Seed Flooding: Why PhishDestroy Openly
“Attacks” Phishing Sites
We don’t hide it. When PhishDestroy detects an active phishing site harvesting crypto wallet seed phrases, we flood it with valid-format seed phrase entries. Here’s exactly what we do, why we do it, and why we’re not ashamed of it.
The Problem: A Phishing Site Is Live Right Now
Imagine you spot a crypto wallet phishing page running paid Google Ads. It looks legitimate. It’s got traffic. Real users are landing on it every few minutes, entering their seed phrases, and losing everything.
You report it to Google. You report it to the registrar. You submit an abuse report to the hosting provider. And then you wait.
Meanwhile, the scammer collects victim number 47. Then 48. Then 49.
The standard abuse reporting pipeline operates on timescales of 5–10 business days. Active phishing sites cause irreversible financial damage in hours. This gap is not a bug in the system — it’s a structural vulnerability scammers exploit deliberately.
What Is Seed Flooding?
Seed flooding is a counter-phishing technique where valid-format but empty/worthless cryptocurrency wallet seed phrases are automatically submitted into a phishing form at a controlled rate.
Why This Works: The Anatomy of a Cheap Phishing Kit
The vast majority of active crypto phishing sites are copy-paste kits built on free-tier third-party services. This is their biggest vulnerability. For a deeper breakdown see our full investigation.
| Module | Free Tier Limit | Effect of Flooding |
|---|---|---|
| EmailJS | ~200 submissions/month | Exhausted in hours, stops email delivery |
| Formspree | 50 submissions/month | Disabled almost immediately |
| Web3Forms | 250 submissions/month | Rapidly neutralized |
| Telegram Bot API | Rate-limited per second | Flooded into timeout loops |
| Firebase Free Tier | Read/write quotas | Database costs spike or lock out |
We have directly observed phishing infrastructure go dark after seed flooding exhausted its notification pipeline. The scammer doesn’t know why it stopped working. They just stop receiving data.
Our Technical Approach: Cloudflare Workers, Not Botnets
We use Cloudflare Workers. Requests originate from Cloudflare’s own edge network. No residential IPs misused. No botnets. No third-party servers burdened. Only the scammer’s data collection system is affected.
The Flooding Flow
Rate limiting: A strict 2 submissions per 10 seconds. Not a DDoS. A slow, deliberate, targeted contamination at a scale that makes even modest per-site rates meaningful across dozens of simultaneous targets.
We are not trying to take down servers. We are making the scammer’s workday miserable and their database worthless — with zero collateral impact on legitimate infrastructure.
“But Is It Legal? Is It Ethical?”
Submitting data to a public-facing web form — even fake data — is not inherently illegal in most frameworks. We are not accessing private systems, exploiting unauthorized vulnerabilities, or intercepting communications. The scammer built a trap. We are filling it with rocks.
PhishDestroy is not providing legal advice. This exists in a genuine gray area that varies by jurisdiction. We operate with full awareness of this complexity.
What Happens to the Scammer’s Database?
It becomes useless — thousands of entries require manual verification, signal-to-noise ratio collapses. Or it breaks — Firebase Spark and shared MongoDB instances have hard limits. Hitting them has consequences.
Both Outcomes Are Good
Whether the database becomes useless or breaks entirely — real victims’ seed phrases never reach the attacker in a useful form. Every unprocessed seed phrase is a wallet that doesn’t get drained.
When Do We Activate Seed Flooding?
| Criterion | Check | Why It Matters |
|---|---|---|
| Active traffic confirmed | Required | Ad platforms or traffic tools confirm real users are landing on the site |
| Phishing anatomy analyzed | Required | Free-tier exfil modules identified before we flood |
| Abuse reports filed | Required | We always pursue the legitimate track simultaneously |
| No takedown within SLA | Typical trigger | No response from registrar/hosting in acceptable time |
| High-volume / paid ads site | Immediate trigger | Paid advertising means we act without waiting for the bureaucratic track |
The Bigger Picture
The crypto ecosystem loses billions of dollars per year to phishing. The defense side has historically been reactive. PhishDestroy exists to introduce proactive interference into this cycle.
We are not operating in darkness. We publish our methodology. We explain our techniques. We document the phishing kits we analyze. The security community deserves to evaluate counter-phishing methods, not just consume a black-box service.
What You Can Do
- Report to Google Safe Browsing, PhishTank, and the domain registrar
- Submit it to us — we prioritize high-traffic active threats
- Check our anatomy database to understand what you’re looking at
- Share awareness — most victims don’t know what a seed phrase phishing page looks like until it’s too late
If you think feeding empty wallets to criminals is unethical — that’s your position, and you’re welcome to hold it. We’ve made ours clear.
Related Investigations
