How the scam operates.
myetherwallet.nl presents itself as a legitimate Ethereum wallet interface, trading on close visual and nominal similarity to a well-established wallet brand. The domain construction follows a textbook typosquatting pattern: substituting the country-code top-level domain (.nl) for the genuine service's commercial domain, targeting users who mistype a URL, follow a poisoned search result, or receive the link through phishing correspondence. The surface presentation typically replicates the layout and language of the authentic service closely enough to pass a casual inspection.
The operational mechanics centre on credential harvesting. Visitors are prompted to import a wallet via private key, seed phrase, or keystore file. The moment any of those credentials are submitted, the operator captures them. Because private keys and seed phrases confer irrevocable control over associated wallet addresses, a single submission is sufficient to drain all assets held there. No further interaction with the victim is required.
Discovery typically occurs after the fact, when the victim checks their wallet through a legitimate channel and finds balances reduced to zero or notices outbound transactions they did not authorise. The window for intervention has almost always closed by then: blockchain transactions are irreversible, and the operator will have already moved funds through subsequent addresses. Victims frequently cannot identify who ran the site, as hosting and registration infrastructure is routinely structured to obscure attribution.
Red flags we documented.
- 01. Typosquatted domain targeting a recognised wallet brand: The .nl country-code domain replicates a major Ethereum wallet brand name character-for-character. This is a deliberate construction designed to intercept users who mistype the URL or follow inauthentic links, not a coincidental naming overlap.
- 02. CryptoScamDB blacklist inclusion: The domain appears in the CryptoScamDB community blacklist, a maintained registry of addresses associated with cryptocurrency fraud. Inclusion confirms independent third-party identification of this site as malicious prior to any individual complaint.
- 03. Credential-entry interface with no legitimate custody function: Wallet impersonation operations request private keys or seed phrases under the pretence of wallet access. No legitimate non-custodial wallet service requires a user to submit these credentials to a remote server; any interface that does is harvesting them.
- 04. Irreversibility of losses once credentials are submitted: The harm model here leaves no recovery window at the platform level. Once a private key or seed phrase is captured, the operator can sweep associated addresses at any time. The absence of chargebacks or institutional intermediaries means asset loss is typically permanent.
- 05. Pattern consistent with mass-deployment phishing infrastructure: Single-brand wallet impersonation sites using TLD substitution are frequently deployed in batches. The presence of one such domain suggests related domains targeting the same brand or user base may exist or have existed under similar naming conventions.
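The TLD-substitution pattern described above (red flags 01 and 05) can be checked mechanically before a link is opened or allowed through a mail or proxy filter. The following is an added example, not code from this page or from any wallet project; the allowlist entry `myetherwallet.com` is an assumption about the genuine commercial domain, and the sample links are constructed. It goes slightly beyond the .nl case by also flagging the brand label used as a subdomain of an unrelated host.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the genuine service's commercial domain. Extend as needed.
OFFICIAL_DOMAINS = {"myetherwallet.com"}


def extract_host(value):
    """Return the lower-cased hostname from a URL or bare host string."""
    target = value.strip()
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host as a netloc
    # .hostname drops any userinfo ("user@") and port, and lower-cases the host
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")  # "example.nl." and "example.nl" are the same name


def classify(value, official=OFFICIAL_DOMAINS):
    """Classify a link as 'official', 'lookalike' or 'unrelated'.

    Returns (verdict, official_domain_it_relates_to_or_None).
    """
    host = extract_host(value)
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    # Brand label = left-most label of each official domain.
    brands = {domain.split(".")[0]: domain for domain in official}
    for label in host.split("."):
        if label in brands:
            # Same brand label, but not under the official registrable domain:
            # covers TLD substitution and the brand used as a subdomain label.
            return ("lookalike", brands[label])
    return ("unrelated", None)


# Constructed sample links, not taken from any real log.
SAMPLES = [
    "https://www.myetherwallet.com/wallet",
    "myetherwallet.nl",
    "https://myetherwallet.com@MyEtherWallet.NL./access",
    "http://myetherwallet.com.login.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link)[0]:<10} {link}")
```

The check only catches exact reuse of the brand label; misspelled or homoglyph variants need a separate similarity test.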
What you can do now.
Open a free 24-hour case assessment with CryptoLeek
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.