Almost every catastrophic crypto loss has the same root cause: someone gained access to a victim's seed phrase or private key. Unlike a stolen credit card, there is no bank to call, no chargeback, and no fraud department that can reverse a blockchain transaction. Whoever holds the keys holds the money, permanently.
Because the technology itself is so hard to break, attackers have shifted almost entirely to social engineering. They impersonate wallet support teams, build convincing fake apps, and craft urgent messages designed to make you reveal your recovery words or approve a malicious transaction. The good news is that nearly all of these attacks rely on one mistake: you sharing or entering information that should never leave your control.
This guide explains what a seed phrase actually is, walks through the most common scam patterns in plain language, and gives you a short list of habits that defeat the overwhelming majority of them.
What a seed phrase is and the one golden rule
A seed phrase (also called a recovery phrase or mnemonic) is usually a list of 12 or 24 ordinary words. Those words are a human-readable form of the master private key that controls your wallet. Anyone who has the words can recreate your wallet on any device and move every asset inside it. A private key works the same way for a single account.
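To make concrete why the words are the wallet, here is an added example (not code from the original guide) that derives the BIP39 seed and the BIP32 master private key from a mnemonic using only Python's standard library. The mnemonic and passphrase are the published BIP39 test vector (twelve words, all "abandon" except the checksum word "about", passphrase "TREZOR"), not anyone's real wallet, and the function names are my own. The point it demonstrates: the algorithm is public and deterministic, so the words alone reproduce every key on any machine.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Constructed input: the standard BIP39 test vector, reproduced from the
# specification's published vectors. It is a test value, not a real wallet.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()
TEST_PASSPHRASE = "TREZOR"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic sentence.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, the NFKD-normalised
    mnemonic as the password and the string "mnemonic" + passphrase as the
    salt. Nothing in this function is secret except the words themselves.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master key derivation: HMAC-SHA512 keyed with "Bitcoin seed".

    The left 32 bytes are the master private key and the right 32 bytes the
    chain code; every account key in the wallet is derived from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def seed_hex(mnemonic: str, passphrase: str = "") -> str:
    """Convenience wrapper returning the seed as a hex string."""
    return mnemonic_to_seed(mnemonic, passphrase).hex()


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    master_priv, chain_code = seed_to_master_key(seed)
    print("seed:              ", seed.hex())
    print("master private key:", master_priv.hex())
    # The same words on a different device give the same wallet ...
    assert seed == mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    # ... while a different passphrase is a completely different wallet.
    assert seed != mnemonic_to_seed(TEST_MNEMONIC, "")
```

Because there is no server, account or password-reset step anywhere in this derivation, "restoring" a wallet is nothing more than running it again. That is also why a copied phrase cannot be revoked: the attacker runs the same two functions and holds the same master key you do.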
This leads to the single most important rule in all of self-custody:
- Never share your seed phrase or private key with anyone, for any reason.
- Never type it into a website, chat, form, app, or pop-up. Your real wallet only asks for it once, on your own device, when you first restore an existing wallet.
- Legitimate apps never need your phrase to fix a bug, unlock funds, validate, sync, migrate, or verify anything.
- Store it offline, on paper or metal, where no camera, screen, or cloud service can capture it.
If you internalize only one idea from this guide, make it this: the request itself is the attack. The moment anyone or anything asks for your recovery words, you already know it is a scam.
Fake support impersonators
The most common attack is a stranger pretending to be official support. Scammers monitor public posts where people complain about a stuck transaction or a wallet error, then reach out claiming to be from the wallet's team. They are patient, polite, and professional, which is exactly why they work.
Watch for these patterns:
- Unsolicited direct messages on X, Discord, Telegram, or Instagram from accounts using a real brand's logo and a near-identical name.
- Fake support tickets and help desks that route you to a bot, a Google Form, or a chat where an agent asks you to verify your identity by entering your recovery phrase.
- Validation, sync, or migration forms that claim your wallet must be re-validated to keep working, then present a field for your 12 or 24 words.
- Urgency and authority cues such as warnings that your funds will be locked, an account suspended, or a deadline is approaching.
Real teams generally do not send the first message, do not ask you to move to a private channel to fix a public problem, and never request your phrase. Most reputable projects state explicitly that their staff will never DM you first.
Fake wallet apps and browser extensions
Attackers publish counterfeit wallet apps and extensions that look identical to the real product. When you create or import a wallet inside one of these, the seed phrase is silently sent to the attacker, who drains the funds within seconds.
These fakes spread through several channels:
- Sponsored search ads that sit above the genuine result and link to a copycat download page.
- App stores and extension stores where a clone slips past review using a slightly altered name, a fake developer account, or paid five-star reviews.
- Direct download links shared in chats, comments, or emails that bypass any store review entirely.
Protect yourself by installing only from the official source, which you reach by typing the address yourself or using a bookmark you saved earlier. Check the developer name, the install count, and the review history. Be especially suspicious of a popular wallet that suddenly shows very few downloads, since that is a hallmark of a freshly published clone.
"Verify your wallet" and "wallet is flagged" phishing
A whole family of scams uses fear about your account status. You receive an email, push notification, or pop-up claiming your wallet has been flagged for suspicious activity, failed a security check, or must be verified to comply with new rules. The message pushes you toward a lookalike site.
Once there, you are typically asked to do one of two things, both fatal:
- Enter your recovery phrase into a verification or unlock form, handing your keys straight to the attacker.
- Connect your wallet and approve a transaction that looks like a harmless signature but is actually a token approval granting the attacker permission to spend your assets.
No legitimate service freezes a self-custody wallet, and no blockchain has a central authority that flags individual wallets and asks you to re-verify by typing your words. Treat any unsolicited verify, unlock, or unflag request as phishing. When you do interact with a site, read every signature request carefully and reject anything you do not fully understand.
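The "harmless signature that is really a token approval" pattern is easier to spot once you know what the wallet is being asked to sign. The following added example (not code from the original guide) decodes the calldata of the two standard approval calls, ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)`, and classifies the request the way a careful reader of a signature prompt would: who the spender is, and whether the grant is limited or unlimited. The function selectors are the standard ones for those signatures; the spender addresses and sample calldata are constructed placeholders, and the helper names are my own.

```python
from typing import Dict, Iterable, Optional, Tuple

# Function selectors = first 4 bytes of keccak256(canonical signature).
# These two are the standard token-approval entry points.
SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", "erc20"),
    "a22cb465": ("setApprovalForAll(address,bool)", "nft"),
}
UNLIMITED = 2**256 - 1  # the "infinite allowance" value drainers ask for

# Constructed placeholder addresses (not real contracts or wallets).
TRUSTED_SPENDER = "0x" + "aa" * 20   # e.g. a DEX router you deliberately use
UNKNOWN_SPENDER = "0x" + "11" * 20   # whatever the phishing page supplies


def encode_call(selector: str, address: str, value: int) -> str:
    """ABI-encode (address, uint256) after a selector; used to build samples."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(value, "064x")


# Constructed sample calldata for the scenarios below.
SAMPLE_UNLIMITED_APPROVE = encode_call("095ea7b3", UNKNOWN_SPENDER, UNLIMITED)
SAMPLE_SET_APPROVAL_FOR_ALL = encode_call("a22cb465", UNKNOWN_SPENDER, 1)
SAMPLE_LIMITED_APPROVE = encode_call("095ea7b3", TRUSTED_SPENDER, 500 * 10**6)
SAMPLE_TRANSFER = encode_call("a9059cbb", TRUSTED_SPENDER, 10**18)  # transfer(address,uint256)


def decode_approval(calldata_hex: str) -> Optional[Dict[str, object]]:
    """Return spender and amount for an approval call, or None if not one."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return None
    signature, kind = SELECTORS[selector]
    args = data[4:]
    if len(args) != 64:
        raise ValueError("malformed approval calldata: expected two 32-byte words")
    # An address occupies the low 20 bytes of its 32-byte word.
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:64], "big")
    return {"function": signature, "kind": kind, "spender": spender, "value": value}


def assess_signature_request(calldata_hex: str, trusted_spenders: Iterable[str]) -> Tuple[str, str]:
    """Classify a pending signature as 'ok', 'caution', 'reject' or 'review'."""
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return "review", "not a token approval; still read the whole request"
    spender = str(decoded["spender"])
    value = int(decoded["value"])
    kind = decoded["kind"]
    trusted = spender.lower() in {s.lower() for s in trusted_spenders}
    if value == 0:
        return "ok", f"revokes {spender}'s allowance"
    unlimited = (kind == "erc20" and value == UNLIMITED) or (kind == "nft" and value == 1)
    scope = "every token in the collection" if kind == "nft" else "an unlimited amount"
    if unlimited and not trusted:
        return "reject", f"unknown spender {spender} would control {scope}"
    if unlimited:
        return "caution", f"trusted spender {spender} gets {scope}; prefer a limited allowance"
    if not trusted:
        return "caution", f"unknown spender {spender} gets allowance {value}"
    return "ok", f"trusted spender {spender} gets allowance {value}"


if __name__ == "__main__":
    for name, calldata in [
        ("drainer approve", SAMPLE_UNLIMITED_APPROVE),
        ("drainer setApprovalForAll", SAMPLE_SET_APPROVAL_FOR_ALL),
        ("normal limited approve", SAMPLE_LIMITED_APPROVE),
        ("plain transfer", SAMPLE_TRANSFER),
    ]:
        verdict, reason = assess_signature_request(calldata, [TRUSTED_SPENDER])
        print(f"{name:28s} -> {verdict:8s} {reason}")
```

Wallet prompts show exactly these two fields (spender and amount) for an approval, usually labelled "Permission request" or similar. The rule the code encodes is the one to apply by hand: an unlimited amount, or `setApprovalForAll` set to true, for a spender you did not choose yourself is a drainer, regardless of what the page around the prompt says.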
QR-code and clipboard-hijack variants
Some attacks never ask for your phrase at all. Instead, they quietly redirect funds or trick you into scanning something malicious.
- Clipboard hijacking: malware on your device watches for a copied wallet address and swaps it for the attacker's address at the moment you paste. The two addresses look similar at a glance, so the payment goes to the thief.
- Malicious QR codes: a scanned code may load a phishing site, prefill a payment to the wrong address, or trigger a connection and signature request. Codes posted in public places, sent by strangers, or stuck over a legitimate one are common traps.
- Drainer links behind QR codes: some codes open a wallet-connect prompt that immediately requests a sweeping approval.
Defend against these by always checking the full sending address after you paste, comparing the first and last several characters, and never relying on a glance. Send a small test amount for large or first-time transfers, and only scan QR codes from sources you trust.
Fake hardware-wallet letters and packaging
Hardware wallets are highly secure, so scammers attack the human around the device rather than the device itself. A growing tactic is physical mail and tampered packaging.
- Fake recovery cards: a victim receives a sealed device with a pre-printed seed phrase and a letter saying to use this phrase to set it up. Any phrase someone else generated is already compromised. A real device makes you create the phrase yourself.
- Official-looking letters: printed notices, sometimes referencing a real data breach, instruct you to scan a code or visit a site to secure or update your device, leading to a phishing page or a request for your words.
- Resealed or secondhand devices: a wallet bought from a marketplace or an unofficial reseller may have been opened and preloaded so the attacker already knows the keys.
Buy hardware wallets only from the manufacturer or an authorized reseller, always generate your own recovery phrase on the device, and ignore any phrase that arrives pre-filled. Verify firmware and instructions only through the official companion app you installed yourself.
What legitimate support will never ask
When you can recognize the lines a real support team will never cross, you can dismiss most scams in seconds. Genuine support will never:
- Ask for your seed phrase, recovery words, or private key, in full or in part.
- Ask you to enter your phrase into a form, website, or chat to validate, sync, unlock, or verify anything.
- Send you an unsolicited direct message first and pressure you to act before a deadline.
- Ask for remote control of your screen so they can help you log in.
- Request that you send a deposit, fee, or test transaction to release your own funds.
- Provide a pre-generated recovery phrase for you to use.
Real help is limited to general guidance, public documentation, and questions about non-sensitive details. The instant a conversation touches your recovery words, it is an attack, no matter how official it looks.
Red Flags to Watch For
- ✕ Anyone asks for your seed phrase, recovery words, or private key, even partially.
- ✕ A form, site, or app prompts you to enter your phrase to validate, sync, verify, or unlock.
- ✕ An unsolicited direct message from support that you never contacted.
- ✕ Urgent claims that your wallet is flagged, suspended, or will be locked unless you act now.
- ✕ A pre-printed or pre-filled recovery phrase arrives with a device or in the mail.
- ✕ A connect-wallet prompt that asks you to approve a signature you do not understand.
- ✕ A wallet download from a search ad, chat link, or a clone with few installs.
- ✕ A pasted address that does not exactly match the one you copied.
How to Protect Yourself
- ✓ Never share your seed phrase or private key with anyone, and never type it into a website or chat.
- ✓ Remember that no legitimate support team ever needs or asks for your recovery words.
- ✓ Install wallet apps and extensions only from official stores or the official site, checking developer and install counts.
- ✓ Bookmark the real wallet and exchange sites and use those bookmarks instead of search results or links.
- ✓ Use a hardware wallet for meaningful holdings and always generate the recovery phrase yourself on the device.
- ✓ Ignore unsolicited support DMs and assume any first-contact help offer is a scam.
- ✓ Verify every pasted address character by character and read every signature request before approving.
- ✓ Buy hardware wallets only from the manufacturer or an authorized reseller, never secondhand.
Frequently Asked Questions
Is it ever safe to type my seed phrase into a website?
No. Your recovery phrase belongs only on your own device when you first restore a wallet. No legitimate website, support agent, or app needs it to fix problems, verify, or unlock funds. Any site asking for it is trying to steal your money.
Someone from wallet support messaged me first. Are they real?
Almost certainly not. Reputable teams do not send the first direct message, and they never ask for your phrase. Treat any unsolicited DM claiming to be support as a scam and reach out yourself through the official site or app instead.
I think I already entered my seed phrase somewhere unsafe. What do I do?
Assume the wallet is compromised. On a clean device, create a brand-new wallet with a new recovery phrase and move any remaining funds to it immediately. Never reuse the exposed phrase, since the attacker can drain it at any time.
How can I tell a fake wallet app from the real one?
Reach the app only through the official website you typed yourself or a saved bookmark. Check the developer name, install count, and reviews. Be suspicious of a well-known wallet that shows very few downloads or that you found through an ad or a shared link.
Are hardware wallets enough to keep me safe?
They protect your keys very well, but the human is still the target. Buy only from the manufacturer or an authorized reseller, generate the phrase yourself on the device, and ignore any pre-filled phrase or letter telling you to verify your device through a link.
This guide is general educational information, not financial, legal, or security advice. Crypto transactions are irreversible — always do your own research and verify independently before acting.