Crypto scammers rake in more than one billion dollars using fake crypto wallets

Context: Bob ( fake name, real person) received a text claiming to be from his exchange. The message states that due to the recent ban on crypto in China, all users must withdraw their funds to a defi wallet. The text also included a link to the wallet where Bob can transfer his funds. After downloading the wallet, Bob removed all of his funds from the exchange. More than $10 million in ERC20-USDT were transferred. Little did Bob know that he had just become the victim of a phishing scam. Bob reached out to us for help recovering his funds.

Bob wasn’t the first person to contact us regarding these scams. Scams are becoming more common as interest in cryptocurrency grows. According to data from our MistTrack service, more than 60% of all reported hacks were related to fake wallets.

There are several ways to protect yourself against phishing attacks:

  • Never click on any link from an unknown source, even if it appears legitimate. Scammers frequently send emails or texts containing links to a fake wallet.
  • Always go to the original website rather than clicking on sponsored ads. Scammers often purchase ad space on search engines to promote their counterfeit website that often appears genuine.
  • Scammers will regularly message you pretending to help. After gaining your trust, they will send you a link to download their app and transfer funds to it. They will often fabricate why you cannot withdraw funds unless you deposit additional funds into it.

Many who fall victim to these scams never receive their money back.

Scammers would often pose as support from Metamask. They would pretend to help anyone currently having difficulties using Metamask. After gaining their trust, they would send over a link asking the victim to input their seed phase. Metamask will NEVER ask for your seed phrase or private key. This is what a fake Metamask wallet might look like.

In-depth analysis

Our team begins to analyze and research the information provided by these victims. According to our ongoing investigation, tens of thousands of victims had their assets stolen from these phishing scams. So far, the total amount stolen exceeds $1.3 billion. These are the only funds reported to SlowMist, and we only counted ETH, BTC, TRX, ERC20-USDT, and TRC20-USDT.

The graph below depicts the number of reported cases to us during November.

One victim provided us with the Tron address of the scammer. Using MistTrack, our team was able to track down and analyze the scammer’s address. It showed an additional 14 addresses that had transferred funds to this address. We can assume that these addresses also fell victims to this phishing scam. In total, the scammer was able to walk away with over $250,000 in Trc20-USDT. Which they later distributed to various Binance accounts.

We followed one of these Binance accounts and discovered it had over $600,000 in TRC20 — USDT. Imagine the total amount stolen if this was just one of the addresses the scammer uses.

As we investigated further into this account, we discovered more illegal activity associated with it. According to our AML(anti-money laundering) software, a BTC address associated with this account (32q…fia) was used for extortion. Through the investigation of this address, we concluded that these phishing schemes were not isolated events but rather part of a larger global scale.

Furthermore, our research indicates that the scammer will frequently transfer portions of the funds to multiple exchanges and to another scammer wallet with a significant amount of transactions to confuse our analysis.


This type of fraudulent activity is not only prevalent at the moment, but it is also on the rise. Every day, a growing number of people fall victim to this. Users should always be cautious and suspicious of phishing scams.




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Denial of Service (DOS) on Wifi using CommView Windows

{UPDATE} Helicopter Pilot AR Hack Free Resources Generator

Fraud: The pandemic’s impact, trends and how you can protect yourself

The 5 Most Common Vulnerability Types of 2020

@Moviebizcoin11 I like the team‘s approach to implementing their plans.

{UPDATE} Guess the Icon Hack Free Resources Generator

Mercatox TCH — THXCHAIN #Mainnet2020 SWAP Phase 2


Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

More from Medium

Fork Uniswap v2 Smart-Contracts & UI on Remix

SlowMist AML: Tracking funds laundered by Tornado Cash

Hacker abuses OpenSea to buy NFTs at older, cheaper prices🌊