How the scam operates.
This domain presents itself as a legitimate self-custody Ethereum wallet interface, targeting cryptocurrency holders who manage or access Ether and ERC-20 tokens through browser-based wallet tools. The site's visual presentation is engineered to be indistinguishable from a widely recognised wallet service, relying on the internationalised domain name (IDN) system to achieve that deception. Most browsers and link-preview tools render the domain in a way that conceals the substituted Unicode character, making the address appear authentic to the casual reader.
The fraud mechanism is a homograph attack: a Unicode character visually identical to a standard ASCII letter is embedded in the domain name, so the URL looks correct but resolves to an entirely different server under the operator's control. Victims who arrive at the site, typically via a phishing email, a malicious search advertisement, or a poisoned bookmark, are presented with a replica interface prompting them to enter a private key, seed phrase, or keystore file. That credential is silently transmitted to the operator the moment it is submitted.
The point of failure is irreversible. Private keys and seed phrases grant unconditional, permanent access to a wallet; once an operator receives them, the associated funds can be swept within seconds and moved through a chain of addresses designed to frustrate tracing. Victims typically discover the compromise only after checking their balance and finding it at zero. At that stage the original domain is often already abandoned, replaced by a fresh lookalike registered under a new IDN variant.
Red flags we documented.
- 01 Internationalised domain name homograph. The domain encodes a Unicode lookalike character within a name that closely resembles a legitimate wallet service. This technique, known as a homograph attack, is a deliberate infrastructure choice with no legitimate use case for a wallet provider. Any wallet URL that does not resolve to the verified ASCII domain of the known service should be treated as hostile.
- 02 Credential harvesting interface. Legitimate self-custody wallet services never require a user to submit a private key or seed phrase through a web form. Any interface that solicits these credentials is, by definition, a credential harvesting operation. The presence of such a prompt is sufficient grounds for immediate exit and incident response.
- 03 Confirmed listing on CryptoScamDB blacklist. The domain appears in the CryptoScamDB community blacklist, a collaboratively maintained registry of confirmed phishing infrastructure. Inclusion signals that the domain has been independently identified and reported as actively malicious by the broader security community.
- 04 No operator identity or accountability. The domain carries no verifiable operator identity, registered business entity, or jurisdictional accountability. Phishing infrastructure of this pattern is routinely registered anonymously, hosted on bulletproof providers, and rotated rapidly to evade takedown requests.
- 05 Irreversible loss on successful compromise. Unlike card fraud or bank transfers, the theft of a private key or seed phrase produces a loss that cannot be reversed through a chargeback or bank dispute. Once funds leave a compromised wallet, recovery depends on tracing and legal process, both materially harder when the operator is anonymous and assets have moved through multiple addresses.
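The homograph pattern described above and in red flag 01 can be checked mechanically before a wallet URL is trusted. The following is an added example, not part of the original report: the trusted domain `examplewallet.com`, the spoofed sample and the short lookalike table are constructed for illustration, and a production check would use the full Unicode confusables data.

```python
import unicodedata

# Hypothetical allow-list: the verified ASCII domain(s) of the wallet you use.
TRUSTED = {"examplewallet.com"}

# Constructed sample of lookalikes mapped to ASCII; not a full confusables table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

def to_unicode(host):
    """Decode xn-- (punycode) labels so the real characters are visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Scripts of the letters in a label, taken from each Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Fold known lookalikes to ASCII for comparison with the allow-list."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def check(host):
    uni = to_unicode(host)
    if uni.isascii():
        return "trusted" if uni in TRUSTED else "unknown"
    if skeleton(uni) in TRUSTED:
        return "homograph"      # looks like a trusted name, is not that name
    if any(len(scripts(label)) > 1 for label in uni.split(".")):
        return "mixed-script"   # e.g. Latin and Cyrillic in one label
    return "idn"                # non-ASCII but single-script; still not trusted

if __name__ == "__main__":
    spoof = "ex\u0430mplewallet.com"            # constructed spoof
    for h in ("examplewallet.com", spoof, spoof.encode("idna").decode()):
        print(ascii(to_unicode(h)), "->", check(h))
```

Only the `trusted` result should be treated as safe for entering wallet credentials; every other result means the name is not the verified ASCII domain.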
What you can do now.
Open a free 24-hour case assessment with CryptoLeek
Tell us what happened. A senior analyst reads your file within 24 hours and replies with an honest yes/no/conditional on recovery. The assessment is free. If we cannot recover the funds we say so plainly, including which (free) regulator channel you should use instead. If we accept the case, we open a numbered case file and issue a written quote for a flat investigation retainer before any work begins, scoped to case complexity, the jurisdictions involved, and the on-chain trail.
Trace your funds on-chain with our analysts
We trace stolen crypto across BTC, ETH, EVM L2s, Solana, Tron, and major stablecoins using the same toolchain as regulators and tier-1 exchange compliance teams. The output is a forensic report anchored to specific transaction hashes and block heights, the evidence that exchanges, payment processors, and counsel actually act on. Recovery starts here.
Recover with counsel where civil action makes sense
Where the trace lands in a jurisdiction with cooperative banks and courts, we coordinate with bar-licensed counsel in our 40+ jurisdiction network for civil action and asset-freezing orders (Mareva-style). Counsel bill you directly; the CryptoLeek investigation retainer is independent of counsel fees. The outcome is funds released back to your nominated wallet or bank account.