How the scam operates.
The domain employs an internationalised domain name (IDN) encoding, rendering in most browsers as a string that closely resembles a well-established Ethereum web wallet. The operator presents the site as a familiar, trusted interface for managing Ether and ERC-20 tokens, relying on the visual indistinguishability of the address to attract users who believe they are accessing a legitimate service they already know and trust.
The fraud is built on an IDN homograph attack: one or more Unicode characters replace standard Latin letters in the domain, producing an address that passes casual visual inspection while resolving to a server under the operator's control. Visitors who interact with the interface are typically prompted to import a wallet by submitting a seed phrase, private key, or keystore file. These credentials are transmitted to the operator's infrastructure, granting immediate and irrevocable control over any associated on-chain holdings.
Victims typically discover the compromise only after the fact, when they observe unauthorised outbound transactions or find their balances cleared. Because blockchain transfers are irreversible by design and the operator holds no regulated account subject to freezing orders, conventional recovery routes offer little traction. The domain itself may be decommissioned and replaced once it accumulates blacklist entries or triggers browser security warnings, a pattern consistent with disposable phishing infrastructure.
Red flags we documented.
- 01 Punycode Domain Encoding. The xn-- prefix marks this as an internationalised domain name containing non-ASCII characters. This technique allows operators to register addresses that render as familiar brand names in most browsers, creating a convincing visual deception without altering a single recognisable character in the displayed URL.
- 02 Credential Solicitation via Wallet Import. Phishing wallet interfaces commonly request seed phrases, private keys, or keystore files under the guise of a standard import flow. Submitting these credentials to any remote server transfers permanent, unrecoverable control of the associated wallet to the receiving party.
- 03 CryptoScamDB Blacklist Inclusion. The domain appears in the CryptoScamDB community blacklist, a collaboratively maintained registry of addresses confirmed or credibly reported to be associated with phishing and asset theft. Inclusion reflects documented reports of malicious behaviour linked to this specific URL.
- 04 Homograph Impersonation Design. The operator invested in replicating the visual identity of an established wallet platform rather than building an independent brand presence. This design choice is characteristic of credential-harvesting operations, which depend entirely on borrowed trust rather than any original service offering.
- 05 No Regulatory Footprint or Auditable Infrastructure. No corporate registration, financial licence, or independently audited codebase has been associated with this domain. Operations of this type typically carry no legal presence that an affected party can pursue, and any published terms or security representations are unenforceable.
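The check below illustrates red flag 01 and the homograph substitution described above. It is an added example, not code from this report or from CryptoScamDB. It decodes the xn-- form of a domain, flags labels that mix scripts, and compares a look-alike-folded "skeleton" against a protected brand. The brand `examplewallet.com`, the sample spoof, and the short confusables map are constructed assumptions.

```python
import unicodedata

# Constructed, partial confusables map (Cyrillic/Greek -> Latin look-alike).
# A production check would load the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}
PROTECTED = {"examplewallet.com"}  # hypothetical brand domain to defend

def decode_label(label):
    """Decode one DNS label from its xn-- (ACE) form to Unicode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Approximate the scripts in a label from Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(text):
    """Fold look-alike characters onto Latin so spoofs compare equal to the brand."""
    text = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(c, c) for c in text)

def check_domain(domain, protected=PROTECTED):
    """Return (unicode_form, findings) for a domain as seen in a link or log."""
    raw = domain.rstrip(".").lower().split(".")
    labels = [decode_label(l) for l in raw]
    shown = ".".join(labels)
    findings = []
    if any(l.startswith("xn--") for l in raw):
        findings.append("punycode")          # a signal on its own, not a verdict
    if any(len(scripts(l)) > 1 for l in labels):
        findings.append("mixed-script")      # e.g. Latin and Cyrillic in one label
    skel = skeleton(shown)
    if skel != shown and skel in protected:
        findings.append("homograph-of:" + skel)
    return shown, findings

# Constructed sample: Latin "examplewallet" with U+0430 (Cyrillic a) swapped in.
SPOOF = "xn--" + "ex\u0430mplewallet".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for d in (SPOOF, "examplewallet.com", "xn--mnchen-3ya.de"):
        print(d, check_domain(d))
```

The skeleton comparison also catches whole-script spoofs, where every letter comes from one non-Latin script and the mixed-script test stays silent. A legitimate IDN such as `xn--mnchen-3ya.de` is reported only as punycode.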
What you can do now.
Open a free 24-hour case assessment with CryptoLeek
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.