If you've ever wondered whether a link was safe to click, Unphurl is for you.
How @Unphurl_bot works, what it looks for, and how crypto link scams actually operate. Straight answers.
Using @Unphurl_bot
What does @Unphurl_bot actually do?
Send a link you're not sure about. Unphurl checks it against known scam lists, looks at when the domain was registered, where the site is hosted, and where the link actually takes you. It tells you what it found. You decide whether to click.
How do I start using @Unphurl_bot?
Search @Unphurl_bot on Telegram and tap Start. You are on the free plan immediately. No credit card, no account setup. Paste any link into the chat and Unphurl returns a report within seconds. The free plan includes 10 checks per month. Paid plans with more checks are available inside the bot using /start.
What does Unphurl check on every link?
Every check looks at six things. Known scam lists: four live databases checked fresh on every request. ScamSniffer (346,000+ known scam sites), MetaMask (108,000+ flagged sites), OpenPhish (active scam sites updated twice daily), and URLhaus (sites currently spreading malicious software). Fake brand sites: lookalike addresses designed to pass a quick glance. How new the site is: when it was registered and when it expires. Where it's hosted: some hosting companies exist specifically to keep scam sites online. Where the link actually goes: some links pass you through two or three others before landing somewhere unexpected. Unphurl follows the full chain. Missing setup: real sites have standard configuration that scam sites, thrown together in a hurry, almost never do. All six run on every check, on every plan.
Can I use Unphurl to check a link I received in email, WhatsApp, Discord, or anywhere else?
Yes. Unphurl checks the link itself, not where it came from. If you receive a suspicious link in an email, a WhatsApp message, a Discord server, a text message, or anywhere else, paste it directly into @Unphurl_bot and you will get the same full report. Where you received the link does not matter. Just copy and paste it into the Unphurl_bot.
Why does Unphurl report facts instead of saying a link is safe or dangerous?
Pattern matching catches clues, not certainties. A site registered three days ago that appears on a known scam list is almost certainly dangerous. But "almost certainly" is not the same as a fact. @Unphurl_bot reports what it found. You decide what to do with that information. A tool that declares links "safe" creates false confidence and stops people from thinking carefully.
Does @Unphurl_bot work in Telegram group chats?
Yes. You can add @Unphurl_bot to any Telegram group or channel. Members can check links by sending them directly to the bot or mentioning it inline. This is useful for community managers in crypto groups, where phishing links are frequently posted by bad actors impersonating project announcements or support accounts.
Can Unphurl check shortened or redirected links like Bitly?
Yes. Unphurl follows every step of a redirect chain, up to 10 steps deep, checking each one along the way. A Bitly or t.co link that ends up at a scam site will show the full path and flag the final destination. Shortened links are one of the most common ways scammers hide where a link is really taking you.
What is the difference between the free and paid plans?
Every plan runs the same six checks on every link. The only difference is how many checks per month: Free (10), Starter (75), Active (200), Power (500). There is no reduced analysis on any plan. Upgrade inside Telegram using /start. Annual billing is available at approximately 50% off the monthly rate.
Does @Unphurl_bot store the links I check?
Links are processed to run the analysis. @Unphurl_bot does not maintain a browsing history tied to your Telegram identity.
How crypto link scams work
How do I know if a link is a scam?
Looking at a link is not enough. Scam sites use lookalike addresses, swapped letters, and fresh security certificates to appear legitimate. The facts that identify a scam link are hidden: how new the site is, who's hosting it, whether it's on known scam lists, and how it's configured. None of these are visible just by looking. In 2025, link-based scams accounted for 65% of all fraud incidents in the crypto sector.
What is a wallet drainer and how does it work?
A wallet drainer is a fake crypto app designed to steal everything in your wallet the moment you connect to it. When you connect your wallet and approve what looks like a routine step, you are actually giving the site permission to move your money. If you approve without limits, the attacker can empty your wallet at any time, even after you have closed the site. It only takes one approval. You never send anything directly to the attacker. You just gave them the keys.
What is approval phishing?
Approval phishing tricks you into giving a site permission to move the money in your wallet. That permission stays active even after you close the site or disconnect your wallet. Disconnecting only stops the site from seeing your wallet address. It does not cancel the permission you already gave. To cancel it, go to Revoke.cash, find the approval, and remove it. This requires a small transaction to confirm the cancellation.
What is a homograph attack?
A homograph attack substitutes visually identical Unicode characters for standard Latin letters in a domain name. The Cyrillic letter "а" is indistinguishable from the Latin "a" in most fonts at normal screen sizes. A domain using a Cyrillic character looks identical to the legitimate domain but resolves to a completely different server. @Unphurl_bot's brand impersonation analysis detects these character substitutions automatically on every check.
What is typosquatting?
Typosquatting is registering a domain that differs from a legitimate one by one or two characters. "binanace.com" instead of "binance.com", for example. The goal is for the victim to miss the variation when scanning a URL quickly. Unphurl checks for these patterns against a database of known crypto brands on every check.
Why are freshly registered domains a red flag?
Most scam sites are registered hours or days before they are used. Scammers create fresh sites to stay off known scam lists and to get a clean start on new hosting. Unphurl checks when the site was registered on every check. A site pretending to be a major crypto platform that was registered three days ago is a strong warning sign, regardless of how convincing it looks.
Does HTTPS mean a link is safe?
No. The padlock means your connection to the site is private. It says nothing about whether the site itself is trustworthy. Scam sites get the same padlock for free, automatically. A padlock icon is not a safety guarantee. Unphurl checks for it but treats it as one detail among many, not a sign that a link is safe.
What should I do if I connected my wallet to a suspicious site?
Act immediately. Go to Revoke.cash and check what permissions you have active. Cancel any you did not intentionally approve. If you entered your seed phrase anywhere on the site (the 12 or 24 word recovery phrase for your wallet), your wallet is permanently compromised. Move any remaining funds to a new wallet right away. Disconnecting from the website does not cancel permissions you already gave and does not protect your money.
Why do crypto scams always create urgency?
Urgency stops you from thinking carefully. By claiming a free token offer is expiring, your account is being locked, or exclusive access ends in minutes, scammers push you to act before you can verify anything. This is behind most online scams. Real projects do not message you first and do not put countdown timers on anything security-related.
How do I spot a fake admin in an online group?
Fake admins copy the profile picture and display name of a legitimate admin and create a username with a single-character variation, such as swapping a lowercase L for a capital I, or adding an underscore. They will DM you first, which legitimate admins almost never do. If anyone messages you privately claiming to be a project admin, verify their exact username against the group's verified member list before responding.
What is bulletproof hosting?
Bulletproof hosting companies deliberately ignore reports of abuse and legal requests to shut sites down. Scam sites hosted with these companies stay live much longer than they otherwise would. Unphurl checks whether a site is hosted by one of these companies on every check.
What is the difference between disconnecting a wallet and revoking an approval?
Disconnecting stops a website from seeing your wallet address. It does not cancel any permissions you have already given. Those permissions stay active until you explicitly cancel them, regardless of whether you are still connected to the site. If you approved anything on a suspicious site, go to Revoke.cash to find and cancel those permissions. Disconnecting alone does not protect your money.
Check any link before you click it.
@Unphurl_bot checks six things on every URL. Free to start, no credit card, works inside Telegram.