How the scam operates.
This domain is constructed using punycode encoding, a technique that allows non-ASCII characters to appear in web addresses. The resulting URL renders visually near-identical to a well-known Ethereum wallet service in most browsers, particularly when links are shared via messaging platforms or displayed in low-resolution contexts. The target audience is Ethereum users seeking to access a familiar wallet interface, typically via search engines or shared links rather than direct navigation.
The operational pattern observed across impersonation sites of this type involves presenting a convincing replica of the target interface. Victims who reach the site are prompted to enter recovery phrases, private keys, or connect an existing wallet. These interactions do not perform the stated function. Instead, submitted credentials are captured by the operator and used to drain connected or associated wallets. The user receives no error, or is redirected to the legitimate service after submission, giving the false impression that the interaction was routine.
The theft typically becomes apparent when the victim next accesses their genuine wallet account and finds balances depleted or assets transferred to unknown addresses. At this point, the transaction is irreversible. Recovery efforts are complicated by the pseudonymous nature of blockchain transactions and the absence of any identifiable operator behind the impersonation domain.
Red flags we documented.
- 01. Punycode homograph construction. The xn-- prefix in the domain name is a technical signal that the URL contains non-ASCII characters encoded to resemble a standard Latin-script address. This technique is specifically used to deceive users at the URL level, bypassing visual inspection in most browsers and link-preview contexts.
- 02. Typosquat pattern targeting wallet users. The domain closely mimics the structure and naming of a widely-recognised Ethereum wallet service. Impersonation of this type is a well-documented attack vector in cryptocurrency fraud, intended to intercept users who mistype a URL or follow a forged link.
- 03. CryptoScamDB blacklist inclusion. The domain appears in the CryptoScamDB blacklist, a community-maintained registry of confirmed fraudulent cryptocurrency addresses and URLs. Blacklist inclusion indicates prior identification and reporting by the security research community.
- 04. No verifiable operator identity. No company registration, regulatory filing, or named operator is associated with this domain. Legitimate wallet services maintain documented corporate identities and are subject to jurisdiction-specific oversight. The absence of any such identity is consistent with an operation designed to evade accountability.
- 05. Credential-harvesting site pattern. Sites operating under this impersonation pattern do not provide wallet functionality. Their sole purpose is to capture private keys or seed phrases submitted by victims who believe they are interacting with a trusted service. Any interaction beyond passive browsing should be treated as a compromise event.
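The xn-- signal in the first red flag can be checked mechanically before a link is trusted. The Python below is an added example, not part of the original report: it decodes each Punycode label, lists the scripts its letters come from, and folds look-alike characters to compare against a watchlist. The function names, the small confusables map, the watchlist and the sample domain are all constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small confusables map (an assumption of this example).
# Real checks should load the full Unicode confusables data (UTS #39).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def to_idn_label(text):
    """Build the xn-- form of a label (used here only to construct sample input)."""
    return "xn--" + text.encode("punycode").decode("ascii")

def scripts(text):
    """Scripts of the letters in text, taken from the first word of each Unicode name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()})

def skeleton(text):
    """Fold known look-alike characters to the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def inspect_domain(domain, watchlist):
    """Return one finding per xn-- label: decoded form, scripts, imitated name."""
    findings = []
    for label in domain.lower().rstrip(".").split("."):
        if not label.startswith("xn--"):
            continue  # plain ASCII label, nothing encoded
        try:
            decoded = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            findings.append({"label": label, "error": "invalid punycode"})
            continue
        found = scripts(decoded)
        folded = skeleton(decoded)
        findings.append({
            "label": label,
            "unicode": decoded,
            "scripts": found,
            "mixed_script": len(found) > 1,
            "imitates": folded if folded in watchlist and decoded not in watchlist else None,
        })
    return findings

def sample_domain():
    """Constructed sample: 'example' with Cyrillic U+0430 in place of Latin 'a'."""
    return to_idn_label("ex\u0430mple") + ".com"

if __name__ == "__main__":
    for finding in inspect_domain(sample_domain(), {"example"}):
        print(finding)
```

A label that mixes scripts, or whose folded form matches a watched name while its decoded form does not, is the pattern the red flag describes.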
What you can do now.
Open a free 24-hour case assessment with CryptoLeek
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.