Investigation Methodology
Every CryptoKiller threat score is built from six categories of evidence, each weighted according to its correlation with documented consumer harm. This page documents the complete methodology: what we measure, how we measure it, where the evidence comes from, how scores are calculated, how we handle edge cases, and what corrections process applies if we get something wrong. Nothing below is proprietary — the methodology is published in full so any reader can audit our conclusions against our evidence.
The six evidence categories
We score every brand across six categories. Each category contributes to the final threat score out of 100. The categories were chosen because each has an independently documented correlation with consumer harm in crypto fraud, established through regulatory enforcement actions, academic research, and our own investigation archive.
- Ad creative volume — total number of paid advertisements we have captured for the brand across all networks and geographies. Higher volume indicates larger marketing spend and greater victim exposure.
- Geographic targeting spread — number of countries in which we have captured active ads for the brand. Multi-jurisdictional targeting is a documented signal of organised rather than opportunistic fraud.
- Celebrity impersonation — count of public figures whose likeness, voice, or video appears in the brand's advertising without authorisation. Deepfake celebrity endorsement is among the strongest individual predictors of fraud in our archive.
- Funnel and registration patterns — signals from the landing page and deposit funnel: domain age, WHOIS privacy, SSL certificate issuer, payment processor, withdrawal friction, KYC patterns, and the step sequence from ad-click to deposit.
- Regulatory and infrastructure signals — explicit warnings from recognised regulators (FCA, SEC, ASIC, CONSOB, AMF, BaFin, and equivalents in every jurisdiction we cover), blocklist entries from payment processors, domain takedowns, and hosting infrastructure shared with known scam operations.
- Historical pattern matching — similarity to brands we have previously confirmed as fraudulent, measured across advertising creative, domain patterns, payment infrastructure, and funnel design.
Where the evidence comes from
The ad-creative evidence comes from CryptoKiller, our proprietary ad-surveillance platform. CryptoKiller continuously scans paid advertising on major ad networks in 84+ countries, capturing creative assets, landing-page destinations, and geographic targeting. CryptoKiller data is collected from publicly visible advertising — we do not access private ad dashboards and we do not pay for data we are not entitled to see.
Regulatory evidence comes directly from regulator bulletin pages. When we cite a regulator warning, we link to the specific bulletin. We do not cite "the regulator said" without linking the exact source.
Funnel evidence is collected by our analysts through manual inspection of landing pages, deposit flows, and withdrawal processes — without depositing real funds. When real-money interaction is required to establish a finding (for example, documenting a withdrawal-block), we note that explicitly and limit our claims to what can be established without participation.
Victim reports submitted through our /report form are cross-referenced with ad-surveillance data. We only incorporate a submitted claim into a published investigation when it is independently corroborated by at least one other evidence source.
How the threat score is calculated
The threat score is a weighted sum of normalised values across the six categories, producing a number between 0 and 100. The weights reflect each category's historical correlation with confirmed fraud in our archive — celebrity impersonation and regulatory warnings carry the heaviest weight, historical pattern matching the lightest.
A score of 0-19 is assigned to brands with insufficient signal for any conclusion — we explicitly avoid publishing these as "clean" because absence of evidence is not evidence of absence. A score of 20-39 indicates watchlist status: notable signals but not yet conclusive. 40-59 is elevated risk with multiple serious red flags. 60-79 is high risk with strong evidence of fraudulent activity. 80+ is a confirmed scam with regulator-issued warnings, multiple jurisdictional enforcement actions, or documented consumer harm.
The score is a guide, not a verdict. Every investigation page presents the full evidence so the reader can form their own conclusion. We encourage readers to consult the cited regulators directly before acting on any financial decision.
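The weighted-sum calculation and score bands described above, as an added example that is not CryptoKiller's own code. The numeric weights, saturation caps, category key names and the two-category minimum are assumptions; the page states only the relative ordering of the weights, the band boundaries, and that brands with too little evidence are left unscored.

```python
# Added illustration. Weights, caps and MIN_CATEGORIES are assumptions; only the
# weight ordering and the band boundaries come from the page.
CATEGORIES = {  # name: (weight, raw value at which the category saturates)
    "ad_volume": (0.15, 500),              # captured ad creatives
    "geo_spread": (0.15, 40),              # countries with active ads
    "celebrity_impersonation": (0.25, 5),  # heaviest, per the page
    "funnel_patterns": (0.15, 7),          # funnel red flags observed
    "regulatory_signals": (0.25, 3),       # heaviest, per the page
    "historical_match": (0.05, 1.0),       # lightest, per the page (similarity 0..1)
}
BANDS = [(80, "confirmed scam"), (60, "high risk"), (40, "elevated risk"),
         (20, "watchlist"), (0, "insufficient signal")]
MIN_CATEGORIES = 2  # assumed threshold for "enough evidence across multiple categories"

# The weights must sum to 1 so the result stays within 0..100.
assert abs(sum(w for w, _ in CATEGORIES.values()) - 1.0) < 1e-9


def normalise(raw, cap):
    """Scale a raw measurement to 0..1, saturating at the cap."""
    return max(0.0, min(raw / cap, 1.0))


def threat_score(evidence):
    """evidence maps category name -> raw value; categories with no data are omitted.

    Returns (score, band), or (None, "unscored") when too few categories have data.
    """
    unknown = set(evidence) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    if len(evidence) < MIN_CATEGORIES:
        return None, "unscored"
    total = sum(w * normalise(evidence.get(name, 0), cap)
                for name, (w, cap) in CATEGORIES.items())
    score = round(100 * total)
    band = next(label for floor, label in BANDS if score >= floor)
    return score, band


# Constructed sample brand, not taken from any real investigation.
SAMPLE = {"ad_volume": 250, "geo_spread": 20, "celebrity_impersonation": 5,
          "funnel_patterns": 7, "regulatory_signals": 3, "historical_match": 1.0}

if __name__ == "__main__":
    print(threat_score(SAMPLE))
```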
Editorial process
Every investigation moves through five stages: automated detection (CryptoKiller flags the brand), evidence collection (analyst gathers ad creatives, funnel screenshots, domain records, regulator bulletins), analysis and scoring (evidence is weighed against the six-category framework), human editorial review (a second analyst independently verifies the evidence and scoring), and publication (the investigation is published with a named byline).
Investigations are revisited when new evidence emerges — a new regulator warning, a domain change, a payment-processor update, or a victim report. When an update changes the threat score by more than 10 points, we republish with a change-log entry.
No investigation is ever published without passing human editorial review. No investigation is ever unpublished without a documented reason. The full edit history of every published investigation is available on request.
Corrections and disputes
If a subject of an investigation, a victim, a regulator, or any other party believes we have published something inaccurate, the correction path is to email corrections@cryptokiller.org with the URL and a clear explanation of the error. We review every correction request on the merits. Meritorious corrections result in a dated correction notice on the affected page. Substantive factual errors may result in a full retraction — in which case the original URL is preserved with a visible retraction notice, so the record remains auditable.
We do not charge for corrections. We do not condition corrections on payment, silence, partnership, or any other consideration. A correction request is evaluated solely on whether the factual claim in question can be sustained against the cited evidence.
Frequently Asked Questions
Can a brand pay to have its threat score lowered?
No. Threat scores are calculated from evidence. The only way to change a score is to change the underlying evidence — for example, by ceasing the advertising campaign we are tracking, or by becoming licensed in the jurisdictions where we documented regulatory violations. A brand asking to pay for score changes would be logged as part of the investigation and published.
Why do some investigations have scores and others don't?
We only assign a threat score when we have enough evidence across multiple categories to make it meaningful. Brands with very limited signal are not scored — we publish them as watchlist entries with the available evidence but no numeric score, because a score based on insufficient evidence is worse than no score at all.
Who decides which regulators you cite?
We cite the regulator or law-enforcement agency with jurisdiction over the advertising or victim location for each specific fact. If the brand advertises to UK consumers, we cite the FCA. If it advertises to U.S. consumers, the SEC, FTC, and CFTC as applicable. If it advertises to Australian consumers, ASIC. The choice of regulator follows the jurisdiction, not our editorial preference.
How do you handle a brand that changes its domain or rebrands?
We track brand identity through advertising creative, funnel infrastructure, and payment processing — not just domain names. When a known scam operation rebrands or moves to a new domain, we typically detect the continuation through CryptoKiller ad-creative similarity and publish a new investigation with a cross-reference to the previous entity.
Are your investigations peer-reviewed?
Every investigation goes through internal peer review: a second analyst independently verifies evidence and scoring before publication. We also publish the full evidence base alongside every investigation, so external peer review is possible. Academic researchers studying crypto fraud can contact us for archive access.