How the scam operates.
The operation presents itself as a legitimate, bank-grade Ethereum wallet service. By pairing a name closely associated with a well-known wallet provider with the .bank top-level domain, which is typically restricted to regulated financial institutions, the site projects a dual signal of familiarity and institutional credibility. The likely target is any Ethereum user searching for wallet access, particularly those who may not scrutinise URLs carefully or who assume that the .bank suffix indicates formal regulatory oversight.
Operations built on this model typically function as credential-harvesting phishing infrastructure. Visitors encounter an interface designed to closely replicate a trusted wallet service, prompting them to submit seed phrases, private keys, or wallet connection approvals. Any credentials entered are captured by the operator. In some variants the site initiates unauthorised token transfers immediately on connection; in others, harvested credentials are stored and used later, allowing the operator to drain wallets at a time of their choosing and complicating attribution.
The point of discovery typically arrives after a user has submitted a seed phrase or private key, or after they notice unauthorised outgoing transactions from a linked wallet. By that stage the operator already holds everything required to access the account. Blockchain transactions are irreversible, and operators running impersonation infrastructure of this type tend to consolidate and move funds rapidly. The window for any meaningful intervention is narrow, and recovery of transferred assets through technical means alone is rarely possible.
Red flags we documented.
- 01Brand impersonation via domain nameThe domain reproduces the name of a widely recognised Ethereum wallet service almost exactly, combined with a different top-level domain. This is a textbook typosquatting and brand-impersonation technique, intended to intercept users who trust the original brand and may not examine the full URL before proceeding.
- 02Misuse of the .bank TLD as a trust signalThe .bank top-level domain is subject to strict eligibility requirements and is conventionally associated with regulated banking institutions. Its use here appears designed to imply formal financial oversight that this operation does not hold, exploiting user assumptions about domain-name gatekeeping to lower vigilance.
- 03Presence on an independent fraud intelligence databaseThe domain is listed on the CryptoScamDB blacklist, an independently maintained registry of confirmed malicious cryptocurrency-related domains and addresses. Inclusion indicates the site has been identified through community reporting or automated detection as actively harmful to users.
- 04No verifiable operator identity or regulatory footingPhishing operations built around brand impersonation characteristically provide no verifiable information about the entity behind the service: no company registration, no licence numbers, no physical address. This absence is structurally consistent with an operation designed to be abandoned and replaced once detected by fraud databases or wallet providers.
- 05Private-key entry through a web interface is a critical warning patternAny platform prompting users to enter seed phrases or private keys into a browser-based form should be treated as high-risk by default. Reputable, non-custodial wallet providers do not require users to submit these credentials through web interfaces, making any such prompt a strong indicator of credential-harvesting intent.
What you can do now.
Open a free 24-hour case assessment with CryptoLeek +
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts +
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense +
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.