How the scam operates.
This operation presents itself as a legitimate Ethereum wallet interface, deliberately replicating the name and implied functionality of a widely-used, community-trusted crypto wallet service. The domain construction combines a recognisable wallet brand with the ".amex" top-level domain, a brand TLD associated with American Express, to project an impression of institutional credibility. The intended audience is Ethereum users seeking to access, import, or manage their wallets online.
The operational method characteristic of this fraud class is credential harvesting. Rather than functioning as a genuine wallet interface, the site is engineered to intercept private keys, seed phrases, or keystore files submitted by users during a simulated login or wallet-import process. Once credentials are entered, the operator gains unilateral control over any associated wallet addresses. The funds held in those addresses can be swept to operator-controlled addresses with no recourse available to the victim.
The breakdown typically becomes apparent within hours or days of credential submission, when victims observe unauthorised outbound transactions from wallets they did not initiate. By the time the loss is identified, the operator has already moved assets through one or more intermediary addresses. The domain offers no legitimate support channel, no verifiable corporate identity, and no mechanism for recovery. Victims are left with an immutable blockchain record of the theft but no actionable counterparty to pursue.
Red flags we documented.
- 01Brand-name impersonation in the domainThe domain reproduces the name of a well-established Ethereum wallet service almost exactly, a classic impersonation technique designed to intercept users who mistype a URL or follow a fraudulent link. This pattern is consistently associated with credential-harvesting operations rather than legitimate services.
- 02Unauthorised use of a corporate brand TLDThe ".amex" top-level domain is a sponsored TLD associated with American Express. Its use here is almost certainly unauthorised and is engineered to project institutional backing. Legitimate wallet services do not operate under third-party corporate brand TLDs.
- 03CryptoScamDB blacklist listing confirmedThe domain appears explicitly in the CryptoScamDB community blacklist, a collaboratively maintained register of URLs and addresses linked to crypto fraud. Blacklist inclusion reflects prior evidence of malicious activity reported by independent researchers or affected users.
- 04No verifiable operator identityOperations of this type consistently omit any verifiable corporate registration, regulatory disclosure, or named personnel. The absence of an auditable organisational identity is a strong signal that accountability has been deliberately engineered out of the operation.
- 05Credential input as the core interactionAny platform that requests a private key, seed phrase, or keystore file in order to access or import a wallet is, by design, collecting credentials it has no legitimate need to see. A genuine non-custodial wallet interface never requires these materials to be transmitted to a remote server.
What you can do now.
Open a free 24-hour case assessment with CryptoLeek +
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts +
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense +
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.