[ Case File · CSL-2026-0418 · Seed-Phrase Wallet-Drainer ]

Fluxcrypto: A Fake ‘Wallet Sync’ That Emptied a Self-Custody Wallet

Fluxcrypto’s support page promised to ‘sync’ a stuck wallet. Ninety seconds after a Leeds nurse entered her recovery phrase, £29,800 was gone.

Operator: Fluxcrypto
Vector: Seed-Phrase Wallet-Drainer
Instrument: ETH + USDT (ERC-20)
Reported Loss: £29,800 GBP
Sealed On: 18 Apr 2026
Status: 26% recovered
Claimant: Retired nurse, Leeds UK

Point of Entry

A retired nurse in Leeds couldn’t get her hardware wallet to connect. She searched for help and landed on Fluxcrypto’s polished ‘wallet sync’ page with a live chat agent.

The agent told her the fix was to re-validate her wallet by entering her twelve-word recovery phrase. She did.

Where Custody Broke

The phrase was everything the operators needed. A drainer imported her wallet, granted itself unlimited approval, and swept her ETH and USDT — pushing the ETH through decentralised swaps in under two minutes.

By the time the ‘agent’ went quiet, the wallet was empty.

“He sounded like real support — calm and technical. The help I went looking for was the trap.” — Janet H., Leeds

The Recovery Ledger

  1. L01 Intake & capture. We recorded the malicious approval, the sweep transactions, and the Fluxcrypto domain that had captured the seed phrase.
  2. L02 Damage scoping. The ETH was gone into swaps within minutes; the USDT leg paused in a consolidation wallet.
  3. L03 Issuer & VASP route. Because USDT is centrally issued, we built the freeze around the stablecoin tranche and the one exchange it touched.
  4. L04 Freeze request. We submitted the trace, the approval-revocation proof, and the victim statement to the exchange and the issuer.
  5. L05 Recovery. Only the USDT that reached a compliant venue could be frozen and partially returned; the swapped ETH was unreachable.

Funds Returned to Claimant: 26%

An honest, low recovery. Wallet-drainers are the hardest breach to reverse; only the USDT tranche that reached a compliant exchange could be frozen.

Breach Signatures

  • A search result or ad impersonating wallet or exchange support.
  • Any ‘support’ that asks you to enter or re-validate your recovery phrase.
  • A live chat manufacturing urgency around a routine problem.
  • A domain close to, but not exactly, an official one.
  • A ‘fix’ that means typing your seed into a website instead of your device.

Entered your seed phrase somewhere you shouldn’t have?

Speed decides everything with a drainer. If any funds touched a regulated exchange, there may be a window to freeze them.
