Case Study · CW-2026-0445 · Seed-phrase wallet-drainer phishing

One Fake ‘Wallet Support’ Page Emptied a Wallet in Minutes: AUD 124,000

A Melbourne business owner searched for wallet support, clicked a sponsored result that looked official, and was asked to ‘sync’ his wallet by entering his recovery phrase. Within minutes the wallet was empty. Here’s the trace — and the hard limits on recovery.

Scam type: Seed-phrase phishing (wallet drainer)
Method: Fake ‘wallet support’ site requesting recovery phrase
Reported loss: AUD 124,000 (ETH + ERC-20)
Timeline: Minutes
Recovered: 29%
Outcome: Partial recovery

Illustrative case study. Details are a dramatized composite based on real recovery patterns; the broker, client and figures are fictional and shown for education. Outcomes vary case by case.

How the scam unfolded

Locked out of his wallet app, he searched for help and clicked the top sponsored result — a near-perfect clone of a popular wallet’s support site. A live-chat ‘agent’ told him to ‘verify and sync’ his wallet by entering his 12-word recovery phrase into a ‘secure validation’ field.

Where it went wrong

A recovery phrase is the wallet. The moment he entered it, attackers imported his wallet and swept the ETH and every ERC-20 token to a drainer address in a rapid sequence of transactions. By the time the ‘agent’ said the sync was complete, the wallet was empty.

“I thought I was talking to support. I didn’t send anything anywhere — I just typed in my words. That was all it took.” — Client statement (illustrative)

How the recovery worked

  1. Documented the drain. We reconstructed the full sweep — every token, every transaction, every destination.
  2. Traced to consolidation. The tokens were swapped to ETH and consolidated; part went to a mixer, part toward exchanges.
  3. Targeted the reachable deposit. One consolidation wallet deposited to a centralized exchange with a compliance process.
  4. Filed for a freeze. We submitted the trace and report; the exchange froze the linked balance.
  5. Recovered the frozen portion. After review, that balance was returned — 29% of the loss.

Recovered for the client: 29%

Seed-phrase drains are immediate and usually irreversible. The 29% reflects the one branch that reached a cooperating exchange before cash-out; the mixed portion was lost.
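The tracing steps above can be sketched as a small fund-flow walk. This is an added example, not Cryptowledge's tooling: the address names, the labels and the split of amounts are constructed to match the case figures, and forwarding value pro rata is an assumed simplification.

```python
from collections import defaultdict, deque
from fractions import Fraction

# Constructed sample data: (from, to, AUD value at transfer time). All names are made up.
TRANSFERS = [
    ("victim", "drainer", 70_000),        # ETH sweep
    ("victim", "drainer", 54_000),        # ERC-20 sweeps, combined
    ("drainer", "consol_a", 35_960),      # after token-to-ETH swaps
    ("drainer", "consol_b", 88_040),
    ("consol_a", "cex_deposit", 35_960),
    ("consol_b", "mixer_pool", 88_040),
]
LABELS = {"cex_deposit": "exchange", "mixer_pool": "mixer"}  # hypothetical attribution

def trace(transfers, source, labels):
    """Follow the source's outflow pro rata and total it per endpoint label."""
    out, indeg, nodes = defaultdict(lambda: defaultdict(int)), defaultdict(int), set()
    for src, dst, amt in transfers:
        nodes.update((src, dst))
        if dst not in out[src]:
            indeg[dst] += 1               # count each distinct edge once
        out[src][dst] += amt
    taint = defaultdict(Fraction)
    taint[source] = Fraction(sum(out[source].values()))
    reached, done = defaultdict(Fraction), set()
    queue = deque(n for n in nodes if indeg[n] == 0)   # process in topological order
    while queue:
        node = queue.popleft()
        done.add(node)
        edges = out.get(node, {})
        stop = node in labels or not edges   # tracing ends at labelled or dead-end addresses
        if stop and taint[node]:
            reached[labels.get(node, "untraced")] += taint[node]
        total = sum(edges.values())
        for dst, amt in edges.items():
            if not stop:
                taint[dst] += taint[node] * Fraction(amt, total)
            indeg[dst] -= 1
            if indeg[dst] == 0:
                queue.append(dst)
    stuck = sum((taint[n] for n in nodes - done), Fraction(0))  # value caught in a cycle
    if stuck:
        reached["unresolved"] += stuck
    return dict(reached)

def share(transfers, source, labels, label):
    """Fraction of the traced loss that ended at addresses carrying `label`."""
    reached = trace(transfers, source, labels)
    return reached.get(label, Fraction(0)) / sum(reached.values())
```

Only the branch labelled as an exchange deposit is a candidate for a freeze request; value that ends in the mixer or in an unresolved cycle is reported separately rather than guessed at.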

Warning signs to remember

  • Any site, person or ‘support agent’ asking for your recovery/seed phrase — no legitimate party ever needs it.
  • Sponsored search results impersonating official wallet or exchange support.
  • A ‘sync,’ ‘validate’ or ‘verify’ step that asks you to type your 12 or 24 words.
  • Urgency from a ‘live agent’ while you’re locked out and stressed.

What you can learn

  • Your recovery phrase should never be typed into any website, app or chat — ever.
  • Real wallet support cannot access or ‘sync’ your funds and will never ask for your phrase.
  • Bookmark official support pages; don’t trust sponsored search ads for wallet help.

Think this has happened to you?

If you’ve lost crypto to a scam like this, the first hours matter. Our team will review your case and tell you honestly what can and can’t be recovered — at no upfront cost.

Disclaimer: Cryptowledge provides digital-asset investigative and recovery-assistance services. Past case outcomes do not guarantee future recovery. Recovery is not possible in every case and depends on the specific circumstances, transaction path, and cooperation of third parties. Cryptowledge is not a law firm, financial advisor, or regulated financial institution and does not provide legal, tax, or investment advice. All consultations are confidential. © 2026 Cryptowledge. All rights reserved.