Crypto scam preys on those who have lost their account access code

Criminals are deliberately preying on the desperation of cryptocurrency holders who have lost access to their digital wallets, using fake recovery software to steal personal data and finances, researchers at HP Security Lab have warned.
How the Scam Works
The fraud begins when a user who has forgotten the long access code – known as a “seed phrase” – to their cryptocurrency wallet searches online for a tool to help recover it. Instead of a legitimate program, they may be directed to a professionally designed but entirely fake website offering a free download. One such tool identified by HP Security Lab was called the “Lost crypto wallets finder – cryptocurrency recovery toolkit.” The site hosting that software has since been taken down.
“Scammers are preying on people’s desperation to recover their cryptocurrency wallets,” said Alex Holland, a senior malware analyst at HP Security Lab. “Perhaps the victim has forgotten the seed phrase used to access their wallet. If you wanted a way of recovering that, you could search ‘free cryptocurrency recovery tool’, which I did, and lo and behold one of these fake malware-laden tools came up in my search results.”
Understanding the Seed Phrase
A cryptocurrency wallet is a piece of software on a computer that stores the cryptographic keys needed to access and spend digital currencies. To make access easier for users, wallets generate a “seed phrase” – typically a sequence of 12 to 24 ordinary English words – which serves as a master key. Losing that seed phrase can effectively lock a user out of their holdings, which may be worth thousands of pounds. It is this moment of panic that the criminals exploit.
“They’re preying on emotions. They want to take advantage of that moment of vulnerability,” Holland added.
How the Malware Steals Personal Information and Files
The fake recovery software is not a recovery tool at all, but malware designed to harvest as much sensitive data as possible. Once a victim downloads and installs it, the program systematically collects passwords stored in the user’s web browser – including those for email, online banking and social media accounts. It also rifles through the computer’s document folders, photo libraries and other files, taking copies of everything it can find.
All this stolen information is then compressed into a single ZIP file and transmitted over the internet to the criminals operating the scam. The data can be used for a wide range of future frauds, from identity theft and banking fraud to targeted phishing attacks. HP Security Lab researchers note that the scam is clearly lucrative enough for criminals to invest in setting up multiple fake websites and maintaining the infrastructure needed to distribute the malware.
The scale of cryptocurrency-related fraud in the UK underlines why such scams are profitable. According to data from Action Fraud and its replacement, Report Fraud, crypto investment scams accounted for 66% of all investment fraud reports by value in 2024, with total losses reaching £649 million – a 16% increase on the previous year. Reports to the Financial Conduct Authority (FCA) about crypto investment scams have more than doubled since 2020. In the first nine months of 2021 alone, Action Fraud recorded 7,118 reports of crypto fraud, with losses of £146.2 million. By March 2023, reported losses over the preceding 12 months had hit a record £306 million. The average loss per victim has also risen, indicating that fraudsters are extracting larger sums.
Fraudsters use social media platforms, particularly WhatsApp, to advertise fake investment opportunities, often featuring deepfake videos of celebrities such as Elon Musk. The UK government’s Fraud Strategy 2026–2029 has committed £250 million in new resources, and a new Online Crime Centre aims to fuse data from policing, intelligence agencies and industry to combat criminal operations in real time. The FCA continues to take action against illegal crypto promotions, and new regulations for the sector are being developed, with a licensing window expected to open in September 2026. Most crypto activities remain unregulated in the UK, meaning victims may not have access to the Financial Ombudsman Service or the Financial Services Compensation Scheme.
What to Do If You’ve Been Targeted
Holland advises anyone struggling to remember where they wrote down their seed phrase not to panic, as panic is exactly what the fraudsters count on. There are legitimate websites that can help recover a seed phrase, but users should read online reviews thoroughly to verify their safety before engaging with them.
If you suspect you have already downloaded the malware, remove it immediately using reputable security software. Then reset all your passwords without delay, starting with the ones for your banking and other financial accounts. The FCA warns consumers to be wary of unsolicited offers of crypto investment or recovery services, and to check the FCA’s Financial Services Register to verify whether a firm is registered. If an opportunity sounds too good to be true, it almost certainly is.
Scams should be reported to Report Fraud (the UK’s national reporting centre for fraud and cybercrime), or to Police Scotland or Advice Direct Scotland in Scotland.



