Case #2
SEED-phrase theft

The modern cryptocurrency landscape offers users numerous opportunities but also brings new risks.
One of the most common fraudulent schemes is the theft of a seed phrase — a set of words that serves as the key to restoring access to a crypto wallet.
Scammers use various methods to obtain this valuable information, exploiting trust, negligence, or a lack of security awareness among victims.

Most often, fraudsters set up phishing websites that mimic the interface of popular crypto wallets, or send emails that impersonate technical support and demand that users "verify" their seed phrase to protect their accounts. Social engineering tactics are also widely used: scammers pose as support representatives or even friends, requesting the seed phrase under the guise of urgent assistance.
Interviewing the Victim

AML Crypto was approached by another victim of a fraudulent scheme disguised as "training" in cryptocurrency trading and digital asset security. Thanks to the expertise of our team, the victim was able to share their story, providing as much information as possible about the scammers, their contact details, and the methods they used. As is typical in such cases, the criminals operated professionally, masquerading as cryptocurrency experts and creating an illusion of trustworthy mentorship.


It all started when the victim was searching for information about making money with cryptocurrencies

They explored various available materials but found it challenging to grasp the intricacies of trading independently and did not want to spend too much time on self-study (which turned out to be a mistake). During their search on social media and messaging platforms, they came across an advertisement for "mentors" offering training in crypto trading for a symbolic fee. A friendly and confident "instructor" suggested a Zoom call for an introductory lesson.

During the call, the scammers spent several hours explaining the basic principles of trading and security—likely to create a false sense of trust and lower the victim’s guard. As one of the first steps, they convinced the victim to create a MetaMask crypto wallet, explaining that it was essential for working with cryptocurrencies. Following their instructions, the victim installed the wallet and began setting it up while sharing their screen for "assistance." At that moment, the scammers asked them to save the seed phrase, explaining that it was the key to recovering access. However, the scammers had already seen this phrase, as it was displayed on the screen during the setup process.

To avoid raising suspicion, the scammers emphasized that the next important step was setting a password, which they claimed would secure the wallet. Following their instructions, the victim stopped screen sharing and created a personal password, believing that they were the only one with access to the wallet. However, this was a deception: the password only protects the wallet on a specific device, while knowledge of the seed phrase allows full control over the funds from any device.
After completing the training, the victim transferred funds from their exchange account to the new MetaMask wallet, believing that they were now securely managing their cryptocurrency. However, they soon discovered that their balance had been drained—the funds were instantly withdrawn. Shocked by the loss, they attempted to recover access but found that the scammers had already used the seed phrase to log in from another device and had set their own password. In blockchain security, a seed phrase is far more critical than a password for a wallet service.
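
Why the password did not help, shown as an added example that is not part of the original case write-up: in a wallet that follows BIP-39 and BIP-32, the keys are derived from the seed phrase alone, while the app password only protects local storage. The mnemonic is the public BIP-39 test phrase, the passwords are constructed, and local_vault_key is a simplified, hypothetical model of local password protection, not MetaMask's code.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample: the public BIP-39 test mnemonic, never a real wallet.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    def norm(text):
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               norm("mnemonic" + passphrase), 2048, 64)


def bip32_master(seed):
    """BIP-32 master private key and chain code derived from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def local_vault_key(app_password, install_salt):
    """Hypothetical model: key that encrypts the wallet file on ONE device."""
    return hashlib.pbkdf2_hmac("sha256", app_password.encode("utf-8"),
                               install_salt, 100_000, 32)


def restore_on_device(mnemonic, app_password):
    """Restore a wallet on a fresh install. The app password never enters the
    key derivation; it only produces a device-local storage key."""
    master_key, _chain_code = bip32_master(bip39_seed(mnemonic))
    vault_key = local_vault_key(app_password, os.urandom(16))
    return master_key, vault_key


if __name__ == "__main__":
    first_key, _ = restore_on_device(MNEMONIC, "first-device-password")
    second_key, _ = restore_on_device(MNEMONIC, "second-device-password")
    print("same wallet keys on both devices:", first_key == second_key)
```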

Realizing they had fallen victim to a scam, the individual turned to AML Crypto for help. Our specialists began analyzing the situation, tracking the transactions, and attempting to determine where the stolen funds had gone. The primary objectives were to trace the financial flow, identify where the stolen assets were transferred, find potential leads for unmasking the scammers, and warn other users about this type of fraud.

Blockchain Investigation

The final transaction flow graph illustrates the movement of stolen funds:

Step 1: Theft and Obfuscation
The investigation revealed that the scammer employed several techniques to cover their tracks and make transaction tracing more difficult. One such tactic involved creating multiple blockchain addresses to shuffle the stolen funds. Initially, they divided the funds into smaller amounts, distributing them across several addresses. Afterward, they either sent these funds to new addresses or consolidated them in specific wallets, attempting to build a complex network of transactions to obscure the final recipient.
The transaction graph shows that the first stage of the investigation ends with addresses that split the stolen funds across multiple scammer-controlled addresses (addresses [3], [4], [5], [6], [7], [8], [9]). Our data allowed us to determine that address [11] is a deposit address on Binance, which means that even at this early stage, the scammer transferred a portion of the stolen funds to a centralized exchange. Based on this data, we could already contact Binance to request a freeze on the funds pending further investigation.
Centralized Exchange (CEX) — A cryptocurrency trading platform managed by a central authority or organization. On such platforms, users (including scammers) provide personal and contact information.
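
The forward tracing described in Step 1, as an added example rather than AML Crypto's own tooling: funds are followed from the victim's address through splits and consolidations until they come to rest at a labelled exchange deposit address. All addresses, amounts and exchange labels are constructed placeholders, and pro rata attribution is an assumption chosen for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount). Labels are
# placeholders, not the addresses from this case.
TRANSFERS = [
    ("victim", "hop_1", 10.0),
    ("hop_1", "split_a", 4.0), ("hop_1", "split_b", 3.0), ("hop_1", "split_c", 3.0),
    ("split_a", "cex_deposit_1", 4.0),
    ("split_b", "merge_1", 3.0), ("split_c", "merge_1", 3.0),
    ("merge_1", "cex_deposit_2", 5.0), ("merge_1", "unknown_1", 1.0),
]
# Hypothetical attribution labels of the kind an analytics tool supplies.
EXCHANGE_LABELS = {"cex_deposit_1": "Exchange A", "cex_deposit_2": "Exchange B"}


def trace_funds(transfers, source, labels):
    """Follow funds forward from `source`, pro rata over each address's
    outflows (an assumption), and return {endpoint: (label, amount)}."""
    out = defaultdict(list)
    for sender, receiver, amount in transfers:
        if sender not in labels:  # stop at an exchange: funds are pooled there
            out[sender].append((receiver, amount))
    reachable, stack = {source}, [source]
    while stack:  # ignore transfers unrelated to the stolen funds
        for receiver, _ in out[stack.pop()]:
            if receiver not in reachable:
                reachable.add(receiver)
                stack.append(receiver)
    indeg = defaultdict(int)
    for sender in reachable:
        for receiver, _ in out[sender]:
            indeg[receiver] += 1
    tainted = defaultdict(float)
    tainted[source] = sum(amount for _, amount in out[source])
    endpoints, queue, done = {}, deque([source]), 0
    while queue:  # topological order, so consolidations see all their inputs
        node = queue.popleft()
        done += 1
        total_out = sum(amount for _, amount in out[node])
        if total_out == 0:
            endpoints[node] = (labels.get(node, "unattributed"), round(tainted[node], 8))
        for receiver, amount in out[node]:
            tainted[receiver] += tainted[node] * amount / total_out
            indeg[receiver] -= 1
            if indeg[receiver] == 0:
                queue.append(receiver)
    if done != len(reachable):
        raise ValueError("cycle in transfer graph: review manually")
    return endpoints
```

Endpoints labelled with an exchange are the ones a freeze request can target; "unattributed" endpoints are where tracing has to continue.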
Step 2: Laundering the Stolen Funds Through Centralized Services
This series of concealed transactions was carefully planned to make tracing cryptocurrency movement more challenging. However, despite the scammers' attempts to obfuscate the flow of funds, high-quality analytical tools enabled us to track the transactions. Ultimately, all stolen assets were transferred to centralized cryptocurrency exchanges such as Binance, Bybit, and KuCoin, where the scammer attempted to convert the illicit funds into fiat currency.
Thanks to AML Crypto's swift response and close cooperation with law enforcement, we were able to promptly and correctly file requests to the involved exchanges to freeze the funds. As a result of these actions, after reviewing all transactions and analyzing the movement of funds, we were able to identify the scammer. Based on this evidence, the necessary legal steps were taken to recover the stolen funds and return them to the victim.
This case clearly demonstrates the importance of understanding the field you are dealing with and of being cautious with promises of easy money. It also shows how rapid and professional intervention, along with following the correct investigative procedures, can lead to a successful resolution, even in complex cases of cryptocurrency fraud.
Recommendations:
How to Avoid Seed Phrase Scams and Protect Your Funds
Never share your seed phrase with anyone
Your seed phrase is the only way to recover access to your crypto wallet. If someone obtains it, they gain full control over your funds. Even crypto wallet providers, exchanges, or support teams will never ask for your seed phrase.
Do not store your seed phrase digitally
Keep your seed phrase offline: write it down on paper and store it in a secure location. Avoid storing it in cloud services, smartphone notes, screenshots, or text files on your computer.
Never share your screen when working with a crypto wallet
Do not enable screen sharing in Zoom, Skype, Discord, or other services when setting up or using your wallet. Scammers can record your seed phrase and steal your funds.
Be cautious of online "mentors"
Do not trust individuals offering "free training" or instructing you to create a crypto wallet during a call. Research the reputation of any services, consultants, or groups you interact with.
Incident results: positive
The stolen funds were recovered and returned to the client
Crypto trading education can turn into a trap if you do not follow basic security rules. The key takeaway is: never share your seed phrase with anyone, as its compromise grants full control over your assets.
