How the scam operates.
The site presents as a legitimate Ethereum wallet interface, exploiting two deception layers: the "m." mobile-subdomain convention and a root domain differing from a recognised wallet brand by a single dropped letter. The result is a URL that passes casual visual inspection, particularly on mobile devices where address bars truncate. The intended audience is any cryptocurrency holder seeking to access a self-custody Ethereum wallet via direct URL or an unverified link.
Operations of this type function as credential and seed-phrase harvesters. The site presents a wallet interface prompting users to enter private keys, BIP-39 mnemonic phrases, or account passwords. This input is not processed by any legitimate wallet software; it is captured by the operator and used to access and drain associated on-chain holdings. Because the interface mirrors a familiar design, users often complete the input sequence without suspicion, believing they have simply authenticated normally.
The failure point typically becomes apparent minutes to hours later, when victims find holdings transferred out or credentials compromised on the legitimate service. The operator benefits from the irreversibility of confirmed blockchain transactions and the difficulty of attributing actions to an anonymous party. At that stage, the transaction record exists on-chain but the counterparty identity does not, which significantly complicates any recovery or investigative process.
Red flags we documented.
- 01Deliberate single-character URL manipulationThe domain yetherwallet.com removes one letter from a recognised Ethereum wallet brand name, a technique chosen precisely because the difference is invisible at speed. This is a structural deception, not an accidental similarity, and is a defining characteristic of credential-harvesting operations targeting crypto users.
- 02Mobile subdomain prefix used as a trust signalThe "m." prefix mimics the convention by which legitimate services serve mobile-optimised versions of their sites. Its use here is a social-engineering layer intended to make the domain read as an official mobile property rather than an independent spoofed site. No legitimate wallet service operates via this domain.
- 03Confirmed listing on an active threat blacklistCryptoScamDB, a community-maintained registry of cryptocurrency threat domains, has explicitly blacklisted this URL. Blacklist inclusion reflects documented community reports and pattern-matching against known fraud infrastructure, and is an independent corroborating signal that the domain is not a benign registration.
- 04Seed-phrase and private-key collection patternSites structured around wallet impersonation have a single operational purpose: to collect authentication material granting irrevocable on-chain access. Any interface requesting a mnemonic phrase or private key outside a locally-executed, open-source application is a collection point. There is no legitimate use case for a web service to require this input.
- 05Absent organisational and regulatory footprintLegitimate cryptocurrency services maintain discoverable company registrations, identifiable legal entities, and in many jurisdictions some form of regulatory acknowledgement. Operations of this type present none of these. The absence of any accountable organisational identity is a material risk indicator independent of the URL pattern.
What you can do now.
Open a free 24-hour case assessment with CryptoLeek +
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts +
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense +
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.