TLDR
Scammers register IDN homograph domains (kraken[.]com with Cyrillic 'а', krаken login[.]net, geminí[.]exchange) and run Google ads outranking the real exchange. Login form captures creds + 2FA via WebSocket relay for immediate session...
How it works
Scammers register IDN homograph domains (kraken[.]com with Cyrillic 'а', krаken login[.]net, geminí[.]exchange) and run Google ads outranking the real exchange. Login form captures creds + 2FA via WebSocket relay for immediate session...
Red flags
- Urgent pressure to click, pay, or share codes immediately.
- A link or sender that does not match the official organization.
- Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What to do
- 1Indicators: (1) URL has non ASCII chars (Punycode decode); (2) TLS cert from Let's Encrypt <30 days old; (3) Cloudflare proxy hiding origin; (4) 2FA prompt loops 2 3 times; (5) favicon mismatches real site.
- 2WHAT TO DO: bookmark real URLs; never click ad results for login; use Yubikey passkey (phish resistant).
Source
FAQ
Is Cloned Kraken/Gemini/Crypto.com login — homograph + ad injection a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What should I do first?
Indicators: (1) URL has non ASCII chars (Punycode decode); (2) TLS cert from Let's Encrypt <30 days old; (3) Cloudflare proxy hiding origin; (4) 2FA prompt loops 2 3 times; (5) favicon mismatches real site.; WHAT TO DO: bookmark real URLs; never click ad results for login; use Yubikey passkey (phish resistant).
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.