How the scam operates.
The site operates under a domain that reproduces the name of a widely recognised Ethereum web wallet service character-for-character, substituting the standard commercial TLD for a Swiss country-code suffix. The .ch domain carries associations of European financial rigour, a detail that reinforces the impression of an authorised regional variant rather than a lookalike. The surface presentation almost certainly mirrors the visual identity of the genuine service, targeting Ethereum holders who arrive via search results, phishing links, or social media posts pointing to the spoofed address.
Operations of this pattern function by presenting a wallet interface that prompts users to enter a private key, keystore file, or seed phrase in order to access their holdings. These credentials represent complete, irrevocable authority over the associated address. Once submitted, they are captured server-side and transmitted to the operator, who can then initiate outbound transfers at will. The interface may appear to load normally during this window, or may return a vague access error, but the credential extraction occurs at the moment of entry.
The loss typically becomes apparent when holdings disappear without any action by the legitimate owner, or when the same credentials are used on an authentic platform and the account is found emptied. Blockchain transfers are irreversible by design, and the operator generally takes the domain offline once sufficient assets have been collected or detection becomes likely. What remains is an on-chain record of the outbound transfer and a blacklist entry, neither of which constitutes a recovery mechanism in isolation.
Red flags we documented.
- 01Brand-name impersonation via TLD substitutionThe domain reproduces the name of a well-known Ethereum wallet service character-for-character, differing only in the top-level domain. This technique exploits user inattention and search-engine proximity to intercept traffic intended for the legitimate platform, and is a documented hallmark of phishing infrastructure.
- 02Swiss country-code domain used as a credibility signalThe .ch TLD is associated with Switzerland's regulated financial environment. Its use here appears deliberate, lending an impression of European compliance and institutional standing to what CryptoScamDB has confirmed as a fraudulent operation.
- 03Credential-harvesting wallet interface patternAny platform that requests a private key, seed phrase, or keystore file to grant wallet access is, by design, capable of capturing those credentials. Legitimate non-custodial wallet interfaces do not require users to transmit these values to a remote server under any circumstances.
- 04CryptoScamDB blacklist confirmationThe domain appears in the CryptoScamDB blacklist, a community-maintained registry of addresses and domains associated with cryptocurrency fraud. Inclusion represents a documented finding, not a provisional or unverified warning.
- 05Absence of verifiable organisational or regulatory footprintA wallet service operating under a Swiss-jurisdiction domain would ordinarily carry verifiable legal disclosures, terms of service, and contact information appropriate to that jurisdiction. The absence of such documentation is consistent with a short-lived phishing operation rather than an authorised financial service.
What you can do now.
Open a free 24-hour case assessment with CryptoLeek +
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts +
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense +
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.