The Universal Attack Pattern

Despite different branding and backends, all 8 phishing sites follow the exact same psychological funnel:

Landing Page

Trust building

Wallet Selector

Trust building

Fake "Connecting..."

3–5 sec timer

"Connection Failed"

Always fails

Manual Entry

Seed / Key / Keystore

Exfiltration

TG / Email / API

The critical insight: the “Connecting…” animation is always hardcoded to fail. In the source code of Site #4, we found const success = false — there is no wallet connection attempt. The entire flow exists solely to push victims toward the “Connect Manually” form.
The universal 6-step attack chain shared by all phishing sites we analyzed