Look at almost any devastating crypto loss and you find the same story underneath: someone got hold of the victim's seed phrase or private key. A stolen credit card has a bank you can call and a chargeback you can file. A blockchain transaction has neither. Whoever holds the keys holds the money, and that is permanent.
The cryptography is genuinely hard to break, so attackers stopped trying. They went after people instead. They pose as wallet support teams, build fake apps that look like the real thing, and write urgent messages engineered to make you hand over your recovery words or approve a transaction you shouldn't. Here is the encouraging part: almost all of these attacks depend on one mistake, which is you sharing or entering something that should never leave your control.
This guide explains what a seed phrase actually is, walks through the scams you are most likely to meet, and ends with a short list of habits that shut down the vast majority of them.
What a seed phrase is and the one golden rule
A seed phrase, sometimes called a recovery phrase or mnemonic, is usually a list of 12 or 24 ordinary words. Those words are just a human-readable version of the master private key that controls your wallet. Hand the words to anyone and they can rebuild your wallet on any device and move out everything inside it. A private key does the same job for a single account.
From that one fact comes the most important rule in self-custody:
- Never share your seed phrase or private key with anyone, for any reason.
- Never type it into a website, chat, form, app, or pop-up. Your real wallet asks for it exactly once, on your own device, the first time you restore an existing wallet.
- Legitimate apps never need your phrase to fix a bug, unlock funds, validate, sync, migrate, or verify anything.
- Store it offline, on paper or metal, where no camera, screen, or cloud service can capture it.
If you take away one idea from this guide, take this one: the request itself is the attack. The moment anyone or anything asks for your recovery words, you already have your answer. It is a scam.
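To make concrete why the words are the key, here is an added Python example (not part of this guide) that performs the BIP39 derivation every wallet performs: the normalized words are stretched with PBKDF2-HMAC-SHA512 into a 64-byte seed, and BIP32 turns that seed into the master private key. The mnemonic used is the public BIP39 reference test vector, a constructed sample that controls no real funds.

```python
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512(NFKD(words), "mnemonic" + NFKD(passphrase), 2048 rounds, 64 bytes).
    Deterministic: anyone holding the same words computes the same seed on any device."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split())).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def master_key_from_seed(seed: bytes) -> tuple:
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed". Left half is the master private key,
    right half the chain code; every account key in the wallet descends from these."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def rebuild_wallet(mnemonic: str, passphrase: str = "") -> str:
    """What a wallet, or whoever got the words, does with them: the master private key as hex."""
    key, _chain_code = master_key_from_seed(mnemonic_to_seed(mnemonic, passphrase))
    return key.hex()


# Constructed sample: the public BIP39 reference test vector (controls no real funds).
SAMPLE_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    print("seed:", mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR").hex())
    # Same words anywhere give the same key; one altered word gives an unrelated key.
    print(rebuild_wallet(SAMPLE_MNEMONIC) == rebuild_wallet(SAMPLE_MNEMONIC))
    print(rebuild_wallet(SAMPLE_MNEMONIC) != rebuild_wallet(SAMPLE_MNEMONIC.replace("about", "zoo")))
```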
Fake support impersonators
The attack you will see most often is a stranger pretending to be official support. Scammers watch public posts where people complain about a stuck transaction or a wallet error, then slide in claiming to be from the wallet's team. They are patient, polite, and professional. That is precisely why it works.
Watch for these patterns:
- Unsolicited direct messages on X, Discord, Telegram, or Instagram from accounts using a real brand's logo and a near-identical name.
- Fake support tickets and help desks that route you to a bot, a Google Form, or a chat where an agent asks you to verify your identity by entering your recovery phrase.
- Validation, sync, or migration forms that claim your wallet must be re-validated to keep working, then present a field for your 12 or 24 words.
- Urgency and authority cues such as warnings that your funds will be locked, an account suspended, or a deadline is approaching.
Real teams usually do not send the first message, do not ask you to move to a private channel to fix a public problem, and never request your phrase. Most reputable projects say so flatly: their staff will never DM you first.
Fake wallet apps and browser extensions
Attackers publish counterfeit wallet apps and extensions that look identical to the real product. Create or import a wallet inside one of these and the seed phrase is quietly shipped off to the attacker, who empties the funds within seconds.
These fakes spread through several channels:
- Sponsored search ads that sit above the genuine result and link to a copycat download page.
- App stores and extension stores where a clone slips past review using a slightly altered name, a fake developer account, or paid five-star reviews.
- Direct download links shared in chats, comments, or emails that bypass any store review entirely.
Install only from the official source, which you reach by typing the address yourself or tapping a bookmark you saved earlier. Check the developer name, the install count, and the review history. Be especially wary of a popular wallet that suddenly shows very few downloads, because that is the signature of a freshly published clone.
"Verify your wallet" and "wallet is flagged" phishing
A whole family of scams runs on fear about your account status. An email, push notification, or pop-up tells you your wallet has been flagged for suspicious activity, failed a security check, or must be verified to comply with new rules. The message steers you toward a lookalike site.
Once there, you are typically asked to do one of two things, both fatal:
- Enter your recovery phrase into a verification or unlock form, handing your keys straight to the attacker.
- Connect your wallet and approve a transaction that looks like a harmless signature but is actually a token approval granting the attacker permission to spend your assets.
No legitimate service freezes a self-custody wallet, and no blockchain has a central authority that flags individual wallets and asks you to re-verify by typing your words. Treat any unsolicited verify, unlock, or unflag request as phishing. When you do interact with a site, read every signature request carefully and reject anything you do not fully understand.
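To show what "a signature that is actually a token approval" looks like underneath, here is an added Python example (not from this guide) that decodes the two approval calls such a prompt most often hides, ERC-20 approve and ERC-721/1155 setApprovalForAll, and triages them by spender and allowance size. The calldata, the 0x1111... spender and the trusted list are constructed placeholders.

```python
from typing import Optional

# Selectors: first 4 bytes of keccak256 over the canonical function signature.
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
UNLIMITED = 2**256 - 1


def decode_approval(calldata_hex: str) -> Optional[dict]:
    """Decode an ERC-20 approve or an ERC-721/1155 setApprovalForAll call; None for anything else."""
    data = calldata_hex.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    if len(args) != 128:                        # both calls carry exactly two 32-byte ABI words
        return None
    spender = "0x" + args[24:64]                # an address is right-aligned in its 32-byte word
    if selector == APPROVE_SELECTOR:
        amount = int(args[64:128], 16)
        return {"kind": "approve", "spender": spender, "amount": amount,
                "unlimited": amount == UNLIMITED}
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR:
        approved = int(args[64:128], 16) == 1   # true: operator may move every token in the collection
        return {"kind": "setApprovalForAll", "spender": spender, "approved": approved,
                "unlimited": approved}
    return None


def classify(calldata_hex: str, trusted_spenders) -> str:
    """Triage a signature request: who receives the allowance, and how much of it."""
    d = decode_approval(calldata_hex)
    if d is None:
        return "not an approval"
    if d["spender"] not in {s.lower() for s in trusted_spenders}:
        return "reject: allowance to an unknown spender"
    if d["unlimited"]:
        return "caution: unlimited allowance"
    return "ok: limited allowance to a known spender"


def _word(value: int) -> str:
    return format(value, "064x")                # one ABI word as 64 hex characters


# Constructed samples with a placeholder spender (0x1111...), not a real contract.
PLACEHOLDER_SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVE = "0x" + APPROVE_SELECTOR + _word(int(PLACEHOLDER_SPENDER, 16)) + _word(UNLIMITED)
LIMITED_APPROVE = "0x" + APPROVE_SELECTOR + _word(int(PLACEHOLDER_SPENDER, 16)) + _word(1000)
OPERATOR_APPROVE = "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + _word(int(PLACEHOLDER_SPENDER, 16)) + _word(1)
PLAIN_TRANSFER = "0xa9059cbb" + _word(int(PLACEHOLDER_SPENDER, 16)) + _word(1000)  # transfer(address,uint256)
```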
QR-code and clipboard-hijack variants
Some attacks never ask for your phrase at all. They quietly reroute funds or get you to scan something malicious.
- Clipboard hijacking: malware on your device watches for a copied wallet address and swaps it for the attacker's address at the moment you paste. The two addresses look similar at a glance, so the payment goes to the thief.
- Malicious QR codes: a scanned code may load a phishing site, prefill a payment to the wrong address, or trigger a connection and signature request. Codes posted in public places, sent by strangers, or stuck over a legitimate one are common traps.
- Drainer links behind QR codes: some codes open a wallet-connect prompt that immediately requests a sweeping approval.
Your defense is simple. After you paste, check the full receiving address and compare the first and last several characters, every time, not just at a glance. Send a small test amount before large or first-time transfers, and only scan QR codes from sources you trust.
Fake hardware-wallet letters and packaging
Hardware wallets are very secure, so scammers go after the human around the device instead of the device itself. One tactic that keeps growing is physical mail and tampered packaging.
- Fake recovery cards: a victim receives a sealed device with a pre-printed seed phrase and a letter saying to use this phrase to set it up. Any phrase someone else generated is already compromised. A real device makes you create the phrase yourself.
- Official-looking letters: printed notices, sometimes referencing a real data breach, instruct you to scan a code or visit a site to secure or update your device, leading to a phishing page or a request for your words.
- Resealed or secondhand devices: a wallet bought from a marketplace or an unofficial reseller may have been opened and preloaded so the attacker already knows the keys.
Buy hardware wallets only from the manufacturer or an authorized reseller, always generate your own recovery phrase on the device, and ignore any phrase that arrives pre-filled. Check firmware and instructions only through the official companion app you installed yourself.
What legitimate support will never ask
Learn the lines a real support team will never cross and you can throw out most scams in seconds. Genuine support will never:
- Ask for your seed phrase, recovery words, or private key, in full or in part.
- Ask you to enter your phrase into a form, website, or chat to validate, sync, unlock, or verify anything.
- Send you an unsolicited direct message first and pressure you to act before a deadline.
- Ask for remote control of your screen so they can help you log in.
- Request that you send a deposit, fee, or test transaction to release your own funds.
- Provide a pre-generated recovery phrase for you to use.
Real help stays within general guidance, public documentation, and questions about non-sensitive details. The instant a conversation touches your recovery words, it is an attack, no matter how official it looks.
Red Flags to Watch For
- ✕ Anyone asks for your seed phrase, recovery words, or private key, even partially.
- ✕ A form, site, or app prompts you to enter your phrase to validate, sync, verify, or unlock.
- ✕ An unsolicited direct message from support that you never contacted.
- ✕ Urgent claims that your wallet is flagged, suspended, or will be locked unless you act now.
- ✕ A pre-printed or pre-filled recovery phrase arrives with a device or in the mail.
- ✕ A connect-wallet prompt that asks you to approve a signature you do not understand.
- ✕ A wallet download from a search ad, chat link, or a clone with few installs.
- ✕ A pasted address that does not exactly match the one you copied.
How to Protect Yourself
- ✓ Never share your seed phrase or private key with anyone, and never type it into a website or chat.
- ✓ Remember that no legitimate support team ever needs or asks for your recovery words.
- ✓ Install wallet apps and extensions only from official stores or the official site, checking developer and install counts.
- ✓ Bookmark the real wallet and exchange sites and use those bookmarks instead of search results or links.
- ✓ Use a hardware wallet for meaningful holdings and always generate the recovery phrase yourself on the device.
- ✓ Ignore unsolicited support DMs and assume any first-contact help offer is a scam.
- ✓ Verify every pasted address character by character and read every signature request before approving.
- ✓ Buy hardware wallets only from the manufacturer or an authorized reseller, never secondhand.
Frequently Asked Questions
Is it ever safe to type my seed phrase into a website?
No. Your recovery phrase belongs on your own device, and only when you first restore a wallet. No legitimate website, support agent, or app needs it to fix problems, verify, or unlock funds. Any site asking for it is trying to steal your money.
Someone from wallet support messaged me first. Are they real?
Almost certainly not. Reputable teams do not send the first direct message, and they never ask for your phrase. Treat any unsolicited DM claiming to be support as a scam, and reach out yourself through the official site or app instead.
I think I already entered my seed phrase somewhere unsafe. What do I do?
Assume the wallet is compromised. On a clean device, create a brand-new wallet with a new recovery phrase and move any remaining funds to it right away. Never reuse the exposed phrase, since the attacker can drain it at any time.
How can I tell a fake wallet app from the real one?
Reach the app only through the official website you typed yourself or a saved bookmark. Check the developer name, install count, and reviews. Be wary of a well-known wallet that shows very few downloads, or one you found through an ad or a shared link.
Are hardware wallets enough to keep me safe?
They protect your keys very well, but you are still the target. Buy only from the manufacturer or an authorized reseller, generate the phrase yourself on the device, and ignore any pre-filled phrase or letter telling you to verify your device through a link.
This guide is general educational information, not financial, legal, or security advice. Crypto transactions are irreversible; always do your own research and verify independently before acting.