The 10 social-engineering patterns

All ten have the same outcome (seed extracted, wallet drained). The technical pretext differs:

  1. Fake support DM — you post a public wallet problem; a "helper" DMs offering to assist; they direct you to a "support form" with a seed-phrase field.
  2. Fake recovery page — clone of a legitimate wallet site asking you to "restore your wallet" by entering the seed phrase.
  3. Fake validation — "verify your wallet to claim airdrop / participate in launch / qualify for staking rewards".
  4. Fake wallet upgrade — "enter your seed phrase to upgrade to the new wallet version with [feature]".
  5. Fake mobile sync — "sync your wallet to your phone by entering the seed phrase here".
  6. Fake migration — "wallet provider is migrating infrastructure; enter your seed to keep your funds".
  7. Fake unlock — "your wallet has been locked for security reasons; enter your seed to unlock".
  8. Fake KYC compliance — "regulatory compliance requires seed-phrase verification under UK / EU rules".
  9. Fake transaction refund — "enter your seed to receive crypto refund for the compromised transaction".
  10. Fake recovery scam — "we can recover your stolen funds; enter your seed phrase to authorise the recovery process".

Pattern 10 is especially cruel — it specifically targets victims who have already been scammed, exploiting the desperation of recent loss to extract the seed phrase for a second drain.

Why the single rule works

Self-custody crypto wallets (MetaMask, Phantom, Trust, Trezor, Ledger, etc.) work on the principle that only you control your funds. The wallet software doesn't have your seed; it doesn't store it on a server; it doesn't have a support team that can access your wallet. The seed phrase is the cryptographic master key — the only thing standing between funds and unauthorised access.

This means: any legitimate operation that requires moving / accessing / unlocking / verifying your wallet happens through wallet software using a signature or password — not by sharing the seed. The wallet itself uses the seed internally; it never needs you to share it.

If someone is asking you to share your seed phrase, by any method, in any context, it's because they want the same access to your wallet that you have. There is no legitimate exception to this rule.

What if the request seems super-official?

The most convincing scams will:

  • Use real branding stolen from legitimate wallet providers (MetaMask, Ledger, Trezor)
  • Reference specific recent events ("you just made a transaction", "your wallet just connected to a known scam contract")
  • Use urgency language ("act within 24 hours or your funds will be lost")
  • Appear as a popup inside what looks like the legitimate wallet UI
  • Come from a "verified" Twitter/Discord account (handle verification can be faked or hijacked)
  • Use technical-sounding language ("blockchain validation", "node synchronisation", "key rotation")

None of this changes the rule. Legitimacy of the requester is irrelevant to seed-phrase security. Even if the request came from the actual founder of MetaMask in person, sharing the seed would still be wrong — because no legitimate process requires it.

How to store your seed phrase

Offline, physically, in at least two locations. Best practices:

Acceptable storage

  • Paper, in a fireproof safe. Cheap and effective. Use a pen that won't fade; keep dry.
  • Metal plate (Cryptotag, Cryptosteel, Billfodl). £40-150; resistant to fire, water, time. The gold standard.
  • Split via Shamir's Secret Sharing (SLIP-39). Trezor supports it; advanced users only. Splits the seed into M shares of which any N reconstruct it (N-of-M), so no single location holds the full phrase.
  • Two separate physical locations. Home + bank safety deposit box, or trusted relative's house. Survives accidental destruction (fire, flood).

Unacceptable storage

  • Screenshots on phone or computer. Phones get hacked; computers get compromised; cloud backups sync your seed phrase to remote servers.
  • Cloud notes (iCloud Notes, Google Docs, Dropbox). Cloud accounts get compromised; the seed should never touch any remote server.
  • Email drafts. Same risk as cloud notes.
  • Standard password managers (LastPass, 1Password) for amounts above what you can afford to lose. Password-manager-grade encryption is good but not perfect; high-value seeds belong on a hardware wallet.
  • Anywhere connected to the internet, ever. The seed phrase is air-gapped or it's not safe.

If your seed phrase has been stolen

  1. Move ALL funds to a fresh wallet with a brand-new seed phrase. Generate the new wallet on a fresh device if possible. Race the attacker; pay high gas to outrun them.
  2. Never reuse the compromised seed phrase for any wallet, ever. It's permanently burned.
  3. Save evidence — the conversation/website/phishing source, transaction hashes after the drain, attacker wallet addresses.
  4. Treat the device as potentially malware-infected. Reinstall the wallet on a fresh device or after a clean OS install.
  5. File a report with Report Fraud at reportfraud.police.uk.
  6. Blockchain forensics plus a specialist solicitor for tracing and recovery: Chainalysis, TRM Labs or OXT for tracing; TLW, CEL or Hugh James for legal action on a no-win-no-fee basis.
  7. If the funds originally came from a UK bank transfer, start a PSR claim using our PSR claim wizard.
  8. Watch for recovery scams; seed-phrase-loss victims are heavily targeted (pattern 10 in the list above; see the recovery scam warning).
  9. Mental-health support: crypto loss combined with feeling foolish for sharing the seed is a documented mental-health trigger. Samaritans 116 123 (free, 24/7); Victim Support 0808 16 89 111. See the mental-health recovery routine.

Frequently asked questions

What is a seed phrase?

A seed phrase (also called recovery phrase, secret recovery phrase, mnemonic phrase, 12-word or 24-word phrase) is a sequence of words that represents the cryptographic master key to your crypto wallet. Whoever knows your seed phrase has full and irrevocable access to all funds in the wallet. The seed phrase is generated when you create a new wallet; it never needs to be changed; it is the same regardless of which wallet software you use to access the funds. The standard BIP39 wordlist contains 2,048 words; phrases are typically 12 or 24 words long.
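The answer above and the "Why the single rule works" section both say the seed phrase is the master key itself, not a login to anything. This added example (not code from the guide, and not any wallet's code) shows what a BIP39 phrase actually encodes: raw random entropy plus a short SHA-256 checksum, cut into 11-bit word indices, which is why 2,048 words fit 12 or 24 positions. It works on word indices rather than words, because the official English wordlist is not embedded; the four demo words are its first four entries, included only so the all-zero test vector can be displayed. Using the real wordlist is left as an assumption.

```python
from __future__ import annotations
import hashlib

# Added example, not part of this guide: what a BIP39 seed phrase encodes.
# A phrase is random entropy plus a short SHA-256 checksum, cut into 11-bit
# word indices (2**11 == 2048, the size of the wordlist). The official
# English wordlist is not embedded here; DEMO_WORDS holds only its first
# four entries so the worked vector below can be shown as words.

WORD_BITS = 11
VALID_ENTROPY_BYTES = {16: 12, 20: 15, 24: 18, 28: 21, 32: 24}  # bytes -> words
DEMO_WORDS = {0: "abandon", 1: "ability", 2: "able", 3: "about"}  # indices 0-3 only


def _checksum_bits(entropy: bytes, cs_bits: int) -> int:
    """Top cs_bits bits of SHA-256(entropy); cs_bits is entropy_bits / 32."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Encode 128..256 bits of entropy as BIP39 word indices (each 0..2047)."""
    if len(entropy) not in VALID_ENTROPY_BYTES:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                       # 4 bits for 12 words, 8 for 24
    combined = (int.from_bytes(entropy, "big") << cs_bits) | _checksum_bits(entropy, cs_bits)
    total_bits = ent_bits + cs_bits
    n_words = total_bits // WORD_BITS
    return [(combined >> (total_bits - WORD_BITS * (i + 1))) & 0x7FF for i in range(n_words)]


def indices_valid(indices: list[int]) -> bool:
    """Recompute the checksum from word indices. False means a mistyped, missing
    or reordered word; wallet software rejects such a phrase on restore."""
    n_words = len(indices)
    if n_words not in VALID_ENTROPY_BYTES.values():
        return False
    if any(not 0 <= idx < 2 ** WORD_BITS for idx in indices):
        return False
    cs_bits = n_words // 3                         # 12 -> 4, 15 -> 5, ..., 24 -> 8
    ent_bits = n_words * WORD_BITS - cs_bits
    combined = 0
    for idx in indices:
        combined = (combined << WORD_BITS) | idx
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    return (combined & ((1 << cs_bits) - 1)) == _checksum_bits(entropy, cs_bits)


def demo_phrase(indices: list[int]) -> str:
    """Render indices as words; only the four demo indices are known here."""
    return " ".join(DEMO_WORDS.get(i, f"<word #{i}>") for i in indices)


if __name__ == "__main__":
    # Constructed input: the all-zero 128-bit entropy from the BIP39 test vectors.
    idx = entropy_to_indices(bytes(16))
    print(demo_phrase(idx))           # prints "abandon" eleven times, then "about"
    print(indices_valid(idx))         # True
    print(indices_valid([0] * 12))    # False: the checksum word was changed
```

The checksum is what lets wallet software refuse a phrase with a typo on restore; it is not a secret and gives no protection against disclosure. Everything that matters is the entropy bits, and anyone holding the words holds those bits, which is the whole reason the single rule has no exceptions.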

What's the single rule?

Your seed phrase never needs to be entered anywhere except into wallet software (MetaMask, Phantom, Trust, etc.) during initial setup OR restore — both initiated by you, on your device. Anyone — ANYONE — asking you to share, enter, validate, verify, or type your seed phrase elsewhere is trying to steal your funds. No legitimate process needs it. No support team needs it. No 'security validation' needs it. No 'wallet upgrade' needs it. No 'airdrop claim' needs it. No 'staking dashboard' needs it. The single rule is: if someone is asking for the seed phrase, the answer is no, every time, no exceptions.

What are the common social-engineering patterns?

Ten patterns. (1) Fake support — DM after you post a public wallet problem. (2) Fake recovery page — 'restore your wallet' on a clone site. (3) Fake validation — 'verify your wallet to claim airdrop'. (4) Fake upgrade — 'enter your seed to upgrade to new wallet version'. (5) Fake sync — 'sync your wallet to mobile by entering seed'. (6) Fake migration — 'wallet provider is migrating, enter seed to keep funds'. (7) Fake unlock — 'your wallet has been locked for security, enter seed to unlock'. (8) Fake compliance — 'KYC requires seed phrase verification'. (9) Fake refund — 'enter seed to receive crypto refund for compromised transaction'. (10) Fake recovery scam — 'we can recover your stolen funds; enter seed to authorise recovery'. All ten are theft; the technical name is different but the mechanism is identical (extract seed = drain wallet).

What if a 'support agent' insists they need it?

They're a scammer. Block them. No legitimate process needs your seed phrase shared. Wallet software (MetaMask, Phantom, Trust, etc.) doesn't have support teams that contact users about specific wallet contents — they don't have access to your wallet because the wallet is self-custody. Exchange support (Coinbase, Kraken, Binance) might ask for KYC documents but never your seed phrase, because exchanges don't use seed phrases to access your account. If anyone is insistent or aggressive about needing it, that is itself the strongest possible confirmation they're a scammer.

My seed phrase has been stolen — what now?

Assume immediate full wallet compromise. Act in this order. (1) Move ALL funds to a fresh wallet with a new seed phrase. Race the attacker; pay high gas. Some victims save substantial value in the first 60 seconds. (2) Never reuse the compromised seed phrase. Treat it as permanently burned. (3) Save evidence: the conversation, the website used, transaction hashes, attacker addresses. (4) Treat the device as potentially malware-infected. Use a different device for the new wallet. (5) File a report with Report Fraud at reportfraud.police.uk. (6) Specialist crypto-tracing solicitor (TLW, CEL) on a no-win-no-fee basis. (7) If the funds originally came from a UK bank transfer, start a PSR claim. (8) Watch for recovery scams; drained-wallet victims are heavily targeted. Funds lost through a stolen seed phrase are generally unrecoverable, but acting in this order stops further damage.

How should I store my seed phrase?

Offline, physically, in at least two locations. Best options: (1) Written on paper, stored in a fireproof safe. (2) Engraved or stamped on a metal plate (Cryptotag, Cryptosteel, Billfodl) — resistant to fire and water. (3) Split across multiple locations using SLIP-39 (Shamir's Secret Sharing) — recovery requires N-of-M shares, no single location holds the full phrase. NEVER store digitally — no screenshots, no cloud notes, no email drafts, no password-manager entries except specifically-encrypted secrets-only managers (and even then it's risk-weighted). Two locations means survival of accidental destruction. Never share your seed phrase even with family members unless you're sure they understand the risk.
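Both the "Acceptable storage" list and the answer above describe an N-of-M split of the seed, where any N of M shares reconstruct it and fewer do not. This added example (not code from the guide, and not SLIP-39 itself) is a plain Shamir secret-sharing split over a prime field, written to show that threshold property on constructed entropy bytes. SLIP-39 uses a different field (GF(256)), its own wordlist and share format, so this is an illustration of the idea only; for a real seed, use the wallet's built-in SLIP-39 backup.

```python
from __future__ import annotations
import secrets

# Added example, not the guide's code and not SLIP-39 itself: a plain Shamir
# secret-sharing split over a prime field, to show the N-of-M property the
# guide describes. SLIP-39 uses its own field (GF(256)), wordlist and share
# format; use a wallet's built-in SLIP-39 backup for real seeds.

PRIME = 2 ** 521 - 1   # Mersenne prime, comfortably larger than 256-bit entropy


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, total: int) -> list[tuple[int, int]]:
    """Return `total` shares (x, y); any `threshold` of them recover the secret."""
    if not 1 < threshold <= total:
        raise ValueError("need 1 < threshold <= total shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # The secret is the constant term; the other coefficients are random, which
    # is what makes any threshold-1 shares carry no information about it.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_int(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial at x=0 from the given shares."""
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def recover_secret(shares: list[tuple[int, int]], secret_len: int) -> bytes:
    """Convert the recovered value back to bytes. A value that does not fit
    means the shares were too few or did not belong to the same split."""
    value = recover_int(shares)
    if value.bit_length() > secret_len * 8:
        raise ValueError("shares do not reconstruct a secret of that size")
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    # Constructed stand-in for 128-bit wallet entropy; never a real seed.
    entropy = bytes(range(16))
    shares = split_secret(entropy, threshold=2, total=3)
    print(recover_secret(shares[:2], 16) == entropy)          # True: any two shares
    print(recover_secret([shares[0], shares[2]], 16) == entropy)  # True
    print(recover_int(shares[:1]) == int.from_bytes(entropy, "big"))  # False: one is not enough
```

The practical consequence for storage is the one the guide draws: a single share kept at home, at the bank or at a relative's house is useless on its own to a thief, yet losing one location to fire or flood does not lose the wallet.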

Related scam guides