May 22, 2026 · 10 min read
Texas and Florida Lost $90 Million to Crypto ATM Scams Last Year—78% of the Money Came From People Over 50, Lured to the Kiosk by an Email or Phone Call
The FBI's 2025 Internet Crime Report puts a number on a fraud category that has eaten through retirement accounts at hardware store kiosks. The mechanism is older than crypto. The losses are growing 58% a year.
The Numbers That Define the Scam Category
On May 20, 2026, The Record from Recorded Future News reported the FBI's 2025 Internet Crime Complaint Center figures broken out by state. Texas reported the most cryptocurrency kiosk fraud in the country, with $57 million in losses across 1,179 complaints. Florida came second with $32.7 million across 1,213 complaints. The states are not equally populated, but both cleared the threshold where the scam category became a top three consumer fraud loss vector for state attorneys general.
The national total for 2025 is $388 million across 13,400 reported complaints. The complaint count rose 23% from 2024, but the dollar losses rose 58%. Per case losses are getting bigger. The average loss per complaint in 2025 is roughly $29,000—a year ago it was closer to $22,000.
The age distribution is the part that should change how the category is regulated. Victims over fifty account for the majority of reported complaints and 78% of the dollars lost. The losses for people sixty and older are documented in prior FBI reports at roughly 86% of cases where the age was known. Crypto ATM fraud is not a youth phenomenon. It is the modern repackaging of the senior citizen wire transfer scam, with a different settlement layer.
The Mechanism, Step by Step
The FBI's reporting describes a uniform attack pattern across most of the cases. The contact begins with an email or a phone call. The pretext is one of a small number of templates: the victim's Social Security number has been flagged for fraud; their grandchild has been arrested and needs bail; their computer has malware and needs urgent tech support; a romantic relationship online needs a payment to clear customs.
The scammer keeps the victim on the phone continuously. They give specific instructions: drive to your bank, withdraw a specific amount in cash, drive to the nearest cryptocurrency ATM—often physically located in a 7-Eleven, a Circle K, or a tobacco shop—and deposit the cash. The ATM converts the cash to Bitcoin and sends it to a wallet address the scammer reads to the victim over the phone or sends by text. The victim does not understand what they have done until well after the transfer has cleared, at which point the wallet has been emptied through a mixer or off ramped through a non US exchange.
The FBI noted explicitly that criminals provide victims with "detailed information... on how to take money from their bank account, where to find a cryptocurrency kiosk and how to send the funds." The scam is not a complex social engineering operation. It is a long phone call with simple step by step directions, delivered to a target who has been frightened or manipulated into compliance.
Why the Email Is the Hook
Cold phone calls work for some of these scams, but the volume comes from email and SMS. The pretext email lands in the inbox claiming an issue with the recipient's Amazon account, their Social Security record, their Medicare benefits, or a delivery from a major retailer. The email contains a phone number to call. The victim calls the number. The scam begins.
From the operator's perspective, email is the right channel because it scales. A single campaign can hit millions of inboxes. Even at a vanishingly small response rate—say, one in ten thousand—the call volume is high enough to keep a call center of operators busy. The call centers are real, often located in Southeast Asia, and structurally indistinguishable from a normal customer service operation. The Record cites reporting that many of the operations are run by Chinese organized crime networks operating out of Cambodia and Myanmar.
The same email infrastructure that drives this fraud category is the infrastructure that drives the entire scam economy. Tracking pixels embedded in scam emails confirm the recipient's address is live and reading. The confirmation tells the operator to escalate to a call or send a follow up email. Email tracking is the targeting layer that turns a generic spam campaign into a personalized scam. Blocking the pixel cuts off the operator's ability to know that a particular target is responsive.
Why the Kiosk Is the Settlement
Cryptocurrency ATMs solve an operational problem for the scammer. The historical equivalent—the bank wire—has been a target of consumer protection law for decades. Bank tellers are trained to delay suspicious wire transfers to elderly customers, ask questions about the recipient, and sometimes refuse to send the wire entirely. Police have legal authority to claw back wires for several hours if the victim reports the fraud quickly.
A crypto ATM has none of those friction points. The transaction completes in a single block confirmation, irreversible once it lands. The kiosk operator's KYC is minimal—usually a phone number, sometimes a license scan, often neither for transactions under a certain limit. The kiosk is physically located in a retail environment where the staff has no training in detecting elder fraud. The victim feeds in cash, the kiosk delivers Bitcoin to the address provided, and the money is gone.
Massachusetts, Iowa, and Washington DC have filed lawsuits against the largest kiosk operators—Bitcoin Depot, CoinFlip, and Athena—alleging that the operators know the volume of scam traffic and have not taken meaningful action to reduce it. Complaint data filed in those cases shows that 80% to 93% of the transactions at individual kiosks were associated with scam reports. The kiosk business model, the complaints argue, depends materially on this transaction volume.
State Responses That Are Actually Reducing the Loss
Tennessee and Indiana have banned cryptocurrency ATMs outright. The Minnesota Senate passed similar legislation in 2026 and the House is expected to act before the session closes. Other states are pursuing per transaction caps, mandatory cooling off periods, and required signage in the kiosk display warning of the scam risk before the deposit can be made.
The early data from the states that have acted is straightforward. Tennessee reported a 70% decline in crypto ATM fraud complaints in the six months after the ban took effect. The displaced scammers either failed to convert their targets to alternative settlement methods—bank wires, cash apps, gift cards—or moved to operating across state lines, driving the victim into a neighboring state's kiosks. The cross border displacement is partial; some victims are unwilling or unable to drive far enough to reach a working kiosk.
Federal action has been slower. The CFPB has issued guidance but no rule. The FTC has filed actions but treated each as an individual case rather than a categorical rule. The pattern matches the slow federal response to other consumer fraud categories where state attorneys general moved first.
What Families Can Actually Do
The interventions that show measurable effect in the academic literature on elder fraud are not technical. They are social. Families who set up regular check ins with elderly relatives—particularly when those relatives live alone—catch active scams in progress. The check in does not need to be about fraud. It needs to be a conversation that surfaces the unusual urgency the scammer has cultivated.
A second intervention with documented effect is a withdrawal limit set in cooperation with the bank. Many banks will, with the account holder's permission, set a daily ATM withdrawal cap or require a call to the branch for any withdrawal over a specific amount. The cap does not prevent the scam, but it slows the transaction long enough for the victim's family to notice.
A third intervention—blocking the email channel the scam arrives through—is the one most family members can implement remotely. The scam emails almost universally use tracking pixels to confirm the address is active before the operator escalates. Email clients that block third party image loads break that confirmation. Gmail with images disabled by default; Apple Mail with the Mail Privacy Protection setting enabled; a tracking pixel blocker like Gblock—any of these cuts off the operator's signal that the target is engaging.
The Underlying Pattern: Email to Phone to Loss
The crypto ATM scam is a particularly visible instance of a broader pattern in consumer fraud. The contact starts in email. The pressure builds on the phone. The settlement happens through a payment channel optimized for speed and irreversibility. The same structure powers gift card scams ($217 million in FBI losses in 2025), business email compromise ($2.9 billion in losses), and tech support fraud ($590 million in losses). The variations are in the settlement layer. The constant is the email at the start.
Defenses that focus on the settlement layer—banning kiosks, freezing gift card purchases, regulating wire transfers—reduce a specific loss vector but do not stop the operator from migrating to the next. Defenses that focus on the contact layer—blocking tracking pixels, filtering known scam patterns, freezing inboxes against unverified senders—reduce the operator's ability to identify which targets will respond. The contact layer defense is upstream of every settlement category.
For the $388 million number to come down in 2026, both layers need to move. The state bans on kiosks are pulling the settlement layer. The growth in email privacy tools, the FTC's pressure on tracking pixels, and the broader normalization of pixel blocking in mainstream email clients are pulling the contact layer. The category will not disappear. It can be made smaller.