How the scam operates.
The domain replicates the naming convention of a well-established Ethereum wallet interface that is widely used for self-custody asset management. To a user arriving via a search result, a phishing link, or a social-media advertisement, the address would appear to belong to a legitimate service. The operator's apparent goal is to attract users who believe they are accessing a trusted wallet interface to manage or recover Ethereum-based assets.
Phishing operations of this type typically present a functional-looking wallet interface that prompts users to authenticate by entering a private key, seed phrase, or keystore file. Unlike a genuine non-custodial wallet, such platforms do not process this information locally. Credentials entered into the interface are transmitted to the operator, granting immediate and irrevocable access to any funds held in the corresponding wallet addresses. The visual design is calibrated to match the experience victims expect from the legitimate service being impersonated.
The point of failure becomes apparent when users attempt to execute transactions and find their wallet balance has been drained. Because the operator has already extracted the private key or seed phrase, the theft is typically rapid and leaves no recourse through the platform itself. Victims often report a delay between credential entry and fund loss, as operators may wait before sweeping wallets or act in batches. At that stage, the fraudulent domain is frequently abandoned and the operator moves on.
Red flags we documented.
- 01Domain name mirrors a recognised wallet brandThe domain replicates the branding of a well-known Ethereum wallet service with sufficient accuracy to deceive users not examining the full URL carefully. This subdomain-impersonation technique is used to redirect search traffic and phishing-link victims toward a fraudulent interface under a familiar-looking address.
- 02Confirmed listing on CryptoScamDB blacklistThe domain appears on the CryptoScamDB blacklist, a community-maintained registry of known phishing and fraud infrastructure in the cryptocurrency space. Inclusion reflects a documented report of malicious activity, not merely a suspicion, and is a reliable early indicator of credential-harvesting intent.
- 03Private key entry is the central fraud signalWallet interfaces of this type prompt users to enter credentials that a legitimate non-custodial service would never request via a web form. Any platform soliciting a seed phrase, private key, or keystore file through a browser should be treated as a credential-harvesting operation regardless of its visual presentation.
- 04Non-standard TLD points to deceptive infrastructureThe use of a brand-associated top-level domain rather than a conventional public TLD is atypical for legitimate wallet services. Branded or unconventional TLDs can be exploited to construct domain strings that superficially resemble trusted addresses while operating outside standard registration scrutiny and consumer-protection frameworks.
- 05No verifiable operator or regulatory standingNo operator identity, company registration, or regulatory authorisation is associated with this domain. Legitimate wallet services maintain at minimum a verifiable corporate presence. The absence of any such identity is consistent with infrastructure designed for a short-lived fraud campaign and rapid abandonment after funds are taken.
What you can do now.
Open a free 24-hour case assessment with CryptoLeek +
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts +
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense +
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.