Pexels

Unlike traditional malware that spreads indiscriminately, this scam deliberately targets individuals who actively trade or hold cryptocurrency—people with valuable digital assets worth stealing. The perpetrators behind iScans operate sophisticated phishing campaigns and clone legitimate-looking applications to maximize their success rate.

Think you've installed a fake crypto tracker or entered credentials into one? Immediately transfer any cryptocurrency holdings to a new wallet with a fresh private key. Change passwords on all your exchange accounts from a clean device. Do not attempt to uninstall the application first—secure your assets before taking any other action. Call us at (770) 666-9617 if you need immediate guidance on securing your crypto holdings while we clean your machine.

Threat Profile

AttributeDetails
Threat TypeCredential phishing scam, infostealer, fake application
FamilyCryptocurrency-targeted scam/PUP (Potentially Unwanted Program)
AliasesiScans crypto tracker, fake portfolio tracker, crypto phishing app
Target PlatformWindows, macOS, Android; web-based phishing pages (cross-platform)
Distribution MethodMalvertising, fake app stores, social media promotions, YouTube sponsorships, cloned websites
Primary GoalCredential theft for cryptocurrency exchanges, wallet private key extraction, clipboard hijacking
Data TargetedExchange login credentials, 2FA backup codes, wallet seed phrases, private keys, browser-stored passwords
Persistence MechanismBrowser extensions, startup registry entries, scheduled tasks (varies by delivery method)
Encryption/ObfuscationModerate—uses encrypted communications to exfiltrate data, may employ basic code obfuscation
Network BehaviorExfiltrates credentials to attacker-controlled servers; may perform clipboard monitoring for wallet addresses
Detection DifficultyModerate—often signed with legitimate-looking certificates, mimics genuine applications
Removal DifficultyLow to moderate—standard uninstallation procedures work, but damage (stolen credentials) already done

How It Spreads

The iScans Fake Crypto Tracker Scam employs sophisticated social engineering tactics that exploit the cryptocurrency community's constant search for better portfolio management tools. Scammers invest heavily in making their fake applications appear legitimate, often paying for social media advertising, YouTube sponsorships, and search engine placement to reach victims who are actively seeking crypto tracking solutions.

The fraudulent applications and websites are designed to closely mimic legitimate cryptocurrency services, using professional-looking interfaces, fabricated user testimonials, and even fake "media coverage" to build trust. Many victims discover these fake trackers through seemingly legitimate channels, which is precisely what makes this scam so effective—the distribution itself appears above-board.

Common distribution vectors include:

  • Malicious advertisements on legitimate websites — Paid ads on Google, social media platforms, and crypto news sites that promote fake tracking applications, often ranking higher than legitimate alternatives
  • YouTube sponsorships and influencer promotions — Compromised or paid influencer accounts promoting the fake tracker in videos about cryptocurrency trading
  • Cloned websites of legitimate services — Nearly identical copies of real crypto tracker websites with slightly altered domain names (typosquatting)
  • Fake app store listings — Fraudulent applications uploaded to third-party app stores or distributed as standalone installers outside official channels
  • Browser extension stores — Malicious extensions that claim to provide crypto price tracking directly in the browser
  • Social media direct messages — Targeted DMs from fake accounts suggesting you try their "amazing new portfolio tracker"
  • Email phishing campaigns — Messages claiming to be from legitimate crypto services suggesting you upgrade to their tracking platform

What It Does On Your Machine

Once installed or engaged with, the fake crypto tracker begins its primary mission: stealing anything that can provide access to your cryptocurrency holdings. If delivered as an installed application, it immediately requests permissions that seem reasonable for a portfolio tracker but are actually designed to facilitate theft. The application may ask for API keys to "sync" with your exchange accounts, request access to your clipboard "for easy wallet address copying," or prompt you to enter your exchange credentials "to import your portfolio automatically."

The credential harvesting happens in multiple ways. Web-based phishing pages simply capture whatever you type into fake login forms, transmitting the data to attacker servers in real-time. Installed applications take a more invasive approach, monitoring your clipboard for cryptocurrency wallet addresses and replacing them with addresses controlled by the attackers—meaning when you paste what you think is your wallet address, you're actually pasting the scammer's address. Some variants deploy keyloggers to capture everything you type, specifically looking for seed phrases, passwords, and private keys.

Browser-based variants often install extensions that inject themselves into legitimate exchange websites, creating fake overlay forms that capture your login credentials before passing you through to the real site. You successfully log in to your actual exchange account, never knowing that the scam extension captured your username and password along the way. More sophisticated versions monitor for authentication tokens and session cookies, allowing attackers to hijack your active sessions without ever needing your password.

Typical Filesystem and Registry Artifacts (Windows variant example):
Installation folder: %LOCALAPPDATA%\iScansTracker\ %APPDATA%\CryptoTrackerPro\tracker.exe Browser extension paths: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\[random-id]\ %APPDATA%\Mozilla\Firefox\Profiles\[profile].default\extensions\crypto-tracker@scam.xpi Persistence registry keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoTracker HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\iScansUpdate Data exfiltration logs (sometimes left behind): %TEMP%\~ctrack.tmp %APPDATA%\iScans\logs\capture.dat Warning: File and folder names vary by variant; some use randomized GUIDs for stealth

The scam's ultimate damage isn't the presence of files on your system—it's the information already stolen. By the time most victims realize they've been compromised, their exchange credentials have been sold on dark web markets or their wallets have been drained. The installed components may remain on the system to continue monitoring for new credentials or to clipboard-hijack future cryptocurrency transactions.

Manual Removal — Step by Step

01

Secure Your Cryptocurrency Assets Immediately

Before touching the infected computer, use a clean device (smartphone, different computer) to transfer all cryptocurrency holdings to new wallets with fresh private keys. Change passwords on all exchange accounts from the clean device. This step comes first because the malware may detect removal attempts and trigger immediate asset theft.

02

Disconnect From Network

Unplug the ethernet cable or disable WiFi to prevent the scam application from communicating with its control servers. This stops further credential exfiltration and may prevent the attackers from receiving notification that you're attempting removal.

03

Boot Into Safe Mode With Networking

Restart your computer into Safe Mode to prevent the fake tracker from loading its persistence mechanisms. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and press F5 for Safe Mode with Networking. The networking component lets you download removal tools if needed.

04

Uninstall the Fraudulent Application

Open Control Panel → Programs and Features (or Settings → Apps on Windows 11) and look for any recently installed cryptocurrency-related applications you don't recognize. Uninstall anything suspicious. Common names include variations of crypto tracker, portfolio manager, or price alert tools you didn't intentionally install from official sources. Check the installation date—if it coincides with when you started seeing suspicious behavior, remove it.

05

Remove Malicious Browser Extensions

Open each web browser you use and check for unauthorized extensions. In Chrome, navigate to chrome://extensions; in Firefox, go to about:addons. Remove any crypto-related extensions you don't remember installing, paying special attention to anything claiming to track prices, manage portfolios, or enhance exchange websites. Legitimate trackers like CoinGecko or Blockfolio have official extensions, but if you didn't install them yourself, remove them.

06

Clean Persistence Mechanisms

Press Windows+R, type "msconfig" and hit Enter. Under the Startup tab (or open Task Manager → Startup tab on Windows 10/11), disable any crypto tracker entries. Then press Windows+R again, type "taskschd.msc" to open Task Scheduler, and look through the task list for anything related to the fake application. Delete suspicious scheduled tasks that might restart the scam software.

07

Delete Installation Folders and Remnants

Navigate to %LOCALAPPDATA% and %APPDATA% (paste these into File Explorer's address bar) and manually delete any folders related to the fake tracker. Common names include variations of "iScans," "CryptoTracker," or generic-sounding names with GUIDs. Empty your Recycle Bin afterward.

08

Run Malwarebytes or Another Reputable Scanner

Download and install Malwarebytes (free version works fine) and run a full system scan. This catches components you may have missed and identifies any additional malware that might have been bundled with the fake tracker. Quarantine and remove everything it finds.

09

Reset Browser Settings and Clear Saved Passwords

In each browser, reset settings to defaults to remove any lingering modifications made by the scam. More importantly, clear all saved passwords—the fake tracker may have accessed your browser's password store. You'll need to re-enter passwords on sites you visit, but this prevents attackers from using stolen browser data.

10

Change All Passwords From a Clean Device

Using a different, uninfected computer or smartphone, change passwords for every account that was accessible from the infected machine—especially email, exchange accounts, and any services linked to financial accounts. Enable or reset two-factor authentication on everything. If you stored seed phrases or private keys in files on the infected computer, consider those wallets compromised and abandon them after transferring funds.

11

Reboot Normally and Monitor for Recurrence

Restart your computer in normal mode and verify that the fake tracker doesn't reappear. Monitor your cryptocurrency accounts closely for the next several weeks. Watch for unauthorized login attempts, unexpected withdrawals, or API key usage. Consider this a good time to review and strengthen your overall crypto security practices.

Prevention

  1. Only download crypto apps from official sources — Stick to the official websites of established services like CoinGecko, Blockfolio/FTX, or CoinMarketCap. Never install crypto-related software from ads, social media links, or third-party download sites. If an influencer promotes a tracker you've never heard of, research it extensively before installing.
  2. Never enter exchange credentials into third-party applications — Legitimate portfolio trackers use read-only API keys, not your username and password. If an application asks for your exchange login credentials instead of API integration, it's a scam. Real services connect via official APIs that don't require your password.
  3. Verify domain names character-by-character — Scammers register domains that look nearly identical to legitimate services (coinbase-tracker.com vs coinbase.com/tracker). Before entering any information, verify you're on the correct domain. Bookmark legitimate sites rather than clicking search results or ads.
  4. Use hardware wallets for significant holdings — Keep substantial cryptocurrency amounts in hardware wallets (Ledger, Trezor) that aren't connected to internet-connected devices. This makes it impossible for credential-stealing malware to access these funds, even if your computer is compromised.
  5. Enable withdrawal whitelisting on exchanges — Most major exchanges let you whitelist specific wallet addresses and require additional verification for withdrawals to new addresses. Enable this feature so even if attackers get your credentials, they can't immediately drain your exchange account.
  6. Treat seed phrases and private keys like cash — Never type seed phrases into any computer or store them in digital files. Write them on paper and store them securely offline. Any application that asks you to enter your seed phrase is attempting theft—legitimate software never needs this information.
  7. Scrutinize browser extensions before installation — Check the publisher, read recent reviews, and verify the extension's permissions before installing. Crypto-related extensions should have thousands of users and established reputations. When in doubt, skip the extension and use the service's website directly.
  8. Maintain skepticism toward too-good-to-be-true features — If a crypto tracker claims to provide trading signals, guaranteed returns, or "insider information," it's a scam. Legitimate trackers display prices and portfolio values—they don't make investment promises or guarantee profits.
Our 90-Day Warranty — When Computer Repair Roswell removes the iScans Fake Crypto Tracker Scam from your system, we guarantee the work. If the same threat returns within 90 days, we'll clean it again at no charge. We'll also help you implement proper crypto security practices so you don't fall victim to similar scams in the future.

Bring It In

Cryptocurrency scams hit differently than regular malware because the damage is usually immediate and irreversible. While we can certainly clean your computer and make sure every trace of the fake tracker is gone, the more urgent concern is securing whatever crypto assets you still control. If you've installed a fake crypto tracker or suspect you've been targeted by this scam, call us right away at (770) 666-9617. We can walk you through the critical first steps to protect your holdings while you bring the computer to our Roswell location.

Beyond removal, we'll help you understand exactly what information was compromised and what steps you need to take with each affected service. We can show you how to properly secure cryptocurrency going forward, including hardware wallet setup and exchange security hardening. Our shop is located in Roswell, Georgia, and we see these crypto-targeting scams regularly enough to know exactly what to look for. Don't wait—the longer the scam application remains on your system, the more opportunity attackers have to find and steal additional credentials.