Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Trust Wallet, MetaMask Crypto Wallets Targeted By New Support Scam

Trust Wallet, MetaMask Crypto Wallets Targeted By New Support Scam

Trust Wallet and MetaMask wallet users are being targeted in ongoing and aggressive Twitter phishing attacks to steal cryptocurrency funds.

MetaMask and Trust Wallet are mobile apps that let you create wallets to store, buy, send, and receive cryptocurrency and NFTs.

When users launch MetaMask or Trust Wallet apps for the first time, the app prompts them to create a new wallet. As part of this process, the app will show a recovery phrase consisting of 12 words and prompts users to save them somewhere safe.

The apps use this recovery phrase to create the private keys necessary to access your wallet. Anyone who has this recovery phrase can import your wallet and use the cryptocurrency funds stored in it.

Trust Wallet recovery phrase is shown during wallet creation
Source: BleepingComputer

Readers should note that while we have shared a screenshot of a Trust Wallet recovery phrase above, we never created the above wallet. You should never share your recovery phrase with anyone.

Also Read: Practitioner Certificate In Personal Data Protection: Everything You Need To Know

Scammers try to steal your cryptocurrency

For approximately two weeks, BleepingComputer has been tracking a Twitter phishing scam targeting Trust Wallet and MetaMask users that steals cryptocurrency wallets by promoting fake technical support forms.

The phishing scam starts with legitimate MetaMask or Trust Wallet users tweeting about a problem they are having with their wallets. These issues range from stolen funds, problems accessing their wallets, or issues using the apps.

The scammers respond to these tweets pretending to be the apps’ support team or users who say “Instant support” helped them with the same problem. These tweets recommend that users visit the included or links to fill out a support form and receive help, as shown below.

Twitter MetaMask phishing scam
Twitter MetaMask phishing scam
Source: BleepingComputer
Twitter Trust Wallet phishing scam
Twitter Trust Wallet phishing scam
Source: BleepingComputer

When users visit these links, they will be shown a page pretending to be a support form for Trust Wallet or MetaMask.

Fake MetaMask support formFake MetaMask support form
Source: BleepingComputer
Fake Trust Wallet support formFake Trust Wallet support form
Source: BleepingComputer

These forms request a visitor’s email address, name, the issue they are having, and then the crown jewel of the scam, the wallet’s 12 recovery phrases.

Fake support form asking for a Trust Wallet recovery phrase

Once a Trust Wallet or MetaMask user submits their recovery phrase, the threat actors can use it to import the victim’s wallet on their own devices and steal all of the deposited cryptocurrency funds.

Unfortunately, once a threat actor steals the funds, there is little a user can do to recover them.

Cryptocurrency phishing scams like this have been extremely successful in the past, with one MetaMask user losing over $30,000 in cryptocurrency after sharing their recovery phrase.

Also Read: The DNC Singapore: Looking At 2 Sides Better

What should Trust Wallet and MetMask users do?

First and foremost, never enter your wallet’s recovery phrase in any app or website or share it with someone else. The only time you should ever use your recovery phrase is to import your wallet on a new device you own.

Furthermore, a legitimate company will not use Google Docs or online form-building sites for support requests. Only ask for support at the specific sites associated with the application or device you need help with.

Even then, NEVER provide your recovery phrase. 

As it is easy to create lookalike domains that impersonate legitimate sites, when it comes to cryptocurrency and financial assets, always type the URL you wish to visit into your browser rather than relying on links in emails. This way, you can avoid mistakenly clicking on phishing sites that impersonate a legitimate service.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us