Case File · GEI-2026-0421 · Seed-phrase wallet-drainer phishing

The Fake Security Update: A Seed Phrase Entered, a Wallet Emptied

A search for a “wallet update” led a retired engineer in Leeds to a page that looked exactly right, down to the logo. The form asked him to re-sync his recovery phrase. Twelve seconds after he submitted it, the wallet was empty.

Vector: Cloned-wallet phishing portal
Instrument: Self-custody wallet (seed exfiltration)
Reported loss: £74,300 (ETH, USDT, LINK)
File opened: 21 April 2026
Funds recovered: 29%
Claimant: Retired engineer, Leeds, UK
About this case file. This is an illustrative, dramatized composite based on patterns GEInvestigator works in the field. Names of firms, platforms, and people are fictional and any resemblance to a real entity is coincidental. Figures and outcomes are representative; recovery is never guaranteed and depends on the facts of each case.

Intake · How the subject made contact

A browser pop-up warned that his wallet needed to be “re-validated.” When he searched for the fix, a sponsored result sat at the top of the page — a clone of the wallet vendor’s site at a near-identical domain.

The portal asked him to enter his 24-word recovery phrase to “re-sync” the device. He typed all 24 words into the box and pressed submit.

Point of compromise · Where control was lost

An automated drainer swept the wallet within a single block. With the recovery phrase in hand it could sign a transfer for each asset the wallet held, so the ETH balance and every ERC-20 token left for fresh attacker wallets at once. The tokens were then swapped to ETH through a decentralised exchange and the proceeds split.

Most of the proceeds went into a mixer within the same minute. One smaller tranche moved toward a centralised exchange — the only leg that would later give us something to hold.

“It wasn’t a stranger calling me. I went looking for help and walked straight into it. That’s the part that still stings.”
Field interview · Case GEI-2026-0421

Evidence chain · How the recovery was built

EX-01 · Captured the drainer signature
Identified the sweep as a known automated-drainer pattern from the single-block, multi-asset transfer out of the wallet.

EX-02 · Traced the swap-and-split
Followed the ERC-20-to-ETH swaps through a DEX and the split into a mixer deposit and a smaller exchange-bound tranche.

EX-03 · Flagged the exchange tranche
The smaller leg reached a KYC’d exchange; we filed the trace and a UK Action Fraud reference for a compliance hold.

EX-04 · Documented the phishing infrastructure
Archived the cloned domain, its hosting, and the ad placement for the claimant’s report and a takedown request.

EX-05 · Recovered the held tranche
The exchange released the held funds after verification; the mixer-bound majority was marked unrecoverable.
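The detection and trace steps in EX-01 to EX-03 can be run over a wallet's transfer history as a heuristic. The block below is an added example for this case file, not GEInvestigator's own tooling: it assumes transfers have already been pulled from a chain indexer into the simple records shown, and every address, amount and venue label in it is constructed for illustration. A sweep is flagged when two or more distinct assets leave the victim in one block to recipients with no prior history in the window (a drainer holding the seed phrase signs one transfer per asset, and they land together); the proceeds are then followed forward and the mixer leg separated from the exchange leg that a compliance request could hold.

```python
"""Drainer-sweep detection and onward trace (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    block: int
    asset: str       # "ETH" or an ERC-20 symbol
    sender: str
    recipient: str
    amount: float


def find_sweeps(transfers, victim, min_assets=2):
    """Blocks in which >= min_assets distinct assets leave `victim` and every
    recipient is fresh (no activity in an earlier block of the window).
    Returns {block: [outgoing Transfer, ...]}."""
    by_block = defaultdict(list)
    for t in transfers:
        by_block[t.block].append(t)
    seen_before = set()
    sweeps = {}
    for block in sorted(by_block):
        outs = [t for t in by_block[block] if t.sender == victim]
        assets = {t.asset for t in outs}
        fresh = all(t.recipient not in seen_before for t in outs)
        if len(assets) >= min_assets and fresh:
            sweeps[block] = outs
        for t in by_block[block]:
            seen_before.update((t.sender, t.recipient))
    return sweeps


def trace_onward(transfers, start_addrs, labels, start_block):
    """Follow funds forward from start_addrs through later blocks. A hop to an
    unlabelled address extends the frontier; a hop to a labelled venue (dex,
    mixer, exchange) is recorded under that label. DEX hops are not followed
    further: the swap output comes back to an address already in the frontier,
    so its next move is picked up on its own."""
    frontier = set(start_addrs)
    legs = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.block):
        if t.block <= start_block or t.sender not in frontier:
            continue
        label = labels.get(t.recipient, "unlabelled")
        legs[label].append(t)
        if label == "unlabelled":
            frontier.add(t.recipient)
    return dict(legs)


HOLDABLE = {"exchange"}   # venues that can freeze a leg on a compliance request


def holdable_amount(legs):
    """Total sitting at venues that can hold funds (ETH here, after the swaps)."""
    return sum(t.amount for label in HOLDABLE for t in legs.get(label, []))


# Constructed sample window (not real chain data). Block 100 is the sweep.
VICTIM = "0xVictim"
SAMPLE = [
    Transfer(90,  "ETH",  "0xOnramp", VICTIM,     10.0),    # earlier, legitimate funding
    Transfer(95,  "ETH",  VICTIM,     "0xFriend",  0.5),    # normal single-asset send
    Transfer(100, "ETH",  VICTIM,     "0xAtk1",    9.4),    # sweep: three assets,
    Transfer(100, "USDT", VICTIM,     "0xAtk1", 12000.0),   #   same block,
    Transfer(100, "LINK", VICTIM,     "0xAtk2",  800.0),    #   fresh recipients
    Transfer(101, "USDT", "0xAtk1",   "0xDex",  12000.0),   # swap tokens to ETH
    Transfer(101, "ETH",  "0xDex",    "0xAtk1",    4.0),
    Transfer(101, "LINK", "0xAtk2",   "0xDex",   800.0),
    Transfer(101, "ETH",  "0xDex",    "0xAtk2",    3.1),
    Transfer(102, "ETH",  "0xAtk1",   "0xMixer",  13.4),    # majority into a mixer
    Transfer(102, "ETH",  "0xAtk2",   "0xAtk3",    3.1),    # smaller tranche hops once
    Transfer(105, "ETH",  "0xAtk3",   "0xCex",     3.1),    # ...then reaches an exchange
]
LABELS = {"0xDex": "dex", "0xMixer": "mixer", "0xCex": "exchange"}


def summarise(transfers=SAMPLE, victim=VICTIM, labels=LABELS):
    """Run detection and trace; returns one report dict per sweep block."""
    report = {}
    for block, outs in find_sweeps(transfers, victim).items():
        legs = trace_onward(transfers, {t.recipient for t in outs}, labels, block)
        report[block] = {
            "assets_swept": sorted({t.asset for t in outs}),
            "mixer_eth": sum(t.amount for t in legs.get("mixer", [])),
            "holdable_eth": holdable_amount(legs),
        }
    return report


if __name__ == "__main__":
    print(summarise())
```

The freshness test is what separates a drainer from a user consolidating funds: a legitimate move usually goes to an address the wallet has dealt with before. On real data the labels dict is the expensive part; it is whatever venue-attribution set the investigator has, and the quality of the result is bounded by it.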

Disposition · What came back

29% of funds returned to claimant

£21,500 of £74,300 was returned, all of it from the single exchange-bound tranche. A drainer whose proceeds reach a mixer within a minute of the sweep sets a low ceiling on recovery; we say so plainly rather than promise a number we cannot reach.

Indicators · Fraud signals on this file

  • Any web page, pop-up or caller asking for your 12- or 24-word recovery phrase. The phrase is typed only into the wallet application itself, when you first set it up or restore it on a new device; no update, re-sync or validation step ever needs it.
  • “Re-sync,” “validate,” or “migrate” prompts arriving as pop-ups or sponsored search ads.
  • A wallet emptied within a single block, with several tokens leaving at once.
  • Update links whose domain is not the vendor’s official domain. Check the address bar, not the logo on the page.
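The last indicator is a check that can be automated. The block below is an added example, not the firm's tooling: given a link, it decides whether the host is the vendor's official domain, a lookalike of it, or unrelated. The allowlist entry example-vendor.com is a placeholder, and the registrable name is taken as the second-level label with no public-suffix list, which is a simplification noted in the code. It catches the three common clone shapes: the official name embedded as a subdomain of an attacker's domain, a single-character edit, and an internationalised domain whose non-ASCII letters mimic the brand.

```python
"""Classify an 'update' link against the vendor's official domain (added example)."""
from urllib.parse import urlsplit

OFFICIAL = ("example-vendor.com",)   # assumed allowlist; placeholder vendor


def is_official(host, official=OFFICIAL):
    """True only if host is an official domain or a real subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in official)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, official=OFFICIAL, max_edits=2):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid'."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid"
    raw = parts.hostname.rstrip(".")          # urlsplit already lower-cases it
    try:
        host = raw.encode("idna").decode("ascii")   # punycode form for comparison
    except UnicodeError:
        return "invalid"
    if is_official(host, official):
        return "official"
    labels = raw.split(".")
    # Simplification: treat the second-level label as the registrable name.
    # A real deployment would consult the public-suffix list here.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    # ASCII skeleton: drop non-ASCII letters so "еxample" (Cyrillic е) becomes "xample"
    skeleton = "".join(c for c in sld if c.isascii())
    for d in official:
        brand = d.split(".")[0]
        embedded = brand in labels[:-1]       # vendor.com.evil.net style
        near = edit_distance(skeleton, brand) <= max_edits
        if embedded or near:
            return "lookalike"
    return "unrelated"
```

Anything other than "official" should block the click; the distinction between "lookalike" and "unrelated" is only there to prioritise takedown requests.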

Seeing the same pattern in your own case?

GEInvestigator opens a file, traces the funds, and tells you honestly what can be recovered.

Open a Case →