Incident Record — Cryptocurrency Fraud Network: Ethereum
Advance-fee scheme using fabricated receipts and balances to induce real transfers of Ether.
1. Summary
This record documents an advance-fee cryptocurrency scam carried out between June 19 and June 23, 2026. Two actors operating under the names “Alex” and “Mandukic Mandele” presented a stream of fabricated screenshots — fake conversion rates, a fake incoming receipt, and a fake account balance — to convince R.P. that a large payout was waiting and that one more transfer would release it.
The premise was a classic bait: “send me ETH, I’ll send you USDT/USDC back in 5–10 minutes.” Acting on that promise, R.P. sent a series of small, real Ether transfers totaling approximately $200. Nothing the scammers showed in return was real. Every receipt, balance, and conversion screen was a static image with invented numbers on it; none corresponds to any transaction that exists on Ethereum. The only funds that ever moved were R.P.’s own, going out.
Turkish Criminal Law — what this conduct carries
Aggravated fraud “using information systems” — Turkish Penal Code (TCK) Art. 158/1-f. An advance-fee “send crypto, get more back” scheme run over the internet falls squarely here. It is a serious felony tried in the Heavy Penal Court (Ağır Ceza Mahkemesi) — not a minor offense.
And the charges stack on top:
Aggravated fraud is publicly prosecuted — no victim complaint is required. A foreign victim’s IC3 → MLAT / Interpol referral can independently trigger a Turkish criminal investigation. And the statute of limitations is 15 years — it does not quietly expire.
Statutes verifiable; sourced 2026-06-23.
2. The actors
The closer
“Alex”
Supplied the receiving wallet 0x0447227f…9445c4 and ran the core pitch — send ETH now, receive USDT/USDC back in 5–10 minutes. The promised return never arrived.
The escalator
“Mandukic Mandele”
Claimed to be in Turkey; the name is fabricated. Sent the fake $1,312 USDT receipt and ran the “$23,000 unlock” and seed-phrase trap intended to capture the entire wallet.
3. Timeline
“Alex” sends fabricated conversion screens Fabricated
Two “converter” images are presented: $5,000 = 125 ETH and $1,000 = 26.09 ETH, framed as the current exchange rate to make a large payout look one transfer away.
Lie: impossible math. At real ETH prices these figures are off by orders of magnitude. The “converter” is a picture with numbers painted on it, not a live rate.
Receiving wallet provided; the “send and you’ll get more back” loop begins
“Alex” gives the receiving address 0x0447227f…9445c4 and promises USDT/USDC back within 5–10 minutes. R.P. begins sending real ETH in small $20–$53 chunks to scammer-controlled wallets. No return is ever received.
The fake “+1,312.06 USDT — Completed” receipt Fabricated
A polished receipt image shows +1,312.06 USDT, “Status: Completed” arriving in R.P.’s wallet, used to signal that the return had started.
Lie: no such transaction exists. A real ERC-20 transfer is permanent and publicly visible — this one does not appear on Ethereum or on any chain checked. Confirmed nonexistent.
The “$23,000” balance and the seed-phrase trap Fabricated · Seed-phrase theft attempt
A screen displays a $23,000.00 = 5.99 ETH balance with the message “You can’t swap this to a SafePal wallet — use Trust Wallet with the same seed phrase.” The aim was to make R.P. re-enter the wallet’s recovery phrase into a wallet the scammers could drain.
Lie + theft attempt: there was never a $23,000 balance, and no legitimate wallet, swap, or exchange ever asks you to re-enter your seed phrase elsewhere. The phrase was not given.
No real money ever came in — only R.P.’s ETH went out
Across the entire exchange there was zero real inbound. Every balance, receipt, and conversion was an image. The only verifiable transactions on the blockchain are R.P.’s own outbound ETH — approximately $200 — moving toward the scammer wallets documented below.
4. What was fake
“$5,000 = 125 ETH” conversion Fabricated
Why it’s fake: impossible math. At the real ETH price, $5,000 buys a small fraction of one ETH — not 125. The figure exists only as an image used to imply a large payout was imminent.
“$1,000 = 26.09 ETH” conversion Fabricated
Why it’s fake: same impossible rate at a smaller number. $1,000 does not convert to 26 ETH at any real market price. Another static converter image, not a live quote.
“+1,312.06 USDT received — Completed” receipt Fabricated
Why it’s fake: no transaction matching this receipt exists on Ethereum or any other chain. A genuine ERC-20 transfer is recorded permanently and publicly on-chain; this one cannot be found because it never happened.
“$23,000” unlock & seed-phrase trap Fabricated
Why it’s fake: there was never a $23,000 balance to release. The screen’s instruction to “use Trust Wallet with the same seed phrase” is the actual objective — a seed-phrase theft attempt. No real wallet or exchange ever asks you to re-enter your recovery phrase elsewhere.
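The receipt check described above can be reproduced by decoding ERC-20 `Transfer` event logs and looking for one that pays the claimed amount to the claimed wallet. This is an added example, not part of the original record: it assumes the receipt refers to USDT on Ethereum mainnet (6 decimals), and the log entries and placeholder addresses are constructed so it runs offline.

```python
# Added example. Sample logs are constructed, not real chain records.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
USDT_CONTRACT = "0xdac17f958d2ee523a2206206994597c13d831ec7"  # assumption: USDT on Ethereum mainnet
USDT_DECIMALS = 6
CLAIMED_RECIPIENT = "0xc1aa6e85a691794f5645e01a4732065f2ea336c6"  # R.P.'s wallet, from the page

def to_base_units(amount_text, decimals):
    """Convert a displayed amount such as '+1,312.06' to integer token units."""
    whole, _, frac = amount_text.replace(",", "").lstrip("+").partition(".")
    if len(frac) > decimals:
        raise ValueError("more fractional digits than the token supports")
    return int(whole or "0") * 10**decimals + int(frac.ljust(decimals, "0") or "0")

def decode_transfer(log):
    """Return (token, sender, recipient, value) for an ERC-20 Transfer log, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None  # not Transfer(address,address,uint256) with two indexed addresses
    # An indexed address is a 32-byte topic; the address is its low 20 bytes.
    sender, recipient = ("0x" + t[-40:].lower() for t in topics[1:])
    return log["address"].lower(), sender, recipient, int(log["data"], 16)

def find_matching_transfers(logs, token, recipient, amount_text, decimals):
    """Transaction hashes of logs where `token` paid exactly the amount to `recipient`."""
    want = to_base_units(amount_text, decimals)
    hits = []
    for log in logs:
        decoded = decode_transfer(log)
        if decoded and decoded[0] == token.lower() \
                and decoded[2] == recipient.lower() and decoded[3] == want:
            hits.append(log["transactionHash"])
    return hits

def _log(token, sender, recipient, value, tx):
    """Build one constructed log entry in the shape eth_getLogs returns."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [TRANSFER_TOPIC, pad(sender), pad(recipient)],
            "data": "0x" + format(value, "064x"), "transactionHash": tx}

A, B, LOOKALIKE = ("0x" + c * 20 for c in ("11", "22", "33"))  # placeholder addresses
SAMPLE_LOGS = [
    _log(USDT_CONTRACT, A, B, 1_312_060_000, "0x" + "aa" * 32),  # token, recipient, amount all match B
    _log(LOOKALIKE, A, B, 1_312_060_000, "0x" + "bb" * 32),      # same amount, different contract
    _log(USDT_CONTRACT, A, B, 1_312_000_000, "0x" + "cc" * 32),  # right token, wrong amount
]

if __name__ == "__main__":
    # The receipt's claim, checked against the sample logs.
    print(find_matching_transfers(SAMPLE_LOGS, USDT_CONTRACT, CLAIMED_RECIPIENT,
                                  "+1,312.06", USDT_DECIMALS))
    # Positive control: the same claim for placeholder wallet B.
    print(find_matching_transfers(SAMPLE_LOGS, USDT_CONTRACT, B,
                                  "+1,312.06", USDT_DECIMALS))
```

Matching on the emitting contract address matters as much as the amount: a log from any other contract is a different token, whatever name a wallet screen displays for it.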
5. The real money trail
R.P. sent approximately $200 in ETH in small chunks. Those transfers are public and permanent. They flow from R.P.’s wallet, through several scammer-controlled addresses, into a consolidation wallet, and out to a centralized exchange that has not yet been identified. Every address and hash below links to its record on Etherscan.
| Step | Address / hash |
|---|---|
| Origin — R.P.’s wallet | 0xc1aa6e85a691794f5645e01a4732065f2ea336c6 |
| Scammer wallet 1 (receiving) | 0x0447227f9a532fada9332f388487a25e3b9445c4 |
| Scammer wallet 2 | 0xd28d37b611718fa220a375ac368ba6a0bb4d86ef |
| Scammer wallet 3 | 0x7cfdaca5a2588cd4ac00400a2038e8e61fe5cb39 |
| Scammer wallet 4 | 0x9844c85bd9b0c1d546e1d87f8a512a9e15bbb1ae |
| Consolidation wallet | 0x431654081084e888cb2f359a1eac7038ce48aeab |
| Cash-out | Centralized exchange — not yet identified. No exchange is named here because it has not been confirmed. |
Key transaction hash
0x8e66ff97eb0d0119caf33c5b38d8a42debbde535431ffb84f1c015f3cc00a2a5
Wallet record — real ETH leaving R.P.’s wallet
A “Send” of ETH from 0xc1aa6e85…2ea336c6 to scammer wallet 1. Unlike the screens in Section 4, this transaction is real, permanent, and verifiable on-chain — it is the actual money that moved.
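A trail of the shape described in this section (origin, intermediate wallets, consolidation wallet, exit) can be rebuilt from an exported transfer list by following sends forward in time. This is an added example, not part of the original record: the role-named addresses, timestamps and amounts are constructed because the page does not list the individual hops. Address-level reachability shows where funds could have gone, not who controls a wallet.

```python
from collections import defaultdict

# Constructed transfers: (unix_time, sender, recipient, amount_eth).
TRANSFERS = [
    (90,  "scammer_1", "old_wallet", 0.300),        # predates the victim's first send
    (100, "unrelated", "scammer_2", 0.500),         # other inflow, not from the origin
    (110, "origin", "scammer_1", 0.010),
    (120, "origin", "scammer_2", 0.008),
    (130, "scammer_1", "scammer_3", 0.009),
    (140, "scammer_2", "consolidation", 0.007),
    (150, "scammer_3", "consolidation", 0.008),
    (160, "consolidation", "exchange_deposit", 0.500),
]

def trace_forward(transfers, origin):
    """Return {address: earliest time funds traced from `origin` could arrive}.

    Transfers are walked in time order, so a send made before traced funds
    reached the sender is never followed.
    """
    arrival = {origin: float("-inf")}
    for ts, sender, recipient, _ in sorted(transfers):
        if sender in arrival:
            arrival.setdefault(recipient, ts)
    return arrival

def consolidation_points(transfers, arrival, min_sources=2):
    """Traced addresses funded by at least `min_sources` distinct traced senders."""
    sources = defaultdict(set)
    for ts, sender, recipient, _ in transfers:
        if sender in arrival and ts >= arrival[sender]:
            sources[recipient].add(sender)
    return sorted(a for a, s in sources.items() if len(s) >= min_sources)

def exit_addresses(transfers, arrival):
    """Traced addresses with no outgoing transfer in the data set.

    This is where the visible trail ends, for example at an exchange deposit
    address; identifying the owner takes legal process, not tracing.
    """
    senders = {sender for _, sender, _, _ in transfers}
    return sorted(a for a in arrival if a not in senders)

if __name__ == "__main__":
    reached = trace_forward(TRANSFERS, "origin")
    print("reached:", sorted(reached))
    print("consolidation:", consolidation_points(TRANSFERS, reached))
    print("exit:", exit_addresses(TRANSFERS, reached))
```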
6. Exhibits / Evidence
Every screenshot captured during the scheme is shown below, grouped by type. Items marked Fabricated are manufactured images with no corresponding transaction on any blockchain. Items marked Real are the actual on-chain transfers — the only money that truly moved.
Fabricated receipts & balances Fabricated
Fake conversion screens Fabricated
Manufactured “errors” used to stall & extract more Fabricated
“Alex” hands over the receiving wallet
R.P.’s real ETH sends to the scammer Real money
The WETH wrap step they instructed
7. Where they slipped
Taken together: the fabricated artifacts prove intent, the reused wallet cluster makes the money traceable end-to-end, and the cash-out into a KYC’d exchange is the chokepoint where a real name can be compelled. That is what hangs them.
8. Where to report
A grouped map of where a US-based victim of a cross-border crypto scam can report, with what each body handles and how to reach it. Contacts the research could not independently confirm are tagged “⚠ unverified — confirm before use” and must be verified on the official source before relying on them.
⚠ First, the #1 warning: beware “fund recovery” services
Anyone who DMs, texts, cold-calls, or emails you offering to recover your crypto for an upfront fee is almost always a second scam. The FBI/IC3 logged roughly $1.4 billion lost to recovery-scam complaints in a single year — and scammers have even impersonated IC3 itself, claiming to have “recovered” funds. Real agencies never charge a fee to recover money, never refer you to a paid recovery company, and never ask for financial-account details. Anyone who found you first is a red flag.
References: IC3 PSA on fictitious law firms — ic3.gov/PSA/2025/PSA250813 · FBI on IC3 impersonation — fbi.gov · FTC refund & recovery scams — consumer.ftc.gov · CFTC recovery-fraud advisory — cftc.gov.
USA — Federal & state
Start here. File with IC3 first — it accepts international victims, is the FBI’s crypto-fraud intake, and is the prerequisite that lets the US engage Turkey via treaty.
FBI — Internet Crime Complaint Center (IC3)
The primary US destination for crypto-fraud complaints. Accepts international victims (complaints from 200+ countries). Analyzes and refers to federal/state/local/international law enforcement. Include every wallet address, tx hash, amount, and timestamp.
Report ic3.gov · file at complaint.ic3.gov
Crypto ic3.gov/CrimeInfo/Cryptocurrency
Phone Online-only portal — no public complaint hotline.
Federal Trade Commission (FTC)
Consumer-fraud intake including crypto investment and imposter scams. Feeds law enforcement nationwide (does not resolve individual cases).
Report reportfraud.ftc.gov
Phone 1-877-382-4357 (1-877-FTC-HELP)
Securities and Exchange Commission (SEC)
Best fit when the scam was framed as an investment/“security.” Tips accepted from anyone.
Report sec.gov/tcr
Check investor.gov
Phone 1-800-732-0330 · Email Help@SEC.gov
Commodity Futures Trading Commission (CFTC)
Fraud involving virtual currencies as commodities — fake “trading platforms,” fraudulent solicitation. Many pig-butchering platform scams fall here.
Report cftc.gov/complaint
Phone 866-366-2382 (866-FON-CFTC)
U.S. Secret Service — Cyber Fraud Task Forces
Investigates cyber-enabled financial crime and crypto laundering; runs the crypto-victim “Operation Atlantic” initiative. For most individuals, file IC3 first, then contact your local field office.
Find secretservice.gov/contact/field-offices
Phone 202-406-5708 (HQ) · Operation Atlantic 202-406-8000
Email OperationAtlantic@secretservice.gov
FBI Field Office Locator
For time-sensitive or large-loss matters where you need to speak to investigators directly. For routine crypto fraud, IC3 remains the preferred intake.
State Attorney General — Consumer Protection ⚠ unverified — confirm before use
Consumer-fraud enforcement under state law, sometimes assisting with restitution. The directories below are standard, but the exact per-state complaint URL must be confirmed on the destination site.
Find AG naag.org/find-my-ag
Securities nasaa.org/contact-your-regulator
International — umbrella & cross-border
INTERPOL and Europol take no direct public reports. They are police-to-police bridges — route reports through your national police, who escalate to them.
INTERPOL
Coordinates between national police forces; does not investigate, make arrests, or take public crime reports. For a US victim the path is: IC3 → FBI → INTERPOL Washington → INTERPOL Ankara.
Info interpol.int/en/What-you-can-do/If-you-need-help
Phone None for public reports.
Europol — European Cybercrime Centre (EC3)
Handles information from law-enforcement agencies only. Its page routes you to your own country’s national reporting tool. Victims report to national/local police.
Routes europol.europa.eu/report-a-crime/report-cybercrime-online
Phone None for public reports.
econsumer.gov — cross-border consumer fraud
ICPEN partnership led by the US FTC for scams where the trader/company is in another country. Shares complaints with consumer-protection authorities worldwide.
Report econsumer.gov
Global Anti-Scam Organization (GASO)
Nonprofit/NGO (not a government body) offering victim support and volunteer crypto-tracing. Use in addition to — not instead of — an official IC3/police report.
Site globalantiscam.org · contact page
Turkey & the MLAT route
A US victim generally cannot petition a Turkish agency directly and expect action. The real lever is the US–Turkey treaty (signed Ankara 7 Jun 1979, in force 1 Jan 1981, covering extradition + mutual legal assistance). You don’t file it — a US prosecutor does, via DOJ’s Office of International Affairs, once a US case exists. That is why IC3 comes first.
SPK / CMB — Capital Markets Board of Türkiye ⚠ unverified — confirm before use
The right regulator if the scam was an “investment platform” or crypto exchange — it licenses crypto-asset service providers (Law No. 7518, 2024) and files criminal complaints with the Chief Public Prosecutor against unlicensed operators. Confirm the current online complaint form on the official site before use.
Site spk.gov.tr · English cmb.gov.tr
MASAK — Financial Crimes Investigation Board (Turkey’s FIU)
Turkey’s Financial Intelligence Unit. An intelligence/analysis body, not a victim-complaint desk — it acts when a Turkish bank/exchange files a suspicious-transaction report or a prosecutor requests analysis. Reaching its leverage means reporting to the exchange and/or opening a prosecutor’s investigation. No public victim-intake email confirmed.
Site masak.hmb.gov.tr · duties (EN) en.hmb.gov.tr/fcib-duties-powers
Turkish National Police — Cyber Crimes Department (EGM) ⚠ unverified — confirm before use
Investigates cyber-enabled crime including crypto theft. Triggering an investigation generally means filing a criminal complaint (şikayet) — at a police station, gendarmerie, or the prosecutor — usually via a local lawyer with power of attorney. The EGM e-services URL changes over time; verify before use.
Site egm.gov.tr/siber
Phone 112 (Turkey unified emergency line)
U.S. Department of Justice — Office of International Affairs (OIA)
The US Central Authority for outgoing MLAT requests to Turkey’s Ministry of Justice. A US victim cannot submit an MLAT request — it is filed by a US prosecutor once a US criminal investigation exists. Slow (months to years) and aimed at prosecution, not quick recovery.
Site justice.gov
Crypto exchanges & KYC
KYC identity is released only to law enforcement with legal process (subpoena, court order, or MLAT) — never to individual victims. A flagged scam-deposit address can sometimes be temporarily restricted if reported fast, before the scammer withdraws — speed is everything. Report the deposit address to the exchange with the tx hash, and file IC3 in parallel.
Coinbase
Report account compromise/scam to security; law-enforcement requests go through the Kodex portal and the confirmed subpoenas address.
Victim security@coinbase.com
LE email subpoenas@coinbase.com
LE portal app.kodexglobal.com/gov/signup · coinbase.com/compliance
Binance
Law enforcement submits everything through the Kodex Law Enforcement Request System; there is no public LE email. Victims report via Binance support and IC3.
LE portal binance.com/en/support/law-enforcement → app.kodexglobal.com/binance/signup
LE email None — use the Law-Enforcement Request portal.
Bybit
Victims use the “Report Stolen Funds” path → Bybit’s Lazarus Security Lab (cases reviewed within 2–4 hours; discretionary temporary restrictions possible). Law-enforcement requests go through their Law-Enforcement Request portal.
Victim Report Stolen Assets guide
LE Via their Law-Enforcement Request portal (no public LE email confirmed).
Kraken
Has a dedicated victim “Report a scam” form and a separate compliance/legal form for law enforcement. Warns that legitimate authorities never charge upfront recovery fees.
Victim support.kraken.com/forms/33616932532628
LE/legal support.kraken.com/forms/648008
OKX
In-app scam reporting for victims; law-enforcement requests via the Kodex portal, with an emergency LE email for extraordinary circumstances only.
Victim OKX scam-help guide
LE portal app.kodexglobal.com/okx/signin · LE email enforcement@okx.com (emergencies only)
KuCoin
Law enforcement uses the Information Request System with an official signed/sealed subpoena or court order. Victims typically report to local LE, who then submit the official request.
LE form kucoin.com/legal/requests · guidelines kucoin.com/legal/law-enforcement-request-guidelines
Tracing tools & scam-address databases
Free, victim-usable tools to document the on-chain trail and warn the next victim. Posting the address consolidates multiple victims into one record and feeds intelligence pipelines.
Chainabuse — the main scam-address database
Run by TRM Labs. A searchable public database of scam addresses anyone can check or report to; its fraud intelligence is shared with law enforcement.
Report chainabuse.com
Etherscan — Report / Flag Address
Anyone can report an Ethereum address; confirmed scam addresses get a public “Fake_Phishing” warning label visible to every future visitor.
Guide info.etherscan.com/report-address · explorer etherscan.io
Breadcrumbs & Arkham — free public tracing
Breadcrumbs’ Pathfinder visually traces fund movement across addresses; Arkham looks up entity labels (is this hop a known exchange/mixer/scammer?). Both are free and victim-usable — but cannot freeze or recover on their own authority.
ScamSniffer & CryptoScamDB ⚠ unverified — confirm before use
Secondary blocklists. ScamSniffer is a Web3 anti-phishing tool with a public scam database (more a protection/blocklist than a formal complaint portal). CryptoScamDB is reachable but low-maintenance/legacy — Chainabuse has effectively superseded it. Use as secondary lookups.
Sites scamsniffer.io · cryptoscamdb.org
Do-not / recovery-scam warning
The single most important rule for a scam victim — repeated because the second scam targets people in exactly this moment.
Do not pay anyone who promises to recover your funds
No legitimate agency, attorney, or forensic firm cold-DMs, cold-calls, or emails a victim offering guaranteed recovery for an upfront fee. Real attorneys and forensic firms do not contact you first, do not guarantee recovery, and use clear written engagements. Verify any lawyer’s license with the state bar. Anyone who found you first — especially asking for gift cards, wire, or more crypto — is the scam.
FTC consumer.ftc.gov/articles/refund-and-recovery-scams
CFTC cftc.gov — Recovery Frauds