How the scam operates.
This domain is an internationalised domain name (IDN) encoded in punycode format. When rendered in browsers or linked contexts, it appears visually identical to a well-known Ethereum wallet service, differing by a single substituted Unicode character invisible at a glance. The operator presents no original service; the surface offering is a replica of an existing interface designed to intercept users arriving via phishing links, malicious advertisements, or social-engineering campaigns.
IDN homograph operations replace ASCII characters in a trusted domain with Unicode equivalents that render identically in standard typefaces. The xn-- punycode prefix encodes this substitution; a casual inspection of a shortened URL rarely reveals it. Victims who reach the site encounter a wallet interface prompting entry of a seed phrase, private key, or keystore file. Credentials submitted are immediately harvested by the operator, granting irrevocable access to the associated wallet with no transaction reversal possible.
The moment victims recognise the deception is almost always after the fact: funds are missing, and the address bar reveals an unfamiliar character buried in an otherwise familiar domain. There is no custodian to contact, no transaction to reverse, and no recovery mechanism built into the underlying protocol. Post-incident investigation is complicated further by the complete absence of documented corporate identity, jurisdiction, or operator information associated with the domain.
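The substitution described above can be surfaced before anyone visits the link. The following is an added example, not code from this page or from any project it mentions: it decodes each `xn--` label, lists the non-ASCII code points, and flags labels that mix scripts or fold to a name on a defender-supplied watchlist. The look-alike map, the `protected` watchlist and the sample domain are constructed assumptions.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek look-alikes for Latin letters; a real
# deployment would load the full Unicode confusables data (UTS #39).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
              "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o"}

def decode_label(label):
    """Return the Unicode form of one DNS label (punycode labels start with xn--)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch):
    """Approximate the script from the Unicode name; digits and hyphen are neutral."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_domain(domain, protected):
    """Report labels that are punycode, mix scripts, or fold to a protected name."""
    findings = []
    for label in domain.rstrip(".").split("."):
        try:
            decoded = decode_label(label)
        except UnicodeError:
            findings.append({"label": label, "reasons": ["invalid-punycode"]})
            continue
        scripts = {script_of(c) for c in decoded} - {"COMMON"}
        skeleton = "".join(LOOKALIKES.get(c, c) for c in decoded.lower())
        reasons = []
        if decoded != label:
            reasons.append("punycode")
        if len(scripts) > 1:
            reasons.append("mixed-script")
        if skeleton in protected and decoded.lower() != skeleton:
            reasons.append("imitates:" + skeleton)
        if reasons:
            findings.append({"label": label, "decoded": decoded, "reasons": reasons,
                             "codepoints": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                                            for c in decoded if ord(c) > 127]})
    return findings

def make_sample():
    """Constructed sample: 'example' with Latin a replaced by Cyrillic U+0430."""
    return "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for finding in inspect_domain(make_sample(), {"example"}):
        print(finding)
```

A label written entirely in one non-Latin script does not trip the mixed-script check, which is why the watchlist comparison runs separately.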
Red flags we documented.
- 01. Punycode IDN Encoding as a Deception Mechanism: The xn-- prefix identifies this as a punycode-encoded internationalised domain name. This encoding is the technical basis of IDN homograph attacks, where a domain constructed to resemble a trusted brand is distinguishable only through character-level inspection of the raw URL. No legitimate wallet service registers punycode variants of its own domain to serve ordinary users.
- 02. Confirmed Listing on an Industry Blacklist: The domain carries a confirmed-scam verdict on CryptoScamDB, a community-maintained registry of malicious cryptocurrency infrastructure. Blacklist inclusion without any corresponding regulatory filing, corporate registration, or operational transparency is a consistent marker of operations that rely on anonymity to function.
- 03. Credential-Harvesting Pattern Targeting Self-Custody Users: Operations impersonating self-custody wallet interfaces are high-risk because they target the single point of failure in decentralised finance: the seed phrase or private key. Unlike exchange-based fraud, no custodian can freeze accounts or reverse transfers once credentials are submitted. The window between submission and total loss is typically seconds.
- 04. No Corporate Identity or Regulatory Footprint: No aliases, parent company, regulator-recognised entity, or public corporate record are associated with this domain. Legitimate financial services maintain traceable organisational identities; the complete absence of such information is not a neutral signal in a regulated activity.
- 05. Visual Deception as the Sole Operational Purpose: Unlike investment fraud patterns that involve false returns narratives or fabricated trading platforms, this operation offers no product. The entire mechanism rests on visual indistinguishability from a genuine service. This specificity of design indicates intent: the domain exists to intercept credential entry, not to simulate a business.
What you can do now.
Open a free 24-hour case assessment with CryptoLeek
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.