As many cryptocurrencies are gaining value, threat actors continue to weaponize cryptocurrency-themed lures to siphon funds from unsuspecting victims — and their tactics are steadily getting more refined. A recent phishing campaign targeting Trust Wallet users demonstrates this shift: clean visuals, proper grammar, and a slick impersonation of an official notification, all disguising a straightforward credential harvesting scam.
The lure is simple: an email appears to come from Trust Wallet and warns the user that their account has not been verified. If action isn’t taken by a stated deadline, the message warns, the wallet will be suspended. To “verify,” users are urged to log in through what’s described as an official portal.
The message is crafted to look legitimate at a glance — featuring familiar branding, clear formatting, and a plausible explanation about new compliance requirements. However, hovering over the link reveals the deceptive payload: the URL leads to https://trustuwallet[.]cc/public/index.html, a spoofed site that has no affiliation with Trust Wallet.

Once clicked, the victim is brought to a convincing clone of the Trust Wallet homepage, urging them to verify their identity either via mobile app or browser extension. The visual design includes stylized illustrations and calls to action, mimicking the Trust Wallet brand.

No matter which “verification” method is selected, the user is directed to the same phishing endpoint — a page that asks for their secret recovery phrase. This phrase is the master key to a user’s wallet and assets. Here, the attackers offer drop-downs to choose between a 12- or 24-word phrase, and even allow the victim to paste it all at once for ease of use.

Once the victim submits this information, the stolen phrase is posted directly to the attackers, who can then immediately drain any cryptocurrency stored in the wallet. These operations are often scripted and occur within minutes of a successful submission.
While phishing kits targeting crypto users are nothing new, what makes this campaign notable is its presentation. The improved visual polish and carefully structured funnel mimic real onboarding and compliance workflows — giving it a greater chance of slipping past both email filters and user skepticism. Yet, technical signals still give it away: nonstandard domain names (.cc), foreign server infrastructure, and an urgency narrative that doesn’t match actual Trust Wallet practices.
For defenders, these phishing attempts underscore the importance of user education, especially for anyone managing self-custodied crypto assets. Legitimate wallet providers will never ask for seed phrases via email. Security teams should update blocklists with indicators like trustuwallet[.]cc, monitor for wallet-themed phishing, and continue reinforcing the golden rule: if someone asks for your recovery phrase, they’re trying to rob you.
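One way to act on the blocklist and monitoring advice above is to check every link in an inbound message for hosts that imitate the brand. The following is an added example, not code from the campaign or from Trust Wallet; the official domain `trustwallet.com`, the similarity threshold, and the sample email are assumptions made for the illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "trustwallet"            # brand label being impersonated
OFFICIAL = {"trustwallet.com"}   # assumption: the vendor's real domain
BLOCKLIST = {"trustuwallet.cc"}  # indicator from the article, refanged
THRESHOLD = 0.85                 # assumption: tune against your own mail flow


class LinkCollector(HTMLParser):
    """Collect href targets from anchor tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def classify_host(host):
    """Return 'official', 'blocklisted', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    if host in OFFICIAL or any(host.endswith("." + d) for d in OFFICIAL):
        return "official"
    if host in BLOCKLIST:
        return "blocklisted"
    # Compare every label, so brand names parked in a subdomain are caught too.
    for label in host.split("."):
        squashed = label.replace("-", "")
        near = SequenceMatcher(None, squashed, BRAND).ratio() >= THRESHOLD
        if BRAND in squashed or near:
            return "lookalike"
    return "unrelated"


def scan_email(html):
    """Return (host, verdict) for each link that is blocklisted or a lookalike."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = [urlsplit(h.replace("[.]", ".")).hostname or "" for h in parser.hrefs]
    verdicts = [(h, classify_host(h)) for h in hosts]
    return [(h, v) for h, v in verdicts if v in ("blocklisted", "lookalike")]


# Constructed sample body; the phishing link is kept defanged and refanged in scan_email.
SAMPLE = ('<p>Your wallet is unverified.</p>'
          '<a href="https://trustuwallet[.]cc/public/index.html">Verify now</a>'
          '<a href="https://trustwallet.com/">Trust Wallet</a>'
          '<a href="https://example.org/unsubscribe">Unsubscribe</a>')
```

The similarity check catches single-character insertions such as the extra "u" in this campaign even before the domain reaches a blocklist; per-label matching is a simplification that does not consult the public suffix list.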