
How This Attack Works
The scam exploits growing awareness of AML/KYC compliance requirements in crypto. Users who want to verify their funds are "clean" land on a convincing clone and unknowingly authorize a wallet drainer.
STEP 1
Lure via Search & Social
Victims encounter fake AML check sites through Google Ads, [REDACTED] DMs, social media posts, or SEO-poisoned search results for queries like "check wallet AML" or "is my crypto clean."
STEP 2
Clone Legitimate UI
The site closely mimics the official [REDACTED] design, branding, and interface. Some clones replicate staff profiles and create fake [REDACTED] accounts impersonating AMLBot team members.
STEP 3
Request Wallet Connection
Unlike the real AMLBot (which only needs a wallet address as text input), the fake site asks users to "connect wallet" via [REDACTED] or WalletConnect to "generate an AML report."
STEP 4
Drain Assets via Smart Contract
The wallet connection triggers a malicious smart contract (setApprovalForAll or token approval) that scans all tokens/NFTs, prioritizes highest-value assets, and drains everything to attacker-controlled wallets. Transactions are irreversible.
Technical Analysis
The AML scam ecosystem uses sophisticated infrastructure. Domains typically use .com, .org, .app TLDs registered through privacy-friendly registrars (IANA #3765, WEBCC account for 163+ domains). Many use IANA #1910 CDN for legitimacy.
The drainer mechanism is identical to other wallet-connect possibly phishing: upon connection, the site calls setApprovalForAll() or increaseAllowance() on the victim's token contracts. The drainer scans all assets, estimates value, and prioritizes extraction of highest-value tokens first.
According to AMLBot's 2025 Crypto Crime Report, 65% of crypto incidents are driven by social engineering rather than technical exploits, with possibly phishing ranking as the #2 attack type (18% of all incidents).
Key technical indicators: domains containing 'aml', 'amlbot', 'aml-check', 'aml-verify' in the URL; wallet connection prompts (the real AMLBot never requires this); recently registered domains; missing or fake SSL certificates.
The drainer mechanism is identical to other wallet-connect possibly phishing: upon connection, the site calls setApprovalForAll() or increaseAllowance() on the victim's token contracts. The drainer scans all assets, estimates value, and prioritizes extraction of highest-value tokens first.
According to AMLBot's 2025 Crypto Crime Report, 65% of crypto incidents are driven by social engineering rather than technical exploits, with possibly phishing ranking as the #2 attack type (18% of all incidents).
Key technical indicators: domains containing 'aml', 'amlbot', 'aml-check', 'aml-verify' in the URL; wallet connection prompts (the real AMLBot never requires this); recently registered domains; missing or fake SSL certificates.
Real Cases
AMLBot Clone Wave (2024-2026) (2024-2026)
1,350+ fake domains stolen
AMLBot officially warned about an alarming rise in scammers impersonating AMLBot on various platforms, including fake [REDACTED] bots and clone websites.
[REDACTED] Drainer (2024)
Wallet drainer active stolen
[REDACTED], resolved to IANA #1910 IP 104.21.25.10. Served a fake "AML wallet check" interface with wallet-connect drainer. THE ENABLERS REGISTRY report.
PCRisk AML Warning (Jan 2026) (January 2026)
12+ documented domains stolen
PCRisk documented a new wave of fake AMLBot sites including [REDACTED], [REDACTED], [REDACTED], [REDACTED]. FTC reports over 46,000 people lost $1 billion to crypto scams since 2021. PCRisk report.
[REDACTED] Campaign (2024)
Multiple victims stolen
Typosquat of AMLBot serving crypto drainer via fake compliance check UI. Documented by Malware Guide and PCRisk.
How to Detect
Site asks to "connect wallet" — the real AMLBot only needs a wallet ADDRESS as text input, never a wallet connection
Domain contains "aml" variations: amlbot, aml-check, aml-verify, amlcrypto (verify against official [REDACTED])
Recently registered domain (check WHOIS — legitimate AML services have years of history)
Urgent messaging: "Your wallet may be flagged" or "Check compliance before funds are frozen"
Promoted via [REDACTED] DMs, Google Ads, or unsolicited emails instead of organic search
How to Protect Yourself
1
Bookmark the official AMLBot at [REDACTED] — never click links from ads, DMs, or emails
2
Remember: legitimate AML tools only need a wallet address (text), never a wallet connection or private keys
3
Check any AML domain on THE ENABLERS REGISTRY before interacting with it
4
Use a separate "burner" wallet with minimal funds when testing any new DeFi/Web3 service
5
If you connected your wallet to a suspicious site: immediately transfer remaining funds to a NEW wallet and revoke approvals at revoke.cash
Frequently Asked Questions
Data sourced from THE ENABLERS REGISTRY threat intelligence database — 318 domains tracked for this threat type
Fake AML Check Scam 318 domains
![Screenshot of [REDACTED]](/assets/screenshots/019831e1-8338-74e9-9c4c-10a87434f439.png)
![Screenshot of [REDACTED]](/assets/screenshots/019d81ac-0858-74fb-bf57-695689a75870.png)
![Screenshot of [REDACTED]](/assets/screenshots/019dc1b3-d713-74ea-b59f-bd0702802515.png)
![Screenshot of [REDACTED]](/assets/screenshots/01990ff6-25c2-74cd-9fbe-50b5899f8cd2.png)
![Screenshot of [REDACTED]](/assets/screenshots/019e764d-77d4-72f9-88f6-e521119bffee.png)
![Screenshot of [REDACTED]](/assets/screenshots/019d3eb4-884b-70ac-a4a3-240e059af449.png)
![Screenshot of [REDACTED]](/assets/screenshots/019d3e25-475c-7655-add3-85892d764447.png)
![Screenshot of [REDACTED]](/assets/screenshots/01993272-dc2d-71dd-851e-37f1516af2ac.png)
![Screenshot of [REDACTED]](/assets/screenshots/019df472-fe58-702d-8a4d-2a0439e8c39c.png)
![Screenshot of [REDACTED]](/assets/screenshots/019e8066-0bf2-705f-8a39-3c1686b0d704.png)
![Screenshot of [REDACTED]](/assets/screenshots/019c74a2-5870-763b-a603-060ed07f82cd.png)
