How the scam operates.
This operation presents itself as a legitimate Ethereum wallet management interface, leveraging a domain engineered to intercept users who mistype a single character in a widely recognised cryptocurrency service address. The substitution of the .cm country-code top-level domain for the standard .com extension is a deliberate choice: the visual difference is negligible at a glance, and the operator depends on that momentary inattention. The site's surface presentation mimics the branding and layout of its target closely enough to pass casual inspection.
The mechanics of the fraud follow a pattern consistent with credential-harvesting phishing infrastructure. Upon reaching the site, users are presented with what appears to be a standard wallet access interface, prompting them to submit their private key, seed phrase, or keystore file. These inputs are captured by the operator rather than processed by any legitimate wallet software. The site may behave normally throughout this interaction, returning no error and showing no visible sign of compromise, which delays the victim's realisation that anything is wrong.
The point of failure becomes apparent only after credentials are transmitted. Wallet balances are liquidated within a short window, often before the user has closed the browser tab. Because blockchain transfers are irreversible by design and the operator maintains no accountable presence, no mechanism exists to challenge or reverse the loss. Victims are left with an empty wallet and a transaction history leading only to unattributable addresses.
Red flags we documented.
- 01Typosquat domain targeting high-traffic wallet addressThe .cm top-level domain is a documented typosquatting vehicle, exploiting its near-indistinguishability from .com in standard typefaces. This domain is structurally designed to intercept misdirected traffic rather than attract users through any legitimate marketing or service offering.
- 02Private-key solicitation via web interfaceAny platform that requests a user's private key or seed phrase through a browser form is operating outside the boundaries of legitimate wallet security practice. Reputable non-custodial wallet services never require these credentials to be transmitted over a network connection.
- 03CryptoScamDB blacklist inclusionThe domain is catalogued in the CryptoScamDB community blacklist, a publicly maintained register of addresses associated with fraudulent activity in the cryptocurrency ecosystem. Inclusion indicates community-verified evidence of malicious behaviour.
- 04No disclosed operator or accountability structureImpersonation operations of this type characteristically offer no verifiable legal entity, registered business address, or regulatory standing. The absence of any accountable identity is itself a structural feature of the operation, not an oversight.
- 05Irreversible asset exposure on first interactionUnlike payment fraud where a dispute window exists, credential theft on a wallet phishing site produces immediate and permanent loss. A single submission of valid credentials is sufficient for the operator to drain all accessible funds, with no recourse available through the platform.
What you can do now.
Open a free 24-hour case assessment with CryptoLeek +
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts +
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense +
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.