On May 1, 2025, I came across a YouTube comment that looked innocent — maybe even a little desperate:
"Thanks for sharing such valuable information! Just a quick off-topic question: My OKX wallet holds some USDT, and I have the seed phrase... What's the best way to send them to Binance?" — @RosiVanadis, YouTube comment
The message even included a full 12-word seed phrase, casually posted in public. To a greedy or curious onlooker, it might seem like someone just gave away free money — a forgotten wallet with tokens still inside.
But if you've been in crypto long enough, your instinct should be to pause. This wasn’t carelessness. It might be bait.
Investigating the Wallet
Based on the seed phrase posted in the YouTube comment, the derived Ethereum address is 0xc6D71Cc477DFc5Fe0b0Dd8e93De620447880D52E.
In the last two transactions, the address received 0.0441 ETH from a MoonPay-labeled address, and immediately afterward the ETH was emptied out to another address: https://etherscan.io/address/0x00001f9d06dce5c2d30a03396405e8d071434001. Both transactions happened in the exact same second (Apr-29-2025 11:07:47 AM UTC).
It could be bait. And even if it isn’t, you have no way of knowing what traps may be set — financially or technically.
But one thing is unclear: why would someone send ETH to a wallet that appears empty? If this was bait, there was no visible token or value in the address to lure a victim. This raises the possibility that the sender and the trap operator might be the same entity — perhaps testing automated sweeping logic or tracking wallet monitoring infrastructure.
Investigating the Withdrawal Address
The destination of the swept ETH — 0x00001f9d06dce5c2d30a03396405e8d071434001 — appears to be a vanity address, possibly generated to seem benign or system-generated. Initial inspection of the address on Etherscan shows multiple incoming transfers from other compromised-looking wallets, all drained within seconds of receiving ETH. This strongly suggests it's part of a botnet or a coordinated draining infrastructure. Further clustering analysis could reveal other scam wallets it interacts with.
How to Safely Analyze a Public Seed Phrase
If you encounter a public 12-word seed phrase and want to investigate it without risk:
Use a trusted local environment:
Run the following command after installing Node.js and the ethers library (v6 or later):
node -e "import('ethers').then(e => console.log(e.HDNodeWallet.fromPhrase('your twelve words here').address))"
Do not paste the phrase into web wallets or browser extensions. These may accidentally connect to live networks or leak data.
Check the wallet on a public explorer:
- Paste the derived address into Etherscan
- Look for unusual transaction patterns (instant sweeps, repeated funding, identical gas usage)
Don’t interact with the wallet:
- Never send ETH to it
- Never call smart contract functions from it
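To make the "instant sweeps" check from the explorer step repeatable, here is an added example (not code from the original post) that pairs each deposit into a watched address with an outbound transfer that follows within a few seconds. The record fields, the placeholder addresses and the 15-second threshold are assumptions, and the sample data is constructed.

```javascript
// Added example: pair each deposit with an outbound transfer within maxDelaySec.
// Record fields (from, to, value in wei, timeStamp in unix seconds) are assumed.
function findInstantSweeps(txs, watched, maxDelaySec = 15) {
  const me = watched.toLowerCase();
  const byTime = [...txs].sort((a, b) => Number(a.timeStamp) - Number(b.timeStamp));
  const used = new Set(); // each outbound tx explains at most one deposit
  const findings = [];
  for (const dep of byTime) {
    if ((dep.to || "").toLowerCase() !== me || BigInt(dep.value) === 0n) continue;
    const out = byTime.find((o, i) => {
      const delay = Number(o.timeStamp) - Number(dep.timeStamp);
      return !used.has(i) && o.from.toLowerCase() === me && delay >= 0 && delay <= maxDelaySec;
    });
    if (!out) continue;
    used.add(byTime.indexOf(out));
    findings.push({
      fundedBy: dep.from, sweptTo: out.to,
      delaySec: Number(out.timeStamp) - Number(dep.timeStamp),
      // share of the deposit that left; the remainder is typically gas
      sweptPct: Number((BigInt(out.value) * 10000n) / BigInt(dep.value)) / 100,
    });
  }
  return findings;
}

// Count how often each destination collects a sweep; one address collecting
// every sweep is the pattern to look for.
function sweepDestinations(findings) {
  const counts = {};
  for (const f of findings) {
    const k = f.sweptTo.toLowerCase();
    counts[k] = (counts[k] || 0) + 1;
  }
  return counts;
}

// Constructed sample data (placeholder addresses, not real on-chain records).
const WATCHED = "0x" + "a".repeat(40);
const SWEEPER = "0x" + "b".repeat(40);
const FUNDER = "0x" + "c".repeat(40);
const SAMPLE = [
  { from: FUNDER, to: WATCHED, value: "44100000000000000", timeStamp: "1700000000" },
  { from: WATCHED, to: SWEEPER, value: "44000000000000000", timeStamp: "1700000000" },
  { from: FUNDER, to: WATCHED, value: "10000000000000000", timeStamp: "1700003600" },
  { from: WATCHED, to: SWEEPER, value: "9900000000000000", timeStamp: "1700003612" },
  { from: FUNDER, to: WATCHED, value: "5000000000000000", timeStamp: "1700090000" },
  { from: WATCHED, to: FUNDER, value: "4000000000000000", timeStamp: "1700100800" },
];
console.log(findInstantSweeps(SAMPLE, WATCHED));
```

The last deposit in the sample leaves three hours later to a different address, so it is not flagged; only the two transfers that leave within seconds are reported.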
By following these steps, you can safely study traps and better understand how attackers structure their scams.
Stay curious. Stay skeptical. Stay safe.